--- 1/draft-ietf-netmod-snmp-cfg-05.txt 2014-07-23 08:14:33.095280842 -0700 +++ 2/draft-ietf-netmod-snmp-cfg-06.txt 2014-07-23 08:14:33.223283958 -0700 
@@ -1,123 +1,124 @@ Network Working Group M. Bjorklund Internet-Draft Tail-f Systems Intended status: Standards Track J. Schoenwaelder -Expires: November 20, 2014 Jacobs University - May 19, 2014 +Expires: January 24, 2015 Jacobs University + July 23, 2014 A YANG Data Model for SNMP Configuration - draft-ietf-netmod-snmp-cfg-05 + draft-ietf-netmod-snmp-cfg-06 Abstract This document defines a collection of YANG definitions for configuring SNMP engines. -Status of this Memo +Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on November 20, 2014. + This Internet-Draft will expire on January 24, 2015. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents - - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 2. Data Model . . . . . . . . . . . 
. . . . . . . . . . . . . . . 5 - 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 5 - 2.2. General Considerations . . . . . . . . . . . . . . . . . . 5 - 2.3. Common Definitions . . . . . . . . . . . . . . . . . . . . 6 - 2.4. Engine Configuration . . . . . . . . . . . . . . . . . . . 6 - 2.5. Target Configuration . . . . . . . . . . . . . . . . . . . 6 - 2.6. Notification Configuration . . . . . . . . . . . . . . . . 7 - 2.7. Proxy Configuration . . . . . . . . . . . . . . . . . . . 8 - 2.8. Community Configuration . . . . . . . . . . . . . . . . . 9 + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Data Model . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 + 2.2. General Considerations . . . . . . . . . . . . . . . . . 4 + 2.3. Common Definitions . . . . . . . . . . . . . . . . . . . 4 + 2.4. Engine Configuration . . . . . . . . . . . . . . . . . . 4 + 2.5. Target Configuration . . . . . . . . . . . . . . . . . . 5 + 2.6. Notification Configuration . . . . . . . . . . . . . . . 6 + 2.7. Proxy Configuration . . . . . . . . . . . . . . . . . . . 7 + 2.8. Community Configuration . . . . . . . . . . . . . . . . . 8 2.9. View-based Access Control Model Configuration . . . . . . 9 - 2.10. User-based Security Model Configuration . . . . . . . . . 10 - 2.11. Transport Security Model Configuration . . . . . . . . . . 11 - 2.12. Transport Layer Security Transport Model Configuration . . 12 - 2.13. Secure Shell Transport Model Configuration . . . . . . . . 13 - 3. Implementation Guidelines . . . . . . . . . . . . . . . . . . 15 - 3.1. Supporting read-only SNMP Access . . . . . . . . . . . . . 15 - 3.2. Supporting read-write SNMP access . . . . . . . . . . . . 16 - 4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 17 - 4.1. Module 'ietf-x509-cert-to-name' . . . . . . . . . . . . . 17 - 4.2. Module 'ietf-snmp' . . . . . . . . . . . . . . . . . . . . 
22 - 4.3. Submodule 'ietf-snmp-common' . . . . . . . . . . . . . . . 25 - 4.4. Submodule 'ietf-snmp-engine' . . . . . . . . . . . . . . . 29 - 4.5. Submodule 'ietf-snmp-target' . . . . . . . . . . . . . . . 32 - 4.6. Submodule 'ietf-snmp-notification' . . . . . . . . . . . . 36 - 4.7. Submodule 'ietf-snmp-proxy' . . . . . . . . . . . . . . . 40 - 4.8. Submodule 'ietf-snmp-community' . . . . . . . . . . . . . 42 - 4.9. Submodule 'ietf-snmp-vacm' . . . . . . . . . . . . . . . . 47 - 4.10. Submodule 'ietf-snmp-usm' . . . . . . . . . . . . . . . . 52 - 4.11. Submodule 'ietf-snmp-tsm' . . . . . . . . . . . . . . . . 56 - 4.12. Submodule 'ietf-snmp-tls' . . . . . . . . . . . . . . . . 59 - 4.13. Submodule 'ietf-snmp-ssh' . . . . . . . . . . . . . . . . 63 - 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 67 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 69 - 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 72 - 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 73 - 8.1. Normative References . . . . . . . . . . . . . . . . . . . 73 - 8.2. Informative References . . . . . . . . . . . . . . . . . . 73 - Appendix A. Example configurations . . . . . . . . . . . . . . . 75 - A.1. Engine Configuration Example . . . . . . . . . . . . . . . 75 - A.2. Community Configuration Example . . . . . . . . . . . . . 75 - A.3. User-based Security Model Configuration Example . . . . . 76 - A.4. Target and Notification Configuration Example . . . . . . 78 - A.5. Proxy Configuration Example . . . . . . . . . . . . . . . 79 - A.6. View-based Access Control Model Configuration Example . . 82 + 2.10. User-based Security Model Configuration . . . . . . . . . 9 + 2.11. Transport Security Model Configuration . . . . . . . . . 11 + 2.12. Transport Layer Security Transport Model Configuration . 11 + 2.13. Secure Shell Transport Model Configuration . . . . . . . 12 + 3. Implementation Guidelines . . . . . . . . . . . . . . . . . . 
13 + 3.1. Supporting read-only SNMP Access . . . . . . . . . . . . 14 + 3.2. Supporting read-write SNMP access . . . . . . . . . . . . 14 + 4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 15 + 4.1. Module 'ietf-x509-cert-to-name' . . . . . . . . . . . . . 15 + 4.2. Module 'ietf-snmp' . . . . . . . . . . . . . . . . . . . 21 + 4.3. Submodule 'ietf-snmp-common' . . . . . . . . . . . . . . 23 + 4.4. Submodule 'ietf-snmp-engine' . . . . . . . . . . . . . . 27 + 4.5. Submodule 'ietf-snmp-target' . . . . . . . . . . . . . . 30 + 4.6. Submodule 'ietf-snmp-notification' . . . . . . . . . . . 34 + 4.7. Submodule 'ietf-snmp-proxy' . . . . . . . . . . . . . . . 38 + 4.8. Submodule 'ietf-snmp-community' . . . . . . . . . . . . . 41 + 4.9. Submodule 'ietf-snmp-vacm' . . . . . . . . . . . . . . . 46 + 4.10. Submodule 'ietf-snmp-usm' . . . . . . . . . . . . . . . . 51 + 4.11. Submodule 'ietf-snmp-tsm' . . . . . . . . . . . . . . . . 55 + 4.12. Submodule 'ietf-snmp-tls' . . . . . . . . . . . . . . . . 58 + 4.13. Submodule 'ietf-snmp-ssh' . . . . . . . . . . . . . . . . 62 + 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 65 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 67 + 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 69 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 69 + 8.1. Normative References . . . . . . . . . . . . . . . . . . 69 + 8.2. Informative References . . . . . . . . . . . . . . . . . 69 + Appendix A. Example configurations . . . . . . . . . . . . . . . 70 + A.1. Engine Configuration Example . . . . . . . . . . . . . . 71 + A.2. Community Configuration Example . . . . . . . . . . . . . 71 + A.3. User-based Security Model Configuration Example . . . . . 72 + A.4. Target and Notification Configuration Example . . . . . . 73 + A.5. Proxy Configuration Example . . . . . . . . . . . . . . . 75 + A.6. View-based Access Control Model Configuration Example . . 78 A.7. 
Transport Layer Security Transport Model Configuration - Example . . . . . . . . . . . . . . . . . . . . . . . . . 84 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 86 + Example . . . . . . . . . . . . . . . . . . . . . . . . . 80 + + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 80 1. Introduction This document defines a YANG [RFC6020] data model for the configuration of SNMP engines. The configuration model is consistent with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413], [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591], [RFC5592], and [RFC6353] but takes advantage of YANG's ability to define hierarchical configuration data models. - The configuration data model in particular targets SNMP deployments - where SNMP runs in read-only mode and NETCONF is used to configure - the SNMP agent. Nevertheless, the data model has been designed to - allow implementations that support write access both via SNMP and - NETCONF in order to interwork with SNMP-managed management - applications manipulating SNMP agent configuration using SNMP. + The configuration data model in particular has been designed for SNMP + deployments where SNMP runs in read-only mode and NETCONF is used to + configure the SNMP agent. Nevertheless, the data model allows + implementations that support write access both via SNMP and NETCONF + in order to interwork with SNMP-managed management applications + manipulating SNMP agent configuration using SNMP. Further details + can be found in Section 3. The YANG data model focuses on configuration. Operational state objects are not explicitely modeled. The operational state of an SNMP agent can either be accessed directly via SNMP or, alternatively, via NETCONF using the read-only translation of the relevant SNMP MIB modules into YANG modules [RFC6643]. This document also defines a YANG data model for mapping a X.509 certificate to a name. 
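Review bot: the rewritten Introduction paragraph in this hunk leaves two errors standing in its unchanged context: "Operational state objects are not explicitely modeled" should read "explicitly", and "a YANG data model for mapping a X.509 certificate" should read "an X.509 certificate"; both sit in the same section and could be fixed in this revision. The new forward pointer "Further details can be found in Section 3" does match the "Implementation Guidelines" entry in the updated table of contents, so that cross-reference is consistent.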
@@ -206,21 +207,21 @@ engine. The list "/snmp/engine/listen" provides configuration of the transport endpoints the engine is listening to. In this submodule, SNMP over UDP is defined. SSH, TLS and Datagram Transport Layer Security (DTLS) are also supported, defined in "ietf-snmp-ssh" (Section 2.13) and "ietf-snmp-tls" (Section 2.12), respectively. The "transport" choice is expected to be augmented for other transports. The "/snmp/engine/version" container can be used to enable/disable - the different message processing models. + the different message processing models [RFC3411]. 2.5. Target Configuration The submodule "ietf-snmp-target", which defines configuration parameters that correspond to the objects in SNMP-TARGET-MIB, has the following structure: +--rw snmp +--rw target* [name] | +--rw name snmp:identifier @@ -286,21 +287,22 @@ relationship between "snmpTargetParamsTable" and "snmpNotifyFilterProfileTable". In the YANG model, this sparse relationship is represented with a leafref leaf "notify-filter-profile" in the "/snmp/target-params" list, which refers to an entry in the "/snmp/notify-filter-profile" list. The "snmpNotifyFilterTable" is represented as a list "filter" within the "/snmp/notify-filter-profile" list. This submodule defines the feature "notification-filter". A server - implements this feature if it supports SNMP notification filtering. + implements this feature if it supports SNMP notification filtering + [RFC3413]. 2.7. Proxy Configuration The submodule "ietf-snmp-proxy", which defines configuration parameters that correspond to the objects in SNMP-PROXY-MIB, has the following structure: +--rw snmp +--rw proxy* [name] +--rw name snmp:identifier 
@@ -308,21 +310,21 @@ +--rw context-engine-id snmp:engine-id +--rw context-name? snmp:context-name +--rw target-params-in? snmp:identifier +--rw single-target-out? snmp:identifier +--rw multiple-target-out? snmp:identifier An entry in the list "/snmp/proxy" corresponds to an "snmpProxyEntry". This submodule defines the feature "proxy". A server implements this - feature if it can act as an SNMP Proxy. + feature if it can act as an SNMP Proxy [RFC3413]. 2.8. Community Configuration The submodule "ietf-snmp-community", which defines configuration parameters that correspond to the objects in SNMP-COMMUNITY-MIB, has the following structure: +--rw snmp +--rw community* [index] +--rw index snmp:identifier @@ -1635,20 +1639,23 @@ description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } feature notification-filter { description "A server implements this feature if it supports SNMP notification filtering."; + reference + "RFC3413: Simple Network Management Protocol (SNMP) + Applications"; } augment /snmp:snmp { list notify { key name; description "Targets that will receive notifications. Entries in this lists are mapped 1-1 to entries in @@ -1819,20 +1828,23 @@ description "Initial revision."; reference "RFC XXXX: A YANG Data Model for SNMP Configuration"; } feature proxy { description "A server implements this feature if it can act as an SNMP Proxy"; + reference + "RFC3413: Simple Network Management Protocol (SNMP) + Applications"; } augment /snmp:snmp { if-feature snmp:proxy; list proxy { key name; description "List of proxy parameters."; @@ -1894,26 +1905,31 @@ } } } } 4.8. Submodule 'ietf-snmp-community' file "ietf-snmp-community.yang" + submodule ietf-snmp-community { belongs-to ietf-snmp { prefix snmp; } + import ietf-netconf-acm { + prefix nacm; + } + include ietf-snmp-common; include ietf-snmp-target; include ietf-snmp-proxy; organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: 
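Review bot: the new "import ietf-netconf-acm" in the hunk at @@ -1894 makes the whole ietf-snmp module, not just this submodule, depend on RFC 6536 (the nacm:default-deny-all extension used later in this revision). RFC 6536 is already a Normative Reference, which is correct, but nothing in the submodule's prose or the Security Considerations says that NETCONF access to community names is denied by default because of this import; a sentence in Section 3 or Section 6 stating that the ietf-snmp-community submodule relies on NACM for this would make the dependency visible to implementers who do not read the YANG.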
@@ -1973,20 +1988,21 @@ "List of communities"; reference "SNMP-COMMUNITY-MIB.snmpCommunityTable"; leaf index { type snmp:identifier; description "Index into the community list."; reference "SNMP-COMMUNITY-MIB.snmpCommunityIndex"; } choice name { + nacm:default-deny-all; description "The community name, either specified as a string or as a binary. The binary name is used when the community name contains characters that are not legal in a string. If not set, the value of 'security-name' is operationally used as the snmpCommunityName."; reference "SNMP-COMMUNITY-MIB.snmpCommunityName"; leaf text-name { @@ -1997,20 +2013,21 @@ } leaf binary-name { type binary; description "A community name represented as a binary value."; } } leaf security-name { type snmp:security-name; mandatory true; + nacm:default-deny-all; description "The snmpCommunitySecurityName of this entry."; reference "SNMP-COMMUNITY-MIB.snmpCommunitySecurityName"; } leaf engine-id { if-feature snmp:proxy; type snmp:engine-id; description "If not set, the value of the local SNMP engine is operationally used by the device."; @@ -2087,31 +2104,31 @@ augment /snmp:snmp/snmp:target { when "snmp:v1 or snmp:v2c"; leaf mms { type union { type enumeration { enum "unknown" { value 0; } } type int32 { range "484..max"; - } } default "484"; + description + "The maximum message size."; reference "SNMP-COMMUNITY-MIB.snmpTargetAddrMMS"; } } } - 4.9. Submodule 'ietf-snmp-vacm' file "ietf-snmp-vacm.yang" submodule ietf-snmp-vacm { belongs-to ietf-snmp { prefix snmp; 
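Review bot: in the hunk at @@ -2087 the added description "The maximum message size." for leaf mms leaves the surrounding type undocumented: it does not say what the "unknown" enum (value 0) means, why the int32 range starts at 484, or why 484 is also the default, and it does not give the unit. Since this leaf mirrors snmpTargetAddrMMS, the description should at least state that the value is the maximum message size the target accepts, in octets, that "unknown" means the size is not known, and what the 484 lower bound and default correspond to, so a reader does not have to open SNMP-COMMUNITY-MIB to interpret it. The removal of the blank line before "4.9. Submodule 'ietf-snmp-vacm'" is fine.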
@@ -3196,21 +3214,24 @@ temporarily access to resources. Implementations supporting SNMP write access must ensure that any SNMP access control rule changes over NETCONF are atomic as well to the SNMP instrumentation. In particular changes involving an internal delete/create cycle (e.g., to move a user to a different group) must be done with sufficient protections such that even a power fail immediately after the delete does not leave the administrator locked out. Security administrators need to ensure that NETCONF access control rules and SNMP access control rules implement a consistent security - policy. + policy. Specifically, the SNMP access control rules should prevent + accidental leakage of sensitive security parameters such as community + strings. See the Security Considerations section of [RFC3584] for + further details. 7. Acknowledgments The authors want to thank Wes Hardaker and David Spakes for their detailed reviews. Additional valuable comments were provided by David Harrington, Borislav Lukovic and Randy Presuhn. Juergen Schoenwaelder was partly funded by Flamingo, a Network of Excellence project (ICT-318488) supported by the European Commission under its Seventh Framework Programme. 
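Review bot: the added Security Considerations text asks SNMP access control rules to prevent leakage of community strings, but the control this revision actually introduces is on the NETCONF side (nacm:default-deny-all on the community "name" choice and on "security-name" in ietf-snmp-community), and that side is not mentioned. The paragraph should state both halves of the consistent policy it asks for: NACM denies read and write access to these leaves unless a rule explicitly grants it, and SNMP VACM views should likewise exclude the corresponding SNMP-COMMUNITY-MIB objects (snmpCommunityName, snmpCommunitySecurityName), as the cited Security Considerations of [RFC3584] discuss. Also "even a power fail immediately after the delete" in the unchanged context would read better as "even a power failure".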
@@ -3220,73 +3241,73 @@ 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010. [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. - Bierman, "Network Configuration Protocol (NETCONF)", - RFC 6241, June 2011. + Bierman, "Network Configuration Protocol (NETCONF)", RFC + 6241, June 2011. [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, June 2011. [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration - Protocol (NETCONF) Access Control Model", RFC 6536, - March 2012. + Protocol (NETCONF) Access Control Model", RFC 6536, March + 2012. [RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991, July 2013. 8.2. Informative References [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002. [RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message Processing and Dispatching for the Simple Network - Management Protocol (SNMP)", STD 62, RFC 3412, - December 2002. + Management Protocol (SNMP)", STD 62, RFC 3412, December + 2002. [RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network - Management Protocol (SNMP) Applications", STD 62, - RFC 3413, December 2002. + Management Protocol (SNMP) Applications", STD 62, RFC + 3413, December 2002. [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. [RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network - Management Protocol (SNMP)", STD 62, RFC 3415, - December 2002. + Management Protocol (SNMP)", STD 62, RFC 3415, December + 2002. 
[RFC3418] Presuhn, R., "Management Information Base (MIB) for the - Simple Network Management Protocol (SNMP)", STD 62, - RFC 3418, December 2002. + Simple Network Management Protocol (SNMP)", STD 62, RFC + 3418, December 2002. [RFC3584] Frye, R., Levi, D., Routhier, S., and B. Wijnen, "Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework", BCP 74, RFC 3584, August 2003. [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, January 2004. [RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model - for the Simple Network Management Protocol (SNMP)", - RFC 5591, June 2009. + for the Simple Network Management Protocol (SNMP)", RFC + 5591, June 2009. [RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure Shell Transport Model for the Simple Network Management Protocol (SNMP)", RFC 5592, June 2009. [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)", RFC 6353, July 2011. [RFC6643] Schoenwaelder, J., "Translation of Structure of Management
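Review bot: in the hunk at @@ -1635 the new reference statement spells the number as "RFC3413:" with no space, while the reference statement a few lines above in the same revision block uses "RFC XXXX: A YANG Data Model for SNMP Configuration"; use the same "RFC 3413: Simple Network Management Protocol (SNMP) Applications" form so the generated documentation is consistent.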
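Review bot: in the hunk at @@ -1819 the same "RFC3413:" spacing issue applies to the new reference under feature proxy, and the adjacent description "A server implements this feature if it can act as an SNMP Proxy" still lacks the terminating period that the notification-filter description has; both can be fixed in this hunk since it is already touching the statement.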
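Review bot: in the hunk at @@ -1973 the nacm:default-deny-all on the "name" choice hides text-name and binary-name, but the list key "index" in the same "community" list remains readable under the default NACM rules and is returned with every list retrieval; nothing in the "Index into the community list." description tells an operator not to reuse the community string as the index value, which would sidestep the deny-all. Add that guidance to the index description (or to Section 6) so the protection on the name is not undone by a naming convention.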
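Review bot: in the hunk at @@ -1997 the nacm:default-deny-all on "security-name" is justified only indirectly, by the "name" choice description ("If not set, the value of 'security-name' is operationally used as the snmpCommunityName"); the security-name description itself, "The snmpCommunitySecurityName of this entry.", gives no hint that the leaf can double as the community string. Add one sentence there explaining why it is treated as sensitive, so a later editor does not remove the extension as redundant, and consider placing the extension in the same position (before "description") as in the "name" choice for consistency.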