draft-ietf-opsawg-tacacs-yang-05.txt   draft-ietf-opsawg-tacacs-yang-06.txt 
Network Working Group G. Zheng Network Working Group G. Zheng
Internet-Draft M. Wang Internet-Draft M. Wang
Intended status: Standards Track B. Wu Intended status: Standards Track B. Wu
Expires: November 23, 2020 Huawei Expires: December 3, 2020 Huawei
May 22, 2020 June 1, 2020
Yang data model for TACACS+ Yang data model for TACACS+
draft-ietf-opsawg-tacacs-yang-05 draft-ietf-opsawg-tacacs-yang-06
Abstract Abstract
This document defines YANG modules that augment the System Management This document defines a YANG module that augment the System
data model defined in the RFC 7317 with TACACS+ client model. The Management data model defined in the RFC 7317 with TACACS+ client
data model of Terminal Access Controller Access Control System Plus model. The data model of Terminal Access Controller Access Control
(TACACS+) client allows the configuration of TACACS+ servers for System Plus (TACACS+) client allows the configuration of TACACS+
centralized Authentication, Authorization and Accounting. servers for centralized Authentication, Authorization and Accounting.
The YANG modules in this document conforms to the Network Management The YANG module in this document conforms to the Network Management
Datastore Architecture (NMDA) defined in RFC 8342. Datastore Architecture (NMDA) defined in RFC 8342.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 23, 2020. This Internet-Draft will expire on December 3, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
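Review bot: the reworded Abstract on the -06 side reads "a YANG module that augment the System Management data model"; with the singular subject this needs "augments", and "with TACACS+ client model" wants an article ("with a TACACS+ client model"). The same sentence is repeated in the Introduction, so both copies should be fixed together. The title line also spells "Yang" where the rest of the document uses "YANG".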
skipping to change at page 2, line 16 skipping to change at page 2, line 16
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions used in this document . . . . . . . . . . . . . . 3 2. Conventions used in this document . . . . . . . . . . . . . . 3
2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3
3. Design of the Data Model . . . . . . . . . . . . . . . . . . 3 3. Design of the Data Model . . . . . . . . . . . . . . . . . . 3
4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5 4. TACACS+ Client Module . . . . . . . . . . . . . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 5. Security Considerations . . . . . . . . . . . . . . . . . . . 12
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
8.1. Normative References . . . . . . . . . . . . . . . . . . 13 8.1. Normative References . . . . . . . . . . . . . . . . . . 13
8.2. Informative References . . . . . . . . . . . . . . . . . 14 8.2. Informative References . . . . . . . . . . . . . . . . . 14
Appendix A. Example Tacacs+ Authentication Configuration . . . . 14 Appendix A. Example Tacacs+ Authentication Configuration . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
This document defines YANG modules that augment the System Management This document defines a YANG module that augment the System
data model defined in the [RFC7317] with TACACS+ client model. Management data model defined in the [RFC7317] with TACACS+ client
model.
TACACS+ provides Device Administration for routers, network access TACACS+ provides Device Administration for routers, network access
servers and other networked computing devices via one or more servers and other networked computing devices via one or more
centralized servers which is defined in the TACACS+ Protocol. centralized servers which is defined in the TACACS+ Protocol.
[I-D.ietf-opsawg-tacacs] [I-D.ietf-opsawg-tacacs]
The System Management Model [RFC7317] defines two YANG features to The System Management Model [RFC7317] defines two YANG features to
support local or RADIUS authentication: support local or RADIUS authentication:
o User Authentication Model: Defines a list of usernames and o User Authentication Model: Defines a list of usernames and
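Review bot: the Introduction's first sentence on the -06 side carries the same agreement error as the Abstract ("a YANG module that augment"); suggest "This document defines a YANG module that augments the System Management data model defined in [RFC7317] with a TACACS+ client model." In the unchanged paragraph that follows, the citation [I-D.ietf-opsawg-tacacs] sits on its own line after the full stop; placing it before the period ("...defined in the TACACS+ Protocol [I-D.ietf-opsawg-tacacs].") reads as a normal reference. The Table of Contents entry "Example Tacacs+ Authentication Configuration" should also use the "TACACS+" spelling used everywhere else.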
skipping to change at page 3, line 5 skipping to change at page 3, line 5
o RADIUS Client Model: Defines a list of RADIUS servers that a o RADIUS Client Model: Defines a list of RADIUS servers that a
device uses. device uses.
Since TACACS+ is also used for device management and the feature is Since TACACS+ is also used for device management and the feature is
not contained in the System Management model, this document defines a not contained in the System Management model, this document defines a
YANG data model that allows users to configure TACACS+ client YANG data model that allows users to configure TACACS+ client
functions on a device for centralized Authentication, Authorization functions on a device for centralized Authentication, Authorization
and Accounting provided by TACACS+ servers. and Accounting provided by TACACS+ servers.
The YANG models can be used with network management protocols such as The YANG model can be used with network management protocols such as
NETCONF[RFC6241] to install, manipulate, and delete the configuration NETCONF[RFC6241] to install, manipulate, and delete the configuration
of network devices. of network devices.
The YANG data model in this document conforms to the Network The YANG data model in this document conforms to the Network
Management Datastore Architecture (NMDA) defined in [RFC8342]. Management Datastore Architecture (NMDA) defined in [RFC8342].
2. Conventions used in this document 2. Conventions used in this document
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
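Review bot: "The YANG model can be used" now matches the singular wording of the Abstract, but the same sentence still has "NETCONF[RFC6241]" with no space before the citation; while the line is being touched, "NETCONF [RFC6241]" is the usual form.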
skipping to change at page 5, line 36 skipping to change at page 5, line 36
+--ro connection-aborts? yang:counter64 +--ro connection-aborts? yang:counter64
+--ro connection-failures? yang:counter64 +--ro connection-failures? yang:counter64
+--ro connection-timeouts? yang:counter64 +--ro connection-timeouts? yang:counter64
+--ro messages-sent? yang:counter64 +--ro messages-sent? yang:counter64
+--ro messages-received? yang:counter64 +--ro messages-received? yang:counter64
+--ro errors-received? yang:counter64 +--ro errors-received? yang:counter64
+--ro sessions? yang:counter64 +--ro sessions? yang:counter64
4. TACACS+ Client Module 4. TACACS+ Client Module
This YANG module imports typedefs from [RFC6991].
<CODE BEGINS> file "ietf-system-tacacsplus@2020-05-22.yang" <CODE BEGINS> file "ietf-system-tacacsplus@2020-05-22.yang"
module ietf-system-tacacsplus { module ietf-system-tacacsplus {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus"; namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus";
prefix sys-tcsplus; prefix sys-tcsplus;
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference reference
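Review bot: the added sentence "This YANG module imports typedefs from [RFC6991]." should name what is imported: the excerpt shown imports ietf-inet-types (prefix inet), and the tree in Section 3 uses yang:counter64, so ietf-yang-types is imported as well; both live in RFC 6991, so "imports typedefs from ietf-inet-types and ietf-yang-types [RFC6991]" is more precise. Separately, the <CODE BEGINS> file name is still ietf-system-tacacsplus@2020-05-22.yang in -06 while the draft date moved to June 1, 2020; that is correct only if the module body is unchanged in this revision, otherwise the revision statement and file name must be bumped to match.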
skipping to change at page 12, line 20 skipping to change at page 12, line 27
operations and content. operations and content.
There are a number of data nodes defined in this YANG module that are There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., config true, which is the writable/creatable/deletable (i.e., config true, which is the
default). These data nodes may be considered sensitive or vulnerable default). These data nodes may be considered sensitive or vulnerable
in some network environments. Write operations (e.g., edit-config) in some network environments. Write operations (e.g., edit-config)
to these data nodes without proper protection can have a negative to these data nodes without proper protection can have a negative
effect on network operations. These are the subtrees and data nodes effect on network operations. These are the subtrees and data nodes
and their sensitivity/vulnerability: and their sensitivity/vulnerability:
/system/tacacsplus/server: This list contains the objects used to /system/tacacsplus/server: This list contains the objects used to
control the TACACS+ servers used by the device. Unauthorized control the TACACS+ servers used by the device. Unauthorized
access to this list could cause a user management failure on the access to this list could cause a user management failure on the
device . device.
/system/tacacsplus/server/shared-secret: This leaf controls the /system/tacacsplus/server/shared-secret: This leaf controls the key
key known to both the TACACS+ client and server. Unauthorized known to both the TACACS+ client and server. Unauthorized access
access to this leaf could cause the device vulnerable to attacks, to this leaf could cause the device vulnerable to attacks,
therefore has been restricted using the "default-deny-all" access therefore has been restricted using the "default-deny-all" access
control defined in [RFC8341]. control defined in [RFC8341].
This document describes the use of TACACS+ for purposes of This document describes the use of TACACS+ for purposes of
authentication, authorization and accounting, it is vulnerable to all authentication, authorization and accounting, it is vulnerable to all
of the threats that are present in TACACS+ applications. For a of the threats that are present in TACACS+ applications. For a
discussion of such threats, see Section 9 of the TACACS+ Protocol discussion of such threats, see Section 9 of the TACACS+ Protocol
[I-D.ietf-opsawg-tacacs]. [I-D.ietf-opsawg-tacacs].
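Review bot: the rewrapped /system/tacacsplus/server/shared-secret entry still has a grammar problem in "could cause the device vulnerable to attacks, therefore has been restricted"; suggest "could leave the device vulnerable to attack; the leaf has therefore been restricted with the "default-deny-all" access control defined in [RFC8341]". Since default-deny-all in [RFC8341] withholds read as well as write access, the entry could also say that the secret is protected on retrieval, not only against unauthorized edits. The unchanged closing paragraph "This document describes the use of TACACS+ ..., it is vulnerable to all of the threats" is a comma splice; "Because this document describes ..., it is vulnerable to all of the threats" fixes it.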
6. IANA Considerations 6. IANA Considerations
skipping to change at page 15, line 29 skipping to change at page 15, line 29
"timeout": "10" "timeout": "10"
} }
] ]
} }
} }
} }
Authors' Addresses Authors' Addresses
Guangying Zheng Guangying Zheng
Huawei Huawei Technologies, Co., Ltd
101 Software Avenue, Yuhua District 101 Software Avenue, Yuhua District
Nanjing, Jiangsu 210012 Nanjing, Jiangsu 210012
China China
Email: zhengguangying@huawei.com Email: zhengguangying@huawei.com
Michael Wang Michael Wang
Huawei Technologies, Co., Huawei Technologies, Co.,
Ltd Ltd
101 Software Avenue, Yuhua District 101 Software Avenue, Yuhua District
Nanjing 210012 Nanjing 210012
China China
Email: wangzitao@huawei.com Email: wangzitao@huawei.com
Bo Wu Bo Wu
Huawei Huawei Technologies, Co., Ltd
101 Software Avenue, Yuhua District 101 Software Avenue, Yuhua District
Nanjing, Jiangsu 210012 Nanjing, Jiangsu 210012
China China
Email: lana.wubo@huawei.com Email: lana.wubo@huawei.com
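Review bot: the affiliation update to "Huawei Technologies, Co., Ltd" was applied to Guangying Zheng and Bo Wu, but Michael Wang's entry still has the name split across two lines ("Huawei Technologies, Co.," / "Ltd") and omits "Jiangsu" from the city line; aligning all three entries to the same one-line form keeps them consistent. In the example JSON at the top of the hunk, "timeout": "10" encodes the value as a string; under RFC 7951 only 64-bit integer types are quoted, so if timeout is a 16- or 32-bit unsigned leaf it should be the JSON number 10.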
 End of changes. 14 change blocks. 
21 lines changed or deleted 24 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/