Diff: draft-ietf-netmod-snmp-cfg-03.txt  vs.  draft-ietf-netmod-snmp-cfg-04.txt
(inline changes are marked [-removed in -04-] {+added in -04+}; diagrams
and code that changed are shown once per version, labelled draft-03 and
draft-04)

Network Working Group                                       M. Bjorklund
Internet-Draft                                           Tail-f Systems
Intended status: Standards Track                        J. Schoenwaelder
Expires: [-May 9, 2014-] {+August 14, 2014+}              Jacobs University
                                    [-November 5, 2013-] {+February 10, 2014+}

               A YANG Data Model for SNMP Configuration
        [-draft-ietf-netmod-snmp-cfg-03-] {+draft-ietf-netmod-snmp-cfg-04+}

Abstract

   This document defines a collection of YANG definitions for
   configuring SNMP engines.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   (skipping to change at page 1, line 32)

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on [-May 9, 2014-] {+August 14, 2014+}.

Copyright Notice

   Copyright (c) [-2013-] {+2014+} IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as

   (skipping to change at page 2, line 17)
   1.  Introduction
   2.  Data Model
     2.1.  Tree Diagrams
     2.2.  General Considerations
     2.3.  Common Definitions
     2.4.  Engine Configuration
     2.5.  Target Configuration
     2.6.  Notification Configuration
     2.7.  Proxy Configuration
     2.8.  Community Configuration
     2.9.  View-based Access Control Model Configuration
     2.10. User-based Security Model Configuration
     2.11. Transport Security Model Configuration
     2.12. Transport Layer Security Transport Model Configuration
     2.13. Secure Shell Transport Model Configuration
   3.  Implementation Guidelines
     3.1.  Supporting read-only SNMP Access
     3.2.  Supporting read-write SNMP access
   4.  Definitions
     4.1.  Module 'ietf-x509-cert-to-name'
     4.2.  Module 'ietf-snmp'
     4.3.  Submodule 'ietf-snmp-common'
     4.4.  Submodule 'ietf-snmp-engine'
     4.5.  Submodule 'ietf-snmp-target'
     4.6.  Submodule 'ietf-snmp-notification'
     4.7.  Submodule 'ietf-snmp-proxy'
     4.8.  Submodule 'ietf-snmp-community'
     4.9.  Submodule 'ietf-snmp-vacm'
     4.10. Submodule 'ietf-snmp-usm'
     4.11. Submodule 'ietf-snmp-tsm'
     4.12. Submodule 'ietf-snmp-tls'
     4.13. Submodule 'ietf-snmp-ssh'
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Example configurations
     A.1.  Engine Configuration Example
     A.2.  Community Configuration Example
     A.3.  User-based Security Model Configuration Example
     A.4.  Target and Notification Configuration Example
     A.5.  Proxy Configuration Example
     A.6.  View-based Access Control Model Configuration Example
     A.7.  Transport Layer Security Transport Model Configuration
           Example
   Authors' Addresses
1.  Introduction

   This document defines a YANG [RFC6020] data model for the
   configuration of SNMP engines.  The configuration model is consistent
   with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413],
   [RFC3414], [RFC3415], [RFC3418], [RFC3584], [RFC5591], [RFC5592], and
   [RFC6353] but takes advantage of YANG's ability to define
   hierarchical configuration data models.  [-The structure of the model
   has been derived from existing proprietary configuration models
   implemented as command line interfaces.-]

   {+The configuration data model in particular targets SNMP deployments
   where SNMP runs in read-only mode and NETCONF is used to configure
   the SNMP agent.  Nevertheless, the data model has been designed to
   allow implementations that support write access both via SNMP and
   NETCONF in order to interwork with SNMP-managed management
   applications manipulating SNMP agent configuration using SNMP.

   The YANG data model focuses on configuration.  Operational state
   objects are not explicitly modeled.  The operational state of an
   SNMP agent can either be accessed directly via SNMP or,
   alternatively, via NETCONF using the read-only translation of the
   relevant SNMP MIB modules into YANG modules [RFC6643].+}

   This document also defines a YANG data model for mapping an X.509
   certificate to a name.

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14, [RFC2119].
2.  Data Model

   (skipping to change at page 7, line 7)

   the different message processing models.
2.5.  Target Configuration

   The submodule "ietf-snmp-target", which defines configuration
   parameters that correspond to the objects in SNMP-TARGET-MIB, has the
   following structure:

   draft-03:

   +--rw snmp
      +--rw target* [name]
         +--rw name              snmp:identifier
         +--rw (transport)
         |  +--:(udp)
         |     +--rw udp
         |        +--rw ip               inet:ip-address
         |        +--rw port?            inet:port-number
         |        +--rw prefix-length?   uint8
         +--rw tag*              snmp:identifier
         +--rw timeout?          uint32
         +--rw retries?          uint8
         +--rw (params)?

   draft-04:

   +--rw snmp
      +--rw target* [name]
      |  +--rw name              snmp:identifier
      |  +--rw (transport)
      |  |  +--:(udp)
      |  |     +--rw udp
      |  |        +--rw ip               inet:ip-address
      |  |        +--rw port?            inet:port-number
      |  |        +--rw prefix-length?   uint8
      |  +--rw tag*              snmp:identifier
      |  +--rw timeout?          uint32
      |  +--rw retries?          uint8
      |  +--rw target-params     snmp:identifier
      +--rw target-params* [name]
         +--rw name              snmp:identifier
         +--rw (params)?

   An entry in the list "/snmp/target" corresponds to an
   "snmpTargetAddrEntry".

   The "snmpTargetAddrTDomain" and "snmpTargetAddrTAddress" objects are
   mapped to transport-specific YANG nodes.  Each transport is
   configured as a separate case in the "transport" choice.  In this
   submodule, SNMP over UDP is defined.  TLS and DTLS are also
   supported, defined in "ietf-snmp-tls" (Section 2.12).  The
   "transport" choice is expected to be augmented for other transports.

   [-In order to provide a simpler configuration model with less cross-
   references, the "target" list also inlines the
   "snmpTargetParamsEntry" pointed to by "snmpTargetAddrParams".  This
   is accomplished with a choice "params", which is augmented by
   security model specific submodules, currently "ietf-snmp-community"
   (Section 2.8), "ietf-snmp-usm" (Section 2.10), and "ietf-snmp-tls"
   (Section 2.12).

   The YANG model does not define a separate list that maps directly to
   "snmpTargetParamsTable".  Since "snmpProxyTable" also has a reference
   to this table, "snmpProxyTable" also has a choice "params" which is
   augmented by security model specific submodules (Section 2.7).-]

   {+An entry in the list "/snmp/target-params" corresponds to an
   "snmpTargetParamsEntry".  This list contains a choice "params", which
   is augmented by security model specific submodules, currently
   "ietf-snmp-community" (Section 2.8), "ietf-snmp-usm" (Section 2.10),
   and "ietf-snmp-tls" (Section 2.12).+}
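Review bot: in the draft-04 tree the new "target-params" leaf of the "target" list is typed snmp:identifier rather than as a leafref to "/snmp/target-params/name", so a target that names a target-params entry which does not exist passes YANG validation and the dangling reference is only noticed when a message is to be sent; either make it a leafref (the notification submodule already does this for "notify-filter-profile") or add a "must" constraint. The removed -03 paragraph was also the only text tying the parameters to "snmpTargetAddrParams"; the -04 prose should state that the "target-params" leaf corresponds to "snmpTargetAddrParams" and refers to an entry in "/snmp/target-params".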
2.6.  Notification Configuration

   The submodule "ietf-snmp-notification", which defines configuration
   parameters that correspond to the objects in SNMP-NOTIFICATION-MIB,
   has the following structure:

   +--rw snmp
      +--rw notify* [name]
      |  +--rw name    snmp:identifier
      |  +--rw tag     snmp:identifier
      |  +--rw type?   enumeration
      +--rw notify-filter-profile* [name]
         +--rw name       snmp:identifier
         +--rw include*   wildcard-object-identifier
         +--rw exclude*   wildcard-object-identifier

   It also augments the [-"target"-] {+"target-params"+} list defined in the
   "ietf-snmp-target" submodule (Section 2.5) with one leaf:

   +--rw snmp
      +--rw [-target*-] {+target-params*+} [name]
         ...
         +--rw notify-filter-profile?   leafref

   An entry in the list "/snmp/notify" corresponds to an
   "snmpNotifyEntry".

   An entry in the list "/snmp/notify-filter-profile" corresponds to an
   "snmpNotifyFilterProfileEntry".  In the MIB, there is a sparse
   relationship between "snmpTargetParamsTable" and
   "snmpNotifyFilterProfileTable".  In the YANG model, this sparse
   relationship is represented with a leafref leaf
   "notify-filter-profile" in the [-"/snmp/target"-] {+"/snmp/target-params"+}
   list, which refers to an entry in the "/snmp/notify-filter-profile"
   list.

   The "snmpNotifyFilterTable" is represented as a list "filter" within
   the "/snmp/notify-filter-profile" list.

   This submodule defines the feature "notification-filter".  A server
   implements this feature if it supports SNMP notification filtering.
2.7.  Proxy Configuration

   The submodule "ietf-snmp-proxy", which defines configuration
   parameters that correspond to the objects in SNMP-PROXY-MIB, has the
   following structure:

   draft-03:

   +--rw snmp
      +--rw proxy* [name]
         +--rw name                   snmp:identifier
         +--rw type                   enumeration
         +--rw context-engine-id      snmp:engine-id
         +--rw context-name?          snmp:context-name
         +--rw params-in
         |  +--rw (params)
         +--rw single-target-out?     snmp:identifier
         +--rw multiple-target-out?   snmp:identifier

   draft-04:

   +--rw snmp
      +--rw proxy* [name]
         +--rw name                   snmp:identifier
         +--rw type                   enumeration
         +--rw context-engine-id      snmp:engine-id
         +--rw context-name?          snmp:context-name
         +--rw target-params-in?      snmp:identifier
         +--rw single-target-out?     snmp:identifier
         +--rw multiple-target-out?   snmp:identifier

   An entry in the list "/snmp/proxy" corresponds to an
   "snmpProxyEntry".

   [-Like the "target" list (Section 2.5), the "proxy" list inlines the
   "snmpTargetParamsEntry" pointed to by "snmpProxyTargetParamsIn".
   This is accomplished with a choice "params", which is augmented by
   security model specific submodules, currently "ietf-snmp-community"
   (Section 2.8), "ietf-snmp-usm" (Section 2.10), and "ietf-snmp-tls"
   (Section 2.12).-]

   This submodule defines the feature "proxy".  A server implements this
   feature if it can act as an SNMP Proxy.
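Review bot: "target-params-in?" is marked optional in the draft-04 tree, whereas the draft-03 "params-in" container with its mandatory "(params)" choice was required, so a proxy entry can now be committed with no incoming security parameters at all; if that relaxation is intended, the text should say what such an entry means for a proxy, otherwise add "mandatory true". The deleted paragraph was also the only place saying that the incoming parameters correspond to "snmpProxyTargetParamsIn"; replace it with one sentence stating that "target-params-in" corresponds to that object and refers to an entry in "/snmp/target-params", and whether it is typed snmp:identifier or a leafref.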
2.8.  Community Configuration

   The submodule "ietf-snmp-community", which defines configuration
   parameters that correspond to the objects in SNMP-COMMUNITY-MIB, has
   the following structure:

   +--rw snmp

   (skipping to change at page 9, line [-48-] {+24+})

         +--rw (name)?
         |  +--:(text-name)
         |  |  +--rw text-name?     string
         |  +--:(binary-name)
         |     +--rw binary-name?   binary
         +--rw security-name    snmp:security-name
         +--rw engine-id?       snmp:engine-id
         +--rw context?         snmp:context-name
         +--rw target-tag?      snmp:identifier

   It also augments the [-"/snmp/target/params" and "/snmp/proxy/
   params-in/params" choices-] {+"/snmp/target-params/params" choice+}
   with nodes for the Community-Based Security Model used by SNMPv1 and
   SNMPv2c:

   draft-03:

   +--rw snmp
      +--rw target* [name]
      |  ...
      |  +--rw (params)?
      |  |  +--:(v1)
      |  |  |  +--rw v1
      |  |  |     +--rw security-name    snmp:security-name
      |  |  +--:(v2c)
      |  |     +--rw v2c
      |  |        +--rw security-name    snmp:security-name
      |  +--rw mms?                     union
      +--rw proxy
         +--rw params-in
            +--rw params
               +--:(v1)
               |  +--rw v1
               |     +--rw security-name    snmp:security-name
               +--:(v2c)
                  +--rw v2c
                     +--rw security-name    snmp:security-name

   draft-04:

   +--rw snmp
      +--rw target-params* [name]
         ...
         +--rw (params)?
         |  +--:(v1)
         |  |  +--rw v1
         |  |     +--rw security-name    snmp:security-name
         |  +--:(v2c)
         |     +--rw v2c
         |        +--rw security-name    snmp:security-name
         +--rw mms?                     union

   An entry in the list "/snmp/community" corresponds to an
   "snmpCommunityEntry".

   When a case "v1" or "v2c" is chosen, it implies a
   snmpTargetParamsMPModel 0 (SNMPv1) or 1 (SNMPv2), and a
   snmpTargetParamsSecurityModel 1 (SNMPv1) or 2 (SNMPv2), respectively.
   Both cases imply a snmpTargetParamsSecurityLevel of noAuthNoPriv.
2.9.  View-based Access Control Model Configuration

   (skipping to change at page [-12, line 23-] {+11, line 23+})

               |     +--rw key    string
               +--rw priv!
                  +--rw (protocol)
                     +--:(des)
                     |  +--rw des
                     |     +--rw key    string
                     +--:(aes)
                        +--rw aes
                           +--rw key    string

   It also augments the [-"/snmp/target/params" and "/snmp/proxy/
   params-in/params" choices-] {+"/snmp/target-params/params" choice+}
   with nodes for the SNMP User-based Security Model.

   draft-03:

   +--rw snmp
      +--rw target* [name]
      |  ...
      |  +--rw (params)?
      |     +--:(usm)
      |        +--rw usm
      |           +--rw user-name         snmp:security-name
      |           +--rw security-level    security-level
      +--rw proxy* [name]
         ...
         +--rw params-in
            +--rw (params)
               +--:(usm)
                  +--rw usm
                     +--rw user-name         snmp:security-name
                     +--rw security-level    security-level

   draft-04:

   +--rw snmp
      +--rw target-params* [name]
         ...
         +--rw (params)?
            +--:(usm)
               +--rw usm
                  +--rw user-name         snmp:security-name
                  +--rw security-level    security-level

   In the MIB, there is a single table with local and remote users,
   indexed by the engine id and user name.  In the YANG model, there is
   one list of local users, and a nested list of remote users.

   In the MIB, there are several objects related to changing the
   authentication and privacy keys.  These objects are not present in
   the YANG model.  However, the localized key can be changed.  This
   implies that if the engine id is changed, all users' keys need to be
   changed as well.
   (skipping to change at page [-13, line 15-] {+12, line 6+})

2.11.  Transport Security Model Configuration

   The submodule "ietf-snmp-tsm", which defines configuration parameters
   that correspond to the objects in SNMP-TSM-MIB, has the following
   structure:

   +--rw snmp
      +--rw tsm
         +--rw use-prefix?   boolean

   It also augments the [-"/snmp/target/params" and "/snmp/proxy/
   params-in/params" choices-] {+"/snmp/target-params/params" choice+}
   with nodes for the SNMP Transport Security Model.

   draft-03:

   +--rw snmp
      +--rw target* [name]
      |  ...
      |  +--rw (params)?
      |     +--:(tsm)
      |        +--rw tsm
      |           +--rw security-name     snmp:security-name
      |           +--rw security-level    security-level
      +--rw proxy* [name]
         ...
         +--rw params-in
            +--rw (params)
               +--:(tsm)
                  +--rw tsm
                     +--rw security-name     snmp:security-name
                     +--rw security-level    security-level

   draft-04:

   +--rw snmp
      +--rw target-params* [name]
         ...
         +--rw (params)?
            +--:(tsm)
               +--rw tsm
                  +--rw security-name     snmp:security-name
                  +--rw security-level    security-level

   This submodule defines the feature "tsm".  A server implements this
   feature if it supports the Transport Security Model (tsm) [RFC5591].

2.12.  Transport Layer Security Transport Model Configuration

   The submodule "ietf-snmp-tls", which defines configuration parameters
   that correspond to the objects in SNMP-TLS-TM-MIB, has the following
   structure:
   (skipping to change at page [-18, line 5-] {+16, line 33+})

   configuration changes typically go through the "candidate", even if
   they are done over SNMP.  An implementation might have to perform
   some automatic commit of the "candidate" when data is written over
   SNMP, since there is no explicit "commit" operation in SNMP.

   If a device implements :startup, "nonVolatile" rows cannot just be
   written to "running", they must also be copied into "startup".
   "volatile" rows may be treated as operational state and not copied to
   any datastore, or copied into "running".

   {+Cooperating SNMP management applications may use spin lock objects
   (snmpTargetSpinLock [RFC3413], usmUserSpinLock [RFC3414],
   vacmViewSpinLock [RFC3415]) to coordinate concurrent write requests.
   Implementations supporting modifications of MIB objects protected by
   a spin lock via NETCONF should ensure that the spin lock objects are
   properly incremented whenever objects are changed via NETCONF.  This
   allows cooperating SNMP management applications to discover that
   concurrent modifications are taking place.+}
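Review bot: the new spin-lock paragraph says implementations "should ensure" the spin lock is incremented on NETCONF writes, in lowercase, while Section 1 imports the BCP 14 keywords; decide whether this is a normative SHOULD and write it as such if so, because an implementer reading lowercase "should" next to capitalised keywords elsewhere will treat it as non-binding. It would also help to state that the increment is applied in the same commit as the NETCONF change, since the stated purpose (cooperating SNMP managers detecting concurrent modification through snmpTargetSpinLock, usmUserSpinLock and vacmViewSpinLock) is only served if a manager's next read of the lock already reflects the NETCONF change.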
4.  Definitions

4.1.  Module 'ietf-x509-cert-to-name'

   This YANG module imports typedefs from [RFC6991].

   <CODE BEGINS> file "ietf-x509-cert-to-name.yang"

   module ietf-x509-cert-to-name {

   (skipping to change at page [-18, line 29-] {+17, line 29+})

       prefix yang;
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:   <http://tools.ietf.org/wg/netmod/>
        WG List:  <mailto:netmod@ietf.org>

        WG Chair: [-David Kessens-] {+Thomas Nadeau+}
                  [-<mailto:david.kessens@nsn.com>-] {+<mailto:tnadeau@lucidvision.com>+}

        WG Chair: Juergen Schoenwaelder
                  <mailto:j.schoenwaelder@jacobs-university.de>

        Editor:   Martin Bjorklund
                  <mailto:mbj@tail-f.com>

        Editor:   Juergen Schoenwaelder
                  <mailto:j.schoenwaelder@jacobs-university.de>";

     description
       "This module contains a collection of YANG definitions for
        extracting a name from a X.509 certificate.

        The algorithm used to extract a name from a X.509 certificate
        was first defined in RFC 6353.

        Copyright (c) [-2013-] {+2014+} IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";
     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     reference
       "RFC6353: Transport Layer Security (TLS) Transport Model for
                 the Simple Network Management Protocol (SNMP)";

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
     revision [-2013-11-05-] {+2014-02-09+} {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for SNMP Configuration";
     }

     typedef tls-fingerprint {
       type yang:hex-string {
         pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';

   (skipping to change at page [-23, line 49-] {+23, line 4+})

       }
     }

   <CODE ENDS>
4.2.  Module 'ietf-snmp'

   <CODE BEGINS> file "ietf-snmp.yang"

   module ietf-snmp {

     namespace "urn:ietf:params:xml:ns:yang:ietf-snmp";
     prefix snmp;

     // RFC Ed.: update the dates below with the date of RFC publication
     // and remove this note.
     include ietf-snmp-common {
       revision-date [-2013-11-05-] {+2014-02-09+};
     }
     include ietf-snmp-engine {
       revision-date [-2013-11-05-] {+2014-02-09+};
     }
     include ietf-snmp-target {
       revision-date [-2013-11-05-] {+2014-02-09+};
     }
     include ietf-snmp-notification {
       revision-date [-2013-11-05-] {+2014-02-09+};
     }
     include ietf-snmp-proxy {
       revision-date [-2013-11-05-] {+2014-02-09+};
     }
     include ietf-snmp-community {
       revision-date [-2013-11-05-] {+2014-02-09+};
     }
     include ietf-snmp-usm {
       revision-date [-2013-11-05-] {+2014-02-09+};
     }
     include ietf-snmp-tsm {
       revision-date [-2013-11-05-] {+2014-02-09+};
     }
     include ietf-snmp-vacm {
       revision-date [-2013-11-05-] {+2014-02-09+};
     }
     include ietf-snmp-tls {
       revision-date [-2013-11-05-] {+2014-02-09+};
     }
     include ietf-snmp-ssh {
       revision-date [-2013-11-05-] {+2014-02-09+};
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:   <http://tools.ietf.org/wg/netmod/>
        WG List:  <mailto:netmod@ietf.org>

        WG Chair: [-David Kessens-] {+Thomas Nadeau+}
                  [-<mailto:david.kessens@nsn.com>-] {+<mailto:tnadeau@lucidvision.com>+}

        WG Chair: Juergen Schoenwaelder
                  <mailto:j.schoenwaelder@jacobs-university.de>

        Editor:   Martin Bjorklund
                  <mailto:mbj@tail-f.com>

        Editor:   Juergen Schoenwaelder
                  <mailto:j.schoenwaelder@jacobs-university.de>";

     description
"This module contains a collection of YANG definitions for "This module contains a collection of YANG definitions for
configuring SNMP engines. configuring SNMP engines.
Copyright (c) 2013 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-11-05 { revision 2014-02-09 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
} }
<CODE ENDS> <CODE ENDS>
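Review bot: every `include` in `ietf-snmp` now pins its submodule with `revision-date 2014-02-09;` (eleven pins), and each pin must match the `revision` statement of that submodule exactly or the module fails to compile, so the "RFC Ed.: update the dates below" note here really covers twelve dates in this file plus one `revision` per submodule. Consider either a single RFC Editor note enumerating every place that has to move together, or dropping the `revision-date` qualifiers from the includes until the publication date is fixed, so that one missed substitution cannot break the whole module.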
skipping to change at page 26, line 19 skipping to change at page 25, line 26
prefix yang; prefix yang;
} }
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org> WG List: <mailto:netmod@ietf.org>
WG Chair: David Kessens WG Chair: Thomas Nadeau
<mailto:david.kessens@nsn.com> <mailto:tnadeau@lucidvision.com>
WG Chair: Juergen Schoenwaelder WG Chair: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de> <mailto:j.schoenwaelder@jacobs-university.de>
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of common YANG definitions "This submodule contains a collection of common YANG definitions
for configuring SNMP engines. for configuring SNMP engines.
Copyright (c) 2013 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-11-05 { revision 2014-02-09 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
/* Collection of SNMP specific data types */ /* Collection of SNMP specific data types */
typedef admin-string { typedef admin-string {
type string { type string {
skipping to change at page 29, line 22 skipping to change at page 28, line 27
} }
typedef wildcard-object-identifier { typedef wildcard-object-identifier {
type string; type string;
description description
"The wildcard-object-identifier type represents an SNMP object "The wildcard-object-identifier type represents an SNMP object
identifier where subidentifiers can be given either as a label, identifier where subidentifiers can be given either as a label,
in numeric form, or a wildcard, represented by a *."; in numeric form, or a wildcard, represented by a *.";
} }
typedef tag-value {
type string {
length "0..255";
}
description
"Represents and SnmpTagValue as defined in RFC 3413.
Note that the size of an SnmpTagValue is measured in
octets, not characters.";
reference "SNMP-TARGET-MIB.SnmpTagValue";
}
container snmp { container snmp {
description description
"Top-level container for SNMP related configuration and "Top-level container for SNMP related configuration and
status objects."; status objects.";
} }
} }
<CODE ENDS> <CODE ENDS>
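Review bot: typo in the new `tag-value` description: "Represents and SnmpTagValue" should read "Represents an SnmpTagValue". More substantively, `length "0..255"` on a YANG `string` counts characters, while the description itself says SnmpTagValue is sized in octets, so a multi-byte UTF-8 value can satisfy the YANG constraint and still exceed 255 octets in the MIB object; and SnmpTagValue as defined in RFC 3413 may not contain the delimiter characters space, tab, CR and LF, which this typedef does not exclude. Consider adding `pattern '[^ \t\n\r]*';` and a sentence about the delimiter restriction to the description, since a tag containing a space cannot be represented faithfully when `/snmp/target/tag` entries are joined into snmpTargetAddrTagList.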
skipping to change at page 30, line 7 skipping to change at page 29, line 28
include ietf-snmp-common; include ietf-snmp-common;
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org> WG List: <mailto:netmod@ietf.org>
WG Chair: David Kessens WG Chair: Thomas Nadeau
<mailto:david.kessens@nsn.com> <mailto:tnadeau@lucidvision.com>
WG Chair: Juergen Schoenwaelder WG Chair: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de> <mailto:j.schoenwaelder@jacobs-university.de>
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions "This submodule contains a collection of YANG definitions
for configuring SNMP engines. for configuring SNMP engines.
Copyright (c) 2013 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-11-05 { revision 2014-02-09 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
augment /snmp:snmp { augment /snmp:snmp {
container engine { container engine {
description description
"Configuration of the SNMP engine."; "Configuration of the SNMP engine.";
leaf enabled { leaf enabled {
type boolean; type boolean;
default "false"; default "false";
description description
"Enables the SNMP engine."; "Enables the SNMP engine.";
} }
skipping to change at page 33, line 9 skipping to change at page 32, line 28
include ietf-snmp-common; include ietf-snmp-common;
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org> WG List: <mailto:netmod@ietf.org>
WG Chair: David Kessens WG Chair: Thomas Nadeau
<mailto:david.kessens@nsn.com> <mailto:tnadeau@lucidvision.com>
WG Chair: Juergen Schoenwaelder WG Chair: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de> <mailto:j.schoenwaelder@jacobs-university.de>
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions "This submodule contains a collection of YANG definitions
for configuring SNMP targets. for configuring SNMP targets.
Copyright (c) 2013 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3413: Simple Network Management Protocol (SNMP) "RFC3413: Simple Network Management Protocol (SNMP)
Applications"; Applications";
skipping to change at page 33, line 48 skipping to change at page 33, line 17
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3413: Simple Network Management Protocol (SNMP) "RFC3413: Simple Network Management Protocol (SNMP)
Applications"; Applications";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-11-05 { revision 2014-02-09 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
augment /snmp:snmp { augment /snmp:snmp {
list target { list target {
key name; key name;
description description
"List of targets."; "List of targets.";
reference "SNMP-TARGET-MIB.snmpTargetAddrTable"; reference "SNMP-TARGET-MIB.snmpTargetAddrTable";
skipping to change at page 35, line 23 skipping to change at page 34, line 41
by the Community-based Security Model to filter by the Community-based Security Model to filter
incoming messages. Furthermore, the prefix-length incoming messages. Furthermore, the prefix-length
filtering does not cover all possible filters filtering does not cover all possible filters
supported by the corresponding MIB object."; supported by the corresponding MIB object.";
reference "SNMP-COMMUNITY-MIB.snmpTargetAddrTMask"; reference "SNMP-COMMUNITY-MIB.snmpTargetAddrTMask";
} }
} }
} }
} }
leaf-list tag { leaf-list tag {
type snmp:identifier; type snmp:tag-value;
description description
"List of tag values used to select target address."; "List of tag values used to select target address.";
reference "SNMP-TARGET-MIB.snmpTargetAddrTagList"; reference "SNMP-TARGET-MIB.snmpTargetAddrTagList";
} }
leaf timeout { leaf timeout {
type uint32; type uint32;
units "0.01 seconds"; units "0.01 seconds";
default 1500; default 1500;
description description
"Needed only if this target can receive "Needed only if this target can receive
skipping to change at page 35, line 45 skipping to change at page 35, line 15
reference "SNMP-TARGET-MIB.snmpTargetAddrTimeout"; reference "SNMP-TARGET-MIB.snmpTargetAddrTimeout";
} }
leaf retries { leaf retries {
type uint8; type uint8;
default 3; default 3;
description description
"Needed only if this target can receive "Needed only if this target can receive
InformRequest-PDUs."; InformRequest-PDUs.";
reference "SNMP-TARGET-MIB.snmpTargetAddrRetryCount"; reference "SNMP-TARGET-MIB.snmpTargetAddrRetryCount";
} }
leaf target-params {
type snmp:identifier;
mandatory true;
reference "SNMP-TARGET-MIB.snmpTargetAddrParams";
}
}
list target-params {
key name;
description
"List of target parameters.";
reference "SNMP-TARGET-MIB.snmpTargetParamsTable";
leaf name {
type snmp:identifier;
}
choice params { choice params {
description description
"This choice is augmented with case nodes containing "This choice is augmented with case nodes containing
security model specific configuration parameters. Each security model specific configuration parameters.";
such case represents one entry in the
snmpTargetParamsTable.
When the snmpTargetAddrParams object contains a reference
to a non-existing snmpTargetParamsEntry, this choice does
not contain any case, and vice versa.";
reference "SNMP-TARGET-MIB.snmpTargetAddrParams
SNMP-TARGET-MIB.snmpTargetParamsTable";
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
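Review bot: the new `leaf target-params` in `list target` and the new key `leaf name` in `list target-params` have no `description` statements, unlike every other leaf in this submodule, and `target-params` is a plain `snmp:identifier` without the "Implementations MAY restrict the values of this leaf to be one of the available values of ... in a valid configuration" wording that the model uses for the same kind of loose reference elsewhere (`single-target-out`, `multiple-target-out`). Suggest for `target-params`: "The name of a target parameters list entry. Implementations MAY restrict the values of this leaf to be one of the available values of /snmp/target-params/name in a valid configuration." The text deleted from `choice params` (the case where snmpTargetAddrParams names a non-existing snmpTargetParamsEntry) is now stated nowhere, and since `choice params` is not `mandatory`, a `target-params` entry with no case is legal; say explicitly whether such an entry maps to no snmpTargetParamsTable row or must be rejected.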
4.6. Submodule 'ietf-snmp-notification' 4.6. Submodule 'ietf-snmp-notification'
<CODE BEGINS> file "ietf-snmp-notification.yang" <CODE BEGINS> file "ietf-snmp-notification.yang"
skipping to change at page 36, line 37 skipping to change at page 36, line 14
include ietf-snmp-common; include ietf-snmp-common;
include ietf-snmp-target; include ietf-snmp-target;
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org> WG List: <mailto:netmod@ietf.org>
WG Chair: David Kessens WG Chair: Thomas Nadeau
<mailto:david.kessens@nsn.com> <mailto:tnadeau@lucidvision.com>
WG Chair: Juergen Schoenwaelder WG Chair: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de> <mailto:j.schoenwaelder@jacobs-university.de>
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions "This submodule contains a collection of YANG definitions
for configuring SNMP notifications. for configuring SNMP notifications.
Copyright (c) 2013 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 37, line 28 skipping to change at page 37, line 5
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3413: Simple Network Management Protocol (SNMP) "RFC3413: Simple Network Management Protocol (SNMP)
Applications"; Applications";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-11-05 { revision 2014-02-09 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
feature notification-filter { feature notification-filter {
description description
"A server implements this feature if it supports SNMP "A server implements this feature if it supports SNMP
notification filtering."; notification filtering.";
skipping to change at page 38, line 4 skipping to change at page 37, line 30
list notify { list notify {
key name; key name;
description description
"Targets that will receive notifications. "Targets that will receive notifications.
Entries in this lists are mapped 1-1 to entries in Entries in this lists are mapped 1-1 to entries in
snmpNotifyTable, except that if an entry in snmpNotifyTable snmpNotifyTable, except that if an entry in snmpNotifyTable
has a snmpNotifyTag for which no snmpTargetAddrEntry exists, has a snmpNotifyTag for which no snmpTargetAddrEntry exists,
then the snmpNotifyTable entry is not mapped to an entry in then the snmpNotifyTable entry is not mapped to an entry in
this list."; this list.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyTable"; reference "SNMP-NOTIFICATION-MIB.snmpNotifyTable";
leaf name { leaf name {
type snmp:identifier; type snmp:identifier;
description description
"An arbitrary name for the list entry."; "An arbitrary name for the list entry.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyName"; reference "SNMP-NOTIFICATION-MIB.snmpNotifyName";
} }
leaf tag { leaf tag {
type snmp:identifier; type snmp:tag-value;
mandatory true; mandatory true;
description description
"Target tag, selects a set of notification targets. "Target tag, selects a set of notification targets.
Implementations MAY restrict the values of this leaf Implementations MAY restrict the values of this leaf
to be one of the available values of /snmp/target/tag in to be one of the available values of /snmp/target/tag in
a valid configuration."; a valid configuration.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyTag"; reference "SNMP-NOTIFICATION-MIB.snmpNotifyTag";
} }
leaf type { leaf type {
skipping to change at page 39, line 37 skipping to change at page 39, line 14
description description
"A family of subtrees excluded from this filter."; "A family of subtrees excluded from this filter.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
SNMP-NOTIFICATION-MIB.snmpNotifyFilterType"; SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
} }
} }
} }
augment /snmp:snmp/snmp:target { augment /snmp:snmp/snmp:target-params {
reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable"; reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable";
leaf notify-filter-profile { leaf notify-filter-profile {
if-feature snmp:notification-filter; if-feature snmp:notification-filter;
type leafref { type leafref {
path "/snmp/notify-filter-profile/name"; path "/snmp/notify-filter-profile/name";
} }
description description
"This leafref leaf is used to represent the sparse "This leafref leaf is used to represent the sparse
relationship between the /snmp/target list and the relationship between the /snmp/target-params list and the
/snmp/notify-filter-profile list."; /snmp/notify-filter-profile list.";
reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName"; reference "SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
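Review bot: `augment /snmp:snmp/snmp:target-params` carries a `reference` but no `description`; one sentence stating that snmpNotifyFilterProfileTable is keyed by the target parameters entry, which is why the leaf moved from `/snmp/target` to `/snmp/target-params`, would record the rationale for this change in the module itself rather than only in the diff.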
4.7. Submodule 'ietf-snmp-proxy' 4.7. Submodule 'ietf-snmp-proxy'
skipping to change at page 40, line 28 skipping to change at page 40, line 4
include ietf-snmp-common; include ietf-snmp-common;
include ietf-snmp-target; include ietf-snmp-target;
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org> WG List: <mailto:netmod@ietf.org>
WG Chair: Thomas Nadeau
WG Chair: David Kessens <mailto:tnadeau@lucidvision.com>
<mailto:david.kessens@nsn.com>
WG Chair: Juergen Schoenwaelder WG Chair: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de> <mailto:j.schoenwaelder@jacobs-university.de>
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions "This submodule contains a collection of YANG definitions
for configuring SNMP proxies. for configuring SNMP proxies.
Copyright (c) 2013 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 41, line 19 skipping to change at page 40, line 43
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3413: Simple Network Management Protocol (SNMP) "RFC3413: Simple Network Management Protocol (SNMP)
Applications"; Applications";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-11-05 { revision 2014-02-09 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
feature proxy { feature proxy {
description description
"A server implements this feature if it can act as an "A server implements this feature if it can act as an
SNMP Proxy"; SNMP Proxy";
skipping to change at page 41, line 50 skipping to change at page 41, line 26
reference "SNMP-PROXY-MIB.snmpProxyTable"; reference "SNMP-PROXY-MIB.snmpProxyTable";
leaf name { leaf name {
type snmp:identifier; type snmp:identifier;
description description
"Identifies the proxy parameter entry."; "Identifies the proxy parameter entry.";
reference "SNMP-PROXY-MIB.snmpProxyName"; reference "SNMP-PROXY-MIB.snmpProxyName";
} }
leaf type { leaf type {
type enumeration { type enumeration {
enum read; enum read { value 1; }
enum write; enum write { value 2; }
enum trap; enum trap { value 3; }
enum inform; enum inform { value 4; }
} }
mandatory true; mandatory true;
reference "SNMP-PROXY-MIB.snmpProxyType"; reference "SNMP-PROXY-MIB.snmpProxyType";
} }
leaf context-engine-id { leaf context-engine-id {
type snmp:engine-id; type snmp:engine-id;
mandatory true; mandatory true;
reference "SNMP-PROXY-MIB.snmpProxyContextEngineID"; reference "SNMP-PROXY-MIB.snmpProxyContextEngineID";
} }
leaf context-name { leaf context-name {
type snmp:context-name; type snmp:context-name;
reference "SNMP-PROXY-MIB.snmpProxyContextName"; reference "SNMP-PROXY-MIB.snmpProxyContextName";
} }
container params-in { leaf target-params-in {
choice params { type snmp:identifier;
mandatory true; description
description "The name of a target parameters list entry.
"This choice is augmented with case nodes containing
security model specific configuration parameters. Each
such case represents one entry in the
snmpTargetParamsTable.
When the snmpProxyTargetParamsIn object contains a Implementations MAY restrict the values of this
reference to a non-existing snmpTargetParamsEntry, this leaf to be one of the available values of
choice does not contain any case, and vice versa."; /snmp/target-params/name in a valid configuration.";
}
reference "SNMP-PROXY-MIB.snmpProxyTargetParamsIn"; reference "SNMP-PROXY-MIB.snmpProxyTargetParamsIn";
} }
leaf single-target-out { leaf single-target-out {
when "../type = 'read' or ../type = 'write'"; when "../type = 'read' or ../type = 'write'";
type snmp:identifier; type snmp:identifier;
description description
"Implementations MAY restrict the values of this leaf "Implementations MAY restrict the values of this leaf
to be one of the available values of /snmp/target/name in to be one of the available values of /snmp/target/name in
a valid configuration."; a valid configuration.";
reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut"; reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut";
} }
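Review bot: `leaf target-params-in` is no longer mandatory. The `container params-in` it replaces had `choice params { mandatory true; ... }`, and the corresponding `leaf target-params` added to `list target` in ietf-snmp-target is `mandatory true`, so a proxy entry can now be configured without naming any incoming target parameters while a target cannot. Either add `mandatory true;` here or state in the description what an absent `target-params-in` means for snmpProxyTargetParamsIn. The explicit `value 1;` through `value 4;` on the `type` enumeration are a good change, since they fix the numeric values independently of declaration order; the existing `reference "SNMP-PROXY-MIB.snmpProxyType"` is what justifies them, so a short comment saying the values mirror that object would make the intent visible to the next editor.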
skipping to change at page 42, line 45 skipping to change at page 42, line 17
when "../type = 'read' or ../type = 'write'"; when "../type = 'read' or ../type = 'write'";
type snmp:identifier; type snmp:identifier;
description description
"Implementations MAY restrict the values of this leaf "Implementations MAY restrict the values of this leaf
to be one of the available values of /snmp/target/name in to be one of the available values of /snmp/target/name in
a valid configuration."; a valid configuration.";
reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut"; reference "SNMP-PROXY-MIB.snmpProxySingleTargetOut";
} }
leaf multiple-target-out { leaf multiple-target-out {
when "../type = 'trap' or ../type = 'inform'"; when "../type = 'trap' or ../type = 'inform'";
type snmp:identifier; type snmp:tag-value;
description description
"Implementations MAY restrict the values of this leaf "Implementations MAY restrict the values of this leaf
to be one of the available values of /snmp/target/tag in to be one of the available values of /snmp/target/tag in
a valid configuration."; a valid configuration.";
reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut"; reference "SNMP-PROXY-MIB.snmpProxyMultipleTargetOut";
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
4.8. Submodule 'ietf-snmp-community' 4.8. Submodule 'ietf-snmp-community'
<CODE BEGINS> file "ietf-snmp-community.yang" <CODE BEGINS> file "ietf-snmp-community.yang"
skipping to change at page 43, line 32 skipping to change at page 42, line 51
include ietf-snmp-target; include ietf-snmp-target;
include ietf-snmp-proxy; include ietf-snmp-proxy;
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org> WG List: <mailto:netmod@ietf.org>
WG Chair: David Kessens WG Chair: Thomas Nadeau
<mailto:david.kessens@nsn.com> <mailto:tnadeau@lucidvision.com>
WG Chair: Juergen Schoenwaelder WG Chair: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de> <mailto:j.schoenwaelder@jacobs-university.de>
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions "This submodule contains a collection of YANG definitions
for configuring community-based SNMP. for configuring community-based SNMP.
Copyright (c) 2013 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
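Review bot: The chair and copyright-year updates in this contact block are repeated verbatim in every submodule header shown below (vacm, usm, tsm, tlstm, sshtm); the submodules included here but not shown in this range (ietf-snmp-target, ietf-snmp-proxy, and ietf-snmp-common and ietf-snmp-engine, included further down) need the same edit, and the diff does not show whether they received it.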
skipping to change at page 44, line 22 skipping to change at page 43, line 41
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3584: Coexistence between Version 1, Version 2, and Version 3 "RFC3584: Coexistence between Version 1, Version 2, and Version 3
of the Internet-standard Network Management Framework"; of the Internet-standard Network Management Framework";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-11-05 { revision 2014-02-09 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
augment /snmp:snmp { augment /snmp:snmp {
list community { list community {
key index; key index;
skipping to change at page 45, line 42 skipping to change at page 45, line 12
} }
leaf context { leaf context {
type snmp:context-name; type snmp:context-name;
default ""; default "";
description description
"The context in which management information is accessed "The context in which management information is accessed
when using the community string specified by this entry."; when using the community string specified by this entry.";
reference "SNMP-COMMUNITY-MIB.snmpCommunityContextName"; reference "SNMP-COMMUNITY-MIB.snmpCommunityContextName";
} }
leaf target-tag { leaf target-tag {
type snmp:identifier; type snmp:tag-value;
description description
"Used to limit access for this community to the specified "Used to limit access for this community to the specified
targets. targets.
Implementations MAY restrict the values of this leaf Implementations MAY restrict the values of this leaf
to be one of the available values of /snmp/target/tag in to be one of the available values of /snmp/target/tag in
a valid configuration."; a valid configuration.";
reference "SNMP-COMMUNITY-MIB.snmpCommunityTransportTag"; reference "SNMP-COMMUNITY-MIB.snmpCommunityTransportTag";
} }
} }
} }
grouping v1-target-params { grouping v1-target-params {
container v1 { container v1 {
description description
"SNMPv1 parameters type. "SNMPv1 parameters type.
Represents snmpTargetParamsMPModel '0', Represents snmpTargetParamsMPModel '0',
snmpTargetParamsSecurityModel '1', and snmpTargetParamsSecurityModel '1', and
snmpTargetParamsSecurityLevel 'noAuthNoPriv'."; snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
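Review bot: The target-tag description in list community should say what an absent leaf means for access. The leaf has no default, and in the referenced snmpCommunityTransportTag a zero-length tag means transport addresses are not checked, so a community entry configured without target-tag is reachable from any source; a sentence such as "If this leaf is not configured, access is not restricted by source address." makes the security effect of omitting it explicit. The type change to snmp:tag-value itself is correct, since the value is compared against /snmp/target/tag.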
skipping to change at page 46, line 46 skipping to change at page 46, line 15
mandatory true; mandatory true;
description description
"Implementations MAY restrict the values of this leaf "Implementations MAY restrict the values of this leaf
to be one of the available values of to be one of the available values of
/snmp/community/security-name in a valid configuration."; /snmp/community/security-name in a valid configuration.";
reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; reference "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
} }
} }
} }
augment /snmp:snmp/snmp:target/snmp:params { augment /snmp:snmp/snmp:target-params/snmp:params {
case v1 {
uses v1-target-params;
}
case v2c {
uses v2c-target-params;
}
}
augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
case v1 { case v1 {
uses v1-target-params; uses v1-target-params;
} }
case v2c { case v2c {
uses v2c-target-params; uses v2c-target-params;
} }
} }
augment /snmp:snmp/snmp:target { augment /snmp:snmp/snmp:target {
when "snmp:v1 or snmp:v2c"; when "snmp:v1 or snmp:v2c";
leaf mms { leaf mms {
type union { type union {
type enumeration { type enumeration {
enum "unknown"; enum "unknown" { value 0; }
} }
type int32 { type int32 {
range "484..max"; range "484..max";
} }
} }
default "484"; default "484";
reference reference
"SNMP-COMMUNITY-MIB.snmpTargetAddrMMS"; "SNMP-COMMUNITY-MIB.snmpTargetAddrMMS";
} }
} }
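Review bot: The augment moved from /snmp:snmp/snmp:target/snmp:params to /snmp:snmp/snmp:target-params/snmp:params and the separate /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params augment was dropped, yet the following augment of /snmp:snmp/snmp:target keeps `when "snmp:v1 or snmp:v2c";`. After this change v1 and v2c are cases under /snmp/target-params, not children of /snmp/target, so that when expression has nothing to match and the mms leaf would never be instantiated; it needs to follow the target's reference into /snmp/target-params, or the mms leaf should move there. Also confirm that params-in in ietf-snmp-proxy now refers to a target-params entry, since the removed augment was the only way to configure v1/v2c parameters for incoming proxy messages. Giving `unknown` an explicit `value 0` is a good change for stable encoding.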
skipping to change at page 48, line 7 skipping to change at page 47, line 16
include ietf-snmp-common; include ietf-snmp-common;
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org> WG List: <mailto:netmod@ietf.org>
WG Chair: David Kessens WG Chair: Thomas Nadeau
<mailto:david.kessens@nsn.com> <mailto:tnadeau@lucidvision.com>
WG Chair: Juergen Schoenwaelder WG Chair: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de> <mailto:j.schoenwaelder@jacobs-university.de>
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions "This submodule contains a collection of YANG definitions
for configuring the View-based Access Control Model (VACM) for configuring the View-based Access Control Model (VACM)
of SNMP. of SNMP.
Copyright (c) 2013 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 48, line 47 skipping to change at page 48, line 8
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3415: View-based Access Control Model (VACM) for the "RFC3415: View-based Access Control Model (VACM) for the
Simple Network Management Protocol (SNMP)"; Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-11-05 { revision 2014-02-09 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
typedef view-name { typedef view-name {
type snmp:identifier; type snmp:identifier;
description description
"The view-name type represents an SNMP VACM view name."; "The view-name type represents an SNMP VACM view name.";
} }
typedef group-name { typedef group-name {
type snmp:identifier; type snmp:identifier;
skipping to change at page 49, line 45 skipping to change at page 49, line 4
vacmAccessTable)."; vacmAccessTable).";
reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable reference "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable
SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable"; SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";
leaf name { leaf name {
type group-name; type group-name;
description description
"The name of this VACM group."; "The name of this VACM group.";
reference "SNMP-VIEW-BASED-ACM-MIB.vacmGroupName"; reference "SNMP-VIEW-BASED-ACM-MIB.vacmGroupName";
} }
list member { list member {
key "security-name"; key "security-name";
min-elements 1;
description description
"A member of this VACM group. According to VACM, every "A member of this VACM group.
group must have at least one member.
A certain combination of security-name and A certain combination of security-name and
security-model MUST NOT be present in more than security-model MUST NOT be present in more than
one group."; one group.";
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable"; "SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable";
leaf security-name { leaf security-name {
type snmp:security-name; type snmp:security-name;
description description
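Review bot: Dropping `min-elements 1;` and the sentence "According to VACM, every group must have at least one member" from list member changes what a valid configuration is: a group with no members can now be committed, leaving vacmAccessTable rows that no security name can reach. If this is intended, for example to allow creating a group and its access rights before adding members, the description should say so and note that such a group grants nothing until a member is added; otherwise keep the constraint.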
skipping to change at page 50, line 45 skipping to change at page 49, line 49
type snmp:context-name; type snmp:context-name;
description description
"The context (prefix) under which the access rights "The context (prefix) under which the access rights
apply."; apply.";
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextPrefix"; "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextPrefix";
} }
leaf context-match { leaf context-match {
type enumeration { type enumeration {
enum exact; enum exact { value 1; }
enum prefix; enum prefix { value 2; }
} }
default exact; default exact;
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextMatch"; "SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextMatch";
} }
leaf security-model { leaf security-model {
type snmp:security-model-or-any; type snmp:security-model-or-any;
description description
"The security model under which the access rights "The security model under which the access rights
apply."; apply.";
reference reference
"SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityModel"; "SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityModel";
} }
leaf security-level { leaf security-level {
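Review bot: context-match now carries explicit enum values (exact 1, prefix 2) matching vacmAccessContextMatch, which is good for stable encoding, but the leaf still has no description statement while its siblings context and security-model do. Add one stating that prefix makes the access entry apply to every context whose name begins with the configured context value, since that widens the scope of an access rule, and that the default is exact.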
skipping to change at page 53, line 44 skipping to change at page 52, line 49
include ietf-snmp-target; include ietf-snmp-target;
include ietf-snmp-proxy; include ietf-snmp-proxy;
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org> WG List: <mailto:netmod@ietf.org>
WG Chair: David Kessens WG Chair: Thomas Nadeau
<mailto:david.kessens@nsn.com> <mailto:tnadeau@lucidvision.com>
WG Chair: Juergen Schoenwaelder WG Chair: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de> <mailto:j.schoenwaelder@jacobs-university.de>
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions for "This submodule contains a collection of YANG definitions for
configuring the User-based Security Model (USM) of SNMP. configuring the User-based Security Model (USM) of SNMP.
Copyright (c) 2013 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 54, line 35 skipping to change at page 53, line 41
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC3414: User-based Security Model (USM) for version 3 of the "RFC3414: User-based Security Model (USM) for version 3 of the
Simple Network Management Protocol (SNMPv3)."; Simple Network Management Protocol (SNMPv3).";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-11-05 { revision 2014-02-09 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
grouping key { grouping key {
leaf key { leaf key {
type yang:hex-string; type yang:hex-string;
mandatory true; mandatory true;
skipping to change at page 57, line 4 skipping to change at page 56, line 10
reference reference
"SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; "SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
} }
leaf security-level { leaf security-level {
type snmp:security-level; type snmp:security-level;
mandatory true; mandatory true;
reference reference
"SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
} }
} }
}
augment /snmp:snmp/snmp:target/snmp:params {
case usm {
uses usm-target-params;
}
} }
augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params { augment /snmp:snmp/snmp:target-params/snmp:params {
case usm { case usm {
uses usm-target-params; uses usm-target-params;
} }
} }
} }
<CODE ENDS> <CODE ENDS>
4.11. Submodule 'ietf-snmp-tsm' 4.11. Submodule 'ietf-snmp-tsm'
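Review bot: Removing the augment of /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params means USM parameters can only be selected through /snmp/target-params; ietf-snmp-proxy is still included here, so confirm that its params-in now references a /snmp/target-params entry, otherwise a proxy can no longer be configured with USM parameters for incoming messages. The consolidation itself is an improvement, since the localized key material under grouping key (yang:hex-string, mandatory) is then configured in one place per parameter set rather than once per target and once per proxy.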
skipping to change at page 57, line 44 skipping to change at page 56, line 43
include ietf-snmp-target; include ietf-snmp-target;
include ietf-snmp-proxy; include ietf-snmp-proxy;
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org> WG List: <mailto:netmod@ietf.org>
WG Chair: David Kessens WG Chair: Thomas Nadeau
<mailto:david.kessens@nsn.com> <mailto:tnadeau@lucidvision.com>
WG Chair: Juergen Schoenwaelder WG Chair: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de> <mailto:j.schoenwaelder@jacobs-university.de>
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions for "This submodule contains a collection of YANG definitions for
configuring the Transport Security Model (TSM) of SNMP. configuring the Transport Security Model (TSM) of SNMP.
Copyright (c) 2013 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 58, line 35 skipping to change at page 57, line 35
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC5591: Transport Security Model for the "RFC5591: Transport Security Model for the
Simple Network Management Protocol (SNMP)"; Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-11-05 { revision 2014-02-09 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
feature tsm { feature tsm {
description description
"A server implements this feature if it supports the "A server implements this feature if it supports the
Transport Security Model for SNMP."; Transport Security Model for SNMP.";
skipping to change at page 59, line 39 skipping to change at page 58, line 39
} }
leaf security-level { leaf security-level {
type snmp:security-level; type snmp:security-level;
mandatory true; mandatory true;
reference reference
"SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; "SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
} }
} }
} }
augment /snmp:snmp/snmp:target/snmp:params { augment /snmp:snmp/snmp:target-params/snmp:params {
if-feature tsm;
case tsm {
uses tsm-target-params;
}
}
augment /snmp:snmp/snmp:proxy/snmp:params-in/snmp:params {
if-feature tsm; if-feature tsm;
case tsm { case tsm {
uses tsm-target-params; uses tsm-target-params;
} }
} }
} }
<CODE ENDS> <CODE ENDS>
skipping to change at page 60, line 37 skipping to change at page 59, line 33
include ietf-snmp-engine; include ietf-snmp-engine;
include ietf-snmp-target; include ietf-snmp-target;
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org> WG List: <mailto:netmod@ietf.org>
WG Chair: David Kessens WG Chair: Thomas Nadeau
<mailto:david.kessens@nsn.com> <mailto:tnadeau@lucidvision.com>
WG Chair: Juergen Schoenwaelder WG Chair: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de> <mailto:j.schoenwaelder@jacobs-university.de>
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions for "This submodule contains a collection of YANG definitions for
configuring the Transport Layer Security Transport Model (TLSTM) configuring the Transport Layer Security Transport Model (TLSTM)
of SNMP. of SNMP.
Copyright (c) 2013 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 61, line 28 skipping to change at page 60, line 25
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC6353: Transport Layer Security (TLS) Transport Model for "RFC6353: Transport Layer Security (TLS) Transport Model for
the Simple Network Management Protocol (SNMP)"; the Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-11-05 { revision 2014-02-09 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
feature tlstm { feature tlstm {
description description
"A server implements this feature if it supports the "A server implements this feature if it supports the
Transport Layer Security Transport Model for SNMP."; Transport Layer Security Transport Model for SNMP.";
skipping to change at page 64, line 37 skipping to change at page 63, line 34
include ietf-snmp-engine; include ietf-snmp-engine;
include ietf-snmp-target; include ietf-snmp-target;
organization organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/netmod/> "WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org> WG List: <mailto:netmod@ietf.org>
WG Chair: David Kessens WG Chair: Thomas Nadeau
<mailto:david.kessens@nsn.com> <mailto:tnadeau@lucidvision.com>
WG Chair: Juergen Schoenwaelder WG Chair: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de> <mailto:j.schoenwaelder@jacobs-university.de>
Editor: Martin Bjorklund Editor: Martin Bjorklund
<mailto:mbj@tail-f.com> <mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>"; <mailto:j.schoenwaelder@jacobs-university.de>";
description description
"This submodule contains a collection of YANG definitions for "This submodule contains a collection of YANG definitions for
configuring the Secure Shell Transport Model (SSHTM) configuring the Secure Shell Transport Model (SSHTM)
of SNMP. of SNMP.
Copyright (c) 2013 IETF Trust and the persons identified as Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 65, line 28 skipping to change at page 64, line 25
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
reference reference
"RFC5592: Secure Shell Transport Model for the "RFC5592: Secure Shell Transport Model for the
Simple Network Management Protocol (SNMP)"; Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision 2013-11-05 { revision 2014-02-09 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for SNMP Configuration"; "RFC XXXX: A YANG Data Model for SNMP Configuration";
} }
feature sshtm { feature sshtm {
description description
"A server implements this feature if it supports the "A server implements this feature if it supports the
Secure Shell Transport Model for SNMP."; Secure Shell Transport Model for SNMP.";
skipping to change at page 71, line 5 skipping to change at page 69, line 41
notification targets. notification targets.
o The /snmp/proxy subtree exposes information about proxy o The /snmp/proxy subtree exposes information about proxy
relationships. relationships.
o The /snmp/community, /snmp/usm, /snmp/tsm, /snmp/tlstm, and /snmp/ o The /snmp/community, /snmp/usm, /snmp/tsm, /snmp/tlstm, and /snmp/
vacm subtrees are specifically sensitive since they expose vacm subtrees are specifically sensitive since they expose
information about the authentication and authorization policy used information about the authentication and authorization policy used
by an SNMP engine. by an SNMP engine.
Changes to the SNMP access control rules should be done either in an
atomic way (through a single edit-config or a single commit) or care
must be taken that they are done in a sequence that does not open
temporarily access to resources. Implementations supporting SNMP
write access must ensure that any SNMP access control rule changes
over NETCONF are atomic as well to the SNMP instrumentation. In
particular changes involving an internal delete/create cycle (e.g.,
to move a user to a different group) must be done with sufficient
protections such that even a power fail immediately after the delete
does not leave the administrator locked out.
Security administrators need to ensure that NETCONF access control
rules and SNMP access control rules implement a consistent security
policy.
7. Acknowledgments 7. Acknowledgments
The authors want to thank Wes Hardaker and David Spakes for their The authors want to thank Wes Hardaker and David Spakes for their
reviews and valuable comments. detailed reviews. Additional valuable comments were provided by
David Harrington, Borislav Lukovic and Randy Presuhn.
Juergen Schoenwaelder was partly funded by Flamingo, a Network of Juergen Schoenwaelder was partly funded by Flamingo, a Network of
Excellence project (ICT-318488) supported by the European Commission Excellence project (ICT-318488) supported by the European Commission
under its Seventh Framework Programme. under its Seventh Framework Programme.
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
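Review bot: The new Security Considerations paragraph mixes lowercase "must" ("care must be taken", "must ensure ... atomic", "must be done with sufficient protections") with the RFC 2119 keywords used elsewhere in the model ("MUST NOT" in the VACM member description); decide whether these are normative requirements and capitalize them if so. "does not open temporarily access to resources" reads better as "does not temporarily open access to resources". The delete/create lockout example (moving a user to a different group) is also where the relaxed member list matters: with `min-elements 1` removed, the intermediate state in which a group has no members is now a valid configuration, so the text should make clear that sequencing and atomicity, not validation, are what protect the administrator.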
skipping to change at page 74, line 5 skipping to change at page 73, line 30
RFC 5591, June 2009. RFC 5591, June 2009.
[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure [RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure
Shell Transport Model for the Simple Network Management Shell Transport Model for the Simple Network Management
Protocol (SNMP)", RFC 5592, June 2009. Protocol (SNMP)", RFC 5592, June 2009.
[RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport
Model for the Simple Network Management Protocol (SNMP)", Model for the Simple Network Management Protocol (SNMP)",
RFC 6353, July 2011. RFC 6353, July 2011.
[RFC6643] Schoenwaelder, J., "Translation of Structure of Management
Information Version 2 (SMIv2) MIB Modules to YANG
Modules", RFC 6643, July 2012.
Appendix A. Example configurations Appendix A. Example configurations
A.1. Engine Configuration Example A.1. Engine Configuration Example
Below is an XML instance document showing a configuration of an SNMP Below is an XML instance document showing a configuration of an SNMP
engine listening on UDP port 161 on IPv4 and IPv6 endpoints and engine listening on UDP port 161 on IPv4 and IPv6 endpoints and
accepting SNMPv2c and SNMPv3 messages. accepting SNMPv2c and SNMPv3 messages.
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp"> <snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
<engine> <engine>
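Review bot: [RFC6643] is added under Normative References, but no citation of it appears in this part of the diff. The "SNMP-*-MIB.object" reference statements used throughout the submodules follow the naming convention that document defines; if that is the reason for the citation, say so where the convention is first used and consider whether an informative reference suffices, otherwise drop the entry.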
skipping to change at page 75, line 13 skipping to change at page 75, line 13
"community-public-access" filters the access to this community name. "community-public-access" filters the access to this community name.
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp"> <snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
<community> <community>
<index>1</index> <index>1</index>
<text-name>public</text-name> <text-name>public</text-name>
<security-name>community-public</security-name> <security-name>community-public</security-name>
<target-tag>community-public-access</target-tag> <target-tag>community-public-access</target-tag>
</community> </community>
<target> <target>
<name>bluebox</name> <name>management-station</name>
<udp> <udp>
<ip>2001:db8::abcd</ip> <ip>2001:db8::abcd</ip>
<port>161</port> <port>161</port>
</udp> </udp>
<tag>blue</tag> <tag>blue</tag>
<tag>community-public-access</tag>
<target-params>v2c-public</target-params>
</target>
<target-params>
<name>v2c-public</name>
<v2c> <v2c>
<security-name>community-public</security-name> <security-name>community-public</security-name>
</v2c> </v2c>
</target> </target-params>
</snmp> </snmp>
A.3. User-based Security Model Configuration Example A.3. User-based Security Model Configuration Example
Below is an XML instance document showing the configuration of a Below is an XML instance document showing the configuration of a
local user "joey" who has no authentication or privacy keys. For the local user "joey" who has no authentication or privacy keys. For the
remote SNMP engine identified by the snmpEngineID remote SNMP engine identified by the snmpEngineID
'800002b804616263'H, two users are configure. The user "matt" has a '800002b804616263'H, two users are configure. The user "matt" has a
localized SHA authentication key and the user "russ" has a localized localized SHA authentication key and the user "russ" has a localized
SHA authentication key and an AES encryption key. SHA authentication key and an AES encryption key.
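Review bot: The rewritten A.2 example fixes a real inconsistency in the old one: the community's target-tag "community-public-access" did not appear as a <tag> on any target, so no transport endpoint matched and the community was either unusable or, depending on the implementation, unrestricted. The new target "management-station" carries both "blue" and "community-public-access" and refers to a separate <target-params> entry "v2c-public", which is what the text claims the example demonstrates. Typo in the A.3 intro within this hunk: "two users are configure" should read "two users are configured".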
skipping to change at page 76, line 40 skipping to change at page 76, line 44
</user> </user>
</remote> </remote>
</usm> </usm>
<target> <target>
<name>bluebox</name> <name>bluebox</name>
<udp> <udp>
<ip>2001:db8::abcd</ip> <ip>2001:db8::abcd</ip>
<port>161</port> <port>161</port>
</udp> </udp>
<tag>blue</tag> <tag>blue</tag>
<target-params>matt-auth</target-params>
</target>
<target-params>
<name>matt-auth</name>
<usm> <usm>
<user-name>matt</user-name> <user-name>matt</user-name>
<security-level>auth-no-priv</security-level> <security-level>auth-no-priv</security-level>
</usm> </usm>
</target>
</target-params>
</snmp> </snmp>
A.4. Target and Notification Configuration Example A.4. Target and Notification Configuration Example
Below is an XML instance document showing the configuration of a Below is an XML instance document showing the configuration of a
notification generator application (see Appendix A of [RFC3413]). notification generator application (see Appendix A of [RFC3413]).
Note that the USM specific objects are defined in the ietf-snmp- Note that the USM specific objects are defined in the ietf-snmp-
usm.yang submodule. usm.yang submodule.
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp"> <snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
<target> <target>
<name>addr1</name> <name>addr1</name>
<udp> <udp>
<ip>192.0.2.3</ip> <ip>192.0.2.3</ip>
<port>162</port> <port>162</port>
</udp> </udp>
<tag>group1</tag> <tag>group1</tag>
<usm> <target-params>joe-auth</target-params>
<user-name>joe</user-name>
<security-level>auth-no-priv</security-level>
</usm>
</target> </target>
<target> <target>
<name>addr2</name> <name>addr2</name>
<udp> <udp>
<ip>192.0.2.6</ip> <ip>192.0.2.6</ip>
<port>162</port> <port>162</port>
</udp> </udp>
<tag>group1</tag> <tag>group1</tag>
<usm> <target-params>joe-auth</target-params>
<user-name>joe</user-name>
<security-level>auth-no-priv</security-level>
</usm>
</target> </target>
<target> <target>
<name>addr3</name> <name>addr3</name>
<udp> <udp>
<ip>192.0.2.9</ip> <ip>192.0.2.9</ip>
<port>162</port> <port>162</port>
</udp> </udp>
<tag>group2</tag> <tag>group2</tag>
<target-params>bob-priv</target-params>
</target>
<target-params>
<name>joe-auth</name>
<usm>
<user-name>joe</user-name>
<security-level>auth-no-priv</security-level>
</usm>
</target-params>
<target-params>
<name>bob-priv</name>
<usm> <usm>
<user-name>bob</user-name> <user-name>bob</user-name>
<security-level>auth-priv</security-level> <security-level>auth-priv</security-level>
</usm> </usm>
</target> </target-params>
<notify> <notify>
<name>group1</name> <name>group1</name>
<tag>group1</tag> <tag>group1</tag>
<type>trap</type> <type>trap</type>
</notify> </notify>
<notify> <notify>
<name>group2</name> <name>group2</name>
<tag>group2</tag> <tag>group2</tag>
<type>trap</type> <type>trap</type>
</notify> </notify>
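Review bot: the A.4 introductory text is unchanged although the example now introduces a separate target-params list; a sentence stating that targets "addr1" and "addr2" share the "joe-auth" entry (user "joe", security-level auth-no-priv) while "addr3" uses "bob-priv" (user "bob", auth-priv) would make the purpose of the refactoring visible to the reader. In the same hunk the A.3 target "bluebox" is updated consistently to reference "matt-auth", which matches the text stating that "matt" has only a localized authentication key.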
skipping to change at page 78, line 25 skipping to change at page 78, line 40
"public" from a device in the "Office Network" or "Home Office "public" from a device in the "Office Network" or "Home Office
Network", it gets tagged as "trusted", and the proxy uses the Network", it gets tagged as "trusted", and the proxy uses the
"private" community string when sending the message to the file "private" community string when sending the message to the file
server. Other SNMPv2c messages with the community string "public" server. Other SNMPv2c messages with the community string "public"
get tagged as "non-trusted", and the proxy uses the "public" get tagged as "non-trusted", and the proxy uses the "public"
community string for these messages. There is also a special community string for these messages. There is also a special
"backdoor" community string that can be used from any location to get "backdoor" community string that can be used from any location to get
"trusted" access. "trusted" access.
The "Office Network" and "Home Office Network" are represented as two The "Office Network" and "Home Office Network" are represented as two
"target" instances. "target" instances. These "target" instances have target-params
"none", which refers to a non-existing target-params entry.
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp"> <snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
<target> <target>
<name>File Server (private)</name> <name>File Server (private)</name>
<udp> <udp>
<ip>192.0.2.1</ip> <ip>192.0.2.1</ip>
</udp> </udp>
<v1> <target-params>v1-private</target-params>
<security-name>private</security-name>
</v1>
</target> </target>
<target> <target>
<name>File Server (public)</name> <name>File Server (public)</name>
<udp> <udp>
<ip>192.0.2.1</ip> <ip>192.0.2.1</ip>
</udp> </udp>
<v1> <target-params>v1-public</target-params>
<security-name>public</security-name>
</v1>
</target> </target>
<target> <target>
<name>Office Network</name> <name>Office Network</name>
<udp> <udp>
<ip>192.0.2.0</ip> <ip>192.0.2.0</ip>
<prefix-length>24</prefix-length> <prefix-length>24</prefix-length>
</udp> </udp>
<tag>office</tag> <tag>office</tag>
<target-params>none</target-params>
</target> </target>
<target> <target>
<name>Home Office Network</name> <name>Home Office Network</name>
<udp> <udp>
<ip>203.0.113.0</ip> <ip>203.0.113.0</ip>
<prefix-length>24</prefix-length> <prefix-length>24</prefix-length>
</udp> </udp>
<tag>home-office</tag> <tag>home-office</tag>
<target-params>none</target-params>
</target> </target>
<target-params>
<name>v1-private</name>
<v1>
<security-name>private</security-name>
</v1>
</target-params>
<target-params>
<name>v1-public</name>
<v1>
<security-name>public</security-name>
</v1>
</target-params>
<target-params>
<name>v2c-public</name>
<v2c>
<security-name>public</security-name>
</v2c>
</target-params>
<!-- <!--
Communities c1,c2,c3, and c4 are used for incoming messages Communities c1,c2,c3, and c4 are used for incoming messages
that should be forwarded. that should be forwarded.
Communities c3 and c5 are used for outgoing messages to the Communities c3 and c5 are used for outgoing messages to the
file server. file server.
--> -->
<community> <community>
<index>c1</index> <index>c1</index>
<security-name>public</security-name> <security-name>public</security-name>
<engine-id>80:00:61:81:c8</engine-id> <engine-id>80:00:61:81:c8</engine-id>
<context>trusted</context> <context>trusted</context>
<target-tag>office</target-tag> <target-tag>office</target-tag>
</community> </community>
<community> <community>
<index>c2</index> <index>c2</index>
<security-name>public</security-name> <security-name>public</security-name>
<engine-id>80:00:61:81:c8</engine-id> <engine-id>80:00:61:81:c8</engine-id>
<context>trusted</context> <context>trusted</context>
<target-tag>home-office</target-tag> <target-tag>home-office</target-tag>
</community> </community>
<community> <community>
<index>c3</index> <index>c3</index>
<security-name>public</security-name> <security-name>public</security-name>
<engine-id>80:00:61:81:c8</engine-id> <engine-id>80:00:61:81:c8</engine-id>
<context>not-trusted</context> <context>not-trusted</context>
</community> </community>
<community> <community>
<index>c4</index> <index>c4</index>
<text-name>backdoor</text-name> <text-name>backdoor</text-name>
<security-name>public</security-name> <security-name>public</security-name>
<engine-id>80:00:61:81:c8</engine-id> <engine-id>80:00:61:81:c8</engine-id>
<context>trusted</context> <context>trusted</context>
</community> </community>
<community> <community>
<index>c5</index> <index>c5</index>
<security-name>private</security-name> <security-name>private</security-name>
<engine-id>80:00:61:81:c8</engine-id> <engine-id>80:00:61:81:c8</engine-id>
<context>trusted</context> <context>trusted</context>
</community> </community>
<proxy> <proxy>
<name>p1</name> <name>p1</name>
<type>read</type> <type>read</type>
<context-engine-id>80:00:61:81:c8</context-engine-id> <context-engine-id>80:00:61:81:c8</context-engine-id>
<context-name>trusted</context-name> <context-name>trusted</context-name>
<params-in> <target-params-in>v2c-public</target-params-in>
<v2c> <single-target-out>File Server (private)</single-target-out>
<security-name>public</security-name>
</v2c>
</params-in>
<single-target-out>File Server (private)</single-target-out>
</proxy> </proxy>
<proxy> <proxy>
<name>p2</name> <name>p2</name>
<type>read</type> <type>read</type>
<context-engine-id>80:00:61:81:c8</context-engine-id> <context-engine-id>80:00:61:81:c8</context-engine-id>
<context-name>not-trusted</context-name> <context-name>not-trusted</context-name>
<params-in> <target-params-in>v2c-public</target-params-in>
<v2c> <single-target-out>File Server (public)</single-target-out>
<security-name>public</security-name>
</v2c>
</params-in>
<single-target-out>File Server (public)</single-target-out>
</proxy> </proxy>
</snmp> </snmp>
If an SNMPv2c Get request with community string "public" is received If an SNMPv2c Get request with community string "public" is received
from an IP address tagged as "office" or "home-office", or if the from an IP address tagged as "office" or "home-office", or if the
request is received from anywhere else with community string request is received from anywhere else with community string
"backdoor", the implied context is "trusted" and so proxy entry "p1" "backdoor", the implied context is "trusted" and so proxy entry "p1"
matches. The request is forwarded to the file server as SNMPv1 with matches. The request is forwarded to the file server as SNMPv1 with
community "private" using community table entry "c5" for outbound community "private" using community table entry "c5" for outbound
params lookup. params lookup.
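Review bot: the targets "Office Network" and "Home Office Network" now carry <target-params>none</target-params>, and the added text says this refers to a non-existing target-params entry. An example that relies on a dangling reference only validates if the model allows target-params to be unresolved; either state that explicitly in the text (these two targets exist only so that their tags "office" and "home-office" can be matched by community entries "c1" and "c2" on incoming messages), or define an empty "none" entry so the example is self-contained. A second documentation point for the same hunk: beside the community table it would help to note that entry "c4" (text-name "backdoor") maps to context "trusted" without any <target-tag>, so unlike "c1" and "c2" it is not restricted by source address; the prose already says this, but calling it out next to the XML shows the reader which entries enforce the source-network check and which bypass it.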
 End of changes. 134 change blocks. 
326 lines changed or deleted 333 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/