Hughes LAN Systems, Inc.
J. Davin
MIT Laboratory for Computer Science
J. Galvin
Trusted Information Systems, Inc.
July 1992
Definitions of Managed Objects
for Administration of SNMP Parties
Status of this Memo
-
This document specifies an IAB standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "IAB Official Protocol Standards" for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Abstract
-
This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based internets. In particular, it describes a representation of the SNMP parties defined in [8] as objects defined according to the Internet Standard SMI [1]. These definitions are consistent with the SNMP Security protocols set forth in [9].
Table of Contents
-
1. The Network Management Framework ........................... 2 2. Objects .................................................... 2 2.1 Format of Definitions ..................................... 3 3. Overview ................................................... 3 3.1 Structure ................................................. 3 3.2 Instance Identifiers ...................................... 3 3.3 Textual Conventions ....................................... 4 4. Definitions ................................................ 4 4.1 The SNMP Party Public Database Group ...................... 9 4.2 The SNMP Party Secrets Database Group ..................... 15 4.3 The SNMP Access Privileges Database Group ................. 18 4.4 The MIB View Database Group ............................... 21 5. Acknowledgments ............................................ 25 6. References ................................................. 25 7. Security Considerations..................................... 26 8. Authors' Addresses.......................................... 26
1. The Network Management Framework
-
the Internet-standard Network Management Framework consists of three components. They are:
-
RFC 1155 which defines the SMI, the mechanisms used for describing and naming objects for the purpose of management. RFC 1212 defines a more concise description mechanism, which is wholly consistent with the SMI.
RFC 1156 which defines MIB-I, the core set of managed objects for the Internet suite of protocols. RFC 1213, defines MIB-II, an evolution of MIB-I based on implementation experience and new operational requirements.
RFC 1157 which defines the SNMP, the protocol used for network access to managed objects.
The Framework permits new objects to be defined for the purpose of experimentation and evaluation.
-
2. Objects
-
Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the subset of Abstract Syntax Notation One (ASN.1) [5] defined in the SMI. In particular, each object has a name, a syntax, and an encoding. The name is an object identifier, an administratively assigned name, which specifies an object type. The object type together with an object instance serves to uniquely identify a specific instantiation of the object. For human convenience, we often use a textual string, termed the OBJECT DESCRIPTOR, to also refer to the object type.
The syntax of an object type defines the abstract data structure corresponding to that object type. The ASN.1 language is used for this purpose. However, the SMI [1] purposely restricts the ASN.1 constructs which may be used. These restrictions are explicitly made for simplicity.
The encoding of an object type is simply how that object type is represented using the object type's syntax. Implicitly tied to the notion of an object type's syntax and encoding is how the object type is represented when being transmitted on the network.
The SMI specifies the use of the basic encoding rules of ASN.1 [6], subject to the additional requirements imposed by the SNMP.
2.1. Format of Definitions
-
Section 4 contains the specification of all object types contained in this MIB module. The object types are defined using the conventions defined in the SMI, as amended by the extensions specified in [7].
3. Overview
3.1. Structure
-
This MIB contains the definitions for four tables, a number of OBJECT IDENTIFIER assignments, and some conventions for initial use with some of the assignments. The four tables are the SNMP Party Public database, the SNMP Party Secrets database, the SNMP Access Control database, and the SNMP Views database.
The SNMP Party Public database and the SNMP Party Secrets database are defined as separate tables specifically for the purpose of positioning them in different parts of the MIB tree namespace. In particular, the SNMP Party Secrets database contains secret information, for which security demands that access to it be limited to parties which use both authentication and privacy. It is therefore positioned in a separate branch of the MIB tree so as to provide for the easiest means of accommodating the required limitation.
In contrast, the SNMP Party Public database contains public information about SNMP parties. In particular, it contains the parties' clocks which need to be read-able (but not write-able) by unauthenticated queries, since an unauthenticated query of a party's clock is the first step of the procedure to re-establish clock synchronization (see [9]).
The objects in this MIB are organized into four groups. All four of the groups are mandatory for those SNMP implementations that realize the security framework and mechanisms defined in [8] and [9].
3.2. Instance Identifiers
-
In all four of the tables in this MIB, the object instances are identified by values which have an underlying syntax of OBJECT IDENTIFIER. For the Party Public database and the Party Secrets database, the index variable is the party identifier. For the Access Control database and the Views database, two index variables are defined, both of which have a syntax of OBJECT IDENTIFIER. (See the INDEX clauses in the MIB definitions below for the specific variables.)
According to RFC 1212 [7], section 4.1.6, the syntax of the object(s) specified in an INDEX clause indicates how to form the instance- identifier. In particular, for each index object which is object identifier-valued, its contribution to the instance identifier is:
-
`n+1' sub-identifiers, where `n' is the number of sub-identifiers in the value (the first sub-identifier is `n' itself, following this, each sub-identifier in the value is copied).
-
3.3. Textual Conventions
-
The datatypes, Party, Clock, and TAddress, are used as textual conventions in this document. These textual conventions have NO effect on either the syntax nor the semantics of any managed object. Objects defined using these conventions are always encoded by means of the rules that define their primitive type. Hence, no changes to the SMI or the SNMP are necessary to accommodate these textual conventions which are adopted merely for the convenience of readers.
4. Definitions
-
-
-
RFC1353-MIB DEFINITIONS ::= BEGIN
IMPORTS
-
system, mib, private, internet FROM RFC1155-SMI OBJECT-TYPE FROM RFC-1212;
-
snmpParties OBJECT IDENTIFIER ::= { mib-2 20 }
partyAdmin OBJECT IDENTIFIER ::= { snmpParties 1 }
partyPublic OBJECT IDENTIFIER ::= { snmpParties 2 }
-
snmpSecrets OBJECT IDENTIFIER ::= { mib-2 21 } partyPrivate OBJECT IDENTIFIER ::= { snmpSecrets 1 } partyAccess OBJECT IDENTIFIER ::= { snmpSecrets 2 } partyViews OBJECT IDENTIFIER ::= { snmpSecrets 3 } -- Textual Conventions -- A textual convention denoting a SNMP party identifier:
-
-
Party ::= OBJECT IDENTIFIER
-
-- A party's authentication clock - a non-negative integer -- which is incremented as specified/allowed by the party's -- Authentication Protocol. -- For noAuth, a party's authentication clock is unused and -- its value is undefined. -- For md5AuthProtocol, a party's authentication clock is a -- relative clock with 1-second granularity. Clock ::= INTEGER (0..2147483647) -- A textual convention denoting a transport service -- address. -- For rfc1351Domain, a TAddress is 6 octets long, -- the initial 4 octets containing the IP-address in -- network-byte order and the last 2 containing the -- UDP port in network-byte order.
-
-
TAddress ::= OCTET STRING
-
--- Definitions of Security Protocols
-
-
partyProtocols
-
OBJECT IDENTIFIER ::= { partyAdmin 1 } noAuth -- The protocol without authentication OBJECT IDENTIFIER ::= { partyProtocols 1 }
-
noPriv -- The protocol without privacy
OBJECT IDENTIFIER ::= { partyProtocols 3 }
desPrivProtocol -- The DES Privacy Protocol
OBJECT IDENTIFIER ::= { partyProtocols 4 }
-
md5AuthProtocol -- The MD5 Authentication Protocol OBJECT IDENTIFIER ::= { partyProtocols 5 } --- definitions of Transport Domains
-
-
transportDomains
-
OBJECT IDENTIFIER ::= { partyAdmin 2 } rfc1351Domain --- RFC-1351 (SNMP over UDP, using SNMP Parties) OBJECT IDENTIFIER ::= { transportDomains 1 } --- definitions of Proxy Domains
-
-
proxyDomains
-
OBJECT IDENTIFIER ::= { partyAdmin 3 } noProxy --- Local operation OBJECT IDENTIFIER ::= { proxyDomains 1 } --- Definition of Initial Party Identifiers
-
-
-- When devices are installed, they need to be configured -- with an initial set of SNMP parties. The configuration -- of SNMP parties requires (among other things) the
-- assignment of several OBJECT IDENTIFIERs. Any local -- network administration can obtain the delegated
-- authority necessary to assign its own OBJECT
-- IDENTIFIERs. However, to provide for those
-- administrations who have not obtained the necessary -- authority, this document allocates a branch of the
-- naming tree for use with the following conventions.initialPartyId
-
OBJECT IDENTIFIER ::= { partyAdmin 4 }
-
-
-- Note these are identified as "initial" party identifiers -- since these allow secure SNMP communication to proceed, -- thereby allowing further SNMP parties to be configured -- through use of the SNMP itself.
-- The following definitions identify a party identifier, -- and specify the initial values of various object
-- instances indexed by that identifier. In addition, -- the initial MIB view and access control parameters
-- assigned, by convention, to these parties are identified.
-
-- Party Identifiers for use as initial SNMP parties -- at IP address a.b.c.d -- partyIdentity = { initialPartyId a b c d 1 } -- partyTDomain = { rfc1351Domain } -- partyTAddress = a.b.c.d, 161 -- partyProxyFor = { noProxy } -- partyAuthProtocol = { noAuth } -- partyAuthClock = 0 -- partySecretsAuthPrivate = ''h (the empty string) -- partyAuthPublic = ''h (the empty string) -- partyAuthLifetime = 0
-
-- partyPrivProtocol = { noPriv }
-- partySecretsPrivPrivate = ''h (the empty string)
-- partyPrivPublic = ''h (the empty string)
-
-- partyIdentity = { initialPartyId a b c d 2 } -- partyTDomain = { rfc1351Domain } -- partyTAddress = assigned by local administration -- partyProxyFor = { noProxy } -- partyAuthProtocol = { noAuth } -- partyAuthClock = 0 -- partySecretsAuthPrivate = ''h (the empty string) -- partyAuthPublic = ''h (the empty string) -- partyAuthLifetime = 0 -- partyPrivProtocol = { noPriv } -- partySecretsPrivPrivate = ''h (the empty string) -- partyPrivPublic = ''h (the empty string) -- partyIdentity = { initialPartyId a b c d 3 } -- partyTDomain = { rfc1351Domain } -- partyTAddress = a.b.c.d, 161 -- partyProxyFor = { noProxy } -- partyAuthProtocol = { md5AuthProtocol } -- partyAuthClock = 0 -- partySecretsAuthPrivate = assigned by local administration -- partyAuthPublic = ''h (the empty string) -- partyAuthLifetime = 300 -- partyPrivProtocol = { noPriv } -- partySecretsPrivPrivate = ''h (the empty string) -- partyPrivPublic = ''h (the empty string) -- partyIdentity = { initialPartyId a b c d 4 } -- partyTDomain = { rfc1351Domain } -- partyTAddress = assigned by local administration -- partyProxyFor = { noProxy } -- partyAuthProtocol = { md5AuthProtocol } -- partyAuthClock = 0 -- partySecretsAuthPrivate = assigned by local administration -- partyAuthPublic = ''h (the empty string) -- partyAuthLifetime = 300 -- partyPrivProtocol = { noPriv } -- partySecretsPrivPrivate = ''h (the empty string) -- partyPrivPublic = ''h (the empty string) -- partyIdentity = { initialPartyId a b c d 5 } -- partyTDomain = { rfc1351Domain } -- partyTAddress = a.b.c.d, 161 -- partyProxyFor = { noProxy } -- partyAuthProtocol = { md5AuthProtocol } -- partyAuthClock = 0 -- partySecretsAuthPrivate = assigned by local administration -- partyAuthPublic = ''h (the empty string) -- partyAuthLifetime = 300 -- partyPrivProtocol = { desPrivProtocol } -- partySecretsPrivPrivate = assigned by local administration -- partyPrivPublic = ''h (the empty string) -- partyIdentity = { initialPartyId a b c d 6 } -- partyTDomain = { rfc1351Domain } -- partyTAddress = assigned by local administration -- partyProxyFor = { noProxy } -- partyAuthProtocol = { md5AuthProtocol } -- partyAuthClock = 0 -- partySecretsAuthPrivate = assigned by local administration -- partyAuthPublic = ''h (the empty string) -- partyAuthLifetime = 300 -- partyPrivProtocol = { desPrivProtocol } -- partySecretsPrivPrivate = assigned by local administration -- partyPrivPublic = ''h (the empty string)
-
-
-- The initial access control parameters assigned, by
-- convention, to these parties are:
-
-
-- aclTarget = { initialPartyId a b c d 1 }
-- aclSubject = { initialPartyId a b c d 2 }
-- aclPrivileges = 3 (Get & Get-Next)
-- aclTarget = { initialPartyId a b c d 2 }
-- aclSubject = { initialPartyId a b c d 1 }
-- aclPrivileges = 20 (GetResponse & Trap)
-- aclTarget = { initialPartyId a b c d 3 }
-- aclSubject = { initialPartyId a b c d 4 }
-- aclPrivileges = 11 (Get, Get-Next & Set)
-- aclTarget = { initialPartyId a b c d 4 }
-- aclSubject = { initialPartyId a b c d 3 }
-- aclPrivileges = 20 (GetResponse & Trap)
-- aclTarget = { initialPartyId a b c d 5 }
-- aclSubject = { initialPartyId a b c d 6 }
-- aclPrivileges = 11 (Get, Get-Next & Set)
-- aclTarget = { initialPartyId a b c d 6 }
-- aclSubject = { initialPartyId a b c d 5 }
-- aclPrivileges = 20 (GetResponse & Trap)
-
-
-
-- The initial MIB views assigned, by convention, to
-- these parties are:
-
-- viewParty = { initialPartyId a b c d 1 } -- viewSubtree = { system } -- viewStatus = { included } -- viewMask = { ''h } -- viewParty = { initialPartyId a b c d 1 } -- viewSubtree = { snmpParties } -- viewStatus = { included } -- viewMask = { ''h } -- viewParty = { initialPartyId a b c d 3 } -- viewSubtree = { internet } -- viewStatus = { included } -- viewMask = { ''h } -- viewParty = { initialPartyId a b c d 3 } -- viewSubtree = { partyPrivate } -- viewStatus = { excluded } -- viewMask = { ''h } -- viewParty = { initialPartyId a b c d 5 } -- viewSubtree = { internet } -- viewStatus = { included } -- viewMask = { ''h } -- The SNMP Party Public Database Group -- -- The non-secret party information. -- -- Implementation of the objects in this group is mandatory.
-
-
partyTable OBJECT-TYPE
-
SYNTAX SEQUENCE OF PartyEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "The SNMP Party Public database.
-
-
-
-
-
An agent must ensure that there is, at all times, a one-to-one correspondence between entries in this table and entries in the partySecretsTable.
The creation/deletion of instances in this table via SNMP Set-Requests is not allowed. Instead, entries in this table are created/deleted as a side-effect of the creation/deletion of corresponding entries in the partySecretsTable.
-
-
-
-
Thus, a SNMP Set-Request whose varbinds contain a reference to a non-existent instance of a partyTable object, but no reference to the corresponding instance of a partySecretsTable object, will be rejected." ::= { partyPublic 1 }
-
-
partyEntry OBJECT-TYPE
-
SYNTAX PartyEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Locally held non-secret information about a particular SNMP party, which is available for access by network management. Note that this does not include all locally held information about a party. In particular, it does not include the 'last-timestamp' (i.e., the timestamp of the last authentic message received) or the 'nonce' values." INDEX { partyIdentity } ::= { partyTable 1 }
-
-
PartyEntry ::=
-
SEQUENCE {
-
partyIdentity Party, partyTDomain OBJECT IDENTIFIER, partyTAddress TAddress, partyProxyFor Party, partyAuthProtocol OBJECT IDENTIFIER, partyAuthClock Clock, partyAuthPublic OCTET STRING, partyAuthLifetime INTEGER, partyPrivProtocol OBJECT IDENTIFIER, partyPrivPublic OCTET STRING, partyMaxMessageSize INTEGER, partyStatus INTEGER } partyIdentity OBJECT-TYPE SYNTAX Party ACCESS read-write STATUS mandatory DESCRIPTION "A party identifier uniquely identifying a particular SNMP party." ::= { partyEntry 1 } partyTDomain OBJECT-TYPE SYNTAX OBJECT IDENTIFIER ACCESS read-write STATUS mandatory DESCRIPTION "Indicates the kind of transport service by which the party receives network management traffic. An example of a transport domain is 'rfc1351Domain' (SNMP over UDP)." DEFVAL { rfc1351Domain } ::= { partyEntry 2 } partyTAddress OBJECT-TYPE SYNTAX TAddress ACCESS read-write STATUS mandatory DESCRIPTION "The transport service address by which the party receives network management traffic, formatted according to the corresponding value of partyTDomain. For rfc1351Domain, partyTAddress is formatted as a 4-octet IP Address concatenated with a 2-octet UDP port number." DEFVAL { '000000000000'h } ::= { partyEntry 3 }
-
-
partyProxyFor OBJECT-TYPE
-
SYNTAX Party ACCESS read-write STATUS mandatory DESCRIPTION "The identity of a second SNMP party or other management entity with which interaction may be necessary to satisfy received management requests. In this context, the distinguished value { noProxy } signifies that the party responds to received management requests by entirely local mechanisms." DEFVAL { noProxy } ::= { partyEntry 4 }
-
-
partyAuthProtocol OBJECT-TYPE
-
SYNTAX OBJECT IDENTIFIER ACCESS read-write STATUS mandatory DESCRIPTION "The authentication protocol by which all messages generated by the party are authenticated as to origin and integrity. In this context, the value { noAuth } signifies that messages generated by the party are not authenticated." DEFVAL { md5AuthProtocol } ::= { partyEntry 5 }
-
-
partyAuthClock OBJECT-TYPE
-
SYNTAX Clock ACCESS read-write STATUS mandatory DESCRIPTION "The authentication clock which represents the local notion of the current time specific to the party. This value must not be decremented unless the party's secret information is changed simultaneously, at which time the party's nonce and last-timestamp values must also be reset to zero, and the new value of the clock, respectively." DEFVAL { 0 } ::= { partyEntry 6 }
-
-
partyAuthPublic OBJECT-TYPE
-
SYNTAX OCTET STRING -- for md5AuthProtocol: (SIZE (0..16)) ACCESS read-write STATUS mandatory DESCRIPTION "A publically-readable value for the party.
-
-
-
-
-
Depending on the party's authentication protocol, this value may be needed to support the party's authentication protocol. Alternatively, it may be used by a manager during the procedure for altering secret information about a party. (For example, by altering the value of an instance of this object in the same SNMP Set-Request used to update an instance of partyAuthPrivate, a subsequent Get-Request can determine if the Set- Request was successful in the event that no response to the Set-Request is received, see RFC 1352.)
-
-
-
-
The length of the value is dependent on the party's authentication protocol. If not used by the authentication protocol, it is recommended that agents support values of any length up to and including the length of the corresponding partyAuthPrivate object." DEFVAL { ''h } -- the empty string ::= { partyEntry 7 }
-
-
partyAuthLifetime OBJECT-TYPE
-
SYNTAX INTEGER (0..2147483647) ACCESS read-write STATUS mandatory DESCRIPTION "The lifetime (in units of seconds) which represents an administrative upper bound on acceptable delivery delay for protocol messages generated by the party." DEFVAL { 300 } ::= { partyEntry 8 }
-
-
partyPrivProtocol OBJECT-TYPE
-
SYNTAX OBJECT IDENTIFIER ACCESS read-write STATUS mandatory DESCRIPTION "The privacy protocol by which all protocol messages received by the party are protected from disclosure. In this context, the value { noPriv } signifies that messages received by the party are not protected." DEFVAL { noPriv } ::= { partyEntry 9 }
-
-
partyPrivPublic OBJECT-TYPE
-
SYNTAX OCTET STRING -- for desPrivProtocol: (SIZE (0..16)) ACCESS read-write STATUS mandatory DESCRIPTION
-
-
-
-
-
"A publically-readable value for the party.
Depending on the party's privacy protocol, this value may be needed to support the party's privacy protocol. Alternatively, it may be used by a manager as a part of its procedure for altering secret information about a party. (For example, by altering the value of an instance of this object in the same SNMP Set-Request used to update an instance of partyPrivPrivate, a subsequent Get-Request can determine if the Set-Request was successful in the event that no response to the Set-Request is received, see RFC 1352.)
-
-
-
-
The length of the value is dependent on the party's privacy protocol. If not used by the privacy protocol, it is recommended that agents support values of any length up to and including the length of the corresponding partyPrivPrivate object." DEFVAL { ''h } -- the empty string ::= { partyEntry 10 }
-
-
partyMaxMessageSize OBJECT-TYPE
-
SYNTAX INTEGER (484..65507) ACCESS read-write STATUS mandatory DESCRIPTION "The maximum length in octets of a SNMP message which this party will accept. For parties which execute at an agent, the agent initializes this object to the maximum length supported by the agent, and does not let the object be set to any larger value. For parties which do not execute at the agent, the agent must allow the manager to set this object to any legal value, even if it is larger than the agent can generate." DEFVAL { 484 } ::= { partyEntry 11 }
-
-
partyStatus OBJECT-TYPE
-
SYNTAX INTEGER { valid(1), invalid(2) } ACCESS read-only STATUS mandatory DESCRIPTION "The status of the locally-held information on a particular SNMP party.
-
-
-
-
-
The instance of this object for a particular party and the instance of partySecretsStatus for the same party always have the same value.
-
-
-
-
This object will typically provide unrestricted read-only access to the status of parties. In contrast, partySecretsStatus will typically provide restricted read-write access to the status of parties." ::= { partyEntry 12 } -- The SNMP Party Secrets Database Group
-
-
-- The secret party information
--
-- Implementation of the objects in this group is mandatory.
-
partySecretsTable OBJECT-TYPE SYNTAX SEQUENCE OF PartySecretsEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "The SNMP Party Secrets database." ::= { partyPrivate 1 }
-
-
partySecretsEntry OBJECT-TYPE
-
SYNTAX PartySecretsEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Locally held secret information about a particular SNMP party, which is available for access by network management. When a SNMP Set-Request is used to update the values of instances of objects in this table, it is recommended that the same SNMP Set-Request also alter the value of a non-secret object instance (e.g., an instance of partyAuthPublic or partyPrivPublic). This allows a Get-Request of that non-secret object instance to determine if the Set-Request was successful in the event that no response which matches the Set-Request is received, see RFC 1352." INDEX { partySecretsIdentity } ::= { partySecretsTable 1 }
-
-
PartySecretsEntry ::=
-
SEQUENCE { partySecretsIdentity Party, partySecretsAuthPrivate OCTET STRING, partySecretsPrivPrivate OCTET STRING, partySecretsStatus INTEGER } partySecretsIdentity OBJECT-TYPE SYNTAX Party ACCESS read-write STATUS mandatory DESCRIPTION "A party identifier uniquely identifying a particular SNMP party." ::= { partySecretsEntry 1 }
-
-
partySecretsAuthPrivate OBJECT-TYPE
-
SYNTAX OCTET STRING -- for md5AuthProtocol: (SIZE (16)) ACCESS read-write STATUS mandatory DESCRIPTION "An encoding of the party's private authentication key which may be needed to support the authentication protocol. Although the value of this variable may be altered by a management operation (e.g., a SNMP Set-Request), its value can never be retrieved by a management operation: when read, the value of this variable is the zero length OCTET STRING.
-
-
-
-
-
The private authentication key is NOT directly represented by the value of this variable, but rather it is represented according to an encoding. This encoding is the bitwise exclusive-OR of the old key with the new key, i.e., of the old private authentication key (prior to the alteration) with the new private authentication key (after the alteration). Thus, when processing a received protocol Set operation, the new private authentication key is obtained from the value of this variable as the result of a bitwise exclusive-OR of the variable's value and the old private authentication key. In calculating the
-
-
-
-
exclusive-OR, if the old key is shorter than the new key, zero-valued padding is appended to the old key. If no value for the old key exists, a zero-length OCTET STRING is used in the calculation." DEFVAL { ''h } -- the empty string ::= { partySecretsEntry 2 }
-
-
partySecretsPrivPrivate OBJECT-TYPE
-
SYNTAX OCTET STRING -- for desPrivProtocol: (SIZE (16)) ACCESS read-write STATUS mandatory DESCRIPTION "An encoding of the party's private encryption key which may be needed to support the privacy protocol. Although the value of this variable may be altered by a management operation (e.g., a SNMP Set-Request), its value can never be retrieved by a management operation: when read, the value of this variable is the zero length OCTET STRING. The private encryption key is NOT directly represented by the value of this variable, but rather it is represented according to an encoding. This encoding is the bitwise exclusive-OR of the old key with the new key, i.e., of the old private encryption key (prior to the alteration) with the new private encryption key (after the alteration). Thus, when processing a received protocol Set operation, the new private encryption key is obtained from the value of this variable as the result of a bitwise exclusive-OR of the variable's value and the old private encryption key. In calculating the exclusive-OR, if the old key is shorter than the new key, zero-valued padding is appended to the old key. If no value for the old key exists, a zero-length OCTET STRING is used in the calculation." DEFVAL { ''h } -- the empty string ::= { partySecretsEntry 3 }
-
-
partySecretsStatus OBJECT-TYPE
-
SYNTAX INTEGER { valid(1), invalid(2) } ACCESS read-write STATUS mandatory DESCRIPTION "The status of the locally-held information on a particular SNMP party.
-
-
-
-
-
Setting an instance of this object to the value 'valid(1)' has the effect of ensuring that valid local knowledge exists for the corresponding party. For valid local knowledge to exist, there must be corresponding instances of each object in this table and in the partyTable. Thus, the creation of instances in the partyTable (but not in the aclTable or viewTable) occurs as a direct result of the creation of instances in this table.
Setting an instance of this object to the value 'invalid(2)' has the effect of invalidating all local knowledge of the corresponding party, including the invalidating of any/all entries in the partyTable, the partySecretsTable, the aclTable, and the viewTable which reference said party.
-
-
-
-
It is an implementation-specific matter as to whether the agent removes an invalidated entry from the table. Accordingly, management stations must be prepared to receive from agents tabular information corresponding to entries not currently in use. Proper interpretation of such entries requires examination of the relevant partySecretsStatus object." DEFVAL { valid } ::= { partySecretsEntry 4 }
-
-
-- The SNMP Access Privileges Database Group
-- This group of objects allows the SNMP itself to be used to -- configure new SNMP parties, or to manipulate the access -- privileges of existing parties.
--
-- Implementation of the objects in this group is mandatory.
-
aclTable OBJECT-TYPE SYNTAX SEQUENCE OF AclEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "The access privileges database." ::= { partyAccess 1 }
-
-
aclEntry OBJECT-TYPE
-
SYNTAX AclEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "The access privileges for a particular requesting SNMP party in accessing a particular target SNMP party." INDEX { aclTarget, aclSubject } ::= { aclTable 1 }
-
-
AclEntry ::=
-
SEQUENCE { aclTarget Party, aclSubject Party, aclPrivileges INTEGER, aclStatus INTEGER }
-
-
aclTarget OBJECT-TYPE
-
SYNTAX Party ACCESS read-write STATUS mandatory DESCRIPTION "The target SNMP party whose performance of management operations is constrained by this set of access privileges." ::= { aclEntry 1 }
-
-
aclSubject OBJECT-TYPE
-
SYNTAX Party ACCESS read-write STATUS mandatory DESCRIPTION "The subject SNMP party whose requests for management operations to be performed is constrained by this set of access privileges." ::= { aclEntry 2 }
-
-
aclPrivileges OBJECT-TYPE
-
SYNTAX INTEGER (0..31) ACCESS read-write STATUS mandatory DESCRIPTION
-
-
-
-
-
"The access privileges which govern what management operations a particular target party may perform when requested by a particular subject party. These privileges are specified as a sum of values, where each value specifies a SNMP PDU type by which the subject party may request a permitted operation. The value for a particular PDU type is computed as 2 raised to the value of the ASN.1 context-specific tag for the appropriate SNMP PDU type. The values (for the tags defined in RFC 1157) are defined in RFC 1351 as:
-
-
-
-
Get : 1 GetNext : 2 GetResponse : 4 Set : 8 Trap : 16 The null set is represented by the value zero." DEFVAL { 3 } -- Get & Get-Next ::= { aclEntry 3 }
-
-
aclStatus OBJECT-TYPE
-
SYNTAX INTEGER { valid(1), invalid(2) } ACCESS read-write STATUS mandatory DESCRIPTION "The status of the access privileges for a particular requesting SNMP party in accessing a particular target SNMP party. Setting an instance of this object to the value 'invalid(2)' has the effect of invalidating the corresponding access privileges. It is an implementation-specific matter as to whether the agent removes an invalidated entry from the table. Accordingly, management stations must be prepared to receive from agents tabular information corresponding to entries not currently in use. Proper interpretation of such entries requires examination of the relevant aclStatus object." DEFVAL { valid } ::= { aclEntry 4 } -- The MIB View Database Group
-
-
-- This group of objects allows the SNMP itself to be used to -- configure new SNMP parties, or to manipulate the MIB -- MIB views of existing parties.
--
-- Implementation of the objects in this group is mandatory.viewTable OBJECT-TYPE
-
SYNTAX SEQUENCE OF ViewEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "The table contained in the local database which defines local MIB views. Each SNMP party has a single MIB view which is defined by two collections of view subtrees: the included view subtrees, and the excluded view subtrees. Every such subtree, both included and excluded, is defined in this table.
-
-
-
-
-
To determine if a particular object instance is in a particular SNMP party's MIB view, compare the object instance's Object Identifier with each entry (for this party) in this table. If none match, then the object instance is not in the MIB view. If one or more match, then the object instance is included in, or excluded from, the MIB view according to the value of viewStatus in the entry whose value of viewSubtree has the most sub-identifiers. If multiple entries match and have the same number of sub-identifiers, then the lexicographically greatest instance of viewStatus determines the inclusion or exclusion.
An object instance's Object Identifier X matches an entry in this table when the number of sub- identifiers in X is at least as many as in the value of viewSubtree for the entry, and each sub- identifier in the value of viewSubtree matches its corresponding sub-identifier in X. Two sub- identifiers match either if the corresponding bit of viewMask is zero (the 'wild card' value), or if they are equal.
Due to this 'wild card' capability, we introduce the term, a 'family' of view subtrees, to refer to
-
-
-
-
the set of subtrees defined by a particular combination of values of viewSubtree and viewMask. In the case where no 'wild card' is defined in viewMask, the family of view subtrees reduces to a single view subtree." ::= { partyViews 1 }
-
-
viewEntry OBJECT-TYPE
-
SYNTAX ViewEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Information on a particular family of view subtrees included in or excluded from a particular SNMP party's MIB view." INDEX { viewParty, viewSubtree } ::= { viewTable 1 }
-
-
ViewEntry ::=
-
SEQUENCE { viewParty Party, viewSubtree OBJECT IDENTIFIER, viewStatus INTEGER, viewMask OCTET STRING } viewParty OBJECT-TYPE SYNTAX Party ACCESS read-write STATUS mandatory DESCRIPTION "The SNMP party whose single MIB view includes or excludes a particular family of view subtrees." ::= { viewEntry 1 }
-
-
viewSubtree OBJECT-TYPE
-
SYNTAX OBJECT IDENTIFIER ACCESS read-write STATUS mandatory DESCRIPTION "The view subtree which, in combination with the corresponding instance of viewMask, defines a family of view subtrees. This family is included in, or excluded from the particular SNMP party's MIB view, according to the value of the corresponding instance of viewStatus." ::= { viewEntry 2 }
-
-
viewStatus OBJECT-TYPE
-
SYNTAX INTEGER { included(1), excluded(2), invalid(3) } ACCESS read-write STATUS mandatory DESCRIPTION "The status of a particular family of view subtrees within the particular SNMP party's MIB view. The value 'included(1)' indicates that the corresponding instances of viewSubtree and viewMask define a family of view subtrees included in the MIB view. The value 'excluded(2)' indicates that the corresponding instances of viewSubtree and viewMask define a family of view subtrees excluded from the MIB view.
-
-
-
-
-
Setting an instance of this object to the value 'invalid(3)' has the effect of invalidating the presence or absence of the corresponding family of view subtrees in the corresponding SNMP party's MIB view.
-
-
-
-
It is an implementation-specific matter as to whether the agent removes an invalidated entry from the table. Accordingly, management stations must be prepared to receive from agents tabular information corresponding to entries not currently in use. Proper interpretation of such entries requires examination of the relevant viewStatus object." DEFVAL { included } ::= { viewEntry 3 } viewMask OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..16)) ACCESS read-write STATUS mandatory DESCRIPTION "The bit mask which, in combination with the corresponding instance of viewSubtree, defines a family of view subtrees.
-
-
-
-
-
Each bit of this bit mask corresponds to a sub- identifier of viewSubtree, with the most significant bit of the i-th octet of this octet string value (extended if necessary, see below) corresponding to the (8*i - 7)-th sub-identifier, and the least significant bit of the i-th octet of this octet string corresponding to the (8*i)-th sub-identifier, where i is in the range 1 through 16.
Each bit of this bit mask specifies whether or not the corresponding sub-identifiers must match when determining if an Object Identifier is in this family of view subtrees; a '1' indicates that an exact match must occur; a '0' indicates 'wild card', i.e., any sub-identifier value matches.
Thus, the Object Identifier X of an object instance is contained in a family of view subtrees if the following criteria are met:
-
for each sub-identifier of the value of viewSubtree, either:
-
the i-th bit of viewMask is 0, or
the i-th sub-identifier of X is equal to the i-th sub-identifier of the value of viewSubtree.
-
If the value of this bit mask is M bits long and there are more than M sub-identifiers in the corresponding instance of viewSubtree, then the bit mask is extended with 1's to be the required length.
-
-
-
-
-
Note that when the value of this object is the zero-length string, this extension rule results in a mask of all-1's being used (i.e., no 'wild card'), and the family of view subtrees is the one view subtree uniquely identified by the corresponding instance of viewSubtree." DEFVAL { ''h } ::= { viewEntry 4 } END
-
5. Acknowledgments
-
This document was produced on behalf of the SNMP Security Working Group of the Internet Engineering Task Force. The authors wish to thank the members of the working group, and others who contributed to this effort.
6. References
-
[1] Rose, M., and K. McCloghrie, "Structure and Identification of Management Information for TCP/IP based internets", RFC 1155, Performance Systems International, Hughes LAN Systems, May 1990. [2] McCloghrie, K., and M. Rose, "Management Information Base for Network Management of TCP/IP-based Internets", RFC 1156, Hughes LAN Systems and Performance Systems International, May 1990. [3] Case, J., M. Fedor, M. Schoffstall, and J. Davin, The Simple Network Management Protocol", RFC 1157, University of Tennessee at Knoxville, Performance Systems International, Performance Systems International, and the MIT Laboratory for Computer Science, May 1990. [4] McCloghrie K., and M. Rose, Editors, "Management Information Base for Network Management of TCP/IP-based internets", RFC 1213, Performance Systems International, March 1991. [5] Information processing systems - Open Systems Interconnection - Specification of Abstract Syntax Notation One (ASN.1), International Organization for Standardization, International Standard 8824, December 1987. [6] Information processing systems - Open Systems Interconnection - Specification of Basic Encoding Rules for Abstract Notation One (ASN.1), International Organization for Standardization, International Standard 8825, December 1987. [7] Rose, M., and K. McCloghrie, Editors, "Concise MIB Definitions", RFC 1212, Performance Systems International, Hughes LAN Systems, March 1991. [8] Davin, J., Galvin, J., and K. McCloghrie, "SNMP Administrative Model", RFC 1351, MIT Laboratory for Computer Science, Trusted Information Systems, Inc., Hughes LAN Systems, Inc., July 1992. [9] Galvin, J., McCloghrie, K., and J. Davin, "SNMP Security Protocols", RFC 1352, Trusted Information Systems, Inc., Hughes LAN Systems, Inc., MIT Laboratory for Computer Science, July
-
Security Considerstions
-
Security issues are discussed in section 3.1. and in RFCs 1351 and 1352.
Authors' Addresses
-
Keith McCloghrie
Hughes LAN Systems, Inc.
Mountain View, CA 94043Phone: (415) 966-7934 EMail: kzm@hls.com
James R. Davin
MIT Laboratory for Computer Science
545 Technology Square
Cambridge, MA 02139Phone: (617) 253-6020 EMail: jrd@ptt.lcs.mit.edu
James M. Galvin
Trusted Information Systems, Inc.
3060 Washington Road, Route 97
Glenwood, MD 21738Phone: (301) 854-6889 EMail: galvin@tis.com