Network Working Group                                       M. Bjorklund
Internet-Draft                                            Tail-f Systems
Intended status: Standards Track                        J. Schoenwaelder
Expires: March 22, 2015                                Jacobs University
                                                      September 18, 2014


               A YANG Data Model for SNMP Configuration
                      draft-ietf-netmod-snmp-cfg-08

Abstract

   This document defines a collection of YANG definitions for
   configuring SNMP engines.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 22, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Data Model
     2.1.  Tree Diagrams
     2.2.  General Considerations
     2.3.  Common Definitions
     2.4.  Engine Configuration
     2.5.  Target Configuration
     2.6.  Notification Configuration
     2.7.  Proxy Configuration
     2.8.  Community Configuration
     2.9.  View-based Access Control Model Configuration
     2.10. User-based Security Model Configuration
     2.11. Transport Security Model Configuration
     2.12. Transport Layer Security Transport Model Configuration
     2.13. Secure Shell Transport Model Configuration
   3.  Implementation Guidelines
     3.1.  Supporting read-only SNMP Access
     3.2.  Supporting read-write SNMP access
   4.  Definitions
     4.1.  Module 'ietf-x509-cert-to-name'
     4.2.  Module 'ietf-snmp'
     4.3.  Submodule 'ietf-snmp-common'
     4.4.  Submodule 'ietf-snmp-engine'
     4.5.  Submodule 'ietf-snmp-target'
     4.6.  Submodule 'ietf-snmp-notification'
     4.7.  Submodule 'ietf-snmp-proxy'
     4.8.  Submodule 'ietf-snmp-community'
     4.9.  Submodule 'ietf-snmp-vacm'
     4.10. Submodule 'ietf-snmp-usm'
     4.11. Submodule 'ietf-snmp-tsm'
     4.12. Submodule 'ietf-snmp-tls'
     4.13. Submodule 'ietf-snmp-ssh'
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Example configurations
     A.1.  Engine Configuration Example
     A.2.  Community Configuration Example
     A.3.  User-based Security Model Configuration Example
     A.4.  Target and Notification Configuration Example
     A.5.  Proxy Configuration Example
     A.6.  View-based Access Control Model Configuration Example
     A.7.  Transport Layer Security Transport Model Configuration
           Example
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020] data model for the
   configuration of SNMP engines.  The configuration model is consistent
   with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413],
   [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591], [RFC5592], and
   [RFC6353] but takes advantage of YANG's ability to define
   hierarchical configuration data models.

   The configuration data model in particular has been designed for SNMP
   deployments where SNMP runs in read-only mode and NETCONF is used to
   configure the SNMP agent.  Nevertheless, the data model allows
   implementations that support write access both via SNMP and NETCONF
   in order to interwork with SNMP-based management applications that
   manipulate SNMP agent configuration using SNMP.  Further details
   can be found in Section 3.
   The YANG data model focuses on configuration.  Operational state
   objects are not explicitly modeled.  The operational state of an
   SNMP agent can either be accessed directly via SNMP or,
   alternatively, via NETCONF using the read-only translation of the
   relevant SNMP MIB modules into YANG modules [RFC6643].

   This document also defines a YANG data model for mapping an X.509
   certificate to a name.

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14, [RFC2119].

2.  Data Model

   In order to preserve the modularity of SNMP, the YANG configuration
   data model is organized in a set of YANG submodules, all sharing the
   same module namespace.  This allows adding configuration support for
   additional SNMP features while keeping the number of namespaces that
   have to be dealt with down to a minimum.

2.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is as
   follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!"
      means a presence container, and "*" denotes a list and leaf-list.

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.2.  General Considerations

   Most YANG nodes are mapped 1-1 to the corresponding MIB object.  The
   "reference" statement is used to indicate which corresponding MIB
   object the YANG node is mapped to.  When there is not a simple 1-1
   mapping, the "description" statement explains the mapping.
   The persistency models in SNMP and NETCONF are quite different.  In
   NETCONF, the persistency is defined by the datastore, whereas in SNMP
   it is defined either explicitly in the data model, or on a row-by-row
   basis by using the TEXTUAL-CONVENTION "StorageType".  Thus, in the
   YANG model defined here, the "StorageType" columns are not present.
   For implementation guidelines, see Section 3.

   In SNMP, row creation and deletion are controlled by using the
   TEXTUAL-CONVENTION "RowStatus".  In NETCONF, creation and deletion
   are handled by the protocol, not in the data model.  Thus, in the
   YANG model defined here, the "RowStatus" columns are not present.

2.3.  Common Definitions

   The submodule "ietf-snmp-common" defines a set of common typedefs and
   the top-level container "snmp".  All configuration parameters defined
   in the other submodules are organized under this top-level container.

2.4.  Engine Configuration

   The submodule "ietf-snmp-engine", which defines configuration
   parameters that are specific to SNMP engines, has the following
   structure:

     +--rw snmp
        +--rw engine
           +--rw enabled?               boolean
           +--rw listen* [name]
           |  +--rw name           snmp:identifier
           |  +--rw (transport)
           |     +--:(udp)
           |        +--rw udp
           |           +--rw ip      inet:ip-address
           |           +--rw port?   inet:port-number
           +--rw version
           |  +--rw v1?   empty
           |  +--rw v2c?  empty
           |  +--rw v3?   empty
           +--rw engine-id?             snmp:engine-id
           +--rw enable-authen-traps?   boolean

   The leaf "/snmp/engine/enabled" can be used to enable/disable an SNMP
   engine.

   The list "/snmp/engine/listen" provides configuration of the
   transport endpoints the engine listens on.  In this submodule,
   SNMP over UDP is defined.  SSH, TLS and Datagram Transport Layer
   Security (DTLS) are also supported, defined in "ietf-snmp-ssh"
   (Section 2.13) and "ietf-snmp-tls" (Section 2.12), respectively.  The
   "transport" choice is expected to be augmented for other transports.

   The "/snmp/engine/version" container can be used to enable/disable
   the different message processing models [RFC3411].

2.5.  Target Configuration

   The submodule "ietf-snmp-target", which defines configuration
   parameters that correspond to the objects in SNMP-TARGET-MIB, has the
   following structure:

     +--rw snmp
        +--rw target* [name]
        |  +--rw name              snmp:identifier
        |  +--rw (transport)
        |  |  +--:(udp)
        |  |     +--rw udp
        |  |        +--rw ip               inet:ip-address
        |  |        +--rw port?            inet:port-number
        |  |        +--rw prefix-length?   uint8
        |  +--rw tag*              snmp:identifier
        |  +--rw timeout?          uint32
        |  +--rw retries?          uint8
        |  +--rw target-params     snmp:identifier
        +--rw target-params* [name]
           +--rw name        snmp:identifier
           +--rw (params)?

   An entry in the list "/snmp/target" corresponds to an
   "snmpTargetAddrEntry".

   The "snmpTargetAddrTDomain" and "snmpTargetAddrTAddress" objects are
   mapped to transport-specific YANG nodes.  Each transport is
   configured as a separate case in the "transport" choice.  In this
   submodule, SNMP over UDP is defined.  SSH, TLS and DTLS are also
   supported, defined in "ietf-snmp-ssh" (Section 2.13) and
   "ietf-snmp-tls" (Section 2.12), respectively.  The "transport" choice
   is expected to be augmented for other transports.

   An entry in the list "/snmp/target-params" corresponds to an
   "snmpTargetParamsEntry".  This list contains a choice "params", which
   is augmented by security model specific submodules, currently
   "ietf-snmp-community" (Section 2.8), "ietf-snmp-usm" (Section 2.10),
   and "ietf-snmp-tsm" (Section 2.11).

2.6.  Notification Configuration

   The submodule "ietf-snmp-notification", which defines configuration
   parameters that correspond to the objects in SNMP-NOTIFICATION-MIB,
   has the following structure:

     +--rw snmp
        +--rw notify* [name]
        |  +--rw name    snmp:identifier
        |  +--rw tag     snmp:identifier
        |  +--rw type?   enumeration
        +--rw notify-filter-profile* [name]
           +--rw name       snmp:identifier
           +--rw include*   snmp:wildcard-object-identifier
           +--rw exclude*   snmp:wildcard-object-identifier

   It also augments the "target-params" list defined in the
   "ietf-snmp-target" submodule (Section 2.5) with one leaf:

     +--rw snmp
        +--rw target-params* [name]
           ...
           +--rw notify-filter-profile?   leafref

   An entry in the list "/snmp/notify" corresponds to an
   "snmpNotifyEntry".

   An entry in the list "/snmp/notify-filter-profile" corresponds to an
   "snmpNotifyFilterProfileEntry".  In the MIB, there is a sparse
   relationship between "snmpTargetParamsTable" and
   "snmpNotifyFilterProfileTable".  In the YANG model, this sparse
   relationship is represented with a leafref leaf
   "notify-filter-profile" in the "/snmp/target-params" list, which
   refers to an entry in the "/snmp/notify-filter-profile" list.

   The "snmpNotifyFilterTable" is represented as the leaf-lists
   "include" and "exclude" within the "/snmp/notify-filter-profile"
   list.

   This submodule defines the feature "notification-filter".  A server
   implements this feature if it supports SNMP notification filtering
   [RFC3413].

2.7.  Proxy Configuration

   The submodule "ietf-snmp-proxy", which defines configuration
   parameters that correspond to the objects in SNMP-PROXY-MIB, has the
   following structure:

     +--rw snmp
        +--rw proxy* [name]
           +--rw name                   snmp:identifier
           +--rw type                   enumeration
           +--rw context-engine-id      snmp:engine-id
           +--rw context-name?          snmp:context-name
           +--rw target-params-in?      snmp:identifier
           +--rw single-target-out?     snmp:identifier
           +--rw multiple-target-out?   snmp:identifier

   An entry in the list "/snmp/proxy" corresponds to an
   "snmpProxyEntry".

   This submodule defines the feature "proxy".  A server implements this
   feature if it can act as an SNMP Proxy [RFC3413].

2.8.  Community Configuration

   The submodule "ietf-snmp-community", which defines configuration
   parameters that correspond to the objects in SNMP-COMMUNITY-MIB, has
   the following structure:

     +--rw snmp
        +--rw community* [index]
           +--rw index            snmp:identifier
           +--rw (name)?
           |  +--:(text-name)
           |  |  +--rw text-name?     string
           |  +--:(binary-name)
           |     +--rw binary-name?   binary
           +--rw security-name    snmp:security-name
           +--rw engine-id?       snmp:engine-id
           +--rw context?         snmp:context-name
           +--rw target-tag?      snmp:identifier

   It also augments the "/snmp/target-params/params" choice with nodes
   for the Community-Based Security Model used by SNMPv1 and SNMPv2c:

     +--rw snmp
        +--rw target-params* [name]
        |  ...
        |  +--rw (params)?
        |     +--:(v1)
        |     |  +--rw v1
        |     |     +--rw security-name   snmp:security-name
        |     +--:(v2c)
        |        +--rw v2c
        |           +--rw security-name   snmp:security-name
        +--rw target* [name]
           +--rw mms?   union

   An entry in the list "/snmp/community" corresponds to an
   "snmpCommunityEntry".

   When a case "v1" or "v2c" is chosen, it implies a
   snmpTargetParamsMPModel 0 (SNMPv1) or 1 (SNMPv2c), and a
   snmpTargetParamsSecurityModel 1 (SNMPv1) or 2 (SNMPv2c),
   respectively.  Both cases imply a snmpTargetParamsSecurityLevel of
   noAuthNoPriv.

2.9.  View-based Access Control Model Configuration

   The submodule "ietf-snmp-vacm", which defines configuration
   parameters that correspond to the objects in SNMP-VIEW-BASED-ACM-MIB,
   has the following structure:

     +--rw snmp
        +--rw vacm
           +--rw group* [name]
           |  +--rw name      group-name
           |  +--rw member* [security-name]
           |  |  +--rw security-name     snmp:security-name
           |  |  +--rw security-model*   snmp:security-model
           |  +--rw access* [context security-model security-level]
           |     +--rw context          snmp:context-name
           |     +--rw context-match?   enumeration
           |     +--rw security-model   snmp:security-model-or-any
           |     +--rw security-level   snmp:security-level
           |     +--rw read-view?       view-name
           |     +--rw write-view?      view-name
           |     +--rw notify-view?     view-name
           +--rw view* [name]
              +--rw name       view-name
              +--rw include*   snmp:wildcard-object-identifier
              +--rw exclude*   snmp:wildcard-object-identifier

   The "vacmSecurityToGroupTable" and "vacmAccessTable" are mapped to a
   structure of nested lists in the YANG model.  Groups are defined in
   the list "/snmp/vacm/group" and for each group there is a sublist
   "member" that maps to "vacmSecurityToGroupTable", and a sublist
   "access" that maps to "vacmAccessTable".

   MIB views are defined in the list "/snmp/vacm/view" and for each MIB
   view there is a leaf-list of included subtree families and a
   leaf-list of excluded subtree families.  This is more compact and
   thus a more readable representation of the "vacmViewTreeFamilyTable".

2.10.  User-based Security Model Configuration

   The submodule "ietf-snmp-usm", which defines configuration parameters
   that correspond to the objects in SNMP-USER-BASED-SM-MIB, has the
   following structure:

     +--rw snmp
        +--rw usm
           +--rw local
           |  +--rw user* [name]
           |     +-- {common user params}
           +--rw remote* [engine-id]
              +--rw engine-id   snmp:engine-id
              +--rw user* [name]
                 +-- {common user params}

   The "{common user params}" are:

     +--rw name    snmp:identifier
     +--rw auth!
     |  +--rw (protocol)
     |     +--:(md5)
     |     |  +--rw md5
     |     |     +--rw key   yang:hex-string
     |     +--:(sha)
     |        +--rw sha
     |           +--rw key   yang:hex-string
     +--rw priv!
        +--rw (protocol)
           +--:(des)
           |  +--rw des
           |     +--rw key   yang:hex-string
           +--:(aes)
              +--rw aes
                 +--rw key   yang:hex-string

   It also augments the "/snmp/target-params/params" choice with nodes
   for the SNMP User-based Security Model.

     +--rw snmp
        +--rw target-params* [name]
           ...
           +--rw (params)?
              +--:(usm)
                 +--rw usm
                    +--rw user-name        snmp:security-name
                    +--rw security-level   security-level

   In the MIB, there is a single table with local and remote users,
   indexed by the engine id and user name.  In the YANG model, there is
   one list of local users, and a nested list of remote users.

   In the MIB, there are several objects related to changing the
   authentication and privacy keys.  These objects are not present in
   the YANG model.  Instead, the localized keys themselves are
   configured and can be changed directly.  Since a localized key is
   derived from the engine id, changing the engine id requires all
   users' keys to be changed as well.

2.11.  Transport Security Model Configuration

   The submodule "ietf-snmp-tsm", which defines configuration parameters
   that correspond to the objects in SNMP-TSM-MIB, has the following
   structure:

     +--rw snmp
        +--rw tsm
           +--rw use-prefix?   boolean

   It also augments the "/snmp/target-params/params" choice with nodes
   for the SNMP Transport Security Model.

     +--rw snmp
        +--rw target-params* [name]
           ...
           +--rw (params)?
              +--:(tsm)
                 +--rw tsm
                    +--rw security-name    snmp:security-name
                    +--rw security-level   security-level

   This submodule defines the feature "tsm".  A server implements this
   feature if it supports the Transport Security Model (tsm) [RFC5591].

2.12.  Transport Layer Security Transport Model Configuration

   The submodule "ietf-snmp-tls", which defines configuration parameters
   that correspond to the objects in SNMP-TLS-TM-MIB, has the following
   structure:

     +--rw snmp
        ...
        +--rw target* [name]
        |  ...
        |  +--rw (transport)
        |     ...
        |     +--:(tls)
        |     |  +--rw tls
        |     |     +-- {common (d)tls transport params}
        |     +--:(dtls)
        |        +--rw dtls
        |           +-- {common (d)tls transport params}
        +--rw tlstm
           +--rw cert-to-name* [id]
              +--rw id             uint32
              +--rw fingerprint    x509c2n:tls-fingerprint
              +--rw map-type       identityref
              +--rw name           string

   The "{common (d)tls transport params}" are:

     +--rw ip?                   inet:host
     +--rw port?                 inet:port-number
     +--rw client-fingerprint?   x509c2n:tls-fingerprint
     +--rw server-fingerprint?   x509c2n:tls-fingerprint
     +--rw server-identity?      snmp:admin-string

   It also augments the "/snmp/engine/listen/transport" choice with
   objects for the (D)TLS transport endpoints:

     +--rw snmp
        +--rw engine
           ...
           +--rw listen* [name]
              ...
              +--rw (transport)
                 ...
                 +--:(tls)
                 |  +--rw tls
                 |     +--rw ip      inet:ip-address
                 |     +--rw port?   inet:port-number
                 +--:(dtls)
                    +--rw dtls
                       +--rw ip      inet:ip-address
                       +--rw port?   inet:port-number

   This submodule defines the feature "tlstm".  A server implements this
   feature if it supports the Transport Layer Security (TLS) Transport
   Model (tlstm) [RFC6353].

2.13.  Secure Shell Transport Model Configuration

   The submodule "ietf-snmp-ssh", which defines configuration parameters
   that correspond to the objects in SNMP-SSH-TM-MIB, has the following
   structure:

     +--rw snmp
        ...
        +--rw target* [name]
           ...
           +--rw (transport)
              ...
              +--:(ssh)
                 +--rw ssh
                    +--rw ip          inet:host
                    +--rw port?       inet:port-number
                    +--rw username?   string

   It also augments the "/snmp/engine/listen/transport" choice with
   objects for the SSH transport endpoints:

     +--rw snmp
        +--rw engine
           ...
           +--rw listen* [name]
              ...
              +--rw (transport)
                 ...
                 +--:(ssh)
                    +--rw ssh
                       +--rw ip          inet:host
                       +--rw port?       inet:port-number
                       +--rw username?   string

   This submodule defines the feature "sshtm".  A server implements this
   feature if it supports the Secure Shell (SSH) Transport Model (sshtm)
   [RFC5592].

3.  Implementation Guidelines

   This section describes some challenges for implementations that
   support both the YANG models defined in this document, and either
   read-write or read-only SNMP access to the same data, using the
   standard MIB modules.

   As described in Section 2.2, the persistency models in NETCONF and
   SNMP are quite different.  This poses a challenge for an
   implementation to support both NETCONF and SNMP access to the same
   data, in particular if the data is writable over both protocols.
   Specifically, the configuration data may exist in some combination of
   the three NETCONF configuration datastores, and this data must be
   mapped to rows in the SNMP tables, in some SNMP contexts, with proper
   values for the StorageType columns.

   This problem is not new; it has been handled in many implementations
   that support configuration of the SNMP engine over a command line
   interface (CLI), which normally have a persistency model similar to
   NETCONF.

   Since there is not one solution that works for all cases, this
   document does not provide a recommended solution.  Instead some of
   the challenges involved are described below.

3.1.  Supporting read-only SNMP Access

   If a device implements only :writable-running, it is trivial to map
   the contents of "running" to data in the SNMP tables, where all
   instances of the StorageType columns have the value "nonVolatile".

   If a device implements :candidate, but not :startup, the
   implementation may choose to not expose the contents of the
   "candidate" datastore over SNMP, and map the contents of "running" as
   described above.  As an option, the contents of "candidate" might be
   accessible in a separate SNMP context.

   If a device implements :startup, the handling of StorageType becomes
   more difficult.  Since the contents of "running" and "startup" might
   differ, data in running cannot automatically be mapped to instances
   with StorageType "nonVolatile".  If a particular entry exists in
   "running" but not in "startup", its StorageType should be "volatile".
   If a particular entry exists in "startup", but not "running", it
   should not be mapped to an SNMP instance, at least not in the default
   SNMP context.

3.2.  Supporting read-write SNMP access

   If the implementation supports read-write access to data over SNMP,
   and specifically creation of table rows, special attention has to be
   given to the handling of the RowStatus and StorageType columns.  The
   problem is to determine which table rows to store in the
   configuration datastores, and which configuration datastore is
   appropriate for each row.

   The SNMP tables contain a mix of configured data and operational
   state, and only rows with an "active" RowStatus column should be
   stored in a configuration datastore.

   If a device implements only :writable-running, "active" rows with a
   "nonVolatile" StorageType column can be stored in "running".  Rows
   with a "volatile" StorageType column are operational state.

   If a device implements :candidate, but not :writable-running, all
   configuration changes typically go through the "candidate", even if
   they are done over SNMP.  An implementation might have to perform
   some automatic commit of the "candidate" when data is written over
   SNMP, since there is no explicit "commit" operation in SNMP.

   If a device implements :startup, "nonVolatile" rows cannot just be
   written to "running", they must also be copied into "startup".
   "volatile" rows may be treated as operational state and not copied to
   any datastore, or copied into "running".
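   The following Python is an added example, not code from this draft,
   that turns the rules of Sections 3.1 and 3.2 into two decision
   procedures: one derives the StorageType of the rows exposed over SNMP
   from the NETCONF datastores, the other decides which datastore an
   SNMP-written row lands in.  Everything here is assumed for
   illustration: entries are identified by their YANG list key, the
   datastore contents are constructed sample data, and "volatile" rows
   written over SNMP are kept as operational state (the draft also
   permits copying them into "running").

```python
"""StorageType mapping between NETCONF datastores and SNMP table rows.

Added example, not code from the draft: it encodes the rules of
Sections 3.1 and 3.2 for an agent whose SNMP configuration lives in
the NETCONF datastores.  Entries are keyed by their YANG list key
(an assumption; the draft does not prescribe a representation).
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class StorageType(IntEnum):
    """RFC 2579 StorageType values carried by the SNMP tables."""
    OTHER = 1
    VOLATILE = 2
    NON_VOLATILE = 3
    PERMANENT = 4
    READ_ONLY = 5


class RowStatus(IntEnum):
    """RFC 2579 RowStatus; only active rows count as configuration."""
    ACTIVE = 1
    NOT_IN_SERVICE = 2
    NOT_READY = 3


@dataclass(frozen=True)
class Capabilities:
    """The NETCONF capabilities that decide the mapping."""
    writable_running: bool = True
    candidate: bool = False
    startup: bool = False


@dataclass(frozen=True)
class Row:
    value: dict
    status: RowStatus
    storage: StorageType


def rows_for_snmp(caps: Capabilities, running: dict,
                  startup: dict | None = None) -> dict[str, Row]:
    """Section 3.1 (read-only SNMP): derive table rows from the datastores.

    Without :startup, every entry in running is nonVolatile.  With
    :startup, an entry in running but not in startup is volatile, and
    an entry only in startup is not exposed in the default context."""
    rows = {}
    for key, value in running.items():
        if caps.startup and key not in (startup or {}):
            storage = StorageType.VOLATILE
        else:
            storage = StorageType.NON_VOLATILE
        rows[key] = Row(value, RowStatus.ACTIVE, storage)
    return rows


def datastores_from_snmp(caps: Capabilities,
                         rows: dict[str, Row]) -> dict[str, dict]:
    """Section 3.2 (read-write SNMP): decide where SNMP-written rows go.

    Rows that are not active, and active volatile rows, are treated as
    operational state.  Active nonVolatile rows go into running and,
    with :startup, are copied into startup.  On a :candidate-only
    device they are staged in candidate and committed at once, since
    SNMP has no commit operation."""
    out = {"candidate": {}, "running": {}, "startup": {}, "operational": {}}
    for key, row in rows.items():
        if (row.status is RowStatus.ACTIVE
                and row.storage is StorageType.NON_VOLATILE):
            if caps.candidate and not caps.writable_running:
                out["candidate"][key] = row.value   # then auto-committed
            out["running"][key] = row.value
            if caps.startup:
                out["startup"][key] = row.value
        else:
            out["operational"][key] = row.value
    return out


def demo() -> dict[str, str]:
    """Constructed datastores on a device with :writable-running and :startup."""
    caps = Capabilities(writable_running=True, startup=True)
    running = {"nms1": {"ip": "192.0.2.10"}, "lab": {"ip": "192.0.2.99"}}
    startup = {"nms1": {"ip": "192.0.2.10"}, "old": {"ip": "192.0.2.5"}}
    # "lab" exists in running only -> volatile; "old" is not exposed at all
    rows = rows_for_snmp(caps, running, startup)
    return {key: row.storage.name for key, row in rows.items()}
```

   The two functions are deliberately not inverses of each other: an
   entry present only in "startup" disappears from the SNMP view, and a
   row created over SNMP with a "volatile" StorageType never reaches a
   configuration datastore, which is exactly the asymmetry the text
   above describes.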
   Cooperating SNMP management applications may use spin lock objects
   (snmpTargetSpinLock [RFC3413], usmUserSpinLock [RFC3414],
   vacmViewSpinLock [RFC3415]) to coordinate concurrent write requests.
   Implementations supporting modifications of MIB objects protected by
   a spin lock via NETCONF should ensure that the spin lock objects are
   properly incremented whenever objects are changed via NETCONF.  This
   allows cooperating SNMP management applications to discover that
   concurrent modifications are taking place.

4.  Definitions

4.1.  Module 'ietf-x509-cert-to-name'

   This YANG module imports typedefs from [RFC6991].

   file "ietf-x509-cert-to-name.yang"

module ietf-x509-cert-to-name {

  namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name";
  prefix x509c2n;

  import ietf-yang-types {
    prefix yang;
  }

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor:   Martin Bjorklund

     Editor:   Juergen Schoenwaelder
    ";

  description
    "This module contains a collection of YANG definitions for
     extracting a name from an X.509 certificate.

     The algorithm used to extract a name from an X.509 certificate
     was first defined in RFC 6353.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";
  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC6353: Transport Layer Security (TLS) Transport Model for
              the Simple Network Management Protocol (SNMP)";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  typedef tls-fingerprint {
    type yang:hex-string {
      pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
    }
    description
      "A fingerprint value that can be used to uniquely reference
       other data of potentially arbitrary length.

       A tls-fingerprint value is composed of a 1-octet hashing
       algorithm identifier followed by the fingerprint value.  The
       first octet value identifying the hashing algorithm is taken
       from the IANA TLS HashAlgorithm Registry (RFC 5246).  The
       remaining octets are filled using the results of the hashing
       algorithm.";
    reference "SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
  }

  /* Identities */

  identity cert-to-name {
    description
      "Base identity for algorithms to derive a name from a
       certificate.";
  }

  identity specified {
    base cert-to-name;
    description
      "Directly specifies the name to be used for the certificate.
       The value of the leaf 'name' in 'cert-to-name' list is used.";
    reference "SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
  }

  identity san-rfc822-name {
    base cert-to-name;
    description
      "Maps a subjectAltName's rfc822Name to a name.  The local part
       of the rfc822Name is passed unaltered but the host-part of the
       name must be passed in lowercase.  For example, the
       rfc822Name field FooBar@Example.COM is mapped to name
       FooBar@example.com.";
    reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
  }

  identity san-dns-name {
    base cert-to-name;
    description
      "Maps a subjectAltName's dNSName to a name after first
       converting it to all lowercase (RFC 5280 does not specify
       converting to lowercase so this involves an extra step).
       This mapping results in a 1:1 correspondence between
       subjectAltName dNSName values and the name values.";
    reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
  }

  identity san-ip-address {
    base cert-to-name;
    description
      "Maps a subjectAltName's iPAddress to a name by
       transforming the binary encoded address as follows:

         1) for IPv4, the value is converted into a
            decimal-dotted quad address (e.g., '192.0.2.1').

         2) for IPv6 addresses, the value is converted into a
            32-character all lowercase hexadecimal string
            without any colon separators.

       This mapping results in a 1:1 correspondence between
       subjectAltName iPAddress values and the name values.";
    reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
  }

  identity san-any {
    base cert-to-name;
    description
      "Maps any of the following fields using the corresponding
       mapping algorithms:

         +------------+-----------------+
         | Type       | Algorithm       |
         |------------+-----------------|
         | rfc822Name | san-rfc822-name |
         | dNSName    | san-dns-name    |
         | iPAddress  | san-ip-address  |
         +------------+-----------------+

       The first matching subjectAltName value found in the
       certificate of the above types MUST be used when deriving
       the name.  The mapping algorithm specified in the
       'Algorithm' column MUST be used to derive the name.

       This mapping results in a 1:1 correspondence between
       subjectAltName values and name values.  The three sub-mapping
       algorithms produced by this combined algorithm cannot produce
       conflicting results between themselves.";
    reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
  }

  identity common-name {
    base cert-to-name;
    description
      "Maps a certificate's CommonName to a name after converting
       it to a UTF-8 encoding.  The usage of CommonNames is
       deprecated and users are encouraged to use subjectAltName
       mapping methods instead.  This mapping results in a 1:1
       correspondence between certificate CommonName values and name
       values.";
    reference "SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
  }

  /*
   * Groupings
   */

  grouping cert-to-name {
    description
      "Defines nodes for mapping certificates to names.  Modules
       that use this grouping should describe how the resulting
       name is used.";

    list cert-to-name {
      key id;
      description
        "This list defines how certificates are mapped to names.
         The name is derived by considering each cert-to-name
         list entry in order.  The cert-to-name entry's fingerprint
         determines whether the list entry is a match:

         1) If the cert-to-name list entry's fingerprint value
            matches that of the presented certificate, then consider
            the list entry as a successful match.

         2) If the cert-to-name list entry's fingerprint value
            matches that of a locally held copy of a trusted CA
            certificate, and that CA certificate was part of the CA
            certificate chain to the presented certificate, then
            consider the list entry as a successful match.

         Once a matching cert-to-name list entry has been found, the
         map-type is used to determine how the name associated with
         the certificate should be determined.  See the map-type
         leaf's description for details on determining the name value.
         If it is impossible to determine a name from the cert-to-name
         list entry's data combined with the data presented in the
         certificate, then additional cert-to-name list entries MUST
         be searched looking for another potential match.

         Security administrators are encouraged to make use of
         certificates with subjectAltName fields that can be mapped to
         names so that a single root CA certificate can allow all
         child certificates' subjectAltNames to map directly to a name
         via a 1:1 transformation.";
      reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";

      leaf id {
        type uint32;
        description
          "The id specifies the order in which the entries in the
           cert-to-name list are searched.  Entries with lower
           numbers are searched first.";
        reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
      }

      leaf fingerprint {
        type x509c2n:tls-fingerprint;
        mandatory true;
        description
          "Specifies a value with which the fingerprint of the
           full certificate presented by the peer is compared.  If
           the fingerprint of the full certificate presented by the
           peer does not match the fingerprint configured, then the
           entry is skipped and the search for a match continues.";
        reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
      }

      leaf map-type {
        type identityref {
          base cert-to-name;
        }
        mandatory true;
        description
          "Specifies the algorithm used to map the certificate
           presented by the peer to a name.
921 Mappings that need additional configuration objects should 922 use the 'when' statement to make them conditional based on 923 the 'map-type'."; 924 reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType"; 925 } 927 leaf name { 928 when "../map-type = 'x509c2n:specified'"; 929 type string; 930 mandatory true; 931 description 932 "Directly specifies the NETCONF username when the 933 'map-type' is 'specified'."; 934 reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData"; 935 } 936 } 937 } 938 } 940 942 4.2. Module 'ietf-snmp' 944 file "ietf-snmp.yang" 946 module ietf-snmp { 948 namespace "urn:ietf:params:xml:ns:yang:ietf-snmp"; 949 prefix snmp; 951 // RFC Ed.: update the dates below with the date of RFC publication 952 // and remove this note. 954 include ietf-snmp-common { 955 revision-date 2014-05-06; 956 } 957 include ietf-snmp-engine { 958 revision-date 2014-05-06; 959 } 960 include ietf-snmp-target { 961 revision-date 2014-05-06; 962 } 963 include ietf-snmp-notification { 964 revision-date 2014-05-06; 965 } 966 include ietf-snmp-proxy { 967 revision-date 2014-05-06; 968 } 969 include ietf-snmp-community { 970 revision-date 2014-05-06; 971 } 972 include ietf-snmp-usm { 973 revision-date 2014-05-06; 974 } 975 include ietf-snmp-tsm { 976 revision-date 2014-05-06; 977 } 978 include ietf-snmp-vacm { 979 revision-date 2014-05-06; 980 } 981 include ietf-snmp-tls { 982 revision-date 2014-05-06; 983 } 984 include ietf-snmp-ssh { 985 revision-date 2014-05-06; 986 } 988 organization 989 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 991 contact 992 "WG Web: 993 WG List: 995 WG Chair: Thomas Nadeau 996 998 WG Chair: Juergen Schoenwaelder 999 1001 Editor: Martin Bjorklund 1002 1004 Editor: Juergen Schoenwaelder 1005 "; 1007 description 1008 "This module contains a collection of YANG definitions for 1009 configuring SNMP engines. 1011 Copyright (c) 2014 IETF Trust and the persons identified as 1012 authors of the code. All rights reserved. 
1014 Redistribution and use in source and binary forms, with or 1015 without modification, is permitted pursuant to, and subject 1016 to the license terms contained in, the Simplified BSD License 1017 set forth in Section 4.c of the IETF Trust's Legal Provisions 1018 Relating to IETF Documents 1019 (http://trustee.ietf.org/license-info). 1021 This version of this YANG module is part of RFC XXXX; see 1022 the RFC itself for full legal notices."; 1024 // RFC Ed.: replace XXXX with actual RFC number and remove this 1025 // note. 1027 // RFC Ed.: update the date below with the date of RFC publication 1028 // and remove this note. 1030 revision 2014-05-06 { 1031 description 1032 "Initial revision."; 1033 reference 1034 "RFC XXXX: A YANG Data Model for SNMP Configuration"; 1035 } 1037 } 1038 1040 4.3. Submodule 'ietf-snmp-common' 1042 file "ietf-snmp-common.yang" 1044 submodule ietf-snmp-common { 1046 belongs-to ietf-snmp { 1047 prefix snmp; 1048 } 1050 import ietf-yang-types { 1051 prefix yang; 1052 } 1054 organization 1055 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 1057 contact 1058 "WG Web: 1059 WG List: 1061 WG Chair: Thomas Nadeau 1062 1064 WG Chair: Juergen Schoenwaelder 1065 1067 Editor: Martin Bjorklund 1068 1070 Editor: Juergen Schoenwaelder 1071 "; 1073 description 1074 "This submodule contains a collection of common YANG definitions 1075 for configuring SNMP engines. 1077 Copyright (c) 2014 IETF Trust and the persons identified as 1078 authors of the code. All rights reserved. 1080 Redistribution and use in source and binary forms, with or 1081 without modification, is permitted pursuant to, and subject 1082 to the license terms contained in, the Simplified BSD License 1083 set forth in Section 4.c of the IETF Trust's Legal Provisions 1084 Relating to IETF Documents 1085 (http://trustee.ietf.org/license-info). 
1086 This version of this YANG module is part of RFC XXXX; see 1087 the RFC itself for full legal notices."; 1089 // RFC Ed.: replace XXXX with actual RFC number and remove this 1090 // note. 1092 // RFC Ed.: update the date below with the date of RFC publication 1093 // and remove this note. 1095 revision 2014-05-06 { 1096 description 1097 "Initial revision."; 1098 reference 1099 "RFC XXXX: A YANG Data Model for SNMP Configuration"; 1100 } 1102 /* Collection of SNMP specific data types */ 1104 typedef admin-string { 1105 type string { 1106 length "0..255"; 1107 } 1108 description 1109 "Represents and SnmpAdminString as defined in RFC 3411. 1111 Note that the size of an SnmpAdminString is measured in 1112 octets, not characters."; 1113 reference "SNMP-FRAMEWORK-MIB.SnmpAdminString"; 1114 } 1116 typedef identifier { 1117 type admin-string { 1118 length "1..32"; 1119 } 1120 description 1121 "Identifiers are used to name items in the SNMP configuration 1122 data store."; 1123 } 1125 typedef context-name { 1126 type admin-string { 1127 length "0..32"; 1128 } 1129 description 1130 "The context type represents an SNMP context name."; 1131 reference 1132 "RFC3411: An Architecture for Describing SNMP Management 1133 Frameworks"; 1135 } 1137 typedef security-name { 1138 type admin-string { 1139 length "1..32"; 1140 } 1141 description 1142 "The security-name type represents an SNMP security name."; 1143 reference 1144 "RFC3411: An Architecture for Describing SNMP Management 1145 Frameworks"; 1146 } 1148 typedef security-model { 1149 type union { 1150 type enumeration { 1151 enum v1 { value 1; } 1152 enum v2c { value 2; } 1153 enum usm { value 3; } 1154 enum tsm { value 4; } 1155 } 1156 type int32 { 1157 range "1..2147483647"; 1158 } 1159 } 1160 reference 1161 "RFC3411: An Architecture for Describing SNMP Management 1162 Frameworks"; 1163 } 1165 typedef security-model-or-any { 1166 type union { 1167 type enumeration { 1168 enum any { value 0; } 1169 } 1170 type 
security-model; 1171 } 1172 reference 1173 "RFC3411: An Architecture for Describing SNMP Management 1174 Frameworks"; 1175 } 1177 typedef security-level { 1178 type enumeration { 1179 enum no-auth-no-priv { value 1; } 1180 enum auth-no-priv { value 2; } 1181 enum auth-priv { value 3; } 1182 } 1183 reference 1184 "RFC3411: An Architecture for Describing SNMP Management 1185 Frameworks"; 1186 } 1188 typedef engine-id { 1189 type yang:hex-string { 1190 pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}'; 1191 } 1192 description 1193 "The Engine ID specified as a list of colon-specified hexa- 1194 decimal octets, e.g., '80:00:02:b8:04:61:62:63'."; 1195 reference 1196 "RFC3411: An Architecture for Describing SNMP Management 1197 Frameworks"; 1198 } 1200 typedef wildcard-object-identifier { 1201 type string; 1202 description 1203 "The wildcard-object-identifier type represents an SNMP object 1204 identifier where subidentifiers can be given either as a label, 1205 in numeric form, or a wildcard, represented by a *."; 1206 } 1208 typedef tag-value { 1209 type string { 1210 length "0..255"; 1211 } 1212 description 1213 "Represents and SnmpTagValue as defined in RFC 3413. 1215 Note that the size of an SnmpTagValue is measured in 1216 octets, not characters."; 1217 reference "SNMP-TARGET-MIB.SnmpTagValue"; 1218 } 1220 container snmp { 1221 description 1222 "Top-level container for SNMP related configuration and 1223 status objects."; 1224 } 1226 } 1228 1230 4.4. 
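   The cert-to-name search defined by the grouping in Section 4.1 (an
   entry matches when its fingerprint is that of the presented
   certificate or of a trusted CA certificate in its chain; the
   map-type then derives the name; an entry that yields no name is
   skipped and the search continues) carried out in Python.  This is an
   added example, not code from the draft or from any SNMP
   implementation.  Certificates are constructed records whose DER
   encoding is a stand-in byte string; the names Cert, CertToName,
   derive_name and the other helpers are the example's own, and the only
   outside assumption is the subset of RFC 5246 HashAlgorithm registry
   codes used to interpret the fingerprint's first octet.

```python
# Added example: the cert-to-name search of the ietf-x509-cert-to-name
# grouping, modelled in Python on constructed certificate records.
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Pattern of the tls-fingerprint typedef: "<alg octet>:<digest octets>".
TLS_FINGERPRINT_RE = re.compile(r"^([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}$")

# Assumed subset of the IANA TLS HashAlgorithm registry (RFC 5246); the
# registry code is the first octet of every tls-fingerprint value.
HASH_ALGORITHMS = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}


def tls_fingerprint(alg_id: int, der: bytes) -> str:
    """hex-string form of a tls-fingerprint for a (stand-in) DER blob."""
    digest = hashlib.new(HASH_ALGORITHMS[alg_id], der).digest()
    return ":".join(f"{b:02x}" for b in bytes([alg_id]) + digest)


@dataclass
class Cert:
    der: bytes                                      # stand-in for the DER encoding
    san: List[Tuple[str, object]] = field(default_factory=list)  # (type, value), cert order
    common_name: Optional[str] = None


@dataclass
class CertToName:
    id: int                      # search order: lower ids first
    fingerprint: str
    map_type: str                # identity name without the x509c2n: prefix
    name: Optional[str] = None   # only used when map_type == "specified"


def san_rfc822_name(value: str) -> str:
    """Local part unaltered, host part lowercased (FooBar@Example.COM -> FooBar@example.com)."""
    local, _, host = value.rpartition("@")
    return f"{local}@{host.lower()}"


def san_dns_name(value: str) -> str:
    return value.lower()


def san_ip_address(packed: bytes) -> str:
    """IPv4 -> dotted quad; IPv6 -> 32 lowercase hex characters without colons."""
    addr = ipaddress.ip_address(packed)
    return str(addr) if addr.version == 4 else addr.exploded.replace(":", "")


SAN_MAPPERS = {
    "san-rfc822-name": ("rfc822Name", san_rfc822_name),
    "san-dns-name": ("dNSName", san_dns_name),
    "san-ip-address": ("iPAddress", san_ip_address),
}


def map_name(entry: CertToName, cert: Cert) -> Optional[str]:
    """Apply entry.map_type to cert; None means no name can be determined."""
    if entry.map_type == "specified":
        return entry.name
    if entry.map_type == "common-name":            # deprecated by the draft
        return cert.common_name
    if entry.map_type == "san-any":
        wanted = {t: fn for _, (t, fn) in SAN_MAPPERS.items()}
    else:
        san_type, fn = SAN_MAPPERS[entry.map_type]
        wanted = {san_type: fn}
    for san_type, value in cert.san:                # first matching SAN wins
        if san_type in wanted:
            return wanted[san_type](value)
    return None


def fingerprint_matches(configured: str, cert: Cert) -> bool:
    """Hash cert with the algorithm named by the configured first octet."""
    if not TLS_FINGERPRINT_RE.match(configured):
        return False
    alg_id = int(configured.split(":")[0], 16)
    if alg_id not in HASH_ALGORITHMS:              # unknown algorithm never matches
        return False
    return tls_fingerprint(alg_id, cert.der) == configured.lower()


def derive_name(entries: List[CertToName], presented: Cert,
                trusted_cas_in_chain: List[Cert]) -> Optional[str]:
    """Rule 1: fingerprint of the presented cert.  Rule 2: fingerprint of a
    locally held trusted CA that is in the chain.  A matching entry that
    yields no name is skipped and the search continues (MUST in the draft)."""
    candidates = [presented, *trusted_cas_in_chain]
    for entry in sorted(entries, key=lambda e: e.id):
        if not any(fingerprint_matches(entry.fingerprint, c) for c in candidates):
            continue
        name = map_name(entry, presented)
        if name is not None:
            return name
    return None


# Constructed sample data.
PEER = Cert(der=b"constructed peer certificate",
            san=[("dNSName", "Agent01.Example.NET"), ("rfc822Name", "OpS@Example.ORG")],
            common_name="agent01")
CA = Cert(der=b"constructed trusted CA certificate")
ENTRIES = [
    CertToName(10, tls_fingerprint(4, PEER.der), "san-ip-address"),  # matches, but no iPAddress SAN
    CertToName(20, tls_fingerprint(4, CA.der), "san-any"),           # matches via the CA chain
    CertToName(30, tls_fingerprint(4, CA.der), "specified", "fallback-user"),
]


def demo() -> Optional[str]:
    return derive_name(ENTRIES, PEER, [CA])


if __name__ == "__main__":
    print(demo())   # agent01.example.net
```

   Entry 10 matches the presented certificate but cannot produce a name
   (no iPAddress SAN), so the search moves on; entry 20 matches through
   the CA chain and san-any takes the first SAN of a mapped type, the
   dNSName, lowercased.  Comparing the fingerprint with the algorithm
   named by its own first octet is what makes the configured value
   self-describing; a fingerprint whose algorithm code the engine does
   not implement simply never matches.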
4.4.  Submodule 'ietf-snmp-engine'

<CODE BEGINS> file "ietf-snmp-engine.yang"

submodule ietf-snmp-engine {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP engines.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).
     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    container engine {

      description
        "Configuration of the SNMP engine.";

      leaf enabled {
        type boolean;
        default "false";
        description
          "Enables the SNMP engine.";
      }

      list listen {
        key "name";
        description
          "Configuration of the transport endpoints on which the
           engine listens.";

        leaf name {
          type snmp:identifier;
          description
            "An arbitrary name for the list entry.";
        }

        choice transport {
          mandatory true;
          description
            "The transport protocol specific parameters for this
             endpoint.  Submodules providing configuration for
             additional transports are expected to augment this
             choice.";
          case udp {
            container udp {
              leaf ip {
                type inet:ip-address;
                mandatory true;
                description
                  "The IPv4 or IPv6 address on which the engine
                   listens.";
              }
              leaf port {
                type inet:port-number;
                description
                  "The UDP port on which the engine listens.

                   If the port is not configured, an engine that
                   acts as a Command Responder uses port 161, and
                   an engine that acts as a Notification Receiver
                   uses port 162.";
              }
            }
          }
        }
      }

      container version {
        description
          "SNMP versions used by the engine";
        leaf v1 {
          type empty;
        }
        leaf v2c {
          type empty;
        }
        leaf v3 {
          type empty;
        }
      }

      leaf engine-id {
        type snmp:engine-id;
        description
          "The local SNMP engine's administratively-assigned unique
           identifier.

           If this leaf is not set, the device automatically
           calculates an engine id, as described in RFC 3411.  A
           server MAY initialize this leaf with the automatically
           created value.";
        reference "SNMP-FRAMEWORK-MIB.snmpEngineID";
      }

      leaf enable-authen-traps {
        type boolean;
        description
          "Indicates whether the SNMP entity is permitted to
           generate authenticationFailure traps.";
        reference "SNMPv2-MIB.snmpEnableAuthenTraps";
      }
    }
  }
}

<CODE ENDS>

4.5.  Submodule 'ietf-snmp-target'

<CODE BEGINS> file "ietf-snmp-target.yang"

submodule ietf-snmp-target {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP targets.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3413: Simple Network Management Protocol (SNMP)
     Applications";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    list target {
      key name;
      description
        "List of targets.";
      reference "SNMP-TARGET-MIB.snmpTargetAddrTable";

      leaf name {
        type snmp:identifier;
        description
          "Identifies the target.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrName";
      }
      choice transport {
        mandatory true;
        description
          "Transport address of the target.

           The snmpTargetAddrTDomain and snmpTargetAddrTAddress
           objects are mapped to transport-specific YANG nodes.  Each
           transport is configured as a separate case in this
           choice.  Submodules providing configuration for additional
           transports are expected to augment this choice.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTDomain
                   SNMP-TARGET-MIB.snmpTargetAddrTAddress";
        case udp {
          reference "SNMPv2-TM.snmpUDPDomain
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4z
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6
                     TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6z";
          container udp {
            leaf ip {
              type inet:ip-address;
              mandatory true;
              reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
            }
            leaf port {
              type inet:port-number;
              default 162;
              description
                "UDP port number";
              reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress";
            }
            leaf prefix-length {
              type uint8;
              description
                "The value of this leaf must be consistent with the
                 address family of ../snmp:ip.  If ../snmp:ip contains
                 an ipv4 address, this leaf must be less than or equal
                 to 32.  If it contains an ipv6 address, it must be
                 less than or equal to 128.

                 Note that the prefix-length is currently only used
                 by the Community-based Security Model to filter
                 incoming messages.  Furthermore, the prefix-length
                 filtering does not cover all possible filters
                 supported by the corresponding MIB object.";

              reference "SNMP-COMMUNITY-MIB.snmpTargetAddrTMask";
            }
          }
        }
      }
      leaf-list tag {
        type snmp:tag-value;
        description
          "List of tag values used to select target address.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTagList";
      }
      leaf timeout {
        type uint32;
        units "0.01 seconds";
        default 1500;
        description
          "Needed only if this target can receive
           InformRequest-PDUs.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrTimeout";
      }
      leaf retries {
        type uint8;
        default 3;
        description
          "Needed only if this target can receive
           InformRequest-PDUs.";
        reference "SNMP-TARGET-MIB.snmpTargetAddrRetryCount";
      }
      leaf target-params {
        type snmp:identifier;
        mandatory true;
        reference "SNMP-TARGET-MIB.snmpTargetAddrParams";
      }
    }

    list target-params {
      key name;
      description
        "List of target parameters.";
      reference "SNMP-TARGET-MIB.snmpTargetParamsTable";

      leaf name {
        type snmp:identifier;
      }
      choice params {
        description
          "This choice is augmented with case nodes containing
           security model specific configuration parameters.";

      }
    }
  }
}

<CODE ENDS>
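   Two constraints in the modules above are stated only in prose and are
   easy to get wrong in a configuration validator: the admin-string
   family of typedefs in Section 4.3 is sized in octets rather than
   characters, and the target prefix-length in Section 4.5 must fit
   the address family of ../snmp:ip.  The following Python is an added
   example (not code from the draft or from any implementation) that
   checks both on constructed entries and also decodes the engine-id
   typedef's example value.  The engine-id layout it decodes (bit 7 of
   the first octet, a 31-bit enterprise number, a format octet) is taken
   from RFC 3411, which the typedef references but the draft does not
   spell out; the function names and the sample entries are the
   example's own.

```python
# Added example: validation helpers for the typedefs of Section 4.3 and the
# target prefix-length rule of Section 4.5, run on constructed entries.
import ipaddress
import re
from typing import Optional

# Pattern of the engine-id typedef: 5 to 32 colon-separated octets.
ENGINE_ID_RE = re.compile(r"^([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}$")

# RFC 3411 SnmpEngineID format codes (octet 4 when octet 0 has bit 7 set);
# assumed from RFC 3411, not stated in the draft.
ENGINE_ID_FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}


def admin_string_ok(value: str, lo: int = 0, hi: int = 255) -> bool:
    """admin-string and its derivatives are sized in octets, not characters:
    a string of non-ASCII characters can be too long even when len() is fine."""
    return lo <= len(value.encode("utf-8")) <= hi


def identifier_ok(value: str) -> bool:       # typedef identifier: length 1..32
    return admin_string_ok(value, 1, 32)


def context_name_ok(value: str) -> bool:     # typedef context-name: length 0..32
    return admin_string_ok(value, 0, 32)


def decode_engine_id(hex_string: str) -> dict:
    """Check the typedef pattern, then decode the RFC 3411 layout: with bit 7 of
    octet 0 set, the remaining 31 bits are the enterprise number, octet 4 the
    format code and the rest format-specific data; with bit 7 clear it is the
    older fixed 12-octet layout, returned undecoded."""
    if not ENGINE_ID_RE.match(hex_string):
        raise ValueError(f"not a valid engine-id: {hex_string!r}")
    raw = bytes.fromhex(hex_string.replace(":", ""))
    if not raw[0] & 0x80:
        return {"format": "legacy", "enterprise": int.from_bytes(raw[:4], "big"),
                "data": raw[4:]}
    return {
        "format": ENGINE_ID_FORMATS.get(raw[4], "enterprise-specific"),
        "enterprise": int.from_bytes(raw[:4], "big") & 0x7FFFFFFF,
        "data": raw[5:],
    }


def target_udp_ok(ip: str, prefix_length: Optional[int]) -> bool:
    """prefix-length must fit the family of ../snmp:ip: <=32 for IPv4, <=128 for IPv6."""
    addr = ipaddress.ip_address(ip)
    return prefix_length is None or 0 <= prefix_length <= addr.max_prefixlen


def check_target(entry: dict) -> list:
    """Return the violations found in a constructed /snmp/target entry."""
    problems = []
    if not identifier_ok(entry["name"]):
        problems.append("name: not a valid identifier (1..32 octets)")
    udp = entry["udp"]
    if not target_udp_ok(udp["ip"], udp.get("prefix-length")):
        problems.append("udp/prefix-length: exceeds the address family maximum")
    for tag in entry.get("tag", []):
        if not admin_string_ok(tag, 0, 255):     # typedef tag-value: 0..255 octets
            problems.append(f"tag {tag!r}: longer than 255 octets")
    return problems


# Constructed sample entries: one valid, one breaking all three rules.
GOOD_TARGET = {"name": "nms-1", "udp": {"ip": "192.0.2.1", "prefix-length": 32},
               "tag": ["mgmt"]}
BAD_TARGET = {"name": "x" * 40, "udp": {"ip": "192.0.2.1", "prefix-length": 64},
              "tag": ["\u00e9" * 200]}

if __name__ == "__main__":
    print(decode_engine_id("80:00:02:b8:04:61:62:63"))
    print(check_target(BAD_TARGET))
```

   The engine-id value quoted in the typedef decodes as enterprise 696
   with the text format and the data "abc".  The 200-character tag in
   BAD_TARGET is 400 octets long and so violates tag-value even though a
   character count would pass it; a validator that counts characters
   lets through values the SNMP engine will truncate or reject.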
Submodule 'ietf-snmp-notification' 1578 file "ietf-snmp-notification.yang" 1580 submodule ietf-snmp-notification { 1582 belongs-to ietf-snmp { 1583 prefix snmp; 1584 } 1586 include ietf-snmp-common; 1587 include ietf-snmp-target; 1589 organization 1590 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 1592 contact 1593 "WG Web: 1594 WG List: 1596 WG Chair: Thomas Nadeau 1597 1599 WG Chair: Juergen Schoenwaelder 1600 1602 Editor: Martin Bjorklund 1603 1605 Editor: Juergen Schoenwaelder 1606 "; 1608 description 1609 "This submodule contains a collection of YANG definitions 1610 for configuring SNMP notifications. 1612 Copyright (c) 2014 IETF Trust and the persons identified as 1613 authors of the code. All rights reserved. 1615 Redistribution and use in source and binary forms, with or 1616 without modification, is permitted pursuant to, and subject 1617 to the license terms contained in, the Simplified BSD License 1618 set forth in Section 4.c of the IETF Trust's Legal Provisions 1619 Relating to IETF Documents 1620 (http://trustee.ietf.org/license-info). 1622 This version of this YANG module is part of RFC XXXX; see 1623 the RFC itself for full legal notices."; 1625 // RFC Ed.: replace XXXX with actual RFC number and remove this 1626 // note. 1628 reference 1629 "RFC3413: Simple Network Management Protocol (SNMP) 1630 Applications"; 1632 // RFC Ed.: update the date below with the date of RFC publication 1633 // and remove this note. 1635 revision 2014-05-06 { 1636 description 1637 "Initial revision."; 1638 reference 1639 "RFC XXXX: A YANG Data Model for SNMP Configuration"; 1640 } 1642 feature notification-filter { 1643 description 1644 "A server implements this feature if it supports SNMP 1645 notification filtering."; 1646 reference 1647 "RFC3413: Simple Network Management Protocol (SNMP) 1648 Applications"; 1649 } 1651 augment /snmp:snmp { 1653 list notify { 1654 key name; 1655 description 1656 "Targets that will receive notifications. 
1658 Entries in this lists are mapped 1-1 to entries in 1659 snmpNotifyTable, except that if an entry in snmpNotifyTable 1660 has a snmpNotifyTag for which no snmpTargetAddrEntry exists, 1661 then the snmpNotifyTable entry is not mapped to an entry in 1662 this list."; 1663 reference "SNMP-NOTIFICATION-MIB.snmpNotifyTable"; 1664 leaf name { 1665 type snmp:identifier; 1666 description 1667 "An arbitrary name for the list entry."; 1668 reference "SNMP-NOTIFICATION-MIB.snmpNotifyName"; 1669 } 1670 leaf tag { 1671 type snmp:tag-value; 1672 mandatory true; 1673 description 1674 "Target tag, selects a set of notification targets. 1676 Implementations MAY restrict the values of this leaf 1677 to be one of the available values of /snmp/target/tag in 1678 a valid configuration."; 1679 reference "SNMP-NOTIFICATION-MIB.snmpNotifyTag"; 1680 } 1681 leaf type { 1682 type enumeration { 1683 enum trap { value 1; } 1684 enum inform { value 2; } 1685 } 1686 default trap; 1687 description 1688 "Defines the notification type to be generated."; 1689 reference "SNMP-NOTIFICATION-MIB.snmpNotifyType"; 1690 } 1691 } 1693 list notify-filter-profile { 1694 if-feature snmp:notification-filter; 1695 key name; 1697 description 1698 "Notification filter profiles. 1700 The leaf /snmp/target/notify-filter-profile is used 1701 to associate a filter profile with a target. 1703 If an entry in this list is referred to by one or more 1704 /snmp/target/notify-filter-profile, each such 1705 notify-filter-profile is represented by one 1706 snmpNotifyFilterProfileEntry. 
1708 If an entry in this list is not referred to by any 1709 /snmp/target/notify-filter-profile, the entry is not mapped 1710 to snmpNotifyFilterProfileTable."; 1711 reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable 1712 SNMP-NOTIFICATION-MIB.snmpNotifyFilterTable"; 1714 leaf name { 1715 type snmp:identifier; 1716 description 1717 "Name of the filter profile"; 1718 reference 1719 "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName"; 1720 } 1722 leaf-list include { 1723 type snmp:wildcard-object-identifier; 1724 description 1725 "A family of subtrees included in this filter."; 1726 reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree 1727 SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask 1728 SNMP-NOTIFICATION-MIB.snmpNotifyFilterType"; 1729 } 1731 leaf-list exclude { 1732 type snmp:wildcard-object-identifier; 1733 description 1734 "A family of subtrees excluded from this filter."; 1735 reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree 1736 SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask 1737 SNMP-NOTIFICATION-MIB.snmpNotifyFilterType"; 1738 } 1739 } 1741 } 1743 augment /snmp:snmp/snmp:target-params { 1744 reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable"; 1745 leaf notify-filter-profile { 1746 if-feature snmp:notification-filter; 1747 type leafref { 1748 path "/snmp/notify-filter-profile/name"; 1749 } 1750 description 1751 "This leafref leaf is used to represent the sparse 1752 relationship between the /snmp/target-params list and the 1753 /snmp/notify-filter-profile list."; 1754 reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName"; 1755 } 1756 } 1758 } 1759 1761 4.7. 
Submodule 'ietf-snmp-proxy' 1763 file "ietf-snmp-proxy.yang" 1765 submodule ietf-snmp-proxy { 1767 belongs-to ietf-snmp { 1768 prefix snmp; 1769 } 1771 include ietf-snmp-common; 1772 include ietf-snmp-target; 1774 organization 1775 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 1777 contact 1778 "WG Web: 1779 WG List: 1781 WG Chair: Thomas Nadeau 1782 1784 WG Chair: Juergen Schoenwaelder 1785 1787 Editor: Martin Bjorklund 1788 1790 Editor: Juergen Schoenwaelder 1791 "; 1793 description 1794 "This submodule contains a collection of YANG definitions 1795 for configuring SNMP proxies. 1797 Copyright (c) 2014 IETF Trust and the persons identified as 1798 authors of the code. All rights reserved. 1800 Redistribution and use in source and binary forms, with or 1801 without modification, is permitted pursuant to, and subject 1802 to the license terms contained in, the Simplified BSD License 1803 set forth in Section 4.c of the IETF Trust's Legal Provisions 1804 Relating to IETF Documents 1805 (http://trustee.ietf.org/license-info). 1806 This version of this YANG module is part of RFC XXXX; see 1807 the RFC itself for full legal notices."; 1809 // RFC Ed.: replace XXXX with actual RFC number and remove this 1810 // note. 1812 reference 1813 "RFC3413: Simple Network Management Protocol (SNMP) 1814 Applications"; 1816 // RFC Ed.: update the date below with the date of RFC publication 1817 // and remove this note. 
1819 revision 2014-05-06 { 1820 description 1821 "Initial revision."; 1822 reference 1823 "RFC XXXX: A YANG Data Model for SNMP Configuration"; 1824 } 1826 feature proxy { 1827 description 1828 "A server implements this feature if it can act as an 1829 SNMP Proxy"; 1830 reference 1831 "RFC3413: Simple Network Management Protocol (SNMP) 1832 Applications"; 1833 } 1835 augment /snmp:snmp { 1836 if-feature snmp:proxy; 1838 list proxy { 1839 key name; 1841 description 1842 "List of proxy parameters."; 1843 reference "SNMP-PROXY-MIB.snmpProxyTable"; 1845 leaf name { 1846 type snmp:identifier; 1847 description 1848 "Identifies the proxy parameter entry."; 1849 reference "SNMP-PROXY-MIB.snmpProxyName"; 1850 } 1851 leaf type { 1852 type enumeration { 1853 enum read { value 1; } 1854 enum write { value 2; } 1855 enum trap { value 3; } 1856 enum inform { value 4; } 1857 } 1858 mandatory true; 1859 reference "SNMP-PROXY-MIB.snmpProxyType"; 1860 } 1861 leaf context-engine-id { 1862 type snmp:engine-id; 1863 mandatory true; 1864 reference "SNMP-PROXY-MIB.snmpProxyContextEngineID"; 1865 } 1866 leaf context-name { 1867 type snmp:context-name; 1868 reference "SNMP-PROXY-MIB.snmpProxyContextName"; 1869 } 1870 leaf target-params-in { 1871 type snmp:identifier; 1872 description 1873 "The name of a target parameters list entry. 
1875 Implementations MAY restrict the values of this 1876 leaf to be one of the available values of 1877 /snmp/target-params/name in a valid configuration."; 1878 reference "SNMP-PROXY-MIB.snmpProxyTargetParamsIn"; 1879 } 1880 leaf single-target-out { 1881 when "../type = 'read' or ../type = 'write'"; 1882 type snmp:identifier; 1883 description 1884 "Implementations MAY restrict the values of this leaf 1885 to be one of the available values of /snmp/target/name in 1886 a valid configuration."; 1887 reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut"; 1888 } 1889 leaf multiple-target-out { 1890 when "../type = 'trap' or ../type = 'inform'"; 1891 type snmp:tag-value; 1892 description 1893 "Implementations MAY restrict the values of this leaf 1894 to be one of the available values of /snmp/target/tag in 1895 a valid configuration."; 1896 reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut"; 1897 } 1898 } 1899 } 1900 } 1901 1903 4.8. Submodule 'ietf-snmp-community' 1905 file "ietf-snmp-community.yang" 1907 submodule ietf-snmp-community { 1909 belongs-to ietf-snmp { 1910 prefix snmp; 1911 } 1913 import ietf-netconf-acm { 1914 prefix nacm; 1915 } 1917 include ietf-snmp-common; 1918 include ietf-snmp-target; 1919 include ietf-snmp-proxy; 1921 organization 1922 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 1924 contact 1925 "WG Web: 1926 WG List: 1928 WG Chair: Thomas Nadeau 1929 1931 WG Chair: Juergen Schoenwaelder 1932 1934 Editor: Martin Bjorklund 1935 1937 Editor: Juergen Schoenwaelder 1938 "; 1940 description 1941 "This submodule contains a collection of YANG definitions 1942 for configuring community-based SNMP. 1944 Copyright (c) 2014 IETF Trust and the persons identified as 1945 authors of the code. All rights reserved. 
1947 Redistribution and use in source and binary forms, with or 1948 without modification, is permitted pursuant to, and subject 1949 to the license terms contained in, the Simplified BSD License 1950 set forth in Section 4.c of the IETF Trust's Legal Provisions 1951 Relating to IETF Documents 1952 (http://trustee.ietf.org/license-info). 1954 This version of this YANG module is part of RFC XXXX; see 1955 the RFC itself for full legal notices."; 1957 // RFC Ed.: replace XXXX with actual RFC number and remove this 1958 // note. 1960 reference 1961 "RFC3584: Coexistence between Version 1, Version 2, and Version 3 1962 of the Internet-standard Network Management Framework"; 1964 // RFC Ed.: update the date below with the date of RFC publication 1965 // and remove this note. 1967 revision 2014-05-06 { 1968 description 1969 "Initial revision."; 1970 reference 1971 "RFC XXXX: A YANG Data Model for SNMP Configuration"; 1972 } 1974 augment /snmp:snmp { 1976 list community { 1977 key index; 1979 description 1980 "List of communities"; 1981 reference "SNMP-COMMUNITY-MIB.snmpCommunityTable"; 1983 leaf index { 1984 type snmp:identifier; 1985 description 1986 "Index into the community list."; 1987 reference "SNMP-COMMUNITY-MIB.snmpCommunityIndex"; 1988 } 1989 choice name { 1990 nacm:default-deny-all; 1991 description 1992 "The community name, either specified as a string 1993 or as a binary. The binary name is used when the 1994 community name contains characters that are not legal 1995 in a string. 
1997 If not set, the value of 'security-name' is operationally 1998 used as the snmpCommunityName."; 1999 reference "SNMP-COMMUNITY-MIB.snmpCommunityName"; 2000 leaf text-name { 2001 type string; 2002 description 2003 "A community name that can be represented as a 2004 YANG string."; 2005 } 2006 leaf binary-name { 2007 type binary; 2008 description 2009 "A community name represented as a binary value."; 2010 } 2011 } 2012 leaf security-name { 2013 type snmp:security-name; 2014 mandatory true; 2015 nacm:default-deny-all; 2016 description 2017 "The snmpCommunitySecurityName of this entry."; 2018 reference "SNMP-COMMUNITY-MIB.snmpCommunitySecurityName"; 2019 } 2020 leaf engine-id { 2021 if-feature snmp:proxy; 2022 type snmp:engine-id; 2023 description 2024 "If not set, the value of the local SNMP engine is 2025 operationally used by the device."; 2026 reference "SNMP-COMMUNITY-MIB.snmpCommunityContextEngineID"; 2027 } 2028 leaf context { 2029 type snmp:context-name; 2030 default ""; 2031 description 2032 "The context in which management information is accessed 2033 when using the community string specified by this entry."; 2034 reference "SNMP-COMMUNITY-MIB.snmpCommunityContextName"; 2035 } 2036 leaf target-tag { 2037 type snmp:tag-value; 2038 description 2039 "Used to limit access for this community to the specified 2040 targets. 2042 Implementations MAY restrict the values of this leaf 2043 to be one of the available values of /snmp/target/tag in 2044 a valid configuration."; 2046 reference "SNMP-COMMUNITY-MIB.snmpCommunityTransportTag"; 2047 } 2048 } 2049 } 2051 grouping v1-target-params { 2052 container v1 { 2053 description 2054 "SNMPv1 parameters type. 
         Represents snmpTargetParamsMPModel '0',
         snmpTargetParamsSecurityModel '1', and
         snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of
           /snmp/community/security-name in a valid configuration.";
        reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
    }
  }

  grouping v2c-target-params {
    container v2c {
      description
        "SNMPv2 community parameters type.
         Represents snmpTargetParamsMPModel '1',
         snmpTargetParamsSecurityModel '2', and
         snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of
           /snmp/community/security-name in a valid configuration.";
        reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
    }
  }

  augment /snmp:snmp/snmp:target-params/snmp:params {
    case v1 {
      uses v1-target-params;
    }
    case v2c {
      uses v2c-target-params;
    }
  }

  augment /snmp:snmp/snmp:target {
    when "snmp:v1 or snmp:v2c";
    leaf mms {
      type union {
        type enumeration {
          enum "unknown" { value 0; }
        }
        type int32 {
          range "484..max";
        }
      }
      default "484";
      description
        "The maximum message size.";
      reference
        "SNMP-COMMUNITY-MIB.snmpTargetAddrMMS";
    }
  }

}

4.9.  Submodule 'ietf-snmp-vacm'

file "ietf-snmp-vacm.yang"

submodule ietf-snmp-vacm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions
     for configuring the View-based Access Control Model (VACM)
     of SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3415: View-based Access Control Model (VACM) for the
     Simple Network Management Protocol (SNMP)";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  typedef view-name {
    type snmp:identifier;
    description
      "The view-name type represents an SNMP VACM view name.";
  }

  typedef group-name {
    type snmp:identifier;
    description
      "The group-name type represents an SNMP VACM group name.";
  }

  augment /snmp:snmp {

    container vacm {
      description
        "Configuration of the View-based Access Control Model";

      list group {
        key name;
        description
          "VACM Groups.

           This data model has a different structure than the MIB.
           Groups are explicitly defined in this list, and group
           members are defined in the 'member' list (mapped to
           vacmSecurityToGroupTable), and access for the group is
           defined in the 'access' list (mapped to
           vacmAccessTable).";
        reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable
                   SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

        leaf name {
          type group-name;
          description
            "The name of this VACM group.";
          reference "SNMP-VIEW-BASED-ACM-MIB.vacmGroupName";
        }

        list member {
          key "security-name";
          description
            "A member of this VACM group.

             A certain combination of security-name and
             security-model MUST NOT be present in more than
             one group.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable";

          leaf security-name {
            type snmp:security-name;
            description
              "The securityName of a group member.";
            reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityName";
          }

          leaf-list security-model {
            type snmp:security-model;
            min-elements 1;
            description
              "The security models under which this security-name
               is a member of this group.";
            reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityModel";
          }
        }

        list access {
          key "context security-model security-level";
          description
            "Definition of access right for groups";
          reference "SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

          leaf context {
            type snmp:context-name;
            description
              "The context (prefix) under which the access rights
               apply.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextPrefix";
          }

          leaf context-match {
            type enumeration {
              enum exact { value 1; }
              enum prefix { value 2; }
            }
            default exact;
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextMatch";
          }

          leaf security-model {
            type snmp:security-model-or-any;
            description
              "The security model under which the access rights
               apply.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityModel";
          }
          leaf security-level {
            type snmp:security-level;
            description
              "The minimum security level under which the access
               rights apply.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityLevel";
          }

          leaf read-view {
            type view-name;
            description
              "The name of the MIB view of the SNMP context
               authorizing read access.  If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessReadViewName.

               Implementations MAY restrict the values of this
               leaf to be one of the available values of
               /snmp/vacm/view/name in a valid configuration.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessReadViewName";
          }

          leaf write-view {
            type view-name;
            description
              "The name of the MIB view of the SNMP context
               authorizing write access.  If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessWriteViewName.

               Implementations MAY restrict the values of this
               leaf to be one of the available values of
               /snmp/vacm/view/name in a valid configuration.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessWriteViewName";
          }

          leaf notify-view {
            type view-name;
            description
              "The name of the MIB view of the SNMP context
               authorizing notify access.  If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessNotifyViewName.

               Implementations MAY restrict the values of this
               leaf to be one of the available values of
               /snmp/vacm/view/name in a valid configuration.";
            reference
              "SNMP-VIEW-BASED-ACM-MIB.vacmAccessNotifyViewName";
          }
        }
      }

      list view {
        key name;
        description
          "Definition of MIB views.";
        reference
          "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyTable";

        leaf name {
          type view-name;
          description
            "The name of this VACM MIB view.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyName";
        }

        leaf-list include {
          type snmp:wildcard-object-identifier;
          description
            "A family of subtrees included in this MIB view.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
        }

        leaf-list exclude {
          type snmp:wildcard-object-identifier;
          description
            "A family of subtrees excluded from this MIB
             view.";
          reference
            "SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
             SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
        }
      }
    }
  }
}

4.10.  Submodule 'ietf-snmp-usm'

This YANG submodule imports YANG extensions from [RFC6536].

file "ietf-snmp-usm.yang"

submodule ietf-snmp-usm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-yang-types {
    prefix yang;
  }
  import ietf-netconf-acm {
    prefix nacm;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the User-based Security Model (USM) of SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC3414: User-based Security Model (USM) for version 3 of the
     Simple Network Management Protocol (SNMPv3).";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  grouping key {
    leaf key {
      type yang:hex-string;
      mandatory true;
      nacm:default-deny-all;
      description
        "Localized key specified as a list of colon-specified
         hexa-decimal octets";
    }
  }

  grouping user-list {
    list user {
      key "name";

      reference "SNMP-USER-BASED-SM-MIB.usmUserTable";

      leaf name {
        type snmp:identifier;
        reference "SNMP-USER-BASED-SM-MIB.usmUserName";
      }
      container auth {
        presence "enables authentication";
        description
          "Enables authentication of the user";
        choice protocol {
          mandatory true;
          reference "SNMP-USER-BASED-SM-MIB.usmUserAuthProtocol";
          container md5 {
            uses key;
            reference
              "SNMP-USER-BASED-SM-MIB.usmHMACMD5AuthProtocol";
          }
          container sha {
            uses key;
            reference
              "SNMP-USER-BASED-SM-MIB.usmHMACSHAAuthProtocol";
          }
        }
      }
      container priv {
        must "../auth" {
          error-message
            "when privacy (confidentiality) is used, "
          + "authentication must also be used";
        }
        presence "enables encryption";
        description
          "Enables encryption of SNMP messages.";

        choice protocol {
          mandatory true;
          reference "SNMP-USER-BASED-SM-MIB.usmUserPrivProtocol";
          container des {
            uses key;
            reference "SNMP-USER-BASED-SM-MIB.usmDESPrivProtocol";
          }
          container aes {
            uses key;
            reference "SNMP-USM-AES-MIB.usmAesCfb128Protocol";
          }
        }
      }
    }
  }

  augment /snmp:snmp {

    container usm {
      description
        "Configuration of the User-based Security Model";
      container local {
        uses user-list;
      }

      list remote {
        key "engine-id";

        leaf engine-id {
          type snmp:engine-id;
          reference "SNMP-USER-BASED-SM-MIB.usmUserEngineID";
        }

        uses user-list;
      }
    }
  }

  grouping usm-target-params {
    container usm {
      description
        "User based SNMPv3 parameters type.

         Represents snmpTargetParamsMPModel '3' and
         snmpTargetParamsSecurityModel '3'";
      leaf user-name {
        type snmp:security-name;
        mandatory true;
        reference
          "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
      leaf security-level {
        type snmp:security-level;
        mandatory true;
        reference
          "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
      }
    }
  }

  augment /snmp:snmp/snmp:target-params/snmp:params {
    case usm {
      uses usm-target-params;
    }
  }

}

4.11.  Submodule 'ietf-snmp-tsm'

file "ietf-snmp-tsm.yang"

submodule ietf-snmp-tsm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the Transport Security Model (TSM) of SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.
  reference
    "RFC5591: Transport Security Model for the
     Simple Network Management Protocol (SNMP)";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  feature tsm {
    description
      "A server implements this feature if it supports the
       Transport Security Model for SNMP.";
    reference
      "RFC5591: Transport Security Model for the
       Simple Network Management Protocol (SNMP)";
  }

  augment /snmp:snmp {
    if-feature tsm;
    container tsm {
      description
        "Configuration of the Transport-based Security Model";

      leaf use-prefix {
        type boolean;
        default false;
        reference
          "SNMP-TSM-MIB.snmpTsmConfigurationUsePrefix";
      }
    }
  }

  grouping tsm-target-params {
    container tsm {
      description
        "Transport based security SNMPv3 parameters type.

         Represents snmpTargetParamsMPModel '3' and
         snmpTargetParamsSecurityModel '4'";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        reference
          "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
      leaf security-level {
        type snmp:security-level;
        mandatory true;
        reference
          "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
      }
    }
  }

  augment /snmp:snmp/snmp:target-params/snmp:params {
    if-feature tsm;
    case tsm {
      uses tsm-target-params;
    }
  }

}

4.12.  Submodule 'ietf-snmp-tls'

file "ietf-snmp-tls.yang"

submodule ietf-snmp-tls {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }
  import ietf-x509-cert-to-name {
    prefix x509c2n;
  }

  include ietf-snmp-common;
  include ietf-snmp-engine;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the Transport Layer Security Transport Model (TLSTM)
     of SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC6353: Transport Layer Security (TLS) Transport Model for
     the Simple Network Management Protocol (SNMP)";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  feature tlstm {
    description
      "A server implements this feature if it supports the
       Transport Layer Security Transport Model for SNMP.";
    reference
      "RFC6353: Transport Layer Security (TLS) Transport Model for
       the Simple Network Management Protocol (SNMP)";
  }

  augment /snmp:snmp/snmp:engine/snmp:listen/snmp:transport {
    if-feature tlstm;
    case tls {
      container tls {
        description
          "A list of IPv4 and IPv6 addresses and ports to which the
           engine listens for SNMP messages over TLS.";

        leaf ip {
          type inet:ip-address;
          mandatory true;
          description
            "The IPv4 or IPv6 address on which the engine listens
             for SNMP messages over TLS.";
        }
        leaf port {
          type inet:port-number;
          description
            "The TCP port on which the engine listens for SNMP
             messages over TLS.

             If the port is not configured, an engine that
             acts as a Command Responder uses port 10161, and
             an engine that acts as a Notification Receiver
             uses port 10162.";
        }
      }
    }
    case dtls {
      container dtls {
        description
          "A list of IPv4 and IPv6 addresses and ports to which the
           engine listens for SNMP messages over DTLS.";

        leaf ip {
          type inet:ip-address;
          mandatory true;
          description
            "The IPv4 or IPv6 address on which the engine listens
             for SNMP messages over DTLS.";
        }
        leaf port {
          type inet:port-number;
          description
            "The UDP port on which the engine listens for SNMP
             messages over DTLS.

             If the port is not configured, an engine that
             acts as a Command Responder uses port 10161, and
             an engine that acts as a Notification Receiver
             uses port 10162.";
        }
      }
    }
  }

  augment /snmp:snmp {
    if-feature tlstm;
    container tlstm {
      uses x509c2n:cert-to-name {
        description
          "Defines how certificates are mapped to names.  The
           resulting name is used as a security name.";
        refine cert-to-name/map-type {
          description
            "Mappings that use the snmpTlstmCertToTSNData column
             need to augment the 'cert-to-name' list
             with additional configuration objects corresponding
             to the snmpTlstmCertToTSNData value.  Such objects
             should use the 'when' statement to make them
             conditional based on the 'map-type'.";
        }
      }
    }
  }

  grouping tls-transport {
    leaf ip {
      type inet:host;
      mandatory true;
      reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                 SNMP-TLS-TM-MIB.SnmpTLSAddress";
    }
    leaf port {
      type inet:port-number;
      default 10161;
      reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                 SNMP-TLS-TM-MIB.SnmpTLSAddress";
    }
    leaf client-fingerprint {
      type x509c2n:tls-fingerprint;
      reference "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint";
    }
    leaf server-fingerprint {
      type x509c2n:tls-fingerprint;
      reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint";
    }
    leaf server-identity {
      type snmp:admin-string;
      reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity";
    }
  }

  augment /snmp:snmp/snmp:target/snmp:transport {
    if-feature tlstm;
    case tls {
      reference "SNMP-TLS-TM-MIB.snmpTLSTCPDomain";
      container tls {
        uses tls-transport;
      }
    }
  }

  augment /snmp:snmp/snmp:target/snmp:transport {
    if-feature tlstm;
    case dtls {
      reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain";
      container dtls {
        uses tls-transport;
      }
    }
  }
}

4.13.  Submodule 'ietf-snmp-ssh'

file "ietf-snmp-ssh.yang"

submodule ietf-snmp-ssh {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }

  include ietf-snmp-common;
  include ietf-snmp-engine;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:
     WG List:

     WG Chair: Thomas Nadeau

     WG Chair: Juergen Schoenwaelder

     Editor: Martin Bjorklund

     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the Secure Shell Transport Model (SSHTM)
     of SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC5592: Secure Shell Transport Model for the
     Simple Network Management Protocol (SNMP)";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.
  revision 2014-05-06 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  feature sshtm {
    description
      "A server implements this feature if it supports the
       Secure Shell Transport Model for SNMP.";
    reference
      "RFC5592: Secure Shell Transport Model for the
       Simple Network Management Protocol (SNMP)";
  }

  augment /snmp:snmp/snmp:engine/snmp:listen/snmp:transport {
    if-feature sshtm;
    case ssh {
      container ssh {
        description
          "The IPv4 or IPv6 address and port to which the
           engine listens for SNMP messages over SSH.";

        leaf ip {
          type inet:ip-address;
          mandatory true;
          description
            "The IPv4 or IPv6 address on which the engine listens
             for SNMP messages over SSH.";
        }
        leaf port {
          type inet:port-number;
          description
            "The TCP port on which the engine listens for SNMP
             messages over SSH.

             If the port is not configured, an engine that
             acts as a Command Responder uses port 5161, and
             an engine that acts as a Notification Receiver
             uses port 5162.";
        }
      }
    }
  }

  augment /snmp:snmp/snmp:target/snmp:transport {
    if-feature sshtm;
    case ssh {
      reference "SNMP-SSH-TM-MIB.snmpSSHDomain";
      container ssh {
        leaf ip {
          type inet:host;
          mandatory true;
          reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                     SNMP-SSH-TM-MIB.SnmpSSHAddress";
        }
        leaf port {
          type inet:port-number;
          default 5161;
          reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                     SNMP-SSH-TM-MIB.SnmpSSHAddress";
        }
        leaf username {
          type string;
          reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
                     SNMP-SSH-TM-MIB.SnmpSSHAddress";
        }
      }
    }
  }
}

5.  IANA Considerations

This document registers two URIs in the IETF XML registry [RFC3688].
Following the format in RFC 3688, the following registrations are
requested to be made.

   URI: urn:ietf:params:xml:ns:yang:ietf-snmp
   Registrant Contact: The NETMOD WG of the IETF.
   XML: N/A, the requested URI is an XML namespace.

   URI: urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name
   Registrant Contact: The NETMOD WG of the IETF.
   XML: N/A, the requested URI is an XML namespace.

This document registers the following YANG modules in the YANG Module
Names registry [RFC6020].

   name:      ietf-snmp
   namespace: urn:ietf:params:xml:ns:yang:ietf-snmp
   prefix:    snmp
   reference: RFC XXXX

   name:      ietf-x509-cert-to-name
   namespace: urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name
   prefix:    x509c2n
   reference: RFC XXXX

The document registers the following YANG submodules in the YANG
Module Names registry [RFC6020].

   name:      ietf-snmp-common
   parent:    ietf-snmp
   reference: RFC XXXX

   name:      ietf-snmp-engine
   parent:    ietf-snmp
   reference: RFC XXXX

   name:      ietf-snmp-community
   parent:    ietf-snmp
   reference: RFC XXXX

   name:      ietf-snmp-notification
   parent:    ietf-snmp
   reference: RFC XXXX

   name:      ietf-snmp-target
   parent:    ietf-snmp
   reference: RFC XXXX

   name:      ietf-snmp-vacm
   parent:    ietf-snmp
   reference: RFC XXXX

   name:      ietf-snmp-usm
   parent:    ietf-snmp
   reference: RFC XXXX

   name:      ietf-snmp-tsm
   parent:    ietf-snmp
   reference: RFC XXXX

   name:      ietf-snmp-tls
   parent:    ietf-snmp
   reference: RFC XXXX

   name:      ietf-snmp-ssh
   parent:    ietf-snmp
   reference: RFC XXXX

6.  Security Considerations

The YANG module and submodules defined in this memo are designed to
be accessed via the NETCONF protocol [RFC6241].  The lowest NETCONF
layer is the secure transport layer and the mandatory-to-implement
secure transport is SSH [RFC6242].
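The ietf-snmp-vacm submodule in Section 4.9 splits the three VACM MIB tables into group members, access entries and views. To show how those pieces combine into one authorization decision, here is an added example in Python, not code from the draft or from any SNMP implementation, that walks the isAccessAllowed() steps of RFC 3415 over a configuration laid out like the /snmp/vacm subtree. The enum spellings for snmp:security-model ('v1', 'v2c', 'usm', plus 'any' for security-model-or-any) and snmp:security-level ('no-auth-no-priv', 'auth-no-priv', 'auth-priv') are assumed from the ietf-snmp-common submodule, which is not reproduced on this page; the sample configuration is constructed for the example, and ties between equal-length view families are resolved in favour of the first one listed, a simplification of the MIB's rule.

```python
"""Added example (not the draft's code): evaluating a VACM access decision
over a configuration shaped like /snmp/vacm in ietf-snmp-vacm."""
from typing import Optional

# Assumed ordering of snmp:security-level (ietf-snmp-common, not shown here).
# An access entry states the MINIMUM level a request must present.
LEVEL = {"no-auth-no-priv": 1, "auth-no-priv": 2, "auth-priv": 3}

# Constructed sample configuration mirroring /snmp/vacm (not from the draft).
VACM = {
    "group": [
        {"name": "admins",
         "member": [{"security-name": "alice", "security-model": ["usm"]}],
         "access": [
             # read-only unless the request is authenticated AND encrypted
             {"context": "", "context-match": "exact", "security-model": "usm",
              "security-level": "auth-no-priv", "read-view": "all"},
             {"context": "", "context-match": "exact", "security-model": "usm",
              "security-level": "auth-priv", "read-view": "all",
              "write-view": "all"}]},
        {"name": "monitors",
         "member": [{"security-name": "public", "security-model": ["v1", "v2c"]},
                    {"security-name": "bob", "security-model": ["usm"]}],
         "access": [
             {"context": "", "context-match": "prefix", "security-model": "any",
              "security-level": "no-auth-no-priv", "read-view": "system-only"}]},
    ],
    "view": [
        {"name": "all", "include": ["1"], "exclude": []},
        # system group minus sysLocation; '*' matches any one sub-identifier
        {"name": "system-only", "include": ["1.3.6.1.2.1.1"],
         "exclude": ["1.3.6.1.2.1.1.6.*"]},
    ],
}


def find_group(vacm, security_model, security_name) -> Optional[dict]:
    """vacmSecurityToGroupTable lookup.  The draft forbids a (name, model)
    pair from appearing in more than one group, so the first hit is the only one."""
    for g in vacm["group"]:
        for m in g["member"]:
            if m["security-name"] == security_name and security_model in m["security-model"]:
                return g
    return None


def select_access(group, context, security_model, security_level) -> Optional[dict]:
    """vacmAccessTable selection in RFC 3415 preference order: exact
    security-model beats 'any', exact context match beats prefix, a longer
    context prefix beats a shorter one, then the higher security-level wins."""
    candidates = []
    for a in group["access"]:
        match = a.get("context-match", "exact")
        ctx_ok = context == a["context"] if match == "exact" else context.startswith(a["context"])
        model_ok = a["security-model"] in (security_model, "any")
        level_ok = LEVEL[a["security-level"]] <= LEVEL[security_level]
        if ctx_ok and model_ok and level_ok:
            candidates.append(a)
    if not candidates:
        return None
    return max(candidates, key=lambda a: (a["security-model"] != "any",
                                          a.get("context-match", "exact") == "exact",
                                          len(a["context"]),
                                          LEVEL[a["security-level"]]))


def family_matches(family: str, oid: str) -> bool:
    """A wildcard-object-identifier family covers an OID when the OID is at least
    as long as the family and every non-'*' sub-identifier agrees."""
    f, o = family.split("."), oid.split(".")
    return len(f) <= len(o) and all(x == "*" or x == y for x, y in zip(f, o))


def oid_in_view(vacm, view_name, oid) -> bool:
    """vacmViewTreeFamilyTable check: the longest matching family decides.
    An unknown view name, or no matching family at all, means not in view."""
    view = next((v for v in vacm["view"] if v["name"] == view_name), None)
    if view is None:
        return False
    best = None  # (family depth, included?)
    for included, key in ((True, "include"), (False, "exclude")):
        for fam in view.get(key, []):
            if family_matches(fam, oid):
                depth = len(fam.split("."))
                if best is None or depth > best[0]:
                    best = (depth, included)
    return best is not None and best[1]


def is_access_allowed(vacm, security_model, security_name, security_level,
                      context, view_type, oid) -> str:
    """Mirror of isAccessAllowed(): 'accessAllowed' or the reason for denial.
    view_type is 'read', 'write' or 'notify', matching the access-list leaves."""
    group = find_group(vacm, security_model, security_name)
    if group is None:
        return "noGroupName"
    entry = select_access(group, context, security_model, security_level)
    if entry is None:
        return "noAccessEntry"
    view_name = entry.get(view_type + "-view")
    if not view_name:  # an absent leaf maps to a zero-length view name
        return "noSuchView"
    return "accessAllowed" if oid_in_view(vacm, view_name, oid) else "notInView"


if __name__ == "__main__":
    sys_name, sys_location = "1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.1.6.0"
    print(is_access_allowed(VACM, "v2c", "public", "no-auth-no-priv", "", "read", sys_name))
    print(is_access_allowed(VACM, "v2c", "public", "no-auth-no-priv", "", "read", sys_location))
    print(is_access_allowed(VACM, "usm", "alice", "auth-no-priv", "", "write", sys_name))
```

Running the module prints the three decisions for a v2c read of sysName (allowed), a v2c read of sysLocation (excluded by the longer family) and an unencrypted write by alice (no write-view at that level). The point to notice is that each stage of the decision comes from a different list in the model, which is why the Security Considerations treat the whole /snmp/vacm subtree as one unit of policy.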
There are a number of data nodes defined in the YANG module and
submodules which are writable/creatable/deletable (i.e., config true,
which is the default).  These data nodes may be considered sensitive
or vulnerable in some network environments.  Write operations (e.g.,
edit-config) to these data nodes without proper protection can have a
negative effect on network operations.  These are the subtrees and
data nodes and their sensitivity/vulnerability:

o  The /snmp/engine subtree contains the configuration of general
   parameters of an SNMP engine such as the endpoints to listen on,
   the transports and SNMP versions enabled, or the engine's
   identity.  Write access to this subtree should only be granted to
   entities configuring general SNMP engine parameters.

o  The /snmp/target subtree contains the configuration of SNMP
   targets and in particular which transports to use and their
   security parameters.  Write access to this subtree should only be
   granted to the security administrator and entities configuring
   SNMP notification forwarding behavior.

o  The /snmp/notify and /snmp/notify-filter-profile subtrees contain
   the configuration for the SNMP notification forwarding and
   filtering mechanisms.  Write access to these subtrees should only
   be granted to entities configuring SNMP notification forwarding
   behavior.

o  The /snmp/proxy subtree contains the configuration for SNMP
   proxies.  Write access to this subtree should only be granted to
   entities configuring SNMP proxies.

o  The /snmp/community subtree contains the configuration of the
   community-based security model.  Write access to this subtree
   should only be granted to the security administrator.

o  The /snmp/usm subtree contains the configuration of the user-based
   security model.  Write access to this subtree should only be
   granted to the security administrator.
o  The /snmp/tsm subtree contains the configuration of the transport
   layer security model for SNMP.  Write access to this subtree
   should only be granted to the security administrator.

o  The /snmp/tlstm subtree contains the configuration of the SNMP
   transport over (D)TLS and in particular the configuration of how
   certificates are mapped to SNMP security names.  Write access to
   this subtree should only be granted to the security administrator.

o  The /snmp/vacm subtree contains the configuration of the view-
   based access control mechanism used by SNMP to authorize access to
   management information via SNMP.  Write access to this subtree
   should only be granted to the security administrator.

Some of the readable data nodes in the YANG module and submodules may
be considered sensitive or vulnerable in some network environments.
It is thus important to control read access (e.g., via get, get-
config, or notification) to these data nodes.  These are the subtrees
and data nodes and their sensitivity/vulnerability:

o  The /snmp/engine subtree exposes general information about an
   SNMP engine such as which version(s) of SNMP are enabled or which
   transports are enabled.

o  The /snmp/target subtree exposes information about which
   transports are used to reach certain SNMP targets and which
   transport-specific parameters are used.

o  The /snmp/notify and /snmp/notify-filter-profile subtrees expose
   information about how notifications are filtered and forwarded to
   notification targets.

o  The /snmp/proxy subtree exposes information about proxy
   relationships.

o  The /snmp/community, /snmp/usm, /snmp/tsm, /snmp/tlstm, and
   /snmp/vacm subtrees are specifically sensitive since they expose
   information about the authentication and authorization policy used
   by an SNMP engine.
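The lists above single out /snmp/vacm because it carries the engine's authorization policy, and Section 4.9 adds a structural rule on top of that: a combination of security-name and security-model MUST NOT be present in more than one group, so moving a member between groups is necessarily a delete plus a create. As an added example, written for this page rather than taken from the draft, here is a Python sketch that treats an edit to that subtree as a single validated transaction: the change is prepared on a private copy, checked against the model's constraints, and swapped into the running configuration in one assignment, so no reader of the running data ever sees the member in zero or two groups. The `must_keep` lockout guard is my own addition rather than a rule from the draft; the sample configuration is constructed, and the enum spellings are assumed from the ietf-snmp-common submodule, which is not shown on this page.

```python
"""Added example (not the draft's code): transactional edits to a
configuration shaped like the /snmp/vacm subtree of ietf-snmp-vacm."""
import copy

# Constructed sample /snmp/vacm configuration (not from the draft).
INITIAL = {
    "group": [
        {"name": "admins",
         "member": [{"security-name": "alice", "security-model": ["usm"]}],
         "access": [{"context": "", "security-model": "usm",
                     "security-level": "auth-priv",
                     "read-view": "all", "write-view": "all"}]},
        {"name": "monitors",
         "member": [{"security-name": "bob", "security-model": ["usm"]},
                    {"security-name": "public", "security-model": ["v2c"]}],
         "access": [{"context": "", "security-model": "any",
                     "security-level": "no-auth-no-priv", "read-view": "system"}]},
    ],
    "view": [{"name": "all", "include": ["1"]},
             {"name": "system", "include": ["1.3.6.1.2.1.1"]}],
}


def group_of(vacm, security_name, security_model):
    """Name of the group holding this (security-name, security-model) pair, or None."""
    for g in vacm["group"]:
        for m in g["member"]:
            if m["security-name"] == security_name and security_model in m["security-model"]:
                return g["name"]
    return None


def check(vacm, must_keep=()):
    """Return the list of constraint violations in a candidate configuration:
    - a (security-name, security-model) pair in more than one group
      (the MUST NOT in ietf-snmp-vacm's 'member' list);
    - an access entry naming a view absent from /snmp/vacm/view (the
      restriction the draft says implementations MAY enforce);
    - a principal in must_keep left without any group (lockout guard; my
      own addition, not a rule from the draft)."""
    problems = []
    owner = {}
    for g in vacm["group"]:
        for m in g["member"]:
            for model in m["security-model"]:
                key = (m["security-name"], model)
                if owner.setdefault(key, g["name"]) != g["name"]:
                    problems.append(f"{key} is a member of both {owner[key]} and {g['name']}")
    views = {v["name"] for v in vacm["view"]}
    for g in vacm["group"]:
        for a in g["access"]:
            for kind in ("read-view", "write-view", "notify-view"):
                if a.get(kind) and a[kind] not in views:
                    problems.append(f"group {g['name']}: {kind} '{a[kind]}' is not a configured view")
    for name, model in must_keep:
        if group_of(vacm, name, model) is None:
            problems.append(f"({name}, {model}) would lose all VACM group membership")
    return problems


class VacmStore:
    """Running /snmp/vacm configuration with commit semantics.  An edit is
    applied to a private deep copy, validated, and then installed with a
    single reference assignment, so the running data is never half-updated."""

    def __init__(self, vacm):
        self._running = copy.deepcopy(vacm)

    def running(self):
        return self._running

    def commit(self, edit, must_keep=()):
        """Apply edit(candidate); return [] on success, else the problems
        found, in which case the running configuration is left untouched."""
        candidate = copy.deepcopy(self._running)
        edit(candidate)
        problems = check(candidate, must_keep)
        if not problems:
            self._running = candidate  # the one atomic step
        return problems


def move_member(vacm, security_name, security_model, src, dst):
    """Delete the (name, model) pair from group src and create it in group dst
    inside the same candidate, so the delete/create cycle is never visible."""
    groups = {g["name"]: g for g in vacm["group"]}
    entry = next(m for m in groups[src]["member"]
                 if m["security-name"] == security_name and security_model in m["security-model"])
    entry["security-model"].remove(security_model)
    if not entry["security-model"]:  # security-model has min-elements 1: drop the member
        groups[src]["member"].remove(entry)
    groups[dst]["member"].append({"security-name": security_name,
                                  "security-model": [security_model]})


if __name__ == "__main__":
    store = VacmStore(INITIAL)
    print(store.commit(lambda c: move_member(c, "bob", "usm", "monitors", "admins"),
                       must_keep=[("alice", "usm")]))  # [] : committed
    print(store.commit(lambda c: c["group"][0]["member"].append(
        {"security-name": "public", "security-model": ["v2c"]})))  # rejected
```

The first commit moves bob and succeeds; the second would put `public`/v2c in two groups and is rejected with the running configuration unchanged. The same `commit` path is where an implementation would also hold its SNMP-side instrumentation update, so that the NETCONF view and the SNMP engine's view of the policy change together.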
Changes to the SNMP access control rules should be made either
atomically (through a single edit-config or a single commit), or care
must be taken that they are made in a sequence that does not
temporarily open access to resources.  Implementations supporting
SNMP write access must ensure that any SNMP access control rule
changes over NETCONF are applied atomically to the SNMP
instrumentation as well.  In particular, changes involving an internal
delete/create cycle (e.g., to move a user to a different group) must
be done with sufficient protections such that even a power failure
immediately after the delete does not leave the administrator locked
out.

Security administrators need to ensure that NETCONF access control
rules and SNMP access control rules implement a consistent security
policy.  Specifically, the SNMP access control rules should prevent
accidental leakage of sensitive security parameters such as community
strings.  See the Security Considerations section of [RFC3584] for
further details.

7.  Acknowledgments

The authors want to thank Wes Hardaker and David Spakes for their
detailed reviews.  Additional valuable comments were provided by
David Harrington, Borislav Lukovic and Randy Presuhn.

Juergen Schoenwaelder was partly funded by Flamingo, a Network of
Excellence project (ICT-318488) supported by the European Commission
under its Seventh Framework Programme.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6241]  Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
              Bierman, "Network Configuration Protocol (NETCONF)",
              RFC 6241, June 2011.
   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              March 2012.

   [RFC6991]  Schoenwaelder, J., "Common YANG Data Types", RFC 6991,
              July 2013.

8.2. Informative References

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412,
              December 2002.

   [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62,
              RFC 3413, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415,
              December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC3584]  Frye, R., Levi, D., Routhier, S., and B. Wijnen,
              "Coexistence between Version 1, Version 2, and Version 3
              of the Internet-standard Network Management Framework",
              BCP 74, RFC 3584, August 2003.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)",
              RFC 5591, June 2009.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, June 2009.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              RFC 6353, July 2011.

   [RFC6643]  Schoenwaelder, J., "Translation of Structure of Management
              Information Version 2 (SMIv2) MIB Modules to YANG
              Modules", RFC 6643, July 2012.

Appendix A. Example configurations

A.1. Engine Configuration Example

   Below is an XML instance document showing a configuration of an SNMP
   engine listening on UDP port 161 on IPv4 and IPv6 endpoints and
   accepting SNMPv2c and SNMPv3 messages.

   (The XML markup of this example was lost in extraction; only the
   leaf values survive, in document order.)

   true
   all-ipv4-udp
   0.0.0.0
   161
   all-ipv6-udp
   ::
   161
   80:00:02:b8:04:61:62:63

A.2. Community Configuration Example

   Below is an XML instance document showing a configuration that maps
   the community name "public" to the security-name "community-public"
   on the local engine with the default context name.  The target tag
   "community-public-access" filters the access to this community name.

   (The XML markup of this example was lost in extraction; only the
   leaf values survive, in document order.)

   1
   public
   community-public
   community-public-access
   management-station
   2001:db8::abcd
   161
   blue
   community-public-access
   v2c-public
   v2c-public
   community-public

A.3. User-based Security Model Configuration Example

   Below is an XML instance document showing the configuration of a
   local user "joey" who has no authentication or privacy keys.  For
   the remote SNMP engine identified by the snmpEngineID
   '800002b804616263'H, two users are configured.  The user "matt" has
   a localized SHA authentication key and the user "russ" has a
   localized SHA authentication key and an AES encryption key.
   (The XML markup of this example was lost in extraction; only the
   leaf values survive, in document order.)

   joey
   00:00:00:00:00:00:00:00:00:00:00:02
   matt
   66:95:fe:bc:92:88:e3:62:82:23:5f:c7:15:1f:12:84:97:b3:8f:3f
   russ
   66:95:fe:bc:92:88:e3:62:82:23:5f:c7:15:1f:12:84:97:b3:8f:3f
   66:95:fe:bc:92:88:e3:62:82:23:5f:c7:15:1f:12:84
   bluebox
   2001:db8::abcd
   161
   blue
   matt-auth
   matt-auth
   matt
   auth-no-priv

A.4. Target and Notification Configuration Example

   Below is an XML instance document showing the configuration of a
   notification generator application (see Appendix A of [RFC3413]).
   Note that the USM-specific objects are defined in the
   ietf-snmp-usm.yang submodule.

   (The XML markup of this example was lost in extraction; only the
   leaf values survive, in document order.)

   addr1
   192.0.2.3
   162
   group1
   joe-auth
   addr2
   192.0.2.6
   162
   group1
   joe-auth
   addr3
   192.0.2.9
   162
   group2
   bob-priv
   joe-auth
   joe
   auth-no-priv
   bob-priv
   bob
   auth-priv
   group1
   group1
   trap
   group2
   group2
   trap

A.5. Proxy Configuration Example

   Below is an XML instance document showing the configuration of a
   proxy forwarder application.  It proxies SNMPv2c messages from
   command generators to a file server running an SNMPv1 agent that
   recognizes two community strings, "private" and "public", with
   different associated read views.  The file server is represented as
   two "target" instances, one for each community string.
   If the proxy receives an SNMPv2c message with the community string
   "public" from a device in the "Office Network" or "Home Office
   Network", it gets tagged as "trusted", and the proxy uses the
   "private" community string when sending the message to the file
   server.  Other SNMPv2c messages with the community string "public"
   get tagged as "non-trusted", and the proxy uses the "public"
   community string for these messages.  There is also a special
   "backdoor" community string that can be used from any location to
   get "trusted" access.

   The "Office Network" and "Home Office Network" are represented as
   two "target" instances.  These "target" instances have target-params
   "none", which refers to a non-existing target-params entry.

   (The XML markup of this example was lost in extraction; only the
   leaf values survive, in document order.)

   File Server (private)
   192.0.2.1
   v1-private
   File Server (public)
   192.0.2.1
   v1-public
   Office Network
   192.0.2.0
   24
   office
   none
   Home Office Network
   203.0.113.0
   24
   home-office
   none
   v1-private
   private
   v1-public
   public
   v2c-public
   public
   c1
   public
   80:00:61:81:c8
   trusted
   office
   c2
   public
   80:00:61:81:c8
   trusted
   home-office
   c3
   public
   80:00:61:81:c8
   not-trusted
   c4
   backdoor
   public
   80:00:61:81:c8
   trusted
   c5
   private
   80:00:61:81:c8
   trusted
   p1
   read
   80:00:61:81:c8
   trusted
   v2c-public
   File Server (private)
   p2
   read
   80:00:61:81:c8
   not-trusted
   v2c-public
   File Server (public)

   If an SNMPv2c Get request with community string "public" is received
   from an IP address tagged as "office" or "home-office", or if the
   request is received from anywhere else with community string
   "backdoor", the implied context is "trusted" and so proxy entry "p1"
   matches.  The request is forwarded to the file server as SNMPv1 with
   community "private", using community table entry "c5" for the
   outbound params lookup.

   If an SNMPv2c Get request with community string "public" is received
   from any other IP address, the implied context is "not-trusted", so
   proxy entry "p2" matches, and the request is forwarded to the file
   server as SNMPv1 with community "public".

A.6. View-based Access Control Model Configuration Example

   Below is an XML instance document showing the minimum-secure VACM
   configuration (see Appendix A of [RFC3415]).

   (The XML markup of this example was lost in extraction; only the
   leaf values survive, in document order.)

   initial
   initial
   usm
   usm
   no-auth-no-priv
   restricted
   restricted
   usm
   auth-no-priv
   internet
   internet
   internet
   initial
   1.3.6.1
   restricted
   1.3.6.1

   The following XML instance document shows the semi-secure VACM
   configuration (only the view configuration is different).

   (The XML markup of this example was lost in extraction; only the
   leaf values survive, in document order.)

   initial
   initial
   usm
   usm
   no-auth-no-priv
   restricted
   restricted
   usm
   auth-no-priv
   internet
   internet
   internet
   initial
   1.3.6.1
   restricted
   1.3.6.1.2.1.1
   1.3.6.1.2.1.11
   1.3.6.1.6.3.10.2.1
   1.3.6.1.6.3.11.2.1
   1.3.6.1.6.3.15.1.1

A.7. Transport Layer Security Transport Model Configuration Example

   Below is an XML instance document showing the configuration of the
   certificate to security name mapping (see Appendix A.2 and A.3 of
   [RFC6353]).
   (The XML markup of this example was lost in extraction; only the
   leaf values survive, in document order.)

   1
   11:0A:05:11:00
   x509c2n:san-any
   2
   11:0A:05:11:00
   x509c2n:specified
   Joe Cool

Authors' Addresses

   Martin Bjorklund
   Tail-f Systems

   Email: mbj@tail-f.com

   Juergen Schoenwaelder
   Jacobs University

   Email: j.schoenwaelder@jacobs-university.de
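   The following Python is added here as an example and is not part of
   this document.  It serves two passages: the semi-secure VACM
   configuration of Appendix A.6 and the rule-change sequencing
   requirement of Section 6.  It implements a reduced form of the
   isAccessAllowed decision of [RFC3415] over the A.6 configuration
   (group "initial" with one usm member, the "restricted" and
   "internet" views; the A.6 view list names the 1.3.6.1 view
   "initial" while the access entries reference it as "internet", and
   "internet" is the name used here).  It then replays a move of the
   "initial" security name into a second group, once as an internal
   delete/create cycle and once as a single in-place update, and counts
   the intermediate states in which the security name has lost write
   access.  The second group "admins", its access entry, and the write
   target OID 1.3.6.1.6.3.16.1.2 (vacmSecurityToGroupTable) are
   assumptions of the example; context matching, view masks, and the
   exact-match preferences of RFC 3415 are omitted.

```python
"""Added example, not part of draft-ietf-netmod-snmp-cfg: a reduced
isAccessAllowed [RFC3415] over the semi-secure VACM configuration of
Appendix A.6, plus a replay of a group-membership change that shows
where a delete/create cycle (Section 6) leaves a lockout window.
Simplifications: single (default) context, security model must match
exactly, views are include/exclude subtree lists without masks."""
import copy

LEVEL = {"no-auth-no-priv": 0, "auth-no-priv": 1, "auth-priv": 2}

# Semi-secure configuration of Appendix A.6 as plain Python.  The view
# referenced by the auth-no-priv access entry is called "internet" here.
SEMI_SECURE = {
    # security-to-group: (security-model, security-name) -> group name
    "member": {("usm", "initial"): "initial"},
    "access": {
        "initial": [
            {"model": "usm", "level": "no-auth-no-priv",
             "read": "restricted", "write": None, "notify": "restricted"},
            {"model": "usm", "level": "auth-no-priv",
             "read": "internet", "write": "internet", "notify": "internet"},
        ],
    },
    "view": {
        "internet": {"include": ["1.3.6.1"], "exclude": []},
        "restricted": {"include": ["1.3.6.1.2.1.1", "1.3.6.1.2.1.11",
                                   "1.3.6.1.6.3.10.2.1", "1.3.6.1.6.3.11.2.1",
                                   "1.3.6.1.6.3.15.1.1"], "exclude": []},
    },
}

# Assumed for the example: a second group with the same write rights.
ADMIN_ACCESS = [{"model": "usm", "level": "auth-no-priv",
                 "read": "internet", "write": "internet", "notify": "internet"}]

# Assumed write target: vacmSecurityToGroupTable (SNMP-VIEW-BASED-ACM-MIB).
VACM_SEC_TO_GROUP = "1.3.6.1.6.3.16.1.2"


def _oid(dotted):
    return tuple(int(x) for x in dotted.split("."))


def in_view(cfg, view_name, oid):
    """The longest included/excluded subtree that prefixes `oid` decides."""
    view = cfg["view"].get(view_name)
    if view is None:
        return False
    target, best = _oid(oid), None  # best = (prefix length, included?)
    for kind in ("include", "exclude"):
        for subtree in view[kind]:
            prefix = _oid(subtree)
            if target[:len(prefix)] == prefix and (best is None or len(prefix) > best[0]):
                best = (len(prefix), kind == "include")
    return best is not None and best[1]


def is_access_allowed(cfg, model, name, level, operation, oid):
    """`operation` is "read", "write" or "notify" (the three view leafs)."""
    group = cfg["member"].get((model, name))
    if group is None:
        return False
    # Candidate entries: same model, entry level not above the request's.
    candidates = [a for a in cfg["access"].get(group, [])
                  if a["model"] == model and LEVEL[a["level"]] <= LEVEL[level]]
    if not candidates:
        return False
    entry = max(candidates, key=lambda a: LEVEL[a["level"]])  # highest level wins
    view_name = entry[operation]
    return view_name is not None and in_view(cfg, view_name, oid)


def with_admin_group(cfg):
    cfg = copy.deepcopy(cfg)
    cfg["access"]["admins"] = ADMIN_ACCESS
    return cfg


def delete_create_move(key, new_group):
    """Internal delete/create cycle: the row is gone between the steps."""
    return [("delete", key, None), ("set", key, new_group)]


def in_place_move(key, new_group):
    """Single update of the group name: no intermediate state."""
    return [("set", key, new_group)]


def replay(cfg, ops):
    """Apply membership operations one at a time, returning every state."""
    states, state = [], copy.deepcopy(cfg)
    for op, key, value in ops:
        if op == "delete":
            del state["member"][key]
        else:
            state["member"][key] = value
        states.append(copy.deepcopy(state))
    return states


def lockout_window(cfg, ops, key, level, oid=VACM_SEC_TO_GROUP):
    """Number of intermediate states in which `key` cannot write `oid`.
    Anything above zero is where a power failure locks the admin out."""
    model, name = key
    return sum(not is_access_allowed(s, model, name, level, "write", oid)
               for s in replay(cfg, ops))


if __name__ == "__main__":
    key, cfg = ("usm", "initial"), with_admin_group(SEMI_SECURE)
    print("delete/create:", lockout_window(cfg, delete_create_move(key, "admins"), key, "auth-no-priv"))
    print("in place:     ", lockout_window(cfg, in_place_move(key, "admins"), key, "auth-no-priv"))
```

   This is the check an implementation can run before pushing a VACM
   change received over NETCONF down to the SNMP instrumentation: if
   any replayed state fails, perform the change as one in-place update
   or reorder the steps so that every intermediate state still passes.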