💾 Archived View for gmi.noulin.net › rfc › rfc7317.gmi captured on 2022-04-29 at 02:34:48. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2022-01-08)
-=-=-=-=-=-=-
Keywords: NETCONF
Internet Engineering Task Force (IETF) A. Bierman Request for Comments: 7317 YumaWorks Category: Standards Track M. Bjorklund ISSN: 2070-1721 Tail-f Systems August 2014 A YANG Data Model for System Management Abstract This document defines a YANG data model for the configuration and identification of some common system properties within a device containing a Network Configuration Protocol (NETCONF) server. This document also includes data node definitions for system identification, time-of-day management, user management, DNS resolver configuration, and some protocol operations for system management. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7317. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Bierman & Bjorklund Standards Track [Page 1] RFC 7317 YANG System Management August 2014 Table of Contents 1. Introduction ....................................................2 1.1. Terminology ................................................3 1.2. Tree Diagrams ..............................................3 2. Objectives ......................................................4 2.1. System Identification ......................................4 2.2. System Time Management .....................................4 2.3. User Authentication ........................................4 2.4. DNS Resolver ...............................................5 2.5. System Control .............................................5 3. System Data Model ...............................................5 3.1. System Identification ......................................5 3.2. System Time Management .....................................6 3.3. DNS Resolver Model .........................................7 3.4. RADIUS Client Model ........................................7 3.5. User Authentication Model ..................................8 3.5.1. SSH Public Key Authentication .......................8 3.5.2. Local User Password Authentication ..................9 3.5.3. RADIUS Password Authentication ......................9 3.6. System Control .............................................9 4. Relationship to the SNMPv2-MIB .................................10 5. IANA Crypt Hash YANG Module ....................................10 6. System YANG Module .............................................13 7. IANA Considerations ............................................31 8. Security Considerations ........................................31 9. References .....................................................33 9.1. Normative References ......................................33 9.2. Informative References ....................................35 1. Introduction This document defines a YANG [RFC6020] data model for the configuration and identification of some common properties within a device containing a Network Configuration Protocol (NETCONF) server. Devices that are managed by NETCONF and perhaps other mechanisms have common properties that need to be configured and monitored in a standard way. The "ietf-system" YANG module defined in this document provides the following features: o configuration and monitoring of system identification o configuration and monitoring of system time-of-day o configuration of user authentication Bierman & Bjorklund Standards Track [Page 2] RFC 7317 YANG System Management August 2014 o configuration of local users o configuration of the DNS resolver o system control operations (shutdown, restart, setting time) 1.1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, [RFC2119]. The following terms are defined in [RFC6241] and are not redefined here: o client o configuration data o server o state data The following terms are defined in [RFC6020] and are not redefined here: o augment o data model 1.2. Tree Diagrams A simplified graphical representation of the data model is used in this document. The meaning of the symbols in these diagrams is as follows: o Brackets "[" and "]" enclose list keys. o Abbreviations before data node names: "rw" means configuration (read-write), and "ro" means state data (read-only). o Symbols after data node names: "?" means an optional node, "!" means a presence container, and "*" denotes a list and leaf-list. Bierman & Bjorklund Standards Track [Page 3] RFC 7317 YANG System Management August 2014 o Parentheses enclose choice and case nodes, and case nodes are also marked with a colon (":"). o Ellipsis ("...") stands for contents of subtrees that are not shown. 2. Objectives 2.1. System Identification There are many common properties used to identify devices, operating systems, software versions, etc. that need to be supported in the system data module. These objects are defined as operational state data, and the information returned by the server is intended to be specific to the device vendor. Some user-configurable administrative strings are also provided, such as the system location and description. 2.2. System Time Management Management of the date and time used by the system needs to be supported. The use of one or more NTP servers to automatically set the system date and time needs to be possible. Utilization of the Time Zone Database [RFC6557] also needs to be supported. It should be possible to configure the system to use NTP. 2.3. User Authentication The authentication mechanism needs to support password authentication over RADIUS in order to support deployment scenarios with centralized authentication servers. Additionally, for scenarios when no centralized authentication server exists or for situations where the centralized authentication server cannot be reached from the device, local users need to be supported. Since the mandatory transport protocol for NETCONF is Secure Shell (SSH) [RFC6242], the authentication model needs to support SSH's "publickey" and "password" authentication methods [RFC4252]. The model for authentication configuration should be flexible enough to support authentication methods defined by other standards documents or by vendors. It should be possible to configure the system authentication properties. Bierman & Bjorklund Standards Track [Page 4] RFC 7317 YANG System Management August 2014 2.4. DNS Resolver The configuration of the DNS resolver within the system containing the NETCONF server is required in order to control how domain names are resolved. 2.5. System Control A few operations are needed to support common tasks such as restarting the device or setting the system date and time. 3. System Data Model 3.1. System Identification The data model for system identification has the following structure: +--rw system | +--rw contact? string | +--rw hostname? inet:domain-name | +--rw location? string +--ro system-state +--ro platform +--ro os-name? string +--ro os-release? string +--ro os-version? string +--ro machine? string Bierman & Bjorklund Standards Track [Page 5] RFC 7317 YANG System Management August 2014 3.2. System Time Management The data model for system time management has the following structure: +--rw system | +--rw clock | | +--rw (timezone)? | | +--:(timezone-name) | | | +--rw timezone-name? timezone-name | | +--:(timezone-utc-offset) | | +--rw timezone-utc-offset? int16 | +--rw ntp! | +--rw enabled? boolean | +--rw server* [name] | +--rw name string | +--rw (transport) | | +--:(udp) | | +--rw udp | | +--rw address inet:host | | +--rw port? inet:port-number | +--rw association-type? enumeration | +--rw iburst? boolean | +--rw prefer? boolean +--ro system-state +--ro clock +--ro current-datetime? yang:date-and-time +--ro boot-datetime? yang:date-and-time New "case" statements can be added in future revisions of this data model, or through augmentation by some other data model. Bierman & Bjorklund Standards Track [Page 6] RFC 7317 YANG System Management August 2014 3.3. DNS Resolver Model The data model for configuration of the DNS resolver has the following structure: +--rw system +--rw dns-resolver +--rw search* inet:domain-name +--rw server* [name] | +--rw name string | +--rw (transport) | +--:(udp-and-tcp) | +--udp-and-tcp | +--rw address inet:ip-address | +--rw port? inet:port-number +--rw options +--rw timeout? uint8 +--rw attempts? uint8 New "case" statements can be added in future revisions of this data model, or through augmentation by some other data model. 3.4. RADIUS Client Model The data model for configuration of the RADIUS client has the following structure: +--rw system +--rw radius +--rw server* [name] | +--rw name string | +--rw (transport) | | +--:(udp) | | +--rw udp | | +--rw address inet:host | | +--rw authentication-port? inet:port-number | | +--rw shared-secret string | +--rw authentication-type? identityref +--rw options +--rw timeout? uint8 +--rw attempts? uint8 New "case" statements can be added in future revisions of this data model, or through augmentation by some other data model. Bierman & Bjorklund Standards Track [Page 7] RFC 7317 YANG System Management August 2014 3.5. User Authentication Model This document defines three authentication methods for use with NETCONF: o publickey for local users over SSH o password for local users over any secure transport o password for RADIUS users over any secure transport Additional methods can be defined by other standards documents or by vendors. This document defines two optional YANG features: "local-users" and "radius-authentication", which the server advertises to indicate support for configuring local users on the device and support for using RADIUS for authentication, respectively. The authentication parameters defined in this document are primarily used to configure authentication of NETCONF users but MAY also be used by other interfaces, e.g., a command line interface or a web- based user interface. The data model for user authentication has the following structure: +--rw system +--rw authentication +--rw user-authentication-order* identityref +--rw user* [name] +--rw name string +--rw password? ianach:crypt-hash +--rw authorized-key* [name] +--rw name string +--rw algorithm string +--rw key-data binary 3.5.1. SSH Public Key Authentication If the NETCONF server advertises the "local-users" feature, configuration of local users and their SSH public keys is supported in the /system/authentication/user list. Public key authentication is requested by the SSH client. If the "local-users" feature is supported, then when a NETCONF client starts an SSH session towards the server using the "publickey" authentication "method name" [RFC4252], the SSH server looks up the Bierman & Bjorklund Standards Track [Page 8] RFC 7317 YANG System Management August 2014 user name given in the SSH authentication request in the /system/authentication/user list and verifies the key as described in [RFC4253]. 3.5.2. Local User Password Authentication If the NETCONF server advertises the "local-users" feature, configuration of local users and their passwords is supported in the /system/authentication/user list. For NETCONF transport protocols that support password authentication, the leaf-list "user-authentication-order" is used to control whether or not local user password authentication should be used. In SSH, password authentication is requested by the client. Other NETCONF transport protocols MAY also support password authentication. When local user password authentication is requested, the NETCONF transport looks up the user name provided by the client in the /system/authentication/user list and verifies the password. 3.5.3. RADIUS Password Authentication If the NETCONF server advertises the "radius-authentication" feature, the device supports user authentication using RADIUS. For NETCONF transport protocols that support password authentication, the leaf-list "user-authentication-order" is used to control whether or not RADIUS password authentication should be used. In SSH, password authentication is requested by the client. Other NETCONF transport protocols MAY also support password authentication. 3.6. System Control The following operations are defined: set-current-datetime system-restart system-shutdown Two protocol operations are included to restart or shut down the system. The 'system-restart' operation can be used to restart the entire system (not just the NETCONF server). The 'system-shutdown' operation can be used to power off the entire system. Bierman & Bjorklund Standards Track [Page 9] RFC 7317 YANG System Management August 2014 4. Relationship to the SNMPv2-MIB If a device implements the SNMPv2-MIB [RFC3418], there are two objects that MAY be mapped by the implementation. See the YANG module definition in Section 6 for details. The following table lists the YANG data nodes with corresponding objects in the SNMPv2-MIB. +----------------+-------------------+ | YANG data node | SNMPv2-MIB object | +----------------+-------------------+ | contact | sysContact | | location | sysLocation | +----------------+-------------------+ YANG Interface Configuration Data Nodes and Related SNMPv2-MIB Objects 5. IANA Crypt Hash YANG Module This YANG module references [RFC1321], [IEEE-1003.1-2008], and [FIPS.180-4.2012]. <CODE BEGINS> file "iana-crypt-hash@2014-08-06.yang" module iana-crypt-hash { namespace "urn:ietf:params:xml:ns:yang:iana-crypt-hash"; prefix ianach; organization "IANA"; contact " Internet Assigned Numbers Authority Postal: ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094-2536 United States Tel: +1 310 301 5800 E-Mail: iana@iana.org>"; description "This YANG module defines a type for storing passwords using a hash function and features to indicate which hash functions are supported by an implementation. The latest revision of this YANG module can be obtained from the IANA web site. Bierman & Bjorklund Standards Track [Page 10] RFC 7317 YANG System Management August 2014 Requests for new values should be made to IANA via email (iana@iana.org). Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). The initial version of this YANG module is part of RFC 7317; see the RFC itself for full legal notices."; revision 2014-08-06 { description "Initial revision."; reference "RFC 7317: A YANG Data Model for System Management"; } typedef crypt-hash { type string { pattern '$0$.*' + '|$1$[a-zA-Z0-9./]{1,8}$[a-zA-Z0-9./]{22}' + '|$5$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{43}' + '|$6$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{86}'; } description "The crypt-hash type is used to store passwords using a hash function. The algorithms for applying the hash function and encoding the result are implemented in various UNIX systems as the function crypt(3). A value of this type matches one of the forms: $0{body}lt;clear text password> {body}lt;id>{body}lt;salt>{body}lt;password hash> {body}lt;id>{body}lt;parameter>{body}lt;salt>{body}lt;password hash> The '$0