--- 1/draft-ietf-ospf-yang-27.txt 2019-08-26 08:13:14.343248806 -0700 +++ 2/draft-ietf-ospf-yang-28.txt 2019-08-26 08:13:14.563254380 -0700 @@ -1,25 +1,25 @@ Internet D. Yeung Internet-Draft Arrcus Intended status: Standards Track Y. Qu -Expires: February 23, 2020 Futurewei +Expires: February 27, 2020 Futurewei J. Zhang Juniper Networks I. Chen The MITRE Corporation A. Lindem Cisco Systems - August 22, 2019 + August 26, 2019 YANG Data Model for OSPF Protocol - draft-ietf-ospf-yang-27 + draft-ietf-ospf-yang-28 Abstract This document defines a YANG data model that can be used to configure and manage OSPF. The model is based on YANG 1.1 as defined in RFC 7950 and conforms to the Network Management Datastore Architecture (NMDA) as described in RFC 8342. Status of This Memo @@ -29,21 +29,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on February 23, 2020. + This Internet-Draft will expire on February 27, 2020. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -62,28 +62,28 @@ 2.1. OSPF Operational State . . . . . . . . . . . . . . . . . 3 2.2. Overview . . . . . . . . . . . . . . . . . . . . . . . . 4 2.3. OSPFv2 and OSPFv3 . . . . . . . . . . . . . . . . . . . . 5 2.4. Optional Features . . . . . . . . . . . . . . . . . . . . 5 2.5. OSPF Router Configuration/Operational State . . . . . . . 7 2.6. OSPF Area Configuration/Operational State . . . . . . . . 10 2.7. OSPF Interface Configuration/Operational State . . . . . 16 2.8. OSPF Notifications . . . . . . . . . . . . . . . . . . . 19 2.9. OSPF RPC Operations . . . . . . . . . . . . . . . . . . . 23 3. OSPF YANG Module . . . . . . . . . . . . . . . . . . . . . . 23 - 4. Security Considerations . . . . . . . . . . . . . . . . . . . 119 - 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 120 - 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 121 - 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 121 - 7.1. Normative References . . . . . . . . . . . . . . . . . . 121 - 7.2. Informative References . . . . . . . . . . . . . . . . . 127 - Appendix A. Contributors' Addresses . . . . . . . . . . . . . . 128 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 128 + 4. Security Considerations . . . . . . . . . . . . . . . . . . . 120 + 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 123 + 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 123 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 124 + 7.1. Normative References . . . . . . . . . . . . . . . . . . 124 + 7.2. Informative References . . . . . . . . . . . . . . . . . 129 + Appendix A. Contributors' Addresses . . . . . . . . . . . . . . 131 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 131 1. 
Overview YANG [RFC6020][RFC7950] is a data definition language used to define the contents of a conceptual data store that allows networked devices to be managed using NETCONF [RFC6241], RESTCONF [RFC8040], and other Network Management protocols. Furthermore, YANG data models can be used as the basis for implementation of other interfaces, such as CLI and programmatic APIs. @@ -397,20 +397,21 @@ | +--ro route* [prefix] | +--ro prefix inet:ip-prefix | +--ro next-hops | | +--ro next-hop* [next-hop] | | +--ro outgoing-interface? if:interface-ref | | +--ro next-hop inet:ip-address | +--ro metric? uint32 | +--ro route-type? route-type | +--ro route-tag? uint32 +--ro statistics + | +--ro discontinuity-time yang:date-and-time | +--ro originate-new-lsa-count? yang:counter32 | +--ro rx-new-lsas-count? yang:counter32 | +--ro as-scope-lsa-count? yang:gauge32 | +--ro as-scope-lsa-chksum-sum? uint32 | +--ro database | +--ro as-scope-lsa-type* | +--ro lsa-type? uint16 | +--ro lsa-count? yang:gauge32 | +--ro lsa-cksum-sum? int32 +--ro database @@ -489,20 +489,21 @@ | | +--rw name -> ../../../../../../../../ | | ../../../rt:ribs/rib/name | | +--rw summary? boolean | | +--rw default-cost? ospf-metric | | +--rw ranges | | +--rw range* [prefix] | | +--rw prefix inet:ip-prefix | | +--rw advertise? boolean | | +--rw cost? ospf-metric | +--ro statistics + | | +--ro discontinuity-time yang:date-and-time | | +--ro spf-runs-count? yang:counter32 | | +--ro abr-count? yang:gauge32 | | +--ro asbr-count? yang:gauge32 | | +--ro ar-nssa-translator-event-count? | | yang:counter32 | | +--ro area-scope-lsa-count? yang:gauge32 | | +--ro area-scope-lsa-cksum-sum? int32 | | +--ro database | | +--ro area-scope-lsa-type* | | +--ro lsa-type? uint16 
@@ -619,20 +619,21 @@ | | +--ro state? if-state-type | | +--ro hello-timer? rt-types: | | | rtimer-value-seconds16 | | +--ro wait-timer? rt-types: | | | rtimer-value-seconds16 | | +--ro dr-router-id? rt-types:router-id | | +--ro dr-ip-addr? inet:ip-address | | +--ro bdr-router-id? rt-types:router-id | | +--ro bdr-ip-addr? inet:ip-address | | +--ro statistics + | | | +--ro discontinuity-time yang:date-and-time | | | +--ro if-event-count? yang:counter32 | | | +--ro link-scope-lsa-count? yang:gauge32 | | | +--ro link-scope-lsa-cksum-sum? | | | uint32 | | | +--ro database | | | +--ro link-scope-lsa-type* | | | +--ro lsa-type? uint16 | | | +--ro lsa-count? yang:gauge32 | | | +--ro lsa-cksum-sum? int32 | | +--ro neighbors @@ -641,20 +642,22 @@ | | | rt-types:router-id | | | +--ro address? inet:ip-address | | | +--ro dr-router-id? rt-types:router-id | | | +--ro dr-ip-addr? inet:ip-address | | | +--ro bdr-router-id? rt-types:router-id | | | +--ro bdr-ip-addr? inet:ip-address | | | +--ro state? nbr-state-type | | | +--ro dead-timer? rt-types: | | | | rtimer-value-seconds16 | | | +--ro statistics + | | | +--ro discontinuity-time + | | | yang:date-and-time | | | +--ro nbr-event-count? | | | yang:counter32 | | | +--ro nbr-retrans-qlen? | | | yang:gauge32 | | +--ro database | | +--ro link-scope-lsa-type* [lsa-type] | | +--ro lsa-type uint16 | | +--ro link-scope-lsas . . . . 
@@ -708,20 +711,21 @@ | | +--ro state? if-state-type | | +--ro hello-timer? rt-types: | | | rtimer-value-seconds16 | | +--ro wait-timer? rt-types: | | | rtimer-value-seconds16 | | +--ro dr-router-id? rt-types:router-id | | +--ro dr-ip-addr? inet:ip-address | | +--ro bdr-router-id? rt-types:router-id | | +--ro bdr-ip-addr? inet:ip-address | | +--ro statistics + | | | +--ro discontinuity-time yang:date-and-time | | | +--ro if-event-count? yang:counter32 | | | +--ro link-scope-lsa-count? yang:gauge32 | | | +--ro link-scope-lsa-cksum-sum? | | | uint32 | | | +--ro database | | | +--ro link-scope-lsa-type* | | | +--ro lsa-type? uint16 | | | +--ro lsa-count? yang:gauge32 | | | +--ro lsa-cksum-sum? int32 | | +--ro neighbors @@ -1087,21 +1092,21 @@ -> /rt:routing/control-plane-protocols/ control-plane-protocol/name 3. OSPF YANG Module The following RFCs and drafts are not referenced in the document text but are referenced in the ietf-ospf.yang module: [RFC0905], [RFC4576], [RFC4973], [RFC5250], [RFC5309], [RFC5642], [RFC5881], [RFC6991], [RFC7770], [RFC7884], [RFC8294], and [RFC8476]. - file "ietf-ospf@2019-08-22.yang" + file "ietf-ospf@2019-08-26.yang" module ietf-ospf { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-ospf"; prefix ospf; import ietf-inet-types { prefix "inet"; reference "RFC 6991: Common YANG Data Types"; } 
@@ -1192,21 +1198,21 @@ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here. This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; - revision 2019-08-22 { + revision 2019-08-26 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for OSPF."; } feature multi-topology { description "Support Multiple-Topology Routing (MTR)."; reference "RFC 4915: Multi-Topology Routing"; @@ -2301,21 +2303,21 @@ } description "List of informational capability flags. This will return all the 32-bit informational flags irrespective of whether or not they are known to the device."; } list functional-capabilities { leaf functional-flag { type uint32; description - "Individual informational capability flag."; + "Individual functional capability flag."; } description "List of functional capability flags. This will return all the 32-bit functional flags irrespective of whether or not they are known to the device."; } } grouping dynamic-hostname-tlv { description "Dynamic Hostname TLV"; 
@@ -3240,27 +3246,44 @@ } leaf adv-router { type rt-types:router-id; description "Advertising router."; } } grouping instance-stat { description "Per-instance statistics"; + leaf discontinuity-time { + type yang:date-and-time; + description + "The time on the most recent occasion at which any one or + more of this OSPF instance's counters suffered a + discontinuity. If no such discontinuities have occurred + since the OSPF instance was last re-initialized, then + this node contains the time the OSPF instance was + re-initialized which normally occurs when it was + created."; + } leaf originate-new-lsa-count { type yang:counter32; - description "The number of new LSAs originated."; + description + "The number of new LSAs originated. Discontinuities in the + value of this counter can occur when the OSPF instance is + re-initialized."; } leaf rx-new-lsas-count { type yang:counter32; - description "The number of LSAs received."; + description + "The number of new LSAs received. Discontinuities in the + value of this counter can occur when the OSPF instance is + re-initialized."; } leaf as-scope-lsa-count { type yang:gauge32; description "The number of AS-scope LSAs."; } leaf as-scope-lsa-chksum-sum { type uint32; description "The module 2**32 sum of the LSA checksums for AS-scope LSAs. The value should be treated as 
@@ -3290,44 +3313,60 @@ treated as unsigned when comparing two sums of checksums. While differing checksums indicate a different combination of LSAs, equivalent checksums don't guarantee that the LSAs are the same given that multiple combinations of LSAs can result in the same checksum."; } } } uses instance-fast-reroute-state; + } grouping area-stat { description "Per-area statistics."; + leaf discontinuity-time { + type yang:date-and-time; + description + "The time on the most recent occasion at which any one or + more of this OSPF area's counters suffered a + discontinuity. If no such discontinuities have occurred + since the OSPF area was last re-initialized, then + this node contains the time the OSPF area was + re-initialized which normally occurs when it was + created."; + } leaf spf-runs-count { type yang:counter32; description - "The number of times the intra-area SPF has run."; + "The number of times the intra-area SPF has run. + Discontinuities in the value of this counter can occur + when the OSPF area is re-initialized."; } leaf abr-count { type yang:gauge32; description "The total number of Area Border Routers (ABRs) reachable within this area."; } leaf asbr-count { type yang:gauge32; description "The total number of AS Boundary Routers (ASBRs)."; } leaf ar-nssa-translator-event-count { type yang:counter32; description - "The number of NSSA translator-state changes."; + "The number of NSSA translator-state changes. + Discontinuities in the value of this counter can occur + when the OSPF area is re-initialized."; } leaf area-scope-lsa-count { type yang:gauge32; description "The number of area-scope LSAs in the area."; } leaf area-scope-lsa-cksum-sum { type uint32; description "The module 2**32 sum of the LSA checksums 
@@ -3361,25 +3400,39 @@ don't guarantee that the LSAs are the same given that multiple combinations of LSAs can result in the same checksum."; } } } } grouping interface-stat { description "Per-interface statistics"; + leaf discontinuity-time { + type yang:date-and-time; + description + "The time on the most recent occasion at which any one or + more of this OSPF interface's counters suffered a + discontinuity. If no such discontinuities have occurred + since the OSPF interface was last re-initialized, then + this node contains the time the OSPF interface was + re-initialized which normally occurs when it was + created."; + + } leaf if-event-count { type yang:counter32; description "The number of times this interface has changed its - state or an error has occurred."; + state or an error has occurred. Discontinuities in the + value of this counter can occur when the OSPF interface + is re-initialized."; } leaf link-scope-lsa-count { type yang:gauge32; description "The number of link-scope LSAs."; } leaf link-scope-lsa-cksum-sum { type uint32; description "The module 2**32 sum of the LSA checksums for link-scope LSAs. The value should be treated as 
@@ -3406,30 +3459,45 @@ description "The module 2**32 sum of the LSA checksums for the LSAs of this type. The value should be treated as unsigned when comparing two sums of checksums. While differing checksums indicate a different combination of LSAs, equivalent checksums don't guarantee that the LSAs are the same given that multiple combinations of LSAs can result in the same checksum."; } + } } } + grouping neighbor-stat { description "Per-neighbor statistics."; + leaf discontinuity-time { + type yang:date-and-time; + description + "The time on the most recent occasion at which any one or + more of this OSPF neighbor's counters suffered a + discontinuity. If no such discontinuities have occurred + since the OSPF neighbor was last re-initialized, then + this node contains the time the OSPF neighbor was + re-initialized which normally occurs when the neighbor + is dynamically discovered andcreated."; + } leaf nbr-event-count { type yang:counter32; description "The number of times this neighbor has changed - state or an error has occurred."; + state or an error has occurred. Discontinuities in the + value of this counter can occur when the OSPF neighbor + is re-initialized."; } leaf nbr-retrans-qlen { type yang:gauge32; description "The current length of the retransmission queue."; } } grouping instance-fast-reroute-config { description 
@@ -5708,33 +5779,83 @@ The NETCONF Access Control Model (NACM) [RFC8341] provides the means to restrict access for particular NETCONF or RESTCONF users to a pre- configured subset of all available NETCONF or RESTCONF protocol operations and content. There are a number of data nodes defined in ietf-ospf.yang module that are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) to these data nodes without proper protection can have a - negative effect on network operations. For OSPF, the ability to - modify OSPF configuration will allow the entire OSPF domain to be - compromised including peering with unauthorized routers to misroute - traffic or mount a massive Denial-of-Service (DoS) attack. + negative effect on network operations. Writable data node represent + configuration of each instance, area, virtual link, sham-link, and + interface. These correspond to the following schema nodes: + + /ospf + + /ospf/areas/ + + /ospf/areas/area[area-id] + + /ospf/virtual-links/ + + /ospf/virtual-links/virtual-link[transit-area-id router-id] + + /ospf/areas/area[area-id]/interfaces + + /ospf/areas/area[area-id]/interfaces/interface[name] + + /ospf/area/area[area-id]/sham-links + + /ospf/area/area[area-id]/sham-links/sham-link[local-id remote-id] + + For OSPF, the ability to modify OSPF configuration will allow the + entire OSPF domain to be compromised including peering with + unauthorized routers to misroute traffic or mount a massive Denial- + of-Service (DoS) attack. For example, adding OSPF on any unprotected + interface could allow an OSPF adjacency to be formed with an + unauthorized and malicious neighbor. Once an adjacency is formed, + traffic could be hijacked. As a simpler example, a Denial-of-Service + attack could be mounted by changing the cost of an OSPF interface to + be asymmetric such that a hard routing loop ensues. 
In general, + unauthorized modification of most OSPF features will pose there own + set of security risks and the "Security Considerations" in the + respective reference RFCs should be consulted. Some of the readable data nodes in the ietf-ospf.yang module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. The exposure of the Link State Database (LSDB) will expose the detailed topology of the network. - This may be undesirable since both due to the fact that exposure may - facilitate other attacks. Additionally, network operators may - consider their topologies to be sensitive confidential data. + There is a separate Link State Database for each instance, area, + virtual link, sham-link, and interface. These correspond to the + following schema nodes: + + /ospf/database + + /ospf/areas/area[area-id]/database + + /ospf/virtual-links/virtual-link[transit-area-id router- + id]/database + + /ospf/areas/area[area-id]/interfaces/interface[name]/database + + /ospf/area/area[area-id]/sham-links/sham-link[local-id remote- + id]/database + + Exposure of the Link State Database includes information beyond the + scope of the OSPF router and this may be undesirable since exposure + may facilitate other attacks. Additionally, in the case of an area + LSDB, the complete IP network topology and, if deployed, the traffic + engineering topology of the OSPF area can be reconstucted. Network + operators may consider their topologies to be sensitive confidential + data. For OSPF authentication, configuration is supported via the specification of key-chains [RFC8177] or the direct specification of key and authentication algorithm. Hence, authentication configuration using the "auth-table-trailer" case in the "authentication" container inherits the security considerations of [RFC8177]. 
This includes the considerations with respect to the local storage and handling of authentication keys. Additionally, local specification of OSPF authentication keys and the @@ -5746,20 +5867,26 @@ encryption of keys using the Advanced Encryption Standard (AES) Key Wrap Padding Algorithm [RFC5649]. Some of the RPC operations in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control access to these operations. The OSPF YANG module supports the "clear-neighbor" and "clear-database" RPCs. If access to either of these is compromised, they can result in temporary network outages be employed to mount DoS attacks. + The actual authentication key data (whether locally specified or part + of a key-chain) is sensitive and needs to be kept secret from + unauthorized parties; compromise of the key data would allow an + attacker to forge OSPF traffic that would be accepted as authentic, + potentially compromising the entirety OSPF domain. + 5. IANA Considerations This document registers a URI in the IETF XML registry [RFC3688]. Following the format in [RFC3688], the following registration is requested to be made: URI: urn:ietf:params:xml:ns:yang:ietf-ospf Registrant Contact: The IESG. XML: N/A, the requested URI is an XML namespace.
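Review bot: in hunk @@ -397,20 +397,21 @@ the added tree line `+--ro discontinuity-time yang:date-and-time` has no `?`, which in RFC 8340 tree notation marks the leaf as mandatory, yet the `leaf discontinuity-time` definitions added to the instance-stat, area-stat, interface-stat and neighbor-stat groupings later in the patch contain no `mandatory true;` statement; the same mismatch is in the tree hunks at @@ -489, @@ -619, @@ -641 and @@ -708. Either add `mandatory true;` to the four leaf definitions (all sibling counters are shown with `?`, so the distinction looks deliberate) or regenerate the tree so the line reads `+--ro discontinuity-time? yang:date-and-time`; regenerating the tree with `pyang -f tree` from the updated module would settle which one applies.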
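Review bot: the lone `+ }` inserted after `uses instance-fast-reroute-state;` in hunk @@ -3290,44 +3313,60 @@, together with the `+ }` and `+ grouping neighbor-stat {` added in hunk @@ -3406,30 +3459,45 @@, re-balances braces so that neighbor-stat becomes a top-level grouping instead of being nested inside interface-stat; only a few of the affected closing braces are visible in the hunks, so please confirm the module compiles cleanly (for example `pyang --ietf ietf-ospf@2019-08-26.yang`) and that the revision statement, which still says only "Initial revision.", is the intended place to record this structural fix. Low priority, in the unchanged context of the same hunk: `The module 2**32 sum of the LSA checksums` should read `modulo 2**32` in each of the checksum-sum descriptions.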
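Review bot: in hunk @@ -3361,25 +3400,39 @@ the added `leaf discontinuity-time` block has a stray added blank line between the closing `";` of its description and the `}`; the other three added discontinuity-time leaves have no such line, so drop it for consistency.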
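Review bot: typo in the added description in hunk @@ -3406,30 +3459,45 @@: `is dynamically discovered andcreated.` is missing a space and should read `is dynamically discovered and created.`.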
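Review bot: the schema paths added in hunk @@ -5708,33 +5779,83 @@ are inconsistent: the sham-link entries are written `/ospf/area/area[area-id]/sham-links` and `/ospf/area/area[area-id]/sham-links/sham-link[local-id remote-id]`, and again `/ospf/area/area[area-id]/sham-links/sham-link[local-id remote-id]/database` in the LSDB list, while every other entry in both lists and the tree diagram use `/ospf/areas/area[area-id]/...`; change `area` to `areas` in those three lines. Also in the same hunk: `Writable data node represent configuration of each instance` should be `Writable data nodes represent the configuration of each instance`, `will pose there own set of security risks` should read `their own`, and `can be reconstucted` should be `reconstructed`.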
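Review bot: the paragraph added at the end of hunk @@ -5746,20 +5867,26 @@ reads `potentially compromising the entirety OSPF domain`; it should be `the entire OSPF domain` (or `the entirety of the OSPF domain`). That paragraph is about authentication key handling, so it sits more naturally directly after the key-chain [RFC8177] and AES Key Wrap [RFC5649] paragraphs than after the RPC paragraph; consider moving it up. In the unchanged context of the same hunk, `can result in temporary network outages be employed to mount DoS attacks` is missing `or` before `be employed`, though that wording predates this revision.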