--- 1/draft-ietf-netmod-snmp-cfg-03.txt 2014-02-10 10:14:38.013736205 -0800 +++ 2/draft-ietf-netmod-snmp-cfg-04.txt 2014-02-10 10:14:38.141739301 -0800 @@ -1,19 +1,19 @@ Network Working Group M. Bjorklund Internet-Draft Tail-f Systems Intended status: Standards Track J. Schoenwaelder -Expires: May 9, 2014 Jacobs University - November 5, 2013 +Expires: August 14, 2014 Jacobs University + February 10, 2014 A YANG Data Model for SNMP Configuration - draft-ietf-netmod-snmp-cfg-03 + draft-ietf-netmod-snmp-cfg-04 Abstract This document defines a collection of YANG definitions for configuring SNMP engines. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. 
@@ -21,25 +21,25 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on May 9, 2014. + This Internet-Draft will expire on August 14, 2014. Copyright Notice - Copyright (c) 2013 IETF Trust and the persons identified as the + Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as 
@@ -50,69 +50,80 @@ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Data Model . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 5 2.2. General Considerations . . . . . . . . . . . . . . . . . . 5 2.3. Common Definitions . . . . . . . . . . . . . . . . . . . . 6 2.4. Engine Configuration . . . . . . . . . . . . . . . . . . . 6 2.5. Target Configuration . . . . . . . . . . . . . . . . . . . 6 2.6. Notification Configuration . . . . . . . . . . . . . . . . 7 2.7. Proxy Configuration . . . . . . . . . . . . . . . . . . . 8 2.8. Community Configuration . . . . . . . . . . . . . . . . . 9 - 2.9. View-based Access Control Model Configuration . . . . . . 10 - 2.10. User-based Security Model Configuration . . . . . . . . . 11 - 2.11. Transport Security Model Configuration . . . . . . . . . . 13 - 2.12. Transport Layer Security Transport Model Configuration . . 13 - 2.13. Secure Shell Transport Model Configuration . . . . . . . . 15 - 3. Implementation Guidelines . . . . . . . . . . . . . . . . . . 16 - 3.1. Supporting read-only SNMP Access . . . . . . . . . . . . . 16 - 3.2. Supporting read-write SNMP access . . . . . . . . . . . . 17 - 4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 18 - 4.1. Module 'ietf-x509-cert-to-name' . . . . . . . . . . . . . 18 - 4.2. Module 'ietf-snmp' . . . . . . . . . . . . . . . . . . . . 23 + 2.9. View-based Access Control Model Configuration . . . . . . 9 + 2.10. User-based Security Model Configuration . . . . . . . . . 10 + 2.11. Transport Security Model Configuration . . . . . . . . . . 11 + 2.12. Transport Layer Security Transport Model Configuration . . 12 + 2.13. Secure Shell Transport Model Configuration . . . . . . . . 13 + 3. Implementation Guidelines . . . . . . . . . . . . . . . . . . 15 + 3.1. Supporting read-only SNMP Access . . . . . . . . . . . . . 15 + 3.2. Supporting read-write SNMP access . . . . . . . . . . . . 16 + 4. 
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 17 + 4.1. Module 'ietf-x509-cert-to-name' . . . . . . . . . . . . . 17 + 4.2. Module 'ietf-snmp' . . . . . . . . . . . . . . . . . . . . 22 4.3. Submodule 'ietf-snmp-common' . . . . . . . . . . . . . . . 25 4.4. Submodule 'ietf-snmp-engine' . . . . . . . . . . . . . . . 29 4.5. Submodule 'ietf-snmp-target' . . . . . . . . . . . . . . . 32 - 4.6. Submodule 'ietf-snmp-notification' . . . . . . . . . . . . 36 - 4.7. Submodule 'ietf-snmp-proxy' . . . . . . . . . . . . . . . 40 - 4.8. Submodule 'ietf-snmp-community' . . . . . . . . . . . . . 43 - 4.9. Submodule 'ietf-snmp-vacm' . . . . . . . . . . . . . . . . 47 - 4.10. Submodule 'ietf-snmp-usm' . . . . . . . . . . . . . . . . 53 - 4.11. Submodule 'ietf-snmp-tsm' . . . . . . . . . . . . . . . . 57 - 4.12. Submodule 'ietf-snmp-tls' . . . . . . . . . . . . . . . . 60 - 4.13. Submodule 'ietf-snmp-ssh' . . . . . . . . . . . . . . . . 64 - 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 67 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 69 + 4.6. Submodule 'ietf-snmp-notification' . . . . . . . . . . . . 35 + 4.7. Submodule 'ietf-snmp-proxy' . . . . . . . . . . . . . . . 39 + 4.8. Submodule 'ietf-snmp-community' . . . . . . . . . . . . . 42 + 4.9. Submodule 'ietf-snmp-vacm' . . . . . . . . . . . . . . . . 46 + 4.10. Submodule 'ietf-snmp-usm' . . . . . . . . . . . . . . . . 52 + 4.11. Submodule 'ietf-snmp-tsm' . . . . . . . . . . . . . . . . 56 + 4.12. Submodule 'ietf-snmp-tls' . . . . . . . . . . . . . . . . 59 + 4.13. Submodule 'ietf-snmp-ssh' . . . . . . . . . . . . . . . . 63 + 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 66 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 68 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 71 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 72 8.1. Normative References . . . . . . . . . . . . . . . . . . . 72 8.2. 
Informative References . . . . . . . . . . . . . . . . . . 72 Appendix A. Example configurations . . . . . . . . . . . . . . . 74 A.1. Engine Configuration Example . . . . . . . . . . . . . . . 74 A.2. Community Configuration Example . . . . . . . . . . . . . 74 A.3. User-based Security Model Configuration Example . . . . . 75 - A.4. Target and Notification Configuration Example . . . . . . 76 + A.4. Target and Notification Configuration Example . . . . . . 77 A.5. Proxy Configuration Example . . . . . . . . . . . . . . . 78 - A.6. View-based Access Control Model Configuration Example . . 80 + A.6. View-based Access Control Model Configuration Example . . 81 A.7. Transport Layer Security Transport Model Configuration - Example . . . . . . . . . . . . . . . . . . . . . . . . . 82 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 84 + Example . . . . . . . . . . . . . . . . . . . . . . . . . 83 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 85 1. Introduction This document defines a YANG [RFC6020] data model for the configuration of SNMP engines. The configuration model is consistent with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413], [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591], [RFC5592], and [RFC6353] but takes advantage of YANG's ability to define - hierarchical configuration data models. The structure of the model - has been derived from existing proprietary configuration models - implemented as command line interfaces. + hierarchical configuration data models. + + The configuration data model in particular targets SNMP deployments + where SNMP runs in read-only mode and NETCONF is used to configure + the SNMP agent. Nevertheless, the data model has been designed to + allow implementations that support write access both via SNMP and + NETCONF in order to interwork with SNMP-managed management + applications manipulating SNMP agent configuration using SNMP. 
+ + The YANG data model focuses on configuration. Operational state + objects are not explicitely modeled. The operational state of an + SNMP agent can either be accessed directly via SNMP or, + alternatively, via NETCONF using the read-only translation of the + relevant SNMP MIB modules into YANG modules [RFC6643]. This document also defines a YANG data model for mapping a X.509 certificate to a name. The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, [RFC2119]. 2. Data Model 
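Review bot: in the new Section 1 paragraph, "explicitely" should be "explicitly". The preceding added sentence ("to interwork with SNMP-managed management applications manipulating SNMP agent configuration using SNMP") is hard to parse; suggest "to interwork with management applications that manipulate SNMP agent configuration via SNMP".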
@@ -202,123 +213,111 @@ the different message processing models. 2.5. Target Configuration The submodule "ietf-snmp-target", which defines configuration parameters that correspond to the objects in SNMP-TARGET-MIB, has the following structure: +--rw snmp +--rw target* [name] + | +--rw name snmp:identifier + | +--rw (transport) + | | +--:(udp) + | | +--rw udp + | | +--rw ip inet:ip-address + | | +--rw port? inet:port-number + | | +--rw prefix-length? uint8 + | +--rw tag* snmp:identifier + | +--rw timeout? uint32 + | +--rw retries? uint8 + | +--rw target-params snmp:identifier + +--rw target-params* [name] +--rw name snmp:identifier - +--rw (transport) - | +--:(udp) - | +--rw udp - | +--rw ip inet:ip-address - | +--rw port? inet:port-number - | +--rw prefix-length? uint8 - +--rw tag* snmp:identifier - +--rw timeout? uint32 - +--rw retries? uint8 +--rw (params)? An entry in the list "/snmp/target" corresponds to an "snmpTargetAddrEntry". The "snmpTargetAddrTDomain" and "snmpTargetAddrTAddress" objects are mapped to transport-specific YANG nodes. Each transport is configured as a separate case in the "transport" choice. In this submodule, SNMP over UDP is defined. TLS and DTLS are also supported, defined in "ietf-snmp-tls" (Section 2.12). The "transport" choice is expected to be augmented for other transports. - In order to provide a simpler configuration model with less cross- - references, the "target" list also inlines the - "snmpTargetParamsEntry" pointed to by "snmpTargetAddrParams". This - is accomplished with a choice "params", which is augmented by - security model specific submodules, currently "ietf-snmp-community" - (Section 2.8), "ietf-snmp-usm" (Section 2.10), and "ietf-snmp-tls" - (Section 2.12). - - The YANG model does not define a separate list that maps directly to - "snmpTargetParamsTable". 
Since "snmpProxyTable" also has a reference - to this table, "snmpProxyTable" also has a choice "params" which is - augmented by security model specific submodules (Section 2.7). + An entry in the list "/snmp/target-params" corresponds to an + "snmpTargetParamsEntry". This list contains a choice "params", which + is augmented by security model specific submodules, currently + "ietf-snmp-community" (Section 2.8), "ietf-snmp-usm" (Section 2.10), + and "ietf-snmp-tls" (Section 2.12). 2.6. Notification Configuration The submodule "ietf-snmp-notification", which defines configuration parameters that correspond to the objects in SNMP-NOTIFICATION-MIB, has the following structure: +--rw snmp +--rw notify* [name] | +--rw name snmp:identifier | +--rw tag snmp:identifier | +--rw type? enumeration +--rw notify-filter-profile* [name] +--rw name snmp:identifier +--rw include* wildcard-object-identifier +--rw exclude* wildcard-object-identifier - It also augments the "target" list defined in the "ietf-snmp-target" - submodule (Section 2.5) with one leaf: + It also augments the "target-params" list defined in the + "ietf-snmp-target" submodule (Section 2.5) with one leaf: +--rw snmp - +--rw target* [name] + +--rw target-params* [name] ... +--rw notify-filter-profile? leafref An entry in the list "/snmp/notify" corresponds to an "snmpNotifyEntry". An entry in the list "/snmp/notify-filter-profile" corresponds to an "snmpNotifyFilterProfileEntry". In the MIB, there is a sparse relationship between "snmpTargetParamsTable" and "snmpNotifyFilterProfileTable". In the YANG model, this sparse relationship is represented with a leafref leaf - "notify-filter-profile" in the "/snmp/target" list, which refers to - an entry in the "/snmp/notify-filter-profile" list. + "notify-filter-profile" in the "/snmp/target-params" list, which + refers to an entry in the "/snmp/notify-filter-profile" list. 
The "snmpNotifyFilterTable" is represented as a list "filter" within the "/snmp/notify-filter-profile" list. This submodule defines the feature "notification-filter". A server implements this feature if it supports SNMP notification filtering. 2.7. Proxy Configuration The submodule "ietf-snmp-proxy", which defines configuration parameters that correspond to the objects in SNMP-PROXY-MIB, has the following structure: +--rw snmp +--rw proxy* [name] +--rw name snmp:identifier +--rw type enumeration +--rw context-engine-id snmp:engine-id +--rw context-name? snmp:context-name - +--rw params-in - | +--rw (params) + +--rw target-params-in? snmp:identifier +--rw single-target-out? snmp:identifier +--rw multiple-target-out? snmp:identifier An entry in the list "/snmp/proxy" corresponds to an "snmpProxyEntry". - Like the "target" list (Section 2.5), the "proxy" list inlines the - "snmpTargetParamsEntry" pointed to by "snmpProxyTargetParamsIn". - This is accomplished with a choice "params", which is augmented by - security model specific submodules, currently "ietf-snmp-community" - (Section 2.8), "ietf-snmp-usm" (Section 2.10), and "ietf-snmp-tls" - (Section 2.12). - This submodule defines the feature "proxy". A server implements this feature if it can act as an SNMP Proxy. 2.8. Community Configuration The submodule "ietf-snmp-community", which defines configuration parameters that correspond to the objects in SNMP-COMMUNITY-MIB, has the following structure: +--rw snmp 
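Review bot: the Section 2.5 rewrite drops the explanation of what happens when snmpTargetAddrParams points to a non-existing snmpTargetParamsEntry, and the new tree shows the "target-params" leaf in "/snmp/target" as "snmp:identifier" rather than a leafref to "/snmp/target-params/name". The text should state whether a target may name a "target-params" entry that does not exist, how such a configuration maps to the MIB, and why a plain identifier was chosen over a leafref (the notification submodule in the same patch does use a leafref for "notify-filter-profile").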
@@ -327,44 +326,34 @@ +--rw (name)? | +--:(text-name) | | +--rw text-name? string | +--:(binary-name) | +--rw binary-name? binary +--rw security-name snmp:security-name +--rw engine-id? snmp:engine-id +--rw context? snmp:context-name +--rw target-tag? snmp:identifier - It also augments the "/snmp/target/params" and "/snmp/proxy/ - params-in/params" choices with nodes for the Community-Based Security - Model used by SNMPv1 and SNMPv2c: + It also augments the "/snmp/target-params/params" choice with nodes + for the Community-Based Security Model used by SNMPv1 and SNMPv2c: +--rw snmp - +--rw target* [name] - | ... - | +--rw (params)? - | | +--:(v1) - | | | +--rw v1 - | | | +--rw security-name snmp:security-name - | | +--:(v2c) - | | +--rw v2c + +--rw target-params* [name] + ... + +--rw (params)? + | +--:(v1) + | | +--rw v1 | | +--rw security-name snmp:security-name - | +--rw mms? union - +--rw proxy - +--rw params-in - +--rw params - +--:(v1) - | +--rw v1 + | +--:(v2c) + | +--rw v2c | +--rw security-name snmp:security-name - +--:(v2c) - +--rw v2c - +--rw security-name snmp:security-name + +--rw mms? union An entry in the list "/snmp/community" corresponds to an "snmpCommunityEntry". When a case "v1" or "v2c" is chosen, it implies a snmpTargetParamsMPModel 0 (SNMPv1) or 1 (SNMPv2), and a snmpTargetParamsSecurityModel 1 (SNMPv1) or 2 (SNMPv2), respectively. Both cases implies a snmpTargetParamsSecurityLevel of noAuthNoPriv. 2.9. View-based Access Control Model Configuration 
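Review bot: in the unchanged context at the end of this hunk, "Both cases implies a snmpTargetParamsSecurityLevel of noAuthNoPriv" should read "Both cases imply".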
@@ -433,36 +422,27 @@ | +-- rw key string +--rw priv! +--rw (protocol) +--:(des) | +--rw des | +-- rw key string +--:(aes) +--rw aes +-- rw key string - It also augments the "/snmp/target/params" and "/snmp/proxy/ - params-in/params" choices with nodes for the SNMP User-based Security - Model. + It also augments the "/snmp/target-params/params" choice with nodes + for the SNMP User-based Security Model. +--rw snmp - +--rw target* [name] - ... - | +--rw (params)? - | +--:(usm) - | +--rw usm - | +--rw user-name snmp:security-name - | +--rw security-level security-level - +--rw proxy* [name] + +--rw target-params* [name] ... - +--rw params-in - +--rw (params) + +--rw (params)? +--:(usm) +--rw usm +--rw user-name snmp:security-name +--rw security-level security-level In the MIB, there is a single table with local and remote users, indexed by the engine id and user name. In the YANG model, there is one list of local users, and a nested list of remote users. In the MIB, there are several objects related to changing the 
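Review bot: the tree-diagram context lines "+-- rw key string" under "auth", "des" and "aes" have a stray space in "rw"; every other line in the diagrams uses "+--rw". Suggest "+--rw key string" for consistency with the rest of Section 2.10.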
@@ -474,36 +454,27 @@ 2.11. Transport Security Model Configuration The submodule "ietf-snmp-tsm", which defines configuration parameters that correspond to the objects in SNMP-TSM-MIB, has the following structure: +--rw snmp +--rw tsm +--rw use-prefix? boolean - It also augments the "/snmp/target/params" and "/snmp/proxy/ - params-in/params" choices with nodes for the SNMP Transport Security - Model. + It also augments the "/snmp/target-params/params" choice with nodes + for the SNMP Transport Security Model. +--rw snmp - +--rw target* [name] - ... - | +--rw (params)? - | +--:(tsm) - | +--rw tsm - | +--rw security-name snmp:security-name - | +--rw security-level security-level - +--rw proxy* [name] + +--rw target-params* [name] ... - +--rw params-in - +--rw (params) + +--rw (params)? +--:(tsm) +--rw tsm +--rw security-name snmp:security-name +--rw security-level security-level This submodule defines the feature "tsm". A server implements this feature if it supports the Transport Security Model (tsm) [RFC5591]. 2.12. Transport Layer Security Transport Model Configuration 
@@ -656,20 +627,29 @@ configuration changes typically go through the "candidate", even if they are done over SNMP. An implementation might have to perform some automatic commit of the "candidate" when data is written over SNMP, since there is no explicit "commit" operation in SNMP. If a device implements :startup, "nonVolatile" rows cannot just be written to "running", they must also be copied into "startup". "volatile" rows may be treated as operational state and not copied to any datastore, or copied into "running". + Cooperating SNMP management applications may use spin lock objects + (snmpTargetSpinLock [RFC3413], usmUserSpinLock [RFC3414], + vacmViewSpinLock [RFC3415]) to coordinate concurrent write requests. + Implementations supporting modifications of MIB objects protected by + a spin lock via NETCONF should ensure that the spin lock objects are + properly incremented whenever objects are changed via NETCONF. This + allows cooperating SNMP management applications to discover that + concurrent modifications are taking place. + 4. Definitions 4.1. Module 'ietf-x509-cert-to-name' This YANG module imports typedefs from [RFC6991]. file "ietf-x509-cert-to-name.yang" module ietf-x509-cert-to-name { 
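Review bot: the new spin lock paragraph in Section 3 uses a lowercase "should ensure", while Section 1 declares the BCP 14 keywords for this document; if the intent is normative, write "SHOULD ensure" (or "MUST", given that otherwise an SNMP manager's test-and-set on snmpTargetSpinLock, usmUserSpinLock or vacmViewSpinLock cannot detect a NETCONF write). It would also help to say that the increment has to be visible together with the changed objects, i.e. applied in the same commit that changes "running", so that a manager cannot observe the new values with the old spin lock value.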
@@ -680,61 +660,62 @@ prefix yang; } organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: - WG Chair: David Kessens - + WG Chair: Thomas Nadeau + WG Chair: Juergen Schoenwaelder Editor: Martin Bjorklund Editor: Juergen Schoenwaelder "; description "This module contains a collection of YANG definitions for extracting a name from a X.509 certificate. The algorithm used to extract a name from a X.509 certificate was first defined in RFC 6353. - Copyright (c) 2013 IETF Trust and the persons identified as + Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; // RFC Ed.: replace XXXX with actual RFC number and remove this // note. reference "RFC6353: Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)"; // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2013-11-05 { + + revision 2014-02-09 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } typedef tls-fingerprint { type yang:hex-string { pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}'; 
@@ -942,103 +923,103 @@ } } 4.2. Module 'ietf-snmp' file "ietf-snmp.yang" module ietf-snmp { - namespace "urn:ietf:params:xml:ns:yang:ietf-snmp"; prefix snmp; + // RFC Ed.: update the dates below with the date of RFC publication // and remove this note. include ietf-snmp-common { - revision-date 2013-11-05; + revision-date 2014-02-09; } include ietf-snmp-engine { - revision-date 2013-11-05; + revision-date 2014-02-09; } include ietf-snmp-target { - revision-date 2013-11-05; + revision-date 2014-02-09; } include ietf-snmp-notification { - revision-date 2013-11-05; + revision-date 2014-02-09; } include ietf-snmp-proxy { - revision-date 2013-11-05; + revision-date 2014-02-09; } include ietf-snmp-community { - revision-date 2013-11-05; + revision-date 2014-02-09; } include ietf-snmp-usm { - revision-date 2013-11-05; + revision-date 2014-02-09; } include ietf-snmp-tsm { - revision-date 2013-11-05; + revision-date 2014-02-09; } include ietf-snmp-vacm { - revision-date 2013-11-05; + revision-date 2014-02-09; } include ietf-snmp-tls { - revision-date 2013-11-05; + revision-date 2014-02-09; } include ietf-snmp-ssh { - revision-date 2013-11-05; + revision-date 2014-02-09; } organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: - WG Chair: David Kessens - + WG Chair: Thomas Nadeau + WG Chair: Juergen Schoenwaelder Editor: Martin Bjorklund Editor: Juergen Schoenwaelder "; description "This module contains a collection of YANG definitions for configuring SNMP engines. - Copyright (c) 2013 IETF Trust and the persons identified as + Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. 
Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; // RFC Ed.: replace XXXX with actual RFC number and remove this // note. // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2013-11-05 { + revision 2014-02-09 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } } 
@@ -1055,56 +1037,56 @@ prefix yang; } organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: - WG Chair: David Kessens - + WG Chair: Thomas Nadeau + WG Chair: Juergen Schoenwaelder Editor: Martin Bjorklund Editor: Juergen Schoenwaelder "; description "This submodule contains a collection of common YANG definitions for configuring SNMP engines. - Copyright (c) 2013 IETF Trust and the persons identified as + Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; // RFC Ed.: replace XXXX with actual RFC number and remove this // note. // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2013-11-05 { + revision 2014-02-09 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } /* Collection of SNMP specific data types */ typedef admin-string { type string { 
@@ -1202,20 +1183,32 @@ } typedef wildcard-object-identifier { type string; description "The wildcard-object-identifier type represents an SNMP object identifier where subidentifiers can be given either as a label, in numeric form, or a wildcard, represented by a *."; } + typedef tag-value { + type string { + length "0..255"; + } + description + "Represents and SnmpTagValue as defined in RFC 3413. + + Note that the size of an SnmpTagValue is measured in + octets, not characters."; + reference "SNMP-TARGET-MIB.SnmpTagValue"; + } + container snmp { description "Top-level container for SNMP related configuration and status objects."; } } 
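Review bot: the description of the new "tag-value" typedef has a typo, "Represents and SnmpTagValue" should be "Represents an SnmpTagValue". More importantly, the description says the size is measured in octets, but a YANG "length" restriction on a string counts characters, so "length 0..255" does not bound the UTF-8 octet length for non-ASCII tags; either note the discrepancy in the description or add a pattern. RFC 3413 also forbids the delimiter characters (space, tab, CR, LF) inside an SnmpTagValue, which the typedef does not enforce; a pattern such as '[^ \t\r\n]*' would make the YANG type match the MIB textual convention.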
@@ -1235,65 +1228,65 @@ include ietf-snmp-common; organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: - WG Chair: David Kessens - + WG Chair: Thomas Nadeau + WG Chair: Juergen Schoenwaelder Editor: Martin Bjorklund Editor: Juergen Schoenwaelder "; description "This submodule contains a collection of YANG definitions for configuring SNMP engines. - Copyright (c) 2013 IETF Trust and the persons identified as + Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). - This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; // RFC Ed.: replace XXXX with actual RFC number and remove this // note. // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2013-11-05 { + revision 2014-02-09 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } augment /snmp:snmp { container engine { + description "Configuration of the SNMP engine."; leaf enabled { type boolean; default "false"; description "Enables the SNMP engine."; } 
@@ -1381,46 +1374,45 @@ include ietf-snmp-common; organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: - WG Chair: David Kessens - + WG Chair: Thomas Nadeau + WG Chair: Juergen Schoenwaelder Editor: Martin Bjorklund Editor: Juergen Schoenwaelder "; description "This submodule contains a collection of YANG definitions for configuring SNMP targets. - Copyright (c) 2013 IETF Trust and the persons identified as + Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). - This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; // RFC Ed.: replace XXXX with actual RFC number and remove this // note. reference "RFC3413: Simple Network Management Protocol (SNMP) Applications"; @@ -1420,26 +1412,25 @@ // RFC Ed.: replace XXXX with actual RFC number and remove this // note. reference "RFC3413: Simple Network Management Protocol (SNMP) Applications"; // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2013-11-05 { + revision 2014-02-09 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; - } augment /snmp:snmp { list target { key name; description "List of targets."; reference "SNMP-TARGET-MIB.snmpTargetAddrTable"; 
@@ -1493,21 +1484,21 @@ by the Community-based Security Model to filter incoming messages. Furthermore, the prefix-length filtering does not cover all possible filters supported by the corresponding MIB object."; reference "SNMP-COMMUNITY-MIB.snmpTargetAddrTMask"; } } } } leaf-list tag { - type snmp:identifier; + type snmp:tag-value; description "List of tag values used to select target address."; reference "SNMP-TARGET-MIB.snmpTargetAddrTagList"; } leaf timeout { type uint32; units "0.01 seconds"; default 1500; description "Needed only if this target can receive @@ -1515,32 +1506,40 @@ reference "SNMP-TARGET-MIB.snmpTargetAddrTimeout"; } leaf retries { type uint8; default 3; description "Needed only if this target can receive InformRequest-PDUs."; reference "SNMP-TARGET-MIB.snmpTargetAddrRetryCount"; } + leaf target-params { + type snmp:identifier; + mandatory true; + reference "SNMP-TARGET-MIB.snmpTargetAddrParams"; + } + } + + list target-params { + key name; + description + "List of target parameters."; + reference "SNMP-TARGET-MIB.snmpTargetParamsTable"; + + leaf name { + type snmp:identifier; + } choice params { description "This choice is augmented with case nodes containing - security model specific configuration parameters. Each - such case represents one entry in the - snmpTargetParamsTable. - - When the snmpTargetAddrParams object contains a reference - to a non-existing snmpTargetParamsEntry, this choice does - not contain any case, and vice versa."; - reference "SNMP-TARGET-MIB.snmpTargetAddrParams - SNMP-TARGET-MIB.snmpTargetParamsTable"; + security model specific configuration parameters."; } } } } 4.6. Submodule 'ietf-snmp-notification' file "ietf-snmp-notification.yang" 
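Review bot: the new "leaf target-params" in "list target" has no "description", and the explanatory text deleted from "choice params" (the non-existing snmpTargetParamsEntry case) is not carried over anywhere. Suggest at least the wording used for the proxy in this same patch: "Implementations MAY restrict the values of this leaf to be one of the available values of /snmp/target-params/name in a valid configuration."; alternatively make the leaf a "leafref" with path "/snmp/target-params/name". The new "leaf name" in "list target-params" is likewise missing a description.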
@@ -1554,37 +1552,37 @@ include ietf-snmp-common; include ietf-snmp-target; organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: - WG Chair: David Kessens - + WG Chair: Thomas Nadeau + WG Chair: Juergen Schoenwaelder Editor: Martin Bjorklund Editor: Juergen Schoenwaelder "; description "This submodule contains a collection of YANG definitions for configuring SNMP notifications. - Copyright (c) 2013 IETF Trust and the persons identified as + Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see @@ -1593,21 +1591,21 @@ // RFC Ed.: replace XXXX with actual RFC number and remove this // note. reference "RFC3413: Simple Network Management Protocol (SNMP) Applications"; // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2013-11-05 { + revision 2014-02-09 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } feature notification-filter { description "A server implements this feature if it supports SNMP notification filtering."; 
@@ -1618,31 +1616,30 @@ list notify { key name; description "Targets that will receive notifications. Entries in this lists are mapped 1-1 to entries in snmpNotifyTable, except that if an entry in snmpNotifyTable has a snmpNotifyTag for which no snmpTargetAddrEntry exists, then the snmpNotifyTable entry is not mapped to an entry in this list."; - reference "SNMP-NOTIFICATION-MIB.snmpNotifyTable"; leaf name { type snmp:identifier; description "An arbitrary name for the list entry."; reference "SNMP-NOTIFICATION-MIB.snmpNotifyName"; } leaf tag { - type snmp:identifier; + type snmp:tag-value; mandatory true; description "Target tag, selects a set of notification targets. Implementations MAY restrict the values of this leaf to be one of the available values of /snmp/target/tag in a valid configuration."; reference "SNMP-NOTIFICATION-MIB.snmpNotifyTag"; } leaf type { @@ -1700,30 +1698,30 @@ description "A family of subtrees excluded from this filter."; reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask SNMP-NOTIFICATION-MIB.snmpNotifyFilterType"; } } } - augment /snmp:snmp/snmp:target { + augment /snmp:snmp/snmp:target-params { reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable"; leaf notify-filter-profile { if-feature snmp:notification-filter; type leafref { path "/snmp/notify-filter-profile/name"; } description "This leafref leaf is used to represent the sparse - relationship between the /snmp/target list and the + relationship between the /snmp/target-params list and the /snmp/notify-filter-profile list."; reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName"; } } } 4.7. Submodule 'ietf-snmp-proxy' 
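Review bot: the first hunk deletes reference "SNMP-NOTIFICATION-MIB.snmpNotifyTable"; from "list notify" without a replacement, so this list loses its MIB traceability while "list target" and the new "list target-params" keep theirs. If the removal was not intentional, restore the reference statement after the description.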
@@ -1738,38 +1736,37 @@ include ietf-snmp-common; include ietf-snmp-target; organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: - - WG Chair: David Kessens - + WG Chair: Thomas Nadeau + WG Chair: Juergen Schoenwaelder Editor: Martin Bjorklund Editor: Juergen Schoenwaelder "; description "This submodule contains a collection of YANG definitions for configuring SNMP proxies. - Copyright (c) 2013 IETF Trust and the persons identified as + Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see @@ -1778,21 +1775,21 @@ // RFC Ed.: replace XXXX with actual RFC number and remove this // note. reference "RFC3413: Simple Network Management Protocol (SNMP) Applications"; // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2013-11-05 { + revision 2014-02-09 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } feature proxy { description "A server implements this feature if it can act as an SNMP Proxy"; 
@@ -1809,51 +1806,47 @@ reference "SNMP-PROXY-MIB.snmpProxyTable"; leaf name { type snmp:identifier; description "Identifies the proxy parameter entry."; reference "SNMP-PROXY-MIB.snmpProxyName"; } leaf type { type enumeration { - enum read; - enum write; - enum trap; - enum inform; + enum read { value 1; } + enum write { value 2; } + enum trap { value 3; } + enum inform { value 4; } } mandatory true; reference "SNMP-PROXY-MIB.snmpProxyType"; } leaf context-engine-id { type snmp:engine-id; mandatory true; reference "SNMP-PROXY-MIB.snmpProxyContextEngineID"; } leaf context-name { type snmp:context-name; reference "SNMP-PROXY-MIB.snmpProxyContextName"; } - container params-in { - choice params { - mandatory true; + leaf target-params-in { + type snmp:identifier; description - "This choice is augmented with case nodes containing - security model specific configuration parameters. Each - such case represents one entry in the - snmpTargetParamsTable. + "The name of a target parameters list entry. - When the snmpProxyTargetParamsIn object contains a - reference to a non-existing snmpTargetParamsEntry, this - choice does not contain any case, and vice versa."; - } + Implementations MAY restrict the values of this + leaf to be one of the available values of + /snmp/target-params/name in a valid configuration."; reference "SNMP-PROXY-MIB.snmpProxyTargetParamsIn"; + } leaf single-target-out { when "../type = 'read' or ../type = 'write'"; type snmp:identifier; description "Implementations MAY restrict the values of this leaf to be one of the available values of /snmp/target/name in a valid configuration."; reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut"; } 
@@ -1852,28 +1845,27 @@ when "../type = 'read' or ../type = 'write'"; type snmp:identifier; description "Implementations MAY restrict the values of this leaf to be one of the available values of /snmp/target/name in a valid configuration."; reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut"; } leaf multiple-target-out { when "../type = 'trap' or ../type = 'inform'"; - type snmp:identifier; + type snmp:tag-value; description "Implementations MAY restrict the values of this leaf to be one of the available values of /snmp/target/tag in a valid configuration."; reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut"; } - } } } 4.8. Submodule 'ietf-snmp-community' file "ietf-snmp-community.yang" @@ -1887,37 +1879,37 @@ include ietf-snmp-target; include ietf-snmp-proxy; organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: - WG Chair: David Kessens - + WG Chair: Thomas Nadeau + WG Chair: Juergen Schoenwaelder Editor: Martin Bjorklund Editor: Juergen Schoenwaelder "; description "This submodule contains a collection of YANG definitions for configuring community-based SNMP. - Copyright (c) 2013 IETF Trust and the persons identified as + Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see 
@@ -1926,21 +1918,21 @@ // RFC Ed.: replace XXXX with actual RFC number and remove this // note. reference "RFC3584: Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework"; // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2013-11-05 { + revision 2014-02-09 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } augment /snmp:snmp { list community { key index; @@ -1994,31 +1985,30 @@ } leaf context { type snmp:context-name; default ""; description "The context in which management information is accessed when using the community string specified by this entry."; reference "SNMP-COMMUNITY-MIB.snmpCommunityContextName"; } leaf target-tag { - type snmp:identifier; + type snmp:tag-value; description "Used to limit access for this community to the specified targets. Implementations MAY restrict the values of this leaf to be one of the available values of /snmp/target/tag in a valid configuration."; reference "SNMP-COMMUNITY-MIB.snmpCommunityTransportTag"; } - } } grouping v1-target-params { container v1 { description "SNMPv1 parameters type. Represents snmpTargetParamsMPModel '0', snmpTargetParamsSecurityModel '1', and snmpTargetParamsSecurityLevel 'noAuthNoPriv'."; 
@@ -2046,45 +2036,35 @@ mandatory true; description "Implementations MAY restrict the values of this leaf to be one of the available values of /snmp/community/security-name in a valid configuration."; reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; } } } - augment /snmp:snmp/snmp:target/snmp:params { - case v1 { - uses v1-target-params; - } - case v2c { - uses v2c-target-params; - } - - } - - augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { + augment /snmp:snmp/snmp:target-params/snmp:params { case v1 { uses v1-target-params; } case v2c { uses v2c-target-params; } } augment /snmp:snmp/snmp:target { when "snmp:v1 or snmp:v2c"; leaf mms { type union { type enumeration { - enum "unknown"; + enum "unknown" { value 0; } } type int32 { range "484..max"; } } default "484"; reference "SNMP-COMMUNITY-MIB.snmpTargetAddrMMS"; } } @@ -2105,38 +2085,38 @@ include ietf-snmp-common; organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: - WG Chair: David Kessens - + WG Chair: Thomas Nadeau + WG Chair: Juergen Schoenwaelder Editor: Martin Bjorklund Editor: Juergen Schoenwaelder "; description "This submodule contains a collection of YANG definitions for configuring the View-based Access Control Model (VACM) of SNMP. - Copyright (c) 2013 IETF Trust and the persons identified as + Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see 
@@ -2145,26 +2125,25 @@ // RFC Ed.: replace XXXX with actual RFC number and remove this // note. reference "RFC3415: View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)"; // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2013-11-05 { + revision 2014-02-09 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; - } typedef view-name { type snmp:identifier; description "The view-name type represents an SNMP VACM view name."; } typedef group-name { type snmp:identifier; @@ -2191,27 +2170,24 @@ vacmAccessTable)."; reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable"; leaf name { type group-name; description "The name of this VACM group."; reference "SNMP-VIEW-BASED-ACM-MIB.vacmGroupName"; } - list member { key "security-name"; - min-elements 1; description - "A member of this VACM group. According to VACM, every - group must have at least one member. + "A member of this VACM group. A certain combination of security-name and security-model MUST NOT be present in more than one group."; reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable"; leaf security-name { type snmp:security-name; description @@ -2239,27 +2215,28 @@ type snmp:context-name; description "The context (prefix) under which the access rights apply."; reference "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextPrefix"; } leaf context-match { type enumeration { - enum exact; - enum prefix; + enum exact { value 1; } + enum prefix { value 2; } } default exact; reference "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextMatch"; } + leaf security-model { type snmp:security-model-or-any; description "The security model under which the access rights apply."; reference "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityModel"; } leaf security-level { 
@@ -2381,37 +2359,37 @@ include ietf-snmp-target; include ietf-snmp-proxy; organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: - WG Chair: David Kessens - + WG Chair: Thomas Nadeau + WG Chair: Juergen Schoenwaelder Editor: Martin Bjorklund Editor: Juergen Schoenwaelder "; description "This submodule contains a collection of YANG definitions for configuring the User-based Security Model (USM) of SNMP. - Copyright (c) 2013 IETF Trust and the persons identified as + Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see @@ -2420,21 +2398,21 @@ // RFC Ed.: replace XXXX with actual RFC number and remove this // note. reference "RFC3414: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)."; // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2013-11-05 { + revision 2014-02-09 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } grouping key { leaf key { type yang:hex-string; mandatory true; 
@@ -2534,30 +2512,23 @@ reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; } leaf security-level { type snmp:security-level; mandatory true; reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; } } - - } - - augment /snmp:snmp/snmp:target/snmp:params { - case usm { - uses usm-target-params; - } } - augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { + augment /snmp:snmp/snmp:target-params/snmp:params { case usm { uses usm-target-params; } } } 4.11. Submodule 'ietf-snmp-tsm' @@ -2574,37 +2545,37 @@ include ietf-snmp-target; include ietf-snmp-proxy; organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: - WG Chair: David Kessens - + WG Chair: Thomas Nadeau + WG Chair: Juergen Schoenwaelder Editor: Martin Bjorklund Editor: Juergen Schoenwaelder "; description "This submodule contains a collection of YANG definitions for configuring the Transport Security Model (TSM) of SNMP. - Copyright (c) 2013 IETF Trust and the persons identified as + Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see 
@@ -2613,21 +2584,21 @@ // RFC Ed.: replace XXXX with actual RFC number and remove this // note. reference "RFC5591: Transport Security Model for the Simple Network Management Protocol (SNMP)"; // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2013-11-05 { + revision 2014-02-09 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } feature tsm { description "A server implements this feature if it supports the Transport Security Model for SNMP."; @@ -2666,28 +2637,21 @@ } leaf security-level { type snmp:security-level; mandatory true; reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; } } } - augment /snmp:snmp/snmp:target/snmp:params { - if-feature tsm; - case tsm { - uses tsm-target-params; - } - } - - augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { + augment /snmp:snmp/snmp:target-params/snmp:params { if-feature tsm; case tsm { uses tsm-target-params; } } } @@ -2712,38 +2676,38 @@ include ietf-snmp-engine; include ietf-snmp-target; organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: - WG Chair: David Kessens - + WG Chair: Thomas Nadeau + WG Chair: Juergen Schoenwaelder Editor: Martin Bjorklund Editor: Juergen Schoenwaelder "; description "This submodule contains a collection of YANG definitions for configuring the Transport Layer Security Transport Model (TLSTM) of SNMP. - Copyright (c) 2013 IETF Trust and the persons identified as + Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see 
@@ -2752,21 +2716,21 @@ // RFC Ed.: replace XXXX with actual RFC number and remove this // note. reference "RFC6353: Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)"; // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2013-11-05 { + revision 2014-02-09 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } feature tlstm { description "A server implements this feature if it supports the Transport Layer Security Transport Model for SNMP."; @@ -2907,38 +2871,38 @@ include ietf-snmp-engine; include ietf-snmp-target; organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: - WG Chair: David Kessens - + WG Chair: Thomas Nadeau + WG Chair: Juergen Schoenwaelder Editor: Martin Bjorklund Editor: Juergen Schoenwaelder "; description "This submodule contains a collection of YANG definitions for configuring the Secure Shell Transport Model (SSHTM) of SNMP. - Copyright (c) 2013 IETF Trust and the persons identified as + Copyright (c) 2014 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see 
@@ -2947,21 +2911,21 @@ // RFC Ed.: replace XXXX with actual RFC number and remove this // note. reference "RFC5592: Secure Shell Transport Model for the Simple Network Management Protocol (SNMP)"; // RFC Ed.: update the date below with the date of RFC publication // and remove this note. - revision 2013-11-05 { + revision 2014-02-09 { description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } feature sshtm { description "A server implements this feature if it supports the Secure Shell Transport Model for SNMP."; 
@@ -3167,24 +3131,40 @@ notification targets. o The /snmp/proxy subtree exposes information about proxy relationships. o The /snmp/community, /snmp/usm, /snmp/tsm, /snmp/tlstm, and /snmp/ vacm subtrees are specifically sensitive since they expose information about the authentication and authorization policy used by an SNMP engine. + Changes to the SNMP access control rules should be done either in an + atomic way (through a single edit-config or a single commit) or care + must be taken that they are done in a sequence that does not open + temporarily access to resources. Implementations supporting SNMP + write access must ensure that any SNMP access control rule changes + over NETCONF are atomic as well to the SNMP instrumentation. In + particular changes involving an internal delete/create cycle (e.g., + to move a user to a different group) must be done with sufficient + protections such that even a power fail immediately after the delete + does not leave the administrator locked out. + + Security administrators need to ensure that NETCONF access control + rules and SNMP access control rules implement a consistent security + policy. + 7. Acknowledgments The authors want to thank Wes Hardaker and David Spakes for their - reviews and valuable comments. + detailed reviews. Additional valuable comments were provided by + David Harrington, Borislav Lukovic and Randy Presuhn. Juergen Schoenwaelder was partly funded by Flamingo, a Network of Excellence project (ICT-318488) supported by the European Commission under its Seventh Framework Programme. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 
@@ -3250,20 +3230,24 @@ RFC 5591, June 2009. [RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure Shell Transport Model for the Simple Network Management Protocol (SNMP)", RFC 5592, June 2009. [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)", RFC 6353, July 2011. + [RFC6643] Schoenwaelder, J., "Translation of Structure of Management + Information Version 2 (SMIv2) MIB Modules to YANG + Modules", RFC 6643, July 2012. + Appendix A. Example configurations A.1. Engine Configuration Example Below is an XML instance document showing a configuration of an SNMP engine listening on UDP port 161 on IPv4 and IPv6 endpoints and accepting SNMPv2c and SNMPv3 messages. @@ -3294,30 +3278,35 @@ "community-public-access" filters the access to this community name. 1 public community-public community-public-access - bluebox + management-station 2001:db8::abcd 161 blue + community-public-access + v2c-public + + + v2c-public community-public - + A.3. User-based Security Model Configuration Example Below is an XML instance document showing the configuration of a local user "joey" who has no authentication or privacy keys. For the remote SNMP engine identified by the snmpEngineID '800002b804616263'H, two users are configure. The user "matt" has a localized SHA authentication key and the user "russ" has a localized SHA authentication key and an AES encryption key. 
@@ -3370,71 +3358,81 @@ bluebox 2001:db8::abcd 161 blue + matt-auth + + + matt-auth matt auth-no-priv - + + A.4. Target and Notification Configuration Example Below is an XML instance document showing the configuration of a notification generator application (see Appendix A of [RFC3413]). Note that the USM specific objects are defined in the ietf-snmp- usm.yang submodule. addr1 192.0.2.3 162 group1 - - joe - auth-no-priv - + joe-auth addr2 192.0.2.6 162 group1 - - joe - auth-no-priv - + joe-auth addr3 192.0.2.9 162 group2 + bob-priv + + + joe-auth + + joe + auth-no-priv + + + + bob-priv bob auth-priv - + group1 group1 trap group2 group2 trap @@ -3453,58 +3451,74 @@ "public" from a device in the "Office Network" or "Home Office Network", it gets tagged as "trusted", and the proxy uses the "private" community string when sending the message to the file server. Other SNMPv2c messages with the community string "public" get tagged as "non-trusted", and the proxy uses the "public" community string for these messages. There is also a special "backdoor" community string that can be used from any location to get "trusted" access. The "Office Network" and "Home Office Network" are represented as two - "target" instances. + "target" instances. These "target" instances have target-params + "none", which refers to a non-existing target-params entry. File Server (private) 192.0.2.1 - - private - + v1-private File Server (public) 192.0.2.1 - - public - + v1-public Office Network 192.0.2.0 24 office - + none Home Office Network 203.0.113.0 24 home-office + none + + v1-private + + private + + + + v1-public + + public + + + + v2c-public + + public + + c1 
@@ -3538,37 +3552,29 @@ private 80:00:61:81:c8 trusted p1 read 80:00:61:81:c8 trusted - - - public - - + v2c-public File Server (private) p2 read 80:00:61:81:c8 not-trusted - - - public - - + v2c-public File Server (public) If an SNMPv2c Get request with community string "public" is received from an IP address tagged as "office" or "home-office", or if the request is received from anywhere else with community string "backdoor", the implied context is "trusted" and so proxy entry "p1" matches. The request is forwarded to the file server as SNMPv1 with community "private" using community table entry "c5" for outbound
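Review bot: in the ietf-snmp-notification hunk at @@ -1618, the list-level reference "SNMP-NOTIFICATION-MIB.snmpNotifyTable" on "list notify" is deleted, yet the unchanged description on that same list still explains the 1-1 mapping to snmpNotifyTable and every other list in these submodules keeps its MIB reference; if the removal is intentional, state why, otherwise restore the line. While touching that description, "Entries in this lists are mapped 1-1" should read "Entries in this list are mapped 1-1".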
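Review bot: in the ietf-snmp-proxy hunk at @@ -1809, the new "leaf target-params-in" loses the "mandatory true" that the replaced "choice params" carried, so a proxy entry with no inbound target parameters at all is now a valid configuration; unless an absent value is meant to have a defined meaning, add "mandatory true;" to the leaf, and if it is meant to have one, the description should say what it is. The leaf is also a plain snmp:identifier rather than a leafref, with only a "MAY restrict" note; the description should say what a dangling value (no matching /snmp/target-params/name) means for the proxy entry, since the old choice text at least stated that a reference to a non-existing snmpTargetParamsEntry left the choice empty.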
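Review bot: in the ietf-snmp-community hunk at @@ -2046, the v1 and v2c cases are moved from /snmp:snmp/snmp:target/snmp:params to /snmp:snmp/snmp:target-params/snmp:params, but the unchanged augment of /snmp:snmp/snmp:target for "leaf mms" still has when "snmp:v1 or snmp:v2c", which tests for v1/v2c child nodes directly under the target entry; after this change those nodes no longer exist there, so the when expression can never be true and mms becomes unconfigurable. Rewrite the condition to follow the target's reference into the target-params list, along the lines of "/snmp:snmp/snmp:target-params[snmp:name = current()/snmp:target-params]/snmp:v1 or ..." (assuming the referencing leaf in the target list is named target-params, as the Appendix A.5 text suggests), and add a test case that configures mms on a v2c target so this regression is caught.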
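Review bot: in the ietf-snmp-vacm hunk at @@ -2145, the only brace that closes the new "revision 2014-02-09 {" statement is removed (the "}" right after the reference to RFC XXXX), whereas the corresponding hunks in every other submodule keep the closing brace; if -03 had a stray duplicate brace here this is fine, otherwise the submodule no longer parses. Please confirm with pyang that ietf-snmp-vacm still compiles, and note the same brace-count question for the community hunk at @@ -1994, where a "}" after "leaf target-tag" is dropped without a visible matching removal of an opening brace.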
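Review bot: in the ietf-snmp-vacm hunk at @@ -2191, "min-elements 1;" on "list member" and the sentence "According to VACM, every group must have at least one member." are removed without any replacement text, so a group with zero members is now silently allowed and the reason for relaxing the constraint is not recorded anywhere; either keep the constraint or add a sentence to the description (and the change log) explaining why an empty group is valid in this model, e.g. that it lets a group and its access entries be created before any security-name is mapped to it.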
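Review bot: in the Security Considerations hunk at @@ -3167, the new requirements use lowercase "should" and "must" even though RFC 2119 is a normative reference of this document; decide whether these are intended as RFC 2119 keywords and capitalize them if so. The wording also needs tightening: "does not open temporarily access to resources" should read "does not temporarily open access to resources", "power fail" should be "power failure", and the sentence "Implementations supporting SNMP write access must ensure that any SNMP access control rule changes over NETCONF are atomic as well to the SNMP instrumentation" is hard to parse; something like "Implementations that also support SNMP write access must apply access control rule changes received over NETCONF atomically to the SNMP instrumentation as well" says the same thing more clearly.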
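Review bot: in the references hunk at @@ -3250, an entry for [RFC6643] is added but no hunk in this diff adds a citation of it to the body text; either the citation already existed in -03 (in which case the missing entry should be mentioned in the change log) or the entry is unreferenced and idnits will flag it. Please also confirm that the placement is correct, since the hunk context does not show whether this is the normative or the informative list.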
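Review bot: in the Appendix A.5 hunk at @@ -3453, the two network targets are given target-params "none", and the new prose says this "refers to a non-existing target-params entry"; this works only because the target-params leaf is a loose identifier that implementations MAY restrict to existing /snmp/target-params/name values, so an implementation that chooses to restrict it would reject the example. Make the intent explicit rather than relying on a reader inferring it: say in the example text that a dangling value is the intended way to model a snmpTargetAddrEntry that exists only to carry a tag, and pick a value that cannot be mistaken for a reserved keyword, since "none" reads as if the model defined it.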