Network Working Group                                       M. Bjorklund
Internet-Draft                                            Tail-f Systems
Intended status: Standards Track                        J. Schoenwaelder
Expires: October 27, 2013                              Jacobs University
                                                          April 25, 2013


               A YANG Data Model for SNMP Configuration
                      draft-ietf-netmod-snmp-cfg-02

Abstract

   This document defines a collection of YANG definitions for
   configuring SNMP engines.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 27, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Data Model
     2.1.  Tree Diagrams
     2.2.  General Considerations
     2.3.  Common Definitions
     2.4.  Engine Configuration
     2.5.  Target Configuration
     2.6.  Notification Configuration
     2.7.  Proxy Configuration
     2.8.  Community Configuration
     2.9.  View-based Access Control Model Configuration
     2.10. User-based Security Model Configuration
     2.11. Transport Security Model Configuration
     2.12. Transport Layer Security Transport Model Configuration
     2.13. Secure Shell Transport Model Configuration
   3.  Definitions
     3.1.  Module 'ietf-x509-cert-to-name'
     3.2.  Module 'ietf-snmp'
     3.3.  Submodule 'ietf-snmp-common'
     3.4.  Submodule 'ietf-snmp-engine'
     3.5.  Submodule 'ietf-snmp-target'
     3.6.  Submodule 'ietf-snmp-notification'
     3.7.  Submodule 'ietf-snmp-proxy'
     3.8.  Submodule 'ietf-snmp-community'
     3.9.  Submodule 'ietf-snmp-vacm'
     3.10. Submodule 'ietf-snmp-usm'
     3.11. Submodule 'ietf-snmp-tsm'
     3.12. Submodule 'ietf-snmp-tls'
     3.13. Submodule 'ietf-snmp-ssh'
   4.  IANA Considerations
   5.  Security Considerations
   6.  Acknowledgments
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Example configurations
     A.1.  Engine Configuration Example
     A.2.  Community Configuration Example
     A.3.  User-based Security Model Configuration Example
     A.4.  Target and Notification Configuration Example
     A.5.  Proxy Configuration Example
     A.6.  View-based Access Control Model Configuration Example
     A.7.  Transport Layer Security Transport Model Configuration
           Example
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020] data model for the
   configuration of SNMP engines.  The configuration model is consistent
   with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413],
   [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591], [RFC5592], and
   [RFC6353] but takes advantage of YANG's ability to define
   hierarchical configuration data models.  The structure of the model
   has been derived from existing proprietary configuration models
   implemented as command line interfaces.

   This document also defines a YANG data model for mapping an X.509
   certificate to a name.

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14, [RFC2119].

2.  Data Model

   In order to preserve the modularity of SNMP, the YANG configuration
   data model is organized in a set of YANG submodules, all sharing the
   same module namespace.
   This allows adding configuration support for additional SNMP features
   while keeping the number of namespaces that have to be dealt with
   down to a minimum.

2.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is as
   follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.2.  General Considerations

   Most YANG nodes are mapped 1-1 to the corresponding MIB object.  The
   "reference" statement is used to indicate which corresponding MIB
   object the YANG node is mapped to.  When there is not a simple 1-1
   mapping, the "description" statement explains the mapping.

2.3.  Common Definitions

   The submodule "ietf-snmp-common" defines a set of common typedefs and
   the top-level container "snmp".  All configuration parameters defined
   in the other submodules are organized under this top-level container.

2.4.  Engine Configuration

   The submodule "ietf-snmp-engine", which defines configuration
   parameters that are specific to SNMP engines, has the following
   structure:

   +--rw snmp
      +--rw engine
         +--rw enabled?               boolean
         +--rw listen
         |  +--rw udp [ip port]
         |     +--rw ip     inet:ip-address
         |     +--rw port   inet:port-number
         +--rw version
         |  +--rw v1?    empty
         |  +--rw v2c?   empty
         |  +--rw v3?    empty
         +--rw engine-id?             snmp:engine-id
         +--rw enable-authen-traps?   boolean

   The leaf "/snmp/engine/enabled" can be used to enable/disable an SNMP
   engine.
   The container "/snmp/engine/listen" provides configuration of the
   transport endpoints the engine is listening to.  In this submodule,
   SNMP over UDP is defined.  TLS and Datagram Transport Layer Security
   (DTLS) are also supported, defined in "ietf-snmp-tls" (Section 2.12).
   The "listen" container is expected to be augmented for other
   transports.

   The "/snmp/engine/version" container can be used to enable/disable
   the different message processing models.

2.5.  Target Configuration

   The submodule "ietf-snmp-target", which defines configuration
   parameters that correspond to the objects in SNMP-TARGET-MIB, has the
   following structure:

   +--rw snmp
      +--rw target [name]
         +--rw name             snmp:identifier
         +--rw (transport)
         |  +--:(udp)
         |     +--rw udp
         |        +--rw ip               inet:ip-address
         |        +--rw port?            inet:port-number
         |        +--rw prefix-length?   uint8
         +--rw tag*             snmp:identifier
         +--rw timeout?         uint32
         +--rw retries?         uint8
         +--rw (params)?

   An entry in the list "/snmp/target" corresponds to an
   "snmpTargetAddrEntry".

   The "snmpTargetAddrTDomain" and "snmpTargetAddrTAddress" objects are
   mapped to transport-specific YANG nodes.  Each transport is
   configured as a separate case in the "transport" choice.  In this
   submodule, SNMP over UDP is defined.  TLS and DTLS are also
   supported, defined in "ietf-snmp-tls" (Section 2.12).  The
   "transport" choice is expected to be augmented for other transports.

   In order to provide a simpler configuration model with fewer cross-
   references, the "target" list also inlines the
   "snmpTargetParamsEntry" pointed to by "snmpTargetAddrParams".  This
   is accomplished with a choice "params", which is augmented by
   security model specific submodules, currently "ietf-snmp-community"
   (Section 2.8), "ietf-snmp-usm" (Section 2.10), and "ietf-snmp-tls"
   (Section 2.12).
   The YANG model does not define a separate list that maps directly to
   "snmpTargetParamsTable".  Since "snmpProxyTable" also has a reference
   to this table, "snmpProxyTable" also has a choice "params" which is
   augmented by security model specific submodules (Section 2.7).

2.6.  Notification Configuration

   The submodule "ietf-snmp-notification", which defines configuration
   parameters that correspond to the objects in SNMP-NOTIFICATION-MIB,
   has the following structure:

   +--rw snmp
      +--rw notify [name]
      |  +--rw name    snmp:identifier
      |  +--rw tag     snmp:identifier
      |  +--rw type?   enumeration
      +--rw notify-filter-profile [name]
         +--rw name       snmp:identifier
         +--rw include*   wildcard-object-identifier
         +--rw exclude*   wildcard-object-identifier

   It also augments the "target" list defined in the "ietf-snmp-target"
   submodule (Section 2.5) with one leaf:

   +--rw snmp
      +--rw target [name]
         ...
         +--rw notify-filter-profile?   leafref

   An entry in the list "/snmp/notify" corresponds to an
   "snmpNotifyEntry".

   An entry in the list "/snmp/notify-filter-profile" corresponds to an
   "snmpNotifyFilterProfileEntry".  In the MIB, there is a sparse
   relationship between "snmpTargetParamsTable" and
   "snmpNotifyFilterProfileTable".  In the YANG model, this sparse
   relationship is represented with a leafref leaf
   "notify-filter-profile" in the "/snmp/target" list, which refers to
   an entry in the "/snmp/notify-filter-profile" list.

   The "snmpNotifyFilterTable" is represented as a list "filter" within
   the "/snmp/notify-filter-profile" list.

   This submodule defines the feature "notification-filter".  A server
   implements this feature if it supports SNMP notification filtering.

2.7.  Proxy Configuration

   The submodule "ietf-snmp-proxy", which defines configuration
   parameters that correspond to the objects in SNMP-PROXY-MIB, has the
   following structure:

   +--rw snmp
      +--rw proxy [name]
         +--rw name                   snmp:identifier
         +--rw type                   enumeration
         +--rw context-engine-id      snmp:engine-id
         +--rw context-name?          snmp:context-name
         +--rw params-in
         |  +--rw (params)
         +--rw single-target-out?     snmp:identifier
         +--rw multiple-target-out?   snmp:identifier

   An entry in the list "/snmp/proxy" corresponds to an
   "snmpProxyEntry".

   Like the "target" list (Section 2.5), the "proxy" list inlines the
   "snmpTargetParamsEntry" pointed to by "snmpProxyTargetParamsIn".
   This is accomplished with a choice "params", which is augmented by
   security model specific submodules, currently "ietf-snmp-community"
   (Section 2.8), "ietf-snmp-usm" (Section 2.10), and "ietf-snmp-tls"
   (Section 2.12).

   This submodule defines the feature "proxy".  A server implements this
   feature if it can act as an SNMP Proxy.

2.8.  Community Configuration

   The submodule "ietf-snmp-community", which defines configuration
   parameters that correspond to the objects in SNMP-COMMUNITY-MIB, has
   the following structure:

   +--rw snmp
      +--rw community [index]
         +--rw index            snmp:identifier
         +--rw (name)?
         |  +--:(text-name)
         |  |  +--rw text-name?     string
         |  +--:(binary-name)
         |     +--rw binary-name?   binary
         +--rw security-name    snmp:security-name
         +--rw engine-id?       snmp:engine-id
         +--rw context?         snmp:context-name
         +--rw target-tag?      snmp:identifier

   It also augments the "/snmp/target/params" and "/snmp/proxy/
   params-in/params" choices with nodes for the Community-Based Security
   Model used by SNMPv1 and SNMPv2c:

   +--rw snmp
      +--rw target [name]
      |  ...
      |  +--rw (params)?
      |  |  +--:(v1)
      |  |  |  +--rw v1
      |  |  |     +--rw security-name   snmp:security-name
      |  |  +--:(v2c)
      |  |     +--rw v2c
      |  |        +--rw security-name   snmp:security-name
      |  +--rw mms?   union
      +--rw proxy
         +--rw params-in
            +--rw params
               +--:(v1)
               |  +--rw v1
               |     +--rw security-name   snmp:security-name
               +--:(v2c)
                  +--rw v2c
                     +--rw security-name   snmp:security-name

   An entry in the list "/snmp/community" corresponds to an
   "snmpCommunityEntry".

   When a case "v1" or "v2c" is chosen, it implies a
   snmpTargetParamsMPModel 0 (SNMPv1) or 1 (SNMPv2), and a
   snmpTargetParamsSecurityModel 1 (SNMPv1) or 2 (SNMPv2), respectively.
   Both cases imply a snmpTargetParamsSecurityLevel of noAuthNoPriv.

2.9.  View-based Access Control Model Configuration

   The submodule "ietf-snmp-vacm", which defines configuration
   parameters that correspond to the objects in SNMP-VIEW-BASED-ACM-MIB,
   has the following structure:

   +--rw snmp
      +--rw vacm
         +--rw group [name]
         |  +--rw name      group-name
         |  +--rw member [security-name]
         |  |  +--rw security-name     snmp:security-name
         |  |  +--rw security-model*   snmp:security-model
         |  +--rw access [context security-model security-level]
         |     +--rw context          snmp:context-name
         |     +--rw context-match?   enumeration
         |     +--rw security-model   snmp:security-model-or-any
         |     +--rw security-level   snmp:security-level
         |     +--rw read-view?       view-name
         |     +--rw write-view?      view-name
         |     +--rw notify-view?     view-name
         +--rw view [name]
            +--rw name       view-name
            +--rw include*   snmp:wildcard-object-identifier
            +--rw exclude*   snmp:wildcard-object-identifier

   The "vacmSecurityToGroupTable" and "vacmAccessTable" are mapped to a
   structure of nested lists in the YANG model.  Groups are defined in
   the list "/snmp/vacm/group" and for each group there is a sublist
   "member" that maps to "vacmSecurityToGroupTable", and a sublist
   "access" that maps to "vacmAccessTable".
   MIB views are defined in the list "/snmp/vacm/view" and for each MIB
   view there is a leaf-list of included subtree families and a leaf-
   list of excluded subtree families.  This is more compact and thus a
   more readable representation of the "vacmViewTreeFamilyTable".

2.10.  User-based Security Model Configuration

   The submodule "ietf-snmp-usm", which defines configuration parameters
   that correspond to the objects in SNMP-USER-BASED-SM-MIB, has the
   following structure:

   +--rw snmp
      +--rw usm
         +--rw local
         |  +--rw user [name]
         |     +-- {common user params}
         +--rw remote [engine-id]
            +--rw engine-id   snmp:engine-id
            +--rw user [name]
               +-- {common user params}

   The "{common user params}" are:

   +--rw name    snmp:identifier
   +--rw auth?
   |  +--rw (protocol)
   |     +--:(md5)
   |     |  +--rw md5
   |     |     +--rw key   string
   |     +--:(sha)
   |        +--rw sha
   |           +--rw key   string
   +--rw priv?
      +--rw (protocol)
         +--:(des)
         |  +--rw des
         |     +--rw key   string
         +--:(aes)
            +--rw aes
               +--rw key   string

   It also augments the "/snmp/target/params" and "/snmp/proxy/
   params-in/params" choices with nodes for the SNMP User-based Security
   Model.

   +--rw snmp
      +--rw target [name]
      |  ...
      |  +--rw (params)?
      |     +--:(usm)
      |        +--rw usm
      |           +--rw user-name        snmp:security-name
      |           +--rw security-level   security-level
      +--rw proxy [name]
         ...
         +--rw params-in
            +--rw (params)
               +--:(usm)
                  +--rw usm
                     +--rw user-name        snmp:security-name
                     +--rw security-level   security-level

   In the MIB, there is a single table with local and remote users,
   indexed by the engine id and user name.  In the YANG model, there is
   one list of local users, and a nested list of remote users.

   In the MIB, there are several objects related to changing the
   authentication and privacy keys.  These objects are not present in
   the YANG model.  However, the localized key can be changed.  This
   implies that if the engine id is changed, all users' keys need to be
   changed as well.

2.11.  Transport Security Model Configuration

   The submodule "ietf-snmp-tsm", which defines configuration parameters
   that correspond to the objects in SNMP-TSM-MIB, has the following
   structure:

   +--rw snmp
      +--rw tsm
         +--rw use-prefix?   boolean

   It also augments the "/snmp/target/params" and "/snmp/proxy/
   params-in/params" choices with nodes for the SNMP Transport Security
   Model.

   +--rw snmp
      +--rw target [name]
      |  ...
      |  +--rw (params)?
      |     +--:(tsm)
      |        +--rw tsm
      |           +--rw security-name    snmp:security-name
      |           +--rw security-level   security-level
      +--rw proxy [name]
         ...
         +--rw params-in
            +--rw (params)
               +--:(tsm)
                  +--rw tsm
                     +--rw security-name    snmp:security-name
                     +--rw security-level   security-level

   This submodule defines the feature "tsm".  A server implements this
   feature if it supports the Transport Security Model (tsm) [RFC5591].

2.12.  Transport Layer Security Transport Model Configuration

   The submodule "ietf-snmp-tls", which defines configuration parameters
   that correspond to the objects in SNMP-TLS-TM-MIB, has the following
   structure:

   +--rw snmp
      ...
      +--rw target [name]
      |  ...
      |  +--rw (transport)
      |     ...
      |     +--:(tls)
      |     |  +--rw tls
      |     |     +-- {common (d)tls transport params}
      |     +--:(dtls)
      |        +--rw dtls
      |           +-- {common (d)tls transport params}
      +--rw tlstm
         +--rw cert-to-name [id]
            +--rw id            uint32
            +--rw fingerprint   x509c2n:tls-fingerprint
            +--rw map-type      identityref
            +--rw name          string

   The "{common (d)tls transport params}" are:

   +--rw ip?                   inet:host
   +--rw port?                 inet:port-number
   +--rw client-fingerprint?   x509c2n:tls-fingerprint
   +--rw server-fingerprint?   x509c2n:tls-fingerprint
   +--rw server-identity?      snmp:admin-string

   It also augments the "/snmp/engine/listen" container with objects for
   the (D)TLS transport endpoints:

   +--rw snmp
      +--rw engine
         ...
         +--rw listen
            ...
            +--rw tls [ip port]
            |  +--rw ip     inet:ip-address
            |  +--rw port   inet:port-number
            +--rw dtls [ip port]
               +--rw ip     inet:ip-address
               +--rw port   inet:port-number

   This submodule defines the feature "tlstm".  A server implements this
   feature if it supports the Transport Layer Security (TLS) Transport
   Model (tlstm) [RFC6353].

2.13.  Secure Shell Transport Model Configuration

   The submodule "ietf-snmp-ssh", which defines configuration parameters
   that correspond to the objects in SNMP-SSH-TM-MIB, has the following
   structure:

   +--rw snmp
      ...
      +--rw target [name]
         ...
         +--rw (transport)
            ...
            +--:(ssh)
               +--rw ssh
                  +--rw ip          inet:host
                  +--rw port?       inet:port-number
                  +--rw username?   string

   It also augments the "/snmp/engine/listen" container with objects for
   the SSH transport endpoints:

   +--rw snmp
      +--rw engine
         ...
         +--rw listen
            ...
            +--rw ssh [ip port]

   This submodule defines the feature "sshtm".  A server implements this
   feature if it supports the Secure Shell (SSH) Transport Model (sshtm)
   [RFC5592].

3.  Definitions

3.1.  Module 'ietf-x509-cert-to-name'

   file "ietf-x509-cert-to-name.yang"

   module ietf-x509-cert-to-name {

     namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name";
     prefix x509c2n;

     import ietf-yang-types {
       prefix yang;
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor: Martin Bjorklund

        Editor: Juergen Schoenwaelder
        ";

     description
       "This module contains a collection of YANG definitions for
        extracting a name from an X.509 certificate.
        The algorithm used to extract a name from an X.509 certificate
        was first defined in RFC 6353.

        Copyright (c) 2013 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";
     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC6353: Transport Layer Security (TLS) Transport Model for
        the Simple Network Management Protocol (SNMP)";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
     revision 2013-03-26 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     typedef tls-fingerprint {
       type yang:hex-string {
         pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
       }
       description
         "A fingerprint value that can be used to uniquely reference
          other data of potentially arbitrary length.

          A tls-fingerprint value is composed of a 1-octet hashing
          algorithm identifier followed by the fingerprint value.  The
          first octet value identifying the hashing algorithm is taken
          from the IANA TLS HashAlgorithm Registry (RFC 5246).
          The remaining octets are filled using the results of the
          hashing algorithm.";
       reference "SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
     }

     /* Identities */

     identity cert-to-name {
       description
         "Base identity for algorithms to derive a name from a
          certificate.";
     }

     identity specified {
       base cert-to-name;
       description
         "Directly specifies the name to be used for the certificate.
          The value of the leaf 'name' in 'cert-to-name' list is used.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
     }

     identity san-rfc822-name {
       base cert-to-name;
       description
         "Maps a subjectAltName's rfc822Name to a name.  The local part
          of the rfc822Name is passed unaltered but the host-part of the
          name must be passed in lowercase.  This mapping results in a
          1:1 correspondence between equivalent subjectAltName
          rfc822Name values and name values except that the host-part
          of the name MUST be passed in lowercase.  For example, the
          rfc822Name field FooBar@Example.COM is mapped to name
          FooBar@example.com.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
     }

     identity san-dns-name {
       base cert-to-name;
       description
         "Maps a subjectAltName's dNSName to a name after first
          converting it to all lowercase (RFC 5280 does not specify
          converting to lowercase so this involves an extra step).
          This mapping results in a 1:1 correspondence between
          subjectAltName dNSName values and the name values.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
     }

     identity san-ip-address {
       base cert-to-name;
       description
         "Maps a subjectAltName's iPAddress to a name by
          transforming the binary encoded address as follows:

          1) for IPv4, the value is converted into a
             decimal-dotted quad address (e.g., '192.0.2.1').

          2) for IPv6 addresses, the value is converted into a
             32-character all lowercase hexadecimal string
             without any colon separators.
          This mapping results in a 1:1 correspondence between
          subjectAltName iPAddress values and the name values.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
     }

     identity san-any {
       base cert-to-name;
       description
         "Maps any of the following fields using the corresponding
          mapping algorithms:

          +------------+-----------------+
          |    Type    |    Algorithm    |
          |------------+-----------------|
          | rfc822Name | san-rfc822-name |
          | dNSName    | san-dns-name    |
          | iPAddress  | san-ip-address  |
          +------------+-----------------+

          The first matching subjectAltName value found in the
          certificate of the above types MUST be used when deriving
          the name.  The mapping algorithm specified in the
          'Algorithm' column MUST be used to derive the name.

          This mapping results in a 1:1 correspondence between
          subjectAltName values and name values.  The three sub-mapping
          algorithms produced by this combined algorithm cannot produce
          conflicting results between themselves.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
     }

     identity common-name {
       base cert-to-name;
       description
         "Maps a certificate's CommonName to a name after converting
          it to a UTF-8 encoding.  The usage of CommonNames is
          deprecated and users are encouraged to use subjectAltName
          mapping methods instead.  This mapping results in a 1:1
          correspondence between certificate CommonName values and name
          values.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
     }

     /*
      * Groupings
      */

     grouping cert-to-name {
       description
         "Defines nodes for mapping certificates to names.  Modules
          that use this grouping should describe how the resulting
          name is used.";

       list cert-to-name {
         key id;
         description
           "This list defines how certificates are mapped to names.
            The name is derived by considering each cert-to-name
            list entry in order.
            The cert-to-name entry's fingerprint
            determines whether the list entry is a match:

            1) If the cert-to-name list entry's fingerprint value
               matches that of the presented certificate, then consider
               the list entry as a successful match.

            2) If the cert-to-name list entry's fingerprint value
               matches that of a locally held copy of a trusted CA
               certificate, and that CA certificate was part of the CA
               certificate chain to the presented certificate, then
               consider the list entry as a successful match.

            Once a matching cert-to-name list entry has been found, the
            map-type is used to determine how the name associated with
            the certificate should be determined.  See the map-type
            leaf's description for details on determining the name value.
            If it is impossible to determine a name from the cert-to-name
            list entry's data combined with the data presented in the
            certificate, then additional cert-to-name list entries MUST
            be searched looking for another potential match.

            Security administrators are encouraged to make use of
            certificates with subjectAltName fields that can be mapped to
            names so that a single root CA certificate can allow all
            child certificates' subjectAltName to map directly to a name
            via a 1:1 transformation.";
         reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";

         leaf id {
           type uint32;
           description
             "The id specifies the order in which the entries in the
              cert-to-name list are searched.  Entries with lower
              numbers are searched first.";
           reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
         }

         leaf fingerprint {
           type x509c2n:tls-fingerprint;
           mandatory true;
           description
             "Specifies a value with which the fingerprint of the
              certificate presented by the peer is compared.
              If the
              fingerprint of the certificate presented by the peer does
              not match the fingerprint configured, then the entry is
              skipped and the search for a match continues.";
           reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
         }

         leaf map-type {
           type identityref {
             base cert-to-name;
           }
           mandatory true;
           description
             "Specifies the algorithm used to map the certificate
              presented by the peer to a name.

              Mappings that need additional configuration objects should
              use the 'when' statement to make them conditional based on
              the 'map-type'.";
           reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
         }

         leaf name {
           when "../map-type = 'x509c2n:specified'";
           type string;
           mandatory true;
           description
             "Directly specifies the NETCONF username when the
              'map-type' is 'specified'.";
           reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
         }
       }
     }
   }

3.2.  Module 'ietf-snmp'

   file "ietf-snmp.yang"

   module ietf-snmp {

     namespace "urn:ietf:params:xml:ns:yang:ietf-snmp";
     prefix snmp;
     // RFC Ed.: update the dates below with the date of RFC publication
     // and remove this note.
     include ietf-snmp-common {
       revision-date 2013-03-26;
     }
     include ietf-snmp-engine {
       revision-date 2013-03-26;
     }
     include ietf-snmp-target {
       revision-date 2013-03-26;
     }
     include ietf-snmp-notification {
       revision-date 2013-03-26;
     }
     include ietf-snmp-proxy {
       revision-date 2013-03-26;
     }
     include ietf-snmp-community {
       revision-date 2013-03-26;
     }
     include ietf-snmp-usm {
       revision-date 2013-03-26;
     }
     include ietf-snmp-tsm {
       revision-date 2013-03-26;
     }
     include ietf-snmp-vacm {
       revision-date 2013-03-26;
     }
     include ietf-snmp-tls {
       revision-date 2013-03-26;
     }
     include ietf-snmp-ssh {
       revision-date 2013-03-26;
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor: Martin Bjorklund

        Editor: Juergen Schoenwaelder
        ";

     description
       "This module contains a collection of YANG definitions for
        configuring SNMP engines.

        Copyright (c) 2013 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
  revision 2013-03-26 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

}

3.3. Submodule 'ietf-snmp-common'

file "ietf-snmp-common.yang"

submodule ietf-snmp-common {
  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-yang-types {
    prefix yang;
  }

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of common YANG definitions
     for configuring SNMP engines.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2013-03-26 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  /* Collection of SNMP specific data types */

  typedef admin-string {
    type string {
      length "0..255";
    }
    description
      "Represents an SnmpAdminString as defined in RFC 3411.

       Note that the size of an SnmpAdminString is measured in
       octets, not characters.";
    reference "SNMP-FRAMEWORK-MIB.SnmpAdminString";
  }

  typedef identifier {
    type admin-string {
      length "1..32";
    }
    description
      "Identifiers are used to name items in the SNMP configuration
       data store.";
  }

  typedef context-name {
    type admin-string {
      length "0..32";
    }
    description
      "The context type represents an SNMP context name.";
    reference
      "RFC3411: An Architecture for Describing SNMP Management
       Frameworks";
  }

  typedef security-name {
    type admin-string {
      length "1..32";
    }
    description
      "The security-name type represents an SNMP security name.";
    reference
      "RFC3411: An Architecture for Describing SNMP Management
       Frameworks";
  }

  typedef security-model {
    type union {
      type enumeration {
        enum v1  { value 1; }
        enum v2c { value 2; }
        enum usm { value 3; }
        enum tsm { value 4; }
      }
      type int32 {
        range "1..2147483647";
      }
    }
    reference
      "RFC3411: An Architecture for Describing SNMP Management
       Frameworks";
  }

  typedef security-model-or-any {
    type union {
      type enumeration {
        enum any { value 0; }
      }
      type security-model;
    }
    reference
      "RFC3411: An Architecture for Describing SNMP Management
       Frameworks";
  }

  typedef security-level {
    type enumeration {
      enum no-auth-no-priv { value 1; }
      enum auth-no-priv    { value 2; }
      enum auth-priv       { value 3; }
    }
    reference
      "RFC3411: An Architecture for Describing SNMP Management
       Frameworks";
  }

  typedef engine-id {
    type yang:hex-string {
      pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}';
    }
    description
      "The Engine ID specified as a list of colon-specified
       hexadecimal octets, e.g., '80:00:02:b8:04:61:62:63'.";
    reference
      "RFC3411: An Architecture for Describing SNMP Management
       Frameworks";
  }

  typedef wildcard-object-identifier {
    type string;
    description
      "The wildcard-object-identifier type represents an SNMP object
       identifier where subidentifiers can be given either as a label,
       in numeric form, or a wildcard, represented by a *.";
  }

  container snmp {
    description
      "Top-level container for SNMP related configuration and
       status objects.";
  }

}

3.4. Submodule 'ietf-snmp-engine'

file "ietf-snmp-engine.yang"

submodule ietf-snmp-engine {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP engines.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
  revision 2013-03-26 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    container engine {
      description
        "Configuration of the SNMP engine.";

      leaf enabled {
        type boolean;
        default "false";
        description
          "Enables the SNMP engine.";
      }

      container listen {
        description
          "Configuration of the transport endpoints on which the
           engine listens.  Submodules providing configuration for
           additional transports are expected to augment this
           container.";

        list udp {
          key "ip port";
          description
            "A list of IPv4 and IPv6 addresses and ports to which the
             engine listens.";

          leaf ip {
            type inet:ip-address;
            description
              "The IPv4 or IPv6 address on which the engine
               listens.";
          }
          leaf port {
            type inet:port-number;
            description
              "The UDP port on which the engine listens.";
          }
        }
      }

      container version {
        description
          "SNMP version used by the engine";
        leaf v1 {
          type empty;
        }
        leaf v2c {
          type empty;
        }
        leaf v3 {
          type empty;
        }
      }

      leaf engine-id {
        type snmp:engine-id;
        description
          "The local SNMP engine's administratively-assigned unique
           identifier.

           If this leaf is not set, the device automatically
           calculates an engine id, as described in RFC 3411.  A
           server MAY initialize this leaf with the automatically
           created value.";
        reference "SNMP-FRAMEWORK-MIB.snmpEngineID";
      }

      leaf enable-authen-traps {
        type boolean;
        description
          "Indicates whether the SNMP entity is permitted to
           generate authenticationFailure traps.";
        reference "SNMPv2-MIB.snmpEnableAuthenTraps";
      }
    }
  }
}

3.5. Submodule 'ietf-snmp-target'

file "ietf-snmp-target.yang"

submodule ietf-snmp-target {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP targets.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3413: Simple Network Management Protocol (SNMP)
     Applications";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
  revision 2013-03-26 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    list target {
      key name;
      description
        "List of targets.";
      reference "SNMP-TARGET-MIB.snmpTargetAddrTable";

      leaf name {
        type snmp:identifier;
        description
          "Identifies the target.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrName";
      }
      choice transport {
        mandatory true;
        description
          "Transport address of the target.

           The snmpTargetAddrTDomain and snmpTargetAddrTAddress
           objects are mapped to transport-specific YANG nodes.  Each
           transport is configured as a separate case in this
           choice.  Submodules providing configuration for additional
           transports are expected to augment this choice.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTDomain
                   SNMP-TARGET-MIB.snmpTargetAddrTAddress";
        case udp {
          reference "SNMPv2-TM.snmpUDPDomain
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4z
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6z";
          container udp {
            leaf ip {
              type inet:ip-address;
              mandatory true;
              reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
            }
            leaf port {
              type inet:port-number;
              default 162;
              description
                "UDP port number";
              reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
            }
            leaf prefix-length {
              type uint8;
              description
                "The value of this leaf must match the value of
                 ../snmp:ip.  If ../snmp:ip contains an ipv4 address,
                 this leaf must be less than or equal to 32.  If it
                 contains an ipv6 address, it must be less than or
                 equal to 128.

                 Note that the prefix-length is currently only used
                 by the Community-based Security Model to filter
                 incoming messages.  Furthermore, the prefix-length
                 filtering does not cover all possible filters
                 supported by the corresponding MIB object.";
              reference "SNMP-COMMUNITY-MIB.snmpTargetAddrTMask";
            }
          }
        }
      }
      leaf-list tag {
        type snmp:identifier;
        description
          "List of tag values used to select target address.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTagList";
      }
      leaf timeout {
        type uint32;
        units "0.01 seconds";
        default 1500;
        description
          "Needed only if this target can receive
           InformRequest-PDUs.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTimeout";
      }
      leaf retries {
        type uint8;
        default 3;
        description
          "Needed only if this target can receive
           InformRequest-PDUs.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrRetryCount";
      }
      choice params {
        description
          "This choice is augmented with case nodes containing
           security model specific configuration parameters.  Each
           such case represents one entry in the
           snmpTargetParamsTable.

           When the snmpTargetAddrParams object contains a reference
           to a non-existing snmpTargetParamsEntry, this choice does
           not contain any case, and vice versa.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrParams
                   SNMP-TARGET-MIB.snmpTargetParamsTable";
      }
    }
  }
}

3.6. Submodule 'ietf-snmp-notification'

file "ietf-snmp-notification.yang"

submodule ietf-snmp-notification {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP notifications.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3413: Simple Network Management Protocol (SNMP)
     Applications";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2013-03-26 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  feature notification-filter {
    description
      "A server implements this feature if it supports SNMP
       notification filtering.";
  }

  augment /snmp:snmp {

    list notify {
      key name;
      description
        "Targets that will receive notifications.

         Entries in this list are mapped 1-1 to entries in
         snmpNotifyTable, except that if an entry in snmpNotifyTable
         has a snmpNotifyTag for which no snmpTargetAddrEntry exists,
         then the snmpNotifyTable entry is not mapped to an entry in
         this list.";
      reference "SNMP-NOTIFICATION-MIB.snmpNotifyTable";

      leaf name {
        type snmp:identifier;
        description
          "An arbitrary name for the list entry.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyName";
      }
      leaf tag {
        type snmp:identifier;
        mandatory true;
        description
          "Target tag, selects a set of notification targets.

           Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/tag in
           a valid configuration.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyTag";
      }
      leaf type {
        type enumeration {
          enum trap { value 1; }
          enum inform { value 2; }
        }
        default trap;
        description
          "Defines the notification type to be generated.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyType";
      }
    }

    list notify-filter-profile {
      if-feature snmp:notification-filter;
      key name;

      description
        "Notification filter profiles.

         The leaf /snmp/target/notify-filter-profile is used
         to associate a filter profile with a target.

         If an entry in this list is referred to by one or more
         /snmp/target/notify-filter-profile, each such
         notify-filter-profile is represented by one
         snmpNotifyFilterProfileEntry.

         If an entry in this list is not referred to by any
         /snmp/target/notify-filter-profile, the entry is not mapped
         to snmpNotifyFilterProfileTable.";
      reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable
                 SNMP-NOTIFICATION-MIB.snmpNotifyFilterTable";

      leaf name {
        type snmp:identifier;
        description
          "Name of the filter profile";
        reference
          "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
      }

      leaf-list include {
        type snmp:wildcard-object-identifier;
        description
          "A family of subtrees included in this filter.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
      }

      leaf-list exclude {
        type snmp:wildcard-object-identifier;
        description
          "A family of subtrees excluded from this filter.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
      }
    }

  }

  augment /snmp:snmp/snmp:target {
    reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable";
    leaf notify-filter-profile {
      if-feature snmp:notification-filter;
      type leafref {
        path "/snmp/notify-filter-profile/name";
      }
      description
        "This leafref leaf is used to represent the sparse
         relationship between the /snmp/target list and the
         /snmp/notify-filter-profile list.";
      reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
    }
  }

}

3.7. Submodule 'ietf-snmp-proxy'

file "ietf-snmp-proxy.yang"

submodule ietf-snmp-proxy {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP proxies.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3413: Simple Network Management Protocol (SNMP)
     Applications";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
  revision 2013-03-26 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  feature proxy {
    description
      "A server implements this feature if it can act as an
       SNMP Proxy";
  }

  augment /snmp:snmp {
    if-feature snmp:proxy;

    list proxy {
      key name;

      description
        "List of proxy parameters.";
      reference "SNMP-PROXY-MIB.snmpProxyTable";

      leaf name {
        type snmp:identifier;
        description
          "Identifies the proxy parameter entry.";
        reference "SNMP-PROXY-MIB.snmpProxyName";
      }
      leaf type {
        type enumeration {
          enum read;
          enum write;
          enum trap;
          enum inform;
        }
        mandatory true;
        reference "SNMP-PROXY-MIB.snmpProxyType";
      }
      leaf context-engine-id {
        type snmp:engine-id;
        mandatory true;
        reference "SNMP-PROXY-MIB.snmpProxyContextEngineID";
      }
      leaf context-name {
        type snmp:context-name;
        reference "SNMP-PROXY-MIB.snmpProxyContextName";
      }
      container params-in {
        choice params {
          mandatory true;
          description
            "This choice is augmented with case nodes containing
             security model specific configuration parameters.  Each
             such case represents one entry in the
             snmpTargetParamsTable.

             When the snmpProxyTargetParamsIn object contains a
             reference to a non-existing snmpTargetParamsEntry, this
             choice does not contain any case, and vice versa.";
        }
        reference "SNMP-PROXY-MIB.snmpProxyTargetParamsIn";
      }
      leaf single-target-out {
        when "../type = 'read' or ../type = 'write'";
        type snmp:identifier;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/name in
           a valid configuration.";
        reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut";
      }
      leaf multiple-target-out {
        when "../type = 'trap' or ../type = 'inform'";
        type snmp:identifier;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/tag in
           a valid configuration.";
        reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut";
      }

    }
  }
}

3.8. Submodule 'ietf-snmp-community'

file "ietf-snmp-community.yang"

submodule ietf-snmp-community {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring community-based SNMP.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.
     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3584: Coexistence between Version 1, Version 2, and Version 3
     of the Internet-standard Network Management Framework";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2013-03-26 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    list community {
      key index;

      description
        "List of communities";
      reference "SNMP-COMMUNITY-MIB.snmpCommunityTable";

      leaf index {
        type snmp:identifier;
        description
          "Index into the community list.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityIndex";
      }
      choice name {
        description
          "The community name, either specified as a string
           or as a binary.  The binary name is used when the
           community name contains characters that are not legal
           in a string.

           If not set, the value of 'security-name' is operationally
           used as the snmpCommunityName.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityName";
        leaf text-name {
          type string;
          description
            "A community name that can be represented as a
             YANG string.";
        }
        leaf binary-name {
          type binary;
          description
            "A community name represented as a binary value.";
        }
      }
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "The snmpCommunitySecurityName of this entry.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunitySecurityName";
      }
      leaf engine-id {
        if-feature snmp:proxy;
        type snmp:engine-id;
        description
          "If not set, the value of the local SNMP engine is
           operationally used by the device.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityContextEngineID";
      }
      leaf context {
        type snmp:context-name;
        default "";
        description
          "The context in which management information is accessed
           when using the community string specified by this entry.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityContextName";
      }
      leaf target-tag {
        type snmp:identifier;
        description
          "Used to limit access for this community to the specified
           targets.

           Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/tag in
           a valid configuration.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityTransportTag";
      }

    }
  }

  grouping v1-target-params {
    container v1 {
      description
        "SNMPv1 parameters type.
         Represents snmpTargetParamsMPModel '0',
         snmpTargetParamsSecurityModel '1', and
         snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of
           /snmp/community/security-name in a valid configuration.";
        reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
    }
  }

  grouping v2c-target-params {
    container v2c {
      description
        "SNMPv2 community parameters type.
         Represents snmpTargetParamsMPModel '1',
         snmpTargetParamsSecurityModel '2', and
         snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of
           /snmp/community/security-name in a valid configuration.";
        reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
    }
  }

  augment /snmp:snmp/snmp:target/snmp:params {
    case v1 {
      uses v1-target-params;
    }
    case v2c {
      uses v2c-target-params;
    }

  }

  augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
    case v1 {
      uses v1-target-params;
    }
    case v2c {
      uses v2c-target-params;
    }
  }

  augment /snmp:snmp/snmp:target {
    when "snmp:v1 or snmp:v2c";
    leaf mms {
      type union {
        type enumeration {
          enum "unknown";
        }
        type int32 {
          range "484..max";
        }
      }
      default "484";
      reference
        "SNMP-COMMUNITY-MIB.snmpTargetAddrMMS";
    }
  }

}

3.9. Submodule 'ietf-snmp-vacm'

file "ietf-snmp-vacm.yang"

submodule ietf-snmp-vacm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring the View-based Access Control Model (VACM)
     of SNMP.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3415: View-based Access Control Model (VACM) for the
     Simple Network Management Protocol (SNMP)";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
  revision 2013-03-26 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  typedef view-name {
    type snmp:identifier;
    description
      "The view-name type represents an SNMP VACM view name.";
  }

  typedef group-name {
    type snmp:identifier;
    description
      "The group-name type represents an SNMP VACM group name.";
  }

  augment /snmp:snmp {

    container vacm {
      description
        "Configuration of the View-based Access Control Model";

      list group {
        key name;
        description
          "VACM Groups.

           This data model has a different structure than the MIB.
           Groups are explicitly defined in this list, and group
           members are defined in the 'member' list (mapped to
           vacmSecurityToGroupTable), and access for the group is
           defined in the 'access' list (mapped to
           vacmAccessTable).";
        reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable
                   SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

        leaf name {
          type group-name;
          description
            "The name of this VACM group.";
          reference "SNMP-VIEW-BASED-ACM-MIB.vacmGroupName";
        }

        list member {
          key "security-name";
          min-elements 1;
          description
            "A member of this VACM group.  According to VACM, every
             group must have at least one member.

             A certain combination of security-name and
             security-model MUST NOT be present in more than
             one group.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable";

          leaf security-name {
            type snmp:security-name;
            description
              "The securityName of a group member.";
            reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityName";
          }

          leaf-list security-model {
            type snmp:security-model;
            min-elements 1;
            description
              "The security models under which this security-name
               is a member of this group.";
            reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityModel";
          }
        }

        list access {
          key "context security-model security-level";
          description
            "Definition of access rights for groups";
          reference "SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

          leaf context {
            type snmp:context-name;
            description
              "The context (prefix) under which the access rights
               apply.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextPrefix";
          }

          leaf context-match {
            type enumeration {
              enum exact;
              enum prefix;
            }
            default exact;
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextMatch";
          }
          leaf security-model {
            type snmp:security-model-or-any;
            description
              "The security model under which the access rights
               apply.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityModel";
          }

          leaf security-level {
            type snmp:security-level;
            description
              "The minimum security level under which the access
               rights apply.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityLevel";
          }

          leaf read-view {
            type view-name;
            description
              "The name of the MIB view of the SNMP context
               authorizing read access.  If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessReadViewName.

               Implementations MAY restrict the values of this
               leaf to be one of the available values of
               /snmp/vacm/view/name in a valid configuration.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessReadViewName";
          }

          leaf write-view {
            type view-name;
            description
              "The name of the MIB view of the SNMP context
               authorizing write access.  If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessWriteViewName.

               Implementations MAY restrict the values of this
               leaf to be one of the available values of
               /snmp/vacm/view/name in a valid configuration.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessWriteViewName";
          }
          leaf notify-view {
            type view-name;
            description
              "The name of the MIB view of the SNMP context
               authorizing notify access.  If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessNotifyViewName.

               Implementations MAY restrict the values of this
               leaf to be one of the available values of
               /snmp/vacm/view/name in a valid configuration.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessNotifyViewName";
          }
        }
      }

      list view {
        key name;
        description
          "Definition of MIB views.";
        reference
          "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyTable";

        leaf name {
          type view-name;
          description
            "The name of this VACM MIB view.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyName";
        }

        leaf-list include {
          type snmp:wildcard-object-identifier;
          description
            "A family of subtrees included in this MIB view.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
        }

        leaf-list exclude {
          type snmp:wildcard-object-identifier;
          description
            "A family of subtrees excluded from this MIB
             view.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
        }
      }
    }
  }
}

3.10. Submodule 'ietf-snmp-usm'

file "ietf-snmp-usm.yang"

submodule ietf-snmp-usm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-yang-types {
    prefix yang;
  }
  import ietf-netconf-acm {
    prefix nacm;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the User-based Security Model (USM) of SNMP.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3414: User-based Security Model (USM) for version 3 of the
     Simple Network Management Protocol (SNMPv3).";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
     revision 2013-03-26 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     grouping key {
       leaf key {
         type yang:hex-string;
         mandatory true;
         nacm:default-deny-all;
         description
           "Localized key specified as a list of colon-separated
            hexadecimal octets.";
       }
     }

     grouping user-list {
       list user {
         key "name";

         reference "SNMP-USER-BASED-SM-MIB.usmUserTable";

         leaf name {
           type snmp:identifier;
           reference "SNMP-USER-BASED-SM-MIB.usmUserName";
         }
         container auth {
           presence "enables authentication";
           description
             "Enables authentication of the user.";
           choice protocol {
             mandatory true;
             reference "SNMP-USER-BASED-SM-MIB.usmUserAuthProtocol";
             container md5 {
               uses key;
               reference
                 "SNMP-USER-BASED-SM-MIB.usmHMACMD5AuthProtocol";
             }
             container sha {
               uses key;
               reference
                 "SNMP-USER-BASED-SM-MIB.usmHMACSHAAuthProtocol";
             }
           }
         }
         container priv {
           must "../auth" {
             error-message
               "when privacy is used, authentication must also be used";
           }
           presence "enables encryption";
           description
             "Enables encryption of SNMP messages.";

           choice protocol {
             mandatory true;
             reference "SNMP-USER-BASED-SM-MIB.usmUserPrivProtocol";
             container des {
               uses key;
               reference "SNMP-USER-BASED-SM-MIB.usmDESPrivProtocol";
             }
             container aes {
               uses key;
               reference "SNMP-USM-AES-MIB.usmAesCfb128Protocol";
             }
           }
         }
       }
     }

     augment /snmp:snmp {

       container usm {
         description
           "Configuration of the User-based Security Model.";
         container local {
           uses user-list;
         }

         list remote {
           key "engine-id";

           leaf engine-id {
             type snmp:engine-id;
             reference "SNMP-USER-BASED-SM-MIB.usmUserEngineID";
           }

           uses user-list;
         }
       }
     }

     grouping usm-target-params {
       container usm {
         description
           "User based SNMPv3 parameters type.

            Represents snmpTargetParamsMPModel '3' and
            snmpTargetParamsSecurityModel '3'";
         leaf user-name {
           type snmp:security-name;
           mandatory true;
           reference
             "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
         }
         leaf security-level {
           type snmp:security-level;
           mandatory true;
           reference
             "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
         }
       }
     }
     augment /snmp:snmp/snmp:target/snmp:params {
       case usm {
         uses usm-target-params;
       }
     }

     augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
       case usm {
         uses usm-target-params;
       }
     }

   }

3.11. Submodule 'ietf-snmp-tsm'

   file "ietf-snmp-tsm.yang"

   submodule ietf-snmp-tsm {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     include ietf-snmp-common;
     include ietf-snmp-target;
     include ietf-snmp-proxy;

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor:   Martin Bjorklund

        Editor:   Juergen Schoenwaelder
        ";

     description
       "This submodule contains a collection of YANG definitions for
        configuring the Transport Security Model (TSM) of SNMP.

        Copyright (c) 2013 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).
        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC5591: Transport Security Model for the
        Simple Network Management Protocol (SNMP)";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.

     revision 2013-03-26 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     feature tsm {
       description
         "A server implements this feature if it supports the
          Transport Security Model for SNMP.";
       reference
         "RFC5591: Transport Security Model for the
          Simple Network Management Protocol (SNMP)";
     }

     augment /snmp:snmp {
       if-feature tsm;
       container tsm {
         description
           "Configuration of the Transport-based Security Model";

         leaf use-prefix {
           type boolean;
           default false;
           reference
             "SNMP-TSM-MIB.snmpTsmConfigurationUsePrefix";
         }
       }
     }

     grouping tsm-target-params {
       container tsm {
         description
           "Transport based security SNMPv3 parameters type.

            Represents snmpTargetParamsMPModel '3' and
            snmpTargetParamsSecurityModel '4'";
         leaf security-name {
           type snmp:security-name;
           mandatory true;
           reference
             "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
         }
         leaf security-level {
           type snmp:security-level;
           mandatory true;
           reference
             "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
         }
       }
     }

     augment /snmp:snmp/snmp:target/snmp:params {
       if-feature tsm;
       case tsm {
         uses tsm-target-params;
       }
     }

     augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
       if-feature tsm;
       case tsm {
         uses tsm-target-params;
       }
     }
   }

3.12. Submodule 'ietf-snmp-tls'

   file "ietf-snmp-tls.yang"

   submodule ietf-snmp-tls {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     import ietf-inet-types {
       prefix inet;
     }
     import ietf-x509-cert-to-name {
       prefix x509c2n;
     }

     include ietf-snmp-common;
     include ietf-snmp-engine;
     include ietf-snmp-target;

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor:   Martin Bjorklund

        Editor:   Juergen Schoenwaelder
        ";

     description
       "This submodule contains a collection of YANG definitions for
        configuring the Transport Layer Security Transport Model (TLSTM)
        of SNMP.

        Copyright (c) 2013 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC6353: Transport Layer Security (TLS) Transport Model for
        the Simple Network Management Protocol (SNMP)";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
     revision 2013-03-26 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     feature tlstm {
       description
         "A server implements this feature if it supports the
          Transport Layer Security Transport Model for SNMP.";
       reference
         "RFC6353: Transport Layer Security (TLS) Transport Model for
          the Simple Network Management Protocol (SNMP)";
     }

     augment /snmp:snmp/snmp:engine/snmp:listen {
       if-feature tlstm;
       list tls {
         key "ip port";
         description
           "A list of IPv4 and IPv6 addresses and ports to which the
            engine listens for SNMP messages over TLS.";

         leaf ip {
           type inet:ip-address;
           description
             "The IPv4 or IPv6 address on which the engine listens
              for SNMP messages over TLS.";
         }
         leaf port {
           type inet:port-number;
           description
             "The TCP port on which the engine listens for SNMP
              messages over TLS.";
         }
       }
       list dtls {
         key "ip port";
         description
           "A list of IPv4 and IPv6 addresses and ports to which the
            engine listens for SNMP messages over DTLS.";

         leaf ip {
           type inet:ip-address;
           description
             "The IPv4 or IPv6 address on which the engine listens
              for SNMP messages over DTLS.";
         }
         leaf port {
           type inet:port-number;
           description
             "The UDP port on which the engine listens for SNMP messages
              over DTLS.";
         }
       }
     }

     augment /snmp:snmp {
       if-feature tlstm;
       container tlstm {
         uses x509c2n:cert-to-name {
           description
             "Defines how certificates are mapped to names.  The
              resulting name is used as a security name.";
           refine cert-to-name/map-type {
             description
               "Mappings that use the snmpTlstmCertToTSNData column
                need to augment the 'cert-to-name' list
                with additional configuration objects corresponding
                to the snmpTlstmCertToTSNData value.  Such objects
                should use the 'when' statement to make them
                conditional based on the 'map-type'.";
           }
         }
       }

     }

     grouping tls-transport {
       leaf ip {
         type inet:host;
         mandatory true;
         reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                    SNMP-TLS-TM-MIB.SnmpTLSAddress";
       }
       leaf port {
         type inet:port-number;
         default 10161;
         reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                    SNMP-TLS-TM-MIB.SnmpTLSAddress";
       }
       leaf client-fingerprint {
         type x509c2n:tls-fingerprint;
         reference "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint";
       }
       leaf server-fingerprint {
         type x509c2n:tls-fingerprint;
         reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint";
       }
       leaf server-identity {
         type snmp:admin-string;
         reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity";
       }
     }

     augment /snmp:snmp/snmp:target/snmp:transport {
       if-feature tlstm;
       case tls {
         reference "SNMP-TLS-TM-MIB.snmpTLSTCPDomain";
         container tls {
           uses tls-transport;
         }
       }
     }

     augment /snmp:snmp/snmp:target/snmp:transport {
       if-feature tlstm;
       case dtls {
         reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain";
         container dtls {
           uses tls-transport;
         }
       }
     }

   }

3.13. Submodule 'ietf-snmp-ssh'

   file "ietf-snmp-ssh.yang"

   submodule ietf-snmp-ssh {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     import ietf-inet-types {
       prefix inet;
     }

     include ietf-snmp-common;
     include ietf-snmp-engine;
     include ietf-snmp-target;

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor:   Martin Bjorklund

        Editor:   Juergen Schoenwaelder
        ";

     description
       "This submodule contains a collection of YANG definitions for
        configuring the Secure Shell Transport Model (SSHTM)
        of SNMP.

        Copyright (c) 2013 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC5592: Secure Shell Transport Model for the
        Simple Network Management Protocol (SNMP)";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
     revision 2013-03-26 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     feature sshtm {
       description
         "A server implements this feature if it supports the
          Secure Shell Transport Model for SNMP.";
       reference
         "RFC5592: Secure Shell Transport Model for the
          Simple Network Management Protocol (SNMP)";
     }

     augment /snmp:snmp/snmp:engine/snmp:listen {
       if-feature sshtm;
       list ssh {
         key "ip port";
         description
           "A list of IPv4 and IPv6 addresses and ports to which the
            engine listens for SNMP messages over SSH.";

         leaf ip {
           type inet:ip-address;
           description
             "The IPv4 or IPv6 address on which the engine listens
              for SNMP messages over SSH.";
         }
         leaf port {
           type inet:port-number;
           description
             "The TCP port on which the engine listens for SNMP
              messages over SSH.";
         }
       }
     }

     augment /snmp:snmp/snmp:target/snmp:transport {
       if-feature sshtm;
       case ssh {
         reference "SNMP-SSH-TM-MIB.snmpSSHDomain";
         container ssh {
           leaf ip {
             type inet:host;
             mandatory true;
             reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                        SNMP-SSH-TM-MIB.SnmpSSHAddress";
           }
           leaf port {
             type inet:port-number;
             default 5161;
             reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                        SNMP-SSH-TM-MIB.SnmpSSHAddress";
           }
           leaf username {
             type string;
             reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                        SNMP-SSH-TM-MIB.SnmpSSHAddress";
           }
         }
       }
     }
   }

4. IANA Considerations

   This document registers a URI in the IETF XML registry [RFC3688].
   Following the format in RFC 3688, the following registration is
   requested to be made.

        URI: urn:ietf:params:xml:ns:yang:ietf-snmp

        Registrant Contact: The NETMOD WG of the IETF.

        XML: N/A, the requested URI is an XML namespace.
   This document registers a YANG module in the YANG Module Names
   registry [RFC6020].

        name:      ietf-snmp
        namespace: urn:ietf:params:xml:ns:yang:ietf-snmp
        prefix:    snmp
        reference: RFC XXXX

   The document registers the following YANG submodules in the YANG
   Module Names registry [RFC6020].

        name:      ietf-snmp-common
        parent:    ietf-snmp
        reference: RFC XXXX

        name:      ietf-snmp-engine
        parent:    ietf-snmp
        reference: RFC XXXX

        name:      ietf-snmp-community
        parent:    ietf-snmp
        reference: RFC XXXX

        name:      ietf-snmp-notification
        parent:    ietf-snmp
        reference: RFC XXXX

        name:      ietf-snmp-target
        parent:    ietf-snmp
        reference: RFC XXXX

        name:      ietf-snmp-vacm
        parent:    ietf-snmp
        reference: RFC XXXX

        name:      ietf-snmp-usm
        parent:    ietf-snmp
        reference: RFC XXXX

        name:      ietf-snmp-tsm
        parent:    ietf-snmp
        reference: RFC XXXX

        name:      ietf-snmp-tls
        parent:    ietf-snmp
        reference: RFC XXXX

        name:      ietf-snmp-ssh
        parent:    ietf-snmp
        reference: RFC XXXX

5. Security Considerations

   The YANG module and submodules defined in this memo are designed to
   be accessed via the NETCONF protocol [RFC6241].  The lowest NETCONF
   layer is the secure transport layer and the mandatory-to-implement
   secure transport is SSH [RFC6242].

   There are a number of data nodes defined in the YANG module and
   submodules which are writable/creatable/deletable (i.e., config true,
   which is the default).  These data nodes may be considered sensitive
   or vulnerable in some network environments.  Write operations (e.g.,
   edit-config) to these data nodes without proper protection can have a
   negative effect on network operations.
   These are the subtrees and data nodes and their
   sensitivity/vulnerability:

   o  The /snmp/engine subtree contains the configuration of general
      parameters of an SNMP engine such as the endpoints to listen on,
      the transports and SNMP versions enabled, or the engine's
      identity.  Write access to this subtree should only be granted to
      entities configuring general SNMP engine parameters.

   o  The /snmp/target subtree contains the configuration of SNMP
      targets and in particular which transports to use and their
      security parameters.  Write access to this subtree should only be
      granted to the security administrator and entities configuring
      SNMP notification forwarding behavior.

   o  The /snmp/notify and /snmp/notify-filter-profile subtrees contain
      the configuration for the SNMP notification forwarding and
      filtering mechanisms.  Write access to these subtrees should only
      be granted to entities configuring SNMP notification forwarding
      behavior.

   o  The /snmp/proxy subtree contains the configuration for SNMP
      proxies.  Write access to this subtree should only be granted to
      entities configuring SNMP proxies.

   o  The /snmp/community subtree contains the configuration of the
      community-based security model.  Write access to this subtree
      should only be granted to the security administrator.

   o  The /snmp/usm subtree contains the configuration of the user-based
      security model.  Write access to this subtree should only be
      granted to the security administrator.

   o  The /snmp/tsm subtree contains the configuration of the transport
      layer security model for SNMP.  Write access to this subtree
      should only be granted to the security administrator.

   o  The /snmp/tlstm subtree contains the configuration of the SNMP
      transport over (D)TLS and in particular the configuration of how
      certificates are mapped to SNMP security names.  Write access to
      this subtree should only be granted to the security administrator.

   o  The /snmp/vacm subtree contains the configuration of the view-
      based access control mechanism used by SNMP to authorize access to
      management information via SNMP.  Write access to this subtree
      should only be granted to the security administrator.

   Some of the readable data nodes in the YANG module and submodules may
   be considered sensitive or vulnerable in some network environments.
   It is thus important to control read access (e.g., via get, get-
   config, or notification) to these data nodes.  These are the subtrees
   and data nodes and their sensitivity/vulnerability:

   o  The /snmp/engine subtree exposes general information about an SNMP
      engine such as which version(s) of SNMP are enabled or which
      transports are enabled.

   o  The /snmp/target subtree exposes information about which
      transports are used to reach certain SNMP targets and which
      transport-specific parameters are used.

   o  The /snmp/notify and /snmp/notify-filter-profile subtrees expose
      information about how notifications are filtered and forwarded to
      notification targets.

   o  The /snmp/proxy subtree exposes information about proxy
      relationships.

   o  The /snmp/community, /snmp/usm, /snmp/tsm, /snmp/tlstm, and
      /snmp/vacm subtrees are specifically sensitive since they expose
      information about the authentication and authorization policy used
      by an SNMP engine.

6. Acknowledgments

   The authors want to thank Wes Hardaker and David Spakes for their
   reviews and valuable comments.

7. References

7.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.
   [RFC6241]  Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
              Bierman, "Network Configuration Protocol (NETCONF)",
              RFC 6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, June 2011.

7.2. Informative References

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412,
              December 2002.

   [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62,
              RFC 3413, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415,
              December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC3584]  Frye, R., Levi, D., Routhier, S., and B. Wijnen,
              "Coexistence between Version 1, Version 2, and Version 3
              of the Internet-standard Network Management Framework",
              BCP 74, RFC 3584, August 2003.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)",
              RFC 5591, June 2009.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, June 2009.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              RFC 6353, July 2011.

Appendix A. Example configurations

A.1. Engine Configuration Example

   Below is an XML instance document showing a configuration of an SNMP
   engine listening on UDP port 161 on IPv4 and IPv6 endpoints and
   accepting SNMPv2c and SNMPv3 messages.

   [XML instance document: element markup was not preserved in
    extraction.  Values retained, in document order: true; 0.0.0.0;
    161; ::; 161; 80:00:02:b8:04:61:62:63]

A.2. Community Configuration Example

   Below is an XML instance document showing a configuration that maps
   the community name "public" to the security-name "community-public"
   on the local engine with the default context name.  The target tag
   "community-public-access" filters the access to this community name.

   [XML instance document: element markup was not preserved in
    extraction.  Values retained, in document order: 1; public;
    community-public; community-public-access; bluebox;
    2001:db8::abcd; 161; blue; community-public]

A.3. User-based Security Model Configuration Example

   Below is an XML instance document showing the configuration of a
   local user "joey" who has no authentication or privacy keys.  For the
   remote SNMP engine identified by the snmpEngineID
   '800002b804616263'H, two users are configured.  The user "matt" has a
   localized SHA authentication key and the user "russ" has a localized
   SHA authentication key and an AES encryption key.
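   The user entries just described, checked against the constraints
   that the ietf-snmp-usm submodule (Section 3.10) states in YANG: the
   mandatory 'choice protocol' under 'auth' and 'priv', the mandatory
   hex-string 'key', the must "../auth" rule on 'priv', and the
   nacm:default-deny-all marking on the key.  This is an added Python
   example, not code from the draft; the UsmUser record, the function
   names, the priv-only and malformed-key users, and the treatment of
   the withheld key as "<withheld>" are constructed for illustration.

```python
"""Check SNMPv3 USM user entries against the constraints the
ietf-snmp-usm submodule expresses in YANG.  Added example, not code
from the draft; UsmUser is an assumed, simplified rendering of the
list /snmp/usm/local/user and /snmp/usm/remote/user."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Pattern of yang:hex-string (ietf-yang-types): colon-separated octets.
HEX_STRING = re.compile(r"^([0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*)?$")

# 'choice protocol' alternatives under container auth and container priv.
AUTH_PROTOCOLS = ("md5", "sha")
PRIV_PROTOCOLS = ("des", "aes")

# error-message of the must "../auth" statement on container priv.
MUST_AUTH = "when privacy is used, authentication must also be used"


@dataclass
class UsmUser:
    name: str
    # Presence containers: None means absent; otherwise (protocol, key).
    auth: Optional[Tuple[str, Optional[str]]] = None
    priv: Optional[Tuple[str, Optional[str]]] = None


def validate_user(user: UsmUser) -> list:
    """Return the constraint violations for one user (empty list: valid)."""
    errors = []
    for container, value, allowed in (("auth", user.auth, AUTH_PROTOCOLS),
                                      ("priv", user.priv, PRIV_PROTOCOLS)):
        if value is None:
            continue                       # presence container not present
        protocol, key = value
        if protocol not in allowed:        # 'choice protocol' is mandatory
            errors.append(f"{container}: unknown protocol {protocol!r}")
            continue
        if key is None:                    # 'leaf key' is mandatory true
            errors.append(f"{container}/{protocol}/key: missing")
        elif not HEX_STRING.match(key):
            errors.append(f"{container}/{protocol}/key: not a hex-string")
    if user.priv is not None and user.auth is None:
        errors.append(MUST_AUTH)
    return errors


def redacted(user: UsmUser) -> dict:
    """Render a user as a default read reply would: 'leaf key' carries
    nacm:default-deny-all, so the localized key is withheld unless an
    explicit NACM rule grants read access (placeholder text assumed)."""
    out = {"name": user.name}
    if user.auth is not None:
        out["auth"] = {user.auth[0]: {"key": "<withheld>"}}
    if user.priv is not None:
        out["priv"] = {user.priv[0]: {"key": "<withheld>"}}
    return out


def a3_users() -> dict:
    """The users of Appendix A.3 as constructed input: 'joey' locally,
    'matt' and 'russ' under the remote engine-id of the appendix."""
    sha_key = "66:95:fe:bc:92:88:e3:62:82:23:5f:c7:15:1f:12:84:97:b3:8f:3f"
    aes_key = "66:95:fe:bc:92:88:e3:62:82:23:5f:c7:15:1f:12:84"
    return {
        "local": [UsmUser("joey")],
        "remote": {
            "00:00:00:00:00:00:00:00:00:00:00:02": [
                UsmUser("matt", auth=("sha", sha_key)),
                UsmUser("russ", auth=("sha", sha_key), priv=("aes", aes_key)),
            ]
        },
    }


def validate_all(config: dict) -> dict:
    """Map each user name to its violations for a local/remote layout."""
    report = {}
    for user in config["local"]:
        report[user.name] = validate_user(user)
    for users in config["remote"].values():
        for user in users:
            report[user.name] = validate_user(user)
    return report


if __name__ == "__main__":
    print(validate_all(a3_users()))
    print(validate_user(UsmUser("bad", priv=("aes", "00:11"))))
```

   The A.3 users pass cleanly; a user with 'priv' but no 'auth' is
   rejected with the model's own error-message, which is the check a
   NETCONF server applies at edit-config time before such a user could
   be created.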
   [XML instance document: element markup was not preserved in
    extraction.  Values retained, in document order: joey;
    00:00:00:00:00:00:00:00:00:00:00:02; matt;
    66:95:fe:bc:92:88:e3:62:82:23:5f:c7:15:1f:12:84:97:b3:8f:3f; russ;
    66:95:fe:bc:92:88:e3:62:82:23:5f:c7:15:1f:12:84:97:b3:8f:3f;
    66:95:fe:bc:92:88:e3:62:82:23:5f:c7:15:1f:12:84; bluebox;
    2001:db8::abcd; 161; blue; matt; auth-no-priv]

A.4. Target and Notification Configuration Example

   Below is an XML instance document showing the configuration of a
   notification generator application (see Appendix A of [RFC3413]).
   Note that the USM specific objects are defined in the ietf-snmp-
   usm.yang submodule.

   [XML instance document: element markup was not preserved in
    extraction.  Values retained, in document order: addr1; 192.0.2.3;
    162; group1; joe; auth-no-priv; addr2; 192.0.2.6; 162; group1; joe;
    auth-no-priv; addr3; 192.0.2.9; 162; group2; bob; auth-priv;
    group1; group1; trap; group2; group2; trap]

A.5. Proxy Configuration Example

   Below is an XML instance document showing the configuration of a
   proxy forwarder application.  It proxies SNMPv2c messages from
   command generators to a file server running an SNMPv1 agent that
   recognizes two community strings, "private" and "public", with
   different associated read views.  The file server is represented as
   two "target" instances, one for each community string.

   If the proxy receives an SNMPv2c message with the community string
   "public" from a device in the "Office Network" or "Home Office
   Network", it gets tagged as "trusted", and the proxy uses the
   "private" community string when sending the message to the file
   server.
   Other SNMPv2c messages with the community string "public"
   get tagged as "non-trusted", and the proxy uses the "public"
   community string for these messages.  There is also a special
   "backdoor" community string that can be used from any location to get
   "trusted" access.

   The "Office Network" and "Home Office Network" are represented as two
   "target" instances.

   [XML instance document: element markup was not preserved in
    extraction.  Values retained, in document order:
    File Server (private); 192.0.2.1; private;
    File Server (public); 192.0.2.1; public;
    Office Network; 192.0.2.0; 24; office;
    Home Office Network; 203.0.113.0; 24; home-office;
    c1; public; 80:00:61:81:c8; trusted; office;
    c2; public; 80:00:61:81:c8; trusted; home-office;
    c3; public; 80:00:61:81:c8; not-trusted;
    c4; backdoor; public; 80:00:61:81:c8; trusted;
    c5; private; 80:00:61:81:c8; trusted;
    p1; read; 80:00:61:81:c8; trusted; public; File Server (private);
    p2; read; 80:00:61:81:c8; not-trusted; public; File Server (public)]

   If an SNMPv2c Get request with community string "public" is received
   from an IP address tagged as "office" or "home-office", or if the
   request is received from anywhere else with community string
   "backdoor", the implied context is "trusted" and so proxy entry "p1"
   matches.  The request is forwarded to the file server as SNMPv1 with
   community "private" using community table entry "c5" for outbound
   params lookup.
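   The lookup this section describes, worked through as an added Python
   example (not code from the draft).  The rows below are constructed
   from the instance document above and simplified to plain dictionaries,
   so the field names ("security-name-in", "target-out", and the
   per-target security name) are assumptions rather than the model's node
   names.  It covers both the "trusted" case just described and the
   "not-trusted" case for sources outside the two tagged networks.

```python
"""Resolve the inbound context and outbound community for the proxy
forwarder of Appendix A.5.  Added example; the tables are a constructed,
simplified rendering of the draft's target, community and proxy lists."""
import ipaddress

# Source networks and the target tags they carry ("Office Network" and
# "Home Office Network" in A.5).
SOURCE_TAGS = {
    "office": ipaddress.ip_network("192.0.2.0/24"),
    "home-office": ipaddress.ip_network("203.0.113.0/24"),
}

# The file server's SNMPv1 security name for each outbound target
# (assumed layout: the appendix text only states the resulting community).
TARGET_SECURITY_NAME = {
    "File Server (private)": "private",
    "File Server (public)": "public",
}

# Community table c1..c5: an entry applies to a message whose community
# string equals 'name' and whose source carries 'target-tag' (None: any
# source); it yields the security name and context used for proxy lookup.
COMMUNITIES = [
    {"index": "c1", "name": "public",   "security-name": "public",
     "context": "trusted",     "target-tag": "office"},
    {"index": "c2", "name": "public",   "security-name": "public",
     "context": "trusted",     "target-tag": "home-office"},
    {"index": "c3", "name": "public",   "security-name": "public",
     "context": "not-trusted", "target-tag": None},
    {"index": "c4", "name": "backdoor", "security-name": "public",
     "context": "trusted",     "target-tag": None},
    {"index": "c5", "name": "private",  "security-name": "private",
     "context": "trusted",     "target-tag": None},
]

# Proxy entries p1/p2 (type read): matched on context name and inbound
# security name; 'target-out' names the outbound target.
PROXIES = [
    {"index": "p1", "context": "trusted",     "security-name-in": "public",
     "target-out": "File Server (private)"},
    {"index": "p2", "context": "not-trusted", "security-name-in": "public",
     "target-out": "File Server (public)"},
]


def source_tags(source_ip):
    """Tags of every source network that contains source_ip."""
    addr = ipaddress.ip_address(source_ip)
    return {tag for tag, net in SOURCE_TAGS.items() if addr in net}


def match_community(source_ip, community):
    """First community entry whose name and target-tag fit the message."""
    tags = source_tags(source_ip)
    for entry in COMMUNITIES:
        if entry["name"] != community:
            continue
        if entry["target-tag"] is not None and entry["target-tag"] not in tags:
            continue
        return entry
    return None


def outbound_community(target):
    """Community string sent towards 'target': the first community entry
    whose security-name equals the target's security name (entry c5 for
    the private file server, as the appendix text describes)."""
    secname = TARGET_SECURITY_NAME[target]
    for entry in COMMUNITIES:
        if entry["security-name"] == secname:
            return entry["name"]
    return None


def resolve(source_ip, community):
    """Return how an SNMPv2c request is proxied, or None when it is not
    forwarded (no community entry or no proxy entry matches)."""
    entry = match_community(source_ip, community)
    if entry is None:
        return None
    for proxy in PROXIES:
        if (proxy["context"] == entry["context"]
                and proxy["security-name-in"] == entry["security-name"]):
            return {
                "community-entry": entry["index"],
                "context": entry["context"],
                "proxy": proxy["index"],
                "target": proxy["target-out"],
                "community-out": outbound_community(proxy["target-out"]),
            }
    return None


if __name__ == "__main__":
    for src, comm in (("192.0.2.77", "public"), ("198.51.100.7", "public"),
                      ("198.51.100.7", "backdoor"), ("198.51.100.7", "private")):
        print(src, comm, "->", resolve(src, comm))
```

   Reading the configuration this way makes the sensitivity of the
   /snmp/community subtree noted in Section 5 concrete: entry "c4" has no
   target-tag, so the context "trusted" is reachable from any source
   address, which is the kind of row an audit of a proxy configuration
   should surface.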
   If an SNMPv2c Get request with community string "public" is received
   from any other IP address, the implied context is "not-trusted" so
   proxy entry "p2" matches, and the request is forwarded to the file
   server as SNMPv1 with community "public".

A.6. View-based Access Control Model Configuration Example

   Below is an XML instance document showing the minimum-secure VACM
   configuration (see Appendix A of [RFC3415]).

   [XML instance document: element markup was not preserved in
    extraction.  Values retained, in document order: initial; initial;
    usm; usm; no-auth-no-priv; restricted; restricted; usm;
    auth-no-priv; internet; internet; internet; initial; 1.3.6.1;
    restricted; 1.3.6.1]

   The following XML instance document shows the semi-secure VACM
   configuration (only the view configuration is different).

   [XML instance document: element markup was not preserved in
    extraction.  Values retained, in document order: initial; initial;
    usm; usm; no-auth-no-priv; restricted; restricted; usm;
    auth-no-priv; internet; internet; internet; initial; 1.3.6.1;
    restricted; 1.3.6.1.2.1.1; 1.3.6.1.2.1.11; 1.3.6.1.6.3.10.2.1;
    1.3.6.1.6.3.11.2.1; 1.3.6.1.6.3.15.1.1]

A.7. Transport Layer Security Transport Model Configuration Example

   Below is an XML instance document showing the configuration of the
   certificate to security name mapping (see Appendix A.2 and A.3 of
   [RFC6353]).

   [XML instance document: element markup was not preserved in
    extraction.  Values retained, in document order: 1; 11:0A:05:11:00;
    x509c2n:san-any; 2; 11:0A:05:11:00; x509c2n:specified; Joe Cool]

Authors' Addresses

   Martin Bjorklund
   Tail-f Systems

   Email: mbj@tail-f.com

   Juergen Schoenwaelder
   Jacobs University

   Email: j.schoenwaelder@jacobs-university.de