--- 1/draft-ietf-lisp-yang-08.txt 2018-10-18 15:13:31.160343042 -0700 +++ 2/draft-ietf-lisp-yang-09.txt 2018-10-18 15:13:31.308346618 -0700 @@ -1,25 +1,25 @@ LISP Working Group V. Ermagan Internet-Draft A. Rodriguez-Natal Intended status: Experimental F. Coras -Expires: December 31, 2018 C. Moberg +Expires: April 21, 2019 C. Moberg R. Rahman Cisco Systems A. Cabellos-Aparicio Technical University of Catalonia F. Maino Cisco Systems - June 29, 2018 + October 18, 2018 LISP YANG Model - draft-ietf-lisp-yang-08 + draft-ietf-lisp-yang-09 Abstract This document describes a YANG data model to use with the Locator/ID Separation Protocol (LISP). The YANG modules in this document conform to the Network Management Datastore Architecture (NMDA). Status of This Memo @@ -30,21 +30,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on December 31, 2018. + This Internet-Draft will expire on April 21, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -61,38 +61,38 @@ 1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 2. LISP Module . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Module Structure . . . . . . . . . . . . . . . . . . . . 3 2.2. Module Definition . . . . . . . . . . . . . . . . . . . . 6 3. LISP-ITR Module . . . . . . . . . . . . . . . . . . . . . . . 16 3.1. Module Structure . . . . . . . . . . . . . . . . . . . . 16 3.2. Module Definition . . . . . . . . . . . . . . . . . . . . 21 4. LISP-ETR Module . . . . . . . . . . . . . . . . . . . . . . . 25 4.1. Module Structure . . . . . . . . . . . . . . . . . . . . 25 4.2. Module Definition . . . . . . . . . . . . . . . . . . . . 27 - 5. LISP-Map-Server Module . . . . . . . . . . . . . . . . . . . 31 + 5. LISP-Map-Server Module . . . . . . . . . . . . . . . . . . . 32 5.1. Module Structure . . . . . . . . . . . . . . . . . . . . 32 5.2. Module Definition . . . . . . . . . . . . . . . . . . . . 40 6. LISP-Map-Resolver Module . . . . . . . . . . . . . . . . . . 46 - 6.1. Module Structure . . . . . . . . . . . . . . . . . . . . 46 + 6.1. Module Structure . . . . . . . . . . . . . . . . . . . . 47 6.2. Module Definition . . . . . . . . . . . . . . . . . . . . 47 7. LISP-Address-Types Module . . . . . . . . . . . . . . . . . . 49 7.1. Module Definition . . . . . . . . . . . . . . . . . . . . 49 - 7.2. Data Model examples . . . . . . . . . . . . . . . . . . . 63 + 7.2. Data Model examples . . . . . . . . . . . . . . . . . . . 64 7.2.1. LISP protocol instance . . . . . . . . . . . . . . . 64 7.2.2. LISP ITR . . . . . . . . . . . . . . . . . . . . . . 65 - 7.2.3. LISP ETR . . . . . . . . . . . . . . . . . . . . . . 65 - 7.2.4. LISP Map-Server . . . . . . . . . . . . . . . . . . . 67 - 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 68 - 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 68 - 10. Security Considerations . . . . . . . . . . . . . . . . . . . 70 - 11. Normative References . . . . . . . . . . 
. . . . . . . . . . 70 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 71 + 7.2.3. LISP ETR . . . . . . . . . . . . . . . . . . . . . . 66 + 7.2.4. LISP Map-Server . . . . . . . . . . . . . . . . . . . 68 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 69 + 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 69 + 10. Security Considerations . . . . . . . . . . . . . . . . . . . 71 + 11. Normative References . . . . . . . . . . . . . . . . . . . . 74 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 76 1. Introduction The Locator/ID Separation Protocol (LISP) defines several network elements subject to be configured. This document presents the YANG data models required for basic configuration of all major LISP [RFC6830] elements. The models also capture some essential operational data elements as well. 1.1. Requirements Language @@ -686,20 +686,26 @@ type uint64; description "Site ID"; } leaf xtr-id { type lisp:xtr-id-type; description "xTR ID"; } } container virtual-networks { + when "../lisp-role/lisp-role-type = 'itr' or + ../lisp-role/lisp-role-type = 'pitr' or + ../lisp-role/lisp-role-type = 'etr' or + ../lisp-role/lisp-role-type = 'petr'" { + description "Only when ITR, PITR, ETR or PETR."; + } description "Virtual networks"; list virtual-network { key vni; description "List of virtual networks"; leaf vni { type lcaf:instance-id-type; description "Virtual network identifier"; } 
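Review bot: the new `when` on `container virtual-networks` compares `../lisp-role/lisp-role-type` with bare string literals ('itr', 'pitr', 'etr', 'petr'); if `lisp-role-type` is an identityref (its definition is not in this hunk), that comparison is fragile because the XPath string value of an identityref is the identity name qualified with the defining module's prefix, and RFC 7950 points to `derived-from-or-self(../lisp-role/lisp-role-type, 'lisp:itr')` (or-ed over the four roles) for this kind of test. Two smaller points for the same hunk: confirm that `lisp-role` and its `lisp-role-type` leaf really sit at the sibling path the relative expression assumes, and note somewhere in the document (the container's own `description`, not only the `when` description "Only when ITR, PITR, ETR or PETR.") that this is a backward-incompatible change, since a -08 configuration that carried a `virtual-networks` subtree under a map-server or map-resolver instance becomes invalid under -09 when the `when` condition evaluates to false.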
@@ -3307,33 +3316,186 @@ URI: urn:ietf:params:xml:ns:yang:ietf-lisp-address-types Registrant Contact: The IESG. XML: N/A, the requested URI is an XML namespace. -------------------------------------------------------------------- 10. Security Considerations - Security Considerations TBD + The YANG modules specified in this document define a schema for data + that is designed to be accessed via network management protocols such + as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer + is the secure transport layer, and the mandatory-to-implement secure + transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer + is HTTPS, and the mandatory-to-implement secure transport is TLS + [RFC8446]. + + The NETCONF access control model [RFC8341] provides the means to + restrict access for particular NETCONF or RESTCONF users to a pre- + configured subset of all available NETCONF or RESTCONF protocol + operations and content. + + The security considerations of LISP control-plane [RFC6833] and LISP + data-plane [RFC6830] as well as the LISP threat analysis [RFC7835] + apply to this YANG model. + + There are a number of data nodes defined in this YANG module that are + writable/creatable/deletable (i.e., config true, which is the + default). These data nodes may be considered sensitive or vulnerable + in some network environments. Write operations (e.g., edit-config) + to these data nodes without proper protection can have a negative + effect on network operations. These are the subtrees and data nodes + and their sensitivity/vulnerability: + + /rt:routing/rt:control-plane-protocols/rt:control-plane-protocol/ + lisp:lisp/ + + Access to the locator-sets node may modify which interfaces are used + for data and/or control traffic as well as affect the load balancing + of data-plane traffic. Access to the lisp-role node may prevent the + device from perform its intended data-plane and/or control-plane + operation. 
Access to the router-id node allows to modify the unique + identifier of the device, which may result in disruption of its LISP + control-plane operation. Access to the virtual-networks node may + allow to redirect data-plane traffic to erroneous local or remote + network instances. + + /rt:routing/rt:control-plane-protocols/rt:control-plane- + protocol/lisp:lisp/lisp:map-server + + Access to the sites node can prevent authorized devices from + registering mappings in the Map-Server and/or allow unauthorized + devices to so. Access to the virtual-network-ids node can result in + corrupted mapping sate that may propagate across the LISP network, + potentially resulting in forwarding of data-plane traffic to + arbitrary destinations and general disruption of the data-plane + operation. Access to mapping-system-type and/or ddt-mapping-system + nodes may prevent the device to connect to the Mapping System + infrastructure and consequentially to attract Map-Request messages. + + /rt:routing/rt:control-plane-protocols/rt:control-plane- + protocol/lisp:lisp/lisp:map-resolver + + Access to mapping-system-type, ms-address and/or ddt-mapping-system + nodes may prevent the device to connect to the Mapping System + infrastructure and forward Map-Request messages. + + /rt:routing/rt:control-plane-protocols/rt:control-plane- + protocol/lisp:lisp/lisp:itr + + Access to the rloc-probing node can increase the control-plane + overhead in the device or affect the capability of the device to + detect failures on the underlay. Access to the itr-rlocs node may + prevent the device from getting Map-Reply messages. Access to the + map-resolvers node can prevent the device from sending its Map- + Request messages to valid Map-Resolvers. Access to the proxy-etrs + nodes can affect the capability of the device to send data-plane + traffic towards non-LISP destinations. 
Access to the map-cache node + can result in forwarding of data-plane traffic to arbitrary + destinations and general disruption of data-plane operation. + + /rt:routing/rt:control-plane-protocols/rt:control-plane- + protocol/lisp:lisp/lisp:etr + + Access to the map-servers node can prevent the device from + registering its local mappings into the Mapping System. Access to + the local-eids node can disrupt data-plane operation on the device + and/or result in the device registering corrupted mappings into the + Mapping System. + + Some of the readable data nodes in this YANG module may be considered + sensitive or vulnerable in some network environments. It is thus + important to control read access (e.g., via get, get-config, or + notification) to these data nodes. These are the subtrees and data + nodes and their sensitivity/vulnerability: + + /rt:routing/rt:control-plane-protocols/rt:control-plane-protocol/ + lisp:lisp + + Access to the locator-sets node can expose the locators the device is + using for its control and/or data operation. Access to the lisp-role + node can disclose the LISP roles instantiated at the device which + facilitates mounting attacks against the device. Access to the + router-id node can expose the unique identifier of device which may + allow a third party to track its control-plane operation and/or + impersonate the device. Access to the virtual-networks node can leak + the local mapping between LISP Instance IDs and local network + instances. + + /rt:routing/rt:control-plane-protocols/rt:control-plane- + protocol/lisp:lisp/lisp:map-server + + Access to the sites node can expose the credentials used to register + mappings and allow unauthorized devices to do so. Access to the + virtual-network-ids node can expose the mappings currently registered + in the device, which has privacy implications. 
Access to the + mapping-system-type node may reveal the Mapping System in use which + can be used to mount attacks against the device and/or the Mapping + System. Access to the summary and counters nodes may expose + operational statistics of the device. + + /rt:routing/rt:control-plane-protocols/rt:control-plane- + protocol/lisp:lisp/lisp:map-resolver + + Access to the mapping-system-type node may reveal the Mapping System + in use which can be used to mount attacks against the device and/or + the Mapping System. Access to the ms-address and/or ddt-mapping- + system nodes can leak the information about the Mapping System + infrastructure used by the device, which can be used to block + communication and/or mount attacks against it. + + /rt:routing/rt:control-plane-protocols/rt:control-plane- + protocol/lisp:lisp/lisp:itr + + Access to the rloc-probing node can expose if and how the device is + using control-plane signaling to probe underlay locators. Access to + the itr-rlocs node may disclose the addresses the device is using to + receive Map-Reply messages. Access to the map-resolvers node can + expose the Map-Resolvers used by the device, which can be used to + mount attacks against the device and/or the Mapping System. Access + to the proxy-etrs node can disclose the PETRs used by the device, + which can be used to mount attacks against the device and/or PETRs. + Access to the map-cache node can expose the mappings currently cached + in the device, which has privacy implications. + + /rt:routing/rt:control-plane-protocols/rt:control-plane- + protocol/lisp:lisp/lisp:etr + + Access to the map-servers node can expose the credentials used by the + device to register mappings into the Mapping System allowing an + unauthorized device to impersonate and register mappings on behalf + the authorized device. Access to the local-eids node can expose the + local EIDs currently being served by the device, which has privacy + implications. 11. 
Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, . + [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., + and A. Bierman, Ed., "Network Configuration Protocol + (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, + . + + [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure + Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, + . + [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The Locator/ID Separation Protocol (LISP)", RFC 6830, DOI 10.17487/RFC6830, January 2013, . [RFC6832] Lewis, D., Meyer, D., Farinacci, D., and V. Fuller, "Interworking between Locator/ID Separation Protocol (LISP) and Non-LISP Sites", RFC 6832, DOI 10.17487/RFC6832, January 2013, . 
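Review bot: the new Security Considerations text has several grammatical slips that should be fixed before the next revision: "prevent the device from perform its intended" (performing), "allows to modify the unique identifier" (allows modification of), "may allow to redirect data-plane traffic" (may redirect), "allow unauthorized devices to so" (to do so), "corrupted mapping sate" (state), "prevent the device to connect" (from connecting), and "on behalf the authorized device" (on behalf of). The boilerplate also says "this YANG module" in the singular although the document defines five modules, and the first subtree path ends in "lisp:lisp/" while the matching read-access path ends in "lisp:lisp"; make them consistent. On substance, the text itself states that the `sites` and `map-servers` nodes expose the credentials used to register mappings; the leaves that hold those keys should carry the `nacm:default-deny-all` extension from RFC 8341 so that NACM denies read and write access to them by default instead of relying on operators to write rules, and the write-access and read-access paragraphs can then point to that. Finally, the YANG security template's paragraph on RPCs and actions is absent; if any of the modules defines an RPC or action, add it, otherwise say explicitly that none are defined.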
@@ -3341,42 +3503,60 @@ [RFC6833] Fuller, V. and D. Farinacci, "Locator/ID Separation Protocol (LISP) Map-Server Interface", RFC 6833, DOI 10.17487/RFC6833, January 2013, . [RFC6836] Fuller, V., Farinacci, D., Meyer, D., and D. Lewis, "Locator/ID Separation Protocol Alternative Logical Topology (LISP+ALT)", RFC 6836, DOI 10.17487/RFC6836, January 2013, . + [RFC7835] Saucez, D., Iannone, L., and O. Bonaventure, "Locator/ID + Separation Protocol (LISP) Threat Analysis", RFC 7835, + DOI 10.17487/RFC7835, April 2016, + . + + [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF + Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, + . + [RFC8060] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical Address Format (LCAF)", RFC 8060, DOI 10.17487/RFC8060, February 2017, . [RFC8111] Fuller, V., Lewis, D., Ermagan, V., Jain, A., and A. Smirnov, "Locator/ID Separation Protocol Delegated Database Tree (LISP-DDT)", RFC 8111, DOI 10.17487/RFC8111, May 2017, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, . + [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration + Access Control Model", STD 91, RFC 8341, + DOI 10.17487/RFC8341, March 2018, + . + [RFC8349] Lhotka, L., Lindem, A., and Y. Qu, "A YANG Data Model for Routing Management (NMDA Version)", RFC 8349, DOI 10.17487/RFC8349, March 2018, . + [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol + Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, + . + Authors' Addresses Vina Ermagan Cisco Systems San Jose, CA USA Email: vermagan@cisco.com Alberto Rodriguez-Natal
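Review bot: the document has only a Normative References section (the table of contents lists no Informative References), yet the newly added RFC 7835 (the Informational LISP threat analysis) and the existing RFC 8340 (tree diagram notation) are cited for background rather than as requirements that an implementation must satisfy; split them into an Informative References section and keep RFC 6241, RFC 6242, RFC 8040, RFC 8341 and RFC 8446 normative, as the YANG security template expects. The new entries otherwise look correct (RFC 8341 as STD 91, RFC 8446 dated August 2018), and the version, date and expiry updates in the header hunk are consistent with an October 18, 2018 submission.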