draft-ietf-netmod-snmp-cfg-00.txt vs. draft-ietf-netmod-snmp-cfg-01.txt
(side-by-side diff; text identical in both drafts is shown once, differences are marked (-00) / (-01))

Network Working Group                                       M. Bjorklund
Internet-Draft                                            Tail-f Systems
Intended status: Standards Track                        J. Schoenwaelder
Expires: December 7, 2012 (-00) / August 15, 2013 (-01)  Jacobs University
                                  June 5, 2012 (-00) / February 11, 2013 (-01)

              A YANG Data Model for SNMP Configuration
        draft-ietf-netmod-snmp-cfg-00 (-00) / draft-ietf-netmod-snmp-cfg-01 (-01)
Abstract

   This document defines a collection of YANG definitions for
   configuring SNMP engines.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   skipping to change at page 1, line 32

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 7, 2012 (-00) /
   August 15, 2013 (-01).

Copyright Notice

   Copyright (c) 2012 (-00) / 2013 (-01) IETF Trust and the persons
   identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as

   skipping to change at page 2, line 20
   (Table of contents excerpt; page numbers as in -01.  Sections 2.12 and
   3.12 are new in -01, and -00 page numbers differ from 3.5 onwards.)

   2.2.  Common Definitions . . . . . . . . . . . . . . . . . . . .  4
   2.3.  Engine Configuration . . . . . . . . . . . . . . . . . . .  4
   2.4.  Target Configuration . . . . . . . . . . . . . . . . . . .  5
   2.5.  Notification Configuration . . . . . . . . . . . . . . . .  6
   2.6.  Proxy Configuration  . . . . . . . . . . . . . . . . . . .  7
   2.7.  Community Configuration  . . . . . . . . . . . . . . . . .  7
   2.8.  View-based Access Control Model Configuration  . . . . . .  9
   2.9.  User-based Security Model Configuration  . . . . . . . . .  9
   2.10. Transport Security Model Configuration . . . . . . . . . . 11
   2.11. Transport Layer Security Transport Model Configuration . . 12
   2.12. Secure Shell Transport Model Configuration . . . . . . . . 13   (new in -01)
   3.  Definitions  . . . . . . . . . . . . . . . . . . . . . . . . . 14
   3.1.  Module 'ietf-snmp' . . . . . . . . . . . . . . . . . . . . 14
   3.2.  Submodule 'ietf-snmp-common' . . . . . . . . . . . . . . . 16
   3.3.  Submodule 'ietf-snmp-engine' . . . . . . . . . . . . . . . 20
   3.4.  Submodule 'ietf-snmp-target' . . . . . . . . . . . . . . . 23
   3.5.  Submodule 'ietf-snmp-notification' . . . . . . . . . . . . 27
   3.6.  Submodule 'ietf-snmp-proxy'  . . . . . . . . . . . . . . . 31
   3.7.  Submodule 'ietf-snmp-community'  . . . . . . . . . . . . . 33
   3.8.  Submodule 'ietf-snmp-vacm' . . . . . . . . . . . . . . . . 38
   3.9.  Submodule 'ietf-snmp-usm'  . . . . . . . . . . . . . . . . 44
   3.10. Submodule 'ietf-snmp-tsm'  . . . . . . . . . . . . . . . . 48
   3.11. Submodule 'ietf-snmp-tls'  . . . . . . . . . . . . . . . . 50
   3.12. Submodule 'ietf-snmp-ssh'  . . . . . . . . . . . . . . . . 56   (new in -01)
   4.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 59
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 61
   6.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 62
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 63
   7.1.  Normative References . . . . . . . . . . . . . . . . . . . 63
   7.2.  Informative References . . . . . . . . . . . . . . . . . . 63
   Appendix A.  Example configurations  . . . . . . . . . . . . . . . 65
   A.1.  Engine Configuration Example . . . . . . . . . . . . . . . 65
   A.2.  Community Configuration Example  . . . . . . . . . . . . . 65
   A.3.  User-based Security Model Configuration Example  . . . . . 66
   A.4.  Target and Notification Configuration Example  . . . . . . 67
   A.5.  Proxy Configuration Example  . . . . . . . . . . . . . . . 69
   A.6.  View-based Access Control Model Configuration Example  . . 71
   A.7.  Transport Layer Security Transport Model Configuration
         Example  . . . . . . . . . . . . . . . . . . . . . . . . . 73
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 75
1.  Introduction

   This document defines a YANG [RFC6020] data model for the
   configuration of SNMP engines.  The configuration model is consistent
   with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413],
   [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591], [RFC5592], and
   [RFC6353] but takes advantage of YANG's ability to define
   hierarchical configuration data models.  The structure of the model
   has been derived from existing proprietary configuration models
   implemented as command line interfaces.
   (-00 lists the same references without [RFC5592].)

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14, [RFC2119].
2.  Data Model

   In order to preserve the modularity of SNMP, the YANG configuration
   data model is organized in a set of YANG submodules, all sharing the

   skipping to change at page 4, line 27

   object the YANG node is mapped to.  When there is not a simple 1-1
   mapping, the "description" statement explains the mapping.

2.2.  Common Definitions

   The submodule "ietf-snmp-common" defines a set of common typedefs,
   features, and the top-level container "snmp".  All configuration
   parameters defined in the other submodules are organized under this
   top-level container.

   This submodule defines five YANG features (-00: four; sshtm is new
   in -01):

   proxy:  A server implements this feature if it can act as an SNMP
      Proxy.

   notification-filter:  A server implements this feature if it supports
      SNMP notification filtering.

   tsm:  A server implements this feature if it supports the Transport
      Security Model (tsm) [RFC5591].

   sshtm:  A server implements this feature if it supports the Secure
      Shell (SSH) Transport Model (sshtm) [RFC5592].   (new in -01)

   tlstm:  A server implements this feature if it supports the Transport
      Layer Security (TLS) Transport Model (tlstm) [RFC6353].

2.3.  Engine Configuration

   The submodule "ietf-snmp-engine", which defines configuration
   parameters that are specific to SNMP engines, has the following
   structure:

     +--rw snmp
   skipping to change at page 11, line 28

           +--rw usm
              +--rw user-name         snmp:security-name
              +--rw security-level    security-level

   In the MIB, there is a single table with local and remote users,
   indexed by the engine id and user name.  In the YANG model, there is
   one list of local users, and a nested list of remote users.

   (-00)
   In the MIB, there are several objects related to changing the
   authentication and privacy keys.  These objects are not present in
   the YANG model.  Instead, there is a choice between a password or a
   localized key.  If a password is given, it is used by the server to
   calculate a localized key, which is stored in the configuration.  The
   clear-text password is never stored.  This implies that if the engine
   id is changed, all users keys need to be changed as well.

   (-01)
   In the MIB, there are several objects related to changing the
   authentication and privacy keys.  These objects are not present in
   the YANG model.  However, the localized key can be changed.  This
   implies that if the engine id is changed, all users keys need to be
   changed as well.
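   The reason the engine id and the key are inseparable is the RFC 3414
   localization step, which -01 now leaves entirely to the operator (the
   server no longer derives the key from a password).  The following is an
   added example, not code from the draft or from any implementation of it:
   it computes the localized key an operator would have to write into the
   'key' leaf, and shows that one password yields a different key per engine
   id.  It assumes the RFC 3414 MD5/SHA-1 algorithms, the draft's
   colon-separated engine-id syntax, the RFC 3414 Appendix A 'maplesyrup'
   test vector, and constructed engine ids and user names; the dict layout
   returned by usm_entries() is the example's own, not the draft's tree.

```python
"""RFC 3414 password-to-key and key localization (added example, not part of
the draft).  One password, one localized key per engine id: this is why the
draft keeps remote users nested under /snmp/usm/remote[engine-id] and why
changing an engine id invalidates every key under it.
"""
import hashlib
import re

# Same constraint as the draft's engine-id typedef: 5..32 colon-separated octets.
ENGINE_ID_PATTERN = re.compile(r'[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){4,31}')

AUTH_PROTOCOLS = ('md5', 'sha1')   # key sources for HMAC-MD5-96 / HMAC-SHA-96 (RFC 3414)


def engine_id_from_yang(text):
    """Parse an engine-id written in the draft's hex-string form."""
    if ENGINE_ID_PATTERN.fullmatch(text) is None:
        raise ValueError(f'not a valid engine-id: {text!r}')
    return bytes.fromhex(text.replace(':', ''))


def to_yang_hex(octets):
    """Render octets the way the usm 'key' leaf stores them (colon-separated hex)."""
    return ':'.join(f'{b:02x}' for b in octets)


def password_to_key(password, algorithm):
    """RFC 3414 A.2: Ku = hash(password repeated to exactly 1,048,576 octets)."""
    if algorithm not in AUTH_PROTOCOLS:
        raise ValueError(f'unsupported algorithm: {algorithm}')
    if not password:
        raise ValueError('empty password')
    h = hashlib.new(algorithm)
    remaining = 1048576
    while remaining > 0:            # stream the repetition instead of building a 1 MiB string
        chunk = password[:remaining]
        h.update(chunk)
        remaining -= len(chunk)
    return h.digest()


def localize_key(ku, engine_id, algorithm):
    """RFC 3414 section 2.6: Kul = hash(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key_for_engine(password, engine_id_text, algorithm='md5'):
    """The value an operator computes out of band before writing the 'key' leaf."""
    engine_id = engine_id_from_yang(engine_id_text)
    return to_yang_hex(localize_key(password_to_key(password, algorithm), engine_id, algorithm))


def usm_entries(name, password, local_engine_id, remote_engine_ids, algorithm='md5'):
    """Keys for one user on the local engine and on each remote engine it must
    authenticate to (e.g. inform targets).  Layout is this example's own."""
    return {
        'local': {name: localized_key_for_engine(password, local_engine_id, algorithm)},
        'remote': {eid: {name: localized_key_for_engine(password, eid, algorithm)}
                   for eid in remote_engine_ids},
    }


if __name__ == '__main__':
    entries = usm_entries('monitor', b'maplesyrup',
                          '80:00:02:b8:04:61:62:63',       # the -01 example engine id
                          ['80:00:02:b8:04:6e:6d:73'])     # constructed remote engine id
    print(entries)
    try:
        engine_id_from_yang('4F:4C:41:71')               # the -00 four-octet example
    except ValueError as exc:
        print('rejected:', exc)
```

   Note that the four-octet engine id used as an example in -00 fails the
   typedef's own pattern (five to 32 octets), while the eight-octet -01
   example passes; and since the clear-text password never reaches the
   device in the -01 model, re-keying after an engine id change means
   rerunning this derivation for every user on every affected engine.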
2.10.  Transport Security Model Configuration

   The submodule "ietf-snmp-tsm", which defines configuration parameters
   that correspond to the objects in SNMP-TSM-MIB, has the following
   structure:

     +--rw snmp
        +--rw tsm
           +--rw use-prefix?   boolean

   skipping to change at page 12, line 33

   The submodule "ietf-snmp-tls", which defines configuration parameters
   that correspond to the objects in SNMP-TLS-TM-MIB, has the following
   structure:

     +--rw snmp
        ...
        +--rw target [name]
        |  ...
        |  +--rw (transport)
        |     ...                                       (line added in -01)
        |     +--:(tls)
        |     |  +--rw tls
        |     |     +-- {common (d)tls transport params}
        |     +--:(dtls)
        |        +--rw dtls
        |           +-- {common (d)tls transport params}
        +--rw tlstm
           +--rw cert-to-tm-security-name [id]
              +--rw id                                uint32
              +--rw fingerprint?                      tls-fingerprint
              +--rw map-type?                         identityref
              +--rw cert-specified-tm-security-name?  admin-string

   The "{common (d)tls transport params}" are:

   (-00)
     +--rw ip?                  inet:ip-address
     +--rw port?                inet:port-number
     +--rw client-fingerprint?  tls-fingerprint
     +--rw (server-identification)?
        +--:(server-fingerprint)
        |  +--rw server-fingerprint?  tls-fingerprint
        +--:(server-identity)
           +--rw server-identity?     admin-string

   (-01)
     +--rw ip?                  inet:ip-address
     +--rw port?                inet:port-number
     +--rw client-fingerprint?  tls-fingerprint
     +--rw server-fingerprint?  tls-fingerprint
     +--rw server-identity?     admin-string

   It also augments the "/snmp/engine/listen" container with objects for
   the D(TLS) transport endpoints:

     +--rw snmp
        +--rw engine
           ...
           +--rw listen
              ...                                        (line added in -01)
              +--rw tls [ip port]
              |  +--rw ip      inet:ip-address
              |  +--rw port    inet:port-number
              +--rw dtls [ip port]
                 +--rw ip      inet:ip-address
                 +--rw port    inet:port-number
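   What the receiving engine does with the cert-to-tm-security-name list
   above, and what a sending engine does with client-fingerprint /
   server-fingerprint / server-identity, is not spelled out in this
   section.  The following added example (not code from the draft, from
   RFC 6353, or from any SNMP implementation) makes both sides concrete.
   It assumes that a tls-fingerprint value is laid out like RFC 6353's
   SnmpTLSFingerprint (one octet naming the hash algorithm from the TLS
   HashAlgorithm registry, 1=md5 through 6=sha512, followed by the digest of
   the DER certificate), that entries are tried in ascending id order with
   the first match winning, and that the map-type identity is spelled
   'specified'; only that map-type is implemented because the subject and
   SAN map types need an X.509 parser.  The certificate bytes and security
   names are constructed stand-ins, not real DER; the function names are
   the example's own.  The fail-closed choices (an entry without a
   fingerprint never matches; a target with neither server-fingerprint nor
   server-identity is rejected) are this example's policy, since -01 makes
   both target leaves independently optional and states no precedence.

```python
"""TLSTM certificate handling on both ends of a (D)TLS session (added
example, not part of the draft).  Receiver: certificate -> tmSecurityName via
/snmp/tlstm/cert-to-tm-security-name.  Sender: accept the server only if the
target's server-fingerprint matches or, failing that, its server-identity.
"""
import hashlib
import hmac

# TLS HashAlgorithm registry values used as the first octet of a tls-fingerprint.
HASH_ALGORITHMS = {1: 'md5', 2: 'sha1', 3: 'sha224', 4: 'sha256', 5: 'sha384', 6: 'sha512'}
SHA256 = 4


def tls_fingerprint(cert_der, algorithm_id=SHA256):
    """Render the tls-fingerprint string for a DER certificate."""
    name = HASH_ALGORITHMS[algorithm_id]
    raw = bytes([algorithm_id]) + hashlib.new(name, cert_der).digest()
    return ':'.join(f'{b:02x}' for b in raw)


def parse_tls_fingerprint(text):
    """'04:ab:...' -> (hash name, digest).  Unknown algorithms and digests of
    the wrong length are rejected so a truncated value can never match."""
    raw = bytes.fromhex(text.replace(':', ''))
    if not raw or raw[0] not in HASH_ALGORITHMS:
        raise ValueError(f'unknown hash algorithm in fingerprint {text!r}')
    name = HASH_ALGORITHMS[raw[0]]
    if len(raw) - 1 != hashlib.new(name).digest_size:
        raise ValueError(f'digest length does not match {name}')
    return name, raw[1:]


def fingerprint_matches(text, cert_der):
    """Constant-time comparison of a configured fingerprint with a presented cert."""
    name, digest = parse_tls_fingerprint(text)
    return hmac.compare_digest(hashlib.new(name, cert_der).digest(), digest)


def cert_to_tm_security_name(cert_der, entries):
    """Receiver side.  'entries' mirrors the list in the tree above: dicts with
    'id' and optionally 'fingerprint', 'map-type', 'cert-specified-tm-security-name'.
    Lowest id first; the first matching entry decides.  Returns None if no entry
    matches, which the caller should treat as 'drop the session'."""
    for entry in sorted(entries, key=lambda e: e['id']):
        fp = entry.get('fingerprint')
        if fp is None or not fingerprint_matches(fp, cert_der):
            continue                      # fail closed: no fingerprint, no match
        map_type = entry.get('map-type', 'specified')
        if map_type == 'specified':
            return entry['cert-specified-tm-security-name']
        raise NotImplementedError(f'map-type {map_type} needs an X.509 parser')
    return None


def server_accepted(target_tls, server_cert_der, server_identity_seen):
    """Sender side, over the target's common (d)tls transport params.
    A configured server-fingerprint pins the certificate; otherwise the
    identity the server authenticated as must equal server-identity."""
    fp = target_tls.get('server-fingerprint')
    if fp is not None:
        return fingerprint_matches(fp, server_cert_der)
    identity = target_tls.get('server-identity')
    if identity is not None:
        return hmac.compare_digest(identity.encode(), server_identity_seen.encode())
    return False                          # nothing to check against: reject


if __name__ == '__main__':
    peer = b'constructed-not-real-DER: ops-admin manager cert'
    entries = [
        {'id': 1, 'fingerprint': tls_fingerprint(b'constructed-not-real-DER: other', 2),
         'map-type': 'specified', 'cert-specified-tm-security-name': 'other'},
        {'id': 2, 'fingerprint': tls_fingerprint(peer),
         'map-type': 'specified', 'cert-specified-tm-security-name': 'ops-admin'},
    ]
    print(cert_to_tm_security_name(peer, entries))
    print(server_accepted({'server-fingerprint': tls_fingerprint(peer)}, peer, 'ignored'))
```

   Because an id-ordered list with first-match semantics is an access
   control decision, the ids of broad entries (for example a future
   subject-name mapping) should sort after the narrow fingerprint pins,
   and a fingerprint written with an unsupported or truncated digest is
   rejected at parse time rather than silently never matching.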
2.12.  Secure Shell Transport Model Configuration   (section new in -01)

   The submodule "ietf-snmp-ssh", which defines configuration parameters
   that correspond to the objects in SNMP-SSH-TM-MIB, has the following
   structure:

     +--rw snmp
        ...
        +--rw target [name]
           ...
           +--rw (transport)
              ...
              +--:(ssh)
                 +--rw ssh
                    +--rw ip          inet:host
                    +--rw port?       inet:port-number
                    +--rw username?   string

   It also augments the "/snmp/engine/listen" container with objects for
   the SSH transport endpoints:

     +--rw snmp
        +--rw engine
           ...
           +--rw listen
              ...
              +--rw ssh [ip port]
3.  Definitions

3.1.  Module 'ietf-snmp'

   <CODE BEGINS> file "ietf-snmp.yang"

   module ietf-snmp {

     namespace "urn:ietf:params:xml:ns:yang:ietf-snmp";
     prefix snmp;

     include ietf-snmp-common {
       revision-date 2013-02-11;          // -00: 2012-06-05
     }
     include ietf-snmp-engine {
       revision-date 2012-06-05;
     }
     include ietf-snmp-target {
       revision-date 2012-06-05;
     }
     include ietf-snmp-notification {
       revision-date 2012-06-05;
     }
     include ietf-snmp-proxy {
       revision-date 2012-06-05;
     }
     include ietf-snmp-community {
       revision-date 2012-06-05;
     }
     include ietf-snmp-usm {
       revision-date 2013-02-11;          // -00: 2012-06-05
     }
     include ietf-snmp-tsm {
       revision-date 2012-06-05;
     }
     include ietf-snmp-vacm {
       revision-date 2012-06-05;
     }
     include ietf-snmp-tls {
       revision-date 2013-02-11;          // -00: 2012-06-05
     }
     include ietf-snmp-ssh {              // new in -01
       revision-date 2012-11-26;
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:   <http://tools.ietf.org/wg/netmod/>
        WG List:  <mailto:netmod@ietf.org>

        WG Chair: David Kessens
                  <mailto:david.kessens@nsn.com>

        WG Chair: Juergen Schoenwaelder
                  <mailto:j.schoenwaelder@jacobs-university.de>

        Editor:   Martin Bjorklund
                  <mailto:mbj@tail-f.com>

        Editor:   Juergen Schoenwaelder

   skipping to change at page 15, line 39 (-00) / line 44 (-01)

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
     revision 2012-11-26 {                // -00: revision 2012-06-05 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }
   }

   <CODE ENDS>
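   Review bot: the module revision in this hunk is 2012-11-26, yet the include statements above pin ietf-snmp-common, ietf-snmp-usm and ietf-snmp-tls at revision-date 2013-02-11 and add ietf-snmp-ssh, so the module is dated earlier than three of the submodules it depends on. Since the include list changed in the February 11, 2013 draft, the module should carry a matching `revision 2013-02-11 {` statement; otherwise a consumer keying on the module revision cannot tell the -01 ietf-snmp from one that predates those submodule changes.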
3.2.  Submodule 'ietf-snmp-common'

   <CODE BEGINS> file "ietf-snmp-common.yang"

   submodule ietf-snmp-common {

     belongs-to ietf-snmp {
       prefix snmp;
     }

     import ietf-yang-types {             // new in -01
       prefix yang;
     }
     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:   <http://tools.ietf.org/wg/netmod/>
        WG List:  <mailto:netmod@ietf.org>

        WG Chair: David Kessens
                  <mailto:david.kessens@nsn.com>

   skipping to change at page 16, line 47 (-00) / page 17, line 4 (-01)

        Copyright (c) 2011 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
     revision 2013-02-11 {                // -00: revision 2012-06-05 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     /* Collection of SNMP features */

     feature proxy {
       description

   skipping to change at page 17, line 38 (-00) / line 43 (-01)

     feature tsm {
       description
         "A server implements this feature if it supports the
          Transport Security Model for SNMP.";
       reference
         "RFC5591: Transport Security Model for the
                   Simple Network Management Protocol (SNMP)";
     }

     feature sshtm {                      // new in -01
       description
         "A server implements this feature if it supports the
          Secure Shell Transport Model for SNMP.";
       reference
         "RFC5592: Secure Shell Transport Model for the
                   Simple Network Management Protocol (SNMP)";
     }

     feature tlstm {
       description
         "A server implements this feature if it supports the
          Transport Layer Security Transport Model for SNMP.";
       reference
         "RFC6353: Transport Layer Security (TLS) Transport Model for
                   the Simple Network Management Protocol (SNMP)";
     }

     /* Collection of SNMP specific data types */

   skipping to change at page 19, line 36 (-00) / line 51 (-01)

         enum no-auth-no-priv { value 1; }
         enum auth-no-priv    { value 2; }
         enum auth-priv       { value 3; }
       }
       reference
         "RFC3411: An Architecture for Describing SNMP Management
                   Frameworks";
     }

     typedef engine-id {
       type yang:hex-string {               // -00: type string {
         pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}';
       }
       description
         "The Engine ID specified as a list of colon-specified hexa-
          decimal octets, e.g., '80:00:02:b8:04:61:62:63'.";
       // -00 description ended: "... octets e.g. '4F:4C:41:71'."
       reference
         "RFC3411: An Architecture for Describing SNMP Management
                   Frameworks";
     }

     typedef wildcard-object-identifier {
       type string;
       description
         "The wildcard-object-identifier type represents an SNMP object
          identifier where subidentifiers can be given either as a label,
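   Review bot: the -00 example '4F:4C:41:71' in the engine-id description is four octets, which the typedef's own pattern rejects (one octet plus `{4,31}` further octets, i.e. five to 32, the SnmpEngineID length range); the -01 example '80:00:02:b8:04:61:62:63' is valid. Switching the base type to yang:hex-string is fine but does not make the pattern redundant: hex-string on its own also admits the empty string, so the pattern must stay.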
   skipping to change at page 29, line 37 (-00) / line 52 (-01)

           leaf name {
             type snmp:identifier;
             description
               "Name of the filter profile";
             reference
               "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
           }
           leaf-list include {
             type snmp:wildcard-object-identifier;   // -00: wildcard-object-identifier
             description
               "A family of subtrees included in this filter.";
             reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
                        SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
                        SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
           }
           leaf-list exclude {
             type snmp:wildcard-object-identifier;   // -00: wildcard-object-identifier
             description
               "A family of subtrees excluded from this filter.";
             reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
                        SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
                        SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
           }
         }

         leaf enable-authen-traps {
           type boolean;
           description
             "Indicates whether the SNMP entity is permitted to
              generate authenticationFailure traps.";
           reference "SNMPv2-MIB.snmpEnableAuthenTraps";
         }
       }
   skipping to change at page 33, line 7 (-00) / line 24 (-01)

                such case represents one entry in the
                snmpTargetParamsTable.

                When the snmpProxyTargetParamsIn object contains a
                reference to a non-existing snmpTargetParamsEntry, this
                choice does not contain any case, and vice versa.";
           }
           reference "SNMP-PROXY-MIB.snmpProxyTargetParamsIn";
         }

         leaf single-target-out {
           when "../type = 'read' or ../type = 'write'";
           // -00: when "../type = read or ../type = write";
           type snmp:identifier;
           description
             "Implementations MAY restrict the values of this leaf
              to be one of the available values of /snmp/target/name in
              a valid configuration.";
           reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut";
         }
         leaf multiple-target-out {
           when "../type = 'trap' or ../type = 'inform'";
           // -00: when "../type = trap or ../type = inform";
           type snmp:identifier;
           description
             "Implementations MAY restrict the values of this leaf
              to be one of the available values of /snmp/target/tag in
              a valid configuration.";
           reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut";
         }
       }
     }
   }
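   Review bot: the -00 `when "../type = read or ../type = write"` compares the type leaf with a sibling node-set named read (and write), not with the string values, so the condition could never hold and single-target-out / multiple-target-out were unreachable in a valid configuration; the quoted literals in -01 are the correct fix. Worth sweeping the remaining when/must expressions in the module set for the same unquoted-literal pattern, since a YANG compiler accepts the -00 form without complaint.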
   skipping to change at page 37, line 39 (-00) / page 38, line 4 (-01)

     augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
       case v1 {
         uses v1-target-params;
       }
       case v2c {
         uses v2c-target-params;
       }
     }

     augment /snmp:snmp/snmp:target {
       // -00 had here:  when "snmp:v1 or snmp:v2c";
       leaf mms {
         when "snmp:params/snmp:v1 or snmp:params/snmp:v2c";   // new in -01
         type union {
           type enumeration {
             enum "unknown";
           }
           type int32 {
             range "484..max";
           }
         }
         default "484";
         reference
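   Review bot: moving the condition into leaf mms and rewriting it as `snmp:params/snmp:v1 or snmp:params/snmp:v2c` is right: v1 and v2c are cases of the target's params choice, not direct children of target, so the -00 `when "snmp:v1 or snmp:v2c"` on the augment never held. One consequence to state in the description: because the when is now on the leaf, for a target whose params are usm the mms leaf is absent rather than present with `default "484"`.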
   skipping to change at page 43, line 46 (-00) / page 44, line 15 (-01)
3.9. Submodule 'ietf-snmp-usm' 3.9. Submodule 'ietf-snmp-usm'
<CODE BEGINS> file "ietf-snmp-usm.yang" <CODE BEGINS> file "ietf-snmp-usm.yang"
submodule ietf-snmp-usm { submodule ietf-snmp-usm {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
import ietf-yang-types {
prefix yang;
}
import ietf-netconf-acm {
prefix nacm;
}
include ietf-snmp-common; include ietf-snmp-common;
include ietf-snmp-target; include ietf-snmp-target;
include ietf-snmp-proxy; include ietf-snmp-proxy;
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org> WG List: <mailto:netmod@ietf.org>
skipping to change at page 44, line 48 skipping to change at page 45, line 23
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3414: User-based Security Model (USM) for version 3 of the "RFC3414: User-based Security Model (USM) for version 3 of the
Simple Network Management Protocol (SNMPv3)."; Simple Network Management Protocol (SNMPv3).";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2012-06-05 { revision 2013-02-11 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
grouping key { grouping key {
leaf key { leaf key {
type string { type yang:hex-string;
pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2})*';
}
mandatory true; mandatory true;
nacm:default-deny-all;
description description
"Localized key specified as a list of colon-specified "Localized key specified as a list of colon-specified
hexa-decimal octets"; hexa-decimal octets";
} }
} }
grouping user-list { grouping user-list {
list user { list user {
key "name"; key "name";
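Review bot: the localized USM key leaf is the right place for nacm:default-deny-all, but switching the type to yang:hex-string drops every length check: a localized key is exactly the digest length of the user's authentication protocol (16 octets for HMAC-MD5-96, 20 for HMAC-SHA-96 per RFC 3414), while yang:hex-string accepts any number of octet pairs and, because its pattern is optional as a whole, the empty string too, so "mandatory true" on its own does not guarantee a usable key is present. Consider a length statement or a must expression tied to the user's auth/priv protocol, and let the description say explicitly that the value is the engine-localized key (Kul), not the passphrase, so an operator does not paste a password here. Wording: "colon-specified hexa-decimal" should read "colon-separated hexadecimal".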
skipping to change at page 47, line 12 skipping to change at page 47, line 36
Represents snmpTargetParamsMPModel '3' and Represents snmpTargetParamsMPModel '3' and
snmpTargetParamsSecurityModel '3'"; snmpTargetParamsSecurityModel '3'";
leaf user-name { leaf user-name {
type snmp:security-name; type snmp:security-name;
mandatory true; mandatory true;
reference reference
"SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
} }
leaf security-level { leaf security-level {
type security-level; type snmp:security-level;
mandatory true; mandatory true;
reference reference
"SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
} }
} }
} }
augment /snmp:snmp/snmp:target/snmp:params { augment /snmp:snmp/snmp:target/snmp:params {
case usm { case usm {
uses usm-target-params; uses usm-target-params;
} }
} }
augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
case usm { case usm {
uses usm-target-params; uses usm-target-params;
}
}
augment /snmp:snmp/snmp:target {
leaf engine-id {
type leafref {
path "/snmp/usm/remote/engine-id";
}
must '../usm/user-name' {
error-message
"When engine-id is set, usm/user-name must also be set.";
}
must '/snmp/usm/remote[engine-id=current()]/'
+ 'user[name=current()/../usm/user-name]' {
error-message
"When engine-id is set, the usm/user-name must exist in
the /snmp/usm/remote list for this engine-id.";
}
description
"Needed only if this target can receive InformRequest-PDUs
over SNMPv3.
This object is not present in the SNMP MIBs. In
RFC 3412, it is a implementation specific matter how this
engine-id is handled.";
reference "RFC 3412 7.1.9a";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.10. Submodule 'ietf-snmp-tsm' 3.10. Submodule 'ietf-snmp-tsm'
<CODE BEGINS> file "ietf-snmp-tsm.yang" <CODE BEGINS> file "ietf-snmp-tsm.yang"
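Review bot: the second must on the new engine-id leaf is the check that matters (the target's usm/user-name has to exist in the user list of the remote engine it is bound to), but its description stops short of saying why: the remote engine-id is what the USM keys for this target are localized under, so an engine-id that is wrong or attacker-chosen makes every InformRequest to this target authenticate with keys localized for the wrong engine. State that, fix "a implementation specific" to "an implementation-specific", and pick one style for the XPath: the leafref path and both must expressions use unprefixed names while the augment targets around them use snmp:, which is legal under RFC 6020 section 6.4.1 but invites a copy error if the expressions are reused from inside a grouping.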
skipping to change at page 50, line 7 skipping to change at page 50, line 4
} }
} }
grouping tsm-target-params { grouping tsm-target-params {
container tsm { container tsm {
description description
"Transport based security SNMPv3 parameters type. "Transport based security SNMPv3 parameters type.
Represents snmpTargetParamsMPModel '3' and Represents snmpTargetParamsMPModel '3' and
snmpTargetParamsSecurityModel '4'"; snmpTargetParamsSecurityModel '4'";
leaf security-name { leaf security-name {
type snmp:security-name; type snmp:security-name;
mandatory true; mandatory true;
reference reference
"SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
} }
leaf security-level { leaf security-level {
type security-level; type snmp:security-level;
mandatory true; mandatory true;
reference reference
"SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
} }
} }
} }
augment /snmp:snmp/snmp:target/snmp:params { augment /snmp:snmp/snmp:target/snmp:params {
if-feature tsm; if-feature tsm;
case tsm { case tsm {
skipping to change at page 50, line 49 skipping to change at page 50, line 47
3.11. Submodule 'ietf-snmp-tls' 3.11. Submodule 'ietf-snmp-tls'
<CODE BEGINS> file "ietf-snmp-tls.yang" <CODE BEGINS> file "ietf-snmp-tls.yang"
submodule ietf-snmp-tls { submodule ietf-snmp-tls {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
import ietf-yang-types {
prefix yang;
}
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
} }
include ietf-snmp-common; include ietf-snmp-common;
include ietf-snmp-engine; include ietf-snmp-engine;
include ietf-snmp-target; include ietf-snmp-target;
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
skipping to change at page 52, line 8 skipping to change at page 52, line 8
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC6353: Transport Layer Security (TLS) Transport Model for "RFC6353: Transport Layer Security (TLS) Transport Model for
the Simple Network Management Protocol (SNMP)"; the Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2012-06-05 { revision 2013-02-11 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
/* Typedefs */ /* Typedefs */
typedef tls-fingerprint { typedef tls-fingerprint {
type string { // FIXME hex-string? type yang:hex-string {
pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}'; pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
} }
description
"A fingerprint value that can be used to uniquely reference
other data of potentially arbitrary length.
An tls-fingerprint value is composed of a 1-octet hashing
algorithm identifier followed by the fingerprint value. The
octet value encoded is taken from the IANA TLS HashAlgorithm
Registry (RFC 5246). The remaining octets are filled using
the results of the hashing algorithm.
The corresponding TEXTUAL-CONVENTION allows a zero-length
value to be used for objects that are optional. In the YANG
data models, such objects are represented as optional leafs.";
reference "SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
} }
/* Identities */ /* Identities */
identity cert-to-tm-security-name { identity cert-to-tm-security-name {
} }
identity specified { identity specified {
base cert-to-tm-security-name; base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSpecified"; reference "SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
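Review bot: the relaxed pattern '{0,254}' on tls-fingerprint admits a one-octet value, which by the description is a bare hash-algorithm identifier with no digest behind it; since the description also says optional fingerprints are modelled as absent leaves rather than empty values, the lower bound should be at least 2, and ideally a must expression should tie the octet count to the algorithm octet (1+16 for md5, 1+20 for sha1, 1+32 for sha256, and so on) so a truncated fingerprint cannot be configured. The description should also warn that the md5 and sha1 identifiers from the RFC 5246 registry pass the syntax but should be rejected by policy, because this value is what identifies the peer certificate wherever a fingerprint mapping is used. Typo: "An tls-fingerprint" should be "A tls-fingerprint".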
skipping to change at page 53, line 4 skipping to change at page 53, line 17
identity san-ip-address { identity san-ip-address {
base cert-to-tm-security-name; base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress"; reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
} }
identity san-any { identity san-any {
base cert-to-tm-security-name; base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANAny"; reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
} }
identity common-name {
base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
}
augment /snmp:snmp/snmp:engine/snmp:listen { augment /snmp:snmp/snmp:engine/snmp:listen {
if-feature tlstm; if-feature tlstm;
list tls { list tls {
key "ip port"; key "ip port";
description description
"A list of IPv4 and IPv6 addresses and ports to which the "A list of IPv4 and IPv6 addresses and ports to which the
engine listens for SNMP messages over TLS."; engine listens for SNMP messages over TLS.";
leaf ip { leaf ip {
type inet:ip-address; type inet:ip-address;
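Review bot: the new common-name identity arrives with only a reference and no description; the other cert-to-tm-security-name identities are the same, but this one deserves a sentence saying that matching on the certificate's CommonName is the weakest of the mappings (CN is a free-form attribute that public CAs fill with arbitrary text, unlike the typed subjectAltName entries behind san-ip-address and san-any), so that operators prefer a subjectAltName mapping or a fingerprint with map-type specified and use common-name only for legacy certificates.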
skipping to change at page 54, line 16 skipping to change at page 54, line 36
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID"; reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
} }
leaf fingerprint { leaf fingerprint {
type tls-fingerprint; type tls-fingerprint;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint"; reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
} }
leaf map-type { leaf map-type {
type identityref { type identityref {
base cert-to-tm-security-name; base cert-to-tm-security-name;
} }
description
"Mappings that use the snmpTlstmCertToTSNData column
need to augment the 'cert-to-tm-security-name' list
with additional configuration objects corresponding
to the snmpTlstmCertToTSNData value. Such objects
should use the 'when' statement to make them
conditional based on the 'map-type'.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType"; reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
} }
// FIXME: not as flexible as the mib. to get the same
// flexibility, either change this to data (choice of binary
// and string), or remove the identities and use
// augmentation.
leaf cert-specified-tm-security-name { leaf cert-specified-tm-security-name {
when "../map-type = snmp:specified"; when "../map-type = 'snmp:specified'";
type admin-string; type snmp:admin-string;
description
"Maps to snmpTlstmCertToTSNData when 'map-type' is
'specified'.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData"; reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
} }
} }
} }
} }
grouping tls-transport { grouping tls-transport {
leaf ip { leaf ip {
type inet:ip-address; type inet:host;
reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress"; mandatory true;
reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
SNMP-TLS-TM-MIB.SnmpTLSAddress";
} }
leaf port { leaf port {
type inet:port-number; type inet:port-number;
default 10161; default 10161;
reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress"; reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
SNMP-TLS-TM-MIB.SnmpTLSAddress";
} }
leaf client-fingerprint { leaf client-fingerprint {
type tls-fingerprint; type tls-fingerprint;
reference "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint"; reference "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint";
} }
choice server-identification { leaf server-fingerprint {
leaf server-fingerprint { type tls-fingerprint;
type tls-fingerprint; reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint";
reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint"; }
} leaf server-identity {
leaf server-identity { type snmp:admin-string;
type admin-string; reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity";
reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity";
}
} }
} }
augment /snmp:snmp/snmp:target/snmp:transport { augment /snmp:snmp/snmp:target/snmp:transport {
if-feature tlstm; if-feature tlstm;
case tls { case tls {
reference "SNMP-TLS-TM-MIB.snmpTLSTCPDomain"; reference "SNMP-TLS-TM-MIB.snmpTLSTCPDomain";
container tls { container tls {
uses tls-transport; uses tls-transport;
} }
} }
} }
augment /snmp:snmp/snmp:target/snmp:transport { augment /snmp:snmp/snmp:target/snmp:transport {
if-feature tlstm; if-feature tlstm;
case dtls { case dtls {
reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain"; reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain";
container dtls { container dtls {
uses tls-transport; uses tls-transport;
}
}
}
}
<CODE ENDS>
3.12. Submodule 'ietf-snmp-ssh'
<CODE BEGINS> file "ietf-snmp-ssh.yang"
submodule ietf-snmp-ssh {
belongs-to ietf-snmp {
prefix snmp;
}
import ietf-inet-types {
prefix inet;
}
include ietf-snmp-common;
include ietf-snmp-engine;
include ietf-snmp-target;
organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org>
WG Chair: David Kessens
<mailto:david.kessens@nsn.com>
WG Chair: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>
Editor: Martin Bjorklund
<mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>";
description
"This submodule contains a collection of YANG definitions for
configuring the Secure Shell Transport Model (SSHTM)
of SNMP.
Copyright (c) 2012 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this
// note.
reference
"RFC5592: Secure Shell Transport Model for the
Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication
// and remove this note.
revision 2012-11-26 {
description
"Initial revision.";
reference
"RFC XXXX: A YANG Data Model for SNMP Configuration";
}
augment /snmp:snmp/snmp:engine/snmp:listen {
if-feature sshtm;
list ssh {
key "ip port";
description
"A list of IPv4 and IPv6 addresses and ports to which the
engine listens for SNMP messages over SSH.";
leaf ip {
type inet:ip-address;
description
"The IPv4 or IPv6 address on which the engine listens
for SNMP messages over SSH.";
}
leaf port {
type inet:port-number;
description
"The TCP port on which the engine listens for SNMP
messages over SSH.";
}
}
}
augment /snmp:snmp/snmp:target/snmp:transport {
if-feature sshtm;
case ssh {
reference "SNMP-SSH-TM-MIB.snmpSSHDomain";
container ssh {
leaf ip {
type inet:host;
mandatory true;
reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
SNMP-SSH-TM-MIB.SnmpSSHAddress";
}
leaf port {
type inet:port-number;
default 5161;
reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
SNMP-SSH-TM-MIB.SnmpSSHAddress";
}
leaf username {
type string;
reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
SNMP-SSH-TM-MIB.SnmpSSHAddress";
}
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
4. IANA Considerations 4. IANA Considerations
This document registers a URI in the IETF XML registry [RFC3688]. This document registers a URI in the IETF XML registry [RFC3688].
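Review bot: in the cert-to-tm-security-name list the fingerprint leaf has no "mandatory true", so an entry can be created that identifies no certificate at all, and cert-specified-tm-security-name is likewise optional even when map-type is specified, so the mapping that is supposed to hand out a tmSecurityName can exist with nothing to hand out; both should be mandatory (the second under its when), since an implementation that treats an absent fingerprint as "match anything" would turn a configuration slip into an authentication bypass. The when expression now compares the identityref to the literal 'snmp:specified', which works only when the instance document uses that prefix; YANG 1.0 has no derived-from-or-self(), so at least document the assumption in the description. In tls-transport the server-identification choice is gone, so nothing now stops both server-fingerprint and server-identity from being set, or neither; with ip widened to inet:host a DNS name is acceptable there, so the description should say which value the engine matches the receiver's certificate against and what, if anything, is checked when neither leaf is present. In the new ietf-snmp-ssh submodule the revision is 2012-11-26 while every other submodule moved to 2013-02-11; username is a bare string where snmp:admin-string would match the other name leaves; and the ssh target carries ip, port and username but no way to pin the receiver's SSH host key, which RFC 5592 relies on for server authentication, so the engine has nothing configured to reject an impostor at that address.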
skipping to change at page 58, line 5 skipping to change at page 60, line 41
reference: RFC XXXX reference: RFC XXXX
name: ietf-snmp-tsm name: ietf-snmp-tsm
parent: ietf-snmp parent: ietf-snmp
reference: RFC XXXX reference: RFC XXXX
name: ietf-snmp-tls name: ietf-snmp-tls
parent: ietf-snmp parent: ietf-snmp
reference: RFC XXXX reference: RFC XXXX
name: ietf-snmp-ssh
parent: ietf-snmp
reference: RFC XXXX
5. Security Considerations 5. Security Considerations
The YANG module and submodules defined in this memo are designed to The YANG module and submodules defined in this memo are designed to
be accessed via the NETCONF protocol [RFC6241]. The lowest NETCONF be accessed via the NETCONF protocol [RFC6241]. The lowest NETCONF
layer is the secure transport layer and the mandatory-to-implement layer is the secure transport layer and the mandatory-to-implement
secure transport is SSH [RFC6242]. secure transport is SSH [RFC6242].
There are a number of data nodes defined in the YANG module and There are a number of data nodes defined in the YANG module and
submodules which are writable/creatable/deletable (i.e., config true, submodules which are writable/creatable/deletable (i.e., config true,
which is the default). These data nodes may be considered sensitive which is the default). These data nodes may be considered sensitive
skipping to change at page 59, line 7 skipping to change at page 62, line 7
Some of the readable data nodes in the YANG module and submodules may Some of the readable data nodes in the YANG module and submodules may
be considered sensitive or vulnerable in some network environments. be considered sensitive or vulnerable in some network environments.
It is thus important to control read access (e.g., via get, get- It is thus important to control read access (e.g., via get, get-
config, or notification) to these data nodes. These are the subtrees config, or notification) to these data nodes. These are the subtrees
and data nodes and their sensitivity/vulnerability: and data nodes and their sensitivity/vulnerability:
<list subtrees and data nodes and state why they are sensitive> <list subtrees and data nodes and state why they are sensitive>
6. Acknowledgments 6. Acknowledgments
The authors want to thank David Spakes for his review and valuable The authors want to thank Wes Hardaker and David Spakes for their
comments. reviews and valuable comments.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the
Network Configuration Protocol (NETCONF)", RFC 6020, Network Configuration Protocol (NETCONF)", RFC 6020,
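Review bot: the readable-nodes list in Section 5 is still the template placeholder, and this revision adds exactly the nodes it should name: the localized USM key under /snmp/usm (now tagged nacm:default-deny-all, which the text should say), and on the writable side the cert-to-tm-security-name mappings, the target fingerprints and identities, and the usm remote engine-id/user bindings, where write access lets an attacker map a certificate of their choosing to a privileged tmSecurityName or steer notifications to a host they control. The RFC 6241/6242 boilerplate around the placeholders is fine; the two lists need filling before this can leave the working group.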
skipping to change at page 61, line 15 skipping to change at page 64, line 15
of the Internet-standard Network Management Framework", of the Internet-standard Network Management Framework",
BCP 74, RFC 3584, August 2003. BCP 74, RFC 3584, August 2003.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
January 2004. January 2004.
[RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model [RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model
for the Simple Network Management Protocol (SNMP)", for the Simple Network Management Protocol (SNMP)",
RFC 5591, June 2009. RFC 5591, June 2009.
[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure
Shell Transport Model for the Simple Network Management
Protocol (SNMP)", RFC 5592, June 2009.
[RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport
Model for the Simple Network Management Protocol (SNMP)", Model for the Simple Network Management Protocol (SNMP)",
RFC 6353, July 2011. RFC 6353, July 2011.
Appendix A. Example configurations Appendix A. Example configurations
A.1. Engine Configuration Example A.1. Engine Configuration Example
Below is an XML instance document showing a configuration of an SNMP Below is an XML instance document showing a configuration of an SNMP
engine listening on UDP port 161 on IPv4 and IPv6 endpoints and engine listening on UDP port 161 on IPv4 and IPv6 endpoints and
 End of changes. 62 change blocks. 
109 lines changed or deleted 297 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/