Diff: draft-ietf-opsawg-tacacs-yang-11.txt - draft-ietf-opsawg-tacacs-yang-12.txt

	draft-ietf-opsawg-tacacs-yang-11.txt	draft-ietf-opsawg-tacacs-yang-12.txt

	Opsawg B. Wu, Ed.	Opsawg B. Wu, Ed.
	Internet-Draft G. Zheng	Internet-Draft G. Zheng
	Intended status: Standards Track M. Wang, Ed.	Intended status: Standards Track M. Wang, Ed.

	Expires: October 28, 2021 Huawei	Expires: November 14, 2021 Huawei
	April 26, 2021	May 13, 2021

	A YANG Module for TACACS+	A YANG Module for TACACS+

	draft-ietf-opsawg-tacacs-yang-11	draft-ietf-opsawg-tacacs-yang-12

	Abstract	Abstract

	This document defines a Terminal Access Controller Access-Control	This document defines a Terminal Access Controller Access-Control
	System Plus (TACACS+) client YANG module, that augments the System	System Plus (TACACS+) client YANG module, that augments the System
	Management data model, defined in RFC 7317, to allow devices to make	Management data model, defined in RFC 7317, to allow devices to make
	use of TACACS+ servers for centralized Authentication, Authorization	use of TACACS+ servers for centralized Authentication, Authorization
	and Accounting (AAA). Though being a standard module, this module	and Accounting (AAA). Though being a standard module, this module
	does not endorse the security mechanisms of the TACACS+ protocol (RFC	does not endorse the security mechanisms of the TACACS+ protocol (RFC
	8907) and TACACS+ MUST be used within a secure deployment.	8907) and TACACS+ MUST be used within a secure deployment.

	skipping to change at page 1, line 40 ¶	skipping to change at page 1, line 40 ¶
	Internet-Drafts are working documents of the Internet Engineering	Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute	Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-	working documents as Internet-Drafts. The list of current Internet-
	Drafts is at https://datatracker.ietf.org/drafts/current/.	Drafts is at https://datatracker.ietf.org/drafts/current/.

	Internet-Drafts are draft documents valid for a maximum of six months	Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any	and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference	time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."	material or to cite them other than as "work in progress."


	This Internet-Draft will expire on October 28, 2021.	This Internet-Draft will expire on November 14, 2021.

	Copyright Notice	Copyright Notice

	Copyright (c) 2021 IETF Trust and the persons identified as the	Copyright (c) 2021 IETF Trust and the persons identified as the
	document authors. All rights reserved.	document authors. All rights reserved.

	This document is subject to BCP 78 and the IETF Trust's Legal	This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents	Provisions Relating to IETF Documents
	(https://trustee.ietf.org/license-info) in effect on the date of	(https://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents	publication of this document. Please review these documents

	skipping to change at page 2, line 25 ¶	skipping to change at page 2, line 25 ¶
	2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3	2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3
	3. Design of the TACACS+ Data Model . . . . . . . . . . . . . . 3	3. Design of the TACACS+ Data Model . . . . . . . . . . . . . . 3
	4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5	4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5
	5. Security Considerations . . . . . . . . . . . . . . . . . . . 12	5. Security Considerations . . . . . . . . . . . . . . . . . . . 12
	6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13	6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
	7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13	7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
	8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13	8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
	8.1. Normative References . . . . . . . . . . . . . . . . . . 13	8.1. Normative References . . . . . . . . . . . . . . . . . . 13
	8.2. Informative References . . . . . . . . . . . . . . . . . 15	8.2. Informative References . . . . . . . . . . . . . . . . . 15
	Appendix A. Example TACACS+ Authentication Configuration . . . . 15	Appendix A. Example TACACS+ Authentication Configuration . . . . 15

	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16

	1. Introduction	1. Introduction

	This document defines a YANG module that augments the System	This document defines a YANG module that augments the System
	Management data model defined in the [RFC7317] to support the	Management data model defined in the [RFC7317] to support the
	configuration and management of TACACS+ clients.	configuration and management of TACACS+ clients.

	TACACS+ [RFC8907] provides device administration for routers, network	TACACS+ [RFC8907] provides device administration for routers, network
	access servers and other networked devices via one or more	access servers and other networked devices via one or more
	centralized servers.	centralized servers.

	skipping to change at page 5, line 43 ¶	skipping to change at page 5, line 43 ¶
	+--ro errors-received? yang:counter64	+--ro errors-received? yang:counter64
	+--ro sessions? yang:counter64	+--ro sessions? yang:counter64

	4. TACACS+ Client Module	4. TACACS+ Client Module

	This YANG module imports typedefs from [RFC6991]. This module also	This YANG module imports typedefs from [RFC6991]. This module also
	uses the interface typedef from [RFC8343], the leafref to VRF	uses the interface typedef from [RFC8343], the leafref to VRF
	instance from [RFC8529], and the "default-deny-all" extension	instance from [RFC8529], and the "default-deny-all" extension
	statement from [RFC8341].	statement from [RFC8341].


	<CODE BEGINS> file "ietf-system-tacacs-plus@2021-04-27.yang"	<CODE BEGINS> file "ietf-system-tacacs-plus@2021-05-13.yang"

	module ietf-system-tacacs-plus {	module ietf-system-tacacs-plus {
	yang-version 1.1;	yang-version 1.1;
	namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus";	namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus";
	prefix sys-tcs-plus;	prefix sys-tcs-plus;

	import ietf-inet-types {	import ietf-inet-types {
	prefix inet;	prefix inet;
	reference	reference
	"RFC 6991: Common YANG Data Types";	"RFC 6991: Common YANG Data Types";

	skipping to change at page 7, line 7 ¶	skipping to change at page 7, line 7 ¶
	authors of the code. All rights reserved.	authors of the code. All rights reserved.

	Redistribution and use in source and binary forms, with or	Redistribution and use in source and binary forms, with or
	without modification, is permitted pursuant to, and subject	without modification, is permitted pursuant to, and subject
	to the license terms contained in, the Simplified BSD License	to the license terms contained in, the Simplified BSD License
	set forth in Section 4.c of the IETF Trust's Legal Provisions	set forth in Section 4.c of the IETF Trust's Legal Provisions
	Relating to IETF Documents	Relating to IETF Documents
	(http://trustee.ietf.org/license-info).	(http://trustee.ietf.org/license-info).

	This version of this YANG module is part of RFC XXXX; see the	This version of this YANG module is part of RFC XXXX; see the

	RFC itself for full legal notices.";	RFC itself for full legal notices.

		The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
		NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
		'MAY', and 'OPTIONAL' in this document are to be interpreted as
		described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
		they appear in all capitals, as shown here.";

	// RFC Ed.: update the date below with the date of RFC	// RFC Ed.: update the date below with the date of RFC
	// publication and remove this note.	// publication and remove this note.
	// RFC Ed.: replace XXXX with actual RFC number and remove	// RFC Ed.: replace XXXX with actual RFC number and remove
	// this note.	// this note.


	revision 2021-04-27 {	revision 2021-05-13 {
	description	description
	"Initial revision.";	"Initial revision.";
	reference	reference
	"RFC XXXX: A YANG Module for TACACS+";	"RFC XXXX: A YANG Module for TACACS+";
	}	}

	typedef tacacs-plus-server-type {	typedef tacacs-plus-server-type {
	type bits {	type bits {
	bit authentication {	bit authentication {
	description	description

	skipping to change at page 10, line 19 ¶	skipping to change at page 10, line 26 ¶
	leaf port {	leaf port {
	type inet:port-number;	type inet:port-number;
	default "49";	default "49";
	description	description
	"The port number of TACACS+ Server port.";	"The port number of TACACS+ Server port.";
	}	}
	choice security {	choice security {
	mandatory true;	mandatory true;
	description	description
	"Security mechanism between TACACS+ client and server.	"Security mechanism between TACACS+ client and server.

	Because replacing the mandatory 'shared-secret' with	This is modelled as a YANG 'choice' so that it can be
	a future encryption mechanism will result in a	augmented by a YANG module in a backwards compatible
	non-backwards-compatible change, the purpose of	manner.";
	this 'security' choice is that new encryption
	mechanism could be augmented in as another choice.
	Note: The use of leaf 'shared-secret' does not
	provide encryption mechanism which is instead obfuscating
	the TACACS+ packet payload.";
	case obfuscation {	case obfuscation {
	leaf shared-secret {	leaf shared-secret {
	type string {	type string {
	length "1..max";	length "1..max";
	}	}
	nacm:default-deny-all;	nacm:default-deny-all;
	description	description
	"The shared secret, which is known to both the	"The shared secret, which is known to both the
	TACACS+ client and server. TACACS+ server	TACACS+ client and server. TACACS+ server
	administrators SHOULD configure a shared secret of	administrators SHOULD configure a shared secret of
	minimum 16 characters length.	minimum 16 characters length.
	It is highly recommended that this shared secret is	It is highly recommended that this shared secret is
	at least 32 characters long and sufficiently complex	at least 32 characters long and sufficiently complex
	with a mix of different character types	with a mix of different character types

	i.e. upper case, lower case, numeric, punctuation.";	i.e. upper case, lower case, numeric, punctuation.
		Note that this security mechanism is best described as
		'obfuscation' and not 'encryption' as it does not
		provide any meaningful integrity, privacy, or replay
		protection.";
	reference	reference
	"RFC 8907: The TACACS+ Protocol";	"RFC 8907: The TACACS+ Protocol";
	}	}
	}	}


	}	}
	choice source-type {	choice source-type {
	description	description
	"The source address type for outbound TACACS+ packets.";	"The source address type for outbound TACACS+ packets.";
	case source-ip {	case source-ip {
	leaf source-ip {	leaf source-ip {
	type inet:ip-address;	type inet:ip-address;
	description	description
	"Specifies source IP address for TACACS+ outbound	"Specifies source IP address for TACACS+ outbound
	packets.";	packets.";

End of changes. 10 change blocks.
	17 lines changed or deleted	23 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/