| Internet-Draft | YANG Data Models for Security Configurat | October 2024 |
| Hu, et al. | Expires 24 April 2025 | [Page] |
Security configuration refers to the status setting of product security features/functions to reduce network security risks during product use. This document defines YANG data models for the security configuration check.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 24 April 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Weak or incorrect configurations are the main factors of network insecurity. Insecure configurations can be exploited to easily launch a network intrusion by attackers. It is reported that more than 95 per cent of the attacks are successful because of missing software updates or bad system configurations. The top 3 high-risk configuration items are default password, unnecessary opened ports, and insecure protocol or algorithm. The default accounts and passwords make it easy for attackers to guess and successfully access the network. The unnecessary opened ports increase the exposed surface of the attack. Although security protocols can improve security, using known vulnerable algorithms or protocol versions will greatly reduce the attack difficulty.¶
Security configuration checks can reduce network security risks during the usage of devices. The first step of the security configuration check is to collect security configuration information from devices. Then, the value of the collected configuration item will be compared with the security configuration benchmark to determine whether the configuration item is secure. The security configuration benchmark is the recommended value of the configuration item to ensure basic device security.¶
In the past, the IETF has existing work on security posture definition, collection, and assessment, including the concluded Network Endpoint Assessment (NEA)[RFC5209] and Security Automation and Continuous Monitoring (SACM) working groups [RFC8248]. The security configuration benchmark of the management plane [I-D.lin-sacm-nid-mp-security-baseline] has been defined in SACM. This document focuses on the first step of the security configuration check and defines YANG data models for security configurations to be collected. In this document, the security configuration check will be categorized first. Second, the YANG data models will be built according to the categories.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The meaning of the symbols in this diagram is defined in [RFC8340].¶
Figure 1 depicts the categorization of the security configuration check:¶
+-----------------------------+
| Security Configuration Check|
+---------------+-------------+
|
+-------------+------------+-----------+-----------+
| | | | |
| | | | |
| | | | |
+-----v-----+ +-----v----+ +-----v----+ +----v---+ +-----v-----+
| Weak | | Insecure | | Insecure | | Short | | Unchanged |
| Algorithm | | Protocol | | Features | | Key | | Default |
+-----------+ +----------+ | Status | | Length | | Settings |
+----------+ +--------+ +-----------+
The security configuration check is categorized into weak algorithms, insecure protocols, insecure feature status, short key length and unchanged default settings.¶
Here, algorithms refer to any algorithms used in any softwares or protocols for security purpose, such as key exchange, encryption, signature, and integrity check. The weak algorithms are the algorithms that is considered insecure, such as MD5, 3DES.¶
Take TLS as an example, security algorithms used in TLS are called cipher-suites.
With the existing definitions of YANG Groupings for TLS Clients and TLS Servers [RFC9645], the algorithms supported by TLS can be retrieved with NETCONF [RFC6241] Subtree Filtering mechanism as the following example:¶
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
message-id="101">
<get-data
xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-nmda"
xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">
<datastore>ds:operational</datastore>
<subtree-filter>
<hello-params
xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common"
xmlns:tlscmn="urn:ietf:params:xml:ns:yang:ietf-tls-common">
<cipher-suites>
<cipher-suite>
<cipher-suite/>
</cipher-suite>
</cipher-suites>
</hello-params>
</subtree-filter>
</get-data>
</rpc>
¶
In addition, the real-time change of the above information can be notified on time with NETCONF pub/sub mechanisms [RFC8641] as the following example:¶
<netconf:rpc xmlns:netconf="urn:ietf:params:xml:ns:netconf:base:1.0"
message-id="101">
<establish-subscription
xmlns="urn:ietf:params:xml:ns:yang:ietf-subscribed-notifications"
xmlns:yp="urn:ietf:params:xml:ns:yang:ietf-yang-push">
<yp:datastore
xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">
ds:operational
</yp:datastore>
<yp:datastore-subtree-filter>
<hello-params
xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-common"
xmlns:tlscmn="urn:ietf:params:xml:ns:yang:ietf-tls-common">
<cipher-suites>
<cipher-suite>
<cipher-suite/>
</cipher-suite>
</cipher-suites>
</hello-params>
</yp:datastore-subtree-filter>
<yp:on-change/>
</establish-subscription>
</netconf:rpc>
¶
Here, protocols refer to any protocol used in a device for the communication to any other devices in any layers. Insecure protocols can be the protocol without security mechanisms, such as TCP and HTTP, or the older version of the protocols, such as TLSv1.1 and SNMPv1.¶
Common Protocols and their YANG models are listed as follows:¶
| Protocols | YANG models |
|---|---|
| TLS/DTLS | [RFC9645] |
| SNMP | [RFC7407] |
| SSH | [RFC9644] |
| IPsec | [RFC9061] |
| HTTP | [I-D.ietf-netconf-http-client-server] |
| TCP | [RFC9648] |
| UDP | [I-D.ietf-netconf-udp-client-server] |
Take SNMP as an example. With the existing definitions of a YANG data model for SNMP configuration [RFC7407], the protocol version of SNMP can be retrieved with NETCONF [RFC6241] Subtree Filtering mechanism as the following example:¶
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
message-id="101">
<get-data
xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-nmda"
xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">
<datastore>ds:operational</datastore>
<subtree-filter>
<snmp
xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
<engine>
<version>
<version/>
</version>
</engine>
</snmp>
</subtree-filter>
</get-data>
</rpc>
¶
In addition, the real-time change of the above information can be notified on time with NETCONF pub/sub mechanisms [RFC8641] as the following example:¶
<netconf:rpc xmlns:netconf="urn:ietf:params:xml:ns:netconf:base:1.0"
message-id="101">
<establish-subscription
xmlns="urn:ietf:params:xml:ns:yang:ietf-subscribed-notifications"
xmlns:yp="urn:ietf:params:xml:ns:yang:ietf-yang-push">
<yp:datastore
xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">
ds:operational
</yp:datastore>
<yp:datastore-subtree-filter>
<snmp
xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
<engine>
<version>
<version/>
</version>
</engine>
</snmp>
</yp:datastore-subtree-filter>
<yp:on-change/>
</establish-subscription>
</netconf:rpc>
¶
Security features include security functions and configurations. Insecure features are classified as follows:¶
all interfaces listening¶
all interfaces binding¶
unconfigured security configurations¶
disabled security functions¶
Listening or binding all interfaces may cause the exposed attack surface to increase. Setting the security configurations and enabling the security functions will enhance the device's security.¶
The submodule "ietf-security-config-features", which defines the configuration parameters of security features, has the following structure:¶
submodule: ietf-security-config-features
+--rw security cofig
+--rw security features* [name]
+--rw id? unit64
+--rw name string
+--rw description? string
+--rw status boolean
¶
The "status" true means the security feature is enabled or configured, and false means the security feature is disabled or unconfigured.¶
The submodel "ietf-security-config-features" can be used with NETCONF [RFC6241] Subtree Filtering mechanism for configuration information collection. The feature status information can be retrieved with NETCONF [RFC6241] Subtree Filtering mechanism as the following example:¶
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
message-id="101">
<get-data
xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-nmda"
xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">
<datastore>ds:operational</datastore>
<subtree-filter>
<security-config
xmlns="urn:ietf:params:xml:ns:yang:ietf-security-config">
<security features>
<name>
<name/>
</name>
<status>
<status/>
</status>
</security features>
</security-config>
</subtree-filter>
</get-data>
</rpc>
¶
In addition, the real-time change of the above information can be notified on time with NETCONF pub/sub mechanisms [RFC8641] as the following example:¶
<netconf:rpc xmlns:netconf="urn:ietf:params:xml:ns:netconf:base:1.0"
message-id="101">
<establish-subscription
xmlns="urn:ietf:params:xml:ns:yang:ietf-subscribed-notifications"
xmlns:yp="urn:ietf:params:xml:ns:yang:ietf-yang-push">
<yp:datastore
xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">
ds:operational
</yp:datastore>
<yp:datastore-subtree-filter>
<security-config
xmlns="urn:ietf:params:xml:ns:yang:ietf-security-config">
<security features>
<name>
<name/>
</name>
<status>
<status/>
</status>
</security features>
</security-config>
</yp:datastore-subtree-filter>
<yp:on-change/>
</establish-subscription>
</netconf:rpc>
¶
Short Key length means the key is not long enough to meet the security requirement. The submodule "ietf-security-config-key", which defines configuration parameters of key length, has the following structure:¶
submodule: ietf-security-config-key
+--rw security cofig
+--rw key* [key id]
+--rw key id unit64
+--rw usage? string
+--rw length unit64
¶
The "usage" describes the key is used by which algorithm of which protocol or software.¶
The submodel "ietf-security-config-key" can be used with NETCONF [RFC6241] Subtree Filtering mechanism for configuration information collection. The key length information can be retrieved with NETCONF [RFC6241] Subtree Filtering mechanism as the following example:¶
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
message-id="101">
<get-data
xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-nmda"
xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">
<datastore>ds:operational</datastore>
<subtree-filter>
<security-config
xmlns="urn:ietf:params:xml:ns:yang:ietf-security-config">
<key>
<key id>
<key id/>
</key id>
<length>
<length/>
</length>
</key>
</security-config>
</subtree-filter>
</get-data>
</rpc>
¶
In addition, the real-time change of the above information can be notified on time with NETCONF pub/sub mechanisms [RFC8641] as the following example:¶
<netconf:rpc xmlns:netconf="urn:ietf:params:xml:ns:netconf:base:1.0"
message-id="101">
<establish-subscription
xmlns="urn:ietf:params:xml:ns:yang:ietf-subscribed-notifications"
xmlns:yp="urn:ietf:params:xml:ns:yang:ietf-yang-push">
<yp:datastore
xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">
ds:operational
</yp:datastore>
<yp:datastore-subtree-filter>
<security-config
xmlns="urn:ietf:params:xml:ns:yang:ietf-security-config">
<key>
<key id>
<key id/>
</key id>
<length>
<length/>
</length>
</key>
</yp:datastore-subtree-filter>
<yp:on-change/>
</establish-subscription>
</netconf:rpc>
¶
Default settings required to be changed include the default security-related configurations set by manufacturers and the default port defined by protocols. Unchanged default settings are classified as follows:¶
Unchanged default certificates¶
Unchanged default PKI domains¶
Unchanged default keys¶
Unchanged default ports¶
Using the default certificates, PKI domains, or keys set by manufacturers may have a risk of being cracked. Using the default port number of a protocol may cause being sniffed and monitored.¶
The submodule "ietf-security-config-default-settings", which defines configuration parameters of default settings, has the following structure:¶
submodule: ietf-security-config-default-settings
+--rw security cofig
+--rw default settings* [name]
+--rw type enumeration
{certificates, PKI domains, keys, ports}
+--rw id? unit64
+--rw name string
+--rw description? string
+--rw changed boolean
¶
The "changed" true means the default setting has been changed, and false means unchanged.¶
The submodel "ietf-security-config-default-settings" can be used with NETCONF [RFC6241] Subtree Filtering mechanism for configuration information collection. The default setting information can be retrieved with NETCONF [RFC6241] Subtree Filtering mechanism as the following example:¶
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"
message-id="101">
<get-data
xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-nmda"
xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">
<datastore>ds:operational</datastore>
<subtree-filter>
<security-config
xmlns="urn:ietf:params:xml:ns:yang:ietf-security-config">
<default settings>
<type>
<type/>
</type>
<name>
<name/>
</name>
<changed>
<changed/>
</changed>
</default settings>
</security-config>
</subtree-filter>
</get-data>
</rpc>
¶
In addition, the real-time change of the above information can be notified on time with NETCONF pub/sub mechanisms [RFC8641] as the following example:¶
<netconf:rpc xmlns:netconf="urn:ietf:params:xml:ns:netconf:base:1.0"
message-id="101">
<establish-subscription
xmlns="urn:ietf:params:xml:ns:yang:ietf-subscribed-notifications"
xmlns:yp="urn:ietf:params:xml:ns:yang:ietf-yang-push">
<yp:datastore
xmlns:ds="urn:ietf:params:xml:ns:yang:ietf-datastores">
ds:operational
</yp:datastore>
<yp:datastore-subtree-filter>
<security-config
xmlns="urn:ietf:params:xml:ns:yang:ietf-security-config">
<default settings>
<type>
<type/>
</type>
<name>
<name/>
</name>
<changed>
<changed/>
</changed>
</default settings>
</yp:datastore-subtree-filter>
<yp:on-change/>
</establish-subscription>
</netconf:rpc>
¶
Xubin LIN
China Southern Power Grid
linxb2@csg.cn¶