draft-ietf-netmod-snmp-cfg-01.txt   draft-ietf-netmod-snmp-cfg-02.txt 
Network Working Group M. Bjorklund Network Working Group M. Bjorklund
Internet-Draft Tail-f Systems Internet-Draft Tail-f Systems
Intended status: Standards Track J. Schoenwaelder Intended status: Standards Track J. Schoenwaelder
Expires: August 15, 2013 Jacobs University Expires: October 27, 2013 Jacobs University
February 11, 2013 April 25, 2013
A YANG Data Model for SNMP Configuration A YANG Data Model for SNMP Configuration
draft-ietf-netmod-snmp-cfg-01 draft-ietf-netmod-snmp-cfg-02
Abstract Abstract
This document defines a collection of YANG definitions for This document defines a collection of YANG definitions for
configuring SNMP engines. configuring SNMP engines.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 32 skipping to change at page 1, line 32
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 15, 2013. This Internet-Draft will expire on October 27, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Data Model . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Data Model . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. General Considerations . . . . . . . . . . . . . . . . . . 4 2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Common Definitions . . . . . . . . . . . . . . . . . . . . 4 2.2. General Considerations . . . . . . . . . . . . . . . . . . 4
2.3. Engine Configuration . . . . . . . . . . . . . . . . . . . 4 2.3. Common Definitions . . . . . . . . . . . . . . . . . . . . 4
2.4. Target Configuration . . . . . . . . . . . . . . . . . . . 5 2.4. Engine Configuration . . . . . . . . . . . . . . . . . . . 4
2.5. Notification Configuration . . . . . . . . . . . . . . . . 6 2.5. Target Configuration . . . . . . . . . . . . . . . . . . . 5
2.6. Proxy Configuration . . . . . . . . . . . . . . . . . . . 7 2.6. Notification Configuration . . . . . . . . . . . . . . . . 6
2.7. Community Configuration . . . . . . . . . . . . . . . . . 7 2.7. Proxy Configuration . . . . . . . . . . . . . . . . . . . 7
2.8. View-based Access Control Model Configuration . . . . . . 9 2.8. Community Configuration . . . . . . . . . . . . . . . . . 7
2.9. User-based Security Model Configuration . . . . . . . . . 9 2.9. View-based Access Control Model Configuration . . . . . . 9
2.10. Transport Security Model Configuration . . . . . . . . . . 11 2.10. User-based Security Model Configuration . . . . . . . . . 9
2.11. Transport Layer Security Transport Model Configuration . . 12 2.11. Transport Security Model Configuration . . . . . . . . . . 11
2.12. Secure Shell Transport Model Configuration . . . . . . . . 13 2.12. Transport Layer Security Transport Model Configuration . . 12
3. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 14 2.13. Secure Shell Transport Model Configuration . . . . . . . . 13
3.1. Module 'ietf-snmp' . . . . . . . . . . . . . . . . . . . . 14 3. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.2. Submodule 'ietf-snmp-common' . . . . . . . . . . . . . . . 16 3.1. Module 'ietf-x509-cert-to-name' . . . . . . . . . . . . . 15
3.3. Submodule 'ietf-snmp-engine' . . . . . . . . . . . . . . . 20 3.2. Module 'ietf-snmp' . . . . . . . . . . . . . . . . . . . . 20
3.4. Submodule 'ietf-snmp-target' . . . . . . . . . . . . . . . 23 3.3. Submodule 'ietf-snmp-common' . . . . . . . . . . . . . . . 22
3.5. Submodule 'ietf-snmp-notification' . . . . . . . . . . . . 27 3.4. Submodule 'ietf-snmp-engine' . . . . . . . . . . . . . . . 26
3.6. Submodule 'ietf-snmp-proxy' . . . . . . . . . . . . . . . 31 3.5. Submodule 'ietf-snmp-target' . . . . . . . . . . . . . . . 29
3.7. Submodule 'ietf-snmp-community' . . . . . . . . . . . . . 33 3.6. Submodule 'ietf-snmp-notification' . . . . . . . . . . . . 33
3.8. Submodule 'ietf-snmp-vacm' . . . . . . . . . . . . . . . . 38 3.7. Submodule 'ietf-snmp-proxy' . . . . . . . . . . . . . . . 37
3.9. Submodule 'ietf-snmp-usm' . . . . . . . . . . . . . . . . 44 3.8. Submodule 'ietf-snmp-community' . . . . . . . . . . . . . 40
3.10. Submodule 'ietf-snmp-tsm' . . . . . . . . . . . . . . . . 48 3.9. Submodule 'ietf-snmp-vacm' . . . . . . . . . . . . . . . . 44
3.11. Submodule 'ietf-snmp-tls' . . . . . . . . . . . . . . . . 50 3.10. Submodule 'ietf-snmp-usm' . . . . . . . . . . . . . . . . 50
3.12. Submodule 'ietf-snmp-ssh' . . . . . . . . . . . . . . . . 56 3.11. Submodule 'ietf-snmp-tsm' . . . . . . . . . . . . . . . . 54
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59 3.12. Submodule 'ietf-snmp-tls' . . . . . . . . . . . . . . . . 57
5. Security Considerations . . . . . . . . . . . . . . . . . . . 61 3.13. Submodule 'ietf-snmp-ssh' . . . . . . . . . . . . . . . . 61
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 62 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 64
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 63 5. Security Considerations . . . . . . . . . . . . . . . . . . . 66
7.1. Normative References . . . . . . . . . . . . . . . . . . . 63 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 68
7.2. Informative References . . . . . . . . . . . . . . . . . . 63 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Appendix A. Example configurations . . . . . . . . . . . . . . . 65 7.1. Normative References . . . . . . . . . . . . . . . . . . . 69
A.1. Engine Configuration Example . . . . . . . . . . . . . . . 65 7.2. Informative References . . . . . . . . . . . . . . . . . . 69
A.2. Community Configuration Example . . . . . . . . . . . . . 65 Appendix A. Example configurations . . . . . . . . . . . . . . . 71
A.3. User-based Security Model Configuration Example . . . . . 66 A.1. Engine Configuration Example . . . . . . . . . . . . . . . 71
A.4. Target and Notification Configuration Example . . . . . . 67 A.2. Community Configuration Example . . . . . . . . . . . . . 71
A.5. Proxy Configuration Example . . . . . . . . . . . . . . . 69 A.3. User-based Security Model Configuration Example . . . . . 72
A.6. View-based Access Control Model Configuration Example . . 71 A.4. Target and Notification Configuration Example . . . . . . 73
A.5. Proxy Configuration Example . . . . . . . . . . . . . . . 75
A.6. View-based Access Control Model Configuration Example . . 77
A.7. Transport Layer Security Transport Model Configuration A.7. Transport Layer Security Transport Model Configuration
Example . . . . . . . . . . . . . . . . . . . . . . . . . 73 Example . . . . . . . . . . . . . . . . . . . . . . . . . 79
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 81
1. Introduction 1. Introduction
This document defines a YANG [RFC6020] data model for the This document defines a YANG [RFC6020] data model for the
configuration of SNMP engines. The configuration model is consistent configuration of SNMP engines. The configuration model is consistent
with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413], with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413],
[RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591], [RFC5592], and [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591], [RFC5592], and
[RFC6353] but takes advantage of YANG's ability to define [RFC6353] but takes advantage of YANG's ability to define
hierarchical configuration data models. The structure of the model hierarchical configuration data models. The structure of the model
has been derived from existing proprietary configuration models has been derived from existing proprietary configuration models
implemented as command line interfaces. implemented as command line interfaces.
This document also defines a YANG data model for mapping a X.509
certificate to a name.
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14, [RFC2119]. 14, [RFC2119].
2. Data Model 2. Data Model
In order to preserve the modularity of SNMP, the YANG configuration In order to preserve the modularity of SNMP, the YANG configuration
data model is organized in a set of YANG submodules, all sharing the data model is organized in a set of YANG submodules, all sharing the
same module namespace. This allows to add configuration support for same module namespace. This allows to add configuration support for
additional SNMP features while keeping the number of namespaces that additional SNMP features while keeping the number of namespaces that
have to be dealt with down to a minimum. have to be dealt with down to a minimum.
2.1. General Considerations 2.1. Tree Diagrams
Most YANG nodes are mapped 1-1 to the corresponding MIB object. The A simplified graphical representation of the data model is used in
"reference" statement is used to indicate which corresponding MIB this document. The meaning of the symbols in these diagrams is as
object the YANG node is mapped to. When there is not a simple 1-1 follows:
mapping, the "description" statement explains the mapping.
2.2. Common Definitions o Brackets "[" and "]" enclose list keys.
The submodule "ietf-snmp-common" defines a set of common typedefs, o Abbreviations before data node names: "rw" means configuration
features, and the top-level container "snmp". All configuration (read-write) and "ro" state data (read-only).
parameters defined in the other submodules are organized under this
top-level container.
This submodule defines five YANG features: o Symbols after data node names: "?" means an optional node and "*"
denotes a "leaf-list".
proxy: A server implements this feature if it can act as an SNMP o Parentheses enclose choice and case nodes, and case nodes are also
Proxy. marked with a colon (":").
notification-filter: A server implements this feature if it supports o Ellipsis ("...") stands for contents of subtrees that are not
SNMP notification filtering. shown.
tsm: A server implements this feature if it supports the Transport 2.2. General Considerations
Security Model (tsm) [RFC5591].
sshtm: A server implements this feature if it supports the Secure Most YANG nodes are mapped 1-1 to the corresponding MIB object. The
Shell (SSH) Transport Model (sshtm) [RFC5592]. "reference" statement is used to indicate which corresponding MIB
object the YANG node is mapped to. When there is not a simple 1-1
mapping, the "description" statement explains the mapping.
tlstm: A server implements this feature if it supports the Transport 2.3. Common Definitions
Layer Security (TLS) Transport Model (tlstm) [RFC6353].
2.3. Engine Configuration The submodule "ietf-snmp-common" defines a set of common typedefs and
the top-level container "snmp". All configuration parameters defined
in the other submodules are organized under this top-level container.
2.4. Engine Configuration
The submodule "ietf-snmp-engine", which defines configuration The submodule "ietf-snmp-engine", which defines configuration
parameters that are specific to SNMP engines, has the following parameters that are specific to SNMP engines, has the following
structure: structure:
+--rw snmp +--rw snmp
+--rw engine +--rw engine
+--rw enabled? boolean +--rw enabled? boolean
+--rw listen +--rw listen
| +--rw udp [ip port] | +--rw udp [ip port]
| +--rw ip inet:ip-address | +--rw ip inet:ip-address
| +--rw port inet:port-number | +--rw port inet:port-number
+--rw version +--rw version
| +--rw v1? empty | +--rw v1? empty
| +--rw v2c? empty | +--rw v2c? empty
| +--rw v3? empty | +--rw v3? empty
+--rw engine-id? snmp:engine-id +--rw engine-id? snmp:engine-id
+--rw enable-authen-traps? boolean
The leaf "/snmp/engine/enabled" can be used to enable/disable an SNMP The leaf "/snmp/engine/enabled" can be used to enable/disable an SNMP
engine. engine.
The container "/snmp/engine/listen" provides configuration of the The container "/snmp/engine/listen" provides configuration of the
transport endpoints the engine is listening to. In this submodule, transport endpoints the engine is listening to. In this submodule,
SNMP over UDP is defined. TLS and Datagram Transport Layer Security SNMP over UDP is defined. TLS and Datagram Transport Layer Security
(DTLS) are also supported, defined in "ietf-snmp-tls" (Section 2.11). (DTLS) are also supported, defined in "ietf-snmp-tls" (Section 2.12).
The "listen" container is expected to be augmented for other The "listen" container is expected to be augmented for other
transports. transports.
The "/snmp/engine/version" container can be used to enable/disable The "/snmp/engine/version" container can be used to enable/disable
the different message processing models. the different message processing models.
2.4. Target Configuration 2.5. Target Configuration
The submodule "ietf-snmp-target", which defines configuration The submodule "ietf-snmp-target", which defines configuration
parameters that correspond to the objects in SNMP-TARGET-MIB, has the parameters that correspond to the objects in SNMP-TARGET-MIB, has the
following structure: following structure:
+--rw snmp +--rw snmp
+--rw target [name] +--rw target [name]
+--rw name snmp:identifier +--rw name snmp:identifier
+--rw (transport) +--rw (transport)
| +--:(udp) | +--:(udp)
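Review bot: the engine tree in Section 2.4 gains "enable-authen-traps? boolean" (moved out of the notification tree), but the paragraphs after the tree still describe only "enabled", "listen" and "version". Suggest adding a sentence on what the leaf controls and which MIB object it maps to, since Section 2.2 promises that mapping for every node. Separately, the table of contents adds Section 3.1 for module 'ietf-x509-cert-to-name' but lists no Section 2 subsection describing its structure, and the new Introduction sentence should read "an X.509 certificate".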
skipping to change at page 6, line 9 skipping to change at page 6, line 10
+--rw retries? uint8 +--rw retries? uint8
+--rw (params)? +--rw (params)?
An entry in the list "/snmp/target" corresponds to an An entry in the list "/snmp/target" corresponds to an
"snmpTargetAddrEntry". "snmpTargetAddrEntry".
The "snmpTargetAddrTDomain" and "snmpTargetAddrTAddress" objects are The "snmpTargetAddrTDomain" and "snmpTargetAddrTAddress" objects are
mapped to transport-specific YANG nodes. Each transport is mapped to transport-specific YANG nodes. Each transport is
configured as a separate case in the "transport" choice. In this configured as a separate case in the "transport" choice. In this
submodule, SNMP over UDP is defined. TLS and DTLS are also submodule, SNMP over UDP is defined. TLS and DTLS are also
supported, defined in "ietf-snmp-tls" (Section 2.11). The supported, defined in "ietf-snmp-tls" (Section 2.12). The
"transport" choice is expected to be augmented for other transports. "transport" choice is expected to be augmented for other transports.
In order to provide a simpler configuration model with less cross- In order to provide a simpler configuration model with less cross-
references, the "target" list also inlines the references, the "target" list also inlines the
"snmpTargetParamsEntry" pointed to by "snmpTargetAddrParams". This "snmpTargetParamsEntry" pointed to by "snmpTargetAddrParams". This
is accomplished with a choice "params", which is augmented by is accomplished with a choice "params", which is augmented by
security model specific submodules, currently "ietf-snmp-community" security model specific submodules, currently "ietf-snmp-community"
(Section 2.7), "ietf-snmp-usm" (Section 2.9), and "ietf-snmp-tls" (Section 2.8), "ietf-snmp-usm" (Section 2.10), and "ietf-snmp-tls"
(Section 2.11). (Section 2.12).
The YANG model does not define a separate list that maps directly to The YANG model does not define a separate list that maps directly to
"snmpTargetParamsTable". Since "snmpProxyTable" also has a reference "snmpTargetParamsTable". Since "snmpProxyTable" also has a reference
to this table, "snmpProxyTable" also has a choice "params" which is to this table, "snmpProxyTable" also has a choice "params" which is
augmented by security model specific submodules (Section 2.6). augmented by security model specific submodules (Section 2.7).
2.5. Notification Configuration 2.6. Notification Configuration
The submodule "ietf-snmp-notification", which defines configuration The submodule "ietf-snmp-notification", which defines configuration
parameters that correspond to the objects in SNMP-NOTIFICATION-MIB, parameters that correspond to the objects in SNMP-NOTIFICATION-MIB,
has the following structure: has the following structure:
+--rw snmp +--rw snmp
+--rw notify [name] +--rw notify [name]
| +--rw name snmp:identifier | +--rw name snmp:identifier
| +--rw tag snmp:identifier | +--rw tag snmp:identifier
| +--rw type? enumeration | +--rw type? enumeration
+--rw notify-filter-profile [name] +--rw notify-filter-profile [name]
| +--rw name snmp:identifier +--rw name snmp:identifier
| +--rw include* wildcard-object-identifier +--rw include* wildcard-object-identifier
| +--rw exclude* wildcard-object-identifier +--rw exclude* wildcard-object-identifier
+--rw enable-authen-traps? boolean
It also augments the "target" list defined in the "ietf-snmp-target" It also augments the "target" list defined in the "ietf-snmp-target"
submodule (Section 2.4) with one leaf: submodule (Section 2.5) with one leaf:
+--rw snmp +--rw snmp
+--rw target [name] +--rw target [name]
... ...
+--rw notify-filter-profile? leafref +--rw notify-filter-profile? leafref
An entry in the list "/snmp/notify" corresponds to an An entry in the list "/snmp/notify" corresponds to an
"snmpNotifyEntry". "snmpNotifyEntry".
An entry in the list "/snmp/notify-filter-profile" corresponds to an An entry in the list "/snmp/notify-filter-profile" corresponds to an
"snmpNotifyFilterProfileEntry". In the MIB, there is a sparse "snmpNotifyFilterProfileEntry". In the MIB, there is a sparse
relationship between "snmpTargetParamsTable" and relationship between "snmpTargetParamsTable" and
"snmpNotifyFilterProfileTable". In the YANG model, this sparse "snmpNotifyFilterProfileTable". In the YANG model, this sparse
relationship is represented with a leafref leaf relationship is represented with a leafref leaf
"notify-filter-profile" in the "/snmp/target" list, which refers to "notify-filter-profile" in the "/snmp/target" list, which refers to
an entry in the "/snmp/notify-filter-profile" list. an entry in the "/snmp/notify-filter-profile" list.
The "snmpNotifyFilterTable" is represented as a list "filter" within The "snmpNotifyFilterTable" is represented as a list "filter" within
the "/snmp/notify-filter-profile" list. the "/snmp/notify-filter-profile" list.
2.6. Proxy Configuration This submodule defines the feature "notification-filter". A server
implements this feature if it supports SNMP notification filtering.
2.7. Proxy Configuration
The submodule "ietf-snmp-proxy", which defines configuration The submodule "ietf-snmp-proxy", which defines configuration
parameters that correspond to the objects in SNMP-PROXY-MIB, has the parameters that correspond to the objects in SNMP-PROXY-MIB, has the
following structure: following structure:
+--rw snmp +--rw snmp
+--rw proxy [name] +--rw proxy [name]
+--rw name snmp:identifier +--rw name snmp:identifier
+--rw type enumeration +--rw type enumeration
+--rw context-engine-id snmp:engine-id +--rw context-engine-id snmp:engine-id
+--rw context-name? snmp:context-name +--rw context-name? snmp:context-name
+--rw params-in +--rw params-in
| +--rw (params) | +--rw (params)
+--rw single-target-out? snmp:identifier +--rw single-target-out? snmp:identifier
+--rw multiple-target-out? snmp:identifier +--rw multiple-target-out? snmp:identifier
An entry in the list "/snmp/proxy" corresponds to an An entry in the list "/snmp/proxy" corresponds to an
"snmpProxyEntry". "snmpProxyEntry".
Like the "target" list (Section 2.4), the "proxy" list inlines the Like the "target" list (Section 2.5), the "proxy" list inlines the
"snmpTargetParamsEntry" pointed to by "snmpProxyTargetParamsIn". "snmpTargetParamsEntry" pointed to by "snmpProxyTargetParamsIn".
This is accomplished with a choice "params", which is augmented by This is accomplished with a choice "params", which is augmented by
security model specific submodules, currently "ietf-snmp-community" security model specific submodules, currently "ietf-snmp-community"
(Section 2.7), "ietf-snmp-usm" (Section 2.9), and "ietf-snmp-tls" (Section 2.8), "ietf-snmp-usm" (Section 2.10), and "ietf-snmp-tls"
(Section 2.11). (Section 2.12).
2.7. Community Configuration This submodule defines the feature "proxy". A server implements this
feature if it can act as an SNMP Proxy.
2.8. Community Configuration
The submodule "ietf-snmp-community", which defines configuration The submodule "ietf-snmp-community", which defines configuration
parameters that correspond to the objects in SNMP-COMMUNITY-MIB, has parameters that correspond to the objects in SNMP-COMMUNITY-MIB, has
the following structure: the following structure:
+--rw snmp +--rw snmp
+--rw community [index] +--rw community [index]
+--rw index snmp:identifier +--rw index snmp:identifier
+--rw (name)? +--rw (name)?
| +--:(text-name) | +--:(text-name)
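Review bot: the paragraph just above the new "notification-filter" feature text still says "snmpNotifyFilterTable" is represented as a list "filter" within "/snmp/notify-filter-profile", while the tree in this hunk shows only the leaf-lists "include*" and "exclude*" under that list. Suggest rewording the paragraph to describe the include/exclude leaf-lists. The added feature sentences for "notification-filter" and "proxy" would also be clearer if they named the nodes that are conditional on each feature.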
skipping to change at page 9, line 5 skipping to change at page 9, line 5
+--rw security-name snmp:security-name +--rw security-name snmp:security-name
An entry in the list "/snmp/community" corresponds to an An entry in the list "/snmp/community" corresponds to an
"snmpCommunityEntry". "snmpCommunityEntry".
When a case "v1" or "v2c" is chosen, it implies a When a case "v1" or "v2c" is chosen, it implies a
snmpTargetParamsMPModel 0 (SNMPv1) or 1 (SNMPv2), and a snmpTargetParamsMPModel 0 (SNMPv1) or 1 (SNMPv2), and a
snmpTargetParamsSecurityModel 1 (SNMPv1) or 2 (SNMPv2), respectively. snmpTargetParamsSecurityModel 1 (SNMPv1) or 2 (SNMPv2), respectively.
Both cases implies a snmpTargetParamsSecurityLevel of noAuthNoPriv. Both cases implies a snmpTargetParamsSecurityLevel of noAuthNoPriv.
2.8. View-based Access Control Model Configuration 2.9. View-based Access Control Model Configuration
The submodule "ietf-snmp-vacm", which defines configuration The submodule "ietf-snmp-vacm", which defines configuration
parameters that correspond to the objects in SNMP-VIEW-BASED-ACM-MIB, parameters that correspond to the objects in SNMP-VIEW-BASED-ACM-MIB,
has the following structure: has the following structure:
+--rw snmp +--rw snmp
+--rw vacm +--rw vacm
+--rw group [name] +--rw group [name]
| +--rw name group-name | +--rw name group-name
| +--rw member [security-name] | +--rw member [security-name]
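Review bot: the community paragraph above the renumbered 2.9 heading is carried over unchanged and still reads "Both cases implies"; it should be "Both cases imply". In the same paragraph the case is named "v2c" but the parentheticals say "SNMPv2"; using "SNMPv2c" there would match the case name.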
skipping to change at page 9, line 42 skipping to change at page 9, line 42
structure of nested lists in the YANG model. Groups are defined in structure of nested lists in the YANG model. Groups are defined in
the list "/snmp/vacm/group" and for each group there is a sublist the list "/snmp/vacm/group" and for each group there is a sublist
"member" that maps to "vacmSecurityToGroupTable", and a sublist "member" that maps to "vacmSecurityToGroupTable", and a sublist
"access" that maps to "vacmAccessTable". "access" that maps to "vacmAccessTable".
MIB views are defined in the list "/snmp/vacm/view" and for each MIB MIB views are defined in the list "/snmp/vacm/view" and for each MIB
view there is a leaf-list of included subtree families and a leaf- view there is a leaf-list of included subtree families and a leaf-
list of excluded subtree families. This is more compact and thus a list of excluded subtree families. This is more compact and thus a
more readable representation of the "vacmViewTreeFamilyTable". more readable representation of the "vacmViewTreeFamilyTable".
2.9. User-based Security Model Configuration 2.10. User-based Security Model Configuration
The submodule "ietf-snmp-usm", which defines configuration parameters The submodule "ietf-snmp-usm", which defines configuration parameters
that correspond to the objects in SNMP-USER-BASED-SM-MIB, has the that correspond to the objects in SNMP-USER-BASED-SM-MIB, has the
following structure: following structure:
+--rw snmp +--rw snmp
+--rw usm +--rw usm
+--rw local +--rw local
| +--rw user [name] | +--rw user [name]
| +-- {common user params} | +-- {common user params}
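Review bot: the USM tree uses a "{common user params}" placeholder, but the Tree Diagrams legend added as Section 2.1 in this revision does not define the brace notation. Suggest adding a bullet to the legend explaining that braces stand for a group of nodes expanded separately in the text.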
skipping to change at page 11, line 32 skipping to change at page 11, line 32
In the MIB, there is a single table with local and remote users, In the MIB, there is a single table with local and remote users,
indexed by the engine id and user name. In the YANG model, there is indexed by the engine id and user name. In the YANG model, there is
one list of local users, and a nested list of remote users. one list of local users, and a nested list of remote users.
In the MIB, there are several objects related to changing the In the MIB, there are several objects related to changing the
authentication and privacy keys. These objects are not present in authentication and privacy keys. These objects are not present in
the YANG model. However, the localized key can be changed. This the YANG model. However, the localized key can be changed. This
implies that if the engine id is changed, all users keys need to be implies that if the engine id is changed, all users keys need to be
changed as well. changed as well.
2.10. Transport Security Model Configuration 2.11. Transport Security Model Configuration
The submodule "ietf-snmp-tsm", which defines configuration parameters The submodule "ietf-snmp-tsm", which defines configuration parameters
that correspond to the objects in SNMP-TSM-MIB, has the following that correspond to the objects in SNMP-TSM-MIB, has the following
structure: structure:
+--rw snmp +--rw snmp
+--rw tsm +--rw tsm
+--rw use-prefix? boolean +--rw use-prefix? boolean
It also augments the "/snmp/target/params" and "/snmp/proxy/ It also augments the "/snmp/target/params" and "/snmp/proxy/
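Review bot: the paragraph on localized keys says that changing the engine id means all user keys must be changed, but does not say what a server does when "/snmp/engine/engine-id" is modified and the USM user entries are left as they are. Suggest stating the expected behaviour (for example whether such a configuration is rejected or the affected users simply stop authenticating). Also "all users keys" should be "all users' keys".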
skipping to change at page 12, line 22 skipping to change at page 12, line 22
| +--rw security-level security-level | +--rw security-level security-level
+--rw proxy [name] +--rw proxy [name]
... ...
+--rw params-in +--rw params-in
+--rw (params) +--rw (params)
+--:(tsm) +--:(tsm)
+--rw tsm +--rw tsm
+--rw security-name snmp:security-name +--rw security-name snmp:security-name
+--rw security-level security-level +--rw security-level security-level
2.11. Transport Layer Security Transport Model Configuration This submodule defines the feature "tsm". A server implements this
feature if it supports the Transport Security Model (tsm) [RFC5591].
2.12. Transport Layer Security Transport Model Configuration
The submodule "ietf-snmp-tls", which defines configuration parameters The submodule "ietf-snmp-tls", which defines configuration parameters
that correspond to the objects in SNMP-TLS-TM-MIB, has the following that correspond to the objects in SNMP-TLS-TM-MIB, has the following
structure: structure:
+--rw snmp +--rw snmp
... ...
+--rw target [name] +--rw target [name]
| ... | ...
| +--rw (transport) | +--rw (transport)
| ... | ...
| +--:(tls) | +--:(tls)
| | +--rw tls | | +--rw tls
| | +-- {common (d)tls transport params} | | +-- {common (d)tls transport params}
| +--:(dtls) | +--:(dtls)
| +--rw dtls | +--rw dtls
| +-- {common (d)tls transport params} | +-- {common (d)tls transport params}
+--rw tlstm +--rw tlstm
+--rw cert-to-tm-security-name [id] +--rw cert-to-name [id]
+--rw id uint32 +--rw id uint32
+--rw fingerprint? tls-fingerprint +--rw fingerprint x509c2n:tls-fingerprint
+--rw map-type? identityref +--rw map-type identityref
+--rw cert-specified-tm-security-name? admin-string +--rw name string
The "{common (d)tls transport params}" are: The "{common (d)tls transport params}" are:
+--rw ip? inet:ip-address +--rw ip? inet:host
+--rw port? inet:port-number +--rw port? inet:port-number
+--rw client-fingerprint? tls-fingerprint +--rw client-fingerprint? x509c2n:tls-fingerprint
+--rw server-fingerprint? tls-fingerprint +--rw server-fingerprint? x509c2n:tls-fingerprint
+--rw server-identity? admin-string +--rw server-identity? snmp:admin-string
It also augments the "/snmp/engine/listen" container with objects for It also augments the "/snmp/engine/listen" container with objects for
the D(TLS) transport endpoints: the D(TLS) transport endpoints:
+--rw snmp +--rw snmp
+--rw engine +--rw engine
... ...
+--rw listen +--rw listen
... ...
+--rw tls [ip port] +--rw tls [ip port]
| +--rw ip inet:ip-address | +--rw ip inet:ip-address
| +--rw port inet:port-number | +--rw port inet:port-number
+--rw dtls [ip port] +--rw dtls [ip port]
+--rw ip inet:ip-address +--rw ip inet:ip-address
+--rw port inet:port-number +--rw port inet:port-number
2.12. Secure Shell Transport Model Configuration This submodule defines the feature "tlstm". A server implements this
feature if it supports the Transport Layer Security (TLS) Transport
Model (tlstm) [RFC6353].
2.13. Secure Shell Transport Model Configuration
The submodule "ietf-snmp-ssh", which defines configuration parameters The submodule "ietf-snmp-ssh", which defines configuration parameters
that correspond to the objects in SNMP-SSH-TM-MIB, has the following that correspond to the objects in SNMP-SSH-TM-MIB, has the following
structure: structure:
+--rw snmp +--rw snmp
... ...
+--rw target [name] +--rw target [name]
... ...
+--rw (transport) +--rw (transport)
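Review bot: in the "{common (d)tls transport params}" tree the leaf is still named "ip" although its type changes from inet:ip-address to inet:host, so it can now carry a DNS name while the "tls" and "dtls" listen lists keep inet:ip-address. Suggest renaming the leaf or stating in the text that a host name is allowed and how it relates to "server-identity" and the fingerprint leaves. In the renamed "cert-to-name" list, "fingerprint", "map-type" and "name" lose their "?" and become mandatory; the old leaf name tied the value to the certificate-specified case, so the text should say what the now-mandatory "name" holds for other map types. The sentence introducing the listen augmentation writes "D(TLS)" where the rest of the section uses "(d)tls".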
skipping to change at page 14, line 5 skipping to change at page 14, line 12
It also augments the "/snmp/engine/listen" container with objects for It also augments the "/snmp/engine/listen" container with objects for
the SSH transport endpoints: the SSH transport endpoints:
+--rw snmp +--rw snmp
+--rw engine +--rw engine
... ...
+--rw listen +--rw listen
... ...
+--rw ssh [ip port] +--rw ssh [ip port]
This submodule defines the feature "sshtm". A server implements this
feature if it supports the Secure Shell (SSH) Transport Model (sshtm)
[RFC5592].
3. Definitions 3. Definitions
3.1. Module 'ietf-snmp' 3.1. Module 'ietf-x509-cert-to-name'
<CODE BEGINS> file "ietf-x509-cert-to-name.yang"
module ietf-x509-cert-to-name {
namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name";
prefix x509c2n;
import ietf-yang-types {
prefix yang;
}
organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org>
WG Chair: David Kessens
<mailto:david.kessens@nsn.com>
WG Chair: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>
Editor: Martin Bjorklund
<mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>";
description
"This module contains a collection of YANG definitions for
extracting a name from a X.509 certificate.
The algorithm used to extract a name from a X.509 certificate
was first defined in RFC 6353.
Copyright (c) 2013 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this
// note.
reference
"RFC6353: Transport Layer Security (TLS) Transport Model for
the Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication
// and remove this note.
revision 2013-03-26 {
description
"Initial revision.";
reference
"RFC XXXX: A YANG Data Model for SNMP Configuration";
}
typedef tls-fingerprint {
type yang:hex-string {
pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
}
description
"A fingerprint value that can be used to uniquely reference
other data of potentially arbitrary length.
An tls-fingerprint value is composed of a 1-octet hashing
algorithm identifier followed by the fingerprint value. The
first octet value identifying the hashing algorithm is taken
from the IANA TLS HashAlgorithm Registry (RFC 5246). The
remaining octets are filled using the results of the hashing
algorithm.";
reference "SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
}
/* Identities */
identity cert-to-name {
description
"Base identity for algorithms to derive a name from a
certificate.";
}
identity specified {
base cert-to-name;
description
"Directly specifies the name to be used for the certificate.
The value of the leaf 'name' in 'cert-to-name' list is used.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
}
identity san-rfc822-name {
base cert-to-name;
description
"Maps a subjectAltName's rfc822Name to a name. The local part
of the rfc822Name is passed unaltered but the host-part of the
name must be passed in lowercase. This mapping results in a
1:1 correspondence between equivalent subjectAltName
rfc822Name values and name values except that the host-part
of the name MUST be passed in lowercase. For example, the
rfc822Name field FooBar@Example.COM is mapped to name
FooBar@example.com.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
}
identity san-dns-name {
base cert-to-name;
description
"Maps a subjectAltName's dNSName to a name after first
converting it to all lowercase (RFC 5280 does not specify
converting to lowercase so this involves an extra step).
This mapping results in a 1:1 correspondence between
subjectAltName dNSName values and the name values.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
}
identity san-ip-address {
base cert-to-name;
description
"Maps a subjectAltName's iPAddress to a name by
transforming the binary encoded address as follows:
1) for IPv4, the value is converted into a
decimal-dotted quad address (e.g., '192.0.2.1').
2) for IPv6 addresses, the value is converted into a
32-character all lowercase hexadecimal string
without any colon separators.
This mapping results in a 1:1 correspondence between
subjectAltName iPAddress values and the name values.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
}
identity san-any {
base cert-to-name;
description
"Maps any of the following fields using the corresponding
mapping algorithms:
+------------+-----------------+
| Type | Algorithm |
|------------+-----------------|
| rfc822Name | san-rfc822-name |
| dNSName | san-dns-name |
| iPAddress | san-ip-address |
+------------+-----------------+
The first matching subjectAltName value found in the
certificate of the above types MUST be used when deriving
the name. The mapping algorithm specified in the
'Algorithm' column MUST be used to derive the name.
This mapping results in a 1:1 correspondence between
subjectAltName values and name values. The three sub-mapping
algorithms produced by this combined algorithm cannot produce
conflicting results between themselves.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
}
identity common-name {
base cert-to-name;
description
"Maps a certificate's CommonName to a name after converting
it to a UTF-8 encoding. The usage of CommonNames is
deprecated and users are encouraged to use subjectAltName
mapping methods instead. This mapping results in a 1:1
correspondence between certificate CommonName values and name
values.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
}
/*
* Groupings
*/
grouping cert-to-name {
description
"Defines nodes for mapping certificates to names. Modules
that uses this grouping should describe how the resulting
name is used.";
list cert-to-name {
key id;
description
"This list defines how certificates are mapped to names.
The name is derived by considering each cert-to-name
list entry in order. The cert-to-name entry's fingerprint
determines whether the list entry is a match:
1) If the cert-to-name list entry's fingerprint value
matches that of the presented certificate, then consider
the list entry as a successful match.
2) If the cert-to-name list entry's fingerprint value
matches that of a locally held copy of a trusted CA
certificate, and that CA certificate was part of the CA
certificate chain to the presented certificate, then
consider the list entry as a successful match.
Once a matching cert-to-name list entry has been found, the
map-type is used to determine how the name associated with
the certificate should be determined. See the map-type
leaf's description for details on determining the name value.
If it is impossible to determine a name from the cert-to-name
list entry's data combined with the data presented in the
certificate, then additional cert-to-name list entries MUST
be searched looking for another potential match.
Security administrators are encouraged to make use of
certificates with subjectAltName fields that can be mapped to
names so that a single root CA certificate can allow all
child certificate's subjectAltName to map directly to a name
via a 1:1 transformation.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";
leaf id {
type uint32;
description
"The id specifies the order in which the entries in the
cert-to-name list are searched. Entries with lower
numbers are searched first.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
}
leaf fingerprint {
type x509c2n:tls-fingerprint;
mandatory true;
description
"Specifies a value with which the fingerprint of the
certificate presented by the peer is compared. If the
fingerprint of the certificate presented by the peer does
not match the fingerprint configured, then the entry is
skipped and the search for a match continues.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
}
leaf map-type {
type identityref {
base cert-to-name;
}
mandatory true;
description
"Specifies the algorithm used to map the certificate
presented by the peer to a name.
Mappings that need additional configuration objects should
use the 'when' statement to make them conditional based on
the 'map-type'.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
}
leaf name {
when "../map-type = 'x509c2n:specified'";
type string;
mandatory true;
description
"Directly specifies the NETCONF username when the
'map-type' is 'specified'.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
}
}
}
}
<CODE ENDS>
3.2. Module 'ietf-snmp'
<CODE BEGINS> file "ietf-snmp.yang" <CODE BEGINS> file "ietf-snmp.yang"
module ietf-snmp { module ietf-snmp {
namespace "urn:ietf:params:xml:ns:yang:ietf-snmp"; namespace "urn:ietf:params:xml:ns:yang:ietf-snmp";
prefix snmp; prefix snmp;
// RFC Ed.: update the dates below with the date of RFC publication
// and remove this note.
include ietf-snmp-common { include ietf-snmp-common {
revision-date 2013-02-11; revision-date 2013-03-26;
} }
include ietf-snmp-engine { include ietf-snmp-engine {
revision-date 2012-06-05; revision-date 2013-03-26;
} }
include ietf-snmp-target { include ietf-snmp-target {
revision-date 2012-06-05; revision-date 2013-03-26;
} }
include ietf-snmp-notification { include ietf-snmp-notification {
revision-date 2012-06-05; revision-date 2013-03-26;
} }
include ietf-snmp-proxy { include ietf-snmp-proxy {
revision-date 2012-06-05; revision-date 2013-03-26;
} }
include ietf-snmp-community { include ietf-snmp-community {
revision-date 2012-06-05; revision-date 2013-03-26;
} }
include ietf-snmp-usm { include ietf-snmp-usm {
revision-date 2013-02-11; revision-date 2013-03-26;
} }
include ietf-snmp-tsm { include ietf-snmp-tsm {
revision-date 2012-06-05; revision-date 2013-03-26;
} }
include ietf-snmp-vacm { include ietf-snmp-vacm {
revision-date 2012-06-05; revision-date 2013-03-26;
} }
include ietf-snmp-tls { include ietf-snmp-tls {
revision-date 2013-02-11; revision-date 2013-03-26;
} }
include ietf-snmp-ssh { include ietf-snmp-ssh {
revision-date 2012-11-26; revision-date 2013-03-26;
} }
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org> WG List: <mailto:netmod@ietf.org>
WG Chair: David Kessens WG Chair: David Kessens
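Review bot: The description of leaf "name" in grouping cert-to-name says it "Directly specifies the NETCONF username", but the grouping's own description leaves the use of the resulting name to the module that uses it, and identity "specified" only speaks of "the name to be used for the certificate". Make the leaf description protocol-neutral so it is also correct when the grouping is used for SNMP. Two smaller points in the same module: the tls-fingerprint pattern accepts a single octet, that is, a hash algorithm identifier with no hash value after it, so either require at least two octets or state what a one-octet value means; and the descriptions contain "An tls-fingerprint" and "Modules that uses this grouping".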
skipping to change at page 15, line 25 skipping to change at page 22, line 16
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This module contains a collection of YANG definitions for "This module contains a collection of YANG definitions for
configuring SNMP engines. configuring SNMP engines.
Copyright (c) 2011 IETF Trust and the persons identified as Copyright (c) 2013 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2012-11-26 { revision 2013-03-26 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
} }
<CODE ENDS> <CODE ENDS>
3.2. Submodule 'ietf-snmp-common' 3.3. Submodule 'ietf-snmp-common'
<CODE BEGINS> file "ietf-snmp-common.yang" <CODE BEGINS> file "ietf-snmp-common.yang"
submodule ietf-snmp-common { submodule ietf-snmp-common {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
} }
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
skipping to change at page 16, line 43 skipping to change at page 23, line 35
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of common YANG definitions "This submodule contains a collection of common YANG definitions
for configuring SNMP engines. for configuring SNMP engines.
Copyright (c) 2011 IETF Trust and the persons identified as Copyright (c) 2013 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-02-11 { revision 2013-03-26 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
/* Collection of SNMP features */
feature proxy {
description
"A server implements this feature if it can act as an
SNMP Proxy";
}
feature notification-filter {
description
"A server implements this feature if it supports SNMP
notification filtering.";
}
feature tsm {
description
"A server implements this feature if it supports the
Transport Security Model for SNMP.";
reference
"RFC5591: Transport Security Model for the
Simple Network Management Protocol (SNMP)";
}
feature sshtm {
description
"A server implements this feature if it supports the
Secure Shell Transport Model for SNMP.";
reference
"RFC5592: Secure Shell Transport Model for the
Simple Network Management Protocol (SNMP)";
}
feature tlstm {
description
"A server implements this feature if it supports the
Transport Layer Security Transport Model for SNMP.";
reference
"RFC6353: Transport Layer Security (TLS) Transport Model for
the Simple Network Management Protocol (SNMP)";
}
/* Collection of SNMP specific data types */ /* Collection of SNMP specific data types */
typedef admin-string { typedef admin-string {
type string { type string {
length "0..255"; length "0..255";
} }
description description
"Represents and SnmpAdminString as defined in RFC 3411. "Represents and SnmpAdminString as defined in RFC 3411.
Note that the size of an SnmpAdminString is measured in Note that the size of an SnmpAdminString is measured in
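Review bot: The features sshtm and tlstm are now defined here in ietf-snmp-common, yet the paragraphs added to the transport model sections say "This submodule defines the feature "tlstm"" and "This submodule defines the feature "sshtm"", the latter in the section on submodule "ietf-snmp-ssh". Reword those paragraphs to name ietf-snmp-common as the place of definition, or keep the feature definitions in the transport submodules. In this hunk, the description of feature proxy lacks its closing period and, unlike tsm, sshtm and tlstm, carries no reference statement, and the admin-string description still reads "Represents and SnmpAdminString".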
skipping to change at page 20, line 32 skipping to change at page 26, line 32
container snmp { container snmp {
description description
"Top-level container for SNMP related configuration and "Top-level container for SNMP related configuration and
status objects."; status objects.";
} }
} }
<CODE ENDS> <CODE ENDS>
3.3. Submodule 'ietf-snmp-engine' 3.4. Submodule 'ietf-snmp-engine'
<CODE BEGINS> file "ietf-snmp-engine.yang" <CODE BEGINS> file "ietf-snmp-engine.yang"
submodule ietf-snmp-engine { submodule ietf-snmp-engine {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
import ietf-inet-types { import ietf-inet-types {
skipping to change at page 21, line 23 skipping to change at page 27, line 23
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions "This submodule contains a collection of YANG definitions
for configuring SNMP engines. for configuring SNMP engines.
Copyright (c) 2011 IETF Trust and the persons identified as Copyright (c) 2013 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2012-06-05 { revision 2013-03-26 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
augment /snmp:snmp { augment /snmp:snmp {
container engine { container engine {
description description
skipping to change at page 23, line 20 skipping to change at page 29, line 20
description description
"The local SNMP engine's administratively-assigned unique "The local SNMP engine's administratively-assigned unique
identifier. identifier.
If this leaf is not set, the device automatically If this leaf is not set, the device automatically
calculates an engine id, as described in RFC 3411. A calculates an engine id, as described in RFC 3411. A
server MAY initialize this leaf with the automatically server MAY initialize this leaf with the automatically
created value."; created value.";
reference "SNMP-FRAMEWORK-MIB.snmpEngineID"; reference "SNMP-FRAMEWORK-MIB.snmpEngineID";
} }
leaf enable-authen-traps {
type boolean;
description
"Indicates whether the SNMP entity is permitted to
generate authenticationFailure traps.";
reference "SNMPv2-MIB.snmpEnableAuthenTraps";
}
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.4. Submodule 'ietf-snmp-target' 3.5. Submodule 'ietf-snmp-target'
<CODE BEGINS> file "ietf-snmp-target.yang" <CODE BEGINS> file "ietf-snmp-target.yang"
submodule ietf-snmp-target { submodule ietf-snmp-target {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
import ietf-inet-types { import ietf-inet-types {
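Review bot: The leaf enable-authen-traps added to container engine has no default statement, and its description does not say what an absent leaf means, so a client cannot tell whether authenticationFailure traps are generated when the leaf is not configured. State the behaviour for the unset case or add a default. The move also changes the leaf's location from the /snmp augment in ietf-snmp-notification to the engine container, which implementers of the previous revision need to be told about.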
skipping to change at page 24, line 16 skipping to change at page 30, line 25
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions "This submodule contains a collection of YANG definitions
for configuring SNMP targets. for configuring SNMP targets.
Copyright (c) 2011 IETF Trust and the persons identified as Copyright (c) 2013 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 24, line 39 skipping to change at page 30, line 48
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3413: Simple Network Management Protocol (SNMP) "RFC3413: Simple Network Management Protocol (SNMP)
Applications"; Applications";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2012-06-05 { revision 2013-03-26 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
augment /snmp:snmp { augment /snmp:snmp {
list target { list target {
key name; key name;
description description
"List of targets."; "List of targets.";
reference "SNMP-TARGET-MIB.snmpTargetAddrTable"; reference "SNMP-TARGET-MIB.snmpTargetAddrTable";
leaf name { leaf name {
type snmp:identifier; type snmp:identifier;
description description
"Identifies the target."; "Identifies the target.";
reference "SNMP-TARGET-MIB.snmpTargetAddrName"; reference "SNMP-TARGET-MIB.snmpTargetAddrName";
} }
choice transport { choice transport {
mandatory true; mandatory true;
skipping to change at page 27, line 4 skipping to change at page 33, line 13
snmpTargetParamsTable. snmpTargetParamsTable.
When the snmpTargetAddrParams object contains a reference When the snmpTargetAddrParams object contains a reference
to a non-existing snmpTargetParamsEntry, this choice does to a non-existing snmpTargetParamsEntry, this choice does
not contain any case, and vice versa."; not contain any case, and vice versa.";
reference "SNMP-TARGET-MIB.snmpTargetAddrParams reference "SNMP-TARGET-MIB.snmpTargetAddrParams
SNMP-TARGET-MIB.snmpTargetParamsTable"; SNMP-TARGET-MIB.snmpTargetParamsTable";
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.5. Submodule 'ietf-snmp-notification' 3.6. Submodule 'ietf-snmp-notification'
<CODE BEGINS> file "ietf-snmp-notification.yang" <CODE BEGINS> file "ietf-snmp-notification.yang"
submodule ietf-snmp-notification { submodule ietf-snmp-notification {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
include ietf-snmp-common; include ietf-snmp-common;
skipping to change at page 27, line 45 skipping to change at page 34, line 5
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions "This submodule contains a collection of YANG definitions
for configuring SNMP notifications. for configuring SNMP notifications.
Copyright (c) 2011 IETF Trust and the persons identified as Copyright (c) 2013 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 28, line 19 skipping to change at page 34, line 28
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3413: Simple Network Management Protocol (SNMP) "RFC3413: Simple Network Management Protocol (SNMP)
Applications"; Applications";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2012-06-05 { revision 2013-03-26 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
feature notification-filter {
description
"A server implements this feature if it supports SNMP
notification filtering.";
}
augment /snmp:snmp { augment /snmp:snmp {
list notify { list notify {
key name; key name;
description description
"Targets that will receive notifications. "Targets that will receive notifications.
Entries in this lists are mapped 1-1 to entries in Entries in this lists are mapped 1-1 to entries in
snmpNotifyTable, except that if an entry in snmpNotifyTable snmpNotifyTable, except that if an entry in snmpNotifyTable
has a snmpNotifyTag for which no snmpTargetAddrEntry exists, has a snmpNotifyTag for which no snmpTargetAddrEntry exists,
skipping to change at page 30, line 21 skipping to change at page 36, line 35
leaf-list exclude { leaf-list exclude {
type snmp:wildcard-object-identifier; type snmp:wildcard-object-identifier;
description description
"A family of subtrees excluded from this filter."; "A family of subtrees excluded from this filter.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
SNMP-NOTIFICATION-MIB.snmpNotifyFilterType"; SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
} }
} }
leaf enable-authen-traps {
type boolean;
description
"Indicates whether the SNMP entity is permitted to
generate authenticationFailure traps.";
reference "SNMPv2-MIB.snmpEnableAuthenTraps";
}
} }
augment /snmp:snmp/snmp:target { augment /snmp:snmp/snmp:target {
reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable"; reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable";
leaf notify-filter-profile { leaf notify-filter-profile {
if-feature snmp:notification-filter; if-feature snmp:notification-filter;
type leafref { type leafref {
path "/snmp/notify-filter-profile/name"; path "/snmp/notify-filter-profile/name";
} }
description description
skipping to change at page 31, line 5 skipping to change at page 37, line 9
relationship between the /snmp/target list and the relationship between the /snmp/target list and the
/snmp/notify-filter-profile list."; /snmp/notify-filter-profile list.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName"; reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.6. Submodule 'ietf-snmp-proxy' 3.7. Submodule 'ietf-snmp-proxy'
<CODE BEGINS> file "ietf-snmp-proxy.yang" <CODE BEGINS> file "ietf-snmp-proxy.yang"
submodule ietf-snmp-proxy { submodule ietf-snmp-proxy {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
include ietf-snmp-common; include ietf-snmp-common;
skipping to change at page 31, line 41 skipping to change at page 37, line 45
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions "This submodule contains a collection of YANG definitions
for configuring SNMP proxies. for configuring SNMP proxies.
Copyright (c) 2011 IETF Trust and the persons identified as Copyright (c) 2013 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 32, line 15 skipping to change at page 38, line 19
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3413: Simple Network Management Protocol (SNMP) "RFC3413: Simple Network Management Protocol (SNMP)
Applications"; Applications";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2012-06-05 { revision 2013-03-26 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
feature proxy {
description
"A server implements this feature if it can act as an
SNMP Proxy";
}
augment /snmp:snmp { augment /snmp:snmp {
if-feature snmp:proxy; if-feature snmp:proxy;
list proxy { list proxy {
key name; key name;
description description
"List of proxy parameters."; "List of proxy parameters.";
reference "SNMP-PROXY-MIB.snmpProxyTable"; reference "SNMP-PROXY-MIB.snmpProxyTable";
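Review bot: The new `feature proxy` statement has no `reference`, unlike the other features added in this revision (`tsm`, `tlstm`, `sshtm`), which each cite their RFC. Suggest adding a reference to "RFC3413: Simple Network Management Protocol (SNMP) Applications", which the submodule already cites, and ending the description with a period. The augment also writes `if-feature snmp:proxy;` with a prefix, while the TSM submodule writes `if-feature tsm;` without one; pick one form and use it across the submodules.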
skipping to change at page 33, line 41 skipping to change at page 40, line 4
} }
leaf multiple-target-out { leaf multiple-target-out {
when "../type = 'trap' or ../type = 'inform'"; when "../type = 'trap' or ../type = 'inform'";
type snmp:identifier; type snmp:identifier;
description description
"Implementations MAY restrict the values of this leaf "Implementations MAY restrict the values of this leaf
to be one of the available values of /snmp/target/tag in to be one of the available values of /snmp/target/tag in
a valid configuration."; a valid configuration.";
reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut"; reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut";
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.7. Submodule 'ietf-snmp-community' 3.8. Submodule 'ietf-snmp-community'
<CODE BEGINS> file "ietf-snmp-community.yang" <CODE BEGINS> file "ietf-snmp-community.yang"
submodule ietf-snmp-community { submodule ietf-snmp-community {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
include ietf-snmp-common; include ietf-snmp-common;
include ietf-snmp-target; include ietf-snmp-target;
include ietf-snmp-proxy; include ietf-snmp-proxy;
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
skipping to change at page 34, line 35 skipping to change at page 40, line 48
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions "This submodule contains a collection of YANG definitions
for configuring community-based SNMP. for configuring community-based SNMP.
Copyright (c) 2011 IETF Trust and the persons identified as Copyright (c) 2013 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 35, line 10 skipping to change at page 41, line 22
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3584: Coexistence between Version 1, Version 2, and Version 3 "RFC3584: Coexistence between Version 1, Version 2, and Version 3
of the Internet-standard Network Management Framework"; of the Internet-standard Network Management Framework";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2012-06-05 { revision 2013-03-26 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
augment /snmp:snmp { augment /snmp:snmp {
list community { list community {
key index; key index;
skipping to change at page 38, line 24 skipping to change at page 44, line 37
default "484"; default "484";
reference reference
"SNMP-COMMUNITY-MIB.snmpTargetAddrMMS"; "SNMP-COMMUNITY-MIB.snmpTargetAddrMMS";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.8. Submodule 'ietf-snmp-vacm' 3.9. Submodule 'ietf-snmp-vacm'
<CODE BEGINS> file "ietf-snmp-vacm.yang" <CODE BEGINS> file "ietf-snmp-vacm.yang"
submodule ietf-snmp-vacm { submodule ietf-snmp-vacm {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
include ietf-snmp-common; include ietf-snmp-common;
skipping to change at page 39, line 13 skipping to change at page 45, line 24
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions "This submodule contains a collection of YANG definitions
for configuring the View-based Access Control Model (VACM) for configuring the View-based Access Control Model (VACM)
of SNMP. of SNMP.
Copyright (c) 2011 IETF Trust and the persons identified as Copyright (c) 2013 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 39, line 36 skipping to change at page 45, line 47
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3415: View-based Access Control Model (VACM) for the "RFC3415: View-based Access Control Model (VACM) for the
Simple Network Management Protocol (SNMP)"; Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2012-06-05 { revision 2013-03-26 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
typedef view-name { typedef view-name {
type snmp:identifier; type snmp:identifier;
description description
"The view-name type represents an SNMP VACM view name."; "The view-name type represents an SNMP VACM view name.";
} }
typedef group-name { typedef group-name {
type snmp:identifier; type snmp:identifier;
skipping to change at page 44, line 5 skipping to change at page 50, line 14
SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType"; SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
} }
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.9. Submodule 'ietf-snmp-usm' 3.10. Submodule 'ietf-snmp-usm'
<CODE BEGINS> file "ietf-snmp-usm.yang" <CODE BEGINS> file "ietf-snmp-usm.yang"
submodule ietf-snmp-usm { submodule ietf-snmp-usm {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
import ietf-yang-types { import ietf-yang-types {
skipping to change at page 44, line 49 skipping to change at page 51, line 10
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions for "This submodule contains a collection of YANG definitions for
configuring the User-based Security Model (USM) of SNMP. configuring the User-based Security Model (USM) of SNMP.
Copyright (c) 2011 IETF Trust and the persons identified as Copyright (c) 2013 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 45, line 23 skipping to change at page 51, line 33
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3414: User-based Security Model (USM) for version 3 of the "RFC3414: User-based Security Model (USM) for version 3 of the
Simple Network Management Protocol (SNMPv3)."; Simple Network Management Protocol (SNMPv3).";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-02-11 { revision 2013-03-26 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
grouping key { grouping key {
leaf key { leaf key {
type yang:hex-string; type yang:hex-string;
mandatory true; mandatory true;
skipping to change at page 47, line 43 skipping to change at page 54, line 4
"SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
} }
leaf security-level { leaf security-level {
type snmp:security-level; type snmp:security-level;
mandatory true; mandatory true;
reference reference
"SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
} }
} }
} }
augment /snmp:snmp/snmp:target/snmp:params { augment /snmp:snmp/snmp:target/snmp:params {
case usm { case usm {
uses usm-target-params; uses usm-target-params;
} }
} }
augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
case usm { case usm {
uses usm-target-params; uses usm-target-params;
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.10. Submodule 'ietf-snmp-tsm' 3.11. Submodule 'ietf-snmp-tsm'
<CODE BEGINS> file "ietf-snmp-tsm.yang" <CODE BEGINS> file "ietf-snmp-tsm.yang"
submodule ietf-snmp-tsm { submodule ietf-snmp-tsm {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
include ietf-snmp-common; include ietf-snmp-common;
skipping to change at page 48, line 49 skipping to change at page 55, line 9
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions for "This submodule contains a collection of YANG definitions for
configuring the Transport Security Model (TSM) of SNMP. configuring the Transport Security Model (TSM) of SNMP.
Copyright (c) 2011 IETF Trust and the persons identified as Copyright (c) 2013 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 49, line 23 skipping to change at page 55, line 32
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC5591: Transport Security Model for the "RFC5591: Transport Security Model for the
Simple Network Management Protocol (SNMP)"; Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2012-06-05 { revision 2013-03-26 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
feature tsm {
description
"A server implements this feature if it supports the
Transport Security Model for SNMP.";
reference
"RFC5591: Transport Security Model for the
Simple Network Management Protocol (SNMP)";
}
augment /snmp:snmp { augment /snmp:snmp {
if-feature tsm; if-feature tsm;
container tsm { container tsm {
description description
"Configuration of the Transport-based Security Model"; "Configuration of the Transport-based Security Model";
leaf use-prefix { leaf use-prefix {
type boolean; type boolean;
default false; default false;
reference reference
skipping to change at page 50, line 37 skipping to change at page 57, line 5
augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
if-feature tsm; if-feature tsm;
case tsm { case tsm {
uses tsm-target-params; uses tsm-target-params;
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.11. Submodule 'ietf-snmp-tls' 3.12. Submodule 'ietf-snmp-tls'
<CODE BEGINS> file "ietf-snmp-tls.yang" <CODE BEGINS> file "ietf-snmp-tls.yang"
submodule ietf-snmp-tls { submodule ietf-snmp-tls {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
import ietf-yang-types {
prefix yang;
}
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
} }
import ietf-x509-cert-to-name {
prefix x509c2n;
}
include ietf-snmp-common; include ietf-snmp-common;
include ietf-snmp-engine; include ietf-snmp-engine;
include ietf-snmp-target; include ietf-snmp-target;
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org> WG List: <mailto:netmod@ietf.org>
skipping to change at page 51, line 32 skipping to change at page 57, line 50
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions for "This submodule contains a collection of YANG definitions for
configuring the Transport Layer Security Transport Model (TLSTM) configuring the Transport Layer Security Transport Model (TLSTM)
of SNMP. of SNMP.
Copyright (c) 2011 IETF Trust and the persons identified as Copyright (c) 2013 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 52, line 8 skipping to change at page 58, line 25
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC6353: Transport Layer Security (TLS) Transport Model for "RFC6353: Transport Layer Security (TLS) Transport Model for
the Simple Network Management Protocol (SNMP)"; the Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-02-11 { revision 2013-03-26 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
/* Typedefs */ feature tlstm {
typedef tls-fingerprint {
type yang:hex-string {
pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
}
description description
"A fingerprint value that can be used to uniquely reference "A server implements this feature if it supports the
other data of potentially arbitrary length. Transport Layer Security Transport Model for SNMP.";
reference
An tls-fingerprint value is composed of a 1-octet hashing "RFC6353: Transport Layer Security (TLS) Transport Model for
algorithm identifier followed by the fingerprint value. The the Simple Network Management Protocol (SNMP)";
octet value encoded is taken from the IANA TLS HashAlgorithm
Registry (RFC 5246). The remaining octets are filled using
the results of the hashing algorithm.
The corresponding TEXTUAL-CONVENTION allows a zero-length
value to be used for objects that are optional. In the YANG
data models, such objects are represented as optional leafs.";
reference "SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
}
/* Identities */
identity cert-to-tm-security-name {
}
identity specified {
base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
}
identity san-rfc822-name {
base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
}
identity san-dns-name {
base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
}
identity san-ip-address {
base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
}
identity san-any {
base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
}
identity common-name {
base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
} }
augment /snmp:snmp/snmp:engine/snmp:listen { augment /snmp:snmp/snmp:engine/snmp:listen {
if-feature tlstm; if-feature tlstm;
list tls { list tls {
key "ip port"; key "ip port";
description description
"A list of IPv4 and IPv6 addresses and ports to which the "A list of IPv4 and IPv6 addresses and ports to which the
engine listens for SNMP messages over TLS."; engine listens for SNMP messages over TLS.";
skipping to change at page 54, line 20 skipping to change at page 59, line 37
description description
"The UDP port on which the engine listens for SNMP messages "The UDP port on which the engine listens for SNMP messages
over DTLS."; over DTLS.";
} }
} }
} }
augment /snmp:snmp { augment /snmp:snmp {
if-feature tlstm; if-feature tlstm;
container tlstm { container tlstm {
list cert-to-tm-security-name { uses x509c2n:cert-to-name {
key id; description
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry"; "Defines how certifcates are mapped to names. The
resulting name is used as a security name.";
leaf id { refine cert-to-name/map-type {
type uint32;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
}
leaf fingerprint {
type tls-fingerprint;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
}
leaf map-type {
type identityref {
base cert-to-tm-security-name;
}
description description
"Mappings that use the snmpTlstmCertToTSNData column "Mappings that use the snmpTlstmCertToTSNData column
need to augment the 'cert-to-tm-security-name' list need to augment the 'cert-to-name' list
with additional configuration objects corresponding with additional configuration objects corresponding
to the snmpTlstmCertToTSNData value. Such objects to the snmpTlstmCertToTSNData value. Such objects
should use the 'when' statement to make them should use the 'when' statement to make them
conditional based on the 'map-type'."; conditional based on the 'map-type'.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
}
leaf cert-specified-tm-security-name {
when "../map-type = 'snmp:specified'";
type snmp:admin-string;
description
"Maps to snmpTlstmCertToTSNData when 'map-type' is
'specified'.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
} }
} }
} }
} }
grouping tls-transport { grouping tls-transport {
leaf ip { leaf ip {
type inet:host; type inet:host;
mandatory true; mandatory true;
reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
SNMP-TLS-TM-MIB.SnmpTLSAddress"; SNMP-TLS-TM-MIB.SnmpTLSAddress";
} }
leaf port { leaf port {
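Review bot: Replacing the `cert-to-tm-security-name` list with `uses x509c2n:cert-to-name` drops every SNMP-TLS-TM-MIB `reference` the list carried (snmpTlstmCertToTSNEntry, snmpTlstmCertToTSNID, snmpTlstmCertToTSNFingerprint, snmpTlstmCertToTSNMapType, snmpTlstmCertToTSNData), yet the refined `map-type` description still refers to the snmpTlstmCertToTSNData column. Both `uses` and `refine` accept a `reference` substatement, so suggest restoring at least the table-level reference there to keep the MIB mapping traceable. The new `uses` description also misspells "certificates" as "certifcates".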
skipping to change at page 55, line 24 skipping to change at page 60, line 21
reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
SNMP-TLS-TM-MIB.SnmpTLSAddress"; SNMP-TLS-TM-MIB.SnmpTLSAddress";
} }
leaf port { leaf port {
type inet:port-number; type inet:port-number;
default 10161; default 10161;
reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
SNMP-TLS-TM-MIB.SnmpTLSAddress"; SNMP-TLS-TM-MIB.SnmpTLSAddress";
} }
leaf client-fingerprint { leaf client-fingerprint {
type tls-fingerprint; type x509c2n:tls-fingerprint;
reference "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint"; reference "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint";
} }
leaf server-fingerprint { leaf server-fingerprint {
type tls-fingerprint; type x509c2n:tls-fingerprint;
reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint"; reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint";
} }
leaf server-identity { leaf server-identity {
type snmp:admin-string; type snmp:admin-string;
reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity"; reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity";
} }
} }
augment /snmp:snmp/snmp:target/snmp:transport { augment /snmp:snmp/snmp:target/snmp:transport {
if-feature tlstm; if-feature tlstm;
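Review bot: In `grouping tls-transport`, the leaves `client-fingerprint`, `server-fingerprint` and `server-identity` are all optional and none has a `description`; this change only swaps the fingerprint type to `x509c2n:tls-fingerprint`. Suggest adding descriptions while these leaves are being touched, in particular one stating how a target's server certificate is checked when neither `server-fingerprint` nor `server-identity` is configured, so that behaviour is not left to each implementation.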
skipping to change at page 56, line 4 skipping to change at page 60, line 50
} }
} }
} }
augment /snmp:snmp/snmp:target/snmp:transport { augment /snmp:snmp/snmp:target/snmp:transport {
if-feature tlstm; if-feature tlstm;
case dtls { case dtls {
reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain"; reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain";
container dtls { container dtls {
uses tls-transport; uses tls-transport;
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.12. Submodule 'ietf-snmp-ssh' 3.13. Submodule 'ietf-snmp-ssh'
<CODE BEGINS> file "ietf-snmp-ssh.yang" <CODE BEGINS> file "ietf-snmp-ssh.yang"
submodule ietf-snmp-ssh { submodule ietf-snmp-ssh {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
import ietf-inet-types { import ietf-inet-types {
skipping to change at page 57, line 5 skipping to change at page 61, line 51
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions for "This submodule contains a collection of YANG definitions for
configuring the Secure Shell Transport Model (SSHTM) configuring the Secure Shell Transport Model (SSHTM)
of SNMP. of SNMP.
Copyright (c) 2012 IETF Trust and the persons identified as Copyright (c) 2013 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 57, line 28 skipping to change at page 62, line 25
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC5592: Secure Shell Transport Model for the "RFC5592: Secure Shell Transport Model for the
Simple Network Management Protocol (SNMP)"; Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2012-11-26 { revision 2013-03-26 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
feature sshtm {
description
"A server implements this feature if it supports the
Secure Shell Transport Model for SNMP.";
reference
"RFC5592: Secure Shell Transport Model for the
Simple Network Management Protocol (SNMP)";
}
augment /snmp:snmp/snmp:engine/snmp:listen { augment /snmp:snmp/snmp:engine/snmp:listen {
if-feature sshtm; if-feature sshtm;
list ssh { list ssh {
key "ip port"; key "ip port";
description description
"A list of IPv4 and IPv6 addresses and ports to which the "A list of IPv4 and IPv6 addresses and ports to which the
engine listens for SNMP messages over SSH."; engine listens for SNMP messages over SSH.";
leaf ip { leaf ip {
type inet:ip-address; type inet:ip-address;
skipping to change at page 61, line 20 skipping to change at page 66, line 20
secure transport is SSH [RFC6242]. secure transport is SSH [RFC6242].
There are a number of data nodes defined in the YANG module and There are a number of data nodes defined in the YANG module and
submodules which are writable/creatable/deletable (i.e., config true, submodules which are writable/creatable/deletable (i.e., config true,
which is the default). These data nodes may be considered sensitive which is the default). These data nodes may be considered sensitive
or vulnerable in some network environments. Write operations (e.g., or vulnerable in some network environments. Write operations (e.g.,
edit-config) to these data nodes without proper protection can have a edit-config) to these data nodes without proper protection can have a
negative effect on network operations. These are the subtrees and negative effect on network operations. These are the subtrees and
data nodes and their sensitivity/vulnerability: data nodes and their sensitivity/vulnerability:
<list subtrees and data nodes and state why they are sensitive> o The /snmp/engine subtree contains the configuration of general
parameters of an SNMP engine such as the endpoints to listen on,
the transports and SNMP versions enabled, or the engine's
identity. Write access to this subtree should only be granted to
entities configuring general SNMP engine parameters.
o The /snmp/target subtree contains the configuration of SNMP
targets and in particular which transports to use and their
security parameters. Write access to this subtree should only be
granted to the security administrator and entities configuring
SNMP notification forwarding behavior.
o The /snmp/notify and /snmp/notify-filter-profile subtrees contain
the configuration for SNMP notification forwarding and filtering
mechanism. Write access to this subtree should only be granted to
entities configuring SNMP notification forwarding behavior.
o The /snmp/proxy subtree contains the configuration for SNMP
proxies. Write access to this subtree should only be granted to
entities configuring SNMP proxies.
o The /snmp/community subtree contains the configuration of the
community-based security model. Write access to this subtree
should only be granted to the security administrator.
o The /snmp/usm subtree contains the configuration of the user-based
security model. Write access to this subtree should only be
granted to the security administrator.
o The /snmp/tsm subtree contains the configuration of the transport
layer security model for SNMP. Write access to this subtree
should only be granted to the security administrator.
o The /snmp/tlstm subtree contains the configuration of the SNMP
transport over (D)TLS and in particular the configuration how
certificates are mapped to SNMP security names. Write access to
this subtree should only be granted to the security administrator.
o The /snmp/vacm subtree contains the configuration of the view-
based access control mechanism used by SNMP to authorize access to
management information via SNMP. Write access to this subtree
should only be granted to the security administrator.
Some of the readable data nodes in the YANG module and submodules may Some of the readable data nodes in the YANG module and submodules may
be considered sensitive or vulnerable in some network environments. be considered sensitive or vulnerable in some network environments.
It is thus important to control read access (e.g., via get, get- It is thus important to control read access (e.g., via get, get-
config, or notification) to these data nodes. These are the subtrees config, or notification) to these data nodes. These are the subtrees
and data nodes and their sensitivity/vulnerability: and data nodes and their sensitivity/vulnerability:
<list subtrees and data nodes and state why they are sensitive> o The /snmp/engine subtree subtree exposes general information about
an SNMP engine such as which version(s) of SNMP are enabled or
which transports are enabled.
o The /snmp/target subtree exposes information which transports are
used to reach certain SNMP targets which transport specific
parameters are used.
o The /snmp/notify and /snmp/notify-filter-profile subtrees exposes
information how notifications are filtered and forwarded to
notification targets.
o The /snmp/proxy subtree exposes information about proxy
relationships.
o The /snmp/community, /snmp/usm, /snmp/tsm, /snmp/tlstm, and /snmp/
vacm subtrees are specifically sensitive since they expose
information about the authentication and authorization policy used
by an SNMP engine.
6. Acknowledgments 6. Acknowledgments
The authors want to thank Wes Hardaker and David Spakes for their The authors want to thank Wes Hardaker and David Spakes for their
reviews and valuable comments. reviews and valuable comments.
7. References 7. References
7.1. Normative References 7.1. Normative References
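Review bot: the last read-access bullet groups /snmp/community, /snmp/usm, /snmp/tsm, /snmp/tlstm and /snmp/vacm under one generic reason ("expose information about the authentication and authorization policy"), although the -01 placeholder asked to "state why they are sensitive". Consider one bullet per subtree, and state explicitly whether any of them expose secret material, since that changes how strictly read access must be restricted. Wording in the same list also needs fixing: "The /snmp/engine subtree subtree exposes" repeats a word, the /snmp/target bullet is missing "and" before "which transport specific parameters are used", and "The /snmp/notify and /snmp/notify-filter-profile subtrees exposes" should read "expose".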
skipping to change at page 74, line 5 skipping to change at page 80, line 5
</view> </view>
</vacm> </vacm>
</snmp> </snmp>
A.7. Transport Layer Security Transport Model Configuration Example A.7. Transport Layer Security Transport Model Configuration Example
Below is an XML instance document showing the configuration of the Below is an XML instance document showing the configuration of the
certificate to security name mapping (see Appendix A.2 and A.3 of certificate to security name mapping (see Appendix A.2 and A.3 of
[RFC6353]). [RFC6353]).
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp"> <snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp"
xmlns:x509c2n=
"urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name">
<tlstm> <tlstm>
<cert-to-tm-security-name> <cert-to-name>
<id>1</id> <id>1</id>
<fingerprint>11:0A:05:11:00</fingerprint> <fingerprint>11:0A:05:11:00</fingerprint>
<map-type>san-any</map-type> <map-type>x509c2n:san-any</map-type>
</cert-to-tm-security-name> </cert-to-name>
<cert-to-tm-security-name> <cert-to-name>
<id>2</id> <id>2</id>
<fingerprint>11:0A:05:11:00</fingerprint> <fingerprint>11:0A:05:11:00</fingerprint>
<map-type>specified</map-type> <map-type>x509c2n:specified</map-type>
<cert-specified-tm-security-name> <name>
Joe Cool Joe Cool
</cert-specified-tm-security-name> </name>
</cert-to-tm-security-name> </cert-to-name>
</tlstm> </tlstm>
</snmp> </snmp>
Authors' Addresses Authors' Addresses
Martin Bjorklund Martin Bjorklund
Tail-f Systems Tail-f Systems
Email: mbj@tail-f.com Email: mbj@tail-f.com
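Review bot: both cert-to-name entries in the A.7 example (id 1 and id 2) carry the same fingerprint 11:0A:05:11:00 but different map-types (x509c2n:san-any and x509c2n:specified). The text introducing the example should say whether this is intentional, for instance entry 2 acting as a fallback when entry 1 yields no name, or one entry should use a different fingerprint. Separately, the <name> element of entry 2 puts "Joe Cool" on its own line, so the value as written includes the surrounding whitespace. Writing <name>Joe Cool</name> on a single line removes any doubt about the resulting security name.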
 End of changes. 126 change blocks. 
298 lines changed or deleted 588 lines changed or added
