--- 1/draft-ietf-netmod-system-mgmt-15.txt 2014-05-14 07:14:19.025256707 -0700 +++ 2/draft-ietf-netmod-system-mgmt-16.txt 2014-05-14 07:14:19.089258283 -0700 @@ -1,19 +1,19 @@ Network Working Group A. Bierman Internet-Draft YumaWorks Intended status: Standards Track M. Bjorklund -Expires: October 31, 2014 Tail-f Systems - April 29, 2014 +Expires: November 15, 2014 Tail-f Systems + May 14, 2014 A YANG Data Model for System Management - draft-ietf-netmod-system-mgmt-15 + draft-ietf-netmod-system-mgmt-16 Abstract This document defines a YANG data model for the configuration and identification of some common system properties within a device containing a NETCONF server. This includes data node definitions for system identification, time-of-day management, user management, DNS resolver configuration, and some protocol operations for system management. @@ -25,21 +25,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on October 31, 2014. + This Internet-Draft will expire on November 15, 2014. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -66,40 +66,40 @@ 3.3. DNS Resolver Model . . . . . . . . . . . . . . . . . . . . 8 3.4. RADIUS Client Model . . . . . . . . . . . . . . . . . . . 8 3.5. User Authentication Model . . . . . . . . . . . . . . . . 9 3.5.1. SSH Public Key Authentication . . . . . . . . . . . . 9 3.5.2. Local User Password Authentication . . . . . . . . . . 10 3.5.3. RADIUS Password Authentication . . . . . . . . . . . . 10 3.6. System Control . . . . . . . . . . . . . . . . . . . . . . 10 4. Relationship to the SNMPv2-MIB . . . . . . . . . . . . . . . . 11 5. IANA Crypt Hash YANG module . . . . . . . . . . . . . . . . . 12 6. System YANG module . . . . . . . . . . . . . . . . . . . . . . 15 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 - 8. Security Considerations . . . . . . . . . . . . . . . . . . . 33 - 9. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 35 - 9.1. 00-01 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 - 9.2. 01-02 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 - 9.3. 02-03 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 - 9.4. 03-04 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 - 9.5. 04-05 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 - 9.6. 05-06 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 - 9.7. 06-07 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 - 9.8. 07-08 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 - 9.9. 08-09 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 - 9.10. 09-10 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 - 9.11. 11-12 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 - 9.12. 13-14 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 - 9.13. 14-15 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 - 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 38 - 10.1. Normative References . . . . . . . . . . . . . . . . . . . 38 - 10.2. Informative References . . . . . . . . . . . . . . . . . . 
39 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 40 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 + 8. Security Considerations . . . . . . . . . . . . . . . . . . . 34 + 9. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 36 + 9.1. 00-01 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 + 9.2. 01-02 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 + 9.3. 02-03 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 + 9.4. 03-04 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 + 9.5. 04-05 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 + 9.6. 05-06 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 + 9.7. 06-07 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 + 9.8. 07-08 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 + 9.9. 08-09 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 + 9.10. 09-10 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 + 9.11. 11-12 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 + 9.12. 13-14 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 + 9.13. 14-15 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 + 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 39 + 10.1. Normative References . . . . . . . . . . . . . . . . . . . 39 + 10.2. Informative References . . . . . . . . . . . . . . . . . . 40 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41 1. Introduction This document defines a YANG [RFC6020] data model for the configuration and identification of some common properties within a device containing a NETCONF server. Devices that are managed by NETCONF and perhaps other mechanisms have common properties that need to be configured and monitored in a standard way. 
@@ -326,21 +326,21 @@ based User Interface. The data model for user authentication has the following structure: +--rw system +--rw authentication +--rw user-authentication-order* identityref +--rw user* [name] +--rw name string +--rw password? ianach:crypt-hash - +--rw ssh-key* [name] + +--rw authorized-key* [name] +--rw name string +--rw algorithm string +--rw key-data binary 3.5.1. SSH Public Key Authentication If the NETCONF server advertises the "local-users" feature, configuration of local users and their SSH public keys is supported in the /system/authentication/user list. @@ -410,20 +410,23 @@ +----------------+-------------------+ YANG interface configuration data nodes and related SNMPv2-MIB objects 5. IANA Crypt Hash YANG module This YANG module references [RFC1321], [IEEE-1003.1-2008], and [FIPS.180-3.2008]. + RFC Ed.: update the date below with the date of RFC publication and + remove this note. + file "iana-crypt-hash@2014-04-04.yang" module iana-crypt-hash { namespace "urn:ietf:params:xml:ns:yang:iana-crypt-hash"; prefix ianach; organization "IANA"; contact " Internet Assigned Numbers Authority @@ -548,21 +551,21 @@ 6. System YANG module This YANG module imports YANG extensions from [RFC6536], and imports YANG types from [RFC6991]. It also references [RFC1035], [RFC2865], [RFC3418], [RFC5607], [RFC5966], [RFC6557]. RFC Ed.: update the date below with the date of RFC publication and remove this note. - file "ietf-system@2014-04-04.yang" + file "ietf-system@2014-05-14.yang" module ietf-system { namespace "urn:ietf:params:xml:ns:yang:ietf-system"; prefix "sys"; import ietf-yang-types { prefix yang; } import ietf-inet-types { 
@@ -619,21 +622,21 @@ the RFC itself for full legal notices."; // RFC Ed.: replace XXXX with actual RFC number and remove this // note. // RFC Ed.: remove this note // Note: extracted from draft-ietf-netmod-system-mgmt-07.txt // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision "2014-04-04" { + revision "2014-05-14" { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for System Management"; } /* * Typedefs */ @@ -1203,52 +1206,62 @@ leaf name { type string; description "The user name string identifying this entry."; } leaf password { type ianach:crypt-hash; description "The password for this entry."; } - list ssh-key { + list authorized-key { key name; description - "A list of public SSH keys for this user."; + "A list of public SSH keys for this user. These keys + are allowed for SSH authentication, as described in + RFC 4253."; reference "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; leaf name { type string; description - "An arbitrary name for the ssh key."; - + "An arbitrary name for the SSH key."; } leaf algorithm { type string; mandatory true; description - "The public key algorithm name for this ssh key. + "The public key algorithm name for this SSH key. Valid values are the values in the IANA Secure Shell (SSH) Protocol Parameters registry, Public Key Algorithm Names"; reference "IANA Secure Shell (SSH) Protocol Parameters registry, Public Key Algorithm Names"; } leaf key-data { type binary; mandatory true; description - "The binary key data for this ssh key."; + "The binary public key data for this SSH key, as + specified by RFC 4253, Section 6.6, i.e.,: + + string certificate or public key format + identifier + byte[n] key/certificate data + "; + reference + "RFC 4253: The Secure Shell (SSH) Transport Layer + Protocol"; } } } } } /* * Operational state data nodes */ 
@@ -1349,29 +1362,29 @@ rpc system-shutdown { nacm:default-deny-all; description "Request that the entire system be shut down immediately. A server SHOULD send an rpc reply to the client before shutting down the system."; } } - 7. IANA Considerations - This document defines first version of the IANA-maintained - "iana-crypt-hash" YANG module, which will allow for new hash - algorithms to be added to the type "crypt-hash". An Expert Review, - as defined by [RFC5226], is REQUIRED, for each modification. + IANA is requested to create an IANA-maintained YANG Module called + "iana-crypt-hash", based on the contents of Section 5, which will + allow for new hash algorithms to be added to the type "crypt-hash". + The registration procedure will be Expert Review, as defined by + [RFC5226]. This document registers two URIs in the IETF XML registry [RFC3688]. Following the format in RFC 3688, the following registrations are requested to be made. URI: urn:ietf:params:xml:ns:yang:iana-crypt-hash Registrant Contact: The IESG. XML: N/A, the requested URI is an XML namespace. URI: urn:ietf:params:xml:ns:yang:ietf-system 
@@ -1451,21 +1464,21 @@ o set-current-datetime: Changes the current date and time on the device. o system-restart: Reboots the device. o system-shutdown: Shuts down the device. Since this document describes the use of RADIUS for purposes of authentication, it is vulnerable to all of the threats that are present in other RADIUS applications. For a discussion of such - threats, see [RFC2865] and [RFC3162]. + threats, see [RFC2865] and [RFC3162], and section 4 of [RFC3579]. This document provides configuration parameters for SSH's "publickey" and "password" authentication mechanisms. Section 9.4 of [RFC4251] and section 11 of [RFC4252] discuss security considerations for these mechanisms. The "iana-crypt-hash" YANG module defines a type "crypt-hash" that can be used to store MD5 hashes. [RFC6151] discusses security considerations for MD5. The usage of MD5 is NOT RECOMMENDED. @@ -1676,20 +1689,24 @@ [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration Protocol (NETCONF) Access Control Model", RFC 6536, March 2012. [RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991, July 2013. 10.2. Informative References + [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication + Dial In User Service) Support For Extensible + Authentication Protocol (EAP)", RFC 3579, September 2003. + [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, January 2004. [RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the Time Zone Database", BCP 175, RFC 6557, February 2012. Authors' Addresses Andy Bierman YumaWorks
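Review bot: in the renumbered table of contents (hunk @@ -66,40), the Change Log still ends at "9.13. 14-15" although the first hunk bumps the draft to -16; a "9.14. 15-16" section and ToC line are missing. It should record the "ssh-key" to "authorized-key" rename, the new key-data description and the rewritten IANA Considerations text, all of which are visible in the later hunks of this diff.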
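Review bot: in the tree diagram hunk (@@ -326,21) only the single line "+--rw ssh-key* [name]" is renamed to "authorized-key"; since this changes a node name in the published module namespace, check that Section 3.5.1 and any XML examples elsewhere in the draft that still say "ssh-key" were updated too, because this diff touches no other occurrence outside the module itself.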
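Review bot: in the iana-crypt-hash hunk (@@ -410,20) the new "RFC Ed.: update the date below" note is added, but the line "file "iana-crypt-hash@2014-04-04.yang"" keeps the April date while the next hunk bumps "ietf-system" to 2014-05-14. If the IANA module body is intentionally unchanged in -16 that is fine; otherwise its file name and revision statement should be bumped together with the system module so the two dates do not drift.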
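Review bot: in the module hunk (@@ -1203,52) the new description "These keys are allowed for SSH authentication, as described in RFC 4253" cites the wrong document for authentication: RFC 4253 is the SSH Transport Layer Protocol (its Section 6.6 defines the public key encoding, which is what key-data correctly references), while SSH public-key authentication is RFC 4252, already cited in the Security Considerations hunk. Suggest "as described in RFC 4252" for the list description and keep the RFC 4253 reference on key-data. Two smaller points in the same hunk: "i.e.,:" in the key-data description should read "i.e.:", and since the key-data blob now explicitly carries its own "certificate or public key format identifier" string while the mandatory "algorithm" leaf carries the same name as free-form text, the description should state that the two MUST agree (a server rejecting an entry whose embedded identifier differs from "algorithm"), otherwise the model allows the two fields to contradict each other.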
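Review bot: in the IANA Considerations hunk (@@ -1349,29) the heading line "7. IANA Considerations" appears among the removed lines but no "+" line re-adds it, and the hunk's line counts (29/29) are consistent with the heading simply being dropped while the four old text lines are replaced by five new ones. The new ToC still lists "7. IANA Considerations" on page 33, so confirm the heading survives in -16 and is not an artifact of the paragraph rewrite.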
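Review bot: in the Security Considerations hunk (@@ -1451,21) the changed sentence now reads "see [RFC2865] and [RFC3162], and section 4 of [RFC3579]", which doubles the "and"; suggest "see [RFC2865], [RFC3162], and Section 4 of [RFC3579]". The same paragraph block mixes "Section 9.4 of [RFC4251]" with "section 11 of [RFC4252]", so capitalising "Section" consistently here would be worth doing in the same edit. The matching [RFC3579] entry added in the references hunk is correctly placed in the informative list, so no further change is needed there.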