--- 1/draft-ietf-dhc-dhcpv6-yang-23.txt 2021-11-18 01:13:13.160446680 -0800 +++ 2/draft-ietf-dhc-dhcpv6-yang-24.txt 2021-11-18 01:13:13.340451163 -0800 @@ -1,18 +1,18 @@ DHC Working Group I. Farrer, Ed. Internet-Draft Deutsche Telekom AG -Intended status: Standards Track 25 October 2021 -Expires: 28 April 2022 +Intended status: Standards Track 18 November 2021 +Expires: 22 May 2022 YANG Data Model for DHCPv6 Configuration - draft-ietf-dhc-dhcpv6-yang-23 + draft-ietf-dhc-dhcpv6-yang-24 Abstract This document describes YANG data modules for the configuration and management of DHCPv6 (Dynamic Host Configuration Protocol for IPv6 RFC8415) servers, relays, and clients. Status of This Memo This Internet-Draft is submitted in full conformance with the @@ -21,21 +21,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 28 April 2022. + This Internet-Draft will expire on 22 May 2022. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights @@ -61,21 +61,21 @@ 4.2. DHCPv6 Server YANG Module . . . . . . . . . . . . . . . . 28 4.3. DHCPv6 Relay YANG Module . . . . . . . . . . . . . . . . 48 4.4. DHCPv6 Client YANG Module . . . . . . . . . . . . . . . . 58 5. Security Considerations . . . . . . . . . . . . . . . . . . . 73 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 74 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 75 8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 75 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 76 9.1. Normative References . . . . . . . . . . . . . . . . . . 76 9.2. Informative References . . . . . . . . . . . . . . . . . 78 - Appendix A. Data Tree Examples . . . . . . . . . . . . . . . . . 79 + Appendix A. Data Tree Examples . . . . . . . . . . . . . . . . . 78 A.1. DHCPv6 Server Configuration Examples . . . . . . . . . . 79 A.2. DHCPv6 Relay Configuration Example . . . . . . . . . . . 83 A.3. DHCPv6 Client Configuration Example . . . . . . . . . . . 84 Appendix B. Example of Augmenting Additional DHCPv6 Option Definitions . . . . . . . . . . . . . . . . . . . . . . . 87 Appendix C. Example Vendor Specific Server Configuration Module . . . . . . . . . . . . . . . . . . . . . . . . . 90 Appendix D. Example definition of class-selector configuration . . . . . . . . . . . . . . . . . . . . . . 97 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 104 @@ -88,23 +88,23 @@ of DHCPv6 'element' (servers, relays, and clients) using the Network Configuration Protocol (NETCONF [RFC6241]) or RESTCONF [RFC8040] protocols. Separate modules are defined for each element. Additionally, a 'common' module contains typedefs and groupings used by all of the element modules. Appendix A provides XML examples for each of the element modules and shows their interaction. The relay and client modules provide configuration which is - applicable device's interfaces. This is done by importing the ietf- - interfaces module [RFC8343] and using interface-refs to the relevant - interface(s). + applicable to devices' interfaces. This is done by importing the + ietf-interfaces module [RFC8343] and using interface-refs to the + relevant interface(s). It is worth noting that as DHCPv6 is itself a client configuration protocol, it is not the intention of this document to provide a replacement for the allocation of DHCPv6 assigned addressing and parameters by using NETCONF/YANG. The DHCPv6 client module is intended for the configuration and monitoring of the DHCPv6 client function and does not replace DHCPv6 address and parameter configuration. The YANG modules in this document adopt the Network Management @@ -895,21 +895,21 @@ * retransmission-failed: Raised when the retransmission mechanism defined in [RFC8415] has failed. 4. DHCPv6 YANG Modules 4.1. DHCPv6 Common YANG Module This module imports typedefs from [RFC6991]. - file "ietf-dhcpv6-common@2021-10-25.yang" + file "ietf-dhcpv6-common@2021-11-18.yang" module ietf-dhcpv6-common { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-dhcpv6-common"; prefix "dhc6"; organization "IETF DHC (Dynamic Host Configuration) Working Group"; contact @@ -1308,21 +1308,21 @@ container."; } } } 4.2. DHCPv6 Server YANG Module This module imports typedefs from [RFC6991], [RFC8343]. - file "ietf-dhcpv6-server@2021-10-25.yang" + file "ietf-dhcpv6-server@2021-11-18.yang" module ietf-dhcpv6-server { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-dhcpv6-server"; prefix "dhc6-srv"; import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types"; @@ -2267,21 +2267,21 @@ } uses dhc6:status; } } 4.3. DHCPv6 Relay YANG Module This module imports typedefs from [RFC6991], [RFC8343]. - file "ietf-dhcpv6-relay@2021-10-25.yang" + file "ietf-dhcpv6-relay@2021-11-18.yang" module ietf-dhcpv6-relay { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-dhcpv6-relay"; prefix "dhc6-rly"; import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types"; @@ -2733,21 +2733,21 @@ } } } } 4.4. DHCPv6 Client YANG Module This module imports typedefs from [RFC6991], [RFC8343]. - file "ietf-dhcpv6-client@2021-10-25.yang" + file "ietf-dhcpv6-client@2021-11-18.yang" module ietf-dhcpv6-client { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-dhcpv6-client"; prefix "dhc6-clnt"; import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types"; @@ -3468,53 +3468,57 @@ All data nodes defined in the YANG modules which can be created, modified, and deleted (i.e., config true, which is the default) are considered sensitive. Write operations (e.g., edit-config) to these data nodes without proper protection can have a negative effect on network operations. As the RPCs for deleting/clearing active address and prefix entries in the server and relay modules are particularly sensitive, these use 'nacm:default-deny-all'. - An attacker who is able to access the DHCPv6 server can undertake + An attacker with read/write access the DHCPv6 server can undertake various attacks, such as: * Denial of service attacks, based on re-configuring messages to a rogue DHCPv6 server. * Various attacks based on re-configuring the contents of DHCPv6 - options. For example, changing the address of a the DNS server - supplied in a DHCP option to point to a rogue server. + options, leading to several types of security or privacy threats. + For example, changing the address of a DNS server supplied in a + DHCP option to point to a rogue server. - An attacker who is able to access the DHCPv6 relay can undertake + An attacker with read/write access the DHCPv6 relay can undertake various attacks, such as: - * Re-configuring the relay's destination address to send messages to - a rogue DHCPv6 server. + * Modifying the relay's "destination-address" to send messages to a + rogue DHCPv6 server. * Deleting information about a client's delegated prefix, causing a denial of service attack as traffic will no longer be routed to the client. Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. Therefore, it is important to control read access (e.g., only permitting get, get- config, or notifications) to these data nodes. These subtrees and data nodes can be misused to track the activity of a host: * Information the server holds about clients with active leases: (dhc6-srv/allocation-ranges/allocation-range/address-pools/ address-pool/active-leases) * Information the relay holds about clients with active leases: (dhc6-rly/relay-if/prefix-delegation/) + [RFC7824] covers privacy considerations for DHCPv6 and is applicable + here. + Security considerations related to DHCPv6 are discussed in [RFC8415]. Security considerations given in [RFC7950] are also applicable here. 6. IANA Considerations This document requests IANA to register the following URIs in the "IETF XML Registry" [RFC3688]: URI: urn:ietf:params:xml:ns:yang:ietf-dhcpv6-server @@ -3672,51 +3675,45 @@ [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . [RFC8415] Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A., Richardson, M., Jiang, S., Lemon, T., and T. Winters, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 8415, DOI 10.17487/RFC8415, November 2018, . - [RFC8987] Farrer, I., Kottapalli, N., Hunek, M., and R. Patterson, - "DHCPv6 Prefix Delegating Relay Requirements", RFC 8987, - DOI 10.17487/RFC8987, February 2021, - . - [IANA-HARDWARE-TYPES] Internet Assigned Numbers Authority, "Hardware Types", . [IANA-PEN] Internet Assigned Numbers Authority, "Private Enterprise Numbers", . - [IANA-AUTH] - Internet Assigned Numbers Authority, "Dynamic Host - Configuration Protocol (DHCP) Authentication Option Name - Spaces", - . - - [IANA-STATUS] - Internet Assigned Numbers Authority, "Dynamic Host - Configuration Protocol for IPv6 (DHCPv6) Status Codes", - . - 9.2. Informative References [RFC3319] Schulzrinne, H. and B. Volz, "Dynamic Host Configuration Protocol (DHCPv6) Options for Session Initiation Protocol (SIP) Servers", RFC 3319, DOI 10.17487/RFC3319, July 2003, . + [RFC7824] Krishnan, S., Mrugalski, T., and S. Jiang, "Privacy + Considerations for DHCPv6", RFC 7824, + DOI 10.17487/RFC7824, May 2016, + . + + [RFC8987] Farrer, I., Kottapalli, N., Hunek, M., and R. Patterson, + "DHCPv6 Prefix Delegating Relay Requirements", RFC 8987, + DOI 10.17487/RFC8987, February 2021, + . + Appendix A. Data Tree Examples This section contains XML examples of data trees for the different DHCPv6 elements. A.1. DHCPv6 Server Configuration Examples The following example shows a basic configuration for a server. The configuration defines: @@ -3767,23 +3764,24 @@ 50 1 Figure 4: Basic Server Configuration Example XML - The following example shows a static host reservation within an - address pool. The host's lease timers are configured to be longer - than hosts from the pool with dynamically assigned addresses. + The following example configuration snippet shows a static host + reservation within an address pool. The host's lease timers are + configured to be longer than hosts from the pool with dynamically + assigned addresses. 1 2001:db8:1:1::/64 2001:db8:1:1::1000 2001:db8:1:1::2000 50 1 @@ -3793,23 +3791,23 @@ 1 604800 86400 172800 345600 - Figure 5: Server Host Reservation Configuration Example XML + Figure 5: Server Host Reservation Configuration Example XML Snippet - The following example shows configuration for a network range and + The following example configuration snippet shows a network range and pool to be used for delegating prefixes to clients. In this example, each client will receive a /56 prefix. The 'max-pd-space-utilization' is set to 80 so that a 'prefix-pool- utilization-threshold-exceeded' notification will be raised if the number of prefix allocations exceeds this. 1 @@ -3824,27 +3822,28 @@ 0 1 2001:db8:1::/48 56 80 - Figure 6: Server Prefix Delegation Configuration Example XML + Figure 6: Server Prefix Delegation Configuration Example XML Snippet - The next example shows the configuration of a set of options that may - be returned to clients, depending on the contents of a received DHCP - request message. The option set ID is '1', which will referenced by - other places in the configuration (e.g., address pool configuration) - as the available options for clients that request them. + The next example configuration snippet shows a set of options that + may be returned to clients, depending on the contents of a received + DHCP request message. The option set ID is '1', which will + referenced by other places in the configuration (e.g., address pool + configuration) as the available options for clients that request + them. The example shows how the option definitions can be extended via augmentation. In this case, "OPTION_SIP_SERVER_D (21) SIP Servers Domain-Name List" from the example module in Appendix B has been augmented to the server's option set. 1 Example DHCP option set @@ -3871,27 +3870,31 @@ sip1.example.org 1 sip2.example.org - Figure 7: Server Option Set Configuration Example XML + Figure 7: Server Option Set Configuration Example XML Snippet A.2. DHCPv6 Relay Configuration Example The following example shows a basic configuration for a single DHCP relay interface and its interaction with the ietf-interfaces module. - The configuration defines: + The configuration shows two XML documents, one for ietf-interfaces + and a second for ietf-dhcpv6-relay, defining: + + * Configuring an interface using the ietf-interfaces module that the + relay configuration will be applied to. * Enabling the DHCP relay function globally and for the relevant interface. * Referencing the interface that the relay configuration is relevant for via an inteface-ref to the ietf-interfaces module. * Defining two destination addresses that incoming DHCP messages will be relayed to. @@ -3926,21 +3930,25 @@ Figure 8: Basic Relay Configuration Example XML A.3. DHCPv6 Client Configuration Example The following example shows a basic configuration for a DHCP client and its interaction with the ietf-interfaces module. The - configuration defines: + configuration shows two XML documents, one for ietf-interfaces and a + second for ietf-dhcpv6-client defining: + + * Configuring an interface using the ietf-interfaces module that the + client configuration will be applied to. * Enabling the DHCP relay function globally and for the relevant interface. * References the interface that the client configuration is relevant for via an inteface-ref to the ietf-interfaces module. * Sets the client's DUID. * Configures a list of option codes that will be requested by the