--- 1/draft-ietf-opsawg-tacacs-yang-11.txt 2021-05-14 01:13:10.116106205 -0700
+++ 2/draft-ietf-opsawg-tacacs-yang-12.txt 2021-05-14 01:13:10.140106493 -0700
@@ -1,19 +1,19 @@
 Opsawg B. Wu, Ed. Internet-Draft G. Zheng Intended status: Standards Track M. Wang, Ed. -Expires: October 28, 2021 Huawei - April 26, 2021 +Expires: November 14, 2021 Huawei + May 13, 2021 A YANG Module for TACACS+ - draft-ietf-opsawg-tacacs-yang-11 + draft-ietf-opsawg-tacacs-yang-12 Abstract This document defines a Terminal Access Controller Access-Control System Plus (TACACS+) client YANG module, that augments the System Management data model, defined in RFC 7317, to allow devices to make use of TACACS+ servers for centralized Authentication, Authorization and Accounting (AAA). Though being a standard module, this module does not endorse the security mechanisms of the TACACS+ protocol (RFC 8907) and TACACS+ MUST be used within a secure deployment.
@@ -29,21 +29,21 @@
 Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on October 28, 2021. + This Internet-Draft will expire on November 14, 2021. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -60,21 +60,21 @@ 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 3. Design of the TACACS+ Data Model . . . . . . . . . . . . . . 3 4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5 5. Security Considerations . . . . . . . . . . . . . . . . . . . 12 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 8.1. Normative References . . . . . . . . . . . . . . . . . . 13 8.2. Informative References . . . . . . . . . . . . . . . . . 15 Appendix A. Example TACACS+ Authentication Configuration . . . . 15 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 1. Introduction This document defines a YANG module that augments the System Management data model defined in the [RFC7317] to support the configuration and management of TACACS+ clients. TACACS+ [RFC8907] provides device administration for routers, network access servers and other networked devices via one or more centralized servers. @@ -201,21 +201,21 @@ +--ro errors-received? yang:counter64 +--ro sessions? yang:counter64 4. TACACS+ Client Module This YANG module imports typedefs from [RFC6991]. This module also uses the interface typedef from [RFC8343], the leafref to VRF instance from [RFC8529], and the "default-deny-all" extension statement from [RFC8341]. - file "ietf-system-tacacs-plus@2021-04-27.yang" + file "ietf-system-tacacs-plus@2021-05-13.yang" module ietf-system-tacacs-plus { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus"; prefix sys-tcs-plus; import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types"; 
@@ -261,28 +261,34 @@
 authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the - RFC itself for full legal notices."; + RFC itself for full legal notices. + + The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL + NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', + 'MAY', and 'OPTIONAL' in this document are to be interpreted as + described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, + they appear in all capitals, as shown here."; // RFC Ed.: update the date below with the date of RFC // publication and remove this note. // RFC Ed.: replace XXXX with actual RFC number and remove // this note. - revision 2021-04-27 { + revision 2021-05-13 { description "Initial revision."; reference "RFC XXXX: A YANG Module for TACACS+"; } typedef tacacs-plus-server-type { type bits { bit authentication { description 
@@ -417,47 +424,47 @@
 leaf port { type inet:port-number; default "49"; description "The port number of TACACS+ Server port."; } choice security { mandatory true; description "Security mechanism between TACACS+ client and server. - Because replacing the mandatory 'shared-secret' with - a future encryption mechanism will result in a - non-backwards-compatible change, the purpose of - this 'security' choice is that new encryption - mechanism could be augmented in as another choice. - Note: The use of leaf 'shared-secret' does not - provide encryption mechanism which is instead obfuscating - the TACACS+ packet payload."; + This is modelled as a YANG 'choice' so that it can be + augmented by a YANG module in a backwards compatible + manner."; case obfuscation { leaf shared-secret { type string { length "1..max"; } nacm:default-deny-all; description "The shared secret, which is known to both the TACACS+ client and server. TACACS+ server administrators SHOULD configure a shared secret of minimum 16 characters length. It is highly recommended that this shared secret is at least 32 characters long and sufficiently complex with a mix of different character types - i.e. upper case, lower case, numeric, punctuation."; + i.e. upper case, lower case, numeric, punctuation. + Note that this security mechanism is best described as + 'obfuscation' and not 'encryption' as it does not + provide any meaningful integrity, privacy, or replay + protection."; reference "RFC 8907: The TACACS+ Protocol"; } } + } choice source-type { description "The source address type for outbound TACACS+ packets."; case source-ip { leaf source-ip { type inet:ip-address; description "Specifies source IP address for TACACS+ outbound packets.";
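Review bot: The added `}` after the `case obfuscation` block closes `choice security` before `choice source-type`, whereas on the old side `source-type` was lexically inside the `security` choice and would have been treated as a shorthand case of it; with `mandatory true` on `security`, that nesting presumably let a server entry satisfy the mandatory choice by selecting `source-type` alone with no `shared-secret`, so this is a schema fix that deserves a mention in the change log rather than a cosmetic brace. No matching brace is removed in this hunk, so the module's brace balance must be restored somewhere outside it; worth confirming with a YANG compiler that the -12 module validates and that the Section 3 tree diagram shows `source-type` as a sibling of `security`, not a child. On the new `choice security` description the intent is clearer and the compound modifier hyphenated if written as `This is modelled as a YANG 'choice' so that additional security mechanisms can be augmented in as further cases in a backwards-compatible manner.`. The `choice source-type` body continues past the end of the hunk.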