Network Working Group                                       M. Bjorklund
Internet-Draft                                            Tail-f Systems
Intended status: Standards Track                        J. Schoenwaelder
Expires: January 24, 2015                              Jacobs University
                                                           July 23, 2014

               A YANG Data Model for SNMP Configuration
                     draft-ietf-netmod-snmp-cfg-06

Abstract

   This document defines a collection of YANG definitions for configuring SNMP engines.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 24, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Data Model
     2.1.  Tree Diagrams
     2.2.  General Considerations
     2.3.  Common Definitions
     2.4.  Engine Configuration
     2.5.  Target Configuration
     2.6.  Notification Configuration
     2.7.  Proxy Configuration
     2.8.  Community Configuration
     2.9.  View-based Access Control Model Configuration
     2.10. User-based Security Model Configuration
     2.11. Transport Security Model Configuration
     2.12. Transport Layer Security Transport Model Configuration
     2.13. Secure Shell Transport Model Configuration
   3.  Implementation Guidelines
     3.1.  Supporting read-only SNMP Access
     3.2.  Supporting read-write SNMP access
   4.  Definitions
     4.1.  Module 'ietf-x509-cert-to-name'
     4.2.  Module 'ietf-snmp'
     4.3.  Submodule 'ietf-snmp-common'
     4.4.  Submodule 'ietf-snmp-engine'
     4.5.  Submodule 'ietf-snmp-target'
     4.6.  Submodule 'ietf-snmp-notification'
     4.7.  Submodule 'ietf-snmp-proxy'
     4.8.  Submodule 'ietf-snmp-community'
     4.9.  Submodule 'ietf-snmp-vacm'
     4.10. Submodule 'ietf-snmp-usm'
     4.11. Submodule 'ietf-snmp-tsm'
     4.12. Submodule 'ietf-snmp-tls'
     4.13. Submodule 'ietf-snmp-ssh'
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Example configurations
     A.1.  Engine Configuration Example
     A.2.  Community Configuration Example
     A.3.  User-based Security Model Configuration Example
     A.4.  Target and Notification Configuration Example
     A.5.  Proxy Configuration Example
     A.6.  View-based Access Control Model Configuration Example
     A.7.  Transport Layer Security Transport Model Configuration Example
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020] data model for the configuration of SNMP engines.  The configuration model is consistent with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413], [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591], [RFC5592], and [RFC6353] but takes advantage of YANG's ability to define hierarchical configuration data models.

   The configuration data model in particular has been designed for SNMP deployments where SNMP runs in read-only mode and NETCONF is used to configure the SNMP agent.  Nevertheless, the data model allows implementations that support write access both via SNMP and NETCONF in order to interwork with SNMP-based management applications that manipulate SNMP agent configuration using SNMP.  Further details can be found in Section 3.
   The YANG data model focuses on configuration.  Operational state objects are not explicitly modeled.  The operational state of an SNMP agent can either be accessed directly via SNMP or, alternatively, via NETCONF using the read-only translation of the relevant SNMP MIB modules into YANG modules [RFC6643].

   This document also defines a YANG data model for mapping an X.509 certificate to a name.

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, [RFC2119].

2.  Data Model

   In order to preserve the modularity of SNMP, the YANG configuration data model is organized in a set of YANG submodules, all sharing the same module namespace.  This makes it possible to add configuration support for additional SNMP features while keeping the number of namespaces that have to be dealt with to a minimum.

2.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in this document.  The meaning of the symbols in these diagrams is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!" means a presence container, and "*" denotes a list or leaf-list.

   o  Parentheses enclose choice and case nodes, and case nodes are also marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not shown.

2.2.  General Considerations

   Most YANG nodes are mapped 1-1 to the corresponding MIB object.  The "reference" statement is used to indicate which corresponding MIB object the YANG node is mapped to.  When there is not a simple 1-1 mapping, the "description" statement explains the mapping.
   The persistency models in SNMP and NETCONF are quite different.  In NETCONF, the persistency is defined by the datastore, whereas in SNMP it is defined either explicitly in the data model, or on a row-by-row basis by using the TEXTUAL-CONVENTION "StorageType".  Thus, in the YANG model defined here, the "StorageType" columns are not present.  For implementation guidelines, see Section 3.

   In SNMP, row creation and deletion are controlled by using the TEXTUAL-CONVENTION "RowStatus".  In NETCONF, creation and deletion are handled by the protocol, not in the data model.  Thus, in the YANG model defined here, the "RowStatus" columns are not present.

2.3.  Common Definitions

   The submodule "ietf-snmp-common" defines a set of common typedefs and the top-level container "snmp".  All configuration parameters defined in the other submodules are organized under this top-level container.

2.4.  Engine Configuration

   The submodule "ietf-snmp-engine", which defines configuration parameters that are specific to SNMP engines, has the following structure:

   +--rw snmp
      +--rw engine
         +--rw enabled?               boolean
         +--rw listen* [name]
         |  +--rw name                snmp:identifier
         |  +--rw (transport)
         |     +--:(udp)
         |        +--rw udp
         |           +--rw ip         inet:ip-address
         |           +--rw port?      inet:port-number
         +--rw version
         |  +--rw v1?                 empty
         |  +--rw v2c?                empty
         |  +--rw v3?                 empty
         +--rw engine-id?             snmp:engine-id
         +--rw enable-authen-traps?   boolean

   The leaf "/snmp/engine/enabled" can be used to enable/disable an SNMP engine.

   The list "/snmp/engine/listen" provides configuration of the transport endpoints the engine is listening to.  In this submodule, SNMP over UDP is defined.  SSH, TLS and Datagram Transport Layer Security (DTLS) are also supported, defined in "ietf-snmp-ssh" (Section 2.13) and "ietf-snmp-tls" (Section 2.12), respectively.  The "transport" choice is expected to be augmented for other transports.

   The "/snmp/engine/version" container can be used to enable/disable the different message processing models [RFC3411].

2.5.  Target Configuration

   The submodule "ietf-snmp-target", which defines configuration parameters that correspond to the objects in SNMP-TARGET-MIB, has the following structure:

   +--rw snmp
      +--rw target* [name]
      |  +--rw name                 snmp:identifier
      |  +--rw (transport)
      |  |  +--:(udp)
      |  |     +--rw udp
      |  |        +--rw ip              inet:ip-address
      |  |        +--rw port?           inet:port-number
      |  |        +--rw prefix-length?  uint8
      |  +--rw tag*                 snmp:identifier
      |  +--rw timeout?             uint32
      |  +--rw retries?             uint8
      |  +--rw target-params        snmp:identifier
      +--rw target-params* [name]
         +--rw name                 snmp:identifier
         +--rw (params)?

   An entry in the list "/snmp/target" corresponds to an "snmpTargetAddrEntry".

   The "snmpTargetAddrTDomain" and "snmpTargetAddrTAddress" objects are mapped to transport-specific YANG nodes.  Each transport is configured as a separate case in the "transport" choice.  In this submodule, SNMP over UDP is defined.  TLS and DTLS are also supported, defined in "ietf-snmp-tls" (Section 2.12).  The "transport" choice is expected to be augmented for other transports.

   An entry in the list "/snmp/target-params" corresponds to an "snmpTargetParamsEntry".  This list contains a choice "params", which is augmented by security model specific submodules, currently "ietf-snmp-community" (Section 2.8), "ietf-snmp-usm" (Section 2.10), and "ietf-snmp-tls" (Section 2.12).

2.6.  Notification Configuration

   The submodule "ietf-snmp-notification", which defines configuration parameters that correspond to the objects in SNMP-NOTIFICATION-MIB, has the following structure:

   +--rw snmp
      +--rw notify* [name]
      |  +--rw name    snmp:identifier
      |  +--rw tag     snmp:identifier
      |  +--rw type?   enumeration
      +--rw notify-filter-profile* [name]
         +--rw name       snmp:identifier
         +--rw include*   snmp:wildcard-object-identifier
         +--rw exclude*   snmp:wildcard-object-identifier

   It also augments the "target-params" list defined in the "ietf-snmp-target" submodule (Section 2.5) with one leaf:

   +--rw snmp
      +--rw target-params* [name]
         ...
         +--rw notify-filter-profile?   leafref

   An entry in the list "/snmp/notify" corresponds to an "snmpNotifyEntry".

   An entry in the list "/snmp/notify-filter-profile" corresponds to an "snmpNotifyFilterProfileEntry".  In the MIB, there is a sparse relationship between "snmpTargetParamsTable" and "snmpNotifyFilterProfileTable".  In the YANG model, this sparse relationship is represented with a leafref leaf "notify-filter-profile" in the "/snmp/target-params" list, which refers to an entry in the "/snmp/notify-filter-profile" list.

   The "snmpNotifyFilterTable" is represented as a list "filter" within the "/snmp/notify-filter-profile" list.

   This submodule defines the feature "notification-filter".  A server implements this feature if it supports SNMP notification filtering [RFC3413].

2.7.  Proxy Configuration

   The submodule "ietf-snmp-proxy", which defines configuration parameters that correspond to the objects in SNMP-PROXY-MIB, has the following structure:

   +--rw snmp
      +--rw proxy* [name]
         +--rw name                   snmp:identifier
         +--rw type                   enumeration
         +--rw context-engine-id      snmp:engine-id
         +--rw context-name?          snmp:context-name
         +--rw target-params-in?      snmp:identifier
         +--rw single-target-out?     snmp:identifier
         +--rw multiple-target-out?   snmp:identifier

   An entry in the list "/snmp/proxy" corresponds to an "snmpProxyEntry".

   This submodule defines the feature "proxy".  A server implements this feature if it can act as an SNMP Proxy [RFC3413].

2.8.  Community Configuration

   The submodule "ietf-snmp-community", which defines configuration parameters that correspond to the objects in SNMP-COMMUNITY-MIB, has the following structure:

   +--rw snmp
      +--rw community* [index]
         +--rw index            snmp:identifier
         +--rw (name)?
         |  +--:(text-name)
         |  |  +--rw text-name?     string
         |  +--:(binary-name)
         |     +--rw binary-name?   binary
         +--rw security-name    snmp:security-name
         +--rw engine-id?       snmp:engine-id
         +--rw context?         snmp:context-name
         +--rw target-tag?      snmp:identifier

   It also augments the "/snmp/target-params/params" choice with nodes for the Community-Based Security Model used by SNMPv1 and SNMPv2c:

   +--rw snmp
      +--rw target-params* [name]
      |  ...
      |  +--rw (params)?
      |     +--:(v1)
      |     |  +--rw v1
      |     |     +--rw security-name   snmp:security-name
      |     +--:(v2c)
      |        +--rw v2c
      |           +--rw security-name   snmp:security-name
      +--rw target* [name]
         +--rw mms?   union

   An entry in the list "/snmp/community" corresponds to an "snmpCommunityEntry".

   When a case "v1" or "v2c" is chosen, it implies a snmpTargetParamsMPModel 0 (SNMPv1) or 1 (SNMPv2), and a snmpTargetParamsSecurityModel 1 (SNMPv1) or 2 (SNMPv2), respectively.  Both cases imply a snmpTargetParamsSecurityLevel of noAuthNoPriv.

2.9.  View-based Access Control Model Configuration

   The submodule "ietf-snmp-vacm", which defines configuration parameters that correspond to the objects in SNMP-VIEW-BASED-ACM-MIB, has the following structure:

   +--rw snmp
      +--rw vacm
         +--rw group* [name]
         |  +--rw name      group-name
         |  +--rw member* [security-name]
         |  |  +--rw security-name     snmp:security-name
         |  |  +--rw security-model*   snmp:security-model
         |  +--rw access* [context security-model security-level]
         |     +--rw context          snmp:context-name
         |     +--rw context-match?   enumeration
         |     +--rw security-model   snmp:security-model-or-any
         |     +--rw security-level   snmp:security-level
         |     +--rw read-view?       view-name
         |     +--rw write-view?      view-name
         |     +--rw notify-view?     view-name
         +--rw view* [name]
            +--rw name       view-name
            +--rw include*   snmp:wildcard-object-identifier
            +--rw exclude*   snmp:wildcard-object-identifier

   The "vacmSecurityToGroupTable" and "vacmAccessTable" are mapped to a structure of nested lists in the YANG model.  Groups are defined in the list "/snmp/vacm/group" and for each group there is a sublist "member" that maps to "vacmSecurityToGroupTable", and a sublist "access" that maps to "vacmAccessTable".

   MIB views are defined in the list "/snmp/vacm/view" and for each MIB view there is a leaf-list of included subtree families and a leaf-list of excluded subtree families.  This is more compact and thus a more readable representation of the "vacmViewTreeFamilyTable".

2.10.  User-based Security Model Configuration

   The submodule "ietf-snmp-usm", which defines configuration parameters that correspond to the objects in SNMP-USER-BASED-SM-MIB, has the following structure:

   +--rw snmp
      +--rw usm
         +--rw local
         |  +--rw user* [name]
         |     +-- {common user params}
         +--rw remote* [engine-id]
            +--rw engine-id   snmp:engine-id
            +--rw user* [name]
               +-- {common user params}

   The "{common user params}" are:

   +--rw name    snmp:identifier
   +--rw auth!
   |  +--rw (protocol)
   |     +--:(md5)
   |     |  +--rw md5
   |     |     +--rw key   yang:hex-string
   |     +--:(sha)
   |        +--rw sha
   |           +--rw key   yang:hex-string
   +--rw priv!
      +--rw (protocol)
         +--:(des)
         |  +--rw des
         |     +--rw key   yang:hex-string
         +--:(aes)
            +--rw aes
               +--rw key   yang:hex-string

   It also augments the "/snmp/target-params/params" choice with nodes for the SNMP User-based Security Model.

   +--rw snmp
      +--rw target-params* [name]
         ...
         +--rw (params)?
            +--:(usm)
               +--rw usm
                  +--rw user-name        snmp:security-name
                  +--rw security-level   security-level

   In the MIB, there is a single table with local and remote users, indexed by the engine id and user name.  In the YANG model, there is one list of local users, and a nested list of remote users.

   In the MIB, there are several objects related to changing the authentication and privacy keys.  These objects are not present in the YANG model.  However, the localized key can be changed.  This implies that if the engine id is changed, all users' keys need to be changed as well.

2.11.  Transport Security Model Configuration

   The submodule "ietf-snmp-tsm", which defines configuration parameters that correspond to the objects in SNMP-TSM-MIB, has the following structure:

   +--rw snmp
      +--rw tsm
         +--rw use-prefix?   boolean

   It also augments the "/snmp/target-params/params" choice with nodes for the SNMP Transport Security Model.

   +--rw snmp
      +--rw target-params* [name]
         ...
         +--rw (params)?
            +--:(tsm)
               +--rw tsm
                  +--rw security-name    snmp:security-name
                  +--rw security-level   security-level

   This submodule defines the feature "tsm".  A server implements this feature if it supports the Transport Security Model (tsm) [RFC5591].

2.12.  Transport Layer Security Transport Model Configuration

   The submodule "ietf-snmp-tls", which defines configuration parameters that correspond to the objects in SNMP-TLS-TM-MIB, has the following structure:

   +--rw snmp
      ...
      +--rw target* [name]
      |  ...
      |  +--rw (transport)
      |     ...
      |     +--:(tls)
      |     |  +--rw tls
      |     |     +-- {common (d)tls transport params}
      |     +--:(dtls)
      |        +--rw dtls
      |           +-- {common (d)tls transport params}
      +--rw tlstm
         +--rw cert-to-name* [id]
            +--rw id            uint32
            +--rw fingerprint   x509c2n:tls-fingerprint
            +--rw map-type      identityref
            +--rw name          string

   The "{common (d)tls transport params}" are:

   +--rw ip?                   inet:host
   +--rw port?                 inet:port-number
   +--rw client-fingerprint?   x509c2n:tls-fingerprint
   +--rw server-fingerprint?   x509c2n:tls-fingerprint
   +--rw server-identity?      snmp:admin-string

   It also augments the "/snmp/engine/listen/transport" choice with objects for the (D)TLS transport endpoints:

   +--rw snmp
      +--rw engine
         ...
         +--rw listen* [name]
            ...
            +--rw (transport)
               ...
               +--:(tls)
               |  +--rw tls
               |     +--rw ip      inet:ip-address
               |     +--rw port?   inet:port-number
               +--:(dtls)
                  +--rw dtls
                     +--rw ip      inet:ip-address
                     +--rw port?   inet:port-number

   This submodule defines the feature "tlstm".  A server implements this feature if it supports the Transport Layer Security (TLS) Transport Model (tlstm) [RFC6353].

2.13.  Secure Shell Transport Model Configuration

   The submodule "ietf-snmp-ssh", which defines configuration parameters that correspond to the objects in SNMP-SSH-TM-MIB, has the following structure:

   +--rw snmp
      ...
      +--rw target* [name]
         ...
         +--rw (transport)
            ...
            +--:(ssh)
               +--rw ssh
                  +--rw ip          inet:host
                  +--rw port?       inet:port-number
                  +--rw username?   string

   It also augments the "/snmp/engine/listen/transport" choice with objects for the SSH transport endpoints:

   +--rw snmp
      +--rw engine
         ...
         +--rw listen* [name]
            ...
            +--rw (transport)
               ...
               +--:(ssh)
                  +--rw ssh
                     +--rw ip          inet:host
                     +--rw port?       inet:port-number
                     +--rw username?   string

   This submodule defines the feature "sshtm".  A server implements this feature if it supports the Secure Shell (SSH) Transport Model (sshtm) [RFC5592].

3.  Implementation Guidelines

   This section describes some challenges for implementations that support both the YANG models defined in this document and either read-write or read-only SNMP access to the same data, using the standard MIB modules.

   As described in Section 2.2, the persistency models in NETCONF and SNMP are quite different.  This poses a challenge for an implementation to support both NETCONF and SNMP access to the same data, in particular if the data is writable over both protocols.  Specifically, the configuration data may exist in some combination of the three NETCONF configuration datastores, and this data must be mapped to rows in the SNMP tables, in some SNMP contexts, with proper values for the StorageType columns.

   This problem is not new; it has been handled in many implementations that support configuration of the SNMP engine over a command line interface (CLI), which normally have a persistency model similar to NETCONF.

   Since there is not one solution that works for all cases, this document does not provide a recommended solution.  Instead some of the challenges involved are described below.

3.1.  Supporting read-only SNMP Access

   If a device implements only :writable-running, it is trivial to map the contents of "running" to data in the SNMP tables, where all instances of the StorageType columns have the value "nonVolatile".

   If a device implements :candidate, but not :startup, the implementation may choose to not expose the contents of the "candidate" datastore over SNMP, and map the contents of "running" as described above.  As an option, the contents of "candidate" might be accessible in a separate SNMP context.

   If a device implements :startup, the handling of StorageType becomes more difficult.  Since the contents of "running" and "startup" might differ, data in running cannot automatically be mapped to instances with StorageType "nonVolatile".  If a particular entry exists in "running" but not in "startup", its StorageType should be "volatile".  If a particular entry exists in "startup", but not "running", it should not be mapped to an SNMP instance, at least not in the default SNMP context.

3.2.  Supporting read-write SNMP access

   If the implementation supports read-write access to data over SNMP, and specifically creation of table rows, special attention has to be given to the handling of the RowStatus and StorageType columns.  The problem is to determine which table rows to store in the configuration datastores, and which configuration datastore is appropriate for each row.

   The SNMP tables contain a mix of configured data and operational state, and only rows with an "active" RowStatus column should be stored in a configuration datastore.

   If a device implements only :writable-running, "active" rows with a "nonVolatile" StorageType column can be stored in "running".  Rows with a "volatile" StorageType column are operational state.

   If a device implements :candidate, but not :writable-running, all configuration changes typically go through the "candidate", even if they are done over SNMP.  An implementation might have to perform some automatic commit of the "candidate" when data is written over SNMP, since there is no explicit "commit" operation in SNMP.

   If a device implements :startup, "nonVolatile" rows cannot just be written to "running", they must also be copied into "startup".  "volatile" rows may be treated as operational state and not copied to any datastore, or copied into "running".
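   The datastore-to-StorageType mapping of Section 3.1 and its reverse from Section 3.2, written out as an added Python example (not part of the draft).  It assumes the device's NETCONF capabilities are given as a set of the names :writable-running, :candidate and :startup, and that each datastore is a dict from row key to configured entry.

```python
# Added example, not from the draft: Section 3.1 (read-only SNMP) maps datastore
# contents to SNMP rows with a StorageType; Section 3.2 (read-write SNMP) maps a
# row written over SNMP back to the datastores it has to land in.
NONVOLATILE = "nonVolatile"
VOLATILE = "volatile"


def snmp_rows_from_datastores(caps, running, startup=None):
    """Section 3.1: return {key: (entry, StorageType)} for the rows that are
    visible in the default SNMP context.  `caps` is the set of implemented
    NETCONF capability names; `running`/`startup` are {key: entry} dicts."""
    if ":startup" not in caps:
        # Only :writable-running, or :candidate without :startup: everything
        # in "running" maps 1:1 to nonVolatile rows.  "candidate" is not
        # exposed in the default context (it could get its own SNMP context).
        return {key: (entry, NONVOLATILE) for key, entry in running.items()}

    startup = startup or {}
    rows = {}
    for key, entry in running.items():
        # "running" and "startup" may differ: a row present in both survives a
        # restart (nonVolatile); a row present in "running" only is volatile.
        rows[key] = (entry, NONVOLATILE if key in startup else VOLATILE)
    # Rows that exist only in "startup" are deliberately not mapped at all.
    return rows


def datastores_for_snmp_row(caps, row_status, storage_type):
    """Section 3.2: return the set of configuration datastores a row created
    over SNMP must be stored in.  An empty set means the row is operational
    state only and never reaches a configuration datastore."""
    if row_status != "active":
        return set()            # notInService / notReady rows are not configuration
    if storage_type == VOLATILE:
        return set()            # operational state (copying into "running" is also allowed)
    if storage_type != NONVOLATILE:
        raise ValueError("StorageType %r is not covered by Section 3.2" % storage_type)

    targets = set()
    if ":candidate" in caps and ":writable-running" not in caps:
        # All changes go through "candidate"; the agent then has to commit on
        # its own, because SNMP has no commit operation.
        targets.add("candidate")
    else:
        targets.add("running")
    if ":startup" in caps:
        targets.add("startup")  # nonVolatile rows must survive a restart
    return targets


def example():
    """Constructed sample: a :startup device whose "running" and "startup"
    datastores have drifted apart."""
    caps = {":writable-running", ":startup"}
    running = {"public": {"security-name": "ro-user"}, "tmp": {"security-name": "tmp-user"}}
    startup = {"public": {"security-name": "ro-user"}, "old": {"security-name": "gone"}}
    return snmp_rows_from_datastores(caps, running, startup)
```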
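   Section 2.10 above states that the USM "key" leaves hold localized keys, so that changing "/snmp/engine/engine-id" forces every user's key to change.  The added Python example below (not from the draft) makes that concrete with the RFC 3414 password-to-key and key localization steps; it assumes the engine-id is given in the model's hex-string notation and only covers the md5 and sha protocols the tree diagram lists.

```python
# Added example, not from the draft: RFC 3414 (Appendix A.2) key derivation, to
# show why the value in /snmp/usm/.../auth/{md5,sha}/key depends on the engine-id.
import hashlib

_ONE_MB = 1048576  # RFC 3414 hashes exactly 1 048 576 bytes of the repeated password


def password_to_key(password, algorithm):
    """Intermediate key Ku: hash of the password repeated to 1 MB (A.2.1/A.2.2)."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("this draft's USM submodule knows only md5 and sha")
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    whole, rest = divmod(_ONE_MB, len(pw))
    return hashlib.new(algorithm, pw * whole + pw[:rest]).digest()


def localize_key(ku, engine_id, algorithm):
    """Localized key Kul = H(Ku || engineID || Ku); this is what the 'key' leaf stores."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def usm_key_leaf(password, engine_id_hex, protocol):
    """Return the yang:hex-string value of the 'key' leaf for a user under the
    given engine.  engine_id_hex is the snmp:engine-id value ("00:00:...:02")."""
    algorithm = {"md5": "md5", "sha": "sha1"}[protocol]
    engine_id = bytes.fromhex(engine_id_hex.replace(":", ""))
    kul = localize_key(password_to_key(password, algorithm), engine_id, algorithm)
    return ":".join("%02x" % b for b in kul)


def keys_change_with_engine_id(password, protocol):
    """Same password, two engine ids: the localized keys differ, which is the
    reason every user key must be regenerated after an engine-id change."""
    k_a = usm_key_leaf(password, "00:00:00:00:00:00:00:00:00:00:00:02", protocol)
    k_b = usm_key_leaf(password, "00:00:00:00:00:00:00:00:00:00:00:03", protocol)
    return k_a != k_b
```

   The test vectors from RFC 3414 Appendix A.3 (password "maplesyrup", engine id 00..02) reproduce with this code.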
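   The cert-to-name search that the "ietf-x509-cert-to-name" module in Section 4.1 describes (ordered entries, a fingerprint match on the presented certificate or on a trusted CA in its chain, then the map-type derivation with the san-* lowercase and address rules), as an added Python example that is not the draft's or any implementation's code.  It assumes a constructed stand-in Cert object with placeholder "der" bytes instead of a real X.509 parser, entries as dicts with the list's id/fingerprint/map-type/name leaves, and sha256 (RFC 5246 id 4) as the default fingerprint hash.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# First fingerprint octet: IANA TLS HashAlgorithm ids (RFC 5246) this example accepts.
HASH_ALG = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
# The pattern of the tls-fingerprint typedef in Section 4.1.
TLS_FP_RE = re.compile(r"^([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}$")


@dataclass
class Cert:
    """Constructed stand-in for a parsed certificate: 'der' is a placeholder byte
    string (not real DER) and 'chain' holds the trusted CA certificates above it."""
    der: bytes
    common_name: Optional[str] = None
    san: List[Tuple[str, object]] = field(default_factory=list)  # (type, value), cert order
    chain: List["Cert"] = field(default_factory=list)


def parse_tls_fingerprint(text):
    """Split a tls-fingerprint value into (hashlib algorithm name, digest bytes)."""
    if not TLS_FP_RE.match(text):
        raise ValueError("not a tls-fingerprint: %r" % text)
    raw = bytes.fromhex(text.replace(":", ""))
    if raw[0] not in HASH_ALG:
        raise ValueError("unsupported hash algorithm id %d" % raw[0])
    return HASH_ALG[raw[0]], raw[1:]


def tls_fingerprint(der, alg_id=4):
    """Encode a certificate fingerprint the way the typedef expects (sha256 by default)."""
    digest = hashlib.new(HASH_ALG[alg_id], der).digest()
    return ":".join("%02x" % b for b in bytes([alg_id]) + digest)


# The san-* mapping algorithms defined by the module's identities.
def map_rfc822_name(value):
    local, _, host = value.rpartition("@")
    return local + "@" + host.lower()           # only the host part is lowercased

def map_dns_name(value):
    return value.lower()

def map_ip_address(value):
    addr = ipaddress.ip_address(value)          # value is the binary-encoded iPAddress
    if addr.version == 4:
        return str(addr)                        # decimal dotted quad
    return addr.exploded.replace(":", "")       # 32 lowercase hex characters, no colons

SAN_MAPPERS = {"rfc822Name": map_rfc822_name, "dNSName": map_dns_name,
               "iPAddress": map_ip_address}
SAN_TYPE_FOR = {"san-rfc822-name": "rfc822Name", "san-dns-name": "dNSName",
                "san-ip-address": "iPAddress"}


def derive_name(entry, cert):
    """Apply the entry's map-type; None means this entry yields no name."""
    map_type = entry["map-type"]
    if map_type == "specified":
        return entry["name"]
    if map_type == "common-name":
        return cert.common_name                 # deprecated mapping, kept for completeness
    if map_type == "san-any":
        wanted = set(SAN_MAPPERS)               # first subjectAltName of any of the three types
    elif map_type in SAN_TYPE_FOR:
        wanted = {SAN_TYPE_FOR[map_type]}
    else:
        raise ValueError("unknown map-type %r" % map_type)
    for san_type, value in cert.san:
        if san_type in wanted:
            return SAN_MAPPERS[san_type](value)
    return None


def entry_matches(entry, cert):
    """Rule 1: fingerprint of the presented certificate; rule 2: of a trusted CA in its chain."""
    alg, digest = parse_tls_fingerprint(entry["fingerprint"])
    return any(hashlib.new(alg, c.der).digest() == digest for c in [cert] + cert.chain)


def cert_to_name(entries, cert):
    """Search entries by ascending id; an entry that matches but yields no name is skipped."""
    for entry in sorted(entries, key=lambda e: e["id"]):
        if entry_matches(entry, cert):
            name = derive_name(entry, cert)
            if name is not None:
                return name
    return None


# Constructed sample: a leaf certificate without an iPAddress SAN, issued by one trusted CA.
CA = Cert(der=b"constructed CA certificate bytes")
LEAF = Cert(der=b"constructed agent certificate bytes", common_name="Agent One",
            san=[("rfc822Name", "Ops@Example.COM"), ("dNSName", "Agent1.Example.COM")],
            chain=[CA])
ENTRIES = [
    {"id": 20, "fingerprint": tls_fingerprint(CA.der), "map-type": "san-dns-name"},
    {"id": 10, "fingerprint": tls_fingerprint(LEAF.der), "map-type": "san-ip-address"},
]
```

   With the sample entries, entry 10 matches the leaf's own fingerprint but cannot derive a name (no iPAddress SAN), so the search continues to entry 20, which matches through the CA chain and maps the dNSName.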
   Cooperating SNMP management applications may use spin lock objects (snmpTargetSpinLock [RFC3413], usmUserSpinLock [RFC3414], vacmViewSpinLock [RFC3415]) to coordinate concurrent write requests.  Implementations supporting modifications of MIB objects protected by a spin lock via NETCONF should ensure that the spin lock objects are properly incremented whenever objects are changed via NETCONF.  This allows cooperating SNMP management applications to discover that concurrent modifications are taking place.

4.  Definitions

4.1.  Module 'ietf-x509-cert-to-name'

   This YANG module imports typedefs from [RFC6991].

   file "ietf-x509-cert-to-name.yang"

   module ietf-x509-cert-to-name {

     namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name";
     prefix x509c2n;

     import ietf-yang-types {
       prefix yang;
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Thomas Nadeau

        WG Chair: Juergen Schoenwaelder

        Editor:   Martin Bjorklund

        Editor:   Juergen Schoenwaelder
        ";

     description
       "This module contains a collection of YANG definitions for
        extracting a name from an X.509 certificate.

        The algorithm used to extract a name from an X.509 certificate
        was first defined in RFC 6353.

        Copyright (c) 2014 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";
     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.
     reference
       "RFC6353: Transport Layer Security (TLS) Transport Model for
        the Simple Network Management Protocol (SNMP)";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.

     revision 2014-05-06 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     typedef tls-fingerprint {
       type yang:hex-string {
         pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
       }
       description
         "A fingerprint value that can be used to uniquely reference
          other data of potentially arbitrary length.

          A tls-fingerprint value is composed of a 1-octet hashing
          algorithm identifier followed by the fingerprint value.  The
          first octet value identifying the hashing algorithm is taken
          from the IANA TLS HashAlgorithm Registry (RFC 5246).  The
          remaining octets are filled using the results of the hashing
          algorithm.";
       reference "SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
     }

     /* Identities */

     identity cert-to-name {
       description
         "Base identity for algorithms to derive a name from a
          certificate.";
     }

     identity specified {
       base cert-to-name;
       description
         "Directly specifies the name to be used for the certificate.
          The value of the leaf 'name' in 'cert-to-name' list is used.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
     }

     identity san-rfc822-name {
       base cert-to-name;
       description
         "Maps a subjectAltName's rfc822Name to a name.  The local part
          of the rfc822Name is passed unaltered but the host-part of the
          name must be passed in lowercase.  This mapping results in a
          1:1 correspondence between equivalent subjectAltName
          rfc822Name values and name values except that the host-part
          of the name MUST be passed in lowercase.  For example, the
          rfc822Name field FooBar@Example.COM is mapped to name
          FooBar@example.com.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
     }

     identity san-dns-name {
       base cert-to-name;
       description
         "Maps a subjectAltName's dNSName to a name after first
          converting it to all lowercase (RFC 5280 does not specify
          converting to lowercase so this involves an extra step).
          This mapping results in a 1:1 correspondence between
          subjectAltName dNSName values and the name values.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
     }

     identity san-ip-address {
       base cert-to-name;
       description
         "Maps a subjectAltName's iPAddress to a name by
          transforming the binary encoded address as follows:

            1) for IPv4, the value is converted into a
               decimal-dotted quad address (e.g., '192.0.2.1').

            2) for IPv6 addresses, the value is converted into a
               32-character all lowercase hexadecimal string
               without any colon separators.

          This mapping results in a 1:1 correspondence between
          subjectAltName iPAddress values and the name values.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
     }

     identity san-any {
       base cert-to-name;
       description
         "Maps any of the following fields using the corresponding
          mapping algorithms:

            +------------+-----------------+
            | Type       | Algorithm       |
            |------------+-----------------|
            | rfc822Name | san-rfc822-name |
            | dNSName    | san-dns-name    |
            | iPAddress  | san-ip-address  |
            +------------+-----------------+

          The first matching subjectAltName value found in the
          certificate of the above types MUST be used when deriving
          the name.  The mapping algorithm specified in the
          'Algorithm' column MUST be used to derive the name.

          This mapping results in a 1:1 correspondence between
          subjectAltName values and name values.  The three sub-mapping
          algorithms produced by this combined algorithm cannot produce
          conflicting results between themselves.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
     }

     identity common-name {
       base cert-to-name;
       description
         "Maps a certificate's CommonName to a name after converting
          it to a UTF-8 encoding.  The usage of CommonNames is
          deprecated and users are encouraged to use subjectAltName
          mapping methods instead.  This mapping results in a 1:1
          correspondence between certificate CommonName values and name
          values.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
     }

     /*
      * Groupings
      */

     grouping cert-to-name {
       description
         "Defines nodes for mapping certificates to names.  Modules
          that use this grouping should describe how the resulting
          name is used.";

       list cert-to-name {
         key id;
         description
           "This list defines how certificates are mapped to names.
            The name is derived by considering each cert-to-name
            list entry in order.  The cert-to-name entry's fingerprint
            determines whether the list entry is a match:

            1) If the cert-to-name list entry's fingerprint value
               matches that of the presented certificate, then consider
               the list entry as a successful match.

            2) If the cert-to-name list entry's fingerprint value
               matches that of a locally held copy of a trusted CA
               certificate, and that CA certificate was part of the CA
               certificate chain to the presented certificate, then
               consider the list entry as a successful match.

            Once a matching cert-to-name list entry has been found, the
            map-type is used to determine how the name associated with
            the certificate should be determined.  See the map-type
            leaf's description for details on determining the name value.
            If it is impossible to determine a name from the cert-to-name
            list entry's data combined with the data presented in the
            certificate, then additional cert-to-name list entries MUST
            be searched looking for another potential match.

            Security administrators are encouraged to make use of
            certificates with subjectAltName fields that can be mapped to
            names so that a single root CA certificate can allow all
            child certificates' subjectAltName to map directly to a name
            via a 1:1 transformation.";
         reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";

         leaf id {
           type uint32;
           description
             "The id specifies the order in which the entries in the
              cert-to-name list are searched.  Entries with lower
              numbers are searched first.";
           reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
         }

         leaf fingerprint {
           type x509c2n:tls-fingerprint;
           mandatory true;
           description
             "Specifies a value with which the fingerprint of the
              certificate presented by the peer is compared.  If the
              fingerprint of the certificate presented by the peer does
              not match the fingerprint configured, then the entry is
              skipped and the search for a match continues.";
           reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
         }

         leaf map-type {
           type identityref {
             base cert-to-name;
           }
           mandatory true;
           description
             "Specifies the algorithm used to map the certificate
              presented by the peer to a name.
920 Mappings that need additional configuration objects should 921 use the 'when' statement to make them conditional based on 922 the 'map-type'."; 923 reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType"; 925 } 927 leaf name { 928 when "../map-type = 'x509c2n:specified'"; 929 type string; 930 mandatory true; 931 description 932 "Directly specifies the NETCONF username when the 933 'map-type' is 'specified'."; 934 reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData"; 935 } 936 } 937 } 938 } 940 942 4.2. Module 'ietf-snmp' 944 file "ietf-snmp.yang" 946 module ietf-snmp { 948 namespace "urn:ietf:params:xml:ns:yang:ietf-snmp"; 949 prefix snmp; 951 // RFC Ed.: update the dates below with the date of RFC publication 952 // and remove this note. 954 include ietf-snmp-common { 955 revision-date 2014-05-06; 956 } 957 include ietf-snmp-engine { 958 revision-date 2014-05-06; 959 } 960 include ietf-snmp-target { 961 revision-date 2014-05-06; 962 } 963 include ietf-snmp-notification { 964 revision-date 2014-05-06; 965 } 966 include ietf-snmp-proxy { 967 revision-date 2014-05-06; 968 } 969 include ietf-snmp-community { 970 revision-date 2014-05-06; 971 } 972 include ietf-snmp-usm { 973 revision-date 2014-05-06; 974 } 975 include ietf-snmp-tsm { 976 revision-date 2014-05-06; 977 } 978 include ietf-snmp-vacm { 979 revision-date 2014-05-06; 980 } 981 include ietf-snmp-tls { 982 revision-date 2014-05-06; 983 } 984 include ietf-snmp-ssh { 985 revision-date 2014-05-06; 986 } 988 organization 989 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 991 contact 992 "WG Web: 993 WG List: 995 WG Chair: Thomas Nadeau 996 998 WG Chair: Juergen Schoenwaelder 999 1001 Editor: Martin Bjorklund 1002 1004 Editor: Juergen Schoenwaelder 1005 "; 1007 description 1008 "This module contains a collection of YANG definitions for 1009 configuring SNMP engines. 1011 Copyright (c) 2014 IETF Trust and the persons identified as 1012 authors of the code. All rights reserved. 
1014 Redistribution and use in source and binary forms, with or 1015 without modification, is permitted pursuant to, and subject 1016 to the license terms contained in, the Simplified BSD License 1017 set forth in Section 4.c of the IETF Trust's Legal Provisions 1018 Relating to IETF Documents 1019 (http://trustee.ietf.org/license-info). 1020 This version of this YANG module is part of RFC XXXX; see 1021 the RFC itself for full legal notices."; 1023 // RFC Ed.: replace XXXX with actual RFC number and remove this 1024 // note. 1026 // RFC Ed.: update the date below with the date of RFC publication 1027 // and remove this note. 1029 revision 2014-05-06 { 1030 description 1031 "Initial revision."; 1032 reference 1033 "RFC XXXX: A YANG Data Model for SNMP Configuration"; 1034 } 1036 } 1038 1040 4.3. Submodule 'ietf-snmp-common' 1042 file "ietf-snmp-common.yang" 1044 submodule ietf-snmp-common { 1046 belongs-to ietf-snmp { 1047 prefix snmp; 1048 } 1050 import ietf-yang-types { 1051 prefix yang; 1052 } 1054 organization 1055 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 1057 contact 1058 "WG Web: 1059 WG List: 1061 WG Chair: Thomas Nadeau 1062 1064 WG Chair: Juergen Schoenwaelder 1065 1067 Editor: Martin Bjorklund 1068 1070 Editor: Juergen Schoenwaelder 1071 "; 1073 description 1074 "This submodule contains a collection of common YANG definitions 1075 for configuring SNMP engines. 1077 Copyright (c) 2014 IETF Trust and the persons identified as 1078 authors of the code. All rights reserved. 1080 Redistribution and use in source and binary forms, with or 1081 without modification, is permitted pursuant to, and subject 1082 to the license terms contained in, the Simplified BSD License 1083 set forth in Section 4.c of the IETF Trust's Legal Provisions 1084 Relating to IETF Documents 1085 (http://trustee.ietf.org/license-info). 
1087 This version of this YANG module is part of RFC XXXX; see 1088 the RFC itself for full legal notices."; 1090 // RFC Ed.: replace XXXX with actual RFC number and remove this 1091 // note. 1093 // RFC Ed.: update the date below with the date of RFC publication 1094 // and remove this note. 1096 revision 2014-05-06 { 1097 description 1098 "Initial revision."; 1099 reference 1100 "RFC XXXX: A YANG Data Model for SNMP Configuration"; 1101 } 1103 /* Collection of SNMP specific data types */ 1105 typedef admin-string { 1106 type string { 1107 length "0..255"; 1108 } 1109 description 1110 "Represents and SnmpAdminString as defined in RFC 3411. 1112 Note that the size of an SnmpAdminString is measured in 1113 octets, not characters."; 1114 reference "SNMP-FRAMEWORK-MIB.SnmpAdminString"; 1116 } 1118 typedef identifier { 1119 type admin-string { 1120 length "1..32"; 1121 } 1122 description 1123 "Identifiers are used to name items in the SNMP configuration 1124 data store."; 1125 } 1127 typedef context-name { 1128 type admin-string { 1129 length "0..32"; 1130 } 1131 description 1132 "The context type represents an SNMP context name."; 1133 reference 1134 "RFC3411: An Architecture for Describing SNMP Management 1135 Frameworks"; 1136 } 1138 typedef security-name { 1139 type admin-string { 1140 length "1..32"; 1141 } 1142 description 1143 "The security-name type represents an SNMP security name."; 1144 reference 1145 "RFC3411: An Architecture for Describing SNMP Management 1146 Frameworks"; 1147 } 1149 typedef security-model { 1150 type union { 1151 type enumeration { 1152 enum v1 { value 1; } 1153 enum v2c { value 2; } 1154 enum usm { value 3; } 1155 enum tsm { value 4; } 1156 } 1157 type int32 { 1158 range "1..2147483647"; 1159 } 1160 } 1161 reference 1162 "RFC3411: An Architecture for Describing SNMP Management 1163 Frameworks"; 1165 } 1167 typedef security-model-or-any { 1168 type union { 1169 type enumeration { 1170 enum any { value 0; } 1171 } 1172 type 
security-model; 1173 } 1174 reference 1175 "RFC3411: An Architecture for Describing SNMP Management 1176 Frameworks"; 1177 } 1179 typedef security-level { 1180 type enumeration { 1181 enum no-auth-no-priv { value 1; } 1182 enum auth-no-priv { value 2; } 1183 enum auth-priv { value 3; } 1184 } 1185 reference 1186 "RFC3411: An Architecture for Describing SNMP Management 1187 Frameworks"; 1188 } 1190 typedef engine-id { 1191 type yang:hex-string { 1192 pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}'; 1193 } 1194 description 1195 "The Engine ID specified as a list of colon-specified hexa- 1196 decimal octets, e.g., '80:00:02:b8:04:61:62:63'."; 1197 reference 1198 "RFC3411: An Architecture for Describing SNMP Management 1199 Frameworks"; 1200 } 1202 typedef wildcard-object-identifier { 1203 type string; 1204 description 1205 "The wildcard-object-identifier type represents an SNMP object 1206 identifier where subidentifiers can be given either as a label, 1207 in numeric form, or a wildcard, represented by a *."; 1208 } 1210 typedef tag-value { 1211 type string { 1212 length "0..255"; 1214 } 1215 description 1216 "Represents and SnmpTagValue as defined in RFC 3413. 1218 Note that the size of an SnmpTagValue is measured in 1219 octets, not characters."; 1220 reference "SNMP-TARGET-MIB.SnmpTagValue"; 1221 } 1223 container snmp { 1224 description 1225 "Top-level container for SNMP related configuration and 1226 status objects."; 1227 } 1229 } 1231 1233 4.4. 
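The cert-to-name search described in the 'ietf-x509-cert-to-name' grouping above (fingerprint match on the presented certificate or on a CA in its chain, entries tried in 'id' order, fall-through when no name can be derived) and the san-* mapping identities are shown below as working code. This is an added example, not code from the draft or from the NETMOD working group. It assumes a Certificate stand-in that carries only the fields the algorithm consults (DER bytes, subjectAltName entries in certificate order, CommonName, issuing chain); in a deployment those come from a parsed X.509 certificate. All DER blobs, names and list entries are constructed, and the fingerprints use HashAlgorithm id 4 (sha256) from the RFC 5246 registry.

```python
"""Resolving a TLS peer's name with the x509c2n cert-to-name algorithm.

Added example, not code from the draft.  A Certificate here is a stand-in
carrying only the fields the algorithm consults; a real implementation
would take them from a parsed X.509 certificate.  DER blobs are constructed.
"""
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass, field

# First octet of a tls-fingerprint: IANA TLS HashAlgorithm registry (RFC 5246).
HASH_ALGORITHMS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256",
                   5: "sha384", 6: "sha512"}


@dataclass
class Certificate:
    der: bytes                                      # fingerprint is computed over this
    san: list[tuple[str, str | bytes]] = field(default_factory=list)  # certificate order
    common_name: str | None = None
    chain: list[Certificate] = field(default_factory=list)            # issuing CA certs


@dataclass
class CertToNameEntry:
    """One entry of the cert-to-name list: id, fingerprint, map-type and name."""
    id: int
    fingerprint: str
    map_type: str
    name: str | None = None                         # only used by map-type 'specified'


def parse_tls_fingerprint(value: str) -> tuple[str, bytes]:
    """Split a tls-fingerprint hex-string into (hash name, digest octets)."""
    octets = bytes.fromhex(value.replace(":", ""))
    if len(octets) < 2 or octets[0] not in HASH_ALGORITHMS:
        raise ValueError(f"bad tls-fingerprint {value!r}")
    return HASH_ALGORITHMS[octets[0]], octets[1:]


def make_tls_fingerprint(der: bytes, algorithm_id: int = 4) -> str:
    """Configured form of a certificate's fingerprint (4 = sha256 by default)."""
    digest = hashlib.new(HASH_ALGORITHMS[algorithm_id], der).digest()
    return ":".join(f"{b:02x}" for b in bytes([algorithm_id]) + digest)


def fingerprint_matches(configured: str, cert: Certificate) -> bool:
    algo, digest = parse_tls_fingerprint(configured)
    return hashlib.new(algo, cert.der).digest() == digest


def map_san(kind: str, value: str | bytes) -> str | None:
    """The san-rfc822-name, san-dns-name and san-ip-address transformations."""
    if kind == "rfc822Name" and isinstance(value, str):
        local, sep, host = value.rpartition("@")
        return f"{local}@{host.lower()}" if sep else None    # host-part lowercased only
    if kind == "dNSName" and isinstance(value, str):
        return value.lower()
    if kind == "iPAddress" and isinstance(value, bytes):
        if len(value) == 4:
            return str(ipaddress.IPv4Address(value))          # decimal-dotted quad
        if len(value) == 16:
            return ipaddress.IPv6Address(value).packed.hex()  # 32 hex chars, no colons
    return None


SAN_TYPES = {"san-rfc822-name": ("rfc822Name",), "san-dns-name": ("dNSName",),
             "san-ip-address": ("iPAddress",),
             "san-any": ("rfc822Name", "dNSName", "iPAddress")}


def derive_name(entry: CertToNameEntry, cert: Certificate) -> str | None:
    """Name for a matched entry, or None if the certificate lacks the data."""
    if entry.map_type == "specified":
        return entry.name
    if entry.map_type == "common-name":
        return cert.common_name
    for kind, value in cert.san:                    # first SAN of an accepted type wins
        if kind in SAN_TYPES.get(entry.map_type, ()):
            return map_san(kind, value)
    return None


def resolve_name(entries: list[CertToNameEntry], cert: Certificate) -> str | None:
    """Search in id order; rule 1 is a direct match, rule 2 a match on a chain CA."""
    for entry in sorted(entries, key=lambda e: e.id):
        matched = fingerprint_matches(entry.fingerprint, cert) or any(
            fingerprint_matches(entry.fingerprint, ca) for ca in cert.chain)
        if not matched:
            continue
        name = derive_name(entry, cert)
        if name is not None:
            return name
        # Matched but no name derivable: later entries MUST still be searched.
    return None


# Constructed sample data (placeholder DER, not real certificates).
CA = Certificate(der=b"constructed-ca-der")
ROUTER = Certificate(der=b"constructed-router-der", common_name="Router1", chain=[CA],
                     san=[("rfc822Name", "Ops@Example.COM"), ("dNSName", "Router1.Example.NET")])
KIOSK = Certificate(der=b"constructed-kiosk-der", common_name="kiosk")   # pinned directly
ENTRIES = [
    CertToNameEntry(30, make_tls_fingerprint(CA.der), "san-dns-name"),
    CertToNameEntry(20, make_tls_fingerprint(CA.der), "san-ip-address"),  # no iPAddress SAN
    CertToNameEntry(10, make_tls_fingerprint(KIOSK.der), "specified", name="kiosk-operator"),
]
```

With these entries, ROUTER is tried against id 10 (no match), id 20 (CA match, but the certificate carries no iPAddress so the entry is skipped) and id 30, which yields "router1.example.net"; KIOSK matches id 10 directly and gets the configured name. A certificate that matches no entry resolves to None and is left unmapped, which is the safe outcome for an unknown peer.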
Submodule 'ietf-snmp-engine'

file "ietf-snmp-engine.yang"

submodule ietf-snmp-engine {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP engines.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    container engine {

      description
        "Configuration of the SNMP engine.";

      leaf enabled {
        type boolean;
        default "false";
        description
          "Enables the SNMP engine.";
      }

      list listen {
        key "name";
        description
          "Configuration of the transport endpoints on which the
           engine listens.";

        leaf name {
          type snmp:identifier;
          description
            "An arbitrary name for the list entry.";
        }

        choice transport {
          mandatory true;
          description
            "The transport protocol specific parameters for this
             endpoint.  Submodules providing configuration for
             additional transports are expected to augment this
             choice.";
          case udp {
            container udp {
              leaf ip {
                type inet:ip-address;
                mandatory true;
                description
                  "The IPv4 or IPv6 address on which the engine
                   listens.";
              }
              leaf port {
                type inet:port-number;
                description
                  "The UDP port on which the engine listens.

                   If the port is not configured, an engine that
                   acts as a Command Responder uses port 161, and
                   an engine that acts as a Notification Receiver
                   uses port 162.";
              }
            }
          }
        }
      }

      container version {
        description
          "SNMP versions used by the engine.";

        leaf v1 {
          type empty;
        }
        leaf v2c {
          type empty;
        }
        leaf v3 {
          type empty;
        }
      }

      leaf engine-id {
        type snmp:engine-id;
        description
          "The local SNMP engine's administratively-assigned unique
           identifier.

           If this leaf is not set, the device automatically
           calculates an engine id, as described in RFC 3411.  A
           server MAY initialize this leaf with the automatically
           created value.";
        reference "SNMP-FRAMEWORK-MIB.snmpEngineID";
      }

      leaf enable-authen-traps {
        type boolean;
        description
          "Indicates whether the SNMP entity is permitted to
           generate authenticationFailure traps.";
        reference "SNMPv2-MIB.snmpEnableAuthenTraps";
      }
    }
  }
}

4.5. Submodule 'ietf-snmp-target'

file "ietf-snmp-target.yang"

submodule ietf-snmp-target {

  belongs-to ietf-snmp {
    prefix snmp;
  }
  import ietf-inet-types {
    prefix inet;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP targets.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3413: Simple Network Management Protocol (SNMP)
     Applications";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    list target {
      key name;
      description
        "List of targets.";
      reference "SNMP-TARGET-MIB.snmpTargetAddrTable";

      leaf name {
        type snmp:identifier;
        description
          "Identifies the target.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrName";
      }
      choice transport {
        mandatory true;
        description
          "Transport address of the target.

           The snmpTargetAddrTDomain and snmpTargetAddrTAddress
           objects are mapped to transport-specific YANG nodes.  Each
           transport is configured as a separate case in this
           choice.  Submodules providing configuration for additional
           transports are expected to augment this choice.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTDomain
                   SNMP-TARGET-MIB.snmpTargetAddrTAddress";
        case udp {
          reference "SNMPv2-TM.snmpUDPDomain
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4z
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6z";
          container udp {
            leaf ip {
              type inet:ip-address;
              mandatory true;
              reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
            }
            leaf port {
              type inet:port-number;
              default 162;
              description
                "UDP port number.";
              reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
            }
            leaf prefix-length {
              type uint8;
              description
                "The value of this leaf must be consistent with the
                 address family of ../snmp:ip.  If ../snmp:ip contains
                 an ipv4 address, this leaf must be less than or equal
                 to 32.  If it contains an ipv6 address, it must be
                 less than or equal to 128.

                 Note that the prefix-length is currently only used
                 by the Community-based Security Model to filter
                 incoming messages.  Furthermore, the prefix-length
                 filtering does not cover all possible filters
                 supported by the corresponding MIB object.";
              reference "SNMP-COMMUNITY-MIB.snmpTargetAddrTMask";
            }
          }
        }
      }
      leaf-list tag {
        type snmp:tag-value;
        description
          "List of tag values used to select target addresses.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTagList";
      }
      leaf timeout {
        type uint32;
        units "0.01 seconds";
        default 1500;
        description
          "Needed only if this target can receive
           InformRequest-PDUs.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTimeout";
      }
      leaf retries {
        type uint8;
        default 3;
        description
          "Needed only if this target can receive
           InformRequest-PDUs.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrRetryCount";
      }
      leaf target-params {
        type snmp:identifier;
        mandatory true;
        reference "SNMP-TARGET-MIB.snmpTargetAddrParams";
      }
    }

    list target-params {
      key name;
      description
        "List of target parameters.";
      reference "SNMP-TARGET-MIB.snmpTargetParamsTable";

      leaf name {
        type snmp:identifier;
      }
      choice params {
        description
          "This choice is augmented with case nodes containing
           security model specific configuration parameters.";
      }
    }
  }
}

4.6.
Submodule 'ietf-snmp-notification'

file "ietf-snmp-notification.yang"

submodule ietf-snmp-notification {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP notifications.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3413: Simple Network Management Protocol (SNMP)
     Applications";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  feature notification-filter {
    description
      "A server implements this feature if it supports SNMP
       notification filtering.";
    reference
      "RFC3413: Simple Network Management Protocol (SNMP)
       Applications";
  }

  augment /snmp:snmp {

    list notify {
      key name;
      description
        "Targets that will receive notifications.

         Entries in this list are mapped 1-1 to entries in
         snmpNotifyTable, except that if an entry in snmpNotifyTable
         has a snmpNotifyTag for which no snmpTargetAddrEntry exists,
         then the snmpNotifyTable entry is not mapped to an entry in
         this list.";
      reference "SNMP-NOTIFICATION-MIB.snmpNotifyTable";

      leaf name {
        type snmp:identifier;
        description
          "An arbitrary name for the list entry.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyName";
      }
      leaf tag {
        type snmp:tag-value;
        mandatory true;
        description
          "Target tag, selects a set of notification targets.

           Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/tag in
           a valid configuration.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyTag";
      }
      leaf type {
        type enumeration {
          enum trap   { value 1; }
          enum inform { value 2; }
        }
        default trap;
        description
          "Defines the notification type to be generated.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyType";
      }

    }

    list notify-filter-profile {
      if-feature snmp:notification-filter;
      key name;

      description
        "Notification filter profiles.

         The leaf /snmp/target/notify-filter-profile is used
         to associate a filter profile with a target.

         If an entry in this list is referred to by one or more
         /snmp/target/notify-filter-profile, each such
         notify-filter-profile is represented by one
         snmpNotifyFilterProfileEntry.

         If an entry in this list is not referred to by any
         /snmp/target/notify-filter-profile, the entry is not mapped
         to snmpNotifyFilterProfileTable.";
      reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable
                 SNMP-NOTIFICATION-MIB.snmpNotifyFilterTable";

      leaf name {
        type snmp:identifier;
        description
          "Name of the filter profile.";
        reference
          "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
      }

      leaf-list include {
        type snmp:wildcard-object-identifier;
        description
          "A family of subtrees included in this filter.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
      }

      leaf-list exclude {
        type snmp:wildcard-object-identifier;
        description
          "A family of subtrees excluded from this filter.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
      }

    }

  }

  augment /snmp:snmp/snmp:target-params {
    reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable";
    leaf notify-filter-profile {
      if-feature snmp:notification-filter;
      type leafref {
        path "/snmp/notify-filter-profile/name";
      }
      description
        "This leafref leaf is used to represent the sparse
         relationship between the /snmp/target-params list and the
         /snmp/notify-filter-profile list.";
      reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
    }
  }

}

4.7.
Submodule 'ietf-snmp-proxy'

file "ietf-snmp-proxy.yang"

submodule ietf-snmp-proxy {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP proxies.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3413: Simple Network Management Protocol (SNMP)
     Applications";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  feature proxy {
    description
      "A server implements this feature if it can act as an
       SNMP Proxy.";
    reference
      "RFC3413: Simple Network Management Protocol (SNMP)
       Applications";
  }

  augment /snmp:snmp {
    if-feature snmp:proxy;

    list proxy {
      key name;

      description
        "List of proxy parameters.";
      reference "SNMP-PROXY-MIB.snmpProxyTable";

      leaf name {
        type snmp:identifier;
        description
          "Identifies the proxy parameter entry.";
        reference "SNMP-PROXY-MIB.snmpProxyName";
      }
      leaf type {
        type enumeration {
          enum read   { value 1; }
          enum write  { value 2; }
          enum trap   { value 3; }
          enum inform { value 4; }
        }
        mandatory true;
        reference "SNMP-PROXY-MIB.snmpProxyType";
      }
      leaf context-engine-id {
        type snmp:engine-id;
        mandatory true;
        reference "SNMP-PROXY-MIB.snmpProxyContextEngineID";
      }
      leaf context-name {
        type snmp:context-name;
        reference "SNMP-PROXY-MIB.snmpProxyContextName";
      }
      leaf target-params-in {
        type snmp:identifier;
        description
          "The name of a target parameters list entry.

           Implementations MAY restrict the values of this
           leaf to be one of the available values of
           /snmp/target-params/name in a valid configuration.";
        reference "SNMP-PROXY-MIB.snmpProxyTargetParamsIn";
      }
      leaf single-target-out {
        when "../type = 'read' or ../type = 'write'";
        type snmp:identifier;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/name in
           a valid configuration.";
        reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut";
      }
      leaf multiple-target-out {
        when "../type = 'trap' or ../type = 'inform'";
        type snmp:tag-value;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/tag in
           a valid configuration.";
        reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut";
      }
    }
  }
}

4.8. Submodule 'ietf-snmp-community'

file "ietf-snmp-community.yang"

submodule ietf-snmp-community {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-netconf-acm {
    prefix nacm;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring community-based SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3584: Coexistence between Version 1, Version 2, and Version 3
     of the Internet-standard Network Management Framework";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    list community {
      key index;

      description
        "List of communities.";
      reference "SNMP-COMMUNITY-MIB.snmpCommunityTable";

      leaf index {
        type snmp:identifier;
        description
          "Index into the community list.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityIndex";
      }
      choice name {
        nacm:default-deny-all;
        description
          "The community name, either specified as a string
           or as a binary.  The binary name is used when the
           community name contains characters that are not legal
           in a string.

           If not set, the value of 'security-name' is operationally
           used as the snmpCommunityName.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityName";
        leaf text-name {
          type string;
          description
            "A community name that can be represented as a
             YANG string.";
        }
        leaf binary-name {
          type binary;
          description
            "A community name represented as a binary value.";
        }
      }
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        nacm:default-deny-all;
        description
          "The snmpCommunitySecurityName of this entry.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunitySecurityName";
      }
      leaf engine-id {
        if-feature snmp:proxy;
        type snmp:engine-id;
        description
          "If not set, the value of the local SNMP engine is
           operationally used by the device.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityContextEngineID";
      }
      leaf context {
        type snmp:context-name;
        default "";
        description
          "The context in which management information is accessed
           when using the community string specified by this entry.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityContextName";
      }
      leaf target-tag {
        type snmp:tag-value;
        description
          "Used to limit access for this community to the specified
           targets.

           Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/tag in
           a valid configuration.";
        reference "SNMP-COMMUNITY-MIB.snmpCommunityTransportTag";
      }
    }
  }

  grouping v1-target-params {
    container v1 {
      description
        "SNMPv1 parameters type.
         Represents snmpTargetParamsMPModel '0',
         snmpTargetParamsSecurityModel '1', and
         snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of
           /snmp/community/security-name in a valid configuration.";
        reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
    }
  }

  grouping v2c-target-params {
    container v2c {
      description
        "SNMPv2 community parameters type.
         Represents snmpTargetParamsMPModel '1',
         snmpTargetParamsSecurityModel '2', and
         snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of
           /snmp/community/security-name in a valid configuration.";
        reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
    }
  }

  augment /snmp:snmp/snmp:target-params/snmp:params {
    case v1 {
      uses v1-target-params;
    }
    case v2c {
      uses v2c-target-params;
    }
  }

  augment /snmp:snmp/snmp:target {
    when "snmp:v1 or snmp:v2c";
    leaf mms {
      type union {
        type enumeration {
          enum "unknown" { value 0; }
        }
        type int32 {
          range "484..max";
        }
      }
      default "484";
      description
        "The maximum message size.";
      reference
        "SNMP-COMMUNITY-MIB.snmpTargetAddrMMS";
    }
  }

}

4.9.
Submodule 'ietf-snmp-vacm' 2129 file "ietf-snmp-vacm.yang" 2131 submodule ietf-snmp-vacm { 2133 belongs-to ietf-snmp { 2134 prefix snmp; 2135 } 2137 include ietf-snmp-common; 2139 organization 2140 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 2142 contact 2143 "WG Web: 2144 WG List: 2146 WG Chair: Thomas Nadeau 2147 2149 WG Chair: Juergen Schoenwaelder 2150 2152 Editor: Martin Bjorklund 2153 2155 Editor: Juergen Schoenwaelder 2156 "; 2158 description 2159 "This submodule contains a collection of YANG definitions 2160 for configuring the View-based Access Control Model (VACM) 2161 of SNMP. 2163 Copyright (c) 2014 IETF Trust and the persons identified as 2164 authors of the code. All rights reserved. 2166 Redistribution and use in source and binary forms, with or 2167 without modification, is permitted pursuant to, and subject 2168 to the license terms contained in, the Simplified BSD License 2169 set forth in Section 4.c of the IETF Trust's Legal Provisions 2170 Relating to IETF Documents 2171 (http://trustee.ietf.org/license-info). 2172 This version of this YANG module is part of RFC XXXX; see 2173 the RFC itself for full legal notices."; 2175 // RFC Ed.: replace XXXX with actual RFC number and remove this 2176 // note. 2178 reference 2179 "RFC3415: View-based Access Control Model (VACM) for the 2180 Simple Network Management Protocol (SNMP)"; 2182 // RFC Ed.: update the date below with the date of RFC publication 2183 // and remove this note. 
  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  typedef view-name {
    type snmp:identifier;
    description
      "The view-name type represents an SNMP VACM view name.";
  }

  typedef group-name {
    type snmp:identifier;
    description
      "The group-name type represents an SNMP VACM group name.";
  }

  augment /snmp:snmp {

    container vacm {
      description
        "Configuration of the View-based Access Control Model";

      list group {
        key name;
        description
          "VACM Groups.

           This data model has a different structure than the MIB.
           Groups are explicitly defined in this list, and group
           members are defined in the 'member' list (mapped to
           vacmSecurityToGroupTable), and access for the group is
           defined in the 'access' list (mapped to
           vacmAccessTable).";
        reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable
                   SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

        leaf name {
          type group-name;
          description
            "The name of this VACM group.";
          reference "SNMP-VIEW-BASED-ACM-MIB.vacmGroupName";
        }

        list member {
          key "security-name";
          description
            "A member of this VACM group.

             A certain combination of security-name and
             security-model MUST NOT be present in more than
             one group.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable";

          leaf security-name {
            type snmp:security-name;
            description
              "The securityName of a group member.";
            reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityName";
          }

          leaf-list security-model {
            type snmp:security-model;
            min-elements 1;
            description
              "The security models under which this security-name
               is a member of this group.";
            reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityModel";
          }
        }

        list access {
          key "context security-model security-level";
          description
            "Definition of access right for groups";
          reference "SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

          leaf context {
            type snmp:context-name;
            description
              "The context (prefix) under which the access rights
               apply.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextPrefix";
          }

          leaf context-match {
            type enumeration {
              enum exact { value 1; }
              enum prefix { value 2; }
            }
            default exact;
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextMatch";
          }

          leaf security-model {
            type snmp:security-model-or-any;
            description
              "The security model under which the access rights
               apply.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityModel";
          }

          leaf security-level {
            type snmp:security-level;
            description
              "The minimum security level under which the access
               rights apply.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityLevel";
          }

          leaf read-view {
            type view-name;
            description
              "The name of the MIB view of the SNMP context
               authorizing read access.  If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessReadViewName.

               Implementations MAY restrict the values of this
               leaf to be one of the available values of
               /snmp/vacm/view/name in a valid configuration.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessReadViewName";
          }
          leaf write-view {
            type view-name;
            description
              "The name of the MIB view of the SNMP context
               authorizing write access.  If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessWriteViewName.

               Implementations MAY restrict the values of this
               leaf to be one of the available values of
               /snmp/vacm/view/name in a valid configuration.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessWriteViewName";
          }

          leaf notify-view {
            type view-name;
            description
              "The name of the MIB view of the SNMP context
               authorizing notify access.  If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessNotifyViewName.

               Implementations MAY restrict the values of this
               leaf to be one of the available values of
               /snmp/vacm/view/name in a valid configuration.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessNotifyViewName";
          }
        }
      }

      list view {
        key name;
        description
          "Definition of MIB views.";
        reference
          "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyTable";

        leaf name {
          type view-name;
          description
            "The name of this VACM MIB view.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyName";
        }

        leaf-list include {
          type snmp:wildcard-object-identifier;
          description
            "A family of subtrees included in this MIB view.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
        }

        leaf-list exclude {
          type snmp:wildcard-object-identifier;
          description
            "A family of subtrees excluded from this MIB
             view.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
        }
      }
    }
  }
}

4.10.  Submodule 'ietf-snmp-usm'

This YANG submodule imports YANG extensions from [RFC6536].

file "ietf-snmp-usm.yang"

submodule ietf-snmp-usm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-yang-types {
    prefix yang;
  }
  import ietf-netconf-acm {
    prefix nacm;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;
  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the User-based Security Model (USM) of SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3414: User-based Security Model (USM) for version 3 of the
     Simple Network Management Protocol (SNMPv3).";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  grouping key {
    leaf key {
      type yang:hex-string;
      mandatory true;
      nacm:default-deny-all;
      description
        "Localized key specified as a list of colon-specified
         hexadecimal octets";
    }
  }

  grouping user-list {
    list user {
      key "name";

      reference "SNMP-USER-BASED-SM-MIB.usmUserTable";

      leaf name {
        type snmp:identifier;
        reference "SNMP-USER-BASED-SM-MIB.usmUserName";
      }
      container auth {
        presence "enables authentication";
        description
          "Enables authentication of the user";
        choice protocol {
          mandatory true;
          reference "SNMP-USER-BASED-SM-MIB.usmUserAuthProtocol";
          container md5 {
            uses key;
            reference
              "SNMP-USER-BASED-SM-MIB.usmHMACMD5AuthProtocol";
          }
          container sha {
            uses key;
            reference
              "SNMP-USER-BASED-SM-MIB.usmHMACSHAAuthProtocol";
          }
        }
      }
      container priv {
        must "../auth" {
          error-message
            "when privacy is used, authentication must also be used";
        }
        presence "enables encryption";
        description
          "Enables encryption of SNMP messages.";

        choice protocol {
          mandatory true;
          reference "SNMP-USER-BASED-SM-MIB.usmUserPrivProtocol";
          container des {
            uses key;
            reference "SNMP-USER-BASED-SM-MIB.usmDESPrivProtocol";
          }
          container aes {
            uses key;
            reference "SNMP-USM-AES-MIB.usmAesCfb128Protocol";
          }
        }
      }
    }
  }

  augment /snmp:snmp {

    container usm {
      description
        "Configuration of the User-based Security Model";
      container local {
        uses user-list;
      }

      list remote {
        key "engine-id";

        leaf engine-id {
          type snmp:engine-id;
          reference "SNMP-USER-BASED-SM-MIB.usmUserEngineID";
        }

        uses user-list;
      }
    }
  }

  grouping usm-target-params {
    container usm {
      description
        "User-based SNMPv3 parameters type.

         Represents snmpTargetParamsMPModel '3' and
         snmpTargetParamsSecurityModel '3'";
      leaf user-name {
        type snmp:security-name;
        mandatory true;
        reference
          "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
      leaf security-level {
        type snmp:security-level;
        mandatory true;
        reference
          "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
      }
    }
  }

  augment /snmp:snmp/snmp:target-params/snmp:params {
    case usm {
      uses usm-target-params;
    }
  }

}

4.11.  Submodule 'ietf-snmp-tsm'

file "ietf-snmp-tsm.yang"

submodule ietf-snmp-tsm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the Transport Security Model (TSM) of SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC5591: Transport Security Model for the
     Simple Network Management Protocol (SNMP)";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  feature tsm {
    description
      "A server implements this feature if it supports the
       Transport Security Model for SNMP.";
    reference
      "RFC5591: Transport Security Model for the
       Simple Network Management Protocol (SNMP)";
  }

  augment /snmp:snmp {
    if-feature tsm;
    container tsm {
      description
        "Configuration of the Transport-based Security Model";

      leaf use-prefix {
        type boolean;
        default false;
        reference
          "SNMP-TSM-MIB.snmpTsmConfigurationUsePrefix";
      }
    }
  }

  grouping tsm-target-params {
    container tsm {
      description
        "Transport-based security SNMPv3 parameters type.

         Represents snmpTargetParamsMPModel '3' and
         snmpTargetParamsSecurityModel '4'";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        reference
          "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
      leaf security-level {
        type snmp:security-level;
        mandatory true;
        reference
          "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
      }
    }
  }

  augment /snmp:snmp/snmp:target-params/snmp:params {
    if-feature tsm;
    case tsm {
      uses tsm-target-params;
    }
  }

}

4.12.  Submodule 'ietf-snmp-tls'

file "ietf-snmp-tls.yang"

submodule ietf-snmp-tls {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }
  import ietf-x509-cert-to-name {
    prefix x509c2n;
  }

  include ietf-snmp-common;
  include ietf-snmp-engine;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the Transport Layer Security Transport Model (TLSTM)
     of SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC6353: Transport Layer Security (TLS) Transport Model for
     the Simple Network Management Protocol (SNMP)";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  feature tlstm {
    description
      "A server implements this feature if it supports the
       Transport Layer Security Transport Model for SNMP.";
    reference
      "RFC6353: Transport Layer Security (TLS) Transport Model for
       the Simple Network Management Protocol (SNMP)";
  }

  augment /snmp:snmp/snmp:engine/snmp:listen/snmp:transport {
    if-feature tlstm;
    case tls {
      container tls {
        description
          "A list of IPv4 and IPv6 addresses and ports to which the
           engine listens for SNMP messages over TLS.";

        leaf ip {
          type inet:ip-address;
          mandatory true;
          description
            "The IPv4 or IPv6 address on which the engine listens
             for SNMP messages over TLS.";
        }
        leaf port {
          type inet:port-number;
          description
            "The TCP port on which the engine listens for SNMP
             messages over TLS.

             If the port is not configured, an engine that
             acts as a Command Responder uses port 10161, and
             an engine that acts as a Notification Receiver
             uses port 10162.";
        }
      }
    }
    case dtls {
      container dtls {
        description
          "A list of IPv4 and IPv6 addresses and ports to which the
           engine listens for SNMP messages over DTLS.";

        leaf ip {
          type inet:ip-address;
          mandatory true;
          description
            "The IPv4 or IPv6 address on which the engine listens
             for SNMP messages over DTLS.";
        }
        leaf port {
          type inet:port-number;
          description
            "The UDP port on which the engine listens for SNMP
             messages over DTLS.

             If the port is not configured, an engine that
             acts as a Command Responder uses port 10161, and
             an engine that acts as a Notification Receiver
             uses port 10162.";
        }

      }
    }
  }

  augment /snmp:snmp {
    if-feature tlstm;
    container tlstm {
      uses x509c2n:cert-to-name {
        description
          "Defines how certificates are mapped to names.  The
           resulting name is used as a security name.";
        refine cert-to-name/map-type {
          description
            "Mappings that use the snmpTlstmCertToTSNData column
             need to augment the 'cert-to-name' list
             with additional configuration objects corresponding
             to the snmpTlstmCertToTSNData value.  Such objects
             should use the 'when' statement to make them
             conditional based on the 'map-type'.";
        }
      }
    }
  }

  grouping tls-transport {
    leaf ip {
      type inet:host;
      mandatory true;
      reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                 SNMP-TLS-TM-MIB.SnmpTLSAddress";
    }
    leaf port {
      type inet:port-number;
      default 10161;
      reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                 SNMP-TLS-TM-MIB.SnmpTLSAddress";
    }
    leaf client-fingerprint {
      type x509c2n:tls-fingerprint;
      reference "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint";
    }
    leaf server-fingerprint {
      type x509c2n:tls-fingerprint;
      reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint";
    }
    leaf server-identity {
      type snmp:admin-string;
      reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity";

    }
  }

  augment /snmp:snmp/snmp:target/snmp:transport {
    if-feature tlstm;
    case tls {
      reference "SNMP-TLS-TM-MIB.snmpTLSTCPDomain";
      container tls {
        uses tls-transport;
      }
    }
  }

  augment /snmp:snmp/snmp:target/snmp:transport {
    if-feature tlstm;
    case dtls {
      reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain";
      container dtls {
        uses tls-transport;
      }
    }
  }
}

4.13.  Submodule 'ietf-snmp-ssh'

file "ietf-snmp-ssh.yang"

submodule ietf-snmp-ssh {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }

  include ietf-snmp-common;
  include ietf-snmp-engine;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the Secure Shell Transport Model (SSHTM)
     of SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC5592: Secure Shell Transport Model for the
     Simple Network Management Protocol (SNMP)";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  feature sshtm {
    description
      "A server implements this feature if it supports the
       Secure Shell Transport Model for SNMP.";
    reference
      "RFC5592: Secure Shell Transport Model for the
       Simple Network Management Protocol (SNMP)";
  }

  augment /snmp:snmp/snmp:engine/snmp:listen/snmp:transport {
    if-feature sshtm;
    case ssh {
      container ssh {
        description
          "The IPv4 or IPv6 address and port to which the
           engine listens for SNMP messages over SSH.";

        leaf ip {
          type inet:ip-address;
          mandatory true;
          description
            "The IPv4 or IPv6 address on which the engine listens
             for SNMP messages over SSH.";
        }
        leaf port {
          type inet:port-number;
          description
            "The TCP port on which the engine listens for SNMP
             messages over SSH.

             If the port is not configured, an engine that
             acts as a Command Responder uses port 5161, and
             an engine that acts as a Notification Receiver
             uses port 5162.";
        }
      }
    }
  }

  augment /snmp:snmp/snmp:target/snmp:transport {
    if-feature sshtm;
    case ssh {
      reference "SNMP-SSH-TM-MIB.snmpSSHDomain";
      container ssh {
        leaf ip {
          type inet:host;
          mandatory true;
          reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                     SNMP-SSH-TM-MIB.SnmpSSHAddress";
        }
        leaf port {
          type inet:port-number;
          default 5161;
          reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                     SNMP-SSH-TM-MIB.SnmpSSHAddress";
        }
        leaf username {
          type string;
          reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                     SNMP-SSH-TM-MIB.SnmpSSHAddress";
        }
      }
    }
  }
}

5.  IANA Considerations

This document registers a URI in the IETF XML registry [RFC3688].
Following the format in RFC 3688, the following registration is
requested to be made.

     URI: urn:ietf:params:xml:ns:yang:ietf-snmp

     Registrant Contact: The NETMOD WG of the IETF.

     XML: N/A, the requested URI is an XML namespace.

This document registers the following YANG modules in the YANG Module
Names registry [RFC6020].

     name:         ietf-snmp
     namespace:    urn:ietf:params:xml:ns:yang:ietf-snmp
     prefix:       snmp
     reference:    RFC XXXX

     name:         ietf-x509-cert-to-name
     namespace:    urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name
     prefix:       x509c2n
     reference:    RFC XXXX

The document registers the following YANG submodules in the YANG
Module Names registry [RFC6020].

     name:         ietf-snmp-common
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-engine
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-community
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-notification
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-target
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-vacm
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-usm
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-tsm
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-tls
     parent:       ietf-snmp
     reference:    RFC XXXX

     name:         ietf-snmp-ssh
     parent:       ietf-snmp
     reference:    RFC XXXX

6.  Security Considerations

The YANG module and submodules defined in this memo are designed to
be accessed via the NETCONF protocol [RFC6241].  The lowest NETCONF
layer is the secure transport layer and the mandatory-to-implement
secure transport is SSH [RFC6242].

There are a number of data nodes defined in the YANG module and
submodules which are writable/creatable/deletable (i.e., config true,
which is the default).  These data nodes may be considered sensitive
or vulnerable in some network environments.  Write operations (e.g.,
edit-config) to these data nodes without proper protection can have a
negative effect on network operations.  These are the subtrees and
data nodes and their sensitivity/vulnerability:

o  The /snmp/engine subtree contains the configuration of general
   parameters of an SNMP engine such as the endpoints to listen on,
   the transports and SNMP versions enabled, or the engine's
   identity.  Write access to this subtree should only be granted to
   entities configuring general SNMP engine parameters.

o  The /snmp/target subtree contains the configuration of SNMP
   targets and in particular which transports to use and their
   security parameters.  Write access to this subtree should only be
   granted to the security administrator and entities configuring
   SNMP notification forwarding behavior.

o  The /snmp/notify and /snmp/notify-filter-profile subtrees contain
   the configuration for the SNMP notification forwarding and
   filtering mechanisms.  Write access to these subtrees should only
   be granted to entities configuring SNMP notification forwarding
   behavior.

o  The /snmp/proxy subtree contains the configuration for SNMP
   proxies.  Write access to this subtree should only be granted to
   entities configuring SNMP proxies.

o  The /snmp/community subtree contains the configuration of the
   community-based security model.  Write access to this subtree
   should only be granted to the security administrator.

o  The /snmp/usm subtree contains the configuration of the user-based
   security model.  Write access to this subtree should only be
   granted to the security administrator.

o  The /snmp/tsm subtree contains the configuration of the transport
   layer security model for SNMP.  Write access to this subtree
   should only be granted to the security administrator.

o  The /snmp/tlstm subtree contains the configuration of the SNMP
   transport over (D)TLS and in particular the configuration of how
   certificates are mapped to SNMP security names.  Write access to
   this subtree should only be granted to the security administrator.

o  The /snmp/vacm subtree contains the configuration of the view-
   based access control mechanism used by SNMP to authorize access to
   management information via SNMP.  Write access to this subtree
   should only be granted to the security administrator.

Some of the readable data nodes in the YANG module and submodules may
be considered sensitive or vulnerable in some network environments.
It is thus important to control read access (e.g., via get, get-
config, or notification) to these data nodes.  These are the subtrees
and data nodes and their sensitivity/vulnerability:

o  The /snmp/engine subtree exposes general information about an SNMP
   engine such as which version(s) of SNMP are enabled or which
   transports are enabled.

o  The /snmp/target subtree exposes which transports are used to
   reach certain SNMP targets and which transport-specific parameters
   are used.

o  The /snmp/notify and /snmp/notify-filter-profile subtrees expose
   how notifications are filtered and forwarded to notification
   targets.

o  The /snmp/proxy subtree exposes information about proxy
   relationships.

o  The /snmp/community, /snmp/usm, /snmp/tsm, /snmp/tlstm, and
   /snmp/vacm subtrees are specifically sensitive since they expose
   information about the authentication and authorization policy used
   by an SNMP engine.

Changes to the SNMP access control rules should either be made
atomically (through a single edit-config or a single commit) or be
applied in a sequence that does not temporarily open access to
resources.
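The VACM rule that a (security-name, security-model) pair MUST NOT belong to more than one group, the view names referenced from the access list, and the USM rule that privacy requires authentication are exactly the consistency checks worth running on a candidate configuration before it is committed, since a slip here is what opens access temporarily or locks an administrator out. The following checker is an added example and not part of the draft: it parses a constructed ietf-snmp instance document with ElementTree, using the node names from the modules above, and assumes the security-model value "usm" and the security-level values "auth-priv" and "auth-no-priv" from the common submodule, which this section does not reproduce.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace registered for ietf-snmp in the IANA Considerations section.
NS = "urn:ietf:params:xml:ns:yang:ietf-snmp"

# Constructed sample instance document (not taken from the draft).  It has
# three deliberate problems: 'matt'/usm is a member of two groups, group
# 'readers' references an undefined view 'mib2', and user 'russ' carries a
# privacy key without an authentication key.  The enumeration values "usm",
# "auth-priv" and "auth-no-priv" are assumed from the common submodule.
SAMPLE_CONFIG = """
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <vacm>
    <group>
      <name>admin</name>
      <member><security-name>matt</security-name><security-model>usm</security-model></member>
      <access>
        <context></context>
        <security-model>usm</security-model>
        <security-level>auth-priv</security-level>
        <read-view>internet</read-view>
        <write-view>internet</write-view>
      </access>
    </group>
    <group>
      <name>readers</name>
      <member><security-name>matt</security-name><security-model>usm</security-model></member>
      <access>
        <context></context>
        <security-model>usm</security-model>
        <security-level>auth-no-priv</security-level>
        <read-view>mib2</read-view>
      </access>
    </group>
    <view><name>internet</name><include>1.3.6.1</include></view>
  </vacm>
  <usm>
    <local>
      <user><name>joey</name></user>
      <user><name>russ</name><priv><aes><key>00:11:22:33</key></aes></priv></user>
    </local>
  </usm>
</snmp>
"""


def _q(tag):
    """Qualify a node name with the ietf-snmp namespace (Clark notation)."""
    return "{%s}%s" % (NS, tag)


def _text(elem, tag):
    """Text of the child leaf 'tag', or None when the leaf is absent."""
    child = elem.find(_q(tag))
    return child.text if child is not None else None


def check_vacm_members(snmp):
    """A (security-name, security-model) pair MUST NOT be in more than one group."""
    groups_of = defaultdict(list)
    for group in snmp.iterfind(_q("vacm") + "/" + _q("group")):
        for member in group.iterfind(_q("member")):
            for model in member.iterfind(_q("security-model")):
                key = (_text(member, "security-name"), model.text)
                groups_of[key].append(_text(group, "name"))
    return ["member %s/%s is in groups %s" % (name, model, groups)
            for (name, model), groups in sorted(groups_of.items())
            if len(groups) > 1]


def check_view_references(snmp):
    """Every read-view, write-view and notify-view must name a defined view."""
    views = {_text(v, "name") for v in snmp.iterfind(_q("vacm") + "/" + _q("view"))}
    problems = []
    for group in snmp.iterfind(_q("vacm") + "/" + _q("group")):
        for access in group.iterfind(_q("access")):
            for leaf in ("read-view", "write-view", "notify-view"):
                view = _text(access, leaf)
                if view is not None and view not in views:
                    problems.append("group %s: %s '%s' is not a defined view"
                                    % (_text(group, "name"), leaf, view))
    return problems


def check_usm_priv_requires_auth(snmp):
    """Mirror the YANG 'must \"../auth\"' constraint on the priv container."""
    return ["usm user %s: privacy configured without authentication"
            % _text(user, "name")
            for user in snmp.iter(_q("user"))
            if user.find(_q("priv")) is not None and user.find(_q("auth")) is None]


def check_config(xml_text):
    """Parse an ietf-snmp instance document and return every violation found."""
    snmp = ET.fromstring(xml_text)
    return (check_vacm_members(snmp) + check_view_references(snmp)
            + check_usm_priv_requires_auth(snmp))
```

Running `check_config(SAMPLE_CONFIG)` returns the three violations; a document that passes all three checks returns an empty list.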
Implementations supporting SNMP 3215 write access must ensure that any SNMP access control rule changes 3216 over NETCONF are atomic as well to the SNMP instrumentation. In 3217 particular changes involving an internal delete/create cycle (e.g., 3218 to move a user to a different group) must be done with sufficient 3219 protections such that even a power fail immediately after the delete 3220 does not leave the administrator locked out. 3222 Security administrators need to ensure that NETCONF access control 3223 rules and SNMP access control rules implement a consistent security 3224 policy. Specifically, the SNMP access control rules should prevent 3225 accidental leakage of sensitive security parameters such as community 3226 strings. See the Security Considerations section of [RFC3584] for 3227 further details. 3229 7. Acknowledgments 3231 The authors want to thank Wes Hardaker and David Spakes for their 3232 detailed reviews. Additional valuable comments were provided by 3233 David Harrington, Borislav Lukovic and Randy Presuhn. 3235 Juergen Schoenwaelder was partly funded by Flamingo, a Network of 3236 Excellence project (ICT-318488) supported by the European Commission 3237 under its Seventh Framework Programme. 3239 8. References 3241 8.1. Normative References 3243 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 3244 Requirement Levels", BCP 14, RFC 2119, March 1997. 3246 [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the 3247 Network Configuration Protocol (NETCONF)", RFC 6020, 3248 October 2010. 3250 [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. 3251 Bierman, "Network Configuration Protocol (NETCONF)", RFC 3252 6241, June 2011. 3254 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure 3255 Shell (SSH)", RFC 6242, June 2011. 3257 [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration 3258 Protocol (NETCONF) Access Control Model", RFC 6536, March 3259 2012. 
   [RFC6991]  Schoenwaelder, J., "Common YANG Data Types", RFC 6991,
              July 2013.

8.2.  Informative References

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412,
              December 2002.

   [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62,
              RFC 3413, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415,
              December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC3584]  Frye, R., Levi, D., Routhier, S., and B. Wijnen,
              "Coexistence between Version 1, Version 2, and Version 3
              of the Internet-standard Network Management Framework",
              BCP 74, RFC 3584, August 2003.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)",
              RFC 5591, June 2009.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, June 2009.
   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              RFC 6353, July 2011.

   [RFC6643]  Schoenwaelder, J., "Translation of Structure of Management
              Information Version 2 (SMIv2) MIB Modules to YANG
              Modules", RFC 6643, July 2012.

Appendix A.  Example configurations

A.1.  Engine Configuration Example

   Below is an XML instance document showing a configuration of an SNMP
   engine listening on UDP port 161 on IPv4 and IPv6 endpoints and
   accepting SNMPv2c and SNMPv3 messages.

   [The element markup of this XML instance document was lost in
   extraction; only the element values survive, listed in document
   order:]

      true
      all-ipv4-udp
      0.0.0.0
      161
      all-ipv6-udp
      ::
      161
      80:00:02:b8:04:61:62:63

A.2.  Community Configuration Example

   Below is an XML instance document showing a configuration that maps
   the community name "public" to the security-name "community-public"
   on the local engine with the default context name.  The target tag
   "community-public-access" filters the access to this community name.

   [Element markup lost in extraction; surviving element values in
   document order:]

      1
      public
      community-public
      community-public-access
      management-station
      2001:db8::abcd
      161
      blue
      community-public-access
      v2c-public
      v2c-public
      community-public

A.3.  User-based Security Model Configuration Example

   Below is an XML instance document showing the configuration of a
   local user "joey" who has no authentication or privacy keys.  For the
   remote SNMP engine identified by the snmpEngineID
   '800002b804616263'H, two users are configured.  The user "matt" has a
   localized SHA authentication key and the user "russ" has a localized
   SHA authentication key and an AES encryption key.
   [Element markup lost in extraction; surviving element values in
   document order:]

      joey
      00:00:00:00:00:00:00:00:00:00:00:02
      matt
      66:95:fe:bc:92:88:e3:62:82:23:
      5f:c7:15:1f:12:84:97:b3:8f:3f
      russ
      66:95:fe:bc:92:88:e3:62:82:23:
      5f:c7:15:1f:12:84:97:b3:8f:3f
      66:95:fe:bc:92:88:e3:62:82:23:
      5f:c7:15:1f:12:84
      bluebox
      2001:db8::abcd
      161
      blue
      matt-auth
      matt-auth
      matt
      auth-no-priv

A.4.  Target and Notification Configuration Example

   Below is an XML instance document showing the configuration of a
   notification generator application (see Appendix A of [RFC3413]).

   Note that the USM-specific objects are defined in the
   ietf-snmp-usm.yang submodule.

   [Element markup lost in extraction; surviving element values in
   document order:]

      addr1
      192.0.2.3
      162
      group1
      joe-auth
      addr2
      192.0.2.6
      162
      group1
      joe-auth
      addr3
      192.0.2.9
      162
      group2
      bob-priv
      joe-auth
      joe
      auth-no-priv
      bob-priv
      bob
      auth-priv
      group1
      group1
      trap
      group2
      group2
      trap

A.5.  Proxy Configuration Example

   Below is an XML instance document showing the configuration of a
   proxy forwarder application.  It proxies SNMPv2c messages from
   command generators to a file server running an SNMPv1 agent that
   recognizes two community strings, "private" and "public", with
   different associated read views.  The file server is represented as
   two "target" instances.
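   The decision procedure this proxy configuration encodes (source
   address and incoming community string select a community entry and
   thus a context; the context selects a proxy entry; the proxy entry's
   target selects the outbound target-params and community), as an added
   Python model that is not part of the draft, with tables constructed to
   mirror the instance document of this appendix; the assumptions it
   makes about defaults and lookup order are stated in the block:

```python
"""Added example (not from the draft): the lookups the proxy configured in
this appendix performs, over tables constructed to mirror it.  Assumed: an
entry's community string is its 'name' (defaulting to 'security-name'),
SNMPv2c requests use target-params 'v2c-public', and index-order search."""
import ipaddress
ENGINE = "80:00:61:81:c8"
TARGETS = {  # name -> (address or prefix, tags, target-params)
    "File Server (private)": ("192.0.2.1", set(), "v1-private"),
    "File Server (public)": ("192.0.2.1", set(), "v1-public"),
    "Office Network": ("192.0.2.0/24", {"office"}, "none"),
    "Home Office Network": ("203.0.113.0/24", {"home-office"}, "none"),
}
TARGET_PARAMS = {"v1-private": "private", "v1-public": "public",
                 "v2c-public": "public"}  # name -> security-name
COMMUNITIES = [  # (index, community string, security-name, context, target-tag)
    ("c1", "public", "public", "trusted", "office"),
    ("c2", "public", "public", "trusted", "home-office"),
    ("c3", "public", "public", "not-trusted", None),
    ("c4", "backdoor", "public", "trusted", None),
    ("c5", "private", "private", "trusted", None),
]
PROXIES = [  # (name, type, context-engine-id, context-name, params-in, target-out)
    ("p1", "read", ENGINE, "trusted", "v2c-public", "File Server (private)"),
    ("p2", "read", ENGINE, "not-trusted", "v2c-public", "File Server (public)"),
]

def source_has_tag(src_ip, tag):
    """True if src_ip falls inside any target carrying the given tag."""
    ip = ipaddress.ip_address(src_ip)
    return any(tag in tags and ip in ipaddress.ip_network(addr, strict=False)
               for addr, tags, _params in TARGETS.values())

def inbound_context(src_ip, community):
    """Map an incoming (source address, community string) to its context."""
    for _idx, name, _sec, ctx, tag in COMMUNITIES:
        if name == community and (tag is None or source_has_tag(src_ip, tag)):
            return ctx
    return None  # unknown community: the message is discarded

def forward(src_ip, community, params_in="v2c-public"):
    """Return (proxy entry, outbound target, outbound community), or None."""
    ctx = inbound_context(src_ip, community)
    for pname, ptype, eng, pctx, pin, out in PROXIES:
        if (ptype, eng, pctx, pin) == ("read", ENGINE, ctx, params_in):
            sec_name = TARGET_PARAMS[TARGETS[out][2]]   # via the target's params
            out_comm = next(n for _i, n, s, c, _t in COMMUNITIES
                            if (s, c) == (sec_name, ctx))
            return pname, out, out_comm
    return None  # no proxy entry matches: the request is not forwarded
```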
   If the proxy receives an SNMPv2c message with the community string
   "public" from a device in the "Office Network" or "Home Office
   Network", it gets tagged as "trusted", and the proxy uses the
   "private" community string when sending the message to the file
   server.  Other SNMPv2c messages with the community string "public"
   get tagged as "non-trusted", and the proxy uses the "public"
   community string for these messages.  There is also a special
   "backdoor" community string that can be used from any location to get
   "trusted" access.

   The "Office Network" and "Home Office Network" are represented as two
   "target" instances.  These "target" instances have target-params
   "none", which refers to a non-existing target-params entry.

   [Element markup lost in extraction; surviving element values in
   document order:]

      File Server (private)
      192.0.2.1
      v1-private
      File Server (public)
      192.0.2.1
      v1-public
      Office Network
      192.0.2.0
      24
      office
      none
      Home Office Network
      203.0.113.0
      24
      home-office
      none
      v1-private
      private
      v1-public
      public
      v2c-public
      public
      c1
      public
      80:00:61:81:c8
      trusted
      office
      c2
      public
      80:00:61:81:c8
      trusted
      home-office
      c3
      public
      80:00:61:81:c8
      not-trusted
      c4
      backdoor
      public
      80:00:61:81:c8
      trusted
      c5
      private
      80:00:61:81:c8
      trusted
      p1
      read
      80:00:61:81:c8
      trusted
      v2c-public
      File Server (private)
      p2
      read
      80:00:61:81:c8
      not-trusted
      v2c-public
      File Server (public)

   If an SNMPv2c Get request with community string "public" is received
   from an IP address tagged as "office" or "home-office", or if the
   request is received from anywhere else with community string
   "backdoor", the implied context is "trusted" and so proxy entry "p1"
   matches.  The request is forwarded to the file server as SNMPv1 with
   community "private" using community table entry "c5" for outbound
   params lookup.

   If an SNMPv2c Get request with community string "public" is received
   from any other IP address, the implied context is "not-trusted" so
   proxy entry "p2" matches, and the request is forwarded to the file
   server as SNMPv1 with community "public".

A.6.  View-based Access Control Model Configuration Example

   Below is an XML instance document showing the minimum-secure VACM
   configuration (see Appendix A of [RFC3415]).

   [Element markup lost in extraction; surviving element values in
   document order:]

      initial
      initial
      usm
      usm
      no-auth-no-priv
      restricted
      restricted
      usm
      auth-no-priv
      internet
      internet
      internet
      initial
      1.3.6.1
      restricted
      1.3.6.1

   The following XML instance document shows the semi-secure VACM
   configuration (only the view configuration is different).

   [Element markup lost in extraction; surviving element values in
   document order:]

      initial
      initial
      usm
      usm
      no-auth-no-priv
      restricted
      restricted
      usm
      auth-no-priv
      internet
      internet
      internet
      initial
      1.3.6.1
      restricted
      1.3.6.1.2.1.1
      1.3.6.1.2.1.11
      1.3.6.1.6.3.10.2.1
      1.3.6.1.6.3.11.2.1
      1.3.6.1.6.3.15.1.1

A.7.  Transport Layer Security Transport Model Configuration Example

   Below is an XML instance document showing the configuration of the
   certificate to security name mapping (see Appendix A.2 and A.3 of
   [RFC6353]).
   [Element markup lost in extraction; surviving element values in
   document order:]

      1
      11:0A:05:11:00
      x509c2n:san-any
      2
      11:0A:05:11:00
      x509c2n:specified
      Joe Cool

Authors' Addresses

   Martin Bjorklund
   Tail-f Systems

   Email: mbj@tail-f.com

   Juergen Schoenwaelder
   Jacobs University

   Email: j.schoenwaelder@jacobs-university.de