Network Working Group                                       M. Bjorklund
Internet-Draft                                            Tail-f Systems
Intended status: Standards Track                        J. Schoenwaelder
Expires: February 14, 2015                             Jacobs University
                                                         August 13, 2014


               A YANG Data Model for SNMP Configuration
                      draft-ietf-netmod-snmp-cfg-07

Abstract

   This document defines a collection of YANG definitions for
   configuring SNMP engines.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 14, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Data Model
     2.1.  Tree Diagrams
     2.2.  General Considerations
     2.3.  Common Definitions
     2.4.  Engine Configuration
     2.5.  Target Configuration
     2.6.  Notification Configuration
     2.7.  Proxy Configuration
     2.8.  Community Configuration
     2.9.  View-based Access Control Model Configuration
     2.10. User-based Security Model Configuration
     2.11. Transport Security Model Configuration
     2.12. Transport Layer Security Transport Model Configuration
     2.13. Secure Shell Transport Model Configuration
   3.  Implementation Guidelines
     3.1.  Supporting read-only SNMP Access
     3.2.  Supporting read-write SNMP access
   4.  Definitions
     4.1.  Module 'ietf-x509-cert-to-name'
     4.2.  Module 'ietf-snmp'
     4.3.  Submodule 'ietf-snmp-common'
     4.4.  Submodule 'ietf-snmp-engine'
     4.5.  Submodule 'ietf-snmp-target'
     4.6.  Submodule 'ietf-snmp-notification'
     4.7.  Submodule 'ietf-snmp-proxy'
     4.8.  Submodule 'ietf-snmp-community'
     4.9.  Submodule 'ietf-snmp-vacm'
     4.10. Submodule 'ietf-snmp-usm'
     4.11. Submodule 'ietf-snmp-tsm'
     4.12. Submodule 'ietf-snmp-tls'
     4.13. Submodule 'ietf-snmp-ssh'
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Example configurations
     A.1.  Engine Configuration Example
     A.2.  Community Configuration Example
     A.3.  User-based Security Model Configuration Example
     A.4.  Target and Notification Configuration Example
     A.5.  Proxy Configuration Example
     A.6.  View-based Access Control Model Configuration Example
     A.7.  Transport Layer Security Transport Model Configuration Example
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020] data model for the
   configuration of SNMP engines.  The configuration model is consistent
   with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413],
   [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591], [RFC5592], and
   [RFC6353] but takes advantage of YANG's ability to define
   hierarchical configuration data models.

   The configuration data model in particular has been designed for SNMP
   deployments where SNMP runs in read-only mode and NETCONF is used to
   configure the SNMP agent.  Nevertheless, the data model allows
   implementations that support write access both via SNMP and NETCONF
   in order to interwork with SNMP-managed management applications
   manipulating SNMP agent configuration using SNMP.  Further details
   can be found in Section 3.
   The YANG data model focuses on configuration.  Operational state
   objects are not explicitly modeled.  The operational state of an
   SNMP agent can either be accessed directly via SNMP or,
   alternatively, via NETCONF using the read-only translation of the
   relevant SNMP MIB modules into YANG modules [RFC6643].

   This document also defines a YANG data model for mapping an X.509
   certificate to a name.

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14, [RFC2119].

2.  Data Model

   In order to preserve the modularity of SNMP, the YANG configuration
   data model is organized in a set of YANG submodules, all sharing the
   same module namespace.  This allows adding configuration support for
   additional SNMP features while keeping the number of namespaces that
   have to be dealt with down to a minimum.

2.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is as
   follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!"
      means a presence container, and "*" denotes a list and leaf-list.

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.2.  General Considerations

   Most YANG nodes are mapped 1-1 to the corresponding MIB object.  The
   "reference" statement is used to indicate which corresponding MIB
   object the YANG node is mapped to.  When there is not a simple 1-1
   mapping, the "description" statement explains the mapping.
   The persistency models in SNMP and NETCONF are quite different.  In
   NETCONF, the persistency is defined by the datastore, whereas in SNMP
   it is defined either explicitly in the data model, or on a row-by-row
   basis by using the TEXTUAL-CONVENTION "StorageType".  Thus, in the
   YANG model defined here, the "StorageType" columns are not present.
   For implementation guidelines, see Section 3.

   In SNMP, row creation and deletion are controlled by using the
   TEXTUAL-CONVENTION "RowStatus".  In NETCONF, creation and deletion
   are handled by the protocol, not in the data model.  Thus, in the
   YANG model defined here, the "RowStatus" columns are not present.

2.3.  Common Definitions

   The submodule "ietf-snmp-common" defines a set of common typedefs and
   the top-level container "snmp".  All configuration parameters defined
   in the other submodules are organized under this top-level container.

2.4.  Engine Configuration

   The submodule "ietf-snmp-engine", which defines configuration
   parameters that are specific to SNMP engines, has the following
   structure:

   +--rw snmp
      +--rw engine
         +--rw enabled?               boolean
         +--rw listen* [name]
         |  +--rw name         snmp:identifier
         |  +--rw (transport)
         |     +--:(udp)
         |        +--rw udp
         |           +--rw ip      inet:ip-address
         |           +--rw port?   inet:port-number
         +--rw version
         |  +--rw v1?    empty
         |  +--rw v2c?   empty
         |  +--rw v3?    empty
         +--rw engine-id?             snmp:engine-id
         +--rw enable-authen-traps?   boolean

   The leaf "/snmp/engine/enabled" can be used to enable/disable an SNMP
   engine.

   The list "/snmp/engine/listen" provides configuration of the
   transport endpoints the engine is listening to.  In this submodule,
   SNMP over UDP is defined.  SSH, TLS and Datagram Transport Layer
   Security (DTLS) are also supported, defined in "ietf-snmp-ssh"
   (Section 2.13) and "ietf-snmp-tls" (Section 2.12), respectively.  The
   "transport" choice is expected to be augmented for other transports.

   The "/snmp/engine/version" container can be used to enable/disable
   the different message processing models [RFC3411].

2.5.  Target Configuration

   The submodule "ietf-snmp-target", which defines configuration
   parameters that correspond to the objects in SNMP-TARGET-MIB, has the
   following structure:

   +--rw snmp
      +--rw target* [name]
      |  +--rw name             snmp:identifier
      |  +--rw (transport)
      |  |  +--:(udp)
      |  |     +--rw udp
      |  |        +--rw ip               inet:ip-address
      |  |        +--rw port?            inet:port-number
      |  |        +--rw prefix-length?   uint8
      |  +--rw tag*             snmp:identifier
      |  +--rw timeout?         uint32
      |  +--rw retries?         uint8
      |  +--rw target-params    snmp:identifier
      +--rw target-params* [name]
         +--rw name        snmp:identifier
         +--rw (params)?

   An entry in the list "/snmp/target" corresponds to an
   "snmpTargetAddrEntry".

   The "snmpTargetAddrTDomain" and "snmpTargetAddrTAddress" objects are
   mapped to transport-specific YANG nodes.  Each transport is
   configured as a separate case in the "transport" choice.  In this
   submodule, SNMP over UDP is defined.  TLS and DTLS are also
   supported, defined in "ietf-snmp-tls" (Section 2.12).  The
   "transport" choice is expected to be augmented for other transports.

   An entry in the list "/snmp/target-params" corresponds to an
   "snmpTargetParamsEntry".  This list contains a choice "params", which
   is augmented by security model specific submodules, currently
   "ietf-snmp-community" (Section 2.8), "ietf-snmp-usm" (Section 2.10),
   and "ietf-snmp-tls" (Section 2.12).

2.6.  Notification Configuration

   The submodule "ietf-snmp-notification", which defines configuration
   parameters that correspond to the objects in SNMP-NOTIFICATION-MIB,
   has the following structure:

   +--rw snmp
      +--rw notify* [name]
      |  +--rw name    snmp:identifier
      |  +--rw tag     snmp:identifier
      |  +--rw type?   enumeration
      +--rw notify-filter-profile* [name]
         +--rw name       snmp:identifier
         +--rw include*   snmp:wildcard-object-identifier
         +--rw exclude*   snmp:wildcard-object-identifier

   It also augments the "target-params" list defined in the
   "ietf-snmp-target" submodule (Section 2.5) with one leaf:

   +--rw snmp
      +--rw target-params* [name]
         ...
         +--rw notify-filter-profile?   leafref

   An entry in the list "/snmp/notify" corresponds to an
   "snmpNotifyEntry".

   An entry in the list "/snmp/notify-filter-profile" corresponds to an
   "snmpNotifyFilterProfileEntry".  In the MIB, there is a sparse
   relationship between "snmpTargetParamsTable" and
   "snmpNotifyFilterProfileTable".  In the YANG model, this sparse
   relationship is represented with a leafref leaf
   "notify-filter-profile" in the "/snmp/target-params" list, which
   refers to an entry in the "/snmp/notify-filter-profile" list.

   The "snmpNotifyFilterTable" is represented as a list "filter" within
   the "/snmp/notify-filter-profile" list.

   This submodule defines the feature "notification-filter".  A server
   implements this feature if it supports SNMP notification filtering
   [RFC3413].

2.7.  Proxy Configuration

   The submodule "ietf-snmp-proxy", which defines configuration
   parameters that correspond to the objects in SNMP-PROXY-MIB, has the
   following structure:

   +--rw snmp
      +--rw proxy* [name]
         +--rw name                   snmp:identifier
         +--rw type                   enumeration
         +--rw context-engine-id      snmp:engine-id
         +--rw context-name?          snmp:context-name
         +--rw target-params-in?      snmp:identifier
         +--rw single-target-out?     snmp:identifier
         +--rw multiple-target-out?   snmp:identifier

   An entry in the list "/snmp/proxy" corresponds to an
   "snmpProxyEntry".

   This submodule defines the feature "proxy".  A server implements this
   feature if it can act as an SNMP Proxy [RFC3413].

2.8.  Community Configuration

   The submodule "ietf-snmp-community", which defines configuration
   parameters that correspond to the objects in SNMP-COMMUNITY-MIB, has
   the following structure:

   +--rw snmp
      +--rw community* [index]
         +--rw index            snmp:identifier
         +--rw (name)?
         |  +--:(text-name)
         |  |  +--rw text-name?     string
         |  +--:(binary-name)
         |     +--rw binary-name?   binary
         +--rw security-name    snmp:security-name
         +--rw engine-id?       snmp:engine-id
         +--rw context?         snmp:context-name
         +--rw target-tag?      snmp:identifier

   It also augments the "/snmp/target-params/params" choice with nodes
   for the Community-Based Security Model used by SNMPv1 and SNMPv2c:

   +--rw snmp
      +--rw target-params* [name]
      |  ...
      |  +--rw (params)?
      |     +--:(v1)
      |     |  +--rw v1
      |     |     +--rw security-name    snmp:security-name
      |     +--:(v2c)
      |        +--rw v2c
      |           +--rw security-name    snmp:security-name
      +--rw target* [name]
         +--rw mms?   union

   An entry in the list "/snmp/community" corresponds to an
   "snmpCommunityEntry".

   When a case "v1" or "v2c" is chosen, it implies a
   snmpTargetParamsMPModel 0 (SNMPv1) or 1 (SNMPv2), and a
   snmpTargetParamsSecurityModel 1 (SNMPv1) or 2 (SNMPv2), respectively.
   Both cases imply a snmpTargetParamsSecurityLevel of noAuthNoPriv.

2.9.  View-based Access Control Model Configuration

   The submodule "ietf-snmp-vacm", which defines configuration
   parameters that correspond to the objects in SNMP-VIEW-BASED-ACM-MIB,
   has the following structure:

   +--rw snmp
      +--rw vacm
         +--rw group* [name]
         |  +--rw name      group-name
         |  +--rw member* [security-name]
         |  |  +--rw security-name     snmp:security-name
         |  |  +--rw security-model*   snmp:security-model
         |  +--rw access* [context security-model security-level]
         |     +--rw context           snmp:context-name
         |     +--rw context-match?    enumeration
         |     +--rw security-model    snmp:security-model-or-any
         |     +--rw security-level    snmp:security-level
         |     +--rw read-view?        view-name
         |     +--rw write-view?       view-name
         |     +--rw notify-view?      view-name
         +--rw view* [name]
            +--rw name       view-name
            +--rw include*   snmp:wildcard-object-identifier
            +--rw exclude*   snmp:wildcard-object-identifier

   The "vacmSecurityToGroupTable" and "vacmAccessTable" are mapped to a
   structure of nested lists in the YANG model.  Groups are defined in
   the list "/snmp/vacm/group" and for each group there is a sublist
   "member" that maps to "vacmSecurityToGroupTable", and a sublist
   "access" that maps to "vacmAccessTable".

   MIB views are defined in the list "/snmp/vacm/view" and for each MIB
   view there is a leaf-list of included subtree families and a leaf-
   list of excluded subtree families.  This is more compact and thus a
   more readable representation of the "vacmViewTreeFamilyTable".

2.10.  User-based Security Model Configuration

   The submodule "ietf-snmp-usm", which defines configuration parameters
   that correspond to the objects in SNMP-USER-BASED-SM-MIB, has the
   following structure:

   +--rw snmp
      +--rw usm
         +--rw local
         |  +--rw user* [name]
         |     +-- {common user params}
         +--rw remote* [engine-id]
            +--rw engine-id   snmp:engine-id
            +--rw user* [name]
               +-- {common user params}

   The "{common user params}" are:

   +--rw name     snmp:identifier
   +--rw auth!
   |  +--rw (protocol)
   |     +--:(md5)
   |     |  +--rw md5
   |     |     +--rw key    yang:hex-string
   |     +--:(sha)
   |        +--rw sha
   |           +--rw key    yang:hex-string
   +--rw priv!
      +--rw (protocol)
         +--:(des)
         |  +--rw des
         |     +--rw key    yang:hex-string
         +--:(aes)
            +--rw aes
               +--rw key    yang:hex-string

   It also augments the "/snmp/target-params/params" choice with nodes
   for the SNMP User-based Security Model.

   +--rw snmp
      +--rw target-params* [name]
         ...
         +--rw (params)?
            +--:(usm)
               +--rw usm
                  +--rw user-name        snmp:security-name
                  +--rw security-level   security-level

   In the MIB, there is a single table with local and remote users,
   indexed by the engine id and user name.  In the YANG model, there is
   one list of local users, and a nested list of remote users.

   In the MIB, there are several objects related to changing the
   authentication and privacy keys.  These objects are not present in
   the YANG model.  However, the localized key can be changed.  This
   implies that if the engine id is changed, all users' keys need to be
   changed as well.

2.11.  Transport Security Model Configuration

   The submodule "ietf-snmp-tsm", which defines configuration parameters
   that correspond to the objects in SNMP-TSM-MIB, has the following
   structure:

   +--rw snmp
      +--rw tsm
         +--rw use-prefix?   boolean

   It also augments the "/snmp/target-params/params" choice with nodes
   for the SNMP Transport Security Model.

   +--rw snmp
      +--rw target-params* [name]
         ...
         +--rw (params)?
            +--:(tsm)
               +--rw tsm
                  +--rw security-name    snmp:security-name
                  +--rw security-level   security-level

   This submodule defines the feature "tsm".  A server implements this
   feature if it supports the Transport Security Model (tsm) [RFC5591].

2.12.  Transport Layer Security Transport Model Configuration

   The submodule "ietf-snmp-tls", which defines configuration parameters
   that correspond to the objects in SNMP-TLS-TM-MIB, has the following
   structure:

   +--rw snmp
      ...
      +--rw target* [name]
      |  ...
      |  +--rw (transport)
      |     ...
      |     +--:(tls)
      |     |  +--rw tls
      |     |     +-- {common (d)tls transport params}
      |     +--:(dtls)
      |        +--rw dtls
      |           +-- {common (d)tls transport params}
      +--rw tlstm
         +--rw cert-to-name* [id]
            +--rw id             uint32
            +--rw fingerprint    x509c2n:tls-fingerprint
            +--rw map-type       identityref
            +--rw name           string

   The "{common (d)tls transport params}" are:

   +--rw ip?                   inet:host
   +--rw port?                 inet:port-number
   +--rw client-fingerprint?   x509c2n:tls-fingerprint
   +--rw server-fingerprint?   x509c2n:tls-fingerprint
   +--rw server-identity?      snmp:admin-string

   It also augments the "/snmp/engine/listen/transport" choice with
   objects for the (D)TLS transport endpoints:

   +--rw snmp
      +--rw engine
         ...
         +--rw listen* [name]
            ...
            +--rw (transport)
               ...
               +--:(tls)
               |  +--rw tls
               |     +--rw ip      inet:ip-address
               |     +--rw port?   inet:port-number
               +--:(dtls)
                  +--rw dtls
                     +--rw ip      inet:ip-address
                     +--rw port?   inet:port-number

   This submodule defines the feature "tlstm".  A server implements this
   feature if it supports the Transport Layer Security (TLS) Transport
   Model (tlstm) [RFC6353].

2.13.  Secure Shell Transport Model Configuration

   The submodule "ietf-snmp-ssh", which defines configuration parameters
   that correspond to the objects in SNMP-SSH-TM-MIB, has the following
   structure:

   +--rw snmp
      ...
      +--rw target* [name]
         ...
         +--rw (transport)
            ...
            +--:(ssh)
               +--rw ssh
                  +--rw ip          inet:host
                  +--rw port?       inet:port-number
                  +--rw username?   string

   It also augments the "/snmp/engine/listen/transport" choice with
   objects for the SSH transport endpoints:

   +--rw snmp
      +--rw engine
         ...
         +--rw listen* [name]
            ...
            +--rw (transport)
               ...
               +--:(ssh)
                  +--rw ssh
                     +--rw ip          inet:host
                     +--rw port?       inet:port-number
                     +--rw username?   string

   This submodule defines the feature "sshtm".  A server implements this
   feature if it supports the Secure Shell (SSH) Transport Model (sshtm)
   [RFC5592].

3.  Implementation Guidelines

   This section describes some challenges for implementations that
   support both the YANG models defined in this document, and either
   read-write or read-only SNMP access to the same data, using the
   standard MIB modules.

   As described in Section 2.2, the persistency models in NETCONF and
   SNMP are quite different.  This poses a challenge for an
   implementation to support both NETCONF and SNMP access to the same
   data, in particular if the data is writable over both protocols.
   Specifically, the configuration data may exist in some combination of
   the three NETCONF configuration datastores, and this data must be
   mapped to rows in the SNMP tables, in some SNMP contexts, with proper
   values for the StorageType columns.

   This problem is not new; it has been handled in many implementations
   that support configuration of the SNMP engine over a command line
   interface (CLI), which normally have a persistency model similar to
   NETCONF.

   Since there is not one solution that works for all cases, this
   document does not provide a recommended solution.  Instead some of
   the challenges involved are described below.

3.1.  Supporting read-only SNMP Access

   If a device implements only :writable-running, it is trivial to map
   the contents of "running" to data in the SNMP tables, where all
   instances of the StorageType columns have the value "nonVolatile".

   If a device implements :candidate, but not :startup, the
   implementation may choose to not expose the contents of the
   "candidate" datastore over SNMP, and map the contents of "running" as
   described above.  As an option, the contents of "candidate" might be
   accessible in a separate SNMP context.

   If a device implements :startup, the handling of StorageType becomes
   more difficult.  Since the contents of "running" and "startup" might
   differ, data in running cannot automatically be mapped to instances
   with StorageType "nonVolatile".  If a particular entry exists in
   "running" but not in "startup", its StorageType should be "volatile".
   If a particular entry exists in "startup", but not "running", it
   should not be mapped to an SNMP instance, at least not in the default
   SNMP context.

3.2.  Supporting read-write SNMP access

   If the implementation supports read-write access to data over SNMP,
   and specifically creation of table rows, special attention has to be
   given to the handling of the RowStatus and StorageType columns.  The
   problem is to determine which table rows to store in the
   configuration datastores, and which configuration datastore is
   appropriate for each row.

   The SNMP tables contain a mix of configured data and operational
   state, and only rows with an "active" RowStatus column should be
   stored in a configuration datastore.

   If a device implements only :writable-running, "active" rows with a
   "nonVolatile" StorageType column can be stored in "running".  Rows
   with a "volatile" StorageType column are operational state.

   If a device implements :candidate, but not :writable-running, all
   configuration changes typically go through the "candidate", even if
   they are done over SNMP.  An implementation might have to perform
   some automatic commit of the "candidate" when data is written over
   SNMP, since there is no explicit "commit" operation in SNMP.

   If a device implements :startup, "nonVolatile" rows cannot just be
   written to "running", they must also be copied into "startup".
   "volatile" rows may be treated as operational state and not copied to
   any datastore, or copied into "running".
   Cooperating SNMP management applications may use spin lock objects
   (snmpTargetSpinLock [RFC3413], usmUserSpinLock [RFC3414],
   vacmViewSpinLock [RFC3415]) to coordinate concurrent write requests.
   Implementations supporting modifications of MIB objects protected by
   a spin lock via NETCONF should ensure that the spin lock objects are
   properly incremented whenever objects are changed via NETCONF.  This
   allows cooperating SNMP management applications to discover that
   concurrent modifications are taking place.

4.  Definitions

4.1.  Module 'ietf-x509-cert-to-name'

   This YANG module imports typedefs from [RFC6991].

   <CODE BEGINS> file "ietf-x509-cert-to-name.yang"

   module ietf-x509-cert-to-name {

     namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name";
     prefix x509c2n;

     import ietf-yang-types {
       prefix yang;
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Thomas Nadeau

        WG Chair: Juergen Schoenwaelder

        Editor:   Martin Bjorklund

        Editor:   Juergen Schoenwaelder
       ";

     description
       "This module contains a collection of YANG definitions for
        extracting a name from an X.509 certificate.

        The algorithm used to extract a name from an X.509 certificate
        was first defined in RFC 6353.

        Copyright (c) 2014 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";
     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC6353: Transport Layer Security (TLS) Transport Model for
                 the Simple Network Management Protocol (SNMP)";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.

     revision 2014-05-06 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     typedef tls-fingerprint {
       type yang:hex-string {
         pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
       }
       description
         "A fingerprint value that can be used to uniquely reference
          other data of potentially arbitrary length.

          A tls-fingerprint value is composed of a 1-octet hashing
          algorithm identifier followed by the fingerprint value.  The
          first octet value identifying the hashing algorithm is taken
          from the IANA TLS HashAlgorithm Registry (RFC 5246).  The
          remaining octets are filled using the results of the hashing
          algorithm.";
       reference "SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
     }

     /* Identities */

     identity cert-to-name {
       description
         "Base identity for algorithms to derive a name from a
          certificate.";
     }

     identity specified {
       base cert-to-name;
       description
         "Directly specifies the name to be used for the certificate.
          The value of the leaf 'name' in 'cert-to-name' list is used.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
     }

     identity san-rfc822-name {
       base cert-to-name;
       description
         "Maps a subjectAltName's rfc822Name to a name.  The local part
          of the rfc822Name is passed unaltered but the host-part of the
          name must be passed in lowercase.  This mapping results in a
          1:1 correspondence between equivalent subjectAltName
          rfc822Name values and name values except that the host-part
          of the name MUST be passed in lowercase.  For example, the
          rfc822Name field FooBar@Example.COM is mapped to name
          FooBar@example.com.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
     }

     identity san-dns-name {
       base cert-to-name;
       description
         "Maps a subjectAltName's dNSName to a name after first
          converting it to all lowercase (RFC 5280 does not specify
          converting to lowercase so this involves an extra step).
          This mapping results in a 1:1 correspondence between
          subjectAltName dNSName values and the name values.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
     }

     identity san-ip-address {
       base cert-to-name;
       description
         "Maps a subjectAltName's iPAddress to a name by
          transforming the binary encoded address as follows:

            1) for IPv4, the value is converted into a
               decimal-dotted quad address (e.g., '192.0.2.1').

            2) for IPv6 addresses, the value is converted into a
               32-character all lowercase hexadecimal string
               without any colon separators.

          This mapping results in a 1:1 correspondence between
          subjectAltName iPAddress values and the name values.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
     }

     identity san-any {
       base cert-to-name;
       description
         "Maps any of the following fields using the corresponding
          mapping algorithms:

          +------------+-----------------+
          | Type       | Algorithm       |
          |------------+-----------------|
          | rfc822Name | san-rfc822-name |
          | dNSName    | san-dns-name    |
          | iPAddress  | san-ip-address  |
          +------------+-----------------+

          The first matching subjectAltName value found in the
          certificate of the above types MUST be used when deriving
          the name.  The mapping algorithm specified in the
          'Algorithm' column MUST be used to derive the name.

          This mapping results in a 1:1 correspondence between
          subjectAltName values and name values.  The three sub-mapping
          algorithms produced by this combined algorithm cannot produce
          conflicting results between themselves.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
     }

     identity common-name {
       base cert-to-name;
       description
         "Maps a certificate's CommonName to a name after converting
          it to a UTF-8 encoding.  The usage of CommonNames is
          deprecated and users are encouraged to use subjectAltName
          mapping methods instead.  This mapping results in a 1:1
          correspondence between certificate CommonName values and name
          values.";
       reference "SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
     }

     /*
      * Groupings
      */

     grouping cert-to-name {
       description
         "Defines nodes for mapping certificates to names.  Modules
          that use this grouping should describe how the resulting
          name is used.";

       list cert-to-name {
         key id;
         description
           "This list defines how certificates are mapped to names.
            The name is derived by considering each cert-to-name
            list entry in order.  The cert-to-name entry's fingerprint
            determines whether the list entry is a match:

            1) If the cert-to-name list entry's fingerprint value
               matches that of the presented certificate, then consider
               the list entry as a successful match.

            2) If the cert-to-name list entry's fingerprint value
               matches that of a locally held copy of a trusted CA
               certificate, and that CA certificate was part of the CA
               certificate chain to the presented certificate, then
               consider the list entry as a successful match.

            Once a matching cert-to-name list entry has been found, the
            map-type is used to determine how the name associated with
            the certificate should be determined.  See the map-type
            leaf's description for details on determining the name value.
            If it is impossible to determine a name from the cert-to-name
            list entry's data combined with the data presented in the
            certificate, then additional cert-to-name list entries MUST
            be searched looking for another potential match.

            Security administrators are encouraged to make use of
            certificates with subjectAltName fields that can be mapped to
            names so that a single root CA certificate can allow all
            child certificates' subjectAltName to map directly to a name
            via a 1:1 transformation.";
         reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";

         leaf id {
           type uint32;
           description
             "The id specifies the order in which the entries in the
              cert-to-name list are searched.  Entries with lower
              numbers are searched first.";
           reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
         }

         leaf fingerprint {
           type x509c2n:tls-fingerprint;
           mandatory true;
           description
             "Specifies a value with which the fingerprint of the
              certificate presented by the peer is compared.  If the
              fingerprint of the certificate presented by the peer does
              not match the fingerprint configured, then the entry is
              skipped and the search for a match continues.";
           reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
         }

         leaf map-type {
           type identityref {
             base cert-to-name;
           }
           mandatory true;
           description
             "Specifies the algorithm used to map the certificate
              presented by the peer to a name.
925 Mappings that need additional configuration objects should 926 use the 'when' statement to make them conditional based on 927 the 'map-type'."; 928 reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType"; 929 } 931 leaf name { 932 when "../map-type = 'x509c2n:specified'"; 933 type string; 934 mandatory true; 935 description 936 "Directly specifies the NETCONF username when the 937 'map-type' is 'specified'."; 938 reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData"; 939 } 940 } 941 } 942 } 944 946 4.2. Module 'ietf-snmp' 948 file "ietf-snmp.yang" 950 module ietf-snmp { 952 namespace "urn:ietf:params:xml:ns:yang:ietf-snmp"; 953 prefix snmp; 955 // RFC Ed.: update the dates below with the date of RFC publication 956 // and remove this note. 958 include ietf-snmp-common { 959 revision-date 2014-05-06; 960 } 961 include ietf-snmp-engine { 962 revision-date 2014-05-06; 963 } 964 include ietf-snmp-target { 965 revision-date 2014-05-06; 966 } 967 include ietf-snmp-notification { 968 revision-date 2014-05-06; 969 } 970 include ietf-snmp-proxy { 971 revision-date 2014-05-06; 972 } 973 include ietf-snmp-community { 974 revision-date 2014-05-06; 975 } 976 include ietf-snmp-usm { 977 revision-date 2014-05-06; 978 } 979 include ietf-snmp-tsm { 980 revision-date 2014-05-06; 981 } 982 include ietf-snmp-vacm { 983 revision-date 2014-05-06; 984 } 985 include ietf-snmp-tls { 986 revision-date 2014-05-06; 987 } 988 include ietf-snmp-ssh { 989 revision-date 2014-05-06; 990 } 992 organization 993 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 995 contact 996 "WG Web: 997 WG List: 999 WG Chair: Thomas Nadeau 1000 1002 WG Chair: Juergen Schoenwaelder 1003 1005 Editor: Martin Bjorklund 1006 1008 Editor: Juergen Schoenwaelder 1009 "; 1011 description 1012 "This module contains a collection of YANG definitions for 1013 configuring SNMP engines. 1015 Copyright (c) 2014 IETF Trust and the persons identified as 1016 authors of the code. All rights reserved. 
1018 Redistribution and use in source and binary forms, with or 1019 without modification, is permitted pursuant to, and subject 1020 to the license terms contained in, the Simplified BSD License 1021 set forth in Section 4.c of the IETF Trust's Legal Provisions 1022 Relating to IETF Documents 1023 (http://trustee.ietf.org/license-info). 1025 This version of this YANG module is part of RFC XXXX; see 1026 the RFC itself for full legal notices."; 1028 // RFC Ed.: replace XXXX with actual RFC number and remove this 1029 // note. 1031 // RFC Ed.: update the date below with the date of RFC publication 1032 // and remove this note. 1034 revision 2014-05-06 { 1035 description 1036 "Initial revision."; 1037 reference 1038 "RFC XXXX: A YANG Data Model for SNMP Configuration"; 1039 } 1041 } 1042 1044 4.3. Submodule 'ietf-snmp-common' 1046 file "ietf-snmp-common.yang" 1048 submodule ietf-snmp-common { 1050 belongs-to ietf-snmp { 1051 prefix snmp; 1052 } 1054 import ietf-yang-types { 1055 prefix yang; 1056 } 1058 organization 1059 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 1061 contact 1062 "WG Web: 1063 WG List: 1065 WG Chair: Thomas Nadeau 1066 1068 WG Chair: Juergen Schoenwaelder 1069 1071 Editor: Martin Bjorklund 1072 1074 Editor: Juergen Schoenwaelder 1075 "; 1077 description 1078 "This submodule contains a collection of common YANG definitions 1079 for configuring SNMP engines. 1081 Copyright (c) 2014 IETF Trust and the persons identified as 1082 authors of the code. All rights reserved. 1084 Redistribution and use in source and binary forms, with or 1085 without modification, is permitted pursuant to, and subject 1086 to the license terms contained in, the Simplified BSD License 1087 set forth in Section 4.c of the IETF Trust's Legal Provisions 1088 Relating to IETF Documents 1089 (http://trustee.ietf.org/license-info). 
1090 This version of this YANG module is part of RFC XXXX; see 1091 the RFC itself for full legal notices."; 1093 // RFC Ed.: replace XXXX with actual RFC number and remove this 1094 // note. 1096 // RFC Ed.: update the date below with the date of RFC publication 1097 // and remove this note. 1099 revision 2014-05-06 { 1100 description 1101 "Initial revision."; 1102 reference 1103 "RFC XXXX: A YANG Data Model for SNMP Configuration"; 1104 } 1106 /* Collection of SNMP specific data types */ 1108 typedef admin-string { 1109 type string { 1110 length "0..255"; 1111 } 1112 description 1113 "Represents and SnmpAdminString as defined in RFC 3411. 1115 Note that the size of an SnmpAdminString is measured in 1116 octets, not characters."; 1117 reference "SNMP-FRAMEWORK-MIB.SnmpAdminString"; 1118 } 1120 typedef identifier { 1121 type admin-string { 1122 length "1..32"; 1123 } 1124 description 1125 "Identifiers are used to name items in the SNMP configuration 1126 data store."; 1127 } 1129 typedef context-name { 1130 type admin-string { 1131 length "0..32"; 1132 } 1133 description 1134 "The context type represents an SNMP context name."; 1135 reference 1136 "RFC3411: An Architecture for Describing SNMP Management 1137 Frameworks"; 1139 } 1141 typedef security-name { 1142 type admin-string { 1143 length "1..32"; 1144 } 1145 description 1146 "The security-name type represents an SNMP security name."; 1147 reference 1148 "RFC3411: An Architecture for Describing SNMP Management 1149 Frameworks"; 1150 } 1152 typedef security-model { 1153 type union { 1154 type enumeration { 1155 enum v1 { value 1; } 1156 enum v2c { value 2; } 1157 enum usm { value 3; } 1158 enum tsm { value 4; } 1159 } 1160 type int32 { 1161 range "1..2147483647"; 1162 } 1163 } 1164 reference 1165 "RFC3411: An Architecture for Describing SNMP Management 1166 Frameworks"; 1167 } 1169 typedef security-model-or-any { 1170 type union { 1171 type enumeration { 1172 enum any { value 0; } 1173 } 1174 type 
security-model; 1175 } 1176 reference 1177 "RFC3411: An Architecture for Describing SNMP Management 1178 Frameworks"; 1179 } 1181 typedef security-level { 1182 type enumeration { 1183 enum no-auth-no-priv { value 1; } 1184 enum auth-no-priv { value 2; } 1185 enum auth-priv { value 3; } 1186 } 1187 reference 1188 "RFC3411: An Architecture for Describing SNMP Management 1189 Frameworks"; 1190 } 1192 typedef engine-id { 1193 type yang:hex-string { 1194 pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}'; 1195 } 1196 description 1197 "The Engine ID specified as a list of colon-specified hexa- 1198 decimal octets, e.g., '80:00:02:b8:04:61:62:63'."; 1199 reference 1200 "RFC3411: An Architecture for Describing SNMP Management 1201 Frameworks"; 1202 } 1204 typedef wildcard-object-identifier { 1205 type string; 1206 description 1207 "The wildcard-object-identifier type represents an SNMP object 1208 identifier where subidentifiers can be given either as a label, 1209 in numeric form, or a wildcard, represented by a *."; 1210 } 1212 typedef tag-value { 1213 type string { 1214 length "0..255"; 1215 } 1216 description 1217 "Represents and SnmpTagValue as defined in RFC 3413. 1219 Note that the size of an SnmpTagValue is measured in 1220 octets, not characters."; 1221 reference "SNMP-TARGET-MIB.SnmpTagValue"; 1222 } 1224 container snmp { 1225 description 1226 "Top-level container for SNMP related configuration and 1227 status objects."; 1228 } 1230 } 1232 1234 4.4. 
Submodule 'ietf-snmp-engine' 1236 file "ietf-snmp-engine.yang" 1238 submodule ietf-snmp-engine { 1240 belongs-to ietf-snmp { 1241 prefix snmp; 1242 } 1244 import ietf-inet-types { 1245 prefix inet; 1246 } 1248 include ietf-snmp-common; 1250 organization 1251 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 1253 contact 1254 "WG Web: 1255 WG List: 1257 WG Chair: Thomas Nadeau 1258 1260 WG Chair: Juergen Schoenwaelder 1261 1263 Editor: Martin Bjorklund 1264 1266 Editor: Juergen Schoenwaelder 1267 "; 1269 description 1270 "This submodule contains a collection of YANG definitions 1271 for configuring SNMP engines. 1273 Copyright (c) 2014 IETF Trust and the persons identified as 1274 authors of the code. All rights reserved. 1276 Redistribution and use in source and binary forms, with or 1277 without modification, is permitted pursuant to, and subject 1278 to the license terms contained in, the Simplified BSD License 1279 set forth in Section 4.c of the IETF Trust's Legal Provisions 1280 Relating to IETF Documents 1281 (http://trustee.ietf.org/license-info). 1282 This version of this YANG module is part of RFC XXXX; see 1283 the RFC itself for full legal notices."; 1285 // RFC Ed.: replace XXXX with actual RFC number and remove this 1286 // note. 1288 // RFC Ed.: update the date below with the date of RFC publication 1289 // and remove this note. 
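The cert-to-name grouping in the ietf-x509-cert-to-name module above describes its search and mapping rules only in prose. The following is an added example, not code from the draft or from any implementation, that models those rules in Python: the ordered search over cert-to-name entries, the two fingerprint match rules (the presented certificate itself, or a locally trusted CA in its chain), the san-rfc822-name, san-dns-name, san-ip-address, san-any and common-name derivations, and the requirement to keep searching when a matched entry cannot yield a name. The certificate, chain and fingerprints are constructed test data (the "DER" is arbitrary bytes); the sha256 identifier 4 comes from the RFC 5246 HashAlgorithm registry the typedef cites.

```python
import hashlib
import ipaddress
import re

# Hash algorithm identifier from the TLS HashAlgorithm registry
# (RFC 5246): sha256 = 4.  Only sha256 fingerprints are built here.
TLS_HASH_SHA256 = 4

# The same pattern the tls-fingerprint typedef carries.
FINGERPRINT_RE = re.compile(r'^([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}$')


def tls_fingerprint(der_bytes):
    """1-octet hash id followed by the digest, as a colon-separated hex-string."""
    octets = bytes([TLS_HASH_SHA256]) + hashlib.sha256(der_bytes).digest()
    return ':'.join('%02x' % b for b in octets)


def _same_fp(a, b):
    return a.lower() == b.lower()  # hex-string values compare case-insensitively


def map_rfc822_name(value):
    """Local part unaltered, host part lowercased (FooBar@Example.COM -> FooBar@example.com)."""
    local, sep, host = value.rpartition('@')
    return local + '@' + host.lower() if sep else None


def map_dns_name(value):
    return value.lower()


def map_ip_address(packed):
    """IPv4 -> dotted quad; IPv6 -> 32 lowercase hex digits without colons."""
    addr = ipaddress.ip_address(packed)  # packed is the 4- or 16-byte SAN value
    return str(addr) if addr.version == 4 else addr.packed.hex()


# map-type identity -> (subjectAltName type it consumes, mapping function)
SAN_MAPPERS = {
    'san-rfc822-name': ('rfc822Name', map_rfc822_name),
    'san-dns-name': ('dNSName', map_dns_name),
    'san-ip-address': ('iPAddress', map_ip_address),
}


def derive_name(entry, cert):
    """Apply the entry's map-type to cert; None when no name can be derived."""
    map_type = entry['map-type']
    sans = cert.get('subject_alt_names', [])  # list of (type, value), certificate order
    if map_type == 'specified':
        return entry.get('name')
    if map_type == 'common-name':
        return cert.get('common_name')  # a Python str is already Unicode text
    if map_type in SAN_MAPPERS:
        san_type, fn = SAN_MAPPERS[map_type]
        return next((fn(v) for t, v in sans if t == san_type), None)
    if map_type == 'san-any':
        # First SAN of any of the three types, mapped with that type's algorithm.
        by_type = {t: fn for t, fn in SAN_MAPPERS.values()}
        return next((by_type[t](v) for t, v in sans if t in by_type), None)
    return None


def cert_to_name(entries, cert, trusted_ca_fingerprints):
    """Search the cert-to-name list in id order; return (id, name) or None."""
    for entry in sorted(entries, key=lambda e: e['id']):
        fp = entry['fingerprint']
        if not FINGERPRINT_RE.match(fp):
            continue  # not a valid tls-fingerprint value; cannot match anything
        direct = _same_fp(fp, cert['fingerprint'])
        via_ca = any(_same_fp(fp, ca) and
                     any(_same_fp(ca, t) for t in trusted_ca_fingerprints)
                     for ca in cert.get('chain_fingerprints', []))
        if not (direct or via_ca):
            continue
        name = derive_name(entry, cert)
        if name is not None:
            return entry['id'], name
        # No name derivable from this entry: later entries MUST still be searched.
    return None


# Constructed test data: the "DER" below is arbitrary bytes, not real certificates.
LEAF_FP = tls_fingerprint(b'constructed leaf certificate')
CA_FP = tls_fingerprint(b'constructed issuing CA certificate')
SAMPLE_CERT = {
    'fingerprint': LEAF_FP,
    'chain_fingerprints': [CA_FP],
    'subject_alt_names': [
        ('iPAddress', bytes([192, 0, 2, 1])),
        ('rfc822Name', 'FooBar@Example.COM'),
        ('dNSName', 'Agent.Example.COM'),
    ],
    'common_name': 'agent one',
}
SAMPLE_ENTRIES = [
    {'id': 1, 'fingerprint': tls_fingerprint(b'some other cert'),
     'map-type': 'specified', 'name': 'admin'},
    {'id': 2, 'fingerprint': LEAF_FP.upper(), 'map-type': 'san-dns-name'},
    {'id': 3, 'fingerprint': CA_FP, 'map-type': 'san-rfc822-name'},
]


def demo():
    return cert_to_name(SAMPLE_ENTRIES, SAMPLE_CERT, [CA_FP])  # (2, 'agent.example.com')
```

Entry 1 does not match, entry 2 matches the leaf fingerprint directly (case-insensitively) and yields the lowercased dNSName, so entry 3, which would match through the trusted CA, is never reached. Dropping the CA from the trusted set makes rule 2 fail, which is the behaviour an operator relying on a single root CA plus subjectAltName mapping should expect.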
    revision 2014-05-06 {
      description
        "Initial revision.";
      reference
        "RFC XXXX: A YANG Data Model for SNMP Configuration";
    }

    augment /snmp:snmp {

      container engine {

        description
          "Configuration of the SNMP engine.";

        leaf enabled {
          type boolean;
          default "false";
          description
            "Enables the SNMP engine.";
        }

        list listen {
          key "name";
          description
            "Configuration of the transport endpoints on which the
             engine listens.";

          leaf name {
            type snmp:identifier;
            description
              "An arbitrary name for the list entry.";
          }

          choice transport {
            mandatory true;
            description
              "The transport protocol specific parameters for this
               endpoint. Submodules providing configuration for
               additional transports are expected to augment this
               choice.";
            case udp {
              container udp {
                leaf ip {
                  type inet:ip-address;
                  mandatory true;
                  description
                    "The IPv4 or IPv6 address on which the engine
                     listens.";
                }
                leaf port {
                  type inet:port-number;
                  description
                    "The UDP port on which the engine listens.

                     If the port is not configured, an engine that
                     acts as a Command Responder uses port 161, and
                     an engine that acts as a Notification Receiver
                     uses port 162.";
                }
              }
            }
          }
        }

        container version {
          description
            "SNMP version used by the engine";
          leaf v1 {
            type empty;
          }
          leaf v2c {
            type empty;
          }
          leaf v3 {
            type empty;
          }
        }

        leaf engine-id {
          type snmp:engine-id;
          description
            "The local SNMP engine's administratively-assigned unique
             identifier.

             If this leaf is not set, the device automatically
             calculates an engine id, as described in RFC 3411. A
             server MAY initialize this leaf with the automatically
             created value.";
          reference "SNMP-FRAMEWORK-MIB.snmpEngineID";
        }

        leaf enable-authen-traps {
          type boolean;
          description
            "Indicates whether the SNMP entity is permitted to
             generate authenticationFailure traps.";
          reference "SNMPv2-MIB.snmpEnableAuthenTraps";
        }
      }
    }
  }

4.5. Submodule 'ietf-snmp-target'

  file "ietf-snmp-target.yang"

  submodule ietf-snmp-target {

    belongs-to ietf-snmp {
      prefix snmp;
    }

    import ietf-inet-types {
      prefix inet;
    }

    include ietf-snmp-common;

    organization
      "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

    contact
      "WG Web:
       WG List:

       WG Chair: Thomas Nadeau

       WG Chair: Juergen Schoenwaelder

       Editor: Martin Bjorklund

       Editor: Juergen Schoenwaelder
      ";

    description
      "This submodule contains a collection of YANG definitions
       for configuring SNMP targets.

       Copyright (c) 2014 IETF Trust and the persons identified as
       authors of the code. All rights reserved.

       Redistribution and use in source and binary forms, with or
       without modification, is permitted pursuant to, and subject
       to the license terms contained in, the Simplified BSD License
       set forth in Section 4.c of the IETF Trust's Legal Provisions
       Relating to IETF Documents
       (http://trustee.ietf.org/license-info).

       This version of this YANG module is part of RFC XXXX; see
       the RFC itself for full legal notices.";

    // RFC Ed.: replace XXXX with actual RFC number and remove this
    // note.

    reference
      "RFC3413: Simple Network Management Protocol (SNMP)
       Applications";

    // RFC Ed.: update the date below with the date of RFC publication
    // and remove this note.
    revision 2014-05-06 {
      description
        "Initial revision.";
      reference
        "RFC XXXX: A YANG Data Model for SNMP Configuration";
    }

    augment /snmp:snmp {

      list target {
        key name;
        description
          "List of targets.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTable";

        leaf name {
          type snmp:identifier;
          description
            "Identifies the target.";
          reference "SNMP-TARGET-MIB.snmpTargetAddrName";
        }
        choice transport {
          mandatory true;
          description
            "Transport address of the target.

             The snmpTargetAddrTDomain and snmpTargetAddrTAddress
             objects are mapped to transport-specific YANG nodes. Each
             transport is configured as a separate case in this
             choice. Submodules providing configuration for additional
             transports are expected to augment this choice.";
          reference "SNMP-TARGET-MIB.snmpTargetAddrTDomain
                     SNMP-TARGET-MIB.snmpTargetAddrTAddress";
          case udp {
            reference "SNMPv2-TM.snmpUDPDomain
                       TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4
                       TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4z
                       TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6
                       TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6z";
            container udp {
              leaf ip {
                type inet:ip-address;
                mandatory true;
                reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
              }
              leaf port {
                type inet:port-number;
                default 162;
                description
                  "UDP port number";
                reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
              }
              leaf prefix-length {
                type uint8;
                description
                  "The value of this leaf must match the value of
                   ../snmp:ip. If ../snmp:ip contains an ipv4 address,
                   this leaf must be less than or equal to 32. If it
                   contains an ipv6 address, it must be less than or
                   equal to 128.

                   Note that the prefix-length is currently only used
                   by the Community-based Security Model to filter
                   incoming messages. Furthermore, the prefix-length
                   filtering does not cover all possible filters
                   supported by the corresponding MIB object.";
                reference "SNMP-COMMUNITY-MIB.snmpTargetAddrTMask";
              }
            }
          }
        }
        leaf-list tag {
          type snmp:tag-value;
          description
            "List of tag values used to select target address.";
          reference "SNMP-TARGET-MIB.snmpTargetAddrTagList";
        }
        leaf timeout {
          type uint32;
          units "0.01 seconds";
          default 1500;
          description
            "Needed only if this target can receive
             InformRequest-PDUs.";
          reference "SNMP-TARGET-MIB.snmpTargetAddrTimeout";
        }
        leaf retries {
          type uint8;
          default 3;
          description
            "Needed only if this target can receive
             InformRequest-PDUs.";
          reference "SNMP-TARGET-MIB.snmpTargetAddrRetryCount";
        }
        leaf target-params {
          type snmp:identifier;
          mandatory true;
          reference "SNMP-TARGET-MIB.snmpTargetAddrParams";
        }
      }

      list target-params {
        key name;
        description
          "List of target parameters.";
        reference "SNMP-TARGET-MIB.snmpTargetParamsTable";

        leaf name {
          type snmp:identifier;
        }
        choice params {
          description
            "This choice is augmented with case nodes containing
             security model specific configuration parameters.";
        }
      }
    }
  }

4.6. Submodule 'ietf-snmp-notification'

  file "ietf-snmp-notification.yang"

  submodule ietf-snmp-notification {

    belongs-to ietf-snmp {
      prefix snmp;
    }

    include ietf-snmp-common;
    include ietf-snmp-target;

    organization
      "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

    contact
      "WG Web:
       WG List:

       WG Chair: Thomas Nadeau

       WG Chair: Juergen Schoenwaelder

       Editor: Martin Bjorklund

       Editor: Juergen Schoenwaelder
      ";

    description
      "This submodule contains a collection of YANG definitions
       for configuring SNMP notifications.

       Copyright (c) 2014 IETF Trust and the persons identified as
       authors of the code. All rights reserved.

       Redistribution and use in source and binary forms, with or
       without modification, is permitted pursuant to, and subject
       to the license terms contained in, the Simplified BSD License
       set forth in Section 4.c of the IETF Trust's Legal Provisions
       Relating to IETF Documents
       (http://trustee.ietf.org/license-info).

       This version of this YANG module is part of RFC XXXX; see
       the RFC itself for full legal notices.";

    // RFC Ed.: replace XXXX with actual RFC number and remove this
    // note.

    reference
      "RFC3413: Simple Network Management Protocol (SNMP)
       Applications";

    // RFC Ed.: update the date below with the date of RFC publication
    // and remove this note.

    revision 2014-05-06 {
      description
        "Initial revision.";
      reference
        "RFC XXXX: A YANG Data Model for SNMP Configuration";
    }

    feature notification-filter {
      description
        "A server implements this feature if it supports SNMP
         notification filtering.";
      reference
        "RFC3413: Simple Network Management Protocol (SNMP)
         Applications";
    }

    augment /snmp:snmp {

      list notify {
        key name;
        description
          "Targets that will receive notifications.

           Entries in this list are mapped 1-1 to entries in
           snmpNotifyTable, except that if an entry in snmpNotifyTable
           has a snmpNotifyTag for which no snmpTargetAddrEntry exists,
           then the snmpNotifyTable entry is not mapped to an entry in
           this list.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyTable";
        leaf name {
          type snmp:identifier;
          description
            "An arbitrary name for the list entry.";
          reference "SNMP-NOTIFICATION-MIB.snmpNotifyName";
        }
        leaf tag {
          type snmp:tag-value;
          mandatory true;
          description
            "Target tag, selects a set of notification targets.

             Implementations MAY restrict the values of this leaf
             to be one of the available values of /snmp/target/tag in
             a valid configuration.";
          reference "SNMP-NOTIFICATION-MIB.snmpNotifyTag";
        }
        leaf type {
          type enumeration {
            enum trap { value 1; }
            enum inform { value 2; }
          }
          default trap;
          description
            "Defines the notification type to be generated.";
          reference "SNMP-NOTIFICATION-MIB.snmpNotifyType";
        }
      }

      list notify-filter-profile {
        if-feature snmp:notification-filter;
        key name;

        description
          "Notification filter profiles.

           The leaf /snmp/target/notify-filter-profile is used
           to associate a filter profile with a target.

           If an entry in this list is referred to by one or more
           /snmp/target/notify-filter-profile, each such
           notify-filter-profile is represented by one
           snmpNotifyFilterProfileEntry.

           If an entry in this list is not referred to by any
           /snmp/target/notify-filter-profile, the entry is not mapped
           to snmpNotifyFilterProfileTable.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable
                   SNMP-NOTIFICATION-MIB.snmpNotifyFilterTable";

        leaf name {
          type snmp:identifier;
          description
            "Name of the filter profile";
          reference
            "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
        }

        leaf-list include {
          type snmp:wildcard-object-identifier;
          description
            "A family of subtrees included in this filter.";
          reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
                     SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
                     SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
        }

        leaf-list exclude {
          type snmp:wildcard-object-identifier;
          description
            "A family of subtrees excluded from this filter.";
          reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
                     SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
                     SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
        }
      }

    }

    augment /snmp:snmp/snmp:target-params {
      reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable";
      leaf notify-filter-profile {
        if-feature snmp:notification-filter;
        type leafref {
          path "/snmp/notify-filter-profile/name";
        }
        description
          "This leafref leaf is used to represent the sparse
           relationship between the /snmp/target-params list and the
           /snmp/notify-filter-profile list.";
        reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
      }
    }

  }

4.7. Submodule 'ietf-snmp-proxy'

  file "ietf-snmp-proxy.yang"

  submodule ietf-snmp-proxy {

    belongs-to ietf-snmp {
      prefix snmp;
    }

    include ietf-snmp-common;
    include ietf-snmp-target;

    organization
      "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

    contact
      "WG Web:
       WG List:

       WG Chair: Thomas Nadeau

       WG Chair: Juergen Schoenwaelder

       Editor: Martin Bjorklund

       Editor: Juergen Schoenwaelder
      ";

    description
      "This submodule contains a collection of YANG definitions
       for configuring SNMP proxies.

       Copyright (c) 2014 IETF Trust and the persons identified as
       authors of the code. All rights reserved.

       Redistribution and use in source and binary forms, with or
       without modification, is permitted pursuant to, and subject
       to the license terms contained in, the Simplified BSD License
       set forth in Section 4.c of the IETF Trust's Legal Provisions
       Relating to IETF Documents
       (http://trustee.ietf.org/license-info).

       This version of this YANG module is part of RFC XXXX; see
       the RFC itself for full legal notices.";

    // RFC Ed.: replace XXXX with actual RFC number and remove this
    // note.

    reference
      "RFC3413: Simple Network Management Protocol (SNMP)
       Applications";

    // RFC Ed.: update the date below with the date of RFC publication
    // and remove this note.
1823 revision 2014-05-06 { 1824 description 1825 "Initial revision."; 1826 reference 1827 "RFC XXXX: A YANG Data Model for SNMP Configuration"; 1828 } 1830 feature proxy { 1831 description 1832 "A server implements this feature if it can act as an 1833 SNMP Proxy"; 1834 reference 1835 "RFC3413: Simple Network Management Protocol (SNMP) 1836 Applications"; 1837 } 1839 augment /snmp:snmp { 1840 if-feature snmp:proxy; 1842 list proxy { 1843 key name; 1845 description 1846 "List of proxy parameters."; 1847 reference "SNMP-PROXY-MIB.snmpProxyTable"; 1849 leaf name { 1850 type snmp:identifier; 1851 description 1852 "Identifies the proxy parameter entry."; 1853 reference "SNMP-PROXY-MIB.snmpProxyName"; 1854 } 1855 leaf type { 1856 type enumeration { 1857 enum read { value 1; } 1858 enum write { value 2; } 1859 enum trap { value 3; } 1860 enum inform { value 4; } 1861 } 1862 mandatory true; 1863 reference "SNMP-PROXY-MIB.snmpProxyType"; 1864 } 1865 leaf context-engine-id { 1866 type snmp:engine-id; 1867 mandatory true; 1868 reference "SNMP-PROXY-MIB.snmpProxyContextEngineID"; 1869 } 1870 leaf context-name { 1871 type snmp:context-name; 1872 reference "SNMP-PROXY-MIB.snmpProxyContextName"; 1873 } 1874 leaf target-params-in { 1875 type snmp:identifier; 1876 description 1877 "The name of a target parameters list entry. 
1879 Implementations MAY restrict the values of this 1880 leaf to be one of the available values of 1881 /snmp/target-params/name in a valid configuration."; 1882 reference "SNMP-PROXY-MIB.snmpProxyTargetParamsIn"; 1883 } 1884 leaf single-target-out { 1885 when "../type = 'read' or ../type = 'write'"; 1886 type snmp:identifier; 1887 description 1888 "Implementations MAY restrict the values of this leaf 1889 to be one of the available values of /snmp/target/name in 1890 a valid configuration."; 1891 reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut"; 1892 } 1893 leaf multiple-target-out { 1894 when "../type = 'trap' or ../type = 'inform'"; 1895 type snmp:tag-value; 1896 description 1897 "Implementations MAY restrict the values of this leaf 1898 to be one of the available values of /snmp/target/tag in 1899 a valid configuration."; 1900 reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut"; 1901 } 1902 } 1903 } 1904 } 1905 1907 4.8. Submodule 'ietf-snmp-community' 1909 file "ietf-snmp-community.yang" 1911 submodule ietf-snmp-community { 1913 belongs-to ietf-snmp { 1914 prefix snmp; 1915 } 1917 import ietf-netconf-acm { 1918 prefix nacm; 1919 } 1921 include ietf-snmp-common; 1922 include ietf-snmp-target; 1923 include ietf-snmp-proxy; 1925 organization 1926 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 1928 contact 1929 "WG Web: 1930 WG List: 1932 WG Chair: Thomas Nadeau 1933 1935 WG Chair: Juergen Schoenwaelder 1936 1938 Editor: Martin Bjorklund 1939 1941 Editor: Juergen Schoenwaelder 1942 "; 1944 description 1945 "This submodule contains a collection of YANG definitions 1946 for configuring community-based SNMP. 1948 Copyright (c) 2014 IETF Trust and the persons identified as 1949 authors of the code. All rights reserved. 
1951 Redistribution and use in source and binary forms, with or 1952 without modification, is permitted pursuant to, and subject 1953 to the license terms contained in, the Simplified BSD License 1954 set forth in Section 4.c of the IETF Trust's Legal Provisions 1955 Relating to IETF Documents 1956 (http://trustee.ietf.org/license-info). 1958 This version of this YANG module is part of RFC XXXX; see 1959 the RFC itself for full legal notices."; 1961 // RFC Ed.: replace XXXX with actual RFC number and remove this 1962 // note. 1964 reference 1965 "RFC3584: Coexistence between Version 1, Version 2, and Version 3 1966 of the Internet-standard Network Management Framework"; 1968 // RFC Ed.: update the date below with the date of RFC publication 1969 // and remove this note. 1971 revision 2014-05-06 { 1972 description 1973 "Initial revision."; 1974 reference 1975 "RFC XXXX: A YANG Data Model for SNMP Configuration"; 1976 } 1978 augment /snmp:snmp { 1980 list community { 1981 key index; 1983 description 1984 "List of communities"; 1985 reference "SNMP-COMMUNITY-MIB.snmpCommunityTable"; 1987 leaf index { 1988 type snmp:identifier; 1989 description 1990 "Index into the community list."; 1991 reference "SNMP-COMMUNITY-MIB.snmpCommunityIndex"; 1992 } 1993 choice name { 1994 nacm:default-deny-all; 1995 description 1996 "The community name, either specified as a string 1997 or as a binary. The binary name is used when the 1998 community name contains characters that are not legal 1999 in a string. 
2001 If not set, the value of 'security-name' is operationally 2002 used as the snmpCommunityName."; 2003 reference "SNMP-COMMUNITY-MIB.snmpCommunityName"; 2004 leaf text-name { 2005 type string; 2006 description 2007 "A community name that can be represented as a 2008 YANG string."; 2009 } 2010 leaf binary-name { 2011 type binary; 2012 description 2013 "A community name represented as a binary value."; 2014 } 2015 } 2016 leaf security-name { 2017 type snmp:security-name; 2018 mandatory true; 2019 nacm:default-deny-all; 2020 description 2021 "The snmpCommunitySecurityName of this entry."; 2022 reference "SNMP-COMMUNITY-MIB.snmpCommunitySecurityName"; 2023 } 2024 leaf engine-id { 2025 if-feature snmp:proxy; 2026 type snmp:engine-id; 2027 description 2028 "If not set, the value of the local SNMP engine is 2029 operationally used by the device."; 2030 reference "SNMP-COMMUNITY-MIB.snmpCommunityContextEngineID"; 2031 } 2032 leaf context { 2033 type snmp:context-name; 2034 default ""; 2035 description 2036 "The context in which management information is accessed 2037 when using the community string specified by this entry."; 2038 reference "SNMP-COMMUNITY-MIB.snmpCommunityContextName"; 2039 } 2040 leaf target-tag { 2041 type snmp:tag-value; 2042 description 2043 "Used to limit access for this community to the specified 2044 targets. 2046 Implementations MAY restrict the values of this leaf 2047 to be one of the available values of /snmp/target/tag in 2048 a valid configuration."; 2050 reference "SNMP-COMMUNITY-MIB.snmpCommunityTransportTag"; 2051 } 2052 } 2053 } 2055 grouping v1-target-params { 2056 container v1 { 2057 description 2058 "SNMPv1 parameters type. 
            Represents snmpTargetParamsMPModel '0',
            snmpTargetParamsSecurityModel '1', and
            snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
         leaf security-name {
           type snmp:security-name;
           mandatory true;
           description
             "Implementations MAY restrict the values of this leaf
              to be one of the available values of
              /snmp/community/security-name in a valid configuration.";
           reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
         }
       }
     }

     grouping v2c-target-params {
       container v2c {
         description
           "SNMPv2 community parameters type.
            Represents snmpTargetParamsMPModel '1',
            snmpTargetParamsSecurityModel '2', and
            snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
         leaf security-name {
           type snmp:security-name;
           mandatory true;
           description
             "Implementations MAY restrict the values of this leaf
              to be one of the available values of
              /snmp/community/security-name in a valid configuration.";
           reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
         }
       }
     }

     augment /snmp:snmp/snmp:target-params/snmp:params {
       case v1 {
         uses v1-target-params;
       }
       case v2c {
         uses v2c-target-params;
       }
     }

     augment /snmp:snmp/snmp:target {
       when "snmp:v1 or snmp:v2c";
       leaf mms {
         type union {
           type enumeration {
             enum "unknown" { value 0; }
           }
           type int32 {
             range "484..max";
           }
         }
         default "484";
         description
           "The maximum message size.";
         reference
           "SNMP-COMMUNITY-MIB.snmpTargetAddrMMS";
       }
     }

   }

   

4.9.  Submodule 'ietf-snmp-vacm'

   file "ietf-snmp-vacm.yang"

   submodule ietf-snmp-vacm {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     include ietf-snmp-common;

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Thomas Nadeau

        WG Chair: Juergen Schoenwaelder

        Editor: Martin Bjorklund

        Editor: Juergen Schoenwaelder
       ";

     description
       "This submodule contains a collection of YANG definitions
        for configuring the View-based Access Control Model (VACM)
        of SNMP.

        Copyright (c) 2014 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC3415: View-based Access Control Model (VACM) for the
        Simple Network Management Protocol (SNMP)";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
     revision 2014-05-06 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     typedef view-name {
       type snmp:identifier;
       description
         "The view-name type represents an SNMP VACM view name.";
     }

     typedef group-name {
       type snmp:identifier;
       description
         "The group-name type represents an SNMP VACM group name.";
     }

     augment /snmp:snmp {

       container vacm {
         description
           "Configuration of the View-based Access Control Model";

         list group {
           key name;
           description
             "VACM Groups.

              This data model has a different structure than the MIB.
              Groups are explicitly defined in this list, and group
              members are defined in the 'member' list (mapped to
              vacmSecurityToGroupTable), and access for the group is
              defined in the 'access' list (mapped to
              vacmAccessTable).";
           reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable
                      SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

           leaf name {
             type group-name;
             description
               "The name of this VACM group.";
             reference "SNMP-VIEW-BASED-ACM-MIB.vacmGroupName";
           }

           list member {
             key "security-name";
             description
               "A member of this VACM group.

                A certain combination of security-name and
                security-model MUST NOT be present in more than
                one group.";
             reference
               "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable";

             leaf security-name {
               type snmp:security-name;
               description
                 "The securityName of a group member.";
               reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityName";
             }

             leaf-list security-model {
               type snmp:security-model;
               min-elements 1;
               description
                 "The security models under which this security-name
                  is a member of this group.";
               reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityModel";
             }
           }

           list access {
             key "context security-model security-level";
             description
               "Definition of access rights for groups";
             reference "SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

             leaf context {
               type snmp:context-name;
               description
                 "The context (prefix) under which the access rights
                  apply.";
               reference
                 "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextPrefix";
             }

             leaf context-match {
               type enumeration {
                 enum exact { value 1; }
                 enum prefix { value 2; }
               }
               default exact;
               description
                 "Whether 'context' must match the context name of a
                  request exactly or only as a prefix of it.";
               reference
                 "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextMatch";
             }

             leaf security-model {
               type snmp:security-model-or-any;
               description
                 "The security model under which the access rights
                  apply.";
               reference
                 "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityModel";
             }
             leaf security-level {
               type snmp:security-level;
               description
                 "The minimum security level under which the access
                  rights apply.";
               reference
                 "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityLevel";
             }

             leaf read-view {
               type view-name;
               description
                 "The name of the MIB view of the SNMP context
                  authorizing read access.  If this leaf does not
                  exist in a configuration, it maps to a zero-length
                  vacmAccessReadViewName.

                  Implementations MAY restrict the values of this
                  leaf to be one of the available values of
                  /snmp/vacm/view/name in a valid configuration.";
               reference
                 "SNMP-VIEW-BASED-ACM-MIB.vacmAccessReadViewName";
             }

             leaf write-view {
               type view-name;
               description
                 "The name of the MIB view of the SNMP context
                  authorizing write access.  If this leaf does not
                  exist in a configuration, it maps to a zero-length
                  vacmAccessWriteViewName.

                  Implementations MAY restrict the values of this
                  leaf to be one of the available values of
                  /snmp/vacm/view/name in a valid configuration.";
               reference
                 "SNMP-VIEW-BASED-ACM-MIB.vacmAccessWriteViewName";
             }

             leaf notify-view {
               type view-name;
               description
                 "The name of the MIB view of the SNMP context
                  authorizing notify access.  If this leaf does not
                  exist in a configuration, it maps to a zero-length
                  vacmAccessNotifyViewName.

                  Implementations MAY restrict the values of this
                  leaf to be one of the available values of
                  /snmp/vacm/view/name in a valid configuration.";
               reference
                 "SNMP-VIEW-BASED-ACM-MIB.vacmAccessNotifyViewName";
             }
           }
         }

         list view {
           key name;
           description
             "Definition of MIB views.";
           reference
             "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyTable";

           leaf name {
             type view-name;
             description
               "The name of this VACM MIB view.";
             reference
               "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyName";
           }

           leaf-list include {
             type snmp:wildcard-object-identifier;
             description
               "A family of subtrees included in this MIB view.";
             reference
               "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
                SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
                SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
           }

           leaf-list exclude {
             type snmp:wildcard-object-identifier;
             description
               "A family of subtrees excluded from this MIB
                view.";
             reference
               "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
                SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
                SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
           }
         }
       }
     }
   }

   

4.10.  Submodule 'ietf-snmp-usm'

   This YANG submodule imports YANG extensions from [RFC6536].

   file "ietf-snmp-usm.yang"

   submodule ietf-snmp-usm {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     import ietf-yang-types {
       prefix yang;
     }
     import ietf-netconf-acm {
       prefix nacm;
     }

     include ietf-snmp-common;
     include ietf-snmp-target;
     include ietf-snmp-proxy;

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Thomas Nadeau

        WG Chair: Juergen Schoenwaelder

        Editor: Martin Bjorklund

        Editor: Juergen Schoenwaelder
       ";

     description
       "This submodule contains a collection of YANG definitions for
        configuring the User-based Security Model (USM) of SNMP.

        Copyright (c) 2014 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC3414: User-based Security Model (USM) for version 3 of the
        Simple Network Management Protocol (SNMPv3).";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
     revision 2014-05-06 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     grouping key {
       leaf key {
         type yang:hex-string;
         mandatory true;
         nacm:default-deny-all;
         description
           "Localized key specified as a list of colon-separated
            hexadecimal octets";
       }
     }

     grouping user-list {
       list user {
         key "name";

         reference "SNMP-USER-BASED-SM-MIB.usmUserTable";

         leaf name {
           type snmp:identifier;
           reference "SNMP-USER-BASED-SM-MIB.usmUserName";
         }
         container auth {
           presence "enables authentication";
           description
             "Enables authentication of the user";
           choice protocol {
             mandatory true;
             reference "SNMP-USER-BASED-SM-MIB.usmUserAuthProtocol";
             container md5 {
               uses key;
               reference
                 "SNMP-USER-BASED-SM-MIB.usmHMACMD5AuthProtocol";
             }
             container sha {
               uses key;
               reference
                 "SNMP-USER-BASED-SM-MIB.usmHMACSHAAuthProtocol";
             }
           }
         }
         container priv {
           must "../auth" {
             error-message
               "when privacy is used, authentication must also be used";
           }
           presence "enables encryption";
           description
             "Enables encryption of SNMP messages.";

           choice protocol {
             mandatory true;
             reference "SNMP-USER-BASED-SM-MIB.usmUserPrivProtocol";
             container des {
               uses key;
               reference "SNMP-USER-BASED-SM-MIB.usmDESPrivProtocol";
             }
             container aes {
               uses key;
               reference "SNMP-USM-AES-MIB.usmAesCfb128Protocol";
             }
           }
         }
       }
     }

     augment /snmp:snmp {

       container usm {
         description
           "Configuration of the User-based Security Model";
         container local {
           uses user-list;
         }

         list remote {
           key "engine-id";

           leaf engine-id {
             type snmp:engine-id;
             reference "SNMP-USER-BASED-SM-MIB.usmUserEngineID";
           }

           uses user-list;
         }
       }
     }

     grouping usm-target-params {
       container usm {
         description
           "User-based SNMPv3 parameters type.

            Represents snmpTargetParamsMPModel '3' and
            snmpTargetParamsSecurityModel '3'";
         leaf user-name {
           type snmp:security-name;
           mandatory true;
           reference
             "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
         }
         leaf security-level {
           type snmp:security-level;
           mandatory true;
           reference
             "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
         }
       }
     }

     augment /snmp:snmp/snmp:target-params/snmp:params {
       case usm {
         uses usm-target-params;
       }
     }

   }

   

4.11.  Submodule 'ietf-snmp-tsm'

   file "ietf-snmp-tsm.yang"

   submodule ietf-snmp-tsm {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     include ietf-snmp-common;
     include ietf-snmp-target;
     include ietf-snmp-proxy;

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Thomas Nadeau

        WG Chair: Juergen Schoenwaelder

        Editor: Martin Bjorklund

        Editor: Juergen Schoenwaelder
       ";

     description
       "This submodule contains a collection of YANG definitions for
        configuring the Transport Security Model (TSM) of SNMP.

        Copyright (c) 2014 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.
     reference
       "RFC5591: Transport Security Model for the
        Simple Network Management Protocol (SNMP)";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.

     revision 2014-05-06 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     feature tsm {
       description
         "A server implements this feature if it supports the
          Transport Security Model for SNMP.";
       reference
         "RFC5591: Transport Security Model for the
          Simple Network Management Protocol (SNMP)";
     }

     augment /snmp:snmp {
       if-feature tsm;
       container tsm {
         description
           "Configuration of the Transport Security Model";

         leaf use-prefix {
           type boolean;
           default false;
           reference
             "SNMP-TSM-MIB.snmpTsmConfigurationUsePrefix";
         }
       }
     }

     grouping tsm-target-params {
       container tsm {
         description
           "Transport-based security SNMPv3 parameters type.

            Represents snmpTargetParamsMPModel '3' and
            snmpTargetParamsSecurityModel '4'";
         leaf security-name {
           type snmp:security-name;
           mandatory true;
           reference
             "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
         }
         leaf security-level {
           type snmp:security-level;
           mandatory true;
           reference
             "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
         }
       }
     }

     augment /snmp:snmp/snmp:target-params/snmp:params {
       if-feature tsm;
       case tsm {
         uses tsm-target-params;
       }
     }

   }

   

4.12.  Submodule 'ietf-snmp-tls'

   file "ietf-snmp-tls.yang"

   submodule ietf-snmp-tls {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     import ietf-inet-types {
       prefix inet;
     }
     import ietf-x509-cert-to-name {
       prefix x509c2n;
     }

     include ietf-snmp-common;
     include ietf-snmp-engine;
     include ietf-snmp-target;

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Thomas Nadeau

        WG Chair: Juergen Schoenwaelder

        Editor: Martin Bjorklund

        Editor: Juergen Schoenwaelder
       ";

     description
       "This submodule contains a collection of YANG definitions for
        configuring the Transport Layer Security Transport Model (TLSTM)
        of SNMP.

        Copyright (c) 2014 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC6353: Transport Layer Security (TLS) Transport Model for
        the Simple Network Management Protocol (SNMP)";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
     revision 2014-05-06 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     feature tlstm {
       description
         "A server implements this feature if it supports the
          Transport Layer Security Transport Model for SNMP.";
       reference
         "RFC6353: Transport Layer Security (TLS) Transport Model for
          the Simple Network Management Protocol (SNMP)";
     }

     augment /snmp:snmp/snmp:engine/snmp:listen/snmp:transport {
       if-feature tlstm;
       case tls {
         container tls {
           description
             "The IPv4 or IPv6 address and port on which the engine
              listens for SNMP messages over TLS.";

           leaf ip {
             type inet:ip-address;
             mandatory true;
             description
               "The IPv4 or IPv6 address on which the engine listens
                for SNMP messages over TLS.";
           }
           leaf port {
             type inet:port-number;
             description
               "The TCP port on which the engine listens for SNMP
                messages over TLS.

                If the port is not configured, an engine that
                acts as a Command Responder uses port 10161, and
                an engine that acts as a Notification Receiver
                uses port 10162.";
           }
         }
       }
       case dtls {
         container dtls {
           description
             "The IPv4 or IPv6 address and port on which the engine
              listens for SNMP messages over DTLS.";

           leaf ip {
             type inet:ip-address;
             mandatory true;
             description
               "The IPv4 or IPv6 address on which the engine listens
                for SNMP messages over DTLS.";
           }
           leaf port {
             type inet:port-number;
             description
               "The UDP port on which the engine listens for SNMP
                messages over DTLS.

                If the port is not configured, an engine that
                acts as a Command Responder uses port 10161, and
                an engine that acts as a Notification Receiver
                uses port 10162.";
           }
         }
       }
     }

     augment /snmp:snmp {
       if-feature tlstm;
       container tlstm {
         uses x509c2n:cert-to-name {
           description
             "Defines how certificates are mapped to names.  The
              resulting name is used as a security name.";
           refine cert-to-name/map-type {
             description
               "Mappings that use the snmpTlstmCertToTSNData column
                need to augment the 'cert-to-name' list
                with additional configuration objects corresponding
                to the snmpTlstmCertToTSNData value.  Such objects
                should use the 'when' statement to make them
                conditional based on the 'map-type'.";
           }
         }
       }
     }

     grouping tls-transport {
       leaf ip {
         type inet:host;
         mandatory true;
         reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                    SNMP-TLS-TM-MIB.SnmpTLSAddress";
       }
       leaf port {
         type inet:port-number;
         default 10161;
         reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                    SNMP-TLS-TM-MIB.SnmpTLSAddress";
       }
       leaf client-fingerprint {
         type x509c2n:tls-fingerprint;
         reference "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint";
       }
       leaf server-fingerprint {
         type x509c2n:tls-fingerprint;
         reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint";
       }
       leaf server-identity {
         type snmp:admin-string;
         reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity";
       }
     }

     augment /snmp:snmp/snmp:target/snmp:transport {
       if-feature tlstm;
       case tls {
         reference "SNMP-TLS-TM-MIB.snmpTLSTCPDomain";
         container tls {
           uses tls-transport;
         }
       }
     }

     augment /snmp:snmp/snmp:target/snmp:transport {
       if-feature tlstm;
       case dtls {
         reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain";
         container dtls {
           uses tls-transport;
         }
       }
     }
   }

   

4.13.  Submodule 'ietf-snmp-ssh'

   file "ietf-snmp-ssh.yang"

   submodule ietf-snmp-ssh {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     import ietf-inet-types {
       prefix inet;
     }

     include ietf-snmp-common;
     include ietf-snmp-engine;
     include ietf-snmp-target;

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Thomas Nadeau

        WG Chair: Juergen Schoenwaelder

        Editor: Martin Bjorklund

        Editor: Juergen Schoenwaelder
       ";

     description
       "This submodule contains a collection of YANG definitions for
        configuring the Secure Shell Transport Model (SSHTM)
        of SNMP.

        Copyright (c) 2014 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC5592: Secure Shell Transport Model for the
        Simple Network Management Protocol (SNMP)";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
     revision 2014-05-06 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     feature sshtm {
       description
         "A server implements this feature if it supports the
          Secure Shell Transport Model for SNMP.";
       reference
         "RFC5592: Secure Shell Transport Model for the
          Simple Network Management Protocol (SNMP)";
     }

     augment /snmp:snmp/snmp:engine/snmp:listen/snmp:transport {
       if-feature sshtm;
       case ssh {
         container ssh {
           description
             "The IPv4 or IPv6 address and port to which the
              engine listens for SNMP messages over SSH.";

           leaf ip {
             type inet:ip-address;
             mandatory true;
             description
               "The IPv4 or IPv6 address on which the engine listens
                for SNMP messages over SSH.";
           }
           leaf port {
             type inet:port-number;
             description
               "The TCP port on which the engine listens for SNMP
                messages over SSH.

                If the port is not configured, an engine that
                acts as a Command Responder uses port 5161, and
                an engine that acts as a Notification Receiver
                uses port 5162.";
           }
         }
       }
     }

     augment /snmp:snmp/snmp:target/snmp:transport {
       if-feature sshtm;
       case ssh {
         reference "SNMP-SSH-TM-MIB.snmpSSHDomain";
         container ssh {
           leaf ip {
             type inet:host;
             mandatory true;
             reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                        SNMP-SSH-TM-MIB.SnmpSSHAddress";
           }
           leaf port {
             type inet:port-number;
             default 5161;
             reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                        SNMP-SSH-TM-MIB.SnmpSSHAddress";
           }
           leaf username {
             type string;
             reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                        SNMP-SSH-TM-MIB.SnmpSSHAddress";
           }
         }
       }
     }
   }

   

5.  IANA Considerations

   This document registers two URIs in the IETF XML registry [RFC3688].
   Following the format in RFC 3688, the following registrations are
   requested to be made.

      URI: urn:ietf:params:xml:ns:yang:ietf-snmp
      Registrant Contact: The NETMOD WG of the IETF.
      XML: N/A, the requested URI is an XML namespace.

      URI: urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name
      Registrant Contact: The NETMOD WG of the IETF.
      XML: N/A, the requested URI is an XML namespace.

   This document registers the following YANG modules in the YANG Module
   Names registry [RFC6020].

      name:         ietf-snmp
      namespace:    urn:ietf:params:xml:ns:yang:ietf-snmp
      prefix:       snmp
      reference:    RFC XXXX

      name:         ietf-x509-cert-to-name
      namespace:    urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name
      prefix:       x509c2n
      reference:    RFC XXXX

   This document registers the following YANG submodules in the YANG
   Module Names registry [RFC6020].

      name:         ietf-snmp-common
      parent:       ietf-snmp
      reference:    RFC XXXX

      name:         ietf-snmp-engine
      parent:       ietf-snmp
      reference:    RFC XXXX

      name:         ietf-snmp-community
      parent:       ietf-snmp
      reference:    RFC XXXX

      name:         ietf-snmp-notification
      parent:       ietf-snmp
      reference:    RFC XXXX

      name:         ietf-snmp-target
      parent:       ietf-snmp
      reference:    RFC XXXX

      name:         ietf-snmp-vacm
      parent:       ietf-snmp
      reference:    RFC XXXX

      name:         ietf-snmp-usm
      parent:       ietf-snmp
      reference:    RFC XXXX

      name:         ietf-snmp-tsm
      parent:       ietf-snmp
      reference:    RFC XXXX

      name:         ietf-snmp-tls
      parent:       ietf-snmp
      reference:    RFC XXXX

      name:         ietf-snmp-ssh
      parent:       ietf-snmp
      reference:    RFC XXXX

6.  Security Considerations

   The YANG module and submodules defined in this memo are designed to
   be accessed via the NETCONF protocol [RFC6241].  The lowest NETCONF
   layer is the secure transport layer and the mandatory-to-implement
   secure transport is SSH [RFC6242].
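   The 'key' leaves of the ietf-snmp-usm submodule (Section 4.10) are
   among the sensitive writable nodes discussed next: they hold the
   localized authentication and privacy keys of each USM user as
   yang:hex-string values.  The following Python is an added example,
   not code from this draft or from any implementation of it.  It shows
   how an operator derives those colon-separated values from a password
   and the engine ID (the password-to-key and key localization
   procedure of RFC 3414 Appendix A, which the draft does not repeat)
   and then checks a user entry against the constraints the submodule
   states: the 'protocol' choice is mandatory inside 'auth' and 'priv',
   the key must be a hex-string of the right length, and 'priv' is only
   valid when 'auth' is present (the "must '../auth'" statement).  The
   dict layout, the 1..32 character length check on the user name (the
   snmp:identifier type defined in the common submodule, not shown on
   this page) and the RFC 3414 test-vector engine ID are assumptions of
   the example.

```python
"""Added example (not from the draft): derive the localized keys stored in
the 'key' leaf of the ietf-snmp-usm submodule and check one user entry
against the submodule's constraints.

Key derivation follows RFC 3414 Appendix A; the draft only models where the
result is stored.  Users are plain dicts shaped like the YANG tree: 'auth'
and 'priv' containers each holding one protocol container with a 'key'."""
import hashlib
import re

# yang:hex-string (RFC 6991): hex octets separated by colons.
HEX_STRING = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*$")
AUTH_HASH = {"md5": hashlib.md5, "sha": hashlib.sha1}   # usmHMACMD5/SHAAuthProtocol
AUTH_KEY_LEN = {"md5": 16, "sha": 20}                    # localized key octets
PRIV_KEY_LEN = {"des": 16, "aes": 16}                    # DES key+pre-IV, AES-128 key
# Engine ID of the RFC 3414 Appendix A test vectors (11 zero octets, then 0x02).
RFC3414_ENGINE_ID = bytes(11) + b"\x02"


def password_to_key(password: bytes, engine_id: bytes, proto: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated/truncated to 1 MiB);
    localized key Kul = H(Ku || snmpEngineID || Ku)."""
    h = AUTH_HASH[proto]
    stream = (password * (1_048_576 // len(password) + 1))[:1_048_576]
    ku = h(stream).digest()
    return h(ku + engine_id + ku).digest()


def to_hex_string(octets: bytes) -> str:
    """Format octets the way the 'key' leaf (yang:hex-string) expects."""
    return ":".join(f"{b:02x}" for b in octets)


def build_user(name, engine_id, auth=None, priv=None):
    """Build one /snmp/usm user entry.  auth and priv are (protocol, password).
    Per RFC 3414 the privacy key is derived with the *authentication* hash and
    truncated to the cipher's key length."""
    user = {"name": name}
    if auth:
        aproto, apw = auth
        user["auth"] = {aproto: {"key": to_hex_string(password_to_key(apw, engine_id, aproto))}}
    if priv:
        pproto, ppw = priv
        # No auth configured: fall back to SHA so the (invalid) entry can be built
        # and rejected by validate_user, which is what the 'must' statement demands.
        aproto = next(iter(user["auth"])) if auth else "sha"
        kul = password_to_key(ppw, engine_id, aproto)[:PRIV_KEY_LEN[pproto]]
        user["priv"] = {pproto: {"key": to_hex_string(kul)}}
    return user


def validate_user(user: dict) -> list:
    """Return the constraint violations of one user entry (empty list = valid)."""
    problems = []
    if not 1 <= len(user.get("name", "")) <= 32:   # snmp:identifier: 1..32 chars (assumed)
        problems.append("name: must be 1..32 characters")
    for container, protos, lengths in (("auth", AUTH_HASH, AUTH_KEY_LEN),
                                       ("priv", PRIV_KEY_LEN, PRIV_KEY_LEN)):
        if container not in user:
            continue
        chosen = [p for p in user[container] if p in protos]
        if len(chosen) != 1:                        # 'choice protocol' is mandatory
            problems.append(f"{container}: exactly one of {sorted(protos)} required")
            continue
        key = user[container][chosen[0]].get("key", "")
        if not HEX_STRING.match(key) or len(key.split(":")) != lengths[chosen[0]]:
            problems.append(f"{container}/{chosen[0]}/key: expected "
                            f"{lengths[chosen[0]]} hex octets")
    if "priv" in user and "auth" not in user:       # must "../auth" on the priv container
        problems.append("priv: when privacy is used, authentication must also be used")
    return problems


if __name__ == "__main__":
    u = build_user("noc", RFC3414_ENGINE_ID,
                   auth=("sha", b"maplesyrup"), priv=("aes", b"maplesyrup"))
    print(u, validate_user(u))
```

   The MD5 and SHA-1 localized keys of the password "maplesyrup" under
   the engine ID above reproduce the RFC 3414 Appendix A.3 test
   vectors, which is the quickest check that an implementation of the
   derivation is correct before the value is written to the 'key' leaf.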
   There are a number of data nodes defined in the YANG module and
   submodules which are writable/creatable/deletable (i.e., config true,
   which is the default).  These data nodes may be considered sensitive
   or vulnerable in some network environments.  Write operations (e.g.,
   edit-config) to these data nodes without proper protection can have a
   negative effect on network operations.  These are the subtrees and
   data nodes and their sensitivity/vulnerability:

   o  The /snmp/engine subtree contains the configuration of general
      parameters of an SNMP engine such as the endpoints to listen on,
      the transports and SNMP versions enabled, or the engine's
      identity.  Write access to this subtree should only be granted to
      entities configuring general SNMP engine parameters.

   o  The /snmp/target subtree contains the configuration of SNMP
      targets and in particular which transports to use and their
      security parameters.  Write access to this subtree should only be
      granted to the security administrator and entities configuring
      SNMP notification forwarding behavior.

   o  The /snmp/notify and /snmp/notify-filter-profile subtrees contain
      the configuration of the SNMP notification forwarding and
      filtering mechanisms.  Write access to these subtrees should only
      be granted to entities configuring SNMP notification forwarding
      behavior.

   o  The /snmp/proxy subtree contains the configuration for SNMP
      proxies.  Write access to this subtree should only be granted to
      entities configuring SNMP proxies.

   o  The /snmp/community subtree contains the configuration of the
      community-based security model.  Write access to this subtree
      should only be granted to the security administrator.

   o  The /snmp/usm subtree contains the configuration of the User-based
      Security Model.  Write access to this subtree should only be
      granted to the security administrator.
   o  The /snmp/tsm subtree contains the configuration of the Transport
      Security Model for SNMP.  Write access to this subtree should only
      be granted to the security administrator.

   o  The /snmp/tlstm subtree contains the configuration of the SNMP
      transport over (D)TLS and in particular the configuration of how
      certificates are mapped to SNMP security names.  Write access to
      this subtree should only be granted to the security administrator.

   o  The /snmp/vacm subtree contains the configuration of the view-
      based access control mechanism used by SNMP to authorize access to
      management information via SNMP.  Write access to this subtree
      should only be granted to the security administrator.

   Some of the readable data nodes in the YANG module and submodules may
   be considered sensitive or vulnerable in some network environments.
   It is thus important to control read access (e.g., via get, get-
   config, or notification) to these data nodes.  These are the subtrees
   and data nodes and their sensitivity/vulnerability:

   o  The /snmp/engine subtree exposes general information about an
      SNMP engine such as which version(s) of SNMP are enabled or which
      transports are enabled.

   o  The /snmp/target subtree exposes which transports are used to
      reach certain SNMP targets and which transport-specific parameters
      are used.

   o  The /snmp/notify and /snmp/notify-filter-profile subtrees expose
      information about how notifications are filtered and forwarded to
      notification targets.

   o  The /snmp/proxy subtree exposes information about proxy
      relationships.

   o  The /snmp/community, /snmp/usm, /snmp/tsm, /snmp/tlstm, and
      /snmp/vacm subtrees are specifically sensitive since they expose
      information about the authentication and authorization policy used
      by an SNMP engine.
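   The /snmp/vacm subtree listed above is the authorization policy an
   SNMP engine applies to every request.  The following Python is an
   added example, not code from this draft or from any implementation
   of it: it evaluates a request against a configuration shaped like
   the ietf-snmp-vacm submodule of Section 4.9 (group, member, access,
   view) following the isAccessAllowed procedure of RFC 3415, and it
   checks the submodule's rule that a security-name/security-model
   pair belongs to at most one group.  Assumptions of the example: the
   'security-level' and 'security-model' values are the enumerations
   of the ietf-snmp-common submodule (not shown on this page), view
   families are numeric OIDs in which '*' wildcards one sub-identifier
   (no MIB label resolution), and when an include and an exclude family
   of equal length both match, the exclude wins.  The sample
   configuration is constructed for the example.

```python
"""Added example (not from the draft): evaluate an SNMP request against a
/snmp/vacm configuration shaped like the ietf-snmp-vacm submodule, following
the isAccessAllowed procedure of RFC 3415.

Assumptions: 'security-level'/'security-model' use the enumerations of the
ietf-snmp-common submodule (not shown on this page); view families are
numeric OIDs where '*' wildcards one sub-identifier; when an include and an
exclude family of equal length both match, the exclude wins."""

LEVEL_RANK = {"no-auth-no-priv": 1, "auth-no-priv": 2, "auth-priv": 3}

# Constructed sample configuration.  The 'noc' security name, arriving via
# USM or TSM with at least authNoPriv, may read everything under 1.3.6.1
# except the USM and VACM MIBs, may write only the system group, and has no
# notify-view (an absent leaf maps to a zero-length view name).
VACM = {
    "group": [{
        "name": "ops",
        "member": [{"security-name": "noc", "security-model": ["usm", "tsm"]}],
        "access": [{"context": "", "context-match": "exact",
                    "security-model": "any", "security-level": "auth-no-priv",
                    "read-view": "all-but-security", "write-view": "system-only"}],
    }],
    "view": [
        {"name": "all-but-security", "include": ["1.3.6.1"],
         "exclude": ["1.3.6.1.6.3.15", "1.3.6.1.6.3.16"]},
        {"name": "system-only", "include": ["1.3.6.1.2.1.1"]},
        # every column of ifEntry for ifIndex 3: the vacmViewTreeFamilyMask case
        {"name": "interface-3", "include": ["1.3.6.1.2.1.2.2.1.*.3"]},
    ],
}


def check_unique_membership(vacm):
    """'member' constraint: a (security-name, security-model) pair MUST NOT
    be present in more than one group.  Returns the offending pairs."""
    owner, dupes = {}, []
    for group in vacm["group"]:
        for m in group["member"]:
            for model in m["security-model"]:
                pair = (m["security-name"], model)
                if owner.setdefault(pair, group["name"]) != group["name"]:
                    dupes.append(pair)
    return dupes


def _family_matches(family, oid):
    """A family of n sub-ids matches an OID of length >= n when every
    sub-id is equal or the family has '*' at that position."""
    fam = family.split(".")
    return len(oid) >= len(fam) and all(f in ("*", o) for f, o in zip(fam, oid))


def oid_in_view(vacm, view_name, oid_str):
    """The longest matching family decides membership; excludes win ties."""
    view = next((v for v in vacm["view"] if v["name"] == view_name), None)
    if view is None:
        return False
    oid = oid_str.split(".")
    best_len, included = -1, False
    for kind in ("include", "exclude"):          # excludes are seen last => win ties
        for fam in view.get(kind, []):
            n = len(fam.split("."))
            if n >= best_len and _family_matches(fam, oid):
                best_len, included = n, (kind == "include")
    return included


def is_access_allowed(vacm, security_model, security_name, security_level,
                      context_name, view_type, oid):
    """RFC 3415 isAccessAllowed.  view_type is 'read', 'write' or 'notify'.
    Returns (allowed, reason) using the RFC's status names."""
    group = next((g for g in vacm["group"]
                  if any(m["security-name"] == security_name and
                         security_model in m["security-model"]
                         for m in g["member"])), None)
    if group is None:
        return False, "noGroupName"
    candidates = []
    for a in group["access"]:
        exact = a.get("context-match", "exact") == "exact"
        ctx_ok = (context_name == a["context"] if exact
                  else context_name.startswith(a["context"]))
        model_ok = a["security-model"] in ("any", security_model)
        level_ok = LEVEL_RANK[a["security-level"]] <= LEVEL_RANK[security_level]
        if ctx_ok and model_ok and level_ok:
            candidates.append(a)
    if not candidates:
        return False, "noAccessEntry"
    # RFC 3415 preference when several entries match: exact model over 'any',
    # exact context over prefix, longer prefix, higher minimum level.
    best = max(candidates, key=lambda a: (a["security-model"] != "any",
                                          a.get("context-match", "exact") == "exact",
                                          len(a["context"]),
                                          LEVEL_RANK[a["security-level"]]))
    view_name = best.get(f"{view_type}-view")   # absent leaf == zero-length name
    if not view_name:
        return False, "noSuchView"
    if not oid_in_view(vacm, view_name, oid):
        return False, "notInView"
    return True, "accessAllowed"
```

   Running is_access_allowed with the sample configuration shows the
   four distinct refusals an engine can produce (noGroupName,
   noAccessEntry, noSuchView, notInView); a reviewer of a VACM change
   can replay the requests that matter against the candidate
   configuration before it is committed, which is exactly the
   "no temporarily opened access" property the next paragraph asks for.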
   Changes to the SNMP access control rules should be made either in an
   atomic way (through a single edit-config or a single commit), or care
   must be taken that they are made in a sequence that does not
   temporarily open access to resources.  Implementations supporting
   SNMP write access must ensure that any SNMP access control rule
   changes made over NETCONF are applied atomically to the SNMP
   instrumentation as well.  In particular, changes involving an
   internal delete/create cycle (e.g., to move a user to a different
   group) must be done with sufficient protections such that even a
   power failure immediately after the delete does not leave the
   administrator locked out.

   Security administrators need to ensure that NETCONF access control
   rules and SNMP access control rules implement a consistent security
   policy.  Specifically, the SNMP access control rules should prevent
   accidental leakage of sensitive security parameters such as community
   strings.  See the Security Considerations section of [RFC3584] for
   further details.

7.  Acknowledgments

   The authors want to thank Wes Hardaker and David Spakes for their
   detailed reviews.  Additional valuable comments were provided by
   David Harrington, Borislav Lukovic and Randy Presuhn.

   Juergen Schoenwaelder was partly funded by Flamingo, a Network of
   Excellence project (ICT-318488) supported by the European Commission
   under its Seventh Framework Programme.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6241]  Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
              Bierman, "Network Configuration Protocol (NETCONF)", RFC
              6241, June 2011.
   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              March 2012.

   [RFC6991]  Schoenwaelder, J., "Common YANG Data Types", RFC 6991,
              July 2013.

8.2.  Informative References

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412,
              December 2002.

   [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62,
              RFC 3413, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415,
              December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC3584]  Frye, R., Levi, D., Routhier, S., and B. Wijnen,
              "Coexistence between Version 1, Version 2, and Version 3
              of the Internet-standard Network Management Framework",
              BCP 74, RFC 3584, August 2003.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)",
              RFC 5591, June 2009.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, June 2009.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              RFC 6353, July 2011.

   [RFC6643]  Schoenwaelder, J., "Translation of Structure of Management
              Information Version 2 (SMIv2) MIB Modules to YANG
              Modules", RFC 6643, July 2012.

Appendix A.  Example configurations

A.1.  Engine Configuration Example

   Below is an XML instance document showing a configuration of an SNMP
   engine listening on UDP port 161 on IPv4 and IPv6 endpoints and
   accepting SNMPv2c and SNMPv3 messages.

      true

      all-ipv4-udp
      0.0.0.0
      161

      all-ipv6-udp
      ::
      161

      80:00:02:b8:04:61:62:63

A.2.  Community Configuration Example

   Below is an XML instance document showing a configuration that maps
   the community name "public" to the security-name "community-public"
   on the local engine with the default context name.  The target tag
   "community-public-access" filters the access to this community name.

      1
      public
      community-public
      community-public-access

      management-station
      2001:db8::abcd
      161
      blue
      community-public-access
      v2c-public

      v2c-public
      community-public

A.3.  User-based Security Model Configuration Example

   Below is an XML instance document showing the configuration of a
   local user "joey" who has no authentication or privacy keys.  For the
   remote SNMP engine identified by the snmpEngineID
   '800002b804616263'H, two users are configured.  The user "matt" has a
   localized SHA authentication key and the user "russ" has a localized
   SHA authentication key and an AES encryption key.
      joey

      00:00:00:00:00:00:00:00:00:00:00:02

      matt
      66:95:fe:bc:92:88:e3:62:82:23:5f:c7:15:1f:12:84:97:b3:8f:3f

      russ
      66:95:fe:bc:92:88:e3:62:82:23:5f:c7:15:1f:12:84:97:b3:8f:3f
      66:95:fe:bc:92:88:e3:62:82:23:5f:c7:15:1f:12:84

      bluebox
      2001:db8::abcd
      161
      blue
      matt-auth

      matt-auth
      matt
      auth-no-priv

A.4.  Target and Notification Configuration Example

   Below is an XML instance document showing the configuration of a
   notification generator application (see Appendix A of [RFC3413]).
   Note that the USM-specific objects are defined in the
   ietf-snmp-usm.yang submodule.

      addr1
      192.0.2.3
      162
      group1
      joe-auth

      addr2
      192.0.2.6
      162
      group1
      joe-auth

      addr3
      192.0.2.9
      162
      group2
      bob-priv

      joe-auth
      joe
      auth-no-priv

      bob-priv
      bob
      auth-priv

      group1
      group1
      trap

      group2
      group2
      trap

A.5.  Proxy Configuration Example

   Below is an XML instance document showing the configuration of a
   proxy forwarder application.  It proxies SNMPv2c messages from
   command generators to a file server running an SNMPv1 agent that
   recognizes two community strings, "private" and "public", with
   different associated read views.  The file server is represented as
   two "target" instances, one for each community string.
   If the proxy receives an SNMPv2c message with the community string
   "public" from a device in the "Office Network" or "Home Office
   Network", it gets tagged as "trusted", and the proxy uses the
   "private" community string when sending the message to the file
   server.  Other SNMPv2c messages with the community string "public"
   get tagged as "non-trusted", and the proxy uses the "public"
   community string for these messages.  There is also a special
   "backdoor" community string that can be used from any location to get
   "trusted" access.

   The "Office Network" and "Home Office Network" are represented as two
   "target" instances.  These "target" instances have target-params
   "none", which refers to a non-existing target-params entry.

      File Server (private)
      192.0.2.1
      v1-private

      File Server (public)
      192.0.2.1
      v1-public

      Office Network
      192.0.2.0
      24
      office
      none

      Home Office Network
      203.0.113.0
      24
      home-office
      none

      v1-private
      private

      v1-public
      public

      v2c-public
      public

      c1
      public
      80:00:61:81:c8
      trusted
      office

      c2
      public
      80:00:61:81:c8
      trusted
      home-office

      c3
      public
      80:00:61:81:c8
      not-trusted

      c4
      backdoor
      public
      80:00:61:81:c8
      trusted

      c5
      private
      80:00:61:81:c8
      trusted

      p1
      read
      80:00:61:81:c8
      trusted
      v2c-public
      File Server (private)

      p2
      read
      80:00:61:81:c8
      not-trusted
      v2c-public
      File Server (public)

   If an SNMPv2c Get request with community string "public" is received
   from an IP address tagged as "office" or "home-office", or if the
   request is received from anywhere else with community string
   "backdoor", the implied context is "trusted" and so proxy entry "p1"
   matches.  The request is forwarded to the file server as SNMPv1 with
   community "private", using community table entry "c5" for the
   outbound params lookup.

   If an SNMPv2c Get request with community string "public" is received
   from any other IP address, the implied context is "not-trusted", so
   proxy entry "p2" matches, and the request is forwarded to the file
   server as SNMPv1 with community "public".

A.6.  View-based Access Control Model Configuration Example

   Below is an XML instance document showing the minimum-secure VACM
   configuration (see Appendix A of [RFC3415]).

      initial
      initial
      usm

      usm
      no-auth-no-priv
      restricted
      restricted

      usm
      auth-no-priv
      internet
      internet
      internet

      initial
      1.3.6.1

      restricted
      1.3.6.1

   The following XML instance document shows the semi-secure VACM
   configuration (only the view configuration is different).

      initial
      initial
      usm

      usm
      no-auth-no-priv
      restricted
      restricted

      usm
      auth-no-priv
      internet
      internet
      internet

      initial
      1.3.6.1

      restricted
      1.3.6.1.2.1.1
      1.3.6.1.2.1.11
      1.3.6.1.6.3.10.2.1
      1.3.6.1.6.3.11.2.1
      1.3.6.1.6.3.15.1.1

A.7.  Transport Layer Security Transport Model Configuration Example

   Below is an XML instance document showing the configuration of the
   certificate to security name mapping (see Appendix A.2 and A.3 of
   [RFC6353]).
      1
      11:0A:05:11:00
      x509c2n:san-any

      2
      11:0A:05:11:00
      x509c2n:specified
      Joe Cool

Authors' Addresses

   Martin Bjorklund
   Tail-f Systems

   Email: mbj@tail-f.com

   Juergen Schoenwaelder
   Jacobs University

   Email: j.schoenwaelder@jacobs-university.de
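   As an added worked example (not part of this draft and not code from
   any ietf-snmp implementation), the following Python script walks
   through the matching logic described in Appendix A.5 and A.6: how the
   proxy's community and proxy tables turn a source address and a
   community string into a context and an outbound community, and how a
   VACM group, access and view lookup decides whether a read of a given
   OID is permitted under the minimum-secure and semi-secure
   configurations.  The tables are constructed from the values in
   Appendix A; their field names are informal and are not the YANG node
   names of the module.  The view that the access entries reference is
   keyed as "internet" in the table (an assumption of this example).
   The VACM lookup is deliberately simplified: it matches context,
   security model and security level exactly and ignores view masks and
   excluded subtrees, which RFC 3415 specifies.

```python
"""Added walk-through of the Appendix A.5 proxy and A.6 VACM examples.

Constructed illustration, not code from the draft.  The tables are built
from the values in Appendix A; the dictionary keys are informal names,
not the YANG node names of ietf-snmp.
"""
import ipaddress

# Appendix A.5: tagged source networks.  The draft expresses these as
# "target" entries with target-params "none"; here they are a dict.
SOURCE_NETWORKS = {
    "office": ipaddress.ip_network("192.0.2.0/24"),
    "home-office": ipaddress.ip_network("203.0.113.0/24"),
}

# Community entries c1..c5 in table order.  Entries without a distinct
# community string use their security name ("public"/"private") as the
# string on the wire.  source_tag None means "from any location".
COMMUNITIES = [
    {"index": "c1", "string": "public", "context": "trusted", "source_tag": "office"},
    {"index": "c2", "string": "public", "context": "trusted", "source_tag": "home-office"},
    {"index": "c3", "string": "public", "context": "not-trusted", "source_tag": None},
    {"index": "c4", "string": "backdoor", "context": "trusted", "source_tag": None},
    {"index": "c5", "string": "private", "context": "trusted", "source_tag": None},
]

# Proxy entries p1/p2: inbound context -> outbound target and the
# SNMPv1 community carried by that target's target-params.
PROXIES = [
    {"name": "p1", "context": "trusted", "target_out": "File Server (private)", "community_out": "private"},
    {"name": "p2", "context": "not-trusted", "target_out": "File Server (public)", "community_out": "public"},
]


def resolve_context(src_ip, community):
    """Map an inbound SNMPv2c (source address, community string) to
    (community index, context name); None when no entry matches."""
    src = ipaddress.ip_address(src_ip)
    for entry in COMMUNITIES:
        if entry["string"] != community:
            continue
        tag = entry["source_tag"]
        if tag is None or src in SOURCE_NETWORKS[tag]:
            return entry["index"], entry["context"]
    return None


def forward(src_ip, community):
    """Return (proxy name, outbound target, outbound community) for a
    request, or None when neither the community nor the proxy table matches."""
    resolved = resolve_context(src_ip, community)
    if resolved is None:
        return None
    _, context = resolved
    for proxy in PROXIES:
        if proxy["context"] == context:
            return proxy["name"], proxy["target_out"], proxy["community_out"]
    return None


# Appendix A.6: semi-secure VACM configuration.  Keys:
#   groups: (security-model, security-name) -> group name
#   access: (group, security-model, security-level) -> read/write/notify views
#   views:  view name -> list of included OID subtrees
VACM_SEMI_SECURE = {
    "groups": {("usm", "initial"): "initial"},
    "access": {
        ("initial", "usm", "no-auth-no-priv"):
            {"read": "restricted", "write": None, "notify": "restricted"},
        ("initial", "usm", "auth-no-priv"):
            {"read": "internet", "write": "internet", "notify": "internet"},
    },
    "views": {
        "internet": ["1.3.6.1"],
        "restricted": ["1.3.6.1.2.1.1", "1.3.6.1.2.1.11", "1.3.6.1.6.3.10.2.1",
                       "1.3.6.1.6.3.11.2.1", "1.3.6.1.6.3.15.1.1"],
    },
}

# Minimum-secure differs only in the "restricted" view, which opens the
# whole internet subtree to unauthenticated reads.
VACM_MINIMUM_SECURE = dict(VACM_SEMI_SECURE,
                           views={"internet": ["1.3.6.1"], "restricted": ["1.3.6.1"]})


def in_view(subtrees, oid):
    """True when oid lies under an included subtree (masks/excludes ignored)."""
    parts = oid.split(".")
    return any(parts[:len(s.split("."))] == s.split(".") for s in subtrees)


def vacm_read_allowed(vacm, security_model, security_level, security_name, oid):
    """Group -> access -> view lookup for a read, with exact-match semantics."""
    group = vacm["groups"].get((security_model, security_name))
    if group is None:
        return False
    access = vacm["access"].get((group, security_model, security_level))
    if access is None or access["read"] is None:
        return False
    return in_view(vacm["views"][access["read"]], oid)


if __name__ == "__main__":
    print(forward("192.0.2.5", "public"))        # p1, private community
    print(forward("198.51.100.7", "public"))     # p2, public community
    print(vacm_read_allowed(VACM_SEMI_SECURE, "usm", "no-auth-no-priv",
                            "initial", "1.3.6.1.2.1.2.2.1.2.1"))  # False
```

   The run shows the two points the appendix text makes in prose: the
   community table is searched in order, so the tagged "office" and
   "home-office" entries win over the untagged "not-trusted" entry for
   the same string, and under the semi-secure VACM configuration an
   unauthenticated read of the interfaces table (under 1.3.6.1.2.1.2) is
   refused while the same read of sysDescr (under 1.3.6.1.2.1.1) and any
   authenticated read succeed.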