The Data Model of Network Infrastructure Device Management Plane Security Baseline
draft-lin-sacm-nid-mp-security-baseline-03
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Expired".
|
|
|---|---|---|---|
| Authors | Qiushi Lin , Liang Xia , Henk Birkholz | ||
| Last updated | 2018-07-02 | ||
| RFC stream | (None) | ||
| Formats | |||
| Additional resources | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-lin-sacm-nid-mp-security-baseline-03
Security Automation and Continuous Monitoring (SACM) Q. Lin
Internet-Draft L. Xia
Intended status: Standards Track Huawei
Expires: January 3, 2019 H. Birkholz
Fraunhofer SIT
July 2, 2018
The Data Model of Network Infrastructure Device Management Plane
Security Baseline
draft-lin-sacm-nid-mp-security-baseline-03
Abstract
This document provides security baseline for network infrastructure
device management plane, which is represented by YANG data model.
The corresponding values of this YANG data model can be transported
between Security Automation and Continuous Monitoring (SACM)
components and used for network infrastructure device security
evaluation.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 3, 2019.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Lin, et al. Expires January 3, 2019 [Page 1]
Internet-Draft Network Device Management Plane Security July 2018
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . . . 3
5. Data Model Structure . . . . . . . . . . . . . . . . . . . . 4
5.1. Administrator Management Security . . . . . . . . . . . . 5
5.1.1. Administrator Security Policy . . . . . . . . . . . . 5
5.1.2. Administrator Login Security . . . . . . . . . . . . 6
5.1.3. AAA . . . . . . . . . . . . . . . . . . . . . . . . . 8
5.1.4. Administrator Access Statistics . . . . . . . . . . . 9
5.2. System Management Security . . . . . . . . . . . . . . . 10
5.2.1. SNMP Management Security . . . . . . . . . . . . . . 10
5.2.2. NETCONF Management Security . . . . . . . . . . . . . 11
5.2.3. Port Management Security . . . . . . . . . . . . . . 11
5.3. Log Security . . . . . . . . . . . . . . . . . . . . . . 12
5.4. File Security . . . . . . . . . . . . . . . . . . . . . . 12
6. Network Infrastructure Device Security Baseline Yang Module . 13
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27
9. Security Considerations . . . . . . . . . . . . . . . . . . . 27
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 27
10.1. Normative References . . . . . . . . . . . . . . . . . . 27
10.2. Informative References . . . . . . . . . . . . . . . . . 28
Appendix A. . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction
Besides user devices and servers, network infrastructure devices such
as routers, switches, and firewalls are crucial to enterprise network
security. The security baseline defined in this document is a
minimal set of security controls that are essential to provide
network security. The security posture of network devices can then
be assessed by compare the applied security controls with security
baseline and organization-specific security controls.
Network devices are typically perform three planes of operation:
management plane, control plane and data plane. All the planes
should be protected and monitored to secure the network. This
document focuses on security baseline for network device management
plane. Management plane provides configuration and monitoring
Lin, et al. Expires January 3, 2019 [Page 2]
Internet-Draft Network Device Management Plane Security July 2018
services to network administrator or device owner. Unauthorized
access, insecure access channels, weak cryptographic algorithms are
common security issues that break management plane security. A
number of security best practices have been proposed to deal with
these security issues, such as disabling unused services and ports,
discarding insecure access channels, and enforcing strong user
authentication and authorization. In this document, we provide a
minimal set of security controls that are expected to be widely
applicable to common network devices. In order to conduct security
posture assessment,the values of these security controls that applied
on network devices will then be compared with the reference values
defined by an organization or third party. As for interoperability
and extensibility, additional security controls can be specified by
organizations or provided by specific vendors.
YANG data model is used in this document to describe the security
baseline for network device management plane.
[I-D.birkholz-sacm-yang-content] defines a method to construct the
YANG data model scheme for the security posture assessment of the
network device by brokering YANG push telemetry via SACM statements.
In this document, we follow the same way to define the YANG output
for network device security posture based on the
[I-D.ietf-sacm-information-model].
Besides management plane security baseline, the security baselines
for control plane, data plane, and infrastructure layer of network
infrastructure devices are described in
[I-D.dong-sacm-nid-cp-security-baseline],
[I-D.xia-sacm-nid-dp-security-baseline] and
[I-D.dong-sacm-nid-infra-security-baseline] respectively.
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Terminology
This document uses the terms defined in [RFC6020].
4. Tree Diagrams
Tree diagram defined in [RFC8340] is used to represent the YANG data
model of network device management plane security. The meaning of
the symbols used in the tree diagram and the syntax are as follows:
Lin, et al. Expires January 3, 2019 [Page 3]
Internet-Draft Network Device Management Plane Security July 2018
o A module is identified by "module:" followed the module-name. The
top-level data nodes defined in the module, offset by 2 spaces.
Submodules are represented in the same fashion as modules, but are
identified by "submodule:" followed the (sub)module-name.
o Groupings, offset by 2 spaces, and identified by the keyword
"grouping" followed by the name of the grouping and a colon (":")
character.
o Each node in the tree is prefaces with "+--". Schema nodes that
are children of another node are offset from the parent by 3
spaces.
o Brackets "[" and "]" enclose list keys.
o Abbreviations before data node names: "rw" means configuration
(read-write) and "ro" means state data (read-only), "x" is used to
mark rpcs and actions, "w" denotes the input parameters to rpcs
and actions, and "u" indicates the use of a predefined grouping.
o Symbols after data node names: "?" means an optional node, "!"
means a presence container, and "*" denotes a "list" and "leaf-
list".
o Parentheses enclose choice and case nodes, and case nodes are also
marked with a colon (":").
o Ellipsis ("...") stands for contents of subtrees that are not
shown.
o Curly brackets and a question mark "{...}?" are combined to
represent the features that node depends on.
5. Data Model Structure
This document focuses on network infrastructure device management
plane security, including security of administrator management,
system management protocols, sytem ports, log, and local file system.
Both security configuration and runtime state of security controls
are taken into consideration. Four submodules will be illustrated in
the following sections to represent the security baseline for:
o Administrator management security
o System management protocol security and port management security
o Log security
Lin, et al. Expires January 3, 2019 [Page 4]
Internet-Draft Network Device Management Plane Security July 2018
o Local file system security
There exists a multitude of YANG models for network devices and
network protocols. For management plane security, several RFCs and
drafts have defined some related parts. But an overall data model of
management plane security is still missing. Moreover, the related
data models may only focus on part of the security functions.
Besides defining new submodules and groupings, the following sections
will also reuse the existing YANG modules and provide additional
attributes or groupings for the missing parts. Appendix A provides a
summary of existing YANG modules and the relationship to the security
baseline defined in this document.
5.1. Administrator Management Security
The "admin-management-security" submodule is divided into four parts:
submodule: admin-management-security
+--rw admin-management-security
+--rw admin-security-policy
+--rw admin-login-security
+--rw aaa-security
+--ro admin-access-statistics
5.1.1. Administrator Security Policy
In order to provide basic protection of administrator accounts,
security controls on account properties and passwords should be
applied. The commonly applied security controls include limiting the
length of account name, checking the password complied to the
complexity policy, forbidding the use of some strings in password,
blocking accounts after several login fails, etc. The following data
model illustrates these kinds of security controls.
Lin, et al. Expires January 3, 2019 [Page 5]
Internet-Draft Network Device Management Plane Security July 2018
+--rw admin-security-policy
+--rw account-security-policy
| +--rw security-policy boolean
| +--rw account-aging-period uint64
| +--rw account-name-minlen uint64
+--rw pwd-security-policy
| +--rw expire-days uint64
| +--rw prompt-days uint64
| +--rw change-check boolean
| +--rw complexity-check boolean
| +--rw history-pwd-num uint64
| +--rw pwd-minlen uint64
+--rw forbidden-word-rules
| +--rw forbidden-word-rule* [forbidden-word]
| +--rw forbidden-word string
+--rw login-failed-limit
+--rw failed-times uint64
+--rw period uint64
+--rw reactive-time uint64
5.1.2. Administrator Login Security
Network infrastructure devices typically can be managed through
command line interface (CLI) or web user interface. The web user
interface provides basic maintenance and management functions.
Sometimes an administrator still needs to use the CLI to implement
complex or fine-grained management. If insecure access channels have
to be used, several security controls should be enforced.
Lin, et al. Expires January 3, 2019 [Page 6]
Internet-Draft Network Device Management Plane Security July 2018
+--rw admin-login-security
+--rw console
| +--rw auth-mode auth-mode-type
| +--rw privilege-level uint8
+--rw vtys
| +--rw vty* [vty-number]
| +--rw vty-number uint8
| +--rw auth-mode auth-mode-type
| +--rw privilege-level uint8
| +--rw acl-name-list*? string
| +--rw ip-block-enable boolean
| +--rw ip-block-limit {ip-block-config}?
| +--rw failed-times uint64
| +--rw period uint64
| +--rw reactive-time uint64
+--rw telnet
| +--rw telnet-ipv4-enable boolean
| +--rw telnet-ipv4-server-port? inet:port-number
| +--rw telnet-ipv6-enable boolean
| +--rw telnet-ipv6-server-port? inet:port-number
| +--rw telnet-server-interface? string
| +--rw acl-name-list* string
| +--rw ip-block-enable boolean
| +--rw ip-block-limit {ip-block-config}?
| +--rw failed-times uint64
| +--rw period uint64
| +--rw reactive-time uint64
+--rw ssh
| +--rw ssh-enable boolean
| +--u ssh-server-grouping [I-D.ietf-netconf-ssh-client-server]
| +--u ssh-security-hardening
+--rw web {web-interface}?
+--rw auth-mode auth-mode-type
+--rw privilege-level uint8
+--rw http-server-interface? string
+--rw https-ipv4-enable boolean
+--rw https-ipv6-enable boolean
+--rw https-source-port? inet:port-number
+--rw https-timeout? uint32
+--rw ip-block-enable boolean
+--rw ip-block-limit {ip-block-config}?
| +--rw failed-times uint64
| +--rw period uint64
| +--rw reactive-time uint64
+--u tls-server-grouping
[I-D.ietf-netconf-tls-client-server]
In the above structure, several groupings are used.
Lin, et al. Expires January 3, 2019 [Page 7]
Internet-Draft Network Device Management Plane Security July 2018
o When an administrator log in to a device through SSH based
service, e.g. STelnet, the device acts as a SSH server. Thus,
the grouping "ssh-server-grouping" defined in
[I-D.ietf-netconf-ssh-client-server] is used. This grouping only
focuses on SSH-specific configuration, transport-level
configuration such as what ports to listen-on is not included.
Thus, configurations related to security hardening of SSH server,
for example, configuration of port number and rekey interval, are
added as grouping "ssh-security-hardening" in this document.
o When an administrator log in to a device through web interface,
the device acts as a web server. Thus, the grouping "tls-server-
grouping" defined in [I-D.ietf-netconf-tls-client-server] is used.
This grouping also focuses on TLS-specific configuration,
additional security configuration nodes are provided to augment it
in this document.
The structure of grouping "ssh-security-hardening" :
grouping ssh-security-hardening:
+--rw ssh-security-hardening
+--rw ssh-server-port? inet:port-number
+--rw ssh-rekey-interval? uint32
+--rw ssh-timeout? uint32
+--rw ssh-retry-times? uint32
+--rw ssh-compatible-ssh1x-enable boolean
+--rw ssh-server-interface? string
+--rw ip-block-enable boolean
+--rw ip-block-limit {ip-block-config}?
+--rw failed-times uint64
+--rw period uint64
+--rw reactive-time uint64
5.1.3. AAA
Authentication, Authorization, and Accounting (AAA) provides user
management for network devices. RADIUS (Remote Authentication Dial
In User Service) and TACACS+ (Terminal Access Controller Access
Control System) are the commonly used AAA mechanisms. In order to
implement AAA, network devices act as AAA clients to communicate with
AAA servers. [RFC7317] defined YANG module for client to configure
the RADIUS authentication server information. In this document,
authentication, authorization and accounting schemes, as well as AAA
server lists are all included.
Lin, et al. Expires January 3, 2019 [Page 8]
Internet-Draft Network Device Management Plane Security July 2018
+--rw aaa-security
+--rw authentication-scheme* [authen-scheme-name]
| +--rw authen-scheme-name string
| +--rw authen-mode* aaa-authen-mode
| +--rw authen-type? radius-authen-type
| +--rw authen-fail-policy boolean
+--rw authorization-scheme* [author-scheme-name]
| +--rw author-scheme-name string
| +--rw author-mode* aaa-author-mode
| +--rw cmd-author-mode* aaa-cmd-author-mode
+--rw accounting-scheme* [account-scheme-name]
| +--rw account-scheme-name string
| +--rw account-mode aaa-account-name
+--rw radius-security
| +--rw radius-authen-servers* [address]
| | +--rw address inet:host
| | +--rw port inet:port-number
| +--rw radius-author-servers*? [address]
| | +--rw address inet:host
| | +--rw port inet:port-number
| +--rw radius-account-servers* [address]
| +--rw address inet:host
| +--rw port inet:port-number
+--rw tacacs-security
+--rw tacacs-authen-servers* [address]
| +--rw address inet:host
| +--rw port inet:port-number
+--rw tacacs-author-servers*? [address]
| +--rw address inet:host
| +--rw port inet:port-number
+--rw tacacs-account-servers* [address]
+--rw address inet:host
+--rw port inet:port-number
5.1.4. Administrator Access Statistics
The statistics of the current online administrators, the failed login
attempts and the blocked addresses are useful for the monitoring of
network infrastructure devices. The structure is as follows:
Lin, et al. Expires January 3, 2019 [Page 9]
Internet-Draft Network Device Management Plane Security July 2018
+--ro admin-access-statistics
+--ro total-online-users uint32
+--ro online-admin-list {display-online-info}?
| +--ro online-users* [account-name]
| +--ro account-name string
| +--ro ip-address inet:ip-address-no-zone
| +--ro mac-address yang:mac-address
+--ro ip-block-list
+--ro blocked-ip* [ip-address]
+--ro ip-address inet:ip-address-no-zone
+--ro vpn-instance string
+--rw state ip-block-state-type
+--rw authen-fail-account uint32
5.2. System Management Security
The "system-management-security" submodule is divided into three
parts:
submodule: system-management-security
+--rw system-management-security
+--rw snmp-security
+--rw netconf-security
+--rw port-management-security
5.2.1. SNMP Management Security
Simple Network Management Protocol (SNMP) is a network management
standard to monitor network devices. Three SNMP versions are
available: SNMPv1, SNMPv2c, and SNMPv3. [RFC7407] defines community-
based security model for SNMPv1 and SNMPv2c, view-based access
control model and user-based security model for SNMPv3. The
following module reuses the subtrees defined in RFC7407 for SNMP
security configuration, and only supplements ACL configuration for
VACM group.
Lin, et al. Expires January 3, 2019 [Page 10]
Internet-Draft Network Device Management Plane Security July 2018
+--rw snmp-security [RFC7407]
+--rw target* [name]
| ...
+--rw target-params* [name]
| ...
+--rw community* [index]
| ...
+--rw vacm
| +--rw group* [name]
| +--rw name snmp:group-name
| +--rw access* [context security-model security-level]
| ...
| +--rw acl-name-list* string
+--rw usm
...
5.2.2. NETCONF Management Security
The NETCONF server model defined in
[I-D.ietf-netconf-netconf-client-server] supports both the SSH and
TLS transport protocols. To conduct more security controls on
NETCONF based operations, authorization rules can be used to control
which operations can be done and which resources can be accessed.
+--rw netconf-security
+--rw listen {listen}? [I-D.ietf-netconf-netconf-client-server]
| ...
+--rw call-home {call-home}? [I-D.ietf-netconf-netconf-client-server]
| ...
+--rw netconf-authorization?
+--rw task-group-rules* [task-group-name]
| +--rw task-group-name string
| +--rw task-group-rule* [rule-name]
| +--rw rule-name string
| +--rw rule-type identityref
+--rw user-group-rules* [user-group-name]
+--rw user-group-name string
+--rw user-group-rule* [rule-name]
+--rw rule-name string
+--rw rule-type identityref
5.2.3. Port Management Security
As it is suggested to disable unused service and ports, the current
status (open or shut-down) of the ports that are available on the
network devices can be retrieved and compared with the communication
matrix to check the device security posture.
Lin, et al. Expires January 3, 2019 [Page 11]
Internet-Draft Network Device Management Plane Security July 2018
+--rw port-management-security
+--rw port-list* [port-number]
+--rw port-number inet:port-number
+--rw port-status boolean
5.3. Log Security
To monitor the running status and diagnose faults or attacks on
network devices, the activities of network administrators, the
operations conducted on devices, and the security notification of
abnormal events are needed to be recorded in logs. Besides, policy
should be defined to deal with log overflow. Log records can be
outputted to console, or stored locally, or outputted to remote
Syslog server. The following defined "log-mode" subtree reuses the
security configuration of log remote transfer in
[I-D.ietf-netmod-syslog-model], and adds access control for locally
stored log files.
submodule: log-security
+--rw log-security
+--rw alert-notification
| +--rw login-fail-threshold uint8
| +--rw system-abnormal boolean
| +--rw attack boolean
| +--rw log-overflow-lost boolean
+--rw (log-overflow-action)
| +--:(rewrite-when-overflow) boolean
| | +--ro rewrite-numbers uint16
| +--:(discard-new-logs) boolean
| +--ro discard-numbers uint16
+--rw (log-mode)
+--:(file) {file-action}?
| +--rw user-level-for-read uint8
| +--rw user-level-for-delete uint8
+--:(remote) {remote-action}? [I-D.ietf-netmod-syslog-model]
+--rw destination* [name]
+--rw name string
+--rw (transport)
| ...
+--rw signing! {signed-messages}?
...
5.4. File Security
Patches, packages, configuration files, password files are critical
system files for network infrastructure devices. To provide
security, only administrators with certain security privilege levels
are allowed to access or operate on these files. For file transfer
Lin, et al. Expires January 3, 2019 [Page 12]
Internet-Draft Network Device Management Plane Security July 2018
security, secure protocol should be used. If insecure protocol has
to be used, security hardening needs to be implemented.
+--rw file-security
+--rw role-based-access-control boolean
+--rw ftp-transfer
| +--rw ftp-enable boolean
| +--rw ftp-server-port inet:port-number
| +--rw ip-block-enable boolean
| +--rw ip-block-limit {ip-block-config}?
| +--rw failed-times uint64
| +--rw period uint64
| +--rw reactive-time uint64
+--rw sftp-transfer
| +--rw sftp-enable boolean
| +--rw sftp-server-port inet:port-number
| +--u ssh-server-grouping
| [I-D.ietf-netconf-ssh-client-server]
| +--u ssh-security-hardening
+--rw scp-transfer
| +--rw scp-enable boolean
| +--rw scp-server-port inet:port-number
| +--u ssh-server-grouping
| [I-D.ietf-netconf-ssh-client-server]
| +--u ssh-security-hardening
+--rw ftps-transfer
+--rw ftps-enable boolean
+--rw ftps-server-port inet:port-number
+--u tls-server-grouping
[I-D.ietf-netconf-tls-client-server]
+--rw ip-block-enable boolean
+--rw ip-block-limit {ip-block-config}?
+--rw failed-times uint64
+--rw period uint64
+--rw reactive-time uint64
6. Network Infrastructure Device Security Baseline Yang Module
<CODE BEGINS> file "ietf-management-plane-security@2018-06-29.yang"
module ietf-management-plane-security {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-management-plane-security";
prefix mp-sec;
import ietf-inet-types {
prefix inet;
reference "RFC 6991 - Common YANG Data Types.";
}
Lin, et al. Expires January 3, 2019 [Page 13]
Internet-Draft Network Device Management Plane Security July 2018
import ietf-yang-types {
prefix yang;
reference
"RFC 6991 - Common YANG Data Types.";
}
import ietf-tls-server {
prefix tlss;
reference "draft-ietf-netconf-tls-client-server";
}
import ietf-ssh-server {
prefix sshs;
reference "draft-ietf-netconf-ssh-client-server";
}
organization
"IETF SACM (Security Automation and Continuous Monitoring) Working Group";
contact
"WG Web: http://tools.ietf.org/wg/sacm/
WG List: sacm@ietf.org
Editor: Qiushi Lin
linqiushi@huawei.com;
Editor: Liang Xia
frank.xialiang@huawei.com
Editor: Henk Birkholz
henk.birkholz@sit.fraunhofer.de";
description
"This YANG module defines groupings that are used by ietf-management-plane-security YANG module. Their usage is not limited to ietf-management-plane-security and can be used anywhere as applicable.";
revision 2018-06-29 {
description "Initial version.";
reference "draft-lin-sacm-nid-mp-security-baseline-03";
}
/*
* features
*/
feature web-interface {
description "The network device supports web interface for administrator to manage itself.";
}
feature ip-block-config {
description "Whether the network device supports the configuration of ip block function.";
}
Lin, et al. Expires January 3, 2019 [Page 14]
Internet-Draft Network Device Management Plane Security July 2018
feature display-online-info {
description "Whether the device supports providing a list of online administrators.";
}
/*
* typedefs
*/
typedef auth-mode-type {
type enumeration {
enum "none" {
description "Authentication mode: none.";
}
enum "password" {
description "Authentication mode: password.";
}
enum "aaa" {
description "Authentication mode: aaa.";
}
}
description "The Authentication mode of console and vty interface.";
}
typedef aaa-authen-mode {
type enumeration {
enum "invalid" {
description "Invalid authentication mode.";
}
enum "local" {
description "Local authentication mode.";
}
enum "tacacs" {
description "TACACS authentication mode. ";
}
enum "radius" {
description "RADIUS authentication mode. ";
}
enum "none" {
description "In this mode, users can pass with authentication.";
}
enum "radius-proxy" {
description "RADIUS proxy authentication mode.";
}
}
description "Diffrent types of authentication modes.";
}
typedef radius-authen-type {
type enumeration {
Lin, et al. Expires January 3, 2019 [Page 15]
Internet-Draft Network Device Management Plane Security July 2018
enum "pap" {
description "PAP authentication";
}
enum "chap" {
description "CHAP authentication.";
}
}
description "Different authentication types of RADIUS authentication.";
}
typedef aaa-author-mode {
type enumeration {
enum "invalid" {
description "Invalid authorization mode.";
}
enum "local" {
description "Local authorization mode.";
}
enum "tacacs" {
description "TACACS authorization mode.";
}
enum "if-authenticated" {
description "If-authenticated mode: If users pass the authentication and the authentication is not in this mode, it indicates that the user authorization is passed. Otherwise, the authorization is not passed.";
}
enum "none" {
description "Users can pass without authorization.";
}
}
description "Different types of AAA authorization modes.";
}
typedef aaa-cmd-author-mode {
type enumeration {
enum "invalid" {
description "Invalid command line authorization mode.";
}
enum "local" {
description "Local command line authorization mode.";
}
enum "tacacs" {
description "Specifies that the TACACS mode is applied.";
}
}
description "Different types of command line authorization modes.";
}
typedef aaa-account-mode {
type enumeration {
Lin, et al. Expires January 3, 2019 [Page 16]
Internet-Draft Network Device Management Plane Security July 2018
enum "invalid" {
description "invalid accounting mode.";
}
enum "radius" {
description "RADIUS accounting mode. ";
}
enum "tacacs" {
description "TACACS accounting mode. ";
}
enum "none" {
description "In this mode, users do not be accounting.";
}
}
description "Different types of accounting modes.";
}
typedef ip-block-state-type {
type enumeration {
enum "authenfail" {
description "Authentication fialed State";
}
enum "blocked" {
description "BLOCKED State";
}
}
description "The status of an login failed IP address";
}
/*
* groupings
*/
grouping ssh-security-hardening {
leaf ssh-server-port {
type inet:port-number;
description "The port number of SSH server.";
}
leaf ssh-rekey-interval {
type uint32;
description "The interval for updating the key pair of the SSH server.";
}
leaf ssh-timeout {
type uint32;
description "The authentication timeout period of SSH.";
}
leaf ssh-retry-times {
type uint32;
description "The authentication retry times.";
}
Lin, et al. Expires January 3, 2019 [Page 17]
Internet-Draft Network Device Management Plane Security July 2018
leaf ssh-compatible-ssh1x-enable {
type boolean;
description "The status of version-compatible function on the SSH server: enabled, disabled.";
}
leaf ssh-server-interface {
type string;
description "The source interface of SSH server.";
}
leaf ip-block-enable {
type boolean;
description "The status of ip block function: enabled, or disabled.";
}
container ip-block-limit {
if-feature ip-block-config;
leaf failed-times {
type uint64;
description "The failed times in a certain perid.";
}
leaf peroid {
type uint64;
description "The certain period in which the failed times are counted.";
}
leaf reactive-time {
type uint64;
description "The reactive time after which the address is not blocked.";
}
description "If the login from an address failed several times in a certain period, this address will be blocked for a certain time range.";
}
description "A set of SSH configuration status to enhance security.";
}
/*
* admin-security-policy
*/
container admin-security-policy {
container account-sec-policy {
leaf security-policy {
type boolean;
description "The status of account security policy: enabled, or disabled.";
}
leaf account-aging-period {
type uint64;
description "The aging period of an administrator.";
}
leaf account-name-minlen {
type uint64;
description "The minimum length of an administrator account name";
}
Lin, et al. Expires January 3, 2019 [Page 18]
Internet-Draft Network Device Management Plane Security July 2018
description "Get configuration data about administrator account security policy.";
}
container pwd-sec-policy {
leaf expire-days {
type uint64;
description "The password validity period.";
}
leaf prompt-days {
type uint64;
description "The period for advance warning before the password expires.";
}
leaf change-check {
type boolean;
description "The status of mandatory password change when a password is used for the first time: enabled, or disabled.";
}
leaf complexity-check {
type boolean;
description "The status of password complexity check: enable, or disable.";
}
leaf history-pwd-num {
type uint64;
description "The newly configured password should not be the same as the several past passwords.";
}
leaf pwd-minlen {
type uint64;
description "The minimum length of a password.";
}
description "Get configuration data about password security policy.";
}
container forbidden-word-rules {
list forbidden-word-rule {
key "forbidden-word";
leaf forbidden-word {
type string;
description "A forbidden word in password.";
}
description "A list of forbidden words that are not allowed to be used in password.";
}
description "Password blacklist.";
}
container login-failed-limit {
leaf failed-times {
type uint64;
description "The failed time in a certain period.";
}
leaf peroid {
type uint64;
description "The certain period in which the failed times are counted.";
Lin, et al. Expires January 3, 2019 [Page 19]
Internet-Draft Network Device Management Plane Security July 2018
}
leaf reactive-time {
type uint64;
description "The reactive time after which the account is not blocked.";
}
description "If an account login failed several times in a certain period, this account will be blocked for a certain time range.";
}
description "Get configuration data about administrator security policy.";
}
/*
* admin-login-security
*/
grouping admin-login-security {
container console {
leaf auth-mode {
type auth-mode-type;
description "The authentication mode used when administrator login through console interface: none, password, AAA.";
}
leaf privilege-level {
type uint8;
description "User privilege level.";
}
description "Status of security contorls for console interface.";
}
container vtys {
list vty {
key "vty-number";
leaf vty-number {
type uint8;
description "The number of the vty interface.";
}
leaf auth-mode {
type auth-mode-type;
description "The authentication mode used when administrator login through vty interface: none, password, AAA.";
}
leaf privilege-level {
type uint8;
description "User privilege level.";
}
leaf-list acl-name-list {
type string;
description "The name of the acl.";
}
leaf ip-block-enable {
type boolean;
description "The status of ip block function: enabled, or disabled.";
Lin, et al. Expires January 3, 2019 [Page 20]
Internet-Draft Network Device Management Plane Security July 2018
}
container ip-block-limit {
if-feature ip-block-config;
leaf failed-times {
type uint64;
description "The failed times in a certain perid.";
}
leaf peroid {
type uint64;
description "The certain period in which the failed times are counted.";
}
leaf reactive-time {
type uint64;
description "The reactive time after which the address is not blocked.";
}
description "If the login from an address failed several times in a certain period, this address will be blocked for a certain time range.";
}
description "A list of vty interface configuration status.";
}
description "Configuration status of security contorls for vty interface.";
}
container telnet {
leaf telnet-ipv4-enable {
type boolean;
description "The status of ipv4 telnet server: enabled, or disabled.";
}
leaf telnet-ipv4-server-port {
type inet:port-number;
description "The port number of ipv4 telnet server.";
}
leaf telnet-ipv6-enable {
type boolean;
description "The status of ipv6 telnet server: enabled, or disabled.";
}
leaf telnet-ipv6-server-port {
type inet:port-number;
description "The port number of ipv6 telnet server.";
}
leaf telnet-server-interface {
type string;
description "The source interface of telnet server.";
}
leaf-list acl-name-list {
type string;
description "The name of the acl.";
}
leaf ip-block-enable {
type boolean;
Lin, et al. Expires January 3, 2019 [Page 21]
Internet-Draft Network Device Management Plane Security July 2018
description "Whether the ip block function is enabled: enabled, disabled.";
}
container ip-block-limit {
if-feature ip-block-config;
leaf failed-times {
type uint64;
description "The failed times in a certain perid.";
}
leaf peroid {
type uint64;
description "The certain period in which the failed times are counted.";
}
leaf reactive-time {
type uint64;
description "The reactive time after which the address is not blocked.";
}
description "If the login from an address failed several times in a certain period, this address will be blocked for a certain time range.";
}
description "Configuration status of security contorls for telnet login.";
}
container ssh {
leaf ssh-enable {
type boolean;
description "The status of SSH server: enabled, or disabled.";
}
uses sshs:ssh-server-grouping;
uses ssh-security-hardening;
description "Configuration status of security contorls for SSH login.";
}
container web {
if-feature web-interface;
uses tlss:tls-server-grouping;
leaf auth-mode {
type auth-mode-type;
description "The authentication mode used when administrator login through web interface: none, password, AAA.";
}
leaf privilege-level {
type uint8;
description "User privilege level.";
}
leaf http-server-interface {
type string;
description "The source interface of web server.";
}
leaf https-ipv4-enable {
type boolean;
description "The status of ipv4 https server: enabled, disabled.";
}
Lin, et al. Expires January 3, 2019 [Page 22]
Internet-Draft Network Device Management Plane Security July 2018
leaf https-ipv6-enable {
type boolean;
description "The status of ipv6 https server: enabled, disabled.";
}
leaf https-source-port {
type inet:port-number;
description "The port number of web server.";
}
leaf https-timeout {
type uint32;
description "The authentication timeout period of https.";
}
leaf ip-block-enable {
type boolean;
description "The status of ip block function: enabled, or disabled.";
}
container ip-block-limit {
if-feature ip-block-config;
leaf failed-times {
type uint64;
description "The failed times in a certain perid.";
}
leaf peroid {
type uint64;
description "The certain period in which the failed times are counted.";
}
leaf reactive-time {
type uint64;
description "The reactive time after which the address is not blocked.";
}
description "If the login from an address failed several times in a certain period, this address will be blocked for a certain time range.";
}
description "If the network device supports web interface. The configuration status of the web server.";
}
description "Configuration status of different types of login interfaces.";
}
container aaa-security {
list authentication-scheme {
key "authen-scheme-name";
leaf authen-scheme-name {
type string;
description "The name of the authentication scheme.";
}
leaf-list authen-mode {
type aaa-authen-mode;
description "A list of authentication modes with different preference level. The second, third, and the following authentication mode is used only when the first authentication mode does not respond.";
}
Lin, et al. Expires January 3, 2019 [Page 23]
Internet-Draft Network Device Management Plane Security July 2018
leaf authen-type {
type radius-authen-type;
description "Authentication type of RADIUS: PAP, CHAP.";
}
leaf authen-fail-policy {
type boolean;
description "The policy to be adopted after user authentication fail: force the user to be offline, allow user login to a domain with access control.";
}
description "Authentication scheme list.";
}
list authorization-scheme {
key "author-scheme-name";
leaf author-scheme-name {
type string;
description "The name of the authorization scheme.";
}
leaf-list auhtor-mode {
type aaa-author-mode;
description "A list of authorization modes with different preference level. The second, third, and the following authorization mode is used only when the first authorization mode does not respond.";
}
leaf-list cmd-auhtor-mode {
type aaa-cmd-author-mode;
description "A list of command line authorization modes with different preference level. The second, third, and the following command line authorization mode is used only when the first command line authorization mode does not respond.";
}
description "Authorization scheme list.";
}
list accounting-scheme {
key "account-scheme-name";
leaf account-scheme-name {
type string;
description "The name of the accounting scheme.";
}
leaf account-mode {
type aaa-account-mode;
description "Accounting mode.";
}
description "Accounting scheme list.";
}
container radius-security {
list radius-authen-servers {
key "address";
leaf address {
type inet:host;
description "The ip address of the authentication server.";
}
leaf port {
type inet:port-number;
description "The port number of the authentication server.";
Lin, et al. Expires January 3, 2019 [Page 24]
Internet-Draft Network Device Management Plane Security July 2018
}
description "A list of RADIUS authentication servers";
}
list radius-author-servers {
key "address";
leaf address {
type inet:host;
description "The ip address of the authorization server.";
}
leaf port {
type inet:port-number;
description "The port number of the authorization server.";
}
description "A list of RADIUS authorization servers";
}
list radius-account-servers {
key "address";
leaf address {
type inet:host;
description "The ip address of the accounting server.";
}
leaf port {
type inet:port-number;
description "The port number of the accounting server.";
}
description "A list of RADIUS accounting servers";
}
description "RADIUS authentication servers, authorization servers and accounting servers.";
}
container tacacs-security {
list tacacs-authen-servers {
key "address";
leaf address {
type inet:host;
description "The ip address of the authentication server.";
}
leaf port {
type inet:port-number;
description "The port number of the authentication server.";
}
description "A list of TACACS+ and TACACS+ compatible authentication servers";
}
list tacacs-author-servers {
key "address";
leaf address {
type inet:host;
description "The ip address of the authorization server.";
}
Lin, et al. Expires January 3, 2019 [Page 25]
Internet-Draft Network Device Management Plane Security July 2018
leaf port {
type inet:port-number;
description "The port number of the authorization server.";
}
description "A list of TACACS+ and TACACS+ compatible authorization servers";
}
list tacacs-account-servers {
key "address";
leaf address {
type inet:host;
description "The ip address of the accounting server.";
}
leaf port {
type inet:port-number;
description "The port number of the accounting server.";
}
description "A list of TACACS+ and TACACS+ compatible accounting servers";
}
description "TACACS+ and TACACS+ compatible authentication servers, authorization servers, and accounting servers.";
}
description "Configuration status of AAA.";
}
container admin-access-statistics {
config false;
leaf total-online-users {
type uint32;
config false;
description "The number of administrators that are current online.";
}
container online-admin-list {
if-feature display-online-info;
config false;
list online-users {
key "account-name";
leaf account-name {
type string;
config false;
description "The account name of the online account.";
}
leaf ip-address {
type inet:ip-address-no-zone;
config false;
description "The ip address of the online account.";
}
leaf mac-address {
type yang:mac-address;
config false;
Lin, et al. Expires January 3, 2019 [Page 26]
Internet-Draft Network Device Management Plane Security July 2018
description "The MAC address of the online account.";
}
description "Online adminstrator list.";
}
description "If the device supports providing information of online administrators, a list of account details are provided.";
}
description "online administrator lists, ip addresses authentication failure or blocked ip addresses. ";
}
}
7. Acknowledgements
8. IANA Considerations
This document requires no IANA actions.
9. Security Considerations
Secure transport should be used to retrieve the current status of
management plane security baseline.
10. References
10.1. Normative References
[I-D.birkholz-sacm-yang-content]
Birkholz, H. and N. Cam-Winget, "YANG subscribed
notifications via SACM Statements", draft-birkholz-sacm-
yang-content-01 (work in progress), January 2018.
[I-D.dong-sacm-nid-cp-security-baseline]
Dong, Y. and L. Xia, "The Data Model of Network
Infrastructure Device Control Plane Security Baseline",
draft-dong-sacm-nid-cp-security-baseline-00 (work in
progress), September 2017.
[I-D.dong-sacm-nid-infra-security-baseline]
Dong, Y. and L. Xia, "The Data Model of Network
Infrastructure Device Infrastructure Layer Security
Baseline", draft-dong-sacm-nid-infra-security-baseline-01
(work in progress), May 2018.
[I-D.ietf-netconf-netconf-client-server]
Watsen, K. and G. Wu, "NETCONF Client and Server Models",
draft-ietf-netconf-netconf-client-server-06 (work in
progress), June 2018.
Lin, et al. Expires January 3, 2019 [Page 27]
Internet-Draft Network Device Management Plane Security July 2018
[I-D.ietf-netconf-ssh-client-server]
Watsen, K. and G. Wu, "YANG Groupings for SSH Clients and
SSH Servers", draft-ietf-netconf-ssh-client-server-06
(work in progress), June 2018.
[I-D.ietf-netconf-tls-client-server]
Watsen, K. and G. Wu, "YANG Groupings for TLS Clients and
TLS Servers", draft-ietf-netconf-tls-client-server-06
(work in progress), June 2018.
[I-D.ietf-netmod-acl-model]
Jethanandani, M., Huang, L., Agarwal, S., and D. Blair,
"Network Access Control List (ACL) YANG Data Model",
draft-ietf-netmod-acl-model-19 (work in progress), April
2018.
[I-D.ietf-netmod-syslog-model]
Wildes, C. and K. Koushik, "A YANG Data Model for Syslog
Configuration", draft-ietf-netmod-syslog-model-26 (work in
progress), March 2018.
[I-D.ietf-sacm-information-model]
Waltermire, D., Watson, K., Kahn, C., Lorenzin, L., Cokus,
M., Haynes, D., and H. Birkholz, "SACM Information Model",
draft-ietf-sacm-information-model-10 (work in progress),
April 2017.
[I-D.xia-sacm-nid-dp-security-baseline]
Xia, L. and G. Zheng, "The Data Model of Network
Infrastructure Device Data Plane Security Baseline",
draft-xia-sacm-nid-dp-security-baseline-02 (work in
progress), June 2018.
[RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for
System Management", RFC 7317, DOI 10.17487/RFC7317, August
2014, <https://www.rfc-editor.org/info/rfc7317>.
[RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
December 2014, <https://www.rfc-editor.org/info/rfc7407>.
10.2. Informative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
Lin, et al. Expires January 3, 2019 [Page 28]
Internet-Draft Network Device Management Plane Security July 2018
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>.
Appendix A.
The following is the whole structure of the YANG tree diagram for
network infrastructure device management plane. The existed RFCs and
drafts that related this document are listed at the right side.
module: nid-management-plane-security
+--rw admin-management-security
| +--rw admin-security-policy
| +--rw admin-login-security [I-D.ietf-netconf-ssh-client-server]
| [I-D.ietf-netconf-tls-client-server]
| +--rw aaa-security [RFC7317]
| +--rw admin-access-statistics
+--rw system-management-security
| +--rw snmp-security [RFC7407]
| +--rw netconf-security [I-D.ietf-netconf-netconf-client-server]
| +--rw port-management-security
+--rw log-security
| +--rw alert-notification
| +--rw log-overflow-action
| +--rw log-mode [I-D.ietf-netmod-syslog-model]
+--rw file-security [I-D.ietf-netconf-ssh-client-server]
[I-D.ietf-netconf-tls-client-server]
Draft [I-D.ietf-netconf-tls-client-server] and draft
[I-D.ietf-netconf-ssh-client-server] focus on YANG models for TLS-
specific configuration and SSH-specific configuration respectively.
The transport-level configuration, such as what ports to listen-on or
connect-to, is not included. Draft
[I-D.ietf-netconf-netconf-client-server] defines NETCONF YANG model
based on the data models defined in the above two documents.
[RFC7317] defines a YANG data model for system management of device
containing a NETCONF sever. It summarizes data modules for NETCONF
user authentication, and defined YANG module for client to configure
the RADIUS authentication server information. Three methods are
defined for user authentication: public key for local users over SSH,
password for local users over any secure transport, password for
RADIUS users over any secure transport.
Lin, et al. Expires January 3, 2019 [Page 29]
Internet-Draft Network Device Management Plane Security July 2018
[RFC7407] defines a YANG model for SNMP configuration, including
community-based security module for SNMPv1 and SNMPv2c, as well as
view-based access control module and user-based security module for
SNMPv3.
Draft [I-D.ietf-netmod-syslog-model] defines a YANG model for Syslog
configuration, including TLS based transport security and syslog
messages signing.
Authors' Addresses
Qiushi Lin
Huawei
Huawei Industrial Base
Shenzhen, Guangdong 518129
China
Email: linqiushi@huawei.com
Liang Xia
Huawei
101 Software Avenue, Yuhuatai District
Nanjing, Jiangsu 210012
China
Email: Frank.xialiang@huawei.com
Henk Birkholz
Fraunhofer SIT
Rheinstrasse 75
Darmstadt 64295
Germany
Email: henk.birkholz@sit.fraunhofer.de
Lin, et al. Expires January 3, 2019 [Page 30]