From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc1351.txt | 1963 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1963 insertions(+) create mode 100644 doc/rfc/rfc1351.txt (limited to 'doc/rfc/rfc1351.txt') diff --git a/doc/rfc/rfc1351.txt b/doc/rfc/rfc1351.txt new file mode 100644 index 0000000..deb2a87 --- /dev/null +++ b/doc/rfc/rfc1351.txt @@ -0,0 +1,1963 @@ + + + + + + +Network Working Group J. Davin +Request for Comments: 1351 MIT Laboratory for Computer Science + J. Galvin + Trusted Information Systems, Inc. + K. McCloghrie + Hughes LAN Systems, Inc. + July 1992 + + + SNMP Administrative Model + +Status of this Memo + + This document specifies an IAB standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "IAB + Official Protocol Standards" for the standardization state and status + of this protocol. Distribution of this memo is unlimited. + +Table of Contents + + 1. Abstract . . . . . . . . . . . . . . . . . . . . . . . . . 2 + 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2 + 3. Elements of the Model . . . . . . . . . . . . . . . . . . . 2 + 3.1 SNMP Party . . . . . . . . . . . . . . . . . . . . . . . . 2 + 3.2 SNMP Protocol Entity . . . . . . . . . . . . . . . . . . . 6 + 3.3 SNMP Management Station . . . . . . . . . . . . . . . . . . 6 + 3.4 SNMP Agent . . . . . . . . . . . . . . . . . . . . . . . . 7 + 3.5 View Subtree . . . . . . . . . . . . . . . . . . . . . . . 7 + 3.6 MIB View . . . . . . . . . . . . . . . . . . . . . . . . . 7 + 3.7 SNMP Management Communication . . . . . . . . . . . . . . . 8 + 3.8 SNMP Authenticated Management Communication . . . . . . . . 9 + 3.9 SNMP Private Management Communication . . . . . . . . . . 9 + 3.10 SNMP Management Communication Class . . . . . . . . . . . . 10 + 3.11 SNMP Access Control Policy . . . . . . . . . . . . . . . . 11 + 3.12 SNMP Proxy Party . . . . . . . . . . . . . . . . . . . . . 12 + 3.13 Procedures . . . . . . . . . . . . . . . . . . . . . . . . 13 + 3.13.1 Generating a Request . . . . . . . . . . . . . . . . . . 13 + 3.13.2 Processing a Received Communication . . . . . . . . . . . 15 + 3.13.3 Generating a Response . . . . . . . . . . . . . . . . . . 17 + 4. Application of the Model . . . . . . . . . . . . . . . . . 17 + 4.1 Non-Secure Minimal Agent Configuration . . . . . . . . . . 17 + 4.2 Secure Minimal Agent Configuration . . . . . . . . . . . . 20 + 4.3 Proxy Configuration . . . . . . . . . . . . . . . . . . . 21 + 4.3.1 Foreign Proxy Configuration . . . . . . . . . . . . . . . 22 + 4.3.2 Native Proxy Configuration . . . . . . . . . . . . . . . 25 + 4.4 Public Key Configuration . . . . . . . . . . . . . . . . . 27 + 4.5 MIB View Configurations . . . . . . . . . . . . . . . . . . 29 + + + +Davin, Galvin, & McCloghrie [Page 1] + +RFC 1351 SNMP Administrative Model July 1992 + + + 5. Compatibility . . . . . . . . . . . . . . . . . . . . . . . 33 + 6. Security Considerations . . . . . . . . . . . . . . . . . . 33 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . + 8. Authors' Addresses . . . . . . . . . . . . . . . . . . . . 34 + +1. Abstract + + This memo presents an elaboration of the SNMP administrative model + set forth in [1]. This model provides a unified conceptual basis for + administering SNMP protocol entities to support + + o authentication and integrity, + + o privacy, + + o access control, and + + o the cooperation of multiple protocol entities. + + Please send comments to the SNMP Security Developers mailing list + (snmp-sec-dev@tis.com). + +2. Introduction + + This memo presents an elaboration of the SNMP administrative model + set forth in [1]. It describes how the elaborated administrative + model is applied to realize effective network management in a variety + of configurations and environments. + + The model described here entails the use of distinct identities for + peers that exchange SNMP messages. Thus, it represents a departure + from the community-based administrative model set forth in [1]. By + unambiguously identifying the source and intended recipient of each + SNMP message, this new strategy improves upon the historical + community scheme both by supporting a more convenient access control + model and allowing for effective use of asymmetric (public key) + security protocols in the future. + +3. Elements of the Model + +3.1 SNMP Party + + A SNMP party is a conceptual, virtual execution context whose + operation is restricted (for security or other purposes) to an + administratively defined subset of all possible operations of a + particular SNMP protocol entity (see Section 3.2). Whenever a SNMP + protocol entity processes a SNMP message, it does so by acting as a + SNMP party and is thereby restricted to the set of operations defined + + + +Davin, Galvin, & McCloghrie [Page 2] + +RFC 1351 SNMP Administrative Model July 1992 + + + for that party. The set of possible operations specified for a SNMP + party may be overlapping or disjoint with respect to the sets of + other SNMP parties; it may also be a proper or improper subset of all + possible operations of the SNMP protocol entity. + + Architecturally, each SNMP party comprises + + o a single, unique party identity, + + o a single authentication protocol and associated + parameters by which all protocol messages originated by + the party are authenticated as to origin and integrity, + + o a single privacy protocol and associated parameters by + which all protocol messages received by the party are + protected from disclosure, + + o a single MIB view (see Section 3.6) to which all + management operations performed by the party are + applied, and + + o a logical network location at which the party executes, + characterized by a transport protocol domain and + transport addressing information. + + Conceptually, each SNMP party may be represented by an ASN.1 value + with the following syntax: + + + SnmpParty ::= SEQUENCE { + partyIdentity + OBJECT IDENTIFIER, + partyTDomain + OBJECT IDENTIFIER, + partyTAddr + OCTET STRING, + partyProxyFor + OBJECT IDENTIFIER, + partyMaxMessageSize + INTEGER, + partyAuthProtocol + OBJECT IDENTIFIER, + partyAuthClock + INTEGER, + partyAuthLastMsg + INTEGER, + partyAuthNonce + INTEGER, + + + +Davin, Galvin, & McCloghrie [Page 3] + +RFC 1351 SNMP Administrative Model July 1992 + + + partyAuthPrivate + OCTET STRING, + partyAuthPublic + OCTET STRING, + partyAuthLifetime + INTEGER, + partyPrivProtocol + OBJECT IDENTIFIER, + partyPrivPrivate + OCTET STRING, + partyPrivPublic + OCTET STRING + } + + + For each SnmpParty value that represents a SNMP party, the following + statements are true: + + o Its partyIdentity component is the party identity. + + o Its partyTDomain component is called the transport + domain and indicates the kind of transport service by + which the party receives network management traffic. + An example of a transport domain is + rfc1351Domain (SNMP over UDP, using SNMP + parties). + + o Its partyTAddr component is called the transport + addressing information and represents a transport + service address by which the party receives network + management traffic. + + o Its partyProxyFor component is called the proxied + party and represents the identity of a second SNMP + party or other management entity with which + interaction may be necessary to satisfy received + management requests. In this context, the value + noProxy signifies that the party responds to received + management requests by entirely local mechanisms. + + o Its partyMaxMessageSize component is called the + maximum message size and represents the length in + octets of the largest SNMP message this party is + prepared to accept. + + o Its partyAuthProtocol component is called the + authentication protocol and identifies a protocol and a + mechanism by which all messages generated by the party + + + +Davin, Galvin, & McCloghrie [Page 4] + +RFC 1351 SNMP Administrative Model July 1992 + + + are authenticated as to integrity and origin. In this + context, the value noAuth signifies that messages + generated by the party are not authenticated as to + integrity and origin. + + o Its partyAuthClock component is called the + authentication clock and represents a notion of the + current time that is specific to the party. The + significance of this component is specific to the + authentication protocol. + + o Its partyAuthLastMsg component is called the + last-timestamp and represents a notion of time + associated with the most recent, authentic protocol + message generated by the party. The significance of this + component is specific to the authentication protocol. + + o Its partyAuthNonce component is called the nonce + and represents a monotonically increasing integer + associated with the most recent, authentic protocol + message generated by the party. The significance of this + component is specific to the authentication protocol. + + o Its partyAuthPrivate component is called the private + authentication key and represents any secret value + needed to support the authentication protocol. The + significance of this component is specific to the + authentication protocol. + + o Its partyAuthPublic component is called the public + authentication key and represents any public value that + may be needed to support the authentication protocol. + The significance of this component is specific to the + authentication protocol. + + o Its partyAuthLifetime component is called the + lifetime and represents an administrative upper bound + on acceptable delivery delay for protocol messages + generated by the party. The significance of this + component is specific to the authentication protocol. + + o Its partyPrivProtocol component is called the privacy + protocol and identifies a protocol and a mechanism by + which all protocol messages received by the party are + protected from disclosure. In this context, the value + noPriv signifies that messages received by the party are + not protected from disclosure. + + + + +Davin, Galvin, & McCloghrie [Page 5] + +RFC 1351 SNMP Administrative Model July 1992 + + + o Its partyPrivPrivate component is called the private + privacy key and represents any secret value needed to + support the privacy protocol. The significance of this + component is specific to the privacy protocol. + + o Its partyPrivPublic component is called the public + privacy key and represents any public value that may be + needed to support the privacy protocol. The significance + of this component is specific to the privacy protocol. + + If, for all SNMP parties realized by a SNMP protocol entity, the + authentication protocol is noAuth and the privacy protocol is noPriv, + then that protocol entity is called non-secure. + +3.2 SNMP Protocol Entity + + A SNMP protocol entity is an actual process which performs network + management operations by generating and/or responding to SNMP + protocol messages in the manner specified in [1]. When a protocol + entity is acting as a particular SNMP party (see Section 3.1), the + operation of that entity must be restricted to the subset of all + possible operations that is administratively defined for that party. + + By definition, the operation of a SNMP protocol entity requires no + concurrency between processing of any single protocol message (by a + particular SNMP party) and processing of any other protocol message + (by a potentially different SNMP party). Accordingly, implementation + of a SNMP protocol entity to support more than one party need not be + multi-threaded. However, there may be situations where implementors + may choose to use multi-threading. + + Architecturally, every SNMP entity maintains a local database that + represents all SNMP parties known to it -- those whose operation is + realized locally, those whose operation is realized by proxy + interactions with remote parties or devices, and those whose + operation is realized by remote entities. In addition, every SNMP + protocol entity maintains a local database that represents an access + control policy (see Section 3.11) that defines the access privileges + accorded to known SNMP parties. + +3.3 SNMP Management Station + + A SNMP management station is the operational role assumed by a SNMP + party when it initiates SNMP management operations by the generation + of appropriate SNMP protocol messages or when it receives and + processes trap notifications. + + Sometimes, the term SNMP management station is applied to partial + + + +Davin, Galvin, & McCloghrie [Page 6] + +RFC 1351 SNMP Administrative Model July 1992 + + + implementations of the SNMP (in graphics workstations, for example) + that focus upon this operational role. Such partial implementations + may provide for convenient, local invocation of management services, + but they may provide little or no support for performing SNMP + management operations on behalf of remote protocol users. + +3.4 SNMP Agent + + A SNMP agent is the operational role assumed by a SNMP party when it + performs SNMP management operations in response to received SNMP + protocol messages such as those generated by a SNMP management + station (see Section 3.3). + + Sometimes, the term SNMP agent is applied to partial implementations + of the SNMP (in embedded systems, for example) that focus upon this + operational role. Such partial implementations provide for + realization of SNMP management operations on behalf of remote users + of management services, but they may provide little or no support for + local invocation of such services. + +3.5 View Subtree + + A view subtree is the set of all MIB object instances which have a + common ASN.1 OBJECT IDENTIFIER prefix to their names. A view subtree + is identified by the OBJECT IDENTIFIER value which is the longest + OBJECT IDENTIFIER prefix common to all (potential) MIB object + instances in that subtree. + +3.6 MIB View + + A MIB view is a subset of the set of all instances of all object + types defined according to the Internet-standard SMI [2] (i.e., of + the universal set of all instances of all MIB objects), subject to + the following constraints: + + o Each element of a MIB view is uniquely named by an + ASN.1 OBJECT IDENTIFIER value. As such, + identically named instances of a particular object type + (e.g., in different agents) must be contained within + different MIB views. That is, a particular object + instance name resolves within a particular MIB view to + at most one object instance. + + o Every MIB view is defined as a collection of view + subtrees. + + + + + + +Davin, Galvin, & McCloghrie [Page 7] + +RFC 1351 SNMP Administrative Model July 1992 + + +3.7 SNMP Management Communication + + A SNMP management communication is a communication from one specified + SNMP party to a second specified SNMP party about management + information that is represented in the MIB view of the appropriate + party. In particular, a SNMP management communication may be + + o a query by the originating party about information in + the MIB view of the addressed party (e.g., getRequest + and getNextRequest), + + o an indicative assertion to the addressed party about + information in the MIB view of the originating party + (e.g., getResponse or trapNotification), or + + o an imperative assertion by the originating party about + information in the MIB view of the addressed party + (e.g., setRequest). + + A management communication is represented by an ASN.1 value with the + syntax + + + SnmpMgmtCom ::= [1] IMPLICIT SEQUENCE { + dstParty + OBJECT IDENTIFIER, + srcParty + OBJECT IDENTIFIER, + pdu + PDUs + } + + + For each SnmpMgmtCom value that represents a SNMP management + communication, the following statements are true: + + o Its dstParty component is called the destination and + identifies the SNMP party to which the communication + is directed. + + o Its srcParty component is called the source and + identifies the SNMP party from which the + communication is originated. + + o Its pdu component has the form and significance + attributed to it in [1]. + + + + + +Davin, Galvin, & McCloghrie [Page 8] + +RFC 1351 SNMP Administrative Model July 1992 + + +3.8 SNMP Authenticated Management Communication + + A SNMP authenticated management communication is a SNMP management + communication (see Section 3.7) for which the originating SNMP party + is (possibly) reliably identified and for which the integrity of the + transmission of the communication is (possibly) protected. An + authenticated management communication is represented by an ASN.1 + value with the syntax + + + SnmpAuthMsg ::= [1] IMPLICIT SEQUENCE { + authInfo + ANY, - defined by authentication protocol + authData + SnmpMgmtCom + } + + + For each SnmpAuthMsg value that represents a SNMP authenticated + management communication, the following statements are true: + + o Its authInfo component is called the authentication + information and represents information required in + support of the authentication protocol used by the + SNMP party originating the message. The detailed + significance of the authentication information is specific + to the authentication protocol in use; it has no effect on + the application semantics of the communication other + than its use by the authentication protocol in + determining whether the communication is authentic or + not. + + o Its authData component is called the authentication + data and represents a SNMP management + communication. + +3.9 SNMP Private Management Communication + + A SNMP private management communication is a SNMP authenticated + management communication (see Section 3.8) that is (possibly) + protected from disclosure. A private management communication is + represented by an ASN.1 value with the syntax + + + + + + + + + +Davin, Galvin, & McCloghrie [Page 9] + +RFC 1351 SNMP Administrative Model July 1992 + + + SnmpPrivMsg ::= [1] IMPLICIT SEQUENCE { + privDst + OBJECT IDENTIFIER, + privData + [1] IMPLICIT OCTET STRING + } + + + For each SnmpPrivMsg value that represents a SNMP private management + communication, the following statements are true: + + o Its privDst component is called the privacy destination + and identifies the SNMP party to which the + communication is directed. + + o Its privData component is called the privacy data and + represents the (possibly encrypted) serialization + (according to the conventions of [3] and [1]) of a SNMP + authenticated management communication (see + Section 3.8). + +3.10 SNMP Management Communication Class + + A SNMP management communication class corresponds to a specific SNMP + PDU type defined in [1]. A management communication class is + represented by an ASN.1 INTEGER value according to the type of the + identifying PDU (see Table 1). + + Get 1 + GetNext 2 + GetResponse 4 + Set 8 + Trap 16 + + Table 1: Management Communication Classes + + The value by which a communication class is represented is computed + as 2 raised to the value of the ASN.1 context-specific tag for the + appropriate SNMP PDU. + + A set of management communication classes is represented by the ASN.1 + INTEGER value that is the sum of the representations of the + communication classes in that set. The null set is represented by the + value zero. + + + + + + + +Davin, Galvin, & McCloghrie [Page 10] + +RFC 1351 SNMP Administrative Model July 1992 + + +3.11 SNMP Access Control Policy + + A SNMP access control policy is a specification of a local access + policy in terms of the network management communication classes which + are authorized between pairs of SNMP parties. Architecturally, such a + specification comprises three parts: + + o the targets of SNMP access control - the SNMP parties + that may perform management operations as requested + by management communications received from other + parties, + + o the subjects of SNMP access control - the SNMP parties + that may request, by sending management + communications to other parties, that management + operations be performed, and + + o the policy that specifies the classes of SNMP + management communications that a particular target is + authorized to accept from a particular subject. + + Access to individual MIB object instances is determined implicitly + since by definition each (target) SNMP party performs operations on + exactly one MIB view. Thus, defining the permitted access of a + (reliably) identified subject party to a particular target party + effectively defines the access permitted by that subject to that + target's MIB view and, accordingly, to particular MIB object + instances. + + Conceptually, a SNMP access policy is represented by a collection of + ASN.1 values with the following syntax: + + + AclEntry ::= SEQUENCE { + aclTarget + OBJECT IDENTIFIER, + aclSubject + OBJECT IDENTIFIER, + aclPrivileges + INTEGER + } + + + For each such value that represents one part of a SNMP access policy, + the following statements are true: + + + + + + +Davin, Galvin, & McCloghrie [Page 11] + +RFC 1351 SNMP Administrative Model July 1992 + + + o Its aclTarget component is called the target and + identifies the SNMP party to which the partial policy + permits access. + + o Its aclSubject component is called the subject and + identifies the SNMP party to which the partial policy + grants privileges. + + o Its aclPrivileges component is called the privileges and + represents a set of SNMP management communication + classes that are authorized to be processed by the + specified target party when received from the specified + subject party. + +3.12 SNMP Proxy Party + + A SNMP proxy party is a SNMP party that performs management + operations by communicating with another, logically remote party. + + When communication between a logically remote party and a SNMP proxy + party is via the SNMP (over any transport protocol), then the proxy + party is called a SNMP native proxy party. Deployment of SNMP native + proxy parties is a means whereby the processing or bandwidth costs of + management may be amortized or shifted -- thereby facilitating the + construction of large management systems. + + When communication between a logically remote party and a SNMP proxy + party is not via the SNMP, then the proxy party is called a SNMP + foreign proxy party. Deployment of foreign proxy parties is a means + whereby otherwise unmanageable devices or portions of an internet may + be managed via the SNMP. + + The transparency principle that defines the behavior of a SNMP party + in general applies in particular to a SNMP proxy party: + + The manner in which one SNMP party processes + SNMP protocol messages received from another + SNMP party is entirely transparent to the latter. + + The transparency principle derives directly from the historical SNMP + philosophy of divorcing architecture from implementation. To this + dichotomy are attributable many of the most valuable benefits in both + the information and distribution models of the management framework, + and it is the architectural cornerstone upon which large management + systems may be built. Consistent with this philosophy, although the + implementation of SNMP proxy agents in certain environments may + resemble that of a transport-layer bridge, this particular + implementation strategy (or any other!) does not merit special + + + +Davin, Galvin, & McCloghrie [Page 12] + +RFC 1351 SNMP Administrative Model July 1992 + + + recognition either in the SNMP management architecture or in standard + mechanisms for proxy administration. + + Implicit in the transparency principle is the requirement that the + semantics of SNMP management operations are preserved between any two + SNMP peers. In particular, the "as if simultaneous" semantics of a + Set operation are extremely difficult to guarantee if its scope + extends to management information resident at multiple network + locations. For this reason, proxy configurations that admit Set + operations that apply to information at multiple locations are + discouraged, although such operations are not explicitly precluded by + the architecture in those rare cases where they might be supported in + a conformant way. + + Also implicit in the transparency principle is the requirement that, + throughout its interaction with a proxy agent, a management station + is supplied with no information about the nature or progress of the + proxy mechanisms by which its requests are realized. That is, it + should seem to the management station -- except for any distinction + in underlying transport address -- as if it were interacting via SNMP + directly with the proxied device. Thus, a timeout in the + communication between a proxy agent and its proxied device should be + represented as a timeout in the communication between the management + station and the proxy agent. Similarly, an error response from a + proxied device should -- as much as possible -- be represented by the + corresponding error response in the interaction between the proxy + agent and management station. + +3.13 Procedures + + This section describes the procedures followed by a SNMP protocol + entity in processing SNMP messages. These procedures are independent + of the particular authentication and privacy protocols that may be in + use. + +3.13.1 Generating a Request + + This section describes the procedure followed by a SNMP protocol + entity whenever either a management request or a trap notification is + to be transmitted by a SNMP party. + + 1. An ASN.1 SnmpMgmtCom value is constructed for + which the srcParty component identifies the originating + party, for which the dstParty component identifies the + receiving party, and for which the other component + represents the desired management operation. + + + + + +Davin, Galvin, & McCloghrie [Page 13] + +RFC 1351 SNMP Administrative Model July 1992 + + + 2. The local database is consulted to determine the + authentication protocol and other relevant information + for the originating SNMP party. + + 3. An ASN.1 SnmpAuthMsg value is constructed with + the following properties: + + o Its authInfo component is constructed according + to the authentication protocol specified for the + originating party. + + In particular, if the authentication protocol for the + originating SNMP party is identified as noAuth, + then this component corresponds to the OCTET + STRING value of zero length. + + o Its authData component is the constructed + SnmpMgmtCom value. + + 4. The local database is consulted to determine the privacy + protocol and other relevant information for the receiving + SNMP party. + + 5. An ASN.1 SnmpPrivMsg value is constructed with the + following properties: + + o Its privDst component identifies the receiving + SNMP party. + + o Its privData component is the (possibly + encrypted) serialization of the SnmpAuthMsg + value according to the conventions of [3] and [1]. + + In particular, if the privacy protocol for the + receiving SNMP party is identified as noPriv, then + the privData component is unencrypted. + Otherwise, the privData component is processed + according to the privacy protocol. + + 6. The constructed SnmpPrivMsg value is serialized + according to the conventions of [3] and [1]. + + 7. The serialized SnmpPrivMsg value is transmitted + using the transport address and transport domain for + the receiving SNMP party. + + + + + + +Davin, Galvin, & McCloghrie [Page 14] + +RFC 1351 SNMP Administrative Model July 1992 + + +3.13.2 Processing a Received Communication + + This section describes the procedure followed by a SNMP protocol + entity whenever a management communication is received. + + 1. If the received message is not the serialization (according + to the conventions of [3] and [1]) of an ASN.1 + SnmpPrivMsg value, then that message is discarded + without further processing. + + 2. The local database is consulted for information about + the receiving SNMP party identified by the privDst + component of the SnmpPrivMsg value. + + 3. If information about the receiving SNMP party is absent + from the local database, or specifies a transport domain + and address which indicates that the receiving party's + operation is not realized by the local SNMP protocol + entity, then the received message is discarded without + further processing. + + 4. An ASN.1 OCTET STRING value is constructed + (possibly by decryption, according to the privacy + protocol in use) from the privData component of said + SnmpPrivMsg value. + + In particular, if the privacy protocol recorded for the + party is noPriv, then the OCTET STRING value + corresponds exactly to the privData component of the + SnmpPrivMsg value. + + 5. If the OCTET STRING value is not the serialization + (according to the conventions of [3] and [1]) of an ASN.1 + SnmpAuthMsg value, then the received message is + discarded without further processing. + + 6. If the dstParty component of the authData + component of the obtained SnmpAuthMsg value is + not the same as the privDst component of the + SnmpPrivMsg value, then the received message is + discarded without further processing. + + 7. The local database is consulted for information about + the originating SNMP party identified by the srcParty + component of the authData component of the + SnmpAuthMsg value. + + + + + +Davin, Galvin, & McCloghrie [Page 15] + +RFC 1351 SNMP Administrative Model July 1992 + + + 8. If information about the originating SNMP party is + absent from the local database, then the received + message is discarded without further processing. + + 9. The obtained SnmpAuthMsg value is evaluated + according to the authentication protocol and other + relevant information associated with the originating + SNMP party in the local database. + + In particular, if the authentication protocol is identified + as noAuth, then the SnmpAuthMsg value is always + evaluated as authentic. + + 10. If the SnmpAuthMsg value is evaluated as + unauthentic, then the received message is discarded + without further processing, and an authentication failure + is noted. + + 11. The ASN.1 SnmpMgmtCom value is extracted from + the authData component of the SnmpAuthMsg + value. + + 12. The local database is consulted for access privileges + permitted by the local access policy to the originating + SNMP party with respect to the receiving SNMP party. + + 13. The management communication class is determined + from the ASN.1 tag value associated with the + SnmpMgmtCom value. + + 14. If the management communication class of the received + message is either 16 or 4 (i.e., Trap or GetResponse) and + this class is not among the access privileges, then the + received message is discarded without further processing. + + 15. If the management communication class of the received + message is not among the access privileges, then the + received message is discarded without further processing + after generation and transmission of a response message. + This response message is directed to the originating + SNMP party on behalf of the receiving SNMP party. Its + var-bind-list and request-id components are identical + to those of the received request. Its error-index + component is zero and its error-status component is + readOnly. + + 16. If the proxied party associated with the receiving SNMP + party in the local database is identified as noProxy, + + + +Davin, Galvin, & McCloghrie [Page 16] + +RFC 1351 SNMP Administrative Model July 1992 + + + then the management operation represented by the + SnmpMgmtCom value is performed by the receiving + SNMP protocol entity with respect to the MIB view + identified with the receiving SNMP party according to + the procedures set forth in [1]. + + 17. If the proxied party associated with the receiving SNMP + party in the local database is not identified as noProxy, + then the management operation represented by the + SnmpMgmtCom value is performed through + appropriate cooperation between the receiving SNMP + party and the identified proxied party. + + In particular, if the transport domain associated with + the identified proxied party in the local database is + rfc1351Domain, then the operation requested by + the received message is performed by the generation of a + corresponding request to the proxied party on behalf of + the receiving party. If the received message requires a + response from the local SNMP protocol entity, then that + response is subsequently generated from the response (if + any) received from the proxied party corresponding to + the newly generated request. + +3.13.3 Generating a Response + + This section describes the procedure followed by a SNMP protocol + entity whenever a response to a management request is generated. + + The procedure for generating a response to a SNMP management request + is identical to the procedure for transmitting a request (see Section + 3.13.1), except for the derivation of the transport domain and + address information. In this case, the response is transmitted using + the transport domain and address from which the corresponding request + originated -- even if that is different from the transport + information recorded in the local database. + +4. Application of the Model + + This section describes how the administrative model set forth above + is applied to realize effective network management in a variety of + configurations and environments. Several types of administrative + configurations are identified, and an example of each is presented. + +4.1 Non-Secure Minimal Agent Configuration + + This section presents an example configuration for a minimal, non- + secure SNMP agent that interacts with one or more SNMP management + + + +Davin, Galvin, & McCloghrie [Page 17] + +RFC 1351 SNMP Administrative Model July 1992 + + + stations. Table 2 presents information about SNMP parties that is + known both to the minimal agent and to the manager, while Table 3 + presents similarly common information about the local access policy. + + As represented in Table 2, the example agent party operates at UDP + port 161 at IP address 1.2.3.4 using the party identity gracie; the + example manager operates at UDP port 2001 at IP address 1.2.3.5 using + the identity george. At minimum, a non-secure SNMP agent + implementation must provide for administrative configuration (and + non-volatile storage) of the identities and transport addresses of + two SNMP parties: itself and a remote peer. Strictly speaking, other + information about these two parties (including access policy + information) need not be configurable. + + Suppose that the managing party george wishes to interrogate the + agent named gracie by issuing a SNMP GetNext request message. The + manager consults its local database of party information. Because the + authentication protocol for the party george is recorded as noAuth, + the GetNext request message generated by the manager is not + + Identity gracie george + (agent) (manager) + Domain rfc1351Domain rfc1351Domain + Address 1.2.3.4, 161 1.2.3.5, 2001 + Proxied Party noProxy noProxy + Auth Prot noAuth noAuth + Auth Priv Key "" "" + Auth Pub Key "" "" + Auth Clock 0 0 + Auth Last Msg 0 0 + Auth Lifetime 0 0 + Priv Prot noPriv noPriv + Priv Priv Key "" "" + Priv Pub Key "" "" + + Table 2: Party Information for Minimal Agent + + + + Target Subject Privileges + gracie george 3 + george gracie 20 + + Table 3: Access Information for Minimal Agent + + authenticated as to origin and integrity. Because, according to the + manager's database, the privacy protocol for the party gracie is + noPriv, the GetNext request message is not protected from disclosure. + + + +Davin, Galvin, & McCloghrie [Page 18] + +RFC 1351 SNMP Administrative Model July 1992 + + + Rather, it is simply assembled, serialized, and transmitted to the + transport address (IP address 1.2.3.4, UDP port 161) associated in + the manager's database with the party gracie. + + When the GetNext request message is received at the agent, the + identity of the party to which it is directed (gracie) is extracted + from the message, and the receiving protocol entity consults its + local database of party information. Because the privacy protocol for + the party gracie is recorded as noPriv, the received message is + assumed not to be protected from disclosure. Similarly, the identity + of the originating party (george) is extracted, and the local party + database is consulted. Because the authentication protocol for the + party george is recorded as noAuth, the received message is + immediately accepted as authentic. + + The received message is fully processed only if the access policy + database local to the agent authorizes GetNext request communications + by the party george with respect to the agent party gracie. The + access policy database presented as Table 3 authorizes such + communications (as well as Get operations). + + When the received request is processed, a GetResponse message is + generated with gracie as the source party and george, the party from + which the request originated, as the destination party. Because the + authentication protocol for gracie is recorded in the local party + database as noAuth, the generated GetResponse message is not + authenticated as to origin or integrity. Because, according to the + local database, the privacy protocol for the party george is noPriv, + the response message is not protected from disclosure. The response + message is transmitted to the transport address from which the + corresponding request originated -- without regard for the transport + address associated with george in the local database. + + When the generated response is received by the manager, the identity + of the party to which it is directed (george) is extracted from the + message, and the manager consults its local database of party + information. Because the privacy protocol for the party george is + recorded as noPriv, the received response is assumed not to be + protected from disclosure. Similarly, the identity of the originating + party (gracie) is extracted, and the local party database is + consulted. Because the authentication protocol for the party gracie + is recorded as noAuth, the received response is immediately accepted + as authentic. + + The received message is fully processed only if the access policy + database local to the manager authorizes GetResponse communications + by the party gracie with respect to the manager party george. The + access policy database presented as Table 3 authorizes such response + + + +Davin, Galvin, & McCloghrie [Page 19] + +RFC 1351 SNMP Administrative Model July 1992 + + + messages (as well as Trap messages). + +4.2 Secure Minimal Agent Configuration + + This section presents an example configuration for a secure, minimal + SNMP agent that interacts with a single SNMP management station. + Table 4 presents information about SNMP parties that is known both to + the minimal agent and to the manager, while Table 5 presents + similarly common information about the local access policy. + + The interaction of manager and agent in this configuration is very + similar to that sketched above for the non-secure minimal agent -- + except that all protocol messages are authenticated as to origin and + integrity and protected from disclosure. This example requires + encryption in order to support distribution of secret keys via the + SNMP itself. A more elaborate example comprising an additional pair + of SNMP parties could support the exchange of non-secret information + in authenticated messages without incurring the cost of encryption. + + An actual secure agent configuration may require SNMP parties for + which the authentication and privacy protocols are noAuth and noPriv, + respectively, in order to support clock synchronization (see [4]). + For clarity, these additional parties are not represented in this + example. + + Identity ollie stan + (agent) (manager) + Domain rfc1351Domain rfc1351Domain + Address 1.2.3.4, 161 1.2.3.5, 2001 + Proxied Party noProxy noProxy + Auth Prot md5AuthProtocol md5AuthProtocol + Auth Priv Key "0123456789ABCDEF" "GHIJKL0123456789" + Auth Pub Key "" "" + Auth Clock 0 0 + Auth Last Msg 0 0 + Auth Lifetime 500 500 + Priv Prot desPrivProtocol desPrivProtocol + Priv Priv Key "MNOPQR0123456789" "STUVWX0123456789" + Priv Pub Key "" "" + + Table 4: Party Information for Secure Minimal Agent + + + Target Subject Privileges + ollie stan 3 + stan ollie 20 + + Table 5: Access Information for Secure Minimal Agent + + + +Davin, Galvin, & McCloghrie [Page 20] + +RFC 1351 SNMP Administrative Model July 1992 + + + As represented in Table 4, the example agent party operates at UDP + port 161 at IP address 1.2.3.4 using the party identity ollie; the + example manager operates at UDP port 2001 at IP address 1.2.3.5 using + the identity stan. At minimum, a secure SNMP agent implementation + must provide for administrative configuration (and non-volatile + storage) of relevant information about two SNMP parties: itself and a + remote peer. Both ollie and stan authenticate all messages that they + generate by using the SNMP authentication protocol md5AuthProtocol + and their distinct, private authentication keys. Although these + private authentication key values ("0123456789ABCDEF" and + "GHIJKL0123456789") are presented here for expository purposes, + knowledge of private authentication keys is not normally afforded to + human beings and is confined to those portions of the protocol + implementation that require it. + + When using the md5AuthProtocol, the public authentication key for + each SNMP party is never used in authentication and verification of + SNMP exchanges. Also, because the md5AuthProtocol is symmetric in + character, the private authentication key for each party must be + known to another SNMP party with which authenticated communication is + desired. In contrast, asymmetric (public key) authentication + protocols would not depend upon sharing of a private key for their + operation. + + All protocol messages originated by the party stan are encrypted on + transmission using the desPrivProtocol privacy protocol and the + private key "STUVWX0123456789"; they are decrypted upon reception + according to the same protocol and key. Similarly, all messages + originated by the party ollie are encrypted on transmission using the + desPrivProtocol protocol and private privacy key "MNOPQR0123456789"; + they are correspondingly decrypted on reception. As with + authentication keys, knowledge of private privacy keys is not + normally afforded to human beings and is confined to those portions + of the protocol implementation that require it. + +4.3 Proxy Configuration + + This section presents examples of SNMP proxy configurations. On one + hand, foreign proxy configurations provide the capability to manage + non-SNMP devices. On the other hand, native proxy configurations + allow an administrator to shift the computational burden of rich + management functionality away from network devices whose primary task + is not management. To the extent that SNMP proxy agents function as + points of aggregation for management information, proxy + configurations may also reduce the bandwidth requirements of large- + scale management activities. + + The example configurations in this section are simplified for + + + +Davin, Galvin, & McCloghrie [Page 21] + +RFC 1351 SNMP Administrative Model July 1992 + + + clarity: actual configurations may require additional parties in + order to support clock synchronization and distribution of secrets. + +4.3.1 Foreign Proxy Configuration + + This section presents an example configuration by which a SNMP + management station may manage network elements that do not themselves + support the SNMP. This configuration centers on a SNMP proxy agent + that realizes SNMP management operations by interacting with a non- + SNMP device using a proprietary protocol. + + Table 6 presents information about SNMP parties that is recorded in + the local database of the SNMP proxy agent. Table 7 presents + information about SNMP parties that is recorded in the local database + of the SNMP management station. Table 8 presents information about + the access policy specified by the local administration. + + As represented in Table 6, the proxy agent party operates at UDP port + 161 at IP address 1.2.3.5 using the party identity moe; the example + manager operates at UDP port 2002 at IP address 1.2.3.4 using the + identity larry. Both larry and moe authenticate all messages that + they generate by using the protocol md5AuthProtocol and their + distinct, private authentication keys. Although these private + authentication key values ("0123456789ABCDEF" and + + Identity larry moe curly + (manager) (proxy) (proxied) + Domain rfc1351Domain rfc1351Domain acmeMgmtPrtcl + Address 1.2.3.4, 2002 1.2.3.5, 161 0x98765432 + Proxied Party noProxy curly noProxy + Auth Prot md5AuthProtocol md5AuthProtocol noAuth + Auth Priv Key "0123456789ABCDEF" "GHIJKL0123456789" "" + Auth Pub Key "" "" "" + Auth Clock 0 0 0 + Auth Last Msg 0 0 0 + Auth Lifetime 500 500 0 + Priv Prot noPriv noPriv noPriv + Priv Priv Key "" "" "" + Priv Pub Key "" "" "" + + Table 6: Party Information for Proxy Agent + + + + + + + + + + +Davin, Galvin, & McCloghrie [Page 22] + +RFC 1351 SNMP Administrative Model July 1992 + + + Identity larry moe + (manager) (proxy) + Domain rfc1351Domain rfc1351Domain + Address 1.2.3.4, 2002 1.2.3.5, 161 + Proxied Party noProxy noProxy + Auth Prot md5AuthProtocol md5AuthProtocol + Auth Priv Key "0123456789ABCDEF" "GHIJKL0123456789" + Auth Pub Key "" "" + Auth Clock 0 0 + Auth Last Msg 0 0 + Auth Lifetime 500 500 + Priv Prot noPriv noPriv + Priv Priv Key "" "" + Priv Pub Key "" "" + + Table 7: Party Information for Management Station + + + + Target Subject Privileges + moe larry 3 + larry moe 20 + + Table 8: Access Information for Foreign Proxy + + "GHIJKL0123456789") are presented here for expository purposes, + knowledge of private keys is not normally afforded to human beings + and is confined to those portions of the protocol implementation that + require it. + + Although all SNMP agents that use cryptographic keys in their + communication with other protocol entities will almost certainly + engage in private SNMP exchanges to distribute those keys, in order + to simplify this example, neither the management station nor the + proxy agent sends or receives private SNMP communications. Thus, the + privacy protocol for each of them is recorded as noPriv. + + The party curly does not send or receive SNMP protocol messages; + rather, all communication with that party proceeds via a hypothetical + proprietary protocol identified by the value acmeMgmtPrtcl. Because + the party curly does not participate in the SNMP, many of the + attributes recorded for that party in a local database are ignored. + + In order to interrogate the proprietary device associated with the + party curly, the management station larry constructs a SNMP GetNext + request and transmits it to the party moe operating (see Table 7) at + UDP port 161, and IP address 1.2.3.5. This request is authenticated + using the private authentication key "0123456789ABCDEF." + + + +Davin, Galvin, & McCloghrie [Page 23] + +RFC 1351 SNMP Administrative Model July 1992 + + + When that request is received by the party moe, the originator of the + message is verified as being the party larry by using local knowledge + (see Table 6) of the private authentication key "0123456789ABCDEF." + Because party larry is authorized to issue GetNext requests with + respect to party moe by the relevant access control policy (Table 8), + the request is accepted. Because the local database records the + proxied party for party moe as curly, the request is satisfied by its + translation into appropriate operations of the acmeMgmtPrtcl directed + at party curly. These new operations are transmitted to the party + curly at the address 0x98765432 in the acmeMgmtPrtcl domain. + + When and if the proprietary protocol exchange between the proxy agent + and the proprietary device concludes, a SNMP GetResponse management + operation is constructed by the SNMP party moe to relay the results + to party larry. This response communication is authenticated as to + origin and integrity using the authentication protocol + md5AuthProtocol and private authentication key "GHIJKL0123456789" + specified for transmissions from party moe. It is then transmitted to + the SNMP party larry operating at the management station at IP + address 1.2.3.4 and UDP port 2002 (the source address for the + corresponding request). + + When this response is received by the party larry, the originator of + the message is verified as being the party moe by using local + knowledge (see Table 7) of the private authentication key + "GHIJKL0123456789." Because party moe is authorized to issue + GetResponse communications with respect to party larry by the + relevant access control policy (Table 8), the response is accepted, + and the interrogation of the proprietary device is complete. + + It is especially useful to observe that the database of SNMP parties + recorded at the proxy agent (Table 6) need be neither static nor + configured exclusively by the management station. For instance, + suppose that, in this example, the acmeMgmtPrtcl was a proprietary, + MAC-layer mechanism for managing stations attached to a local area + network. In such an environment, the SNMP party moe would reside at a + SNMP proxy agent attached to such a LAN and could, by participating + in the LAN protocols, detect the attachment and disconnection of + various stations on the LAN. In this scenario, the SNMP proxy agent + could easily adjust its local database of SNMP parties to support + indirect management of the LAN stations by the SNMP management + station. For each new LAN station detected, the SNMP proxy agent + would add to its database both an entry analogous to that for party + curly (representing the new LAN station itself) and an entry + analogous to that for party moe (representing a proxy for that new + station in the SNMP domain). + + By using the SNMP to interrogate the database of parties held locally + + + +Davin, Galvin, & McCloghrie [Page 24] + +RFC 1351 SNMP Administrative Model July 1992 + + + by the SNMP proxy agent, a SNMP management station can discover and + interact with new stations as they are attached to the LAN. + +4.3.2 Native Proxy Configuration + + This section presents an example configuration that supports SNMP + native proxy operations -- indirect interaction between a SNMP agent + and a management station that is mediated by a second SNMP (proxy) + agent. + + This example configuration is similar to that presented in the + discussion of SNMP foreign proxy above. In this example, however, the + party associated with the identity curly receives messages via the + SNMP, and, accordingly interacts with the SNMP proxy agent moe using + authenticated SNMP communications. + + Table 9 presents information about SNMP parties that is recorded in + the local database of the SNMP proxy agent. Table 7 presents + information about SNMP parties that is recorded in the local database + of the SNMP management station. Table 10 presents information about + the access policy specified by the local administration. + + As represented in Table 9, the proxy party operates at UDP port 161 + at IP address 1.2.3.5 using the party identity moe; + + Identity larry moe curly + (manager) (proxy) (proxied) + Domain rfc1351Domain rfc1351Domain rfc1351Domain + Address 1.2.3.4, 2002 1.2.3.5, 161 1.2.3.6, 16 + Proxied Party noProxy curly noProxy + Auth Prot md5AuthProtocol md5AuthProtocol md5AuthProtocol + Auth Priv Key "0123456789ABCDEF" "GHIJKL0123456789" "MNOPQR0123456789" + Auth Pub Key "" "" "" + Auth Clock 0 0 0 + Auth Last Msg 0 0 0 + Auth Lifetime 500 500 500 + Priv Prot noPriv noPriv noPriv + Priv Priv Key "" "" "" + Priv Pub Key "" "" "" + + Table 9: Party Information for Proxy Agent + + + + + + + + + + +Davin, Galvin, & McCloghrie [Page 25] + +RFC 1351 SNMP Administrative Model July 1992 + + + Target Subject Privileges + moe larry 3 + larry moe 20 + curly moe 3 + moe curly 20 + + Table 10: Access Information for Native Proxy + + the example manager operates at UDP port 2002 at IP address 1.2.3.4 + using the identity larry; the proxied party operates at UDP port 161 + at IP address 1.2.3.6 using the party identity curly. Messages + generated by all three SNMP parties are authenticated as to origin + and integrity by using the authentication protocol md5AuthProtocol + and distinct, private authentication keys. Although these private key + values ("0123456789ABCDEF," "GHIJKL0123456789," and + "MNOPQR0123456789") are presented here for expository purposes, + knowledge of private keys is not normally afforded to human beings + and is confined to those portions of the protocol implementation that + require it. + + In order to interrogate the proxied device associated with the party + curly, the management station larry constructs a SNMP GetNext request + and transmits it to the party moe operating (see Table 7) at UDP port + 161 and IP address 1.2.3.5. This request is authenticated using the + private authentication key "0123456789ABCDEF." + + When that request is received by the party moe, the originator of the + message is verified as being the party larry by using local knowledge + (see Table 9) of the private authentication key "0123456789ABCDEF." + Because party larry is authorized to issue GetNext (and Get) requests + with respect to party moe by the relevant access control policy + (Table 10), the request is accepted. Because the local database + records the proxied party for party moe as curly, the request is + satisfied by its translation into a corresponding SNMP GetNext + request directed from party moe to party curly. This new + communication is authenticated using the private authentication key + "GHIJKL0123456789" and transmitted to party curly at the IP address + 1.2.3.6. + + When this new request is received by the party curly, the originator + of the message is verified as being the party moe by using local + knowledge (see Table 9) of the private authentication key + "GHIJKL0123456789." Because party moe is authorized to issue GetNext + (and Get) requests with respect to party curly by the relevant access + control policy (Table 10), the request is accepted. Because the local + database records the proxied party for party curly as noProxy, the + GetNext request is satisfied by local mechanisms. A SNMP GetResponse + message representing the results of the query is then generated by + + + +Davin, Galvin, & McCloghrie [Page 26] + +RFC 1351 SNMP Administrative Model July 1992 + + + party curly. This response communication is authenticated as to + origin and integrity using the private authentication key + "MNOPQR0123456789" and transmitted to party moe at IP address 1.2.3.5 + (the source address for the corresponding request). + + When this response is received by party moe, the originator of the + message is verified as being the party curly by using local knowledge + (see Table 9) of the private authentication key "MNOPQR0123456789." + Because party curly is authorized to issue GetResponse communications + with respect to party moe by the relevant access control policy + (Table 10), the response is not rejected. Instead, it is translated + into a response to the original GetNext request from party larry. + This response is authenticated as to origin and integrity using the + private authentication key "GHIJKL0123456789" and is transmitted to + the party larry at IP address 1.2.3.4 (the source address for the + original request). + + When this response is received by the party larry, the originator of + the message is verified as being the party moe by using local + knowledge (see Table 7) of the private authentication key + "GHIJKL0123456789." Because party moe is authorized to issue + GetResponse communications with respect to party larry by the + relevant access control policy (Table 10), the response is accepted, + and the interrogation is complete. + +4.4 Public Key Configuration + + This section presents an example configuration predicated upon a + hypothetical security protocol. This hypothetical protocol would be + based on asymmetric (public key) cryptography as a means for + providing data origin authentication (but not protection against + disclosure). This example illustrates the consistency of the + administrative model with public key technology, and the extension of + the example to support protection against disclosure should be + apparent. + + + + + + + + + + + + + + + + +Davin, Galvin, & McCloghrie [Page 27] + +RFC 1351 SNMP Administrative Model July 1992 + + + Identity ollie stan + (agent) (manager) + Domain rfc1351Domain rfc1351Domain + Address 1.2.3.4, 161 1.2.3.5, 2004 + Proxied Party noProxy noProxy + Auth Prot pkAuthProtocol pkAuthProtocol + Auth Priv Key "0123456789ABCDEF" "" + Auth Pub Key "" "ghijkl0123456789" + Auth Clock 0 0 + Auth Last Msg 0 0 + Auth Lifetime 500 500 + Priv Prot noPriv noPriv + Priv Priv Key "" "" + Priv Pub Key "" "" + + Table 11: Party Information for Public Key Agent + + The example configuration comprises a single SNMP agent that + interacts with a single SNMP management station. Tables 11 and 12 + present information about SNMP parties that is by the agent and + manager, respectively, while Table 5 presents information about the + local access policy that is known to both manager and agent. + + As represented in Table 11, the example agent party operates at UDP + port 161 at IP address 1.2.3.4 using the party identity ollie; the + example manager operates at UDP port 2004 at IP address 1.2.3.5 using + the identity stan. Both ollie and stan authenticate all messages that + they generate as to origin and integrity by using the hypothetical + SNMP authentication protocol pkAuthProtocol and their distinct, + private + + Identity ollie stan + (agent) (manager) + Domain rfc1351Domain rfc1351Domain + Address 1.2.3.4, 161 1.2.3.5, 2004 + Proxied Party noProxy noProxy + Auth Prot pkAuthProtocol pkAuthProtocol + Auth Priv Key "" "GHIJKL0123456789" + Auth Pub Key "0123456789abcdef" "" + Auth Clock 0 0 + Auth Last Msg 0 0 + Auth Lifetime 500 500 + Priv Prot noPriv noPriv + Priv Priv Key "" "" + Priv Pub Key "" "" + + Table 12: Party Information for Public Key Management + Station + + + +Davin, Galvin, & McCloghrie [Page 28] + +RFC 1351 SNMP Administrative Model July 1992 + + + authentication keys. Although these private authentication key values + ("0123456789ABCDEF" and "GHIJKL0123456789") are presented here for + expository purposes, knowledge of private keys is not normally + afforded to human beings and is confined to those portions of the + protocol implementation that require it. + + In most respects, the interaction between manager and agent in this + configuration is almost identical to that in the example of the + minimal, secure SNMP agent described above. The most significant + difference is that neither SNMP party in the public key configuration + has knowledge of the private key by which the other party + authenticates its transmissions. Instead, for each received + authenticated SNMP communication, the identity of the originator is + verified by applying an asymmetric cryptographic algorithm to the + received message together with the public authentication key for the + originating party. Thus, in this configuration, the agent knows the + manager's public key ("ghijkl0123456789") but not its private key + ("GHIJKL0123456789"); similarly, the manager knows the agent's public + key ("0123456789abcdef") but not its private key + ("0123456789ABCDEF"). + + For simplicity, privacy protocols are not addressed in this example + configuration, although their use would be necessary to the secure, + automated distribution of secret keys. + +4.5 MIB View Configurations + + This section describes a convention for the definition of MIB views + and, using that convention, presents example configurations of MIB + views for SNMP parties. + + A MIB view is defined by a collection of view subtrees (see Section + 3.6), and any MIB view may be represented in this way. Because MIB + view definitions may, in certain cases, comprise a very large number + of view subtrees, a convention for abbreviating MIB view definitions + is desirable. + + The convention adopted in [5] supports abbreviation of MIB view + definitions in terms of families of view subtrees that are either + included in or excluded from the definition of the relevant MIB view. + By this convention, a table locally maintained by each SNMP entity + defines the MIB view associated with each SNMP party realized by that + entity. Each entry in the table represents a family of view subtrees + that (according to the status of that entry) is either included in or + excluded from the MIB view of some SNMP party. Each table entry + represents a subtree family as a pairing of an OBJECT IDENTIFIER + value (called the family name) together with a bitstring value + (called the family mask). The family mask indicates which + + + +Davin, Galvin, & McCloghrie [Page 29] + +RFC 1351 SNMP Administrative Model July 1992 + + + subidentifiers of the associated family name are significant to the + definition of the represented subtree family. For each possible MIB + object instance, that instance belongs to the view subtree family + represented by a particular table entry if + + o the OBJECT IDENTIFIER name of that MIB + object instance comprises at least as many subidentifiers + as does the family name for said table entry, and + + o each subidentifier in the name of said MIB object + instance matches the corresponding subidentifier of the + relevant family name whenever the corresponding bit of + the associated family mask is non-zero. + + The appearance of a MIB object instance in the MIB view for a + particular SNMP party is related to the membership of that instance + in the subtree families associated with that party in local table + entries: + + o If a MIB object instance belongs to none of the relevant + subtree families, then that instance is not in the MIB + view for the relevant SNMP party. + + o If a MIB object instance belongs to the subtree family + represented by exactly one of the relevant table entries, + then that instance is included in, or excluded from, the + relevant MIB view according to the status of that entry. + + o If a MIB object instance belongs to the subtree families + represented by more than one of the relevant table + entries, then that instance is included in, or excluded + from, the relevant MIB view according to the status of + the single such table entry for which, first, the associated + family name comprises the greatest number of + subidentifiers, and, second, the associated family name is + lexicographically greatest. + + The subtree family represented by a table entry for which the + associated family mask is all ones corresponds to the single view + subtree identified by the family name for that entry. Because the + convention of [5] provides for implicit extension of family mask + values with ones, the subtree family represented by a table entry + with a family mask of zero length always corresponds to a single view + subtree. + + + + + + + +Davin, Galvin, & McCloghrie [Page 30] + +RFC 1351 SNMP Administrative Model July 1992 + + + Party Identity Status Family Name Family Mask + lucy include internet ""h + + Table 13: View Definition for Minimal Agent + + Using this convention for abbreviating MIB view definitions, some of + the most common definitions of MIB views may be conveniently + expressed. For example, Table 13 illustrates the MIB view definitions + required for a minimal SNMP entity that locally realizes a single + SNMP party for which the associated MIB view embraces all instances + of all MIB objects defined within the internet network management + framework. The represented table has a single entry. The SNMP party + (lucy) for which that entry defines the MIB view is identified in the + first column. The status of that entry (include) signifies that any + MIB object instance belonging to the subtree family represented by + that entry may appear in the MIB view for party lucy. The family name + for that entry is internet, and the zero-length family mask value + signifies that the relevant subtree family corresponds to the single + view subtree rooted at that node. + + Another example of MIB view definition (see Table 14) is that of a + SNMP protocol entity that locally realizes multiple SNMP parties with + distinct MIB views. The MIB view associated with the party lucy + comprises all instances of all MIB objects defined within the + internet network management framework, except those pertaining to the + administration of SNMP parties. In contrast, the MIB view attributed + to the party ricky contains only MIB object instances defined in the + system group of the internet-standard MIB together with those object + instances by which SNMP parties are administered. + + A more complicated example of MIB view configuration illustrates the + abbreviation of related collections of view subtrees by view subtree + families (see Table 15). In this + + + Party Identity Status Family Name Family Mask + lucy include internet ""h + lucy exclude snmpParties ""h + ricky include system ""h + ricky include snmpParties ""h + + Table 14: View Definition for Multiple Parties + + example, the MIB view associated with party lucy includes all object + instances in the system group of the internet-standard MIB together + with some information related to the second network interface + attached to the managed device. However, this interface-related + information does not include the speed of the interface. The family + + + +Davin, Galvin, & McCloghrie [Page 31] + +RFC 1351 SNMP Administrative Model July 1992 + + + mask value "FFA0"h in the second table entry signifies that a MIB + object instance belongs to the relevant subtree family if the initial + prefix of its name places it within the ifEntry portion of the + registration hierarchy and if the eleventh subidentifier of its name + is 2. The MIB object instance representing the speed of the second + network interface belongs to the subtree families represented by both + the second and third entries of the table, but that particular + instance is excluded from the MIB view for party lucy because the + lexicographically greater of the relevant family names appears in the + table entry with status exclude. + + The MIB view for party ricky is also defined in this example. The + MIB view attributed to the party ricky includes all object instances + in the icmp group of the internet-standard MIB, together with all + information relevant to the fifth network interface attached to the + managed device. In addition, the MIB view attributed to party ricky + includes the number of octets received on the fourth attached network + interface. + + While, as suggested by the examples above, a wide range of MIB view + configurations are efficiently supported by the abbreviated + representation of [5], prudent MIB design can sometimes further + reduce the size and complexity of the most + + + Party Identity Status Family Name Family Mask + lucy include system ""h + lucy include { ifEntry 0 2 } "FFA0"h + lucy exclude { ifSpeed 2 } ""h + ricky include icmp ""h + ricky include { ifEntry 0 5 } "FFA0"h + ricky include { ifInOctets 4 } ""h + + Table 15: More Elaborate View Definitions + + likely MIB view definitions. On one hand, it is critical that + mechanisms for MIB view configuration impose no absolute constraints + either upon the access policies of local administrations or upon the + structure of MIB namespaces; on the other hand, where the most common + access policies are known, the configuration costs of realizing those + policies may be slightly reduced by assigning to distinct portions of + the registration hierarchy those MIB objects for which local policies + most frequently require distinct treatment. The relegation in [5] of + certain objects to a distinct arc in the MIB namespace is an example + of this kind of optimization. + + + + + + +Davin, Galvin, & McCloghrie [Page 32] + +RFC 1351 SNMP Administrative Model July 1992 + + +5. Compatibility + + Ideally, all SNMP management stations and agents would communicate + exclusively using the secure facilities described in this memo. In + reality, many SNMP agents may implement only the insecure SNMP + mechanisms described in [1] for some time to come. + + New SNMP agent implementations should never implement both the + insecure mechanisms of [1] and the facilities described here. Rather, + consistent with the SNMP philosophy, the burden of supporting both + sorts of communication should fall entirely upon managers. Perhaps + the best way to realize both old and new modes of communication is by + the use of a SNMP proxy agent deployed locally on the same system + with a management station implementation. The management station + implementation itself operates exclusively by using the newer, secure + modes of communication, and the local proxy agent translates the + requests of the manager into older, insecure modes as needed. + + It should be noted that proxy agent implementations may require + additional information beyond that described in this memo in order to + accomplish the requisite translation tasks implicit in the definition + of the proxy function. This information could easily be retrieved + from a filestore. + +6. Security Considerations + + It is important to note that, in the example configuration for native + proxy operations presented in this memo, the use of symmetric + cryptography does not securely prevent direct communication between + the SNMP management station and the proxied SNMP agent. + + While secure isolation of the management station and the proxied + agent can, according to the administrative model set forth in this + memo, be realized using symmetric cryptography, the required + configuration is more complex and is not described in this memo. + Rather, it is recommended that native proxy configurations that + require secure isolation of management station from proxied agent be + implemented using security protocols based on asymmetric (or "public + key") cryptography. However, no SNMP security protocols based on + asymmetric cryptography are currently defined. + + In order to participate in the administrative model set forth in this + memo, SNMP implementations must support local, non-volatile storage + of the local party database. Accordingly, every attempt has been made + to minimize the amount of non-volatile storage required. + + + + + + +Davin, Galvin, & McCloghrie [Page 33] + +RFC 1351 SNMP Administrative Model July 1992 + + +7. References + + [1] Case, J., M. Fedor, M. Schoffstall, and J. Davin, The Simple + Network Management Protocol", RFC 1157, University of Tennessee + at Knoxville, Performance Systems International, Performance + Systems International, and the MIT Laboratory for Computer + Science, May 1990. (Obsoletes RFC 1098.) + + [2] Rose, M., and K. McCloghrie, "Structure and Identification of + Management Information for TCP/IP based internets", RFC 1155, + Performance Systems International, Hughes LAN Systems, May 1990. + (Obsoletes RFC 1065.) + + [3] Information Processing -- Open Systems Interconnection -- + Specification of Basic Encoding Rules for Abstract Syntax + Notation One (ASN.1), International Organization for + Standardization/International Electrotechnical Institute, 1987, + International Standard 8825. + + [4] Galvin, J., McCloghrie, K., and J. Davin, "SNMP Security + Protocols", RFC 1352, Trusted Information Systems, Inc., Hughes + LAN Systems, Inc., MIT Laboratory for Computer Science, July + 1992. + + [5] McCloghrie, K., Davin, J., and J. Galvin, "Definitions of Managed + Objects for Administration of SNMP Parties", RFC 1353, Hughes LAN + Systems, Inc., MIT Laboratory for Computer Science, Trusted + Information Systems, Inc., July 1992. + +8. Authors' Addresses + + James R. Davin + MIT Laboratory for Computer Science + 545 Technology Square + Cambridge, MA 02139 + + Phone: (617) 253-6020 + EMail: jrd@ptt.lcs.mit.edu + + + James M. Galvin + Trusted Information Systems, Inc. + 3060 Washington Road, Route 97 + Glenwood, MD 21738 + + Phone: (301) 854-6889 + EMail: galvin@tis.com + + + + +Davin, Galvin, & McCloghrie [Page 34] + +RFC 1351 SNMP Administrative Model July 1992 + + + Keith McCloghrie + Hughes LAN Systems, Inc. + 1225 Charleston Road + Mountain View, CA 94043 + + Phone: (415) 966-7934 + EMail: kzm@hls.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Davin, Galvin, & McCloghrie [Page 35] + \ No newline at end of file -- cgit v1.2.3