Network Working Group                                       M. Bjorklund
Internet-Draft                                            Tail-f Systems
Intended status: Standards Track                        J. Schoenwaelder
Expires: December 7, 2012                              Jacobs University
                                                            June 5, 2012

               A YANG Data Model for SNMP Configuration
                      draft-ietf-netmod-snmp-cfg-00

Abstract

   This document defines a collection of YANG definitions for
   configuring SNMP engines.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 7, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Data Model
     2.1.  General Considerations
     2.2.  Common Definitions
     2.3.  Engine Configuration
     2.4.  Target Configuration
     2.5.  Notification Configuration
     2.6.  Proxy Configuration
     2.7.  Community Configuration
     2.8.  View-based Access Control Model Configuration
     2.9.  User-based Security Model Configuration
     2.10. Transport Security Model Configuration
     2.11. Transport Layer Security Transport Model Configuration
   3.  Definitions
     3.1.  Module 'ietf-snmp'
     3.2.  Submodule 'ietf-snmp-common'
     3.3.  Submodule 'ietf-snmp-engine'
     3.4.  Submodule 'ietf-snmp-target'
     3.5.  Submodule 'ietf-snmp-notification'
     3.6.  Submodule 'ietf-snmp-proxy'
     3.7.  Submodule 'ietf-snmp-community'
     3.8.  Submodule 'ietf-snmp-vacm'
     3.9.  Submodule 'ietf-snmp-usm'
     3.10. Submodule 'ietf-snmp-tsm'
     3.11. Submodule 'ietf-snmp-tls'
   4.  IANA Considerations
   5.  Security Considerations
   6.  Acknowledgments
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Example configurations
     A.1.  Engine Configuration Example
     A.2.  Community Configuration Example
     A.3.  User-based Security Model Configuration Example
     A.4.  Target and Notification Configuration Example
     A.5.  Proxy Configuration Example
     A.6.  View-based Access Control Model Configuration Example
     A.7.  Transport Layer Security Transport Model Configuration Example
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020] data model for the
   configuration of SNMP engines. The configuration model is consistent
   with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413],
   [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591] and [RFC6353]
   but takes advantage of YANG's ability to define hierarchical
   configuration data models. The structure of the model has been
   derived from existing proprietary configuration models implemented as
   command line interfaces.

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14, [RFC2119].

2.  Data Model

   In order to preserve the modularity of SNMP, the YANG configuration
   data model is organized in a set of YANG submodules, all sharing the
   same module namespace. This makes it possible to add configuration
   support for additional SNMP features while keeping the number of
   namespaces that have to be dealt with to a minimum.

2.1.  General Considerations

   Most YANG nodes are mapped 1-1 to the corresponding MIB object. The
   "reference" statement is used to indicate which corresponding MIB
   object the YANG node is mapped to. When there is not a simple 1-1
   mapping, the "description" statement explains the mapping.
2.2.  Common Definitions

   The submodule "ietf-snmp-common" defines a set of common typedefs,
   features, and the top-level container "snmp". All configuration
   parameters defined in the other submodules are organized under this
   top-level container.

   This submodule defines four YANG features:

   proxy: A server implements this feature if it can act as an SNMP
      Proxy.

   notification-filter: A server implements this feature if it supports
      SNMP notification filtering.

   tsm: A server implements this feature if it supports the Transport
      Security Model (tsm) [RFC5591].

   tlstm: A server implements this feature if it supports the Transport
      Layer Security (TLS) Transport Model (tlstm) [RFC6353].

2.3.  Engine Configuration

   The submodule "ietf-snmp-engine", which defines configuration
   parameters that are specific to SNMP engines, has the following
   structure:

   +--rw snmp
      +--rw engine
         +--rw enabled?     boolean
         +--rw listen
         |  +--rw udp [ip port]
         |     +--rw ip     inet:ip-address
         |     +--rw port   inet:port-number
         +--rw version
         |  +--rw v1?    empty
         |  +--rw v2c?   empty
         |  +--rw v3?    empty
         +--rw engine-id?   snmp:engine-id

   The leaf "/snmp/engine/enabled" can be used to enable/disable an SNMP
   engine.

   The container "/snmp/engine/listen" provides configuration of the
   transport endpoints the engine is listening to. In this submodule,
   SNMP over UDP is defined. TLS and Datagram Transport Layer Security
   (DTLS) are also supported, defined in "ietf-snmp-tls" (Section 2.11).
   The "listen" container is expected to be augmented for other
   transports.

   The "/snmp/engine/version" container can be used to enable/disable
   the different message processing models.
2.4.  Target Configuration

   The submodule "ietf-snmp-target", which defines configuration
   parameters that correspond to the objects in SNMP-TARGET-MIB, has the
   following structure:

   +--rw snmp
      +--rw target [name]
         +--rw name             snmp:identifier
         +--rw (transport)
         |  +--:(udp)
         |     +--rw udp
         |        +--rw ip               inet:ip-address
         |        +--rw port?            inet:port-number
         |        +--rw prefix-length?   uint8
         +--rw tag*             snmp:identifier
         +--rw timeout?         uint32
         +--rw retries?         uint8
         +--rw (params)?

   An entry in the list "/snmp/target" corresponds to an
   "snmpTargetAddrEntry".

   The "snmpTargetAddrTDomain" and "snmpTargetAddrTAddress" objects are
   mapped to transport-specific YANG nodes. Each transport is
   configured as a separate case in the "transport" choice. In this
   submodule, SNMP over UDP is defined. TLS and DTLS are also
   supported, defined in "ietf-snmp-tls" (Section 2.11). The
   "transport" choice is expected to be augmented for other transports.

   In order to provide a simpler configuration model with fewer
   cross-references, the "target" list also inlines the
   "snmpTargetParamsEntry" pointed to by "snmpTargetAddrParams". This
   is accomplished with a choice "params", which is augmented by
   security model specific submodules, currently "ietf-snmp-community"
   (Section 2.7), "ietf-snmp-usm" (Section 2.9), and "ietf-snmp-tls"
   (Section 2.11).

   The YANG model does not define a separate list that maps directly to
   "snmpTargetParamsTable". Since "snmpProxyTable" also has a reference
   to this table, "snmpProxyTable" also has a choice "params" which is
   augmented by security model specific submodules (Section 2.6).
2.5.  Notification Configuration

   The submodule "ietf-snmp-notification", which defines configuration
   parameters that correspond to the objects in SNMP-NOTIFICATION-MIB,
   has the following structure:

   +--rw snmp
      +--rw notify [name]
      |  +--rw name    snmp:identifier
      |  +--rw tag     snmp:identifier
      |  +--rw type?   enumeration
      +--rw notify-filter-profile [name]
      |  +--rw name       snmp:identifier
      |  +--rw include*   wildcard-object-identifier
      |  +--rw exclude*   wildcard-object-identifier
      +--rw enable-authen-traps?   boolean

   It also augments the "target" list defined in the "ietf-snmp-target"
   submodule (Section 2.4) with one leaf:

   +--rw snmp
      +--rw target [name]
         ...
         +--rw notify-filter-profile?   leafref

   An entry in the list "/snmp/notify" corresponds to an
   "snmpNotifyEntry".

   An entry in the list "/snmp/notify-filter-profile" corresponds to an
   "snmpNotifyFilterProfileEntry". In the MIB, there is a sparse
   relationship between "snmpTargetParamsTable" and
   "snmpNotifyFilterProfileTable". In the YANG model, this sparse
   relationship is represented with a leafref leaf
   "notify-filter-profile" in the "/snmp/target" list, which refers to
   an entry in the "/snmp/notify-filter-profile" list.

   The "snmpNotifyFilterTable" is represented as a list "filter" within
   the "/snmp/notify-filter-profile" list.

2.6.  Proxy Configuration

   The submodule "ietf-snmp-proxy", which defines configuration
   parameters that correspond to the objects in SNMP-PROXY-MIB, has the
   following structure:

   +--rw snmp
      +--rw proxy [name]
         +--rw name                   snmp:identifier
         +--rw type                   enumeration
         +--rw context-engine-id      snmp:engine-id
         +--rw context-name?          snmp:context-name
         +--rw params-in
         |  +--rw (params)
         +--rw single-target-out?     snmp:identifier
         +--rw multiple-target-out?   snmp:identifier

   An entry in the list "/snmp/proxy" corresponds to an
   "snmpProxyEntry".
   Like the "target" list (Section 2.4), the "proxy" list inlines the
   "snmpTargetParamsEntry" pointed to by "snmpProxyTargetParamsIn".
   This is accomplished with a choice "params", which is augmented by
   security model specific submodules, currently "ietf-snmp-community"
   (Section 2.7), "ietf-snmp-usm" (Section 2.9), and "ietf-snmp-tls"
   (Section 2.11).

2.7.  Community Configuration

   The submodule "ietf-snmp-community", which defines configuration
   parameters that correspond to the objects in SNMP-COMMUNITY-MIB, has
   the following structure:

   +--rw snmp
      +--rw community [index]
         +--rw index            snmp:identifier
         +--rw (name)?
         |  +--:(text-name)
         |  |  +--rw text-name?     string
         |  +--:(binary-name)
         |     +--rw binary-name?   binary
         +--rw security-name    snmp:security-name
         +--rw engine-id?       snmp:engine-id
         +--rw context?         snmp:context-name
         +--rw target-tag?      snmp:identifier

   It also augments the "/snmp/target/params" and
   "/snmp/proxy/params-in/params" choices with nodes for the
   Community-Based Security Model used by SNMPv1 and SNMPv2c:

   +--rw snmp
      +--rw target [name]
      |  ...
      |  +--rw (params)?
      |  |  +--:(v1)
      |  |  |  +--rw v1
      |  |  |     +--rw security-name   snmp:security-name
      |  |  +--:(v2c)
      |  |     +--rw v2c
      |  |        +--rw security-name   snmp:security-name
      |  +--rw mms?   union
      +--rw proxy
         +--rw params-in
            +--rw params
               +--:(v1)
               |  +--rw v1
               |     +--rw security-name   snmp:security-name
               +--:(v2c)
                  +--rw v2c
                     +--rw security-name   snmp:security-name

   An entry in the list "/snmp/community" corresponds to an
   "snmpCommunityEntry".

   When a case "v1" or "v2c" is chosen, it implies a
   snmpTargetParamsMPModel 0 (SNMPv1) or 1 (SNMPv2), and a
   snmpTargetParamsSecurityModel 1 (SNMPv1) or 2 (SNMPv2), respectively.
   Both cases imply a snmpTargetParamsSecurityLevel of noAuthNoPriv.
2.8.  View-based Access Control Model Configuration

   The submodule "ietf-snmp-vacm", which defines configuration
   parameters that correspond to the objects in SNMP-VIEW-BASED-ACM-MIB,
   has the following structure:

   +--rw snmp
      +--rw vacm
         +--rw group [name]
         |  +--rw name      group-name
         |  +--rw member [security-name]
         |  |  +--rw security-name     snmp:security-name
         |  |  +--rw security-model*   snmp:security-model
         |  +--rw access [context security-model security-level]
         |     +--rw context          snmp:context-name
         |     +--rw context-match?   enumeration
         |     +--rw security-model   snmp:security-model-or-any
         |     +--rw security-level   snmp:security-level
         |     +--rw read-view?       view-name
         |     +--rw write-view?      view-name
         |     +--rw notify-view?     view-name
         +--rw view [name]
            +--rw name       view-name
            +--rw include*   snmp:wildcard-object-identifier
            +--rw exclude*   snmp:wildcard-object-identifier

   The "vacmSecurityToGroupTable" and "vacmAccessTable" are mapped to a
   structure of nested lists in the YANG model. Groups are defined in
   the list "/snmp/vacm/group" and for each group there is a sublist
   "member" that maps to "vacmSecurityToGroupTable", and a sublist
   "access" that maps to "vacmAccessTable".

   MIB views are defined in the list "/snmp/vacm/view" and for each MIB
   view there is a leaf-list of included subtree families and a
   leaf-list of excluded subtree families. This is more compact and thus
   a more readable representation of the "vacmViewTreeFamilyTable".
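   As an added illustration that is not part of the draft, the following
   Python evaluates a view written in the "/snmp/vacm/view" form above:
   an OID is visible when the most specific (longest) matching include
   or exclude family says so, which is the vacmViewTreeFamilyTable rule
   of RFC 3415. The view contents, the class and function names, and
   the tie-break (an exclude family wins over an equally long include
   family) are this example's own assumptions; label subidentifiers are
   not resolved, only numeric ones and the "*" wildcard.

```python
"""Evaluate an ietf-snmp-vacm view: a name, a leaf-list of included
subtree families and a leaf-list of excluded ones, each family written
as a wildcard-object-identifier such as '1.3.6.1.2.1.*.2'.
Added example; not code from the draft."""
from dataclasses import dataclass, field


def parse_family(text: str) -> list:
    """'1.3.6.1.*.2' -> [1, 3, 6, 1, '*', 2].  Only numeric subidentifiers
    and the '*' wildcard are handled; labels would need a MIB to resolve."""
    return ['*' if sub == '*' else int(sub)
            for sub in text.strip('.').split('.')]


def family_matches(family: list, oid: list) -> bool:
    """A family matches an OID when the OID is at least as long and every
    non-wildcard subidentifier of the family equals the OID's."""
    if len(oid) < len(family):
        return False
    return all(f == '*' or f == o for f, o in zip(family, oid))


@dataclass
class View:
    """One entry of the /snmp/vacm/view list."""
    name: str
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)

    def contains(self, oid_text: str) -> bool:
        """RFC 3415 semantics: among all matching families the one with the
        most subidentifiers decides.  Assumption for the tie case: an
        exclude family of equal length wins over an include family."""
        oid = parse_family(oid_text)
        best_len, visible = -1, False
        for kind, families in (('include', self.include),
                               ('exclude', self.exclude)):
            for fam_text in families:
                fam = parse_family(fam_text)
                if not family_matches(fam, oid):
                    continue
                if len(fam) > best_len or (len(fam) == best_len
                                           and kind == 'exclude'):
                    best_len, visible = len(fam), (kind == 'include')
        return visible


def example_view() -> View:
    """Constructed sample view (not from the draft): all of mib-2 except the
    ip group, and except subidentifier 2 of every mib-2 group."""
    return View(name='restricted',
                include=['1.3.6.1.2.1'],
                exclude=['1.3.6.1.2.1.4', '1.3.6.1.2.1.*.2'])


if __name__ == '__main__':
    view = example_view()
    for oid in ('1.3.6.1.2.1.1.1.0',    # sysDescr.0: visible
                '1.3.6.1.2.1.1.2.0',    # sysObjectID.0: hit by the wildcard
                '1.3.6.1.2.1.4.20.1.1', # ip group: excluded
                '1.3.6.1.4.1.9'):       # enterprises: no include at all
        print(f"{oid:24} {'visible' if view.contains(oid) else 'hidden'}")
```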
2.9.  User-based Security Model Configuration

   The submodule "ietf-snmp-usm", which defines configuration parameters
   that correspond to the objects in SNMP-USER-BASED-SM-MIB, has the
   following structure:

   +--rw snmp
      +--rw usm
         +--rw local
         |  +--rw user [name]
         |     +-- {common user params}
         +--rw remote [engine-id]
            +--rw engine-id   snmp:engine-id
            +--rw user [name]
               +-- {common user params}

   The "{common user params}" are:

   +--rw name    snmp:identifier
   +--rw auth?
   |  +--rw (protocol)
   |     +--:(md5)
   |     |  +--rw md5
   |     |     +--rw key   string
   |     +--:(sha)
   |        +--rw sha
   |           +--rw key   string
   +--rw priv?
      +--rw (protocol)
         +--:(des)
         |  +--rw des
         |     +--rw key   string
         +--:(aes)
            +--rw aes
               +--rw key   string

   It also augments the "/snmp/target/params" and
   "/snmp/proxy/params-in/params" choices with nodes for the SNMP
   User-based Security Model.

   +--rw snmp
      +--rw target [name]
      |  ...
      |  +--rw (params)?
      |     +--:(usm)
      |        +--rw usm
      |           +--rw user-name        snmp:security-name
      |           +--rw security-level   security-level
      +--rw proxy [name]
         ...
         +--rw params-in
            +--rw (params)
               +--:(usm)
                  +--rw usm
                     +--rw user-name        snmp:security-name
                     +--rw security-level   security-level

   In the MIB, there is a single table with local and remote users,
   indexed by the engine id and user name. In the YANG model, there is
   one list of local users, and a nested list of remote users.

   In the MIB, there are several objects related to changing the
   authentication and privacy keys. These objects are not present in
   the YANG model. Instead, there is a choice between a password or a
   localized key. If a password is given, it is used by the server to
   calculate a localized key, which is stored in the configuration. The
   clear-text password is never stored. This implies that if the engine
   id is changed, all users' keys need to be changed as well.
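   The key derivation described above, as an added example that is not
   part of the draft: it turns a user's password and the engine's
   "snmp:engine-id" string into the localized key the server would
   store, following RFC 3414 Appendix A.2, and shows why a changed
   engine id invalidates every stored key. The function names and the
   sample engine id are assumptions of this example; the expected values
   are the test vectors published in RFC 3414 Appendix A.3.

```python
"""USM key localization (RFC 3414, Appendix A.2) applied to the ietf-snmp
model: the server keeps H(Ku || engineID || Ku), never the password.
Added example; not code from the draft."""
import hashlib
import re

# Pattern of the snmp:engine-id typedef in ietf-snmp-common: 5..32 octets,
# two hex digits each, separated by colons.
ENGINE_ID_RE = re.compile(r'^([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}$')

# Auth protocol case names of the USM tree -> hashlib names (USM "sha" is SHA-1).
ALGO = {'md5': 'md5', 'sha': 'sha1'}


def parse_engine_id(text: str) -> bytes:
    """Convert an snmp:engine-id string such as '80:00:00:00:01:02' to bytes."""
    if not ENGINE_ID_RE.match(text):
        raise ValueError(f"not a valid snmp:engine-id: {text!r}")
    return bytes(int(h, 16) for h in text.split(':'))


def password_to_key(password: str, hashname: str) -> bytes:
    """Ku: hash the password repeated cyclically out to exactly 1048576 bytes."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    full, rem = divmod(1048576, len(pw))
    return hashlib.new(hashname, pw * full + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hashname: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key bound to one engine."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_text: str, protocol: str = 'md5') -> str:
    """The value a server would store for a user configured with a password:
    the localized key as hex.  The clear-text password is not retained."""
    if protocol not in ALGO:
        raise ValueError("auth protocol must be one of: " + ", ".join(ALGO))
    hashname = ALGO[protocol]
    ku = password_to_key(password, hashname)
    return localize_key(ku, parse_engine_id(engine_id_text), hashname).hex()


def keys_survive_engine_id_change(password: str, old_engine_id: str,
                                  new_engine_id: str, protocol: str = 'md5') -> bool:
    """False whenever the engine id differs: each stored localized key must be
    regenerated, which is the consequence Section 2.9 points out."""
    return (localized_key(password, old_engine_id, protocol)
            == localized_key(password, new_engine_id, protocol))


if __name__ == '__main__':
    # Constructed sample: the 12-octet engine id used in RFC 3414 Appendix A.3.
    eid = '00:00:00:00:00:00:00:00:00:00:00:02'
    for proto in ALGO:
        print(proto, localized_key('maplesyrup', eid, proto))
    print('keys still valid after engine-id change?',
          keys_survive_engine_id_change('maplesyrup', eid,
                                        '00:00:00:00:00:00:00:00:00:00:00:03'))
```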
2.10.  Transport Security Model Configuration

   The submodule "ietf-snmp-tsm", which defines configuration parameters
   that correspond to the objects in SNMP-TSM-MIB, has the following
   structure:

   +--rw snmp
      +--rw tsm
         +--rw use-prefix?   boolean

   It also augments the "/snmp/target/params" and
   "/snmp/proxy/params-in/params" choices with nodes for the SNMP
   Transport Security Model.

   +--rw snmp
      +--rw target [name]
      |  ...
      |  +--rw (params)?
      |     +--:(tsm)
      |        +--rw tsm
      |           +--rw security-name    snmp:security-name
      |           +--rw security-level   security-level
      +--rw proxy [name]
         ...
         +--rw params-in
            +--rw (params)
               +--:(tsm)
                  +--rw tsm
                     +--rw security-name    snmp:security-name
                     +--rw security-level   security-level

2.11.  Transport Layer Security Transport Model Configuration

   The submodule "ietf-snmp-tls", which defines configuration parameters
   that correspond to the objects in SNMP-TLS-TM-MIB, has the following
   structure:

   +--rw snmp
      ...
      +--rw target [name]
      |  ...
      |  +--rw (transport)
      |     +--:(tls)
      |     |  +--rw tls
      |     |     +-- {common (d)tls transport params}
      |     +--:(dtls)
      |        +--rw dtls
      |           +-- {common (d)tls transport params}
      +--rw tlstm
         +--rw cert-to-tm-security-name [id]
            +--rw id                                 uint32
            +--rw fingerprint?                       tls-fingerprint
            +--rw map-type?                          identityref
            +--rw cert-specified-tm-security-name?   admin-string

   The "{common (d)tls transport params}" are:

   +--rw ip?                   inet:ip-address
   +--rw port?                 inet:port-number
   +--rw client-fingerprint?   tls-fingerprint
   +--rw (server-identification)?
      +--:(server-fingerprint)
      |  +--rw server-fingerprint?   tls-fingerprint
      +--:(server-identity)
         +--rw server-identity?      admin-string

   It also augments the "/snmp/engine/listen" container with objects for
   the (D)TLS transport endpoints:

   +--rw snmp
      +--rw engine
         ...
         +--rw listen
            +--rw tls [ip port]
            |  +--rw ip     inet:ip-address
            |  +--rw port   inet:port-number
            +--rw dtls [ip port]
               +--rw ip     inet:ip-address
               +--rw port   inet:port-number

3.  Definitions

3.1.  Module 'ietf-snmp'

   file "ietf-snmp.yang"

   module ietf-snmp {

     namespace "urn:ietf:params:xml:ns:yang:ietf-snmp";
     prefix snmp;

     include ietf-snmp-common {
       revision-date 2012-06-05;
     }
     include ietf-snmp-engine {
       revision-date 2012-06-05;
     }
     include ietf-snmp-target {
       revision-date 2012-06-05;
     }
     include ietf-snmp-notification {
       revision-date 2012-06-05;
     }
     include ietf-snmp-proxy {
       revision-date 2012-06-05;
     }
     include ietf-snmp-community {
       revision-date 2012-06-05;
     }
     include ietf-snmp-usm {
       revision-date 2012-06-05;
     }
     include ietf-snmp-tsm {
       revision-date 2012-06-05;
     }
     include ietf-snmp-vacm {
       revision-date 2012-06-05;
     }
     include ietf-snmp-tls {
       revision-date 2012-06-05;
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:
        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor: Martin Bjorklund

        Editor: Juergen Schoenwaelder
       ";

     description
       "This module contains a collection of YANG definitions for
        configuring SNMP engines.

        Copyright (c) 2011 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.

     revision 2012-06-05 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

   }

3.2.  Submodule 'ietf-snmp-common'

   file "ietf-snmp-common.yang"

   submodule ietf-snmp-common {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor: Martin Bjorklund

        Editor: Juergen Schoenwaelder
       ";

     description
       "This submodule contains a collection of common YANG definitions
        for configuring SNMP engines.

        Copyright (c) 2011 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.

     revision 2012-06-05 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     /* Collection of SNMP features */

     feature proxy {
       description
         "A server implements this feature if it can act as an
          SNMP Proxy";
     }

     feature notification-filter {
       description
         "A server implements this feature if it supports SNMP
          notification filtering.";
     }

     feature tsm {
       description
         "A server implements this feature if it supports the
          Transport Security Model for SNMP.";
       reference
         "RFC5591: Transport Security Model for the
          Simple Network Management Protocol (SNMP)";
     }

     feature tlstm {
       description
         "A server implements this feature if it supports the
          Transport Layer Security Transport Model for SNMP.";
       reference
         "RFC6353: Transport Layer Security (TLS) Transport Model for
          the Simple Network Management Protocol (SNMP)";
     }

     /* Collection of SNMP specific data types */

     typedef admin-string {
       type string {
         length "0..255";
       }
       description
         "Represents an SnmpAdminString as defined in RFC 3411.

          Note that the size of an SnmpAdminString is measured in
          octets, not characters.";
       reference "SNMP-FRAMEWORK-MIB.SnmpAdminString";
     }

     typedef identifier {
       type admin-string {
         length "1..32";
       }
       description
         "Identifiers are used to name items in the SNMP configuration
          data store.";
     }

     typedef context-name {
       type admin-string {
         length "0..32";
       }
       description
         "The context type represents an SNMP context name.";
       reference
         "RFC3411: An Architecture for Describing SNMP Management
          Frameworks";
     }

     typedef security-name {
       type admin-string {
         length "1..32";
       }
       description
         "The security-name type represents an SNMP security name.";
       reference
         "RFC3411: An Architecture for Describing SNMP Management
          Frameworks";
     }

     typedef security-model {
       type union {
         type enumeration {
           enum v1  { value 1; }
           enum v2c { value 2; }
           enum usm { value 3; }
           enum tsm { value 4; }
         }
         type int32 {
           range "1..2147483647";
         }
       }
       reference
         "RFC3411: An Architecture for Describing SNMP Management
          Frameworks";
     }

     typedef security-model-or-any {
       type union {
         type enumeration {
           enum any { value 0; }
         }
         type security-model;
       }
       reference
         "RFC3411: An Architecture for Describing SNMP Management
          Frameworks";
     }

     typedef security-level {
       type enumeration {
         enum no-auth-no-priv { value 1; }
         enum auth-no-priv    { value 2; }
         enum auth-priv       { value 3; }
       }
       reference
         "RFC3411: An Architecture for Describing SNMP Management
          Frameworks";
     }

     typedef engine-id {
       type string {
         pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}';
       }
       description
         "The Engine ID specified as a list of colon-separated
          hexadecimal octets, e.g. '4F:4C:41:71'.";
       reference
         "RFC3411: An Architecture for Describing SNMP Management
          Frameworks";
     }

     typedef wildcard-object-identifier {
       type string;
       description
         "The wildcard-object-identifier type represents an SNMP object
          identifier where subidentifiers can be given either as a label,
          in numeric form, or a wildcard, represented by a *.";
     }

     container snmp {
       description
         "Top-level container for SNMP related configuration and
          status objects.";
     }

   }

3.3.  Submodule 'ietf-snmp-engine'

   file "ietf-snmp-engine.yang"

   submodule ietf-snmp-engine {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     import ietf-inet-types {
       prefix inet;
     }

     include ietf-snmp-common;

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor: Martin Bjorklund

        Editor: Juergen Schoenwaelder
       ";

     description
       "This submodule contains a collection of YANG definitions
        for configuring SNMP engines.

        Copyright (c) 2011 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
     revision 2012-06-05 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     augment /snmp:snmp {

       container engine {

         description
           "Configuration of the SNMP engine.";

         leaf enabled {
           type boolean;
           default "false";
           description
             "Enables the SNMP engine.";
         }

         container listen {
           description
             "Configuration of the transport endpoints on which the
              engine listens. Submodules providing configuration for
              additional transports are expected to augment this
              container.";

           list udp {
             key "ip port";
             description
               "A list of IPv4 and IPv6 addresses and ports to which the
                engine listens.";

             leaf ip {
               type inet:ip-address;
               description
                 "The IPv4 or IPv6 address on which the engine
                  listens.";
             }
             leaf port {
               type inet:port-number;
               description
                 "The UDP port on which the engine listens.";
             }
           }
         }

         container version {
           description
             "SNMP version used by the engine";
           leaf v1 {
             type empty;
           }
           leaf v2c {
             type empty;
           }
           leaf v3 {
             type empty;
           }
         }

         leaf engine-id {
           type snmp:engine-id;
           description
             "The local SNMP engine's administratively-assigned unique
              identifier.

              If this leaf is not set, the device automatically
              calculates an engine id, as described in RFC 3411. A
              server MAY initialize this leaf with the automatically
              created value.";
           reference "SNMP-FRAMEWORK-MIB.snmpEngineID";

         }
       }
     }
   }

3.4.  Submodule 'ietf-snmp-target'

   file "ietf-snmp-target.yang"

   submodule ietf-snmp-target {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     import ietf-inet-types {
       prefix inet;
     }

     include ietf-snmp-common;

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor: Martin Bjorklund

        Editor: Juergen Schoenwaelder
       ";

     description
       "This submodule contains a collection of YANG definitions
        for configuring SNMP targets.

        Copyright (c) 2011 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC3413: Simple Network Management Protocol (SNMP)
        Applications";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
  revision 2012-06-05 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    list target {
      key name;
      description
        "List of targets.";
      reference "SNMP-TARGET-MIB.snmpTargetAddrTable";

      leaf name {
        type snmp:identifier;
        description
          "Identifies the target.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrName";
      }
      choice transport {
        mandatory true;
        description
          "Transport address of the target.

           The snmpTargetAddrTDomain and snmpTargetAddrTAddress
           objects are mapped to transport-specific YANG nodes.  Each
           transport is configured as a separate case in this
           choice.  Submodules providing configuration for additional
           transports are expected to augment this choice.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTDomain
                   SNMP-TARGET-MIB.snmpTargetAddrTAddress";
        case udp {
          reference "SNMPv2-TM.snmpUDPDomain
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4z
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6z";
          container udp {
            leaf ip {
              type inet:ip-address;
              mandatory true;
              reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
            }
            leaf port {
              type inet:port-number;
              default 162;
              description
                "UDP port number";
              reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
            }
            leaf prefix-length {
              type uint8;
              description
                "The value of this leaf must match the value of
                 ../snmp:ip.  If ../snmp:ip contains an ipv4 address,
                 this leaf must be less than or equal to 32.  If it
                 contains an ipv6 address, it must be less than or
                 equal to 128.

                 Note that the prefix-length is currently only used
                 by the Community-based Security Model to filter
                 incoming messages.  Furthermore, the prefix-length
                 filtering does not cover all possible filters
                 supported by the corresponding MIB object.";
              reference "SNMP-COMMUNITY-MIB.snmpTargetAddrTMask";
            }
          }
        }
      }
      leaf-list tag {
        type snmp:identifier;
        description
          "List of tag values used to select target address.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTagList";
      }
      leaf timeout {
        type uint32;
        units "0.01 seconds";
        default 1500;
        description
          "Needed only if this target can receive
           InformRequest-PDUs.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTimeout";
      }
      leaf retries {
        type uint8;
        default 3;
        description
          "Needed only if this target can receive
           InformRequest-PDUs.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrRetryCount";
      }
      choice params {
        description
          "This choice is augmented with case nodes containing
           security model specific configuration parameters.  Each
           such case represents one entry in the
           snmpTargetParamsTable.

           When the snmpTargetAddrParams object contains a reference
           to a non-existing snmpTargetParamsEntry, this choice does
           not contain any case, and vice versa.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrParams
                   SNMP-TARGET-MIB.snmpTargetParamsTable";
      }
    }
  }
}
3.5.  Submodule 'ietf-snmp-notification'

file "ietf-snmp-notification.yang"

submodule ietf-snmp-notification {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP notifications.

     Copyright (c) 2011 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3413: Simple Network Management Protocol (SNMP)
     Applications";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2012-06-05 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    list notify {
      key name;
      description
        "Targets that will receive notifications.

         Entries in this list are mapped 1-1 to entries in
         snmpNotifyTable, except that if an entry in snmpNotifyTable
         has a snmpNotifyTag for which no snmpTargetAddrEntry exists,
         then the snmpNotifyTable entry is not mapped to an entry in
         this list.";
      reference "SNMP-NOTIFICATION-MIB.snmpNotifyTable";

      leaf name {
        type snmp:identifier;
        description
          "An arbitrary name for the list entry.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyName";
      }
      leaf tag {
        type snmp:identifier;
        mandatory true;
        description
          "Target tag, selects a set of notification targets.

           Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/tag in
           a valid configuration.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyTag";
      }
      leaf type {
        type enumeration {
          enum trap { value 1; }
          enum inform { value 2; }
        }
        default trap;
        description
          "Defines the notification type to be generated.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyType";
      }
    }

    list notify-filter-profile {
      if-feature snmp:notification-filter;
      key name;

      description
        "Notification filter profiles.

         The leaf /snmp/target/notify-filter-profile is used
         to associate a filter profile with a target.

         If an entry in this list is referred to by one or more
         /snmp/target/notify-filter-profile, each such
         notify-filter-profile is represented by one
         snmpNotifyFilterProfileEntry.

         If an entry in this list is not referred to by any
         /snmp/target/notify-filter-profile, the entry is not mapped
         to snmpNotifyFilterProfileTable.";
      reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable
                 SNMP-NOTIFICATION-MIB.snmpNotifyFilterTable";

      leaf name {
        type snmp:identifier;
        description
          "Name of the filter profile";
        reference
          "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
      }

      leaf-list include {
        type wildcard-object-identifier;
        description
          "A family of subtrees included in this filter.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
      }

      leaf-list exclude {
        type wildcard-object-identifier;
        description
          "A family of subtrees excluded from this filter.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
      }
    }

    leaf enable-authen-traps {
      type boolean;
      description
        "Indicates whether the SNMP entity is permitted to
         generate authenticationFailure traps.";
      reference "SNMPv2-MIB.snmpEnableAuthenTraps";
    }
  }

  augment /snmp:snmp/snmp:target {
    reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable";
    leaf notify-filter-profile {
      if-feature snmp:notification-filter;
      type leafref {
        path "/snmp/notify-filter-profile/name";
      }
      description
        "This leafref leaf is used to represent the sparse
         relationship between the /snmp/target list and the
         /snmp/notify-filter-profile list.";
      reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
    }
  }

}
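As an added illustration (not part of the draft), the following Python resolves which /snmp/target entries a /snmp/notify entry selects through its tag, applies the port, timeout and retries defaults declared in the target submodule, and checks the prefix-length rule stated in the udp case. The configuration instance and its dict layout are this example's own construction.

```python
"""Added example, not from the draft: tag-based target selection as described
by /snmp/notify/tag and /snmp/target/tag, plus the prefix-length/address
family rule on /snmp/target/udp.  Dict keys mirror the YANG node names; all
instance values are constructed for the example."""
import ipaddress

# Defaults taken from the YANG leaves: udp/port 162, timeout 1500, retries 3.
UDP_PORT_DEFAULT = 162
TIMEOUT_DEFAULT = 1500
RETRIES_DEFAULT = 3

# Constructed configuration instance (illustrative values only).
CONFIG = {
    "target": [
        {"name": "nms-a",
         "udp": {"ip": "192.0.2.10", "port": 162, "prefix-length": 32},
         "tag": ["nms", "audit"]},
        {"name": "nms-b",
         "udp": {"ip": "2001:db8::10", "prefix-length": 64},
         "tag": ["nms"], "timeout": 300, "retries": 5},
        {"name": "bad",                         # 64 is too long for IPv4
         "udp": {"ip": "198.51.100.7", "prefix-length": 64},
         "tag": ["audit"]},
    ],
    "notify": [
        {"name": "ops", "tag": "nms", "type": "inform"},
        {"name": "sec", "tag": "audit"},        # 'type' defaults to trap
        {"name": "orphan", "tag": "nobody"},    # no target carries this tag
    ],
}


def prefix_length_errors(config):
    """Return (target-name, message) for every prefix-length that exceeds
    32 for an IPv4 ip or 128 for an IPv6 ip, as the udp case requires."""
    errors = []
    for tgt in config["target"]:
        udp = tgt.get("udp")
        if udp is None or "prefix-length" not in udp:
            continue
        addr = ipaddress.ip_address(udp["ip"])
        limit = 32 if addr.version == 4 else 128
        if udp["prefix-length"] > limit:
            errors.append((tgt["name"],
                           "prefix-length %d exceeds %d for IPv%d address %s"
                           % (udp["prefix-length"], limit, addr.version, addr)))
    return errors


def resolve_notify(config, notify_name):
    """Expand one /snmp/notify entry into the destinations its tag selects.

    Each destination carries name, ip, port and type; for informs it also
    carries the timeout/retries that govern retransmission.  An empty list
    means no target has the tag, so the snmpNotifyTable entry is unmapped.
    """
    entry = next(n for n in config["notify"] if n["name"] == notify_name)
    ntype = entry.get("type", "trap")
    selected = []
    for tgt in config["target"]:
        if entry["tag"] not in tgt.get("tag", []):
            continue
        dest = {"name": tgt["name"],
                "ip": tgt["udp"]["ip"],
                "port": tgt["udp"].get("port", UDP_PORT_DEFAULT),
                "type": ntype}
        if ntype == "inform":
            dest["timeout"] = tgt.get("timeout", TIMEOUT_DEFAULT)
            dest["retries"] = tgt.get("retries", RETRIES_DEFAULT)
        selected.append(dest)
    return selected


if __name__ == "__main__":
    for name, msg in prefix_length_errors(CONFIG):
        print("target %s: %s" % (name, msg))
    for n in CONFIG["notify"]:
        print(n["name"], "->", resolve_notify(CONFIG, n["name"]))
```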
3.6.  Submodule 'ietf-snmp-proxy'

file "ietf-snmp-proxy.yang"

submodule ietf-snmp-proxy {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP proxies.

     Copyright (c) 2011 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3413: Simple Network Management Protocol (SNMP)
     Applications";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2012-06-05 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {
    if-feature snmp:proxy;

    list proxy {
      key name;

      description
        "List of proxy parameters.";
      reference "SNMP-PROXY-MIB.snmpProxyTable";

      leaf name {
        type snmp:identifier;
        description
          "Identifies the proxy parameter entry.";
        reference "SNMP-PROXY-MIB.snmpProxyName";
      }
      leaf type {
        type enumeration {
          enum read;
          enum write;
          enum trap;
          enum inform;
        }
        mandatory true;
        reference "SNMP-PROXY-MIB.snmpProxyType";
      }
      leaf context-engine-id {
        type snmp:engine-id;
        mandatory true;
        reference "SNMP-PROXY-MIB.snmpProxyContextEngineID";
      }
      leaf context-name {
        type snmp:context-name;
        reference "SNMP-PROXY-MIB.snmpProxyContextName";
      }
      container params-in {
        choice params {
          mandatory true;
          description
            "This choice is augmented with case nodes containing
             security model specific configuration parameters.  Each
             such case represents one entry in the
             snmpTargetParamsTable.

             When the snmpProxyTargetParamsIn object contains a
             reference to a non-existing snmpTargetParamsEntry, this
             choice does not contain any case, and vice versa.";
        }
        reference "SNMP-PROXY-MIB.snmpProxyTargetParamsIn";
      }
      leaf single-target-out {
        // enum values are compared as XPath string literals
        when "../type = 'read' or ../type = 'write'";
        type snmp:identifier;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/name in
           a valid configuration.";
        reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut";
      }
      leaf multiple-target-out {
        when "../type = 'trap' or ../type = 'inform'";
        type snmp:identifier;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/tag in
           a valid configuration.";
        reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut";
      }
    }
  }
}

3.7.  Submodule 'ietf-snmp-community'

file "ietf-snmp-community.yang"

submodule ietf-snmp-community {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring community-based SNMP.

     Copyright (c) 2011 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3584: Coexistence between Version 1, Version 2, and Version 3
     of the Internet-standard Network Management Framework";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2012-06-05 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    list community {
      key index;

      description
        "List of communities";
      reference "SNMP-COMMUNITY-MIB.snmpCommunityTable";

      leaf index {
        type snmp:identifier;
        description
          "Index into the community list.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityIndex";
      }
      choice name {
        description
          "The community name, either specified as a string
           or as a binary.  The binary name is used when the
           community name contains characters that are not legal
           in a string.

           If not set, the value of 'security-name' is operationally
           used as the snmpCommunityName.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityName";
        leaf text-name {
          type string;
          description
            "A community name that can be represented as a
             YANG string.";
        }
        leaf binary-name {
          type binary;
          description
            "A community name represented as a binary value.";
        }
      }
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "The snmpCommunitySecurityName of this entry.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunitySecurityName";
      }
      leaf engine-id {
        if-feature snmp:proxy;
        type snmp:engine-id;
        description
          "If not set, the value of the local SNMP engine is
           operationally used by the device.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityContextEngineID";
      }
      leaf context {
        type snmp:context-name;
        default "";
        description
          "The context in which management information is accessed
           when using the community string specified by this entry.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityContextName";
      }
      leaf target-tag {
        type snmp:identifier;
        description
          "Used to limit access for this community to the specified
           targets.

           Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/tag in
           a valid configuration.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityTransportTag";
      }
    }
  }

  grouping v1-target-params {
    container v1 {
      description
        "SNMPv1 parameters type.
         Represents snmpTargetParamsMPModel '0',
         snmpTargetParamsSecurityModel '1', and
         snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of
           /snmp/community/security-name in a valid configuration.";
        reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
    }
  }

  grouping v2c-target-params {
    container v2c {
      description
        "SNMPv2 community parameters type.
         Represents snmpTargetParamsMPModel '1',
         snmpTargetParamsSecurityModel '2', and
         snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of
           /snmp/community/security-name in a valid configuration.";
        reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
    }
  }

  augment /snmp:snmp/snmp:target/snmp:params {
    case v1 {
      uses v1-target-params;
    }
    case v2c {
      uses v2c-target-params;
    }
  }

  augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
    case v1 {
      uses v1-target-params;
    }
    case v2c {
      uses v2c-target-params;
    }
  }

  augment /snmp:snmp/snmp:target {
    leaf mms {
      // choice and case nodes do not exist in the data tree, so the
      // test refers to the v1/v2c containers as siblings of this leaf
      when "../snmp:v1 or ../snmp:v2c";
      type union {
        type enumeration {
          enum "unknown";
        }
        type int32 {
          range "484..max";
        }
      }
      default "484";
      reference
        "SNMP-COMMUNITY-MIB.snmpTargetAddrMMS";
    }
  }

}
3.8.  Submodule 'ietf-snmp-vacm'

file "ietf-snmp-vacm.yang"

submodule ietf-snmp-vacm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring the View-based Access Control Model (VACM)
     of SNMP.

     Copyright (c) 2011 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3415: View-based Access Control Model (VACM) for the
     Simple Network Management Protocol (SNMP)";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2012-06-05 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  typedef view-name {
    type snmp:identifier;
    description
      "The view-name type represents an SNMP VACM view name.";
  }

  typedef group-name {
    type snmp:identifier;
    description
      "The group-name type represents an SNMP VACM group name.";
  }

  augment /snmp:snmp {

    container vacm {
      description
        "Configuration of the View-based Access Control Model";

      list group {
        key name;
        description
          "VACM Groups.

           This data model has a different structure than the MIB.
           Groups are explicitly defined in this list, and group
           members are defined in the 'member' list (mapped to
           vacmSecurityToGroupTable), and access for the group is
           defined in the 'access' list (mapped to
           vacmAccessTable).";
        reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable
                   SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

        leaf name {
          type group-name;
          description
            "The name of this VACM group.";
          reference "SNMP-VIEW-BASED-ACM-MIB.vacmGroupName";
        }

        list member {
          key "security-name";
          min-elements 1;
          description
            "A member of this VACM group.  According to VACM, every
             group must have at least one member.

             A certain combination of security-name and
             security-model MUST NOT be present in more than
             one group.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable";

          leaf security-name {
            type snmp:security-name;
            description
              "The securityName of a group member.";
            reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityName";
          }

          leaf-list security-model {
            type snmp:security-model;
            min-elements 1;
            description
              "The security models under which this security-name
               is a member of this group.";
            reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityModel";
          }
        }

        list access {
          key "context security-model security-level";
          description
            "Definition of access right for groups";
          reference "SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

          leaf context {
            type snmp:context-name;
            description
              "The context (prefix) under which the access rights
               apply.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextPrefix";
          }

          leaf context-match {
            type enumeration {
              enum exact;
              enum prefix;
            }
            default exact;
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextMatch";
          }

          leaf security-model {
            type snmp:security-model-or-any;
            description
              "The security model under which the access rights
               apply.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityModel";
          }

          leaf security-level {
            type snmp:security-level;
            description
              "The minimum security level under which the access
               rights apply.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityLevel";
          }

          leaf read-view {
            type view-name;
            description
              "The name of the MIB view of the SNMP context
               authorizing read access.  If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessReadViewName.

               Implementations MAY restrict the values of this
               leaf to be one of the available values of
               /snmp/vacm/view/name in a valid configuration.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessReadViewName";
          }

          leaf write-view {
            type view-name;
            description
              "The name of the MIB view of the SNMP context
               authorizing write access.  If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessWriteViewName.

               Implementations MAY restrict the values of this
               leaf to be one of the available values of
               /snmp/vacm/view/name in a valid configuration.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessWriteViewName";
          }

          leaf notify-view {
            type view-name;
            description
              "The name of the MIB view of the SNMP context
               authorizing notify access.  If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessNotifyViewName.

               Implementations MAY restrict the values of this
               leaf to be one of the available values of
               /snmp/vacm/view/name in a valid configuration.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessNotifyViewName";
          }
        }
      }

      list view {
        key name;
        description
          "Definition of MIB views.";
        reference
          "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyTable";

        leaf name {
          type view-name;
          description
            "The name of this VACM MIB view.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyName";
        }

        leaf-list include {
          type snmp:wildcard-object-identifier;
          description
            "A family of subtrees included in this MIB view.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
        }

        leaf-list exclude {
          type snmp:wildcard-object-identifier;
          description
            "A family of subtrees excluded from this MIB
             view.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
        }
      }
    }
  }
}

3.9.  Submodule 'ietf-snmp-usm'

file "ietf-snmp-usm.yang"

submodule ietf-snmp-usm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the User-based Security Model (USM) of SNMP.

     Copyright (c) 2011 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3414: User-based Security Model (USM) for version 3 of the
     Simple Network Management Protocol (SNMPv3).";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
  revision 2012-06-05 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  grouping key {
    leaf key {
      type string {
        pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2})*';
      }
      mandatory true;
      description
        "Localized key specified as a list of colon-separated
         hexadecimal octets";
    }
  }

  grouping user-list {
    list user {
      key "name";

      reference "SNMP-USER-BASED-SM-MIB.usmUserTable";

      leaf name {
        type snmp:identifier;
        reference "SNMP-USER-BASED-SM-MIB.usmUserName";
      }
      container auth {
        presence "enables authentication";
        description
          "Enables authentication of the user";
        choice protocol {
          mandatory true;
          reference "SNMP-USER-BASED-SM-MIB.usmUserAuthProtocol";
          container md5 {
            uses key;
            reference
              "SNMP-USER-BASED-SM-MIB.usmHMACMD5AuthProtocol";
          }
          container sha {
            uses key;
            reference
              "SNMP-USER-BASED-SM-MIB.usmHMACSHAAuthProtocol";
          }
        }
      }
      container priv {
        must "../auth" {
          error-message
            "when privacy is used, authentication must also be used";
        }
        presence "enables encryption";
        description
          "Enables encryption of SNMP messages.";

        choice protocol {
          mandatory true;
          reference "SNMP-USER-BASED-SM-MIB.usmUserPrivProtocol";
          container des {
            uses key;
            reference "SNMP-USER-BASED-SM-MIB.usmDESPrivProtocol";
          }
          container aes {
            uses key;
            reference "SNMP-USM-AES-MIB.usmAesCfb128Protocol";
          }
        }
      }
    }
  }

  augment /snmp:snmp {

    container usm {
      description
        "Configuration of the User-based Security Model";
      container local {
        uses user-list;
      }

      list remote {
        key "engine-id";

        leaf engine-id {
          type snmp:engine-id;
          reference "SNMP-USER-BASED-SM-MIB.usmUserEngineID";
        }

        uses user-list;
      }
    }
  }

  grouping usm-target-params {
    container usm {
      description
        "User based SNMPv3 parameters type.

         Represents snmpTargetParamsMPModel '3' and
         snmpTargetParamsSecurityModel '3'";
      leaf user-name {
        type snmp:security-name;
        mandatory true;
        reference
          "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
      leaf security-level {
        type security-level;
        mandatory true;
        reference
          "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
      }
    }
  }

  augment /snmp:snmp/snmp:target/snmp:params {
    case usm {
      uses usm-target-params;
    }
  }

  augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
    case usm {
      uses usm-target-params;
    }
  }

  augment /snmp:snmp/snmp:target {
    leaf engine-id {
      type leafref {
        path "/snmp/usm/remote/engine-id";
      }
      must '../usm/user-name' {
        error-message
          "When engine-id is set, usm/user-name must also be set.";
      }
      must '/snmp/usm/remote[engine-id=current()]/'
         + 'user[name=current()/../usm/user-name]' {
        error-message
          "When engine-id is set, the usm/user-name must exist in
           the /snmp/usm/remote list for this engine-id.";
      }
      description
        "Needed only if this target can receive InformRequest-PDUs
         over SNMPv3.

         This object is not present in the SNMP MIBs.  In
         RFC 3412, it is an implementation-specific matter how this
         engine-id is handled.";
      reference "RFC 3412 7.1.9a";
    }
  }

}
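As an added illustration (not part of the draft), the following Python re-runs the cross-node rules that the ietf-snmp-usm and ietf-snmp-vacm submodules state through 'pattern', 'must' and prose: the key-octet pattern, the one-protocol-case rule, 'priv' requiring 'auth', the two 'must' statements on the target engine-id leaf, and the rule that one (security-name, security-model) pair belongs to at most one VACM group. The dict layout and every instance value are this example's own construction, not real keys.

```python
"""Added example, not from the draft: the cross-node rules that ietf-snmp-usm
and ietf-snmp-vacm express through 'pattern', 'must' and prose, re-run over a
plain dict whose keys mirror the YANG node names (instance values constructed)."""
import re

KEY_RE = re.compile(r"([0-9a-fA-F]){2}(:([0-9a-fA-F]){2})*")  # the 'key' leaf pattern

CONFIG = {
    "usm": {
        "local": {"user": [
            {"name": "monitor",
             "auth": {"sha": {"key": "0a:1b:2c:3d"}},
             "priv": {"aes": {"key": "4e:5f:60:71"}}},
            {"name": "broken-priv",                # priv without auth
             "priv": {"des": {"key": "00:11:22:33"}}},
            {"name": "bad-key",                    # key without colons
             "auth": {"md5": {"key": "0a1b2c"}}},
        ]},
        "remote": [{"engine-id": "80:00:00:00:01", "user": [
            {"name": "collector", "auth": {"sha": {"key": "aa:bb:cc:dd"}}}]}],
    },
    "target": [
        {"name": "nms", "engine-id": "80:00:00:00:01",
         "usm": {"user-name": "collector", "security-level": "auth-no-priv"}},
        {"name": "stale", "engine-id": "80:00:00:00:01",
         "usm": {"user-name": "nobody", "security-level": "auth-no-priv"}},
        {"name": "no-user", "engine-id": "80:00:00:00:01",
         "v2c": {"security-name": "public"}},
    ],
    "vacm": {"group": [
        {"name": "ops", "member": [{"security-name": "monitor", "security-model": ["usm"]}]},
        {"name": "ro", "member": [{"security-name": "monitor", "security-model": ["usm", "v2c"]}]},
    ]},
}


def check_users(users):
    """grouping user-list: one protocol case per auth/priv container, each
    key matching KEY_RE, and 'priv' only when 'auth' is present."""
    errors = []
    for user in users:
        for container, cases in (("auth", ("md5", "sha")), ("priv", ("des", "aes"))):
            node = user.get(container)
            if node is None:
                continue
            chosen = [c for c in cases if c in node]
            if len(chosen) != 1:
                errors.append("user %s: %s needs exactly one protocol case"
                              % (user["name"], container))
                continue
            if not KEY_RE.fullmatch(node[chosen[0]].get("key", "")):
                errors.append("user %s: %s/%s/key is not colon-separated hex"
                              % (user["name"], container, chosen[0]))
        if "priv" in user and "auth" not in user:
            errors.append("user %s: when privacy is used, authentication "
                          "must also be used" % user["name"])
    return errors


def check_target_engine_ids(config):
    """The two 'must' statements on the target engine-id leaf."""
    errors = []
    remotes = {r["engine-id"]: {u["name"] for u in r.get("user", [])}
               for r in config["usm"].get("remote", [])}
    for tgt in config["target"]:
        eid = tgt.get("engine-id")
        if eid is None:
            continue
        user_name = tgt.get("usm", {}).get("user-name")
        if user_name is None:
            errors.append("target %s: engine-id set but no usm/user-name"
                          % tgt["name"])
        elif user_name not in remotes.get(eid, set()):
            errors.append("target %s: user %s not under remote engine %s"
                          % (tgt["name"], user_name, eid))
    return errors


def check_group_membership(groups):
    """A (security-name, security-model) pair MUST NOT be in two groups."""
    errors, seen = [], {}
    for group in groups:
        for member in group.get("member", []):
            for model in member["security-model"]:
                pair = (member["security-name"], model)
                if pair in seen:
                    errors.append("(%s, %s) is a member of both %s and %s"
                                  % (pair + (seen[pair], group["name"])))
                else:
                    seen[pair] = group["name"]
    return errors


def validate(config):
    """Run every check over a configuration instance; [] means valid."""
    errors = check_users(config["usm"]["local"]["user"])
    for remote in config["usm"].get("remote", []):
        errors += check_users(remote.get("user", []))
    errors += check_target_engine_ids(config)
    return errors + check_group_membership(config["vacm"]["group"])
```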
3.10.  Submodule 'ietf-snmp-tsm'

file "ietf-snmp-tsm.yang"

submodule ietf-snmp-tsm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the Transport Security Model (TSM) of SNMP.

     Copyright (c) 2011 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC5591: Transport Security Model for the
     Simple Network Management Protocol (SNMP)";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2012-06-05 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {
    if-feature tsm;
    container tsm {
      description
        "Configuration of the Transport-based Security Model";

      leaf use-prefix {
        type boolean;
        default false;
        reference
          "SNMP-TSM-MIB.snmpTsmConfigurationUsePrefix";
      }
    }
  }

  grouping tsm-target-params {
    container tsm {
      description
        "Transport based security SNMPv3 parameters type.

         Represents snmpTargetParamsMPModel '3' and
         snmpTargetParamsSecurityModel '4'";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        reference
          "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
      leaf security-level {
        type security-level;
        mandatory true;
        reference
          "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
      }
    }
  }

  augment /snmp:snmp/snmp:target/snmp:params {
    if-feature tsm;
    case tsm {
      uses tsm-target-params;
    }
  }

  augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
    if-feature tsm;
    case tsm {
      uses tsm-target-params;
    }
  }
}
Submodule 'ietf-snmp-tls' 2291 file "ietf-snmp-tls.yang" 2293 submodule ietf-snmp-tls { 2295 belongs-to ietf-snmp { 2296 prefix snmp; 2297 } 2299 import ietf-inet-types { 2300 prefix inet; 2301 } 2302 include ietf-snmp-common; 2303 include ietf-snmp-engine; 2304 include ietf-snmp-target; 2306 organization 2307 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 2309 contact 2310 "WG Web: 2311 WG List: 2313 WG Chair: David Kessens 2314 2316 WG Chair: Juergen Schoenwaelder 2317 2319 Editor: Martin Bjorklund 2320 2322 Editor: Juergen Schoenwaelder 2323 "; 2325 description 2326 "This submodule contains a collection of YANG definitions for 2327 configuring the Transport Layer Security Transport Model (TLSTM) 2328 of SNMP. 2330 Copyright (c) 2011 IETF Trust and the persons identified as 2331 authors of the code. All rights reserved. 2333 Redistribution and use in source and binary forms, with or 2334 without modification, is permitted pursuant to, and subject 2335 to the license terms contained in, the Simplified BSD License 2336 set forth in Section 4.c of the IETF Trust's Legal Provisions 2337 Relating to IETF Documents 2338 (http://trustee.ietf.org/license-info). 2340 This version of this YANG module is part of RFC XXXX; see 2341 the RFC itself for full legal notices."; 2343 // RFC Ed.: replace XXXX with actual RFC number and remove this 2344 // note. 2346 reference 2347 "RFC6353: Transport Layer Security (TLS) Transport Model for 2348 the Simple Network Management Protocol (SNMP)"; 2350 // RFC Ed.: update the date below with the date of RFC publication 2351 // and remove this note. 2353 revision 2012-06-05 { 2354 description 2355 "Initial revision."; 2356 reference 2357 "RFC XXXX: A YANG Data Model for SNMP Configuration"; 2358 } 2360 /* Typedefs */ 2362 typedef tls-fingerprint { 2363 type string { // FIXME hex-string? 
         pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}';
       }
     }

     /* Identities */

     identity cert-to-tm-security-name {
     }

     identity specified {
       base cert-to-tm-security-name;
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
     }

     identity san-rfc822-name {
       base cert-to-tm-security-name;
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
     }

     identity san-dns-name {
       base cert-to-tm-security-name;
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
     }

     identity san-ip-address {
       base cert-to-tm-security-name;
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
     }

     identity san-any {
       base cert-to-tm-security-name;
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
     }

     augment /snmp:snmp/snmp:engine/snmp:listen {
       if-feature tlstm;
       list tls {
         key "ip port";
         description
           "A list of IPv4 and IPv6 addresses and ports to which the
            engine listens for SNMP messages over TLS.";

         leaf ip {
           type inet:ip-address;
           description
             "The IPv4 or IPv6 address on which the engine listens
              for SNMP messages over TLS.";
         }
         leaf port {
           type inet:port-number;
           description
             "The TCP port on which the engine listens for SNMP
              messages over TLS.";
         }
       }
       list dtls {
         key "ip port";
         description
           "A list of IPv4 and IPv6 addresses and ports to which the
            engine listens for SNMP messages over DTLS.";

         leaf ip {
           type inet:ip-address;
           description
             "The IPv4 or IPv6 address on which the engine listens
              for SNMP messages over DTLS.";
         }
         leaf port {
           type inet:port-number;
           description
             "The UDP port on which the engine listens for SNMP messages
              over DTLS.";
         }
       }
     }

     augment /snmp:snmp {
       if-feature tlstm;
       container tlstm {
         list cert-to-tm-security-name {
           key id;
           reference
             "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";
           leaf id {
             type uint32;
             reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
           }
           leaf fingerprint {
             type tls-fingerprint;
             reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
           }
           leaf map-type {
             type identityref {
               base cert-to-tm-security-name;
             }
             reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
           }
           // FIXME: not as flexible as the mib. to get the same
           // flexibility, either change this to data (choice of binary
           // and string), or remove the identities and use
           // augmentation.
           leaf cert-specified-tm-security-name {
             when "../map-type = snmp:specified";
             type admin-string;
             reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
           }
         }
       }
     }

     grouping tls-transport {
       leaf ip {
         type inet:ip-address;
         reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
       }
       leaf port {
         type inet:port-number;
         default 10161;
         reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
       }
       leaf client-fingerprint {
         type tls-fingerprint;
         reference "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint";
       }
       choice server-identification {
         leaf server-fingerprint {
           type tls-fingerprint;
           reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint";
         }
         leaf server-identity {
           type admin-string;
           reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity";
         }
       }
     }

     augment /snmp:snmp/snmp:target/snmp:transport {
       if-feature tlstm;
       case tls {
         reference "SNMP-TLS-TM-MIB.snmpTLSTCPDomain";
         container tls {
           uses tls-transport;
         }
       }
     }

     augment /snmp:snmp/snmp:target/snmp:transport {
       if-feature tlstm;
       case dtls {
         reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain";
         container dtls {
           uses tls-transport;
         }
       }
     }
   }
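   The following Python is added here as an illustration and is not
   part of the draft or of any project's code.  It validates values
   against the tls-fingerprint pattern of the submodule above and
   resolves a peer certificate to a tmSecurityName through a
   cert-to-tm-security-name list using the map-type identities defined
   above.  It assumes the RFC 6353 processing order (entries tried in
   ascending id, the first fingerprint match decides, and san-any takes
   the first subjectAltName of any of the three types in certificate
   order) and, as a further assumption not stated on this page, treats
   a matched entry whose mapping produces no name as a rejection rather
   than falling through to a later entry.  The PeerCert representation,
   the helper names and the sample SAN values are constructed for the
   example; the two list entries are those of Appendix A.7.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Pattern copied verbatim from the tls-fingerprint typedef in ietf-snmp-tls:
# 5 to 32 colon-separated hex octets in either case.  YANG patterns are
# implicitly anchored, so anchor here too: trailing junk must not pass.
TLS_FINGERPRINT_RE = re.compile(r'^([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}$')


def is_tls_fingerprint(value: str) -> bool:
    """True if value is syntactically valid for the tls-fingerprint typedef."""
    return TLS_FINGERPRINT_RE.match(value) is not None


# The identities derived from cert-to-tm-security-name, keyed by the SAN
# types their mapping consumes.  'specified' consumes no SAN at all.
_SAN_TYPES_FOR_MAP_TYPE = {
    'san-rfc822-name': ('rfc822Name',),
    'san-dns-name':    ('dNSName',),
    'san-ip-address':  ('iPAddress',),
    'san-any':         ('rfc822Name', 'dNSName', 'iPAddress'),
}


@dataclass(frozen=True)
class CertToTsnEntry:
    """One entry of /snmp/tlstm/cert-to-tm-security-name."""
    id: int
    fingerprint: str
    map_type: str                          # identity name, without prefix
    specified_name: Optional[str] = None   # cert-specified-tm-security-name

    def __post_init__(self) -> None:
        # Enforce on the data what the YANG typedef and 'when' enforce.
        if not is_tls_fingerprint(self.fingerprint):
            raise ValueError(f'entry {self.id}: invalid tls-fingerprint {self.fingerprint!r}')
        if self.map_type != 'specified' and self.map_type not in _SAN_TYPES_FOR_MAP_TYPE:
            raise ValueError(f'entry {self.id}: unknown map-type {self.map_type!r}')
        if self.map_type == 'specified' and not self.specified_name:
            raise ValueError(f'entry {self.id}: specified map-type needs a name')


@dataclass(frozen=True)
class PeerCert:
    """Constructed stand-in for a presented certificate: its fingerprint and
    its subjectAltName values in certificate order, as (type, value) pairs."""
    fingerprint: str
    sans: Tuple[Tuple[str, str], ...] = ()


def map_entry(entry: CertToTsnEntry, cert: PeerCert) -> Optional[str]:
    """Apply one entry's map-type to the certificate; None if it yields no name."""
    if entry.map_type == 'specified':
        return entry.specified_name
    wanted = _SAN_TYPES_FOR_MAP_TYPE[entry.map_type]
    # Walk the SANs in certificate order: for san-any the first SAN of any of
    # the three types is used, not a fixed preference among the types.
    for san_type, san_value in cert.sans:
        if san_type in wanted:
            return san_value
    return None


def resolve_tm_security_name(entries: List[CertToTsnEntry],
                             cert: PeerCert) -> Optional[str]:
    """Derive the tmSecurityName for a peer certificate, or None to reject it.

    Entries are tried in ascending id and the first fingerprint match decides.
    Assumption: a matched entry whose mapping yields no name rejects the
    certificate instead of falling through, so entry ordering is security
    relevant and worth reviewing in a configuration.
    """
    for entry in sorted(entries, key=lambda e: e.id):
        if entry.fingerprint.lower() == cert.fingerprint.lower():
            return map_entry(entry, cert)
    return None


# The two entries from Appendix A.7: entry 1 maps by any SAN, entry 2 (same
# fingerprint) maps to the fixed name "Joe Cool".
APPENDIX_A7_ENTRIES = [
    CertToTsnEntry(id=1, fingerprint='11:0A:05:11:00', map_type='san-any'),
    CertToTsnEntry(id=2, fingerprint='11:0A:05:11:00', map_type='specified',
                   specified_name='Joe Cool'),
]

if __name__ == '__main__':
    # Constructed certificates whose fingerprint matches the A.7 entries.
    with_san = PeerCert('11:0a:05:11:00', (('dNSName', 'agent.example.com'),))
    without_san = PeerCert('11:0a:05:11:00')
    print(resolve_tm_security_name(APPENDIX_A7_ENTRIES, with_san))
    print(resolve_tm_security_name(APPENDIX_A7_ENTRIES, without_san))
```

   With the A.7 entries, a certificate carrying the shared fingerprint
   and a dNSName resolves to that name through entry 1; the same
   certificate without any subjectAltName is rejected, because entry 1
   still wins the fingerprint match and entry 2's fixed name is never
   consulted.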
4.  IANA Considerations

   This document registers a URI in the IETF XML registry [RFC3688].
   Following the format in RFC 3688, the following registration is
   requested to be made.

        URI: urn:ietf:params:xml:ns:yang:ietf-snmp

        Registrant Contact: The NETMOD WG of the IETF.

        XML: N/A, the requested URI is an XML namespace.

   This document registers a YANG module in the YANG Module Names
   registry [RFC6020].

     name:         ietf-snmp
     namespace:    urn:ietf:params:xml:ns:yang:ietf-snmp
     prefix:       snmp
     reference:    RFC XXXX

   This document registers the following YANG submodules in the YANG
   Module Names registry [RFC6020].

     name:         ietf-snmp-common
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-engine
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-community
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-notification
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-target
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-vacm
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-usm
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-tsm
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-tls
     parent:       ietf-snmp
     reference:    RFC XXXX

5.  Security Considerations

   The YANG module and submodules defined in this memo are designed to
   be accessed via the NETCONF protocol [RFC6241].  The lowest NETCONF
   layer is the secure transport layer and the mandatory-to-implement
   secure transport is SSH [RFC6242].

   There are a number of data nodes defined in the YANG module and
   submodules which are writable/creatable/deletable (i.e., config true,
   which is the default).  These data nodes may be considered sensitive
   or vulnerable in some network environments.  Write operations (e.g.,
   edit-config) to these data nodes without proper protection can have a
   negative effect on network operations.  These are the subtrees and
   data nodes and their sensitivity/vulnerability:

   Some of the readable data nodes in the YANG module and submodules may
   be considered sensitive or vulnerable in some network environments.
   It is thus important to control read access (e.g., via get, get-
   config, or notification) to these data nodes.  These are the subtrees
   and data nodes and their sensitivity/vulnerability:

6.  Acknowledgments

   The authors want to thank David Spakes for his review and valuable
   comments.

7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6241]  Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
              Bierman, "Network Configuration Protocol (NETCONF)",
              RFC 6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, June 2011.

7.2.  Informative References

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412,
              December 2002.

   [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62,
              RFC 3413, December 2002.

   [RFC3414]  Blumenthal, U. and B.
              Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415,
              December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC3584]  Frye, R., Levi, D., Routhier, S., and B. Wijnen,
              "Coexistence between Version 1, Version 2, and Version 3
              of the Internet-standard Network Management Framework",
              BCP 74, RFC 3584, August 2003.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)",
              RFC 5591, June 2009.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              RFC 6353, July 2011.

Appendix A.  Example configurations

A.1.  Engine Configuration Example

   Below is an XML instance document showing a configuration of an SNMP
   engine listening on UDP port 161 on IPv4 and IPv6 endpoints and
   accepting SNMPv2c and SNMPv3 messages.

   (The element markup of this instance document was lost in
   extraction; the element values survive, in document order.)

     true

     0.0.0.0
     161

     ::
     161

     80:00:02:b8:04:61:62:63

A.2.  Community Configuration Example

   Below is an XML instance document showing a configuration that maps
   the community name "public" to the security-name "community-public"
   on the local engine with the default context name.  The target tag
   "community-public-access" filters the access to this community name.
   (The element markup of this instance document was lost in
   extraction; the element values survive, in document order.)

     1
     public
     community-public
     community-public-access

     bluebox
     2001:db8::abcd
     161
     blue
     community-public

A.3.  User-based Security Model Configuration Example

   Below is an XML instance document showing the configuration of a
   local user "joey" who has no authentication or privacy keys.  For the
   remote SNMP engine identified by the snmpEngineID
   '800002b804616263'H, two users are configured.  The user "matt" has a
   localized SHA authentication key and the user "russ" has a localized
   SHA authentication key and an AES encryption key.

   (The element markup of this instance document was lost in
   extraction; the element values survive, in document order.)

     joey

     00:00:00:00:00:00:00:00:00:00:00:02

     matt
     66:95:fe:bc:92:88:e3:62:82:23:
     5f:c7:15:1f:12:84:97:b3:8f:3f

     russ
     66:95:fe:bc:92:88:e3:62:82:23:
     5f:c7:15:1f:12:84:97:b3:8f:3f
     66:95:fe:bc:92:88:e3:62:82:23:
     5f:c7:15:1f:12:84

     bluebox
     2001:db8::abcd
     161
     blue
     matt
     auth-no-priv

A.4.  Target and Notification Configuration Example

   Below is an XML instance document showing the configuration of a
   notification generator application (see Appendix A of [RFC3413]).
   Note that the USM-specific objects are defined in the ietf-snmp-
   usm.yang submodule.

   (The element markup of this instance document was lost in
   extraction; the element values survive, in document order.)

     addr1
     192.0.2.3
     162
     group1
     joe
     auth-no-priv

     addr2
     192.0.2.6
     162
     group1
     joe
     auth-no-priv

     addr3
     192.0.2.9
     162
     group2
     bob
     auth-priv

     group1
     group1
     trap

     group2
     group2
     trap

A.5.  Proxy Configuration Example

   Below is an XML instance document showing the configuration of a
   proxy forwarder application.  It proxies SNMPv2c messages from
   command generators to a file server running an SNMPv1 agent that
   recognizes two community strings, "private" and "public", with
   different associated read views.  The file server is represented as
   two "target" instances, one for each community string.

   If the proxy receives an SNMPv2c message with the community string
   "public" from a device in the "Office Network" or "Home Office
   Network", it gets tagged as "trusted", and the proxy uses the
   "private" community string when sending the message to the file
   server.  Other SNMPv2c messages with the community string "public"
   get tagged as "non-trusted", and the proxy uses the "public"
   community string for these messages.  There is also a special
   "backdoor" community string that can be used from any location to get
   "trusted" access.

   The "Office Network" and "Home Office Network" are represented as two
   "target" instances.
   (The element markup of this instance document was lost in
   extraction; the element values survive, in document order.)

     File Server (private)
     192.0.2.1
     private

     File Server (public)
     192.0.2.1
     public

     Office Network
     192.0.2.0
     24
     office

     Home Office Network
     203.0.113.0
     24
     home-office

     c1
     public
     80:00:61:81:c8
     trusted
     office

     c2
     public
     80:00:61:81:c8
     trusted
     home-office

     c3
     public
     80:00:61:81:c8
     not-trusted

     c4
     backdoor
     public
     80:00:61:81:c8
     trusted

     c5
     private
     80:00:61:81:c8
     trusted

     p1
     read
     80:00:61:81:c8
     trusted
     public
     File Server (private)

     p2
     read
     80:00:61:81:c8
     not-trusted
     public
     File Server (public)

   If an SNMPv2c Get request with community string "public" is received
   from an IP address tagged as "office" or "home-office", or if the
   request is received from anywhere else with community string
   "backdoor", the implied context is "trusted" and so proxy entry "p1"
   matches.  The request is forwarded to the file server as SNMPv1 with
   community "private" using community table entry "c5" for outbound
   params lookup.

   If an SNMPv2c Get request with community string "public" is received
   from any other IP address, the implied context is "not-trusted" so
   proxy entry "p2" matches, and the request is forwarded to the file
   server as SNMPv1 with community "public".

A.6.  View-based Access Control Model Configuration Example

   Below is an XML instance document showing the minimum-secure VACM
   configuration (see Appendix A of [RFC3415]).
   (The element markup of this instance document was lost in
   extraction; the element values survive, in document order.)

     initial
     initial
     usm

     usm
     no-auth-no-priv
     restricted
     restricted

     usm
     auth-no-priv
     internet
     internet
     internet

     initial
     1.3.6.1

     restricted
     1.3.6.1

   The following XML instance document shows the semi-secure VACM
   configuration (only the view configuration is different).

   (The element markup of this instance document was lost in
   extraction; the element values survive, in document order.)

     initial
     initial
     usm

     usm
     no-auth-no-priv
     restricted
     restricted

     usm
     auth-no-priv
     internet
     internet
     internet

     initial
     1.3.6.1

     restricted
     1.3.6.1.2.1.1
     1.3.6.1.2.1.11
     1.3.6.1.6.3.10.2.1
     1.3.6.1.6.3.11.2.1
     1.3.6.1.6.3.15.1.1

A.7.  Transport Layer Security Transport Model Configuration Example

   Below is an XML instance document showing the configuration of the
   certificate to security name mapping (see Appendix A.2 and A.3 of
   [RFC6353]).

   <snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
     <tlstm>
       <cert-to-tm-security-name>
         <id>1</id>
         <fingerprint>11:0A:05:11:00</fingerprint>
         <map-type>san-any</map-type>
       </cert-to-tm-security-name>
       <cert-to-tm-security-name>
         <id>2</id>
         <fingerprint>11:0A:05:11:00</fingerprint>
         <map-type>specified</map-type>
         <cert-specified-tm-security-name>Joe Cool</cert-specified-tm-security-name>
       </cert-to-tm-security-name>
     </tlstm>
   </snmp>

Authors' Addresses

   Martin Bjorklund
   Tail-f Systems

   Email: mbj@tail-f.com

   Juergen Schoenwaelder
   Jacobs University

   Email: j.schoenwaelder@jacobs-university.de
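   The two VACM configurations in Appendix A.6 share their group,
   member and access entries and differ only in the "restricted" view
   that noAuthNoPriv requests are read against.  The following Python is
   an added illustration, not code from the draft: it holds both
   configurations as data and runs a simplified isAccessAllowed over
   them so the practical difference shows for a concrete object.  It is
   simplified in that context-name matching and view masks are omitted,
   the access-entry choice keeps only the model and security-level rules
   of RFC 3415, and the 1.3.6.1 view is stored under the name "internet"
   because that is the name the A.6 access entries reference (the A.6
   listing prints that view's name as "initial"; a build with that name
   is exercised too).  The helper names and the choice of ifDescr and
   sysDescr as sample objects are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Security levels in increasing order, as named by the access entries.
LEVEL_RANK = {'no-auth-no-priv': 1, 'auth-no-priv': 2, 'auth-priv': 3}


@dataclass(frozen=True)
class AccessEntry:
    security_model: str
    security_level: str
    read_view: Optional[str] = None
    write_view: Optional[str] = None
    notify_view: Optional[str] = None


@dataclass(frozen=True)
class ViewSubtree:
    oid: str
    included: bool = True   # A.6 only uses included subtrees; excluded ones work too


@dataclass
class Vacm:
    members: Dict[str, Tuple[Tuple[str, str], ...]]  # group -> ((security-name, security-model), ...)
    access: Dict[str, Tuple[AccessEntry, ...]]       # group -> access entries
    views: Dict[str, Tuple[ViewSubtree, ...]]        # view name -> subtree families


def _oid(text: str) -> Tuple[int, ...]:
    return tuple(int(arc) for arc in text.split('.'))


def oid_in_view(vacm: Vacm, view_name: str, oid: str) -> bool:
    """View check without masks: the longest matching subtree family decides."""
    target = _oid(oid)
    best: Optional[Tuple[int, bool]] = None
    for sub in vacm.views.get(view_name, ()):
        prefix = _oid(sub.oid)
        if target[:len(prefix)] == prefix and (best is None or len(prefix) > best[0]):
            best = (len(prefix), sub.included)
    return best is not None and best[1]


def group_of(vacm: Vacm, security_name: str, security_model: str) -> Optional[str]:
    for group, members in vacm.members.items():
        if (security_name, security_model) in members:
            return group
    return None


def is_access_allowed(vacm: Vacm, security_model: str, security_name: str,
                      security_level: str, view_type: str, oid: str) -> bool:
    """Simplified isAccessAllowed: no context-name matching, no masks."""
    group = group_of(vacm, security_name, security_model)
    if group is None:
        return False
    rank = LEVEL_RANK[security_level]
    # An access entry applies when its model matches and its level is not
    # above the request's level; the highest-level applicable entry wins.
    candidates = [a for a in vacm.access.get(group, ())
                  if a.security_model == security_model
                  and LEVEL_RANK[a.security_level] <= rank]
    if not candidates:
        return False
    entry = max(candidates, key=lambda a: LEVEL_RANK[a.security_level])
    view_name = {'read': entry.read_view, 'write': entry.write_view,
                 'notify': entry.notify_view}[view_type]
    # A missing or dangling view name denies access (fail closed).
    return view_name is not None and oid_in_view(vacm, view_name, oid)


def build_a6_vacm(restricted_subtrees: List[str],
                  internet_view_name: str = 'internet') -> Vacm:
    """Group, member and access entries common to both A.6 variants; only the
    'restricted' view differs.  internet_view_name is the name given to the
    1.3.6.1 view (assumption: 'internet', the name the access entries use)."""
    return Vacm(
        members={'initial': (('initial', 'usm'),)},
        access={'initial': (
            AccessEntry('usm', 'no-auth-no-priv',
                        read_view='restricted', notify_view='restricted'),
            AccessEntry('usm', 'auth-no-priv',
                        read_view='internet', write_view='internet', notify_view='internet'),
        )},
        views={
            internet_view_name: (ViewSubtree('1.3.6.1'),),
            'restricted': tuple(ViewSubtree(o) for o in restricted_subtrees),
        },
    )


MINIMUM_SECURE = build_a6_vacm(['1.3.6.1'])
SEMI_SECURE = build_a6_vacm(['1.3.6.1.2.1.1', '1.3.6.1.2.1.11', '1.3.6.1.6.3.10.2.1',
                             '1.3.6.1.6.3.11.2.1', '1.3.6.1.6.3.15.1.1'])

IF_DESCR_1 = '1.3.6.1.2.1.2.2.1.2.1'   # ifDescr.1: outside the semi-secure restricted view
SYS_DESCR_0 = '1.3.6.1.2.1.1.1.0'      # sysDescr.0: inside it

if __name__ == '__main__':
    for name, cfg in (('minimum-secure', MINIMUM_SECURE), ('semi-secure', SEMI_SECURE)):
        print(name, 'noAuthNoPriv read of ifDescr.1:',
              is_access_allowed(cfg, 'usm', 'initial', 'no-auth-no-priv', 'read', IF_DESCR_1))
```

   Under minimum-secure an unauthenticated read of ifDescr.1 is allowed,
   because "restricted" covers all of 1.3.6.1; under semi-secure the same
   request is denied while sysDescr.0 stays readable, and a write at
   noAuthNoPriv is denied in both because that access entry has no
   write-view.  Built with the view named "initial" as the listing prints
   it, every authNoPriv request is denied, since the access entries'
   reference to "internet" then resolves to nothing.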