IEEE Std 802.1Qcp-2018 pdf download – Local and m etropolitan area ne tworks— Brid ge s and Brid ge d Ne two rks— Amendment 30: YAN G Da ta Model.
48. YANG Data Model This clause specifies YANG data models that provide control and status monitoring of IEEE 802.1Q Bridges. Specifically, a) Two-Port MAC Relays, b) Customer VLAN bridges, and c) Provider bridges. The YANG bridge data management models are derived from UML models specified in 48.3. The UML models are based on Clause 12. NOTE 1—OMG UML 2.5 [B78] conventions together with C++ language constructs are used in this clause as a representation to convey model structure and relationships. NOTE 2—The MIB modules specified in Clause 17 were also derived from Clause 12. Consequently, the capabilities and structure of the YANG data models should closely aligned with that represented by the MIBs. However the YANG data model has not been derived from the MIB, and there has been no attempt to include data or modeling constructs that might appear in the MIB but not in the information model. 48.1 YANG Framework This clause has been developed according to the YANG guidelines published in IETF RFC 6087 [B68] as applicable to IEEE standards. The YANG framework applies hierarchy in the following areas: 1) The uniform resource name (URN), as specified in IEEE Std 802d. The structure of the URN is such that ieee is the root (i.e., name-space identifier), followed by the standard, then the working group developing the standard. 2) The YANG objects form a hierarchy of configuration and operational data structures that define the YANG model. These hierarchical relationships are described in 48.3.
48.2 Security considerations The YANG modules defined in this clause are designed to be accessed via a network configuration protocol, e.g., NETCONF protocol (IETF RFC 6536 [B71]). In the case of NETCONF, the lowest NETCONF layer is the secure transport layer and the mandatory to implement secure transport is SSH (IETF RFC 6242 [B70]). The NETCONF access control model provides the means to restrict access for particular NETCONF users to a preconfigured subset of all available NETCONF protocol operations and content. It is the responsibility of a system’s implementor and administrator to ensure that the protocol entities in the system that support NETCONF, and any other remote configuration protocols that make use of these YANG modules, are properly configured to allow access only to those principals (users) that have legitimate rights to read or write data nodes. This standard does not specify how the credentials of those users are to be stored or validated. 48.2.1 Security considerations of the ieee802-dot1q-bridge and ieee802-dot1q-vlan-bridge YANG modules There are a number of management objects defined in the ieee802-dot1q-bridge and ieee802-dot1q-vlan- bridge YANG modules that are configurable (i.e., read-write) and/or operational (i.e., read-only). Such objects may be considered sensitive or vulnerable in some network environments. A network configuration protocol, such as NETCONF (IETF RFC 6241 [B69]), can support protocol operations that can edit or delete YANG module configuration data (e.g., edit-config, delete-config, copy-config). If this is done in a non-secure environment without proper protection, then negative effects on the network operation is possible.