💾 Archived View for gemini.bortzmeyer.org › rfc-mirror › rfc7317.txt captured on 2021-12-04 at 18:04:22.
⬅️ Previous capture (2021-11-30)
-=-=-=-=-=-=-
Internet Engineering Task Force (IETF) A. Bierman
Request for Comments: 7317 YumaWorks
Category: Standards Track M. Bjorklund
ISSN: 2070-1721 Tail-f Systems
August 2014
A YANG Data Model for System Management
Abstract
This document defines a YANG data model for the configuration and
identification of some common system properties within a device
containing a Network Configuration Protocol (NETCONF) server. This
document also includes data node definitions for system
identification, time-of-day management, user management, DNS resolver
configuration, and some protocol operations for system management.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7317.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Bierman & Bjorklund Standards Track [Page 1]
RFC 7317 YANG System Management August 2014
Table of Contents
1. Introduction ....................................................2
1.1. Terminology ................................................3
1.2. Tree Diagrams ..............................................3
2. Objectives ......................................................4
2.1. System Identification ......................................4
2.2. System Time Management .....................................4
2.3. User Authentication ........................................4
2.4. DNS Resolver ...............................................5
2.5. System Control .............................................5
3. System Data Model ...............................................5
3.1. System Identification ......................................5
3.2. System Time Management .....................................6
3.3. DNS Resolver Model .........................................7
3.4. RADIUS Client Model ........................................7
3.5. User Authentication Model ..................................8
3.5.1. SSH Public Key Authentication .......................8
3.5.2. Local User Password Authentication ..................9
3.5.3. RADIUS Password Authentication ......................9
3.6. System Control .............................................9
4. Relationship to the SNMPv2-MIB .................................10
5. IANA Crypt Hash YANG Module ....................................10
6. System YANG Module .............................................13
7. IANA Considerations ............................................31
8. Security Considerations ........................................31
9. References .....................................................33
9.1. Normative References ......................................33
9.2. Informative References ....................................35
1. Introduction
This document defines a YANG [RFC6020] data model for the
configuration and identification of some common properties within a
device containing a Network Configuration Protocol (NETCONF) server.
Devices that are managed by NETCONF and perhaps other mechanisms have
common properties that need to be configured and monitored in a
standard way.
The "ietf-system" YANG module defined in this document provides the
following features:
o configuration and monitoring of system identification
o configuration and monitoring of system time-of-day
o configuration of user authentication
Bierman & Bjorklund Standards Track [Page 2]
RFC 7317 YANG System Management August 2014
o configuration of local users
o configuration of the DNS resolver
o system control operations (shutdown, restart, setting time)
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14, [RFC2119].
The following terms are defined in [RFC6241] and are not redefined
here:
o client
o configuration data
o server
o state data
The following terms are defined in [RFC6020] and are not redefined
here:
o augment
o data model
1.2. Tree Diagrams
A simplified graphical representation of the data model is used in
this document. The meaning of the symbols in these diagrams is as
follows:
o Brackets "[" and "]" enclose list keys.
o Abbreviations before data node names: "rw" means configuration
(read-write), and "ro" means state data (read-only).
o Symbols after data node names: "?" means an optional node, "!"
means a presence container, and "*" denotes a list and leaf-list.
Bierman & Bjorklund Standards Track [Page 3]
RFC 7317 YANG System Management August 2014
o Parentheses enclose choice and case nodes, and case nodes are also
marked with a colon (":").
o Ellipsis ("...") stands for contents of subtrees that are not
shown.
2. Objectives
2.1. System Identification
There are many common properties used to identify devices, operating
systems, software versions, etc. that need to be supported in the
system data module. These objects are defined as operational state
data, and the information returned by the server is intended to be
specific to the device vendor.
Some user-configurable administrative strings are also provided, such
as the system location and description.
2.2. System Time Management
Management of the date and time used by the system needs to be
supported. The use of one or more NTP servers to automatically set
the system date and time needs to be possible. Utilization of the
Time Zone Database [RFC6557] also needs to be supported. It should
be possible to configure the system to use NTP.
2.3. User Authentication
The authentication mechanism needs to support password authentication
over RADIUS in order to support deployment scenarios with centralized
authentication servers. Additionally, for scenarios when no
centralized authentication server exists or for situations where the
centralized authentication server cannot be reached from the device,
local users need to be supported.
Since the mandatory transport protocol for NETCONF is Secure Shell
(SSH) [RFC6242], the authentication model needs to support SSH's
"publickey" and "password" authentication methods [RFC4252].
The model for authentication configuration should be flexible enough
to support authentication methods defined by other standards
documents or by vendors. It should be possible to configure the
system authentication properties.
Bierman & Bjorklund Standards Track [Page 4]
RFC 7317 YANG System Management August 2014
2.4. DNS Resolver
The configuration of the DNS resolver within the system containing
the NETCONF server is required in order to control how domain names
are resolved.
2.5. System Control
A few operations are needed to support common tasks such as
restarting the device or setting the system date and time.
3. System Data Model
3.1. System Identification
The data model for system identification has the following structure:
+--rw system
| +--rw contact? string
| +--rw hostname? inet:domain-name
| +--rw location? string
+--ro system-state
+--ro platform
+--ro os-name? string
+--ro os-release? string
+--ro os-version? string
+--ro machine? string
Bierman & Bjorklund Standards Track [Page 5]
RFC 7317 YANG System Management August 2014
3.2. System Time Management
The data model for system time management has the following
structure:
+--rw system
| +--rw clock
| | +--rw (timezone)?
| | +--:(timezone-name)
| | | +--rw timezone-name? timezone-name
| | +--:(timezone-utc-offset)
| | +--rw timezone-utc-offset? int16
| +--rw ntp!
| +--rw enabled? boolean
| +--rw server* [name]
| +--rw name string
| +--rw (transport)
| | +--:(udp)
| | +--rw udp
| | +--rw address inet:host
| | +--rw port? inet:port-number
| +--rw association-type? enumeration
| +--rw iburst? boolean
| +--rw prefer? boolean
+--ro system-state
+--ro clock
+--ro current-datetime? yang:date-and-time
+--ro boot-datetime? yang:date-and-time
New "case" statements can be added in future revisions of this data
model, or through augmentation by some other data model.
Bierman & Bjorklund Standards Track [Page 6]
RFC 7317 YANG System Management August 2014
3.3. DNS Resolver Model
The data model for configuration of the DNS resolver has the
following structure:
+--rw system
+--rw dns-resolver
+--rw search* inet:domain-name
+--rw server* [name]
| +--rw name string
| +--rw (transport)
| +--:(udp-and-tcp)
| +--udp-and-tcp
| +--rw address inet:ip-address
| +--rw port? inet:port-number
+--rw options
+--rw timeout? uint8
+--rw attempts? uint8
New "case" statements can be added in future revisions of this data
model, or through augmentation by some other data model.
3.4. RADIUS Client Model
The data model for configuration of the RADIUS client has the
following structure:
+--rw system
+--rw radius
+--rw server* [name]
| +--rw name string
| +--rw (transport)
| | +--:(udp)
| | +--rw udp
| | +--rw address inet:host
| | +--rw authentication-port? inet:port-number
| | +--rw shared-secret string
| +--rw authentication-type? identityref
+--rw options
+--rw timeout? uint8
+--rw attempts? uint8
New "case" statements can be added in future revisions of this data
model, or through augmentation by some other data model.
Bierman & Bjorklund Standards Track [Page 7]
RFC 7317 YANG System Management August 2014
3.5. User Authentication Model
This document defines three authentication methods for use with
NETCONF:
o publickey for local users over SSH
o password for local users over any secure transport
o password for RADIUS users over any secure transport
Additional methods can be defined by other standards documents or by
vendors.
This document defines two optional YANG features: "local-users" and
"radius-authentication", which the server advertises to indicate
support for configuring local users on the device and support for
using RADIUS for authentication, respectively.
The authentication parameters defined in this document are primarily
used to configure authentication of NETCONF users but MAY also be
used by other interfaces, e.g., a command line interface or a web-
based user interface.
The data model for user authentication has the following structure:
+--rw system
+--rw authentication
+--rw user-authentication-order* identityref
+--rw user* [name]
+--rw name string
+--rw password? ianach:crypt-hash
+--rw authorized-key* [name]
+--rw name string
+--rw algorithm string
+--rw key-data binary
3.5.1. SSH Public Key Authentication
If the NETCONF server advertises the "local-users" feature,
configuration of local users and their SSH public keys is supported
in the /system/authentication/user list.
Public key authentication is requested by the SSH client. If the
"local-users" feature is supported, then when a NETCONF client starts
an SSH session towards the server using the "publickey"
authentication "method name" [RFC4252], the SSH server looks up the
Bierman & Bjorklund Standards Track [Page 8]
RFC 7317 YANG System Management August 2014
user name given in the SSH authentication request in the
/system/authentication/user list and verifies the key as described in
[RFC4253].
3.5.2. Local User Password Authentication
If the NETCONF server advertises the "local-users" feature,
configuration of local users and their passwords is supported in the
/system/authentication/user list.
For NETCONF transport protocols that support password authentication,
the leaf-list "user-authentication-order" is used to control whether
or not local user password authentication should be used.
In SSH, password authentication is requested by the client. Other
NETCONF transport protocols MAY also support password authentication.
When local user password authentication is requested, the NETCONF
transport looks up the user name provided by the client in the
/system/authentication/user list and verifies the password.
3.5.3. RADIUS Password Authentication
If the NETCONF server advertises the "radius-authentication" feature,
the device supports user authentication using RADIUS.
For NETCONF transport protocols that support password authentication,
the leaf-list "user-authentication-order" is used to control whether
or not RADIUS password authentication should be used.
In SSH, password authentication is requested by the client. Other
NETCONF transport protocols MAY also support password authentication.
3.6. System Control
The following operations are defined:
set-current-datetime
system-restart
system-shutdown
Two protocol operations are included to restart or shut down the
system. The 'system-restart' operation can be used to restart the
entire system (not just the NETCONF server). The 'system-shutdown'
operation can be used to power off the entire system.
Bierman & Bjorklund Standards Track [Page 9]
RFC 7317 YANG System Management August 2014
4. Relationship to the SNMPv2-MIB
If a device implements the SNMPv2-MIB [RFC3418], there are two
objects that MAY be mapped by the implementation. See the YANG
module definition in Section 6 for details. The following table
lists the YANG data nodes with corresponding objects in the
SNMPv2-MIB.
+----------------+-------------------+
| YANG data node | SNMPv2-MIB object |
+----------------+-------------------+
| contact | sysContact |
| location | sysLocation |
+----------------+-------------------+
YANG Interface Configuration Data Nodes and
Related SNMPv2-MIB Objects
5. IANA Crypt Hash YANG Module
This YANG module references [RFC1321], [IEEE-1003.1-2008], and
[FIPS.180-4.2012].
<CODE BEGINS> file "iana-crypt-hash@2014-08-06.yang"
module iana-crypt-hash {
namespace "urn:ietf:params:xml:ns:yang:iana-crypt-hash";
prefix ianach;
organization "IANA";
contact
" Internet Assigned Numbers Authority
Postal: ICANN
12025 Waterfront Drive, Suite 300
Los Angeles, CA 90094-2536
United States
Tel: +1 310 301 5800
E-Mail: iana@iana.org>";
description
"This YANG module defines a type for storing passwords
using a hash function and features to indicate which hash
functions are supported by an implementation.
The latest revision of this YANG module can be obtained from
the IANA web site.
Bierman & Bjorklund Standards Track [Page 10]
RFC 7317 YANG System Management August 2014
Requests for new values should be made to IANA via
email (iana@iana.org).
Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
The initial version of this YANG module is part of RFC 7317;
see the RFC itself for full legal notices.";
revision 2014-08-06 {
description
"Initial revision.";
reference
"RFC 7317: A YANG Data Model for System Management";
}
typedef crypt-hash {
type string {
pattern
'$0$.*'
+ '|$1$[a-zA-Z0-9./]{1,8}$[a-zA-Z0-9./]{22}'
+ '|$5$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{43}'
+ '|$6$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{86}';
}
description
"The crypt-hash type is used to store passwords using
a hash function. The algorithms for applying the hash
function and encoding the result are implemented in
various UNIX systems as the function crypt(3).
A value of this type matches one of the forms:
$0{body}lt;clear text password>
{body}lt;id>{body}lt;salt>{body}lt;password hash>
{body}lt;id>{body}lt;parameter>{body}lt;salt>{body}lt;password hash>
The '$0