draft-ietf-opsawg-tacacs-yang-11.txt   draft-ietf-opsawg-tacacs-yang-12.txt 
Opsawg B. Wu, Ed. Opsawg B. Wu, Ed.
Internet-Draft G. Zheng Internet-Draft G. Zheng
Intended status: Standards Track M. Wang, Ed. Intended status: Standards Track M. Wang, Ed.
Expires: October 28, 2021 Huawei Expires: November 14, 2021 Huawei
April 26, 2021 May 13, 2021
A YANG Module for TACACS+ A YANG Module for TACACS+
draft-ietf-opsawg-tacacs-yang-11 draft-ietf-opsawg-tacacs-yang-12
Abstract Abstract
This document defines a Terminal Access Controller Access-Control This document defines a Terminal Access Controller Access-Control
System Plus (TACACS+) client YANG module, that augments the System System Plus (TACACS+) client YANG module, that augments the System
Management data model, defined in RFC 7317, to allow devices to make Management data model, defined in RFC 7317, to allow devices to make
use of TACACS+ servers for centralized Authentication, Authorization use of TACACS+ servers for centralized Authentication, Authorization
and Accounting (AAA). Though being a standard module, this module and Accounting (AAA). Though being a standard module, this module
does not endorse the security mechanisms of the TACACS+ protocol (RFC does not endorse the security mechanisms of the TACACS+ protocol (RFC
8907) and TACACS+ MUST be used within a secure deployment. 8907) and TACACS+ MUST be used within a secure deployment.
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 28, 2021. This Internet-Draft will expire on November 14, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 25 skipping to change at page 2, line 25
2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3
3. Design of the TACACS+ Data Model . . . . . . . . . . . . . . 3 3. Design of the TACACS+ Data Model . . . . . . . . . . . . . . 3
4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5 4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . 12 5. Security Considerations . . . . . . . . . . . . . . . . . . . 12
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
8.1. Normative References . . . . . . . . . . . . . . . . . . 13 8.1. Normative References . . . . . . . . . . . . . . . . . . 13
8.2. Informative References . . . . . . . . . . . . . . . . . 15 8.2. Informative References . . . . . . . . . . . . . . . . . 15
Appendix A. Example TACACS+ Authentication Configuration . . . . 15 Appendix A. Example TACACS+ Authentication Configuration . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
This document defines a YANG module that augments the System This document defines a YANG module that augments the System
Management data model defined in the [RFC7317] to support the Management data model defined in the [RFC7317] to support the
configuration and management of TACACS+ clients. configuration and management of TACACS+ clients.
TACACS+ [RFC8907] provides device administration for routers, network TACACS+ [RFC8907] provides device administration for routers, network
access servers and other networked devices via one or more access servers and other networked devices via one or more
centralized servers. centralized servers.
skipping to change at page 5, line 43 skipping to change at page 5, line 43
+--ro errors-received? yang:counter64 +--ro errors-received? yang:counter64
+--ro sessions? yang:counter64 +--ro sessions? yang:counter64
4. TACACS+ Client Module 4. TACACS+ Client Module
This YANG module imports typedefs from [RFC6991]. This module also This YANG module imports typedefs from [RFC6991]. This module also
uses the interface typedef from [RFC8343], the leafref to VRF uses the interface typedef from [RFC8343], the leafref to VRF
instance from [RFC8529], and the "default-deny-all" extension instance from [RFC8529], and the "default-deny-all" extension
statement from [RFC8341]. statement from [RFC8341].
<CODE BEGINS> file "ietf-system-tacacs-plus@2021-04-27.yang" <CODE BEGINS> file "ietf-system-tacacs-plus@2021-05-13.yang"
module ietf-system-tacacs-plus { module ietf-system-tacacs-plus {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus"; namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus";
prefix sys-tcs-plus; prefix sys-tcs-plus;
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference reference
"RFC 6991: Common YANG Data Types"; "RFC 6991: Common YANG Data Types";
skipping to change at page 7, line 7 skipping to change at page 7, line 7
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the This version of this YANG module is part of RFC XXXX; see the
RFC itself for full legal notices."; RFC itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here.";
// RFC Ed.: update the date below with the date of RFC // RFC Ed.: update the date below with the date of RFC
// publication and remove this note. // publication and remove this note.
// RFC Ed.: replace XXXX with actual RFC number and remove // RFC Ed.: replace XXXX with actual RFC number and remove
// this note. // this note.
revision 2021-04-27 { revision 2021-05-13 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Module for TACACS+"; "RFC XXXX: A YANG Module for TACACS+";
} }
typedef tacacs-plus-server-type { typedef tacacs-plus-server-type {
type bits { type bits {
bit authentication { bit authentication {
description description
skipping to change at page 10, line 19 skipping to change at page 10, line 26
leaf port { leaf port {
type inet:port-number; type inet:port-number;
default "49"; default "49";
description description
"The port number of TACACS+ Server port."; "The port number of TACACS+ Server port.";
} }
choice security { choice security {
mandatory true; mandatory true;
description description
"Security mechanism between TACACS+ client and server. "Security mechanism between TACACS+ client and server.
Because replacing the mandatory 'shared-secret' with This is modelled as a YANG 'choice' so that it can be
a future encryption mechanism will result in a augmented by a YANG module in a backwards compatible
non-backwards-compatible change, the purpose of manner.";
this 'security' choice is that new encryption
mechanism could be augmented in as another choice.
Note: The use of leaf 'shared-secret' does not
provide encryption mechanism which is instead obfuscating
the TACACS+ packet payload.";
case obfuscation { case obfuscation {
leaf shared-secret { leaf shared-secret {
type string { type string {
length "1..max"; length "1..max";
} }
nacm:default-deny-all; nacm:default-deny-all;
description description
"The shared secret, which is known to both the "The shared secret, which is known to both the
TACACS+ client and server. TACACS+ server TACACS+ client and server. TACACS+ server
administrators SHOULD configure a shared secret of administrators SHOULD configure a shared secret of
minimum 16 characters length. minimum 16 characters length.
It is highly recommended that this shared secret is It is highly recommended that this shared secret is
at least 32 characters long and sufficiently complex at least 32 characters long and sufficiently complex
with a mix of different character types with a mix of different character types
i.e. upper case, lower case, numeric, punctuation."; i.e. upper case, lower case, numeric, punctuation.
Note that this security mechanism is best described as
'obfuscation' and not 'encryption' as it does not
provide any meaningful integrity, privacy, or replay
protection.";
reference reference
"RFC 8907: The TACACS+ Protocol"; "RFC 8907: The TACACS+ Protocol";
} }
} }
} }
choice source-type { choice source-type {
description description
"The source address type for outbound TACACS+ packets."; "The source address type for outbound TACACS+ packets.";
case source-ip { case source-ip {
leaf source-ip { leaf source-ip {
type inet:ip-address; type inet:ip-address;
description description
"Specifies source IP address for TACACS+ outbound "Specifies source IP address for TACACS+ outbound
packets."; packets.";
 End of changes. 10 change blocks. 
17 lines changed or deleted 23 lines changed or added