Internet Engineering Task Force (IETF)                      M. Bjorklund
Request for Comments: 7407                                Tail-f Systems
Category: Standards Track                               J. Schoenwaelder
ISSN: 2070-1721                                        Jacobs University
                                                           December 2014
A YANG Data Model for SNMP Configuration
Abstract
This document defines a collection of YANG definitions for configuring SNMP engines.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7407.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
   1. Introduction
   2. Data Model
      2.1. Tree Diagrams
      2.2. General Considerations
      2.3. Common Definitions
      2.4. Engine Configuration
      2.5. Target Configuration
      2.6. Notification Configuration
      2.7. Proxy Configuration
      2.8. Community Configuration
      2.9. View-Based Access Control Model Configuration
      2.10. User-Based Security Model Configuration
      2.11. Transport Security Model Configuration
      2.12. Transport Layer Security Transport Model Configuration
      2.13. Secure Shell Transport Model Configuration
   3. Implementation Guidelines
      3.1. Supporting read-only SNMP Access
      3.2. Supporting read-write SNMP Access
   4. Definitions
      4.1. Module 'ietf-x509-cert-to-name'
      4.2. Module 'ietf-snmp'
      4.3. Submodule 'ietf-snmp-common'
      4.4. Submodule 'ietf-snmp-engine'
      4.5. Submodule 'ietf-snmp-target'
      4.6. Submodule 'ietf-snmp-notification'
      4.7. Submodule 'ietf-snmp-proxy'
      4.8. Submodule 'ietf-snmp-community'
      4.9. Submodule 'ietf-snmp-vacm'
      4.10. Submodule 'ietf-snmp-usm'
      4.11. Submodule 'ietf-snmp-tsm'
      4.12. Submodule 'ietf-snmp-tls'
      4.13. Submodule 'ietf-snmp-ssh'
   5. IANA Considerations
   6. Security Considerations
   7. References
      7.1. Normative References
      7.2. Informative References
   Appendix A. Example Configurations
      A.1. Engine Configuration Example
      A.2. Community Configuration Example
      A.3. User-Based Security Model Configuration Example
      A.4. Target and Notification Configuration Example
      A.5. Proxy Configuration Example
      A.6. View-Based Access Control Model Configuration Example
      A.7. Transport Layer Security Transport Model Configuration Example
   Acknowledgments
   Authors' Addresses
This document defines a YANG [RFC6020] data model for the configuration of SNMP engines. The configuration model is consistent with the MIB modules defined in [RFC3411], [RFC3412], [RFC3413], [RFC3414], [RFC3415], [RFC3417], [RFC3418], [RFC3419], [RFC3584], [RFC3826], [RFC5591], [RFC5592], and [RFC6353] but takes advantage of YANG's ability to define hierarchical configuration data models.
The configuration data model in particular has been designed for SNMP deployments where SNMP runs in read-only mode and the Network Configuration Protocol (NETCONF) is used to configure the SNMP agent. Nevertheless, the data model allows implementations that support write access both via SNMP and NETCONF in order to interwork with SNMP management applications manipulating SNMP agent configuration using SNMP. Further details can be found in Section 3.
The YANG data model focuses on configuration. Operational state objects are not explicitly modeled. The operational state of an SNMP agent can be accessed either directly via SNMP or, alternatively, via NETCONF using the read-only translation of the relevant SNMP MIB modules into YANG modules [RFC6643].
This document also defines a YANG data model for mapping an X.509 certificate to a name.
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119].
In order to preserve the modularity of SNMP, the YANG configuration data model is organized in a set of YANG submodules, all sharing the same module namespace. This allows adding configuration support for additional SNMP features while keeping the number of namespaces that have to be dealt with down to a minimum.
A simplified graphical representation of the data model is used in this document. The meaning of the symbols in these diagrams is as follows:
o Brackets "[" and "]" enclose list keys.
o Abbreviations before data node names: "rw" means configuration (read-write), and "ro" means state data (read-only).
o Symbols after data node names: "?" means an optional node, "!" means a presence container, and "*" denotes a list and leaf-list.
o Parentheses enclose choice and case nodes, and case nodes are also marked with a colon (":").
o Ellipsis ("...") stands for contents of subtrees that are not shown.
Most YANG nodes are mapped 1-1 to the corresponding MIB object. The "reference" statement is used to indicate which corresponding MIB object the YANG node is mapped to. When there is not a simple 1-1 mapping, the "description" statement explains the mapping.
The persistency models in SNMP and NETCONF are quite different. In NETCONF, the persistency is defined by the datastore, whereas in SNMP, it is defined either explicitly in the data model or on a row-by-row basis using the Textual Convention "StorageType". Thus, in the YANG model defined here, the "StorageType" columns are not present. For implementation guidelines, see Section 3.
In SNMP, row creation and deletion are controlled using the Textual Convention "RowStatus". In NETCONF, creation and deletion are handled by the protocol, not in the data model. Thus, in the YANG model defined here, the "RowStatus" columns are not present.
The submodule "ietf-snmp-common" defines a set of common typedefs and the top-level container "snmp". All configuration parameters defined in the other submodules are organized under this top-level container.
The submodule "ietf-snmp-engine", which defines configuration parameters that are specific to SNMP engines, has the following structure:
   +--rw snmp
      +--rw engine
         +--rw enabled?               boolean
         +--rw listen* [name]
         |  +--rw name         snmp:identifier
         |  +--rw (transport)
         |     +--:(udp)
         |        +--rw udp
         |           +--rw ip      inet:ip-address
         |           +--rw port?   inet:port-number
         +--rw version
         |  +--rw v1?    empty
         |  +--rw v2c?   empty
         |  +--rw v3?    empty
         +--rw engine-id?             snmp:engine-id
         +--rw enable-authen-traps?   boolean
The leaf "/snmp/engine/enabled" can be used to enable/disable an SNMP engine.
The list "/snmp/engine/listen" provides configuration of the transport endpoints the engine is listening to. In this submodule, SNMP over UDP is defined. The Secure Shell (SSH) Protocol, Transport Layer Security (TLS), and Datagram Transport Layer Security (DTLS) are also supported, defined in "ietf-snmp-ssh" (Section 2.13) and "ietf-snmp-tls" (Section 2.12), respectively. The "transport" choice is expected to be augmented for other transports.
The "/snmp/engine/version" container can be used to enable/disable the different message processing models [RFC3411].
The submodule "ietf-snmp-target", which defines configuration parameters that correspond to the objects in SNMP-TARGET-MIB, has the following structure:
   +--rw snmp
      +--rw target* [name]
      |  +--rw name             snmp:identifier
      |  +--rw (transport)
      |  |  +--:(udp)
      |  |     +--rw udp
      |  |        +--rw ip               inet:ip-address
      |  |        +--rw port?            inet:port-number
      |  |        +--rw prefix-length?   uint8
      |  +--rw tag*             snmp:identifier
      |  +--rw timeout?         uint32
      |  +--rw retries?         uint8
      |  +--rw target-params    snmp:identifier
      +--rw target-params* [name]
         +--rw name        snmp:identifier
         +--rw (params)?
An entry in the list "/snmp/target" corresponds to an "snmpTargetAddrEntry".
The "snmpTargetAddrTDomain" and "snmpTargetAddrTAddress" objects are mapped to transport-specific YANG nodes. Each transport is configured as a separate case in the "transport" choice. In this submodule, SNMP over UDP is defined. TLS and DTLS are also supported, defined in "ietf-snmp-tls" (Section 2.12). The "transport" choice is expected to be augmented for other transports.
An entry in the list "/snmp/target-params" corresponds to an "snmpTargetParamsEntry". This list contains a choice "params", which is augmented by submodules specific to the security model, currently, "ietf-snmp-community" (Section 2.8), "ietf-snmp-usm" (Section 2.10), and "ietf-snmp-tls" (Section 2.12).
The submodule "ietf-snmp-notification", which defines configuration parameters that correspond to the objects in SNMP-NOTIFICATION-MIB, has the following structure:
   +--rw snmp
      +--rw notify* [name]
      |  +--rw name    snmp:identifier
      |  +--rw tag     snmp:identifier
      |  +--rw type?   enumeration
      +--rw notify-filter-profile* [name]
         +--rw name       snmp:identifier
         +--rw include*   snmp:wildcard-object-identifier
         +--rw exclude*   snmp:wildcard-object-identifier
This submodule also augments the "target-params" list defined in the "ietf-snmp-target" submodule (Section 2.5) with one leaf:
   +--rw snmp
      +--rw target-params* [name]
         ...
         +--rw notify-filter-profile?   leafref
An entry in the list "/snmp/notify" corresponds to an "snmpNotifyEntry".
An entry in the list "/snmp/notify-filter-profile" corresponds to an "snmpNotifyFilterProfileEntry". In the MIB, there is a sparse relationship between "snmpTargetParamsTable" and "snmpNotifyFilterProfileTable". In the YANG model, this sparse relationship is represented with a leafref leaf "notify-filter-profile" in the "/snmp/target-params" list, which refers to an entry in the "/snmp/notify-filter-profile" list.
The "snmpNotifyFilterTable" is represented as a list "filter" within the "/snmp/notify-filter-profile" list.
This submodule defines the feature "notification-filter". A server implements this feature if it supports SNMP notification filtering [RFC3413].
The submodule "ietf-snmp-proxy", which defines configuration parameters that correspond to the objects in SNMP-PROXY-MIB, has the following structure:
   +--rw snmp
      +--rw proxy* [name]
         +--rw name                   snmp:identifier
         +--rw type                   enumeration
         +--rw context-engine-id      snmp:engine-id
         +--rw context-name?          snmp:context-name
         +--rw target-params-in?      snmp:identifier
         +--rw single-target-out?     snmp:identifier
         +--rw multiple-target-out?   snmp:identifier
An entry in the list "/snmp/proxy" corresponds to an "snmpProxyEntry".
This submodule defines the feature "proxy". A server implements this feature if it can act as an SNMP proxy [RFC3413].
The submodule "ietf-snmp-community", which defines configuration parameters that correspond to the objects in SNMP-COMMUNITY-MIB, has the following structure:
   +--rw snmp
      +--rw community* [index]
         +--rw index            snmp:identifier
         +--rw (name)?
         |  +--:(text-name)
         |  |  +--rw text-name?     string
         |  +--:(binary-name)
         |     +--rw binary-name?   binary
         +--rw security-name    snmp:security-name
         +--rw engine-id?       snmp:engine-id
         +--rw context?         snmp:context-name
         +--rw target-tag?      snmp:identifier
This submodule also augments the "/snmp/target-params/params" choice with nodes for the Community-based Security Model used by SNMPv1 and SNMPv2c:
   +--rw snmp
      +--rw target-params* [name]
      |  ...
      |  +--rw (params)?
      |     +--:(v1)
      |     |  +--rw v1
      |     |     +--rw security-name   snmp:security-name
      |     +--:(v2c)
      |        +--rw v2c
      |           +--rw security-name   snmp:security-name
      +--rw target* [name]
         +--rw mms?   union
An entry in the list "/snmp/community" corresponds to an "snmpCommunityEntry".
When a case "v1" or "v2c" is chosen, it implies an snmpTargetParamsMPModel 0 (SNMPv1) or 1 (SNMPv2), and an snmpTargetParamsSecurityModel 1 (SNMPv1) or 2 (SNMPv2), respectively. Both cases imply an snmpTargetParamsSecurityLevel of noAuthNoPriv.
The submodule "ietf-snmp-vacm", which defines configuration parameters that correspond to the objects in SNMP-VIEW-BASED-ACM-MIB, has the following structure:
   +--rw snmp
      +--rw vacm
         +--rw group* [name]
         |  +--rw name      group-name
         |  +--rw member* [security-name]
         |  |  +--rw security-name     snmp:security-name
         |  |  +--rw security-model*   snmp:security-model
         |  +--rw access* [context security-model security-level]
         |     +--rw context          snmp:context-name
         |     +--rw context-match?   enumeration
         |     +--rw security-model   snmp:security-model-or-any
         |     +--rw security-level   snmp:security-level
         |     +--rw read-view?       view-name
         |     +--rw write-view?      view-name
         |     +--rw notify-view?     view-name
         +--rw view* [name]
            +--rw name       view-name
            +--rw include*   snmp:wildcard-object-identifier
            +--rw exclude*   snmp:wildcard-object-identifier
The "vacmSecurityToGroupTable" and "vacmAccessTable" are mapped to a structure of nested lists in the YANG model. Groups are defined in the list "/snmp/vacm/group", and for each group, there is a sublist "member" that maps to "vacmSecurityToGroupTable" and a sublist "access" that maps to "vacmAccessTable".
MIB views are defined in the list "/snmp/vacm/view", and for each MIB view, there is a leaf-list of included subtree families and a leaf-list of excluded subtree families. This is more compact and thus a more readable representation of the "vacmViewTreeFamilyTable".
The submodule "ietf-snmp-usm", which defines configuration parameters that correspond to the objects in SNMP-USER-BASED-SM-MIB, has the following structure:
   +--rw snmp
      +--rw usm
         +--rw local
         |  +--rw user* [name]
         |     +-- {common user params}
         +--rw remote* [engine-id]
            +--rw engine-id   snmp:engine-id
            +--rw user* [name]
               +-- {common user params}
The "{common user params}" are:
   +--rw name   snmp:identifier
   +--rw auth!
   |  +--rw (protocol)
   |     +--:(md5)
   |     |  +--rw md5
   |     |     +-- rw key   yang:hex-string
   |     +--:(sha)
   |        +--rw sha
   |           +-- rw key   yang:hex-string
   +--rw priv!
      +--rw (protocol)
         +--:(des)
         |  +--rw des
         |     +-- rw key   yang:hex-string
         +--:(aes)
            +--rw aes
               +-- rw key   yang:hex-string
This submodule also augments the "/snmp/target-params/params" choice with nodes for the SNMP User-based Security Model.
   +--rw snmp
      +--rw target-params* [name]
         ...
         +--rw (params)?
            +--:(usm)
               +--rw usm
                  +--rw user-name        snmp:security-name
                  +--rw security-level   security-level
In the MIB, there is a single table with local and remote users, indexed by the engine ID and user name. In the YANG model, there is one list of local users and a nested list of remote users.
In the MIB, there are several objects related to changing the authentication and privacy keys. These objects are not present in the YANG model. However, the localized key can be changed. This implies that if the engine ID is changed, all user keys need to be changed as well.
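An added example, not part of RFC 7407: the key localization of RFC 3414, Kul = H(Ku || snmpEngineID || Ku), shows why a value stored in a "key" leaf is bound to one engine ID and must be recomputed when the engine ID changes. The engine IDs, user names and passwords are constructed, and `rekey_users` is a hypothetical helper.

```python
import hashlib

# Auth cases of the YANG model ("md5", "sha") mapped to hashlib names.
HASHES = {"md5": "md5", "sha": "sha1"}


def password_to_key(password: bytes, protocol: str = "sha") -> bytes:
    """RFC 3414 password-to-key: digest of the password repeated to 1 MiB (Ku)."""
    if not password:
        raise ValueError("empty password")
    reps, rest = divmod(1048576, len(password))
    return hashlib.new(HASHES[protocol], password * reps + password[:rest]).digest()


def localize(ku: bytes, engine_id: bytes, protocol: str = "sha") -> bytes:
    """RFC 3414 key localization: Kul = H(Ku || snmpEngineID || Ku)."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(HASHES[protocol], ku + engine_id + ku).digest()


def hex_string(octets: bytes) -> str:
    """Render octets in the yang:hex-string form used by the key leaf."""
    return ":".join(f"{b:02x}" for b in octets)


def parse_hex_string(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def rekey_users(users, passwords, old_engine_id, new_engine_id):
    """Recompute localized keys after an engine ID change (hypothetical helper).

    users maps a user name to (protocol, configured key). Returns
    (new_keys, stale): new_keys maps each user whose configured key matches
    the old engine ID to the key for the new engine ID; stale lists users
    whose configured key was not derived from the given password and old ID.
    """
    old_id = parse_hex_string(old_engine_id)
    new_id = parse_hex_string(new_engine_id)
    new_keys, stale = {}, []
    for name, (protocol, key) in sorted(users.items()):
        ku = password_to_key(passwords[name], protocol)
        if hex_string(localize(ku, old_id, protocol)) != key.lower():
            stale.append(name)
            continue
        new_keys[name] = hex_string(localize(ku, new_id, protocol))
    return new_keys, stale


# Constructed sample data: engine IDs, users and passwords are made up.
OLD_ENGINE_ID = "80:00:00:00:01:02:03:04:05"
NEW_ENGINE_ID = "80:00:00:00:01:0a:0b:0c:0d"
PASSWORDS = {"alice": b"constructed-auth-pass-1", "bob": b"constructed-auth-pass-2"}
USERS = {
    # alice's key was localized to the old engine ID
    "alice": ("sha", hex_string(localize(password_to_key(PASSWORDS["alice"]),
                                         parse_hex_string(OLD_ENGINE_ID)))),
    # bob's configured key does not match his password and the old engine ID
    "bob": ("sha", "00:" * 19 + "00"),
}

if __name__ == "__main__":
    new_keys, stale = rekey_users(USERS, PASSWORDS, OLD_ENGINE_ID, NEW_ENGINE_ID)
    for name, key in new_keys.items():
        print(f"{name}: old {USERS[name][1]}")
        print(f"{name}: new {key}")
    print("keys that could not be verified against the old engine ID:", stale)
```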
The submodule "ietf-snmp-tsm", which defines configuration parameters that correspond to the objects in SNMP-TSM-MIB, has the following structure:
   +--rw snmp
      +--rw tsm
         +--rw use-prefix?   boolean
This submodule also augments the "/snmp/target-params/params" choice with nodes for the SNMP Transport Security Model.
   +--rw snmp
      +--rw target-params* [name]
         ...
         +--rw (params)?
            +--:(tsm)
               +--rw tsm
                  +--rw security-name    snmp:security-name
                  +--rw security-level   security-level
This submodule defines the feature "tsm". A server implements this feature if it supports the Transport Security Model (TSM) [RFC5591].
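An added example, not part of RFC 7407: it resolves every "/snmp/target" entry to the message processing model, security model and security level implied by the "params" case of its "target-params" entry, and lists targets that end up at noAuthNoPriv or name a "target-params" entry that does not exist. It goes beyond the v1/v2c rule of Section 2.8 by using the RFC 3411 and RFC 5591 numbering for the "usm" and "tsm" cases; the XML instance is constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"s": "urn:ietf:params:xml:ns:yang:ietf-snmp"}

# params case -> (snmpTargetParamsMPModel, snmpTargetParamsSecurityModel)
IMPLIED = {"v1": (0, 1), "v2c": (1, 2), "usm": (3, 3), "tsm": (3, 4)}

# Constructed sample configuration (names and addresses are made up).
SAMPLE = """
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <target><name>nms-legacy</name>
    <udp><ip>192.0.2.10</ip><port>162</port></udp>
    <tag>traps</tag><target-params>legacy-v2c</target-params></target>
  <target><name>nms-secure</name>
    <udp><ip>192.0.2.20</ip></udp>
    <tag>traps</tag><target-params>v3-authpriv</target-params></target>
  <target><name>nms-weak-v3</name>
    <udp><ip>192.0.2.30</ip></udp>
    <tag>traps</tag><target-params>v3-noauth</target-params></target>
  <target><name>nms-orphan</name>
    <udp><ip>192.0.2.40</ip></udp>
    <tag>traps</tag><target-params>missing</target-params></target>
  <target-params><name>legacy-v2c</name>
    <v2c><security-name>monitor</security-name></v2c></target-params>
  <target-params><name>v3-authpriv</name>
    <usm><user-name>ops</user-name>
      <security-level>auth-priv</security-level></usm></target-params>
  <target-params><name>v3-noauth</name>
    <usm><user-name>ops</user-name>
      <security-level>no-auth-no-priv</security-level></usm></target-params>
</snmp>
"""


def parse(xml_text):
    """Parse an instance document whose root element is <snmp>."""
    return ET.fromstring(xml_text)


def resolve_params(root):
    """Map each target-params name to (case, mp_model, sec_model, sec_level)."""
    resolved = {}
    for entry in root.findall("s:target-params", NS):
        name = entry.findtext("s:name", namespaces=NS)
        for case, (mp_model, sec_model) in IMPLIED.items():
            node = entry.find(f"s:{case}", NS)
            if node is None:
                continue
            if case in ("v1", "v2c"):
                # Both community cases imply noAuthNoPriv.
                level = "no-auth-no-priv"
            else:
                # usm and tsm carry an explicit security-level leaf.
                level = node.findtext("s:security-level", namespaces=NS)
            resolved[name] = (case, mp_model, sec_model, level)
    return resolved


def audit_targets(xml_text):
    """Return (target, target-params, finding) tuples in document order."""
    root = parse(xml_text)
    params = resolve_params(root)
    findings = []
    for target in root.findall("s:target", NS):
        name = target.findtext("s:name", namespaces=NS)
        ref = target.findtext("s:target-params", namespaces=NS)
        if ref not in params:
            # The leaf is a plain identifier, so a dangling name is possible.
            findings.append((name, ref, "unresolved target-params"))
        elif params[ref][3] == "no-auth-no-priv":
            findings.append((name, ref, "noAuthNoPriv via " + params[ref][0]))
    return findings


if __name__ == "__main__":
    for finding in audit_targets(SAMPLE):
        print(finding)
```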
The submodule "ietf-snmp-tls", which defines configuration parameters that correspond to the objects in SNMP-TLS-TM-MIB, has the following structure:
   +--rw snmp
      ...
      +--rw target* [name]
      |  ...
      |  +--rw (transport)
      |     ...
      |     +--:(tls)
      |     |  +--rw tls
      |     |     +-- {common (d)tls transport params}
      |     +--:(dtls)
      |        +--rw dtls
      |           +-- {common (d)tls transport params}
      +--rw tlstm
         +--rw cert-to-name* [id]
            +--rw id            uint32
            +--rw fingerprint   x509c2n:tls-fingerprint
            +--rw map-type      identityref
            +--rw name          string
The "{common (d)tls transport params}" are:
   +--rw ip?                   inet:host
   +--rw port?                 inet:port-number
   +--rw client-fingerprint?   x509c2n:tls-fingerprint
   +--rw server-fingerprint?   x509c2n:tls-fingerprint
   +--rw server-identity?      snmp:admin-string
This submodule also augments the "/snmp/engine/listen/transport" choice with objects for the (D)TLS transport endpoints:
   +--rw snmp
      +--rw engine
         ...
         +--rw listen* [name]
            ...
            +--rw (transport)
               ...
               +--:(tls)
               |  +--rw tls
               |     +--rw ip      inet:ip-address
               |     +--rw port?   inet:port-number
               +--:(dtls)
                  +--rw dtls
                     +--rw ip      inet:ip-address
                     +--rw port?   inet:port-number
This submodule defines the feature "tlstm". A server implements this feature if it supports the Transport Layer Security (TLS) Transport Model (TLSTM) [RFC6353].
The submodule "ietf-snmp-ssh", which defines configuration parameters that correspond to the objects in SNMP-SSH-TM-MIB, has the following structure:
   +--rw snmp
      ...
      +--rw target* [name]
         ...
         +--rw (transport)
            ...
            +--:(ssh)
               +--rw ssh
                  +--rw ip          inet:host
                  +--rw port?       inet:port-number
                  +--rw username?   string
It also augments the "/snmp/engine/listen/transport" choice with objects for the SSH transport endpoints:
   +--rw snmp
      +--rw engine
         ...
         +--rw listen* [name]
            ...
            +--rw (transport)
               ...
               +--:(ssh)
                  +--rw ssh
                     +--rw ip          inet:host
                     +--rw port?       inet:port-number
                     +--rw username?   string
This submodule defines the feature "sshtm". A server implements this feature if it supports the Secure Shell Transport Model (SSHTM) [RFC5592].
This section describes some challenges for implementations that support both the YANG models defined in this document and either read-write or read-only SNMP access to the same data, using the standard MIB modules.
As described in Section 2.2, the persistency models in NETCONF and SNMP are quite different. This poses a challenge for an implementation to support both NETCONF and SNMP access to the same data, in particular if the data is writable over both protocols. Specifically, the configuration data may exist in some combination of the three NETCONF configuration datastores, and this data must be mapped to rows in the SNMP tables, in some SNMP contexts, with proper values for the StorageType columns.
This problem is not new; it has been handled in many implementations that support configuration of the SNMP engine over a command line interface (CLI), which normally have a persistency model similar to NETCONF.
Since there is not one solution that works for all cases, this document does not provide a recommended solution. Instead, some of the challenges involved are described below.
If a device implements only :writable-running, it is trivial to map the contents of "running" to data in the SNMP tables, where all instances of the StorageType columns have the value "nonVolatile".
If a device implements :candidate but not :startup, the implementation may choose to not expose the contents of the "candidate" datastore over SNMP and map the contents of "running" as described above. As an option, the contents of "candidate" might be accessible in a separate SNMP context.
If a device implements :startup, the handling of StorageType becomes more difficult. Since the contents of "running" and "startup" might differ, data in "running" cannot automatically be mapped to instances with StorageType "nonVolatile". If a particular entry exists in "running" but not in "startup", its StorageType should be "volatile". If a particular entry exists in "startup" but not "running", it should not be mapped to an SNMP instance, at least not in the default SNMP context.
If the implementation supports read-write access to data over SNMP, and specifically creation of table rows, special attention has to be given to the handling of the RowStatus and StorageType columns. The problem is to determine which table rows to store in the configuration datastores and which configuration datastore is appropriate for each row.
The SNMP tables contain a mix of configured data and operational state, and only rows with an "active" RowStatus column should be stored in a configuration datastore.
If a device implements only :writable-running, "active" rows with a "nonVolatile" StorageType column can be stored in "running". Rows with a "volatile" StorageType column are operational state.
If a device implements :candidate but not :writable-running, all configuration changes typically go through the "candidate", even if they are done over SNMP. An implementation might have to perform some automatic commit of the "candidate" when data is written over SNMP, since there is no explicit "commit" operation in SNMP.
If a device implements :startup, "nonVolatile" rows cannot just be written to "running"; they must also be copied into "startup". "volatile" rows may be treated as operational state and not copied to any datastore, or they may be copied into "running".
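The datastore and StorageType rules above, written out as an added sketch (not code from the RFC). The function names, the tuple-based operation list and the `volatile_to_running` switch are assumptions made for illustration; entries are compared by key only, and "volatile" rows outside the :startup case are treated as operational state.

```python
"""Constructed sketch of the NETCONF datastore <-> SNMP StorageType guidelines."""


def storage_types_for_running(running_keys, startup_keys, capabilities):
    """Read direction: StorageType of each "running" entry exposed over SNMP
    in the default context. Entries found only in "startup" are not mapped."""
    has_startup = ":startup" in capabilities
    rows = {}
    for key in sorted(running_keys):
        if has_startup and key not in startup_keys:
            rows[key] = "volatile"       # in "running" but not in "startup"
        else:
            rows[key] = "nonVolatile"
    return rows


def plan_snmp_row_write(row_status, storage_type, capabilities,
                        volatile_to_running=False):
    """Write direction: ordered datastore operations for a row set over SNMP.

    Only rows whose RowStatus is "active" are configuration; everything else
    is operational state and yields no datastore operation.
    """
    has_startup = ":startup" in capabilities
    if row_status != "active":
        return []
    if storage_type == "volatile" and not (has_startup and volatile_to_running):
        return []                        # treated as operational state
    if ":writable-running" in capabilities:
        ops = [("edit", "running")]
    elif ":candidate" in capabilities:
        # SNMP has no explicit commit, so the implementation commits itself.
        ops = [("edit", "candidate"), ("commit", "running")]
    else:
        raise ValueError("no writable configuration datastore advertised")
    if has_startup and storage_type == "nonVolatile":
        ops.append(("copy", "startup"))  # must also be copied into "startup"
    return ops


if __name__ == "__main__":
    caps = {":writable-running", ":startup"}
    # Constructed sample: "c" exists only in "startup" and is not exposed.
    print(storage_types_for_running({"a", "b"}, {"b", "c"}, caps))
    print(plan_snmp_row_write("active", "nonVolatile", caps))
    print(plan_snmp_row_write("active", "nonVolatile", {":candidate"}))
```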
Cooperating SNMP management applications may use spin lock objects (snmpTargetSpinLock [RFC3413], usmUserSpinLock [RFC3414], vacmViewSpinLock [RFC3415]) to coordinate concurrent write requests. Implementations supporting modifications of MIB objects protected by a spin lock via NETCONF should ensure that the spin lock objects are properly incremented whenever objects are changed via NETCONF. This allows cooperating SNMP management applications to discover that concurrent modifications are taking place.
This YANG module imports typedefs from [RFC6991].
<CODE BEGINS> file "ietf-x509-cert-to-name.yang"
module ietf-x509-cert-to-name {

  namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name";
  prefix x509c2n;

  import ietf-yang-types {
    prefix yang;
  }

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:   <http://tools.ietf.org/wg/netmod/>
     WG List:  <mailto:netmod@ietf.org>

     WG Chair: Thomas Nadeau
               <mailto:tnadeau@lucidvision.com>

     WG Chair: Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>

     Editor:   Martin Bjorklund
               <mailto:mbj@tail-f.com>

     Editor:   Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This module contains a collection of YANG definitions for
     extracting a name from an X.509 certificate.
     The algorithm used to extract a name from an X.509 certificate
     was first defined in RFC 6353.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  reference
    "RFC 6353: Transport Layer Security (TLS) Transport Model for
       the Simple Network Management Protocol (SNMP)";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  typedef tls-fingerprint {
    type yang:hex-string {
      pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
    }
    description
      "A fingerprint value that can be used to uniquely reference
       other data of potentially arbitrary length.

       A tls-fingerprint value is composed of a 1-octet hashing
       algorithm identifier followed by the fingerprint value. The
       first octet value identifying the hashing algorithm is taken
       from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). The
       remaining octets are filled using the results of the hashing
       algorithm.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
         for the Simple Network Management Protocol (SNMP).
         SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
  }

  /* Identities */

  identity cert-to-name {
    description
      "Base identity for algorithms to derive a name from a
       certificate.";
  }

  identity specified {
    base cert-to-name;
    description
      "Directly specifies the name to be used for the certificate.
       The value of the leaf 'name' in the cert-to-name list is
       used.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
         for the Simple Network Management Protocol (SNMP).
         SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
  }

  identity san-rfc822-name {
    base cert-to-name;
    description
      "Maps a subjectAltName's rfc822Name to a name. The local part
       of the rfc822Name is passed unaltered, but the host-part of
       the name must be passed in lowercase. For example, the
       rfc822Name field FooBar@Example.COM is mapped to name
       FooBar@example.com.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
         for the Simple Network Management Protocol (SNMP).
         SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
  }

  identity san-dns-name {
    base cert-to-name;
    description
      "Maps a subjectAltName's dNSName to a name after first
       converting it to all lowercase (RFC 5280 does not specify
       converting to lowercase, so this involves an extra step).
       This mapping results in a 1:1 correspondence between
       subjectAltName dNSName values and the name values.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
         for the Simple Network Management Protocol (SNMP).
         SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
  }

  identity san-ip-address {
    base cert-to-name;
    description
      "Maps a subjectAltName's iPAddress to a name by
       transforming the binary-encoded address as follows:

       1) for IPv4, the value is converted into a
          decimal-dotted quad address (e.g., '192.0.2.1').

       2) for IPv6 addresses, the value is converted into a
          32-character, all-lowercase hexadecimal string
          without any colon separators.

       This mapping results in a 1:1 correspondence between
       subjectAltName iPAddress values and the name values.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
         for the Simple Network Management Protocol (SNMP).
         SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
  }

  identity san-any {
    base cert-to-name;
    description
      "Maps any of the following fields using the corresponding
       mapping algorithms:

         +------------+-----------------+
         | Type       | Algorithm       |
         |------------+-----------------|
         | rfc822Name | san-rfc822-name |
         | dNSName    | san-dns-name    |
         | iPAddress  | san-ip-address  |
         +------------+-----------------+

       The first matching subjectAltName value found in the
       certificate of the above types MUST be used when deriving
       the name. The mapping algorithm specified in the
       'Algorithm' column MUST be used to derive the name.

       This mapping results in a 1:1 correspondence between
       subjectAltName values and name values. The three sub-mapping
       algorithms produced by this combined algorithm cannot produce
       conflicting results between themselves.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
         for the Simple Network Management Protocol (SNMP).
         SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
  }

  identity common-name {
    base cert-to-name;
    description
      "Maps a certificate's CommonName to a name after converting
       it to a UTF-8 encoding. The usage of CommonNames is
       deprecated, and users are encouraged to use subjectAltName
       mapping methods instead. This mapping results in a 1:1
       correspondence between certificate CommonName values and name
       values.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
         for the Simple Network Management Protocol (SNMP).
         SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
  }

  /*
   * Groupings
   */

  grouping cert-to-name {
    description
      "Defines nodes for mapping certificates to names. Modules
       that use this grouping should describe how the resulting
       name is used.";

    list cert-to-name {
      key id;
      description
        "This list defines how certificates are mapped to names.
         The name is derived by considering each cert-to-name
         list entry in order. The cert-to-name entry's fingerprint
         determines whether the list entry is a match:

         1) If the cert-to-name list entry's fingerprint value
            matches that of the presented certificate, then
            consider the list entry a successful match.

         2) If the cert-to-name list entry's fingerprint value
            matches that of a locally held copy of a trusted CA
            certificate, and that CA certificate was part of the CA
            certificate chain to the presented certificate, then
            consider the list entry a successful match.

         Once a matching cert-to-name list entry has been found, the
         map-type is used to determine how the name associated with
         the certificate should be determined. See the map-type
         leaf's description for details on determining the name
         value. If it is impossible to determine a name from the
         cert-to-name list entry's data combined with the data
         presented in the certificate, then additional cert-to-name
         list entries MUST be searched to look for another potential
         match.

         Security administrators are encouraged to make use of
         certificates with subjectAltName fields that can be mapped
         to names so that a single root CA certificate can allow all
         child certificates' subjectAltName fields to map directly
         to a name via a 1:1 transformation.";
      reference
        "RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol (SNMP).
           SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";

      leaf id {
        type uint32;
        description
          "The id specifies the order in which the entries in the
           cert-to-name list are searched. Entries with lower
           numbers are searched first.";
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
             for the Simple Network Management Protocol (SNMP).
             SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
      }

      leaf fingerprint {
        type x509c2n:tls-fingerprint;
        mandatory true;
        description
          "Specifies a value with which the fingerprint of the
           full certificate presented by the peer is compared. If
           the fingerprint of the full certificate presented by the
           peer does not match the fingerprint configured, then the
           entry is skipped, and the search for a match continues.";
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
             for the Simple Network Management Protocol (SNMP).
             SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
      }

      leaf map-type {
        type identityref {
          base cert-to-name;
        }
        mandatory true;
        description
          "Specifies the algorithm used to map the certificate
           presented by the peer to a name.

           Mappings that need additional configuration objects should
           use the 'when' statement to make them conditional based on
           the map-type.";
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
             for the Simple Network Management Protocol (SNMP).
             SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
      }

      leaf name {
        when "../map-type = 'x509c2n:specified'";
        type string;
        mandatory true;
        description
          "Directly specifies the NETCONF username when the
           map-type is 'specified'.";
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
             for the Simple Network Management Protocol (SNMP).
             SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
      }
    }
  }
}
<CODE ENDS>
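The lookup that the cert-to-name list and its map-type identities describe, as an added Python example (not part of RFC 7407 or any implementation of it). `Cert`, `Entry`, `make_fingerprint` and the sample data are constructed for illustration; certificate parsing and chain validation are assumed to be done by the TLS stack, which would supply the DER bytes, the ordered subjectAltName values and the trusted CA certificates of the validated chain.

```python
"""Constructed illustration of the cert-to-name lookup (ietf-x509-cert-to-name)."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field

# First octet of a tls-fingerprint: IANA TLS HashAlgorithm registry (RFC 5246).
TLS_HASH = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
FP_PATTERN = re.compile(r"([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}")
SAN_KINDS = {
    "san-rfc822-name": ("rfc822Name",),
    "san-dns-name": ("dNSName",),
    "san-ip-address": ("iPAddress",),
    "san-any": ("rfc822Name", "dNSName", "iPAddress"),
}


@dataclass
class Cert:                                   # hypothetical parsed certificate
    der: bytes
    san: list = field(default_factory=list)   # ordered (type, value) pairs
    common_name: str = None


@dataclass
class Entry:                                  # one cert-to-name list entry
    id: int
    fingerprint: str
    map_type: str
    name: str = None                          # used only by map-type "specified"


def make_fingerprint(der, algo_id=4):
    """Build a tls-fingerprint: hash algorithm octet followed by the digest."""
    raw = bytes([algo_id]) + hashlib.new(TLS_HASH[algo_id], der).digest()
    return ":".join(f"{b:02x}" for b in raw)


def fingerprint_matches(configured, cert):
    if not FP_PATTERN.fullmatch(configured):
        raise ValueError(f"not a tls-fingerprint: {configured!r}")
    octets = bytes.fromhex(configured.replace(":", ""))
    algo = TLS_HASH.get(octets[0])
    if algo is None:                          # unknown hash identifier: no match
        return False
    return hashlib.new(algo, cert.der).digest() == octets[1:]


def map_san(kind, value):
    if kind == "rfc822Name":                  # local part unaltered, host lowercased
        local, sep, host = value.rpartition("@")
        return f"{local}@{host.lower()}" if sep else None
    if kind == "dNSName":
        return value.lower()
    if kind == "iPAddress":                   # value is the binary-encoded address
        if len(value) == 4:
            return str(ipaddress.IPv4Address(value))
        if len(value) == 16:
            return value.hex()                # 32 lowercase hex chars, no colons
    return None


def derive_name(entry, cert):
    if entry.map_type == "specified":
        return entry.name
    if entry.map_type == "common-name":
        return cert.common_name
    wanted = SAN_KINDS.get(entry.map_type, ())
    for kind, value in cert.san:              # first matching SAN value is used
        if kind in wanted:
            return map_san(kind, value)
    return None


def cert_to_name(entries, presented, trusted_chain=()):
    """Search entries by ascending id; keep searching when no name can be derived."""
    for entry in sorted(entries, key=lambda e: e.id):
        matched = fingerprint_matches(entry.fingerprint, presented) or any(
            fingerprint_matches(entry.fingerprint, ca) for ca in trusted_chain)
        if not matched:
            continue
        name = derive_name(entry, presented)  # always derived from the peer cert
        if name:
            return name
    return None


# Constructed sample data: placeholder DER bytes, not real certificates.
CA = Cert(der=b"constructed-ca-der")
LEAF = Cert(der=b"constructed-leaf-der",
            san=[("rfc822Name", "FooBar@Example.COM"), ("dNSName", "Mgr.Example.COM")],
            common_name="mgr")
ENTRIES = [
    Entry(20, make_fingerprint(CA.der), "san-dns-name"),
    Entry(10, make_fingerprint(LEAF.der), "san-ip-address"),  # matches, yields no name
    Entry(30, make_fingerprint(CA.der), "specified", "fallback"),
]

if __name__ == "__main__":
    print(cert_to_name(ENTRIES, LEAF, [CA]))
```

Entry 10 matches the presented certificate but the certificate carries no iPAddress value, so the search continues to entry 20, which matches through the CA fingerprint.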
<CODE BEGINS> file "ietf-snmp.yang"
module ietf-snmp {

  namespace "urn:ietf:params:xml:ns:yang:ietf-snmp";
  prefix snmp;

  include ietf-snmp-common {
    revision-date 2014-12-10;
  }
  include ietf-snmp-engine {
    revision-date 2014-12-10;
  }
  include ietf-snmp-target {
    revision-date 2014-12-10;
  }
  include ietf-snmp-notification {
    revision-date 2014-12-10;
  }
  include ietf-snmp-proxy {
    revision-date 2014-12-10;
  }
  include ietf-snmp-community {
    revision-date 2014-12-10;
  }
  include ietf-snmp-usm {
    revision-date 2014-12-10;
  }
  include ietf-snmp-tsm {
    revision-date 2014-12-10;
  }
  include ietf-snmp-vacm {
    revision-date 2014-12-10;
  }
  include ietf-snmp-tls {
    revision-date 2014-12-10;
  }
  include ietf-snmp-ssh {
    revision-date 2014-12-10;
  }

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:   <http://tools.ietf.org/wg/netmod/>
     WG List:  <mailto:netmod@ietf.org>

     WG Chair: Thomas Nadeau
               <mailto:tnadeau@lucidvision.com>

     WG Chair: Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>

     Editor:   Martin Bjorklund
               <mailto:mbj@tail-f.com>

     Editor:   Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This module contains a collection of YANG definitions for
     configuring SNMP engines.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

}
<CODE ENDS>
<CODE BEGINS> file "ietf-snmp-common.yang"
submodule ietf-snmp-common {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-yang-types {
    prefix yang;
  }

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:   <http://tools.ietf.org/wg/netmod/>
     WG List:  <mailto:netmod@ietf.org>

     WG Chair: Thomas Nadeau
               <mailto:tnadeau@lucidvision.com>

     WG Chair: Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>

     Editor:   Martin Bjorklund
               <mailto:mbj@tail-f.com>

     Editor:   Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This submodule contains a collection of common YANG definitions
     for configuring SNMP engines.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  /* Collection of SNMP-specific data types */

  typedef admin-string {
    type string {
      length "0..255";
    }
    description
      "Represents SnmpAdminString as defined in RFC 3411.

       Note that the size of an SnmpAdminString is measured in
       octets, not characters.";
    reference
      "RFC 3411: An Architecture for Describing Simple Network
         Management Protocol (SNMP) Management Frameworks.
         SNMP-FRAMEWORK-MIB.SnmpAdminString";
  }

  typedef identifier {
    type admin-string {
      length "1..32";
    }
    description
      "Identifiers are used to name items in the SNMP configuration
       datastore.";
  }

  typedef context-name {
    type admin-string {
      length "0..32";
    }
    description
      "The context type represents an SNMP context name.";
    reference
      "RFC 3411: An Architecture for Describing Simple Network
         Management Protocol (SNMP) Management Frameworks";
  }

  typedef security-name {
    type admin-string {
      length "1..32";
    }
    description
      "The security-name type represents an SNMP security name.";
    reference
      "RFC 3411: An Architecture for Describing Simple Network
         Management Protocol (SNMP) Management Frameworks";
  }

  typedef security-model {
    type union {
      type enumeration {
        enum v1  { value 1; }
        enum v2c { value 2; }
        enum usm { value 3; }
        enum tsm { value 4; }
      }
      type int32 {
        range "1..2147483647";
      }
    }
    reference
      "RFC 3411: An Architecture for Describing Simple Network
         Management Protocol (SNMP) Management Frameworks";
  }

  typedef security-model-or-any {
    type union {
      type enumeration {
        enum any { value 0; }
      }
      type security-model;
    }
    reference
      "RFC 3411: An Architecture for Describing Simple Network
         Management Protocol (SNMP) Management Frameworks";
  }

  typedef security-level {
    type enumeration {
      enum no-auth-no-priv { value 1; }
      enum auth-no-priv    { value 2; }
      enum auth-priv       { value 3; }
    }
    reference
      "RFC 3411: An Architecture for Describing Simple Network
         Management Protocol (SNMP) Management Frameworks";
  }

  typedef engine-id {
    type yang:hex-string {
      pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}';
    }
    description
      "The engine ID specified as a list of colon-specified
       hexadecimal octets, e.g., '80:00:02:b8:04:61:62:63'.";
    reference
      "RFC 3411: An Architecture for Describing Simple Network
         Management Protocol (SNMP) Management Frameworks";
  }

  typedef wildcard-object-identifier {
    type string;
    description
      "The wildcard-object-identifier type represents an SNMP object
       identifier where subidentifiers can be given either as a
       label, in numeric form, or a wildcard, represented by an
       asterisk ('*').";
  }

  typedef tag-value {
    type string {
      length "0..255";
    }
    description
      "Represents SnmpTagValue as defined in RFC 3413.

       Note that the size of an SnmpTagValue is measured in
       octets, not characters.";
    reference
      "RFC 3413: Simple Network Management Protocol (SNMP)
         Applications.
         SNMP-TARGET-MIB.SnmpTagValue";
  }

  container snmp {
    description
      "Top-level container for SNMP-related configuration and
       status objects.";
  }

}
<CODE ENDS>
<CODE BEGINS> file "ietf-snmp-engine.yang"
submodule ietf-snmp-engine {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web: <http://tools.ietf.org/wg/netmod/>
     WG List: <mailto:netmod@ietf.org>

     WG Chair: Thomas Nadeau
     <mailto:tnadeau@lucidvision.com>

     WG Chair: Juergen Schoenwaelder
     <mailto:j.schoenwaelder@jacobs-university.de>

     Editor: Martin Bjorklund
     <mailto:mbj@tail-f.com>

     Editor: Juergen Schoenwaelder
     <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP engines.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    container engine {

      description
        "Configuration of the SNMP engine.";

      leaf enabled {
        type boolean;
        default "false";
        description
          "Enables the SNMP engine.";
      }

      list listen {
        key "name";
        description
          "Configuration of the transport endpoints on which the
           engine listens.";

        leaf name {
          type snmp:identifier;
          description
            "An arbitrary name for the list entry.";
        }

        choice transport {
          mandatory true;
          description
            "The transport-protocol-specific parameters for this
             endpoint. Submodules providing configuration for
             additional transports are expected to augment this
             choice.";
          case udp {
            container udp {
              leaf ip {
                type inet:ip-address;
                mandatory true;
                description
                  "The IPv4 or IPv6 address on which the engine
                   listens.";
              }
              leaf port {
                type inet:port-number;
                description
                  "The UDP port on which the engine listens.

                   If the port is not configured, an engine that
                   acts as a Command Responder uses port 161, and
                   an engine that acts as a Notification Receiver
                   uses port 162.";
              }
            }
          }
        }
      }

      container version {
        description
          "SNMP version used by the engine.";
        leaf v1 {
          type empty;
        }
        leaf v2c {
          type empty;
        }
        leaf v3 {
          type empty;
        }
      }

      leaf engine-id {
        type snmp:engine-id;
        description
          "The local SNMP engine's administratively assigned unique
           identifier.

           If this leaf is not set, the device automatically
           calculates an engine ID, as described in RFC 3411. A
           server MAY initialize this leaf with the automatically
           created value.";
        reference
          "RFC 3411: An Architecture for Describing Simple Network
           Management Protocol (SNMP) Management Frameworks.
           SNMP-FRAMEWORK-MIB.snmpEngineID";
      }

      leaf enable-authen-traps {
        type boolean;
        description
          "Indicates whether the SNMP entity is permitted to
           generate authenticationFailure traps.";
        reference
          "RFC 3418: Management Information Base (MIB) for the
           Simple Network Management Protocol (SNMP)
           SNMPv2-MIB.snmpEnableAuthenTraps";
      }
    }
  }
}
<CODE ENDS>
<CODE BEGINS> file "ietf-snmp-target.yang"
submodule ietf-snmp-target {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web: <http://tools.ietf.org/wg/netmod/>
     WG List: <mailto:netmod@ietf.org>

     WG Chair: Thomas Nadeau
     <mailto:tnadeau@lucidvision.com>

     WG Chair: Juergen Schoenwaelder
     <mailto:j.schoenwaelder@jacobs-university.de>

     Editor: Martin Bjorklund
     <mailto:mbj@tail-f.com>

     Editor: Juergen Schoenwaelder
     <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP targets.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  reference
    "RFC 3413: Simple Network Management Protocol (SNMP)
     Applications";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    list target {
      key name;
      description
        "List of targets.";
      reference
        "RFC 3413: Simple Network Management Protocol (SNMP)
         Applications.
         SNMP-TARGET-MIB.snmpTargetAddrTable";

      leaf name {
        type snmp:identifier;
        description
          "Identifies the target.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP)
           Applications.
           SNMP-TARGET-MIB.snmpTargetAddrName";
      }
      choice transport {
        mandatory true;
        description
          "Transport address of the target.

           The snmpTargetAddrTDomain and snmpTargetAddrTAddress
           objects are mapped to transport-specific YANG nodes. Each
           transport is configured as a separate case in this
           choice. Submodules providing configuration for additional
           transports are expected to augment this choice.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP)
           Applications.
           SNMP-TARGET-MIB.snmpTargetAddrTDomain
           SNMP-TARGET-MIB.snmpTargetAddrTAddress";
        case udp {
          reference
            "RFC 3417: Transport Mappings for the Simple Network
             Management Protocol (SNMP).
             SNMPv2-TM.snmpUDPDomain
             RFC 3419: Textual Conventions for Transport Addresses.
             TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4
             TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv4z
             TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6
             TRANSPORT-ADDRESS-MIB.transportDomainUdpIpv6z";
          container udp {
            leaf ip {
              type inet:ip-address;
              mandatory true;
              reference
                "RFC 3413: Simple Network Management Protocol (SNMP).
                 SNMP-TARGET-MIB.snmpTargetAddrTAddress";
            }
            leaf port {
              type inet:port-number;
              default 162;
              description
                "UDP port number.";
              reference
                "RFC 3413: Simple Network Management Protocol (SNMP).
                 SNMP-TARGET-MIB.snmpTargetAddrTAddress";
            }
            leaf prefix-length {
              type uint8;
              description
                "The value of this leaf must match the value of
                 ../snmp:ip. If ../snmp:ip contains an IPv4 address,
                 this leaf must be less than or equal to 32. If it
                 contains an IPv6 address, it must be less than or
                 equal to 128.

                 Note that the prefix-length is currently only used
                 by the Community-based Security Model to filter
                 incoming messages. Furthermore, the prefix-length
                 filtering does not cover all possible filters
                 supported by the corresponding MIB object.";
              reference
                "RFC 3584: Coexistence between Version 1, Version 2,
                 and Version 3 of the Internet-standard Network
                 Management Framework.
                 SNMP-COMMUNITY-MIB.snmpTargetAddrTMask";
            }
          }
        }
      }
      leaf-list tag {
        type snmp:tag-value;
        description
          "List of tag values used to select target addresses.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-TARGET-MIB.snmpTargetAddrTagList";
      }
      leaf timeout {
        type uint32;
        units "0.01 seconds";
        default 1500;
        description
          "Needed only if this target can receive
           InformRequest-PDUs.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-TARGET-MIB.snmpTargetAddrTimeout";
      }
      leaf retries {
        type uint8;
        default 3;
        description
          "Needed only if this target can receive
           InformRequest-PDUs.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-TARGET-MIB.snmpTargetAddrRetryCount";
      }
      leaf target-params {
        type snmp:identifier;
        mandatory true;
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-TARGET-MIB.snmpTargetAddrParams";
      }
    }

    list target-params {
      key name;
      description
        "List of target parameters.";
      reference
        "RFC 3413: Simple Network Management Protocol (SNMP).
         Applications.
         SNMP-TARGET-MIB.snmpTargetParamsTable";

      leaf name {
        type snmp:identifier;
      }
      choice params {
        description
          "This choice is augmented with case nodes containing
           configuration parameters specific to the security model.";
      }
    }
  }
}
<CODE ENDS>
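The sketch below is an added example, not part of RFC 7407 or its code components. It applies to instance data the constraints that the engine-id and tag-value typedefs and the /snmp/engine/listen and /snmp/target definitions above state in a pattern or only in description text (engine ID length, octet-counted tag size, prefix-length bound per address family, fallback ports, timeout units). The Python dictionary representation, the function names, the role names and the sample entries are assumptions made for the illustration.

```python
import ipaddress
import re

# Pattern taken verbatim from the engine-id typedef. YANG patterns are
# implicitly anchored, hence fullmatch(): 5 to 32 colon-separated octets.
ENGINE_ID_RE = re.compile(r"([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){4,31}")

# Fallback ports from the description of /snmp/engine/listen/udp/port.
# The role names used as keys are hypothetical labels for this sketch.
DEFAULT_LISTEN_PORT = {"command-responder": 161, "notification-receiver": 162}


def parse_engine_id(text):
    """Validate an engine-id string and return its octets."""
    if not ENGINE_ID_RE.fullmatch(text):
        raise ValueError("not a valid engine-id: %r" % text)
    return bytes.fromhex(text.replace(":", ""))


def effective_listen_port(udp, role):
    """Port the engine listens on; the port leaf is optional in the model."""
    return udp.get("port", DEFAULT_LISTEN_PORT[role])


def check_target(target):
    """Return a list of problems for one /snmp/target entry (dict form)."""
    problems = []
    udp = target["udp"]
    # inet:ip-address may carry a zone index ("%eth0"); drop it before parsing.
    addr = ipaddress.ip_address(udp["ip"].split("%", 1)[0])
    limit = 32 if addr.version == 4 else 128
    plen = udp.get("prefix-length")
    # The uint8 type admits 0..255; the per-family bound is description text.
    if plen is not None and plen > limit:
        problems.append("prefix-length %d exceeds %d for an IPv%d address"
                        % (plen, limit, addr.version))
    for tag in target.get("tag", []):
        # The YANG length restriction counts characters, but the typedef
        # notes that SnmpTagValue is sized in octets.
        octets = len(tag.encode("utf-8"))
        if octets > 255:
            problems.append("tag is %d octets, SnmpTagValue allows 255"
                            % octets)
    return problems


def inform_timeout_seconds(target):
    """Convert the timeout leaf (units of 0.01 s, default 1500) to seconds."""
    return target.get("timeout", 1500) / 100


# Constructed sample entries (not taken from the RFC).
GOOD_TARGET = {"name": "nms1",
               "udp": {"ip": "192.0.2.10", "prefix-length": 24},
               "tag": ["ops"], "target-params": "params1"}
BAD_TARGET = {"name": "nms2",
              "udp": {"ip": "192.0.2.11", "prefix-length": 64},
              "tag": ["\u00e9" * 200],  # 200 characters, 400 octets
              "target-params": "params1"}

if __name__ == "__main__":
    print(parse_engine_id("80:00:02:b8:04:61:62:63").hex())
    for entry in (GOOD_TARGET, BAD_TARGET):
        print(entry["name"], check_target(entry) or "ok")
```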
<CODE BEGINS> file "ietf-snmp-notification.yang"
submodule ietf-snmp-notification {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web: <http://tools.ietf.org/wg/netmod/>
     WG List: <mailto:netmod@ietf.org>

     WG Chair: Thomas Nadeau
     <mailto:tnadeau@lucidvision.com>

     WG Chair: Juergen Schoenwaelder
     <mailto:j.schoenwaelder@jacobs-university.de>

     Editor: Martin Bjorklund
     <mailto:mbj@tail-f.com>

     Editor: Juergen Schoenwaelder
     <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP notifications.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  reference
    "RFC 3413: Simple Network Management Protocol (SNMP)
     Applications";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  feature notification-filter {
    description
      "A server implements this feature if it supports SNMP
       notification filtering.";
    reference
      "RFC 3413: Simple Network Management Protocol (SNMP)
       Applications";
  }

  augment /snmp:snmp {

    list notify {
      key name;
      description
        "Targets that will receive notifications.

         Entries in this list are mapped 1-1 to entries in
         snmpNotifyTable, except that if an entry in snmpNotifyTable
         has an snmpNotifyTag for which no snmpTargetAddrEntry
         exists, then the snmpNotifyTable entry is not mapped to an
         entry in this list.";
      reference
        "RFC 3413: Simple Network Management Protocol (SNMP).
         Applications.
         SNMP-NOTIFICATION-MIB.snmpNotifyTable";

      leaf name {
        type snmp:identifier;
        description
          "An arbitrary name for the list entry.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-NOTIFICATION-MIB.snmpNotifyName";
      }
      leaf tag {
        type snmp:tag-value;
        mandatory true;
        description
          "Target tag, selects a set of notification targets.

           Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/tag in
           a valid configuration.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-NOTIFICATION-MIB.snmpNotifyTag";
      }
      leaf type {
        type enumeration {
          enum trap { value 1; }
          enum inform { value 2; }
        }
        default trap;
        description
          "Defines the notification type to be generated.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-NOTIFICATION-MIB.snmpNotifyType";
      }
    }

    list notify-filter-profile {
      if-feature snmp:notification-filter;
      key name;

      description
        "Notification filter profiles.

         The leaf /snmp/target/notify-filter-profile is used
         to associate a filter profile with a target.

         If an entry in this list is referred to by one or more
         /snmp/target/notify-filter-profile items, each such
         notify-filter-profile is represented by one
         snmpNotifyFilterProfileEntry.

         If an entry in this list is not referred to by any
         /snmp/target/notify-filter-profile, the entry is not
         mapped to snmpNotifyFilterProfileTable.";
      reference
        "RFC 3413: Simple Network Management Protocol (SNMP).
         Applications.
         SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable
         SNMP-NOTIFICATION-MIB.snmpNotifyFilterTable";

      leaf name {
        type snmp:identifier;
        description
          "Name of the filter profile.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
      }

      leaf-list include {
        type snmp:wildcard-object-identifier;
        description
          "A family of subtrees included in this filter.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
           SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
           SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
      }

      leaf-list exclude {
        type snmp:wildcard-object-identifier;
        description
          "A family of subtrees excluded from this filter.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-NOTIFICATION-MIB.snmpNotifyFilterSubtree
           SNMP-NOTIFICATION-MIB.snmpNotifyFilterMask
           SNMP-NOTIFICATION-MIB.snmpNotifyFilterType";
      }
    }
  }

  augment /snmp:snmp/snmp:target-params {
    reference
      "RFC 3413: Simple Network Management Protocol (SNMP).
       Applications.
       SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileTable";
    leaf notify-filter-profile {
      if-feature snmp:notification-filter;
      type leafref {
        path "/snmp/notify-filter-profile/name";
      }
      description
        "This leafref leaf is used to represent the sparse
         relationship between the /snmp/target-params list and the
         /snmp/notify-filter-profile list.";
      reference
        "RFC 3413: Simple Network Management Protocol (SNMP).
         Applications.
         SNMP-NOTIFICATION-MIB.snmpNotifyFilterProfileName";
    }
  }
}
<CODE ENDS>
<CODE BEGINS> file "ietf-snmp-proxy.yang"
submodule ietf-snmp-proxy {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web: <http://tools.ietf.org/wg/netmod/>
     WG List: <mailto:netmod@ietf.org>

     WG Chair: Thomas Nadeau
     <mailto:tnadeau@lucidvision.com>

     WG Chair: Juergen Schoenwaelder
     <mailto:j.schoenwaelder@jacobs-university.de>

     Editor: Martin Bjorklund
     <mailto:mbj@tail-f.com>

     Editor: Juergen Schoenwaelder
     <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This submodule contains a collection of YANG definitions
     for configuring SNMP proxies.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  reference
    "RFC 3413: Simple Network Management Protocol (SNMP)
     Applications";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  feature proxy {
    description
      "A server implements this feature if it can act as an
       SNMP proxy.";
    reference
      "RFC 3413: Simple Network Management Protocol (SNMP)
       Applications";
  }

  augment /snmp:snmp {
    if-feature snmp:proxy;

    list proxy {
      key name;

      description
        "List of proxy parameters.";
      reference
        "RFC 3413: Simple Network Management Protocol (SNMP).
         Applications.
         SNMP-PROXY-MIB.snmpProxyTable";

      leaf name {
        type snmp:identifier;
        description
          "Identifies the proxy parameter entry.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-PROXY-MIB.snmpProxyName";
      }
      leaf type {
        type enumeration {
          enum read { value 1; }
          enum write { value 2; }
          enum trap { value 3; }
          enum inform { value 4; }
        }
        mandatory true;
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-PROXY-MIB.snmpProxyType";
      }
      leaf context-engine-id {
        type snmp:engine-id;
        mandatory true;
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-PROXY-MIB.snmpProxyContextEngineID";
      }
      leaf context-name {
        type snmp:context-name;
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-PROXY-MIB.snmpProxyContextName";
      }
      leaf target-params-in {
        type snmp:identifier;
        description
          "The name of a target parameters list entry.

           Implementations MAY restrict the values of this
           leaf to be one of the available values of
           /snmp/target-params/name in a valid configuration.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-PROXY-MIB.snmpProxyTargetParamsIn";
      }
      leaf single-target-out {
        when "../type = 'read' or ../type = 'write'";
        type snmp:identifier;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/name
           in a valid configuration.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-PROXY-MIB.snmpProxySingleTargetOut";
      }
      leaf multiple-target-out {
        when "../type = 'trap' or ../type = 'inform'";
        type snmp:tag-value;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/tag
           in a valid configuration.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-PROXY-MIB.snmpProxyMultipleTargetOut";
      }
    }
  }
}
<CODE ENDS>
<CODE BEGINS> file "ietf-snmp-community.yang"
submodule ietf-snmp-community {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-netconf-acm {
    prefix nacm;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:   <http://tools.ietf.org/wg/netmod/>
     WG List:  <mailto:netmod@ietf.org>

     WG Chair: Thomas Nadeau
               <mailto:tnadeau@lucidvision.com>

     WG Chair: Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>

     Editor:   Martin Bjorklund
               <mailto:mbj@tail-f.com>

     Editor:   Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This submodule contains a collection of YANG definitions
     for configuring community-based SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  reference
    "RFC 3584: Coexistence between Version 1, Version 2, and
               Version 3 of the Internet-standard Network
               Management Framework";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  augment /snmp:snmp {

    list community {
      key index;

      description
        "List of communities.";
      reference
        "RFC 3584: Coexistence between Version 1, Version 2, and
                   Version 3 of the Internet-standard Network
                   Management Framework.
                   SNMP-COMMUNITY-MIB.snmpCommunityTable";

      leaf index {
        type snmp:identifier;
        description
          "Index into the community list.";
        reference
          "RFC 3584: Coexistence between Version 1, Version 2, and
                     Version 3 of the Internet-standard Network
                     Management Framework.
                     SNMP-COMMUNITY-MIB.snmpCommunityIndex";
      }
      choice name {
        nacm:default-deny-all;
        description
          "The community name, specified as either a string or
           a binary value. The binary name is used when the
           community name contains characters that are not legal
           in a string.

           If not set, the value of 'security-name' is
           operationally used as the snmpCommunityName.";
        reference
          "RFC 3584: Coexistence between Version 1, Version 2, and
                     Version 3 of the Internet-standard Network
                     Management Framework.
                     SNMP-COMMUNITY-MIB.snmpCommunityName";
        leaf text-name {
          type string;
          description
            "A community name that can be represented as a
             YANG string.";
        }
        leaf binary-name {
          type binary;
          description
            "A community name represented as a binary value.";
        }
      }
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        nacm:default-deny-all;
        description
          "The snmpCommunitySecurityName of this entry.";
        reference
          "RFC 3584: Coexistence between Version 1, Version 2, and
                     Version 3 of the Internet-standard Network
                     Management Framework.
                     SNMP-COMMUNITY-MIB.snmpCommunitySecurityName";
      }
      leaf engine-id {
        if-feature snmp:proxy;
        type snmp:engine-id;
        description
          "If not set, the value of the local SNMP engine is
           operationally used by the device.";
        reference
          "RFC 3584: Coexistence between Version 1, Version 2, and
                     Version 3 of the Internet-standard Network
                     Management Framework.
                     SNMP-COMMUNITY-MIB.snmpCommunityContextEngineID";
      }
      leaf context {
        type snmp:context-name;
        default "";
        description
          "The context in which management information is accessed
           when using the community string specified by this
           entry.";
        reference
          "RFC 3584: Coexistence between Version 1, Version 2, and
                     Version 3 of the Internet-standard Network
                     Management Framework.
                     SNMP-COMMUNITY-MIB.snmpCommunityContextName";
      }
      leaf target-tag {
        type snmp:tag-value;
        description
          "Used to limit access for this community to the specified
           targets.

           Implementations MAY restrict the values of this leaf
           to be one of the available values of /snmp/target/tag
           in a valid configuration.";
        reference
          "RFC 3584: Coexistence between Version 1, Version 2, and
                     Version 3 of the Internet-standard Network
                     Management Framework.
                     SNMP-COMMUNITY-MIB.snmpCommunityTransportTag";
      }
    }
  }

  grouping v1-target-params {
    container v1 {
      description
        "SNMPv1 parameters type. Represents
         snmpTargetParamsMPModel '0',
         snmpTargetParamsSecurityModel '1', and
         snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of
           /snmp/community/security-name in a valid configuration.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
                     Applications.
                     SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
    }
  }

  grouping v2c-target-params {
    container v2c {
      description
        "SNMPv2 community parameters type. Represents
         snmpTargetParamsMPModel '1',
         snmpTargetParamsSecurityModel '2', and
         snmpTargetParamsSecurityLevel 'noAuthNoPriv'.";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        description
          "Implementations MAY restrict the values of this leaf
           to be one of the available values of
           /snmp/community/security-name in a valid configuration.";
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
                     Applications.
                     SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
    }
  }

  augment /snmp:snmp/snmp:target-params/snmp:params {
    case v1 {
      uses v1-target-params;
    }
    case v2c {
      uses v2c-target-params;
    }
  }

  augment /snmp:snmp/snmp:target {
    when "snmp:v1 or snmp:v2c";
    leaf mms {
      type union {
        type enumeration {
          enum "unknown" { value 0; }
        }
        type int32 {
          range "484..max";
        }
      }
      default "484";
      description
        "The maximum message size.";
      reference
        "RFC 3584: Coexistence between Version 1, Version 2, and
                   Version 3 of the Internet-standard Network
                   Management Framework.
                   SNMP-COMMUNITY-MIB.snmpTargetAddrMMS";
    }
  }
}
<CODE ENDS>
<CODE BEGINS> file "ietf-snmp-vacm.yang"
submodule ietf-snmp-vacm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:   <http://tools.ietf.org/wg/netmod/>
     WG List:  <mailto:netmod@ietf.org>

     WG Chair: Thomas Nadeau
               <mailto:tnadeau@lucidvision.com>

     WG Chair: Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>

     Editor:   Martin Bjorklund
               <mailto:mbj@tail-f.com>

     Editor:   Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This submodule contains a collection of YANG definitions
     for configuring the View-based Access Control Model (VACM)
     of SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  reference
    "RFC 3415: View-based Access Control Model (VACM) for the
               Simple Network Management Protocol (SNMP)";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  typedef view-name {
    type snmp:identifier;
    description
      "The view-name type represents an SNMP VACM view name.";
  }

  typedef group-name {
    type snmp:identifier;
    description
      "The group-name type represents an SNMP VACM group name.";
  }

  augment /snmp:snmp {

    container vacm {
      description
        "Configuration of the View-based Access Control Model.";

      list group {
        key name;
        description
          "VACM groups.

           This data model has a different structure than the MIB.
           Groups are explicitly defined in this list, and group
           members are defined in the 'member' list (mapped to
           vacmSecurityToGroupTable), and access for the group is
           defined in the 'access' list (mapped to
           vacmAccessTable).";
        reference
          "RFC 3415: View-based Access Control Model (VACM) for the
                     Simple Network Management Protocol (SNMP).
                     SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable
                     SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

        leaf name {
          type group-name;
          description
            "The name of this VACM group.";
          reference
            "RFC 3415: View-based Access Control Model (VACM) for the
                       Simple Network Management Protocol (SNMP).
                       SNMP-VIEW-BASED-ACM-MIB.vacmGroupName";
        }

        list member {
          key "security-name";
          description
            "A member of this VACM group.

             A specific combination of security-name and
             security-model MUST NOT be present in more than
             one group.";
          reference
            "RFC 3415: View-based Access Control Model (VACM) for the
                       Simple Network Management Protocol (SNMP).
                       SNMP-VIEW-BASED-ACM-MIB.vacmSecurityToGroupTable";

          leaf security-name {
            type snmp:security-name;
            description
              "The securityName of a group member.";
            reference
              "RFC 3415: View-based Access Control Model (VACM) for
                         the Simple Network Management Protocol
                         (SNMP).
                         SNMP-VIEW-BASED-ACM-MIB.vacmSecurityName";
          }

          leaf-list security-model {
            type snmp:security-model;
            min-elements 1;
            description
              "The security models under which this security-name
               is a member of this group.";
            reference
              "RFC 3415: View-based Access Control Model (VACM) for
                         the Simple Network Management Protocol
                         (SNMP).
                         SNMP-VIEW-BASED-ACM-MIB.vacmSecurityModel";
          }
        }

        list access {
          key "context security-model security-level";
          description
            "Definition of access right for groups.";
          reference
            "RFC 3415: View-based Access Control Model (VACM) for the
                       Simple Network Management Protocol (SNMP).
                       SNMP-VIEW-BASED-ACM-MIB.vacmAccessTable";

          leaf context {
            type snmp:context-name;
            description
              "The context (prefix) under which the access rights
               apply.";
            reference
              "RFC 3415: View-based Access Control Model (VACM) for
                         the Simple Network Management Protocol
                         (SNMP).
                         SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextPrefix";
          }

          leaf context-match {
            type enumeration {
              enum exact  { value 1; }
              enum prefix { value 2; }
            }
            default exact;
            reference
              "RFC 3415: View-based Access Control Model (VACM) for
                         the Simple Network Management Protocol
                         (SNMP).
                         SNMP-VIEW-BASED-ACM-MIB.vacmAccessContextMatch";
          }

          leaf security-model {
            type snmp:security-model-or-any;
            description
              "The security model under which the access rights
               apply.";
            reference
              "RFC 3415: View-based Access Control Model (VACM) for
                         the Simple Network Management Protocol
                         (SNMP).
                         SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityModel";
          }

          leaf security-level {
            type snmp:security-level;
            description
              "The minimum security level under which the access
               rights apply.";
            reference
              "RFC 3415: View-based Access Control Model (VACM) for
                         the Simple Network Management Protocol
                         (SNMP).
                         SNMP-VIEW-BASED-ACM-MIB.vacmAccessSecurityLevel";
          }

          leaf read-view {
            type view-name;
            description
              "The name of the MIB view of the SNMP context
               authorizing read access. If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessReadViewName.

               Implementations MAY restrict the values of this
               leaf to be one of the available values of
               /snmp/vacm/view/name in a valid configuration.";
            reference
              "RFC 3415: View-based Access Control Model (VACM) for
                         the Simple Network Management Protocol
                         (SNMP).
                         SNMP-VIEW-BASED-ACM-MIB.vacmAccessReadViewName";
          }

          leaf write-view {
            type view-name;
            description
              "The name of the MIB view of the SNMP context
               authorizing write access. If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessWriteViewName.

               Implementations MAY restrict the values of this
               leaf to be one of the available values of
               /snmp/vacm/view/name in a valid configuration.";
            reference
              "RFC 3415: View-based Access Control Model (VACM) for
                         the Simple Network Management Protocol
                         (SNMP).
                         SNMP-VIEW-BASED-ACM-MIB.vacmAccessWriteViewName";
          }

          leaf notify-view {
            type view-name;
            description
              "The name of the MIB view of the SNMP context
               authorizing notify access. If this leaf does not
               exist in a configuration, it maps to a zero-length
               vacmAccessNotifyViewName.

               Implementations MAY restrict the values of this
               leaf to be one of the available values of
               /snmp/vacm/view/name in a valid configuration.";
            reference
              "RFC 3415: View-based Access Control Model (VACM) for
                         the Simple Network Management Protocol
                         (SNMP).
                         SNMP-VIEW-BASED-ACM-MIB.vacmAccessNotifyViewName";
          }
        }
      }

      list view {
        key name;
        description
          "Definition of MIB views.";
        reference
          "RFC 3415: View-based Access Control Model (VACM) for the
                     Simple Network Management Protocol (SNMP).
                     SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyTable";

        leaf name {
          type view-name;
          description
            "The name of this VACM MIB view.";
          reference
            "RFC 3415: View-based Access Control Model (VACM) for the
                       Simple Network Management Protocol (SNMP).
                       SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyName";
        }

        leaf-list include {
          type snmp:wildcard-object-identifier;
          description
            "A family of subtrees included in this MIB view.";
          reference
            "RFC 3415: View-based Access Control Model (VACM) for the
                       Simple Network Management Protocol (SNMP).
                       SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
                       SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
                       SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
        }

        leaf-list exclude {
          type snmp:wildcard-object-identifier;
          description
            "A family of subtrees excluded from this MIB view.";
          reference
            "RFC 3415: View-based Access Control Model (VACM) for the
                       Simple Network Management Protocol (SNMP).
                       SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilySubtree
                       SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyMask
                       SNMP-VIEW-BASED-ACM-MIB.vacmViewTreeFamilyType";
        }
      }
    }
  }
}
<CODE ENDS>
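The 'member' list above states a MUST NOT that generic YANG validation cannot check, because it is not expressed as a `must` or `unique` statement, and the view-name leaves are only optionally restricted to existing views. The following Python audit is an added example (not part of RFC 7407) that checks both points, plus write access granted at the lowest security level, over a configuration held as dicts shaped like /snmp/vacm. The sample data is constructed, and the enum spellings (`usm`, `v2c`, `any`, `no-auth-no-priv`, `auth-priv`) are those of the ietf-snmp-common submodule of this RFC.

```python
"""Audit a configuration shaped like /snmp/vacm (added example)."""
from collections import defaultdict

# Constructed sample data: group, security and view names are made up.
SAMPLE_VACM = {
    "group": [
        {"name": "monitor",
         "member": [
             {"security-name": "alice", "security-model": ["usm"]},
             {"security-name": "public", "security-model": ["v1", "v2c"]},
         ],
         "access": [
             {"context": "", "security-model": "any",
              "security-level": "no-auth-no-priv",
              "read-view": "system-only"},
         ]},
        {"name": "admin",
         "member": [
             # Same (security-name, security-model) pair as in "monitor".
             {"security-name": "alice", "security-model": ["usm"]},
             # Same name under a different model: allowed.
             {"security-name": "public", "security-model": ["usm"]},
         ],
         "access": [
             {"context": "", "security-model": "usm",
              "security-level": "auth-priv",
              "read-view": "everything",
              "write-view": "everythng"},  # misspelled: no such view
         ]},
        {"name": "legacy",
         "member": [{"security-name": "ops", "security-model": ["v2c"]}],
         "access": [
             {"context": "", "security-model": "v2c",
              "security-level": "no-auth-no-priv",
              "read-view": "everything",
              "write-view": "everything"},
         ]},
    ],
    "view": [
        {"name": "system-only", "include": ["1.3.6.1.2.1.1"]},
        {"name": "everything", "include": ["1.3.6.1"]},
    ],
}

VIEW_LEAVES = ("read-view", "write-view", "notify-view")


def duplicate_memberships(vacm):
    """Map each (security-name, security-model) pair that appears in more
    than one group to the groups listing it (the MUST NOT on 'member')."""
    groups_by_pair = defaultdict(list)
    for group in vacm.get("group", []):
        for member in group.get("member", []):
            for model in member.get("security-model", []):
                pair = (member["security-name"], model)
                if group["name"] not in groups_by_pair[pair]:
                    groups_by_pair[pair].append(group["name"])
    return {p: g for p, g in groups_by_pair.items() if len(g) > 1}


def dangling_views(vacm):
    """Return (group, leaf, view-name) for every access entry that names
    a view absent from /snmp/vacm/view/name."""
    defined = {view["name"] for view in vacm.get("view", [])}
    findings = []
    for group in vacm.get("group", []):
        for access in group.get("access", []):
            for leaf in VIEW_LEAVES:
                name = access.get(leaf)
                if name is not None and name not in defined:
                    findings.append((group["name"], leaf, name))
    return sorted(findings)


def unauthenticated_write(vacm):
    """Return (group, write-view) for access entries that grant a write
    view at security-level no-auth-no-priv, the lowest minimum level."""
    findings = []
    for group in vacm.get("group", []):
        for access in group.get("access", []):
            if (access.get("security-level") == "no-auth-no-priv"
                    and access.get("write-view")):
                findings.append((group["name"], access["write-view"]))
    return sorted(findings)


if __name__ == "__main__":
    for pair, groups in duplicate_memberships(SAMPLE_VACM).items():
        print("member", pair, "is in more than one group:", groups)
    for group, leaf, name in dangling_views(SAMPLE_VACM):
        print("group", group, leaf, "names undefined view", repr(name))
    for group, view in unauthenticated_write(SAMPLE_VACM):
        print("group", group, "grants write view", repr(view),
              "without authentication")
```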
This YANG submodule imports YANG extensions from [RFC6536].
<CODE BEGINS> file "ietf-snmp-usm.yang"
submodule ietf-snmp-usm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-yang-types {
    prefix yang;
  }
  import ietf-netconf-acm {
    prefix nacm;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:   <http://tools.ietf.org/wg/netmod/>
     WG List:  <mailto:netmod@ietf.org>

     WG Chair: Thomas Nadeau
               <mailto:tnadeau@lucidvision.com>

     WG Chair: Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>

     Editor:   Martin Bjorklund
               <mailto:mbj@tail-f.com>

     Editor:   Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This submodule contains a collection of YANG definitions
     for configuring the User-based Security Model (USM) of SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  reference
    "RFC 3414: User-based Security Model (USM) for version 3
               of the Simple Network Management Protocol (SNMPv3)";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  grouping key {
    leaf key {
      type yang:hex-string;
      mandatory true;
      nacm:default-deny-all;
      description
        "Localized key specified as a list of colon-specified
         hexadecimal octets.";
    }
  }

  grouping user-list {
    list user {
      key "name";

      reference
        "RFC 3414: User-based Security Model (USM) for version 3
                   of the Simple Network Management Protocol (SNMPv3).
                   SNMP-USER-BASED-SM-MIB.usmUserTable";

      leaf name {
        type snmp:identifier;
        reference
          "RFC 3414: User-based Security Model (USM) for version 3
                     of the Simple Network Management Protocol
                     (SNMPv3).
                     SNMP-USER-BASED-SM-MIB.usmUserName";
      }
      container auth {
        presence "enables authentication";
        description
          "Enables authentication of the user.";
        choice protocol {
          mandatory true;
          reference
            "RFC 3414: User-based Security Model (USM) for version 3
                       of the Simple Network Management Protocol
                       (SNMPv3).
                       SNMP-USER-BASED-SM-MIB.usmUserAuthProtocol";
          container md5 {
            uses key;
            reference
              "RFC 3414: User-based Security Model (USM) for
                         version 3 of the Simple Network Management
                         Protocol (SNMPv3).
                         SNMP-USER-BASED-SM-MIB.usmHMACMD5AuthProtocol";
          }
          container sha {
            uses key;
            reference
              "RFC 3414: User-based Security Model (USM) for
                         version 3 of the Simple Network Management
                         Protocol (SNMPv3).
                         SNMP-USER-BASED-SM-MIB.usmHMACSHAAuthProtocol";
          }
        }
      }
      container priv {
        must "../auth" {
          error-message
            "when privacy (confidentiality) is used, "
          + "authentication must also be used";
        }
        presence "enables encryption";
        description
          "Enables encryption of SNMP messages.";

        choice protocol {
          mandatory true;
          reference
            "RFC 3414: User-based Security Model (USM) for version 3
                       of the Simple Network Management Protocol
                       (SNMPv3).
                       SNMP-USER-BASED-SM-MIB.usmUserPrivProtocol";
          container des {
            uses key;
            reference
              "RFC 3414: User-based Security Model (USM) for
                         version 3 of the Simple Network Management
                         Protocol (SNMPv3).
                         SNMP-USER-BASED-SM-MIB.usmDESPrivProtocol";
          }
          container aes {
            uses key;
            reference
              "RFC 3826: The Advanced Encryption Standard (AES)
                         Cipher Algorithm in the SNMP User-based
                         Security Model.
                         SNMP-USM-AES-MIB.usmAesCfb128Protocol";
          }
        }
      }
    }
  }
augment /snmp:snmp {
augment /snmp:snmp {
container usm { description "Configuration of the User-based Security Model."; container local { uses user-list; }
container usm { description "Configuration of the User-based Security Model."; container local { uses user-list; }
list remote { key "engine-id";
list remote { key "engine-id";
leaf engine-id { type snmp:engine-id; reference "RFC 3414: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3). SNMP-USER-BASED-SM-MIB.usmUserEngineID"; }
leaf engine-id { type snmp:engine-id; reference "RFC 3414: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3). SNMP-USER-BASED-SM-MIB.usmUserEngineID"; }
uses user-list; } } }
uses user-list; } } }
grouping usm-target-params { container usm { description "User-based SNMPv3 parameters type.
grouping usm-target-params { container usm { description "User-based SNMPv3 parameters type.
Represents snmpTargetParamsMPModel '3' and snmpTargetParamsSecurityModel '3'."; leaf user-name { type snmp:security-name; mandatory true;
Represents snmpTargetParamsMPModel '3' and snmpTargetParamsSecurityModel '3'."; leaf user-name { type snmp:security-name; mandatory true;
reference "RFC 3413: Simple Network Management Protocol (SNMP). Applications. SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; } leaf security-level { type snmp:security-level; mandatory true; reference "RFC 3413: Simple Network Management Protocol (SNMP). Applications. SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; } } }
reference "RFC 3413: Simple Network Management Protocol (SNMP). Applications. SNMP-TARGET-MIB.snmpTargetParamsSecurityName"; } leaf security-level { type snmp:security-level; mandatory true; reference "RFC 3413: Simple Network Management Protocol (SNMP). Applications. SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel"; } } }
augment /snmp:snmp/snmp:target-params/snmp:params { case usm { uses usm-target-params; } }
augment /snmp:snmp/snmp:target-params/snmp:params { case usm { uses usm-target-params; } }
}
}
<CODE ENDS>
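The USM constraints in this submodule (the must "../auth" rule on the priv container, and the security-level that a usm target-params entry requests) can be checked offline against instance data. The following Python audit is an added example, not part of RFC 7407: the sample XML is constructed, the element layout (user list, key leaf, security-level enum names) follows the groupings and typedefs defined earlier in the module, and treating md5 and des as legacy is an assumed local policy rather than a rule of the model.

```python
import xml.etree.ElementTree as ET

NS = {"s": "urn:ietf:params:xml:ns:yang:ietf-snmp"}
LEVELS = ["no-auth-no-priv", "auth-no-priv", "auth-priv"]  # snmp:security-level, weakest first
LEGACY = {"md5", "des"}  # assumed local policy, not a rule of the YANG model

# Constructed instance data (not from the RFC); keys are shortened dummy values.
SAMPLE = """
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <usm>
    <local>
      <user><name>ops</name>
        <auth><sha><key>00:11:22</key></sha></auth>
        <priv><aes><key>33:44:55</key></aes></priv></user>
      <user><name>legacy</name>
        <auth><md5><key>00:11:22</key></md5></auth>
        <priv><des><key>33:44:55</key></des></priv></user>
      <user><name>broken</name>
        <priv><aes><key>33:44:55</key></aes></priv></user>
    </local>
    <remote>
      <engine-id>80:00:1f:88:04:01</engine-id>
      <user><name>monitor</name>
        <auth><sha><key>00:11:22</key></sha></auth></user>
    </remote>
  </usm>
  <target-params><name>inform-ops</name>
    <usm><user-name>ops</user-name>
      <security-level>auth-priv</security-level></usm></target-params>
  <target-params><name>inform-monitor</name>
    <usm><user-name>monitor</user-name>
      <security-level>auth-priv</security-level></usm></target-params>
</snmp>
"""


def _protocol(user, container):
    """Protocol chosen under auth/priv: None if the container is absent,
    "" if it is present but the mandatory choice is empty."""
    node = user.find(f"s:{container}", NS)
    if node is None:
        return None
    return node[0].tag.split("}", 1)[1] if len(node) else ""


def usm_users(root):
    """Yield one record per user under /snmp/usm/local and /snmp/usm/remote."""
    usm = root.find("s:usm", NS)
    if usm is None:
        return
    scopes = [("local", n) for n in usm.findall("s:local", NS)]
    scopes += [(r.findtext("s:engine-id", "?", NS), r)
               for r in usm.findall("s:remote", NS)]
    for scope, node in scopes:
        for user in node.findall("s:user", NS):
            name = user.findtext("s:name", "?", NS)
            auth, priv = _protocol(user, "auth"), _protocol(user, "priv")
            # Privacy only counts when authentication is configured too.
            usable = (auth is not None) + (auth is not None and priv is not None)
            yield {"id": f"{scope}/{name}", "name": name,
                   "auth": auth, "priv": priv, "level": LEVELS[usable]}


def audit(xml_text):
    """Return (code, subject, detail) findings for the given instance data."""
    root = ET.fromstring(xml_text)
    users = list(usm_users(root))
    findings = []
    for u in users:
        if u["priv"] is not None and u["auth"] is None:
            findings.append(("priv-without-auth", u["id"], 'violates must "../auth"'))
        if "" in (u["auth"], u["priv"]):
            findings.append(("empty-choice", u["id"], "mandatory protocol choice not set"))
        legacy = sorted(LEGACY & {u["auth"], u["priv"]})
        if legacy:
            findings.append(("legacy-protocol", u["id"], ", ".join(legacy)))
    for tp in root.findall("s:target-params", NS):
        name = tp.findtext("s:usm/s:user-name", None, NS)
        if name is None:
            continue  # entry uses another security model
        wanted = tp.findtext("s:usm/s:security-level", None, NS)
        best = max((LEVELS.index(u["level"]) for u in users if u["name"] == name),
                   default=-1)
        if wanted not in LEVELS or best < LEVELS.index(wanted):
            findings.append(("level-unreachable", tp.findtext("s:name", "?", NS),
                             f"no USM user '{name}' can provide {wanted}"))
    return findings


if __name__ == "__main__":
    for code, subject, detail in audit(SAMPLE):
        print(f"{code:18} {subject:28} {detail}")
```

A NETCONF server that validates the must expression rejects the "broken" user at commit time; the audit is useful for configuration held outside such a server, such as templates or backups.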
<CODE BEGINS> file "ietf-snmp-tsm.yang"
submodule ietf-snmp-tsm {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  include ietf-snmp-common;
  include ietf-snmp-target;
  include ietf-snmp-proxy;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:   <http://tools.ietf.org/wg/netmod/>
     WG List:  <mailto:netmod@ietf.org>

     WG Chair: Thomas Nadeau
               <mailto:tnadeau@lucidvision.com>

     WG Chair: Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>

     Editor:   Martin Bjorklund
               <mailto:mbj@tail-f.com>

     Editor:   Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the Transport Security Model (TSM) of SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  reference
    "RFC 5591: Transport Security Model for the Simple Network
       Management Protocol (SNMP)";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  feature tsm {
    description
      "A server implements this feature if it supports the
       Transport Security Model for SNMP.";
    reference
      "RFC 5591: Transport Security Model for the Simple Network
         Management Protocol (SNMP)";
  }

  augment /snmp:snmp {
    if-feature tsm;
    container tsm {
      description
        "Configuration of the Transport Security Model.";

      leaf use-prefix {
        type boolean;
        default false;
        reference
          "RFC 5591: Transport Security Model for the Simple Network
             Management Protocol (SNMP).
             SNMP-TSM-MIB.snmpTsmConfigurationUsePrefix";
      }
    }
  }

  grouping tsm-target-params {
    container tsm {
      description
        "Transport-based security SNMPv3 parameters type.

         Represents snmpTargetParamsMPModel '3' and
         snmpTargetParamsSecurityModel '4'.";
      leaf security-name {
        type snmp:security-name;
        mandatory true;
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
             Applications.
             SNMP-TARGET-MIB.snmpTargetParamsSecurityName";
      }
      leaf security-level {
        type snmp:security-level;
        mandatory true;
        reference
          "RFC 3413: Simple Network Management Protocol (SNMP).
             Applications.
             SNMP-TARGET-MIB.snmpTargetParamsSecurityLevel";
      }
    }
  }

  augment /snmp:snmp/snmp:target-params/snmp:params {
    if-feature tsm;
    case tsm {
      uses tsm-target-params;
    }
  }
}
<CODE ENDS>
<CODE BEGINS> file "ietf-snmp-tls.yang"
submodule ietf-snmp-tls {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }
  import ietf-x509-cert-to-name {
    prefix x509c2n;
  }

  include ietf-snmp-common;
  include ietf-snmp-engine;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:   <http://tools.ietf.org/wg/netmod/>
     WG List:  <mailto:netmod@ietf.org>

     WG Chair: Thomas Nadeau
               <mailto:tnadeau@lucidvision.com>

     WG Chair: Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>

     Editor:   Martin Bjorklund
               <mailto:mbj@tail-f.com>

     Editor:   Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the Transport Layer Security Transport Model
     (TLSTM) of SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  reference
    "RFC 6353: Transport Layer Security (TLS) Transport Model for
       the Simple Network Management Protocol (SNMP)";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  feature tlstm {
    description
      "A server implements this feature if it supports the
       Transport Layer Security Transport Model for SNMP.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model for
         the Simple Network Management Protocol (SNMP)";
  }

  augment /snmp:snmp/snmp:engine/snmp:listen/snmp:transport {
    if-feature tlstm;
    case tls {
      container tls {
        description
          "A list of IPv4 and IPv6 addresses and ports to which the
           engine listens for SNMP messages over TLS.";

        leaf ip {
          type inet:ip-address;
          mandatory true;
          description
            "The IPv4 or IPv6 address on which the engine listens
             for SNMP messages over TLS.";
        }
        leaf port {
          type inet:port-number;
          description
            "The TCP port on which the engine listens for SNMP
             messages over TLS.

             If the port is not configured, an engine that
             acts as a Command Responder uses port 10161, and
             an engine that acts as a Notification Receiver
             uses port 10162.";
        }
      }
    }
    case dtls {
      container dtls {
        description
          "A list of IPv4 and IPv6 addresses and ports to which the
           engine listens for SNMP messages over DTLS.";

        leaf ip {
          type inet:ip-address;
          mandatory true;
          description
            "The IPv4 or IPv6 address on which the engine listens
             for SNMP messages over DTLS.";
        }
        leaf port {
          type inet:port-number;
          description
            "The UDP port on which the engine listens for SNMP
             messages over DTLS.

             If the port is not configured, an engine that
             acts as a Command Responder uses port 10161, and
             an engine that acts as a Notification Receiver
             uses port 10162.";
        }
      }
    }
  }

  augment /snmp:snmp {
    if-feature tlstm;
    container tlstm {
      uses x509c2n:cert-to-name {
        description
          "Defines how certificates are mapped to names. The
           resulting name is used as a security name.";
        refine cert-to-name/map-type {
          description
            "Mappings that use the snmpTlstmCertToTSNData column
             need to augment the cert-to-name list with
             additional configuration objects corresponding
             to the snmpTlstmCertToTSNData value. Such objects
             should use the 'when' statement to make them
             conditional based on the map-type.";
        }
      }
    }
  }

  grouping tls-transport {
    leaf ip {
      type inet:host;
      mandatory true;
      reference
        "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-TARGET-MIB.snmpTargetAddrTAddress
         RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol (SNMP).
           SNMP-TLS-TM-MIB.SnmpTLSAddress";
    }
    leaf port {
      type inet:port-number;
      default 10161;
      reference
        "RFC 3413: Simple Network Management Protocol (SNMP).
           Applications.
           SNMP-TARGET-MIB.snmpTargetAddrTAddress
         RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol (SNMP).
           SNMP-TLS-TM-MIB.SnmpTLSAddress";
    }
    leaf client-fingerprint {
      type x509c2n:tls-fingerprint;
      reference
        "RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol (SNMP).
           SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint";
    }
    leaf server-fingerprint {
      type x509c2n:tls-fingerprint;
      reference
        "RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol (SNMP).
           SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint";
    }
    leaf server-identity {
      type snmp:admin-string;
      reference
        "RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol (SNMP).
           SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity";
    }
  }

  augment /snmp:snmp/snmp:target/snmp:transport {
    if-feature tlstm;
    case tls {
      reference
        "RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol (SNMP).
           SNMP-TLS-TM-MIB.snmpTLSTCPDomain";
      container tls {
        uses tls-transport;
      }
    }
  }

  augment /snmp:snmp/snmp:target/snmp:transport {
    if-feature tlstm;
    case dtls {
      reference
        "RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol (SNMP).
           SNMP-TLS-TM-MIB.snmpDTLSUDPDomain";
      container dtls {
        uses tls-transport;
      }
    }
  }
}
<CODE ENDS>
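The client-fingerprint and server-fingerprint leaves above carry x509c2n:tls-fingerprint values: a colon-separated hex string whose first octet is the hash algorithm identifier from the IANA TLS HashAlgorithm registry and whose remaining octets are the digest. The following Python helper is an added example, not part of RFC 7407, that builds, parses and checks such a value; it assumes the digest is taken over the DER encoding of the certificate, uses a constructed byte string in place of a real certificate, and treats md5 and sha1 fingerprints as weak by assumed local policy.

```python
import hashlib
import hmac
import re

# First octet (IANA TLS HashAlgorithm registry, RFC 5246) -> (hashlib name, digest size).
HASHES = {1: ("md5", 16), 2: ("sha1", 20), 3: ("sha224", 28),
          4: ("sha256", 32), 5: ("sha384", 48), 6: ("sha512", 64)}
IDS = {name: ident for ident, (name, _) in HASHES.items()}
WEAK = {"md5", "sha1"}  # assumed local policy, not a rule of the YANG model
HEX_STRING = re.compile(r"[0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*")

# Constructed stand-in for a DER-encoded certificate (not a real certificate).
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + b"constructed-example-certificate"


def make_fingerprint(der, algorithm="sha256"):
    """Build a tls-fingerprint string for the given DER bytes."""
    if algorithm not in IDS:
        raise ValueError(f"no TLS HashAlgorithm identifier for {algorithm!r}")
    octets = bytes([IDS[algorithm]]) + hashlib.new(algorithm, der).digest()
    return ":".join(f"{b:02x}" for b in octets)


def parse_fingerprint(text):
    """Split a configured tls-fingerprint into (hash name, digest bytes).

    Raises ValueError for anything that is not a well-formed value, so a
    truncated or mistyped fingerprint is rejected before it is ever compared.
    """
    if not HEX_STRING.fullmatch(text):
        raise ValueError("not a colon-separated hex string")
    octets = bytes.fromhex(text.replace(":", ""))
    if octets[0] not in HASHES:
        raise ValueError(f"unknown hash algorithm identifier {octets[0]}")
    name, size = HASHES[octets[0]]
    if len(octets) - 1 != size:
        raise ValueError(f"{name} digest must be {size} octets, got {len(octets) - 1}")
    return name, octets[1:]


def is_weak(text):
    """True when the configured fingerprint relies on a hash listed in WEAK."""
    return parse_fingerprint(text)[0] in WEAK


def peer_matches(configured, peer_der):
    """Compare the peer certificate against the configured fingerprint.

    The digest comparison is constant-time (hmac.compare_digest).
    """
    name, expected = parse_fingerprint(configured)
    actual = hashlib.new(name, peer_der).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    fp = make_fingerprint(SAMPLE_DER)
    print("server-fingerprint:", fp)
    print("matches same cert: ", peer_matches(fp, SAMPLE_DER))
    print("matches other cert:", peer_matches(fp, SAMPLE_DER + b"\x00"))
    print("sha1 value is weak:", is_weak(make_fingerprint(SAMPLE_DER, "sha1")))
```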
<CODE BEGINS> file "ietf-snmp-ssh.yang"
submodule ietf-snmp-ssh {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }

  include ietf-snmp-common;
  include ietf-snmp-engine;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:   <http://tools.ietf.org/wg/netmod/>
     WG List:  <mailto:netmod@ietf.org>

     WG Chair: Thomas Nadeau
               <mailto:tnadeau@lucidvision.com>

     WG Chair: Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>

     Editor:   Martin Bjorklund
               <mailto:mbj@tail-f.com>

     Editor:   Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the Secure Shell Transport Model (SSHTM)
     of SNMP.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  reference
    "RFC 5592: Secure Shell Transport Model for the
       Simple Network Management Protocol (SNMP)";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  feature sshtm {
    description
      "A server implements this feature if it supports the
       Secure Shell Transport Model for SNMP.";
    reference
      "RFC 5592: Secure Shell Transport Model for the
         Simple Network Management Protocol (SNMP)";
  }

  augment /snmp:snmp/snmp:engine/snmp:listen/snmp:transport {
    if-feature sshtm;
    case ssh {
      container ssh {
        description
          "The IPv4 or IPv6 address and port to which the
           engine listens for SNMP messages over SSH.";

        leaf ip {
          type inet:ip-address;
          mandatory true;
          description
            "The IPv4 or IPv6 address on which the engine listens
             for SNMP messages over SSH.";
        }
        leaf port {
          type inet:port-number;
          description
            "The TCP port on which the engine listens for SNMP
             messages over SSH.

             If the port is not configured, an engine that
             acts as a Command Responder uses port 5161, and
             an engine that acts as a Notification Receiver
             uses port 5162.";
        }
      }
    }
  }

  augment /snmp:snmp/snmp:target/snmp:transport {
    if-feature sshtm;
    case ssh {
      reference
        "RFC 5592: Secure Shell Transport Model for the
           Simple Network Management Protocol (SNMP).
           SNMP-SSH-TM-MIB.snmpSSHDomain";
      container ssh {
        leaf ip {
          type inet:host;
          mandatory true;
          reference
            "RFC 3413: Simple Network Management Protocol (SNMP).
               Applications.
               SNMP-TARGET-MIB.snmpTargetAddrTAddress
             RFC 5592: Secure Shell Transport Model for the
               Simple Network Management Protocol (SNMP).
               SNMP-SSH-TM-MIB.SnmpSSHAddress";
        }
        leaf port {
          type inet:port-number;
          default 5161;
          reference
            "RFC 3413: Simple Network Management Protocol (SNMP).
               Applications.
               SNMP-TARGET-MIB.snmpTargetAddrTAddress
             RFC 5592: Secure Shell Transport Model for the
               Simple Network Management Protocol (SNMP).
               SNMP-SSH-TM-MIB.SnmpSSHAddress";
        }
        leaf username {
          type string;
          reference
            "RFC 3413: Simple Network Management Protocol (SNMP).
               Applications.
               SNMP-TARGET-MIB.snmpTargetAddrTAddress
             RFC 5592: Secure Shell Transport Model for the
               Simple Network Management Protocol (SNMP).
               SNMP-SSH-TM-MIB.SnmpSSHAddress";
        }
      }
    }
  }
}
<CODE ENDS>
This document registers two URIs in the "IETF XML Registry" [RFC3688]. Following the format in RFC 3688, the following registrations have been made.

   URI: urn:ietf:params:xml:ns:yang:ietf-snmp
   Registrant Contact: The NETMOD WG of the IETF.
   XML: N/A, the requested URI is an XML namespace.

   URI: urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name
   Registrant Contact: The NETMOD WG of the IETF.
   XML: N/A, the requested URI is an XML namespace.

This document registers the following YANG modules in the "YANG Module Names" registry [RFC6020].

   name:       ietf-snmp
   namespace:  urn:ietf:params:xml:ns:yang:ietf-snmp
   prefix:     snmp
   reference:  RFC 7407

   name:       ietf-x509-cert-to-name
   namespace:  urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name
   prefix:     x509c2n
   reference:  RFC 7407

The document registers the following YANG submodules in the "YANG Module Names" registry [RFC6020].

   name:       ietf-snmp-common
   parent:     ietf-snmp
   reference:  RFC 7407

   name:       ietf-snmp-engine
   parent:     ietf-snmp
   reference:  RFC 7407

   name:       ietf-snmp-community
   parent:     ietf-snmp
   reference:  RFC 7407

   name:       ietf-snmp-notification
   parent:     ietf-snmp
   reference:  RFC 7407

   name:       ietf-snmp-target
   parent:     ietf-snmp
   reference:  RFC 7407

   name:       ietf-snmp-vacm
   parent:     ietf-snmp
   reference:  RFC 7407

   name:       ietf-snmp-usm
   parent:     ietf-snmp
   reference:  RFC 7407

   name:       ietf-snmp-tsm
   parent:     ietf-snmp
   reference:  RFC 7407

   name:       ietf-snmp-tls
   parent:     ietf-snmp
   reference:  RFC 7407

   name:       ietf-snmp-ssh
   parent:     ietf-snmp
   reference:  RFC 7407
The YANG module and submodules defined in this memo are designed to be accessed via the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is SSH [RFC6242]. The NETCONF access control model [RFC6536] provides the means to restrict access for particular NETCONF users to a pre-configured subset of all available NETCONF protocol operations and content.
There are a number of data nodes defined in the YANG module and submodules which are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) to these data nodes without proper protection can have a negative effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability:
o The "/snmp/engine" subtree contains the configuration of general parameters of an SNMP engine such as the endpoints to listen on, the transports and SNMP versions enabled, or the engine's identity. Write access to this subtree should only be granted to entities configuring general SNMP engine parameters.
o The "/snmp/target" subtree contains the configuration of SNMP targets and, in particular, which transports to use and their security parameters. Write access to this subtree should only be granted to the security administrator and entities configuring SNMP notification forwarding behavior.
o The "/snmp/notify" and "/snmp/notify-filter-profile" subtrees contain the configuration for the SNMP notification forwarding and filtering mechanism. Write access to these subtrees should only be granted to entities configuring SNMP notification forwarding behavior.
o The "/snmp/proxy" subtree contains the configuration for SNMP proxies. Write access to this subtree should only be granted to entities configuring SNMP proxies.
o The "/snmp/community" subtree contains the configuration of the Community-based Security Model. Write access to this subtree should only be granted to the security administrator.
o The "/snmp/usm" subtree contains the configuration of the User-based Security Model. Write access to this subtree should only be granted to the security administrator.
o The "/snmp/tsm" subtree contains the configuration of the Transport Layer Security (TLS) Transport Model for SNMP. Write access to this subtree should only be granted to the security administrator.
o The "/snmp/tlstm" subtree contains the configuration of the SNMP transport over (D)TLS and, in particular, the configuration of how certificates are mapped to SNMP security names. Write access to this subtree should only be granted to the security administrator.
o The "/snmp/vacm" subtree contains the configuration of the View-based Access Control Model used by SNMP to authorize access to management information via SNMP. Write access to this subtree should only be granted to the security administrator.
Some of the readable data nodes in the YANG module and submodules may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability:
o The "/snmp/engine" subtree exposes general information about an SNMP engine such as which version(s) of SNMP are enabled or which transports are enabled.
o The "/snmp/target" subtree exposes information about which transports are used to reach certain SNMP targets and which transport-specific parameters are used.
o The "/snmp/notify" and "/snmp/notify-filter-profile" subtrees expose information about how notifications are filtered and forwarded to notification targets.
o The "/snmp/proxy" subtree exposes information about proxy relationships.
o The "/snmp/community", "/snmp/usm", "/snmp/tsm", "/snmp/tlstm", and "/snmp/vacm" subtrees are specifically sensitive since they expose information about the authentication and authorization policy used by an SNMP engine.
Changes to the SNMP access control rules should be done in an atomic way (through a single edit-config or a single commit), or care must be taken that they are done in a sequence that does not temporarily open access to resources. Implementations supporting SNMP write access must ensure that any SNMP access control rule changes over NETCONF are also atomic to the SNMP instrumentation. In particular, changes involving an internal delete/create cycle (e.g., to move a user to a different group) must be done with sufficient protections such that even a power fail immediately after the delete does not leave the administrator locked out.
Security administrators need to ensure that NETCONF access control rules and SNMP access control rules implement a consistent security policy. Specifically, the SNMP access control rules should prevent accidental leakage of sensitive security parameters such as community strings. See the Security Considerations section of [RFC3584] for further details.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.
[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010, <http://www.rfc-editor.org/info/rfc6020>.
[RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. Bierman, "Network Configuration Protocol (NETCONF)", RFC 6241, June 2011, <http://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, June 2011, <http://www.rfc-editor.org/info/rfc6242>.
[RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration Protocol (NETCONF) Access Control Model", RFC 6536, March 2012, <http://www.rfc-editor.org/info/rfc6536>.
[RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991, July 2013, <http://www.rfc-editor.org/info/rfc6991>.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002, <http://www.rfc-editor.org/info/rfc3411>.
[RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3412, December 2002, <http://www.rfc-editor.org/info/rfc3412>.
[RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network Management Protocol (SNMP) Applications", STD 62, RFC 3413, December 2002, <http://www.rfc-editor.org/info/rfc3413>.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, December 2002, <http://www.rfc-editor.org/info/rfc3414>.
[RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, December 2002, <http://www.rfc-editor.org/info/rfc3415>.
[RFC3417] Presuhn, R., "Transport Mappings for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3417, December 2002, <http://www.rfc-editor.org/info/rfc3417>.
[RFC3418] Presuhn, R., "Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3418, December 2002, <http://www.rfc-editor.org/info/rfc3418>.
[RFC3419] Daniele, M. and J. Schoenwaelder, "Textual Conventions for Transport Addresses", RFC 3419, December 2002, <http://www.rfc-editor.org/info/rfc3419>.
[RFC3584] Frye, R., Levi, D., Routhier, S., and B. Wijnen, "Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework", BCP 74, RFC 3584, August 2003, <http://www.rfc-editor.org/info/rfc3584>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, January 2004, <http://www.rfc-editor.org/info/rfc3688>.
[RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model", RFC 3826, June 2004, <http://www.rfc-editor.org/info/rfc3826>.
[RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model for the Simple Network Management Protocol (SNMP)", STD 78, RFC 5591, June 2009, <http://www.rfc-editor.org/info/rfc5591>.
[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure Shell Transport Model for the Simple Network Management Protocol (SNMP)", RFC 5592, June 2009, <http://www.rfc-editor.org/info/rfc5592>.
[RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)", STD 78, RFC 6353, July 2011, <http://www.rfc-editor.org/info/rfc6353>.
[RFC6643] Schoenwaelder, J., "Translation of Structure of Management Information Version 2 (SMIv2) MIB Modules to YANG Modules", RFC 6643, July 2012, <http://www.rfc-editor.org/info/rfc6643>.
Below is an XML instance document showing a configuration of an SNMP engine listening on UDP port 161 on IPv4 and IPv6 endpoints and accepting SNMPv2c and SNMPv3 messages.
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <engine>
    <enabled>true</enabled>
    <listen>
      <name>all-ipv4-udp</name>
      <udp>
        <ip>0.0.0.0</ip>
        <port>161</port>
      </udp>
    </listen>
    <listen>
      <name>all-ipv6-udp</name>
      <udp>
        <ip>::</ip>
        <port>161</port>
      </udp>
    </listen>
    <version>
      <v2c/>
      <v3/>
    </version>
    <engine-id>80:00:02:b8:04:61:62:63</engine-id>
  </engine>
</snmp>
Below is an XML instance document showing a configuration that maps the community name "public" to the security-name "community-public" on the local engine with the default context name. The target tag "community-public-access" filters the access to this community name.
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <community>
    <index>1</index>
    <text-name>public</text-name>
    <security-name>community-public</security-name>
    <target-tag>community-public-access</target-tag>
  </community>
  <target>
    <name>management-station</name>
    <udp>
      <ip>2001:db8::abcd</ip>
      <port>161</port>
    </udp>
    <tag>blue</tag>
    <tag>community-public-access</tag>
    <target-params>v2c-public</target-params>
  </target>
  <target-params>
    <name>v2c-public</name>
    <v2c>
      <security-name>community-public</security-name>
    </v2c>
  </target-params>
</snmp>
Below is an XML instance document showing the configuration of a local user "joey" who has no authentication or privacy keys. For the remote SNMP engine identified by the snmpEngineID '800002b804616263'H, two users are configured. The user "matt" has a localized SHA authentication key, and the user "russ" has a localized SHA authentication key and an AES encryption key.
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <usm>
    <local>
      <user>
        <name>joey</name>
      </user>
    </local>
    <remote>
      <engine-id>00:00:00:00:00:00:00:00:00:00:00:02</engine-id>
      <user>
        <name>matt</name>
        <auth>
          <sha>
            <!-- The 'key' value is split into two lines to
                 conform to the RFC formatting rules. -->
            <key>66:95:fe:bc:92:88:e3:62:82:23:
                 5f:c7:15:1f:12:84:97:b3:8f:3f</key>
          </sha>
        </auth>
      </user>
      <user>
        <name>russ</name>
        <auth>
          <sha>
            <!-- The 'key' value is split into two lines to
                 conform to the RFC formatting rules. -->
            <key>66:95:fe:bc:92:88:e3:62:82:23:
                 5f:c7:15:1f:12:84:97:b3:8f:3f</key>
          </sha>
        </auth>
        <priv>
          <aes>
            <!-- The 'key' value is split into two lines to
                 conform to the RFC formatting rules. -->
            <key>66:95:fe:bc:92:88:e3:62:82:23:
                 5f:c7:15:1f:12:84</key>
          </aes>
        </priv>
      </user>
    </remote>
  </usm>
  <target>
    <name>bluebox</name>
    <udp>
      <ip>2001:db8::abcd</ip>
      <port>161</port>
    </udp>
    <tag>blue</tag>
    <target-params>matt-auth</target-params>
  </target>
  <target-params>
    <name>matt-auth</name>
    <usm>
      <user-name>matt</user-name>
      <security-level>auth-no-priv</security-level>
    </usm>
  </target-params>
</snmp>
Below is an XML instance document showing the configuration of a notification generator application (see Appendix A of [RFC3413]). Note that the USM-specific objects are defined in the "ietf-snmp-usm" submodule.
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <target>
    <name>addr1</name>
    <udp>
      <ip>192.0.2.3</ip>
      <port>162</port>
    </udp>
    <tag>group1</tag>
    <target-params>joe-auth</target-params>
  </target>
  <target>
    <name>addr2</name>
    <udp>
      <ip>192.0.2.6</ip>
      <port>162</port>
    </udp>
    <tag>group1</tag>
    <target-params>joe-auth</target-params>
  </target>
  <target>
    <name>addr3</name>
    <udp>
      <ip>192.0.2.9</ip>
      <port>162</port>
    </udp>
    <tag>group2</tag>
    <target-params>bob-priv</target-params>
  </target>
  <target-params>
    <name>joe-auth</name>
    <usm>
      <user-name>joe</user-name>
      <security-level>auth-no-priv</security-level>
    </usm>
  </target-params>
  <target-params>
    <name>bob-priv</name>
    <usm>
      <user-name>bob</user-name>
      <security-level>auth-priv</security-level>
    </usm>
  </target-params>
  <notify>
    <name>group1</name>
    <tag>group1</tag>
    <type>trap</type>
  </notify>
  <notify>
    <name>group2</name>
    <tag>group2</tag>
    <type>trap</type>
  </notify>
</snmp>
Below is an XML instance document showing the configuration of a proxy forwarder application. It proxies SNMPv2c messages from command generators to a file server running an SNMPv1 agent that recognizes two community strings, "private" and "public", with different associated read views. The file server is represented as two "target" instances, one for each community string.
If the proxy receives an SNMPv2c message with the community string "public" from a device in the "Office Network" or "Home Office Network", it gets tagged as "trusted", and the proxy uses the "private" community string when sending the message to the file server. Other SNMPv2c messages with the community string "public" get tagged as "non-trusted", and the proxy uses the "public" community string for these messages. There is also a special "backdoor" community string that can be used from any location to get "trusted" access.
The "Office Network" and "Home Office Network" are represented as two "target" instances. These "target" instances have target-params "none", which refers to a non-existing target-params entry.
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <target>
    <name>File Server (private)</name>
    <udp>
      <ip>192.0.2.1</ip>
    </udp>
    <target-params>v1-private</target-params>
  </target>
  <target>
    <name>File Server (public)</name>
    <udp>
      <ip>192.0.2.1</ip>
    </udp>
    <target-params>v1-public</target-params>
  </target>
  <target>
    <name>Office Network</name>
    <udp>
      <ip>192.0.2.0</ip>
      <prefix-length>24</prefix-length>
    </udp>
    <tag>office</tag>
    <target-params>none</target-params>
  </target>
  <target>
    <name>Home Office Network</name>
    <udp>
      <ip>203.0.113.0</ip>
      <prefix-length>24</prefix-length>
    </udp>
    <tag>home-office</tag>
    <target-params>none</target-params>
  </target>
  <target-params>
    <name>v1-private</name>
    <v1>
      <security-name>private</security-name>
    </v1>
  </target-params>
  <target-params>
    <name>v1-public</name>
    <v1>
      <security-name>public</security-name>
    </v1>
  </target-params>
  <target-params>
    <name>v2c-public</name>
    <v2c>
      <security-name>public</security-name>
    </v2c>
  </target-params>

  <!-- Communities c1, c2, c3, and c4 are used for incoming
       messages that should be forwarded.

       Communities c3 and c5 are used for outgoing messages
       to the file server. -->
  <community>
    <index>c1</index>
    <security-name>public</security-name>
    <engine-id>80:00:61:81:c8</engine-id>
    <context>trusted</context>
    <target-tag>office</target-tag>
  </community>
  <community>
    <index>c2</index>
    <security-name>public</security-name>
    <engine-id>80:00:61:81:c8</engine-id>
    <context>trusted</context>
    <target-tag>home-office</target-tag>
  </community>
  <community>
    <index>c3</index>
    <security-name>public</security-name>
    <engine-id>80:00:61:81:c8</engine-id>
    <context>not-trusted</context>
  </community>
  <community>
    <index>c4</index>
    <text-name>backdoor</text-name>
    <security-name>public</security-name>
    <engine-id>80:00:61:81:c8</engine-id>
    <context>trusted</context>
  </community>
  <community>
    <index>c5</index>
    <security-name>private</security-name>
    <engine-id>80:00:61:81:c8</engine-id>
    <context>trusted</context>
  </community>

  <proxy>
    <name>p1</name>
    <type>read</type>
    <context-engine-id>80:00:61:81:c8</context-engine-id>
    <context-name>trusted</context-name>
    <target-params-in>v2c-public</target-params-in>
    <single-target-out>File Server (private)</single-target-out>
  </proxy>
  <proxy>
    <name>p2</name>
    <type>read</type>
    <context-engine-id>80:00:61:81:c8</context-engine-id>
    <context-name>not-trusted</context-name>
    <target-params-in>v2c-public</target-params-in>
    <single-target-out>File Server (public)</single-target-out>
  </proxy>
</snmp>
If an SNMPv2c Get request with community string "public" is received from an IP address tagged as "office" or "home-office", or if the request is received from anywhere else with community string "backdoor", the implied context is "trusted" so proxy entry "p1" matches. The request is forwarded to the file server as SNMPv1 with community "private" using community table entry "c5" for outbound params lookup.
If an SNMPv2c Get request with community string "public" is received from any other IP address, the implied context is "not-trusted" so proxy entry "p2" matches, and the request is forwarded to the file server as SNMPv1 with community "public".
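The lookup chain just described, traced in Python over the proxy example's own entries; this is an added illustration, not code from the RFC or from any SNMP implementation. It assumes that an entry without a text-name uses its security-name as the community string, and that an entry whose target-tag matches the source address is preferred over an untagged one, which is what the walkthrough above implies.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Community:
    index: str
    security_name: str
    context: str
    text_name: str = ""    # empty: security-name doubles as community string (assumption)
    target_tag: str = ""   # empty: entry is not tied to any source prefix

    @property
    def name(self) -> str:
        return self.text_name or self.security_name


# Values copied from the proxy instance document above.
COMMUNITIES = [
    Community("c1", "public", "trusted", target_tag="office"),
    Community("c2", "public", "trusted", target_tag="home-office"),
    Community("c3", "public", "not-trusted"),
    Community("c4", "public", "trusted", text_name="backdoor"),
    Community("c5", "private", "trusted"),
]
# tag -> source prefix, from the two "target" entries with target-params "none"
TAGGED_NETS = {
    "office": ipaddress.ip_network("192.0.2.0/24"),
    "home-office": ipaddress.ip_network("203.0.113.0/24"),
}
IN_PARAMS = {"v2c-public": "public"}  # target-params-in -> v2c security-name
# proxy name -> (context-name, target-params-in, single-target-out)
PROXIES = {
    "p1": ("trusted", "v2c-public", "File Server (private)"),
    "p2": ("not-trusted", "v2c-public", "File Server (public)"),
}
# outbound target -> v1 security-name (via v1-private / v1-public)
OUT_SECURITY_NAME = {
    "File Server (private)": "private",
    "File Server (public)": "public",
}


def match_inbound(community, src):
    """Pick the community entry for an incoming message, or None."""
    addr = ipaddress.ip_address(src)
    hits = [c for c in COMMUNITIES
            if c.name == community
            and (not c.target_tag or addr in TAGGED_NETS[c.target_tag])]
    # Assumption: a source-restricted entry wins over an unrestricted one.
    hits.sort(key=lambda c: not c.target_tag)
    return hits[0] if hits else None


def resolve(community, src):
    """Return (inbound entry, context, proxy, outbound entry, outbound community)."""
    entry = match_inbound(community, src)
    if entry is None:
        return None
    for proxy, (ctx, params_in, target_out) in PROXIES.items():
        if ctx == entry.context and IN_PARAMS[params_in] == entry.security_name:
            out_sec = OUT_SECURITY_NAME[target_out]
            out = next(c for c in COMMUNITIES
                       if c.security_name == out_sec and c.context == ctx)
            return (entry.index, entry.context, proxy, out.index, out.name)
    return None  # no proxy entry matches: the message is not forwarded


def unrestricted_elevations():
    """Community strings that, from an address outside every tagged prefix,
    are forwarded with a different outbound community string."""
    probe = "198.51.100.7"  # constructed address outside both prefixes
    found = []
    for name in sorted({c.name for c in COMMUNITIES}):
        result = resolve(name, probe)
        if result and result[4] != name:
            found.append((name, result[0], result[4]))
    return found


if __name__ == "__main__":
    for community, src in [("public", "192.0.2.55"), ("public", "198.51.100.7"),
                           ("backdoor", "198.51.100.7")]:
        print(community, src, resolve(community, src))
    print("review:", unrestricted_elevations())
```

The last function is the review step for a configuration like this one: it lists every community entry that grants the "trusted" path without a target-tag restricting where the request may come from.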
Below is an XML instance document showing the minimum-secure VACM configuration (see Appendix A of [RFC3415]).
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <vacm>
    <group>
      <name>initial</name>
      <member>
        <security-name>initial</security-name>
        <security-model>usm</security-model>
      </member>
      <access>
        <context></context>
        <security-model>usm</security-model>
        <security-level>no-auth-no-priv</security-level>
        <read-view>restricted</read-view>
        <notify-view>restricted</notify-view>
      </access>
      <access>
        <context></context>
        <security-model>usm</security-model>
        <security-level>auth-no-priv</security-level>
        <read-view>internet</read-view>
        <write-view>internet</write-view>
        <notify-view>internet</notify-view>
      </access>
    </group>
    <view>
      <name>initial</name>
      <include>1.3.6.1</include>
    </view>
    <view>
      <name>restricted</name>
      <include>1.3.6.1</include>
    </view>
  </vacm>
</snmp>
The following XML instance document shows the semi-secure VACM configuration (only the view configuration is different).
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp">
  <vacm>
    <group>
      <name>initial</name>
      <member>
        <security-name>initial</security-name>
        <security-model>usm</security-model>
      </member>
      <access>
        <context></context>
        <security-model>usm</security-model>
        <security-level>no-auth-no-priv</security-level>
        <read-view>restricted</read-view>
        <notify-view>restricted</notify-view>
      </access>
      <access>
        <context></context>
        <security-model>usm</security-model>
        <security-level>auth-no-priv</security-level>
        <read-view>internet</read-view>
        <write-view>internet</write-view>
        <notify-view>internet</notify-view>
      </access>
    </group>
    <view>
      <name>initial</name>
      <include>1.3.6.1</include>
    </view>
    <view>
      <name>restricted</name>
      <include>1.3.6.1.2.1.1</include>
      <include>1.3.6.1.2.1.11</include>
      <include>1.3.6.1.6.3.10.2.1</include>
      <include>1.3.6.1.6.3.11.2.1</include>
      <include>1.3.6.1.6.3.15.1.1</include>
    </view>
  </vacm>
</snmp>
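An added audit example (not part of the RFC) that parses the two VACM documents above and reports what the no-auth-no-priv read view exposes, taking snmpCommunityTable and usmUserTable as the sensitive subtrees; it also reports read views that an access entry names but no view entry defines. The vacm_doc helper and the choice of sensitive OIDs are assumptions of this example, and wildcard sub-identifiers are not handled.

```python
import xml.etree.ElementTree as ET

NS = {"s": "urn:ietf:params:xml:ns:yang:ietf-snmp"}

# Subtrees holding authentication material (SNMP-COMMUNITY-MIB, SNMP-USER-BASED-SM-MIB).
SENSITIVE = {
    "snmpCommunityTable": "1.3.6.1.6.3.18.1.1",
    "usmUserTable": "1.3.6.1.6.3.15.1.2.2",
}

MINIMUM_SECURE = ["1.3.6.1"]
SEMI_SECURE = ["1.3.6.1.2.1.1", "1.3.6.1.2.1.11", "1.3.6.1.6.3.10.2.1",
               "1.3.6.1.6.3.11.2.1", "1.3.6.1.6.3.15.1.1"]


def vacm_doc(restricted_includes):
    """Rebuild the page's VACM document with the given 'restricted' view (hypothetical helper)."""
    inc = "".join(f"<include>{oid}</include>" for oid in restricted_includes)
    return f"""<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp"><vacm>
  <group><name>initial</name>
    <member><security-name>initial</security-name>
      <security-model>usm</security-model></member>
    <access><context></context><security-model>usm</security-model>
      <security-level>no-auth-no-priv</security-level>
      <read-view>restricted</read-view><notify-view>restricted</notify-view></access>
    <access><context></context><security-model>usm</security-model>
      <security-level>auth-no-priv</security-level>
      <read-view>internet</read-view><write-view>internet</write-view>
      <notify-view>internet</notify-view></access>
  </group>
  <view><name>initial</name><include>1.3.6.1</include></view>
  <view><name>restricted</name>{inc}</view>
</vacm></snmp>"""


def parse_oid(text):
    return tuple(int(part) for part in text.strip().split("."))


def in_view(view_el, oid):
    """True if the longest include/exclude subtree covering oid is an include."""
    best_len, allowed = -1, False
    for kind in ("include", "exclude"):
        for el in view_el.findall(f"s:{kind}", NS):
            subtree = parse_oid(el.text)
            if oid[:len(subtree)] == subtree and len(subtree) > best_len:
                best_len, allowed = len(subtree), kind == "include"
    return allowed


def audit(xml_text):
    """Return (group, security-level, read-view, finding) tuples."""
    root = ET.fromstring(xml_text)
    views = {v.findtext("s:name", namespaces=NS): v
             for v in root.iterfind(".//s:vacm/s:view", NS)}
    findings = []
    for group in root.iterfind(".//s:vacm/s:group", NS):
        gname = group.findtext("s:name", namespaces=NS)
        for access in group.findall("s:access", NS):
            level = access.findtext("s:security-level", namespaces=NS)
            vname = access.findtext("s:read-view", namespaces=NS)
            if vname is None:
                continue
            if vname not in views:
                findings.append((gname, level, vname, "read-view not defined"))
                continue
            if level != "no-auth-no-priv":
                continue
            for label, oid in SENSITIVE.items():
                if in_view(views[vname], parse_oid(oid)):
                    findings.append((gname, level, vname, f"exposes {label}"))
    return findings


if __name__ == "__main__":
    for title, includes in (("minimum-secure", MINIMUM_SECURE),
                            ("semi-secure", SEMI_SECURE)):
        print(title)
        for finding in audit(vacm_doc(includes)):
            print("  ", finding)
```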
Below is an XML instance document showing the configuration of the mapping of certificate to security name (see Appendices A.2 and A.3 of [RFC6353]).
<snmp xmlns="urn:ietf:params:xml:ns:yang:ietf-snmp"
      xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name">
  <tlstm>
    <cert-to-name>
      <id>1</id>
      <fingerprint>11:0A:05:11:00</fingerprint>
      <map-type>x509c2n:san-any</map-type>
    </cert-to-name>
    <cert-to-name>
      <id>2</id>
      <fingerprint>11:0A:05:11:00</fingerprint>
      <map-type>x509c2n:specified</map-type>
      <name> Joe Cool </name>
    </cert-to-name>
  </tlstm>
</snmp>
Acknowledgments
The authors want to thank Wes Hardaker and David Spakes for their detailed reviews. Additional valuable comments were provided by David Harrington, Borislav Lukovic, and Randy Presuhn.
Juergen Schoenwaelder was partly funded by Flamingo, a Network of Excellence project (ICT-318488) supported by the European Commission under its Seventh Framework Programme.
Authors' Addresses
Martin Bjorklund Tail-f Systems
EMail: mbj@tail-f.com
Juergen Schoenwaelder Jacobs University
EMail: j.schoenwaelder@jacobs-university.de