| draft-ietf-netconf-access-control-06.txt | draft-ietf-netconf-access-control-07.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force A. Bierman | Internet Engineering Task Force A. Bierman | |||
| Internet-Draft Brocade | Internet-Draft Brocade | |||
| Intended status: Standards Track M. Bjorklund | Intended status: Standards Track M. Bjorklund | |||
| Expires: May 3, 2012 Tail-f Systems | Expires: June 25, 2012 Tail-f Systems | |||
| October 31, 2011 | December 23, 2011 | |||
| Network Configuration Protocol (NETCONF) Access Control Model | Network Configuration Protocol (NETCONF) Access Control Model | |||
| draft-ietf-netconf-access-control-06 | draft-ietf-netconf-access-control-07 | |||
| Abstract | Abstract | |||
| The standardization of network configuration interfaces for use with | The standardization of network configuration interfaces for use with | |||
| the NETCONF protocol requires a structured and secure operating | the NETCONF protocol requires a structured and secure operating | |||
| environment that promotes human usability and multi-vendor | environment that promotes human usability and multi-vendor | |||
| interoperability. There is a need for standard mechanisms to | interoperability. There is a need for standard mechanisms to | |||
| restrict NETCONF protocol access for particular users to a pre- | restrict NETCONF protocol access for particular users to a pre- | |||
| configured subset of all available NETCONF protocol operations and | configured subset of all available NETCONF protocol operations and | |||
| content. This document defines such an access control model. | content. This document defines such an access control model. | |||
| skipping to change at page 1, line 37 | skipping to change at page 1, line 37 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 3, 2012. | This Internet-Draft will expire on June 25, 2012. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 38 | skipping to change at page 2, line 38 | |||
| 3.2.2. <get> and <get-config> Operations . . . . . . . . . . 14 | 3.2.2. <get> and <get-config> Operations . . . . . . . . . . 14 | |||
| 3.2.3. <edit-config> Operation . . . . . . . . . . . . . . . 14 | 3.2.3. <edit-config> Operation . . . . . . . . . . . . . . . 14 | |||
| 3.2.4. <copy-config> Operation . . . . . . . . . . . . . . . 15 | 3.2.4. <copy-config> Operation . . . . . . . . . . . . . . . 15 | |||
| 3.2.5. <delete-config> Operation . . . . . . . . . . . . . . 16 | 3.2.5. <delete-config> Operation . . . . . . . . . . . . . . 16 | |||
| 3.2.6. <commit> Operation . . . . . . . . . . . . . . . . . . 16 | 3.2.6. <commit> Operation . . . . . . . . . . . . . . . . . . 16 | |||
| 3.2.7. <discard-changes> Operation . . . . . . . . . . . . . 16 | 3.2.7. <discard-changes> Operation . . . . . . . . . . . . . 16 | |||
| 3.2.8. <kill-session> Operation . . . . . . . . . . . . . . . 16 | 3.2.8. <kill-session> Operation . . . . . . . . . . . . . . . 16 | |||
| 3.3. Model Components . . . . . . . . . . . . . . . . . . . . . 16 | 3.3. Model Components . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 3.3.1. Users . . . . . . . . . . . . . . . . . . . . . . . . 17 | 3.3.1. Users . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 3.3.2. Groups . . . . . . . . . . . . . . . . . . . . . . . . 17 | 3.3.2. Groups . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 3.3.3. Global Enforcement Controls . . . . . . . . . . . . . 17 | 3.3.3. Emergency Recovery Session . . . . . . . . . . . . . . 17 | |||
| 3.3.3.1. enable-nacm Switch . . . . . . . . . . . . . . . . 17 | 3.3.4. Global Enforcement Controls . . . . . . . . . . . . . 17 | |||
| 3.3.3.2. read-default Switch . . . . . . . . . . . . . . . 17 | 3.3.4.1. enable-nacm Switch . . . . . . . . . . . . . . . . 17 | |||
| 3.3.3.3. write-default Switch . . . . . . . . . . . . . . . 18 | 3.3.4.2. read-default Switch . . . . . . . . . . . . . . . 17 | |||
| 3.3.3.4. exec-default Switch . . . . . . . . . . . . . . . 18 | 3.3.4.3. write-default Switch . . . . . . . . . . . . . . . 18 | |||
| 3.3.4. Access Control Rules . . . . . . . . . . . . . . . . . 18 | 3.3.4.4. exec-default Switch . . . . . . . . . . . . . . . 18 | |||
| 3.3.4.5. enable-external-groups Switch . . . . . . . . . . 18 | ||||
| 3.3.5. Access Control Rules . . . . . . . . . . . . . . . . . 19 | ||||
| 3.4. Access Control Enforcement Procedures . . . . . . . . . . 19 | 3.4. Access Control Enforcement Procedures . . . . . . . . . . 19 | |||
| 3.4.1. Initial Operation . . . . . . . . . . . . . . . . . . 19 | 3.4.1. Initial Operation . . . . . . . . . . . . . . . . . . 19 | |||
| 3.4.2. Session Establishment . . . . . . . . . . . . . . . . 19 | 3.4.2. Session Establishment . . . . . . . . . . . . . . . . 20 | |||
| 3.4.3. "access-denied" Error Handling . . . . . . . . . . . . 20 | 3.4.3. "access-denied" Error Handling . . . . . . . . . . . . 20 | |||
| 3.4.4. Incoming RPC Message Validation . . . . . . . . . . . 20 | 3.4.4. Incoming RPC Message Validation . . . . . . . . . . . 20 | |||
| 3.4.5. Data Node Access Validation . . . . . . . . . . . . . 23 | 3.4.5. Data Node Access Validation . . . . . . . . . . . . . 23 | |||
| 3.4.6. Outgoing <notification> Authorization . . . . . . . . 25 | 3.4.6. Outgoing <notification> Authorization . . . . . . . . 25 | |||
| 3.5. Data Model Definitions . . . . . . . . . . . . . . . . . . 27 | 3.5. Data Model Definitions . . . . . . . . . . . . . . . . . . 27 | |||
| 3.5.1. Data Organization . . . . . . . . . . . . . . . . . . 28 | 3.5.1. Data Organization . . . . . . . . . . . . . . . . . . 27 | |||
| 3.5.2. YANG Module . . . . . . . . . . . . . . . . . . . . . 28 | 3.5.2. YANG Module . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 3.6. IANA Considerations . . . . . . . . . . . . . . . . . . . 38 | 3.6. IANA Considerations . . . . . . . . . . . . . . . . . . . 38 | |||
| 3.7. Security Considerations . . . . . . . . . . . . . . . . . 38 | 3.7. Security Considerations . . . . . . . . . . . . . . . . . 39 | |||
| 3.7.1. NACM Configuration and Monitoring Considerations . . . 38 | 3.7.1. NACM Configuration and Monitoring Considerations . . . 39 | |||
| 3.7.2. General Configuration Issues . . . . . . . . . . . . . 40 | 3.7.2. General Configuration Issues . . . . . . . . . . . . . 40 | |||
| 3.7.3. Data Model Design Considerations . . . . . . . . . . . 41 | 3.7.3. Data Model Design Considerations . . . . . . . . . . . 42 | |||
| 4. References . . . . . . . . . . . . . . . . . . . . . . . . . . 43 | 4. References . . . . . . . . . . . . . . . . . . . . . . . . . . 43 | |||
| 4.1. Normative References . . . . . . . . . . . . . . . . . . . 43 | 4.1. Normative References . . . . . . . . . . . . . . . . . . . 43 | |||
| 4.2. Informative References . . . . . . . . . . . . . . . . . . 43 | 4.2. Informative References . . . . . . . . . . . . . . . . . . 43 | |||
| Appendix A. Usage Examples . . . . . . . . . . . . . . . . . . . 44 | Appendix A. Usage Examples . . . . . . . . . . . . . . . . . . . 44 | |||
| A.1. <groups> Example . . . . . . . . . . . . . . . . . . . . . 44 | A.1. <groups> Example . . . . . . . . . . . . . . . . . . . . . 44 | |||
| A.2. Module Rule Example . . . . . . . . . . . . . . . . . . . 45 | A.2. Module Rule Example . . . . . . . . . . . . . . . . . . . 45 | |||
| A.3. RPC Rule Example . . . . . . . . . . . . . . . . . . . . . 46 | A.3. RPC Rule Example . . . . . . . . . . . . . . . . . . . . . 46 | |||
| A.4. Data Rule Example . . . . . . . . . . . . . . . . . . . . 48 | A.4. Data Rule Example . . . . . . . . . . . . . . . . . . . . 48 | |||
| A.5. Notification Rule Example . . . . . . . . . . . . . . . . 50 | A.5. Notification Rule Example . . . . . . . . . . . . . . . . 50 | |||
| Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 52 | Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 52 | |||
| B.1. 05-06 . . . . . . . . . . . . . . . . . . . . . . . . . . 52 | B.1. 06-07 . . . . . . . . . . . . . . . . . . . . . . . . . . 52 | |||
| B.2. 04-05 . . . . . . . . . . . . . . . . . . . . . . . . . . 52 | B.2. 05-06 . . . . . . . . . . . . . . . . . . . . . . . . . . 52 | |||
| B.3. 03-04 . . . . . . . . . . . . . . . . . . . . . . . . . . 52 | B.3. 04-05 . . . . . . . . . . . . . . . . . . . . . . . . . . 52 | |||
| B.4. 02-03 . . . . . . . . . . . . . . . . . . . . . . . . . . 53 | B.4. 03-04 . . . . . . . . . . . . . . . . . . . . . . . . . . 52 | |||
| B.5. 01-02 . . . . . . . . . . . . . . . . . . . . . . . . . . 53 | B.5. 02-03 . . . . . . . . . . . . . . . . . . . . . . . . . . 53 | |||
| B.6. 00-01 . . . . . . . . . . . . . . . . . . . . . . . . . . 53 | B.6. 01-02 . . . . . . . . . . . . . . . . . . . . . . . . . . 53 | |||
| B.7. 00 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 | B.7. 00-01 . . . . . . . . . . . . . . . . . . . . . . . . . . 53 | |||
| B.8. 00 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 54 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 54 | |||
| 1. Introduction | 1. Introduction | |||
| The NETCONF protocol does not provide any standard mechanisms to | The NETCONF protocol does not provide any standard mechanisms to | |||
| restrict the protocol operations and content that each user is | restrict the protocol operations and content that each user is | |||
| authorized to access. | authorized to access. | |||
| There is a need for inter-operable management of the controlled | There is a need for inter-operable management of the controlled | |||
| access to administrator selected portions of the available NETCONF | access to administrator selected portions of the available NETCONF | |||
| skipping to change at page 7, line 46 | skipping to change at page 7, line 46 | |||
| standard or proprietary, was used to access the datastore. | standard or proprietary, was used to access the datastore. | |||
| 2.5. Users and Groups | 2.5. Users and Groups | |||
| It is necessary that access control rules for a single user or a | It is necessary that access control rules for a single user or a | |||
| configurable group of users can be configured. | configurable group of users can be configured. | |||
| The ACM needs to support the concept of administrative groups, to | The ACM needs to support the concept of administrative groups, to | |||
| support the well-established distinction between a root account and | support the well-established distinction between a root account and | |||
| other types of less-privileged conceptual user accounts. These | other types of less-privileged conceptual user accounts. These | |||
| groups needs to be configurable by the administrator. | groups need to be configurable by the administrator. | |||
| It is necessary that the user-to-group mapping can be delegated to a | It is necessary that the user-to-group mapping can be delegated to a | |||
| central server, such as a RADIUS server [RFC2865] [RFC5607]. Since | central server, such as a RADIUS server [RFC2865] [RFC5607]. Since | |||
| authentication is performed by the NETCONF transport layer, and | authentication is performed by the NETCONF transport layer, and | |||
| RADIUS performs authentication and service authorization at the same | RADIUS performs authentication and service authorization at the same | |||
| time, the underlying NETCONF transport needs to be able to report a | time, the underlying NETCONF transport needs to be able to report a | |||
| set of group names associated with the user to the server. | set of group names associated with the user to the server. It is | |||
| necessary that the administrator can disable the usage of these group | ||||
| names within the ACM. | ||||
| 2.6. Maintenance | 2.6. Maintenance | |||
| It ought to be possible to disable part or all of the access control | It ought to be possible to disable part or all of the access control | |||
| model without deleting any access control rules. | model enforcement procedures without deleting any access control | |||
| rules. | ||||
| 2.7. Configuration Capabilities | 2.7. Configuration Capabilities | |||
| Suitable configuration and monitoring mechanisms are needed to allow | Suitable configuration and monitoring mechanisms are needed to allow | |||
| an administrator to easily manage all aspects of the ACM behavior. A | an administrator to easily manage all aspects of the ACM behavior. A | |||
| standard data model, suitable for use with the <edit-config> protocol | standard data model, suitable for use with the <edit-config> protocol | |||
| operation needs to be available for this purpose. | operation needs to be available for this purpose. | |||
| Access control rules to restrict access operations on specific | Access control rules to restrict access operations on specific | |||
| subtrees within the configuration datastore needs to be supported. | subtrees within the configuration datastore need to be supported. | |||
| 2.8. Identifying Security-Sensitive Content | 2.8. Identifying Security-Sensitive Content | |||
| One of the most important aspects of the data model documentation, | One of the most important aspects of the data model documentation, | |||
| and biggest concerns during deployment, is the identification of | and biggest concerns during deployment, is the identification of | |||
| security-sensitive content. This applies to protocol operations in | security-sensitive content. This applies to protocol operations in | |||
| NETCONF, not just data and notifications. | NETCONF, not just data and notifications. | |||
| It is mandatory for security-sensitive objects to be documented in | It is mandatory for security-sensitive objects to be documented in | |||
| the Security Considerations section of an RFC. This is nice, but it | the Security Considerations section of an RFC. This is nice, but it | |||
| skipping to change at page 10, line 40 | skipping to change at page 10, line 40 | |||
| o Support for YANG security tagging (e.g., "nacm:default-deny-write" | o Support for YANG security tagging (e.g., "nacm:default-deny-write" | |||
| statement) allows default security modes to automatically exclude | statement) allows default security modes to automatically exclude | |||
| sensitive data. | sensitive data. | |||
| o Separate default access modes for read, write, and execute | o Separate default access modes for read, write, and execute | |||
| permissions. | permissions. | |||
| o Access control rules are applied to configurable groups of users. | o Access control rules are applied to configurable groups of users. | |||
| o The entire ACM can be disabled during operation, in order to debug | o The access control enforcement procedures can be disabled during | |||
| operational problems. | operation, without deleting any access control rules, in order to | |||
| debug operational problems. | ||||
| o Access control rules are simple to configure. | o Access control rules are simple to configure. | |||
| o The number of denied protocol operation requests and denied | o The number of denied protocol operation requests and denied | |||
| datastore write requests can be monitored by the client. | datastore write requests can be monitored by the client. | |||
| o Simple unconstrained YANG instance identifiers are used to | o Simple unconstrained YANG instance identifiers are used to | |||
| configure access control rules for specific data nodes. | configure access control rules for specific data nodes. | |||
| 3.1.2. External Dependencies | 3.1.2. External Dependencies | |||
| The NETCONF [RFC6241] protocol is used for all management purposes | The NETCONF [RFC6241] protocol is used for all management purposes | |||
| within this document. It is expected that the mandatory transport | within this document. | |||
| mapping NETCONF Over SSH [RFC6242] is also supported by the server, | ||||
| and that the server has access to the user name associated with each | ||||
| session. | ||||
| The YANG Data Modeling Language [RFC6020] is used to define the | The YANG Data Modeling Language [RFC6020] is used to define the | |||
| NETCONF data models specified in this document. | NETCONF data models specified in this document. | |||
| 3.1.3. Message Processing Model | 3.1.3. Message Processing Model | |||
| The following diagram shows the conceptual message flow model, | The following diagram shows the conceptual message flow model, | |||
| including the points at which access control is applied, during | including the points at which access control is applied, during | |||
| NETCONF message processing. | NETCONF message processing. | |||
| skipping to change at page 17, line 15 | skipping to change at page 17, line 15 | |||
| 3.3.1. Users | 3.3.1. Users | |||
| A "user" is the conceptual entity that is associated with the access | A "user" is the conceptual entity that is associated with the access | |||
| permissions granted to a particular session. A user is identified by | permissions granted to a particular session. A user is identified by | |||
| a string which is unique within the server. | a string which is unique within the server. | |||
| As described in [RFC6241], the user name string is derived from the | As described in [RFC6241], the user name string is derived from the | |||
| transport layer during session establishment. If the transport layer | transport layer during session establishment. If the transport layer | |||
| cannot authenticate the user, the session is terminated. | cannot authenticate the user, the session is terminated. | |||
| The server MAY support a "recovery session" mechanism, which will | ||||
| bypass all access control enforcement. This is useful for | ||||
| restricting initial access and repairing a broken access control | ||||
| configuration. | ||||
| 3.3.2. Groups | 3.3.2. Groups | |||
| Access to a specific NETCONF protocol operation is granted to a | Access to a specific NETCONF protocol operation is granted to a | |||
| session, associated with a group, not a user. | session, associated with a group, not a user. | |||
| A group is identified by its name. All group names are unique within | A group is identified by its name. All group names are unique within | |||
| the server. | the server. | |||
| A group member is identified by a user name string. | A group member is identified by a user name string. | |||
| The same user can be a member of multiple groups. | The same user can be a member of multiple groups. | |||
| 3.3.3. Global Enforcement Controls | 3.3.3. Emergency Recovery Session | |||
| There are four global controls that are used to help control how | The server MAY support a "recovery session" mechanism, which will | |||
| bypass all access control enforcement. This is useful for | ||||
| restricting initial access and repairing a broken access control | ||||
| configuration. | ||||
| 3.3.4. Global Enforcement Controls | ||||
| There are five global controls that are used to help control how | ||||
| access control is enforced. | access control is enforced. | |||
| 3.3.3.1. enable-nacm Switch | 3.3.4.1. enable-nacm Switch | |||
| A global "enable-nacm" on/off switch is provided to enable or disable | A global "enable-nacm" on/off switch is provided to enable or disable | |||
| all access control enforcement. When this global switch is set to | all access control enforcement. When this global switch is set to | |||
| "true", then all requests are checked against the access control | "true", then all requests are checked against the access control | |||
| rules, and only permitted if configured to allow the specific access | rules, and only permitted if configured to allow the specific access | |||
| request. When this global switch is set to "false", then all access | request. When this global switch is set to "false", then all access | |||
| requested are permitted. | requested are permitted. | |||
| 3.3.3.2. read-default Switch | 3.3.4.2. read-default Switch | |||
| An on/off "read-default" switch is provided to enable or disable | An on/off "read-default" switch is provided to enable or disable | |||
| default access to receive data in replies and notifications. When | default access to receive data in replies and notifications. When | |||
| the "enable-nacm" global switch is set to "true", then this global | the "enable-nacm" global switch is set to "true", then this global | |||
| switch is relevant, if no matching access control rule is found to | switch is relevant, if no matching access control rule is found to | |||
| explicitly permit or deny read access to the requested NETCONF | explicitly permit or deny read access to the requested NETCONF | |||
| datastore data or notification event type. | datastore data or notification event type. | |||
| When this global switch is set to "permit", and no matching access | When this global switch is set to "permit", and no matching access | |||
| control rule is found for the NETCONF datastore read or notification | control rule is found for the NETCONF datastore read or notification | |||
| event requested, then access is permitted. | event requested, then access is permitted. | |||
| When this global switch is set to "deny", and no matching access | When this global switch is set to "deny", and no matching access | |||
| control rule is found for the NETCONF datastore read or notification | control rule is found for the NETCONF datastore read or notification | |||
| event requested, then access is denied. | event requested, then access is denied. | |||
| 3.3.3.3. write-default Switch | 3.3.4.3. write-default Switch | |||
| An on/off "write-default" switch is provided to enable or disable | An on/off "write-default" switch is provided to enable or disable | |||
| default access to alter configuration data. When the "enable-nacm" | default access to alter configuration data. When the "enable-nacm" | |||
| global switch is set to "true", then this global switch is relevant, | global switch is set to "true", then this global switch is relevant, | |||
| if no matching access control rule is found to explicitly permit or | if no matching access control rule is found to explicitly permit or | |||
| deny write access to the requested NETCONF datastore data. | deny write access to the requested NETCONF datastore data. | |||
| When this global switch is set to "permit", and no matching access | When this global switch is set to "permit", and no matching access | |||
| control rule is found for the NETCONF datastore write requested, then | control rule is found for the NETCONF datastore write requested, then | |||
| access is permitted. | access is permitted. | |||
| When this global switch is set to "deny", and no matching access | When this global switch is set to "deny", and no matching access | |||
| control rule is found for the NETCONF datastore write requested, then | control rule is found for the NETCONF datastore write requested, then | |||
| access is denied. | access is denied. | |||
| 3.3.3.4. exec-default Switch | 3.3.4.4. exec-default Switch | |||
| An on/off "exec-default" switch is provided to enable or disable | An on/off "exec-default" switch is provided to enable or disable | |||
| default access to execute protocol operations. When the "enable- | default access to execute protocol operations. When the "enable- | |||
| nacm" global switch is set to "true", then this global switch is | nacm" global switch is set to "true", then this global switch is | |||
| relevant, if no matching access control rule is found to explicitly | relevant, if no matching access control rule is found to explicitly | |||
| permit or deny access to the requested NETCONF protocol operation. | permit or deny access to the requested NETCONF protocol operation. | |||
| When this global switch is set to "permit", and no matching access | When this global switch is set to "permit", and no matching access | |||
| control rule is found for the NETCONF protocol operation requested, | control rule is found for the NETCONF protocol operation requested, | |||
| then access is permitted. | then access is permitted. | |||
| When this global switch is set to "deny", and no matching access | When this global switch is set to "deny", and no matching access | |||
| control rule is found for the NETCONF protocol operation requested, | control rule is found for the NETCONF protocol operation requested, | |||
| then access is denied. | then access is denied. | |||
| 3.3.4. Access Control Rules | 3.3.4.5. enable-external-groups Switch | |||
| When this global switch is set to "true", the group names reported by | ||||
| the NETCONF transport layer for a session are used together with the | ||||
| locally configured group names, to determine the access control rules | ||||
| for the session. | ||||
| When this switch is set to "false", the group names reported by the | ||||
| NETCONF transport layer are ignored by NACM. | ||||
| 3.3.5. Access Control Rules | ||||
| There are 4 types of rules available in NACM: | There are 4 types of rules available in NACM: | |||
| module rule: Controls access for definitions in a specific YANG | module rule: Controls access for definitions in a specific YANG | |||
| module, identified by its name. | module, identified by its name. | |||
| protocol operation rule: Controls access for a specific protocol | protocol operation rule: Controls access for a specific protocol | |||
| operation, identified by its YANG module and name. | operation, identified by its YANG module and name. | |||
| data node rule: Controls access for a specific data node, identified | data node rule: Controls access for a specific data node, identified | |||
| skipping to change at page 20, line 14 | skipping to change at page 20, line 26 | |||
| rules, based on the supplied user name, group names, and the | rules, based on the supplied user name, group names, and the | |||
| configuration data stored on the server. | configuration data stored on the server. | |||
| 3.4.3. "access-denied" Error Handling | 3.4.3. "access-denied" Error Handling | |||
| The "access-denied" error-tag is generated when the access control | The "access-denied" error-tag is generated when the access control | |||
| system denies access to either a request to invoke a protocol | system denies access to either a request to invoke a protocol | |||
| operation or a request to perform a particular access operation on | operation or a request to perform a particular access operation on | |||
| the configuration datastore. | the configuration datastore. | |||
| A server MUST NOT include any sensitive information in any <error- | A server MUST NOT include any information the client is not allowed | |||
| info> elements within the <rpc-error> response. | to read in any <error-info> elements within the <rpc-error> response. | |||
| 3.4.4. Incoming RPC Message Validation | 3.4.4. Incoming RPC Message Validation | |||
| The diagram below shows the basic conceptual structure of the access | The diagram below shows the basic conceptual structure of the access | |||
| control processing model for incoming NETCONF <rpc> messages, within | control processing model for incoming NETCONF <rpc> messages, within | |||
| a server. | a server. | |||
| NETCONF server | NETCONF server | |||
| +------------+ | +------------+ | |||
| | XML | | | XML | | |||
| skipping to change at page 22, line 13 | skipping to change at page 22, line 13 | |||
| operation is permitted. | operation is permitted. | |||
| 2. If the requesting session is identified as a "recovery session", | 2. If the requesting session is identified as a "recovery session", | |||
| then the protocol operation is permitted. | then the protocol operation is permitted. | |||
| 3. If the requested operation is the NETCONF <close-session> | 3. If the requested operation is the NETCONF <close-session> | |||
| protocol operation, then the protocol operation is permitted. | protocol operation, then the protocol operation is permitted. | |||
| 4. Check all the "group" entries for ones that contain a "user- | 4. Check all the "group" entries for ones that contain a "user- | |||
| name" entry that equals the user name for the session making the | name" entry that equals the user name for the session making the | |||
| request. Add to these groups the set of groups provided by the | request. If the "enable-external-groups" leaf is "true", add to | |||
| transport layer. | these groups the set of groups provided by the transport layer. | |||
| 5. If no groups are found, continue with step 10. | 5. If no groups are found, continue with step 10. | |||
| 6. Process all rule-list entries, in the order they appear in the | 6. Process all rule-list entries, in the order they appear in the | |||
| configuration. If a rule-list's "group" leaf-list does not | configuration. If a rule-list's "group" leaf-list does not | |||
| match any of the user's groups, proceed to the next rule-list | match any of the user's groups, proceed to the next rule-list | |||
| entry. | entry. | |||
| 7. For each rule-list entry found, process all rules, in order, | 7. For each rule-list entry found, process all rules, in order, | |||
| until a rule that matches the requested access operation is | until a rule that matches the requested access operation is | |||
| skipping to change at page 23, line 47 | skipping to change at page 23, line 47 | |||
| The data node access request is authorized by following these steps: | The data node access request is authorized by following these steps: | |||
| 1. If the "enable-nacm" leaf is set to "false", then the access | 1. If the "enable-nacm" leaf is set to "false", then the access | |||
| operation is permitted. | operation is permitted. | |||
| 2. If the requesting session is identified as a "recovery session", | 2. If the requesting session is identified as a "recovery session", | |||
| then the access operation is permitted. | then the access operation is permitted. | |||
| 3. Check all the "group" entries for ones that contain a "user- | 3. Check all the "group" entries for ones that contain a "user- | |||
| name" entry that equals the user name for the session making the | name" entry that equals the user name for the session making the | |||
| request. Add to these groups the set of groups provided by the | request. If the the "enable-external-groups" leaf is "true", | |||
| transport layer. | add to these groups the set of groups provided by the transport | |||
| layer. | ||||
| 4. If no groups are found, continue with step 9. | 4. If no groups are found, continue with step 9. | |||
| 5. Process all rule-list entries, in the order they appear in the | 5. Process all rule-list entries, in the order they appear in the | |||
| configuration. If a rule-list's "group" leaf-list does not | configuration. If a rule-list's "group" leaf-list does not | |||
| match any of the user's groups, proceed to the next rule-list | match any of the user's groups, proceed to the next rule-list | |||
| entry. | entry. | |||
| 6. For each rule-list entry found, process all rules, in order, | 6. For each rule-list entry found, process all rules, in order, | |||
| until a rule that matches the requested access operation is | until a rule that matches the requested access operation is | |||
| skipping to change at page 27, line 7 | skipping to change at page 27, line 7 | |||
| 2. If the session is identified as a "recovery session", then the | 2. If the session is identified as a "recovery session", then the | |||
| notification is permitted. | notification is permitted. | |||
| 3. If the notification is the NETCONF <replayComplete> or | 3. If the notification is the NETCONF <replayComplete> or | |||
| <notificationComplete> event type [RFC5277], then the | <notificationComplete> event type [RFC5277], then the | |||
| notification is permitted. | notification is permitted. | |||
| 4. Check all the "group" entries for ones that contain a "user- | 4. Check all the "group" entries for ones that contain a "user- | |||
| name" entry that equals the user name for the session making the | name" entry that equals the user name for the session making the | |||
| request. Add to these groups the set of groups provided by the | request. If the "enable-external-groups" leaf is "true", add to | |||
| transport layer. | these groups the set of groups provided by the transport layer. | |||
| 5. If no groups are found, continue with step 10. | 5. If no groups are found, continue with step 10. | |||
| 6. Process all rule-list entries, in the order they appear in the | 6. Process all rule-list entries, in the order they appear in the | |||
| configuration. If a rule-list's "group" leaf-list does not | configuration. If a rule-list's "group" leaf-list does not | |||
| match any of the user's groups, proceed to the next rule-list | match any of the user's groups, proceed to the next rule-list | |||
| entry. | entry. | |||
| 7. For each rule-list entry found, process all rules, in order, | 7. For each rule-list entry found, process all rules, in order, | |||
| until a rule that matches the requested access operation is | until a rule that matches the requested access operation is | |||
| skipping to change at page 27, line 48 | skipping to change at page 27, line 48 | |||
| advertised in the server capabilities, and the "notification" | advertised in the server capabilities, and the "notification" | |||
| statement contains a "nacm:default-deny-all" statement, then the | statement contains a "nacm:default-deny-all" statement, then the | |||
| notification is dropped for the associated subscription. | notification is dropped for the associated subscription. | |||
| 11. If the "read-default" leaf is set to "permit", then permit the | 11. If the "read-default" leaf is set to "permit", then permit the | |||
| notification, otherwise drop the notification for the associated | notification, otherwise drop the notification for the associated | |||
| subscription. | subscription. | |||
| 3.5. Data Model Definitions | 3.5. Data Model Definitions | |||
| This section defines the semantics of the conceptual data structures | ||||
| found in the data model in Section 3.5. | ||||
| 3.5.1. Data Organization | 3.5.1. Data Organization | |||
| The following diagram highlights the contents and structure of the | The following diagram highlights the contents and structure of the | |||
| NACM YANG module. | NACM YANG module. | |||
| +--rw nacm | +--rw nacm | |||
| +--rw enable-nacm? boolean | +--rw enable-nacm? boolean | |||
| +--rw read-default? action-type | +--rw read-default? action-type | |||
| +--rw write-default? action-type | +--rw write-default? action-type | |||
| +--rw exec-default? action-type | +--rw exec-default? action-type | |||
| +--rw enable-external-groups? boolean | ||||
| +--ro denied-operations yang:zero-based-counter32 | +--ro denied-operations yang:zero-based-counter32 | |||
| +--ro denied-data-writes yang:zero-based-counter32 | +--ro denied-data-writes yang:zero-based-counter32 | |||
| +--ro denied-notifications yang:zero-based-counter32 | +--ro denied-notifications yang:zero-based-counter32 | |||
| +--rw groups | +--rw groups | |||
| | +--rw group [name] | | +--rw group [name] | |||
| | +--rw name group-name-type | | +--rw name group-name-type | |||
| | +--rw user-name* user-name-type | | +--rw user-name* user-name-type | |||
| +--rw rule-list [name] | +--rw rule-list [name] | |||
| +--rw name string | +--rw name string | |||
| +--rw group* union | +--rw group* union | |||
| skipping to change at page 28, line 47 | skipping to change at page 28, line 43 | |||
| +--rw comment? string | +--rw comment? string | |||
| 3.5.2. YANG Module | 3.5.2. YANG Module | |||
| The following YANG module specifies the normative NETCONF content | The following YANG module specifies the normative NETCONF content | |||
| that MUST by supported by the server. | that MUST by supported by the server. | |||
| The "ietf-netconf-acm" YANG module imports typedefs from [RFC6021]. | The "ietf-netconf-acm" YANG module imports typedefs from [RFC6021]. | |||
| // RFC Ed.: please update the date to the date of publication | // RFC Ed.: please update the date to the date of publication | |||
| <CODE BEGINS> file="ietf-netconf-acm@2011-10-31.yang" | <CODE BEGINS> file="ietf-netconf-acm@2011-12-23.yang" | |||
| module ietf-netconf-acm { | module ietf-netconf-acm { | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"; | namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"; | |||
| prefix "nacm"; | prefix "nacm"; | |||
| import ietf-yang-types { | import ietf-yang-types { | |||
| prefix yang; | prefix yang; | |||
| } | } | |||
| organization | organization | |||
| "IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
| contact | contact | |||
| skipping to change at page 29, line 24 | skipping to change at page 29, line 21 | |||
| "WG Web: <http://tools.ietf.org/wg/netconf/> | "WG Web: <http://tools.ietf.org/wg/netconf/> | |||
| WG List: <mailto:netconf@ietf.org> | WG List: <mailto:netconf@ietf.org> | |||
| WG Chair: Mehmet Ersue | WG Chair: Mehmet Ersue | |||
| <mailto:mehmet.ersue@nsn.com> | <mailto:mehmet.ersue@nsn.com> | |||
| WG Chair: Bert Wijnen | WG Chair: Bert Wijnen | |||
| <mailto:bertietf@bwijnen.net> | <mailto:bertietf@bwijnen.net> | |||
| Editor: Andy Bierman | Editor: Andy Bierman | |||
| <mailto:andy.bierman@brocade.com> | <mailto:andy@netconfcentral.org> | |||
| Editor: Martin Bjorklund | Editor: Martin Bjorklund | |||
| <mailto:mbj@tail-f.com>"; | <mailto:mbj@tail-f.com>"; | |||
| description | description | |||
| "NETCONF Access Control Model. | "NETCONF Access Control Model. | |||
| Copyright (c) 2011 IETF Trust and the persons identified as | Copyright (c) 2011 IETF Trust and the persons identified as | |||
| authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
| skipping to change at page 29, line 48 | skipping to change at page 29, line 45 | |||
| License set forth in Section 4.c of the IETF Trust's | License set forth in Section 4.c of the IETF Trust's | |||
| Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC XXXX; see | This version of this YANG module is part of RFC XXXX; see | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| // RFC Ed.: replace XXXX with actual RFC number and | // RFC Ed.: replace XXXX with actual RFC number and | |||
| // remove this note | // remove this note | |||
| // RFC Ed.: remove this note | // RFC Ed.: remove this note | |||
| // Note: extracted from draft-ietf-netconf-access-control-06.txt | // Note: extracted from draft-ietf-netconf-access-control-07.txt | |||
| // RFC Ed.: please update the date to the date of publication | // RFC Ed.: please update the date to the date of publication | |||
| revision "2011-10-31" { | revision "2011-12-23" { | |||
| description | description | |||
| "Initial version"; | "Initial version"; | |||
| reference | reference | |||
| "RFC XXXX: Network Configuration Protocol | "RFC XXXX: Network Configuration Protocol | |||
| Access Control Model"; | Access Control Model"; | |||
| } | } | |||
| /* | /* | |||
| * Extension statements | * Extension statements | |||
| */ | */ | |||
| extension default-deny-write { | extension default-deny-write { | |||
| skipping to change at page 33, line 10 | skipping to change at page 33, line 8 | |||
| 'USER', which contains the name of user of the current | 'USER', which contains the name of user of the current | |||
| session. | session. | |||
| o The function library is the core function library, but | o The function library is the core function library, but | |||
| note that due to the syntax restrictions of an | note that due to the syntax restrictions of an | |||
| instance-identifier, no functions are allowed. | instance-identifier, no functions are allowed. | |||
| o The context node is the root node in the data tree."; | o The context node is the root node in the data tree."; | |||
| } | } | |||
| /* | ||||
| * Data definition statements | ||||
| */ | ||||
| container nacm { | container nacm { | |||
| nacm:default-deny-all; | nacm:default-deny-all; | |||
| description | description | |||
| "Parameters for NETCONF Access Control Model."; | "Parameters for NETCONF Access Control Model."; | |||
| leaf enable-nacm { | leaf enable-nacm { | |||
| type boolean; | type boolean; | |||
| default true; | default true; | |||
| description | description | |||
| skipping to change at page 34, line 4 | skipping to change at page 34, line 4 | |||
| particular write request."; | particular write request."; | |||
| } | } | |||
| leaf exec-default { | leaf exec-default { | |||
| type action-type; | type action-type; | |||
| default "permit"; | default "permit"; | |||
| description | description | |||
| "Controls whether exec access is granted if no appropriate | "Controls whether exec access is granted if no appropriate | |||
| rule is found for a particular protocol operation request."; | rule is found for a particular protocol operation request."; | |||
| } | } | |||
| leaf enable-external-groups { | ||||
| type boolean; | ||||
| default true; | ||||
| description | ||||
| "Controls whether the server uses the groups reported by the | ||||
| NETCONF transport layer when it assigns the user to a set of | ||||
| NACM groups. If this leaf has the value 'false', any group | ||||
| names reported by the transport layer are ignored by the | ||||
| server."; | ||||
| } | ||||
| leaf denied-operations { | leaf denied-operations { | |||
| type yang:zero-based-counter32; | type yang:zero-based-counter32; | |||
| config false; | config false; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Number of times a protocol operation request was denied | "Number of times a protocol operation request was denied | |||
| since the server last restarted."; | since the server last restarted."; | |||
| } | } | |||
| leaf denied-data-writes { | leaf denied-data-writes { | |||
| skipping to change at page 34, line 40 | skipping to change at page 35, line 4 | |||
| the event type was denied, since the server | the event type was denied, since the server | |||
| last restarted."; | last restarted."; | |||
| } | } | |||
| container groups { | container groups { | |||
| description | description | |||
| "NETCONF Access Control Groups."; | "NETCONF Access Control Groups."; | |||
| list group { | list group { | |||
| key name; | key name; | |||
| description | description | |||
| "One NACM Group Entry."; | "One NACM Group Entry. This list will only contain | |||
| configured entries, not any entries learned from | ||||
| any transport protocols."; | ||||
| leaf name { | leaf name { | |||
| type group-name-type; | type group-name-type; | |||
| description | description | |||
| "Group name associated with this entry."; | "Group name associated with this entry."; | |||
| } | } | |||
| leaf-list user-name { | leaf-list user-name { | |||
| type user-name-type; | type user-name-type; | |||
| description | description | |||
| skipping to change at page 39, line 6 | skipping to change at page 39, line 22 | |||
| when configuring a NETCONF server with NACM. | when configuring a NETCONF server with NACM. | |||
| 3.7.1. NACM Configuration and Monitoring Considerations | 3.7.1. NACM Configuration and Monitoring Considerations | |||
| Configuration of the access control system is highly sensitive to | Configuration of the access control system is highly sensitive to | |||
| system security. A server may choose not to allow any user | system security. A server may choose not to allow any user | |||
| configuration to some portions of it, such as the global security | configuration to some portions of it, such as the global security | |||
| level, or the groups which allowed access to system resources. | level, or the groups which allowed access to system resources. | |||
| By default, NACM enforcement is enabled. By default, "read" access | By default, NACM enforcement is enabled. By default, "read" access | |||
| to all datastore contents enabled, (unless "nacm:default-deny-all" is | to all datastore contents is enabled, (unless "nacm:default-deny-all" | |||
| specified for the data definition) and "exec" access is enabled for | is specified for the data definition) and "exec" access is enabled | |||
| safe protocol operations. An administrator needs to ensure that NACM | for safe protocol operations. An administrator needs to ensure that | |||
| is enabled, and also decide if the default access parameters are set | NACM is enabled, and also decide if the default access parameters are | |||
| appropriately. Make sure the following data nodes are properly | set appropriately. Make sure the following data nodes are properly | |||
| configured: | configured: | |||
| o /nacm/enable-nacm (default "true") | o /nacm/enable-nacm (default "true") | |||
| o /nacm/read-default (default "permit") | o /nacm/read-default (default "permit") | |||
| o /nacm/write-default (default "deny") | o /nacm/write-default (default "deny") | |||
| o /nacm/exec-default (default "permit") | o /nacm/exec-default (default "permit") | |||
| skipping to change at page 39, line 48 | skipping to change at page 40, line 16 | |||
| representing access control rules (/nacm/rule-list and /nacm/ | representing access control rules (/nacm/rule-list and /nacm/ | |||
| rule-list/rule) are ordered by the client. The server will evaluate | rule-list/rule) are ordered by the client. The server will evaluate | |||
| the access control rules according to their relative conceptual order | the access control rules according to their relative conceptual order | |||
| within the running datastore configuration. | within the running datastore configuration. | |||
| Note that the /nacm/groups data structure contains the administrative | Note that the /nacm/groups data structure contains the administrative | |||
| group names used by the server. These group names may be configured | group names used by the server. These group names may be configured | |||
| locally and/or provided through an external protocol, such as RADIUS | locally and/or provided through an external protocol, such as RADIUS | |||
| [RFC2865] [RFC5607]. | [RFC2865] [RFC5607]. | |||
| An administrator needs to be aware of the security properties of any | ||||
| external protocol used by the NETCONF transport layer to determine | ||||
| group names. For example, if this protocol does not protect against | ||||
| man-in-the-middle attacks, an attacker might be able to inject group | ||||
| names that are configured in NACM, so that a user gets more | ||||
| permissions than it should. In such cases, the administrator may | ||||
| wish to disable the usage of such group names, by setting /nacm/ | ||||
| enable-external-groups to "false". | ||||
| An administrator needs to restrict read access to the following | An administrator needs to restrict read access to the following | |||
| objects within this data model, which reveal access control | objects within this data model, which reveal access control | |||
| configuration which could be considered sensitive. | configuration which could be considered sensitive. | |||
| o /nacm/enable-nacm | o /nacm/enable-nacm | |||
| o /nacm/read-default | o /nacm/read-default | |||
| o /nacm/write-default | o /nacm/write-default | |||
| o /nacm/exec-default | o /nacm/exec-default | |||
| o /nacm/enable-external-groups | ||||
| o /nacm/groups | o /nacm/groups | |||
| o /nacm/rule-list | o /nacm/rule-list | |||
| 3.7.2. General Configuration Issues | 3.7.2. General Configuration Issues | |||
| There is a risk that invocation of non-standard protocol operations | There is a risk that invocation of non-standard protocol operations | |||
| will have undocumented side effects. An administrator needs to | will have undocumented side effects. An administrator needs to | |||
| construct access control rules such that the configuration datastore | construct access control rules such that the configuration datastore | |||
| is protected from such side effects. | is protected from such side effects. | |||
| skipping to change at page 41, line 48 | skipping to change at page 42, line 26 | |||
| o <partial-lock> | o <partial-lock> | |||
| o <partial-unlock> | o <partial-unlock> | |||
| 3.7.3. Data Model Design Considerations | 3.7.3. Data Model Design Considerations | |||
| Designers need to clearly identify any sensitive data, notifications, | Designers need to clearly identify any sensitive data, notifications, | |||
| or protocol operations defined within a YANG module. For such | or protocol operations defined within a YANG module. For such | |||
| definitions, a "nacm:default-deny-write" or "nacm:default-deny-all" | definitions, a "nacm:default-deny-write" or "nacm:default-deny-all" | |||
| statement SHOULD be present, in addition to a clear description of | statement ought to be present, in addition to a clear description of | |||
| the security risks. | the security risks. | |||
| Protocol operations need to be properly documented by the data model | Protocol operations need to be properly documented by the data model | |||
| designer, so it is clear to administrators what data nodes (if any) | designer, so it is clear to administrators what data nodes (if any) | |||
| are affected by the protocol operation, and what information (if any) | are affected by the protocol operation, and what information (if any) | |||
| is returned in the <rpc-reply> message. | is returned in the <rpc-reply> message. | |||
| Data models ought to be designed so that different access levels for | Data models ought to be designed so that different access levels for | |||
| input parameters to protocol operations is not required. Use of | input parameters to protocol operations is not required. Use of | |||
| generic protocol operations should be avoided, and separate protocol | generic protocol operations should be avoided, and separate protocol | |||
| skipping to change at page 43, line 29 | skipping to change at page 43, line 29 | |||
| Network Configuration Protocol (NETCONF)", RFC 6020, | Network Configuration Protocol (NETCONF)", RFC 6020, | |||
| October 2010. | October 2010. | |||
| [RFC6021] Schoenwaelder, J., "Common YANG Data Types", RFC 6021, | [RFC6021] Schoenwaelder, J., "Common YANG Data Types", RFC 6021, | |||
| October 2010. | October 2010. | |||
| [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. | [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. | |||
| Bierman, "Network Configuration Protocol (NETCONF)", | Bierman, "Network Configuration Protocol (NETCONF)", | |||
| RFC 6241, June 2011. | RFC 6241, June 2011. | |||
| [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure | ||||
| Shell (SSH)", RFC 6242, June 2011. | ||||
| 4.2. Informative References | 4.2. Informative References | |||
| [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | |||
| "Remote Authentication Dial In User Service (RADIUS)", | "Remote Authentication Dial In User Service (RADIUS)", | |||
| RFC 2865, June 2000. | RFC 2865, June 2000. | |||
| [RFC5607] Nelson, D. and G. Weber, "Remote Authentication Dial-In | [RFC5607] Nelson, D. and G. Weber, "Remote Authentication Dial-In | |||
| User Service (RADIUS) Authorization for Network Access | User Service (RADIUS) Authorization for Network Access | |||
| Server (NAS) Management", RFC 5607, July 2009. | Server (NAS) Management", RFC 5607, July 2009. | |||
| skipping to change at page 52, line 9 | skipping to change at page 52, line 9 | |||
| This example shows 1 notification rule: | This example shows 1 notification rule: | |||
| deny-config-change: This rule prevents the "limited" or "guest" | deny-config-change: This rule prevents the "limited" or "guest" | |||
| groups from receiving the acme <sys-config-change> event type. | groups from receiving the acme <sys-config-change> event type. | |||
| Appendix B. Change Log | Appendix B. Change Log | |||
| -- RFC Ed.: remove this section before publication. | -- RFC Ed.: remove this section before publication. | |||
| B.1. 05-06 | B.1. 06-07 | |||
| Added the leaf "enable-external-groups". | ||||
| Removed dependency to RFC 6242. | ||||
| Some editorial changes after IESG review. | ||||
| B.2. 05-06 | ||||
| Added clarification to Security Considerations section about | Added clarification to Security Considerations section about | |||
| ordered-by user lists (/nacm/rule-list and /nacm/rule-list/rule). | ordered-by user lists (/nacm/rule-list and /nacm/rule-list/rule). | |||
| Added clarifications to security considerations wrt/ user names and | Added clarifications to security considerations wrt/ user names and | |||
| NETCONF capability changes. | NETCONF capability changes. | |||
| Fixed typos found in review. | Fixed typos found in review. | |||
| B.2. 04-05 | B.3. 04-05 | |||
| Updated Security Considerations section. | Updated Security Considerations section. | |||
| Changed term 'operator' to 'administrator'. | Changed term 'operator' to 'administrator'. | |||
| Used the terms "access operation" and "protocol operation" | Used the terms "access operation" and "protocol operation" | |||
| consistently. | consistently. | |||
| Moved some normative text from section 2 to section 3. Also made it | Moved some normative text from section 2 to section 3. Also made it | |||
| more clear that section 2 is not a requirements section, but | more clear that section 2 is not a requirements section, but | |||
| documentation of the objectives for NACM. | documentation of the objectives for NACM. | |||
| Renamed "nacm:secure" to "nacm:default-deny-write", and "nacm:very- | Renamed "nacm:secure" to "nacm:default-deny-write", and "nacm:very- | |||
| secure" to "nacm:default-deny-all". Explained that "nacm:default- | secure" to "nacm:default-deny-all". Explained that "nacm:default- | |||
| deny-write" is ignored on rpc statements. | deny-write" is ignored on rpc statements. | |||
| Described that <kill-session> and <delete-config> behave as if | Described that <kill-session> and <delete-config> behave as if | |||
| specified with "nacm:default-deny-all". | specified with "nacm:default-deny-all". | |||
| B.3. 03-04 | B.4. 03-04 | |||
| Introduced rule-lists to group related rules together. | Introduced rule-lists to group related rules together. | |||
| Moved "module-rule", "rpc-rule", "notification-rule", and "data-rule" | Moved "module-rule", "rpc-rule", "notification-rule", and "data-rule" | |||
| into one common "rule", with a choice to select between the four | into one common "rule", with a choice to select between the four | |||
| variants. | variants. | |||
| Changed "superuser" to "recovery session", and adjusted text | Changed "superuser" to "recovery session", and adjusted text | |||
| throughout document for this change. | throughout document for this change. | |||
| Clarified behavior of global default NACM parameters, enable-nacm, | Clarified behavior of global default NACM parameters, enable-nacm, | |||
| read-default, write-default, exec-default. | read-default, write-default, exec-default. | |||
| Clarified when access control is applied during system | Clarified when access control is applied during system | |||
| initialization. | initialization. | |||
| B.4. 02-03 | B.5. 02-03 | |||
| Fixed improper usage of RFC 2119 keywords. | Fixed improper usage of RFC 2119 keywords. | |||
| Changed term usage of "database" to "datastore". | Changed term usage of "database" to "datastore". | |||
| Clarified that "secure" and "very-secure" extensions only apply if | Clarified that "secure" and "very-secure" extensions only apply if | |||
| the /nacm/enable-nacm object is "true". | the /nacm/enable-nacm object is "true". | |||
| B.5. 01-02 | B.6. 01-02 | |||
| Removed authentication text and objects. | Removed authentication text and objects. | |||
| Changed module name from ietf-nacm to ietf-netconf-acm. | Changed module name from ietf-nacm to ietf-netconf-acm. | |||
| Updated NETCONF and YANG terminology. | Updated NETCONF and YANG terminology. | |||
| Removed open issues section. | Removed open issues section. | |||
| Changed some must to MUST in requirements section. | Changed some must to MUST in requirements section. | |||
| B.6. 00-01 | B.7. 00-01 | |||
| Updated YANG anf YANG Types references. | Updated YANG anf YANG Types references. | |||
| Updated module namespace URI to standard format. | Updated module namespace URI to standard format. | |||
| Updated module header meta-data to standard format. | Updated module header meta-data to standard format. | |||
| Filled in IANA section. | Filled in IANA section. | |||
| B.7. 00 | B.8. 00 | |||
| Initial version cloned from | Initial version cloned from | |||
| draft-bierman-netconf-access-control-02.txt. | draft-bierman-netconf-access-control-02.txt. | |||
| Authors' Addresses | Authors' Addresses | |||
| Andy Bierman | Andy Bierman | |||
| Brocade | Brocade | |||
| Email: andy.bierman@brocade.com | Email: andy@netconfcentral.org | |||
| Martin Bjorklund | Martin Bjorklund | |||
| Tail-f Systems | Tail-f Systems | |||
| Email: mbj@tail-f.com | Email: mbj@tail-f.com | |||
| End of changes. 53 change blocks. | ||||
| 79 lines changed or deleted | 127 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||