--- 1/draft-ietf-netmod-snmp-cfg-00.txt 2013-02-11 17:03:38.900124000 +0100 +++ 2/draft-ietf-netmod-snmp-cfg-01.txt 2013-02-11 17:03:38.992157751 +0100 @@ -1,19 +1,19 @@ Network Working Group M. Bjorklund Internet-Draft Tail-f Systems Intended status: Standards Track J. Schoenwaelder -Expires: December 7, 2012 Jacobs University - June 5, 2012 +Expires: August 15, 2013 Jacobs University + February 11, 2013 A YANG Data Model for SNMP Configuration - draft-ietf-netmod-snmp-cfg-00 + draft-ietf-netmod-snmp-cfg-01 Abstract This document defines a collection of YANG definitions for configuring SNMP engines. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. 
@@ -21,25 +21,25 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on December 7, 2012. + This Internet-Draft will expire on August 15, 2013. Copyright Notice - Copyright (c) 2012 IETF Trust and the persons identified as the + Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as 
@@ -53,59 +53,61 @@ 2.2. Common Definitions . . . . . . . . . . . . . . . . . . . . 4 2.3. Engine Configuration . . . . . . . . . . . . . . . . . . . 4 2.4. Target Configuration . . . . . . . . . . . . . . . . . . . 5 2.5. Notification Configuration . . . . . . . . . . . . . . . . 6 2.6. Proxy Configuration . . . . . . . . . . . . . . . . . . . 7 2.7. Community Configuration . . . . . . . . . . . . . . . . . 7 2.8. View-based Access Control Model Configuration . . . . . . 9 2.9. User-based Security Model Configuration . . . . . . . . . 9 2.10. Transport Security Model Configuration . . . . . . . . . . 11 2.11. Transport Layer Security Transport Model Configuration . . 12 + 2.12. Secure Shell Transport Model Configuration . . . . . . . . 13 3. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 14 3.1. Module 'ietf-snmp' . . . . . . . . . . . . . . . . . . . . 14 3.2. Submodule 'ietf-snmp-common' . . . . . . . . . . . . . . . 16 3.3. Submodule 'ietf-snmp-engine' . . . . . . . . . . . . . . . 20 3.4. Submodule 'ietf-snmp-target' . . . . . . . . . . . . . . . 23 - 3.5. Submodule 'ietf-snmp-notification' . . . . . . . . . . . . 26 - 3.6. Submodule 'ietf-snmp-proxy' . . . . . . . . . . . . . . . 30 + 3.5. Submodule 'ietf-snmp-notification' . . . . . . . . . . . . 27 + 3.6. Submodule 'ietf-snmp-proxy' . . . . . . . . . . . . . . . 31 3.7. Submodule 'ietf-snmp-community' . . . . . . . . . . . . . 33 3.8. Submodule 'ietf-snmp-vacm' . . . . . . . . . . . . . . . . 38 - 3.9. Submodule 'ietf-snmp-usm' . . . . . . . . . . . . . . . . 43 + 3.9. Submodule 'ietf-snmp-usm' . . . . . . . . . . . . . . . . 44 3.10. Submodule 'ietf-snmp-tsm' . . . . . . . . . . . . . . . . 48 3.11. Submodule 'ietf-snmp-tls' . . . . . . . . . . . . . . . . 50 - 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 56 - 5. Security Considerations . . . . . . . . . . . . . . . . . . . 58 - 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 59 - 7. References . . . . . 
. . . . . . . . . . . . . . . . . . . . . 60 - 7.1. Normative References . . . . . . . . . . . . . . . . . . . 60 - 7.2. Informative References . . . . . . . . . . . . . . . . . . 60 - Appendix A. Example configurations . . . . . . . . . . . . . . . 62 - A.1. Engine Configuration Example . . . . . . . . . . . . . . . 62 - A.2. Community Configuration Example . . . . . . . . . . . . . 62 - A.3. User-based Security Model Configuration Example . . . . . 63 - A.4. Target and Notification Configuration Example . . . . . . 64 - A.5. Proxy Configuration Example . . . . . . . . . . . . . . . 66 - A.6. View-based Access Control Model Configuration Example . . 68 + 3.12. Submodule 'ietf-snmp-ssh' . . . . . . . . . . . . . . . . 56 + 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59 + 5. Security Considerations . . . . . . . . . . . . . . . . . . . 61 + 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 62 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 63 + 7.1. Normative References . . . . . . . . . . . . . . . . . . . 63 + 7.2. Informative References . . . . . . . . . . . . . . . . . . 63 + Appendix A. Example configurations . . . . . . . . . . . . . . . 65 + A.1. Engine Configuration Example . . . . . . . . . . . . . . . 65 + A.2. Community Configuration Example . . . . . . . . . . . . . 65 + A.3. User-based Security Model Configuration Example . . . . . 66 + A.4. Target and Notification Configuration Example . . . . . . 67 + A.5. Proxy Configuration Example . . . . . . . . . . . . . . . 69 + A.6. View-based Access Control Model Configuration Example . . 71 A.7. Transport Layer Security Transport Model Configuration - Example . . . . . . . . . . . . . . . . . . . . . . . . . 70 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 72 + Example . . . . . . . . . . . . . . . . . . . . . . . . . 73 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 75 1. 
Introduction This document defines a YANG [RFC6020] data model for the configuration of SNMP engines. The configuration model is consistent with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413], - [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591] and [RFC6353] - but takes advantage of YANG's ability to define hierarchical - configuration data models. The structure of the model has been - derived from existing proprietary configuration models implemented as - command line interfaces. + [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591], [RFC5592], and + [RFC6353] but takes advantage of YANG's ability to define + hierarchical configuration data models. The structure of the model + has been derived from existing proprietary configuration models + implemented as command line interfaces. The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, [RFC2119]. 2. Data Model In order to preserve the modularity of SNMP, the YANG configuration data model is organized in a set of YANG submodules, all sharing the 
@@ -120,31 +122,34 @@ object the YANG node is mapped to. When there is not a simple 1-1 mapping, the "description" statement explains the mapping. 2.2. Common Definitions The submodule "ietf-snmp-common" defines a set of common typedefs, features, and the top-level container "snmp". All configuration parameters defined in the other submodules are organized under this top-level container. - This submodule defines four YANG features: + This submodule defines five YANG features: proxy: A server implements this feature if it can act as an SNMP Proxy. notification-filter: A server implements this feature if it supports SNMP notification filtering. tsm: A server implements this feature if it supports the Transport Security Model (tsm) [RFC5591]. + sshtm: A server implements this feature if it supports the Secure + Shell (SSH) Transport Model (sshtm) [RFC5592]. + tlstm: A server implements this feature if it supports the Transport Layer Security (TLS) Transport Model (tlstm) [RFC6353]. 2.3. Engine Configuration The submodule "ietf-snmp-engine", which defines configuration parameters that are specific to SNMP engines, has the following structure: +--rw snmp 
@@ -427,25 +432,23 @@ +--rw usm +--rw user-name snmp:security-name +--rw security-level security-level In the MIB, there is a single table with local and remote users, indexed by the engine id and user name. In the YANG model, there is one list of local users, and a nested list of remote users. In the MIB, there are several objects related to changing the authentication and privacy keys. These objects are not present in - the YANG model. Instead, there is a choice between a password or a - localized key. If a password is given, it is used by the server to - calculate a localized key, which is stored in the configuration. The - clear-text password is never stored. This implies that if the engine - id is changed, all users keys need to be changed as well. + the YANG model. However, the localized key can be changed. This + implies that if the engine id is changed, all users keys need to be + changed as well. 2.10. Transport Security Model Configuration The submodule "ietf-snmp-tsm", which defines configuration parameters that correspond to the objects in SNMP-TSM-MIB, has the following structure: +--rw snmp +--rw tsm +--rw use-prefix? boolean 
@@ -475,106 +478,137 @@ The submodule "ietf-snmp-tls", which defines configuration parameters that correspond to the objects in SNMP-TLS-TM-MIB, has the following structure: +--rw snmp ... +--rw target [name] | ... | +--rw (transport) + | ... | +--:(tls) | | +--rw tls | | +-- {common (d)tls transport params} | +--:(dtls) | +--rw dtls | +-- {common (d)tls transport params} +--rw tlstm +--rw cert-to-tm-security-name [id] +--rw id uint32 +--rw fingerprint? tls-fingerprint +--rw map-type? identityref +--rw cert-specified-tm-security-name? admin-string The "{common (d)tls transport params}" are: +--rw ip? inet:ip-address +--rw port? inet:port-number +--rw client-fingerprint? tls-fingerprint - +--rw (server-identification)? - +--:(server-fingerprint) - | +--rw server-fingerprint? tls-fingerprint - +--:(server-identity) + +--rw server-fingerprint? tls-fingerprint +--rw server-identity? admin-string It also augments the "/snmp/engine/listen" container with objects for the D(TLS) transport endpoints: +--rw snmp +--rw engine ... +--rw listen + ... +--rw tls [ip port] | +--rw ip inet:ip-address | +--rw port inet:port-number +--rw dtls [ip port] +--rw ip inet:ip-address +--rw port inet:port-number +2.12. Secure Shell Transport Model Configuration + + The submodule "ietf-snmp-ssh", which defines configuration parameters + that correspond to the objects in SNMP-SSH-TM-MIB, has the following + structure: + + +--rw snmp + ... + +--rw target [name] + ... + +--rw (transport) + ... + +--:(ssh) + +--rw ssh + +--rw ip inet:host + +--rw port? inet:port-number + +--rw username? string + + It also augments the "/snmp/engine/listen" container with objects for + the SSH transport endpoints: + + +--rw snmp + +--rw engine + ... + +--rw listen + ... + +--rw ssh [ip port] + 3. Definitions 3.1. 
Module 'ietf-snmp' file "ietf-snmp.yang" module ietf-snmp { namespace "urn:ietf:params:xml:ns:yang:ietf-snmp"; prefix snmp; include ietf-snmp-common { - revision-date 2012-06-05; + revision-date 2013-02-11; } include ietf-snmp-engine { revision-date 2012-06-05; } include ietf-snmp-target { revision-date 2012-06-05; } include ietf-snmp-notification { revision-date 2012-06-05; } include ietf-snmp-proxy { revision-date 2012-06-05; } include ietf-snmp-community { revision-date 2012-06-05; } include ietf-snmp-usm { - revision-date 2012-06-05; + revision-date 2013-02-11; } include ietf-snmp-tsm { revision-date 2012-06-05; } include ietf-snmp-vacm { revision-date 2012-06-05; } include ietf-snmp-tls { - revision-date 2012-06-05; + revision-date 2013-02-11; + } + include ietf-snmp-ssh { + revision-date 2012-11-26; } organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: + WG Chair: David Kessens WG Chair: Juergen Schoenwaelder Editor: Martin Bjorklund Editor: Juergen Schoenwaelder @@ -596,29 +630,28 @@ This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; // RFC Ed.: replace XXXX with actual RFC number and remove this // note. // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2012-06-05 { + revision 2012-11-26 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } } - 3.2. Submodule 'ietf-snmp-common' file "ietf-snmp-common.yang" submodule ietf-snmp-common { belongs-to ietf-snmp { prefix snmp; @@ -617,20 +650,24 @@ 3.2. Submodule 'ietf-snmp-common' file "ietf-snmp-common.yang" submodule ietf-snmp-common { belongs-to ietf-snmp { prefix snmp; } + import ietf-yang-types { + prefix yang; + } + organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: WG Chair: David Kessens 
@@ -649,31 +686,30 @@ Copyright (c) 2011 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). - This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; // RFC Ed.: replace XXXX with actual RFC number and remove this // note. // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2012-06-05 { + revision 2013-02-11 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } /* Collection of SNMP features */ feature proxy { description @@ -689,20 +725,28 @@ feature tsm { description "A server implements this feature if it supports the Transport Security Model for SNMP."; reference "RFC5591: Transport Security Model for the Simple Network Management Protocol (SNMP)"; } + feature sshtm { + description + "A server implements this feature if it supports the + Secure Shell Transport Model for SNMP."; + reference + "RFC5592: Secure Shell Transport Model for the + Simple Network Management Protocol (SNMP)"; + } feature tlstm { description "A server implements this feature if it supports the Transport Layer Security Transport Model for SNMP."; reference "RFC6353: Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)"; } /* Collection of SNMP specific data types */ 
@@ -784,26 +828,26 @@ enum no-auth-no-priv { value 1; } enum auth-no-priv { value 2; } enum auth-priv { value 3; } } reference "RFC3411: An Architecture for Describing SNMP Management Frameworks"; } typedef engine-id { - type string { + type yang:hex-string { pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}'; } description "The Engine ID specified as a list of colon-specified hexa- - decimal octets e.g. '4F:4C:41:71'."; + decimal octets, e.g., '80:00:02:b8:04:61:62:63'."; reference "RFC3411: An Architecture for Describing SNMP Management Frameworks"; } typedef wildcard-object-identifier { type string; description "The wildcard-object-identifier type represents an SNMP object identifier where subidentifiers can be given either as a label, @@ -1268,37 +1311,36 @@ leaf name { type snmp:identifier; description "Name of the filter profile"; reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName"; } leaf-list include { - type wildcard-object-identifier; + type snmp:wildcard-object-identifier; description "A family of subtrees included in this filter."; reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask SNMP-NOTIFICATION-MIB.snmpNotifyFilterType"; } leaf-list exclude { - type wildcard-object-identifier; + type snmp:wildcard-object-identifier; description "A family of subtrees excluded from this filter."; reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask SNMP-NOTIFICATION-MIB.snmpNotifyFilterType"; } - } leaf enable-authen-traps { type boolean; description "Indicates whether the SNMP entity is permitted to generate authenticationFailure traps."; reference "SNMPv2-MIB.snmpEnableAuthenTraps"; } } 
@@ -1431,30 +1474,30 @@ such case represents one entry in the snmpTargetParamsTable. When the snmpProxyTargetParamsIn object contains a reference to a non-existing snmpTargetParamsEntry, this choice does not contain any case, and vice versa."; } reference "SNMP-PROXY-MIB.snmpProxyTargetParamsIn"; } leaf single-target-out { - when "../type = read or ../type = write"; + when "../type = 'read' or ../type = 'write'"; type snmp:identifier; description "Implementations MAY restrict the values of this leaf to be one of the available values of /snmp/target/name in a valid configuration."; reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut"; } leaf multiple-target-out { - when "../type = trap or ../type = inform"; + when "../type = 'trap' or ../type = 'inform'"; type snmp:identifier; description "Implementations MAY restrict the values of this leaf to be one of the available values of /snmp/target/tag in a valid configuration."; reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut"; } } } } @@ -1651,22 +1695,22 @@ augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { case v1 { uses v1-target-params; } case v2c { uses v2c-target-params; } } augment /snmp:snmp/snmp:target { + when "snmp:v1 or snmp:v2c"; leaf mms { - when "snmp:params/snmp:v1 or snmp:params/snmp:v2c"; type union { type enumeration { enum "unknown"; } type int32 { range "484..max"; } } default "484"; reference @@ -1948,20 +1992,27 @@ 3.9. Submodule 'ietf-snmp-usm' file "ietf-snmp-usm.yang" submodule ietf-snmp-usm { belongs-to ietf-snmp { prefix snmp; } + import ietf-yang-types { + prefix yang; + } + import ietf-netconf-acm { + prefix nacm; + } + include ietf-snmp-common; include ietf-snmp-target; include ietf-snmp-proxy; organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: 
@@ -1998,34 +2049,32 @@ // RFC Ed.: replace XXXX with actual RFC number and remove this // note. reference "RFC3414: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)."; // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2012-06-05 { + revision 2013-02-11 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; - } grouping key { leaf key { - type string { - pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2})*'; - } + type yang:hex-string; mandatory true; + nacm:default-deny-all; description "Localized key specified as a list of colon-specified hexa-decimal octets"; } } grouping user-list { list user { key "name"; 
@@ -2108,63 +2158,38 @@ Represents snmpTargetParamsMPModel '3' and snmpTargetParamsSecurityModel '3'"; leaf user-name { type snmp:security-name; mandatory true; reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; } leaf security-level { - type security-level; + type snmp:security-level; mandatory true; reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; } } } augment /snmp:snmp/snmp:target/snmp:params { case usm { uses usm-target-params; } } augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { case usm { uses usm-target-params; - } - } - augment /snmp:snmp/snmp:target { - leaf engine-id { - type leafref { - path "/snmp/usm/remote/engine-id"; - } - must '../usm/user-name' { - error-message - "When engine-id is set, usm/user-name must also be set."; - } - must '/snmp/usm/remote[engine-id=current()]/' - + 'user[name=current()/../usm/user-name]' { - error-message - "When engine-id is set, the usm/user-name must exist in - the /snmp/usm/remote list for this engine-id."; - } - description - "Needed only if this target can receive InformRequest-PDUs - over SNMPv3. - - This object is not present in the SNMP MIBs. In - RFC 3412, it is a implementation specific matter how this - engine-id is handled."; - reference "RFC 3412 7.1.9a"; } } } 3.10. Submodule 'ietf-snmp-tsm' file "ietf-snmp-tsm.yang" @@ -2247,28 +2272,29 @@ } } grouping tsm-target-params { container tsm { description "Transport based security SNMPv3 parameters type. Represents snmpTargetParamsMPModel '3' and snmpTargetParamsSecurityModel '4'"; + leaf security-name { type snmp:security-name; mandatory true; reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; } leaf security-level { - type security-level; + type snmp:security-level; mandatory true; reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; } } } augment /snmp:snmp/snmp:target/snmp:params { if-feature tsm; case tsm { 
@@ -2289,20 +2315,23 @@ 3.11. Submodule 'ietf-snmp-tls' file "ietf-snmp-tls.yang" submodule ietf-snmp-tls { belongs-to ietf-snmp { prefix snmp; } + import ietf-yang-types { + prefix yang; + } import ietf-inet-types { prefix inet; } include ietf-snmp-common; include ietf-snmp-engine; include ietf-snmp-target; organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; @@ -2343,33 +2372,47 @@ // RFC Ed.: replace XXXX with actual RFC number and remove this // note. reference "RFC6353: Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)"; // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2012-06-05 { + revision 2013-02-11 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } /* Typedefs */ typedef tls-fingerprint { - type string { // FIXME hex-string? - pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}'; + type yang:hex-string { + pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}'; } + description + "A fingerprint value that can be used to uniquely reference + other data of potentially arbitrary length. + + An tls-fingerprint value is composed of a 1-octet hashing + algorithm identifier followed by the fingerprint value. The + octet value encoded is taken from the IANA TLS HashAlgorithm + Registry (RFC 5246). The remaining octets are filled using + the results of the hashing algorithm. + + The corresponding TEXTUAL-CONVENTION allows a zero-length + value to be used for objects that are optional. In the YANG + data models, such objects are represented as optional leafs."; + reference "SNMP-TLS-TM-MIB.SnmpTLSFingerprint"; } /* Identities */ identity cert-to-tm-security-name { } identity specified { base cert-to-tm-security-name; reference "SNMP-TLS-TM-MIB.snmpTlstmCertSpecified"; 
@@ -2387,20 +2430,26 @@ identity san-ip-address { base cert-to-tm-security-name; reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress"; } identity san-any { base cert-to-tm-security-name; reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANAny"; } + + identity common-name { + base cert-to-tm-security-name; + reference "SNMP-TLS-TM-MIB.snmpTlstmCertCommonName"; + } + augment /snmp:snmp/snmp:engine/snmp:listen { if-feature tlstm; list tls { key "ip port"; description "A list of IPv4 and IPv6 addresses and ports to which the engine listens for SNMP messages over TLS."; leaf ip { type inet:ip-address; 
@@ -2447,77 +2497,210 @@ reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID"; } leaf fingerprint { type tls-fingerprint; reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint"; } leaf map-type { type identityref { base cert-to-tm-security-name; } + description + "Mappings that use the snmpTlstmCertToTSNData column + need to augment the 'cert-to-tm-security-name' list + with additional configuration objects corresponding + to the snmpTlstmCertToTSNData value. Such objects + should use the 'when' statement to make them + conditional based on the 'map-type'."; reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType"; } - // FIXME: not as flexible as the mib. to get the same - // flexibility, either change this to data (choice of binary - // and string), or remove the identities and use - // augmentation. leaf cert-specified-tm-security-name { - when "../map-type = snmp:specified"; - type admin-string; + when "../map-type = 'snmp:specified'"; + type snmp:admin-string; + description + "Maps to snmpTlstmCertToTSNData when 'map-type' is + 'specified'."; reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData"; + } } } } grouping tls-transport { leaf ip { - type inet:ip-address; - reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress"; + type inet:host; + mandatory true; + reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress + SNMP-TLS-TM-MIB.SnmpTLSAddress"; } leaf port { type inet:port-number; default 10161; - reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress"; + reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress + SNMP-TLS-TM-MIB.SnmpTLSAddress"; } leaf client-fingerprint { type tls-fingerprint; reference "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint"; } - choice server-identification { leaf server-fingerprint { type tls-fingerprint; reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint"; } leaf server-identity { - type admin-string; + type snmp:admin-string; reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity"; } } - } augment /snmp:snmp/snmp:target/snmp:transport { 
if-feature tlstm; case tls { reference "SNMP-TLS-TM-MIB.snmpTLSTCPDomain"; container tls { uses tls-transport; } } } augment /snmp:snmp/snmp:target/snmp:transport { if-feature tlstm; case dtls { reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain"; container dtls { uses tls-transport; + + } + } + } + } + + + +3.12. Submodule 'ietf-snmp-ssh' + + file "ietf-snmp-ssh.yang" + + submodule ietf-snmp-ssh { + + belongs-to ietf-snmp { + prefix snmp; + } + + import ietf-inet-types { + prefix inet; + } + + include ietf-snmp-common; + include ietf-snmp-engine; + include ietf-snmp-target; + + organization + "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; + + contact + "WG Web: + WG List: + + WG Chair: David Kessens + + + WG Chair: Juergen Schoenwaelder + + + Editor: Martin Bjorklund + + + Editor: Juergen Schoenwaelder + "; + + description + "This submodule contains a collection of YANG definitions for + configuring the Secure Shell Transport Model (SSHTM) + of SNMP. + + Copyright (c) 2012 IETF Trust and the persons identified as + authors of the code. All rights reserved. + + Redistribution and use in source and binary forms, with or + without modification, is permitted pursuant to, and subject + to the license terms contained in, the Simplified BSD License + set forth in Section 4.c of the IETF Trust's Legal Provisions + Relating to IETF Documents + (http://trustee.ietf.org/license-info). + + This version of this YANG module is part of RFC XXXX; see + the RFC itself for full legal notices."; + + // RFC Ed.: replace XXXX with actual RFC number and remove this + // note. + + reference + "RFC5592: Secure Shell Transport Model for the + Simple Network Management Protocol (SNMP)"; + + // RFC Ed.: update the date below with the date of RFC publication + // and remove this note. 
+ + revision 2012-11-26 { + description + "Initial revision."; + reference + "RFC XXXX: A YANG Data Model for SNMP Configuration"; + } + + augment /snmp:snmp/snmp:engine/snmp:listen { + if-feature sshtm; + list ssh { + key "ip port"; + description + "A list of IPv4 and IPv6 addresses and ports to which the + engine listens for SNMP messages over SSH."; + + leaf ip { + type inet:ip-address; + description + "The IPv4 or IPv6 address on which the engine listens + for SNMP messages over SSH."; + } + leaf port { + type inet:port-number; + description + "The TCP port on which the engine listens for SNMP + messages over SSH."; + } + } + } + + augment /snmp:snmp/snmp:target/snmp:transport { + if-feature sshtm; + case ssh { + reference "SNMP-SSH-TM-MIB.snmpSSHDomain"; + container ssh { + leaf ip { + type inet:host; + mandatory true; + reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress + SNMP-SSH-TM-MIB.SnmpSSHAddress"; + } + leaf port { + type inet:port-number; + default 5161; + reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress + SNMP-SSH-TM-MIB.SnmpSSHAddress"; + } + leaf username { + type string; + reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress + SNMP-SSH-TM-MIB.SnmpSSHAddress"; + } } } } } 4. IANA Considerations This document registers a URI in the IETF XML registry [RFC3688]. @@ -2570,20 +2753,24 @@ reference: RFC XXXX name: ietf-snmp-tsm parent: ietf-snmp reference: RFC XXXX name: ietf-snmp-tls parent: ietf-snmp reference: RFC XXXX + name: ietf-snmp-ssh + parent: ietf-snmp + reference: RFC XXXX + 5. Security Considerations The YANG module and submodules defined in this memo are designed to be accessed via the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the secure transport layer and the mandatory-to-implement secure transport is SSH [RFC6242]. There are a number of data nodes defined in the YANG module and submodules which are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive 
@@ -2597,22 +2784,22 @@ Some of the readable data nodes in the YANG module and submodules may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get- config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability: 6. Acknowledgments - The authors want to thank David Spakes for his review and valuable - comments. + The authors want to thank Wes Hardaker and David Spakes for their + reviews and valuable comments. 7. References 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, @@ -2659,20 +2846,24 @@ of the Internet-standard Network Management Framework", BCP 74, RFC 3584, August 2003. [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, January 2004. [RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model for the Simple Network Management Protocol (SNMP)", RFC 5591, June 2009. + [RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure + Shell Transport Model for the Simple Network Management + Protocol (SNMP)", RFC 5592, June 2009. + [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)", RFC 6353, July 2011. Appendix A. Example configurations A.1. Engine Configuration Example Below is an XML instance document showing a configuration of an SNMP engine listening on UDP port 161 on IPv4 and IPv6 endpoints and
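Review bot: the rewritten paragraph in section 2.9 (hunk @@ -427) now reads 'However, the localized key can be changed. This implies that if the engine id is changed, all users keys need to be changed as well.' and drops the reasoning the "implies" depends on: the stored key is localized to the engine id, so a new engine id invalidates every stored key. Restore that sentence, write "all users' keys", and keep the statement that only the localized key is ever stored, since the removed text was the only place that said so.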
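Review bot: the corrected XPath in hunk @@ -1431, "when \"../type = 'read' or ../type = 'write'\"", fixes a real defect: the unquoted form compared 'type' against child nodes named read and write rather than string values. In hunk @@ -1651 the move of the 'when' from leaf mms up to the augment, with 'snmp:params/snmp:v1' rewritten as 'snmp:v1', is also correct because 'params' is a choice (it is augmented with 'case' statements elsewhere in the patch) and choice nodes do not appear in the data tree; add a description to that augment saying mms applies only to v1 and v2c targets, since the constraint is now invisible from the leaf itself.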
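Review bot: in the 'key' grouping (hunk @@ -1998), replacing the explicit pattern with a bare 'type yang:hex-string;' loosens the type: yang:hex-string from RFC 6021 also matches the empty string, whereas the removed pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2})*' required at least one octet, so 'mandatory true' no longer guarantees a non-empty localized key. Keep a pattern or length refinement, as the engine-id typedef in hunk @@ -784 does with hex-string plus a pattern. Adding 'nacm:default-deny-all' to the key is the right call; it also introduces a dependency on ietf-netconf-acm that the visible references hunk (which adds only RFC5592) does not cover, so the NACM specification needs a normative reference.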
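Review bot: hunk @@ -2108 removes the /snmp/target 'engine-id' leaf together with its two 'must' constraints that tied a target to an entry in /snmp/usm/remote, but section 2.9 still describes 'a nested list of remote users' keyed by engine id, so there is no longer any visible link between an inform target and the remote user whose key will sign the InformRequest. Either document in section 2.4 or 2.9 how the remote engine id for SNMPv3 informs is now obtained, or keep a reference from the target to the remote engine; the removed description's point that RFC 3412 7.1.9a leaves this implementation specific should survive in the prose.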
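Review bot: in the tls-fingerprint typedef (hunk @@ -2343), 'An tls-fingerprint value' should read 'A tls-fingerprint value'. The new pattern with '{0,254}' bounds the value to 1..255 octets, which is consistent with the description's statement that zero-length values are represented as absent optional leafs; since the description also says the first octet comes from the IANA TLS HashAlgorithm Registry of RFC 5246, add that document to the 'reference' statement, which currently cites only SNMP-TLS-TM-MIB.SnmpTLSFingerprint.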
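Review bot: in hunk @@ -2447, dropping 'choice server-identification' makes 'server-fingerprint' and 'server-identity' independently optional, so a target can now carry both or neither. That matches the two columns of SNMP-TLS-TM-MIB, but neither leaf has a description saying which check applies when both are set, or that a target with neither performs no server authentication; add that text following the precedence RFC 6353 gives for those objects. In the same region, "when \"../map-type = 'snmp:specified'\"" compares an identityref with a string literal that hard-codes the 'snmp' prefix; under YANG 1.0 the XPath string value of an identityref carries the prefix used in the instance document, so the test fails silently when an instance binds the namespace to a different prefix. State that assumption in the description.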
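Review bot: the new section 2.12 tree stops at '+--rw ssh [ip port]' with no children, while the ietf-snmp-ssh submodule defines 'leaf ip' and 'leaf port' under that list; show them as the tls and dtls listen trees in section 2.11 do. In the submodule, 'leaf username' has no description and its reference points only at the address textual conventions; say what the value is used for (the SSH user the engine authenticates as toward the target) and whether it is required, and mark the 'default 5161' with a reference to the port assignment in RFC 5592. Appendix A also gains no SSH configuration example to parallel the A.7 TLS example.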
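Review bot: revision dates are inconsistent across the patch. Module ietf-snmp moves to 'revision 2012-11-26' and includes ietf-snmp-ssh at 'revision-date 2012-11-26', but pins ietf-snmp-common, ietf-snmp-usm and ietf-snmp-tls at 'revision-date 2013-02-11'; a parent module whose revision predates the submodules it includes is confusing for implementers, so bump ietf-snmp to 2013-02-11. Likewise 'Copyright (c) 2011 IETF Trust' in ietf-snmp-common (hunk @@ -649) is left untouched while the new ssh submodule says 2012 and the document boilerplate now says 2013.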
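Review bot: the Security Considerations text in hunk @@ -2597 still ends with 'These are the subtrees and data nodes and their sensitivity/vulnerability:' followed directly by section 6, so both the writable and the readable node lists are empty. With this revision marking the USM localized key 'nacm:default-deny-all', the section should at least name /snmp/usm keys, community strings and the tlstm cert-to-tm-security-name mappings as nodes whose read access must be restricted, and the target, vacm and engine/listen subtrees as nodes whose modification can redirect or expose management traffic.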