Internet Engineering Task Force (IETF)                      M. Bjorklund
Request for Comments: 7407                                Tail-f Systems
Category: Standards Track                               J. Schoenwaelder
ISSN: 2070-1721                                        Jacobs University
                                                           December 2014

                A YANG Data Model for SNMP Configuration

Abstract

This document defines a collection of YANG definitions for configuring SNMP engines.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7407.

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents

   1. Introduction
   2. Data Model
      2.1. Tree Diagrams
      2.2. General Considerations
      2.3. Common Definitions
      2.4. Engine Configuration
      2.5. Target Configuration
      2.6. Notification Configuration
      2.7. Proxy Configuration
      2.8. Community Configuration
      2.9. View-Based Access Control Model Configuration
      2.10. User-Based Security Model Configuration
      2.11. Transport Security Model Configuration
      2.12. Transport Layer Security Transport Model Configuration
      2.13. Secure Shell Transport Model Configuration
   3. Implementation Guidelines
      3.1. Supporting read-only SNMP Access
      3.2. Supporting read-write SNMP Access
   4. Definitions
      4.1. Module 'ietf-x509-cert-to-name'
      4.2. Module 'ietf-snmp'
      4.3. Submodule 'ietf-snmp-common'
      4.4. Submodule 'ietf-snmp-engine'
      4.5. Submodule 'ietf-snmp-target'
      4.6. Submodule 'ietf-snmp-notification'
      4.7. Submodule 'ietf-snmp-proxy'
      4.8. Submodule 'ietf-snmp-community'
      4.9. Submodule 'ietf-snmp-vacm'
      4.10. Submodule 'ietf-snmp-usm'
      4.11. Submodule 'ietf-snmp-tsm'
      4.12. Submodule 'ietf-snmp-tls'
      4.13. Submodule 'ietf-snmp-ssh'
   5. IANA Considerations
   6. Security Considerations
   7. References
      7.1. Normative References
      7.2. Informative References
   Appendix A. Example Configurations
      A.1. Engine Configuration Example
      A.2. Community Configuration Example
      A.3. User-Based Security Model Configuration Example
      A.4. Target and Notification Configuration Example
      A.5. Proxy Configuration Example
      A.6. View-Based Access Control Model Configuration Example
      A.7. Transport Layer Security Transport Model Configuration Example
   Acknowledgments
   Authors' Addresses
1. Introduction

This document defines a YANG [RFC6020] data model for the configuration of SNMP engines. The configuration model is consistent with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413], [RFC3414], [RFC3415], [RFC3417], [RFC3418], [RFC3419], [RFC3584], [RFC3826], [RFC5591], [RFC5592], and [RFC6353] but takes advantage of YANG's ability to define hierarchical configuration data models.

The configuration data model in particular has been designed for SNMP deployments where SNMP runs in read-only mode and the Network Configuration Protocol (NETCONF) is used to configure the SNMP agent. Nevertheless, the data model allows implementations that support write access both via SNMP and NETCONF in order to interwork with SNMP management applications manipulating SNMP agent configuration using SNMP. Further details can be found in Section 3.

The YANG data model focuses on configuration. Operational state objects are not explicitly modeled. The operational state of an SNMP agent can be accessed either directly via SNMP or, alternatively, via NETCONF using the read-only translation of the relevant SNMP MIB modules into YANG modules [RFC6643].

This document also defines a YANG data model for mapping an X.509 certificate to a name.

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119].
2. Data Model

In order to preserve the modularity of SNMP, the YANG configuration data model is organized in a set of YANG submodules, all sharing the same module namespace. This allows adding configuration support for additional SNMP features while keeping the number of namespaces that have to be dealt with down to a minimum.

2.1. Tree Diagrams

A simplified graphical representation of the data model is used in this document. The meaning of the symbols in these diagrams is as follows:

   o Brackets "[" and "]" enclose list keys.

   o Abbreviations before data node names: "rw" means configuration (read-write), and "ro" means state data (read-only).

   o Symbols after data node names: "?" means an optional node, "!" means a presence container, and "*" denotes a list and leaf-list.

   o Parentheses enclose choice and case nodes, and case nodes are also marked with a colon (":").

   o Ellipsis ("...") stands for contents of subtrees that are not shown.

2.2. General Considerations

Most YANG nodes are mapped 1-1 to the corresponding MIB object. The "reference" statement is used to indicate which corresponding MIB object the YANG node is mapped to. When there is not a simple 1-1 mapping, the "description" statement explains the mapping.

The persistency models in SNMP and NETCONF are quite different. In NETCONF, the persistency is defined by the datastore, whereas in SNMP, it is defined either explicitly in the data model or on a row-by-row basis using the Textual Convention "StorageType". Thus, in the YANG model defined here, the "StorageType" columns are not present. For implementation guidelines, see Section 3.

In SNMP, row creation and deletion are controlled using the Textual Convention "RowStatus". In NETCONF, creation and deletion are handled by the protocol, not in the data model. Thus, in the YANG model defined here, the "RowStatus" columns are not present.

2.3. Common Definitions

The submodule "ietf-snmp-common" defines a set of common typedefs and the top-level container "snmp". All configuration parameters defined in the other submodules are organized under this top-level container.
2.4. Engine Configuration

The submodule "ietf-snmp-engine", which defines configuration ...

        |  +--rw v2c?   empty
        |  +--rw v3?    empty
        +--rw engine-id?             snmp:engine-id
        +--rw enable-authen-traps?   boolean

The leaf "/snmp/engine/enabled" can be used to enable/disable an SNMP engine.

The list "/snmp/engine/listen" provides configuration of the transport endpoints the engine is listening to. In this submodule, SNMP over UDP is defined. The Secure Shell (SSH) Protocol, Transport Layer Security (TLS), and Datagram Transport Layer Security (DTLS) are also supported, defined in "ietf-snmp-ssh" (Section 2.13) and "ietf-snmp-tls" (Section 2.12), respectively. The "transport" choice is expected to be augmented for other transports.

The "/snmp/engine/version" container can be used to enable/disable the different message processing models [RFC3411].
2.5. Target Configuration

The submodule "ietf-snmp-target", which defines configuration parameters that correspond to the objects in SNMP-TARGET-MIB, has the following structure:

   ...

The "snmpTargetAddrTDomain" and "snmpTargetAddrTAddress" objects are mapped to transport-specific YANG nodes. Each transport is configured as a separate case in the "transport" choice. In this submodule, SNMP over UDP is defined. TLS and DTLS are also supported, defined in "ietf-snmp-tls" (Section 2.12). The "transport" choice is expected to be augmented for other transports.

An entry in the list "/snmp/target-params" corresponds to an "snmpTargetParamsEntry". This list contains a choice "params", which is augmented by submodules specific to the security model, currently "ietf-snmp-community" (Section 2.8), "ietf-snmp-usm" (Section 2.10), and "ietf-snmp-tls" (Section 2.12).
2.6. Notification Configuration

The submodule "ietf-snmp-notification", which defines configuration parameters that correspond to the objects in SNMP-NOTIFICATION-MIB, has the following structure:

     +--rw snmp
        +--rw notify* [name]
        |  +--rw name    snmp:identifier
        |  +--rw tag     snmp:identifier
        |  +--rw type?   enumeration
        +--rw notify-filter-profile* [name]
           +--rw name       snmp:identifier
           +--rw include*   snmp:wildcard-object-identifier
           +--rw exclude*   snmp:wildcard-object-identifier

This submodule also augments the "target-params" list defined in the "ietf-snmp-target" submodule (Section 2.5) with one leaf:

     +--rw snmp
        +--rw target-params* [name]
           ...
           +--rw notify-filter-profile?   leafref

An entry in the list "/snmp/notify" corresponds to an "snmpNotifyEntry".

   ...

2.7. Proxy Configuration

   ...

        +--rw context-engine-id      snmp:engine-id
        +--rw context-name?          snmp:context-name
        +--rw target-params-in?      snmp:identifier
        +--rw single-target-out?     snmp:identifier
        +--rw multiple-target-out?   snmp:identifier

An entry in the list "/snmp/proxy" corresponds to an "snmpProxyEntry".

This submodule defines the feature "proxy". A server implements this feature if it can act as an SNMP proxy [RFC3413].
2.8. Community Configuration

The submodule "ietf-snmp-community", which defines configuration parameters that correspond to the objects in SNMP-COMMUNITY-MIB, has the following structure:

     +--rw snmp
        +--rw community* [index]
           +--rw index            snmp:identifier
           +--rw (name)?
           |  +--:(text-name)
           |  |  +--rw text-name?     string
           |  +--:(binary-name)
           |     +--rw binary-name?   binary
           +--rw security-name    snmp:security-name
           +--rw engine-id?       snmp:engine-id
           +--rw context?         snmp:context-name
           +--rw target-tag?      snmp:identifier

This submodule also augments the "/snmp/target-params/params" choice with nodes for the Community-based Security Model used by SNMPv1 and SNMPv2c:

     +--rw snmp
        +--rw target-params* [name]
        |  ...
        |  +--rw (params)?
        |     +--:(v1)
        |     |  +--rw v1
        |     |     +--rw security-name    snmp:security-name
        |     +--:(v2c)
        |        +--rw v2c
        |           +--rw security-name    snmp:security-name
        +--rw target* [name]
           +--rw mms?   union

An entry in the list "/snmp/community" corresponds to an "snmpCommunityEntry".

When a case "v1" or "v2c" is chosen, it implies an snmpTargetParamsMPModel 0 (SNMPv1) or 1 (SNMPv2), and an snmpTargetParamsSecurityModel 1 (SNMPv1) or 2 (SNMPv2), respectively. Both cases imply an snmpTargetParamsSecurityLevel of noAuthNoPriv.
2.9. View-Based Access Control Model Configuration

The submodule "ietf-snmp-vacm", which defines configuration parameters that correspond to the objects in SNMP-VIEW-BASED-ACM-MIB, has the following structure:

     +--rw snmp
        +--rw vacm
           +--rw group* [name]
           |  +--rw name      group-name
           |  +--rw member* [security-name]
           |  |  +--rw security-name     snmp:security-name
           |  |  +--rw security-model*   snmp:security-model
           |  +--rw access* [context security-model security-level]
           |     +--rw context           snmp:context-name
           |     +--rw context-match?    enumeration
           |     +--rw security-model    snmp:security-model-or-any
           |     +--rw security-level    snmp:security-level
           |     +--rw read-view?        view-name
           |     +--rw write-view?       view-name
           |     +--rw notify-view?      view-name
           +--rw view* [name]
              +--rw name       view-name
              +--rw include*   snmp:wildcard-object-identifier
              +--rw exclude*   snmp:wildcard-object-identifier

The "vacmSecurityToGroupTable" and "vacmAccessTable" are mapped to a structure of nested lists in the YANG model. Groups are defined in the list "/snmp/vacm/group", and for each group, there is a sublist "member" that maps to "vacmSecurityToGroupTable" and a sublist "access" that maps to "vacmAccessTable".

MIB views are defined in the list "/snmp/vacm/view", and for each MIB view, there is a leaf-list of included subtree families and a leaf-list of excluded subtree families. This is more compact and thus a more readable representation of the "vacmViewTreeFamilyTable".
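The include/exclude representation of a view described above can be evaluated directly. As an added example, not code from RFC 7407, this Python applies the vacmViewTreeFamilyTable matching rule (an OID must have at least as many sub-identifiers as the family and agree at every non-wildcard position; the most specific matching family decides) to a constructed sample view; the tie-break order among equally long families is modeled on RFC 3415 and is an assumption of the example.

```python
"""Membership test for a VACM MIB view written the RFC 7407 way: a leaf-list
of included and a leaf-list of excluded wildcard-object-identifier families
(/snmp/vacm/view/include and /snmp/vacm/view/exclude)."""
from typing import Dict, List, Optional, Tuple

# A family is a tuple of sub-identifiers; None stands for the '*' wildcard,
# i.e. a 0 bit in vacmViewTreeFamilyMask (any sub-identifier matches there).
Family = Tuple[Optional[int], ...]
Oid = Tuple[int, ...]


def parse_wildcard_oid(text: str) -> Family:
    """Parse a snmp:wildcard-object-identifier such as '1.3.6.1.2.1.2.2.1.*.3'."""
    parts = text.split(".")
    if len(parts) < 2:
        raise ValueError("an OID needs at least two sub-identifiers: %r" % text)
    family: List[Optional[int]] = []
    for part in parts:
        if part == "*":
            family.append(None)
        elif part.isdigit():
            family.append(int(part))
        else:
            raise ValueError("bad sub-identifier %r in %r" % (part, text))
    return tuple(family)


def parse_oid(text: str) -> Oid:
    """Parse a concrete object identifier; wildcards are rejected here."""
    family = parse_wildcard_oid(text)
    if any(sub is None for sub in family):
        raise ValueError("concrete OID expected, got wildcard: %r" % text)
    return tuple(sub for sub in family if sub is not None)


def family_matches(family: Family, oid: Oid) -> bool:
    """vacmViewTreeFamilyTable test: the OID must have at least as many
    sub-identifiers as the subtree, and every non-wildcard position must agree."""
    if len(oid) < len(family):
        return False
    return all(sub is None or sub == got for sub, got in zip(family, oid))


def precedence(family: Family) -> Tuple[int, Tuple[int, ...], Tuple[int, ...]]:
    """Ordering used to pick the most specific matching family: longest
    subtree first, then the lexicographically greatest mask, then subtree
    (assumed tie-break, modeled on RFC 3415)."""
    mask = tuple(0 if sub is None else 1 for sub in family)
    values = tuple(0 if sub is None else sub for sub in family)
    return (len(family), mask, values)


def oid_in_view(oid_text: str, include: List[str], exclude: List[str]) -> bool:
    """True if the OID is in the view: the most specific matching family
    decides, and it must come from the include list."""
    oid = parse_oid(oid_text)
    best = None  # (precedence, is_included)
    for is_included, families in ((True, include), (False, exclude)):
        for text in families:
            family = parse_wildcard_oid(text)
            if family_matches(family, oid):
                candidate = (precedence(family), is_included)
                if best is None or candidate[0] > best[0]:
                    best = candidate
    return best is not None and best[1]


# Constructed sample view (not from the RFC): all of mib-2, minus the whole
# ifTable, except that every column of the row with ifIndex 3 is allowed
# back in through a wildcard family.
VIEW_INCLUDE = ["1.3.6.1.2.1", "1.3.6.1.2.1.2.2.1.*.3"]
VIEW_EXCLUDE = ["1.3.6.1.2.1.2.2.1"]


def evaluate_sample() -> Dict[str, bool]:
    """Evaluate a few instance OIDs against the sample view."""
    probes = [
        "1.3.6.1.2.1.1.1.0",      # sysDescr.0: in mib-2, included
        "1.3.6.1.2.1.2.2",        # ifTable node: shorter than the excluded family
        "1.3.6.1.2.1.2.2.1.2.1",  # ifDescr.1: excluded with the rest of ifTable
        "1.3.6.1.2.1.2.2.1.2.3",  # ifDescr.3: the longer wildcard family wins
        "1.3.6.1.4.1",            # enterprises: matches no family at all
    ]
    return {oid: oid_in_view(oid, VIEW_INCLUDE, VIEW_EXCLUDE) for oid in probes}


if __name__ == "__main__":
    for oid, in_view in evaluate_sample().items():
        print("%-24s %s" % (oid, "included" if in_view else "not in view"))
```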
2.10. User-Based Security Model Configuration

The submodule "ietf-snmp-usm", which defines configuration parameters that correspond to the objects in SNMP-USER-BASED-SM-MIB, has the following structure:

     +--rw snmp
        +--rw usm
           +--rw local
           |  +--rw user* [name]
           |     +-- {common user params}

   ...

                 |              +-- rw key    yang:hex-string
                 +--rw priv!
                    +--rw (protocol)
                       +--:(des)
                       |  +--rw des
                       |     +-- rw key    yang:hex-string
                       +--:(aes)
                          +--rw aes
                             +-- rw key    yang:hex-string

This submodule also augments the "/snmp/target-params/params" choice with nodes for the SNMP User-based Security Model:

     +--rw snmp
        +--rw target-params* [name]
           ...
           +--rw (params)?
              +--:(usm)
                 +--rw usm
                    +--rw user-name         snmp:security-name
                    +--rw security-level    security-level

In the MIB, there is a single table with local and remote users, indexed by the engine ID and user name. In the YANG model, there is one list of local users and a nested list of remote users.

In the MIB, there are several objects related to changing the authentication and privacy keys. These objects are not present in the YANG model. However, the localized key can be changed. This implies that if the engine ID is changed, all users' keys need to be changed as well.
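The remark above that a changed engine ID invalidates every user's key follows from how USM derives them. As an added example, not code from RFC 7407, this Python computes the password-derived key Ku and the engine-localized key Kul per RFC 3414 Appendix A.2 and renders Kul as the yang:hex-string that the auth/md5/key and auth/sha/key leaves take; the first engine ID is the RFC 3414 test vector, the second is a constructed value.

```python
"""USM key derivation as in RFC 3414, Appendix A.2: a password becomes an
engine-independent key Ku, which is then localized to one engine ID. The
localized key is what /snmp/usm/local/user/auth/{md5,sha}/key stores,
rendered as yang:hex-string."""
import hashlib
from typing import Dict, Tuple

EXPANSION_LENGTH = 1048576  # octets of repeated password fed to the hash

# Protocol names as in the YANG "protocol" choice, mapped to hashlib names.
HASH_FOR_PROTOCOL = {"md5": "md5", "sha": "sha1"}


def password_to_key(password: bytes, hashname: str) -> bytes:
    """Ku: hash of the password repeated cyclically to 1,048,576 octets."""
    if not password:
        raise ValueError("USM passwords must not be empty")
    repeats = EXPANSION_LENGTH // len(password) + 1
    expanded = (password * repeats)[:EXPANSION_LENGTH]
    return hashlib.new(hashname, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hashname: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the key is usable with that engine only."""
    if not 5 <= len(engine_id) <= 32:  # SnmpEngineID length limits (RFC 3411)
        raise ValueError("engine ID must be 5..32 octets")
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def to_hex_string(octets: bytes) -> str:
    """Canonical yang:hex-string: lowercase hex octets separated by colons."""
    return ":".join("%02x" % byte for byte in octets)


def usm_auth_key(password: str, engine_id: bytes, protocol: str) -> str:
    """Localized authentication key for the given auth protocol, as the
    hex-string value to configure under auth/<protocol>/key."""
    hashname = HASH_FOR_PROTOCOL[protocol]
    ku = password_to_key(password.encode("utf-8"), hashname)
    return to_hex_string(localize_key(ku, engine_id, hashname))


# RFC 3414 Appendix A.3 test vector: password "maplesyrup" and engine ID
# 00 00 00 00 00 00 00 00 00 00 00 02.
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed second engine ID, to show that re-keying follows an ID change.
OTHER_ENGINE_ID = bytes.fromhex("80000009030000deadbeef01")


def keys_for_both_engines(password: str = "maplesyrup") -> Dict[str, Tuple[str, str]]:
    """Same user password localized for two engines: the stored keys differ,
    which is why an engine-id change forces every user's key to change."""
    return {
        protocol: (usm_auth_key(password, RFC3414_ENGINE_ID, protocol),
                   usm_auth_key(password, OTHER_ENGINE_ID, protocol))
        for protocol in HASH_FOR_PROTOCOL
    }


if __name__ == "__main__":
    for protocol, (key_a, key_b) in keys_for_both_engines().items():
        print(protocol, "engine A:", key_a)
        print(protocol, "engine B:", key_b)
```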
2.11. Transport Security Model Configuration

The submodule "ietf-snmp-tsm", which defines configuration parameters that correspond to the objects in SNMP-TSM-MIB, has the following structure:

     +--rw snmp
        +--rw tsm
           +--rw use-prefix?   boolean

This submodule also augments the "/snmp/target-params/params" choice with nodes for the SNMP Transport Security Model:

     +--rw snmp
        +--rw target-params* [name]
           ...
           +--rw (params)?
              +--:(tsm)
                 +--rw tsm
                    +--rw security-name     snmp:security-name
                    +--rw security-level    security-level

This submodule defines the feature "tsm". A server implements this feature if it supports the Transport Security Model (TSM) [RFC5591].
2.12. Transport Layer Security Transport Model Configuration

The submodule "ietf-snmp-tls", which defines configuration parameters that correspond to the objects in SNMP-TLS-TM-MIB, has the following structure:

     +--rw snmp
        ...
        +--rw target* [name]

   ...

              +--rw name    string

The "{common (d)tls transport params}" are:

              +--rw ip?                   inet:host
              +--rw port?                 inet:port-number
              +--rw client-fingerprint?   x509c2n:tls-fingerprint
              +--rw server-fingerprint?   x509c2n:tls-fingerprint
              +--rw server-identity?      snmp:admin-string

This submodule also augments the "/snmp/engine/listen/transport" choice with objects for the (D)TLS transport endpoints:

     +--rw snmp
        +--rw engine
           ...
           +--rw listen* [name]
              ...
              +--rw (transport)
                 ...
                 +--:(tls)
                 |  +--rw tls
                 |     +--rw ip      inet:ip-address
                 |     +--rw port?   inet:port-number
                 +--:(dtls)
                    +--rw dtls
                       +--rw ip      inet:ip-address
                       +--rw port?   inet:port-number

This submodule defines the feature "tlstm". A server implements this feature if it supports the Transport Layer Security (TLS) Transport Model (TLSTM) [RFC6353].
2.13. Secure Shell Transport Model Configuration 2.13. Secure Shell Transport Model Configuration
The submodule "ietf-snmp-ssh", which defines configuration parameters The submodule "ietf-snmp-ssh", which defines configuration parameters
that correspond to the objects in SNMP-SSH-TM-MIB, has the following that correspond to the objects in SNMP-SSH-TM-MIB, has the following
structure: structure:
+--rw snmp +--rw snmp
... ...
+--rw target* [name] +--rw target* [name]
skipping to change at page 13, line 22 skipping to change at page 14, line 22
... ...
+--rw (transport) +--rw (transport)
... ...
+--:(ssh) +--:(ssh)
+--rw ssh +--rw ssh
+--rw ip inet:host +--rw ip inet:host
+--rw port? inet:port-number +--rw port? inet:port-number
+--rw username? string +--rw username? string
This submodule defines the feature "sshtm". A server implements this This submodule defines the feature "sshtm". A server implements this
feature if it supports the Secure Shell (SSH) Transport Model (sshtm) feature if it supports the Secure Shell Transport Model (SSHTM)
[RFC5592]. [RFC5592].
3. Implementation Guidelines

This section describes some challenges for implementations that
support both the YANG models defined in this document and either
read-write or read-only SNMP access to the same data, using the
standard MIB modules.

As described in Section 2.2, the persistency models in NETCONF and
SNMP are quite different. This poses a challenge for an
implementation to support both NETCONF and SNMP access to the same
data, in particular if the data is writable over both protocols.
Specifically, the configuration data may exist in some combination of
the three NETCONF configuration datastores, and this data must be
mapped to rows in the SNMP tables, in some SNMP contexts, with proper
values for the StorageType columns.

This problem is not new; it has been handled in many implementations
that support configuration of the SNMP engine over a command line
interface (CLI), which normally have a persistency model similar to
NETCONF.

Since there is not one solution that works for all cases, this
document does not provide a recommended solution. Instead, some of
the challenges involved are described below.

3.1. Supporting read-only SNMP Access

If a device implements only :writable-running, it is trivial to map
the contents of "running" to data in the SNMP tables, where all
instances of the StorageType columns have the value "nonVolatile".

If a device implements :candidate but not :startup, the
implementation may choose to not expose the contents of the
"candidate" datastore over SNMP and map the contents of "running" as
described above. As an option, the contents of "candidate" might be
accessible in a separate SNMP context.

If a device implements :startup, the handling of StorageType becomes
more difficult. Since the contents of "running" and "startup" might
differ, data in "running" cannot automatically be mapped to instances
with StorageType "nonVolatile". If a particular entry exists in
"running" but not in "startup", its StorageType should be "volatile".
If a particular entry exists in "startup" but not "running", it
should not be mapped to an SNMP instance, at least not in the default
SNMP context.

3.2. Supporting read-write SNMP Access

If the implementation supports read-write access to data over SNMP,
and specifically creation of table rows, special attention has to be
given to the handling of the RowStatus and StorageType columns. The
problem is to determine which table rows to store in the
configuration datastores and which configuration datastore is
appropriate for each row.

The SNMP tables contain a mix of configured data and operational
state, and only rows with an "active" RowStatus column should be
stored in a configuration datastore.

If a device implements only :writable-running, "active" rows with a
"nonVolatile" StorageType column can be stored in "running". Rows
with a "volatile" StorageType column are operational state.

If a device implements :candidate but not :writable-running, all
configuration changes typically go through the "candidate", even if
they are done over SNMP. An implementation might have to perform
some automatic commit of the "candidate" when data is written over
SNMP, since there is no explicit "commit" operation in SNMP.

If a device implements :startup, "nonVolatile" rows cannot just be
written to "running"; they must also be copied into "startup".
"volatile" rows may be treated as operational state and not copied to
any datastore, or they may be copied into "running".

Cooperating SNMP management applications may use spin lock objects
(snmpTargetSpinLock [RFC3413], usmUserSpinLock [RFC3414],
vacmViewSpinLock [RFC3415]) to coordinate concurrent write requests.
Implementations supporting modifications of MIB objects protected by
a spin lock via NETCONF should ensure that the spin lock objects are
properly incremented whenever objects are changed via NETCONF. This
allows cooperating SNMP management applications to discover that
concurrent modifications are taking place.
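The rules of Sections 3.1 and 3.2 written out as a small decision procedure. This is an added example, not code from RFC 7407 or any implementation; the capability names are the NETCONF :writable-running, :candidate and :startup capabilities the text refers to, and the entry names used as input are constructed.

```python
"""Datastore <-> SNMP StorageType rules from Sections 3.1 and 3.2.

Added example, not code from RFC 7407. Capability names follow the
NETCONF capabilities the text uses; entry names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

WRITABLE_RUNNING, CANDIDATE, STARTUP = ":writable-running", ":candidate", ":startup"


@dataclass(frozen=True)
class SnmpRow:
    """A table row as seen over SNMP: its RowStatus and StorageType columns."""
    name: str
    row_status: str    # "active", "notInService", "notReady", ...
    storage_type: str  # "volatile" or "nonVolatile"


def rows_for_readonly_snmp(caps: FrozenSet[str], running: Dict[str, str],
                           startup: Optional[Dict[str, str]] = None) -> List[SnmpRow]:
    """Section 3.1: map configuration datastores to rows in the default
    SNMP context. "candidate" is never exposed here; the text leaves it
    to an optional separate context."""
    if STARTUP not in caps:
        # Only :writable-running (with or without :candidate): everything in
        # "running" is persistent, so every row is "nonVolatile".
        return [SnmpRow(n, "active", "nonVolatile") for n in sorted(running)]
    if startup is None:
        raise ValueError(":startup is implemented but no startup contents given")
    rows = []
    for name in sorted(running):
        # In "running" but not in "startup": lost at reboot, hence "volatile".
        kind = "nonVolatile" if name in startup else "volatile"
        rows.append(SnmpRow(name, "active", kind))
    # Entries that exist only in "startup" are not mapped into the default context.
    return rows


def datastores_for_snmp_write(caps: FrozenSet[str], row: SnmpRow) -> FrozenSet[str]:
    """Section 3.2: configuration datastores an SNMP-written row is stored in.
    An empty set means the row is operational state only."""
    if row.row_status != "active":
        return frozenset()   # only "active" rows are configuration
    if row.storage_type != "nonVolatile":
        # "volatile" rows may be kept as operational state or copied into
        # "running"; this example takes the first option.
        return frozenset()
    if CANDIDATE in caps and WRITABLE_RUNNING not in caps:
        # Writes go through "candidate"; the agent has to commit it itself,
        # since SNMP has no commit operation.
        targets = {"candidate"}
    else:
        targets = {"running"}
    if STARTUP in caps:
        targets.add("startup")   # "nonVolatile" rows must also reach "startup"
    return frozenset(targets)
```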
...
               <mailto:j.schoenwaelder@jacobs-university.de>

     Editor:   Martin Bjorklund
               <mailto:mbj@tail-f.com>

     Editor:   Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This module contains a collection of YANG definitions for
     extracting a name from an X.509 certificate.

     The algorithm used to extract a name from an X.509 certificate
     was first defined in RFC 6353.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  reference
    "RFC 6353: Transport Layer Security (TLS) Transport Model for
     the Simple Network Management Protocol (SNMP)";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  typedef tls-fingerprint {
    type yang:hex-string {
      pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
    }
    description
      "A fingerprint value that can be used to uniquely reference
       other data of potentially arbitrary length.

       A tls-fingerprint value is composed of a 1-octet hashing
       algorithm identifier followed by the fingerprint value. The
       first octet value identifying the hashing algorithm is taken
       from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). The
       remaining octets are filled using the results of the hashing
       algorithm.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
       for the Simple Network Management Protocol (SNMP).
       SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
  }

  /* Identities */

  identity cert-to-name {
    description
      "Base identity for algorithms to derive a name from a
       certificate.";
  }

  identity specified {
    base cert-to-name;
    description
      "Directly specifies the name to be used for the certificate.
       The value of the leaf 'name' in the cert-to-name list is
       used.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
       for the Simple Network Management Protocol (SNMP).
       SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
  }

  identity san-rfc822-name {
    base cert-to-name;
    description
      "Maps a subjectAltName's rfc822Name to a name. The local part
       of the rfc822Name is passed unaltered, but the host-part of
       the name must be passed in lowercase. For example, the
       rfc822Name field FooBar@Example.COM is mapped to name
       FooBar@example.com.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
       for the Simple Network Management Protocol (SNMP).
       SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
  }

  identity san-dns-name {
    base cert-to-name;
    description
      "Maps a subjectAltName's dNSName to a name after first
       converting it to all lowercase (RFC 5280 does not specify
       converting to lowercase, so this involves an extra step).
       This mapping results in a 1:1 correspondence between
       subjectAltName dNSName values and the name values.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
       for the Simple Network Management Protocol (SNMP).
       SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
  }

  identity san-ip-address {
    base cert-to-name;
    description
      "Maps a subjectAltName's iPAddress to a name by
       transforming the binary-encoded address as follows:

         1) for IPv4, the value is converted into a
            decimal-dotted quad address (e.g., '192.0.2.1').

         2) for IPv6 addresses, the value is converted into a
            32-character, all-lowercase hexadecimal string
            without any colon separators.

       This mapping results in a 1:1 correspondence between
       subjectAltName iPAddress values and the name values.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
       for the Simple Network Management Protocol (SNMP).
       SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
  }

  identity san-any {
    base cert-to-name;
    description
      "Maps any of the following fields using the corresponding
       mapping algorithms:

         +------------+-----------------+
         | Type       | Algorithm       |
         |------------+-----------------|
         | rfc822Name | san-rfc822-name |
         | dNSName    | san-dns-name    |
         | iPAddress  | san-ip-address  |
         +------------+-----------------+

       The first matching subjectAltName value found in the
       certificate of the above types MUST be used when deriving
       the name. The mapping algorithm specified in the
       'Algorithm' column MUST be used to derive the name.

       This mapping results in a 1:1 correspondence between
       subjectAltName values and name values. The three sub-mapping
       algorithms produced by this combined algorithm cannot produce
       conflicting results between themselves.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
       for the Simple Network Management Protocol (SNMP).
       SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
  }

  identity common-name {
    base cert-to-name;
    description
      "Maps a certificate's CommonName to a name after converting
       it to a UTF-8 encoding. The usage of CommonNames is
       deprecated, and users are encouraged to use subjectAltName
       mapping methods instead. This mapping results in a 1:1
       correspondence between certificate CommonName values and name
       values.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
       for the Simple Network Management Protocol (SNMP).
       SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
  }

  /*
   * Groupings
   */

  grouping cert-to-name {
    description
      "Defines nodes for mapping certificates to names. Modules
       that use this grouping should describe how the resulting
       name is used.";
    list cert-to-name {
      key id;
      description
        "This list defines how certificates are mapped to names.
         The name is derived by considering each cert-to-name
         list entry in order. The cert-to-name entry's fingerprint
         determines whether the list entry is a match:

         1) If the cert-to-name list entry's fingerprint value
            matches that of the presented certificate, then consider
            the list entry a successful match.

         2) If the cert-to-name list entry's fingerprint value
            matches that of a locally held copy of a trusted CA
            certificate, and that CA certificate was part of the CA
            certificate chain to the presented certificate, then
            consider the list entry a successful match.

         Once a matching cert-to-name list entry has been found, the
         map-type is used to determine how the name associated with
         the certificate should be determined. See the map-type
         leaf's description for details on determining the name value.

         If it is impossible to determine a name from the cert-to-name
         list entry's data combined with the data presented in the
         certificate, then additional cert-to-name list entries MUST
         be searched to look for another potential match.

         Security administrators are encouraged to make use of
         certificates with subjectAltName fields that can be mapped to
         names so that a single root CA certificate can allow all
         child certificates' subjectAltName fields to map directly to
         a name via a 1:1 transformation.";
      reference
        "RFC 6353: Transport Layer Security (TLS) Transport Model
         for the Simple Network Management Protocol (SNMP).
         SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";

      leaf id {
        type uint32;
        description
          "The id specifies the order in which the entries in the
           cert-to-name list are searched. Entries with lower
           numbers are searched first.";
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol (SNMP).
           SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
      }

      leaf fingerprint {
        type x509c2n:tls-fingerprint;
        mandatory true;
        description
          "Specifies a value with which the fingerprint of the
           full certificate presented by the peer is compared. If
           the fingerprint of the full certificate presented by the
           peer does not match the fingerprint configured, then the
           entry is skipped, and the search for a match continues.";
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol (SNMP).
           SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
      }

      leaf map-type {
        type identityref {
          base cert-to-name;
        }
        mandatory true;
        description
          "Specifies the algorithm used to map the certificate
           presented by the peer to a name.

           Mappings that need additional configuration objects should
           use the 'when' statement to make them conditional based on
           the map-type.";
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol (SNMP).
           SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
      }

      leaf name {
        when "../map-type = 'x509c2n:specified'";
        type string;
        mandatory true;
        description
          "Directly specifies the NETCONF username when the
           map-type is 'specified'.";
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol (SNMP).
           SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
      }
    }
  }
}

<CODE ENDS>
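The cert-to-name search (fingerprint match against the presented certificate or a trusted CA in its chain, entries tried in id order, later entries searched when an entry yields no name) together with the map-type algorithms from the identity descriptions above, as an added example that is not code from RFC 7407 or any implementation. It models a certificate as a constructed dataclass instead of parsing real X.509, and takes the hashing algorithm identifiers for the first fingerprint octet from the IANA TLS HashAlgorithm registry values of RFC 5246 that the typedef description cites.

```python
"""cert-to-name lookup as defined by the ietf-x509-cert-to-name module.

Added example, not code from RFC 7407. A certificate is a constructed
stand-in dataclass, not a parsed X.509 object; sample data is constructed.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FINGERPRINT_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){0,254}$")
# First octet of a tls-fingerprint: IANA TLS HashAlgorithm values (RFC 5246).
HASH_ALGORITHMS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256",
                   5: "sha384", 6: "sha512"}
# subjectAltName types each san-* map-type considers (san-any = its table).
SAN_TYPES = {"san-rfc822-name": {"rfc822Name"}, "san-dns-name": {"dNSName"},
             "san-ip-address": {"iPAddress"},
             "san-any": {"rfc822Name", "dNSName", "iPAddress"}}


@dataclass
class Certificate:
    """Constructed stand-in for a parsed X.509 certificate."""
    der: bytes                          # full DER encoding; this is what is hashed
    common_name: Optional[str] = None   # CommonName, already decoded to str
    # subjectAltName entries in certificate order as (type, value); an
    # iPAddress value is the raw 4- or 16-byte address.
    sans: List[Tuple[str, object]] = field(default_factory=list)


@dataclass
class CertToNameEntry:
    """One entry of the cert-to-name list."""
    id: int
    fingerprint: str
    map_type: str
    name: Optional[str] = None   # used only when map_type == "specified"


def make_fingerprint(cert: Certificate, algo_id: int = 4) -> str:
    """Build a tls-fingerprint string (0x04 = sha256 by default) for a cert."""
    digest = hashlib.new(HASH_ALGORITHMS[algo_id], cert.der).digest()
    return ":".join("%02x" % b for b in bytes([algo_id]) + digest)


def fingerprint_matches(entry_fp: str, cert: Certificate) -> bool:
    """Compare a configured tls-fingerprint with the fingerprint of `cert`."""
    if not FINGERPRINT_RE.match(entry_fp):
        raise ValueError("malformed tls-fingerprint: %r" % entry_fp)
    raw = bytes.fromhex(entry_fp.replace(":", ""))
    algo = HASH_ALGORITHMS.get(raw[0])
    if algo is None:
        return False   # unknown hashing algorithm identifier: cannot match
    return hashlib.new(algo, cert.der).digest() == raw[1:]


def map_san(san_type: str, value) -> Optional[str]:
    """The san-* algorithms from the identity descriptions."""
    if san_type == "rfc822Name":
        if "@" not in value:
            return None
        local, _, host = value.rpartition("@")
        return local + "@" + host.lower()   # only the host part is lowercased
    if san_type == "dNSName":
        return value.lower()
    if san_type == "iPAddress":
        addr = ipaddress.ip_address(value)  # accepts the packed 4/16 bytes
        if addr.version == 4:
            return str(addr)                # decimal-dotted quad
        return addr.packed.hex()            # 32 lowercase hex chars, no colons
    return None


def derive_name(entry: CertToNameEntry, cert: Certificate) -> Optional[str]:
    """Apply the entry's map-type; None means this entry yields no name."""
    if entry.map_type == "specified":
        return entry.name
    if entry.map_type == "common-name":
        return cert.common_name
    if entry.map_type not in SAN_TYPES:
        raise ValueError("unknown map-type: %r" % entry.map_type)
    for san_type, value in cert.sans:   # first SAN of a wanted type wins
        if san_type in SAN_TYPES[entry.map_type]:
            return map_san(san_type, value)
    return None


def lookup_name(entries: List[CertToNameEntry], presented: Certificate,
                trusted_cas: List[Certificate]) -> Optional[str]:
    """Search in id order; `trusted_cas` = trusted CAs in the chain (rule 2)."""
    for entry in sorted(entries, key=lambda e: e.id):
        if not (fingerprint_matches(entry.fingerprint, presented) or any(
                fingerprint_matches(entry.fingerprint, ca) for ca in trusted_cas)):
            continue   # fingerprint mismatch: skip, keep searching
        name = derive_name(entry, presented)
        if name is not None:
            return name
        # matched but no name derivable: later entries MUST still be searched
    return None


# Constructed sample data (not real certificates).
CA = Certificate(der=b"constructed-ca-cert")
LEAF = Certificate(der=b"constructed-leaf-cert", common_name="Leaf CN", sans=[
    ("dNSName", "Agent.Example.COM"), ("rfc822Name", "FooBar@Example.COM"),
    ("iPAddress", bytes([192, 0, 2, 1]))])
ENTRIES = [CertToNameEntry(1, make_fingerprint(LEAF), "san-ip-address"),
           CertToNameEntry(2, make_fingerprint(CA), "san-any")]
```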
4.2. Module 'ietf-snmp'

<CODE BEGINS> file "ietf-snmp.yang"

module ietf-snmp {

  namespace "urn:ietf:params:xml:ns:yang:ietf-snmp";
  prefix snmp;

  include ietf-snmp-common {
    revision-date 2014-12-10;
  }
  include ietf-snmp-engine {
    revision-date 2014-12-10;
  }
  include ietf-snmp-target {
    revision-date 2014-12-10;
  }
  include ietf-snmp-notification {
    revision-date 2014-12-10;
  }
  include ietf-snmp-proxy {
    revision-date 2014-12-10;
  }
  include ietf-snmp-community {
    revision-date 2014-12-10;
  }
  include ietf-snmp-usm {
    revision-date 2014-12-10;
  }
  include ietf-snmp-tsm {
    revision-date 2014-12-10;
  }
  include ietf-snmp-vacm {
    revision-date 2014-12-10;
  }
  include ietf-snmp-tls {
    revision-date 2014-12-10;
  }
  include ietf-snmp-ssh {
    revision-date 2014-12-10;
  }

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:   <http://tools.ietf.org/wg/netmod/>
     WG List:  <mailto:netmod@ietf.org>

     WG Chair: Thomas Nadeau
     ...

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

}

<CODE ENDS>

4.3. Submodule 'ietf-snmp-common'

<CODE BEGINS> file "ietf-snmp-common.yang"

submodule ietf-snmp-common {

  belongs-to ietf-snmp {
    prefix snmp;
  ...

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  /* Collection of SNMP-specific data types */

  typedef admin-string {
    type string {
      length "0..255";
    }
    description
      "Represents SnmpAdminString as defined in RFC 3411.

       Note that the size of an SnmpAdminString is measured in
       octets, not characters.";
    reference
      "RFC 3411: An Architecture for Describing Simple Network
       Management Protocol (SNMP) Management Frameworks.
       SNMP-FRAMEWORK-MIB.SnmpAdminString";
  }

  typedef identifier {
    type admin-string {
      length "1..32";
    }
    description
      "Identifiers are used to name items in the SNMP configuration
       datastore.";
  }

  typedef context-name {
    type admin-string {
      length "0..32";
    }
    description
      "The context type represents an SNMP context name.";
    reference
      "RFC 3411: An Architecture for Describing Simple Network
       Management Protocol (SNMP) Management Frameworks";
  }

  typedef security-name {
type admin-string { type admin-string {
length "1..32"; length "1..32";
} }
description description
"The security-name type represents an SNMP security name."; "The security-name type represents an SNMP security name.";
reference reference
"RFC3411: An Architecture for Describing SNMP Management "RFC 3411: An Architecture for Describing Simple Network
Frameworks"; Management Protocol (SNMP) Management Frameworks";
} }
typedef security-model { typedef security-model {
type union { type union {
type enumeration { type enumeration {
enum v1 { value 1; } enum v1 { value 1; }
enum v2c { value 2; } enum v2c { value 2; }
enum usm { value 3; } enum usm { value 3; }
enum tsm { value 4; } enum tsm { value 4; }
} }
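Review bot: the admin-string typedef (length "0..255") and its description disagree on the unit: YANG's length statement counts characters, while the description says an SnmpAdminString is sized in octets, so a value the model accepts can exceed 255 octets once encoded in UTF-8 and no longer fit the MIB object. Say what an implementation does with such a value (reject or truncate), or state the character/octet mismatch explicitly; the same applies to identifier (1..32), context-name (0..32) and security-name (1..32), which derive from admin-string. The RFC 3411 citation added to admin-string in the right column is good; the identifier typedef still carries no reference at all.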
skipping to change at page 25, line 29 skipping to change at page 27, line 4
type union { type union {
type enumeration { type enumeration {
enum v1 { value 1; } enum v1 { value 1; }
enum v2c { value 2; } enum v2c { value 2; }
enum usm { value 3; } enum usm { value 3; }
enum tsm { value 4; } enum tsm { value 4; }
} }
type int32 { type int32 {
range "1..2147483647"; range "1..2147483647";
} }
} }
reference reference
"RFC3411: An Architecture for Describing SNMP Management "RFC 3411: An Architecture for Describing Simple Network
Frameworks"; Management Protocol (SNMP) Management Frameworks";
} }
typedef security-model-or-any { typedef security-model-or-any {
type union { type union {
type enumeration { type enumeration {
enum any { value 0; } enum any { value 0; }
} }
type security-model; type security-model;
} }
reference reference
"RFC3411: An Architecture for Describing SNMP Management "RFC 3411: An Architecture for Describing Simple Network
Frameworks"; Management Protocol (SNMP) Management Frameworks";
} }
typedef security-level { typedef security-level {
type enumeration { type enumeration {
enum no-auth-no-priv { value 1; } enum no-auth-no-priv { value 1; }
enum auth-no-priv { value 2; } enum auth-no-priv { value 2; }
enum auth-priv { value 3; } enum auth-priv { value 3; }
} }
reference reference
"RFC3411: An Architecture for Describing SNMP Management "RFC 3411: An Architecture for Describing Simple Network
Frameworks"; Management Protocol (SNMP) Management Frameworks";
} }
typedef engine-id { typedef engine-id {
type yang:hex-string { type yang:hex-string {
pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}'; pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}';
} }
description description
"The Engine ID specified as a list of colon-specified hexa- "The engine ID specified as a list of colon-specified
decimal octets, e.g., '80:00:02:b8:04:61:62:63'."; hexadecimal octets, e.g., '80:00:02:b8:04:61:62:63'.";
reference reference
"RFC3411: An Architecture for Describing SNMP Management "RFC 3411: An Architecture for Describing Simple Network
Frameworks"; Management Protocol (SNMP) Management Frameworks";
} }
typedef wildcard-object-identifier { typedef wildcard-object-identifier {
type string; type string;
description description
"The wildcard-object-identifier type represents an SNMP object "The wildcard-object-identifier type represents an SNMP object
identifier where subidentifiers can be given either as a label, identifier where subidentifiers can be given either as a label,
in numeric form, or a wildcard, represented by a *."; in numeric form, or a wildcard, represented by an asterisk
('*').";
} }
typedef tag-value { typedef tag-value {
type string { type string {
length "0..255"; length "0..255";
} }
description description
"Represents and SnmpTagValue as defined in RFC 3413. "Represents SnmpTagValue as defined in RFC 3413.
Note that the size of an SnmpTagValue is measured in Note that the size of an SnmpTagValue is measured in
octets, not characters."; octets, not characters.";
reference "SNMP-TARGET-MIB.SnmpTagValue"; reference
"RFC 3413: Simple Network Management Protocol (SNMP)
Applications.
SNMP-TARGET-MIB.SnmpTagValue";
} }
container snmp { container snmp {
description description
"Top-level container for SNMP related configuration and "Top-level container for SNMP-related configuration and
status objects."; status objects.";
} }
} }
<CODE ENDS> <CODE ENDS>
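Review bot: security-model-or-any and security-level carry a reference statement but no description, and the v1/v2c/usm/tsm enumeration inside security-model is likewise undocumented; each typedef should say what it identifies and what the int32 branch of the union is for. Also, wildcard-object-identifier is a bare `type string`: its description defines a syntax (labels, numeric subidentifiers, or `*`), but nothing in the type enforces it, so any string is schema-valid and rejection of a malformed filter subtree is left to the implementation; a pattern statement would catch this at validation time. The same holds for tag-value, where only the length is constrained and any further rules SnmpTagValue has in RFC 3413 are not expressed in the model.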
4.4. Submodule 'ietf-snmp-engine' 4.4. Submodule 'ietf-snmp-engine'
<CODE BEGINS> file "ietf-snmp-engine.yang" <CODE BEGINS> file "ietf-snmp-engine.yang"
skipping to change at page 28, line 4 skipping to change at page 29, line 31
Copyright (c) 2014 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC 7407; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this revision 2014-12-10 {
// note.
// RFC Ed.: update the date below with the date of RFC publication
// and remove this note.
revision 2014-05-06 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC 7407: A YANG Data Model for SNMP Configuration";
} }
augment /snmp:snmp { augment /snmp:snmp {
container engine { container engine {
description description
"Configuration of the SNMP engine."; "Configuration of the SNMP engine.";
leaf enabled { leaf enabled {
skipping to change at page 28, line 49 skipping to change at page 30, line 22
leaf name { leaf name {
type snmp:identifier; type snmp:identifier;
description description
"An arbitrary name for the list entry."; "An arbitrary name for the list entry.";
} }
choice transport { choice transport {
mandatory true; mandatory true;
description description
"The transport protocol specific parameters for this "The transport-protocol-specific parameters for this
endpoint. Submodules providing configuration for endpoint. Submodules providing configuration for
additional transports are expected to augment this additional transports are expected to augment this
choice."; choice.";
case udp { case udp {
container udp { container udp {
leaf ip { leaf ip {
type inet:ip-address; type inet:ip-address;
mandatory true; mandatory true;
description description
"The IPv4 or IPv6 address on which the engine "The IPv4 or IPv6 address on which the engine
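Review bot: `case udp {` and its `container udp {` in the engine's listen endpoint have no description or reference, unlike the corresponding case in ietf-snmp-target, which cites SNMPv2-TM and TRANSPORT-ADDRESS-MIB; add at least a one-line description so the transport the engine listens on is documented the same way as the target transport.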
skipping to change at page 29, line 28 skipping to change at page 31, line 4
If the port is not configured, an engine that If the port is not configured, an engine that
acts as a Command Responder uses port 161, and acts as a Command Responder uses port 161, and
an engine that acts as a Notification Receiver an engine that acts as a Notification Receiver
uses port 162."; uses port 162.";
} }
} }
} }
} }
} }
container version { container version {
description description
"SNMP version used by the engine"; "SNMP version used by the engine.";
leaf v1 { leaf v1 {
type empty; type empty;
} }
leaf v2c { leaf v2c {
type empty; type empty;
} }
leaf v3 { leaf v3 {
type empty; type empty;
} }
} }
leaf engine-id { leaf engine-id {
type snmp:engine-id; type snmp:engine-id;
description description
"The local SNMP engine's administratively-assigned unique "The local SNMP engine's administratively assigned unique
identifier. identifier.
If this leaf is not set, the device automatically If this leaf is not set, the device automatically
calculates an engine id, as described in RFC 3411. A calculates an engine ID, as described in RFC 3411. A
server MAY initialize this leaf with the automatically server MAY initialize this leaf with the automatically
created value."; created value.";
reference "SNMP-FRAMEWORK-MIB.snmpEngineID"; reference
"RFC 3411: An Architecture for Describing Simple Network
Management Protocol (SNMP) Management
Frameworks.
SNMP-FRAMEWORK-MIB.snmpEngineID";
} }
leaf enable-authen-traps { leaf enable-authen-traps {
type boolean; type boolean;
description description
"Indicates whether the SNMP entity is permitted to "Indicates whether the SNMP entity is permitted to
generate authenticationFailure traps."; generate authenticationFailure traps.";
reference "SNMPv2-MIB.snmpEnableAuthenTraps"; reference
"RFC 3418: Management Information Base (MIB) for the
Simple Network Management Protocol (SNMP)
SNMPv2-MIB.snmpEnableAuthenTraps";
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
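Review bot: the v1, v2c and v3 leaves under container version have no description statements, and the container's own description ("SNMP version used by the engine.") doesn't say that the three `type empty` leaves are independent and may be present together, i.e. that this configures the set of enabled versions rather than a single choice; that matters because enabling v1 or v2c alongside v3 keeps community-based, unauthenticated access open, so state it explicitly. Style point: the RFC 3418 reference on enable-authen-traps runs the document title straight into the MIB object name (the line ending "(SNMP)" followed by "SNMPv2-MIB.snmpEnableAuthenTraps") with no terminating period, whereas the RFC 3411 reference on engine-id ends the title with "Frameworks." before the object name.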
4.5. Submodule 'ietf-snmp-target' 4.5. Submodule 'ietf-snmp-target'
<CODE BEGINS> file "ietf-snmp-target.yang" <CODE BEGINS> file "ietf-snmp-target.yang"
skipping to change at page 31, line 21 skipping to change at page 33, line 4
Copyright (c) 2014 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 7407; see
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this
// note.
reference reference
"RFC3413: Simple Network Management Protocol (SNMP) "RFC 3413: Simple Network Management Protocol (SNMP)
Applications"; Applications";
// RFC Ed.: update the date below with the date of RFC publication
// and remove this note.
revision 2014-05-06 { revision 2014-12-10 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC 7407: A YANG Data Model for SNMP Configuration";
} }
augment /snmp:snmp { augment /snmp:snmp {
list target { list target {
key name; key name;
description description
"List of targets."; "List of targets.";
reference "SNMP-TARGET-MIB.snmpTargetAddrTable"; reference
"RFC 3413: Simple Network Management Protocol (SNMP)
Applications.
SNMP-TARGET-MIB.snmpTargetAddrTable";
leaf name { leaf name {
type snmp:identifier; type snmp:identifier;
description description
"Identifies the target."; "Identifies the target.";
reference "SNMP-TARGET-MIB.snmpTargetAddrName"; reference
"RFC 3413: Simple Network Management Protocol (SNMP)
Applications.
SNMP-TARGET-MIB.snmpTargetAddrName";
} }
choice transport { choice transport {
mandatory true; mandatory true;
description description
"Transport address of the target. "Transport address of the target.
The snmpTargetAddrTDomain and snmpTargetAddrTAddress The snmpTargetAddrTDomain and snmpTargetAddrTAddress
objects are mapped to transport-specific YANG nodes. Each objects are mapped to transport-specific YANG nodes. Each
transport is configured as a separate case in this transport is configured as a separate case in this
choice. Submodules providing configuration for additional choice. Submodules providing configuration for additional
transports are expected to augment this choice."; transports are expected to augment this choice.";
reference "SNMP-TARGET-MIB.snmpTargetAddrTDomain
SNMP-TARGET-MIB.snmpTargetAddrTAddress"; reference
"RFC 3413: Simple Network Management Protocol (SNMP)
Applications.
SNMP-TARGET-MIB.snmpTargetAddrTDomain
SNMP-TARGET-MIB.snmpTargetAddrTAddress";
case udp { case udp {
reference "SNMPv2-TM.snmpUDPDomain reference
TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4 "RFC 3417: Transport Mappings for the Simple Network
TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4z Management Protocol (SNMP).
TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6 SNMPv2-TM.snmpUDPDomain
TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6z"; RFC 3419: Textual Conventions for Transport Addresses.
TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4
TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4z
TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6
TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6z";
container udp { container udp {
leaf ip { leaf ip {
type inet:ip-address; type inet:ip-address;
mandatory true; mandatory true;
reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
SNMP-TARGET-MIB.snmpTargetAddrTAddress";
} }
leaf port { leaf port {
type inet:port-number; type inet:port-number;
default 162; default 162;
description description
"UDP port number"; "UDP port number.";
reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
SNMP-TARGET-MIB.snmpTargetAddrTAddress";
} }
leaf prefix-length { leaf prefix-length {
type uint8; type uint8;
description description
"The value of this leaf must match the value of "The value of this leaf must match the value of
../snmp:ip. If ../snmp:ip contains an ipv4 address, ../snmp:ip. If ../snmp:ip contains an IPv4 address,
this leaf must be less than or equal to 32. If it this leaf must be less than or equal to 32. If it
contains an ipv6 address, it must be less than or contains an IPv6 address, it must be less than or
equal to 128. equal to 128.
Note that the prefix-length is currently only used Note that the prefix-length is currently only used
by the Community-based Security Model to filter by the Community-based Security Model to filter
incoming messages. Furthermore, the prefix-length incoming messages. Furthermore, the prefix-length
filtering does not cover all possible filters filtering does not cover all possible filters
supported by the corresponding MIB object."; supported by the corresponding MIB object.";
reference "SNMP-COMMUNITY-MIB.snmpTargetAddrTMask"; reference
"RFC 3584: Coexistence between Version 1, Version 2,
and Version 3 of the Internet-standard
Network Management Framework.
SNMP-COMMUNITY-MIB.snmpTargetAddrTMask";
} }
} }
} }
} }
leaf-list tag { leaf-list tag {
type snmp:tag-value; type snmp:tag-value;
description description
"List of tag values used to select target address."; "List of tag values used to select target addresses.";
reference "SNMP-TARGET-MIB.snmpTargetAddrTagList"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-TARGET-MIB.snmpTargetAddrTagList";
} }
leaf timeout { leaf timeout {
type uint32; type uint32;
units "0.01 seconds"; units "0.01 seconds";
default 1500; default 1500;
description description
"Needed only if this target can receive "Needed only if this target can receive
InformRequest-PDUs."; InformRequest-PDUs.";
reference "SNMP-TARGET-MIB.snmpTargetAddrTimeout"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-TARGET-MIB.snmpTargetAddrTimeout";
} }
leaf retries { leaf retries {
type uint8; type uint8;
default 3; default 3;
description description
"Needed only if this target can receive "Needed only if this target can receive
InformRequest-PDUs."; InformRequest-PDUs.";
reference "SNMP-TARGET-MIB.snmpTargetAddrRetryCount"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-TARGET-MIB.snmpTargetAddrRetryCount";
} }
leaf target-params { leaf target-params {
type snmp:identifier; type snmp:identifier;
mandatory true; mandatory true;
reference "SNMP-TARGET-MIB.snmpTargetAddrParams"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-TARGET-MIB.snmpTargetAddrParams";
} }
} }
list target-params { list target-params {
key name; key name;
description description
"List of target parameters."; "List of target parameters.";
reference "SNMP-TARGET-MIB.snmpTargetParamsTable"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-TARGET-MIB.snmpTargetParamsTable";
leaf name { leaf name {
type snmp:identifier; type snmp:identifier;
} }
choice params { choice params {
description description
"This choice is augmented with case nodes containing "This choice is augmented with case nodes containing
security model specific configuration parameters."; configuration parameters specific to the security model.";
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
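Review bot: prefix-length is `type uint8` with the IPv4/IPv6 bounds (at most 32, at most 128) stated only in prose; nothing rejects a value of 200, or of 64 with an IPv4 ../snmp:ip, so either add a `must` expression tied to the address family or at least `range "0..128"`. Since the description says this prefix is what the Community-based Security Model uses to filter incoming messages, an unvalidated value silently widens or breaks that filter. Further, leaf target-params (`type snmp:identifier; mandatory true;`) names an entry of /snmp/target-params but has no description and neither a leafref nor the "Implementations MAY restrict the values" wording used for similar cross-references elsewhere in the model, so a target pointing at a nonexistent parameter set is schema-valid; leaf name under target-params also lacks a description. Style: several of the expanded references read "RFC 3413: Simple Network Management Protocol (SNMP)." with "Applications." on the next line, or drop "Applications" entirely (the ip and port references), while the first reference in this submodule correctly reads "Simple Network Management Protocol (SNMP) Applications".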
4.6. Submodule 'ietf-snmp-notification' 4.6. Submodule 'ietf-snmp-notification'
<CODE BEGINS> file "ietf-snmp-notification.yang" <CODE BEGINS> file "ietf-snmp-notification.yang"
skipping to change at page 35, line 9 skipping to change at page 37, line 28
Copyright (c) 2014 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC 7407; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this
// note.
reference reference
"RFC3413: Simple Network Management Protocol (SNMP) "RFC 3413: Simple Network Management Protocol (SNMP)
Applications"; Applications";
// RFC Ed.: update the date below with the date of RFC publication
// and remove this note.
revision 2014-05-06 { revision 2014-12-10 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC 7407: A YANG Data Model for SNMP Configuration";
} }
feature notification-filter { feature notification-filter {
description description
"A server implements this feature if it supports SNMP "A server implements this feature if it supports SNMP
notification filtering."; notification filtering.";
reference reference
"RFC3413: Simple Network Management Protocol (SNMP) "RFC 3413: Simple Network Management Protocol (SNMP)
Applications"; Applications";
} }
augment /snmp:snmp { augment /snmp:snmp {
list notify { list notify {
key name; key name;
description description
"Targets that will receive notifications. "Targets that will receive notifications.
Entries in this lists are mapped 1-1 to entries in Entries in this list are mapped 1-1 to entries in
snmpNotifyTable, except that if an entry in snmpNotifyTable snmpNotifyTable, except that if an entry in snmpNotifyTable
has a snmpNotifyTag for which no snmpTargetAddrEntry exists, has an snmpNotifyTag for which no snmpTargetAddrEntry
then the snmpNotifyTable entry is not mapped to an entry in exists, then the snmpNotifyTable entry is not mapped to an
this list."; entry in this list.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyTable"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-NOTIFICATION-MIB.snmpNotifyTable";
leaf name { leaf name {
type snmp:identifier; type snmp:identifier;
description description
"An arbitrary name for the list entry."; "An arbitrary name for the list entry.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyName"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-NOTIFICATION-MIB.snmpNotifyName";
} }
leaf tag { leaf tag {
type snmp:tag-value; type snmp:tag-value;
mandatory true; mandatory true;
description description
"Target tag, selects a set of notification targets. "Target tag, selects a set of notification targets.
Implementations MAY restrict the values of this leaf Implementations MAY restrict the values of this leaf
to be one of the available values of /snmp/target/tag in to be one of the available values of /snmp/target/tag in
a valid configuration."; a valid configuration.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyTag"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-NOTIFICATION-MIB.snmpNotifyTag";
} }
leaf type { leaf type {
type enumeration { type enumeration {
enum trap { value 1; } enum trap { value 1; }
enum inform { value 2; } enum inform { value 2; }
} }
default trap; default trap;
description description
"Defines the notification type to be generated."; "Defines the notification type to be generated.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyType";
reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-NOTIFICATION-MIB.snmpNotifyType";
} }
} }
list notify-filter-profile { list notify-filter-profile {
if-feature snmp:notification-filter; if-feature snmp:notification-filter;
key name; key name;
description description
"Notification filter profiles. "Notification filter profiles.
The leaf /snmp/target/notify-filter-profile is used The leaf /snmp/target/notify-filter-profile is used
to associate a filter profile with a target. to associate a filter profile with a target.
If an entry in this list is referred to by one or more If an entry in this list is referred to by one or more
/snmp/target/notify-filter-profile, each such /snmp/target/notify-filter-profile items, each such
notify-filter-profile is represented by one notify-filter-profile is represented by one
snmpNotifyFilterProfileEntry. snmpNotifyFilterProfileEntry.
If an entry in this list is not referred to by any If an entry in this list is not referred to by any
/snmp/target/notify-filter-profile, the entry is not mapped /snmp/target/notify-filter-profile, the entry is not mapped
to snmpNotifyFilterProfileTable."; to snmpNotifyFilterProfileTable.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable reference
SNMP-NOTIFICATION-MIB.snmpNotifyFilterTable"; "RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable
SNMP-NOTIFICATION-MIB.snmpNotifyFilterTable";
leaf name { leaf name {
type snmp:identifier; type snmp:identifier;
description description
"Name of the filter profile"; "Name of the filter profile.";
reference reference
"SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName"; "RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
} }
leaf-list include { leaf-list include {
type snmp:wildcard-object-identifier; type snmp:wildcard-object-identifier;
description description
"A family of subtrees included in this filter."; "A family of subtrees included in this filter.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask reference
SNMP-NOTIFICATION-MIB.snmpNotifyFilterType"; "RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
} }
leaf-list exclude { leaf-list exclude {
type snmp:wildcard-object-identifier; type snmp:wildcard-object-identifier;
description description
"A family of subtrees excluded from this filter."; "A family of subtrees excluded from this filter.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree reference
SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask "RFC 3413: Simple Network Management Protocol (SNMP).
SNMP-NOTIFICATION-MIB.snmpNotifyFilterType"; Applications.
SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
} }
} }
} }
augment /snmp:snmp/snmp:target-params { augment /snmp:snmp/snmp:target-params {
reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable";
leaf notify-filter-profile { leaf notify-filter-profile {
if-feature snmp:notification-filter; if-feature snmp:notification-filter;
type leafref { type leafref {
path "/snmp/notify-filter-profile/name"; path "/snmp/notify-filter-profile/name";
} }
description description
"This leafref leaf is used to represent the sparse "This leafref leaf is used to represent the sparse
relationship between the /snmp/target-params list and the relationship between the /snmp/target-params list and the
/snmp/notify-filter-profile list."; /snmp/notify-filter-profile list.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
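Review bot: the include and exclude leaf-lists in notify-filter-profile don't say how overlapping entries are resolved when an object identifier matches both an include and an exclude subtree, or whether entry order matters; the MIB objects they cite (snmpNotifyFilterSubtree, snmpNotifyFilterMask, snmpNotifyFilterType) carry those semantics in RFC 3413, and the YANG descriptions should summarize them so a filter is not accidentally more permissive than intended. Also, leaf tag is mandatory and selects targets by tag value, but is only loosely tied to /snmp/target/tag (the "Implementations MAY restrict the values" wording), so a notify entry whose tag matches no target is schema-valid; say what happens to such an entry. Style: the reference text "Simple Network Management Protocol (SNMP). Applications." repeats the stray period before "Applications" throughout this submodule.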
4.7. Submodule 'ietf-snmp-proxy' 4.7. Submodule 'ietf-snmp-proxy'
<CODE BEGINS> file "ietf-snmp-proxy.yang" <CODE BEGINS> file "ietf-snmp-proxy.yang"
submodule ietf-snmp-proxy { submodule ietf-snmp-proxy {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
skipping to change at page 39, line 4 skipping to change at page 41, line 50
Copyright (c) 2014 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this This version of this YANG module is part of RFC 7407; see
// note. the RFC itself for full legal notices.";
reference reference
"RFC3413: Simple Network Management Protocol (SNMP) "RFC 3413: Simple Network Management Protocol (SNMP)
Applications"; Applications";
// RFC Ed.: update the date below with the date of RFC publication
// and remove this note.
revision 2014-05-06 { revision 2014-12-10 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC 7407: A YANG Data Model for SNMP Configuration";
} }
feature proxy { feature proxy {
description description
"A server implements this feature if it can act as an "A server implements this feature if it can act as an
SNMP Proxy"; SNMP proxy.";
reference reference
"RFC3413: Simple Network Management Protocol (SNMP) "RFC 3413: Simple Network Management Protocol (SNMP)
Applications"; Applications";
} }
augment /snmp:snmp { augment /snmp:snmp {
if-feature snmp:proxy; if-feature snmp:proxy;
list proxy { list proxy {
key name; key name;
description description
"List of proxy parameters."; "List of proxy parameters.";
reference "SNMP-PROXY-MIB.snmpProxyTable"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-PROXY-MIB.snmpProxyTable";
leaf name { leaf name {
type snmp:identifier; type snmp:identifier;
description description
"Identifies the proxy parameter entry."; "Identifies the proxy parameter entry.";
reference "SNMP-PROXY-MIB.snmpProxyName"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-PROXY-MIB.snmpProxyName";
} }
leaf type { leaf type {
type enumeration { type enumeration {
enum read { value 1; } enum read { value 1; }
enum write { value 2; } enum write { value 2; }
enum trap { value 3; } enum trap { value 3; }
enum inform { value 4; } enum inform { value 4; }
} }
mandatory true; mandatory true;
reference "SNMP-PROXY-MIB.snmpProxyType"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-PROXY-MIB.snmpProxyType";
} }
leaf context-engine-id { leaf context-engine-id {
type snmp:engine-id; type snmp:engine-id;
mandatory true; mandatory true;
reference "SNMP-PROXY-MIB.snmpProxyContextEngineID"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-PROXY-MIB.snmpProxyContextEngineID";
} }
leaf context-name { leaf context-name {
type snmp:context-name; type snmp:context-name;
reference "SNMP-PROXY-MIB.snmpProxyContextName"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-PROXY-MIB.snmpProxyContextName";
} }
leaf target-params-in { leaf target-params-in {
type snmp:identifier; type snmp:identifier;
description description
"The name of a target parameters list entry. "The name of a target parameters list entry.
Implementations MAY restrict the values of this Implementations MAY restrict the values of this
leaf to be one of the available values of leaf to be one of the available values of
/snmp/target-params/name in a valid configuration."; /snmp/target-params/name in a valid configuration.";
reference "SNMP-PROXY-MIB.snmpProxyTargetParamsIn"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-PROXY-MIB.snmpProxyTargetParamsIn";
} }
leaf single-target-out { leaf single-target-out {
when "../type = 'read' or ../type = 'write'"; when "../type = 'read' or ../type = 'write'";
type snmp:identifier; type snmp:identifier;
description description
"Implementations MAY restrict the values of this leaf "Implementations MAY restrict the values of this leaf
to be one of the available values of /snmp/target/name in to be one of the available values of /snmp/target/name in
a valid configuration."; a valid configuration.";
reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-PROXY-MIB.snmpProxySingleTargetOut";
} }
leaf multiple-target-out { leaf multiple-target-out {
when "../type = 'trap' or ../type = 'inform'"; when "../type = 'trap' or ../type = 'inform'";
type snmp:tag-value; type snmp:tag-value;
description description
"Implementations MAY restrict the values of this leaf "Implementations MAY restrict the values of this leaf
to be one of the available values of /snmp/target/tag in to be one of the available values of /snmp/target/tag in
a valid configuration."; a valid configuration.";
reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-PROXY-MIB.snmpProxyMultipleTargetOut";
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
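Review bot: the `type` and `context-engine-id` leaves of the proxy list carry only a `reference` and no `description`, so the meaning of the read/write/trap/inform enums and of the context engine ID is documented solely by pointer to SNMP-PROXY-MIB; add a one-line `description` to each, as `leaf name` and `leaf target-params-in` already have. A style point on the expanded references in the RFC column: the RFC 3413 title is broken as `"RFC 3413: Simple Network Management Protocol (SNMP).` / `Applications.`, which reads as two separate titles; keep the title on one line or break it without the intervening period.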
4.8. Submodule 'ietf-snmp-community' 4.8. Submodule 'ietf-snmp-community'
<CODE BEGINS> file "ietf-snmp-community.yang" <CODE BEGINS> file "ietf-snmp-community.yang"
submodule ietf-snmp-community { submodule ietf-snmp-community {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
skipping to change at page 42, line 9 skipping to change at page 45, line 25
Copyright (c) 2014 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC 7407; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this
// note.
reference reference
"RFC3584: Coexistence between Version 1, Version 2, and Version 3 "RFC 3584: Coexistence between Version 1, Version 2, and
of the Internet-standard Network Management Framework"; Version 3 of the Internet-standard Network
Management Framework";
// RFC Ed.: update the date below with the date of RFC publication
// and remove this note.
revision 2014-05-06 { revision 2014-12-10 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC 7407: A YANG Data Model for SNMP Configuration";
} }
augment /snmp:snmp { augment /snmp:snmp {
list community { list community {
key index; key index;
description description
"List of communities"; "List of communities.";
reference "SNMP-COMMUNITY-MIB.snmpCommunityTable"; reference
"RFC 3584: Coexistence between Version 1, Version 2,
and Version 3 of the Internet-standard
Network Management Framework.
SNMP-COMMUNITY-MIB.snmpCommunityTable";
leaf index { leaf index {
type snmp:identifier; type snmp:identifier;
description description
"Index into the community list."; "Index into the community list.";
reference "SNMP-COMMUNITY-MIB.snmpCommunityIndex"; reference
"RFC 3584: Coexistence between Version 1, Version 2,
and Version 3 of the Internet-standard
Network Management Framework.
SNMP-COMMUNITY-MIB.snmpCommunityIndex";
} }
choice name { choice name {
nacm:default-deny-all; nacm:default-deny-all;
description description
"The community name, either specified as a string "The community name, specified as either a string or
or as a binary. The binary name is used when the a binary value. The binary name is used when the
community name contains characters that are not legal community name contains characters that are not legal
in a string. in a string.
If not set, the value of 'security-name' is operationally If not set, the value of 'security-name' is operationally
used as the snmpCommunityName."; used as the snmpCommunityName.";
reference "SNMP-COMMUNITY-MIB.snmpCommunityName"; reference
"RFC 3584: Coexistence between Version 1, Version 2,
and Version 3 of the Internet-standard
Network Management Framework.
SNMP-COMMUNITY-MIB.snmpCommunityName";
leaf text-name { leaf text-name {
type string; type string;
description description
"A community name that can be represented as a "A community name that can be represented as a
YANG string."; YANG string.";
} }
leaf binary-name { leaf binary-name {
type binary; type binary;
description description
"A community name represented as a binary value."; "A community name represented as a binary value.";
} }
} }
leaf security-name { leaf security-name {
type snmp:security-name; type snmp:security-name;
mandatory true; mandatory true;
nacm:default-deny-all; nacm:default-deny-all;
description description
"The snmpCommunitySecurityName of this entry."; "The snmpCommunitySecurityName of this entry.";
reference "SNMP-COMMUNITY-MIB.snmpCommunitySecurityName"; reference
"RFC 3584: Coexistence between Version 1, Version 2,
and Version 3 of the Internet-standard
Network Management Framework.
SNMP-COMMUNITY-MIB.snmpCommunitySecurityName";
} }
leaf engine-id { leaf engine-id {
if-feature snmp:proxy; if-feature snmp:proxy;
type snmp:engine-id; type snmp:engine-id;
description description
"If not set, the value of the local SNMP engine is "If not set, the value of the local SNMP engine is
operationally used by the device."; operationally used by the device.";
reference "SNMP-COMMUNITY-MIB.snmpCommunityContextEngineID"; reference
"RFC 3584: Coexistence between Version 1, Version 2,
and Version 3 of the Internet-standard
Network Management Framework.
SNMP-COMMUNITY-MIB.snmpCommunityContextEngineID";
} }
leaf context { leaf context {
type snmp:context-name; type snmp:context-name;
default ""; default "";
description description
"The context in which management information is accessed "The context in which management information is accessed
when using the community string specified by this entry."; when using the community string specified by this entry.";
reference "SNMP-COMMUNITY-MIB.snmpCommunityContextName"; reference
"RFC 3584: Coexistence between Version 1, Version 2,
and Version 3 of the Internet-standard
Network Management Framework.
SNMP-COMMUNITY-MIB.snmpCommunityContextName";
} }
leaf target-tag { leaf target-tag {
type snmp:tag-value; type snmp:tag-value;
description description
"Used to limit access for this community to the specified "Used to limit access for this community to the specified
targets. targets.
Implementations MAY restrict the values of this leaf Implementations MAY restrict the values of this leaf
to be one of the available values of /snmp/target/tag in to be one of the available values of /snmp/target/tag in
a valid configuration."; a valid configuration.";
reference
reference "SNMP-COMMUNITY-MIB.snmpCommunityTransportTag"; "RFC 3584: Coexistence between Version 1, Version 2,
and Version 3 of the Internet-standard
Network Management Framework.
SNMP-COMMUNITY-MIB.snmpCommunityTransportTag";
} }
} }
} }
grouping v1-target-params { grouping v1-target-params {
container v1 { container v1 {
description description
"SNMPv1 parameters type. "SNMPv1 parameters type.
Represents snmpTargetParamsMPModel '0', Represents snmpTargetParamsMPModel '0',
snmpTargetParamsSecurityModel '1', and snmpTargetParamsSecurityModel '1', and
snmpTargetParamsSecurityLevel 'noAuthNoPriv'."; snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
leaf security-name { leaf security-name {
type snmp:security-name; type snmp:security-name;
mandatory true; mandatory true;
description description
"Implementations MAY restrict the values of this leaf "Implementations MAY restrict the values of this leaf
to be one of the available values of to be one of the available values of
/snmp/community/security-name in a valid configuration."; /snmp/community/security-name in a valid configuration.";
reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
} }
} }
} }
grouping v2c-target-params { grouping v2c-target-params {
container v2c { container v2c {
description description
"SNMPv2 community parameters type. "SNMPv2 community parameters type.
Represents snmpTargetParamsMPModel '1', Represents snmpTargetParamsMPModel '1',
snmpTargetParamsSecurityModel '2', and snmpTargetParamsSecurityModel '2', and
snmpTargetParamsSecurityLevel 'noAuthNoPriv'."; snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
leaf security-name { leaf security-name {
type snmp:security-name; type snmp:security-name;
mandatory true; mandatory true;
description description
"Implementations MAY restrict the values of this leaf "Implementations MAY restrict the values of this leaf
to be one of the available values of to be one of the available values of
/snmp/community/security-name in a valid configuration."; /snmp/community/security-name in a valid configuration.";
reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; reference
"RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
} }
} }
} }
augment /snmp:snmp/snmp:target-params/snmp:params { augment /snmp:snmp/snmp:target-params/snmp:params {
case v1 { case v1 {
uses v1-target-params; uses v1-target-params;
} }
case v2c { case v2c {
uses v2c-target-params; uses v2c-target-params;
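Review bot: the `security-name` leaf under `container v1` and `container v2c` is repeated verbatim (same type, `mandatory true`, description and reference); define it once in a shared grouping and `uses` it from both containers so the two copies cannot drift apart. Separately, the `target-tag` description in the community list says the leaf limits access to the specified targets but does not say what applies when it is absent; one sentence stating the unrestricted case would make the security effect of omitting it explicit.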
skipping to change at page 45, line 23 skipping to change at page 49, line 19
enum "unknown" { value 0; } enum "unknown" { value 0; }
} }
type int32 { type int32 {
range "484..max"; range "484..max";
} }
} }
default "484"; default "484";
description description
"The maximum message size."; "The maximum message size.";
reference reference
"SNMP-COMMUNITY-MIB.snmpTargetAddrMMS"; "RFC 3584: Coexistence between Version 1, Version 2,
and Version 3 of the Internet-standard
Network Management Framework.
SNMP-COMMUNITY-MIB.snmpTargetAddrMMS";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
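Review bot: `enum "unknown" { value 0; }` in the maximum-message-size union has no `description`, and the leaf's own text ("The maximum message size.") does not say whose maximum it is or what `unknown` means operationally; since `default "484"` can only resolve to the `int32` member of the union (it does not match the enum), the description should state what an entity does with the limit when the value is `unknown` versus a number in `484..max`.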
4.9. Submodule 'ietf-snmp-vacm' 4.9. Submodule 'ietf-snmp-vacm'
<CODE BEGINS> file "ietf-snmp-vacm.yang" <CODE BEGINS> file "ietf-snmp-vacm.yang"
skipping to change at page 46, line 29 skipping to change at page 50, line 29
Copyright (c) 2014 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC 7407; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this
// note.
reference reference
"RFC3415: View-based Access Control Model (VACM) for the "RFC 3415: View-based Access Control Model (VACM) for the
Simple Network Management Protocol (SNMP)"; Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication
// and remove this note.
revision 2014-05-06 { revision 2014-12-10 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC 7407: A YANG Data Model for SNMP Configuration";
} }
typedef view-name { typedef view-name {
type snmp:identifier; type snmp:identifier;
description description
"The view-name type represents an SNMP VACM view name."; "The view-name type represents an SNMP VACM view name.";
} }
typedef group-name { typedef group-name {
type snmp:identifier; type snmp:identifier;
description description
"The group-name type represents an SNMP VACM group name."; "The group-name type represents an SNMP VACM group name.";
} }
augment /snmp:snmp { augment /snmp:snmp {
container vacm { container vacm {
description description
"Configuration of the View-based Access Control Model"; "Configuration of the View-based Access Control Model.";
list group { list group {
key name; key name;
description description
"VACM Groups. "VACM groups.
This data model has a different structure than the MIB. This data model has a different structure than the MIB.
Groups are explicitly defined in this list, and group Groups are explicitly defined in this list, and group
members are defined in the 'member' list (mapped to members are defined in the 'member' list (mapped to
vacmSecurityToGroupTable), and access for the group is vacmSecurityToGroupTable), and access for the group is
defined in the 'access' list (mapped to defined in the 'access' list (mapped to
vacmAccessTable)."; vacmAccessTable).";
reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable reference
SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable"; "RFC 3415: View-based Access Control Model (VACM) for the
Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable
SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";
leaf name { leaf name {
type group-name; type group-name;
description description
"The name of this VACM group."; "The name of this VACM group.";
reference "SNMP-VIEW-BASED-ACM-MIB.vacmGroupName"; reference
"RFC 3415: View-based Access Control Model (VACM) for the
Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmGroupName";
} }
list member { list member {
key "security-name"; key "security-name";
description description
"A member of this VACM group. "A member of this VACM group.
A certain combination of security-name and A specific combination of security-name and
security-model MUST NOT be present in more than security-model MUST NOT be present in more than
one group."; one group.";
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable"; "RFC 3415: View-based Access Control Model (VACM) for the
Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable";
leaf security-name { leaf security-name {
type snmp:security-name; type snmp:security-name;
description description
"The securityName of a group member."; "The securityName of a group member.";
reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityName"; reference
"RFC 3415: View-based Access Control Model (VACM) for
the Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmSecurityName";
} }
leaf-list security-model { leaf-list security-model {
type snmp:security-model; type snmp:security-model;
min-elements 1; min-elements 1;
description description
"The security models under which this security-name "The security models under which this security-name
is a member of this group."; is a member of this group.";
reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityModel"; reference
"RFC 3415: View-based Access Control Model (VACM) for
the Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmSecurityModel";
} }
} }
list access { list access {
key "context security-model security-level"; key "context security-model security-level";
description description
"Definition of access right for groups"; "Definition of access right for groups.";
reference "SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable"; reference
"RFC 3415: View-based Access Control Model (VACM) for
the Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";
leaf context { leaf context {
type snmp:context-name; type snmp:context-name;
description description
"The context (prefix) under which the access rights "The context (prefix) under which the access rights
apply."; apply.";
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextPrefix"; "RFC 3415: View-based Access Control Model (VACM) for
the Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextPrefix";
} }
leaf context-match { leaf context-match {
type enumeration { type enumeration {
enum exact { value 1; } enum exact { value 1; }
enum prefix { value 2; } enum prefix { value 2; }
} }
default exact; default exact;
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextMatch"; "RFC 3415: View-based Access Control Model (VACM) for
the Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextMatch";
} }
leaf security-model { leaf security-model {
type snmp:security-model-or-any; type snmp:security-model-or-any;
description description
"The security model under which the access rights "The security model under which the access rights
apply."; apply.";
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityModel"; "RFC 3415: View-based Access Control Model (VACM) for
the Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityModel";
} }
leaf security-level { leaf security-level {
type snmp:security-level; type snmp:security-level;
description description
"The minimum security level under which the access "The minimum security level under which the access
rights apply."; rights apply.";
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityLevel"; "RFC 3415: View-based Access Control Model (VACM) for
the Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityLevel";
} }
leaf read-view { leaf read-view {
type view-name; type view-name;
description description
"The name of the MIB view of the SNMP context "The name of the MIB view of the SNMP context
authorizing read access. If this leaf does not authorizing read access. If this leaf does not
exist in a configuration, it maps to a zero-length exist in a configuration, it maps to a zero-length
vacmAccessReadViewName. vacmAccessReadViewName.
Implementations MAY restrict the values of this Implementations MAY restrict the values of this
leaf to be one of the available values of leaf to be one of the available values of
/snmp/vacm/view/name in a valid configuration."; /snmp/vacm/view/name in a valid configuration.";
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmAccessReadViewName"; "RFC 3415: View-based Access Control Model (VACM) for
the Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmAccessReadViewName";
} }
leaf write-view { leaf write-view {
type view-name; type view-name;
description description
"The name of the MIB view of the SNMP context "The name of the MIB view of the SNMP context
authorizing write access. If this leaf does not authorizing write access. If this leaf does not
exist in a configuration, it maps to a zero-length exist in a configuration, it maps to a zero-length
vacmAccessWriteViewName. vacmAccessWriteViewName.
Implementations MAY restrict the values of this Implementations MAY restrict the values of this
leaf to be one of the available values of leaf to be one of the available values of
/snmp/vacm/view/name in a valid configuration."; /snmp/vacm/view/name in a valid configuration.";
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmAccessWriteViewName"; "RFC 3415: View-based Access Control Model (VACM) for
the Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmAccessWriteViewName";
} }
leaf notify-view { leaf notify-view {
type view-name; type view-name;
description description
"The name of the MIB view of the SNMP context "The name of the MIB view of the SNMP context
authorizing notify access. If this leaf does not authorizing notify access. If this leaf does not
exist in a configuration, it maps to a zero-length exist in a configuration, it maps to a zero-length
vacmAccessNotifyViewName. vacmAccessNotifyViewName.
Implementations MAY restrict the values of this Implementations MAY restrict the values of this
leaf to be one of the available values of leaf to be one of the available values of
/snmp/vacm/view/name in a valid configuration."; /snmp/vacm/view/name in a valid configuration.";
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmAccessNotifyViewName"; "RFC 3415: View-based Access Control Model (VACM) for
the Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmAccessNotifyViewName";
} }
} }
} }
list view { list view {
key name; key name;
description description
"Definition of MIB views."; "Definition of MIB views.";
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyTable"; "RFC 3415: View-based Access Control Model (VACM) for
the Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyTable";
leaf name { leaf name {
type view-name; type view-name;
description description
"The name of this VACM MIB view."; "The name of this VACM MIB view.";
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyName"; "RFC 3415: View-based Access Control Model (VACM) for
the Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyName";
} }
leaf-list include { leaf-list include {
type snmp:wildcard-object-identifier; type snmp:wildcard-object-identifier;
description description
"A family of subtrees included in this MIB view."; "A family of subtrees included in this MIB view.";
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree "RFC 3415: View-based Access Control Model (VACM) for
SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask the Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType"; SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
} }
leaf-list exclude { leaf-list exclude {
type snmp:wildcard-object-identifier; type snmp:wildcard-object-identifier;
description description
"A family of subtrees excluded from this MIB view."; "A family of subtrees excluded from this MIB view.";
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree "RFC 3415: View-based Access Control Model (VACM) for
the Simple Network Management Protocol (SNMP).
SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType"; SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
} }
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
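Review bot: the `list member` description states that a given security-name/security-model combination MUST NOT be present in more than one group, but nothing in the model enforces it: the key is `security-name` within a single group only, and there is no `must` or `unique` statement spanning `/snmp/vacm/group`, so a server has to reject duplicates out of band; either add a `must` expression on `member` that checks the sibling groups, or state explicitly that this is a semantic constraint implementations are required to validate. Minor: `leaf context-match` has a `reference` but no `description` of how `exact` and `prefix` matching differ.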
skipping to change at page 52, line 12 skipping to change at page 56, line 48
Copyright (c) 2014 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC 7407; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this
// note.
reference reference
"RFC3414: User-based Security Model (USM) for version 3 of the "RFC 3414: User-based Security Model (USM) for version 3 of the
Simple Network Management Protocol (SNMPv3)."; Simple Network Management Protocol (SNMPv3)";
// RFC Ed.: update the date below with the date of RFC publication
// and remove this note.
revision 2014-05-06 { revision 2014-12-10 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC 7407: A YANG Data Model for SNMP Configuration";
} }
grouping key { grouping key {
leaf key { leaf key {
type yang:hex-string; type yang:hex-string;
mandatory true; mandatory true;
nacm:default-deny-all; nacm:default-deny-all;
description description
"Localized key specified as a list of colon-specified "Localized key specified as a list of colon-specified
hexa-decimal octets"; hexadecimal octets.";
} }
} }
grouping user-list { grouping user-list {
list user { list user {
key "name"; key "name";
reference "SNMP-USER-BASED-SM-MIB.usmUserTable"; reference
"RFC 3414: User-based Security Model (USM) for version 3
of the Simple Network Management Protocol (SNMPv3).
SNMP-USER-BASED-SM-MIB.usmUserTable";
leaf name { leaf name {
type snmp:identifier; type snmp:identifier;
reference "SNMP-USER-BASED-SM-MIB.usmUserName"; reference
"RFC 3414: User-based Security Model (USM) for version 3
of the Simple Network Management Protocol (SNMPv3).
SNMP-USER-BASED-SM-MIB.usmUserName";
} }
container auth { container auth {
presence "enables authentication"; presence "enables authentication";
description description
"Enables authentication of the user"; "Enables authentication of the user.";
choice protocol { choice protocol {
mandatory true; mandatory true;
reference "SNMP-USER-BASED-SM-MIB.usmUserAuthProtocol"; reference
"RFC 3414: User-based Security Model (USM) for version 3
of the Simple Network Management Protocol (SNMPv3).
SNMP-USER-BASED-SM-MIB.usmUserAuthProtocol";
container md5 { container md5 {
uses key; uses key;
reference reference
"SNMP-USER-BASED-SM-MIB.usmHMACMD5AuthProtocol"; "RFC 3414: User-based Security Model (USM) for
version 3 of the Simple Network Management Protocol
(SNMPv3).
SNMP-USER-BASED-SM-MIB.usmHMACMD5AuthProtocol";
} }
container sha { container sha {
uses key; uses key;
reference reference
"SNMP-USER-BASED-SM-MIB.usmHMACSHAAuthProtocol"; "RFC 3414: User-based Security Model (USM) for
version 3 of the Simple Network Management Protocol
(SNMPv3).
SNMP-USER-BASED-SM-MIB.usmHMACSHAAuthProtocol";
} }
} }
} }
container priv { container priv {
must "../auth" { must "../auth" {
error-message error-message
"when privacy (confidentiality) is used, " "when privacy (confidentiality) is used, "
+ "authentication must also be used"; + "authentication must also be used";
} }
presence "enables encryption"; presence "enables encryption";
description description
"Enables encryption of SNMP messages."; "Enables encryption of SNMP messages.";
choice protocol { choice protocol {
mandatory true; mandatory true;
reference "SNMP-USER-BASED-SM-MIB.usmUserPrivProtocol"; reference
"RFC 3414: User-based Security Model (USM) for version 3
of the Simple Network Management Protocol (SNMPv3).
SNMP-USER-BASED-SM-MIB.usmUserPrivProtocol";
container des { container des {
uses key; uses key;
reference "SNMP-USER-BASED-SM-MIB.usmDESPrivProtocol"; reference
"RFC 3414: User-based Security Model (USM) for
version 3 of the Simple Network Management Protocol
(SNMPv3).
SNMP-USER-BASED-SM-MIB.usmDESPrivProtocol";
} }
container aes { container aes {
uses key; uses key;
reference "SNMP-USM-AES-MIB.usmAesCfb128Protocol"; reference
"RFC 3826: The Advanced Encryption Standard (AES)
Cipher Algorithm in the SNMP User-based Security
Model.
SNMP-USM-AES-MIB.usmAesCfb128Protocol";
} }
} }
} }
} }
} }
augment /snmp:snmp { augment /snmp:snmp {
container usm { container usm {
description description
"Configuration of the User-based Security Model"; "Configuration of the User-based Security Model.";
container local { container local {
uses user-list; uses user-list;
} }
list remote { list remote {
key "engine-id"; key "engine-id";
leaf engine-id { leaf engine-id {
type snmp:engine-id; type snmp:engine-id;
reference "SNMP-USER-BASED-SM-MIB.usmUserEngineID"; reference
"RFC 3414: User-based Security Model (USM) for version 3
of the Simple Network Management Protocol (SNMPv3).
SNMP-USER-BASED-SM-MIB.usmUserEngineID";
} }
uses user-list; uses user-list;
} }
} }
} }
grouping usm-target-params { grouping usm-target-params {
container usm { container usm {
description description
"User based SNMPv3 parameters type. "User-based SNMPv3 parameters type.
Represents snmpTargetParamsMPModel '3' and Represents snmpTargetParamsMPModel '3' and
snmpTargetParamsSecurityModel '3'"; snmpTargetParamsSecurityModel '3'.";
leaf user-name { leaf user-name {
type snmp:security-name; type snmp:security-name;
mandatory true; mandatory true;
reference reference
"SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; "RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
} }
leaf security-level { leaf security-level {
type snmp:security-level; type snmp:security-level;
mandatory true; mandatory true;
reference reference
"SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; "RFC 3413: Simple Network Management Protocol (SNMP).
Applications.
SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
} }
} }
} }
augment /snmp:snmp/snmp:target-params/snmp:params { augment /snmp:snmp/snmp:target-params/snmp:params {
case usm { case usm {
uses usm-target-params; uses usm-target-params;
} }
} }
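Review bot: `container local` and `list remote` carry no `description`, and the `key` grouping says only "Localized key" without saying which engine ID the key is localized to; add descriptions stating which engine ID applies in each case (the local engine's for `local`, the entry's `engine-id` key for `remote`), since a key localized to the wrong engine is a silent misconfiguration. The `must "../auth"` on `priv` correctly rejects privacy without authentication; the `md5`, `sha`, `des` and `aes` containers would likewise benefit from a one-line `description` rather than a `reference` alone.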
skipping to change at page 56, line 4 skipping to change at page 61, line 29
       Copyright (c) 2014 IETF Trust and the persons identified as
       authors of the code.  All rights reserved.

       Redistribution and use in source and binary forms, with or
       without modification, is permitted pursuant to, and subject
       to the license terms contained in, the Simplified BSD License
       set forth in Section 4.c of the IETF Trust's Legal Provisions
       Relating to IETF Documents
       (http://trustee.ietf.org/license-info).

       This version of this YANG module is part of RFC 7407; see
       the RFC itself for full legal notices.";

    reference
      "RFC 5591: Transport Security Model for the
         Simple Network Management Protocol (SNMP)";

    revision 2014-12-10 {
      description
        "Initial revision.";
      reference
        "RFC 7407: A YANG Data Model for SNMP Configuration";
    }

    feature tsm {
      description
        "A server implements this feature if it supports the
         Transport Security Model for SNMP.";
      reference
        "RFC 5591: Transport Security Model for the
           Simple Network Management Protocol (SNMP)";
    }

    augment /snmp:snmp {
      if-feature tsm;
      container tsm {
        description
          "Configuration of the Transport Security Model.";
        leaf use-prefix {
          type boolean;
          default false;
          reference
            "RFC 5591: Transport Security Model for the Simple
               Network Management Protocol (SNMP).
               SNMP-TSM-MIB.snmpTsmConfigurationUsePrefix";
        }
      }
    }

    grouping tsm-target-params {
      container tsm {
        description
          "Transport-based security SNMPv3 parameters type.
           Represents snmpTargetParamsMPModel '3' and
           snmpTargetParamsSecurityModel '4'.";
        leaf security-name {
          type snmp:security-name;
          mandatory true;
          reference
            "RFC 3413: Simple Network Management Protocol (SNMP).
               Applications.
               SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
        }
        leaf security-level {
          type snmp:security-level;
          mandatory true;
          reference
            "RFC 3413: Simple Network Management Protocol (SNMP).
               Applications.
               SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
        }
      }
    }

    augment /snmp:snmp/snmp:target-params/snmp:params {
      if-feature tsm;
      case tsm {
        uses tsm-target-params;
      }
    }
  }

  <CODE ENDS>

4.12.  Submodule 'ietf-snmp-tls'

  <CODE BEGINS> file "ietf-snmp-tls.yang"

   [unchanged lines omitted]
       Copyright (c) 2014 IETF Trust and the persons identified as
       authors of the code.  All rights reserved.

       Redistribution and use in source and binary forms, with or
       without modification, is permitted pursuant to, and subject
       to the license terms contained in, the Simplified BSD License
       set forth in Section 4.c of the IETF Trust's Legal Provisions
       Relating to IETF Documents
       (http://trustee.ietf.org/license-info).

       This version of this YANG module is part of RFC 7407; see
       the RFC itself for full legal notices.";

    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model for
         the Simple Network Management Protocol (SNMP)";

    revision 2014-12-10 {
      description
        "Initial revision.";
      reference
        "RFC 7407: A YANG Data Model for SNMP Configuration";
    }

    feature tlstm {
      description
        "A server implements this feature if it supports the
         Transport Layer Security Transport Model for SNMP.";
      reference
        "RFC 6353: Transport Layer Security (TLS) Transport Model for
           the Simple Network Management Protocol (SNMP)";
    }

    augment /snmp:snmp/snmp:engine/snmp:listen/snmp:transport {
      if-feature tlstm;
      case tls {
        container tls {
          description
            "A list of IPv4 and IPv6 addresses and ports to which the
             engine listens for SNMP messages over TLS.";

   [unchanged lines omitted]
    augment /snmp:snmp {
      if-feature tlstm;
      container tlstm {
        uses x509c2n:cert-to-name {
          description
            "Defines how certificates are mapped to names.  The
             resulting name is used as a security name.";
          refine cert-to-name/map-type {
            description
              "Mappings that use the snmpTlstmCertToTSNData column
               need to augment the cert-to-name list with
               additional configuration objects corresponding
               to the snmpTlstmCertToTSNData value.  Such objects
               should use the 'when' statement to make them
               conditional based on the map-type.";
          }
        }
      }
    }

    grouping tls-transport {
      leaf ip {
        type inet:host;
        mandatory true;
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
             Applications.
             SNMP-TARGET-MIB.snmpTargetAddrTAddress
           RFC 6353: Transport Layer Security (TLS) Transport Model
             for the Simple Network Management Protocol (SNMP).
             SNMP-TLS-TM-MIB.SnmpTLSAddress";
      }
      leaf port {
        type inet:port-number;
        default 10161;
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
             Applications.
             SNMP-TARGET-MIB.snmpTargetAddrTAddress
           RFC 6353: Transport Layer Security (TLS) Transport Model
             for the Simple Network Management Protocol (SNMP).
             SNMP-TLS-TM-MIB.SnmpTLSAddress";
      }
      leaf client-fingerprint {
        type x509c2n:tls-fingerprint;
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
             for the Simple Network Management Protocol (SNMP).
             SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint";
      }
      leaf server-fingerprint {
        type x509c2n:tls-fingerprint;
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
             for the Simple Network Management Protocol (SNMP).
             SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint";
      }
      leaf server-identity {
        type snmp:admin-string;
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
             for the Simple Network Management Protocol (SNMP).
             SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity";
      }
    }

    augment /snmp:snmp/snmp:target/snmp:transport {
      if-feature tlstm;
      case tls {
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
             for the Simple Network Management Protocol (SNMP).
             SNMP-TLS-TM-MIB.snmpTLSTCPDomain";
        container tls {
          uses tls-transport;
        }
      }
    }

    augment /snmp:snmp/snmp:target/snmp:transport {
      if-feature tlstm;
      case dtls {
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
             for the Simple Network Management Protocol (SNMP).
             SNMP-TLS-TM-MIB.snmpDTLSUDPDomain";
        container dtls {
          uses tls-transport;
        }
      }
    }
  }

  <CODE ENDS>

4.13.  Submodule 'ietf-snmp-ssh'

   [unchanged lines omitted]
       Copyright (c) 2014 IETF Trust and the persons identified as
       authors of the code.  All rights reserved.

       Redistribution and use in source and binary forms, with or
       without modification, is permitted pursuant to, and subject
       to the license terms contained in, the Simplified BSD License
       set forth in Section 4.c of the IETF Trust's Legal Provisions
       Relating to IETF Documents
       (http://trustee.ietf.org/license-info).

       This version of this YANG module is part of RFC 7407; see
       the RFC itself for full legal notices.";

    reference
      "RFC 5592: Secure Shell Transport Model for the
         Simple Network Management Protocol (SNMP)";

    revision 2014-12-10 {
      description
        "Initial revision.";
      reference
        "RFC 7407: A YANG Data Model for SNMP Configuration";
    }

    feature sshtm {
      description
        "A server implements this feature if it supports the
         Secure Shell Transport Model for SNMP.";
      reference
        "RFC 5592: Secure Shell Transport Model for the
           Simple Network Management Protocol (SNMP)";
    }

    augment /snmp:snmp/snmp:engine/snmp:listen/snmp:transport {
      if-feature sshtm;
      case ssh {
        container ssh {
          description
            "The IPv4 or IPv6 address and port to which the
             engine listens for SNMP messages over SSH.";

   [unchanged lines omitted]

               an engine that acts as a Notification Receiver
               uses port 5162.";
          }
        }
      }
    }

    augment /snmp:snmp/snmp:target/snmp:transport {
      if-feature sshtm;
      case ssh {
        reference
          "RFC 5592: Secure Shell Transport Model for the
             Simple Network Management Protocol (SNMP).
             SNMP-SSH-TM-MIB.snmpSSHDomain";
        container ssh {
          leaf ip {
            type inet:host;
            mandatory true;
            reference
              "RFC 3413: Simple Network Management Protocol (SNMP).
                 Applications.
                 SNMP-TARGET-MIB.snmpTargetAddrTAddress
               RFC 5592: Secure Shell Transport Model for the
                 Simple Network Management Protocol (SNMP).
                 SNMP-SSH-TM-MIB.SnmpSSHAddress";
          }
          leaf port {
            type inet:port-number;
            default 5161;
            reference
              "RFC 3413: Simple Network Management Protocol (SNMP).
                 Applications.
                 SNMP-TARGET-MIB.snmpTargetAddrTAddress
               RFC 5592: Secure Shell Transport Model for the
                 Simple Network Management Protocol (SNMP).
                 SNMP-SSH-TM-MIB.SnmpSSHAddress";
          }
          leaf username {
            type string;
            reference
              "RFC 3413: Simple Network Management Protocol (SNMP).
                 Applications.
                 SNMP-TARGET-MIB.snmpTargetAddrTAddress
               RFC 5592: Secure Shell Transport Model for the
                 Simple Network Management Protocol (SNMP).
                 SNMP-SSH-TM-MIB.SnmpSSHAddress";
          }
        }
      }
    }
  }

  <CODE ENDS>
5.  IANA Considerations

   This document registers two URIs in the "IETF XML Registry"
   [RFC3688].  Following the format in RFC 3688, the following
   registrations have been made.

      URI: urn:ietf:params:xml:ns:yang:ietf-snmp
      Registrant Contact: The NETMOD WG of the IETF.
      XML: N/A, the requested URI is an XML namespace.

      URI: urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name
      Registrant Contact: The NETMOD WG of the IETF.
      XML: N/A, the requested URI is an XML namespace.

   This document registers the following YANG modules in the "YANG
   Module Names" registry [RFC6020].

      name:      ietf-snmp
      namespace: urn:ietf:params:xml:ns:yang:ietf-snmp
      prefix:    snmp
      reference: RFC 7407

      name:      ietf-x509-cert-to-name
      namespace: urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name
      prefix:    x509c2n
      reference: RFC 7407

   The document registers the following YANG submodules in the "YANG
   Module Names" registry [RFC6020].

      name:      ietf-snmp-common
      parent:    ietf-snmp
      reference: RFC 7407

      name:      ietf-snmp-engine
      parent:    ietf-snmp
      reference: RFC 7407

      name:      ietf-snmp-community
      parent:    ietf-snmp
      reference: RFC 7407

      name:      ietf-snmp-notification
      parent:    ietf-snmp
      reference: RFC 7407

      name:      ietf-snmp-target
      parent:    ietf-snmp
      reference: RFC 7407

      name:      ietf-snmp-vacm
      parent:    ietf-snmp
      reference: RFC 7407

      name:      ietf-snmp-usm
      parent:    ietf-snmp
      reference: RFC 7407

      name:      ietf-snmp-tsm
      parent:    ietf-snmp
      reference: RFC 7407

      name:      ietf-snmp-tls
      parent:    ietf-snmp
      reference: RFC 7407

      name:      ietf-snmp-ssh
      parent:    ietf-snmp
      reference: RFC 7407
6.  Security Considerations

   The YANG module and submodules defined in this memo are designed to
   be accessed via the NETCONF protocol [RFC6241].  The lowest NETCONF
   layer is the secure transport layer, and the mandatory-to-implement
   secure transport is SSH [RFC6242].  The NETCONF access control model
   [RFC6536] provides the means to restrict access for particular
   NETCONF users to a pre-configured subset of all available NETCONF
   protocol operations and content.

   There are a number of data nodes defined in the YANG module and
   submodules that are writable/creatable/deletable (i.e., config true,
   which is the default).  These data nodes may be considered sensitive
   or vulnerable in some network environments.  Write operations (e.g.,
   edit-config) to these data nodes without proper protection can have a
   negative effect on network operations.  These are the subtrees and
   data nodes and their sensitivity/vulnerability:

   o  The "/snmp/engine" subtree contains the configuration of general
      parameters of an SNMP engine such as the endpoints to listen on,
      the transports and SNMP versions enabled, or the engine's
      identity.  Write access to this subtree should only be granted to
      entities configuring general SNMP engine parameters.

   o  The "/snmp/target" subtree contains the configuration of SNMP
      targets and, in particular, which transports to use and their
      security parameters.  Write access to this subtree should only be
      granted to the security administrator and entities configuring
      SNMP notification forwarding behavior.

   o  The "/snmp/notify" and "/snmp/notify-filter-profile" subtrees
      contain the configuration for the SNMP notification forwarding and
      filtering mechanism.  Write access to these subtrees should only
      be granted to entities configuring SNMP notification forwarding
      behavior.

   o  The "/snmp/proxy" subtree contains the configuration for SNMP
      proxies.  Write access to this subtree should only be granted to
      entities configuring SNMP proxies.

   o  The "/snmp/community" subtree contains the configuration of the
      Community-based Security Model.  Write access to this subtree
      should only be granted to the security administrator.

   o  The "/snmp/usm" subtree contains the configuration of the User-
      based Security Model.  Write access to this subtree should only be
      granted to the security administrator.

   o  The "/snmp/tsm" subtree contains the configuration of the
      Transport Security Model for SNMP (the model the 'tsm' feature
      above describes).  Write access to this subtree should only be
      granted to the security administrator.

   o  The "/snmp/tlstm" subtree contains the configuration of the SNMP
      transport over (D)TLS and, in particular, the configuration of how
      certificates are mapped to SNMP security names.  Write access to
      this subtree should only be granted to the security administrator.

   o  The "/snmp/vacm" subtree contains the configuration of the View-
      based Access Control Model used by SNMP to authorize access to
      management information via SNMP.  Write access to this subtree
      should only be granted to the security administrator.

   Some of the readable data nodes in the YANG module and submodules may
   be considered sensitive or vulnerable in some network environments.
   It is thus important to control read access (e.g., via get, get-
   config, or notification) to these data nodes.  These are the subtrees
   and data nodes and their sensitivity/vulnerability:

   o  The "/snmp/engine" subtree exposes general information about an
      SNMP engine such as which version(s) of SNMP are enabled or which
      transports are enabled.

   o  The "/snmp/target" subtree exposes information about which
      transports are used to reach certain SNMP targets and which
      transport-specific parameters are used.

   o  The "/snmp/notify" and "/snmp/notify-filter-profile" subtrees
      expose information about how notifications are filtered and
      forwarded to notification targets.

   o  The "/snmp/proxy" subtree exposes information about proxy
      relationships.

   o  The "/snmp/community", "/snmp/usm", "/snmp/tsm", "/snmp/tlstm",
      and "/snmp/vacm" subtrees are specifically sensitive since they
      expose information about the authentication and authorization
      policy used by an SNMP engine.
   Changes to the SNMP access control rules should be done in an atomic
   way (through a single edit-config or a single commit), or care must
   be taken that they are done in a sequence that does not temporarily
   open access to resources.  Implementations supporting SNMP write
   access must ensure that any SNMP access control rule changes over
   NETCONF are also atomic to the SNMP instrumentation.  In particular,
   changes involving an internal delete/create cycle (e.g., to move a
   user to a different group) must be done with sufficient protections
   such that even a power fail immediately after the delete does not
   leave the administrator locked out.

   Security administrators need to ensure that NETCONF access control
   rules and SNMP access control rules implement a consistent security
   policy.  Specifically, the SNMP access control rules should prevent
   accidental leakage of sensitive security parameters such as community
   strings.  See the Security Considerations section of [RFC3584] for
   further details.
Acknowledgments

   The authors want to thank Wes Hardaker and David Spakes for their
   detailed reviews.  Additional valuable comments were provided by
   David Harrington, Borislav Lukovic, and Randy Presuhn.

   Juergen Schoenwaelder was partly funded by Flamingo, a Network of
   Excellence project (ICT-318488) supported by the European Commission
   under its Seventh Framework Programme.

7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010, <http://www.rfc-editor.org/info/rfc6020>.

   [RFC6241]  Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
              Bierman, "Network Configuration Protocol (NETCONF)",
              RFC 6241, June 2011,
              <http://www.rfc-editor.org/info/rfc6241>.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, June 2011,
              <http://www.rfc-editor.org/info/rfc6242>.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              March 2012, <http://www.rfc-editor.org/info/rfc6536>.

   [RFC6991]  Schoenwaelder, J., "Common YANG Data Types", RFC 6991,
              July 2013, <http://www.rfc-editor.org/info/rfc6991>.

7.2.  Informative References

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002, <http://www.rfc-editor.org/info/rfc3411>.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412,
              December 2002, <http://www.rfc-editor.org/info/rfc3412>.

   [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62,
              RFC 3413, December 2002,
              <http://www.rfc-editor.org/info/rfc3413>.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002,
              <http://www.rfc-editor.org/info/rfc3414>.

   [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415,
              December 2002, <http://www.rfc-editor.org/info/rfc3415>.

   [RFC3417]  Presuhn, R., "Transport Mappings for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3417,
              December 2002, <http://www.rfc-editor.org/info/rfc3417>.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002,
              <http://www.rfc-editor.org/info/rfc3418>.

   [RFC3419]  Daniele, M. and J. Schoenwaelder, "Textual Conventions for
              Transport Addresses", RFC 3419, December 2002,
              <http://www.rfc-editor.org/info/rfc3419>.

   [RFC3584]  Frye, R., Levi, D., Routhier, S., and B. Wijnen,
              "Coexistence between Version 1, Version 2, and Version 3
              of the Internet-standard Network Management Framework",
              BCP 74, RFC 3584, August 2003,
              <http://www.rfc-editor.org/info/rfc3584>.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004, <http://www.rfc-editor.org/info/rfc3688>.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826, June 2004,
              <http://www.rfc-editor.org/info/rfc3826>.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)",
              STD 78, RFC 5591, June 2009,
              <http://www.rfc-editor.org/info/rfc5591>.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, June 2009,
              <http://www.rfc-editor.org/info/rfc5592>.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              STD 78, RFC 6353, July 2011,
              <http://www.rfc-editor.org/info/rfc6353>.

   [RFC6643]  Schoenwaelder, J., "Translation of Structure of Management
              Information Version 2 (SMIv2) MIB Modules to YANG
              Modules", RFC 6643, July 2012,
              <http://www.rfc-editor.org/info/rfc6643>.
Appendix A.  Example Configurations

A.1.  Engine Configuration Example

Below is an XML instance document showing a configuration of an SNMP
engine listening on UDP port 161 on IPv4 and IPv6 endpoints and
accepting SNMPv2c and SNMPv3 messages.

<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <engine>
    <enabled>true</enabled>

skipping to change at page 79, line 21

    <target-params>v2c-public</target-params>
  </target>
  <target-params>
    <name>v2c-public</name>
    <v2c>
      <security-name>community-public</security-name>
    </v2c>
  </target-params>
</snmp>
A.3.  User-Based Security Model Configuration Example

Below is an XML instance document showing the configuration of a
local user "joey" who has no authentication or privacy keys.  For the
remote SNMP engine identified by the snmpEngineID
'800002b804616263'H, two users are configured.  The user "matt" has a
localized SHA authentication key, and the user "russ" has a localized
SHA authentication key and an AES encryption key.

<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <usm>
    <local>
      <user>
        <name>joey</name>
      </user>
    </local>
    <remote>
      <engine-id>00:00:00:00:00:00:00:00:00:00:00:02</engine-id>
      <user>
        <name>matt</name>
        <auth>
          <sha>
            <!--
              The 'key' value is split into two lines to conform to
              the RFC formatting rules.
            -->
            <key>66:95:fe:bc:92:88:e3:62:82:23:
                 5f:c7:15:1f:12:84:97:b3:8f:3f</key>
          </sha>
        </auth>
      </user>
      <user>
        <name>russ</name>
        <auth>
          <sha>
            <!--
              The 'key' value is split into two lines to conform to
              the RFC formatting rules.
            -->
            <key>66:95:fe:bc:92:88:e3:62:82:23:
                 5f:c7:15:1f:12:84:97:b3:8f:3f</key>
          </sha>
        </auth>
        <priv>
          <aes>
            <!--
              The 'key' value is split into two lines to conform to
              the RFC formatting rules.
            -->
            <key>66:95:fe:bc:92:88:e3:62:82:23:
                 5f:c7:15:1f:12:84</key>
          </aes>
        </priv>
      </user>
    </remote>
  </usm>
  <target>

skipping to change at page 80, line 44

    </udp>
    <tag>blue</tag>
    <target-params>matt-auth</target-params>
  </target>
  <target-params>
    <name>matt-auth</name>
    <usm>
      <user-name>matt</user-name>
      <security-level>auth-no-priv</security-level>
    </usm>
  </target-params>
</snmp>
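The USM configuration above is a natural place for an automated check before it is pushed to an engine. The following Python script is an added example and is not part of RFC 7407 or of any SNMP implementation: it parses an instance document shaped like the one above with the standard library, derives each user's effective security level from the presence of the <auth> and <priv> containers, checks localized key lengths against the sizes the USM protocols expect, and flags keys that two users share (as "matt" and "russ" do here). The sample document, the function names and the shape of the findings are the example's own; the key values are the RFC's illustrative ones.

```python
"""Audit the USM users in an ietf-snmp XML instance document.

Added example, not part of RFC 7407 or any implementation: it parses a
document shaped like Appendix A.3 with the standard library and reports
each user's effective security level, key-length problems, and keys
shared between users.
"""
import xml.etree.ElementTree as ET

NS = {"snmp": "urn:ietf:params:xml:ns:yang:ietf-snmp"}

# Constructed input modelled on Appendix A.3; the key values are the RFC's
# illustrative ones, not real secrets.
SAMPLE_XML = """<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <usm>
    <local>
      <user><name>joey</name></user>
    </local>
    <remote>
      <engine-id>00:00:00:00:00:00:00:00:00:00:00:02</engine-id>
      <user>
        <name>matt</name>
        <auth><sha><key>66:95:fe:bc:92:88:e3:62:82:23:
                         5f:c7:15:1f:12:84:97:b3:8f:3f</key></sha></auth>
      </user>
      <user>
        <name>russ</name>
        <auth><sha><key>66:95:fe:bc:92:88:e3:62:82:23:
                         5f:c7:15:1f:12:84:97:b3:8f:3f</key></sha></auth>
        <priv><aes><key>66:95:fe:bc:92:88:e3:62:82:23:
                         5f:c7:15:1f:12:84</key></aes></priv>
      </user>
    </remote>
  </usm>
</snmp>"""

# Localized key lengths in octets: 16 for MD5, 20 for SHA-1 and 16 for DES
# (RFC 3414); 16 for AES-128 (RFC 3826).
EXPECTED_KEY_LEN = {"md5": 16, "sha": 20, "des": 16, "aes": 16}


def parse_key(text):
    """Decode the 'aa:bb:...' hex-string form into bytes.  Whitespace is
    dropped first, so a key wrapped over several lines (as in the RFC
    example) still decodes."""
    cleaned = "".join((text or "").split())
    if not cleaned:
        return b""
    return bytes(int(octet, 16) for octet in cleaned.split(":"))


def _protocol_and_key(user, section):
    """Return (protocol name, key bytes) from the user's <auth> or <priv>
    container, or (None, None) when the user has no such container."""
    container = user.find(f"snmp:{section}", NS)
    if container is None:
        return None, None
    for proto in container:                     # the chosen case: <sha>, <aes>, ...
        key_el = proto.find("snmp:key", NS)
        return proto.tag.split("}")[-1], parse_key(key_el.text if key_el is not None else "")
    return None, None


def audit_usm(xml_text):
    """Return one finding dict per user, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    key_owner = {}                              # key bytes -> first user seen with it
    for scope in ("local", "remote"):
        for holder in root.findall(f"snmp:usm/snmp:{scope}", NS):
            eng = holder.find("snmp:engine-id", NS)
            for user in holder.findall("snmp:user", NS):
                name = user.find("snmp:name", NS).text
                auth_proto, auth_key = _protocol_and_key(user, "auth")
                priv_proto, priv_key = _protocol_and_key(user, "priv")
                issues = []
                if auth_proto is None and priv_proto is not None:
                    level = "invalid"
                    issues.append("privacy key without authentication key is not allowed by USM")
                elif auth_proto is None:
                    level = "no-auth-no-priv"
                    issues.append("no authentication key: messages from this user are unauthenticated")
                elif priv_proto is None:
                    level = "auth-no-priv"
                    issues.append("no privacy key: messages are authenticated but sent in cleartext")
                else:
                    level = "auth-priv"
                for what, proto, key in (("auth", auth_proto, auth_key),
                                         ("priv", priv_proto, priv_key)):
                    if proto is None:
                        continue
                    want = EXPECTED_KEY_LEN.get(proto)
                    if want is not None and len(key) != want:
                        issues.append(f"{what} key for {proto} is {len(key)} octets, expected {want}")
                    owner = key_owner.setdefault(key, name)
                    if owner != name:
                        issues.append(f"{what} key is identical to a key of user {owner!r}")
                findings.append({"name": name, "scope": scope,
                                 "engine_id": eng.text if eng is not None else None,
                                 "auth": auth_proto, "priv": priv_proto,
                                 "level": level, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_usm(SAMPLE_XML):
        print(f"{f['scope']:6} {f['name']:6} {f['level']:15}", "; ".join(f["issues"]) or "ok")
```

Run against the sample, the script reports "joey" as no-auth-no-priv, "matt" as auth-no-priv, and "russ" as auth-priv but with an authentication key identical to matt's; the level names follow the module's security-level enumeration, which the target-params entry above uses in the same spelling (auth-no-priv).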
A.4.  Target and Notification Configuration Example

Below is an XML instance document showing the configuration of a
notification generator application (see Appendix A of [RFC3413]).
Note that the USM-specific objects are defined in the "ietf-snmp-usm"
submodule.

<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <target>
    <name>addr1</name>
    <udp>
      <ip>192.0.2.3</ip>
      <port>162</port>
    </udp>
    <tag>group1</tag>
    <target-params>joe-auth</target-params>

skipping to change at page 82, line 22

    <name>group2</name>
    <tag>group2</tag>
    <type>trap</type>
  </notify>
</snmp>
A.5.  Proxy Configuration Example

Below is an XML instance document showing the configuration of a
proxy forwarder application.  It proxies SNMPv2c messages from
command generators to a file server running an SNMPv1 agent that
recognizes two community strings, "private" and "public", with
different associated read views.  The file server is represented as
two "target" instances, one for each community string.

If the proxy receives an SNMPv2c message with the community string
"public" from a device in the "Office Network" or "Home Office
Network", it gets tagged as "trusted", and the proxy uses the
"private" community string when sending the message to the file
server.  Other SNMPv2c messages with the community string "public"
get tagged as "non-trusted", and the proxy uses the "public"
community string for these messages.  There is also a special
"backdoor" community string that can be used from any location to get
"trusted" access.

The "Office Network" and "Home Office Network" are represented as two

skipping to change at page 83, line 46

    </v1>
  </target-params>
  <target-params>
    <name>v2c-public</name>
    <v2c>
      <security-name>public</security-name>
    </v2c>
  </target-params>
  <!--
    Communities c1, c2, c3, and c4 are used for incoming messages
    that should be forwarded.
    Communities c3 and c5 are used for outgoing messages to the
    file server.
  -->
  <community>
    <index>c1</index>
    <security-name>public</security-name>
    <engine-id>80:00:61:81:c8</engine-id>
    <context>trusted</context>

skipping to change at page 85, line 4

    <target-params-in>v2c-public</target-params-in>
    <single-target-out>File Server (private)</single-target-out>
  </proxy>
  <proxy>
    <name>p2</name>
    <type>read</type>
    <context-engine-id>80:00:61:81:c8</context-engine-id>
    <context-name>not-trusted</context-name>
    <target-params-in>v2c-public</target-params-in>
    <single-target-out>File Server (public)</single-target-out>
  </proxy>
</snmp>

If an SNMPv2c Get request with community string "public" is received
from an IP address tagged as "office" or "home-office", or if the
request is received from anywhere else with community string
"backdoor", the implied context is "trusted" so proxy entry "p1"
matches.  The request is forwarded to the file server as SNMPv1 with
community "private" using community table entry "c5" for outbound
params lookup.

If an SNMPv2c Get request with community string "public" is received
from any other IP address, the implied context is "not-trusted" so
proxy entry "p2" matches, and the request is forwarded to the file
server as SNMPv1 with community "public".
A.6.  View-Based Access Control Model Configuration Example

Below is an XML instance document showing the minimum-secure VACM
configuration (see Appendix A of [RFC3415]).

<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <vacm>
    <group>
      <name>initial</name>
      <member>
        <security-name>initial</security-name>

skipping to change at page 87, line 4

    </view>
    <view>
      <name>restricted</name>
      <include>1.3.6.1.2.1.1</include>
      <include>1.3.6.1.2.1.11</include>
      <include>1.3.6.1.6.3.10.2.1</include>
      <include>1.3.6.1.6.3.11.2.1</include>
      <include>1.3.6.1.6.3.15.1.1</include>
    </view>
  </vacm>
</snmp>
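Whether a given object is actually reachable through a view such as "restricted" above is decided by the VACM family-selection rule of [RFC3415]: among the include and exclude families that match an OID, the one with the most sub-identifiers wins (ties go to the lexicographically greatest subtree), and its type decides visibility. The following Python script is an added example and is not part of RFC 7407 or of any SNMP implementation; it loads the <vacm>/<view> list from an instance document with the standard library and answers "is this OID visible in view X?". It goes slightly beyond the page's example by also handling an <exclude> nested inside an <include> and the "*" wildcard spelling for a masked sub-identifier; the second view ("ops"), the function names and the OIDs queried in the usage block are the example's own constructions.

```python
"""Evaluate VACM view membership for an ietf-snmp XML instance document.

Added example, not part of RFC 7407 or any implementation.  It loads the
<vacm>/<view> lists and answers "is this OID in view X?" using the
RFC 3415 family-selection rule (longest matching subtree wins, ties
broken by the lexicographically greatest subtree) and the include/exclude
type of the winning family.
"""
import xml.etree.ElementTree as ET

NS = {"snmp": "urn:ietf:params:xml:ns:yang:ietf-snmp"}

# Constructed input.  "restricted" is the Appendix A.6 view; "ops" is an
# added view showing an exclude nested inside an include and a '*'
# wildcard (a masked sub-identifier), which hides every column of the
# ifTable row with ifIndex 3 and the whole usmUserTable.
SAMPLE_XML = """<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <vacm>
    <view>
      <name>restricted</name>
      <include>1.3.6.1.2.1.1</include>
      <include>1.3.6.1.2.1.11</include>
      <include>1.3.6.1.6.3.10.2.1</include>
      <include>1.3.6.1.6.3.11.2.1</include>
      <include>1.3.6.1.6.3.15.1.1</include>
    </view>
    <view>
      <name>ops</name>
      <include>1.3.6.1</include>
      <exclude>1.3.6.1.6.3.15.1.2</exclude>
      <exclude>1.3.6.1.2.1.2.2.1.*.3</exclude>
    </view>
  </vacm>
</snmp>"""


def parse_family(text):
    """'1.3.6.1.2.1.*.3' -> [1, 3, 6, 1, 2, 1, None, 3]; None is a wildcard."""
    return [None if part == "*" else int(part) for part in text.strip().split(".")]


def load_views(xml_text):
    """Return {view-name: [(family, included), ...]} from the instance document."""
    root = ET.fromstring(xml_text)
    views = {}
    for view in root.findall("snmp:vacm/snmp:view", NS):
        families = []
        for tag, included in (("include", True), ("exclude", False)):
            for el in view.findall(f"snmp:{tag}", NS):
                families.append((parse_family(el.text), included))
        views[view.find("snmp:name", NS).text] = families
    return views


def _matches(family, oid):
    """A family matches an OID that is at least as long as it and whose
    sub-identifiers agree at every non-wildcard position."""
    return len(oid) >= len(family) and all(
        f is None or f == o for f, o in zip(family, oid))


def in_view(views, view_name, oid_text):
    """True if the OID is visible in the named view, False otherwise
    (an OID matching no family at all is not in the view)."""
    oid = [int(p) for p in oid_text.split(".")]
    best_rank, best_included = None, False
    for family, included in views[view_name]:
        if not _matches(family, oid):
            continue
        # Rank: more sub-identifiers first, then the greater subtree value.
        # Wildcards rank as 0 here (assumption: the value an agent would
        # hold in vacmViewTreeFamilySubtree at a masked position).
        rank = (len(family), [0 if f is None else f for f in family])
        if best_rank is None or rank > best_rank:
            best_rank, best_included = rank, included
    return best_included


if __name__ == "__main__":
    views = load_views(SAMPLE_XML)
    for name, oid in (("restricted", "1.3.6.1.2.1.1.5.0"),          # sysName.0
                      ("restricted", "1.3.6.1.2.1.2.2.1.2.1"),      # ifDescr.1
                      ("ops", "1.3.6.1.6.3.15.1.2.2.1.3.1.2.3"),    # usmUserTable entry
                      ("ops", "1.3.6.1.2.1.2.2.1.2.3"),             # ifDescr.3
                      ("ops", "1.3.6.1.2.1.2.2.1.2.4")):            # ifDescr.4
        print(f"{name:10} {oid:32} {'visible' if in_view(views, name, oid) else 'hidden'}")
```

The usage block shows the practical consequence of the "restricted" view: sysName.0 is visible while interface data is not, exactly the minimum-secure posture the appendix describes; the constructed "ops" view shows how a single nested exclude removes the USM user table from an otherwise broad view.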
A.7.  Transport Layer Security Transport Model Configuration Example

Below is an XML instance document showing the configuration of the
mapping of certificate to security name (see Appendices A.2 and A.3
of [RFC6353]).

<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp"
      xmlns:x509c2n=
        "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name">
  <tlstm>
    <cert-to-name>
      <id>1</id>
      <fingerprint>11:0A:05:11:00</fingerprint>
      <map-type>x509c2n:san-any</map-type>
    </cert-to-name>

skipping to change at page 88, line 5

      <id>2</id>
      <fingerprint>11:0A:05:11:00</fingerprint>
      <map-type>x509c2n:specified</map-type>
      <name>
        Joe Cool
      </name>
    </cert-to-name>
  </tlstm>
</snmp>
Acknowledgments
The authors want to thank Wes Hardaker and David Spakes for their
detailed reviews. Additional valuable comments were provided by
David Harrington, Borislav Lukovic, and Randy Presuhn.
Juergen Schoenwaelder was partly funded by Flamingo, a Network of
Excellence project (ICT-318488) supported by the European Commission
under its Seventh Framework Programme.
Authors' Addresses

Martin Bjorklund
Tail-f Systems

EMail: mbj@tail-f.com

Juergen Schoenwaelder
Jacobs University

EMail: j.schoenwaelder@jacobs-university.de
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/