Internet Engineering Task Force (IETF)                        A. Bierman
Request for Comments: 7895                                     YumaWorks
Category: Standards Track                                   M. Bjorklund
ISSN: 2070-1721                                           Tail-f Systems
                                                               K. Watsen
                                                        Juniper Networks
                                                               June 2016
YANG Module Library
Abstract
This document describes a YANG library that provides information about all the YANG modules used by a network management server (e.g., a Network Configuration Protocol (NETCONF) server). Simple caching mechanisms are provided to allow clients to minimize retrieval of this information.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7895.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction
   1.1. Terminology
   1.2. Tree Diagrams
2. YANG Module Library
   2.1. modules-state
      2.1.1. modules-state/module-set-id
      2.1.2. modules-state/module
   2.2. YANG Library Module
3. IANA Considerations
   3.1. YANG Module Registry
4. Security Considerations
5. References
   5.1. Normative References
   5.2. Informative References
Acknowledgements
Authors' Addresses
There is a need for standard mechanisms to identify the YANG modules and submodules that are in use by a server that implements YANG data models. If a large number of YANG modules are utilized by the server, then the YANG library contents needed can be relatively large. This information changes very infrequently, so it is important that clients be able to cache the YANG library contents and easily identify whether their cache is out of date.
YANG library information can be different on every server and can change at runtime or across a server reboot.
If the server implements multiple protocols to access the YANG-defined data, each such protocol has its own conceptual instantiation of the YANG library.
The following information is needed by a client application (for each YANG module in the library) to fully utilize the YANG data modeling language:
o name: The name of the YANG module.
o revision: Each YANG module and submodule within the library has a revision. This is derived from the most recent revision statement within the module or submodule. If no such revision statement exists, the module's or submodule's revision is the zero-length string.
o submodule list: The name and revision of each submodule used by the module MUST be identified.
o feature list: The name of each YANG feature supported by the server MUST be identified.
o deviation list: The name of each YANG module used for deviation statements MUST be identified.
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, [RFC2119].
The following terms are defined in [RFC6241]:
o client
o server
The following terms are defined in [YANG1.1]:
o module
o submodule
The following terms are used within this document:
o YANG library: A collection of YANG modules and submodules used by a server.
A simplified graphical representation of the data model is used in this document. The meaning of the symbols in these diagrams is as follows:
o Brackets "[" and "]" enclose list keys.
o Abbreviations before data node names: "rw" means configuration data (read-write) and "ro" state data (read-only).
o Symbols after data node names: "?" means an optional node, "!" means a presence container, and "*" denotes a list and leaf-list.
o Parentheses enclose choice and case nodes, and case nodes are also marked with a colon (":").
o Ellipsis ("...") stands for contents of subtrees that are not shown.
The "ietf-yang-library" module provides information about the YANG library used by a server. This module is defined using YANG version 1, but it supports the description of YANG modules written in any revision of YANG.
Following is the YANG Tree Diagram for the "ietf-yang-library" module:
   +--ro modules-state
      +--ro module-set-id    string
      +--ro module* [name revision]
         +--ro name                yang:yang-identifier
         +--ro revision            union
         +--ro schema?             inet:uri
         +--ro namespace           inet:uri
         +--ro feature*            yang:yang-identifier
         +--ro deviation* [name revision]
         |  +--ro name        yang:yang-identifier
         |  +--ro revision    union
         +--ro conformance-type    enumeration
         +--ro submodule* [name revision]
            +--ro name        yang:yang-identifier
            +--ro revision    union
            +--ro schema?     inet:uri
This mandatory container holds the identifiers for the YANG data model modules supported by the server.
This mandatory leaf contains a unique implementation-specific identifier representing the current set of modules and submodules on a specific server. The value of this leaf MUST change whenever the set of modules and submodules in the YANG library changes. There is no requirement that the same set always results in the same "module-set-id" value.
This leaf allows a client to fetch the module list once, cache it, and only refetch it if the value of this leaf has been changed.
If the value of this leaf changes, the server also generates a "yang-library-change" notification, with the new value of "module-set-id".
Note that for a NETCONF server that implements YANG 1.1 [YANG1.1], a change of the "module-set-id" value results in a new value for the :yang-library capability defined in [YANG1.1]. Thus, if such a server implements NETCONF notifications [RFC5277], and the notification "netconf-capability-change" [RFC6470], a "netconf-capability-change" notification is generated whenever the "module-set-id" changes.
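The caching behaviour described for "module-set-id", as an added example that is not part of the RFC: a client-side cache that refetches the module list only when the identifier differs or a "yang-library-change" notification announces a new value. The `probe_id` and `fetch_library` hooks, the `FakeServer` class and all sample values are hypothetical and constructed for illustration.

```python
from typing import Dict, List, Tuple


class YangLibraryCache:
    """Client-side cache of the module list, keyed per server and protocol.

    probe_id and fetch_library are hypothetical transport hooks supplied by
    the caller (for instance a NETCONF <get> with a subtree filter):
      probe_id(key)      -> current module-set-id (one leaf, cheap)
      fetch_library(key) -> (module-set-id, module list) taken from ONE reply
    """

    def __init__(self, probe_id, fetch_library):
        self._probe_id = probe_id
        self._fetch_library = fetch_library
        self._entries: Dict[Tuple[str, str], Tuple[str, List[dict]]] = {}
        self._stale = set()
        self.full_fetches = 0

    def modules(self, server, protocol="netconf"):
        # Each protocol has its own conceptual YANG library, so it is part of the key.
        key = (server, protocol)
        cached = self._entries.get(key)
        if cached is not None and key not in self._stale:
            # The id is opaque and server-specific: compare for equality only.
            if self._probe_id(key) == cached[0]:
                return cached[1]
        return self._refresh(key)

    def on_yang_library_change(self, server, new_id, protocol="netconf"):
        """Handle a yang-library-change notification carrying the new id."""
        key = (server, protocol)
        cached = self._entries.get(key)
        if cached is not None and cached[0] != new_id:
            self._stale.add(key)

    def _refresh(self, key):
        # Store the id that arrived with the list, so both describe the same set.
        set_id, modules = self._fetch_library(key)
        self._entries[key] = (set_id, modules)
        self._stale.discard(key)
        self.full_fetches += 1
        return modules


class FakeServer:
    """Constructed stand-in for two devices; not a real NETCONF client."""

    def __init__(self):
        self.libraries = {}  # key -> (module-set-id, module list)

    def probe_id(self, key):
        return self.libraries[key][0]

    def fetch_library(self, key):
        return self.libraries[key]


def demo():
    srv = FakeServer()
    a, b = ("192.0.2.1", "netconf"), ("192.0.2.2", "netconf")
    mods_v1 = [{"name": "example-a", "revision": "2016-01-01"}]
    mods_v2 = mods_v1 + [{"name": "example-b", "revision": ""}]
    # Two servers report the same id for different module sets.
    srv.libraries[a] = ("1", mods_v1)
    srv.libraries[b] = ("1", mods_v2)
    cache = YangLibraryCache(srv.probe_id, srv.fetch_library)
    first = cache.modules("192.0.2.1")
    again = cache.modules("192.0.2.1")   # id unchanged: served from cache
    other = cache.modules("192.0.2.2")   # same id, other server: own fetch
    srv.libraries[a] = ("2", mods_v2)    # module set changes on the first server
    cache.on_yang_library_change("192.0.2.1", "2")
    after = cache.modules("192.0.2.1")   # notification forced a refetch
    return first, again, other, after, cache.full_fetches
```

Keying on server and protocol matters because the identifier is only meaningful on the server that issued it; equal values from two servers say nothing about their module sets.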
This mandatory list contains one entry for each YANG data model module supported by the server. There MUST be an entry in this list for each revision of each YANG module that is used by the server. It is possible for multiple revisions of the same module to be imported, in addition to an entry for the revision that is implemented by the server.
The "ietf-yang-library" module defines monitoring information for the YANG modules used by a server.
The "ietf-yang-types" and "ietf-inet-types" modules from [RFC6991] are used by this module for some type definitions.
<CODE BEGINS> file "ietf-yang-library@2016-06-21.yang"

module ietf-yang-library {
  namespace "urn:ietf:params:xml:ns:yang:ietf-yang-library";
  prefix "yanglib";

  import ietf-yang-types {
    prefix yang;
  }
  import ietf-inet-types {
    prefix inet;
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group";

  contact
    "WG Web:   <https://datatracker.ietf.org/wg/netconf/>
     WG List:  <mailto:netconf@ietf.org>

     WG Chair: Mehmet Ersue
               <mailto:mehmet.ersue@nsn.com>

     WG Chair: Mahesh Jethanandani
               <mailto:mjethanandani@gmail.com>

     Editor:   Andy Bierman
               <mailto:andy@yumaworks.com>

     Editor:   Martin Bjorklund
               <mailto:mbj@tail-f.com>

     Editor:   Kent Watsen
               <mailto:kwatsen@juniper.net>";

  description
    "This module contains monitoring information about the YANG
     modules and submodules that are used within a YANG-based
     server.

     Copyright (c) 2016 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7895; see
     the RFC itself for full legal notices.";

  revision 2016-06-21 {
    description
      "Initial revision.";
    reference
      "RFC 7895: YANG Module Library.";
  }

  /*
   * Typedefs
   */

  typedef revision-identifier {
    type string {
      pattern '\d{4}-\d{2}-\d{2}';
    }
    description
      "Represents a specific date in YYYY-MM-DD format.";
  }

  /*
   * Groupings
   */

  grouping module-list {
    description
      "The module data structure is represented as a grouping
       so it can be reused in configuration or another monitoring
       data structure.";

    grouping common-leafs {
      description
        "Common parameters for YANG modules and submodules.";

      leaf name {
        type yang:yang-identifier;
        description
          "The YANG module or submodule name.";
      }
      leaf revision {
        type union {
          type revision-identifier;
          type string { length 0; }
        }
        description
          "The YANG module or submodule revision date.
           A zero-length string is used if no revision statement
           is present in the YANG module or submodule.";
      }
    }

    grouping schema-leaf {
      description
        "Common schema leaf parameter for modules and submodules.";

      leaf schema {
        type inet:uri;
        description
          "Contains a URL that represents the YANG schema
           resource for this module or submodule.

           This leaf will only be present if there is a URL
           available for retrieval of the schema for this entry.";
      }
    }

    list module {
      key "name revision";
      description
        "Each entry represents one revision of one module
         currently supported by the server.";

      uses common-leafs;
      uses schema-leaf;

      leaf namespace {
        type inet:uri;
        mandatory true;
        description
          "The XML namespace identifier for this module.";
      }
      leaf-list feature {
        type yang:yang-identifier;
        description
          "List of YANG feature names from this module that are
           supported by the server, regardless of whether they are
           defined in the module or any included submodule.";
      }
      list deviation {
        key "name revision";
        description
          "List of YANG deviation module names and revisions
           used by this server to modify the conformance of
           the module associated with this entry.  Note that
           the same module can be used for deviations for
           multiple modules, so the same entry MAY appear
           within multiple 'module' entries.

           The deviation module MUST be present in the 'module'
           list, with the same name and revision values.
           The 'conformance-type' value will be 'implement' for
           the deviation module.";
        uses common-leafs;
      }
      leaf conformance-type {
        type enumeration {
          enum implement {
            description
              "Indicates that the server implements one or more
               protocol-accessible objects defined in the YANG module
               identified in this entry.  This includes deviation
               statements defined in the module.

               For YANG version 1.1 modules, there is at most one
               module entry with conformance type 'implement' for a
               particular module name, since YANG 1.1 requires that,
               at most, one revision of a module is implemented.

               For YANG version 1 modules, there SHOULD NOT be more
               than one module entry for a particular module name.";
          }
          enum import {
            description
              "Indicates that the server imports reusable definitions
               from the specified revision of the module but does
               not implement any protocol-accessible objects from
               this revision.

               Multiple module entries for the same module name MAY
               exist.  This can occur if multiple modules import the
               same module but specify different revision dates in
               the import statements.";
          }
        }
        mandatory true;
        description
          "Indicates the type of conformance the server is claiming
           for the YANG module identified by this entry.";
      }
      list submodule {
        key "name revision";
        description
          "Each entry represents one submodule within the
           parent module.";
        uses common-leafs;
        uses schema-leaf;
      }
    }
  }

  /*
   * Operational state data nodes
   */

  container modules-state {
    config false;
    description
      "Contains YANG module monitoring information.";

    leaf module-set-id {
      type string;
      mandatory true;
      description
        "Contains a server-specific identifier representing
         the current set of modules and submodules.  The
         server MUST change the value of this leaf if the
         information represented by the 'module' list instances
         has changed.";
    }

    uses module-list;
  }

  /*
   * Notifications
   */

  notification yang-library-change {
    description
      "Generated when the set of modules and submodules supported
       by the server has changed.";
    leaf module-set-id {
      type leafref {
        path "/yanglib:modules-state/yanglib:module-set-id";
      }
      mandatory true;
      description
        "Contains the module-set-id value representing the
         set of modules and submodules supported at the server at
         the time the notification is generated.";
    }
  }

}

<CODE ENDS>
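The constraints stated in the module's descriptions can be checked on a retrieved "modules-state" instance before a client relies on it. The following added example (not part of the RFC) audits an XML reply for missing mandatory leafs, malformed revisions, deviation modules that are not listed as 'implement', and more than one 'implement' entry per module name. The sample document and its module names are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{urn:ietf:params:xml:ns:yang:ietf-yang-library}"
# typedef revision-identifier; YANG patterns match the whole value, hence fullmatch().
REVISION = re.compile(r"\d{4}-\d{2}-\d{2}")

# Constructed reply (module names are made up) with four deliberate defects.
SAMPLE = """
<modules-state xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-library">
  <module-set-id>constructed-1</module-set-id>
  <module>
    <name>example-a</name><revision>2016-01-01</revision>
    <namespace>urn:example:a</namespace>
    <deviation><name>example-a-dev</name><revision>2016-02-02</revision></deviation>
    <conformance-type>implement</conformance-type>
  </module>
  <module>
    <name>example-a</name><revision>2015-01-01</revision>
    <namespace>urn:example:a</namespace>
    <conformance-type>implement</conformance-type>
  </module>
  <module>
    <name>example-a-dev</name><revision>2016-02-02</revision>
    <namespace>urn:example:a-dev</namespace>
    <conformance-type>import</conformance-type>
  </module>
  <module>
    <name>example-b</name><revision>2016-1-1</revision>
    <conformance-type>implement</conformance-type>
  </module>
</modules-state>
"""


def _text(elem, tag):
    """Text of a direct child in the yanglib namespace, or None if absent."""
    child = elem.find(NS + tag)
    if child is None:
        return None
    return (child.text or "").strip()


def audit_modules_state(xml_text):
    """Return a sorted list of findings; an empty list means none were found."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    if _text(root, "module-set-id") is None:
        findings.append("module-set-id: mandatory leaf missing")
    modules = {}             # (name, revision) -> conformance-type
    implemented = Counter()  # module name -> number of 'implement' entries
    deviations = []
    for mod in root.findall(NS + "module"):
        name, rev = _text(mod, "name"), _text(mod, "revision")
        where = f"module {name}@{rev}"
        if name is None or rev is None:
            findings.append(f"{where}: list key missing")
            continue
        # The union allows a date or the zero-length string, nothing else.
        if rev != "" and not REVISION.fullmatch(rev):
            findings.append(f"{where}: revision is neither YYYY-MM-DD nor empty")
        if _text(mod, "namespace") is None:
            findings.append(f"{where}: mandatory leaf namespace missing")
        conf = _text(mod, "conformance-type")
        if conf not in ("implement", "import"):
            findings.append(f"{where}: conformance-type missing or invalid")
        if (name, rev) in modules:
            findings.append(f"{where}: duplicate list key")
        modules[(name, rev)] = conf
        if conf == "implement":
            implemented[name] += 1
        for dev in mod.findall(NS + "deviation"):
            deviations.append((where, _text(dev, "name"), _text(dev, "revision")))
    for name, count in implemented.items():
        if count > 1:
            findings.append(
                f"module {name}: {count} entries with conformance-type implement")
    # A deviation module MUST be in the module list, same key, as 'implement'.
    for where, dname, drev in deviations:
        conf = modules.get((dname, drev), "absent")
        if conf != "implement":
            findings.append(f"{where}: deviation {dname}@{drev} is {conf} "
                            "in module list, expected implement")
    return sorted(findings)
```

The library does not state which YANG version each module uses, so the per-name 'implement' count is reported as a finding for review rather than as a definite violation.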
This document registers one URI in the "IETF XML Registry" [RFC3688]. Following the format in RFC 3688, the following registration has been made.
   URI: urn:ietf:params:xml:ns:yang:ietf-yang-library
   Registrant Contact: The NETCONF WG of the IETF.
   XML: N/A, the requested URI is an XML namespace.
This document registers one YANG module in the "YANG Module Names" registry [RFC6020].
   name:         ietf-yang-library
   namespace:    urn:ietf:params:xml:ns:yang:ietf-yang-library
   prefix:       yanglib
   reference:    RFC 7895
The YANG module defined in this memo is designed to be accessed via the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the secure transport layer and the mandatory-to-implement secure transport is SSH [RFC6242]. The NETCONF access control model [RFC6536] provides the means to restrict access for particular NETCONF users to a pre-configured subset of all available NETCONF protocol operations and content.
Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability:
o /modules-state/module: The module list used in a server implementation may help an attacker identify the server capabilities and server implementations with known bugs. Although some of this information may be available to all users via the NETCONF <hello> message (or similar messages in other management protocols), this YANG module potentially exposes additional details that could be of some assistance to an attacker. Server vulnerabilities may be specific to particular modules, module revisions, module features, or even module deviations. This information is included in each module entry. For example, if a particular operation on a particular data node is known to cause a server to crash or significantly degrade device performance, then the module list information will help an attacker identify server implementations with such a defect, in order to launch a denial-of-service attack on the device.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, <http://www.rfc-editor.org/info/rfc3688>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010, <http://www.rfc-editor.org/info/rfc6020>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, <http://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, <http://www.rfc-editor.org/info/rfc6242>.
[RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration Protocol (NETCONF) Access Control Model", RFC 6536, DOI 10.17487/RFC6536, March 2012, <http://www.rfc-editor.org/info/rfc6536>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013, <http://www.rfc-editor.org/info/rfc6991>.
[RFC5277] Chisholm, S. and H. Trevino, "NETCONF Event Notifications", RFC 5277, DOI 10.17487/RFC5277, July 2008, <http://www.rfc-editor.org/info/rfc5277>.
[RFC6470] Bierman, A., "Network Configuration Protocol (NETCONF) Base Notifications", RFC 6470, DOI 10.17487/RFC6470, February 2012, <http://www.rfc-editor.org/info/rfc6470>.
[YANG1.1] Bjorklund, M., "The YANG 1.1 Data Modeling Language", Work in Progress, draft-ietf-netmod-rfc6020bis-12, April 2016.
Acknowledgements
Contributions to this material by Andy Bierman are based upon work supported by the Space & Terrestrial Communications Directorate (S&TCD) under Contract No. W15P7T-13-C-A616. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Space & Terrestrial Communications Directorate (S&TCD).
Authors' Addresses
Andy Bierman YumaWorks
Email: andy@yumaworks.com
Martin Bjorklund Tail-f Systems
Email: mbj@tail-f.com
Kent Watsen Juniper Networks
Email: kwatsen@juniper.net