Security Automation and Continuous Monitoring (SACM) Q. Lin
Internet-Draft L. Xia
Intended status: Standards Track Huawei
Expires: January 3, 2019 H. Birkholz
Fraunhofer SIT
July 2, 2018

The Data Model of Network Infrastructure Device Management Plane Security Baseline
draft-lin-sacm-nid-mp-security-baseline-03

Abstract

This document provides security baseline for network infrastructure device management plane, which is represented by YANG data model. The corresponding values of this YANG data model can be transported between Security Automation and Continuous Monitoring (SACM) components and used for network infrastructure device security evaluation.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 3, 2019.

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

Besides user devices and servers, network infrastructure devices such as routers, switches, and firewalls are crucial to enterprise network security. The security baseline defined in this document is a minimal set of security controls that are essential to provide network security. The security posture of network devices can then be assessed by compare the applied security controls with security baseline and organization-specific security controls.

Network devices are typically perform three planes of operation: management plane, control plane and data plane. All the planes should be protected and monitored to secure the network. This document focuses on security baseline for network device management plane. Management plane provides configuration and monitoring services to network administrator or device owner. Unauthorized access, insecure access channels, weak cryptographic algorithms are common security issues that break management plane security. A number of security best practices have been proposed to deal with these security issues, such as disabling unused services and ports, discarding insecure access channels, and enforcing strong user authentication and authorization. In this document, we provide a minimal set of security controls that are expected to be widely applicable to common network devices. In order to conduct security posture assessment,the values of these security controls that applied on network devices will then be compared with the reference values defined by an organization or third party. As for interoperability and extensibility, additional security controls can be specified by organizations or provided by specific vendors.

YANG data model is used in this document to describe the security baseline for network device management plane. [I-D.birkholz-sacm-yang-content] defines a method to construct the YANG data model scheme for the security posture assessment of the network device by brokering YANG push telemetry via SACM statements. In this document, we follow the same way to define the YANG output for network device security posture based on the [I-D.ietf-sacm-information-model].

Besides management plane security baseline, the security baselines for control plane, data plane, and infrastructure layer of network infrastructure devices are described in [I-D.dong-sacm-nid-cp-security-baseline], [I-D.xia-sacm-nid-dp-security-baseline] and [I-D.dong-sacm-nid-infra-security-baseline] respectively.

2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

3. Terminology

This document uses the terms defined in [RFC6020].

4. Tree Diagrams

Tree diagram defined in [RFC8340] is used to represent the YANG data model of network device management plane security. The meaning of the symbols used in the tree diagram and the syntax are as follows:

5. Data Model Structure

This document focuses on network infrastructure device management plane security, including security of administrator management, system management protocols, sytem ports, log, and local file system. Both security configuration and runtime state of security controls are taken into consideration. Four submodules will be illustrated in the following sections to represent the security baseline for:

There exists a multitude of YANG models for network devices and network protocols. For management plane security, several RFCs and drafts have defined some related parts. But an overall data model of management plane security is still missing. Moreover, the related data models may only focus on part of the security functions. Besides defining new submodules and groupings, the following sections will also reuse the existing YANG modules and provide additional attributes or groupings for the missing parts. Appendix A provides a summary of existing YANG modules and the relationship to the security baseline defined in this document.

5.1. Administrator Management Security

The "admin-management-security" submodule is divided into four parts:

submodule: admin-management-security
  +--rw admin-management-security
     +--rw admin-security-policy
     +--rw admin-login-security
     +--rw aaa-security
     +--ro admin-access-statistics
        

5.1.1. Administrator Security Policy

In order to provide basic protection of administrator accounts, security controls on account properties and passwords should be applied. The commonly applied security controls include limiting the length of account name, checking the password complied to the complexity policy, forbidding the use of some strings in password, blocking accounts after several login fails, etc. The following data model illustrates these kinds of security controls.

  +--rw admin-security-policy
     +--rw account-security-policy
     |  +--rw security-policy        boolean    
     |  +--rw account-aging-period   uint64     
     |  +--rw account-name-minlen    uint64
     +--rw pwd-security-policy
     |  +--rw expire-days            uint64
     |  +--rw prompt-days            uint64
     |  +--rw change-check           boolean
     |  +--rw complexity-check       boolean
     |  +--rw history-pwd-num        uint64
     |  +--rw pwd-minlen             uint64
     +--rw forbidden-word-rules
     |  +--rw forbidden-word-rule* [forbidden-word]
     |     +--rw forbidden-word      string
     +--rw login-failed-limit
        +--rw failed-times           uint64
        +--rw period                 uint64
        +--rw reactive-time          uint64
            

5.1.2. Administrator Login Security

Network infrastructure devices typically can be managed through command line interface (CLI) or web user interface. The web user interface provides basic maintenance and management functions. Sometimes an administrator still needs to use the CLI to implement complex or fine-grained management. If insecure access channels have to be used, several security controls should be enforced.

  +--rw admin-login-security
     +--rw console
     |  +--rw auth-mode          auth-mode-type         
     |  +--rw privilege-level    uint8
     +--rw vtys
     |  +--rw vty* [vty-number]
     |     +--rw vty-number        uint8
     |     +--rw auth-mode         auth-mode-type
     |     +--rw privilege-level   uint8
     |     +--rw acl-name-list*?   string
     |     +--rw ip-block-enable   boolean
     |     +--rw ip-block-limit {ip-block-config}?
     |        +--rw failed-times   uint64
     |        +--rw period         uint64
     |        +--rw reactive-time  uint64
     +--rw telnet
     |  +--rw telnet-ipv4-enable   boolean
     |  +--rw telnet-ipv4-server-port?  inet:port-number
     |  +--rw telnet-ipv6-enable   boolean
     |  +--rw telnet-ipv6-server-port?  inet:port-number
     |  +--rw telnet-server-interface?  string
     |  +--rw acl-name-list*           string
     |  +--rw ip-block-enable   boolean
     |  +--rw ip-block-limit {ip-block-config}?
     |     +--rw failed-times   uint64
     |     +--rw period         uint64
     |     +--rw reactive-time  uint64
     +--rw ssh
     |  +--rw ssh-enable          boolean
     |  +--u ssh-server-grouping [I-D.ietf-netconf-ssh-client-server]
     |  +--u ssh-security-hardening
     +--rw web  {web-interface}?
        +--rw auth-mode         auth-mode-type
        +--rw privilege-level    uint8
        +--rw http-server-interface?         string
        +--rw https-ipv4-enable           boolean       
        +--rw https-ipv6-enable           boolean
        +--rw https-source-port?          inet:port-number      
        +--rw https-timeout?              uint32
        +--rw ip-block-enable             boolean
        +--rw ip-block-limit {ip-block-config}?
        |  +--rw failed-times   uint64
        |  +--rw period         uint64
        |  +--rw reactive-time  uint64
        +--u tls-server-grouping       
                           [I-D.ietf-netconf-tls-client-server]            
           

In the above structure, several groupings are used.

The structure of grouping "ssh-security-hardening" :

grouping ssh-security-hardening:
  +--rw ssh-security-hardening
     +--rw ssh-server-port?           inet:port-number
     +--rw ssh-rekey-interval?        uint32
     +--rw ssh-timeout?               uint32
     +--rw ssh-retry-times?           uint32
     +--rw ssh-compatible-ssh1x-enable  boolean
     +--rw ssh-server-interface?         string
     +--rw ip-block-enable            boolean   
     +--rw ip-block-limit {ip-block-config}?
        +--rw failed-times   uint64
        +--rw period         uint64
        +--rw reactive-time  uint64
            

5.1.3. AAA

Authentication, Authorization, and Accounting (AAA) provides user management for network devices. RADIUS (Remote Authentication Dial In User Service) and TACACS+ (Terminal Access Controller Access Control System) are the commonly used AAA mechanisms. In order to implement AAA, network devices act as AAA clients to communicate with AAA servers. [RFC7317] defined YANG module for client to configure the RADIUS authentication server information. In this document, authentication, authorization and accounting schemes, as well as AAA server lists are all included.

   +--rw aaa-security
      +--rw authentication-scheme* [authen-scheme-name]
      |  +--rw authen-scheme-name   string 
      |  +--rw authen-mode*         aaa-authen-mode     
      |  +--rw authen-type?         radius-authen-type
      |  +--rw authen-fail-policy   boolean
      +--rw authorization-scheme* [author-scheme-name]
      |  +--rw author-scheme-name   string
      |  +--rw author-mode*         aaa-author-mode
      |  +--rw cmd-author-mode*     aaa-cmd-author-mode
      +--rw accounting-scheme* [account-scheme-name]
      |  +--rw account-scheme-name  string
      |  +--rw account-mode         aaa-account-name
      +--rw radius-security
      |  +--rw radius-authen-servers* [address]
      |  |  +--rw address         inet:host
      |  |  +--rw port            inet:port-number     
      |  +--rw radius-author-servers*? [address]
      |  |  +--rw address         inet:host
      |  |  +--rw port            inet:port-number
      |  +--rw radius-account-servers* [address]
      |     +--rw address         inet:host
      |     +--rw port            inet:port-number
      +--rw tacacs-security
         +--rw tacacs-authen-servers* [address]
         |  +--rw address         inet:host
         |  +--rw port            inet:port-number     
         +--rw tacacs-author-servers*? [address]
         |  +--rw address         inet:host
         |  +--rw port            inet:port-number
         +--rw tacacs-account-servers* [address]
            +--rw address         inet:host
            +--rw port            inet:port-number
               

5.1.4. Administrator Access Statistics

The statistics of the current online administrators, the failed login attempts and the blocked addresses are useful for the monitoring of network infrastructure devices. The structure is as follows:

  +--ro admin-access-statistics
     +--ro total-online-users        uint32
     +--ro online-admin-list  {display-online-info}?
     |  +--ro online-users* [account-name]
     |     +--ro account-name           string
     |     +--ro ip-address             inet:ip-address-no-zone
     |     +--ro mac-address            yang:mac-address
     +--ro ip-block-list
        +--ro blocked-ip* [ip-address]
           +--ro ip-address         inet:ip-address-no-zone
           +--ro vpn-instance         string
           +--rw state                ip-block-state-type  
           +--rw authen-fail-account  uint32          
            

5.2. System Management Security

The "system-management-security" submodule is divided into three parts:

submodule: system-management-security
  +--rw system-management-security
     +--rw snmp-security 
     +--rw netconf-security
     +--rw port-management-security                         
        

5.2.1. SNMP Management Security

Simple Network Management Protocol (SNMP) is a network management standard to monitor network devices. Three SNMP versions are available: SNMPv1, SNMPv2c, and SNMPv3. [RFC7407] defines community-based security model for SNMPv1 and SNMPv2c, view-based access control model and user-based security model for SNMPv3. The following module reuses the subtrees defined in RFC7407 for SNMP security configuration, and only supplements ACL configuration for VACM group.

  +--rw snmp-security                [RFC7407]
     +--rw target* [name]
     |  ...
     +--rw target-params* [name]
     |  ...
     +--rw community* [index]
     |   ...
     +--rw vacm
     |   +--rw group* [name]
     |      +--rw name                 snmp:group-name
     |      +--rw access* [context security-model security-level]
     |         ...
     |         +--rw acl-name-list*    string
     +--rw usm
        ...                     
            

5.2.2. NETCONF Management Security

The NETCONF server model defined in [I-D.ietf-netconf-netconf-client-server] supports both the SSH and TLS transport protocols. To conduct more security controls on NETCONF based operations, authorization rules can be used to control which operations can be done and which resources can be accessed.

  +--rw netconf-security
     +--rw listen {listen}?        [I-D.ietf-netconf-netconf-client-server]
     |  ...
     +--rw call-home {call-home}?  [I-D.ietf-netconf-netconf-client-server]
     |  ...         
     +--rw netconf-authorization?
        +--rw task-group-rules* [task-group-name]
        |  +--rw task-group-name             string
        |  +--rw task-group-rule*   [rule-name]
        |     +--rw rule-name                string
        |     +--rw rule-type                identityref
        +--rw user-group-rules* [user-group-name]
           +--rw user-group-name             string
           +--rw user-group-rule*   [rule-name]
              +--rw rule-name                string
              +--rw rule-type                identityref
     

5.2.3. Port Management Security

As it is suggested to disable unused service and ports, the current status (open or shut-down) of the ports that are available on the network devices can be retrieved and compared with the communication matrix to check the device security posture.

  +--rw port-management-security
     +--rw port-list*  [port-number]
        +--rw port-number       inet:port-number
        +--rw port-status        boolean        
        

5.3. Log Security

To monitor the running status and diagnose faults or attacks on network devices, the activities of network administrators, the operations conducted on devices, and the security notification of abnormal events are needed to be recorded in logs. Besides, policy should be defined to deal with log overflow. Log records can be outputted to console, or stored locally, or outputted to remote Syslog server. The following defined "log-mode" subtree reuses the security configuration of log remote transfer in [I-D.ietf-netmod-syslog-model], and adds access control for locally stored log files.

submodule: log-security
  +--rw log-security
     +--rw alert-notification
     |  +--rw login-fail-threshold         uint8
     |  +--rw system-abnormal              boolean
     |  +--rw attack                       boolean
     |  +--rw log-overflow-lost            boolean
     +--rw (log-overflow-action)
     |  +--:(rewrite-when-overflow)        boolean
     |  |  +--ro rewrite-numbers           uint16
     |  +--:(discard-new-logs)             boolean
     |     +--ro discard-numbers           uint16
     +--rw (log-mode)
        +--:(file) {file-action}?
        |  +--rw user-level-for-read       uint8
        |  +--rw user-level-for-delete     uint8
        +--:(remote) {remote-action}?      [I-D.ietf-netmod-syslog-model]
           +--rw destination* [name]
              +--rw name                   string
              +--rw (transport)        
              |  ...
              +--rw signing! {signed-messages}?
                 ...
            

5.4. File Security

Patches, packages, configuration files, password files are critical system files for network infrastructure devices. To provide security, only administrators with certain security privilege levels are allowed to access or operate on these files. For file transfer security, secure protocol should be used. If insecure protocol has to be used, security hardening needs to be implemented.

  +--rw file-security
     +--rw role-based-access-control   boolean
     +--rw ftp-transfer
     |  +--rw ftp-enable               boolean
     |  +--rw ftp-server-port          inet:port-number
     |  +--rw ip-block-enable            boolean    
     |  +--rw ip-block-limit {ip-block-config}?
     |     +--rw failed-times   uint64
     |     +--rw period         uint64
     |     +--rw reactive-time  uint64           
     +--rw sftp-transfer
     |  +--rw sftp-enable              boolean
     |  +--rw sftp-server-port         inet:port-number
     |  +--u ssh-server-grouping 
     |               [I-D.ietf-netconf-ssh-client-server] 
     |  +--u ssh-security-hardening  
     +--rw scp-transfer
     |  +--rw scp-enable               boolean
     |  +--rw scp-server-port          inet:port-number
     |  +--u ssh-server-grouping 
     |               [I-D.ietf-netconf-ssh-client-server] 
     |  +--u ssh-security-hardening 
     +--rw ftps-transfer
        +--rw ftps-enable              boolean
        +--rw ftps-server-port         inet:port-number
        +--u tls-server-grouping 
                              [I-D.ietf-netconf-tls-client-server]
        +--rw ip-block-enable            boolean    
        +--rw ip-block-limit {ip-block-config}?
           +--rw failed-times   uint64
           +--rw period         uint64
           +--rw reactive-time  uint64                    

6. Network Infrastructure Device Security Baseline Yang Module

<CODE BEGINS> file "ietf-management-plane-security@2018-06-29.yang" 
module ietf-management-plane-security {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-management-plane-security";
  prefix mp-sec;
        
  import ietf-inet-types {
    prefix inet;
      reference "RFC 6991 - Common YANG Data Types.";
  }
  
  import ietf-yang-types {
    prefix yang;
    reference
      "RFC 6991 - Common YANG Data Types.";
  }
    
  import ietf-tls-server {
    prefix tlss;
      reference "draft-ietf-netconf-tls-client-server";
    }
    
  import ietf-ssh-server {
    prefix sshs;
      reference "draft-ietf-netconf-ssh-client-server";
    } 
        
  organization
    "IETF SACM (Security Automation and Continuous Monitoring) Working Group";
    
  contact
    "WG Web: http://tools.ietf.org/wg/sacm/
    WG List: sacm@ietf.org
    
    Editor: Qiushi Lin
            linqiushi@huawei.com;
    Editor: Liang Xia
            frank.xialiang@huawei.com
	Editor: Henk Birkholz
            henk.birkholz@sit.fraunhofer.de";                   
    
  description
    "This YANG module defines groupings that are used by ietf-management-plane-security YANG module. Their usage is not limited to ietf-management-plane-security and can be used anywhere as applicable.";
            
  revision 2018-06-29 {
    description "Initial version.";
	reference "draft-lin-sacm-nid-mp-security-baseline-03";
  }
    
  /*
  * features
  */
  feature web-interface {
    description "The network device supports web interface for administrator to manage itself.";
  }
    
  feature ip-block-config {
    description "Whether the network device supports the configuration of ip block function.";
  }    
        
  feature display-online-info {
    description "Whether the device supports providing a list of online administrators.";
  }       
    
  /*
  * typedefs
  */
  typedef auth-mode-type {
    type enumeration {
      enum "none" {
        description "Authentication mode: none.";
      }
      enum "password" {
        description "Authentication mode: password.";
      }
      enum "aaa" {
         description "Authentication mode: aaa.";
      }
    }
    description "The Authentication mode of console and vty interface.";
   }
    
  typedef aaa-authen-mode {
    type enumeration {
      enum "invalid" {
        description "Invalid authentication mode.";
      }
      enum "local" {
        description "Local authentication mode.";
      }
      enum "tacacs" {
        description "TACACS authentication mode. ";
      }
      enum "radius" {
        description "RADIUS authentication mode. ";
       }
      enum "none" {
        description "In this mode, users can pass with authentication.";
      }
      enum "radius-proxy" {
        description "RADIUS proxy authentication mode.";
      }
    }
    description "Diffrent types of authentication modes.";
  }
    
  typedef radius-authen-type {
    type enumeration {
      enum "pap" {
        description "PAP authentication";
      }
      enum "chap" {
        description "CHAP authentication.";
      }
    }
    description "Different authentication types of RADIUS authentication.";
  }
    
  typedef aaa-author-mode {
    type enumeration {
      enum "invalid" {
        description "Invalid authorization mode.";
      }
      enum "local" {
        description "Local authorization mode.";
      }
      enum "tacacs" {
        description "TACACS authorization mode.";
      }
      enum "if-authenticated" {
        description "If-authenticated mode: If users pass the authentication and the authentication is not in this mode, it indicates that the user authorization is passed. Otherwise, the authorization is not passed.";
      }
      enum "none" {
        description "Users can pass without authorization.";
      }
    }
    description "Different types of AAA authorization modes.";
  }
    
  typedef aaa-cmd-author-mode {
    type enumeration {
      enum "invalid" {
        description "Invalid command line authorization mode.";
      }
      enum "local" {
        description "Local command line authorization mode.";
      }
      enum "tacacs" {
        description "Specifies that the TACACS mode is applied.";
      }
    }
    description "Different types of command line authorization modes.";
  }
    
  typedef aaa-account-mode {
    type enumeration {
      enum "invalid" {
        description "invalid accounting mode.";
      }
      enum "radius" {
        description "RADIUS accounting mode. ";
      }
      enum "tacacs" {
        description "TACACS accounting mode. ";
      }
      enum "none" {
        description "In this mode, users do not be accounting.";
      }
    }
    description "Different types of accounting modes.";
  }
    
  typedef ip-block-state-type {
    type enumeration {
      enum "authenfail" {
        description "Authentication fialed State";
      }
      enum "blocked" {
        description "BLOCKED State";
      }
    }
    description "The status of an login failed IP address";
  }
    
  /*
  * groupings
  */
  grouping ssh-security-hardening {
    leaf ssh-server-port {
      type inet:port-number;
      description "The port number of SSH server.";
    }
    leaf ssh-rekey-interval {
      type uint32;
      description "The interval for updating the key pair of the SSH server.";
    }
    leaf ssh-timeout {
      type uint32;
      description "The authentication timeout period of SSH.";
    }
    leaf ssh-retry-times {
      type uint32;
      description "The authentication retry times.";
    }
    leaf ssh-compatible-ssh1x-enable {
      type boolean;
      description "The status of version-compatible function on the SSH server: enabled, disabled.";
    }
    leaf ssh-server-interface {
      type string;
      description "The source interface of SSH server.";    
    }
    leaf ip-block-enable {
      type boolean;
      description "The status of ip block function: enabled, or disabled.";
    }
    container ip-block-limit {
      if-feature ip-block-config;
      leaf failed-times {
        type uint64;
		description "The failed times in a certain perid.";
      }
      leaf peroid {
        type uint64;
		description "The certain period in which the failed times are counted.";
      }
      leaf reactive-time {
        type uint64;
		description "The reactive time after which the address is not blocked.";
      }
      description "If the login from an address failed several times in a certain period, this address will be blocked for a certain time range.";
    }
	description "A set of SSH configuration status to enhance security.";
  }
    
  /*
  * admin-security-policy
  */
  container admin-security-policy {
    container account-sec-policy {
      leaf security-policy {
        type boolean;
        description "The status of account security policy: enabled, or disabled.";
      }
      leaf account-aging-period {
        type uint64;
        description "The aging period of an administrator.";
      }
      leaf account-name-minlen {
        type uint64;
        description "The minimum length of an administrator account name";
      }
      description "Get configuration data about administrator account security policy.";
    }
    container pwd-sec-policy {
      leaf expire-days {
        type uint64;
        description "The password validity period.";
      }
      leaf prompt-days {
        type uint64;
        description "The period for advance warning before the password expires.";
      }
      leaf change-check {
        type boolean;
        description "The status of mandatory password change when a password is used for the first time: enabled, or disabled.";
      }
      leaf complexity-check {
        type boolean;
        description "The status of password complexity check: enable, or disable.";
      }
      leaf history-pwd-num {
        type uint64;
        description "The newly configured password should not be the same as the several past passwords.";
      }
      leaf pwd-minlen {
        type uint64;
        description "The minimum length of a password.";
      }
      description "Get configuration data about password security policy.";
    }
    container forbidden-word-rules {
      list forbidden-word-rule {
        key "forbidden-word";
        leaf forbidden-word {
          type string;
          description "A forbidden word in password.";
        }
        description "A list of forbidden words that are not allowed to be used in password.";
      }
      description "Password blacklist.";
    }
    container login-failed-limit {
      leaf failed-times {
        type uint64;
		description "The failed time in a certain period.";
      }
      leaf peroid {
        type uint64;
		description "The certain period in which the failed times are counted.";
      }
      leaf reactive-time {
        type uint64;
		description "The reactive time after which the account is not blocked.";
      }
      description "If an account login failed several times in a certain period, this account will be blocked for a certain time range.";
    }
    description "Get configuration data about administrator security policy.";
  }
    
    
  /*
  * admin-login-security
  */
  grouping admin-login-security {
    container console {
      leaf auth-mode {
        type auth-mode-type;
        description "The authentication mode used when administrator login through console interface: none, password, AAA.";
      }
      leaf privilege-level {
        type uint8;
        description "User privilege level.";
      }
      description "Status of security contorls for console interface.";
    }
    container vtys {
      list vty {
        key "vty-number";
        leaf vty-number {
          type uint8;
          description "The number of the vty interface.";
        }
        leaf auth-mode {
          type auth-mode-type;
          description "The authentication mode used when administrator login through vty interface: none, password, AAA.";
        }
        leaf privilege-level {
          type uint8;
          description "User privilege level.";
        }
        leaf-list acl-name-list {
          type string;
          description "The name of the acl.";
        }
        leaf ip-block-enable {
          type boolean;
          description "The status of ip block function: enabled, or disabled.";
        }
        container ip-block-limit {
          if-feature ip-block-config;
		  leaf failed-times {
            type uint64;
		    description "The failed times in a certain perid.";
          }
          leaf peroid {
            type uint64;
		    description "The certain period in which the failed times are counted.";
          }
          leaf reactive-time {
            type uint64;
		    description "The reactive time after which the address is not blocked.";
          }
          description "If the login from an address failed several times in a certain period, this address will be blocked for a certain time range.";
        }
		description "A list of vty interface configuration status.";
      }
      description "Configuration status of security contorls for vty interface.";
    }
    container telnet {
      leaf telnet-ipv4-enable {
        type boolean;
        description "The status of ipv4 telnet server: enabled, or disabled.";
      }
      leaf telnet-ipv4-server-port {
        type inet:port-number;
        description "The port number of ipv4 telnet server.";
      }
      leaf telnet-ipv6-enable {
        type boolean;
        description "The status of ipv6 telnet server: enabled, or disabled.";
      }
      leaf telnet-ipv6-server-port {
        type inet:port-number;
        description "The port number of ipv6 telnet server.";
      }
      leaf telnet-server-interface {
        type string;
        description "The source interface of telnet server.";
      }
      leaf-list acl-name-list {
        type string;
        description "The name of the acl.";
      }
      leaf ip-block-enable {
        type boolean;
        description "Whether the ip block function is enabled: enabled, disabled.";
      }
      container ip-block-limit {
        if-feature ip-block-config;
        leaf failed-times {
          type uint64;
		  description "The failed times in a certain perid.";
        }
        leaf peroid {
          type uint64;
		  description "The certain period in which the failed times are counted.";
        }
        leaf reactive-time {
          type uint64;
		  description "The reactive time after which the address is not blocked.";
        }
        description "If the login from an address failed several times in a certain period, this address will be blocked for a certain time range.";
      }
      description "Configuration status of security contorls for telnet login.";
    }
    container ssh {
      leaf ssh-enable {
        type boolean;
        description "The status of SSH server: enabled, or disabled.";
      }
      uses sshs:ssh-server-grouping;
      uses ssh-security-hardening;
      description "Configuration status of security contorls for SSH login.";
    }
    container web {
      if-feature web-interface;
      uses tlss:tls-server-grouping;
      leaf auth-mode {
        type auth-mode-type;
        description "The authentication mode used when administrator login through web interface: none, password, AAA.";
      }
      leaf privilege-level {
        type uint8;
        description "User privilege level.";
      }
      leaf http-server-interface {
        type string;
        description "The source interface of web server.";
      }
      leaf https-ipv4-enable {
        type boolean;
        description "The status of ipv4 https server: enabled, disabled.";
      }
      leaf https-ipv6-enable {
        type boolean;
        description "The status of ipv6 https server: enabled, disabled.";
      }
      leaf https-source-port {
        type inet:port-number;
        description "The port number of web server.";
      }
      leaf https-timeout {
        type uint32;
        description "The authentication timeout period of https.";
      }
      leaf ip-block-enable {
        type boolean;
        description "The status of ip block function: enabled, or disabled.";
      }
      container ip-block-limit {
        if-feature ip-block-config;
        leaf failed-times {
          type uint64;
		  description "The failed times in a certain perid.";
        }
        leaf peroid {
          type uint64;
		  description "The certain period in which the failed times are counted.";
        }
        leaf reactive-time {
          type uint64;
		  description "The reactive time after which the address is not blocked.";
        }
        description "If the login from an address failed several times in a certain period, this address will be blocked for a certain time range.";
      }
      description "If the network device supports web interface. The configuration status of the web server.";
    }
    description "Configuration status of different types of login interfaces.";
  }
    
  container aaa-security {
    list authentication-scheme {
      key "authen-scheme-name";
      leaf authen-scheme-name {
        type string;
        description "The name of the authentication scheme.";
      }
      leaf-list authen-mode {
        type aaa-authen-mode;
        description "A list of authentication modes with different preference level. The second, third, and the following authentication mode is used only when the first authentication mode does not respond.";
      }
      leaf authen-type {
        type radius-authen-type;
        description "Authentication type of RADIUS: PAP, CHAP.";
      }
      leaf authen-fail-policy {
        type boolean;
        description "The policy to be adopted after user authentication fail: force the user to be offline, allow user login to a domain with access control.";
      }
      description "Authentication scheme list.";
    } 
    list authorization-scheme {
      key "author-scheme-name";
      leaf author-scheme-name {
        type string;
        description "The name of the authorization scheme.";
      }
      leaf-list auhtor-mode {
        type aaa-author-mode;
        description "A list of authorization modes with different preference level. The second, third, and the following authorization mode is used only when the first authorization mode does not respond.";
      }
      leaf-list cmd-auhtor-mode {
        type aaa-cmd-author-mode;
        description "A list of command line authorization modes with different preference level. The second, third, and the following command line authorization mode is used only when the first command line authorization mode does not respond.";
      }
      description "Authorization scheme list.";
    }
    list accounting-scheme {
      key "account-scheme-name";
      leaf account-scheme-name {
        type string;
        description "The name of the accounting scheme.";
      }
      leaf account-mode {
        type aaa-account-mode;
        description "Accounting mode.";
      }
      description "Accounting scheme list.";
    }
    container radius-security {
      list radius-authen-servers {
        key "address";
        leaf address {
          type inet:host;
          description "The ip address of the authentication server.";
        }
        leaf port {
          type inet:port-number;
          description "The port number of the authentication server.";
        }
		description "A list of RADIUS authentication servers";
      }
      list radius-author-servers {
        key "address";
        leaf address {
          type inet:host;
          description "The ip address of the authorization server.";
        }
        leaf port {
          type inet:port-number;
          description "The port number of the authorization server.";
        }
		description "A list of RADIUS authorization servers";
      }
      list radius-account-servers {
        key "address";
        leaf address {
          type inet:host;
          description "The ip address of the accounting server.";
        }
        leaf port {
          type inet:port-number;
          description "The port number of the accounting server.";
        }
		description "A list of RADIUS accounting servers";
      }
      description "RADIUS authentication servers, authorization servers and accounting servers.";
    }
    container tacacs-security {
      list tacacs-authen-servers {
        key "address";
        leaf address {
          type inet:host;
          description "The ip address of the authentication server.";
        }
        leaf port {
          type inet:port-number;
          description "The port number of the authentication server.";
        }
        description "A list of TACACS+ and TACACS+ compatible authentication servers";
      }
      list tacacs-author-servers {
        key "address";
        leaf address {
          type inet:host;
          description "The ip address of the authorization server.";
        }
        leaf port {
          type inet:port-number;
          description "The port number of the authorization server.";
        }
        description "A list of TACACS+ and TACACS+ compatible authorization servers";
      }
      list tacacs-account-servers {
        key "address";
        leaf address {
          type inet:host;
          description "The ip address of the accounting server.";
        }
        leaf port {
          type inet:port-number;
          description "The port number of the accounting server.";
        }
		description "A list of TACACS+ and TACACS+ compatible accounting servers";
      }
      description "TACACS+ and TACACS+ compatible authentication servers, authorization servers, and accounting servers.";
    }
    description "Configuration status of AAA.";
  }
    
  container admin-access-statistics {
    config false;
    leaf total-online-users {
      type uint32;
      config false;
      description "The number of administrators that are current online.";
    }
    container online-admin-list {
      if-feature display-online-info;
      config false;   
      list online-users {
        key "account-name";
        leaf account-name {
          type string;
          config false;
          description "The account name of the online account.";
        }
        leaf ip-address {
          type inet:ip-address-no-zone;
          config false;
		  description "The ip address of the online account.";
        }
        leaf mac-address {
          type yang:mac-address;
          config false;
		  description "The MAC address of the online account.";
        }
        description "Online adminstrator list.";
      } 
      description "If the device supports providing information of online administrators, a list of account details are provided.";
    }
    description "online administrator lists, ip addresses authentication failure or blocked ip addresses. ";
  }
}
 

7. Acknowledgements

8. IANA Considerations

This document requires no IANA actions.

9. Security Considerations

Secure transport should be used to retrieve the current status of management plane security baseline.

10. References

10.1. Normative References

[I-D.birkholz-sacm-yang-content] Birkholz, H. and N. Cam-Winget, "YANG subscribed notifications via SACM Statements", Internet-Draft draft-birkholz-sacm-yang-content-01, January 2018.
[I-D.dong-sacm-nid-cp-security-baseline] Dong, Y. and L. Xia, "The Data Model of Network Infrastructure Device Control Plane Security Baseline", Internet-Draft draft-dong-sacm-nid-cp-security-baseline-00, September 2017.
[I-D.dong-sacm-nid-infra-security-baseline] Dong, Y. and L. Xia, "The Data Model of Network Infrastructure Device Infrastructure Layer Security Baseline", Internet-Draft draft-dong-sacm-nid-infra-security-baseline-01, May 2018.
[I-D.ietf-netconf-netconf-client-server] Watsen, K. and G. Wu, "NETCONF Client and Server Models", Internet-Draft draft-ietf-netconf-netconf-client-server-06, June 2018.
[I-D.ietf-netconf-ssh-client-server] Watsen, K. and G. Wu, "YANG Groupings for SSH Clients and SSH Servers", Internet-Draft draft-ietf-netconf-ssh-client-server-06, June 2018.
[I-D.ietf-netconf-tls-client-server] Watsen, K. and G. Wu, "YANG Groupings for TLS Clients and TLS Servers", Internet-Draft draft-ietf-netconf-tls-client-server-06, June 2018.
[I-D.ietf-netmod-acl-model] Jethanandani, M., Huang, L., Agarwal, S. and D. Blair, "Network Access Control List (ACL) YANG Data Model", Internet-Draft draft-ietf-netmod-acl-model-19, April 2018.
[I-D.ietf-netmod-syslog-model] Wildes, C. and K. Koushik, "A YANG Data Model for Syslog Configuration", Internet-Draft draft-ietf-netmod-syslog-model-26, March 2018.
[I-D.ietf-sacm-information-model] Waltermire, D., Watson, K., Kahn, C., Lorenzin, L., Cokus, M., Haynes, D. and H. Birkholz, "SACM Information Model", Internet-Draft draft-ietf-sacm-information-model-10, April 2017.
[I-D.xia-sacm-nid-dp-security-baseline] Xia, L. and G. Zheng, "The Data Model of Network Infrastructure Device Data Plane Security Baseline", Internet-Draft draft-xia-sacm-nid-dp-security-baseline-02, June 2018.
[RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for System Management", RFC 7317, DOI 10.17487/RFC7317, August 2014.
[RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407, December 2014.

10.2. Informative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.
[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010.
[RFC8340] Bjorklund, M. and L. Berger, "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

Appendix A.

The following is the whole structure of the YANG tree diagram for network infrastructure device management plane. The existed RFCs and drafts that related this document are listed at the right side.

module: nid-management-plane-security
  +--rw admin-management-security
  |  +--rw admin-security-policy
  |  +--rw admin-login-security     [I-D.ietf-netconf-ssh-client-server]
  |                                 [I-D.ietf-netconf-tls-client-server]
  |  +--rw aaa-security      [RFC7317]
  |  +--rw admin-access-statistics
  +--rw system-management-security
  |  +--rw snmp-security            [RFC7407]
  |  +--rw netconf-security         [I-D.ietf-netconf-netconf-client-server]
  |  +--rw port-management-security
  +--rw log-security
  |  +--rw alert-notification
  |  +--rw log-overflow-action
  |  +--rw log-mode                [I-D.ietf-netmod-syslog-model]
  +--rw file-security              [I-D.ietf-netconf-ssh-client-server]
                                   [I-D.ietf-netconf-tls-client-server]  
    

Draft [I-D.ietf-netconf-tls-client-server] and draft [I-D.ietf-netconf-ssh-client-server] focus on YANG models for TLS-specific configuration and SSH-specific configuration respectively. The transport-level configuration, such as what ports to listen-on or connect-to, is not included. Draft [I-D.ietf-netconf-netconf-client-server] defines NETCONF YANG model based on the data models defined in the above two documents.

[RFC7317] defines a YANG data model for system management of device containing a NETCONF sever. It summarizes data modules for NETCONF user authentication, and defined YANG module for client to configure the RADIUS authentication server information. Three methods are defined for user authentication: public key for local users over SSH, password for local users over any secure transport, password for RADIUS users over any secure transport.

[RFC7407] defines a YANG model for SNMP configuration, including community-based security module for SNMPv1 and SNMPv2c, as well as view-based access control module and user-based security module for SNMPv3.

Draft [I-D.ietf-netmod-syslog-model] defines a YANG model for Syslog configuration, including TLS based transport security and syslog messages signing.

Authors' Addresses

Qiushi Lin Huawei Huawei Industrial Base Shenzhen, Guangdong 518129 China EMail: linqiushi@huawei.com
Liang Xia Huawei 101 Software Avenue, Yuhuatai District Nanjing, Jiangsu 210012 China EMail: Frank.xialiang@huawei.com
Henk Birkholz Fraunhofer SIT Rheinstrasse 75 Darmstadt, 64295 Germany EMail: henk.birkholz@sit.fraunhofer.de