Network Working Group                                       M. Bjorklund
Internet-Draft                                            Tail-f Systems
Intended status: Standards Track                        J. Schoenwaelder
Expires: May 9, 2014                                   Jacobs University
                                                        November 5, 2013


               A YANG Data Model for SNMP Configuration
                      draft-ietf-netmod-snmp-cfg-03

Abstract

   This document defines a collection of YANG definitions for
   configuring SNMP engines.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 9, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Data Model
     2.1.  Tree Diagrams
     2.2.  General Considerations
     2.3.  Common Definitions
     2.4.  Engine Configuration
     2.5.  Target Configuration
     2.6.  Notification Configuration
     2.7.  Proxy Configuration
     2.8.  Community Configuration
     2.9.  View-based Access Control Model Configuration
     2.10. User-based Security Model Configuration
     2.11. Transport Security Model Configuration
     2.12. Transport Layer Security Transport Model Configuration
     2.13. Secure Shell Transport Model Configuration
   3.  Implementation Guidelines
     3.1.  Supporting read-only SNMP Access
     3.2.  Supporting read-write SNMP access
   4.  Definitions
     4.1.  Module 'ietf-x509-cert-to-name'
     4.2.  Module 'ietf-snmp'
     4.3.  Submodule 'ietf-snmp-common'
     4.4.  Submodule 'ietf-snmp-engine'
     4.5.  Submodule 'ietf-snmp-target'
     4.6.  Submodule 'ietf-snmp-notification'
     4.7.  Submodule 'ietf-snmp-proxy'
     4.8.  Submodule 'ietf-snmp-community'
     4.9.  Submodule 'ietf-snmp-vacm'
     4.10. Submodule 'ietf-snmp-usm'
     4.11. Submodule 'ietf-snmp-tsm'
     4.12. Submodule 'ietf-snmp-tls'
     4.13. Submodule 'ietf-snmp-ssh'
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Example configurations
     A.1.  Engine Configuration Example
     A.2.  Community Configuration Example
     A.3.  User-based Security Model Configuration Example
     A.4.  Target and Notification Configuration Example
     A.5.  Proxy Configuration Example
     A.6.  View-based Access Control Model Configuration Example
     A.7.  Transport Layer Security Transport Model Configuration
           Example
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020] data model for the
   configuration of SNMP engines.  The configuration model is consistent
   with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413],
   [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591], [RFC5592], and
   [RFC6353] but takes advantage of YANG's ability to define
   hierarchical configuration data models.  The structure of the model
   has been derived from existing proprietary configuration models
   implemented as command line interfaces.

   This document also defines a YANG data model for mapping an X.509
   certificate to a name.

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14, [RFC2119].

2.  Data Model

   In order to preserve the modularity of SNMP, the YANG configuration
   data model is organized in a set of YANG submodules, all sharing the
   same module namespace.  This makes it possible to add configuration
   support for additional SNMP features while keeping the number of
   namespaces that have to be dealt with to a minimum.

2.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is as
   follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!"
      means a presence container, and "*" denotes a list or leaf-list.

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.2.  General Considerations

   Most YANG nodes are mapped 1-1 to the corresponding MIB object.  The
   "reference" statement is used to indicate which corresponding MIB
   object the YANG node is mapped to.  When there is not a simple 1-1
   mapping, the "description" statement explains the mapping.

   The persistency models in SNMP and NETCONF are quite different.  In
   NETCONF, the persistency is defined by the datastore, whereas in SNMP
   it is defined either explicitly in the data model, or on a row-by-row
   basis by using the TEXTUAL-CONVENTION "StorageType".  Thus, in the
   YANG model defined here, the "StorageType" columns are not present.
   For implementation guidelines, see Section 3.

   In SNMP, row creation and deletion are controlled by using the
   TEXTUAL-CONVENTION "RowStatus".  In NETCONF, creation and deletion
   are handled by the protocol, not in the data model.
   Thus, in the YANG model defined here, the "RowStatus" columns are not
   present.

2.3.  Common Definitions

   The submodule "ietf-snmp-common" defines a set of common typedefs and
   the top-level container "snmp".  All configuration parameters defined
   in the other submodules are organized under this top-level container.

2.4.  Engine Configuration

   The submodule "ietf-snmp-engine", which defines configuration
   parameters that are specific to SNMP engines, has the following
   structure:

     +--rw snmp
        +--rw engine
           +--rw enabled?               boolean
           +--rw listen
           |  +--rw udp* [ip port]
           |     +--rw ip      inet:ip-address
           |     +--rw port    inet:port-number
           +--rw version
           |  +--rw v1?    empty
           |  +--rw v2c?   empty
           |  +--rw v3?    empty
           +--rw engine-id?             snmp:engine-id
           +--rw enable-authen-traps?   boolean

   The leaf "/snmp/engine/enabled" can be used to enable/disable an SNMP
   engine.

   The container "/snmp/engine/listen" provides configuration of the
   transport endpoints the engine is listening to.  In this submodule,
   SNMP over UDP is defined.  TLS and Datagram Transport Layer Security
   (DTLS) are also supported, defined in "ietf-snmp-tls" (Section 2.12).
   The "listen" container is expected to be augmented for other
   transports.

   The "/snmp/engine/version" container can be used to enable/disable
   the different message processing models.

2.5.  Target Configuration

   The submodule "ietf-snmp-target", which defines configuration
   parameters that correspond to the objects in SNMP-TARGET-MIB, has the
   following structure:

     +--rw snmp
        +--rw target* [name]
           +--rw name              snmp:identifier
           +--rw (transport)
           |  +--:(udp)
           |     +--rw udp
           |        +--rw ip               inet:ip-address
           |        +--rw port?            inet:port-number
           |        +--rw prefix-length?   uint8
           +--rw tag*              snmp:identifier
           +--rw timeout?          uint32
           +--rw retries?          uint8
           +--rw (params)?

   An entry in the list "/snmp/target" corresponds to an
   "snmpTargetAddrEntry".

   The "snmpTargetAddrTDomain" and "snmpTargetAddrTAddress" objects are
   mapped to transport-specific YANG nodes.  Each transport is
   configured as a separate case in the "transport" choice.  In this
   submodule, SNMP over UDP is defined.  TLS and DTLS are also
   supported, defined in "ietf-snmp-tls" (Section 2.12).  The
   "transport" choice is expected to be augmented for other transports.

   In order to provide a simpler configuration model with fewer cross-
   references, the "target" list also inlines the
   "snmpTargetParamsEntry" pointed to by "snmpTargetAddrParams".  This
   is accomplished with a choice "params", which is augmented by
   security model specific submodules, currently "ietf-snmp-community"
   (Section 2.8), "ietf-snmp-usm" (Section 2.10), and "ietf-snmp-tsm"
   (Section 2.11).

   The YANG model does not define a separate list that maps directly to
   "snmpTargetParamsTable".  Since "snmpProxyTable" also has a reference
   to this table, "snmpProxyTable" also has a choice "params" which is
   augmented by security model specific submodules (Section 2.7).

2.6.  Notification Configuration

   The submodule "ietf-snmp-notification", which defines configuration
   parameters that correspond to the objects in SNMP-NOTIFICATION-MIB,
   has the following structure:

     +--rw snmp
        +--rw notify* [name]
        |  +--rw name    snmp:identifier
        |  +--rw tag     snmp:identifier
        |  +--rw type?   enumeration
        +--rw notify-filter-profile* [name]
           +--rw name        snmp:identifier
           +--rw include*    wildcard-object-identifier
           +--rw exclude*    wildcard-object-identifier

   It also augments the "target" list defined in the "ietf-snmp-target"
   submodule (Section 2.5) with one leaf:

     +--rw snmp
        +--rw target* [name]
           ...
           +--rw notify-filter-profile?   leafref

   An entry in the list "/snmp/notify" corresponds to an
   "snmpNotifyEntry".
   An entry in the list "/snmp/notify-filter-profile" corresponds to an
   "snmpNotifyFilterProfileEntry".  In the MIB, there is a sparse
   relationship between "snmpTargetParamsTable" and
   "snmpNotifyFilterProfileTable".  In the YANG model, this sparse
   relationship is represented with a leafref leaf
   "notify-filter-profile" in the "/snmp/target" list, which refers to
   an entry in the "/snmp/notify-filter-profile" list.

   The "snmpNotifyFilterTable" is represented as the leaf-lists
   "include" and "exclude" within the "/snmp/notify-filter-profile"
   list.

   This submodule defines the feature "notification-filter".  A server
   implements this feature if it supports SNMP notification filtering.

2.7.  Proxy Configuration

   The submodule "ietf-snmp-proxy", which defines configuration
   parameters that correspond to the objects in SNMP-PROXY-MIB, has the
   following structure:

     +--rw snmp
        +--rw proxy* [name]
           +--rw name                   snmp:identifier
           +--rw type                   enumeration
           +--rw context-engine-id      snmp:engine-id
           +--rw context-name?          snmp:context-name
           +--rw params-in
           |  +--rw (params)
           +--rw single-target-out?     snmp:identifier
           +--rw multiple-target-out?   snmp:identifier

   An entry in the list "/snmp/proxy" corresponds to an
   "snmpProxyEntry".

   Like the "target" list (Section 2.5), the "proxy" list inlines the
   "snmpTargetParamsEntry" pointed to by "snmpProxyTargetParamsIn".
   This is accomplished with a choice "params", which is augmented by
   security model specific submodules, currently "ietf-snmp-community"
   (Section 2.8), "ietf-snmp-usm" (Section 2.10), and "ietf-snmp-tsm"
   (Section 2.11).

   This submodule defines the feature "proxy".  A server implements this
   feature if it can act as an SNMP Proxy.

2.8.  Community Configuration

   The submodule "ietf-snmp-community", which defines configuration
   parameters that correspond to the objects in SNMP-COMMUNITY-MIB, has
   the following structure:

     +--rw snmp
        +--rw community* [index]
           +--rw index            snmp:identifier
           +--rw (name)?
           |  +--:(text-name)
           |  |  +--rw text-name?     string
           |  +--:(binary-name)
           |     +--rw binary-name?   binary
           +--rw security-name    snmp:security-name
           +--rw engine-id?       snmp:engine-id
           +--rw context?         snmp:context-name
           +--rw target-tag?      snmp:identifier

   It also augments the "/snmp/target/params" and "/snmp/proxy/
   params-in/params" choices with nodes for the Community-Based Security
   Model used by SNMPv1 and SNMPv2c:

     +--rw snmp
        +--rw target* [name]
        |  ...
        |  +--rw (params)?
        |  |  +--:(v1)
        |  |  |  +--rw v1
        |  |  |     +--rw security-name   snmp:security-name
        |  |  +--:(v2c)
        |  |     +--rw v2c
        |  |        +--rw security-name   snmp:security-name
        |  +--rw mms?   union
        +--rw proxy
           +--rw params-in
              +--rw (params)
                 +--:(v1)
                 |  +--rw v1
                 |     +--rw security-name   snmp:security-name
                 +--:(v2c)
                    +--rw v2c
                       +--rw security-name   snmp:security-name

   An entry in the list "/snmp/community" corresponds to an
   "snmpCommunityEntry".

   When a case "v1" or "v2c" is chosen, it implies a
   snmpTargetParamsMPModel 0 (SNMPv1) or 1 (SNMPv2c), and a
   snmpTargetParamsSecurityModel 1 (SNMPv1) or 2 (SNMPv2c), respectively.
   Both cases imply a snmpTargetParamsSecurityLevel of noAuthNoPriv,
   since the community string carries no authentication or privacy.

2.9.  View-based Access Control Model Configuration

   The submodule "ietf-snmp-vacm", which defines configuration
   parameters that correspond to the objects in SNMP-VIEW-BASED-ACM-MIB,
   has the following structure:

     +--rw snmp
        +--rw vacm
           +--rw group* [name]
           |  +--rw name      group-name
           |  +--rw member* [security-name]
           |  |  +--rw security-name     snmp:security-name
           |  |  +--rw security-model*   snmp:security-model
           |  +--rw access* [context security-model security-level]
           |     +--rw context          snmp:context-name
           |     +--rw context-match?   enumeration
           |     +--rw security-model   snmp:security-model-or-any
           |     +--rw security-level   snmp:security-level
           |     +--rw read-view?       view-name
           |     +--rw write-view?      view-name
           |     +--rw notify-view?     view-name
           +--rw view* [name]
              +--rw name       view-name
              +--rw include*   snmp:wildcard-object-identifier
              +--rw exclude*   snmp:wildcard-object-identifier

   The "vacmSecurityToGroupTable" and "vacmAccessTable" are mapped to a
   structure of nested lists in the YANG model.  Groups are defined in
   the list "/snmp/vacm/group" and for each group there is a sublist
   "member" that maps to "vacmSecurityToGroupTable", and a sublist
   "access" that maps to "vacmAccessTable".

   MIB views are defined in the list "/snmp/vacm/view" and for each MIB
   view there is a leaf-list of included subtree families and a leaf-
   list of excluded subtree families.  This is more compact and thus a
   more readable representation of the "vacmViewTreeFamilyTable".

2.10.  User-based Security Model Configuration

   The submodule "ietf-snmp-usm", which defines configuration parameters
   that correspond to the objects in SNMP-USER-BASED-SM-MIB, has the
   following structure:

     +--rw snmp
        +--rw usm
           +--rw local
           |  +--rw user* [name]
           |     +-- {common user params}
           +--rw remote* [engine-id]
              +--rw engine-id   snmp:engine-id
              +--rw user* [name]
                 +-- {common user params}

   The "{common user params}" are:

     +--rw name    snmp:identifier
     +--rw auth!
     |  +--rw (protocol)
     |     +--:(md5)
     |     |  +--rw md5
     |     |     +--rw key    string
     |     +--:(sha)
     |        +--rw sha
     |           +--rw key    string
     +--rw priv!
        +--rw (protocol)
           +--:(des)
           |  +--rw des
           |     +--rw key    string
           +--:(aes)
              +--rw aes
                 +--rw key    string

   It also augments the "/snmp/target/params" and "/snmp/proxy/
   params-in/params" choices with nodes for the SNMP User-based Security
   Model.

     +--rw snmp
        +--rw target* [name]
        ...
        |  +--rw (params)?
        |     +--:(usm)
        |        +--rw usm
        |           +--rw user-name        snmp:security-name
        |           +--rw security-level   security-level
        +--rw proxy* [name]
        ...
           +--rw params-in
              +--rw (params)
                 +--:(usm)
                    +--rw usm
                       +--rw user-name        snmp:security-name
                       +--rw security-level   security-level

   In the MIB, there is a single table with local and remote users,
   indexed by the engine id and user name.  In the YANG model, there is
   one list of local users, and a nested list of remote users.

   In the MIB, there are several objects related to changing the
   authentication and privacy keys.  These objects are not present in
   the YANG model.  However, the localized key (the key as derived for
   one particular engine id) can be changed.  This implies that if the
   engine id is changed, all users' keys need to be changed as well.

2.11.  Transport Security Model Configuration

   The submodule "ietf-snmp-tsm", which defines configuration parameters
   that correspond to the objects in SNMP-TSM-MIB, has the following
   structure:

     +--rw snmp
        +--rw tsm
           +--rw use-prefix?   boolean

   It also augments the "/snmp/target/params" and "/snmp/proxy/
   params-in/params" choices with nodes for the SNMP Transport Security
   Model.

     +--rw snmp
        +--rw target* [name]
        ...
        |  +--rw (params)?
        |     +--:(tsm)
        |        +--rw tsm
        |           +--rw security-name    snmp:security-name
        |           +--rw security-level   security-level
        +--rw proxy* [name]
        ...
           +--rw params-in
              +--rw (params)
                 +--:(tsm)
                    +--rw tsm
                       +--rw security-name    snmp:security-name
                       +--rw security-level   security-level

   This submodule defines the feature "tsm".  A server implements this
   feature if it supports the Transport Security Model (tsm) [RFC5591].

2.12.  Transport Layer Security Transport Model Configuration

   The submodule "ietf-snmp-tls", which defines configuration parameters
   that correspond to the objects in SNMP-TLS-TM-MIB, has the following
   structure:

     +--rw snmp
        ...
        +--rw target* [name]
        |  ...
        |  +--rw (transport)
        |     ...
        |     +--:(tls)
        |     |  +--rw tls
        |     |     +-- {common (d)tls transport params}
        |     +--:(dtls)
        |        +--rw dtls
        |           +-- {common (d)tls transport params}
        +--rw tlstm
           +--rw cert-to-name* [id]
              +--rw id            uint32
              +--rw fingerprint   x509c2n:tls-fingerprint
              +--rw map-type      identityref
              +--rw name          string

   The "{common (d)tls transport params}" are:

     +--rw ip?                   inet:host
     +--rw port?                 inet:port-number
     +--rw client-fingerprint?   x509c2n:tls-fingerprint
     +--rw server-fingerprint?   x509c2n:tls-fingerprint
     +--rw server-identity?      snmp:admin-string

   It also augments the "/snmp/engine/listen" container with objects for
   the (D)TLS transport endpoints:

     +--rw snmp
        +--rw engine
           ...
           +--rw listen
              ...
              +--rw tls* [ip port]
              |  +--rw ip      inet:ip-address
              |  +--rw port    inet:port-number
              +--rw dtls* [ip port]
                 +--rw ip      inet:ip-address
                 +--rw port    inet:port-number

   This submodule defines the feature "tlstm".  A server implements this
   feature if it supports the Transport Layer Security (TLS) Transport
   Model (tlstm) [RFC6353].

2.13.  Secure Shell Transport Model Configuration

   The submodule "ietf-snmp-ssh", which defines configuration parameters
   that correspond to the objects in SNMP-SSH-TM-MIB, has the following
   structure:

     +--rw snmp
        ...
        +--rw target* [name]
           ...
           +--rw (transport)
              ...
              +--:(ssh)
                 +--rw ssh
                    +--rw ip          inet:host
                    +--rw port?       inet:port-number
                    +--rw username?   string

   It also augments the "/snmp/engine/listen" container with objects for
   the SSH transport endpoints:

     +--rw snmp
        +--rw engine
           ...
           +--rw listen
              ...
              +--rw ssh* [ip port]

   This submodule defines the feature "sshtm".  A server implements this
   feature if it supports the Secure Shell (SSH) Transport Model (sshtm)
   [RFC5592].

3.  Implementation Guidelines

   This section describes some challenges for implementations that
   support both the YANG models defined in this document and either
   read-write or read-only SNMP access to the same data using the
   standard MIB modules.

   As described in Section 2.2, the persistency models in NETCONF and
   SNMP are quite different.  This poses a challenge for an
   implementation that supports both NETCONF and SNMP access to the same
   data, in particular if the data is writable over both protocols.
   Specifically, the configuration data may exist in some combination of
   the three NETCONF configuration datastores, and this data must be
   mapped to rows in the SNMP tables, in some SNMP contexts, with proper
   values for the StorageType columns.
   This problem is not new; it has been handled in many implementations
   that support configuration of the SNMP engine over a command line
   interface (CLI), which normally have a persistency model similar to
   NETCONF.

   Since there is not one solution that works for all cases, this
   document does not provide a recommended solution.  Instead some of
   the challenges involved are described below.

3.1.  Supporting read-only SNMP Access

   If a device implements only :writable-running, it is trivial to map
   the contents of "running" to data in the SNMP tables, where all
   instances of the StorageType columns have the value "nonVolatile".

   If a device implements :candidate, but not :startup, the
   implementation may choose to not expose the contents of the
   "candidate" datastore over SNMP, and map the contents of "running" as
   described above.  As an option, the contents of "candidate" might be
   accessible in a separate SNMP context.

   If a device implements :startup, the handling of StorageType becomes
   more difficult.  Since the contents of "running" and "startup" might
   differ, data in "running" cannot automatically be mapped to instances
   with StorageType "nonVolatile".  If a particular entry exists in
   "running" but not in "startup", its StorageType should be "volatile".
   If a particular entry exists in "startup", but not in "running", it
   should not be mapped to an SNMP instance, at least not in the default
   SNMP context.

3.2.  Supporting read-write SNMP access

   If the implementation supports read-write access to data over SNMP,
   and specifically creation of table rows, special attention has to be
   given to the handling of the RowStatus and StorageType columns.  The
   problem is to determine which table rows to store in the
   configuration datastores, and which configuration datastore is
   appropriate for each row.
647 The SNMP tables contain a mix of configured data and operational 648 state, and only rows with an "active" RowStatus column should be 649 stored in a configuration datastore. 651 If a device implements only :writable-running, "active" rows with a 652 "nonVolatile" StorageType column can be stored in "running". Rows 653 with a "volatile" StorageType column are operational state. 655 If a device implements :candidate, but not :writable-running, all 656 configuration changes typically go through the "candidate", even if 657 they are done over SNMP. An implementation might have to perform 658 some automatic commit of the "candidate" when data is written over 659 SNMP, since there is no explicit "commit" operation in SNMP. 661 If a device implements :startup, "nonVolatile" rows cannot just be 662 written to "running", they must also be copied into "startup". 663 "volatile" rows may be treated as operational state and not copied to 664 any datastore, or copied into "running". 666 4. Definitions 668 4.1. Module 'ietf-x509-cert-to-name' 670 This YANG module imports typedefs from [RFC6991]. 672 file "ietf-x509-cert-to-name.yang" 674 module ietf-x509-cert-to-name { 676 namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"; 677 prefix x509c2n; 679 import ietf-yang-types { 680 prefix yang; 681 } 683 organization 684 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 686 contact 687 "WG Web: 688 WG List: 690 WG Chair: David Kessens 691 693 WG Chair: Juergen Schoenwaelder 694 696 Editor: Martin Bjorklund 697 699 Editor: Juergen Schoenwaelder 700 "; 702 description 703 "This module contains a collection of YANG definitions for 704 extracting a name from a X.509 certificate. 706 The algorithm used to extract a name from a X.509 certificate 707 was first defined in RFC 6353. 709 Copyright (c) 2013 IETF Trust and the persons identified as 710 authors of the code. All rights reserved. 
712 Redistribution and use in source and binary forms, with or 713 without modification, is permitted pursuant to, and subject 714 to the license terms contained in, the Simplified BSD License 715 set forth in Section 4.c of the IETF Trust's Legal Provisions 716 Relating to IETF Documents 717 (http://trustee.ietf.org/license-info). 719 This version of this YANG module is part of RFC XXXX; see 720 the RFC itself for full legal notices."; 721 // RFC Ed.: replace XXXX with actual RFC number and remove this 722 // note. 724 reference 725 "RFC6353: Transport Layer Security (TLS) Transport Model for 726 the Simple Network Management Protocol (SNMP)"; 728 // RFC Ed.: update the date below with the date of RFC publication 729 // and remove this note. 730 revision 2013-11-05 { 731 description 732 "Initial revision."; 733 reference 734 "RFC XXXX: A YANG Data Model for SNMP Configuration"; 736 } 738 typedef tls-fingerprint { 739 type yang:hex-string { 740 pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}'; 741 } 742 description 743 "A fingerprint value that can be used to uniquely reference 744 other data of potentially arbitrary length. 746 An tls-fingerprint value is composed of a 1-octet hashing 747 algorithm identifier followed by the fingerprint value. The 748 first octet value identifying the hashing algorithm is taken 749 from the IANA TLS HashAlgorithm Registry (RFC 5246). The 750 remaining octets are filled using the results of the hashing 751 algorithm."; 752 reference "SNMP-TLS-TM-MIB.SnmpTLSFingerprint"; 753 } 755 /* Identities */ 757 identity cert-to-name { 758 description 759 "Base identity for algorithms to derive a name from a 760 certificate."; 761 } 762 identity specified { 763 base cert-to-name; 764 description 765 "Directly specifies the name to be used for the certificate. 
766 The value of the leaf 'name' in 'cert-to-name' list is used."; 767 reference "SNMP-TLS-TM-MIB.snmpTlstmCertSpecified"; 768 } 770 identity san-rfc822-name { 771 base cert-to-name; 772 description 773 "Maps a subjectAltName's rfc822Name to a name. The local part 774 of the rfc822Name is passed unaltered but the host-part of the 775 name must be passed in lowercase. This mapping results in a 776 1:1 correspondence between equivalent subjectAltName 777 rfc822Name values and name values except that the host-part 778 of the name MUST be passed in lowercase. For example, the 779 rfc822Name field FooBar@Example.COM is mapped to name 780 FooBar@example.com."; 781 reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name"; 782 } 784 identity san-dns-name { 785 base cert-to-name; 786 description 787 "Maps a subjectAltName's dNSName to a name after first 788 converting it to all lowercase (RFC 5280 does not specify 789 converting to lowercase so this involves an extra step). 790 This mapping results in a 1:1 correspondence between 791 subjectAltName dNSName values and the name values."; 792 reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName"; 793 } 795 identity san-ip-address { 796 base cert-to-name; 797 description 798 "Maps a subjectAltName's iPAddress to a name by 799 transforming the binary encoded address as follows: 801 1) for IPv4, the value is converted into a 802 decimal-dotted quad address (e.g., '192.0.2.1'). 804 2) for IPv6 addresses, the value is converted into a 805 32-character all lowercase hexadecimal string 806 without any colon separators. 
808 This mapping results in a 1:1 correspondence between 809 subjectAltName iPAddress values and the name values."; 811 reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress"; 812 } 814 identity san-any { 815 base cert-to-name; 816 description 817 "Maps any of the following fields using the corresponding 818 mapping algorithms: 820 +------------+-----------------+ 821 | Type | Algorithm | 822 |------------+-----------------| 823 | rfc822Name | san-rfc822-name | 824 | dNSName | san-dns-name | 825 | iPAddress | san-ip-address | 826 +------------+-----------------+ 828 The first matching subjectAltName value found in the 829 certificate of the above types MUST be used when deriving 830 the name. The mapping algorithm specified in the 831 'Algorithm' column MUST be used to derive the name. 833 This mapping results in a 1:1 correspondence between 834 subjectAltName values and name values. The three sub-mapping 835 algorithms produced by this combined algorithm cannot produce 836 conflicting results between themselves."; 837 reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANAny"; 838 } 840 identity common-name { 841 base cert-to-name; 842 description 843 "Maps a certificate's CommonName to a name after converting 844 it to a UTF-8 encoding. The usage of CommonNames is 845 deprecated and users are encouraged to use subjectAltName 846 mapping methods instead. This mapping results in a 1:1 847 correspondence between certificate CommonName values and name 848 values."; 849 reference "SNMP-TLS-TM-MIB.snmpTlstmCertCommonName"; 850 } 852 /* 853 * Groupings 854 */ 856 grouping cert-to-name { 857 description 858 "Defines nodes for mapping certificates to names. Modules 859 that uses this grouping should describe how the resulting 860 name is used."; 862 list cert-to-name { 863 key id; 864 description 865 "This list defines how certificates are mapped to names. 866 The name is derived by considering each cert-to-name 867 list entry in order. 
         The cert-to-name entry's fingerprint
         determines whether the list entry is a match:

         1) If the cert-to-name list entry's fingerprint value
            matches that of the presented certificate, then consider
            the list entry as a successful match.

         2) If the cert-to-name list entry's fingerprint value
            matches that of a locally held copy of a trusted CA
            certificate, and that CA certificate was part of the CA
            certificate chain to the presented certificate, then
            consider the list entry as a successful match.

         Once a matching cert-to-name list entry has been found, the
         map-type is used to determine how the name associated with
         the certificate should be determined.  See the map-type
         leaf's description for details on determining the name value.
         If it is impossible to determine a name from the cert-to-name
         list entry's data combined with the data presented in the
         certificate, then additional cert-to-name list entries MUST
         be searched looking for another potential match.

         Security administrators are encouraged to make use of
         certificates with subjectAltName fields that can be mapped to
         names so that a single root CA certificate can allow all
         child certificates' subjectAltName fields to map directly to
         names via a 1:1 transformation.";
      reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";

      leaf id {
        type uint32;
        description
          "The id specifies the order in which the entries in the
           cert-to-name list are searched.  Entries with lower
           numbers are searched first.";
        reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
      }

      leaf fingerprint {
        type x509c2n:tls-fingerprint;
        mandatory true;
        description
          "Specifies a value with which the fingerprint of the
           certificate presented by the peer is compared.
           If the
           fingerprint of the certificate presented by the peer does
           not match the fingerprint configured, then the entry is
           skipped and the search for a match continues.";
        reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
      }

      leaf map-type {
        type identityref {
          base cert-to-name;
        }
        mandatory true;
        description
          "Specifies the algorithm used to map the certificate
           presented by the peer to a name.

           Mappings that need additional configuration objects should
           use the 'when' statement to make them conditional based on
           the 'map-type'.";
        reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
      }

      leaf name {
        when "../map-type = 'x509c2n:specified'";
        type string;
        mandatory true;
        description
          "Directly specifies the NETCONF username when the
           'map-type' is 'specified'.";
        reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
      }
    }
  }
}

4.2.  Module 'ietf-snmp'

file "ietf-snmp.yang"

module ietf-snmp {

  namespace "urn:ietf:params:xml:ns:yang:ietf-snmp";
  prefix snmp;
  // RFC Ed.: update the dates below with the date of RFC publication
  // and remove this note.
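The cert-to-name identities and grouping of Section 4.1 above are the part of this model that turns a TLS peer's certificate into a security name, so the search order and the per-map-type algorithms deserve to be seen executing. The following Python is an added example written for this page, not code from the draft or from any SNMP implementation. It assumes a certificate is represented as a constructed dict (its own fingerprint, the fingerprints of trusted CA certificates in its chain, subjectAltName entries in certificate order, and the CommonName), and that fingerprints are compared as opaque placeholder strings rather than as x509c2n:tls-fingerprint values.

```python
"""Certificate-to-name resolution for the cert-to-name grouping above.
Added example, not code from the draft.  Assumptions: a certificate is
a plain dict of constructed fields; fingerprints are opaque strings."""
import ipaddress
from typing import Iterable, Optional


# --- the per-map-type algorithms -------------------------------------------

def san_rfc822_name(value: str) -> str:
    """rfc822Name: local part unaltered, host part lowercased."""
    local, sep, host = value.rpartition("@")
    if not sep:
        raise ValueError("rfc822Name without '@': %r" % value)
    return local + "@" + host.lower()


def san_dns_name(value: str) -> str:
    """dNSName: whole name lowercased (an extra step beyond RFC 5280)."""
    return value.lower()


def san_ip_address(raw: bytes) -> str:
    """iPAddress: IPv4 -> dotted quad; IPv6 -> 32 lowercase hex chars, no colons."""
    addr = ipaddress.ip_address(raw)      # accepts 4- or 16-byte packed input
    if addr.version == 4:
        return str(addr)                  # e.g. '192.0.2.1'
    return addr.packed.hex()              # 16 bytes -> 32 lowercase hex digits


_SAN_ALGORITHMS = {
    "rfc822Name": san_rfc822_name,
    "dNSName": san_dns_name,
    "iPAddress": san_ip_address,
}


def san_any(sans: Iterable[tuple]) -> Optional[str]:
    """san-any: the first SAN of a mappable type, in certificate order, wins."""
    for san_type, value in sans:
        algorithm = _SAN_ALGORITHMS.get(san_type)
        if algorithm is not None:
            return algorithm(value)
    return None


def common_name(cn) -> Optional[str]:
    """common-name: the CN as a UTF-8 string (deprecated in favour of SANs)."""
    if cn is None:
        return None
    return cn.decode("utf-8") if isinstance(cn, bytes) else cn


def derive_name(entry: dict, cert: dict) -> Optional[str]:
    """Apply one cert-to-name entry's map-type to a certificate."""
    map_type = entry["map-type"]
    if map_type == "specified":
        return entry["name"]              # the 'name' leaf, present only here
    if map_type == "san-any":
        return san_any(cert.get("sans", ()))
    if map_type == "common-name":
        return common_name(cert.get("cn"))
    wanted = {"san-rfc822-name": "rfc822Name", "san-dns-name": "dNSName",
              "san-ip-address": "iPAddress"}[map_type]
    for san_type, value in cert.get("sans", ()):
        if san_type == wanted:
            return _SAN_ALGORITHMS[san_type](value)
    return None                           # nothing mappable in this certificate


def entry_matches(entry: dict, cert: dict) -> bool:
    """Fingerprint test 1) the leaf itself, or 2) a trusted CA in its chain."""
    fp = entry["fingerprint"]
    return fp == cert["fingerprint"] or fp in cert.get("chain_fingerprints", ())


def resolve_name(entries: list, cert: dict) -> Optional[str]:
    """Walk the list in 'id' order; the first matching entry that yields a
    name wins.  An entry that matches but yields nothing is skipped (MUST)."""
    for entry in sorted(entries, key=lambda e: e["id"]):
        if entry_matches(entry, cert):
            name = derive_name(entry, cert)
            if name is not None:
                return name
    return None


# constructed cert-to-name list and certificates; fingerprints are placeholders
CERT_TO_NAME = [
    {"id": 20, "fingerprint": "FP-TRUSTED-CA", "map-type": "common-name"},
    {"id": 10, "fingerprint": "FP-TRUSTED-CA", "map-type": "san-any"},
    {"id": 5, "fingerprint": "FP-LEAF-ADMIN", "map-type": "specified", "name": "admin"},
]
CERTS = {
    "ops": {"fingerprint": "FP-LEAF-1", "chain_fingerprints": ["FP-TRUSTED-CA"],
            "sans": [("iPAddress", bytes([192, 0, 2, 1])),
                     ("rfc822Name", "FooBar@Example.COM")], "cn": "Ops Box"},
    "no-san": {"fingerprint": "FP-LEAF-2", "chain_fingerprints": ["FP-TRUSTED-CA"],
               "sans": [], "cn": "Legacy Box"},
    "admin": {"fingerprint": "FP-LEAF-ADMIN", "chain_fingerprints": ["FP-OTHER-CA"],
              "sans": [("dNSName", "Admin.Example.NET")], "cn": "Admin"},
    "stranger": {"fingerprint": "FP-LEAF-9", "chain_fingerprints": ["FP-OTHER-CA"],
                 "sans": [("dNSName", "host.example")], "cn": "x"},
}

if __name__ == "__main__":
    for label, cert in CERTS.items():
        print(f"{label:9s} -> {resolve_name(CERT_TO_NAME, cert)}")
```

Two behaviours worth noticing when running it: the single CA-fingerprint entry with map-type san-any gives every leaf under that CA a name derived from its certificate (the 1:1 transformation the grouping recommends), and a leaf without any mappable subjectAltName falls through that entry to the next one in id order instead of failing outright.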
  include ietf-snmp-common {
    revision-date 2013-11-05;
  }
  include ietf-snmp-engine {
    revision-date 2013-11-05;
  }
  include ietf-snmp-target {
    revision-date 2013-11-05;
  }
  include ietf-snmp-notification {
    revision-date 2013-11-05;
  }
  include ietf-snmp-proxy {
    revision-date 2013-11-05;
  }
  include ietf-snmp-community {
    revision-date 2013-11-05;
  }
  include ietf-snmp-usm {
    revision-date 2013-11-05;
  }
  include ietf-snmp-tsm {
    revision-date 2013-11-05;
  }
  include ietf-snmp-vacm {
    revision-date 2013-11-05;
  }
  include ietf-snmp-tls {
    revision-date 2013-11-05;
  }
  include ietf-snmp-ssh {
    revision-date 2013-11-05;
  }

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This module contains a collection of YANG definitions for
     configuring SNMP engines.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
  revision 2013-11-05 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

}

4.3.  Submodule 'ietf-snmp-common'

file "ietf-snmp-common.yang"

submodule ietf-snmp-common {
  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-yang-types {
    prefix yang;
  }

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of common YANG definitions
     for configuring SNMP engines.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2013-11-05 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  /* Collection of SNMP specific data types */

  typedef admin-string {
    type string {
      length "0..255";
    }
    description
      "Represents an SnmpAdminString as defined in RFC 3411.
       Note that the size of an SnmpAdminString is measured in
       octets, not characters.";
    reference "SNMP-FRAMEWORK-MIB.SnmpAdminString";
  }

  typedef identifier {
    type admin-string {
      length "1..32";
    }
    description
      "Identifiers are used to name items in the SNMP configuration
       data store.";
  }

  typedef context-name {
    type admin-string {
      length "0..32";
    }
    description
      "The context-name type represents an SNMP context name.";
    reference
      "RFC3411: An Architecture for Describing SNMP Management
       Frameworks";
  }

  typedef security-name {
    type admin-string {
      length "1..32";
    }
    description
      "The security-name type represents an SNMP security name.";
    reference
      "RFC3411: An Architecture for Describing SNMP Management
       Frameworks";
  }

  typedef security-model {
    type union {
      type enumeration {
        enum v1  { value 1; }
        enum v2c { value 2; }
        enum usm { value 3; }
        enum tsm { value 4; }
      }
      type int32 {
        range "1..2147483647";
      }
    }
    reference
      "RFC3411: An Architecture for Describing SNMP Management
       Frameworks";
  }

  typedef security-model-or-any {
    type union {
      type enumeration {
        enum any { value 0; }
      }
      type security-model;
    }
    reference
      "RFC3411: An Architecture for Describing SNMP Management
       Frameworks";
  }

  typedef security-level {
    type enumeration {
      enum no-auth-no-priv { value 1; }
      enum auth-no-priv    { value 2; }
      enum auth-priv       { value 3; }
    }
    reference
      "RFC3411: An Architecture for Describing SNMP Management
       Frameworks";
  }

  typedef engine-id {
    type yang:hex-string {
      pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}';
    }
    description
      "The Engine ID, specified as a list of colon-separated
       hexadecimal octets, e.g., '80:00:02:b8:04:61:62:63'.";
    reference
      "RFC3411: An Architecture for Describing SNMP Management
       Frameworks";
  }

  typedef wildcard-object-identifier {
    type string;
    description
      "The wildcard-object-identifier type represents an SNMP object
       identifier where subidentifiers can be given either as a label,
       in numeric form, or a wildcard, represented by a *.";
  }

  container snmp {
    description
      "Top-level container for SNMP related configuration and
       status objects.";
  }

}

4.4.  Submodule 'ietf-snmp-engine'

file "ietf-snmp-engine.yang"

submodule ietf-snmp-engine {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP engines.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
  revision 2013-11-05 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    container engine {
      description
        "Configuration of the SNMP engine.";

      leaf enabled {
        type boolean;
        default "false";
        description
          "Enables the SNMP engine.";
      }

      container listen {
        description
          "Configuration of the transport endpoints on which the
           engine listens.  Submodules providing configuration for
           additional transports are expected to augment this
           container.";

        list udp {
          key "ip port";
          description
            "A list of IPv4 and IPv6 addresses and ports to which the
             engine listens.";

          leaf ip {
            type inet:ip-address;
            description
              "The IPv4 or IPv6 address on which the engine
               listens.";
          }
          leaf port {
            type inet:port-number;
            description
              "The UDP port on which the engine listens.";
          }
        }
      }

      container version {
        description
          "SNMP versions used by the engine.";
        leaf v1 {
          type empty;
        }
        leaf v2c {
          type empty;
        }
        leaf v3 {
          type empty;
        }
      }

      leaf engine-id {
        type snmp:engine-id;
        description
          "The local SNMP engine's administratively-assigned unique
           identifier.

           If this leaf is not set, the device automatically
           calculates an engine id, as described in RFC 3411.  A
           server MAY initialize this leaf with the automatically
           created value.";
        reference "SNMP-FRAMEWORK-MIB.snmpEngineID";
      }

      leaf enable-authen-traps {
        type boolean;
        description
          "Indicates whether the SNMP entity is permitted to
           generate authenticationFailure traps.";
        reference "SNMPv2-MIB.snmpEnableAuthenTraps";
      }
    }
  }
}

4.5.  Submodule 'ietf-snmp-target'

file "ietf-snmp-target.yang"

submodule ietf-snmp-target {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP targets.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3413: Simple Network Management Protocol (SNMP)
     Applications";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
  revision 2013-11-05 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    list target {
      key name;
      description
        "List of targets.";
      reference "SNMP-TARGET-MIB.snmpTargetAddrTable";

      leaf name {
        type snmp:identifier;
        description
          "Identifies the target.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrName";
      }
      choice transport {
        mandatory true;
        description
          "Transport address of the target.

           The snmpTargetAddrTDomain and snmpTargetAddrTAddress
           objects are mapped to transport-specific YANG nodes.  Each
           transport is configured as a separate case in this
           choice.  Submodules providing configuration for additional
           transports are expected to augment this choice.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTDomain
                   SNMP-TARGET-MIB.snmpTargetAddrTAddress";
        case udp {
          reference "SNMPv2-TM.snmpUDPDomain
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4z
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6z";
          container udp {
            leaf ip {
              type inet:ip-address;
              mandatory true;
              reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
            }
            leaf port {
              type inet:port-number;
              default 162;
              description
                "UDP port number";
              reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
            }
            leaf prefix-length {
              type uint8;
              description
                "The value of this leaf must be consistent with the
                 value of ../snmp:ip.  If ../snmp:ip contains an ipv4
                 address, this leaf must be less than or equal to 32.
                 If it contains an ipv6 address, it must be less than
                 or equal to 128.

                 Note that the prefix-length is currently only used
                 by the Community-based Security Model to filter
                 incoming messages.
                 Furthermore, the prefix-length
                 filtering does not cover all possible filters
                 supported by the corresponding MIB object.";
              reference "SNMP-COMMUNITY-MIB.snmpTargetAddrTMask";
            }
          }
        }
      }
      leaf-list tag {
        type snmp:identifier;
        description
          "List of tag values used to select target addresses.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTagList";
      }
      leaf timeout {
        type uint32;
        units "0.01 seconds";
        default 1500;
        description
          "Needed only if this target can receive
           InformRequest-PDUs.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTimeout";
      }
      leaf retries {
        type uint8;
        default 3;
        description
          "Needed only if this target can receive
           InformRequest-PDUs.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrRetryCount";
      }
      choice params {
        description
          "This choice is augmented with case nodes containing
           security model specific configuration parameters.  Each
           such case represents one entry in the
           snmpTargetParamsTable.

           When the snmpTargetAddrParams object contains a reference
           to a non-existing snmpTargetParamsEntry, this choice does
           not contain any case, and vice versa.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrParams
                   SNMP-TARGET-MIB.snmpTargetParamsTable";
      }
    }
  }
}

4.6.  Submodule 'ietf-snmp-notification'

file "ietf-snmp-notification.yang"

submodule ietf-snmp-notification {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP notifications.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3413: Simple Network Management Protocol (SNMP)
     Applications";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2013-11-05 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  feature notification-filter {
    description
      "A server implements this feature if it supports SNMP
       notification filtering.";
  }

  augment /snmp:snmp {

    list notify {
      key name;
      description
        "Targets that will receive notifications.
         Entries in this list are mapped 1-1 to entries in
         snmpNotifyTable, except that if an entry in snmpNotifyTable
         has a snmpNotifyTag for which no snmpTargetAddrEntry exists,
         then the snmpNotifyTable entry is not mapped to an entry in
         this list.";

      reference "SNMP-NOTIFICATION-MIB.snmpNotifyTable";

      leaf name {
        type snmp:identifier;
        description
          "An arbitrary name for the list entry.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyName";
      }
      leaf tag {
        type snmp:identifier;
        mandatory true;
        description
          "Target tag, selects a set of notification targets.

           Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/tag in
           a valid configuration.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyTag";
      }
      leaf type {
        type enumeration {
          enum trap   { value 1; }
          enum inform { value 2; }
        }
        default trap;
        description
          "Defines the notification type to be generated.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyType";
      }
    }

    list notify-filter-profile {
      if-feature snmp:notification-filter;
      key name;

      description
        "Notification filter profiles.

         The leaf /snmp/target/notify-filter-profile is used
         to associate a filter profile with a target.

         If an entry in this list is referred to by one or more
         /snmp/target/notify-filter-profile, each such
         notify-filter-profile is represented by one
         snmpNotifyFilterProfileEntry.
         If an entry in this list is not referred to by any
         /snmp/target/notify-filter-profile, the entry is not mapped
         to snmpNotifyFilterProfileTable.";
      reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable
                 SNMP-NOTIFICATION-MIB.snmpNotifyFilterTable";

      leaf name {
        type snmp:identifier;
        description
          "Name of the filter profile";
        reference
          "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
      }

      leaf-list include {
        type snmp:wildcard-object-identifier;
        description
          "A family of subtrees included in this filter.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
      }

      leaf-list exclude {
        type snmp:wildcard-object-identifier;
        description
          "A family of subtrees excluded from this filter.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
      }
    }

  }

  augment /snmp:snmp/snmp:target {
    reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable";
    leaf notify-filter-profile {
      if-feature snmp:notification-filter;
      type leafref {
        path "/snmp/notify-filter-profile/name";
      }
      description
        "This leafref leaf is used to represent the sparse
         relationship between the /snmp/target list and the
         /snmp/notify-filter-profile list.";
      reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
    }
  }

}

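Taken together, the target list of Section 4.5 and the notify and notify-filter-profile lists above decide where a notification goes: a notify entry's tag selects every target carrying that tag, and a target's notify-filter-profile then admits or drops the notification by OID subtree, which is how a defender keeps, say, authenticationFailure traps away from a receiver that should not see them. The following Python is an added example written for this page, not code from the draft or from any SNMP implementation. It assumes a constructed configuration dict mirroring the YANG tree, wildcard-object-identifier values with numeric sub-identifiers or '*' only (label forms would need a MIB), and the longest-match rule of RFC 3413's snmpNotifyFilterTable when include and exclude families both match.

```python
"""Notification fan-out for /snmp/target, /snmp/notify and
/snmp/notify-filter-profile.  Added example, not code from the draft.
Assumptions: dict configuration mirroring the YANG tree; numeric or '*'
sub-identifiers only; longest matching family wins (RFC 3413 rule)."""
from typing import Dict, Optional

# constructed configuration; addresses are from documentation ranges
CONFIG = {
    "target": [
        {"name": "nms1", "udp": {"ip": "192.0.2.10", "port": 162},
         "tag": ["ops"], "notify-filter-profile": "no-auth-failures"},
        {"name": "nms2", "udp": {"ip": "2001:db8::5", "port": 162},
         "tag": ["ops", "audit"], "timeout": 500, "retries": 5},
        {"name": "siem", "udp": {"ip": "192.0.2.20", "port": 1162},
         "tag": ["audit"], "notify-filter-profile": "enterprise-only"},
    ],
    "notify": [
        {"name": "n-ops", "tag": "ops", "type": "trap"},
        {"name": "n-audit", "tag": "audit", "type": "inform"},
    ],
    "notify-filter-profile": [
        {"name": "no-auth-failures",
         "include": ["1.3.6.1.6.3.1.1.5"],      # snmpTraps subtree ...
         "exclude": ["1.3.6.1.6.3.1.1.5.5"]},   # ... minus authenticationFailure
        {"name": "enterprise-only",
         "include": ["1.3.6.1.4.1.*"],         # any enterprise subtree
         "exclude": []},
    ],
}

LINK_UP = "1.3.6.1.6.3.1.1.5.4"
AUTH_FAILURE = "1.3.6.1.6.3.1.1.5.5"
ENTERPRISE_TRAP = "1.3.6.1.4.1.32473.0.1"   # 32473: documentation enterprise (RFC 5612)


def family_matches(family: str, oid: str) -> bool:
    """A wildcard-object-identifier family covers an OID when the family is a
    prefix of the OID, with '*' standing for any one sub-identifier."""
    fam, sub = family.split("."), oid.split(".")
    return len(fam) <= len(sub) and all(f in ("*", s) for f, s in zip(fam, sub))


def filter_allows(profile: Optional[dict], oid: str) -> bool:
    """No profile: everything is sent.  Otherwise the most specific matching
    include/exclude family wins (ties: lexicographically greater family,
    mirroring RFC 3413); no matching family at all means not sent."""
    if profile is None:
        return True
    matches = [(fam, True) for fam in profile["include"] if family_matches(fam, oid)]
    matches += [(fam, False) for fam in profile["exclude"] if family_matches(fam, oid)]
    if not matches:
        return False
    _, included = max(matches, key=lambda m: (m[0].count("."), m[0]))
    return included


def profile_for(config: dict, target: dict) -> Optional[dict]:
    """Follow the target's notify-filter-profile leafref, if present."""
    name = target.get("notify-filter-profile")
    if name is None:
        return None
    for profile in config["notify-filter-profile"]:
        if profile["name"] == name:
            return profile
    raise ValueError(f"target {target['name']!r}: unknown profile {name!r}")


def inform_timing(target: dict) -> tuple:
    """(timeout in seconds, retries) for a target receiving informs; the
    YANG defaults are 1500 units of 0.01 seconds and 3 retries."""
    return target.get("timeout", 1500) / 100, target.get("retries", 3)


def recipients(config: dict, notify_name: str, oid: str) -> Dict[str, str]:
    """Targets the named /snmp/notify entry selects by tag and whose filter
    profile admits 'oid', mapped to the notification type to send."""
    notify = next(n for n in config["notify"] if n["name"] == notify_name)
    chosen = {}
    for target in config["target"]:
        if notify["tag"] not in target.get("tag", []):
            continue                                # tag does not select it
        if not filter_allows(profile_for(config, target), oid):
            continue                                # filtered for this target
        chosen[target["name"]] = notify.get("type", "trap")
    return chosen


if __name__ == "__main__":
    for name in ("n-ops", "n-audit"):
        for oid in (LINK_UP, AUTH_FAILURE, ENTERPRISE_TRAP):
            print(f"{name:8s} {oid:24s} -> {recipients(CONFIG, name, oid)}")
```

The point to check against your own configurations is the asymmetry in filter_allows: a target without a profile receives everything its tag selects, whereas a target with a profile receives only what an include family covers, so adding an empty profile to a target silences it entirely.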
4.7.  Submodule 'ietf-snmp-proxy'

file "ietf-snmp-proxy.yang"

submodule ietf-snmp-proxy {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP proxies.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3413: Simple Network Management Protocol (SNMP)
     Applications";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
  revision 2013-11-05 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  feature proxy {
    description
      "A server implements this feature if it can act as an
       SNMP Proxy.";
  }

  augment /snmp:snmp {
    if-feature snmp:proxy;

    list proxy {
      key name;

      description
        "List of proxy parameters.";
      reference "SNMP-PROXY-MIB.snmpProxyTable";

      leaf name {
        type snmp:identifier;
        description
          "Identifies the proxy parameter entry.";
        reference "SNMP-PROXY-MIB.snmpProxyName";
      }
      leaf type {
        type enumeration {
          enum read;
          enum write;
          enum trap;
          enum inform;
        }
        mandatory true;
        reference "SNMP-PROXY-MIB.snmpProxyType";
      }
      leaf context-engine-id {
        type snmp:engine-id;
        mandatory true;
        reference "SNMP-PROXY-MIB.snmpProxyContextEngineID";
      }
      leaf context-name {
        type snmp:context-name;
        reference "SNMP-PROXY-MIB.snmpProxyContextName";
      }
      container params-in {
        choice params {
          mandatory true;
          description
            "This choice is augmented with case nodes containing
             security model specific configuration parameters.  Each
             such case represents one entry in the
             snmpTargetParamsTable.
             When the snmpProxyTargetParamsIn object contains a
             reference to a non-existing snmpTargetParamsEntry, this
             choice does not contain any case, and vice versa.";
        }
        reference "SNMP-PROXY-MIB.snmpProxyTargetParamsIn";
      }
      leaf single-target-out {
        when "../type = 'read' or ../type = 'write'";
        type snmp:identifier;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/name in
           a valid configuration.";
        reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut";
      }
      leaf multiple-target-out {
        when "../type = 'trap' or ../type = 'inform'";
        type snmp:identifier;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/tag in
           a valid configuration.";
        reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut";
      }

    }
  }
}

4.8.  Submodule 'ietf-snmp-community'

file "ietf-snmp-community.yang"

submodule ietf-snmp-community {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring community-based SNMP.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.
     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3584: Coexistence between Version 1, Version 2, and Version 3
     of the Internet-standard Network Management Framework";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2013-11-05 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    list community {
      key index;

      description
        "List of communities.";
      reference "SNMP-COMMUNITY-MIB.snmpCommunityTable";

      leaf index {
        type snmp:identifier;
        description
          "Index into the community list.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityIndex";
      }
      choice name {
        description
          "The community name, either specified as a string
           or as a binary.  The binary name is used when the
           community name contains characters that are not legal
           in a string.
           If not set, the value of 'security-name' is operationally
           used as the snmpCommunityName.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityName";
        leaf text-name {
          type string;
          description
            "A community name that can be represented as a
             YANG string.";
        }
        leaf binary-name {
          type binary;
          description
            "A community name represented as a binary value.";
        }
      }
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "The snmpCommunitySecurityName of this entry.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunitySecurityName";
      }
      leaf engine-id {
        if-feature snmp:proxy;
        type snmp:engine-id;
        description
          "If not set, the engine-id of the local SNMP engine is
           operationally used by the device.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityContextEngineID";
      }
      leaf context {
        type snmp:context-name;
        default "";
        description
          "The context in which management information is accessed
           when using the community string specified by this entry.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityContextName";
      }
      leaf target-tag {
        type snmp:identifier;
        description
          "Used to limit access for this community to the specified
           targets.

           Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/tag in
           a valid configuration.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityTransportTag";
      }

    }
  }

  grouping v1-target-params {
    container v1 {
      description
        "SNMPv1 parameters type.
         Represents snmpTargetParamsMPModel '0',
         snmpTargetParamsSecurityModel '1', and
         snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of
           /snmp/community/security-name in a valid configuration.";
        reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
    }
  }

  grouping v2c-target-params {
    container v2c {
      description
        "SNMPv2 community parameters type.
         Represents snmpTargetParamsMPModel '1',
         snmpTargetParamsSecurityModel '2', and
         snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of
           /snmp/community/security-name in a valid configuration.";
        reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
    }
  }

  augment /snmp:snmp/snmp:target/snmp:params {
    case v1 {
      uses v1-target-params;
    }
    case v2c {
      uses v2c-target-params;
    }

  }

  augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
    case v1 {
      uses v1-target-params;
    }
    case v2c {
      uses v2c-target-params;
    }
  }

  augment /snmp:snmp/snmp:target {
    when "snmp:v1 or snmp:v2c";
    leaf mms {
      type union {
        type enumeration {
          enum "unknown";
        }
        type int32 {
          range "484..max";
        }
      }
      default "484";
      reference
        "SNMP-COMMUNITY-MIB.snmpTargetAddrMMS";
    }
  }

}

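The community list above, combined with the target list's ip and prefix-length leaves (whose description notes they exist only for the Community-based Security Model to filter incoming messages), is where a v1/v2c community string is turned into a security-name and context and, via target-tag, restricted to permitted source addresses. The following Python is an added example written for this page, not code from the draft or from any SNMP implementation. It assumes a constructed configuration dict mirroring the YANG tree and reduces an incoming v1/v2c message to its community bytes and source address; the addresses are documentation ranges.

```python
"""Community-string processing for the ietf-snmp-community and
ietf-snmp-target submodules.  Added example, not code from the draft.
Assumptions: dict configuration mirroring the YANG tree; an incoming
message is (community bytes, source address string)."""
import ipaddress
from typing import List, Optional

# constructed configuration; addresses are from documentation ranges
CONFIG = {
    "target": [
        {"name": "mgmt-lan", "tag": ["ro-sources"],
         "udp": {"ip": "192.0.2.0", "port": 161, "prefix-length": 24}},
        {"name": "nms-v6", "tag": ["ro-sources"],
         "udp": {"ip": "2001:db8::5", "port": 161, "prefix-length": 128}},
    ],
    "community": [
        # accepted only from sources covered by targets tagged 'ro-sources'
        {"index": "ro", "text-name": "ops-readonly", "security-name": "ro-user",
         "context": "", "target-tag": "ro-sources"},
        # binary-name for a community with non-string bytes; no target-tag
        {"index": "bin", "binary-name": b"\x00legacy\xff", "security-name": "bin-user"},
        # neither text-name nor binary-name: security-name is used as the name
        {"index": "implicit", "security-name": "implicit-user", "context": "vrf-a"},
    ],
}


def prefix_length_problems(config: dict) -> List[str]:
    """Check the prefix-length description: at most 32 for an IPv4 ip, at
    most 128 for IPv6.  One message per offending target; empty is good."""
    problems = []
    for target in config["target"]:
        udp = target["udp"]
        plen = udp.get("prefix-length")
        if plen is None:
            continue
        limit = ipaddress.ip_address(udp["ip"]).max_prefixlen
        if not 0 <= plen <= limit:
            problems.append(f"{target['name']}: prefix-length {plen} > {limit} for {udp['ip']}")
    return problems


def community_name(entry: dict) -> bytes:
    """snmpCommunityName as the 'name' choice defines it: text-name, else
    binary-name, else the security-name is used operationally."""
    if "text-name" in entry:
        return entry["text-name"].encode("utf-8")
    if "binary-name" in entry:
        return entry["binary-name"]
    return entry["security-name"].encode("utf-8")


def source_allowed(config: dict, entry: dict, source: str) -> bool:
    """target-tag restricts the community to sources inside ip/prefix-length
    of some target carrying that tag; without target-tag any source passes."""
    tag = entry.get("target-tag")
    if tag is None:
        return True
    src = ipaddress.ip_address(source)
    for target in config["target"]:
        if tag not in target.get("tag", []):
            contin Continue = None  # placeholder never reached; see below
```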
4.9.  Submodule 'ietf-snmp-vacm'

file "ietf-snmp-vacm.yang"

submodule ietf-snmp-vacm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: David Kessens

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring the View-based Access Control Model (VACM)
     of SNMP.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3415: View-based Access Control Model (VACM) for the
     Simple Network Management Protocol (SNMP)";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
     revision 2013-11-05 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     typedef view-name {
       type snmp:identifier;
       description
         "The view-name type represents an SNMP VACM view name.";
     }

     typedef group-name {
       type snmp:identifier;
       description
         "The group-name type represents an SNMP VACM group name.";
     }

     augment /snmp:snmp {

       container vacm {
         description
           "Configuration of the View-based Access Control Model";

         list group {
           key name;
           description
             "VACM Groups.

              This data model has a different structure than the MIB.
              Groups are explicitly defined in this list, and group
              members are defined in the 'member' list (mapped to
              vacmSecurityToGroupTable), and access for the group is
              defined in the 'access' list (mapped to
              vacmAccessTable).";
           reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable
                      SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

           leaf name {
             type group-name;
             description
               "The name of this VACM group.";
             reference "SNMP-VIEW-BASED-ACM-MIB.vacmGroupName";
           }

           list member {
             key "security-name";
             min-elements 1;
             description
               "A member of this VACM group.  According to VACM, every
                group must have at least one member.

                A certain combination of security-name and
                security-model MUST NOT be present in more than
                one group.";
             reference
               "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable";

             leaf security-name {
               type snmp:security-name;
               description
                 "The securityName of a group member.";
               reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityName";
             }

             leaf-list security-model {
               type snmp:security-model;
               min-elements 1;
               description
                 "The security models under which this security-name
                  is a member of this group.";
               reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityModel";
             }
           }

           list access {
             key "context security-model security-level";
             description
               "Definition of access right for groups";
             reference "SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

             leaf context {
               type snmp:context-name;
               description
                 "The context (prefix) under which the access rights
                  apply.";
               reference
                 "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextPrefix";
             }

             leaf context-match {
               type enumeration {
                 enum exact;
                 enum prefix;
               }
               default exact;
               reference
                 "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextMatch";
             }
             leaf security-model {
               type snmp:security-model-or-any;
               description
                 "The security model under which the access rights
                  apply.";
               reference
                 "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityModel";
             }

             leaf security-level {
               type snmp:security-level;
               description
                 "The minimum security level under which the access
                  rights apply.";
               reference
                 "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityLevel";
             }

             leaf read-view {
               type view-name;
               description
                 "The name of the MIB view of the SNMP context
                  authorizing read access.  If this leaf does not
                  exist in a configuration, it maps to a zero-length
                  vacmAccessReadViewName.

                  Implementations MAY restrict the values of this
                  leaf to be one of the available values of
                  /snmp/vacm/view/name in a valid configuration.";
               reference
                 "SNMP-VIEW-BASED-ACM-MIB.vacmAccessReadViewName";
             }

             leaf write-view {
               type view-name;
               description
                 "The name of the MIB view of the SNMP context
                  authorizing write access.  If this leaf does not
                  exist in a configuration, it maps to a zero-length
                  vacmAccessWriteViewName.

                  Implementations MAY restrict the values of this
                  leaf to be one of the available values of
                  /snmp/vacm/view/name in a valid configuration.";
               reference
                 "SNMP-VIEW-BASED-ACM-MIB.vacmAccessWriteViewName";
             }
             leaf notify-view {
               type view-name;
               description
                 "The name of the MIB view of the SNMP context
                  authorizing notify access.  If this leaf does not
                  exist in a configuration, it maps to a zero-length
                  vacmAccessNotifyViewName.

                  Implementations MAY restrict the values of this
                  leaf to be one of the available values of
                  /snmp/vacm/view/name in a valid configuration.";
               reference
                 "SNMP-VIEW-BASED-ACM-MIB.vacmAccessNotifyViewName";
             }
           }
         }

         list view {
           key name;
           description
             "Definition of MIB views.";
           reference
             "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyTable";

           leaf name {
             type view-name;
             description
               "The name of this VACM MIB view.";
             reference
               "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyName";
           }

           leaf-list include {
             type snmp:wildcard-object-identifier;
             description
               "A family of subtrees included in this MIB view.";
             reference
               "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
                SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
                SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
           }

           leaf-list exclude {
             type snmp:wildcard-object-identifier;
             description
               "A family of subtrees excluded from this MIB
                view.";
             reference
               "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
                SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
                SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
           }
         }
       }
     }
   }

4.10. Submodule 'ietf-snmp-usm'

   This YANG submodule imports YANG extensions from [RFC6536].

   file "ietf-snmp-usm.yang"

   submodule ietf-snmp-usm {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     import ietf-yang-types {
       prefix yang;
     }
     import ietf-netconf-acm {
       prefix nacm;
     }

     include ietf-snmp-common;
     include ietf-snmp-target;
     include ietf-snmp-proxy;

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor:   Martin Bjorklund

        Editor:   Juergen Schoenwaelder
       ";

     description
       "This submodule contains a collection of YANG definitions for
        configuring the User-based Security Model (USM) of SNMP.

        Copyright (c) 2013 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC3414: User-based Security Model (USM) for version 3 of the
                 Simple Network Management Protocol (SNMPv3).";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
     revision 2013-11-05 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     grouping key {
       leaf key {
         type yang:hex-string;
         mandatory true;
         nacm:default-deny-all;
         description
           "Localized key specified as a list of colon-separated
            hexadecimal octets";
       }
     }
     grouping user-list {
       list user {
         key "name";

         reference "SNMP-USER-BASED-SM-MIB.usmUserTable";

         leaf name {
           type snmp:identifier;
           reference "SNMP-USER-BASED-SM-MIB.usmUserName";
         }
         container auth {
           presence "enables authentication";
           description
             "Enables authentication of the user";
           choice protocol {
             mandatory true;
             reference "SNMP-USER-BASED-SM-MIB.usmUserAuthProtocol";
             container md5 {
               uses key;
               reference
                 "SNMP-USER-BASED-SM-MIB.usmHMACMD5AuthProtocol";
             }
             container sha {
               uses key;
               reference
                 "SNMP-USER-BASED-SM-MIB.usmHMACSHAAuthProtocol";
             }
           }
         }
         container priv {
           must "../auth" {
             error-message
               "when privacy is used, authentication must also be used";
           }
           presence "enables encryption";
           description
             "Enables encryption of SNMP messages.";

           choice protocol {
             mandatory true;
             reference "SNMP-USER-BASED-SM-MIB.usmUserPrivProtocol";
             container des {
               uses key;
               reference "SNMP-USER-BASED-SM-MIB.usmDESPrivProtocol";
             }
             container aes {
               uses key;
               reference "SNMP-USM-AES-MIB.usmAesCfb128Protocol";
             }
           }
         }
       }
     }

     augment /snmp:snmp {

       container usm {
         description
           "Configuration of the User-based Security Model";
         container local {
           uses user-list;
         }

         list remote {
           key "engine-id";

           leaf engine-id {
             type snmp:engine-id;
             reference "SNMP-USER-BASED-SM-MIB.usmUserEngineID";
           }

           uses user-list;
         }
       }
     }

     grouping usm-target-params {
       container usm {
         description
           "User based SNMPv3 parameters type.

            Represents snmpTargetParamsMPModel '3' and
            snmpTargetParamsSecurityModel '3'";
         leaf user-name {
           type snmp:security-name;
           mandatory true;
           reference
             "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
         }
         leaf security-level {
           type snmp:security-level;
           mandatory true;
           reference
             "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
         }
       }
     }

     augment /snmp:snmp/snmp:target/snmp:params {
       case usm {
         uses usm-target-params;
       }
     }

     augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
       case usm {
         uses usm-target-params;
       }
     }

   }

4.11. Submodule 'ietf-snmp-tsm'

   file "ietf-snmp-tsm.yang"

   submodule ietf-snmp-tsm {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     include ietf-snmp-common;
     include ietf-snmp-target;
     include ietf-snmp-proxy;

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor:   Martin Bjorklund

        Editor:   Juergen Schoenwaelder
       ";

     description
       "This submodule contains a collection of YANG definitions for
        configuring the Transport Security Model (TSM) of SNMP.

        Copyright (c) 2013 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC5591: Transport Security Model for the
                 Simple Network Management Protocol (SNMP)";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.

     revision 2013-11-05 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     feature tsm {
       description
         "A server implements this feature if it supports the
          Transport Security Model for SNMP.";
       reference
         "RFC5591: Transport Security Model for the
                   Simple Network Management Protocol (SNMP)";
     }

     augment /snmp:snmp {
       if-feature tsm;
       container tsm {
         description
           "Configuration of the Transport-based Security Model";

         leaf use-prefix {
           type boolean;
           default false;
           reference
             "SNMP-TSM-MIB.snmpTsmConfigurationUsePrefix";
         }
       }
     }

     grouping tsm-target-params {
       container tsm {
         description
           "Transport based security SNMPv3 parameters type.

            Represents snmpTargetParamsMPModel '3' and
            snmpTargetParamsSecurityModel '4'";
         leaf security-name {
           type snmp:security-name;
           mandatory true;
           reference
             "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
         }
         leaf security-level {
           type snmp:security-level;
           mandatory true;
           reference
             "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
         }
       }
     }

     augment /snmp:snmp/snmp:target/snmp:params {
       if-feature tsm;
       case tsm {
         uses tsm-target-params;
       }
     }

     augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
       if-feature tsm;
       case tsm {
         uses tsm-target-params;
       }
     }

   }

4.12. Submodule 'ietf-snmp-tls'

   file "ietf-snmp-tls.yang"

   submodule ietf-snmp-tls {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     import ietf-inet-types {
       prefix inet;
     }
     import ietf-x509-cert-to-name {
       prefix x509c2n;
     }

     include ietf-snmp-common;
     include ietf-snmp-engine;
     include ietf-snmp-target;

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor:   Martin Bjorklund

        Editor:   Juergen Schoenwaelder
       ";

     description
       "This submodule contains a collection of YANG definitions for
        configuring the Transport Layer Security Transport Model (TLSTM)
        of SNMP.

        Copyright (c) 2013 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC6353: Transport Layer Security (TLS) Transport Model for
                 the Simple Network Management Protocol (SNMP)";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.

     revision 2013-11-05 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     feature tlstm {
       description
         "A server implements this feature if it supports the
          Transport Layer Security Transport Model for SNMP.";
       reference
         "RFC6353: Transport Layer Security (TLS) Transport Model for
                   the Simple Network Management Protocol (SNMP)";
     }

     augment /snmp:snmp/snmp:engine/snmp:listen {
       if-feature tlstm;
       list tls {
         key "ip port";
         description
           "A list of IPv4 and IPv6 addresses and ports to which the
            engine listens for SNMP messages over TLS.";

         leaf ip {
           type inet:ip-address;
           description
             "The IPv4 or IPv6 address on which the engine listens
              for SNMP messages over TLS.";
         }
         leaf port {
           type inet:port-number;
           description
             "The TCP port on which the engine listens for SNMP
              messages over TLS.";
         }
       }
       list dtls {
         key "ip port";
         description
           "A list of IPv4 and IPv6 addresses and ports to which the
            engine listens for SNMP messages over DTLS.";

         leaf ip {
           type inet:ip-address;
           description
             "The IPv4 or IPv6 address on which the engine listens
              for SNMP messages over DTLS.";
         }
         leaf port {
           type inet:port-number;
           description
             "The UDP port on which the engine listens for SNMP messages
              over DTLS.";
         }
       }
     }

     augment /snmp:snmp {
       if-feature tlstm;
       container tlstm {
         uses x509c2n:cert-to-name {
           description
             "Defines how certificates are mapped to names.  The
              resulting name is used as a security name.";
           refine cert-to-name/map-type {
             description
               "Mappings that use the snmpTlstmCertToTSNData column
                need to augment the 'cert-to-name' list
                with additional configuration objects corresponding
                to the snmpTlstmCertToTSNData value.  Such objects
                should use the 'when' statement to make them
                conditional based on the 'map-type'.";
           }
         }
       }
     }

     grouping tls-transport {
       leaf ip {
         type inet:host;
         mandatory true;
         reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                    SNMP-TLS-TM-MIB.SnmpTLSAddress";
       }
       leaf port {
         type inet:port-number;
         default 10161;
         reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                    SNMP-TLS-TM-MIB.SnmpTLSAddress";
       }
       leaf client-fingerprint {
         type x509c2n:tls-fingerprint;
         reference "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint";
       }
       leaf server-fingerprint {
         type x509c2n:tls-fingerprint;
         reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint";
       }
       leaf server-identity {
         type snmp:admin-string;
         reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity";
       }
     }

     augment /snmp:snmp/snmp:target/snmp:transport {
       if-feature tlstm;
       case tls {
         reference "SNMP-TLS-TM-MIB.snmpTLSTCPDomain";
         container tls {
           uses tls-transport;
         }
       }
     }

     augment /snmp:snmp/snmp:target/snmp:transport {
       if-feature tlstm;
       case dtls {
         reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain";
         container dtls {
           uses tls-transport;
         }
       }
     }
   }

4.13. Submodule 'ietf-snmp-ssh'

   file "ietf-snmp-ssh.yang"

   submodule ietf-snmp-ssh {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     import ietf-inet-types {
       prefix inet;
     }

     include ietf-snmp-common;
     include ietf-snmp-engine;
     include ietf-snmp-target;

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor:   Martin Bjorklund

        Editor:   Juergen Schoenwaelder
       ";

     description
       "This submodule contains a collection of YANG definitions for
        configuring the Secure Shell Transport Model (SSHTM)
        of SNMP.

        Copyright (c) 2013 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC5592: Secure Shell Transport Model for the
                 Simple Network Management Protocol (SNMP)";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.

     revision 2013-11-05 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     feature sshtm {
       description
         "A server implements this feature if it supports the
          Secure Shell Transport Model for SNMP.";
       reference
         "RFC5592: Secure Shell Transport Model for the
                   Simple Network Management Protocol (SNMP)";
     }

     augment /snmp:snmp/snmp:engine/snmp:listen {
       if-feature sshtm;
       list ssh {
         key "ip port";
         description
           "A list of IPv4 and IPv6 addresses and ports to which the
            engine listens for SNMP messages over SSH.";

         leaf ip {
           type inet:ip-address;
           description
             "The IPv4 or IPv6 address on which the engine listens
              for SNMP messages over SSH.";
         }
         leaf port {
           type inet:port-number;
           description
             "The TCP port on which the engine listens for SNMP
              messages over SSH.";
         }
       }
     }

     augment /snmp:snmp/snmp:target/snmp:transport {
       if-feature sshtm;
       case ssh {
         reference "SNMP-SSH-TM-MIB.snmpSSHDomain";
         container ssh {
           leaf ip {
             type inet:host;
             mandatory true;
             reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                        SNMP-SSH-TM-MIB.SnmpSSHAddress";
           }
           leaf port {
             type inet:port-number;
             default 5161;
             reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                        SNMP-SSH-TM-MIB.SnmpSSHAddress";
           }
           leaf username {
             type string;
             reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                        SNMP-SSH-TM-MIB.SnmpSSHAddress";
           }
         }
       }
     }
   }

5. IANA Considerations

   This document registers a URI in the IETF XML registry [RFC3688].
   Following the format in RFC 3688, the following registration is
   requested to be made.

        URI: urn:ietf:params:xml:ns:yang:ietf-snmp

        Registrant Contact: The NETMOD WG of the IETF.

        XML: N/A, the requested URI is an XML namespace.
   This document registers the following YANG modules in the YANG Module
   Names registry [RFC6020].

        name:         ietf-snmp
        namespace:    urn:ietf:params:xml:ns:yang:ietf-snmp
        prefix:       snmp
        reference:    RFC XXXX

        name:         ietf-x509-cert-to-name
        namespace:    urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name
        prefix:       x509c2n
        reference:    RFC XXXX

   The document registers the following YANG submodules in the YANG
   Module Names registry [RFC6020].

        name:         ietf-snmp-common
        parent:       ietf-snmp
        reference:    RFC XXXX

        name:         ietf-snmp-engine
        parent:       ietf-snmp
        reference:    RFC XXXX

        name:         ietf-snmp-community
        parent:       ietf-snmp
        reference:    RFC XXXX

        name:         ietf-snmp-notification
        parent:       ietf-snmp
        reference:    RFC XXXX

        name:         ietf-snmp-target
        parent:       ietf-snmp
        reference:    RFC XXXX

        name:         ietf-snmp-vacm
        parent:       ietf-snmp
        reference:    RFC XXXX

        name:         ietf-snmp-usm
        parent:       ietf-snmp
        reference:    RFC XXXX

        name:         ietf-snmp-tsm
        parent:       ietf-snmp
        reference:    RFC XXXX

        name:         ietf-snmp-tls
        parent:       ietf-snmp
        reference:    RFC XXXX

        name:         ietf-snmp-ssh
        parent:       ietf-snmp
        reference:    RFC XXXX

6. Security Considerations

   The YANG module and submodules defined in this memo are designed to
   be accessed via the NETCONF protocol [RFC6241].  The lowest NETCONF
   layer is the secure transport layer and the mandatory-to-implement
   secure transport is SSH [RFC6242].

   There are a number of data nodes defined in the YANG module and
   submodules which are writable/creatable/deletable (i.e., config true,
   which is the default).  These data nodes may be considered sensitive
   or vulnerable in some network environments.  Write operations (e.g.,
   edit-config) to these data nodes without proper protection can have a
   negative effect on network operations.
   These are the subtrees and data nodes and their
   sensitivity/vulnerability:

   o  The /snmp/engine subtree contains the configuration of general
      parameters of an SNMP engine such as the endpoints to listen on,
      the transports and SNMP versions enabled, or the engine's
      identity.  Write access to this subtree should only be granted to
      entities configuring general SNMP engine parameters.

   o  The /snmp/target subtree contains the configuration of SNMP
      targets and in particular which transports to use and their
      security parameters.  Write access to this subtree should only be
      granted to the security administrator and entities configuring
      SNMP notification forwarding behavior.

   o  The /snmp/notify and /snmp/notify-filter-profile subtrees contain
      the configuration for the SNMP notification forwarding and
      filtering mechanisms.  Write access to these subtrees should only
      be granted to entities configuring SNMP notification forwarding
      behavior.

   o  The /snmp/proxy subtree contains the configuration for SNMP
      proxies.  Write access to this subtree should only be granted to
      entities configuring SNMP proxies.

   o  The /snmp/community subtree contains the configuration of the
      community-based security model.  Write access to this subtree
      should only be granted to the security administrator.

   o  The /snmp/usm subtree contains the configuration of the user-based
      security model.  Write access to this subtree should only be
      granted to the security administrator.

   o  The /snmp/tsm subtree contains the configuration of the transport
      layer security model for SNMP.  Write access to this subtree
      should only be granted to the security administrator.

   o  The /snmp/tlstm subtree contains the configuration of the SNMP
      transport over (D)TLS and in particular the configuration of how
      certificates are mapped to SNMP security names.
      Write access to
      this subtree should only be granted to the security administrator.

   o  The /snmp/vacm subtree contains the configuration of the view-
      based access control mechanism used by SNMP to authorize access to
      management information via SNMP.  Write access to this subtree
      should only be granted to the security administrator.

   Some of the readable data nodes in the YANG module and submodules may
   be considered sensitive or vulnerable in some network environments.
   It is thus important to control read access (e.g., via get, get-
   config, or notification) to these data nodes.  These are the subtrees
   and data nodes and their sensitivity/vulnerability:

   o  The /snmp/engine subtree exposes general information about an SNMP
      engine such as which version(s) of SNMP are enabled or which
      transports are enabled.

   o  The /snmp/target subtree exposes information about which
      transports are used to reach certain SNMP targets and which
      transport-specific parameters are used.

   o  The /snmp/notify and /snmp/notify-filter-profile subtrees expose
      information about how notifications are filtered and forwarded to
      notification targets.

   o  The /snmp/proxy subtree exposes information about proxy
      relationships.

   o  The /snmp/community, /snmp/usm, /snmp/tsm, /snmp/tlstm, and
      /snmp/vacm subtrees are specifically sensitive since they expose
      information about the authentication and authorization policy used
      by an SNMP engine.

7. Acknowledgments

   The authors want to thank Wes Hardaker and David Spakes for their
   reviews and valuable comments.

   Juergen Schoenwaelder was partly funded by Flamingo, a Network of
   Excellence project (ICT-318488) supported by the European Commission
   under its Seventh Framework Programme.

8. References

8.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6241]  Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
              Bierman, "Network Configuration Protocol (NETCONF)",
              RFC 6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              March 2012.

   [RFC6991]  Schoenwaelder, J., "Common YANG Data Types", RFC 6991,
              July 2013.

8.2. Informative References

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412,
              December 2002.

   [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62,
              RFC 3413, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415,
              December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC3584]  Frye, R., Levi, D., Routhier, S., and B.
Wijnen, 3241 "Coexistence between Version 1, Version 2, and Version 3 3242 of the Internet-standard Network Management Framework", 3243 BCP 74, RFC 3584, August 2003. 3245 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 3246 January 2004. 3248 [RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model 3249 for the Simple Network Management Protocol (SNMP)", 3250 RFC 5591, June 2009. 3252 [RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure 3253 Shell Transport Model for the Simple Network Management 3254 Protocol (SNMP)", RFC 5592, June 2009. 3256 [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport 3257 Model for the Simple Network Management Protocol (SNMP)", 3258 RFC 6353, July 2011. 3260 Appendix A. Example configurations 3262 A.1. Engine Configuration Example 3264 Below is an XML instance document showing a configuration of an SNMP 3265 engine listening on UDP port 161 on IPv4 and IPv6 endpoints and 3266 accepting SNMPv2c and SNMPv3 messages. 3268 3269 3270 true 3271 3272 3273 0.0.0.0 3274 161 3275 3276 3277 :: 3278 161 3279 3280 3281 3282 3283 3284 3285 80:00:02:b8:04:61:62:63 3286 3287 3289 A.2. Community Configuration Example 3291 Below is an XML instance document showing a configuration that maps 3292 the community name "public" to the security-name "community-public" 3293 on the local engine with the default context name. The target tag 3294 "community-public-access" filters the access to this community name. 3296 3297 3298 1 3299 public 3300 community-public 3301 community-public-access 3302 3303 3304 bluebox 3305 3306 2001:db8::abcd 3307 161 3308 3309 blue 3310 3311 community-public 3312 3313 3314 3316 A.3. User-based Security Model Configuration Example 3318 Below is an XML instance document showing the configuration of a 3319 local user "joey" who has no authentication or privacy keys. For the 3320 remote SNMP engine identified by the snmpEngineID 3321 '800002b804616263'H, two users are configure. 
The user "matt" has a 3322 localized SHA authentication key and the user "russ" has a localized 3323 SHA authentication key and an AES encryption key. 3325 3326 3327 3328 3329 joey 3330 3331 3332 3333 00:00:00:00:00:00:00:00:00:00:00:02 3334 3335 matt 3336 3337 3338 3342 66:95:fe:bc:92:88:e3:62:82:23: 3343 5f:c7:15:1f:12:84:97:b3:8f:3f 3345 3346 3347 3348 3349 russ 3350 3351 3352 3356 66:95:fe:bc:92:88:e3:62:82:23: 3357 5f:c7:15:1f:12:84:97:b3:8f:3f 3358 3359 3360 3361 3362 3366 66:95:fe:bc:92:88:e3:62:82:23: 3367 5f:c7:15:1f:12:84 3368 3369 3370 3371 3372 3373 3374 bluebox 3375 3376 2001:db8::abcd 3377 161 3378 3379 blue 3380 3381 matt 3382 auth-no-priv 3383 3384 3385 3387 A.4. Target and Notification Configuration Example 3389 Below is an XML instance document showing the configuration of a 3390 notification generator application (see Appendix A of [RFC3413]). 3391 Note that the USM specific objects are defined in the ietf-snmp- 3392 usm.yang submodule. 3394 3395 3396 addr1 3397 3398 192.0.2.3 3399 162 3400 3401 group1 3402 3403 joe 3404 auth-no-priv 3405 3406 3407 3408 addr2 3409 3410 192.0.2.6 3411 162 3412 3413 group1 3414 3415 joe 3416 auth-no-priv 3417 3418 3419 3420 addr3 3421 3422 192.0.2.9 3423 162 3424 3425 group2 3426 3427 bob 3428 auth-priv 3429 3430 3431 3432 group1 3433 group1 3434 trap 3435 3436 3437 group2 3438 group2 3439 trap 3440 3441 3443 A.5. Proxy Configuration Example 3445 Below is an XML instance document showing the configuration of a 3446 proxy forwarder application. It proxies SNMPv2c messages from 3447 command generators to a file server running a SNMPv1 agent that 3448 recognizes two community strings, "private" and "public", with 3449 different associated read views. The fileserver is represented as 3450 two "target" instances, one for each community string. 
If the proxy receives an SNMPv2c message with the community string "public" from a device in the "Office Network" or "Home Office Network", it gets tagged as "trusted", and the proxy uses the "private" community string when sending the message to the file server.  Other SNMPv2c messages with the community string "public" get tagged as "non-trusted", and the proxy uses the "public" community string for these messages.  There is also a special "backdoor" community string that can be used from any location to get "trusted" access.

The "Office Network" and "Home Office Network" are represented as two "target" instances.

   File Server (private)
   192.0.2.1
   private

   File Server (public)
   192.0.2.1
   public

   Office Network
   192.0.2.0
   24
   office

   Home Office Network
   203.0.113.0
   24
   home-office

   c1
   public
   80:00:61:81:c8
   trusted
   office

   c2
   public
   80:00:61:81:c8
   trusted
   home-office

   c3
   public
   80:00:61:81:c8
   not-trusted

   c4
   backdoor
   public
   80:00:61:81:c8
   trusted

   c5
   private
   80:00:61:81:c8
   trusted

   p1
   read
   80:00:61:81:c8
   trusted
   public
   File Server (private)

   p2
   read
   80:00:61:81:c8
   not-trusted
   public
   File Server (public)

If an SNMPv2c Get request with community string "public" is received from an IP address tagged as "office" or "home-office", or if the request is received from anywhere else with community string "backdoor", the implied context is "trusted" and so proxy entry "p1" matches.
The request is forwarded to the file server as SNMPv1 with community "private" using community table entry "c5" for outbound params lookup.

If an SNMPv2c Get request with community string "public" is received from any other IP address, the implied context is "not-trusted" so proxy entry "p2" matches, and the request is forwarded to the file server as SNMPv1 with community "public".

A.6.  View-based Access Control Model Configuration Example

Below is an XML instance document showing the minimum-secure VACM configuration (see Appendix A of [RFC3415]).

   initial
   initial
   usm

   usm
   no-auth-no-priv
   restricted
   restricted

   usm
   auth-no-priv
   internet
   internet
   internet

   initial
   1.3.6.1

   restricted
   1.3.6.1

The following XML instance document shows the semi-secure VACM configuration (only the view configuration is different).

   initial
   initial
   usm

   usm
   no-auth-no-priv
   restricted
   restricted

   usm
   auth-no-priv
   internet
   internet
   internet

   initial
   1.3.6.1

   restricted
   1.3.6.1.2.1.1
   1.3.6.1.2.1.11
   1.3.6.1.6.3.10.2.1
   1.3.6.1.6.3.11.2.1
   1.3.6.1.6.3.15.1.1

A.7.  Transport Layer Security Transport Model Configuration Example

Below is an XML instance document showing the configuration of the certificate to security name mapping (see Appendix A.2 and A.3 of [RFC6353]).
   1
   11:0A:05:11:00
   x509c2n:san-any

   2
   11:0A:05:11:00
   x509c2n:specified
   Joe Cool

Authors' Addresses

   Martin Bjorklund
   Tail-f Systems

   Email: mbj@tail-f.com

   Juergen Schoenwaelder
   Jacobs University

   Email: j.schoenwaelder@jacobs-university.de
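The proxy lookup described in Appendix A.5 (source address tagging, community-table match, proxy-entry match), as an added Python model that is not part of this draft or of any SNMP implementation. It takes its table values from A.5; the dictionary layout and field names are this example's own assumptions, and it simplifies the outbound step by attaching the file server's community string directly to each proxy entry instead of going through entry "c5".

```python
# Added example, not part of draft-ietf-netmod-snmp-cfg-03: a small model of
# the A.5 proxy forwarder lookup.  Values are copied from A.5; the data
# layout and lookup order below are this example's own assumptions.
import ipaddress

# Constructed from A.5: address ranges the proxy recognises, keyed by target tag.
TARGETS = {
    "office":      ("192.0.2.0/24",),
    "home-office": ("203.0.113.0/24",),
}

# Constructed from A.5: inbound community table (index, community, context, tag).
# A tag restricts the entry to sources inside the tagged network; None means
# any source.  Note that c4 grants the "trusted" context from any address, so
# its strength rests entirely on the secrecy of that community string.
COMMUNITIES = [
    ("c1", "public",   "trusted",     "office"),
    ("c2", "public",   "trusted",     "home-office"),
    ("c3", "public",   "not-trusted", None),
    ("c4", "backdoor", "trusted",     None),
]

# Constructed from A.5: proxy entries (name, context, outbound v1 community).
PROXIES = [
    ("p1", "trusted",     "private"),   # forwards to "File Server (private)"
    ("p2", "not-trusted", "public"),    # forwards to "File Server (public)"
]


def source_tags(src_ip):
    """Return the set of target tags whose address range contains src_ip."""
    ip = ipaddress.ip_address(src_ip)
    return {tag for tag, nets in TARGETS.items()
            if any(ip in ipaddress.ip_network(n) for n in nets)}


def implied_context(src_ip, community):
    """First community-table entry matching the inbound message, in table order."""
    tags = source_tags(src_ip)
    for index, name, context, tag in COMMUNITIES:
        if name == community and (tag is None or tag in tags):
            return index, context
    return None


def forward(src_ip, community):
    """Map an inbound SNMPv2c request to (community index, proxy entry,
    outbound community), or None when no entry accepts it (request dropped)."""
    hit = implied_context(src_ip, community)
    if hit is None:
        return None
    index, context = hit
    for proxy, ctx, outbound in PROXIES:
        if ctx == context:
            return index, proxy, outbound
    return None
```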