Network Working Group                                       M. Bjorklund
Internet-Draft                                            Tail-f Systems
Intended status: Standards Track                        J. Schoenwaelder
Expires: September 13, 2012                            Jacobs University
                                                          March 12, 2012

                A YANG Data Model for SNMP Configuration
                   draft-bjorklund-netmod-snmp-cfg-02

Abstract

   This document defines a collection of YANG definitions for
   configuring SNMP engines.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 13, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Overview
   3.  Data Model
     3.1.  General Considerations
     3.2.  Common Definitions
     3.3.  Engine Configuration
     3.4.  Target Configuration
     3.5.  Notification Configuration
     3.6.  Proxy Configuration
     3.7.  Community Configuration
     3.8.  View-based Access Control Model Configuration
     3.9.  User-based Security Model Configuration
     3.10. Transport Security Model Configuration
     3.11. Transport Layer Security Transport Model Configuration
   4.  Definitions
     4.1.  Module 'ietf-snmp'
     4.2.  Submodule 'ietf-snmp-common'
     4.3.  Submodule 'ietf-snmp-engine'
     4.4.  Submodule 'ietf-snmp-target'
     4.5.  Submodule 'ietf-snmp-notification'
     4.6.  Submodule 'ietf-snmp-proxy'
     4.7.  Submodule 'ietf-snmp-community'
     4.8.  Submodule 'ietf-snmp-vacm'
     4.9.  Submodule 'ietf-snmp-usm'
     4.10. Submodule 'ietf-snmp-tsm'
     4.11. Submodule 'ietf-snmp-tls'
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Example configurations
     A.1.  Engine Configuration Example
     A.2.  Community Configuration Example
     A.3.  User-based Security Model Configuration Example
     A.4.  Target and Notification Configuration Example
     A.5.  Proxy Configuration Example
     A.6.  View-based Access Control Model Configuration Example
     A.7.  Transport Layer Security Transport Model Configuration
           Example
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020] data model for the
   configuration of SNMP engines.  The configuration model is consistent
   with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413],
   [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591] and [RFC6353]
   but takes advantage of YANG's ability to define hierarchical
   configuration data models.  The structure of the model has been
   derived from existing proprietary configuration models implemented as
   command line interfaces.

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14, [RFC2119].

2.  Overview

   In order to preserve the modularity of SNMP, the YANG configuration
   data model is organized in a set of YANG submodules, all sharing the
   same module namespace.  This makes it possible to add configuration
   support for additional SNMP features while keeping the number of
   namespaces that have to be dealt with to a minimum.

3.  Data Model

3.1.  General Considerations

   Most YANG nodes are mapped 1-1 to the corresponding MIB object.  The
   "reference" statement is used to indicate which corresponding MIB
   object the YANG node is mapped to.  When there is not a simple 1-1
   mapping, the "description" statement explains the mapping.

3.2.  Common Definitions

   The submodule "ietf-snmp-common" defines a set of common typedefs,
   features, and the top-level container "snmp".  All configuration
   parameters defined in the other submodules are organized under this
   top-level container.

   This submodule defines four YANG features:

   proxy:  A server implements this feature if it can act as an SNMP
      Proxy.

   notification-filter:  A server implements this feature if it supports
      SNMP notification filtering.

   tsm:  A server implements this feature if it supports the Transport
      Security Model (tsm) [RFC5591].

   tlstm:  A server implements this feature if it supports the Transport
      Layer Security (TLS) Transport Model (tlstm) [RFC6353].

3.3.  Engine Configuration

   The submodule "ietf-snmp-engine", which defines configuration
   parameters that are specific to SNMP engines, has the following
   structure:

   +--rw snmp
      +--rw engine
         +--rw enabled?     boolean
         +--rw listen
         |  +--rw udp [ip port]
         |     +--rw ip      inet:ip-address
         |     +--rw port    inet:port-number
         +--rw version
         |  +--rw v1?    empty
         |  +--rw v2c?   empty
         |  +--rw v3?    empty
         +--rw engine-id?   snmp:engine-id

   The leaf "/snmp/engine/enabled" can be used to enable/disable an SNMP
   engine.

   The container "/snmp/engine/listen" provides configuration of the
   transport endpoints the engine is listening to.  In this submodule,
   SNMP over UDP is defined.  TLS and Datagram Transport Layer Security
   (DTLS) are also supported, defined in "ietf-snmp-tls" (Section 3.11).
   The "listen" container is expected to be augmented for other
   transports.

   The "/snmp/engine/version" container can be used to enable/disable
   the different message processing models.

3.4.  Target Configuration

   The submodule "ietf-snmp-target", which defines configuration
   parameters that correspond to the objects in SNMP-TARGET-MIB, has the
   following structure:

   +--rw snmp
      +--rw target [name]
         +--rw name             snmp:identifier
         +--rw (transport)
         |  +--:(udp)
         |     +--rw udp
         |        +--rw ip               inet:ip-address
         |        +--rw port?            inet:port-number
         |        +--rw prefix-length?   uint8
         +--rw tag*             snmp:identifier
         +--rw timeout?         uint32
         +--rw retries?         uint8
         +--rw (params)?

   An entry in the list "/snmp/target" corresponds to an
   "snmpTargetAddrEntry".

   The "snmpTargetAddrTDomain" and "snmpTargetAddrTAddress" objects are
   mapped to transport-specific YANG nodes.  Each transport is
   configured as a separate case in the "transport" choice.  In this
   submodule, SNMP over UDP is defined.  TLS and DTLS are also
   supported, defined in "ietf-snmp-tls" (Section 3.11).  The
   "transport" choice is expected to be augmented for other transports.

   In order to provide a simpler configuration model with fewer cross-
   references, the "target" list also inlines the
   "snmpTargetParamsEntry" pointed to by "snmpTargetAddrParams".  This
   is accomplished with a choice "params", which is augmented by
   security model specific submodules, currently "ietf-snmp-community"
   (Section 3.7), "ietf-snmp-usm" (Section 3.9), and "ietf-snmp-tls"
   (Section 3.11).

   The YANG model does not define a separate list that maps directly to
   "snmpTargetParamsTable".  Since "snmpProxyTable" also has a reference
   to this table, "snmpProxyTable" also has a choice "params" which is
   augmented by security model specific submodules (Section 3.6).

3.5.  Notification Configuration

   The submodule "ietf-snmp-notification", which defines configuration
   parameters that correspond to the objects in SNMP-NOTIFICATION-MIB,
   has the following structure:

   +--rw snmp
      +--rw notify [name]
      |  +--rw name    snmp:identifier
      |  +--rw tag     leafref
      |  +--rw type?   enumeration
      +--rw notify-filter-profile [name]
      |  +--rw name       snmp:identifier
      |  +--rw include*   wildcard-object-identifier
      |  +--rw exclude*   wildcard-object-identifier
      +--rw enable-authen-traps?   boolean

   It also augments the "target" list defined in the "ietf-snmp-target"
   submodule (Section 3.4) with one leaf:

   +--rw snmp
      +--rw target [name]
         ...
         +--rw notify-filter-profile?   leafref

   An entry in the list "/snmp/notify" corresponds to an
   "snmpNotifyEntry".

   An entry in the list "/snmp/notify-filter-profile" corresponds to an
   "snmpNotifyFilterProfileEntry".  In the MIB, there is a sparse
   relationship between "snmpTargetParamsTable" and
   "snmpNotifyFilterProfileTable".  In the YANG model, this sparse
   relationship is represented with a leafref leaf
   "notify-filter-profile" in the "/snmp/target" list, which refers to
   an entry in the "/snmp/notify-filter-profile" list.

   The "snmpNotifyFilterTable" is represented as a list "filter" within
   the "/snmp/notify-filter-profile" list.

3.6.  Proxy Configuration

   The submodule "ietf-snmp-proxy", which defines configuration
   parameters that correspond to the objects in SNMP-PROXY-MIB, has the
   following structure:

   +--rw snmp
      +--rw proxy [name]
         +--rw name                   snmp:identifier
         +--rw type                   enumeration
         +--rw context-engine-id      snmp:engine-id
         +--rw context-name?          snmp:context-name
         +--rw params-in
         |  +--rw (params)
         +--rw single-target-out?     leafref
         +--rw multiple-target-out?   leafref

   An entry in the list "/snmp/proxy" corresponds to an
   "snmpProxyEntry".

   Like the "target" list (Section 3.4), the "proxy" list inlines the
   "snmpTargetParamsEntry" pointed to by "snmpProxyTargetParamsIn".
   This is accomplished with a choice "params", which is augmented by
   security model specific submodules, currently "ietf-snmp-community"
   (Section 3.7), "ietf-snmp-usm" (Section 3.9), and "ietf-snmp-tls"
   (Section 3.11).

3.7.  Community Configuration

   The submodule "ietf-snmp-community", which defines configuration
   parameters that correspond to the objects in SNMP-COMMUNITY-MIB, has
   the following structure:

   +--rw snmp
      +--rw community [index]
         +--rw index            snmp:identifier
         +--rw (name)?
         |  +--:(text-name)
         |  |  +--rw text-name?     string
         |  +--:(binary-name)
         |     +--rw binary-name?   binary
         +--rw security-name    snmp:security-name
         +--rw engine-id?       snmp:engine-id
         +--rw context?         snmp:context-name
         +--rw target-tag?      leafref

   It also augments the "/snmp/target/params" and "/snmp/proxy/
   params-in/params" choices with nodes for the Community-Based Security
   Model used by SNMPv1 and SNMPv2c:

   +--rw snmp
      +--rw target [name]
      |  ...
      |  +--rw (params)?
      |  |  +--:(v1)
      |  |  |  +--rw v1
      |  |  |     +--rw community   leafref
      |  |  +--:(v2c)
      |  |     +--rw v2c
      |  |        +--rw community   leafref
      |  +--rw mms?   union
      +--rw proxy
         +--rw params-in
            +--rw params
               +--:(v1)
               |  +--rw v1
               |     +--rw community   leafref
               +--:(v2c)
                  +--rw v2c
                     +--rw community   leafref

   An entry in the list "/snmp/community" corresponds to an
   "snmpCommunityEntry".

   When a case "v1" or "v2c" is chosen, it implies a
   snmpTargetParamsMPModel 0 (SNMPv1) or 1 (SNMPv2), and a
   snmpTargetParamsSecurityModel 1 (SNMPv1) or 2 (SNMPv2), respectively.
   Both cases imply a snmpTargetParamsSecurityLevel of noAuthNoPriv.

3.8.  View-based Access Control Model Configuration

   The submodule "ietf-snmp-vacm", which defines configuration
   parameters that correspond to the objects in SNMP-VIEW-BASED-ACM-MIB,
   has the following structure:

   +--rw snmp
      +--rw vacm
         +--rw group [name]
         |  +--rw name      group-name
         |  +--rw member [security-name]
         |  |  +--rw security-name     snmp:security-name
         |  |  +--rw security-model*   snmp:security-model
         |  +--rw access [context security-model security-level]
         |     +--rw context          snmp:context-name
         |     +--rw context-match?   enumeration
         |     +--rw security-model   snmp:security-model-or-any
         |     +--rw security-level   snmp:security-level
         |     +--rw read-view?       leafref
         |     +--rw write-view?      leafref
         |     +--rw notify-view?     leafref
         +--rw view [name]
            +--rw name       view-name
            +--rw include*   snmp:wildcard-object-identifier
            +--rw exclude*   snmp:wildcard-object-identifier

   The "vacmSecurityToGroupTable" and "vacmAccessTable" are mapped to a
   structure of nested lists in the YANG model.  Groups are defined in
   the list "/snmp/vacm/group", and for each group there is a sublist
   "member" that maps to "vacmSecurityToGroupTable", and a sublist
   "access" that maps to "vacmAccessTable".

   MIB views are defined in the list "/snmp/vacm/view", and for each MIB
   view there is a leaf-list of included subtree families and a
   leaf-list of excluded subtree families.  This is a more compact and
   thus more readable representation of the "vacmViewTreeFamilyTable".

3.9.  User-based Security Model Configuration

   The submodule "ietf-snmp-usm", which defines configuration parameters
   that correspond to the objects in SNMP-USER-BASED-SM-MIB, has the
   following structure:

   +--rw snmp
      +--rw usm
         +--rw local
         |  +--rw user [name]
         |     +-- {common user params}
         +--rw remote [engine-id]
            +--rw engine-id   snmp:engine-id
            +--rw user [name]
               +-- {common user params}

   The "{common user params}" are:

   +--rw name    snmp:identifier
   +--rw auth?
   |  +--rw (protocol)
   |     +--:(md5)
   |     |  +--rw md5
   |     |     +-- {common key params}
   |     +--:(sha)
   |        +--rw sha
   |           +-- {common key params}
   +--rw priv?
      +--rw (protocol)
         +--:(des)
         |  +--rw des
         |     +-- {common key params}
         +--:(aes)
            +--rw aes
               +-- {common key params}

   The "{common key params}" are:

   +--rw (key-type)?
      +--:(password)
      |  +--rw password?   string
      +--:(key)
         +--rw key?        string

   It also augments the "/snmp/target/params" and "/snmp/proxy/
   params-in/params" choices with nodes for the SNMP User-based Security
   Model.

   +--rw snmp
      +--rw target [name]
      |  ...
      |  +--rw (params)?
      |     +--:(usm)
      |        +--rw usm
      |           +--rw user-name        snmp:security-name
      |           +--rw security-level   security-level
      +--rw proxy [name]
         ...
         +--rw params-in
            +--rw (params)
               +--:(usm)
                  +--rw usm
                     +--rw user-name        snmp:security-name
                     +--rw security-level   security-level

   In the MIB, there is a single table with local and remote users,
   indexed by the engine id and user name.  In the YANG model, there is
   one list of local users, and a nested list of remote users.

   In the MIB, there are several objects related to changing the
   authentication and privacy keys.  These objects are not present in
   the YANG model.  Instead, there is a choice between a password or a
   localized key.  If a password is given, it is used by the server to
   calculate a localized key, which is stored in the configuration.  The
   clear-text password is never stored.  This implies that if the engine
   id is changed, all users' keys need to be changed as well.

3.10.  Transport Security Model Configuration

   The submodule "ietf-snmp-tsm", which defines configuration parameters
   that correspond to the objects in SNMP-TSM-MIB, has the following
   structure:

   +--rw snmp
      +--rw tsm
         +--rw use-prefix?   boolean

   It also augments the "/snmp/target/params" and "/snmp/proxy/
   params-in/params" choices with nodes for the SNMP Transport Security
   Model.

   +--rw snmp
      +--rw target [name]
      |  ...
      |  +--rw (params)?
      |     +--:(tsm)
      |        +--rw tsm
      |           +--rw security-name    snmp:security-name
      |           +--rw security-level   security-level
      +--rw proxy [name]
         ...
         +--rw params-in
            +--rw (params)
               +--:(tsm)
                  +--rw tsm
                     +--rw security-name    snmp:security-name
                     +--rw security-level   security-level

3.11.  Transport Layer Security Transport Model Configuration

   The submodule "ietf-snmp-tls", which defines configuration parameters
   that correspond to the objects in SNMP-TLS-TM-MIB, has the following
   structure:

   +--rw snmp
      ...
      +--rw target [name]
      |  ...
      |  +--rw (transport)
      |     +--:(tls)
      |     |  +--rw tls
      |     |     +-- {common (d)tls transport params}
      |     +--:(dtls)
      |        +--rw dtls
      |           +-- {common (d)tls transport params}
      +--rw tlstm
         +--rw cert-to-security-name [id]
            +--rw id                              uint32
            +--rw fingerprint?                    tls-fingerprint
            +--rw map-type?                       identityref
            +--rw cert-specified-security-name?   admin-string

   The "{common (d)tls transport params}" are:

   +--rw ip?                   inet:ip-address
   +--rw port?                 inet:port-number
   +--rw client-fingerprint?   tls-fingerprint
   +--rw (server-identification)?
      +--:(server-fingerprint)
      |  +--rw server-fingerprint?   tls-fingerprint
      +--:(server-identity)
         +--rw server-identity?      admin-string

   It also augments the "/snmp/engine/listen" container with objects for
   the (D)TLS transport endpoints:

   +--rw snmp
      +--rw engine
         ...
         +--rw listen
            +--rw tls [ip port]
            |  +--rw ip     inet:ip-address
            |  +--rw port   inet:port-number
            +--rw dtls [ip port]
               +--rw ip     inet:ip-address
               +--rw port   inet:port-number

4.  Definitions

4.1.  Module 'ietf-snmp'

   file "ietf-snmp.yang"

   module ietf-snmp {

     namespace "urn:ietf:params:xml:ns:yang:ietf-snmp";
     prefix snmp;

     include ietf-snmp-common {
       revision-date 2012-03-07;
     }
     include ietf-snmp-engine {
       revision-date 2012-03-07;
     }
     include ietf-snmp-target {
       revision-date 2012-03-07;
     }
     include ietf-snmp-notification {
       revision-date 2012-03-07;
     }
     include ietf-snmp-proxy {
       revision-date 2012-03-07;
     }
     include ietf-snmp-community {
       revision-date 2012-03-07;
     }
     include ietf-snmp-usm {
       revision-date 2012-03-07;
     }
     include ietf-snmp-tsm {
       revision-date 2012-03-07;
     }
     include ietf-snmp-vacm {
       revision-date 2012-03-07;
     }
     include ietf-snmp-tls {
       revision-date 2012-03-07;
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor:   Martin Bjorklund

        Editor:   Juergen Schoenwaelder
       ";

     description
       "This module contains a collection of YANG definitions for
        configuring SNMP engines.

        Copyright (c) 2011 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.

     revision 2012-03-07 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

   }

4.2.  Submodule 'ietf-snmp-common'

   file "ietf-snmp-common.yang"

   submodule ietf-snmp-common {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor:   Martin Bjorklund

        Editor:   Juergen Schoenwaelder
       ";

     description
       "This submodule contains a collection of common YANG definitions
        for configuring SNMP engines.

        Copyright (c) 2011 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.

     revision 2012-03-07 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     /* Collection of SNMP features */

     feature proxy {
       description
         "A server implements this feature if it can act as an
          SNMP Proxy";
     }

     feature notification-filter {
       description
         "A server implements this feature if it supports SNMP
          notification filtering.";
     }

     feature tsm {
       description
         "A server implements this feature if it supports the
          Transport Security Model for SNMP.";
       reference
         "RFC5591: Transport Security Model for the
          Simple Network Management Protocol (SNMP)";
     }

     feature tlstm {
       description
         "A server implements this feature if it supports the
          Transport Layer Security Transport Model for SNMP.";
       reference
         "RFC6353: Transport Layer Security (TLS) Transport Model for
          the Simple Network Management Protocol (SNMP)";
     }

     /* Collection of SNMP specific data types */

     typedef admin-string {
       type string {
         length "0..255";
       }
       description
         "Represents an SnmpAdminString as defined in RFC 3411.

          Note that the size of an SnmpAdminString is measured in
          octets, not characters.";
       reference "SNMP-FRAMEWORK-MIB.SnmpAdminString";
     }

     typedef identifier {
       type admin-string {
         length "1..32";
       }
       description
         "Identifiers are used to name items in the SNMP configuration
          data store.";
     }

     typedef context-name {
       type admin-string {
         length "0..32";
       }
       description
         "The context type represents an SNMP context name.";
     }

     typedef security-name {
       type admin-string {
         length "1..32";
       }
       description
         "The security-name type represents an SNMP security name.";
       reference
         "";
     }

     typedef security-model {
       type union {
         type enumeration {
           enum v1  { value 1; }
           enum v2c { value 2; }
           enum usm { value 3; }
           enum tsm { value 4; }
         }
         type int32 {
           range "1..2147483647";
         }
       }
       reference
         "RFC3411: An Architecture for Describing SNMP Management
          Frameworks";
     }

     typedef security-model-or-any {
       type union {
         type enumeration {
           enum any { value 0; }
         }
         type security-model;
       }
       reference
         "RFC3411: An Architecture for Describing SNMP Management
          Frameworks";
     }

     typedef security-level {
       type enumeration {
         enum no-auth-no-priv { value 1; }
         enum auth-no-priv    { value 2; }
         enum auth-priv       { value 3; }
       }
       reference
         "RFC3411: An Architecture for Describing SNMP Management
          Frameworks";
     }

     typedef engine-id {
       type string {
         pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}';
       }
       description
         "The Engine ID specified as a list of colon-separated
          hexadecimal octets e.g. '4F:4C:41:71'.";
       reference
         "RFC3411: An Architecture for Describing SNMP Management
          Frameworks";
     }

     typedef wildcard-object-identifier {
       type string;
       description
         "The wildcard-object-identifier type represents an SNMP object
          identifier where subidentifiers can be given either as a label,
          in numeric form, or a wildcard, represented by a *.";
     }

     container snmp {
       description
         "Top-level container for SNMP related configuration and
          status objects.";
     }

   }

4.3.  Submodule 'ietf-snmp-engine'

   file "ietf-snmp-engine.yang"

   submodule ietf-snmp-engine {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     import ietf-inet-types {
       prefix inet;
     }

     include ietf-snmp-common;

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor:   Martin Bjorklund

        Editor:   Juergen Schoenwaelder
       ";

     description
       "This submodule contains a collection of YANG definitions
        for configuring SNMP engines.

        Copyright (c) 2011 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.

     revision 2012-03-07 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     augment /snmp:snmp {

       container engine {

         description
           "Configuration of the SNMP engine.";

         leaf enabled {
           type boolean;
           default "false";
           description
             "Enables the SNMP engine.";
         }

         container listen {
           description
             "Configuration of the transport endpoints on which the
              engine listens.  Submodules providing configuration for
              additional transports are expected to augment this
              container.";

           list udp {
             key "ip port";
             description
               "A list of IPv4 and IPv6 addresses and ports to which the
                engine listens.";

             leaf ip {
               type inet:ip-address;
               description
                 "The IPv4 or IPv6 address on which the engine
                  listens.";
             }
             leaf port {
               type inet:port-number;
               description
                 "The UDP port on which the engine listens.";
             }
           }
         }

         container version {
           description
             "SNMP version used by the engine";
           leaf v1 {
             type empty;
           }
           leaf v2c {
             type empty;
           }
           leaf v3 {
             type empty;
           }
         }

         leaf engine-id {
           type snmp:engine-id;
           description
             "The local SNMP engine's administratively-assigned unique
              identifier.

              If this leaf is not set, the device automatically
              calculates an engine id, as described in RFC 3411.  A
              server MAY initialize this leaf with the automatically
              created value.";
           reference "SNMP-FRAMEWORK-MIB.snmpEngineID";
         }
       }
     }
   }

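   The key handling that Section 3.9 describes (a "password" case is
   turned into a localized key before storage, so a change of the
   "engine-id" leaf above invalidates every stored key) is worked through
   here as an added Python example; it is not code from the draft.  It
   implements the RFC 3414 Appendix A.2 password-to-key and localization
   steps over engine-id values written in the snmp:engine-id string form;
   the function names and the hex rendering of the stored key are
   assumptions of this example.

```python
import hashlib
import re

# Pattern of the snmp:engine-id typedef in ietf-snmp-common:
# 5..32 colon-separated hexadecimal octets, e.g. '4F:4C:41:71:00'.
ENGINE_ID_RE = re.compile(r'^([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}$')

# RFC 3414, Appendix A.2: the password is fed to the hash function
# repeatedly until exactly 1 MiB (1048576 octets) has been hashed.
PASSWORD_STREAM_LEN = 1048576

# Maps the "auth" protocol cases of the model (md5, sha) onto hashlib names.
AUTH_HASH = {"md5": "md5", "sha": "sha1"}


def parse_engine_id(text: str) -> bytes:
    """Turn an snmp:engine-id leaf value into the raw snmpEngineID octets."""
    if not ENGINE_ID_RE.match(text):
        raise ValueError(f"not a valid snmp:engine-id: {text!r}")
    return bytes.fromhex(text.replace(":", ""))


def password_to_ku(password: str, auth: str) -> bytes:
    """RFC 3414 password-to-key: Ku = H(password repeated to 1 MiB)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (PASSWORD_STREAM_LEN // len(pw) + 1))[:PASSWORD_STREAM_LEN]
    return hashlib.new(AUTH_HASH[auth], stream).digest()


def localize(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """RFC 3414 key localization: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(AUTH_HASH[auth], ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_text: str, auth: str) -> bytes:
    """The value a server keeps for a user's auth key when the configuration
    supplies case 'password': the clear-text password itself is never stored.
    Priv keys (des, aes) are localized the same way with the user's auth
    hash; the protocol-specific truncation of Kul is not shown here."""
    engine_id = parse_engine_id(engine_id_text)
    return localize(password_to_ku(password, auth), engine_id, auth)


def relocalize_user(password: str, old_engine_id: str,
                    new_engine_id: str, auth: str) -> tuple:
    """Why a changed /snmp/engine/engine-id forces all users' keys to be
    regenerated: the same password yields a different Kul per engine-id.
    Returns (old_key, new_key, changed)."""
    old = localized_key(password, old_engine_id, auth)
    new = localized_key(password, new_engine_id, auth)
    return old, new, old != new


if __name__ == "__main__":
    # Constructed demo: the RFC 3414 sample password against two engine ids.
    # Assumption: the stored 'key' leaf carries the localized key as hex.
    old_id = "00:00:00:00:00:00:00:00:00:00:00:02"
    new_id = "80:00:00:00:00:01:02:03"
    for auth in ("md5", "sha"):
        old, new, changed = relocalize_user("maplesyrup", old_id, new_id, auth)
        print(f"{auth}: {old.hex()} -> {new.hex()} (changed={changed})")
```

   Running the block prints the localized keys for both engine ids and
   shows that the stored key has to be recomputed after the engine-id
   changes.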
Submodule 'ietf-snmp-target' 969 file "ietf-snmp-target.yang" 971 submodule ietf-snmp-target { 973 belongs-to ietf-snmp { 974 prefix snmp; 975 } 977 import ietf-inet-types { 978 prefix inet; 979 } 981 include ietf-snmp-common; 983 organization 984 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 986 contact 987 "WG Web: 988 WG List: 990 WG Chair: David Kessens 991 993 WG Chair: Juergen Schoenwaelder 994 996 Editor: Martin Bjorklund 997 999 Editor: Juergen Schoenwaelder 1000 "; 1002 description 1003 "This submodule contains a collection of YANG definitions 1004 for configuring SNMP targets. 1006 Copyright (c) 2011 IETF Trust and the persons identified as 1007 authors of the code. All rights reserved. 1009 Redistribution and use in source and binary forms, with or 1010 without modification, is permitted pursuant to, and subject 1011 to the license terms contained in, the Simplified BSD License 1012 set forth in Section 4.c of the IETF Trust's Legal Provisions 1013 Relating to IETF Documents 1014 (http://trustee.ietf.org/license-info). 1016 This version of this YANG module is part of RFC XXXX; see 1017 the RFC itself for full legal notices."; 1019 // RFC Ed.: replace XXXX with actual RFC number and remove this 1020 // note. 1022 reference 1023 "RFC3413: Simple Network Management Protocol (SNMP) 1024 Applications"; 1026 // RFC Ed.: update the date below with the date of RFC publication 1027 // and remove this note. 
1029 revision 2012-03-07 { 1030 description 1031 "Initial revision."; 1032 reference 1033 "RFC XXXX: A YANG Data Model for SNMP Configuration"; 1034 } 1036 augment /snmp:snmp { 1038 list target { 1039 key name; 1040 description 1041 "List of targets."; 1042 reference "SNMP-TARGET-MIB.snmpTargetAddrTable"; 1044 leaf name { 1045 type snmp:identifier; 1046 description 1047 "Identifies the target."; 1048 reference "SNMP-TARGET-MIB.snmpTargetAddrName"; 1049 } 1050 choice transport { 1051 mandatory true; 1052 description 1053 "Transport address of the target. 1055 The snmpTargetAddrTDomain and snmpTargetAddrTAddress 1056 objects are mapped to transport-specific YANG nodes. Each 1057 transport is configured as a separate case in this 1058 choice. Submodules providing configuration for additional 1059 transports are expected to augment this choice."; 1060 reference "SNMP-TARGET-MIB.snmpTargetAddrTDomain 1061 SNMP-TARGET-MIB.snmpTargetAddrTAddress"; 1062 case udp { 1063 reference "SNMPv2-TM.snmpUDPDomain 1064 TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4 1065 TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4z 1066 TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6 1067 TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6z"; 1068 container udp { 1069 leaf ip { 1070 type inet:ip-address; 1071 mandatory true; 1072 reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress"; 1073 } 1074 leaf port { 1075 type inet:port-number; 1076 default 162; 1077 description 1078 "UDP port number"; 1079 reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress"; 1080 } 1081 leaf prefix-length { 1082 type uint8; 1083 description 1084 "The value of this leaf must match the value of 1085 ../snmp:ip. If ../snmp:ip contains an ipv4 address, 1086 this leaf must be less than or equal to 32. If it 1087 contains an ipv6 address, it must be less than or 1088 equal to 128. 1090 Note that the prefix-length is currently only used 1091 by the Community-based Security Model to filter 1092 incoming messages. 
Furthermore, the prefix-length 1093 filtering does not cover all possible filters 1094 supported by the corresponding MIB object."; 1095 reference "SNMP-COMMUNITY-MIB.snmpTargetAddrTMask"; 1096 } 1097 } 1098 } 1099 } 1100 leaf-list tag { 1101 type snmp:identifier; 1102 description 1103 "List of tag values used to select target address."; 1104 reference "SNMP-TARGET-MIB.snmpTargetAddrTagList"; 1105 } 1106 leaf timeout { 1107 type uint32; 1108 units "0.01 seconds"; 1109 default 1500; 1110 description 1111 "Needed only if this target can receive 1112 InformRequest-PDUs."; 1113 reference "SNMP-TARGET-MIB.snmpTargetAddrTimeout"; 1114 } 1115 leaf retries { 1116 type uint8; 1117 default 3; 1118 description 1119 "Needed only if this target can receive 1120 InformRequest-PDUs."; 1121 reference "SNMP-TARGET-MIB.snmpTargetAddrRetryCount"; 1122 } 1123 choice params { 1124 description 1125 "This choice is augmented with case nodes containing 1126 security model specific configuration parameters. Each 1127 such case represents one entry in the 1128 snmpTargetParamsTable. 1130 When the snmpTargetAddrParams object contains a reference 1131 to a non-existing snmpTargetParamsEntry, this choice does 1132 not contain any case, and vice versa."; 1133 reference "SNMP-TARGET-MIB.snmpTargetAddrParams 1134 SNMP-TARGET-MIB.snmpTargetParamsTable"; 1135 } 1136 } 1137 } 1138 } 1140 1142 4.5. 
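The prefix-length leaf above carries two rules: a validity constraint (at most 32 for an IPv4 address, at most 128 for IPv6) and a filtering role, since the Community-based Security Model uses it, via snmpTargetAddrTMask, to decide which source addresses may use a community. The following Python is an added example, not code from the draft or from any implementation of it; the UdpTarget record, the tag names and the address entries are constructed for illustration, and the rule that a community with no target-tag is unrestricted follows snmpCommunityTransportTag semantics, which is an assumption here.

```python
# Added example (not part of the draft): validate the prefix-length leaf
# of a udp target against its ip leaf, then apply the resulting source
# address filter the way the Community-based Security Model uses
# snmpTargetAddrTMask.  Entries below are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UdpTarget:
    name: str
    ip: str
    port: int = 162
    prefix_length: Optional[int] = None   # None: exact host match
    tags: list = field(default_factory=list)


def check_prefix_length(target: UdpTarget) -> Optional[str]:
    """Return None when prefix-length is valid for the address family
    of the ip leaf, otherwise a human-readable error."""
    addr = ipaddress.ip_address(target.ip)
    if target.prefix_length is None:
        return None
    limit = 32 if addr.version == 4 else 128
    if not 0 <= target.prefix_length <= limit:
        return (f"target {target.name}: prefix-length {target.prefix_length} "
                f"exceeds {limit} for IPv{addr.version}")
    return None


def target_network(target: UdpTarget):
    """The set of source addresses a target entry matches.  No
    prefix-length means a single host (/32 or /128)."""
    addr = ipaddress.ip_address(target.ip)
    plen = target.prefix_length
    if plen is None:
        plen = 32 if addr.version == 4 else 128
    # strict=False masks off host bits, as a transport mask does.
    return ipaddress.ip_network(f"{target.ip}/{plen}", strict=False)


def source_allowed(src_ip: str, targets: list, target_tag: Optional[str]) -> bool:
    """May a message from src_ip use a community whose target-tag is
    target_tag?  Assumption: a community without target-tag is not
    restricted by source address.  Targets with an invalid
    prefix-length are ignored rather than widened."""
    if target_tag is None:
        return True
    src = ipaddress.ip_address(src_ip)
    for t in targets:
        if target_tag in t.tags and check_prefix_length(t) is None:
            net = target_network(t)
            if src.version == net.version and src in net:
                return True
    return False


# Constructed sample configuration (documentation address ranges).
TARGETS = [
    UdpTarget("mgmt-v4", "192.0.2.0", prefix_length=24, tags=["mgmt"]),
    UdpTarget("nms-v6", "2001:db8::10", tags=["mgmt"]),
    UdpTarget("bad", "198.51.100.1", prefix_length=64, tags=["mgmt"]),  # invalid
]
```

An invalid entry such as "bad" is rejected by check_prefix_length and contributes nothing to the filter, so a mistake in the configuration fails closed rather than admitting every source.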
4.5. Submodule 'ietf-snmp-notification'

file "ietf-snmp-notification.yang"

submodule ietf-snmp-notification {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP notifications.

     Copyright (c) 2011 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3413: Simple Network Management Protocol (SNMP)
     Applications";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2012-03-07 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    list notify {
      key name;
      description
        "Targets that will receive notifications.

         Entries in this list are mapped 1-1 to entries in
         snmpNotifyTable, except that if an entry in snmpNotifyTable
         has a snmpNotifyTag for which no snmpTargetAddrEntry exists,
         then the snmpNotifyTable entry is not mapped to an entry in
         this list.";
      reference "SNMP-NOTIFICATION-MIB.snmpNotifyTable";

      leaf name {
        type snmp:identifier;
        description
          "An arbitrary name for the list entry.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyName";
      }
      leaf tag {
        type leafref {
          path "/snmp/target/tag";
        }
        mandatory true;
        description
          "Target tag, selects a set of notification targets.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyTag";
      }
      leaf type {
        type enumeration {
          enum trap { value 1; }
          enum inform { value 2; }
        }
        default trap;
        description
          "Defines the notification type to be generated.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyType";
      }
    }

    list notify-filter-profile {
      if-feature snmp:notification-filter;
      key name;

      description
        "Notification filter profiles.

         The leaf /snmp/target/notify-filter-profile is used
         to associate a filter profile with a target.

         If an entry in this list is referred to by one or more
         /snmp/target/notify-filter-profile, each such
         notify-filter-profile is represented by one
         snmpNotifyFilterProfileEntry.

         If an entry in this list is not referred to by any
         /snmp/target/notify-filter-profile, the entry is not mapped
         to snmpNotifyFilterProfileTable.";
      reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable
                 SNMP-NOTIFICATION-MIB.snmpNotifyFilterTable";

      leaf name {
        type snmp:identifier;
        description
          "Name of the filter profile";
        reference
          "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
      }

      leaf-list include {
        type wildcard-object-identifier;
        description
          "A family of subtrees included in this filter.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
      }

      leaf-list exclude {
        type wildcard-object-identifier;
        description
          "A family of subtrees excluded from this filter.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
      }
    }

    leaf enable-authen-traps {
      type boolean;
      description
        "Indicates whether the SNMP entity is permitted to
         generate authenticationFailure traps.";
      reference "SNMPv2-MIB.snmpEnableAuthenTraps";
    }
  }

  augment /snmp:snmp/snmp:target {
    reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable";
    leaf notify-filter-profile {
      if-feature snmp:notification-filter;
      type leafref {
        path "/snmp/notify-filter-profile/name";
      }
      description
        "This leafref leaf is used to represent the sparse
         relationship between the /snmp/target list and the
         /snmp/notify-filter-profile list.";
      reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
    }
  }

}
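The include and exclude leaf-lists of a notify-filter-profile are families of OID subtrees, and the referenced snmpNotifyFilterTable gives them the same semantics as the vacmViewTreeFamilyTable of RFC 3415: of all families an OID falls into, the most specific one decides, and the OID is in the filter only when that family is an include entry. The Python below is an added example, not code from the draft; it evaluates both the notify-filter-profile here and, with the same functions, the include/exclude lists of the VACM 'view' list in the ietf-snmp-vacm submodule (section 4.8). It assumes that wildcard-object-identifier (defined in ietf-snmp-common, not shown in this section) is a dotted OID in which a sub-identifier may be "*", and the sample profile and notifications are constructed.

```python
# Added example (not part of the draft): subtree-family matching for the
# notify-filter-profile include/exclude lists and for VACM view lists.
# Assumption: wildcard-object-identifier is a dotted OID whose
# sub-identifiers may be '*' (a zero bit in the MIB mask).
from typing import Iterable, List, Optional, Tuple


def parse_family(text: str) -> List[Optional[int]]:
    """'1.3.6.1.2.1.2.2.1.*.3' -> [1, 3, 6, 1, 2, 1, 2, 2, 1, None, 3]"""
    out: List[Optional[int]] = []
    for part in text.split("."):
        if part == "*":
            out.append(None)
        elif part.isdigit():
            out.append(int(part))
        else:
            raise ValueError(f"bad sub-identifier {part!r} in {text!r}")
    if not out or out[0] is None:
        raise ValueError("first sub-identifier must not be a wildcard")
    return out


def parse_oid(text: str) -> List[int]:
    """A concrete OID; wildcards are not allowed here."""
    oid = [int(p) for p in text.split(".")]
    if not oid:
        raise ValueError("empty OID")
    return oid


def in_family(oid: List[int], family: List[Optional[int]]) -> bool:
    """An OID is in a subtree family when it is at least as long as the
    family's subtree and every non-wildcard sub-identifier matches."""
    if len(oid) < len(family):
        return False
    return all(f is None or f == o for f, o in zip(family, oid))


def oid_included(oid_text: str, include: Iterable[str], exclude: Iterable[str]) -> bool:
    """RFC 3415 rule: among matching families the longest subtree wins;
    on equal length the lexicographically greater subtree wins (a
    wildcard ranks as 0 here).  The OID is in the view/filter iff the
    winner is an include entry; no match at all means not included."""
    oid = parse_oid(oid_text)
    best: Optional[Tuple[int, List[int], bool]] = None
    for included, families in ((True, include), (False, exclude)):
        for text in families:
            fam = parse_family(text)
            if not in_family(oid, fam):
                continue
            key = (len(fam), [0 if f is None else f for f in fam])
            if best is None or key > (best[0], best[1]):
                best = (key[0], key[1], included)
    return best is not None and best[2]


def notification_passes(profile: dict, trap_oid: str, varbinds: Iterable[str]) -> bool:
    """RFC 3413 section 6.3: a notification goes to a target only if the
    snmpTrapOID value and every varbind name are in the target's filter
    profile."""
    inc, exc = profile.get("include", []), profile.get("exclude", [])
    return oid_included(trap_oid, inc, exc) and all(
        oid_included(vb, inc, exc) for vb in varbinds)


# Constructed profile: the snmpTraps subtree and the interfaces group,
# minus the ifInOctets / ifOutOctets columns of ifTable.
SAMPLE_PROFILE = {
    "include": ["1.3.6.1.6.3.1.1.5", "1.3.6.1.2.1.2"],
    "exclude": ["1.3.6.1.2.1.2.2.1.10", "1.3.6.1.2.1.2.2.1.16"],
}
```

Because a filter failure drops the whole notification rather than stripping the offending varbind, an exclude entry that happens to cover an object a trap always carries silently suppresses that trap; checking a profile against the notifications it is meant to pass, as notification_passes does, catches that before deployment.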
4.6. Submodule 'ietf-snmp-proxy'

file "ietf-snmp-proxy.yang"

submodule ietf-snmp-proxy {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP proxies.

     Copyright (c) 2011 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3413: Simple Network Management Protocol (SNMP)
     Applications";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2012-03-07 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {
    if-feature snmp:proxy;

    list proxy {
      key name;
      description
        "List of proxy parameters.";
      reference "SNMP-PROXY-MIB.snmpProxyTable";

      leaf name {
        type snmp:identifier;
        description
          "Identifies the proxy parameter entry.";
        reference "SNMP-PROXY-MIB.snmpProxyName";
      }
      leaf type {
        type enumeration {
          enum read;
          enum write;
          enum trap;
          enum inform;
        }
        mandatory true;
        reference "SNMP-PROXY-MIB.snmpProxyType";
      }
      leaf context-engine-id {
        type snmp:engine-id;
        mandatory true;
        reference "SNMP-PROXY-MIB.snmpProxyContextEngineID";
      }
      leaf context-name {
        type snmp:context-name;
        reference "SNMP-PROXY-MIB.snmpProxyContextName";
      }
      container params-in {
        choice params {
          mandatory true;
          description
            "This choice is augmented with case nodes containing
             security model specific configuration parameters.  Each
             such case represents one entry in the
             snmpTargetParamsTable.

             When the snmpProxyTargetParamsIn object contains a
             reference to a non-existing snmpTargetParamsEntry, this
             choice does not contain any case, and vice versa.";
        }
        reference "SNMP-PROXY-MIB.snmpProxyTargetParamsIn";
      }
      leaf single-target-out {
        // the enum values are XPath string literals, so they are quoted
        when "../type = 'read' or ../type = 'write'";
        type leafref {
          path "/snmp:snmp/snmp:target/snmp:name";
        }
        description
          "When the snmpProxySingleTargetOut object contains
           a value which does not select an snmpTargetAddrEntry,
           this leaf does not exist.";
        reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut";
      }
      leaf multiple-target-out {
        when "../type = 'trap' or ../type = 'inform'";
        type leafref {
          path "/snmp:snmp/snmp:target/snmp:tag";
        }
        description
          "When the snmpProxyMultipleTargetOut object contains
           a value which does not select any snmpTargetAddrEntries,
           this leaf does not exist.";
        reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut";
      }
    }
  }
}

4.7. Submodule 'ietf-snmp-community'

file "ietf-snmp-community.yang"

submodule ietf-snmp-community {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:
     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring community-based SNMP.

     Copyright (c) 2011 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3584: Coexistence between Version 1, Version 2, and Version 3
     of the Internet-standard Network Management Framework";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2012-03-07 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {
    list community {
      key index;

      description
        "List of communities";
      reference "SNMP-COMMUNITY-MIB.snmpCommunityTable";

      leaf index {
        type snmp:identifier;
        description
          "Index into the community list.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityIndex";
      }
      choice name {
        description
          "The community name, either specified as a string
           or as a binary.  The binary name is used when the
           community name contains characters that are not legal
           in a string.

           If not set, the value of 'security-name' is operationally
           used as the snmpCommunityName.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityName";
        leaf text-name {
          type string;
          description
            "A community name that can be represented as a
             YANG string.";
        }
        leaf binary-name {
          type binary;
          description
            "A community name represented as a binary value.";
        }
      }
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "The snmpCommunitySecurityName of this entry.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunitySecurityName";
      }
      leaf engine-id {
        if-feature snmp:proxy;
        type snmp:engine-id;
        description
          "If not set, the value of the local SNMP engine is
           operationally used by the device.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityContextEngineID";
      }
      leaf context {
        type snmp:context-name;
        default "";
        description
          "The context in which management information is accessed
           when using the community string specified by this entry.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityContextName";
      }
      leaf target-tag {
        type leafref {
          path "/snmp/target/tag";
        }
        description
          "Used to limit access for this community to the specified
           targets.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityTransportTag";
      }
    }
  }

  grouping v1-target-params {
    container v1 {
      description
        "SNMPv1 parameters type.
         Represents snmpTargetParamsMPModel '0',
         snmpTargetParamsSecurityModel '1', and
         snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
      leaf community {
        type leafref {
          path "/snmp/community/security-name";
        }
        mandatory true;
        reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
    }
  }

  grouping v2c-target-params {
    container v2c {
      description
        "SNMPv2 community parameters type.
         Represents snmpTargetParamsMPModel '1',
         snmpTargetParamsSecurityModel '2', and
         snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
      leaf community {
        type leafref {
          path "/snmp/community/security-name";
        }
        mandatory true;
        reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
    }
  }

  augment /snmp:snmp/snmp:target/snmp:params {
    case v1 {
      uses v1-target-params;
    }
    case v2c {
      uses v2c-target-params;
    }
  }

  augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
    case v1 {
      uses v1-target-params;
    }
    case v2c {
      uses v2c-target-params;
    }
  }

  augment /snmp:snmp/snmp:target {
    leaf mms {
      // choice and case nodes are not data nodes, so the v1 and v2c
      // containers are addressed directly under the target entry
      when "snmp:v1 or snmp:v2c";
      type union {
        type enumeration {
          enum "unknown";
        }
        type int32 {
          range "484..max";
        }
      }
      default "484";
      reference
        "SNMP-COMMUNITY-MIB.snmpTargetAddrMMS";
    }
  }

}

4.8. Submodule 'ietf-snmp-vacm'

file "ietf-snmp-vacm.yang"

submodule ietf-snmp-vacm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring the View-based Access Control Model (VACM)
     of SNMP.

     Copyright (c) 2011 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3415: View-based Access Control Model (VACM) for the
     Simple Network Management Protocol (SNMP)";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2012-03-07 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  typedef view-name {
    type snmp:identifier;
    description
      "The view-name type represents an SNMP VACM view name.";
  }

  typedef group-name {
    type snmp:identifier;
    description
      "The group-name type represents an SNMP VACM group name.";
  }

  augment /snmp:snmp {

    container vacm {
      description
        "Configuration of the View-based Access Control Model";

      list group {
        key name;
        description
          "VACM Groups.

           This data model has a different structure than the MIB.
           Groups are explicitly defined in this list, and group
           members are defined in the 'member' list (mapped to
           vacmSecurityToGroupTable), and access for the group is
           defined in the 'access' list (mapped to
           vacmAccessTable).";
        reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable
                   SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

        leaf name {
          type group-name;
          description
            "The name of this VACM group.";
          reference "SNMP-VIEW-BASED-ACM-MIB.vacmGroupName";
        }

        list member {
          key "security-name";
          min-elements 1;
          description
            "A member of this VACM group.  According to VACM, every
             group must have at least one member.

             A certain combination of security-name and
             security-model MUST NOT be present in more than
             one group.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable";

          leaf security-name {
            type snmp:security-name;
            description
              "The securityName of a group member.";
            reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityName";
          }

          leaf-list security-model {
            type snmp:security-model;
            min-elements 1;
            description
              "The security models under which this security-name
               is a member of this group.";
            reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityModel";
          }
        }

        list access {
          key "context security-model security-level";
          description
            "Definition of access right for groups";
          reference "SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

          leaf context {
            type snmp:context-name;
            description
              "The context (prefix) under which the access rights
               apply.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextPrefix";
          }

          leaf context-match {
            type enumeration {
              enum exact;
              enum prefix;
            }
            default exact;
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextMatch";
          }

          leaf security-model {
            type snmp:security-model-or-any;
            description
              "The security model under which the access rights
               apply.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityModel";
          }

          leaf security-level {
            type snmp:security-level;
            description
              "The minimum security level under which the access
               rights apply.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityLevel";
          }

          leaf read-view {
            type leafref {
              path "/snmp/vacm/view/name";
            }
            description
              "The name of the MIB view of the SNMP context
               authorizing read access.  If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessReadViewName.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessReadViewName";
          }

          leaf write-view {
            type leafref {
              path "/snmp/vacm/view/name";
            }
            description
              "The name of the MIB view of the SNMP context
               authorizing write access.  If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessWriteViewName.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessWriteViewName";
          }

          leaf notify-view {
            type leafref {
              path "/snmp/vacm/view/name";
            }
            description
              "The name of the MIB view of the SNMP context
               authorizing notify access.  If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessNotifyViewName.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessNotifyViewName";
          }
        }
      }

      list view {
        key name;
        description
          "Definition of MIB views.";
        reference
          "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyTable";

        leaf name {
          type view-name;
          description
            "The name of this VACM MIB view.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyName";
        }

        leaf-list include {
          type snmp:wildcard-object-identifier;
          description
            "A family of subtrees included in this MIB view.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
        }

        leaf-list exclude {
          type snmp:wildcard-object-identifier;
          description
            "A family of subtrees excluded from this MIB view.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
        }
      }
    }
  }
}

4.9. Submodule 'ietf-snmp-usm'

file "ietf-snmp-usm.yang"

submodule ietf-snmp-usm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the User-based Security Model (USM) of SNMP.

     Copyright (c) 2011 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3414: User-based Security Model (USM) for version 3 of the
     Simple Network Management Protocol (SNMPv3).";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2012-03-07 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  grouping key {
    choice key-type {
      leaf password {
        type string;
        description
          "If this leaf is set, the server uses its value to create
           a localized key, according to the algorithm described in
           RFC 3414.  The resulting localized key is stored in the
           configuration, in the 'key' leaf.  The clear-text password
           is never stored, and thus never returned in a read
           operation.

           Note that if the engine id is changed, the passwords for
           the engine's users need to be set again, in order to
           re-calculate the localized keys.";
      }
      leaf key {
        type string {
          pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2})*';
        }
        description
          "Localized key specified as a list of colon-separated
           hexadecimal octets";
      }
    }
  }

  grouping user-list {
    list user {
      key "name";

      reference "SNMP-USER-BASED-SM-MIB.usmUserTable";

      leaf name {
        type snmp:identifier {
          length "1..32";
        }
        reference "SNMP-USER-BASED-SM-MIB.usmUserName";
      }
      container auth {
        presence "enables authentication";
        description
          "Enables authentication of the user";
        choice protocol {
          mandatory true;
          reference "SNMP-USER-BASED-SM-MIB.usmUserAuthProtocol";
          container md5 {
            uses key;
            reference
              "SNMP-USER-BASED-SM-MIB.usmHMACMD5AuthProtocol";
          }
          container sha {
            uses key;
            reference
              "SNMP-USER-BASED-SM-MIB.usmHMACSHAAuthProtocol";
          }
        }
      }
      container priv {
        must "../auth" {
          error-message
            "when privacy is used, authentication must also be used";
        }
        presence "enables encryption";
        description
          "Enables encryption of SNMP messages.";

        choice protocol {
          mandatory true;
          reference "SNMP-USER-BASED-SM-MIB.usmUserPrivProtocol";
          container des {
            uses key;
            reference "SNMP-USER-BASED-SM-MIB.usmDESPrivProtocol";
          }
          container aes {
            uses key;
            reference "SNMP-USM-AES-MIB.usmAesCfb128Protocol";
          }
        }
      }
    }
  }

  augment /snmp:snmp {

    container usm {
      description
        "Configuration of the User-based Security Model";
      container local {
        uses user-list;
      }

      list remote {
        key "engine-id";

        leaf engine-id {
          type snmp:engine-id;
          reference "SNMP-USER-BASED-SM-MIB.usmUserEngineID";
        }

        uses user-list;
      }
    }
  }

  grouping usm-target-params {
    container usm {
      description
        "User based SNMPv3 parameters type.

         Represents snmpTargetParamsMPModel '3' and
         snmpTargetParamsSecurityModel '3'";
      leaf user-name {
        type snmp:security-name;
        mandatory true;
        reference
          "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
      leaf security-level {
        type security-level;
        mandatory true;
        reference
          "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
      }
    }
  }

  augment /snmp:snmp/snmp:target/snmp:params {
    case usm {
      uses usm-target-params;
    }
  }

  augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
    case usm {
      uses usm-target-params;
    }
  }

  augment /snmp:snmp/snmp:target {
    leaf engine-id {
      type leafref {
        path "/snmp/usm/remote/engine-id";
      }
      must '../usm/user-name' {
        error-message
          "When engine-id is set, usm/user-name must also be set.";
      }
      must '/snmp/usm/remote[engine-id=current()]/'
         + 'user[name=current()/../usm/user-name]' {
        error-message
          "When engine-id is set, the usm/user-name must exist in
           the /snmp/usm/remote list for this engine-id.";
      }
      description
        "Needed only if this target can receive InformRequest-PDUs
         over SNMPv3.

         This object is not present in the SNMP MIBs.  In
         RFC 3412, it is an implementation-specific matter how this
         engine-id is handled.";
      reference "RFC 3412 7.1.9a";
    }
  }

}
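The VACM submodule (section 4.8 above) splits the MIB's tables into a 'member' list (who belongs to a group), an 'access' list (which view a group gets for a context, security model and minimum security level) and a 'view' list. The Python below is an added example, not code from the draft or any implementation of it; it reproduces the group lookup and access-entry selection of RFC 3415 section 3.2, the submodule's normative reference, and honours the rule stated in the read-view/write-view/notify-view descriptions that an absent leaf is a zero-length view name, i.e. no access. It assumes the security-model and security-level enumerations from ietf-snmp-common (not shown here) use the values v1, v2c, usm, tsm and noAuthNoPriv, authNoPriv, authPriv; the configuration and requests are constructed.

```python
# Added example (not part of the draft): evaluate the VACM group /
# member / access lists the way isAccessAllowed (RFC 3415, section
# 3.2) does, returning the MIB view that authorizes a request or None.
# Assumed enumerations: security-model in {v1, v2c, usm, tsm, any},
# security-level ordered noAuthNoPriv < authNoPriv < authPriv.
from typing import List, Optional

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


def find_group(groups: List[dict], security_model: str, security_name: str) -> Optional[str]:
    """vacmSecurityToGroupTable lookup: a (security-model, security-name)
    pair belongs to at most one group, per the 'member' description."""
    for g in groups:
        for m in g["member"]:
            if (m["security-name"] == security_name
                    and security_model in m["security-model"]):
                return g["name"]
    return None


def select_access(group: dict, context: str, security_model: str,
                  security_level: str) -> Optional[dict]:
    """vacmAccessTable selection (RFC 3415 section 3.2, step 4)."""
    cands = []
    for a in group["access"]:
        match = a.get("context-match", "exact")
        ctx_ok = (a["context"] == context if match == "exact"
                  else context.startswith(a["context"]))
        model_ok = a["security-model"] in (security_model, "any")
        # security-level is a minimum: the request must be at least as strong.
        level_ok = LEVELS[a["security-level"]] <= LEVELS[security_level]
        if ctx_ok and model_ok and level_ok:
            cands.append(a)
    if not cands:
        return None
    # Preference order from RFC 3415: exact security model over 'any',
    # exact context over prefix, higher security level, longer prefix.
    return max(cands, key=lambda a: (
        a["security-model"] != "any",
        a.get("context-match", "exact") == "exact",
        LEVELS[a["security-level"]],
        len(a["context"])))


def view_for_request(vacm: dict, security_model: str, security_name: str,
                     security_level: str, context: str, view_type: str) -> Optional[str]:
    """Name of the read/write/notify view authorizing the request, or
    None when VACM denies it.  A missing <view_type>-view leaf maps to
    a zero-length view name, which means no access."""
    group_name = find_group(vacm["group"], security_model, security_name)
    if group_name is None:
        return None
    group = next(g for g in vacm["group"] if g["name"] == group_name)
    entry = select_access(group, context, security_model, security_level)
    if entry is None:
        return None
    return entry.get(f"{view_type}-view") or None


# Constructed configuration: operators read at authNoPriv and write only
# at authPriv; a v2c monitoring community may only read the system group.
SAMPLE_VACM = {
    "group": [
        {"name": "operators",
         "member": [{"security-name": "alice", "security-model": ["usm"]}],
         "access": [
             {"context": "", "security-model": "usm",
              "security-level": "authNoPriv", "read-view": "all"},
             {"context": "", "security-model": "usm",
              "security-level": "authPriv",
              "read-view": "all", "write-view": "all"},
         ]},
        {"name": "monitoring",
         "member": [{"security-name": "public-ro", "security-model": ["v2c"]}],
         "access": [
             {"context": "", "security-model": "any",
              "security-level": "noAuthNoPriv", "read-view": "system-only"},
         ]},
    ],
    "view": [{"name": "all", "include": ["1"]},
             {"name": "system-only", "include": ["1.3.6.1.2.1.1"]}],
}
```

Whether the object requested is actually inside the returned view is a separate subtree-family check on the 'view' list's include/exclude entries, the same matching the notify-filter-profile lists use.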
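The 'password' leaf of the key grouping above says the server derives a localized key "according to the algorithm described in RFC 3414", stores only that key in the 'key' leaf, and must be given the password again whenever the engine id changes. The Python below is an added example, not code from the draft or any implementation of it, showing exactly that derivation (RFC 3414 Appendix A.2: the password is stretched to one mebibyte, hashed, and the digest is localized with the engine id) and the colon-separated hexadecimal form the 'key' pattern requires. The password and engine id are the published test vector inputs from RFC 3414 Appendix A.3; nothing else is assumed.

```python
# Added example (not part of the draft): RFC 3414 password-to-key and
# key localization, producing the value of the 'key' leaf from the
# 'password' leaf.  Hash choice mirrors the md5 / sha containers.
import hashlib
import re

# The pattern of the 'key' leaf above.
KEY_PATTERN = re.compile(r"^([0-9a-fA-F]){2}(:([0-9a-fA-F]){2})*$")


def password_to_key(password: str, engine_id: bytes, algorithm: str = "sha") -> bytes:
    """RFC 3414 A.2.1 / A.2.2: hash 1,048,576 bytes of the repeated
    password to get Ku, then localize: Kul = H(Ku || engineID || Ku)."""
    if algorithm not in ("md5", "sha"):
        raise ValueError("algorithm must be 'md5' or 'sha'")
    name = "md5" if algorithm == "md5" else "sha1"
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    total = 1048576
    reps, rem = divmod(total, len(pw))
    ku = hashlib.new(name, pw * reps + pw[:rem]).digest()
    return hashlib.new(name, ku + engine_id + ku).digest()


def format_key(key: bytes) -> str:
    """Colon-separated lower-case hex octets, as the 'key' leaf expects."""
    return ":".join(f"{b:02x}" for b in key)


def parse_key(text: str) -> bytes:
    """Inverse of format_key; rejects what the YANG pattern would reject."""
    if not KEY_PATTERN.match(text):
        raise ValueError("key is not a list of colon-separated hex octets")
    return bytes(int(octet, 16) for octet in text.split(":"))


def localized_key_leaf(password: str, engine_id: bytes, algorithm: str) -> str:
    """The 'key' value an implementation stores when the operator
    configures 'password' instead."""
    return format_key(password_to_key(password, engine_id, algorithm))


# RFC 3414 Appendix A.3 test vector inputs.
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC3414_PASSWORD = "maplesyrup"
```

Because engine_id is an input to the last hashing step, the same password yields a different 'key' for every engine; that is why the description says passwords must be re-entered after the engine id changes, and why a configuration backup taken from one device cannot simply be replayed with a new engine-id. Of the two auth containers, sha is the stronger choice, and of the two priv containers, aes.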
Submodule 'ietf-snmp-tsm' 2184 file "ietf-snmp-tsm.yang" 2186 submodule ietf-snmp-tsm { 2188 belongs-to ietf-snmp { 2189 prefix snmp; 2190 } 2192 include ietf-snmp-common; 2193 include ietf-snmp-target; 2194 include ietf-snmp-proxy; 2196 organization 2197 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 2199 contact 2200 "WG Web: 2201 WG List: 2203 WG Chair: David Kessens 2204 2206 WG Chair: Juergen Schoenwaelder 2207 2209 Editor: Martin Bjorklund 2210 2212 Editor: Juergen Schoenwaelder 2213 "; 2215 description 2216 "This submodule contains a collection of YANG definitions for 2217 configuring the Transport Security Model (TSM) of SNMP. 2219 Copyright (c) 2011 IETF Trust and the persons identified as 2220 authors of the code. All rights reserved. 2222 Redistribution and use in source and binary forms, with or 2223 without modification, is permitted pursuant to, and subject 2224 to the license terms contained in, the Simplified BSD License 2225 set forth in Section 4.c of the IETF Trust's Legal Provisions 2226 Relating to IETF Documents 2227 (http://trustee.ietf.org/license-info). 2229 This version of this YANG module is part of RFC XXXX; see 2230 the RFC itself for full legal notices."; 2232 // RFC Ed.: replace XXXX with actual RFC number and remove this 2233 // note. 2235 reference 2236 "RFC5591: Transport Security Model for the 2237 Simple Network Management Protocol (SNMP)"; 2239 // RFC Ed.: update the date below with the date of RFC publication 2240 // and remove this note. 
2242 revision 2012-03-07 { 2243 description 2244 "Initial revision."; 2245 reference 2246 "RFC XXXX: A YANG Data Model for SNMP Configuration"; 2247 } 2249 augment /snmp:snmp { 2250 if-feature tsm; 2251 container tsm { 2252 description 2253 "Configuration of the Transport-based Security Model"; 2255 leaf use-prefix { 2256 type boolean; 2257 default false; 2258 reference 2259 "SNMP-TSM-MIB.snmpTsmConfigurationUsePrefix"; 2260 } 2261 } 2262 } 2264 grouping tsm-target-params { 2265 container tsm { 2266 description 2267 "Transport based security SNMPv3 parameters type. 2269 Represents snmpTargetParamsMPModel '3' and 2270 snmpTargetParamsSecurityModel '4'"; 2271 leaf security-name { 2272 type snmp:security-name; 2273 mandatory true; 2274 reference 2275 "SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; 2276 } 2277 leaf security-level { 2278 type security-level; 2279 mandatory true; 2280 reference 2281 "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; 2282 } 2283 } 2284 } 2286 augment /snmp:snmp/snmp:target/snmp:params { 2287 if-feature tsm; 2288 case tsm { 2289 uses tsm-target-params; 2290 } 2291 } 2293 augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { 2294 if-feature tsm; 2295 case tsm { 2296 uses tsm-target-params; 2297 } 2298 } 2299 } 2301 2303 4.11. Submodule 'ietf-snmp-tls' 2305 file "ietf-snmp-tls.yang" 2307 submodule ietf-snmp-tls { 2309 belongs-to ietf-snmp { 2310 prefix snmp; 2311 } 2312 import ietf-inet-types { 2313 prefix inet; 2314 } 2316 include ietf-snmp-common; 2317 include ietf-snmp-target; 2319 organization 2320 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 2322 contact 2323 "WG Web: 2324 WG List: 2326 WG Chair: David Kessens 2327 2329 WG Chair: Juergen Schoenwaelder 2330 2332 Editor: Martin Bjorklund 2333 2335 Editor: Juergen Schoenwaelder 2336 "; 2338 description 2339 "This submodule contains a collection of YANG definitions for 2340 configuring the Transport Layer Security Transport Model (TLSTM) 2341 of SNMP. 
        Copyright (c) 2011 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC6353: Transport Layer Security (TLS) Transport Model for
        the Simple Network Management Protocol (SNMP)";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.

     revision 2012-03-07 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     /* Typedefs */

     typedef tls-fingerprint {
       type string {  // FIXME hex-string?
         pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}';
       }
     }

     /* Identities */

     identity cert-to-security-name {
     }

     identity specified {
       base cert-to-security-name;
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
     }

     identity san-rfc822-name {
       base cert-to-security-name;
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
     }

     identity san-dns-name {
       base cert-to-security-name;
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
     }

     identity san-ip-address {
       base cert-to-security-name;
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
     }

     identity san-any {
       base cert-to-security-name;
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
     }

     augment /snmp:snmp/snmp:engine/snmp:listen {
       if-feature tlstm;
       list tls {
         key "ip port";
         description
           "A list of IPv4 and IPv6 addresses and ports to which the
            engine listens for SNMP messages over TLS.";

         leaf ip {
           type inet:ip-address;
           description
             "The IPv4 or IPv6 address on which the engine listens
              for SNMP messages over TLS.";
         }
         leaf port {
           type inet:port-number;
           description
             "The TCP port on which the engine listens for SNMP
              messages over TLS.";
         }
         // FIXME: configure server cert here?
       }
       list dtls {
         key "ip port";
         description
           "A list of IPv4 and IPv6 addresses and ports to which the
            engine listens for SNMP messages over DTLS.";

         leaf ip {
           type inet:ip-address;
           description
             "The IPv4 or IPv6 address on which the engine listens
              for SNMP messages over DTLS.";
         }
         leaf port {
           type inet:port-number;
           description
             "The UDP port on which the engine listens for SNMP messages
              over DTLS.";
         }
         // FIXME: configure server cert here?
       }
     }

     augment /snmp:snmp {
       if-feature tlstm;
       container tlstm {
         list cert-to-security-name {  // cert-to-tsn?
           key id;
           reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";

           leaf id {
             type uint32;
             reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
           }
           leaf fingerprint {
             type tls-fingerprint;
             reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
           }
           leaf map-type {
             type identityref {
               base cert-to-security-name;
             }
             reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
           }
           leaf cert-specified-security-name {
             when "../map-type = snmp:specified";
             type admin-string;
             reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
           }
         }
       }
     }

     grouping tls-transport {
       leaf ip {
         type inet:ip-address;
         reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
       }
       leaf port {
         type inet:port-number;
         default 10161;
         reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
       }
       leaf client-fingerprint {
         type tls-fingerprint;
         reference "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint";
       }
       choice server-identification {
         leaf server-fingerprint {
           type tls-fingerprint;
           reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint";
         }
         leaf server-identity {
           type admin-string;
           reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity";
         }
       }
     }

     augment /snmp:snmp/snmp:target/snmp:transport {
       if-feature tlstm;
       case tls {
         reference "SNMP-TLS-TM-MIB.snmpTLSTCPDomain";
         container tls {
           uses tls-transport;
         }
       }
     }

     augment /snmp:snmp/snmp:target/snmp:transport {
       if-feature tlstm;
       case dtls {
         reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain";
         container dtls {
           uses tls-transport;
         }
       }
     }
   }

5.  IANA Considerations

   This document registers a URI in the IETF XML registry [RFC3688].
   Following the format in RFC 3688, the following registration is
   requested to be made.

      URI: urn:ietf:params:xml:ns:yang:ietf-snmp

      Registrant Contact: The NETMOD WG of the IETF.

      XML: N/A, the requested URI is an XML namespace.

   This document registers a YANG module in the YANG Module Names
   registry [RFC6020].

      name:        ietf-snmp
      namespace:   urn:ietf:params:xml:ns:yang:ietf-snmp
      prefix:      snmp
      reference:   RFC XXXX

   This document registers the following YANG submodules in the YANG
   Module Names registry [RFC6020].

      name:        ietf-snmp-common
      parent:      ietf-snmp
      reference:   RFC XXXX

      name:        ietf-snmp-engine
      parent:      ietf-snmp
      reference:   RFC XXXX

      name:        ietf-snmp-community
      parent:      ietf-snmp
      reference:   RFC XXXX

      name:        ietf-snmp-notification
      parent:      ietf-snmp
      reference:   RFC XXXX

      name:        ietf-snmp-target
      parent:      ietf-snmp
      reference:   RFC XXXX

      name:        ietf-snmp-vacm
      parent:      ietf-snmp
      reference:   RFC XXXX

      name:        ietf-snmp-usm
      parent:      ietf-snmp
      reference:   RFC XXXX

      name:        ietf-snmp-tsm
      parent:      ietf-snmp
      reference:   RFC XXXX

      name:        ietf-snmp-tls
      parent:      ietf-snmp
      reference:   RFC XXXX

6.  Security Considerations

   The YANG module and submodules defined in this memo are designed to
   be accessed via the NETCONF protocol [RFC6241].  The lowest NETCONF
   layer is the secure transport layer, and the mandatory-to-implement
   secure transport is SSH [RFC6242].

   There are a number of data nodes defined in the YANG module and
   submodules which are writable/creatable/deletable (i.e., config true,
   which is the default).  These data nodes may be considered sensitive
   or vulnerable in some network environments.  Write operations (e.g.,
   edit-config) to these data nodes without proper protection can have a
   negative effect on network operations.
   These are the subtrees and data nodes and their
   sensitivity/vulnerability:

   Some of the readable data nodes in the YANG module and submodules may
   be considered sensitive or vulnerable in some network environments.
   It is thus important to control read access (e.g., via get, get-
   config, or notification) to these data nodes.  These are the subtrees
   and data nodes and their sensitivity/vulnerability:

7.  Acknowledgments

   The authors want to thank David Spakes for his review and valuable
   comments.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6241]  Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
              Bierman, "Network Configuration Protocol (NETCONF)",
              RFC 6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, June 2011.

8.2.  Informative References

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412,
              December 2002.

   [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62,
              RFC 3413, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415,
              December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC3584]  Frye, R., Levi, D., Routhier, S., and B. Wijnen,
              "Coexistence between Version 1, Version 2, and Version 3
              of the Internet-standard Network Management Framework",
              BCP 74, RFC 3584, August 2003.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)",
              RFC 5591, June 2009.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              RFC 6353, July 2011.

Appendix A.  Example configurations

A.1.  Engine Configuration Example

   Below is an XML instance document showing a configuration of an SNMP
   engine listening on UDP port 161 on IPv4 and IPv6 endpoints and
   accepting SNMPv2c and SNMPv3 messages.

      [XML markup not preserved; element values in document order]
      true
      0.0.0.0
      161
      ::
      161
      80:00:02:b8:04:61:62:63

A.2.  Community Configuration Example

   Below is an XML instance document showing a configuration that maps
   the community name "public" to the security-name "community-public"
   on the local engine with the default context name.  The target tag
   "community-public-access" filters the access to this community name.

      [XML markup not preserved; element values in document order]
      1
      public
      community-public
      community-public-access

      bluebox
      2001:db8::abcd
      161
      blue
      community-public

A.3.  User-based Security Model Configuration Example

   Below is an XML instance document showing the configuration of a
   local user "joey" who has no authentication or privacy keys.  For the
   remote SNMP engine identified by the snmpEngineID
   '800002b804616263'H, two users are configured.  The user "matt" has a
   localized SHA authentication key, and the user "russ" has a localized
   SHA authentication key and an AES encryption key.

      [XML markup not preserved; element values in document order]
      joey

      00:00:00:00:00:00:00:00:00:00:00:02

      matt
      66:95:fe:bc:92:88:e3:62:82:23:
      5f:c7:15:1f:12:84:97:b3:8f:3f

      russ
      66:95:fe:bc:92:88:e3:62:82:23:
      5f:c7:15:1f:12:84:97:b3:8f:3f
      66:95:fe:bc:92:88:e3:62:82:23:
      5f:c7:15:1f:12:84

      bluebox
      2001:db8::abcd
      161
      blue
      matt
      auth-no-priv

A.4.  Target and Notification Configuration Example

   Below is an XML instance document showing the configuration of a
   notification generator application (see Appendix A of [RFC3413]).
   Note that the USM-specific objects are defined in the
   ietf-snmp-usm.yang submodule.

      [XML markup not preserved; element values in document order]
      addr1
      192.0.2.3
      162
      group1
      joe
      auth-no-priv

      addr2
      192.0.2.6
      162
      group1
      joe
      auth-no-priv

      addr3
      192.0.2.9
      162
      group2
      bob
      auth-priv

      group1
      group1
      trap

      group2
      group2
      trap

A.5.  Proxy Configuration Example

   Below is an XML instance document showing the configuration of a
   proxy forwarder application.
   It proxies SNMPv2c messages from command generators to a file server
   running an SNMPv1 agent that recognizes two community strings,
   "private" and "public", with different associated read views.  The
   file server is represented as two "target" instances, one for each
   community string.

   If the proxy receives an SNMPv2c message with the community string
   "public" from a device in the "Office Network" or "Home Office
   Network", the message is tagged as "trusted", and the proxy uses the
   "private" community string when forwarding it to the file server.
   Other SNMPv2c messages with the community string "public" are tagged
   as "not-trusted", and the proxy uses the "public" community string
   for those messages.  There is also a special "backdoor" community
   string that can be used from any location to get "trusted" access.

   The "Office Network" and "Home Office Network" are represented as two
   "target" instances.

      [XML markup not preserved; element values in document order]
      File Server (private)
      192.0.2.1
      private

      File Server (public)
      192.0.2.1
      public

      Office Network
      192.0.2.0
      24
      office

      Home Office Network
      203.0.113.0
      24
      home-office

      c1
      public
      80:00:61:81:c8
      trusted
      office

      c2
      public
      80:00:61:81:c8
      trusted
      home-office

      c3
      public
      80:00:61:81:c8
      not-trusted

      c4
      backdoor
      public
      80:00:61:81:c8
      trusted

      c5
      private
      80:00:61:81:c8
      trusted

      p1
      read
      80:00:61:81:c8
      trusted
      public
      File Server (private)

      p2
      read
      80:00:61:81:c8
      not-trusted
      public
      File Server (public)

   If an SNMPv2c Get request with community string "public" is received
   from an IP address tagged as "office" or "home-office", or if the
   request is received from anywhere else with community string
   "backdoor", the implied context is "trusted", and so proxy entry "p1"
   matches.  The request is forwarded to the file server as SNMPv1 with
   community "private", using community table entry "c5" for the
   outbound params lookup.

   If an SNMPv2c Get request with community string "public" is received
   from any other IP address, the implied context is "not-trusted", so
   proxy entry "p2" matches, and the request is forwarded to the file
   server as SNMPv1 with community "public".

A.6.  View-based Access Control Model Configuration Example

   Below is an XML instance document showing the minimum-secure VACM
   configuration (see Appendix A of [RFC3415]).

      [XML markup not preserved; element values in document order]
      initial
      initial
      usm

      usm
      no-auth-no-priv
      restricted
      restricted

      usm
      auth-no-priv
      internet
      internet
      internet

      initial
      1.3.6.1

      restricted
      1.3.6.1

   The following XML instance document shows the semi-secure VACM
   configuration (only the view configuration is different).

      [XML markup not preserved; element values in document order]
      initial
      initial
      usm

      usm
      no-auth-no-priv
      restricted
      restricted

      usm
      auth-no-priv
      internet
      internet
      internet

      initial
      1.3.6.1

      restricted
      1.3.6.1.2.1.1
      1.3.6.1.2.1.11
      1.3.6.1.6.3.10.2.1
      1.3.6.1.6.3.11.2.1
      1.3.6.1.6.3.15.1.1

A.7.  Transport Layer Security Transport Model Configuration Example

   Below is an XML instance document showing the configuration of the
   certificate to security name mapping (see Appendix A.2 and A.3 of
   [RFC6353]).
      [XML markup not preserved; element values in document order]
      1
      11:0A:05:11:00
      san-any

      2
      11:0A:05:11:00
      specified
      Joe Cool

Authors' Addresses

   Martin Bjorklund
   Tail-f Systems

   Email: mbj@tail-f.com

   Juergen Schoenwaelder
   Jacobs University

   Email: j.schoenwaelder@jacobs-university.de
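   The fingerprint typedef and the cert-to-security-name list of
   Section 4.11, exercised in code.  This is an added example, not code
   from the draft or from any SNMP implementation.  The certificates are
   constructed byte strings carrying a hand-written subjectAltName list
   rather than parsed X.509; the one-octet hash-algorithm prefix of
   SnmpTLSFingerprint and the SAN normalisation rules are taken from
   RFC 6353, which the submodule references; and skipping an entry whose
   map-type cannot produce a name and continuing with the next id is an
   assumption of the example.  One check it makes visible: with the
   algorithm-identifier octet included, a SHA-1 fingerprint (21 octets)
   satisfies the draft's pattern of 5 to 32 octets, but a SHA-256
   fingerprint (33 octets) does not.

```python
"""Fingerprint validation and cert-to-tmSecurityName resolution for the
ietf-snmp-tls submodule.  Added example; certificates are constructed."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Pattern of the draft's tls-fingerprint typedef: 5 to 32 colon-separated octets.
TLS_FINGERPRINT_RE = re.compile(r"([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}")

# RFC 6353 SnmpTLSFingerprint: one octet from the IANA TLS HashAlgorithm
# registry (RFC 5246 values), followed by the hash itself.
HASH_ALG_IDS = {"md5": 1, "sha1": 2, "sha224": 3, "sha256": 4, "sha384": 5, "sha512": 6}

# subjectAltName types consumed by each map-type identity of Section 4.11.
SAN_TYPES = {
    "san-rfc822-name": ("rfc822Name",),
    "san-dns-name": ("dNSName",),
    "san-ip-address": ("iPAddress",),
    "san-any": ("rfc822Name", "dNSName", "iPAddress"),
}


@dataclass
class PeerCert:
    """Constructed stand-in for a presented certificate (not real X.509)."""
    der: bytes
    sans: List[Tuple[str, str]] = field(default_factory=list)  # (type, value), cert order
    issuer_ders: List[bytes] = field(default_factory=list)     # CAs on the validation path


@dataclass
class CertToTsnEntry:
    """One entry of /snmp/tlstm/cert-to-security-name."""
    id: int
    fingerprint: str
    map_type: str
    cert_specified_security_name: Optional[str] = None


def is_valid_fingerprint(value: str) -> bool:
    """The check a NETCONF server applies to a configured fingerprint leaf."""
    return TLS_FINGERPRINT_RE.fullmatch(value) is not None


def tls_fingerprint(der: bytes, alg: str = "sha1") -> str:
    """SnmpTLSFingerprint of a certificate in the typedef's colon-hex form."""
    raw = bytes([HASH_ALG_IDS[alg]]) + hashlib.new(alg, der).digest()
    return ":".join(f"{b:02x}" for b in raw)


def san_to_security_name(kind: str, value: str) -> Optional[str]:
    """RFC 6353 normalisation: rfc822Name host part lowercased, dNSName lowercased,
    IPv4 as dotted decimal, IPv6 as 32 lowercase hex digits without colons."""
    if kind == "rfc822Name":
        if "@" not in value:
            return None
        local, host = value.rsplit("@", 1)
        return f"{local}@{host.lower()}"
    if kind == "dNSName":
        return value.lower()
    if kind == "iPAddress":
        addr = ipaddress.ip_address(value)
        return str(addr) if addr.version == 4 else addr.exploded.replace(":", "")
    return None


def map_entry(entry: CertToTsnEntry, cert: PeerCert) -> Optional[str]:
    if entry.map_type == "specified":
        return entry.cert_specified_security_name
    wanted = SAN_TYPES.get(entry.map_type, ())
    for kind, value in cert.sans:          # first usable SAN in certificate order
        if kind in wanted:
            return san_to_security_name(kind, value)
    return None


def resolve_security_name(entries, cert, alg="sha1"):
    """Walk entries in id order.  An entry matches if its fingerprint is that of
    the presented certificate or of a CA on its path.  Assumption: an entry whose
    map-type yields no name is skipped and the walk continues."""
    presented = {tls_fingerprint(d, alg) for d in [cert.der, *cert.issuer_ders]}
    for entry in sorted(entries, key=lambda e: e.id):
        if entry.fingerprint.lower() in presented:
            name = map_entry(entry, cert)
            if name:
                return entry.id, name
    return None


# Constructed data: a CA, an end-entity certificate chained to it, and a two-entry
# list shaped like Appendix A.7 (a san-any entry followed by a 'specified' one).
CA_DER = b"constructed CA certificate bytes"
JOE_DER = b"constructed end-entity certificate bytes"
JOE = PeerCert(JOE_DER, [("dNSName", "Mgmt.Example.NET"), ("rfc822Name", "Joe.Cool@Example.COM")], [CA_DER])
ENTRIES = [
    CertToTsnEntry(1, tls_fingerprint(CA_DER), "san-any"),
    CertToTsnEntry(2, tls_fingerprint(JOE_DER), "specified", "Joe Cool"),
]

if __name__ == "__main__":
    print(resolve_security_name(ENTRIES, JOE))       # (1, 'mgmt.example.net')
    print(resolve_security_name(ENTRIES[1:], JOE))   # (2, 'Joe Cool')
    # SHA-1 fingerprints (21 octets) fit the pattern; SHA-256 ones (33 octets) do not.
    print(is_valid_fingerprint(tls_fingerprint(JOE_DER, "sha1")),
          is_valid_fingerprint(tls_fingerprint(JOE_DER, "sha256")))
```

   Because entry 1 carries the CA's fingerprint, every certificate the
   CA issued maps through san-any, and the end-entity entry 2 is only
   reached when entry 1 cannot produce a name; operators who want the
   per-certificate "specified" name to win should give it the lower id.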
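   The VACM access decision behind Appendix A.6, as an added example
   that is not part of the draft.  The configuration is a constructed
   Python dict holding the group, access and view values printed in A.6
   (the YANG tree itself is not modelled), and view membership follows
   the longest-matching-subtree rule of RFC 3415 without family masks,
   which A.6 does not use.  Run against those values, the consistency
   check reports that the auth-no-priv access entry of both
   configurations names a view "internet" that neither view list
   defines (the lists define "initial" and "restricted"; Appendix A of
   RFC 3415 names the view "internet"), so authenticated requests would
   be denied everything while unauthenticated ones succeed.

```python
"""VACM view matching and access selection for the Appendix A.6 configurations.
Added example; the configuration dict is constructed from the printed values."""
from typing import Dict, List, Optional, Set, Tuple

LEVELS = {"no-auth-no-priv": 0, "auth-no-priv": 1, "auth-priv": 2}
OP_TO_VIEW = {"read": "read-view", "write": "write-view", "notify": "notify-view"}

View = List[Tuple[str, str]]  # (subtree OID, "included" | "excluded")


def parse_oid(text: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in text.split("."))


def oid_in_view(view: View, oid: str) -> bool:
    """RFC 3415 without masks: the longest subtree that is a prefix of oid decides."""
    target = parse_oid(oid)
    best: Optional[Tuple[Tuple[int, ...], str]] = None
    for subtree, kind in view:
        prefix = parse_oid(subtree)
        if target[: len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
            best = (prefix, kind)
    return best is not None and best[1] == "included"


def dangling_view_refs(config) -> Set[str]:
    """View names used by access entries that the view list never defines."""
    used = {a[k] for a in config["access"] for k in OP_TO_VIEW.values() if a.get(k)}
    return used - set(config["views"])


def select_access(config, sec_name: str, model: str, level: str):
    """isAccessAllowed selection (single context): access entries of the caller's
    group for the same security model whose level does not exceed the request's;
    the highest such level wins."""
    groups = {g for g, members in config["groups"].items() if (sec_name, model) in members}
    candidates = [a for a in config["access"]
                  if a["group"] in groups and a["security-model"] == model
                  and LEVELS[a["security-level"]] <= LEVELS[level]]
    return max(candidates, key=lambda a: LEVELS[a["security-level"]], default=None)


def is_access_allowed(config, sec_name, model, level, op, oid) -> bool:
    access = select_access(config, sec_name, model, level)
    if access is None:
        return False
    view = config["views"].get(access.get(OP_TO_VIEW[op], ""))
    return view is not None and oid_in_view(view, oid)


def a6_config(restricted_view: View) -> Dict:
    """Group, member and access values shared by both A.6 configurations."""
    return {
        "groups": {"initial": [("initial", "usm")]},  # group -> [(security-name, model)]
        "access": [
            {"group": "initial", "security-model": "usm", "security-level": "no-auth-no-priv",
             "read-view": "restricted", "notify-view": "restricted"},
            {"group": "initial", "security-model": "usm", "security-level": "auth-no-priv",
             "read-view": "internet", "write-view": "internet", "notify-view": "internet"},
        ],
        "views": {"initial": [("1.3.6.1", "included")], "restricted": restricted_view},
    }


MINIMUM_SECURE = a6_config([("1.3.6.1", "included")])
SEMI_SECURE = a6_config([(oid, "included") for oid in (
    "1.3.6.1.2.1.1", "1.3.6.1.2.1.11", "1.3.6.1.6.3.10.2.1",
    "1.3.6.1.6.3.11.2.1", "1.3.6.1.6.3.15.1.1")])

SYS_NAME = "1.3.6.1.2.1.1.5.0"       # system group: readable unauthenticated in both
IF_DESCR = "1.3.6.1.2.1.2.2.1.2.1"   # interfaces group: hidden from noAuthNoPriv in semi-secure

if __name__ == "__main__":
    print(is_access_allowed(SEMI_SECURE, "initial", "usm", "no-auth-no-priv", "read", SYS_NAME))     # True
    print(is_access_allowed(SEMI_SECURE, "initial", "usm", "no-auth-no-priv", "read", IF_DESCR))     # False
    print(is_access_allowed(MINIMUM_SECURE, "initial", "usm", "no-auth-no-priv", "read", IF_DESCR))  # True
    print(dangling_view_refs(MINIMUM_SECURE))                                                        # {'internet'}
    print(is_access_allowed(MINIMUM_SECURE, "initial", "usm", "auth-priv", "read", IF_DESCR))        # False
```

   An auth-priv request selects the auth-no-priv entry (the highest
   entry level not above the request), which is the intended behaviour;
   it is then refused only because that entry points at the undefined
   "internet" view.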