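submodule ietf-snmp-tls {

  belongs-to ietf-snmp {
    prefix snmp;
  }

  import ietf-inet-types {
    prefix inet;
  }
  import ietf-x509-cert-to-name {
    prefix x509c2n;
  }

  include ietf-snmp-common;
  include ietf-snmp-engine;
  include ietf-snmp-target;

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  // NOTE(review): the web/mail addresses that normally follow each
  // label appear to be missing from this copy of the submodule.
  contact
    "WG Web:
     WG List:
     WG Chair: David Kessens
     WG Chair: Juergen Schoenwaelder
     Editor: Martin Bjorklund
     Editor: Juergen Schoenwaelder
    ";

  description
    "This submodule contains a collection of YANG definitions for
     configuring the Transport Layer Security Transport Model (TLSTM)
     of SNMP.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Simplified BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see the
     RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and remove this
  // note.

  reference
    "RFC6353: Transport Layer Security (TLS) Transport Model for the
     Simple Network Management Protocol (SNMP)";

  // RFC Ed.: update the date below with the date of RFC publication
  // and remove this note.

  revision 2013-03-26 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Model for SNMP Configuration";
  }

  // Advertised by a server that implements TLSTM; every augment in
  // this submodule is conditional on it via 'if-feature'.
  feature tlstm {
    description
      "A server implements this feature if it supports the Transport
       Layer Security Transport Model for SNMP.";
    reference
      "RFC6353: Transport Layer Security (TLS) Transport Model for
       the Simple Network Management Protocol (SNMP)";
  }

  // Listener side: the address/port pairs on which this engine
  // accepts SNMP over TLS (TCP) and over DTLS (UDP).
  augment /snmp:snmp/snmp:engine/snmp:listen {
    if-feature tlstm;

    // Keyed on "ip port": one entry per distinct address/port pair.
    list tls {
      key "ip port";
      description
        "A list of IPv4 and IPv6 addresses and ports to which the
         engine listens for SNMP messages over TLS.";
      leaf ip {
        type inet:ip-address;
        description
          "The IPv4 or IPv6 address on which the engine listens for
           SNMP messages over TLS.";
      }
      leaf port {
        type inet:port-number;
        description
          "The TCP port on which the engine listens for SNMP messages
           over TLS.";
      }
    }

    // Same shape as 'tls', but for the datagram (UDP) transport.
    list dtls {
      key "ip port";
      description
        "A list of IPv4 and IPv6 addresses and ports to which the
         engine listens for SNMP messages over DTLS.";
      leaf ip {
        type inet:ip-address;
        description
          "The IPv4 or IPv6 address on which the engine listens for
           SNMP messages over DTLS.";
      }
      leaf port {
        type inet:port-number;
        description
          "The UDP port on which the engine listens for SNMP messages
           over DTLS.";
      }
    }
  }

  // Certificate-to-name mapping for peers that connect over
  // TLS/DTLS.
  augment /snmp:snmp {
    if-feature tlstm;
    container tlstm {
      // The name produced by this mapping is used as the peer's SNMP
      // security name (see the description below).  Presumably that
      // security name is what the rest of ietf-snmp keys access
      // control on (the VACM submodule is not included here -- confirm),
      // so edits to this list deserve the same scrutiny as changes to
      // credentials.
      uses x509c2n:cert-to-name {
        description
          "Defines how certificates are mapped to names. The
           resulting name is used as a security name.";
        refine cert-to-name/map-type {
          description
            "Mappings that use the snmpTlstmCertToTSNData column
             need to augment the 'cert-to-name' list with additional
             configuration objects corresponding to the
             snmpTlstmCertToTSNData value. Such objects should use
             the 'when' statement to make them conditional based on
             the 'map-type'.";
        }
      }
    }
  }

  // Transport parameters shared by the outgoing 'tls' and 'dtls'
  // target cases below.  Only 'ip' is mandatory in this model; the
  // three certificate-related leaves are optional.  What an engine
  // does for a target that has neither 'server-fingerprint' nor
  // 'server-identity' configured is defined by the referenced
  // SNMP-TLS-TM-MIB objects (RFC 6353), not by this module.
  grouping tls-transport {
    // inet:host, so a hostname is accepted here, unlike the listener
    // 'ip' above, which is restricted to inet:ip-address.  Name
    // resolution is outside this model.
    leaf ip {
      type inet:host;
      mandatory true;
      reference
        "SNMP-TARGET-MIB.snmpTargetAddrTAddress
         SNMP-TLS-TM-MIB.SnmpTLSAddress";
    }
    // The default applies to both the TCP and the UDP case, since
    // both reuse this grouping.
    leaf port {
      type inet:port-number;
      default 10161;
      reference
        "SNMP-TARGET-MIB.snmpTargetAddrTAddress
         SNMP-TLS-TM-MIB.SnmpTLSAddress";
    }
    // Presumably selects the local certificate presented to the
    // target; semantics are those of the referenced MIB object.
    leaf client-fingerprint {
      type x509c2n:tls-fingerprint;
      reference
        "SNMP-TLS-TM-MIB.snmpTlstmParamsClientFingerprint";
    }
    // Presumably the fingerprint expected of the target's
    // certificate; semantics are those of the referenced MIB object.
    leaf server-fingerprint {
      type x509c2n:tls-fingerprint;
      reference
        "SNMP-TLS-TM-MIB.snmpTlstmAddrServerFingerprint";
    }
    // Free-form admin-string; how it is matched against the target's
    // certificate is defined by the referenced MIB object.
    leaf server-identity {
      type snmp:admin-string;
      reference
        "SNMP-TLS-TM-MIB.snmpTlstmAddrServerIdentity";
    }
  }

  // Outgoing target over TLS (TCP).
  augment /snmp:snmp/snmp:target/snmp:transport {
    if-feature tlstm;
    case tls {
      reference
        "SNMP-TLS-TM-MIB.snmpTLSTCPDomain";
      container tls {
        uses tls-transport;
      }
    }
  }

  // Outgoing target over DTLS (UDP); a separate augment so each case
  // is added to the transport choice on its own.
  augment /snmp:snmp/snmp:target/snmp:transport {
    if-feature tlstm;
    case dtls {
      reference
        "SNMP-TLS-TM-MIB.snmpDTLSUDPDomain";
      container dtls {
        uses tls-transport;
      }
    }
  }
}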