draft-ietf-opsawg-tacacs-yang-08.txt   draft-ietf-opsawg-tacacs-yang-09.txt 
Network Working Group G. Zheng Opsawg B. Wu, Ed.
Internet-Draft M. Wang Internet-Draft G. Zheng
Intended status: Standards Track B. Wu Intended status: Standards Track M. Wang, Ed.
Expires: March 2, 2021 Huawei Expires: September 13, 2021 Huawei
August 29, 2020 March 12, 2021
Yang data model for TACACS+ YANG Data Model for TACACS+
draft-ietf-opsawg-tacacs-yang-08 draft-ietf-opsawg-tacacs-yang-09
Abstract Abstract
This document defines a TACACS+ client YANG module, that augments the This document defines a TACACS+ client YANG module, that augments the
System Management data model, defined in RFC 7317, to allow devices System Management data model, defined in RFC 7317, to allow devices
to make use of TACACS+ servers for centralized Authentication, to make use of TACACS+ servers for centralized Authentication,
Authorization and Accounting. Authorization and Accounting.
The YANG module in this document conforms to the Network Management The YANG module in this document conforms to the Network Management
Datastore Architecture (NMDA) defined in RFC 8342. Datastore Architecture (NMDA) defined in RFC 8342.
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 2, 2021. This Internet-Draft will expire on September 13, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions used in this document . . . . . . . . . . . . . . 3 2. Conventions used in this document . . . . . . . . . . . . . . 3
2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3
3. Design of the TACACS+ Data Model . . . . . . . . . . . . . . 3 3. Design of the TACACS+ Data Model . . . . . . . . . . . . . . 3
4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5 4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 5. Security Considerations . . . . . . . . . . . . . . . . . . . 12
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
8.1. Normative References . . . . . . . . . . . . . . . . . . 13 8.1. Normative References . . . . . . . . . . . . . . . . . . 13
8.2. Informative References . . . . . . . . . . . . . . . . . 14 8.2. Informative References . . . . . . . . . . . . . . . . . 14
Appendix A. Example TACACS+ Authentication Configuration . . . . 14 Appendix A. Example TACACS+ Authentication Configuration . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
This document defines a YANG module that augments the System This document defines a YANG module that augments the System
Management data model defined in the [RFC7317] to support the Management data model defined in the [RFC7317] to support the
configuration and management of TACACS+ clients. configuration and management of TACACS+ clients.
TACACS+ [I-D.ietf-opsawg-tacacs] provides device administration for TACACS+ [RFC8907] provides device administration for routers, network
routers, network access servers and other networked devices via one access servers and other networked devices via one or more
or more centralized servers. centralized servers.
The System Management Model [RFC7317] defines separate functionality The System Management Model [RFC7317] defines separate functionality
to support local and RADIUS authentication: to support local and RADIUS authentication:
o User Authentication Model: Defines a list of usernames with o User Authentication Model: Defines a list of usernames with
associated passwords and a configuration leaf to decide the order associated passwords and a configuration leaf to decide the order
in which local or RADIUS authentication is used. in which local or RADIUS authentication is used.
o RADIUS Client Model: Defines a list of RADIUS servers used by a o RADIUS Client Model: Defines a list of RADIUS servers used by a
device for centralized user authentication. device for centralized user authentication.
skipping to change at page 4, line 14 skipping to change at page 4, line 14
TACACS+ to validate users who attempt to access the router by several TACACS+ to validate users who attempt to access the router by several
mechanisms, e.g., a command line interface or a web-based user mechanisms, e.g., a command line interface or a web-based user
interface. interface.
The "server" list is directly under the "tacacs-plus" container, The "server" list is directly under the "tacacs-plus" container,
which holds a list of TACACS+ servers and uses server-type to which holds a list of TACACS+ servers and uses server-type to
distinguish between Authentication, Authorization and Accounting distinguish between Authentication, Authorization and Accounting
(AAA). The list of servers is for redundancy. (AAA). The list of servers is for redundancy.
Most of the parameters in the "server" list are taken directly from Most of the parameters in the "server" list are taken directly from
the TACACS+ protocol [I-D.ietf-opsawg-tacacs], and some are derived the TACACS+ protocol [RFC8907], and some are derived from the various
from the various implementations by network equipment manufacturers. implementations by network equipment manufacturers. For example,
For example, when there are multiple interfaces connected to the when there are multiple interfaces connected to the TACACS+ client or
TACACS+ client or server, the source address of outgoing TACACS+ server, the source address of outgoing TACACS+ packets could be
packets could be specified, or the source address could be specified specified, or the source address could be specified through the
through the interface IP address setting, or derived from the interface IP address setting, or derived from the outbound interface
outbound interface from the local FIB. For the TACACS+ server from the local FIB. For the TACACS+ server located in a Virtual
located in a Virtual Private Network(VPN), a VRF instance needs to be Private Network(VPN), a VRF instance needs to be specified.
specified.
The "statistics" container under the "server list" is a collection of The "statistics" container under the "server list" is a collection of
read-only counters for sent and received messages from a configured read-only counters for sent and received messages from a configured
server. server.
The data model for TACACS+ client has the following structure: The data model for TACACS+ client has the following structure:
module: ietf-system-tacacs-plus module: ietf-system-tacacs-plus
augment /sys:system: augment /sys:system:
+--rw tacacs-plus +--rw tacacs-plus
+--rw server* [name] +--rw server* [name]
+--rw name string +--rw name string
+--rw server-type? tacacs-plus-server-type +--rw server-type? tacacs-plus-server-type
+--rw address inet:host +--rw address inet:host
+--rw port? inet:port-number +--rw port? inet:port-number
+--rw shared-secret string +--rw (encryption)
| +--:(shared-secret)
| +--rw shared-secret? string
+--rw (source-type)? +--rw (source-type)?
| +--:(source-ip) | +--:(source-ip)
| | +--rw source-ip? inet:ip-address | | +--rw source-ip? inet:ip-address
| +--:(source-interface) | +--:(source-interface)
| +--rw source-interface? if:interface-ref | +--rw source-interface? if:interface-ref
+--rw vrf-instance? +--rw vrf-instance?
| -> /ni:network-instances/network-instance/name | -> /ni:network-instances/network-instance/name
+--rw single-connection? boolean +--rw single-connection? boolean
+--rw timeout? uint16 +--rw timeout? uint16
+--ro statistics +--ro statistics
skipping to change at page 5, line 41 skipping to change at page 5, line 43
+--ro errors-received? yang:counter64 +--ro errors-received? yang:counter64
+--ro sessions? yang:counter64 +--ro sessions? yang:counter64
4. TACACS+ Client Module 4. TACACS+ Client Module
This YANG module imports typedefs from [RFC6991]. This module also This YANG module imports typedefs from [RFC6991]. This module also
uses the interface typedef from [RFC8343], the leafref to VRF uses the interface typedef from [RFC8343], the leafref to VRF
instance from [RFC8529], and the "default-deny-all" extension instance from [RFC8529], and the "default-deny-all" extension
statement from [RFC8341]. statement from [RFC8341].
<CODE BEGINS> file "ietf-system-tacacs-plus@2020-08-28.yang" <CODE BEGINS> file "ietf-system-tacacs-plus@2021-03-12.yang"
module ietf-system-tacacs-plus { module ietf-system-tacacs-plus {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus"; namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus";
prefix sys-tcs-plus; prefix sys-tcs-plus;
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference reference
"RFC 6991: Common YANG Data Types"; "RFC 6991: Common YANG Data Types";
skipping to change at page 6, line 41 skipping to change at page 6, line 43
"IETF Opsawg (Operations and Management Area Working Group)"; "IETF Opsawg (Operations and Management Area Working Group)";
contact contact
"WG Web: <http://tools.ietf.org/wg/opsawg/> "WG Web: <http://tools.ietf.org/wg/opsawg/>
WG List: <mailto:opsawg@ietf.org> WG List: <mailto:opsawg@ietf.org>
Editor: Bo Wu <lana.wubo@huawei.com> Editor: Bo Wu <lana.wubo@huawei.com>
Editor: Guangying Zheng <zhengguangying@huawei.com>"; Editor: Guangying Zheng <zhengguangying@huawei.com>";
description description
"This module provides configuration of TACACS+ client. "This module provides configuration of TACACS+ client.
Copyright (c) 2020 IETF Trust and the persons identified as Copyright (c) 2021 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the This version of this YANG module is part of RFC XXXX; see the
RFC itself for full legal notices."; RFC itself for full legal notices.";
// RFC Ed.: update the date below with the date of RFC // RFC Ed.: update the date below with the date of RFC
// publication and remove this note. // publication and remove this note.
// RFC Ed.: replace XXXX with actual RFC number and remove // RFC Ed.: replace XXXX with actual RFC number and remove
// this note, and the TACACS+ Protocol refers to // this note.
// draft-ietf-opsawg-tacacs.
revision 2020-08-28 { revision 2021-03-12 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A Yang Data Model for TACACS+"; "RFC XXXX: A Yang Data Model for TACACS+";
} }
typedef tacacs-plus-server-type { typedef tacacs-plus-server-type {
type bits { type bits {
bit authentication { bit authentication {
description description
"When set, the server is an authentication server."; "Indicates that the TACACS server is providing authentication
services.";
} }
bit authorization { bit authorization {
description description
"When set, the server is an authorization server."; "Indicates that the TACACS server is providing authorization
services.";
} }
bit accounting { bit accounting {
description description
"When set, the server is an accounting server."; "Indicates that the TACACS server is providing accounting
services.";
} }
} }
description description
"tacacs-plus-server-type can be set to "tacacs-plus-server-type can be set to
authentication/authorization/accounting authentication/authorization/accounting
or any combination of the three types. When all three types are or any combination of the three types.";
supported, all the three bits are set.";
} }
identity tacacs-plus { identity tacacs-plus {
base sys:authentication-method; base sys:authentication-method;
description description
"Indicates AAA operation using TACACS+."; "Indicates AAA operation using TACACS+.";
reference reference
"RFC XXXX: The TACACS+ Protocol"; "RFC 8907: The TACACS+ Protocol";
} }
grouping statistics { grouping statistics {
description description
"Grouping for TACACS+ statistics attributes"; "Grouping for TACACS+ statistics attributes";
container statistics { container statistics {
config false; config false;
description description
"A collection of server-related statistics objects"; "A collection of server-related statistics objects";
leaf connection-opens { leaf connection-opens {
type yang:counter64; type yang:counter64;
description description
"Number of new connection requests sent to the server, e.g., "Number of new connection requests sent to the server, e.g.,
socket open"; socket open";
} }
skipping to change at page 9, line 45 skipping to change at page 9, line 48
"List of TACACS+ servers used by the device."; "List of TACACS+ servers used by the device.";
leaf name { leaf name {
type string; type string;
description description
"An arbitrary name for the TACACS+ server."; "An arbitrary name for the TACACS+ server.";
} }
leaf server-type { leaf server-type {
type tacacs-plus-server-type; type tacacs-plus-server-type;
description description
"Server type: authentication/authorization/accounting and "Server type: authentication/authorization/accounting and
various combinations. various combinations.";
When all three types are supported, all the three bits
are set.";
} }
leaf address { leaf address {
type inet:host; type inet:host;
mandatory true; mandatory true;
description description
"The address of the TACACS+ server."; "The address of the TACACS+ server.";
} }
leaf port { leaf port {
type inet:port-number; type inet:port-number;
default "49"; default "49";
description description
"The port number of TACACS+ Server port."; "The port number of TACACS+ Server port.";
} }
leaf shared-secret { choice encryption {
type string {
length "16..max";
}
mandatory true; mandatory true;
nacm:default-deny-all;
description description
"The shared secret, which is known to both the "Encryption mechanism between TACACS+ client and server.";
TACACS+ client and server. TACACS+ server administrators case shared-secret {
should configure shared secret of minimum 16 characters leaf shared-secret {
length. type string {
It is highly recommended that shared keys are at least 32 length "16..max";
characters long."; }
reference nacm:default-deny-all;
"RFC XXXX: The TACACS+ Protocol"; description
"The shared secret, which is known to both the
TACACS+ client and server. TACACS+ server
administrators should configure shared secret of
minimum 16 characters length.
It is highly recommended that shared keys are at least
32 characters long.";
reference
"RFC 8907: The TACACS+ Protocol";
}
}
} }
choice source-type { choice source-type {
description description
"The source address type for outbound TACACS+ packets."; "The source address type for outbound TACACS+ packets.";
case source-ip { case source-ip {
leaf source-ip { leaf source-ip {
type inet:ip-address; type inet:ip-address;
description description
"Specifies source IP address for TACACS+ outbound "Specifies source IP address for TACACS+ outbound
packets."; packets.";
skipping to change at page 11, line 9 skipping to change at page 11, line 15
} }
} }
} }
leaf vrf-instance { leaf vrf-instance {
type leafref { type leafref {
path "/ni:network-instances/ni:network-instance/ni:name"; path "/ni:network-instances/ni:network-instance/ni:name";
} }
description description
"Specifies the VPN Routing and Forwarding (VRF) instance to "Specifies the VPN Routing and Forwarding (VRF) instance to
use to communicate with the TACACS+ server."; use to communicate with the TACACS+ server.";
reference
"RFC 8529: YANG Data Model for Network Instances";
} }
leaf single-connection { leaf single-connection {
type boolean; type boolean;
default "false"; default "false";
description description
"Whether the single connection mode is enabled for the "Whether the single connection mode is enabled for the
server. By default, the single connection mode is server. By default, the single connection mode is
disabled."; disabled.";
} }
leaf timeout { leaf timeout {
skipping to change at page 12, line 25 skipping to change at page 12, line 34
effect on network operations. These are the subtrees and data nodes effect on network operations. These are the subtrees and data nodes
and their sensitivity/vulnerability: and their sensitivity/vulnerability:
/system/tacacsplus/server: This list contains the data nodes used to /system/tacacsplus/server: This list contains the data nodes used to
control the TACACS+ servers used by the device. Unauthorized control the TACACS+ servers used by the device. Unauthorized
access to this list could cause a complete control over the device access to this list could cause a complete control over the device
by pointing to a compromised TACACS+ server. by pointing to a compromised TACACS+ server.
/system/tacacsplus/server/shared-secret: This leaf controls the key /system/tacacsplus/server/shared-secret: This leaf controls the key
known to both the TACACS+ client and server. Unauthorized access known to both the TACACS+ client and server. Unauthorized access
to this leaf could cause the device vulnerable to attacks, to this leaf could make the device vulnerable to attacks,
therefore has been restricted using the "default-deny-all" access therefore has been restricted using the "default-deny-all" access
control defined in [RFC8341]. control defined in [RFC8341].
This document describes the use of TACACS+ for purposes of This document describes the use of TACACS+ for purposes of
authentication, authorization and accounting, it is vulnerable to all authentication, authorization and accounting, it is vulnerable to all
of the threats that are present in TACACS+ applications. For a of the threats that are present in TACACS+ applications. For a
discussion of such threats, see Section 9 of the TACACS+ Protocol discussion of such threats, see Section 9 of the TACACS+ Protocol
[I-D.ietf-opsawg-tacacs]. [RFC8907].
6. IANA Considerations 6. IANA Considerations
This document registers a URI in the IETF XML registry [RFC3688]. This document registers a URI in the IETF XML registry [RFC3688].
Following the format in [RFC3688], the following registration is Following the format in [RFC3688], the following registration is
requested to be made: requested to be made:
URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A, the requested URI is an XML namespace. XML: N/A, the requested URI is an XML namespace.
This document registers a YANG module in the YANG Module Names This document registers a YANG module in the YANG Module Names
registry [RFC7950]. registry [RFC7950].
Name: ietf-system-tacacs-plus Name: ietf-system-tacacs-plus
Namespace: urn:ietf:params:xml:ns:yang: ietf-system-tacacs-plus Namespace: urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus
Prefix: sys-tcs-plus Prefix: sys-tcs-plus
Reference: RFC XXXX (RFC Ed.: replace XXXX with actual Reference: RFC XXXX (RFC Ed.: replace XXXX with actual
RFC number and remove this note.) RFC number and remove this note.)
7. Acknowledgments 7. Acknowledgments
The authors wish to thank Alex Campbell, John Heasley, Ebben Aries, The authors wish to thank Alex Campbell, John Heasley, Ebben Aries,
Alan DeKok, Joe Clarke, Joe Clarke, Tom Petch, and many others for Alan DeKok, Joe Clarke, Joe Clarke, Tom Petch, Robert Wilton, and
their helpful comments and suggestions. many others for their helpful comments and suggestions.
8. References 8. References
8.1. Normative References 8.1. Normative References
[I-D.ietf-opsawg-tacacs]
Dahm, T., Ota, A., dcmgash@cisco.com, d., Carrel, D., and
L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg-
tacacs-18 (work in progress), March 2020.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
skipping to change at page 14, line 32 skipping to change at page 14, line 36
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8529] Berger, L., Hopps, C., Lindem, A., Bogdanovic, D., and X. [RFC8529] Berger, L., Hopps, C., Lindem, A., Bogdanovic, D., and X.
Liu, "YANG Data Model for Network Instances", RFC 8529, Liu, "YANG Data Model for Network Instances", RFC 8529,
DOI 10.17487/RFC8529, March 2019, DOI 10.17487/RFC8529, March 2019,
<https://www.rfc-editor.org/info/rfc8529>. <https://www.rfc-editor.org/info/rfc8529>.
[RFC8907] Dahm, T., Ota, A., Medway Gash, D., Carrel, D., and L.
Grant, "The Terminal Access Controller Access-Control
System Plus (TACACS+) Protocol", RFC 8907,
DOI 10.17487/RFC8907, September 2020,
<https://www.rfc-editor.org/info/rfc8907>.
8.2. Informative References 8.2. Informative References
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
Appendix A. Example TACACS+ Authentication Configuration Appendix A. Example TACACS+ Authentication Configuration
The following shows an example where a TACACS+ authentication server The following shows an example where a TACACS+ authentication server
instance is configured. instance is configured.
skipping to change at page 15, line 27 skipping to change at page 15, line 27
"source-ip": "192.0.2.12", "source-ip": "192.0.2.12",
"timeout": "10" "timeout": "10"
} }
] ]
} }
} }
} }
Authors' Addresses Authors' Addresses
Guangying Zheng Bo Wu (editor)
Huawei Technologies, Co., Huawei Technologies, Co.,
Ltd Ltd
101 Software Avenue, Yuhua District 101 Software Avenue, Yuhua District
Nanjing, Jiangsu 210012 Nanjing, Jiangsu 210012
China China
Email: zhengguangying@huawei.com Email: lana.wubo@huawei.com
Michael Wang Guangying Zheng
Huawei Technologies, Co., Huawei Technologies, Co.,
Ltd Ltd
101 Software Avenue, Yuhua District 101 Software Avenue, Yuhua District
Nanjing 210012 Nanjing, Jiangsu 210012
China China
Email: wangzitao@huawei.com Email: zhengguangying@huawei.com
Bo Wu Michael Wang (editor)
Huawei Technologies, Co., Huawei Technologies, Co.,
Ltd Ltd
101 Software Avenue, Yuhua District 101 Software Avenue, Yuhua District
Nanjing, Jiangsu 210012 Nanjing 210012
China China
Email: lana.wubo@huawei.com Email: wangzitao@huawei.com
 End of changes. 37 change blocks. 
69 lines changed or deleted 76 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/