submodule ietf-snmp-tls {
belongs-to ietf-snmp {
prefix snmp;
}
import ietf-yang-types {
prefix yang;
}
import ietf-inet-types {
prefix inet;
}
include ietf-snmp-common;
include ietf-snmp-engine;
include ietf-snmp-target;
organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact
"WG Web:
WG List:
WG Chair: David Kessens
WG Chair: Juergen Schoenwaelder
Editor: Martin Bjorklund
Editor: Juergen Schoenwaelder
";
description
"This submodule contains a collection of YANG definitions for
configuring the Transport Layer Security Transport Model (TLSTM)
of SNMP.
Copyright (c) 2011 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this
// note.
reference
"RFC6353: Transport Layer Security (TLS) Transport Model for
the Simple Network Management Protocol (SNMP)";
// RFC Ed.: update the date below with the date of RFC publication
// and remove this note.
revision 2013-02-11 {
description
"Initial revision.";
reference
"RFC XXXX: A YANG Data Model for SNMP Configuration";
}
/* Typedefs */
typedef tls-fingerprint {
type yang:hex-string {
pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
}
description
"A fingerprint value that can be used to uniquely reference
other data of potentially arbitrary length.
An tls-fingerprint value is composed of a 1-octet hashing
algorithm identifier followed by the fingerprint value. The
octet value encoded is taken from the IANA TLS HashAlgorithm
Registry (RFC 5246). The remaining octets are filled using
the results of the hashing algorithm.
The corresponding TEXTUAL-CONVENTION allows a zero-length
value to be used for objects that are optional. In the YANG
data models, such objects are represented as optional leafs.";
reference "SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
}
/* Identities */
identity cert-to-tm-security-name {
}
identity specified {
base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
}
identity san-rfc822-name {
base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
}
identity san-dns-name {
base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
}
identity san-ip-address {
base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
}
identity san-any {
base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
}
identity common-name {
base cert-to-tm-security-name;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
}
augment /snmp:snmp/snmp:engine/snmp:listen {
if-feature tlstm;
list tls {
key "ip port";
description
"A list of IPv4 and IPv6 addresses and ports to which the
engine listens for SNMP messages over TLS.";
leaf ip {
type inet:ip-address;
description
"The IPv4 or IPv6 address on which the engine listens
for SNMP messages over TLS.";
}
leaf port {
type inet:port-number;
description
"The TCP port on which the engine listens for SNMP
messages over TLS.";
}
}
list dtls {
key "ip port";
description
"A list of IPv4 and IPv6 addresses and ports to which the
engine listens for SNMP messages over DTLS.";
leaf ip {
type inet:ip-address;
description
"The IPv4 or IPv6 address on which the engine listens
for SNMP messages over DTLS.";
}
leaf port {
type inet:port-number;
description
"The UDP port on which the engine listens for SNMP messages
over DTLS.";
}
}
}
augment /snmp:snmp {
if-feature tlstm;
container tlstm {
list cert-to-tm-security-name {
key id;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";
leaf id {
type uint32;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
}
leaf fingerprint {
type tls-fingerprint;
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
}
leaf map-type {
type identityref {
base cert-to-tm-security-name;
}
description
"Mappings that use the snmpTlstmCertToTSNData column
need to augment the 'cert-to-tm-security-name' list
with additional configuration objects corresponding
to the snmpTlstmCertToTSNData value. Such objects
should use the 'when' statement to make them
conditional based on the 'map-type'.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
}
leaf cert-specified-tm-security-name {
when "../map-type = 'snmp:specified'";
type snmp:admin-string;
description
"Maps to snmpTlstmCertToTSNData when 'map-type' is
'specified'.";
reference "SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
}
}
}
}
grouping tls-transport {
leaf ip {
type inet:host;
mandatory true;
reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
SNMP-TLS-TM-MIB.SnmpTLSAddress";
}
leaf port {
type inet:port-number;
default 10161;
reference "SNMP-TARGET-MIB.snmpTargetAddrTAddress
SNMP-TLS-TM-MIB.SnmpTLSAddress";
}
leaf client-fingerprint {
type tls-fingerprint;
reference "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint";
}
leaf server-fingerprint {
type tls-fingerprint;
reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint";
}
leaf server-identity {
type snmp:admin-string;
reference "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity";
}
}
augment /snmp:snmp/snmp:target/snmp:transport {
if-feature tlstm;
case tls {
reference "SNMP-TLS-TM-MIB.snmpTLSTCPDomain";
container tls {
uses tls-transport;
}
}
}
augment /snmp:snmp/snmp:target/snmp:transport {
if-feature tlstm;
case dtls {
reference "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain";
container dtls {
uses tls-transport;
}
}
}
}