Zum Hauptinhalt springen

6. Security Considerations

Dieser Abschnitt bewahrt den RFC-Text zum TACACS+ client YANG model, einschliesslich RFC 9105 changes, TLS 1.3 support, ietf-system-tacacs-plus module, credential references, NACM-sensitive nodes, IANA registrations, JSON examples und full tree.

Originaler RFC-Text

6.  Security Considerations

This section is modeled after the template described in Section 3.7.1
of [RFC9907].

The "ietf-system-tacacs-plus" YANG module defines a data model that
is designed to be accessed via YANG-based management protocols, such
as the Network Configuration Protocol (NETCONF) [RFC6241] and
RESTCONF [RFC8040]. These YANG-based management protocols (1) have
to use a secure transport layer (e.g., Secure Shell (SSH) [RFC4252],
TLS [RFC8446], and QUIC [RFC9000]) and (2) have to use mutual
authentication.

The Network Configuration Access Control Model (NACM) [RFC8341]
provides the means to restrict access for particular NETCONF or
RESTCONF users to a preconfigured subset of all available NETCONF or
RESTCONF protocol operations and content.

There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., "config true", which is the
default). All writable data nodes are likely to be sensitive or
vulnerable in some network environments. Write operations (e.g.,
edit-config) and delete operations to these data nodes without proper
protection or authentication can have a negative effect on network
operations. The following subtrees and data nodes have particular
sensitivities/vulnerabilities:

'server': This list contains the data nodes used to control the
TACACS+ servers used by the device. Unauthorized access to this
list could enable an attacker to assume complete control over the
device by pointing to a compromised TACACS+ server, or to modify
the counters to hide attacks against the device.

'shared-secret': This leaf controls the key known to both the
TACACS+ client and server. Unauthorized access to this leaf could
make the device vulnerable to attacks; therefore, it has been
restricted using the "default-deny-all" access control defined in
[RFC8341]. When setting, it is highly recommended that the leaf
is at least 32 characters long and sufficiently complex with a mix
of different character types, i.e., upper case, lower case,
numeric, and punctuation.

'client-identity' and 'server-authentication': Any modification to a
key or reference to a key may dramatically alter the implemented
security policy. For this reason, the NACM extension "default-
deny-write" has been set.

There are no particularly sensitive readable data nodes.

There are no particularly sensitive RPC or action operations.

This YANG module uses groupings from other YANG modules that define
nodes that may be considered sensitive or vulnerable in network
environments. Refer to Section 5.3 of [RFC9642] and Section 5.3 of
[RFC9645] for information as to which nodes may be considered
sensitive or vulnerable in network environments.