Security Automation and Continuous Monitoring (SACM) Q. Lin
Internet-Draft L. Xia
Intended status: Standards Track Huawei
Expires: April 25, 2019 H. Birkholz
Fraunhofer SIT
October 22, 2018
The Data Model of Network Infrastructure Device Management Plane
Security Baseline
draft-lin-sacm-nid-mp-security-baseline-04
Abstract
This document provides security baseline for network device
management plane, which is represented by YANG data model. The
corresponding configuration values and status values of the YANG data
model can be transported between Security Automation and Continuous
Monitoring (SACM) components and used for network device security
posture assessment.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 25, 2019.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Lin, et al. Expires April 25, 2019 [Page 1]
Internet-Draft Network Device Management Plane Security October 2018
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Data Model Structure . . . . . . . . . . . . . . . . . . . . 4
5.1. Administration Security . . . . . . . . . . . . . . . . . 5
5.1.1. Administrative Account Security . . . . . . . . . . . 5
5.1.2. Administrator Access Security . . . . . . . . . . . . 6
5.1.3. AAA . . . . . . . . . . . . . . . . . . . . . . . . . 9
5.1.4. Administrator Access Statistics . . . . . . . . . . . 10
5.2. System Management Security . . . . . . . . . . . . . . . 11
5.2.1. SNMP Management Security . . . . . . . . . . . . . . 11
5.2.2. NETCONF Management Security . . . . . . . . . . . . . 13
5.3. Port Management Security . . . . . . . . . . . . . . . . 13
5.4. Log Security . . . . . . . . . . . . . . . . . . . . . . 14
5.5. File Security . . . . . . . . . . . . . . . . . . . . . . 14
6. Network Infrastructure Device Security Baseline Yang Module . 15
6.1. Module 'ietf-admin-account-security' . . . . . . . . . . 15
6.2. Module 'ietf-admin-access-security' . . . . . . . . . . . 18
6.3. Module 'ietf-aaa-security' . . . . . . . . . . . . . . . 28
6.4. Module 'ietf-admin-access-statistics' . . . . . . . . . . 35
6.5. Module 'ietf-snmp-security' . . . . . . . . . . . . . . . 38
6.6. Module 'ietf-netconf-security' . . . . . . . . . . . . . 46
6.7. Module 'ietf-port-management-security' . . . . . . . . . 50
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 52
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 52
9. Security Considerations . . . . . . . . . . . . . . . . . . . 52
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 52
10.1. Normative References . . . . . . . . . . . . . . . . . . 52
10.2. Informative References . . . . . . . . . . . . . . . . . 53
Appendix A. . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 56
1. Introduction
Besides user devices and servers, network devices such as routers,
switches, and firewalls are crucial to enterprise network security.
The security baseline defined in this document refers to a minimal
set of security controls that are essential to provide network
security. Organizations can define additional security controls
based on the security baseline. Then the security posture of network
Lin, et al. Expires April 25, 2019 [Page 2]
Internet-Draft Network Device Management Plane Security October 2018
devices can be assessed by comparing the configuration values and
status values with the required security controls.
Network devices typically perform three planes of operation:
management plane, control plane and data plane. All the planes
should be protected and monitored. This document focuses on security
baseline for management plane. Management plane provides
configuration and monitoring services to network administrators or
device owners. Unauthorized access, insecure access channels, weak
cryptographic algorithms are common security issues that break
management plane security. A number of security best practices have
been proposed to deal with these security issues, such as disabling
unused services and ports, discarding insecure access channels, and
enforcing strong user authentication and authorization. In this
document, we provide a minimal set of security controls that are
expected to be widely applicable to common network devices. To
assess security posture of network devices, the configurations that
are effective on network devices and the current status of the
networks devices will be compared with the reference values defined
by an organization or a third party.
YANG data model is used to describe the security baseline defined in
this document. [I-D.birkholz-sacm-yang-content] defines a method to
construct the YANG data model scheme for network device security
posture assessment by brokering YANG push telemetry through SACM
statements. In this document, we follow the same way to define the
YANG output for network device security posture based on the
[I-D.ietf-sacm-information-model].
Besides management plane, the security baselines for control plane,
data plane, and infrastructure layer of network infrastructure
devices are described in [I-D.dong-sacm-nid-cp-security-baseline],
[I-D.xia-sacm-nid-dp-security-baseline] and
[I-D.dong-sacm-nid-infra-security-baseline] respectively.
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Terminology
This document uses the terms defined in [RFC7950] and [RFC8342].
Lin, et al. Expires April 25, 2019 [Page 3]
Internet-Draft Network Device Management Plane Security October 2018
4. Tree Diagrams
Tree diagram defined in [RFC8340] is used to represent the YANG data
model of network device management plane security. The meaning of
the symbols used in the tree diagram and the syntax are as follows:
o A module is identified by "module:" followed the module-name. The
top-level data nodes defined in the module, offset by 2 spaces.
Submodules are represented in the same fashion as modules, but are
identified by "submodule:" followed the (sub)module-name.
o Groupings, offset by 2 spaces, and identified by the keyword
"grouping" followed by the name of the grouping and a colon (":")
character.
o Each node in the tree is prefaces with "+--". Schema nodes that
are children of another node are offset from the parent by 3
spaces.
o Brackets "[" and "]" enclose list keys.
o Abbreviations before data node names: "rw" means configuration
(read-write) and "ro" means state data (read-only), and "-u"
indicates the use of a predefined grouping.
o Symbols after data node names: "?" means an optional leaf, choice,
anydata, or anyxml, "!" means a presence container, and "*"
denotes a "list" or "leaf-list".
o Parentheses enclose choice and case nodes, and case nodes are also
marked with a colon (":").
o At times when the composition of the nodes within a module schema
is not important in the context of the presented tree, sibling
nodes and their children can be collapsed using the notation "..."
in place of the text lines used to represent the summarized nodes.
o Curly brackets and a question mark "{...}?" are combined to
represent the features that node depends on.
5. Data Model Structure
The security baseline defined in this document consists of security
configuration and runtime security status for administration, system
management, port management, log, files.
o Administration security
Lin, et al. Expires April 25, 2019 [Page 4]
Internet-Draft Network Device Management Plane Security October 2018
o System management security
o Port management security
o Log security
o File security
A multitude of YANG modules for network devices and network protocols
have been defined in IETF. Several RFCs and drafts model some parts
of management plane security. But an overall data model of
management plane security is still missing. New modules, groupings,
and nodes are defined in this document as supplements. And the
existing YANG modules are reused. Appendix A provides a summary of
existing YANG modules and the relationship to the security baseline
defined in this document.
5.1. Administration Security
5.1.1. Administrative Account Security
In order to provide administrative accounts, security controls on
account properties and passwords should be applied. The commonly
applied security controls include limiting the length of account
name, checking the password complied to the complexity policy,
forbidding the use of some strings in password, blocking accounts
after several login fails, etc. The following data model illustrates
these kinds of security controls.
Lin, et al. Expires April 25, 2019 [Page 5]
Internet-Draft Network Device Management Plane Security October 2018
module: ietf-admin-account-security
+--rw ietf-admin-account-security
+--rw account-security-policy {account-security}?
| +--rw policy-status? boolean
| +--rw account-aging-period? uint64
| +--rw account-name-minlen? uint64
+--rw pwd-security-policy {pwd-security}?
| +--rw expire-days? uint64
| +--rw prompt-days? uint64
| +--rw change-check? boolean
| +--rw complexity-check? boolean
| +--ro history-pwd-num? uint64
| +--rw pwd-minlen? uint64
| +--rw forbidden-word-rules?
| +--rw forbidden-word-rule* [forbidden-word]
| +--rw forbidden-word string
+--rw login-failed-limit {login-failed-block}?
+--rw failed-times? uint64
+--rw period? uint64
+--rw reactive-time? uint64
5.1.2. Administrator Access Security
Network devices typically can be managed through command line
interface (CLI) or web user interface. Insecure access channels
(e.g., Telnet), can expose the devices to threats and attacks.
Therefore, SSH-based access channels and HTTPS-based web channels
should be used. Besides, the right version of the protocols should
be chosen. For example, SSHv1 is considered not secure, SSHv2 is
recommended. And draft [I-D.ietf-tls-oldversions-deprecate] will
formally deprecates Transport Layer Security (TLS) versions 1.0
[RFC2246] and 1.1 [RFC4346] and moves these documents to the historic
state.
Lin, et al. Expires April 25, 2019 [Page 6]
Internet-Draft Network Device Management Plane Security October 2018
module: ietf-admin-access-security
+--rw ietf-admin-access-security
+--rw console
| +--rw auth-mode? auth-mode-type
| +--rw privilege-level? uint8
+--rw vtys
| +--rw vty* [vty-number]
| +--rw vty-number uint8
| +--rw auth-mode auth-mode-type
| +--rw privilege-level uint8
| +--rw acl-name-list* string
| +--rw ip-block-enable boolean
| +--rw ip-block-limit {ip-block-config}?
| +--rw failed-times? uint64
| +--rw period? uint64
| +--rw reactive-time? uint64
+--rw ssh
| +--rw ssh-enable? boolean
| +---u ssh-server-attribute-grouping
| +---u ssh-security-harden-grouping
| +--rw ip-block-enable boolean
| +--rw ip-block-limit {ip-block-config}?
| +--rw failed-times? uint64
| +--rw period? uint64
| +--rw reactive-time? uint64
+--rw web {web-interface}?
+--rw privilege-level? uint8
+--rw http-server-interface? string
+--rw https-ipv4-enable? boolean
+--rw https-ipv6-enable? boolean
+--rw https-source-port? inet:port-number
+--rw https-timeout? uint32
+--rw acl-name-list*? string
+--rw ip-block-enable boolean
+--rw ip-block-limit {ip-block-config}?
| +--rw failed-times? uint64
| +--rw period? uint64
| +--rw reactive-time? uint64
+---u tls-server-attribute-grouping
[I-D.ietf-netconf-ssh-client-server] defines "ssh-server-grouping"
for configuring SSH server and does not consider the underlying
transport parameters. And it reuses the groupings defined in
[I-D.ietf-netconf-keystore]. Because this document focuses on the
security configurations that are actively in use when the network
device acts as a SSH server, the "ssh-server-attribute-grouping"
defined here tailors the "private-key" node and the "certificate-
Lin, et al. Expires April 25, 2019 [Page 7]
Internet-Draft Network Device Management Plane Security October 2018
expiration" notification of "ssh-server-grouping". The tree diagram
of grouping "ssh-server-attribute-grouping":
grouping ssh-server-attribute-grouping:
+--rw server-identity
| +--rw host-key* [name]
| +--rw name string
| +--rw (host-key-type)
| +--:(public-key)
| | +--rw (local-or-keystore)
| | +--:(local)
| | | +---u ks:public-key-grouping
| | +--:(keystore) {ks:keystore-implemented}?
| | +--rw ref? ks:asymmetric-key-certificate-ref
| +--:(certificate) {sshcmn:ssh-x509-certs}?
| +--rw (local-or-keystore)
| +--:(local)
| | +---u ks:public-key-grouping
| | +---u ks:trust-anchor-cert-grouping
| +--:(keystore) {ks:keystore-implemented}?
| +--rw ref? ks:asymmetric-key-certificate-ref
+--rw client-cert-auth {sshcmn:ssh-x509-certs}?
| +--rw pinned-ca-certs? ta:pinned-certificates-ref
| +--rw pinned-client-certs? ta:pinned-certificates-ref
+--rw transport-params {ssh-server-transport-params-config}?
+---u sshcmn:transport-params-grouping
Besides the security configurations defined "ssh-server-attribute-
grouping", there are several other features related the secure use
and configuration of SSH, such as which SSH version is used, whether
the network device support to be compatible with earlier SSH
versions, whether the port number has been changed, etc. The "ssh-
security-harden-grouping" includes these kind of security
configurations and state. The tree diagram of grouping "ssh-
security-harden-grouping":
grouping ssh-security-harden-grouping:
+--ro ssh-version uint32
+--rw ssh-server-port? inet:port-number
+--rw ssh-rekey-interval? uint32
+--rw ssh-timeout? uint32
+--rw ssh-retry-times? uint32
+--rw ssh1x-compatible? boolean
+--rw ssh-server-interface? string
[I-D.ietf-netconf-tls-client-server] defines "tls-server-grouping"
for configuring TLS server and does not consider the underlying
transport parameters. And it reuses the groupings defined in
Lin, et al. Expires April 25, 2019 [Page 8]
Internet-Draft Network Device Management Plane Security October 2018
[I-D.ietf-netconf-keystore]. Because this document focuses on the
security configurations that are actively in use when the network
device acts as a web server and build connections through HTTPS, the
"tls-server-attribute-grouping" defined here tailors the "private-
key" node and the "certificate-expiration" notification of "tls-
server-grouping". The tree diagram of grouping "tls-server-
attribute-grouping":
grouping tls-server-attribute-security-grouping:
+--rw server-identity
| +--rw (local-or-keystore)
| +--:(local)
| | +---u ks:public-key-grouping
| | +---u ks:trust-anchor-cert-grouping
| +--:(keystore) {ks:keystore-implemented}?
| +--rw ref? ks:asymmetric-key-certificate-ref
+--rw client-auth
| +--rw pinned-ca-certs? ta:pinned-certificates-ref
| +--rw pinned-client-certs? ta:pinned-certificates-ref
+--rw hello-params {tls-server-hello-params-config}?
+--rw tls-versions
| +--rw tls-version* identityref
+--rw cipher-suites
+--rw cipher-suite* identityref
5.1.3. AAA
Authentication, Authorization, and Accounting (AAA) provides user
management for network devices. RADIUS (Remote Authentication Dial
In User Service) and TACACS+ (Terminal Access Controller Access
Control System) are the commonly used AAA mechanisms. In order to
implement AAA, network devices act as AAA clients to communicate with
AAA servers. [RFC7317] defined YANG module for client to configure
the RADIUS authentication server information. In this document,
authentication, authorization and accounting schemes, as well as AAA
server lists are all included.
Lin, et al. Expires April 25, 2019 [Page 9]
Internet-Draft Network Device Management Plane Security October 2018
module: ietf-aaa-security
+--rw ietf-aaa-security
+--rw authentication-scheme* [authen-scheme-name]
| +--rw authen-scheme-name string
| +--rw authen-mode* aaa-authen-mode
| +--rw authen-type? radius-authen-type
| +--rw authen-fail-policy? boolean
+--rw authorization-scheme* [author-scheme-name]
| +--rw author-scheme-name string
| +--rw author-mode* aaa-author-mode
| +--rw cmd-author-mode* aaa-cmd-author-mode
+--rw accounting-scheme* [account-scheme-name]
| +--rw account-scheme-name string
| +--rw account-mode? aaa-account-name
+--rw radius-security
| +--rw radius-authen-servers* [address]
| | +--rw address inet:host
| | +--rw port? inet:port-number
| +--rw radius-author-servers*? [address]
| | +--rw address inet:host
| | +--rw port? inet:port-number
| +--rw radius-account-servers* [address]
| +--rw address inet:host
| +--rw port? inet:port-number
+--rw tacacs-security {tacacs-supported}?
+--rw tacacs-authen-servers* [address]
| +--rw address inet:host
| +--rw port? inet:port-number
+--rw tacacs-author-servers*? [address]
| +--rw address inet:host
| +--rw port? inet:port-number
+--rw tacacs-account-servers* [address]
+--rw address inet:host
+--rw port? inet:port-number
5.1.4. Administrator Access Statistics
The statistics of the current online administrators, the failed login
attempts and the blocked addresses are useful for the monitoring of
network infrastructure devices.
Lin, et al. Expires April 25, 2019 [Page 10]
Internet-Draft Network Device Management Plane Security October 2018
module: ietf-admin-access-statistics
+--ro ietf-admin-access-statistics
+--ro online
| +--ro total-online-users uint32
| +--ro online-admin-list {display-online-info}?
| +--ro online-users* [account-name]
| +--ro account-name string
| +--ro ip-address inet:ip-address-no-zone
| +--ro mac-address yang:mac-address
+--ro ip-block-list
+--ro blocked-ip* [ip-address]
+--ro ip-address inet:ip-address-no-zone
+--ro vpn-instance string
+--ro state ip-block-state-type
+--ro authen-fail-account uint32
5.2. System Management Security
5.2.1. SNMP Management Security
Simple Network Management Protocol (SNMP) is a network management
standard to monitor network devices. Three SNMP versions are
available: SNMPv1, SNMPv2c, and SNMPv3. [RFC7407] defines community-
based security model for SNMPv1 and SNMPv2c, view-based access
control model and user-based security model, transport security model
for SNMPv3. SNMPv1 and SNMPv2c are lack of authentication and
message encryption, which could facilitate unauthorized access to
network devices. SNMPv3 needs to be used to authenticate and encrypt
payloads. The "ietf-snmp-security" module defined in this section
reuses the definitions in [RFC7407], but some modifications and
eliminations are made. As this module only focuses on security
controls and status of SNMP, the detailed transport information such
as IP address and port are not included, while the transport protocol
used is under consideration. And the subtree for key configuration
is also not needed for user-based security model, but the
authentication protocol or encryption protocol used is included.
module: ietf-snmp-security
+--rw ietf-snmp-security
+--rw snmp-enable? boolean
+--rw engine
| +--rw enabled? boolean
| +--rw listen* [name]
| | +--rw name snmp:identifier
| | +--rw transport snmp-transport-type
| +--rw version snmp-version-type
| +--rw enable-authen-traps? boolean
+--rw target* [name]
Lin, et al. Expires April 25, 2019 [Page 11]
Internet-Draft Network Device Management Plane Security October 2018
| +--rw name snmp:identifier
| +--rw transport snmp-transport-type
| +--rw target-params snmp:identifier
+--rw target-params* [name]
| +--rw name snmp:identifier
| +--rw (params)?
| +--:(usm)
| | +---u snmp:usm-target-params
| +--:(tsm) {snmp:tsm}?
| | +---u snmp:tsm-target-params
+--rw vacm
| +--ro vacm-enable? boolean
| +--rw group* [name]
| | +--rw name snmp:group-name
| | +--rw member* [security-name]
| | | +--rw security-name snmp:security-name
| | | +--rw security-model* snmp:security-model
| | +--rw access* [context security-model security-level]
| | +--rw context snmp:context-name
| | +--rw context-match? enumeration
| | +--rw security-model snmp:security-model-or-any
| | +--rw security-level snmp:security-level
| | +--rw read-view? snmp:view-name
| | +--rw write-view? snmp:view-name
| | +--rw notify-view? snmp:view-name
| +--rw view* [name]
| +--rw name vacm:view-name
| +--rw include* snmp:wildcard-object-identifier
| +--rw exclude* snmp:wildcard-object-identifier
+--rw usm
| +--ro usm-enable? boolean
| +--rw local
| | +---u user-auth-priv
| +--rw remote
| +---u user-auth-priv
+--rw tsm {tsm}?
+--ro tsm-enable? boolean
The tree diagram of grouping "user-auth-priv":
grouping user-auth-priv:
+--rw user* [name]
+--rw name snmp:identifier
+--rw auth-protocol auth-pro-type
+--rw priv-protocol priv-pro-type
Lin, et al. Expires April 25, 2019 [Page 12]
Internet-Draft Network Device Management Plane Security October 2018
5.2.2. NETCONF Management Security
The NETCONF server model defined in
[I-D.ietf-netconf-netconf-client-server] supports both the SSH and
TLS transport protocols. The "ietf-netconf-security" module defined
in this section only reused the security related subtrees and
replaces the SSH and TLS related groupings with those defined in
"ietf-admin-access-security" module.
module: ietf-netconf-security
+--rw ietf-netconf-security
+--rw netconf-enable? boolean
+--rw listen {ncs:listen}?
| +--rw endpoint* [name]
| +--rw name string
| +--rw (transport)
| +--:(ssh) {ssh-listen}?
| | +--rw port inet:port-number
| | +---u accsec:ssh-server-attribute-grouping
| +--:(tls) {tls-listen}?
| +--rw port inet:port-number
| +---u accsec:tls-server-attribute-grouping
+--rw call-home {call-home}?
+--rw netconf-client* [name]
+--rw name string
+--rw endpoints
+--rw endpoint* [name]
+--rw name string
+--rw (transport)
+--:(ssh) {ssh-call-home}?
| +--rw port inet:port-number
| +---u accsec:ssh-server-attribute-grouping
+--:(tls) {tls-call-home}?
+--rw port inet:port-number
+---u accsec:tls-server-attribute-grouping
5.3. Port Management Security
As it is suggested to disable unused service and ports, the current
status (open or shut-down) of the ports that are available on the
network devices can be retrieved and compared with the communication
matrix to check the device security posture.
module: ietf-port-management-security
+--rw ietf-port-management-security
+--rw port-list* [port-number]
+--rw port-number inet:port-number
+--rw port-status boolean
Lin, et al. Expires April 25, 2019 [Page 13]
Internet-Draft Network Device Management Plane Security October 2018
5.4. Log Security
To monitor the running status and diagnose faults or attacks on
network devices, the activities of network administrators, the
operations conducted on devices, and the security notification of
abnormal events need to be recorded. Besides, policy should be
defined to deal with log overflow. Log records can be outputted to
console, or stored locally, or outputted to remote Syslog server.
The following defined "ietf-log-security" module reuses the security
configuration of log remote transfer in
[I-D.ietf-netmod-syslog-model], and adds access control for locally
stored log files.
module: ietf-log-security
+--rw ietf-log-security
+--rw alert-notification
| +--rw login-fail-threshold uint8
| +--rw system-abnormal boolean
| +--rw attack boolean
| +--rw log-overflow-lost boolean
+--rw (log-overflow-action)
| +--:(rewrite-when-overflow) boolean
| | +--ro rewrite-numbers uint16
| +--:(discard-new-logs) boolean
| +--ro discard-numbers uint16
+--rw (log-mode)
+--:(file) {file-action}?
| +--rw user-level-for-read uint8
| +--rw user-level-for-delete uint8
+--:(remote) {remote-action}? [I-D.ietf-netmod-syslog-model]
+--rw destination* [name]
+--rw name string
+--rw (transport)
| ...
+--rw signing! {signed-messages}?
...
5.5. File Security
Patches, packages, configuration files, password files are critical
system files for network infrastructure devices. Only administrators
with certain security privilege levels are allowed to access or
operate on these files. For file transfer security, secure protocol
should be used.
Lin, et al. Expires April 25, 2019 [Page 14]
Internet-Draft Network Device Management Plane Security October 2018
module: ietf-file-security
+--rw ietf-file-security
+--rw role-based-access-control boolean
+--rw transport-protocol file-pro-type
+--rw (transport)
| +--:(sftp) {sftp}?
| | +--rw sftp-enable boolean
| | +--rw sftp-server-port inet:port-number
| | +---u accsec:ssh-server-attribute-grouping
| | +---u accsec:ssh-security-harden-grouping
| +--:(scp) {scp}?
| | +--rw scp-enable boolean
| | +--rw scp-server-port inet:port-number
| | +---u accsec:ssh-server-attribute-grouping
| | +---u accsec:ssh-security-harden-grouping
| +--:(ftps) {ftps}?
| | +--rw ftps-enable boolean
| | +--rw ftps-server-port inet:port-number
| | +---u accsec:tls-server-attribute-grouping
+--rw ip-block-enable boolean
+--rw ip-block-limit {ip-block-config}?
+--rw failed-times uint64
+--rw period uint64
+--rw reactive-time uint64
6. Network Infrastructure Device Security Baseline Yang Module
6.1. Module 'ietf-admin-account-security'
<CODE BEGINS> file "ietf-admin-account-security@2018-10-16.yang"
module ietf-admin-account-security {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-admin-account-security";
prefix acsec;
organization
"IETF SACM (Security Automation and Continuous Monitoring) Working Group";
contact
"WG Web: http://tools.ietf.org/wg/sacm/
WG List: sacm@ietf.org
Editor: Qiushi Lin
linqiushi@huawei.com;
Editor: Liang Xia
frank.xialiang@huawei.com
Editor: Henk Birkholz
henk.birkholz@sit.fraunhofer.de";
Lin, et al. Expires April 25, 2019 [Page 15]
Internet-Draft Network Device Management Plane Security October 2018
description
"This YANG module defines ietf-admin-account-security YANG module, which contains configurations that are actively in use for account security control, password security control and administrative account block.";
revision 2018-10-16 {
description "Initial version.";
reference
"draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of Network Infrastructure Device Management Plane Security Baseline";
}
/*
* features
*/
feature account-security {
description
"If the network device supports this feature, then several security controls on administrative accounts can be conducted.";
}
feature pwd-security {
description
"If the network device supports this feature, then several security controls on password can be conducted.";
}
feature login-failed-block {
description
"If the network device supports this feature, an adminstrative account will be blocked for a certain time range when this account login failed several times in a certain period.";
}
/*
* containers
*/
container account-security-policy {
if-feature account-security;
leaf policy-status {
type boolean;
description
"The status of account security policy: enabled, or disabled.";
}
leaf account-aging-period {
type uint64;
description
"The aging period of an administrative account.";
}
leaf account-name-minlen {
type uint64;
description
"The minimum length of an administrative account name.";
}
Lin, et al. Expires April 25, 2019 [Page 16]
Internet-Draft Network Device Management Plane Security October 2018
description
"If the network device supports some security controls on administrative accounts, the configuration that is actively in use will be collected.";
}
container pwd-security-policy {
if-feature pwd-security;
leaf expire-days {
type uint64;
description
"The password validity period.";
}
leaf prompt-days {
type uint64;
description
"The period for warning before the password expires.";
}
leaf change-check {
type boolean;
description
"Whether it is mandatory to change the password when logining for the first time: enabled, or disabled.";
}
leaf complexity-check {
type boolean;
description
"The status of password complexity check: enabled, or disabled.";
}
leaf history-pwd-num {
type uint64;
config false;
description
"The newly configured password should not be the same as the several past passwords.";
}
leaf pwd-minlen {
type uint64;
description
"The minimum length of a password.";
}
container forbidden-word-rules {
list forbidden-word-rule {
key "forbidden-word";
leaf forbidden-word {
type string;
description
"A forbidden word in password.";
}
description
"A list of forbidden words that are not allowed to be used in password.";
}
Lin, et al. Expires April 25, 2019 [Page 17]
Internet-Draft Network Device Management Plane Security October 2018
description
"Password blacklist.";
}
description
"If the network device supports some security controls on administrative passwords, the configuration that is actively in use will be collected.";
}
container login-failed-limit {
if-feature login-failed-block;
leaf failed-times {
type uint64;
description
"The failed time in a certain period.";
}
leaf peroid {
type uint64;
description
"The certain period in which the failed times are counted.";
}
leaf reactive-time {
type uint64;
description
"The reactive time after which the account is not blocked.";
}
description
"If the network device suppor this feature, an account will be blocked for a certain time range when it failed to login for several times in a certain period.";
}
}
<CODE ENDS>
6.2. Module 'ietf-admin-access-security'
module ietf-admin-access-security {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-admin-access-security";
prefix accsec;
import ietf-inet-types {
prefix inet;
reference
"RFC 6991 - Common YANG Data Types.";
}
import ietf-ssh-common {
prefix sshcmn;
reference
"draft-ietf-netconf-ssh-client-server - YANG Groupings for SSH Clients and SSH Servers";
}
Lin, et al. Expires April 25, 2019 [Page 18]
Internet-Draft Network Device Management Plane Security October 2018
import ietf-tls-common {
prefix tlscmn;
reference
"draft-ietf-netconf-tls-client-server - YANG Groupings for TLS Clients and SSH Servers";
}
import ietf-keystore {
prefix ks;
reference
"draft-ietf-netconf-keystore - YANG Data Model for a Centralized Keystore Mechanism";
}
import ietf-trust-anchors {
prefix ta;
reference
"draft-ietf-netconf-trust-anchors - YANG Data Model for Global Trust Anchors";
}
organization
"IETF SACM (Security Automation and Continuous Monitoring) Working Group";
contact
"WG Web: http://tools.ietf.org/wg/sacm/
WG List: sacm@ietf.org
Editor: Qiushi Lin
linqiushi@huawei.com;
Editor: Liang Xia
frank.xialiang@huawei.com
Editor: Henk Birkholz
henk.birkholz@sit.fraunhofer.de";
description
"This YANG module defines ietf-admin-access-security YANG module, which contains security configurations that are actively in use for different access channels.";
revision 2018-10-16 {
description "Initial version.";
reference
"draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of Network Infrastructure Device Management Plane Security Baseline";
}
/*
* features
*/
feature web-interface {
description
"If the network device supports web interface for administration, then administrative account can access this device through web interface.";
}
Lin, et al. Expires April 25, 2019 [Page 19]
Internet-Draft Network Device Management Plane Security October 2018
feature ip-block-config {
description
"If the network device supports the configuration of ip block function, then it can be configured to block the access from a list of IP addresses.";
}
feature ssh-server-transport-params-config {
description
"SSH transport layer parameters are configurable on an SSH server.";
}
feature tls-server-hello-params-config {
description
"TLS hello message parameters are configurable on a TLS server.";
}
/*
* typedefs
*/
typedef auth-mode-type {
type enumeration {
enum "none" {
description
"Authentication mode: none.";
}
enum "password" {
description
"Authentication mode: password.";
}
enum "aaa" {
description
"Authentication mode: aaa.";
}
}
description
"The Authentication mode of console and vty interface.";
}
/*
* groupings
*/
grouping ssh-server-attribute-grouping {
container server-identity {
list host-key {
key "name";
leaf name {
type string;
description
"The name of the host-key.";
Lin, et al. Expires April 25, 2019 [Page 20]
Internet-Draft Network Device Management Plane Security October 2018
}
choice host-key-type {
mandatory true;
case public-key {
choice local-or-keystore {
case local {
uses ks:public-key-grouping;
description
"The public key and the corresponding algorithm.";
}
case keystore {
if-feature ks:keystore-implemented;
leaf ref {
type ks:asymmetric-key-certificate-ref;
description
"A reference to a value that exists in the keystore.";
}
description
"The reference of the key pair that stored in the keystore. ";
}
description
"The key pair is locally stored or can be referenced from the keystore.";
}
description
"The host key type is asymmetric key pair.";
}
case certificate {
if-feature sshcmn:ssh-x509-certs;
choice local-or-keystore {
case local {
uses ks:public-key-grouping;
uses ks:trust-anchor-cert-grouping;
description
"The certificate and the corresponding public key are stored locally.";
}
case keystore {
if-feature ks:keystore-implemented;
leaf ref {
type ks:asymmetric-key-certificate-ref;
description
"The certificate is referenced by a value that exists in the keystore.";
}
description
"The reference of the certificate that stored in the keystore.";
}
description
"The certificate is stored locally or can be referenced from the keystore.";
}
Lin, et al. Expires April 25, 2019 [Page 21]
Internet-Draft Network Device Management Plane Security October 2018
description
"The host key type is certificate.";
}
description
"Two types of host key: asymmetric key pair, certificate.";
}
description
"A list of host keys of the network device";
}
description
"The list of host keys the network device (acts as SSH server) will use to construct its list of algorithms, when sending its SSH-MSG-KEXINIT message, ase defined in Section 7.1 of RFC 4253.";
}
container client-cert-auth {
if-feature sshcmn:ssh-x509-certs;
leaf pinned-ca-certs {
type ta:pinned-certificates-ref;
description
"A reference to a list of certificate authority (CA) certificates used by the SSH server to authenticate SSH client certificates.";
reference
"draft-ietf-netconf-trust-anchors: YANG Data Model for Global Trust Anchors";
}
leaf pinned-client-certs {
type ta:pinned-certificates-ref;
description
"A reference to a list of client certificates used by the SSH server to authenticate SSH client certificates.";
reference
"draft-ietf-netconf-trust-anchors: YANG Data Model for Global Trust Anchors";
}
description
"A reference to a list of pinned certificate authority (CA) certificates and a reference to a list of pinned client certificates.";
}
container transport-params {
if-feature ssh-server-transport-params-config;
uses sshcmn:transport-params-grouping;
description
"Configurable parameters of the SSH transport layer.";
}
description
"A reusable grouping of configurations that are actively in use for network devices which act as SSH servers.";
}
grouping ssh-security-harden-grouping {
leaf ssh-version {
type uint32;
config false;
mandatory true;
description
"The SSH version that the network device supports.";
Lin, et al. Expires April 25, 2019 [Page 22]
Internet-Draft Network Device Management Plane Security October 2018
}
leaf ssh-server-port {
type inet:port-number;
description
"The port number of SSH server.";
}
leaf ssh-rekey-interval {
type uint32;
description
"The interval for updating the key pair of the SSH server.";
}
leaf ssh-timeout {
type uint32;
description
"The authentication timeout period of SSH.";
}
leaf ssh-retry-times {
type uint32;
description
"The authentication retry times.";
}
leaf ssh1x-compatible {
type boolean;
description
"The status of version-compatible function on the SSH server: enabled, disabled.";
}
leaf ssh-server-interface {
type string;
description
"The source interface of SSH server.";
}
description
"A set of SSH configuration status to enhance security.";
}
grouping tls-server-attribute-grouping {
container server-identity {
choice local-or-keystore {
case local {
uses ks:public-key-grouping;
uses ks:trust-anchor-cert-grouping;
description
"The certificate and the corresponding public key are stored locally.";
}
case keystore {
if-feature ks:keystore-implemented;
leaf ref {
type ks:asymmetric-key-certificate-ref;
Lin, et al. Expires April 25, 2019 [Page 23]
Internet-Draft Network Device Management Plane Security October 2018
description
"The certificate is referenced by a value that exists in the keystore.";
}
description
"The reference of the certificate that stored in the keystore.";
}
description
"The certificate is stored locally or can be referenced from the keystore.";
}
description
"A locally-defined or referenced end-entity certificate, including any configured intermediate certificates, the TLS server will present when establishing a TLS connection in its Certificate message, as defined in Section 7.4.2 in RFC5246.";
}
container client-auth {
leaf pinned-ca-certs {
type ta:pinned-certificates-ref;
description
"A reference to a list of certificate authority (CA) certificates used by the TLS server to authenticate TLS client certificates.";
reference
"draft-ietf-netconf-trust-anchors: YANG Data Model for Global Trust Anchors";
}
leaf pinned-client-certs {
type ta:pinned-certificates-ref;
description
"A reference to a list of client certificates used by the TLS server to authenticate TLS client certificates.";
reference
"draft-ietf-netconf-trust-anchors: YANG Data Model for Global Trust Anchors";
}
description
"A reference to a list of pinned certificate authority (CA) certificates and a reference to a list of pinned client certificates.";
}
container hello-params {
if-feature tls-server-hello-params-config;
uses tlscmn:hello-params-grouping;
description
"Configurable parameters for the TLS hello message.";
}
description
"A reusable grouping of configurations that are actively in use for network devices which act as TLS servers.";
}
/*
* containers
*/
container console {
leaf auth-mode {
type auth-mode-type;
description
Lin, et al. Expires April 25, 2019 [Page 24]
Internet-Draft Network Device Management Plane Security October 2018
"The authentication mode used when administrative accounts login through console interface: none, password, AAA.";
}
leaf privilege-level {
type uint8;
description
"User privilege level.";
}
description
"Security configurations that are actively in use for console interface.";
}
container vtys {
list vty {
key "vty-number";
leaf vty-number {
type uint8;
description
"The number of the vty interface.";
}
leaf auth-mode {
type auth-mode-type;
mandatory true;
description
"The authentication mode used when administrator login through vty interface: none, password, AAA.";
}
leaf privilege-level {
type uint8;
mandatory true;
description
"User privilege level.";
}
leaf-list acl-name-list {
type string;
description
"The name of the acl.";
}
leaf ip-block-enable {
type boolean;
mandatory true;
description
"The status of ip block function: enabled, or disabled.";
}
container ip-block-limit {
if-feature ip-block-config;
leaf failed-times {
type uint64;
description
"The failed times in a certain perid.";
Lin, et al. Expires April 25, 2019 [Page 25]
Internet-Draft Network Device Management Plane Security October 2018
}
leaf peroid {
type uint64;
description
"The certain period in which the failed times are counted.";
}
leaf reactive-time {
type uint64;
description
"The reactive time after which the address is not blocked.";
}
description
"If the login from an address failed several times in a certain period, this address will be blocked for a certain time range.";
}
description
"Security configurations that are actively in use for a vty interface.";
}
description
"A list of security configurations that are actively in use for each vty interface.";
}
container ssh {
uses ssh-server-attribute-grouping;
uses ssh-security-harden-grouping;
leaf ssh-enable {
type boolean;
description
"The status of SSH server: enabled, or disabled.";
}
leaf ip-block-enable {
type boolean;
description
"The status of ip block function: enabled, or disabled.";
}
container ip-block-limit {
if-feature ip-block-config;
leaf failed-times {
type uint64;
description
"The failed times in a certain perid.";
}
leaf peroid {
type uint64;
description
"The certain period in which the failed times are counted.";
}
leaf reactive-time {
type uint64;
Lin, et al. Expires April 25, 2019 [Page 26]
Internet-Draft Network Device Management Plane Security October 2018
description
"The reactive time after which the address is not blocked.";
}
description
"If the login from an address failed several times in a certain period, this address will be blocked for a certain time range.";
}
description
"Security configurations that are actively in use for SSH-based access channel.";
}
container web {
if-feature web-interface;
uses tls-server-attribute-grouping;
leaf auth-mode {
type auth-mode-type;
description
"The authentication mode used when administrator login through web interface: none, password, AAA.";
}
leaf privilege-level {
type uint8;
description
"User privilege level.";
}
leaf http-server-interface {
type string;
description
"The source interface of web server.";
}
leaf https-ipv4-enable {
type boolean;
description
"The status of ipv4 https server: enabled, disabled.";
}
leaf https-ipv6-enable {
type boolean;
description
"The status of ipv6 https server: enabled, disabled.";
}
leaf https-source-port {
type inet:port-number;
description
"The port number of web server.";
}
leaf https-timeout {
type uint32;
description
"The authentication timeout period of https.";
}
Lin, et al. Expires April 25, 2019 [Page 27]
Internet-Draft Network Device Management Plane Security October 2018
leaf ip-block-enable {
type boolean;
description
"The status of ip block function: enabled, or disabled.";
}
container ip-block-limit {
if-feature ip-block-config;
leaf failed-times {
type uint64;
description
"The failed times in a certain perid.";
}
leaf peroid {
type uint64;
description
"The certain period in which the failed times are counted.";
}
leaf reactive-time {
type uint64;
description
"The reactive time after which the address is not blocked.";
}
description
"If the login from an address failed several times in a certain period, this address will be blocked for a certain time range.";
}
description
"If the network device supports web interface. The configuration status of the web server.";
}
}
6.3. Module 'ietf-aaa-security'
<CODE BEGINS> file "ietf-aaa-security@2018-10-16.yang"
module ietf-aaa-security {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-aaa-security";
prefix aaasec;
import ietf-inet-types {
prefix inet;
reference
"RFC 6991 - Common YANG Data Types.";
}
organization
"IETF SACM (Security Automation and Continuous Monitoring) Working Group";
contact
Lin, et al. Expires April 25, 2019 [Page 28]
Internet-Draft Network Device Management Plane Security October 2018
"WG Web: http://tools.ietf.org/wg/sacm/
WG List: sacm@ietf.org
Editor: Qiushi Lin
linqiushi@huawei.com;
Editor: Liang Xia
frank.xialiang@huawei.com
Editor: Henk Birkholz
henk.birkholz@sit.fraunhofer.de";
description
"This YANG module defines ietf-aaa-security YANG module, which contains configurations of AAA.";
revision 2018-10-16 {
description "Initial version.";
reference
"draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of Network Infrastructure Device Management Plane Security Baseline";
}
/*
* features
*/
feature tacacs-supported {
description
"Whether the device supports TACACS+ based Authentication, Authorization, and Accounting.";
}
/*
* typedefs
*/
typedef aaa-authen-mode {
type enumeration {
enum "invalid" {
description
"Invalid authentication mode.";
}
enum "local" {
description
"Local authentication mode.";
}
enum "tacacs" {
description
"TACACS authentication mode. ";
}
enum "radius" {
description
"RADIUS authentication mode. ";
}
Lin, et al. Expires April 25, 2019 [Page 29]
Internet-Draft Network Device Management Plane Security October 2018
enum "none" {
description
"In this mode, users can pass with authentication.";
}
enum "radius-proxy" {
description
"RADIUS proxy authentication mode.";
}
}
description
"Diffrent types of authentication modes.";
}
typedef radius-authen-type {
type enumeration {
enum "pap" {
description
"PAP authentication.";
}
enum "chap" {
description
"CHAP authentication.";
}
}
description
"Different authentication types of RADIUS authentication.";
}
typedef aaa-author-mode {
type enumeration {
enum "invalid" {
description
"Invalid authorization mode.";
}
enum "local" {
description
"Local authorization mode.";
}
enum "tacacs" {
description
"TACACS authorization mode.";
}
enum "if-authenticated" {
description
"If-authenticated mode: If users pass the authentication and the authentication is not in this mode, it indicates that the user authorization is passed. Otherwise, the authorization is not passed.";
}
enum "none" {
description
Lin, et al. Expires April 25, 2019 [Page 30]
Internet-Draft Network Device Management Plane Security October 2018
"Users can pass without authorization.";
}
}
description
"Different types of AAA authorization modes.";
}
typedef aaa-cmd-author-mode {
type enumeration {
enum "invalid" {
description
"Invalid command line authorization mode.";
}
enum "local" {
description
"Local command line authorization mode.";
}
enum "tacacs" {
description
"Specifies that the TACACS mode is applied.";
}
}
description
"Different types of command line authorization modes.";
}
typedef aaa-account-mode {
type enumeration {
enum "invalid" {
description
"invalid accounting mode.";
}
enum "radius" {
description
"RADIUS accounting mode. ";
}
enum "tacacs" {
description
"TACACS accounting mode. ";
}
enum "none" {
description
"In this mode, users do not be accounting.";
}
}
description
"Different types of accounting modes.";
}
Lin, et al. Expires April 25, 2019 [Page 31]
Internet-Draft Network Device Management Plane Security October 2018
/*
* lists & containers
*/
list authentication-scheme {
key "authen-scheme-name";
leaf authen-scheme-name {
type string;
description
"The name of the authentication scheme.";
}
leaf-list authen-mode {
type aaa-authen-mode;
description
"A list of authentication modes with different preference level. The second, third, and the following authentication mode is used only when the first authentication mode does not respond.";
}
leaf authen-type {
type radius-authen-type;
description
"Authentication type of RADIUS: PAP, CHAP.";
}
leaf authen-fail-policy {
type boolean;
description
"The policy to be adopted after user authentication fail: force the user to be offline, allow user login to a domain with access control.";
}
description
"Authentication scheme list.";
}
list authorization-scheme {
key "author-scheme-name";
leaf author-scheme-name {
type string;
description
"The name of the authorization scheme.";
}
leaf-list auhtor-mode {
type aaa-author-mode;
description
"A list of authorization modes with different preference level. The second, third, and the following authorization mode is used only when the first authorization mode does not respond.";
}
leaf-list cmd-auhtor-mode {
type aaa-cmd-author-mode;
description
"A list of command line authorization modes with different preference level. The second, third, and the following command line authorization mode is used only when the first command line authorization mode does not respond.";
}
description
"Authorization scheme list.";
Lin, et al. Expires April 25, 2019 [Page 32]
Internet-Draft Network Device Management Plane Security October 2018
}
list accounting-scheme {
key "account-scheme-name";
leaf account-scheme-name {
type string;
description
"The name of the accounting scheme.";
}
leaf account-mode {
type aaa-account-mode;
description
"Accounting mode.";
}
description
"Accounting scheme list.";
}
container radius-security {
list radius-authen-servers {
key "address";
leaf address {
type inet:host;
description
"The ip address of the authentication server.";
}
leaf port {
type inet:port-number;
description
"The port number of the authentication server.";
}
description
"A list of RADIUS authentication servers";
}
list radius-author-servers {
key "address";
leaf address {
type inet:host;
description
"The ip address of the authorization server.";
}
leaf port {
type inet:port-number;
description
"The port number of the authorization server.";
}
description
"A list of RADIUS authorization servers";
Lin, et al. Expires April 25, 2019 [Page 33]
Internet-Draft Network Device Management Plane Security October 2018
}
list radius-account-servers {
key "address";
leaf address {
type inet:host;
description
"The ip address of the accounting server.";
}
leaf port {
type inet:port-number;
description
"The port number of the accounting server.";
}
description
"A list of RADIUS accounting servers";
}
description
"RADIUS authentication servers, authorization servers and accounting servers.";
}
container tacacs-security {
if-feature tacacs-supported;
list tacacs-authen-servers {
key "address";
leaf address {
type inet:host;
description
"The ip address of the authentication server.";
}
leaf port {
type inet:port-number;
description
"The port number of the authentication server.";
}
description
"A list of TACACS+ and TACACS+ compatible authentication servers";
}
list tacacs-author-servers {
key "address";
leaf address {
type inet:host;
description
"The ip address of the authorization server.";
}
leaf port {
type inet:port-number;
description
"The port number of the authorization server.";
Lin, et al. Expires April 25, 2019 [Page 34]
Internet-Draft Network Device Management Plane Security October 2018
}
description
"A list of TACACS+ and TACACS+ compatible authorization servers";
}
list tacacs-account-servers {
key "address";
leaf address {
type inet:host;
description
"The ip address of the accounting server.";
}
leaf port {
type inet:port-number;
description
"The port number of the accounting server.";
}
description
"A list of TACACS+ and TACACS+ compatible accounting servers";
}
description
"TACACS+ and TACACS+ compatible authentication servers, authorization servers, and accounting servers.";
}
}
<CODE ENDS>
6.4. Module 'ietf-admin-access-statistics'
<CODE BEGINS> file "ietf-admin-access-statistics@2018-10-16.yang"
module ietf-admin-access-statistics {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-admin-access-statistics";
prefix stat;
import ietf-inet-types {
prefix inet;
reference
"RFC 6991 - Common YANG Data Types.";
}
import ietf-yang-types {
prefix yang;
reference
"RFC 6991 - Common YANG Data Types.";
}
organization
"IETF SACM (Security Automation and Continuous Monitoring) Working Group";
Lin, et al. Expires April 25, 2019 [Page 35]
Internet-Draft Network Device Management Plane Security October 2018
contact
"WG Web: http://tools.ietf.org/wg/sacm/
WG List: sacm@ietf.org
Editor: Qiushi Lin
linqiushi@huawei.com;
Editor: Liang Xia
frank.xialiang@huawei.com
Editor: Henk Birkholz
henk.birkholz@sit.fraunhofer.de";
description
"This YANG module defines ietf-admin-access-statistics YANG module, which contains online administrator lists, ip addresses authentication failure or blocked ip addresses.";
revision 2018-10-16 {
description "Initial version.";
reference
"draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of Network Infrastructure Device Management Plane Security Baseline";
}
/*
* features
*/
feature display-online-info {
description
"If the device supports reporting the details of administrative accounts that are currenlty online.";
}
/*
* typedef
*/
typedef ip-block-state-type {
type enumeration {
enum "authenfail" {
description
"Authentication fialed State";
}
enum "blocked" {
description
"BLOCKED State";
}
}
description
"The status of an login failed IP address.";
}
/*
* containers
Lin, et al. Expires April 25, 2019 [Page 36]
Internet-Draft Network Device Management Plane Security October 2018
*/
container online {
leaf total-online-users {
type uint32;
config false;
description
"The number of administrators that are current online.";
}
container online-admin-list {
if-feature display-online-info;
list online-users {
key "account-name";
leaf account-name {
type string;
description
"The account name of the online account.";
}
leaf ip-address {
type inet:ip-address-no-zone;
config false;
description
"The ip address of the online account.";
}
leaf mac-address {
type yang:mac-address;
config false;
description
"The MAC address of the online account.";
}
description
"Online adminstrator list.";
}
description
"If the device supports providing information of online administrators, a list of account details are provided.";
}
description
"Online administrator statistics and details.";
}
container ip-block-list {
list blocked-ip {
key "ip-address";
leaf ip-address {
type inet:ip-address-no-zone;
description
"The blocked IP address.";
}
leaf vpn-instance {
Lin, et al. Expires April 25, 2019 [Page 37]
Internet-Draft Network Device Management Plane Security October 2018
type string;
config false;
description
"The VPN instance of the blocked IP address.";
}
leaf state {
type ip-block-state-type;
config false;
description
"The status of an login failed IP address.";
}
leaf authen-fail-account {
type uint32;
config false;
description
"The number of the login failed attempts.";
}
description
"The list of blocked IP addresses and related information.";
}
description
"The information of blocked IP addresses and related information.";
}
}
<CODE ENDS>
6.5. Module 'ietf-snmp-security'
<CODE BEGINS> file "ietf-snmp-security@2018-10-16.yang"
module ietf-snmp-security {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-snmp-security";
prefix snmpsec;
import ietf-snmp {
prefix snmp;
reference
"RFC 7407.";
}
organization
"IETF SACM (Security Automation and Continuous Monitoring) Working Group";
contact
"WG Web: http://tools.ietf.org/wg/sacm/
WG List: sacm@ietf.org
Editor: Qiushi Lin
Lin, et al. Expires April 25, 2019 [Page 38]
Internet-Draft Network Device Management Plane Security October 2018
linqiushi@huawei.com;
Editor: Liang Xia
frank.xialiang@huawei.com
Editor: Henk Birkholz
henk.birkholz@sit.fraunhofer.de";
description
"This YANG module defines ietf-snmp-security YANG module.";
revision 2018-10-16 {
description "Initial version.";
reference
"draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of Network Infrastructure Device Management Plane Security Baseline";
}
feature tsm {
description
"Whether the network device supports Transport Security Model for SNMP.";
}
/*
* typedef
*/
typedef snmp-transport-type {
type enumeration {
enum "udp" {
description
"SNMP over UDP.";
}
enum "ssh" {
description
"SNMP over SSH.";
}
enum "tls" {
description
"SNMP over TLS.";
}
enum "dtls" {
description
"SNMP over DTLS.";
}
}
description
"The transport channels on which the SNMP engine listens.";
}
typedef snmp-version-type {
type enumeration {
Lin, et al. Expires April 25, 2019 [Page 39]
Internet-Draft Network Device Management Plane Security October 2018
enum "v1" {
description
"SNMPv1";
}
enum "v2c" {
description
"SNMPv2c";
}
enum "v3" {
description
"SNMPv3";
}
}
description
"The version of SNMP protocol";
}
typedef auth-pro-type {
type enumeration {
enum "none" {
description
"Do not enable the authentication of messages sent on behalf of the user.";
}
enum "md5" {
description
"HMAC-MD5-96 authentication protocol";
}
enum "sha" {
description
"HMAC-SHA-96 authentication protocol";
}
}
description
"An indication of whether messages sent on behalf of this user can be authenticated, and if so, the type of authentication protocol which is used: MD5, SHA.";
reference
"RFC 3414";
}
typedef priv-pro-type {
type enumeration {
enum "none" {
description
"Do not enable the encryption of messages sent on behalf of the user.";
}
enum "des" {
description
"DES is used to encrypt messages sent on behalf of the user.";
}
Lin, et al. Expires April 25, 2019 [Page 40]
Internet-Draft Network Device Management Plane Security October 2018
enum "aes" {
description
"AES is used to encrypt messages sent on behalf of the user.";
}
}
description
"An indication of whether messages sent on behalf of this user can be protected from disclosure, and if so, the type of privacy protocol which is used: EDS, AES.";
reference
"RFC 3414 & RFC 3826";
}
/*
* grouping
*/
grouping user-auth-priv {
list user {
key "name";
leaf name {
type snmp:identifier;
description
"The identifier that represents a user.";
}
leaf auth-protocol {
type auth-pro-type;
description
"The type of authentication protocol: none, md5, sha.";
}
leaf priv-protocol {
type priv-pro-type;
description
"The type of encryption protocol: none, des, aes.";
}
description
"A list of users and their corresponding authProtocol, privProtocol.";
}
description
"A grouping that represents a list of users and their corresponding authProtocol, privProtocol.";
reference
"RFC 3414";
}
leaf snmp-enable {
type boolean;
description
"whether SNMP is used.";
}
/*
Lin, et al. Expires April 25, 2019 [Page 41]
Internet-Draft Network Device Management Plane Security October 2018
* containers
*/
container engine {
leaf enabled {
type boolean;
description
"The status of the SNMP engine: enabled, disabled.";
}
list listen {
key "name";
leaf name {
type snmp:identifier;
description
"The name of a transport channel on which the SNMP engine listens.";
}
leaf transport {
type snmp-transport-type;
description
"The transport protocol that SNMP uses.";
}
description
"A list of transport channels on which the SNMP engine listens.";
}
leaf version {
type snmp-version-type;
description
"SNMP version used by the SNMP engine.";
}
leaf enable-authen-traps {
type boolean;
description
"Whether the SNMP entity is permitted to generate authenticationFailure traps.";
reference
"RFC 3418: Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) SNMPv2-MIB.snmpEnableAuthenTraps";
}
description
"The security configurations for SNMP engine.";
}
list target {
key name;
leaf name {
type snmp:identifier;
description
"The name identifies the target.";
}
leaf transport {
type snmp-transport-type;
Lin, et al. Expires April 25, 2019 [Page 42]
Internet-Draft Network Device Management Plane Security October 2018
description
"The transport protocol used.";
}
leaf target-parmas {
type snmp:identifier;
description
"Parameters for the target.";
}
description
"The list of targets.";
reference
"RFC 3413 & RFC 7407";
}
list target-params {
key name;
leaf name {
type snmp:identifier;
description
"The name identifies the target params.";
}
choice params {
case usm {
uses snmp:usm-target-params;
description
"Reuse the grouping defined in ietf-snmp-usm";
}
case tsm {
if-feature snmp:tsm;
uses snmp:tsm-target-params;
description
"Reuse the grouping defined in ietf-snmp-tsm";
}
description
"The parameters specific to each security model.";
}
description
"List of target parameters.";
}
container vacm {
leaf vacm-enable {
type boolean;
config false;
description
"Whether VACM based security configurations are used.";
}
list group {
Lin, et al. Expires April 25, 2019 [Page 43]
Internet-Draft Network Device Management Plane Security October 2018
key name;
leaf name {
type snmp:group-name;
description
"The name of this VACM group.";
}
list member {
key "security-name";
leaf security-name {
type snmp:security-name;
description
"The securityName of a group member.";
}
leaf-list security-model {
type snmp:security-model;
min-elements 1;
description
"The security models under which this security-name is a member of this group.";
}
description
"A member of this VACM group.";
}
list access {
key "context security-model security-level";
leaf context {
type snmp:context-name;
description
"The context under which the access rights apply.";
}
leaf context-match {
type enumeration {
enum exact {
value 1;
description
"The context match type: exact.";
}
enum prefix {
value 2;
description
"The context match type: prefix";
}
}
description
"The match type of the context.";
}
leaf security-model {
type snmp:security-model-or-any;
description
Lin, et al. Expires April 25, 2019 [Page 44]
Internet-Draft Network Device Management Plane Security October 2018
"The security model under which the access rights apply.";
}
leaf security-level {
type snmp:security-level;
description
"The minimum security level under which the access rights apply.";
}
leaf read-view {
type snmp:view-name;
description
"The name of the MIB view of the SNMP context authorizing read access. If this leaf does not exist in a configuration, it maps to a zero-length vacmAccessReadViewName.";
}
leaf wirte-view {
type snmp:view-name;
description
"The name of the MIB view of the SNMP context authorizing write access. If this leaf does not exist in a configuration, it maps to a zero-length vacmAccessWriteViewName.";
}
leaf notify-view {
type snmp:view-name;
description
"The name of the MIB view of the SNMP context authorizing notify access. If this leaf does not exist in a configuration, it maps to a zero-length vacmAccessNotifyViewName.";
}
description
"Definition of access right for groups.";
}
description
"VACM groups";
reference
"RFC 3415: View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)";
}
list view {
key name;
leaf name {
type snmp:view-name;
description
"The name of this MIB view.";
}
leaf-list include {
type snmp:wildcard-object-identifier;
description
"A family of subtrees included in this MIB view.";
}
leaf-list exclude {
type snmp:wildcard-object-identifier;
description
"A family of subtrees excluded in this MIB view.";
}
description
Lin, et al. Expires April 25, 2019 [Page 45]
Internet-Draft Network Device Management Plane Security October 2018
"Definition of MIB views.";
}
description
"The security configurations for View-based Access Control Model (VACM).";
}
container usm {
leaf usm-enable {
type boolean;
config false;
description
"Whether USM based security configurations are used.";
}
container local {
uses user-auth-priv;
description
"A list of local users and their corresponding authentication and privacy protocols.";
}
container remote {
uses user-auth-priv;
description
"A list of remote users and their corresponding authentication and privacy protocols.";
}
description
"Configuration of the User-based Security Model.";
}
container tsm {
if-feature tsm;
leaf tsm-enable {
type boolean;
config false;
description
"Whether TSM based security configurations are used.";
}
description
"Configuration of Transport Security Model.";
}
}
<CODE ENDS>
6.6. Module 'ietf-netconf-security'
module ietf-netconf-security {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-security";
prefix netsec;
Lin, et al. Expires April 25, 2019 [Page 46]
Internet-Draft Network Device Management Plane Security October 2018
import ietf-admin-access-security {
prefix accsec;
}
import ietf-inet-types {
prefix inet;
reference
"RFC 6991: Common YANG Data Types";
}
organization
"IETF SACM (Security Automation and Continuous Monitoring) Working Group";
contact
"WG Web: http://tools.ietf.org/wg/sacm/
WG List: sacm@ietf.org
Editor: Qiushi Lin
linqiushi@huawei.com;
Editor: Liang Xia
frank.xialiang@huawei.com
Editor: Henk Birkholz
henk.birkholz@sit.fraunhofer.de";
description
"This YANG module defines ietf-netconf-security YANG module.";
revision 2018-10-16 {
description "Initial version.";
reference
"draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of Network Infrastructure Device Management Plane Security Baseline";
}
/*
* features
*/
feature listen {
description
"The 'listen' feature indicates that the NETCONF server supports opening a port to accept NETCONF client connections using at least one transport (e.g., SSH, TLS, etc.).";
}
feature ssh-listen {
description
"The 'ssh-listen' feature indicates that the NETCONF server supports opening a port to accept NETCONF over SSH client connections.";
reference
"RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)";
}
Lin, et al. Expires April 25, 2019 [Page 47]
Internet-Draft Network Device Management Plane Security October 2018
feature tls-listen {
description
"The 'tls-listen' feature indicates that the NETCONF server supports opening a port to accept NETCONF over TLS client connections.";
reference
"RFC 7589: Using the NETCONF Protocol over Transport Layer Security (TLS) with Mutual X.509 Authentication";
}
feature call-home {
description
"The 'call-home' feature indicates that the NETCONF server supports initiating NETCONF call home connections to NETCONF clients using at least one transport (e.g., SSH, TLS, etc.).";
reference
"RFC 8071: NETCONF Call Home and RESTCONF Call Home";
}
feature ssh-call-home {
description
"The 'ssh-call-home' feature indicates that the NETCONF server supports initiating a NETCONF over SSH call home connection to NETCONF clients.";
reference
"RFC 8071: NETCONF Call Home and RESTCONF Call Home";
}
feature tls-call-home {
description
"The 'tls-call-home' feature indicates that the NETCONF server supports initiating a NETCONF over TLS call home connection to NETCONF clients.";
reference
"RFC 8071: NETCONF Call Home and RESTCONF Call Home";
}
/*
* leaf & containers
*/
leaf netconf-enable {
type boolean;
description
"Whether the NETCONF protocol is used.";
}
container listen {
if-feature listen;
list endpoint {
key name;
leaf name {
type string;
description
"The name of the NETCONF listen endpoint.";
}
choice transport {
Lin, et al. Expires April 25, 2019 [Page 48]
Internet-Draft Network Device Management Plane Security October 2018
case ssh {
if-feature ssh-listen;
leaf port {
type inet:port-number;
description
"The local port number to listen on.";
}
uses accsec:ssh-server-attribute-grouping;
description
"SSH based listening.";
}
case tls {
if-feature tls-listen;
leaf port {
type inet:port-number;
description
"The local port number to listen on.";
}
uses accsec:tls-server-attribute-grouping;
description
"TLS based listening.";
}
description
"The transport protocol used.";
}
description
"List of endpoints to listen for NETCONF connections.";
}
description
"Configurations related the listen behavior.";
}
container call-home {
if-feature call-home;
list netconf-client {
key name;
leaf name {
type string;
description
"The name of the remote NETCONF client.";
}
container endpoints {
list endpoint {
key name;
leaf name {
type string;
description
"The name for this endpoint.";
Lin, et al. Expires April 25, 2019 [Page 49]
Internet-Draft Network Device Management Plane Security October 2018
}
choice transport {
case ssh {
if-feature ssh-call-home;
leaf port {
type inet:port-number;
description
"The IP port for this endpoint.";
}
uses accsec:ssh-server-attribute-grouping;
description
"SSH based call-home.";
}
case tls {
if-feature tls-call-home;
leaf port {
type inet:port-number;
description
"The IP port for this endpoint.";
}
uses accsec:tls-server-attribute-grouping;
description
"TLS based call-home.";
}
description
"The used transport protocol.";
}
description
"A list of endpoints for this NETCONF server to try to connect in sequence.";
}
description
"List of endpoints";
}
description
"List of NETCONF clients the NETCONF server is to initiate call-home connections to in parallel.";
}
description
"Configurations related to call-home behavior.";
}
}
6.7. Module 'ietf-port-management-security'
<CODE BEGINS> file "ietf-port-management-security@2018-10-16.yang"
module ietf-port-management-security {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-port-management-security";
prefix acsec;
Lin, et al. Expires April 25, 2019 [Page 50]
Internet-Draft Network Device Management Plane Security October 2018
import ietf-inet-types {
prefix inet;
reference
"RFC 6991: Common YANG Data Types";
}
organization
"IETF SACM (Security Automation and Continuous Monitoring) Working Group";
contact
"WG Web: http://tools.ietf.org/wg/sacm/
WG List: sacm@ietf.org
Editor: Qiushi Lin
linqiushi@huawei.com;
Editor: Liang Xia
frank.xialiang@huawei.com
Editor: Henk Birkholz
henk.birkholz@sit.fraunhofer.de";
description
"This YANG module defines ietf-port-management-security YANG module.";
revision 2018-10-16 {
description "Initial version.";
reference
"draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of Network Infrastructure Device Management Plane Security Baseline";
}
list port-list {
key port-number;
leaf port-number {
type inet:port-number;
description
"The port number.";
}
leaf port-status {
type boolean;
description
"The status of the port: open or shut-down.";
}
description
"The status of all the ports in the device.";
}
}
<CODE ENDS>
Lin, et al. Expires April 25, 2019 [Page 51]
Internet-Draft Network Device Management Plane Security October 2018
7. Acknowledgements
8. IANA Considerations
This document requires no IANA actions.
9. Security Considerations
Secure transport should be used to retrieve the current status of
management plane security baseline.
10. References
10.1. Normative References
[I-D.birkholz-sacm-yang-content]
Birkholz, H. and N. Cam-Winget, "YANG subscribed
notifications via SACM Statements", draft-birkholz-sacm-
yang-content-01 (work in progress), January 2018.
[I-D.dong-sacm-nid-cp-security-baseline]
Dong, Y. and L. Xia, "The Data Model of Network
Infrastructure Device Control Plane Security Baseline",
draft-dong-sacm-nid-cp-security-baseline-00 (work in
progress), September 2017.
[I-D.dong-sacm-nid-infra-security-baseline]
Dong, Y. and L. Xia, "The Data Model of Network
Infrastructure Device Infrastructure Layer Security
Baseline", draft-dong-sacm-nid-infra-security-baseline-01
(work in progress), May 2018.
[I-D.ietf-netconf-keystore]
Watsen, K., "YANG Data Model for a Centralized Keystore
Mechanism", draft-ietf-netconf-keystore-06 (work in
progress), September 2018.
[I-D.ietf-netconf-netconf-client-server]
Watsen, K., "NETCONF Client and Server Models", draft-
ietf-netconf-netconf-client-server-07 (work in progress),
September 2018.
[I-D.ietf-netconf-ssh-client-server]
Watsen, K. and G. Wu, "YANG Groupings for SSH Clients and
SSH Servers", draft-ietf-netconf-ssh-client-server-07
(work in progress), September 2018.
Lin, et al. Expires April 25, 2019 [Page 52]
Internet-Draft Network Device Management Plane Security October 2018
[I-D.ietf-netconf-tls-client-server]
Watsen, K. and G. Wu, "YANG Groupings for TLS Clients and
TLS Servers", draft-ietf-netconf-tls-client-server-07
(work in progress), September 2018.
[I-D.ietf-netmod-acl-model]
Jethanandani, M., Agarwal, S., Huang, L., and D. Blair,
"Network Access Control List (ACL) YANG Data Model",
draft-ietf-netmod-acl-model-20 (work in progress), October
2018.
[I-D.ietf-netmod-syslog-model]
Wildes, C. and K. Koushik, "A YANG Data Model for Syslog
Configuration", draft-ietf-netmod-syslog-model-26 (work in
progress), March 2018.
[I-D.ietf-sacm-information-model]
Waltermire, D., Watson, K., Kahn, C., Lorenzin, L., Cokus,
M., Haynes, D., and H. Birkholz, "SACM Information Model",
draft-ietf-sacm-information-model-10 (work in progress),
April 2017.
[I-D.xia-sacm-nid-dp-security-baseline]
Xia, L. and G. Zheng, "The Data Model of Network
Infrastructure Device Data Plane Security Baseline",
draft-xia-sacm-nid-dp-security-baseline-02 (work in
progress), June 2018.
[RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for
System Management", RFC 7317, DOI 10.17487/RFC7317, August
2014, <https://www.rfc-editor.org/info/rfc7317>.
[RFC7407] Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
December 2014, <https://www.rfc-editor.org/info/rfc7407>.
10.2. Informative References
[I-D.ietf-tls-oldversions-deprecate]
Moriarty, K. and S. Farrell, "Deprecating TLSv1.0 and
TLSv1.1", draft-ietf-tls-oldversions-deprecate-00 (work in
progress), September 2018.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
Lin, et al. Expires April 25, 2019 [Page 53]
Internet-Draft Network Device Management Plane Security October 2018
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>.
[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
and R. Wilton, "Network Management Datastore Architecture
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
<https://www.rfc-editor.org/info/rfc8342>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
Appendix A.
The following is the whole structure of the YANG tree diagram for
network infrastructure device management plane. The existed RFCs and
drafts that related this document are listed at the right side.
Lin, et al. Expires April 25, 2019 [Page 54]
Internet-Draft Network Device Management Plane Security October 2018
+----------------+--------------------------------------------------+
| Modules | Related RFCs/Drafts |
+----------------+--------------------------------------------------+
| ietf-admin- | None |
| account- | |
| security | |
| | |
| ietf-admin- | draft-ietf-netconf-keystore,draft-ietf-netconf- |
| access- | ssh-client-server,draft-ietf-netconf-tls-client- |
| security | server |
| | |
| ietf-aaa- | RFC7317 |
| security | |
| | |
| ietf-admin- | None |
| access- | |
| statistics | |
| | |
| ietf-snmp- | RFC7407 |
| security | |
| | |
| ietf-netconf- | draft-ietf-netconf-netconf-client-server,draft- |
| security | ietf-netconf-keystore |
| | |
| ietf-port- | None |
| management- | |
| security | |
| | |
| ietf-log- | draft-ietf-netmod-syslog-model |
| security | |
| | |
| ietf-file- | draft-ietf-netconf-keystore,draft-ietf-netconf- |
| security | ssh-client-server,draft-ietf-netconf-tls-client- |
| | server |
+----------------+--------------------------------------------------+
The modules defined in this document and related RFCs/drafts
Draft [I-D.ietf-netconf-tls-client-server] and draft
[I-D.ietf-netconf-ssh-client-server] focus on YANG models for TLS-
specific configuration and SSH-specific configuration respectively.
The transport-level configuration, such as what ports to listen-on or
connect-to, is not included. Besides, as these grouping focus on
configurations, the configuration of private-key and "certificate-
expiration" notification are not needed. Draft
[I-D.ietf-netconf-netconf-client-server] defines NETCONF YANG model
based on the data models defined in the above two documents.
Lin, et al. Expires April 25, 2019 [Page 55]
Internet-Draft Network Device Management Plane Security October 2018
[RFC7317] defines a YANG data model for system management of device
containing a NETCONF sever. It summarizes data modules for NETCONF
user authentication, and defined YANG module for client to configure
the RADIUS authentication server information. Three methods are
defined for user authentication: public key for local users over SSH,
password for local users over any secure transport, password for
RADIUS users over any secure transport.
[RFC7407] defines a YANG model for SNMP configuration it is not
limited security related configurations and status.
Draft [I-D.ietf-netmod-syslog-model] defines a YANG model for Syslog
configuration, including TLS based transport security and syslog
messages signing.
Authors' Addresses
Qiushi Lin
Huawei
Huawei Industrial Base
Shenzhen, Guangdong 518129
China
Email: linqiushi@huawei.com
Liang Xia
Huawei
101 Software Avenue, Yuhuatai District
Nanjing, Jiangsu 210012
China
Email: Frank.xialiang@huawei.com
Henk Birkholz
Fraunhofer SIT
Rheinstrasse 75
Darmstadt 64295
Germany
Email: henk.birkholz@sit.fraunhofer.de
Lin, et al. Expires April 25, 2019 [Page 56]