Network Configuration Access Control Model
RFC 8341

Document Type RFC - Internet Standard (March 2018; No errata)
Obsoletes RFC 6536
Also known as STD 91
Last updated 2018-03-16
Replaces draft-bierman-netconf-rfc6536bis
Stream IETF
Yang Validation 0 errors, 0 warnings.
Reviews OPSDIR will not review this version
Additional URLs
- Yang catalog entry for ietf-netconf-acm@2017-12-11.yang
- Yang impact analysis for draft-ietf-netconf-rfc6536bis
Stream WG state Submitted to IESG for Publication
Document shepherd Mahesh Jethanandani
Shepherd write-up (last changed 2017-08-22)
IESG IESG state RFC 8341 (Internet Standard)
Consensus Boilerplate Yes
Responsible AD Benoit Claise
Send notices to Mahesh Jethanandani <mjethanandani@gmail.com>
IANA IANA review state Version Changed - Review Needed
IANA action state RFC-Ed-Ack
Internet Engineering Task Force (IETF)                        A. Bierman
Request for Comments: 8341                                     YumaWorks
STD: 91                                                     M. Bjorklund
Obsoletes: 6536                                           Tail-f Systems
Category: Standards Track                                     March 2018
ISSN: 2070-1721

               Network Configuration Access Control Model

Abstract

   The standardization of network configuration interfaces for use with
   the Network Configuration Protocol (NETCONF) or the RESTCONF protocol
   requires a structured and secure operating environment that promotes
   human usability and multi-vendor interoperability.  There is a need
   for standard mechanisms to restrict NETCONF or RESTCONF protocol
   access for particular users to a preconfigured subset of all
   available NETCONF or RESTCONF protocol operations and content.  This
   document defines such an access control model.

   This document obsoletes RFC 6536.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8341.

Bierman & Bjorklund          Standards Track                    [Page 1]
RFC 8341                          NACM                        March 2018

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................4
      1.1. Terminology ................................................4
      1.2. Changes since RFC 6536 .....................................6
   2. Access Control Design Objectives ................................7
      2.1. Access Control Points ......................................7
      2.2. Simplicity .................................................8
      2.3. Procedural Interface .......................................8
      2.4. Datastore Access ...........................................8
      2.5. Users and Groups ...........................................8
      2.6. Maintenance ................................................9
      2.7. Configuration Capabilities .................................9
      2.8. Identifying Security-Sensitive Content .....................9
   3. NETCONF Access Control Model (NACM) ............................10
      3.1. Overview ..................................................10
           3.1.1. Features ...........................................10
           3.1.2. External Dependencies ..............................11
           3.1.3. Message Processing Model ...........................11
      3.2. Datastore Access ..........................................14
           3.2.1. Mapping New Datastores to NACM .....................14
           3.2.2. Access Rights ......................................14
           3.2.3. RESTCONF Methods ...................................15
           3.2.4. <get> and <get-config> Operations ..................16
           3.2.5. <edit-config> Operation ............................16
           3.2.6. <copy-config> Operation ............................18
           3.2.7. <delete-config> Operation ..........................18
           3.2.8. <commit> Operation .................................19
           3.2.9. <discard-changes> Operation ........................19
           3.2.10. <kill-session> Operation ..........................19
      3.3. Model Components ..........................................19
           3.3.1. Users ..............................................19
           3.3.2. Groups .............................................20
           3.3.3. Emergency Recovery Session .........................20
           3.3.4. Global Enforcement Controls ........................20