| draft-ietf-netmod-snmp-cfg-00.txt | draft-ietf-netmod-snmp-cfg-01.txt | |||
|---|---|---|---|---|
| Network Working Group M. Bjorklund | Network Working Group M. Bjorklund | |||
| Internet-Draft Tail-f Systems | Internet-Draft Tail-f Systems | |||
| Intended status: Standards Track J. Schoenwaelder | Intended status: Standards Track J. Schoenwaelder | |||
| Expires: December 7, 2012 Jacobs University | Expires: August 15, 2013 Jacobs University | |||
| June 5, 2012 | February 11, 2013 | |||
| A YANG Data Model for SNMP Configuration | A YANG Data Model for SNMP Configuration | |||
| draft-ietf-netmod-snmp-cfg-00 | draft-ietf-netmod-snmp-cfg-01 | |||
| Abstract | Abstract | |||
| This document defines a collection of YANG definitions for | This document defines a collection of YANG definitions for | |||
| configuring SNMP engines. | configuring SNMP engines. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 32 | skipping to change at page 1, line 32 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on December 7, 2012. | This Internet-Draft will expire on August 15, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 20 | skipping to change at page 2, line 20 | |||
| 2.2. Common Definitions . . . . . . . . . . . . . . . . . . . . 4 | 2.2. Common Definitions . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.3. Engine Configuration . . . . . . . . . . . . . . . . . . . 4 | 2.3. Engine Configuration . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.4. Target Configuration . . . . . . . . . . . . . . . . . . . 5 | 2.4. Target Configuration . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.5. Notification Configuration . . . . . . . . . . . . . . . . 6 | 2.5. Notification Configuration . . . . . . . . . . . . . . . . 6 | |||
| 2.6. Proxy Configuration . . . . . . . . . . . . . . . . . . . 7 | 2.6. Proxy Configuration . . . . . . . . . . . . . . . . . . . 7 | |||
| 2.7. Community Configuration . . . . . . . . . . . . . . . . . 7 | 2.7. Community Configuration . . . . . . . . . . . . . . . . . 7 | |||
| 2.8. View-based Access Control Model Configuration . . . . . . 9 | 2.8. View-based Access Control Model Configuration . . . . . . 9 | |||
| 2.9. User-based Security Model Configuration . . . . . . . . . 9 | 2.9. User-based Security Model Configuration . . . . . . . . . 9 | |||
| 2.10. Transport Security Model Configuration . . . . . . . . . . 11 | 2.10. Transport Security Model Configuration . . . . . . . . . . 11 | |||
| 2.11. Transport Layer Security Transport Model Configuration . . 12 | 2.11. Transport Layer Security Transport Model Configuration . . 12 | |||
| 2.12. Secure Shell Transport Model Configuration . . . . . . . . 13 | ||||
| 3. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 3. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 3.1. Module 'ietf-snmp' . . . . . . . . . . . . . . . . . . . . 14 | 3.1. Module 'ietf-snmp' . . . . . . . . . . . . . . . . . . . . 14 | |||
| 3.2. Submodule 'ietf-snmp-common' . . . . . . . . . . . . . . . 16 | 3.2. Submodule 'ietf-snmp-common' . . . . . . . . . . . . . . . 16 | |||
| 3.3. Submodule 'ietf-snmp-engine' . . . . . . . . . . . . . . . 20 | 3.3. Submodule 'ietf-snmp-engine' . . . . . . . . . . . . . . . 20 | |||
| 3.4. Submodule 'ietf-snmp-target' . . . . . . . . . . . . . . . 23 | 3.4. Submodule 'ietf-snmp-target' . . . . . . . . . . . . . . . 23 | |||
| 3.5. Submodule 'ietf-snmp-notification' . . . . . . . . . . . . 26 | 3.5. Submodule 'ietf-snmp-notification' . . . . . . . . . . . . 27 | |||
| 3.6. Submodule 'ietf-snmp-proxy' . . . . . . . . . . . . . . . 30 | 3.6. Submodule 'ietf-snmp-proxy' . . . . . . . . . . . . . . . 31 | |||
| 3.7. Submodule 'ietf-snmp-community' . . . . . . . . . . . . . 33 | 3.7. Submodule 'ietf-snmp-community' . . . . . . . . . . . . . 33 | |||
| 3.8. Submodule 'ietf-snmp-vacm' . . . . . . . . . . . . . . . . 38 | 3.8. Submodule 'ietf-snmp-vacm' . . . . . . . . . . . . . . . . 38 | |||
| 3.9. Submodule 'ietf-snmp-usm' . . . . . . . . . . . . . . . . 43 | 3.9. Submodule 'ietf-snmp-usm' . . . . . . . . . . . . . . . . 44 | |||
| 3.10. Submodule 'ietf-snmp-tsm' . . . . . . . . . . . . . . . . 48 | 3.10. Submodule 'ietf-snmp-tsm' . . . . . . . . . . . . . . . . 48 | |||
| 3.11. Submodule 'ietf-snmp-tls' . . . . . . . . . . . . . . . . 50 | 3.11. Submodule 'ietf-snmp-tls' . . . . . . . . . . . . . . . . 50 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 56 | 3.12. Submodule 'ietf-snmp-ssh' . . . . . . . . . . . . . . . . 56 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 58 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59 | |||
| 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 59 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 61 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 60 | 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 62 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . . 60 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 63 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . . 60 | 7.1. Normative References . . . . . . . . . . . . . . . . . . . 63 | |||
| Appendix A. Example configurations . . . . . . . . . . . . . . . 62 | 7.2. Informative References . . . . . . . . . . . . . . . . . . 63 | |||
| A.1. Engine Configuration Example . . . . . . . . . . . . . . . 62 | Appendix A. Example configurations . . . . . . . . . . . . . . . 65 | |||
| A.2. Community Configuration Example . . . . . . . . . . . . . 62 | A.1. Engine Configuration Example . . . . . . . . . . . . . . . 65 | |||
| A.3. User-based Security Model Configuration Example . . . . . 63 | A.2. Community Configuration Example . . . . . . . . . . . . . 65 | |||
| A.4. Target and Notification Configuration Example . . . . . . 64 | A.3. User-based Security Model Configuration Example . . . . . 66 | |||
| A.5. Proxy Configuration Example . . . . . . . . . . . . . . . 66 | A.4. Target and Notification Configuration Example . . . . . . 67 | |||
| A.6. View-based Access Control Model Configuration Example . . 68 | A.5. Proxy Configuration Example . . . . . . . . . . . . . . . 69 | |||
| A.6. View-based Access Control Model Configuration Example . . 71 | ||||
| A.7. Transport Layer Security Transport Model Configuration | A.7. Transport Layer Security Transport Model Configuration | |||
| Example . . . . . . . . . . . . . . . . . . . . . . . . . 70 | Example . . . . . . . . . . . . . . . . . . . . . . . . . 73 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 72 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 75 | |||
| 1. Introduction | 1. Introduction | |||
| This document defines a YANG [RFC6020] data model for the | This document defines a YANG [RFC6020] data model for the | |||
| configuration of SNMP engines. The configuration model is consistent | configuration of SNMP engines. The configuration model is consistent | |||
| with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413], | with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413], | |||
| [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591] and [RFC6353] | [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591], [RFC5592], and | |||
| but takes advantage of YANG's ability to define hierarchical | [RFC6353] but takes advantage of YANG's ability to define | |||
| configuration data models. The structure of the model has been | hierarchical configuration data models. The structure of the model | |||
| derived from existing proprietary configuration models implemented as | has been derived from existing proprietary configuration models | |||
| command line interfaces. | implemented as command line interfaces. | |||
| The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14, [RFC2119]. | 14, [RFC2119]. | |||
| 2. Data Model | 2. Data Model | |||
| In order to preserve the modularity of SNMP, the YANG configuration | In order to preserve the modularity of SNMP, the YANG configuration | |||
| data model is organized in a set of YANG submodules, all sharing the | data model is organized in a set of YANG submodules, all sharing the | |||
| skipping to change at page 4, line 27 | skipping to change at page 4, line 27 | |||
| object the YANG node is mapped to. When there is not a simple 1-1 | object the YANG node is mapped to. When there is not a simple 1-1 | |||
| mapping, the "description" statement explains the mapping. | mapping, the "description" statement explains the mapping. | |||
| 2.2. Common Definitions | 2.2. Common Definitions | |||
| The submodule "ietf-snmp-common" defines a set of common typedefs, | The submodule "ietf-snmp-common" defines a set of common typedefs, | |||
| features, and the top-level container "snmp". All configuration | features, and the top-level container "snmp". All configuration | |||
| parameters defined in the other submodules are organized under this | parameters defined in the other submodules are organized under this | |||
| top-level container. | top-level container. | |||
| This submodule defines four YANG features: | This submodule defines five YANG features: | |||
| proxy: A server implements this feature if it can act as an SNMP | proxy: A server implements this feature if it can act as an SNMP | |||
| Proxy. | Proxy. | |||
| notification-filter: A server implements this feature if it supports | notification-filter: A server implements this feature if it supports | |||
| SNMP notification filtering. | SNMP notification filtering. | |||
| tsm: A server implements this feature if it supports the Transport | tsm: A server implements this feature if it supports the Transport | |||
| Security Model (tsm) [RFC5591]. | Security Model (tsm) [RFC5591]. | |||
| sshtm: A server implements this feature if it supports the Secure | ||||
| Shell (SSH) Transport Model (sshtm) [RFC5592]. | ||||
| tlstm: A server implements this feature if it supports the Transport | tlstm: A server implements this feature if it supports the Transport | |||
| Layer Security (TLS) Transport Model (tlstm) [RFC6353]. | Layer Security (TLS) Transport Model (tlstm) [RFC6353]. | |||
| 2.3. Engine Configuration | 2.3. Engine Configuration | |||
| The submodule "ietf-snmp-engine", which defines configuration | The submodule "ietf-snmp-engine", which defines configuration | |||
| parameters that are specific to SNMP engines, has the following | parameters that are specific to SNMP engines, has the following | |||
| structure: | structure: | |||
| +--rw snmp | +--rw snmp | |||
| skipping to change at page 11, line 28 | skipping to change at page 11, line 28 | |||
| +--rw usm | +--rw usm | |||
| +--rw user-name snmp:security-name | +--rw user-name snmp:security-name | |||
| +--rw security-level security-level | +--rw security-level security-level | |||
| In the MIB, there is a single table with local and remote users, | In the MIB, there is a single table with local and remote users, | |||
| indexed by the engine id and user name. In the YANG model, there is | indexed by the engine id and user name. In the YANG model, there is | |||
| one list of local users, and a nested list of remote users. | one list of local users, and a nested list of remote users. | |||
| In the MIB, there are several objects related to changing the | In the MIB, there are several objects related to changing the | |||
| authentication and privacy keys. These objects are not present in | authentication and privacy keys. These objects are not present in | |||
| the YANG model. Instead, there is a choice between a password or a | the YANG model. However, the localized key can be changed. This | |||
| localized key. If a password is given, it is used by the server to | implies that if the engine id is changed, all users keys need to be | |||
| calculate a localized key, which is stored in the configuration. The | changed as well. | |||
| clear-text password is never stored. This implies that if the engine | ||||
| id is changed, all users keys need to be changed as well. | ||||
| 2.10. Transport Security Model Configuration | 2.10. Transport Security Model Configuration | |||
| The submodule "ietf-snmp-tsm", which defines configuration parameters | The submodule "ietf-snmp-tsm", which defines configuration parameters | |||
| that correspond to the objects in SNMP-TSM-MIB, has the following | that correspond to the objects in SNMP-TSM-MIB, has the following | |||
| structure: | structure: | |||
| +--rw snmp | +--rw snmp | |||
| +--rw tsm | +--rw tsm | |||
| +--rw use-prefix? boolean | +--rw use-prefix? boolean | |||
| skipping to change at page 12, line 33 | skipping to change at page 12, line 33 | |||
| The submodule "ietf-snmp-tls", which defines configuration parameters | The submodule "ietf-snmp-tls", which defines configuration parameters | |||
| that correspond to the objects in SNMP-TLS-TM-MIB, has the following | that correspond to the objects in SNMP-TLS-TM-MIB, has the following | |||
| structure: | structure: | |||
| +--rw snmp | +--rw snmp | |||
| ... | ... | |||
| +--rw target [name] | +--rw target [name] | |||
| | ... | | ... | |||
| | +--rw (transport) | | +--rw (transport) | |||
| | ... | ||||
| | +--:(tls) | | +--:(tls) | |||
| | | +--rw tls | | | +--rw tls | |||
| | | +-- {common (d)tls transport params} | | | +-- {common (d)tls transport params} | |||
| | +--:(dtls) | | +--:(dtls) | |||
| | +--rw dtls | | +--rw dtls | |||
| | +-- {common (d)tls transport params} | | +-- {common (d)tls transport params} | |||
| +--rw tlstm | +--rw tlstm | |||
| +--rw cert-to-tm-security-name [id] | +--rw cert-to-tm-security-name [id] | |||
| +--rw id uint32 | +--rw id uint32 | |||
| +--rw fingerprint? tls-fingerprint | +--rw fingerprint? tls-fingerprint | |||
| +--rw map-type? identityref | +--rw map-type? identityref | |||
| +--rw cert-specified-tm-security-name? admin-string | +--rw cert-specified-tm-security-name? admin-string | |||
| The "{common (d)tls transport params}" are: | The "{common (d)tls transport params}" are: | |||
| +--rw ip? inet:ip-address | +--rw ip? inet:ip-address | |||
| +--rw port? inet:port-number | +--rw port? inet:port-number | |||
| +--rw client-fingerprint? tls-fingerprint | +--rw client-fingerprint? tls-fingerprint | |||
| +--rw (server-identification)? | +--rw server-fingerprint? tls-fingerprint | |||
| +--:(server-fingerprint) | +--rw server-identity? admin-string | |||
| | +--rw server-fingerprint? tls-fingerprint | ||||
| +--:(server-identity) | ||||
| +--rw server-identity? admin-string | ||||
| It also augments the "/snmp/engine/listen" container with objects for | It also augments the "/snmp/engine/listen" container with objects for | |||
| the D(TLS) transport endpoints: | the D(TLS) transport endpoints: | |||
| +--rw snmp | +--rw snmp | |||
| +--rw engine | +--rw engine | |||
| ... | ... | |||
| +--rw listen | +--rw listen | |||
| ... | ||||
| +--rw tls [ip port] | +--rw tls [ip port] | |||
| | +--rw ip inet:ip-address | | +--rw ip inet:ip-address | |||
| | +--rw port inet:port-number | | +--rw port inet:port-number | |||
| +--rw dtls [ip port] | +--rw dtls [ip port] | |||
| +--rw ip inet:ip-address | +--rw ip inet:ip-address | |||
| +--rw port inet:port-number | +--rw port inet:port-number | |||
| 2.12. Secure Shell Transport Model Configuration | ||||
| The submodule "ietf-snmp-ssh", which defines configuration parameters | ||||
| that correspond to the objects in SNMP-SSH-TM-MIB, has the following | ||||
| structure: | ||||
| +--rw snmp | ||||
| ... | ||||
| +--rw target [name] | ||||
| ... | ||||
| +--rw (transport) | ||||
| ... | ||||
| +--:(ssh) | ||||
| +--rw ssh | ||||
| +--rw ip inet:host | ||||
| +--rw port? inet:port-number | ||||
| +--rw username? string | ||||
| It also augments the "/snmp/engine/listen" container with objects for | ||||
| the SSH transport endpoints: | ||||
| +--rw snmp | ||||
| +--rw engine | ||||
| ... | ||||
| +--rw listen | ||||
| ... | ||||
| +--rw ssh [ip port] | ||||
| 3. Definitions | 3. Definitions | |||
| 3.1. Module 'ietf-snmp' | 3.1. Module 'ietf-snmp' | |||
| <CODE BEGINS> file "ietf-snmp.yang" | <CODE BEGINS> file "ietf-snmp.yang" | |||
| module ietf-snmp { | module ietf-snmp { | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-snmp"; | namespace "urn:ietf:params:xml:ns:yang:ietf-snmp"; | |||
| prefix snmp; | prefix snmp; | |||
| include ietf-snmp-common { | include ietf-snmp-common { | |||
| revision-date 2012-06-05; | revision-date 2013-02-11; | |||
| } | } | |||
| include ietf-snmp-engine { | include ietf-snmp-engine { | |||
| revision-date 2012-06-05; | revision-date 2012-06-05; | |||
| } | } | |||
| include ietf-snmp-target { | include ietf-snmp-target { | |||
| revision-date 2012-06-05; | revision-date 2012-06-05; | |||
| } | } | |||
| include ietf-snmp-notification { | include ietf-snmp-notification { | |||
| revision-date 2012-06-05; | revision-date 2012-06-05; | |||
| } | } | |||
| include ietf-snmp-proxy { | include ietf-snmp-proxy { | |||
| revision-date 2012-06-05; | revision-date 2012-06-05; | |||
| } | } | |||
| include ietf-snmp-community { | include ietf-snmp-community { | |||
| revision-date 2012-06-05; | revision-date 2012-06-05; | |||
| } | } | |||
| include ietf-snmp-usm { | include ietf-snmp-usm { | |||
| revision-date 2012-06-05; | revision-date 2013-02-11; | |||
| } | } | |||
| include ietf-snmp-tsm { | include ietf-snmp-tsm { | |||
| revision-date 2012-06-05; | revision-date 2012-06-05; | |||
| } | } | |||
| include ietf-snmp-vacm { | include ietf-snmp-vacm { | |||
| revision-date 2012-06-05; | revision-date 2012-06-05; | |||
| } | } | |||
| include ietf-snmp-tls { | include ietf-snmp-tls { | |||
| revision-date 2012-06-05; | revision-date 2013-02-11; | |||
| } | ||||
| include ietf-snmp-ssh { | ||||
| revision-date 2012-11-26; | ||||
| } | } | |||
| organization | organization | |||
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | |||
| contact | contact | |||
| "WG Web: <http://tools.ietf.org/wg/netmod/> | "WG Web: <http://tools.ietf.org/wg/netmod/> | |||
| WG List: <mailto:netmod@ietf.org> | WG List: <mailto:netmod@ietf.org> | |||
| WG Chair: David Kessens | WG Chair: David Kessens | |||
| <mailto:david.kessens@nsn.com> | <mailto:david.kessens@nsn.com> | |||
| WG Chair: Juergen Schoenwaelder | WG Chair: Juergen Schoenwaelder | |||
| <mailto:j.schoenwaelder@jacobs-university.de> | <mailto:j.schoenwaelder@jacobs-university.de> | |||
| Editor: Martin Bjorklund | Editor: Martin Bjorklund | |||
| <mailto:mbj@tail-f.com> | <mailto:mbj@tail-f.com> | |||
| Editor: Juergen Schoenwaelder | Editor: Juergen Schoenwaelder | |||
| skipping to change at page 15, line 39 | skipping to change at page 15, line 44 | |||
| This version of this YANG module is part of RFC XXXX; see | This version of this YANG module is part of RFC XXXX; see | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| // RFC Ed.: replace XXXX with actual RFC number and remove this | // RFC Ed.: replace XXXX with actual RFC number and remove this | |||
| // note. | // note. | |||
| // RFC Ed.: update the date below with the date of RFC publication | // RFC Ed.: update the date below with the date of RFC publication | |||
| // and remove this note. | // and remove this note. | |||
| revision 2012-06-05 { | revision 2012-11-26 { | |||
| description | description | |||
| "Initial revision."; | "Initial revision."; | |||
| reference | reference | |||
| "RFC XXXX: A YANG Data Model for SNMP Configuration"; | "RFC XXXX: A YANG Data Model for SNMP Configuration"; | |||
| } | } | |||
| } | } | |||
| <CODE ENDS> | <CODE ENDS> | |||
| 3.2. Submodule 'ietf-snmp-common' | 3.2. Submodule 'ietf-snmp-common' | |||
| <CODE BEGINS> file "ietf-snmp-common.yang" | <CODE BEGINS> file "ietf-snmp-common.yang" | |||
| submodule ietf-snmp-common { | submodule ietf-snmp-common { | |||
| belongs-to ietf-snmp { | belongs-to ietf-snmp { | |||
| prefix snmp; | prefix snmp; | |||
| skipping to change at page 16, line 15 | skipping to change at page 16, line 16 | |||
| 3.2. Submodule 'ietf-snmp-common' | 3.2. Submodule 'ietf-snmp-common' | |||
| <CODE BEGINS> file "ietf-snmp-common.yang" | <CODE BEGINS> file "ietf-snmp-common.yang" | |||
| submodule ietf-snmp-common { | submodule ietf-snmp-common { | |||
| belongs-to ietf-snmp { | belongs-to ietf-snmp { | |||
| prefix snmp; | prefix snmp; | |||
| } | } | |||
| import ietf-yang-types { | ||||
| prefix yang; | ||||
| } | ||||
| organization | organization | |||
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | |||
| contact | contact | |||
| "WG Web: <http://tools.ietf.org/wg/netmod/> | "WG Web: <http://tools.ietf.org/wg/netmod/> | |||
| WG List: <mailto:netmod@ietf.org> | WG List: <mailto:netmod@ietf.org> | |||
| WG Chair: David Kessens | WG Chair: David Kessens | |||
| <mailto:david.kessens@nsn.com> | <mailto:david.kessens@nsn.com> | |||
| skipping to change at page 16, line 47 | skipping to change at page 17, line 4 | |||
| Copyright (c) 2011 IETF Trust and the persons identified as | Copyright (c) 2011 IETF Trust and the persons identified as | |||
| authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD License | to the license terms contained in, the Simplified BSD License | |||
| set forth in Section 4.c of the IETF Trust's Legal Provisions | set forth in Section 4.c of the IETF Trust's Legal Provisions | |||
| Relating to IETF Documents | Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC XXXX; see | This version of this YANG module is part of RFC XXXX; see | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| // RFC Ed.: replace XXXX with actual RFC number and remove this | // RFC Ed.: replace XXXX with actual RFC number and remove this | |||
| // note. | // note. | |||
| // RFC Ed.: update the date below with the date of RFC publication | // RFC Ed.: update the date below with the date of RFC publication | |||
| // and remove this note. | // and remove this note. | |||
| revision 2012-06-05 { | revision 2013-02-11 { | |||
| description | description | |||
| "Initial revision."; | "Initial revision."; | |||
| reference | reference | |||
| "RFC XXXX: A YANG Data Model for SNMP Configuration"; | "RFC XXXX: A YANG Data Model for SNMP Configuration"; | |||
| } | } | |||
| /* Collection of SNMP features */ | /* Collection of SNMP features */ | |||
| feature proxy { | feature proxy { | |||
| description | description | |||
| skipping to change at page 17, line 38 | skipping to change at page 17, line 43 | |||
| feature tsm { | feature tsm { | |||
| description | description | |||
| "A server implements this feature if it supports the | "A server implements this feature if it supports the | |||
| Transport Security Model for SNMP."; | Transport Security Model for SNMP."; | |||
| reference | reference | |||
| "RFC5591: Transport Security Model for the | "RFC5591: Transport Security Model for the | |||
| Simple Network Management Protocol (SNMP)"; | Simple Network Management Protocol (SNMP)"; | |||
| } | } | |||
| feature sshtm { | ||||
| description | ||||
| "A server implements this feature if it supports the | ||||
| Secure Shell Transport Model for SNMP."; | ||||
| reference | ||||
| "RFC5592: Secure Shell Transport Model for the | ||||
| Simple Network Management Protocol (SNMP)"; | ||||
| } | ||||
| feature tlstm { | feature tlstm { | |||
| description | description | |||
| "A server implements this feature if it supports the | "A server implements this feature if it supports the | |||
| Transport Layer Security Transport Model for SNMP."; | Transport Layer Security Transport Model for SNMP."; | |||
| reference | reference | |||
| "RFC6353: Transport Layer Security (TLS) Transport Model for | "RFC6353: Transport Layer Security (TLS) Transport Model for | |||
| the Simple Network Management Protocol (SNMP)"; | the Simple Network Management Protocol (SNMP)"; | |||
| } | } | |||
| /* Collection of SNMP specific data types */ | /* Collection of SNMP specific data types */ | |||
| skipping to change at page 19, line 36 | skipping to change at page 19, line 51 | |||
| enum no-auth-no-priv { value 1; } | enum no-auth-no-priv { value 1; } | |||
| enum auth-no-priv { value 2; } | enum auth-no-priv { value 2; } | |||
| enum auth-priv { value 3; } | enum auth-priv { value 3; } | |||
| } | } | |||
| reference | reference | |||
| "RFC3411: An Architecture for Describing SNMP Management | "RFC3411: An Architecture for Describing SNMP Management | |||
| Frameworks"; | Frameworks"; | |||
| } | } | |||
| typedef engine-id { | typedef engine-id { | |||
| type string { | type yang:hex-string { | |||
| pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}'; | pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}'; | |||
| } | } | |||
| description | description | |||
| "The Engine ID specified as a list of colon-specified hexa- | "The Engine ID specified as a list of colon-specified hexa- | |||
| decimal octets e.g. '4F:4C:41:71'."; | decimal octets, e.g., '80:00:02:b8:04:61:62:63'."; | |||
| reference | reference | |||
| "RFC3411: An Architecture for Describing SNMP Management | "RFC3411: An Architecture for Describing SNMP Management | |||
| Frameworks"; | Frameworks"; | |||
| } | } | |||
| typedef wildcard-object-identifier { | typedef wildcard-object-identifier { | |||
| type string; | type string; | |||
| description | description | |||
| "The wildcard-object-identifier type represents an SNMP object | "The wildcard-object-identifier type represents an SNMP object | |||
| identifier where subidentifiers can be given either as a label, | identifier where subidentifiers can be given either as a label, | |||
| skipping to change at page 29, line 37 | skipping to change at page 29, line 52 | |||
| leaf name { | leaf name { | |||
| type snmp:identifier; | type snmp:identifier; | |||
| description | description | |||
| "Name of the filter profile"; | "Name of the filter profile"; | |||
| reference | reference | |||
| "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName"; | "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName"; | |||
| } | } | |||
| leaf-list include { | leaf-list include { | |||
| type wildcard-object-identifier; | type snmp:wildcard-object-identifier; | |||
| description | description | |||
| "A family of subtrees included in this filter."; | "A family of subtrees included in this filter."; | |||
| reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree | reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree | |||
| SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask | SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask | |||
| SNMP-NOTIFICATION-MIB.snmpNotifyFilterType"; | SNMP-NOTIFICATION-MIB.snmpNotifyFilterType"; | |||
| } | } | |||
| leaf-list exclude { | leaf-list exclude { | |||
| type wildcard-object-identifier; | type snmp:wildcard-object-identifier; | |||
| description | description | |||
| "A family of subtrees excluded from this filter."; | "A family of subtrees excluded from this filter."; | |||
| reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree | reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree | |||
| SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask | SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask | |||
| SNMP-NOTIFICATION-MIB.snmpNotifyFilterType"; | SNMP-NOTIFICATION-MIB.snmpNotifyFilterType"; | |||
| } | } | |||
| } | } | |||
| leaf enable-authen-traps { | leaf enable-authen-traps { | |||
| type boolean; | type boolean; | |||
| description | description | |||
| "Indicates whether the SNMP entity is permitted to | "Indicates whether the SNMP entity is permitted to | |||
| generate authenticationFailure traps."; | generate authenticationFailure traps."; | |||
| reference "SNMPv2-MIB.snmpEnableAuthenTraps"; | reference "SNMPv2-MIB.snmpEnableAuthenTraps"; | |||
| } | } | |||
| } | } | |||
| skipping to change at page 33, line 7 | skipping to change at page 33, line 24 | |||
| such case represents one entry in the | such case represents one entry in the | |||
| snmpTargetParamsTable. | snmpTargetParamsTable. | |||
| When the snmpProxyTargetParamsIn object contains a | When the snmpProxyTargetParamsIn object contains a | |||
| reference to a non-existing snmpTargetParamsEntry, this | reference to a non-existing snmpTargetParamsEntry, this | |||
| choice does not contain any case, and vice versa."; | choice does not contain any case, and vice versa."; | |||
| } | } | |||
| reference "SNMP-PROXY-MIB.snmpProxyTargetParamsIn"; | reference "SNMP-PROXY-MIB.snmpProxyTargetParamsIn"; | |||
| } | } | |||
| leaf single-target-out { | leaf single-target-out { | |||
| when "../type = read or ../type = write"; | when "../type = 'read' or ../type = 'write'"; | |||
| type snmp:identifier; | type snmp:identifier; | |||
| description | description | |||
| "Implementations MAY restrict the values of this leaf | "Implementations MAY restrict the values of this leaf | |||
| to be one of the available values of /snmp/target/name in | to be one of the available values of /snmp/target/name in | |||
| a valid configuration."; | a valid configuration."; | |||
| reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut"; | reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut"; | |||
| } | } | |||
| leaf multiple-target-out { | leaf multiple-target-out { | |||
| when "../type = trap or ../type = inform"; | when "../type = 'trap' or ../type = 'inform'"; | |||
| type snmp:identifier; | type snmp:identifier; | |||
| description | description | |||
| "Implementations MAY restrict the values of this leaf | "Implementations MAY restrict the values of this leaf | |||
| to be one of the available values of /snmp/target/tag in | to be one of the available values of /snmp/target/tag in | |||
| a valid configuration."; | a valid configuration."; | |||
| reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut"; | reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| skipping to change at page 37, line 39 | skipping to change at page 38, line 4 | |||
| augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { | augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { | |||
| case v1 { | case v1 { | |||
| uses v1-target-params; | uses v1-target-params; | |||
| } | } | |||
| case v2c { | case v2c { | |||
| uses v2c-target-params; | uses v2c-target-params; | |||
| } | } | |||
| } | } | |||
| augment /snmp:snmp/snmp:target { | augment /snmp:snmp/snmp:target { | |||
| when "snmp:v1 or snmp:v2c"; | ||||
| leaf mms { | leaf mms { | |||
| when "snmp:params/snmp:v1 or snmp:params/snmp:v2c"; | ||||
| type union { | type union { | |||
| type enumeration { | type enumeration { | |||
| enum "unknown"; | enum "unknown"; | |||
| } | } | |||
| type int32 { | type int32 { | |||
| range "484..max"; | range "484..max"; | |||
| } | } | |||
| } | } | |||
| default "484"; | default "484"; | |||
| reference | reference | |||
| skipping to change at page 43, line 46 | skipping to change at page 44, line 15 | |||
| 3.9. Submodule 'ietf-snmp-usm' | 3.9. Submodule 'ietf-snmp-usm' | |||
| <CODE BEGINS> file "ietf-snmp-usm.yang" | <CODE BEGINS> file "ietf-snmp-usm.yang" | |||
| submodule ietf-snmp-usm { | submodule ietf-snmp-usm { | |||
| belongs-to ietf-snmp { | belongs-to ietf-snmp { | |||
| prefix snmp; | prefix snmp; | |||
| } | } | |||
| import ietf-yang-types { | ||||
| prefix yang; | ||||
| } | ||||
| import ietf-netconf-acm { | ||||
| prefix nacm; | ||||
| } | ||||
| include ietf-snmp-common; | include ietf-snmp-common; | |||
| include ietf-snmp-target; | include ietf-snmp-target; | |||
| include ietf-snmp-proxy; | include ietf-snmp-proxy; | |||
| organization | organization | |||
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | |||
| contact | contact | |||
| "WG Web: <http://tools.ietf.org/wg/netmod/> | "WG Web: <http://tools.ietf.org/wg/netmod/> | |||
| WG List: <mailto:netmod@ietf.org> | WG List: <mailto:netmod@ietf.org> | |||
| skipping to change at page 44, line 48 | skipping to change at page 45, line 23 | |||
| // RFC Ed.: replace XXXX with actual RFC number and remove this | // RFC Ed.: replace XXXX with actual RFC number and remove this | |||
| // note. | // note. | |||
| reference | reference | |||
| "RFC3414: User-based Security Model (USM) for version 3 of the | "RFC3414: User-based Security Model (USM) for version 3 of the | |||
| Simple Network Management Protocol (SNMPv3)."; | Simple Network Management Protocol (SNMPv3)."; | |||
| // RFC Ed.: update the date below with the date of RFC publication | // RFC Ed.: update the date below with the date of RFC publication | |||
| // and remove this note. | // and remove this note. | |||
| revision 2012-06-05 { | revision 2013-02-11 { | |||
| description | description | |||
| "Initial revision."; | "Initial revision."; | |||
| reference | reference | |||
| "RFC XXXX: A YANG Data Model for SNMP Configuration"; | "RFC XXXX: A YANG Data Model for SNMP Configuration"; | |||
| } | } | |||
| grouping key { | grouping key { | |||
| leaf key { | leaf key { | |||
| type string { | type yang:hex-string; | |||
| pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2})*'; | ||||
| } | ||||
| mandatory true; | mandatory true; | |||
| nacm:default-deny-all; | ||||
| description | description | |||
| "Localized key specified as a list of colon-specified | "Localized key specified as a list of colon-specified | |||
| hexa-decimal octets"; | hexa-decimal octets"; | |||
| } | } | |||
| } | } | |||
| grouping user-list { | grouping user-list { | |||
| list user { | list user { | |||
| key "name"; | key "name"; | |||
| skipping to change at page 47, line 12 | skipping to change at page 47, line 36 | |||
| Represents snmpTargetParamsMPModel '3' and | Represents snmpTargetParamsMPModel '3' and | |||
| snmpTargetParamsSecurityModel '3'"; | snmpTargetParamsSecurityModel '3'"; | |||
| leaf user-name { | leaf user-name { | |||
| type snmp:security-name; | type snmp:security-name; | |||
| mandatory true; | mandatory true; | |||
| reference | reference | |||
| "SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; | "SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; | |||
| } | } | |||
| leaf security-level { | leaf security-level { | |||
| type security-level; | type snmp:security-level; | |||
| mandatory true; | mandatory true; | |||
| reference | reference | |||
| "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; | "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| augment /snmp:snmp/snmp:target/snmp:params { | augment /snmp:snmp/snmp:target/snmp:params { | |||
| case usm { | case usm { | |||
| uses usm-target-params; | uses usm-target-params; | |||
| } | } | |||
| } | } | |||
| augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { | augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { | |||
| case usm { | case usm { | |||
| uses usm-target-params; | uses usm-target-params; | |||
| } | ||||
| } | ||||
| augment /snmp:snmp/snmp:target { | ||||
| leaf engine-id { | ||||
| type leafref { | ||||
| path "/snmp/usm/remote/engine-id"; | ||||
| } | ||||
| must '../usm/user-name' { | ||||
| error-message | ||||
| "When engine-id is set, usm/user-name must also be set."; | ||||
| } | ||||
| must '/snmp/usm/remote[engine-id=current()]/' | ||||
| + 'user[name=current()/../usm/user-name]' { | ||||
| error-message | ||||
| "When engine-id is set, the usm/user-name must exist in | ||||
| the /snmp/usm/remote list for this engine-id."; | ||||
| } | ||||
| description | ||||
| "Needed only if this target can receive InformRequest-PDUs | ||||
| over SNMPv3. | ||||
| This object is not present in the SNMP MIBs. In | ||||
| RFC 3412, it is a implementation specific matter how this | ||||
| engine-id is handled."; | ||||
| reference "RFC 3412 7.1.9a"; | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| <CODE ENDS> | <CODE ENDS> | |||
| 3.10. Submodule 'ietf-snmp-tsm' | 3.10. Submodule 'ietf-snmp-tsm' | |||
| <CODE BEGINS> file "ietf-snmp-tsm.yang" | <CODE BEGINS> file "ietf-snmp-tsm.yang" | |||
| skipping to change at page 50, line 7 | skipping to change at page 50, line 4 | |||
| } | } | |||
| } | } | |||
| grouping tsm-target-params { | grouping tsm-target-params { | |||
| container tsm { | container tsm { | |||
| description | description | |||
| "Transport based security SNMPv3 parameters type. | "Transport based security SNMPv3 parameters type. | |||
| Represents snmpTargetParamsMPModel '3' and | Represents snmpTargetParamsMPModel '3' and | |||
| snmpTargetParamsSecurityModel '4'"; | snmpTargetParamsSecurityModel '4'"; | |||
| leaf security-name { | leaf security-name { | |||
| type snmp:security-name; | type snmp:security-name; | |||
| mandatory true; | mandatory true; | |||
| reference | reference | |||
| "SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; | "SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; | |||
| } | } | |||
| leaf security-level { | leaf security-level { | |||
| type security-level; | type snmp:security-level; | |||
| mandatory true; | mandatory true; | |||
| reference | reference | |||
| "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; | "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| augment /snmp:snmp/snmp:target/snmp:params { | augment /snmp:snmp/snmp:target/snmp:params { | |||
| if-feature tsm; | if-feature tsm; | |||
| case tsm { | case tsm { | |||
| skipping to change at page 50, line 49 | skipping to change at page 50, line 47 | |||
| 3.11. Submodule 'ietf-snmp-tls' | 3.11. Submodule 'ietf-snmp-tls' | |||
| <CODE BEGINS> file "ietf-snmp-tls.yang" | <CODE BEGINS> file "ietf-snmp-tls.yang" | |||
| submodule ietf-snmp-tls { | submodule ietf-snmp-tls { | |||
| belongs-to ietf-snmp { | belongs-to ietf-snmp { | |||
| prefix snmp; | prefix snmp; | |||
| } | } | |||
| import ietf-yang-types { | ||||
| prefix yang; | ||||
| } | ||||
| import ietf-inet-types { | import ietf-inet-types { | |||
| prefix inet; | prefix inet; | |||
| } | } | |||
| include ietf-snmp-common; | include ietf-snmp-common; | |||
| include ietf-snmp-engine; | include ietf-snmp-engine; | |||
| include ietf-snmp-target; | include ietf-snmp-target; | |||
| organization | organization | |||
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | |||
| skipping to change at page 52, line 8 | skipping to change at page 52, line 8 | |||
| // RFC Ed.: replace XXXX with actual RFC number and remove this | // RFC Ed.: replace XXXX with actual RFC number and remove this | |||
| // note. | // note. | |||
| reference | reference | |||
| "RFC6353: Transport Layer Security (TLS) Transport Model for | "RFC6353: Transport Layer Security (TLS) Transport Model for | |||
| the Simple Network Management Protocol (SNMP)"; | the Simple Network Management Protocol (SNMP)"; | |||
| // RFC Ed.: update the date below with the date of RFC publication | // RFC Ed.: update the date below with the date of RFC publication | |||
| // and remove this note. | // and remove this note. | |||
| revision 2012-06-05 { | revision 2013-02-11 { | |||
| description | description | |||
| "Initial revision."; | "Initial revision."; | |||
| reference | reference | |||
| "RFC XXXX: A YANG Data Model for SNMP Configuration"; | "RFC XXXX: A YANG Data Model for SNMP Configuration"; | |||
| } | } | |||
| /* Typedefs */ | /* Typedefs */ | |||
| typedef tls-fingerprint { | typedef tls-fingerprint { | |||
| type string { // FIXME hex-string? | type yang:hex-string { | |||
| pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}'; | pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}'; | |||
| } | } | |||
| description | ||||
| "A fingerprint value that can be used to uniquely reference | ||||
| other data of potentially arbitrary length. | ||||
| An tls-fingerprint value is composed of a 1-octet hashing | ||||
| algorithm identifier followed by the fingerprint value. The | ||||
| octet value encoded is taken from the IANA TLS HashAlgorithm | ||||
| Registry (RFC 5246). The remaining octets are filled using | ||||
| the results of the hashing algorithm. | ||||
| The corresponding TEXTUAL-CONVENTION allows a zero-length | ||||
| value to be used for objects that are optional. In the YANG | ||||
| data models, such objects are represented as optional leafs."; | ||||
| reference "SNMP-TLS-TM-MIB.SnmpTLSFingerprint"; | ||||
| } | } | |||
| /* Identities */ | /* Identities */ | |||
| identity cert-to-tm-security-name { | identity cert-to-tm-security-name { | |||
| } | } | |||
| identity specified { | identity specified { | |||
| base cert-to-tm-security-name; | base cert-to-tm-security-name; | |||
| reference "SNMP-TLS-TM-MIB.snmpTlstmCertSpecified"; | reference "SNMP-TLS-TM-MIB.snmpTlstmCertSpecified"; | |||
| skipping to change at page 53, line 4 | skipping to change at page 53, line 17 | |||
| identity san-ip-address { | identity san-ip-address { | |||
| base cert-to-tm-security-name; | base cert-to-tm-security-name; | |||
| reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress"; | reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress"; | |||
| } | } | |||
| identity san-any { | identity san-any { | |||
| base cert-to-tm-security-name; | base cert-to-tm-security-name; | |||
| reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANAny"; | reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANAny"; | |||
| } | } | |||
| identity common-name { | ||||
| base cert-to-tm-security-name; | ||||
| reference "SNMP-TLS-TM-MIB.snmpTlstmCertCommonName"; | ||||
| } | ||||
| augment /snmp:snmp/snmp:engine/snmp:listen { | augment /snmp:snmp/snmp:engine/snmp:listen { | |||
| if-feature tlstm; | if-feature tlstm; | |||
| list tls { | list tls { | |||
| key "ip port"; | key "ip port"; | |||
| description | description | |||
| "A list of IPv4 and IPv6 addresses and ports to which the | "A list of IPv4 and IPv6 addresses and ports to which the | |||
| engine listens for SNMP messages over TLS."; | engine listens for SNMP messages over TLS."; | |||
| leaf ip { | leaf ip { | |||
| type inet:ip-address; | type inet:ip-address; | |||
| skipping to change at page 54, line 16 | skipping to change at page 54, line 36 | |||
| reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID"; | reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID"; | |||
| } | } | |||
| leaf fingerprint { | leaf fingerprint { | |||
| type tls-fingerprint; | type tls-fingerprint; | |||
| reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint"; | reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint"; | |||
| } | } | |||
| leaf map-type { | leaf map-type { | |||
| type identityref { | type identityref { | |||
| base cert-to-tm-security-name; | base cert-to-tm-security-name; | |||
| } | } | |||
| description | ||||
| "Mappings that use the snmpTlstmCertToTSNData column | ||||
| need to augment the 'cert-to-tm-security-name' list | ||||
| with additional configuration objects corresponding | ||||
| to the snmpTlstmCertToTSNData value. Such objects | ||||
| should use the 'when' statement to make them | ||||
| conditional based on the 'map-type'."; | ||||
| reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType"; | reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType"; | |||
| } | } | |||
| // FIXME: not as flexible as the mib. to get the same | ||||
| // flexibility, either change this to data (choice of binary | ||||
| // and string), or remove the identities and use | ||||
| // augmentation. | ||||
| leaf cert-specified-tm-security-name { | leaf cert-specified-tm-security-name { | |||
| when "../map-type = snmp:specified"; | when "../map-type = 'snmp:specified'"; | |||
| type admin-string; | type snmp:admin-string; | |||
| description | ||||
| "Maps to snmpTlstmCertToTSNData when 'map-type' is | ||||
| 'specified'."; | ||||
| reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData"; | reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| grouping tls-transport { | grouping tls-transport { | |||
| leaf ip { | leaf ip { | |||
| type inet:ip-address; | type inet:host; | |||
| reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress"; | mandatory true; | |||
| reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress | ||||
| SNMP-TLS-TM-MIB.SnmpTLSAddress"; | ||||
| } | } | |||
| leaf port { | leaf port { | |||
| type inet:port-number; | type inet:port-number; | |||
| default 10161; | default 10161; | |||
| reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress"; | reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress | |||
| SNMP-TLS-TM-MIB.SnmpTLSAddress"; | ||||
| } | } | |||
| leaf client-fingerprint { | leaf client-fingerprint { | |||
| type tls-fingerprint; | type tls-fingerprint; | |||
| reference "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint"; | reference "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint"; | |||
| } | } | |||
| choice server-identification { | leaf server-fingerprint { | |||
| leaf server-fingerprint { | type tls-fingerprint; | |||
| type tls-fingerprint; | reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint"; | |||
| reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint"; | } | |||
| } | leaf server-identity { | |||
| leaf server-identity { | type snmp:admin-string; | |||
| type admin-string; | reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity"; | |||
| reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity"; | ||||
| } | ||||
| } | } | |||
| } | } | |||
| augment /snmp:snmp/snmp:target/snmp:transport { | augment /snmp:snmp/snmp:target/snmp:transport { | |||
| if-feature tlstm; | if-feature tlstm; | |||
| case tls { | case tls { | |||
| reference "SNMP-TLS-TM-MIB.snmpTLSTCPDomain"; | reference "SNMP-TLS-TM-MIB.snmpTLSTCPDomain"; | |||
| container tls { | container tls { | |||
| uses tls-transport; | uses tls-transport; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| augment /snmp:snmp/snmp:target/snmp:transport { | augment /snmp:snmp/snmp:target/snmp:transport { | |||
| if-feature tlstm; | if-feature tlstm; | |||
| case dtls { | case dtls { | |||
| reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain"; | reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain"; | |||
| container dtls { | container dtls { | |||
| uses tls-transport; | uses tls-transport; | |||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| <CODE ENDS> | ||||
| 3.12. Submodule 'ietf-snmp-ssh' | ||||
| <CODE BEGINS> file "ietf-snmp-ssh.yang" | ||||
| submodule ietf-snmp-ssh { | ||||
| belongs-to ietf-snmp { | ||||
| prefix snmp; | ||||
| } | ||||
| import ietf-inet-types { | ||||
| prefix inet; | ||||
| } | ||||
| include ietf-snmp-common; | ||||
| include ietf-snmp-engine; | ||||
| include ietf-snmp-target; | ||||
| organization | ||||
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | ||||
| contact | ||||
| "WG Web: <http://tools.ietf.org/wg/netmod/> | ||||
| WG List: <mailto:netmod@ietf.org> | ||||
| WG Chair: David Kessens | ||||
| <mailto:david.kessens@nsn.com> | ||||
| WG Chair: Juergen Schoenwaelder | ||||
| <mailto:j.schoenwaelder@jacobs-university.de> | ||||
| Editor: Martin Bjorklund | ||||
| <mailto:mbj@tail-f.com> | ||||
| Editor: Juergen Schoenwaelder | ||||
| <mailto:j.schoenwaelder@jacobs-university.de>"; | ||||
| description | ||||
| "This submodule contains a collection of YANG definitions for | ||||
| configuring the Secure Shell Transport Model (SSHTM) | ||||
| of SNMP. | ||||
| Copyright (c) 2012 IETF Trust and the persons identified as | ||||
| authors of the code. All rights reserved. | ||||
| Redistribution and use in source and binary forms, with or | ||||
| without modification, is permitted pursuant to, and subject | ||||
| to the license terms contained in, the Simplified BSD License | ||||
| set forth in Section 4.c of the IETF Trust's Legal Provisions | ||||
| Relating to IETF Documents | ||||
| (http://trustee.ietf.org/license-info). | ||||
| This version of this YANG module is part of RFC XXXX; see | ||||
| the RFC itself for full legal notices."; | ||||
| // RFC Ed.: replace XXXX with actual RFC number and remove this | ||||
| // note. | ||||
| reference | ||||
| "RFC5592: Secure Shell Transport Model for the | ||||
| Simple Network Management Protocol (SNMP)"; | ||||
| // RFC Ed.: update the date below with the date of RFC publication | ||||
| // and remove this note. | ||||
| revision 2012-11-26 { | ||||
| description | ||||
| "Initial revision."; | ||||
| reference | ||||
| "RFC XXXX: A YANG Data Model for SNMP Configuration"; | ||||
| } | ||||
| augment /snmp:snmp/snmp:engine/snmp:listen { | ||||
| if-feature sshtm; | ||||
| list ssh { | ||||
| key "ip port"; | ||||
| description | ||||
| "A list of IPv4 and IPv6 addresses and ports to which the | ||||
| engine listens for SNMP messages over SSH."; | ||||
| leaf ip { | ||||
| type inet:ip-address; | ||||
| description | ||||
| "The IPv4 or IPv6 address on which the engine listens | ||||
| for SNMP messages over SSH."; | ||||
| } | ||||
| leaf port { | ||||
| type inet:port-number; | ||||
| description | ||||
| "The TCP port on which the engine listens for SNMP | ||||
| messages over SSH."; | ||||
| } | ||||
| } | ||||
| } | ||||
| augment /snmp:snmp/snmp:target/snmp:transport { | ||||
| if-feature sshtm; | ||||
| case ssh { | ||||
| reference "SNMP-SSH-TM-MIB.snmpSSHDomain"; | ||||
| container ssh { | ||||
| leaf ip { | ||||
| type inet:host; | ||||
| mandatory true; | ||||
| reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress | ||||
| SNMP-SSH-TM-MIB.SnmpSSHAddress"; | ||||
| } | ||||
| leaf port { | ||||
| type inet:port-number; | ||||
| default 5161; | ||||
| reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress | ||||
| SNMP-SSH-TM-MIB.SnmpSSHAddress"; | ||||
| } | ||||
| leaf username { | ||||
| type string; | ||||
| reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress | ||||
| SNMP-SSH-TM-MIB.SnmpSSHAddress"; | ||||
| } | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| <CODE ENDS> | <CODE ENDS> | |||
| 4. IANA Considerations | 4. IANA Considerations | |||
| This document registers a URI in the IETF XML registry [RFC3688]. | This document registers a URI in the IETF XML registry [RFC3688]. | |||
| skipping to change at page 58, line 5 | skipping to change at page 60, line 41 | |||
| reference: RFC XXXX | reference: RFC XXXX | |||
| name: ietf-snmp-tsm | name: ietf-snmp-tsm | |||
| parent: ietf-snmp | parent: ietf-snmp | |||
| reference: RFC XXXX | reference: RFC XXXX | |||
| name: ietf-snmp-tls | name: ietf-snmp-tls | |||
| parent: ietf-snmp | parent: ietf-snmp | |||
| reference: RFC XXXX | reference: RFC XXXX | |||
| name: ietf-snmp-ssh | ||||
| parent: ietf-snmp | ||||
| reference: RFC XXXX | ||||
| 5. Security Considerations | 5. Security Considerations | |||
| The YANG module and submodules defined in this memo are designed to | The YANG module and submodules defined in this memo are designed to | |||
| be accessed via the NETCONF protocol [RFC6241]. The lowest NETCONF | be accessed via the NETCONF protocol [RFC6241]. The lowest NETCONF | |||
| layer is the secure transport layer and the mandatory-to-implement | layer is the secure transport layer and the mandatory-to-implement | |||
| secure transport is SSH [RFC6242]. | secure transport is SSH [RFC6242]. | |||
| There are a number of data nodes defined in the YANG module and | There are a number of data nodes defined in the YANG module and | |||
| submodules which are writable/creatable/deletable (i.e., config true, | submodules which are writable/creatable/deletable (i.e., config true, | |||
| which is the default). These data nodes may be considered sensitive | which is the default). These data nodes may be considered sensitive | |||
| skipping to change at page 59, line 7 | skipping to change at page 62, line 7 | |||
| Some of the readable data nodes in the YANG module and submodules may | Some of the readable data nodes in the YANG module and submodules may | |||
| be considered sensitive or vulnerable in some network environments. | be considered sensitive or vulnerable in some network environments. | |||
| It is thus important to control read access (e.g., via get, get- | It is thus important to control read access (e.g., via get, get- | |||
| config, or notification) to these data nodes. These are the subtrees | config, or notification) to these data nodes. These are the subtrees | |||
| and data nodes and their sensitivity/vulnerability: | and data nodes and their sensitivity/vulnerability: | |||
| <list subtrees and data nodes and state why they are sensitive> | <list subtrees and data nodes and state why they are sensitive> | |||
| 6. Acknowledgments | 6. Acknowledgments | |||
| The authors want to thank David Spakes for his review and valuable | The authors want to thank Wes Hardaker and David Spakes for their | |||
| comments. | reviews and valuable comments. | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the | [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the | |||
| Network Configuration Protocol (NETCONF)", RFC 6020, | Network Configuration Protocol (NETCONF)", RFC 6020, | |||
| skipping to change at page 61, line 15 | skipping to change at page 64, line 15 | |||
| of the Internet-standard Network Management Framework", | of the Internet-standard Network Management Framework", | |||
| BCP 74, RFC 3584, August 2003. | BCP 74, RFC 3584, August 2003. | |||
| [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
| January 2004. | January 2004. | |||
| [RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model | [RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model | |||
| for the Simple Network Management Protocol (SNMP)", | for the Simple Network Management Protocol (SNMP)", | |||
| RFC 5591, June 2009. | RFC 5591, June 2009. | |||
| [RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure | ||||
| Shell Transport Model for the Simple Network Management | ||||
| Protocol (SNMP)", RFC 5592, June 2009. | ||||
| [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport | [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport | |||
| Model for the Simple Network Management Protocol (SNMP)", | Model for the Simple Network Management Protocol (SNMP)", | |||
| RFC 6353, July 2011. | RFC 6353, July 2011. | |||
| Appendix A. Example configurations | Appendix A. Example configurations | |||
| A.1. Engine Configuration Example | A.1. Engine Configuration Example | |||
| Below is an XML instance document showing a configuration of an SNMP | Below is an XML instance document showing a configuration of an SNMP | |||
| engine listening on UDP port 161 on IPv4 and IPv6 endpoints and | engine listening on UDP port 161 on IPv4 and IPv6 endpoints and | |||
| End of changes. 62 change blocks. | ||||
| 109 lines changed or deleted | 297 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||