Diff: draft-ietf-netmod-snmp-cfg-02.txt vs draft-ietf-netmod-snmp-cfg-03.txt
(text below follows -03; version-specific header data from -02 is given in
parentheses)

Network Working Group                                       M. Bjorklund
Internet-Draft                                            Tail-f Systems
Intended status: Standards Track                         J. Schoenwaelder
Expires: May 9, 2014 (-02: October 27, 2013)            Jacobs University
                                    November 5, 2013 (-02: April 25, 2013)

               A YANG Data Model for SNMP Configuration
        draft-ietf-netmod-snmp-cfg-03 (-02: draft-ietf-netmod-snmp-cfg-02)

Abstract

This document defines a collection of YANG definitions for
configuring SNMP engines.

Status of this Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on May 9, 2014 (-02: October 27, 2013).

Copyright Notice

Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents (-03)

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Data Model . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. General Considerations . . . . . . . . . . . . . . . . . . 5
2.3. Common Definitions . . . . . . . . . . . . . . . . . . . . 6
2.4. Engine Configuration . . . . . . . . . . . . . . . . . . . 6
2.5. Target Configuration . . . . . . . . . . . . . . . . . . . 6
2.6. Notification Configuration . . . . . . . . . . . . . . . . 7
2.7. Proxy Configuration . . . . . . . . . . . . . . . . . . . . 8
2.8. Community Configuration . . . . . . . . . . . . . . . . . . 9
2.9. View-based Access Control Model Configuration . . . . . . 10
2.10. User-based Security Model Configuration . . . . . . . . . 11
2.11. Transport Security Model Configuration . . . . . . . . . 13
2.12. Transport Layer Security Transport Model Configuration . 13
2.13. Secure Shell Transport Model Configuration . . . . . . . 15
3. Implementation Guidelines . . . . . . . . . . . . . . . . . . 16
3.1. Supporting read-only SNMP Access . . . . . . . . . . . . . 16
3.2. Supporting read-write SNMP access . . . . . . . . . . . . 17
4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.1. Module 'ietf-x509-cert-to-name' . . . . . . . . . . . . . 18
4.2. Module 'ietf-snmp' . . . . . . . . . . . . . . . . . . . . 23
4.3. Submodule 'ietf-snmp-common' . . . . . . . . . . . . . . . 25
4.4. Submodule 'ietf-snmp-engine' . . . . . . . . . . . . . . . 29
4.5. Submodule 'ietf-snmp-target' . . . . . . . . . . . . . . . 32
4.6. Submodule 'ietf-snmp-notification' . . . . . . . . . . . . 36
4.7. Submodule 'ietf-snmp-proxy' . . . . . . . . . . . . . . . 40
4.8. Submodule 'ietf-snmp-community' . . . . . . . . . . . . . 43
4.9. Submodule 'ietf-snmp-vacm' . . . . . . . . . . . . . . . . 47
4.10. Submodule 'ietf-snmp-usm' . . . . . . . . . . . . . . . . 53
4.11. Submodule 'ietf-snmp-tsm' . . . . . . . . . . . . . . . . 57
4.12. Submodule 'ietf-snmp-tls' . . . . . . . . . . . . . . . . 60
4.13. Submodule 'ietf-snmp-ssh' . . . . . . . . . . . . . . . . 64
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 67
6. Security Considerations . . . . . . . . . . . . . . . . . . . 69
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 71
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 72
8.1. Normative References . . . . . . . . . . . . . . . . . . . 72
8.2. Informative References . . . . . . . . . . . . . . . . . . 72
Appendix A. Example configurations . . . . . . . . . . . . . . . 74
A.1. Engine Configuration Example . . . . . . . . . . . . . . . 74
A.2. Community Configuration Example . . . . . . . . . . . . . 74
A.3. User-based Security Model Configuration Example . . . . . 75
A.4. Target and Notification Configuration Example . . . . . . 76
A.5. Proxy Configuration Example . . . . . . . . . . . . . . . 78
A.6. View-based Access Control Model Configuration Example . . 80
A.7. Transport Layer Security Transport Model Configuration
     Example . . . . . . . . . . . . . . . . . . . . . . . . . 82
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 84

(In -02, Section 3 was "Definitions" and the Definitions, IANA,
Security, Acknowledgments and References sections were numbered 3 to 7;
-03 inserts "3. Implementation Guidelines" and renumbers them 4 to 8.)
1. Introduction

This document defines a YANG [RFC6020] data model for the
configuration of SNMP engines. The configuration model is consistent
with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413],
[RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591], [RFC5592], and
[RFC6353] but takes advantage of YANG's ability to define
hierarchical configuration data models. The structure of the model
has been derived from existing proprietary configuration models

[...]

2.1. Tree Diagrams

A simplified graphical representation of the data model is used in
this document. The meaning of the symbols in these diagrams is as
follows:

o Brackets "[" and "]" enclose list keys.

o Abbreviations before data node names: "rw" means configuration
(read-write) and "ro" state data (read-only).

o Symbols after data node names: "?" means an optional node, "!"
means a presence container, and "*" denotes a list and leaf-list.

o Parentheses enclose choice and case nodes, and case nodes are also
marked with a colon (":").

o Ellipsis ("...") stands for contents of subtrees that are not
shown.

(-02 defined only "?" and "*", the latter for leaf-lists; -03 adds "!"
for presence containers and marks lists with "*". The tree diagrams
below use the -03 notation.)

2.2. General Considerations

Most YANG nodes are mapped 1-1 to the corresponding MIB object. The
"reference" statement is used to indicate which corresponding MIB
object the YANG node is mapped to. When there is not a simple 1-1
mapping, the "description" statement explains the mapping.

The persistency models in SNMP and NETCONF are quite different. In
NETCONF, the persistency is defined by the datastore, whereas in SNMP
it is defined either explicitly in the data model, or on a row-by-row
basis by using the TEXTUAL-CONVENTION "StorageType". Thus, in the
YANG model defined here, the "StorageType" columns are not present.
For implementation guidelines, see Section 3.

In SNMP, row creation and deletion are controlled by using the
TEXTUAL-CONVENTION "RowStatus". In NETCONF, creation and deletion
are handled by the protocol, not in the data model. Thus, in the
YANG model defined here, the "RowStatus" columns are not present.

(The two preceding paragraphs are new in -03.)
2.3. Common Definitions

The submodule "ietf-snmp-common" defines a set of common typedefs and
the top-level container "snmp". All configuration parameters defined
in the other submodules are organized under this top-level container.

2.4. Engine Configuration

The submodule "ietf-snmp-engine", which defines configuration
parameters that are specific to SNMP engines, has the following
structure:

    +--rw snmp
       +--rw engine
          +--rw enabled?               boolean
          +--rw listen
          |  +--rw udp* [ip port]
          |     +--rw ip      inet:ip-address
          |     +--rw port    inet:port-number
          +--rw version
          |  +--rw v1?    empty
          |  +--rw v2c?   empty
          |  +--rw v3?    empty
          +--rw engine-id?             snmp:engine-id
          +--rw enable-authen-traps?   boolean

The leaf "/snmp/engine/enabled" can be used to enable/disable an SNMP

[...]

The "/snmp/engine/version" container can be used to enable/disable
the different message processing models.
2.5. Target Configuration

The submodule "ietf-snmp-target", which defines configuration
parameters that correspond to the objects in SNMP-TARGET-MIB, has the
following structure:

    +--rw snmp
       +--rw target* [name]
          +--rw name             snmp:identifier
          +--rw (transport)
          |  +--:(udp)
          |     +--rw udp
          |        +--rw ip               inet:ip-address
          |        +--rw port?            inet:port-number
          |        +--rw prefix-length?   uint8
          +--rw tag*             snmp:identifier
          +--rw timeout?         uint32
          +--rw retries?         uint8

[...]

to this table, "snmpProxyTable" also has a choice "params" which is
augmented by security model specific submodules (Section 2.7).
2.6. Notification Configuration

The submodule "ietf-snmp-notification", which defines configuration
parameters that correspond to the objects in SNMP-NOTIFICATION-MIB,
has the following structure:

    +--rw snmp
       +--rw notify* [name]
       |  +--rw name    snmp:identifier
       |  +--rw tag     snmp:identifier
       |  +--rw type?   enumeration
       +--rw notify-filter-profile* [name]
          +--rw name       snmp:identifier
          +--rw include*   wildcard-object-identifier
          +--rw exclude*   wildcard-object-identifier

It also augments the "target" list defined in the "ietf-snmp-target"
submodule (Section 2.5) with one leaf:

    +--rw snmp
       +--rw target* [name]
          ...
          +--rw notify-filter-profile?   leafref

An entry in the list "/snmp/notify" corresponds to an
"snmpNotifyEntry".

An entry in the list "/snmp/notify-filter-profile" corresponds to an
"snmpNotifyFilterProfileEntry". In the MIB, there is a sparse
relationship between "snmpTargetParamsTable" and
"snmpNotifyFilterProfileTable". In the YANG model, this sparse

[...]

This submodule defines the feature "notification-filter". A server
implements this feature if it supports SNMP notification filtering.
2.7. Proxy Configuration

The submodule "ietf-snmp-proxy", which defines configuration
parameters that correspond to the objects in SNMP-PROXY-MIB, has the
following structure:

    +--rw snmp
       +--rw proxy* [name]
          +--rw name                   snmp:identifier
          +--rw type                   enumeration
          +--rw context-engine-id      snmp:engine-id
          +--rw context-name?          snmp:context-name
          +--rw params-in
          |  +--rw (params)
          +--rw single-target-out?     snmp:identifier
          +--rw multiple-target-out?   snmp:identifier

An entry in the list "/snmp/proxy" corresponds to an

[...]

This submodule defines the feature "proxy". A server implements this
feature if it can act as an SNMP Proxy.
2.8. Community Configuration

The submodule "ietf-snmp-community", which defines configuration
parameters that correspond to the objects in SNMP-COMMUNITY-MIB, has
the following structure:

    +--rw snmp
       +--rw community* [index]
          +--rw index            snmp:identifier
          +--rw (name)?
          |  +--:(text-name)
          |  |  +--rw text-name?     string
          |  +--:(binary-name)
          |     +--rw binary-name?   binary
          +--rw security-name    snmp:security-name
          +--rw engine-id?       snmp:engine-id
          +--rw context?         snmp:context-name
          +--rw target-tag?      snmp:identifier

It also augments the "/snmp/target/params" and "/snmp/proxy/
params-in/params" choices with nodes for the Community-Based Security
Model used by SNMPv1 and SNMPv2c:

    +--rw snmp
       +--rw target* [name]
       |  ...
       |  +--rw (params)?
       |  |  +--:(v1)
       |  |  |  +--rw v1
       |  |  |     +--rw security-name    snmp:security-name
       |  |  +--:(v2c)
       |  |     +--rw v2c
       |  |        +--rw security-name    snmp:security-name
       |  +--rw mms?                      union
       +--rw proxy

[...]

Both cases imply an snmpTargetParamsSecurityLevel of noAuthNoPriv.
2.9. View-based Access Control Model Configuration

The submodule "ietf-snmp-vacm", which defines configuration
parameters that correspond to the objects in SNMP-VIEW-BASED-ACM-MIB,
has the following structure:

    +--rw snmp
       +--rw vacm
          +--rw group* [name]
          |  +--rw name        group-name
          |  +--rw member* [security-name]
          |  |  +--rw security-name     snmp:security-name
          |  |  +--rw security-model*   snmp:security-model
          |  +--rw access* [context security-model security-level]
          |     +--rw context          snmp:context-name
          |     +--rw context-match?   enumeration
          |     +--rw security-model   snmp:security-model-or-any
          |     +--rw security-level   snmp:security-level
          |     +--rw read-view?       view-name
          |     +--rw write-view?      view-name
          |     +--rw notify-view?     view-name
          +--rw view* [name]
             +--rw name       view-name
             +--rw include*   snmp:wildcard-object-identifier
             +--rw exclude*   snmp:wildcard-object-identifier

The "vacmSecurityToGroupTable" and "vacmAccessTable" are mapped to a
structure of nested lists in the YANG model. Groups are defined in
the list "/snmp/vacm/group" and for each group there is a sublist
"member" that maps to "vacmSecurityToGroupTable", and a sublist
"access" that maps to "vacmAccessTable".

[...]
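The following is an added example, not code from the draft: it evaluates an access request against the group/member/access/view structure above, applying the RFC 3415 selection rules (longest matching view subtree wins; exact security model and context preferred over "any" and prefix). The enum value names for security levels, context-match and the "any" security model are assumed from the draft's common typedefs, and the sample group and view are constructed.

```python
"""VACM access check over the ietf-snmp-vacm structure shown above (added
example, not code from the draft). A view is its "include"/"exclude" lists
of wildcard object identifiers ("*" matches any one sub-identifier, a zero
bit in vacmViewTreeFamilyMask); selection rules follow RFC 3415. Enum names
(security levels, "exact"/"prefix", "any") are assumed from the draft's
common typedefs; the sample data at the bottom is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LEVELS = {"no-auth-no-priv": 0, "auth-no-priv": 1, "auth-priv": 2}

@dataclass
class View:                          # one /snmp/vacm/view entry
    name: str
    include: List[str] = field(default_factory=list)
    exclude: List[str] = field(default_factory=list)

@dataclass
class Access:                        # one /snmp/vacm/group/access entry
    context: str
    security_model: str              # "usm", "v1", "v2c", "tsm" or "any"
    security_level: str
    context_match: str = "exact"     # or "prefix"
    read_view: Optional[str] = None
    write_view: Optional[str] = None
    notify_view: Optional[str] = None

@dataclass
class Group:                         # one /snmp/vacm/group entry
    name: str
    members: Dict[str, List[str]]    # security-name -> security-model list
    access: List[Access] = field(default_factory=list)

def oid_in_view(view: View, oid_str: str) -> bool:
    """Longest matching subtree decides; ties go to the lexicographically
    greatest subtree ("*" ranked lowest: an assumption of this example)."""
    oid = [int(x) for x in oid_str.split(".")]
    best = None                                  # (rank, included?)
    for included, subtrees in ((True, view.include), (False, view.exclude)):
        for s in subtrees:
            sub = s.split(".")
            # A subtree covers an OID at least as long as itself that agrees
            # with it on every non-wildcard sub-identifier.
            if len(oid) < len(sub) or not all(
                    a == "*" or int(a) == b for a, b in zip(sub, oid)):
                continue
            rank = (len(sub), [-1 if a == "*" else int(a) for a in sub])
            if best is None or rank > best[0]:
                best = (rank, included)
    return best is not None and best[1]

def find_group(groups, security_model, security_name):
    # vacmSecurityToGroupTable lookup: the "member" row keyed by
    # security-name applies only to the security models listed for it.
    for g in groups:
        if security_model in g.members.get(security_name, []):
            return g
    return None

def select_access(group, context, security_model, security_level):
    best = None
    for a in group.access:
        ctx_ok = (a.context == context if a.context_match == "exact"
                  else context.startswith(a.context))
        model_ok = a.security_model in (security_model, "any")
        level_ok = LEVELS[a.security_level] <= LEVELS[security_level]
        if not (ctx_ok and model_ok and level_ok):
            continue
        # RFC 3415 preference: exact security model over "any", exact
        # context over prefix, then the highest security level.
        rank = (a.security_model != "any", a.context_match == "exact",
                LEVELS[a.security_level])
        if best is None or rank > best[0]:
            best = (rank, a)
    return None if best is None else best[1]

def is_access_allowed(groups, views, security_model, security_name,
                      security_level, context, view_type, oid):
    """RFC 3415 isAccessAllowed over the structures above."""
    g = find_group(groups, security_model, security_name)
    if g is None:
        return False                             # noGroupName
    a = select_access(g, context, security_model, security_level)
    if a is None:
        return False                             # noAccessEntry
    name = {"read": a.read_view, "write": a.write_view,
            "notify": a.notify_view}[view_type]
    if name is None or name not in views:
        return False                             # noSuchView
    return oid_in_view(views[name], oid)         # False here = notInView

# Constructed sample: "alice" (USM, at least authNoPriv) may read system(1)
# and every ifEntry column of interface 3, but not sysLocation; no write view.
VIEWS = {"mgmt": View("mgmt",
                      include=["1.3.6.1.2.1.1", "1.3.6.1.2.1.2.2.1.*.3"],
                      exclude=["1.3.6.1.2.1.1.6"])}
GROUPS = [Group("operators", {"alice": ["usm"]},
                [Access("", "any", "auth-no-priv", read_view="mgmt")])]
```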
2.10. User-based Security Model Configuration

The submodule "ietf-snmp-usm", which defines configuration parameters
that correspond to the objects in SNMP-USER-BASED-SM-MIB, has the
following structure:

    +--rw snmp
       +--rw usm
          +--rw local
          |  +--rw user* [name]
          |     +-- {common user params}
          +--rw remote* [engine-id]
             +--rw engine-id    snmp:engine-id
             +--rw user* [name]
                +-- {common user params}

The "{common user params}" are:

    +--rw name    snmp:identifier
    +--rw auth!
    |  +--rw (protocol)
    |     +--:(md5)
    |     |  +--rw md5
    |     |     +--rw key    string
    |     +--:(sha)
    |        +--rw sha
    |           +--rw key    string
    +--rw priv!
       +--rw (protocol)
          +--:(des)
          |  +--rw des
          |     +--rw key    string
          +--:(aes)
             +--rw aes
                +--rw key    string

(In -02, "auth" and "priv" were shown as optional containers, "auth?"
and "priv?"; -03 shows them as presence containers.)

It also augments the "/snmp/target/params" and "/snmp/proxy/
params-in/params" choices with nodes for the SNMP User-based Security
Model.

    +--rw snmp
       +--rw target* [name]
       |  ...
       |  +--rw (params)?
       |     +--:(usm)
       |        +--rw usm
       |           +--rw user-name         snmp:security-name
       |           +--rw security-level    security-level
       +--rw proxy* [name]
          ...
          +--rw params-in
             +--rw (params)
                +--:(usm)
                   +--rw usm
                      +--rw user-name         snmp:security-name
                      +--rw security-level    security-level

In the MIB, there is a single table with local and remote users,
indexed by the engine id and user name. In the YANG model, there is

[...]
2.11. Transport Security Model Configuration

[...]

    +--rw snmp
       +--rw tsm
          +--rw use-prefix?   boolean

It also augments the "/snmp/target/params" and "/snmp/proxy/
params-in/params" choices with nodes for the SNMP Transport Security
Model.

    +--rw snmp
       +--rw target* [name]
       |  ...
       |  +--rw (params)?
       |     +--:(tsm)
       |        +--rw tsm
       |           +--rw security-name     snmp:security-name
       |           +--rw security-level    security-level
       +--rw proxy* [name]
          ...
          +--rw params-in
             +--rw (params)
                +--:(tsm)
                   +--rw tsm
                      +--rw security-name     snmp:security-name
                      +--rw security-level    security-level

This submodule defines the feature "tsm". A server implements this
feature if it supports the Transport Security Model (tsm) [RFC5591].
2.12. Transport Layer Security Transport Model Configuration

The submodule "ietf-snmp-tls", which defines configuration parameters
that correspond to the objects in SNMP-TLS-TM-MIB, has the following
structure:

    +--rw snmp
       ...
       +--rw target* [name]
       |  ...
       |  +--rw (transport)
       |     ...
       |     +--:(tls)
       |     |  +--rw tls
       |     |     +-- {common (d)tls transport params}
       |     +--:(dtls)
       |        +--rw dtls
       |           +-- {common (d)tls transport params}
       +--rw tlstm
          +--rw cert-to-name* [id]
             +--rw id             uint32
             +--rw fingerprint    x509c2n:tls-fingerprint
             +--rw map-type       identityref
             +--rw name           string

The "{common (d)tls transport params}" are:

    +--rw ip?                   inet:host
    +--rw port?                 inet:port-number
    +--rw client-fingerprint?   x509c2n:tls-fingerprint
    [...]
    +--rw server-identity?      snmp:admin-string

It also augments the "/snmp/engine/listen" container with objects for
the (D)TLS transport endpoints:

    +--rw snmp
       +--rw engine
          ...
          +--rw listen
             ...
             +--rw tls* [ip port]
             |  +--rw ip      inet:ip-address
             |  +--rw port    inet:port-number
             +--rw dtls* [ip port]
                +--rw ip      inet:ip-address
                +--rw port    inet:port-number

This submodule defines the feature "tlstm". A server implements this
feature if it supports the Transport Layer Security (TLS) Transport
Model (tlstm) [RFC6353].
2.13. Secure Shell Transport Model Configuration

The submodule "ietf-snmp-ssh", which defines configuration parameters
that correspond to the objects in SNMP-SSH-TM-MIB, has the following
structure:

    +--rw snmp
       ...
       +--rw target* [name]
          ...
          +--rw (transport)
             ...
             +--:(ssh)
                +--rw ssh
                   +--rw ip          inet:host
                   +--rw port?       inet:port-number
                   +--rw username?   string

It also augments the "/snmp/engine/listen" container with objects for
the SSH transport endpoints:

    +--rw snmp
       +--rw engine
          ...
          +--rw listen
             ...
             +--rw ssh* [ip port]

This submodule defines the feature "sshtm". A server implements this
feature if it supports the Secure Shell (SSH) Transport Model (sshtm)
[RFC5592].
3. Definitions 3. Implementation Guidelines
3.1. Module 'ietf-x509-cert-to-name' This section describes some challenges for implementations that
support both the YANG models defined in this document, and either
read-write or read-only SNMP access to the same data, using the
standard MIB modules.
As described in Section 2.2, the persistency models in NETCONF and
SNMP are quite different. This poses a challenge for an
implementation to support both NETCONF and SNMP access to the same
data, in particular if the data is writable over both protocols.
Specifically, the configuration data may exist in some combination of
the three NETCONF configuration datastores, and this data must be
mapped to rows in the SNMP tables, in some SNMP contexts, with proper
values for the StorageType columns.
This problem is not new; it has been handled in many implementations
that support configuration of the SNMP engine over a command line
interface (CLI), which normally have a persistency model similar to
NETCONF.
Since there is not one solution that works for all cases, this
document does not provide a recommended solution. Instead some of
the challenges involved are described below.
3.1. Supporting read-only SNMP Access
If a device implements only :writable-running, it is trivial to map
the contents of "running" to data in the SNMP tables, where all
instances of the StorageType columns have the value "nonVolatile".
If a device implements :candidate, but not :startup, the
implementation may choose to not expose the contents of the
"candidate" datastore over SNMP, and map the contents of "running" as
described above. As an option, the contents of "candidate" might be
accessible in a separate SNMP context.
If a device implements :startup, the handling of StorageType becomes
more difficult. Since the contents of "running" and "startup" might
differ, data in running cannot automatically be mapped to instances
with StorageType "nonVolatile". If a particular entry exists in
"running" but not in "startup", its StorageType should be "volatile".
If a particular entry exists in "startup", but not "running", it
should not be mapped to an SNMP instance, at least not in the default
SNMP context.
3.2. Supporting read-write SNMP access
If the implementation supports read-write access to data over SNMP,
and specifically creation of table rows, special attention has to be
given to the handling of the RowStatus and StorageType columns. The
problem is to determine which table rows to store in the
configuration datastores, and which configuration datastore is
appropriate for each row.
The SNMP tables contain a mix of configured data and operational
state, and only rows with an "active" RowStatus column should be
stored in a configuration datastore.
If a device implements only :writable-running, "active" rows with a
"nonVolatile" StorageType column can be stored in "running". Rows
with a "volatile" StorageType column are operational state.
If a device implements :candidate, but not :writable-running, all
configuration changes typically go through the "candidate", even if
they are done over SNMP. An implementation might have to perform
some automatic commit of the "candidate" when data is written over
SNMP, since there is no explicit "commit" operation in SNMP.
If a device implements :startup, "nonVolatile" rows cannot just be
written to "running", they must also be copied into "startup".
"volatile" rows may be treated as operational state and not copied to
any datastore, or copied into "running".
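The mapping rules of Sections 3.1 and 3.2 carried through in code, as an added example that is not part of the draft: from the NETCONF capabilities a device advertises and the datastores an entry lives in, derive the StorageType shown over SNMP (or that the entry is not exposed), and for a row created over SNMP, derive which datastores it must be written to. The NetconfCaps type, the datastore dictionaries and the target names are constructed; where the draft leaves a choice open (volatile rows, a separate "candidate" context) the choice taken is marked as an assumption.

```python
"""Datastore <-> SNMP StorageType/RowStatus mapping (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

RUNNING, STARTUP, CANDIDATE = "running", "startup", "candidate"


@dataclass(frozen=True)
class NetconfCaps:
    """NETCONF capabilities that decide the persistency model (constructed)."""
    writable_running: bool = True
    candidate: bool = False
    startup: bool = False


def storage_type_for(present_in: Set[str], caps: NetconfCaps) -> Optional[str]:
    """Section 3.1: StorageType an entry shows in the default SNMP context,
    given the datastores it is present in; None means the entry is not
    mapped to an SNMP instance in the default context."""
    if caps.startup:
        # running and startup may differ: only entries in both are
        # nonVolatile, running-only entries are volatile, and startup-only
        # entries are not mapped in the default context.
        if RUNNING in present_in and STARTUP in present_in:
            return "nonVolatile"
        if RUNNING in present_in:
            return "volatile"
        return None
    # Without :startup, running is the persistent configuration, so every
    # entry in it is nonVolatile. Candidate-only entries are not exposed
    # (assumption: no separate SNMP context is provided for "candidate").
    return "nonVolatile" if RUNNING in present_in else None


def snmp_view(datastores: Dict[str, Set[str]], caps: NetconfCaps) -> Dict[str, str]:
    """Read-only view (Section 3.1): entry name -> StorageType for every
    entry present in any datastore that is mapped to the default context."""
    names = set().union(*datastores.values()) if datastores else set()
    view = {}
    for name in sorted(names):
        present = {ds for ds, entries in datastores.items() if name in entries}
        storage_type = storage_type_for(present, caps)
        if storage_type is not None:
            view[name] = storage_type
    return view


def datastores_for_row(row_status: str, storage_type: str,
                       caps: NetconfCaps) -> Set[str]:
    """Section 3.2: datastores a row written over SNMP must end up in.
    An empty set means the row is operational state only."""
    if row_status != "active":
        return set()          # only active rows are configuration
    if storage_type != "nonVolatile":
        # Assumption: volatile rows are treated as operational state and
        # not copied anywhere (the draft also allows copying them into
        # running).
        return set()
    if caps.candidate and not caps.writable_running:
        # All changes go through candidate; SNMP has no commit operation,
        # so the implementation has to commit automatically.
        targets = {CANDIDATE, RUNNING}
    else:
        targets = {RUNNING}
    if caps.startup:
        targets.add(STARTUP)  # nonVolatile rows must also be copied to startup
    return targets


# Constructed sample: notification targets present in running and startup,
# where "nms2" was added in running but never saved, and "old-nms" was
# deleted from running but is still in startup.
SAMPLE_DATASTORES: Dict[str, Set[str]] = {
    RUNNING: {"nms1", "nms2"},
    STARTUP: {"nms1", "old-nms"},
}

if __name__ == "__main__":
    caps = NetconfCaps(startup=True)
    print(snmp_view(SAMPLE_DATASTORES, caps))
    # -> {'nms1': 'nonVolatile', 'nms2': 'volatile'}
    print(sorted(datastores_for_row("active", "nonVolatile", caps)))
    # -> ['running', 'startup']
```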
4. Definitions
4.1. Module 'ietf-x509-cert-to-name'
This YANG module imports typedefs from [RFC6991].
<CODE BEGINS> file "ietf-x509-cert-to-name.yang" <CODE BEGINS> file "ietf-x509-cert-to-name.yang"
module ietf-x509-cert-to-name { module ietf-x509-cert-to-name {
namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"; namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name";
prefix x509c2n; prefix x509c2n;
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
skipping to change at page 16, line 18 skipping to change at page 19, line 20
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC6353: Transport Layer Security (TLS) Transport Model for "RFC6353: Transport Layer Security (TLS) Transport Model for
the Simple Network Management Protocol (SNMP)"; the Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-03-26 { revision 2013-11-05 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
typedef tls-fingerprint { typedef tls-fingerprint {
type yang:hex-string { type yang:hex-string {
pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}'; pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
skipping to change at page 17, line 51 skipping to change at page 21, line 4
1) for IPv4, the value is converted into a 1) for IPv4, the value is converted into a
decimal-dotted quad address (e.g., '192.0.2.1'). decimal-dotted quad address (e.g., '192.0.2.1').
2) for IPv6 addresses, the value is converted into a 2) for IPv6 addresses, the value is converted into a
32-character all lowercase hexadecimal string 32-character all lowercase hexadecimal string
without any colon separators. without any colon separators.
This mapping results in a 1:1 correspondence between This mapping results in a 1:1 correspondence between
subjectAltName iPAddress values and the name values."; subjectAltName iPAddress values and the name values.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
} }
identity san-any { identity san-any {
base cert-to-name; base cert-to-name;
description description
"Maps any of the following fields using the corresponding "Maps any of the following fields using the corresponding
mapping algorithms: mapping algorithms:
+------------+-----------------+ +------------+-----------------+
| Type | Algorithm | | Type | Algorithm |
skipping to change at page 20, line 43 skipping to change at page 23, line 44
"Directly specifies the NETCONF username when the "Directly specifies the NETCONF username when the
'map-type' is 'specified'."; 'map-type' is 'specified'.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData"; reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.2. Module 'ietf-snmp' 4.2. Module 'ietf-snmp'
<CODE BEGINS> file "ietf-snmp.yang" <CODE BEGINS> file "ietf-snmp.yang"
module ietf-snmp { module ietf-snmp {
namespace "urn:ietf:params:xml:ns:yang:ietf-snmp"; namespace "urn:ietf:params:xml:ns:yang:ietf-snmp";
prefix snmp; prefix snmp;
// RFC Ed.: update the dates below with the date of RFC publication // RFC Ed.: update the dates below with the date of RFC publication
// and remove this note. // and remove this note.
include ietf-snmp-common { include ietf-snmp-common {
revision-date 2013-03-26; revision-date 2013-11-05;
} }
include ietf-snmp-engine { include ietf-snmp-engine {
revision-date 2013-03-26; revision-date 2013-11-05;
} }
include ietf-snmp-target { include ietf-snmp-target {
revision-date 2013-03-26; revision-date 2013-11-05;
} }
include ietf-snmp-notification { include ietf-snmp-notification {
revision-date 2013-03-26; revision-date 2013-11-05;
} }
include ietf-snmp-proxy { include ietf-snmp-proxy {
revision-date 2013-03-26; revision-date 2013-11-05;
} }
include ietf-snmp-community { include ietf-snmp-community {
revision-date 2013-03-26; revision-date 2013-11-05;
} }
include ietf-snmp-usm { include ietf-snmp-usm {
revision-date 2013-03-26; revision-date 2013-11-05;
} }
include ietf-snmp-tsm { include ietf-snmp-tsm {
revision-date 2013-03-26; revision-date 2013-11-05;
} }
include ietf-snmp-vacm { include ietf-snmp-vacm {
revision-date 2013-03-26; revision-date 2013-11-05;
} }
include ietf-snmp-tls { include ietf-snmp-tls {
revision-date 2013-03-26; revision-date 2013-11-05;
} }
include ietf-snmp-ssh { include ietf-snmp-ssh {
revision-date 2013-03-26; revision-date 2013-11-05;
} }
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org> WG List: <mailto:netmod@ietf.org>
WG Chair: David Kessens WG Chair: David Kessens
skipping to change at page 22, line 35 skipping to change at page 25, line 35
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-03-26 { revision 2013-11-05 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
} }
<CODE ENDS> <CODE ENDS>
3.3. Submodule 'ietf-snmp-common' 4.3. Submodule 'ietf-snmp-common'
<CODE BEGINS> file "ietf-snmp-common.yang" <CODE BEGINS> file "ietf-snmp-common.yang"
submodule ietf-snmp-common { submodule ietf-snmp-common {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
skipping to change at page 24, line 6 skipping to change at page 27, line 6
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-03-26 { revision 2013-11-05 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
/* Collection of SNMP specific data types */ /* Collection of SNMP specific data types */
typedef admin-string { typedef admin-string {
type string { type string {
skipping to change at page 26, line 32 skipping to change at page 29, line 32
container snmp { container snmp {
description description
"Top-level container for SNMP related configuration and "Top-level container for SNMP related configuration and
status objects."; status objects.";
} }
} }
<CODE ENDS> <CODE ENDS>
3.4. Submodule 'ietf-snmp-engine' 4.4. Submodule 'ietf-snmp-engine'
<CODE BEGINS> file "ietf-snmp-engine.yang" <CODE BEGINS> file "ietf-snmp-engine.yang"
submodule ietf-snmp-engine { submodule ietf-snmp-engine {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
import ietf-inet-types { import ietf-inet-types {
skipping to change at page 27, line 42 skipping to change at page 30, line 42
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-03-26 { revision 2013-11-05 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
augment /snmp:snmp { augment /snmp:snmp {
container engine { container engine {
description description
skipping to change at page 29, line 34 skipping to change at page 32, line 34
"Indicates whether the SNMP entity is permitted to "Indicates whether the SNMP entity is permitted to
generate authenticationFailure traps."; generate authenticationFailure traps.";
reference "SNMPv2-MIB.snmpEnableAuthenTraps"; reference "SNMPv2-MIB.snmpEnableAuthenTraps";
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.5. Submodule 'ietf-snmp-target' 4.5. Submodule 'ietf-snmp-target'
<CODE BEGINS> file "ietf-snmp-target.yang" <CODE BEGINS> file "ietf-snmp-target.yang"
submodule ietf-snmp-target { submodule ietf-snmp-target {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
import ietf-inet-types { import ietf-inet-types {
skipping to change at page 30, line 48 skipping to change at page 33, line 48
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3413: Simple Network Management Protocol (SNMP) "RFC3413: Simple Network Management Protocol (SNMP)
Applications"; Applications";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-03-26 { revision 2013-11-05 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
augment /snmp:snmp { augment /snmp:snmp {
list target { list target {
skipping to change at page 33, line 17 skipping to change at page 36, line 17
not contain any case, and vice versa."; not contain any case, and vice versa.";
reference "SNMP-TARGET-MIB.snmpTargetAddrParams reference "SNMP-TARGET-MIB.snmpTargetAddrParams
SNMP-TARGET-MIB.snmpTargetParamsTable"; SNMP-TARGET-MIB.snmpTargetParamsTable";
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.6. Submodule 'ietf-snmp-notification' 4.6. Submodule 'ietf-snmp-notification'
<CODE BEGINS> file "ietf-snmp-notification.yang" <CODE BEGINS> file "ietf-snmp-notification.yang"
submodule ietf-snmp-notification { submodule ietf-snmp-notification {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
include ietf-snmp-common; include ietf-snmp-common;
skipping to change at page 34, line 28 skipping to change at page 37, line 28
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3413: Simple Network Management Protocol (SNMP) "RFC3413: Simple Network Management Protocol (SNMP)
Applications"; Applications";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-03-26 { revision 2013-11-05 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
feature notification-filter { feature notification-filter {
description description
"A server implements this feature if it supports SNMP "A server implements this feature if it supports SNMP
notification filtering."; notification filtering.";
skipping to change at page 37, line 9 skipping to change at page 40, line 9
relationship between the /snmp/target list and the relationship between the /snmp/target list and the
/snmp/notify-filter-profile list."; /snmp/notify-filter-profile list.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName"; reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.7. Submodule 'ietf-snmp-proxy' 4.7. Submodule 'ietf-snmp-proxy'
<CODE BEGINS> file "ietf-snmp-proxy.yang" <CODE BEGINS> file "ietf-snmp-proxy.yang"
submodule ietf-snmp-proxy { submodule ietf-snmp-proxy {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
include ietf-snmp-common; include ietf-snmp-common;
skipping to change at page 38, line 19 skipping to change at page 41, line 19
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3413: Simple Network Management Protocol (SNMP) "RFC3413: Simple Network Management Protocol (SNMP)
Applications"; Applications";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-03-26 { revision 2013-11-05 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
feature proxy { feature proxy {
description description
"A server implements this feature if it can act as an "A server implements this feature if it can act as an
SNMP Proxy"; SNMP Proxy";
skipping to change at page 40, line 11 skipping to change at page 43, line 11
a valid configuration."; a valid configuration.";
reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut"; reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut";
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.8. Submodule 'ietf-snmp-community' 4.8. Submodule 'ietf-snmp-community'
<CODE BEGINS> file "ietf-snmp-community.yang" <CODE BEGINS> file "ietf-snmp-community.yang"
submodule ietf-snmp-community { submodule ietf-snmp-community {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
include ietf-snmp-common; include ietf-snmp-common;
skipping to change at page 41, line 22 skipping to change at page 44, line 22
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3584: Coexistence between Version 1, Version 2, and Version 3 "RFC3584: Coexistence between Version 1, Version 2, and Version 3
of the Internet-standard Network Management Framework"; of the Internet-standard Network Management Framework";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-03-26 { revision 2013-11-05 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
augment /snmp:snmp { augment /snmp:snmp {
list community { list community {
key index; key index;
skipping to change at page 44, line 37 skipping to change at page 47, line 37
default "484"; default "484";
reference reference
"SNMP-COMMUNITY-MIB.snmpTargetAddrMMS"; "SNMP-COMMUNITY-MIB.snmpTargetAddrMMS";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.9. Submodule 'ietf-snmp-vacm' 4.9. Submodule 'ietf-snmp-vacm'
<CODE BEGINS> file "ietf-snmp-vacm.yang" <CODE BEGINS> file "ietf-snmp-vacm.yang"
submodule ietf-snmp-vacm { submodule ietf-snmp-vacm {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
include ietf-snmp-common; include ietf-snmp-common;
skipping to change at page 45, line 47 skipping to change at page 48, line 47
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3415: View-based Access Control Model (VACM) for the "RFC3415: View-based Access Control Model (VACM) for the
Simple Network Management Protocol (SNMP)"; Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-03-26 { revision 2013-11-05 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
typedef view-name { typedef view-name {
type snmp:identifier; type snmp:identifier;
description description
skipping to change at page 50, line 14 skipping to change at page 53, line 14
SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType"; SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
} }
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.10. Submodule 'ietf-snmp-usm' 4.10. Submodule 'ietf-snmp-usm'
This YANG submodule imports YANG extensions from [RFC6536].
<CODE BEGINS> file "ietf-snmp-usm.yang" <CODE BEGINS> file "ietf-snmp-usm.yang"
submodule ietf-snmp-usm { submodule ietf-snmp-usm {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
import ietf-yang-types { import ietf-yang-types {
skipping to change at page 51, line 33 skipping to change at page 54, line 35
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3414: User-based Security Model (USM) for version 3 of the "RFC3414: User-based Security Model (USM) for version 3 of the
Simple Network Management Protocol (SNMPv3)."; Simple Network Management Protocol (SNMPv3).";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-03-26 { revision 2013-11-05 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
grouping key { grouping key {
leaf key { leaf key {
type yang:hex-string; type yang:hex-string;
mandatory true; mandatory true;
skipping to change at page 52, line 51 skipping to change at page 56, line 4
choice protocol { choice protocol {
mandatory true; mandatory true;
reference "SNMP-USER-BASED-SM-MIB.usmUserPrivProtocol"; reference "SNMP-USER-BASED-SM-MIB.usmUserPrivProtocol";
container des { container des {
uses key; uses key;
reference "SNMP-USER-BASED-SM-MIB.usmDESPrivProtocol"; reference "SNMP-USER-BASED-SM-MIB.usmDESPrivProtocol";
} }
container aes { container aes {
uses key; uses key;
reference "SNMP-USM-AES-MIB.usmAesCfb128Protocol"; reference "SNMP-USM-AES-MIB.usmAesCfb128Protocol";
}
}
} }
} }
} }
} }
augment /snmp:snmp { augment /snmp:snmp {
container usm { container usm {
description description
"Configuration of the User-based Security Model"; "Configuration of the User-based Security Model";
skipping to change at page 54, line 20 skipping to change at page 57, line 23
augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
case usm { case usm {
uses usm-target-params; uses usm-target-params;
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.11. Submodule 'ietf-snmp-tsm' 4.11. Submodule 'ietf-snmp-tsm'
<CODE BEGINS> file "ietf-snmp-tsm.yang" <CODE BEGINS> file "ietf-snmp-tsm.yang"
submodule ietf-snmp-tsm { submodule ietf-snmp-tsm {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
include ietf-snmp-common; include ietf-snmp-common;
skipping to change at page 55, line 32 skipping to change at page 58, line 35
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC5591: Transport Security Model for the "RFC5591: Transport Security Model for the
Simple Network Management Protocol (SNMP)"; Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-03-26 { revision 2013-11-05 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
feature tsm { feature tsm {
description description
"A server implements this feature if it supports the "A server implements this feature if it supports the
Transport Security Model for SNMP."; Transport Security Model for SNMP.";
skipping to change at page 56, line 49 skipping to change at page 60, line 4
uses tsm-target-params; uses tsm-target-params;
} }
} }
augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
if-feature tsm; if-feature tsm;
case tsm { case tsm {
uses tsm-target-params; uses tsm-target-params;
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.12. Submodule 'ietf-snmp-tls' 4.12. Submodule 'ietf-snmp-tls'
<CODE BEGINS> file "ietf-snmp-tls.yang" <CODE BEGINS> file "ietf-snmp-tls.yang"
submodule ietf-snmp-tls { submodule ietf-snmp-tls {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
import ietf-inet-types { import ietf-inet-types {
skipping to change at page 58, line 25 skipping to change at page 61, line 28
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC6353: Transport Layer Security (TLS) Transport Model for "RFC6353: Transport Layer Security (TLS) Transport Model for
the Simple Network Management Protocol (SNMP)"; the Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-03-26 { revision 2013-11-05 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
feature tlstm { feature tlstm {
description description
"A server implements this feature if it supports the "A server implements this feature if it supports the
Transport Layer Security Transport Model for SNMP."; Transport Layer Security Transport Model for SNMP.";
skipping to change at page 59, line 39 skipping to change at page 62, line 42
over DTLS."; over DTLS.";
} }
} }
} }
augment /snmp:snmp { augment /snmp:snmp {
if-feature tlstm; if-feature tlstm;
container tlstm { container tlstm {
uses x509c2n:cert-to-name { uses x509c2n:cert-to-name {
description description
"Defines how certifcates are mapped to names. The "Defines how certificates are mapped to names. The
resulting name is used as a security name."; resulting name is used as a security name.";
refine cert-to-name/map-type { refine cert-to-name/map-type {
description description
"Mappings that use the snmpTlstmCertToTSNData column "Mappings that use the snmpTlstmCertToTSNData column
need to augment the 'cert-to-name' list need to augment the 'cert-to-name' list
with additional configuration objects corresponding with additional configuration objects corresponding
to the snmpTlstmCertToTSNData value. Such objects to the snmpTlstmCertToTSNData value. Such objects
should use the 'when' statement to make them should use the 'when' statement to make them
conditional based on the 'map-type'."; conditional based on the 'map-type'.";
} }
} }
} }
} }
grouping tls-transport { grouping tls-transport {
leaf ip { leaf ip {
type inet:host; type inet:host;
mandatory true; mandatory true;
reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
SNMP-TLS-TM-MIB.SnmpTLSAddress"; SNMP-TLS-TM-MIB.SnmpTLSAddress";
} }
leaf port { leaf port {
skipping to change at page 60, line 50 skipping to change at page 64, line 4
} }
} }
} }
augment /snmp:snmp/snmp:target/snmp:transport { augment /snmp:snmp/snmp:target/snmp:transport {
if-feature tlstm; if-feature tlstm;
case dtls { case dtls {
reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain"; reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain";
container dtls { container dtls {
uses tls-transport; uses tls-transport;
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3.13. Submodule 'ietf-snmp-ssh' 4.13. Submodule 'ietf-snmp-ssh'
<CODE BEGINS> file "ietf-snmp-ssh.yang" <CODE BEGINS> file "ietf-snmp-ssh.yang"
submodule ietf-snmp-ssh { submodule ietf-snmp-ssh {
belongs-to ietf-snmp { belongs-to ietf-snmp {
prefix snmp; prefix snmp;
} }
import ietf-inet-types { import ietf-inet-types {
skipping to change at page 62, line 25 skipping to change at page 65, line 28
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC5592: Secure Shell Transport Model for the "RFC5592: Secure Shell Transport Model for the
Simple Network Management Protocol (SNMP)"; Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-03-26 { revision 2013-11-05 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
feature sshtm { feature sshtm {
description description
"A server implements this feature if it supports the "A server implements this feature if it supports the
Secure Shell Transport Model for SNMP."; Secure Shell Transport Model for SNMP.";
skipping to change at page 64, line 5 skipping to change at page 67, line 5
reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
SNMP-SSH-TM-MIB.SnmpSSHAddress"; SNMP-SSH-TM-MIB.SnmpSSHAddress";
} }
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
4. IANA Considerations 5. IANA Considerations
This document registers a URI in the IETF XML registry [RFC3688]. This document registers a URI in the IETF XML registry [RFC3688].
Following the format in RFC 3688, the following registration is Following the format in RFC 3688, the following registration is
requested to be made. requested to be made.
URI: urn:ietf:params:xml:ns:yang:ietf-snmp URI: urn:ietf:params:xml:ns:yang:ietf-snmp
Registrant Contact: The NETMOD WG of the IETF. Registrant Contact: The NETMOD WG of the IETF.
XML: N/A, the requested URI is an XML namespace. XML: N/A, the requested URI is an XML namespace.
This document registers a YANG module in the YANG Module Names This document registers the following YANG modules in the YANG Module
registry [RFC6020]. Names registry [RFC6020].
name: ietf-snmp name: ietf-snmp
namespace: urn:ietf:params:xml:ns:yang:ietf-snmp namespace: urn:ietf:params:xml:ns:yang:ietf-snmp
prefix: snmp prefix: snmp
reference: RFC XXXX reference: RFC XXXX
name: ietf-x509-cert-to-name
namespace: urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name
prefix: x509c2n
reference: RFC XXXX
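Review bot: the IETF XML registry entry in this section covers only urn:ietf:params:xml:ns:yang:ietf-snmp, but the YANG Module Names registration now lists a second module, ietf-x509-cert-to-name, whose namespace urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name is declared in Section 4.1 and is not registered anywhere. Add a second URI registration for it in the same form (URI, Registrant Contact: The NETMOD WG of the IETF, XML: N/A) so that both namespaces used by the modules in Section 4 are registered.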
The document registers the following YANG submodules in the YANG The document registers the following YANG submodules in the YANG
Module Names registry [RFC6020]. Module Names registry [RFC6020].
name: ietf-snmp-common name: ietf-snmp-common
parent: ietf-snmp parent: ietf-snmp
reference: RFC XXXX reference: RFC XXXX
name: ietf-snmp-engine name: ietf-snmp-engine
parent: ietf-snmp parent: ietf-snmp
reference: RFC XXXX reference: RFC XXXX
skipping to change at page 66, line 5 skipping to change at page 69, line 5
reference: RFC XXXX reference: RFC XXXX
name: ietf-snmp-tls name: ietf-snmp-tls
parent: ietf-snmp parent: ietf-snmp
reference: RFC XXXX reference: RFC XXXX
name: ietf-snmp-ssh name: ietf-snmp-ssh
parent: ietf-snmp parent: ietf-snmp
reference: RFC XXXX reference: RFC XXXX
5. Security Considerations 6. Security Considerations
The YANG module and submodules defined in this memo are designed to The YANG module and submodules defined in this memo are designed to
be accessed via the NETCONF protocol [RFC6241]. The lowest NETCONF be accessed via the NETCONF protocol [RFC6241]. The lowest NETCONF
layer is the secure transport layer and the mandatory-to-implement layer is the secure transport layer and the mandatory-to-implement
secure transport is SSH [RFC6242]. secure transport is SSH [RFC6242].
There are a number of data nodes defined in the YANG module and There are a number of data nodes defined in the YANG module and
submodules which are writable/creatable/deletable (i.e., config true, submodules which are writable/creatable/deletable (i.e., config true,
which is the default). These data nodes may be considered sensitive which is the default). These data nodes may be considered sensitive
or vulnerable in some network environments. Write operations (e.g., or vulnerable in some network environments. Write operations (e.g.,
skipping to change at page 68, line 5 skipping to change at page 71, line 5
notification targets. notification targets.
o The /snmp/proxy subtree exposes information about proxy o The /snmp/proxy subtree exposes information about proxy
relationships. relationships.
o The /snmp/community, /snmp/usm, /snmp/tsm, /snmp/tlstm, and /snmp/ o The /snmp/community, /snmp/usm, /snmp/tsm, /snmp/tlstm, and /snmp/
vacm subtrees are specifically sensitive since they expose vacm subtrees are specifically sensitive since they expose
information about the authentication and authorization policy used information about the authentication and authorization policy used
by an SNMP engine. by an SNMP engine.
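One way to confine access to the subtrees the list above calls out is a NETCONF Access Control Model (NACM, [RFC6536]) rule set on the device. The fragment below is an added configuration example, not part of this draft or of the ietf-snmp module: the group name snmp-admin, the user name alice and the rule-list and rule names are assumptions, while the paths are exactly the /snmp/community, /snmp/usm, /snmp/tsm, /snmp/tlstm and /snmp/vacm subtrees the text names.

```xml
<!-- Added example: NACM policy protecting the sensitive ietf-snmp subtrees.
     Group, user and rule names are assumed; namespaces are from RFC 6536
     (NACM) and from the ietf-snmp registration in this document. -->
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>permit</exec-default>

  <groups>
    <group>
      <name>snmp-admin</name>        <!-- assumed group name -->
      <user-name>alice</user-name>   <!-- assumed user -->
    </group>
  </groups>

  <!-- Rule-lists are evaluated in order and the first matching rule wins,
       so the administrative permit list must precede the catch-all deny. -->
  <rule-list>
    <name>snmp-admin-full-access</name>
    <group>snmp-admin</group>
    <rule>
      <name>snmp-module-all</name>
      <module-name>ietf-snmp</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
    </rule>
  </rule-list>

  <rule-list>
    <name>snmp-auth-policy-deny</name>
    <group>*</group>
    <rule>
      <name>deny-community</name>
      <module-name>ietf-snmp</module-name>
      <path xmlns:snmp="urn:ietf:params:xml:ns:yang:ietf-snmp">/snmp:snmp/snmp:community</path>
      <access-operations>*</access-operations>
      <action>deny</action>
    </rule>
    <rule>
      <name>deny-usm</name>
      <module-name>ietf-snmp</module-name>
      <path xmlns:snmp="urn:ietf:params:xml:ns:yang:ietf-snmp">/snmp:snmp/snmp:usm</path>
      <access-operations>*</access-operations>
      <action>deny</action>
    </rule>
    <rule>
      <name>deny-tsm</name>
      <module-name>ietf-snmp</module-name>
      <path xmlns:snmp="urn:ietf:params:xml:ns:yang:ietf-snmp">/snmp:snmp/snmp:tsm</path>
      <access-operations>*</access-operations>
      <action>deny</action>
    </rule>
    <rule>
      <name>deny-tlstm</name>
      <module-name>ietf-snmp</module-name>
      <path xmlns:snmp="urn:ietf:params:xml:ns:yang:ietf-snmp">/snmp:snmp/snmp:tlstm</path>
      <access-operations>*</access-operations>
      <action>deny</action>
    </rule>
    <rule>
      <name>deny-vacm</name>
      <module-name>ietf-snmp</module-name>
      <path xmlns:snmp="urn:ietf:params:xml:ns:yang:ietf-snmp">/snmp:snmp/snmp:vacm</path>
      <access-operations>*</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>
```

With this policy in place, members of the assumed snmp-admin group keep full access to the ietf-snmp module, every other NETCONF user is refused both read and write access to the five authentication and authorization subtrees, and the remaining ietf-snmp nodes fall back to the read-default/write-default values (readable, not writable). Because the deny rules use "*" for access-operations, the subtrees are hidden from <get-config> replies as well as protected from edits.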
6. Acknowledgments 7. Acknowledgments
The authors want to thank Wes Hardaker and David Spakes for their The authors want to thank Wes Hardaker and David Spakes for their
reviews and valuable comments. reviews and valuable comments.
7. References Juergen Schoenwaelder was partly funded by Flamingo, a Network of
Excellence project (ICT-318488) supported by the European Commission
under its Seventh Framework Programme.
7.1. Normative References 8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the
Network Configuration Protocol (NETCONF)", RFC 6020, Network Configuration Protocol (NETCONF)", RFC 6020,
October 2010. October 2010.
[RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
Bierman, "Network Configuration Protocol (NETCONF)", Bierman, "Network Configuration Protocol (NETCONF)",
RFC 6241, June 2011. RFC 6241, June 2011.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, June 2011. Shell (SSH)", RFC 6242, June 2011.
7.2. Informative References [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration
Protocol (NETCONF) Access Control Model", RFC 6536,
March 2012.
[RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991,
July 2013.
8.2. Informative References
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002. December 2002.
[RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, [RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
"Message Processing and Dispatching for the Simple Network "Message Processing and Dispatching for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3412, Management Protocol (SNMP)", STD 62, RFC 3412,
December 2002. December 2002.
 End of changes. 90 change blocks. 
128 lines changed or deleted 238 lines changed or added