--- 1/draft-ietf-opsawg-tacacs-yang-04.txt 2020-05-22 04:13:19.433560069 -0700 +++ 2/draft-ietf-opsawg-tacacs-yang-05.txt 2020-05-22 04:13:19.465560881 -0700 @@ -1,19 +1,19 @@ Network Working Group G. Zheng Internet-Draft M. Wang Intended status: Standards Track B. Wu -Expires: November 9, 2020 Huawei - May 8, 2020 +Expires: November 23, 2020 Huawei + May 22, 2020 Yang data model for TACACS+ - draft-ietf-opsawg-tacacs-yang-04 + draft-ietf-opsawg-tacacs-yang-05 Abstract This document defines YANG modules that augment the System Management data model defined in the RFC 7317 with TACACS+ client model. The data model of Terminal Access Controller Access Control System Plus (TACACS+) client allows the configuration of TACACS+ servers for centralized Authentication, Authorization and Accounting. The YANG modules in this document conforms to the Network Management @@ -27,21 +27,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on November 9, 2020. + This Internet-Draft will expire on November 23, 2020. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -53,21 +53,21 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions used in this document . . . . . . . . . . . . . . 3 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 3. Design of the Data Model . . . . . . . . . . . . . . . . . . 3 4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 - 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 + 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 8.1. Normative References . . . . . . . . . . . . . . . . . . 13 8.2. Informative References . . . . . . . . . . . . . . . . . 14 Appendix A. Example Tacacs+ Authentication Configuration . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 1. Introduction This document defines YANG modules that augment the System Management data model defined in the [RFC7317] with TACACS+ client model. @@ -200,21 +200,21 @@ +--ro connection-aborts? yang:counter64 +--ro connection-failures? yang:counter64 +--ro connection-timeouts? yang:counter64 +--ro messages-sent? yang:counter64 +--ro messages-received? yang:counter64 +--ro errors-received? yang:counter64 +--ro sessions? yang:counter64 4. TACACS+ Client Module - file "ietf-system-tacacsplus@2020-05-09.yang" + file "ietf-system-tacacsplus@2020-05-22.yang" module ietf-system-tacacsplus { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus"; prefix sys-tcsplus; import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types"; 
@@ -262,24 +262,29 @@ Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; - revision 2020-05-09 { + // RFC Ed.: update the date below with the date of RFC + // publication and remove this note. + // RFC Ed.: replace XXXX with actual RFC number and remove + // this note, and the TACACS+ Protocol refers to + // draft-ietf-opsawg-tacacs. + + revision 2020-05-22 { description "Initial revision."; - reference "RFC XXXX: A Yang Data Model for TACACS+"; } typedef tcsplus-server-type { type bits { bit authentication { description "When set, the server is an authentication server."; } 
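Review bot: The new `revision 2020-05-22` statement drops the `reference "RFC XXXX: A Yang Data Model for TACACS+";` substatement that the previous revision carried, so the initial revision no longer points at its defining document; the RFC 8407 module template includes that substatement, and I would restore it directly under `description "Initial revision.";`. The added RFC Ed. note also uses "XXXX" for two different documents, this draft and the TACACS+ Protocol (draft-ietf-opsawg-tacacs), and the same placeholder is used in the feature, identity and shared-secret `reference` statements in the next two hunks, so the editor cannot tell which number goes where. Using a distinct placeholder such as `RFC YYYY` for the protocol references, and saying so in the note, removes the ambiguity. The closing clause of the note, `and the TACACS+ Protocol refers to draft-ietf-opsawg-tacacs`, reads as a fragment; something like `the "RFC XXXX" in the feature, identity and shared-secret references is the number assigned to draft-ietf-opsawg-tacacs` would state what the editor needs.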
@@ -286,49 +291,48 @@ bit authorization { description "When set, the server is an authorization server."; } bit accounting { description "When set, the server is an accounting server."; } } description - "server-type can be set to authentication/authorization/accounting + "tcsplus-server-type can be set to + authentication/authorization/accounting or any combination of the three types. When all three types are supported, all the three bits are set."; } feature tacacsplus { description "Indicates that the device can be configured as a TACACS+ client."; reference - "draft-ietf-opsawg-tacacs-18: The TACACS+ Protocol"; + "RFC XXXX : The TACACS+ Protocol "; } identity tacacsplus { base sys:authentication-method; description "Indicates AAA operation using TACACS+."; reference - "draft-ietf-opsawg-tacacs-18: The TACACS+ Protocol"; + "RFC XXXX: The TACACS+ Protocol"; } - grouping statistics { description "Grouping for TACACS+ statistics attributes"; container statistics { config false; description "A collection of server-related statistics objects"; - leaf connection-opens { type yang:counter64; description "Number of new connection requests sent to the server, e.g. socket open"; } leaf connection-closes { type yang:counter64; description "Number of connection close requests sent to the server, e.g. @@ -351,21 +355,21 @@ "Number of connection timeouts to the server"; } leaf messages-sent { type yang:counter64; description "Number of messages sent to the server"; } leaf messages-received { type yang:counter64; description - "Number of messages received by the server"; + "Number of messages received from the server"; } leaf errors-received { type yang:counter64; description "Number of error messages received from the server"; } leaf sessions { type yang:counter64; description "Number of TACACS+ sessions completed with the server. 
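Review bot: The new feature reference `"RFC XXXX : The TACACS+ Protocol "` carries a space before the colon and a trailing space inside the string, while the identity a few lines below uses `"RFC XXXX: The TACACS+ Protocol"`; both refer to the same document and should be byte-identical, so change the feature line to `reference "RFC XXXX: The TACACS+ Protocol";`. The blank lines removed before `grouping statistics` and after the container `description` make this module's spacing inconsistent with the surrounding statements, which keep one blank line between sibling statements; I would keep them. The `messages-received` wording fix ("received from the server") is correct and matches `errors-received`.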
@@ -430,21 +434,21 @@ mandatory true; nacm:default-deny-all; description "The shared secret, which is known to both the TACACS+ client and server. TACACS+ server administrators should configure shared secret of minimum 16 characters length. It is highly recommended that shared keys are at least 32 characters long."; reference - "TACACS+ protocol"; + "RFC XXXX: The TACACS+ Protocol"; } choice source-type { description "The source address type for outbound TACACS+ packets."; case source-ip { leaf source-ip { type inet:ip-address; description "Specifies source IP address for TACACS+ outbound packets."; @@ -523,21 +528,23 @@ effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability: /system/tacacsplus/server: This list contains the objects used to control the TACACS+ servers used by the device. Unauthorized access to this list could cause a user management failure on the device . /system/tacacsplus/server/shared-secret: This leaf controls the key known to both the TACACS+ client and server. Unauthorized - access to this leaf could cause the device vulnerable to attacks. + access to this leaf could cause the device vulnerable to attacks, + therefore has been restricted using the "default-deny-all" access + control defined in [RFC8341]. This document describes the use of TACACS+ for purposes of authentication, authorization and accounting, it is vulnerable to all of the threats that are present in TACACS+ applications. For a discussion of such threats, see Section 9 of the TACACS+ Protocol [I-D.ietf-opsawg-tacacs]. 6. IANA Considerations This document registers a URI in the IETF XML registry [RFC3688]. 
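Review bot: The added security-considerations sentence, `access to this leaf could cause the device vulnerable to attacks, therefore has been restricted using the "default-deny-all" access control defined in [RFC8341].`, is ungrammatical and overstates what the module does: `nacm:default-deny-all` on the leaf (visible at the top of this hunk) is only a default that applies when NACM is enabled and no explicit rule overrides it. I would write `Unauthorized access to this leaf could leave the device vulnerable to attacks; the leaf therefore carries the NACM "default-deny-all" extension [RFC8341] so that it is neither readable nor writable unless an explicit NACM rule permits it.` The leaf description recommends a 16-character minimum and 32 characters as best practice, but as far as the hunk shows nothing in the schema enforces it; if the `type` statement, which starts outside the hunk, is a plain string, a `length "16..max"` restriction would make the minimum checkable, and otherwise the description should say the limit is advisory. The enclosing leaf and list begin outside the hunk.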
@@ -547,21 +554,22 @@ URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus Registrant Contact: The IESG. XML: N/A, the requested URI is an XML namespace. This document registers a YANG module in the YANG Module Names registry [RFC7950]. Name: ietf-system-tacacsplus Namespace: urn:ietf:params:xml:ns:yang: ietf-tacacsplus Prefix: sys-tcsplus - Reference: RFC XXXX + Reference: RFC XXXX (RFC Ed.: replace XXXX with actual + RFC number and remove this note.) 7. Acknowledgments The authors wish to thank Alex Campbell, John Heasley, Ebben Aries, Alan DeKok, Joe Clarke, Joe Clarke, Tom Petch, and many others for their helpful comments and suggestions. 8. References 8.1. Normative References
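Review bot: The YANG Module Names registration just above the changed line gives `Namespace: urn:ietf:params:xml:ns:yang: ietf-tacacsplus`, which does not match the module's namespace `urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus` that the XML registry entry at the top of this hunk registers and that the module itself declares in an earlier hunk; the line should read `Namespace: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus`. A mismatched registration means the namespace IANA records is not the one instance documents actually carry, which defeats the purpose of the registry. Separately, the acknowledgments in this hunk list `Joe Clarke, Joe Clarke` twice.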