draft-ietf-snmpv3-coex-01.txt   draft-ietf-snmpv3-coex-02.txt 
skipping to change at page 1, line 13 skipping to change at page 1, line 13
INTERNET-DRAFT Rob Frye INTERNET-DRAFT Rob Frye
MCI Communications Corp. MCI Communications Corp.
David B. Levi David B. Levi
SNMP Research, Inc. SNMP Research, Inc.
Shawn A. Routhier Shawn A. Routhier
Integrated Systems Inc. Integrated Systems Inc.
Bert Wijnen Bert Wijnen
IBM T.J. Watson Research IBM T.J. Watson Research
Coexistence between Version 1, Version 2, and Version 3 Coexistence between Version 1, Version 2, and Version 3
of the Internet-standard Network Management Framework of the Internet-standard Network Management Framework
<draft-ietf-snmpv3-coex-01.txt> <draft-ietf-snmpv3-coex-02.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.'' material or to cite them other than as ``work in progress.''
To learn the current status of any Internet-Draft, please check the To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net Directories on ftp.ietf.org (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
Rim). Rim).
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (date). All Rights Reserved. Copyright (C) The Internet Society (date). All Rights Reserved.
Abstract Abstract
The purpose of this document is to describe coexistence between The purpose of this document is to describe coexistence between
skipping to change at page 11, line 31 skipping to change at page 11, line 31
Typically this editing can occur when the information module Typically this editing can occur when the information module
undergoes review. undergoes review.
2.4. Capabilities Statements 2.4. Capabilities Statements
In the SMIv1, RFC1303 [5] uses the MODULE-CONFORMANCE macro to In the SMIv1, RFC1303 [5] uses the MODULE-CONFORMANCE macro to
describe an agent's capabilities with respect to one or more MIB describe an agent's capabilities with respect to one or more MIB
modules. Converting such a description for use with the SMIv2 modules. Converting such a description for use with the SMIv2
requires these changes: requires these changes:
(1) The macro name AGENT-CAPABILITIES MUST be used instead of MODULE- (1) The macro name AGENT-CAPABILITIES SHOULD be used instead of MODULE-
CONFORMANCE. CONFORMANCE.
(2) The STATUS clause MUST be added, with a value of 'current'. (2) The STATUS clause SHOULD be added, with a value of 'current'.
(3) All occurrences of the CREATION-REQUIRES clause MUST either be (3) All occurrences of the CREATION-REQUIRES clause SHOULD either be
omitted if appropriate, or be changed such that the semantics are omitted if appropriate, or be changed such that the semantics are
consistent with RFC1904 [9]. consistent with RFC1904 [9].
In order to ease coexistence, object groups defined in an SMIv1 In order to ease coexistence, object groups defined in an SMIv1
compliant MIB module may be referenced by the INCLUDES clause of an compliant MIB module may be referenced by the INCLUDES clause of an
invocation of the AGENT-CAPABILITIES macro: upon encountering a invocation of the AGENT-CAPABILITIES macro: upon encountering a
reference to an OBJECT IDENTIFIER subtree defined in an SMIv1 MIB reference to an OBJECT IDENTIFIER subtree defined in an SMIv1 MIB
module, all leaf objects which are subordinate to the subtree and module, all leaf objects which are subordinate to the subtree and
have a STATUS clause value of mandatory are deemed to be INCLUDEd. have a STATUS clause value of mandatory are deemed to be INCLUDEd.
(Note that this method is ambiguous when different revisions of an (Note that this method is ambiguous when different revisions of an
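Review bot: In items (1) to (3) of section 2.4 the requirement level drops from MUST to SHOULD, but the sentence introducing the list still says the conversion "requires these changes", so the list now reads as both required and optional. Either reword the lead-in or state when a converted description may skip a step. This matters most for (3), where "SHOULD either be omitted ... or be changed" leaves open what a CREATION-REQUIRES clause that is neither omitted nor changed means.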
skipping to change at page 13, line 45 skipping to change at page 13, line 45
In addition, it MAY be desirable to translate notification parameters In addition, it MAY be desirable to translate notification parameters
in a notification receiver application in order to present in a notification receiver application in order to present
notifications to the end user in a consistent format. notifications to the end user in a consistent format.
Note that for the purposes of this section, the set of notification Note that for the purposes of this section, the set of notification
parameters is independent of whether the notification is to be sent parameters is independent of whether the notification is to be sent
as a trap or an inform. as a trap or an inform.
SNMPv1 notification parameters consist of: SNMPv1 notification parameters consist of:
- An enterprise value (OBJECT IDENTIFIER). - An enterprise parameter (OBJECT IDENTIFIER).
- An agent-addr value (NetworkAddress). - An agent-addr parameter (NetworkAddress).
- A generic-trap value (INTEGER). - A generic-trap parameter (INTEGER).
- A specific-trap value (INTEGER). - A specific-trap parameter (INTEGER).
- A time-stamp value (TimeTicks). - A time-stamp parameter (TimeTicks).
- A list of variable-bindings (VarBindList). - A list of variable-bindings (VarBindList).
SNMPv2 notification parameters consist of: SNMPv2 notification parameters consist of:
- A sysUpTime value (TimeTicks). This appears in the first - A sysUpTime parameter (TimeTicks). This appears in the first
variable-binding in an SNMPv2-Trap-PDU or InformRequest-PDU. variable-binding in an SNMPv2-Trap-PDU or InformRequest-PDU.
- An snmpTrapOID value (OBJECT IDENTIFIER). This appears in the - An snmpTrapOID parameter (OBJECT IDENTIFIER). This appears in
second variable-binding in an SNMPv2-Trap-PDU or the second variable-binding in an SNMPv2-Trap-PDU or
InformRequest-PDU. InformRequest-PDU.
- A list of variable-bindings (VarBindList). This refers to all - A list of variable-bindings (VarBindList). This refers to all
but the first two variable-bindings in an SNMPv2-Trap-PDU or but the first two variable-bindings in an SNMPv2-Trap-PDU or
InformRequest-PDU. InformRequest-PDU.
3.1. Translating SNMPv1 Notification Parameters to SNMPv2 Notification 3.1. Translating SNMPv1 Notification Parameters to SNMPv2 Notification
Parameters Parameters
The following procedure describes how to translate SNMPv1 The following procedure describes how to translate SNMPv1
notification parameters into SNMPv2 notification parameters: notification parameters into SNMPv2 notification parameters:
(1) The SNMPv2 sysUpTime value SHALL be taken directly from the SNMPv1 (1) The SNMPv2 sysUpTime parameter SHALL be taken directly from the
time-stamp value. SNMPv1 time-stamp parameter.
(2) If the SNMPv1 generic-trap value is 'enterpriseSpecific(6)', the (2) If the SNMPv1 generic-trap parameter is 'enterpriseSpecific(6)',
SNMPv2 snmpTrapOID value SHALL be the concatentation of the SNMPv1 the SNMPv2 snmpTrapOID parameter SHALL be the concatentation of the
enterprise value and two additional sub-identifiers, '0', and the SNMPv1 enterprise parameter and two additional sub-identifiers,
SNMPv1 specific-trap value. '0', and the SNMPv1 specific-trap parameter.
(3) If the SNMPv1 generic-trap value is not 'enterpriseSpecific(6)', (3) If the SNMPv1 generic-trap parameter is not
the SNMPv2 snmpTrapOID value SHALL be the corresponding trap as 'enterpriseSpecific(6)', the SNMPv2 snmpTrapOID parameter SHALL be
defined in section 2 of RFC1907 [12]: the corresponding trap as defined in section 2 of RFC1907 [12]:
generic-trap value snmpTrapOID.0 generic-trap parameter snmpTrapOID.0
================== ============= ====================== =============
0 1.3.6.1.6.3.1.1.5.1 (coldStart) 0 1.3.6.1.6.3.1.1.5.1 (coldStart)
1 1.3.6.1.6.3.1.1.5.2 (warmStart) 1 1.3.6.1.6.3.1.1.5.2 (warmStart)
2 1.3.6.1.6.3.1.1.5.3 (linkDown) 2 1.3.6.1.6.3.1.1.5.3 (linkDown)
3 1.3.6.1.6.3.1.1.5.4 (linkUp) 3 1.3.6.1.6.3.1.1.5.4 (linkUp)
4 1.3.6.1.6.3.1.1.5.5 (authenticationFailure) 4 1.3.6.1.6.3.1.1.5.5 (authenticationFailure)
5 1.3.6.1.6.3.1.1.5.6 (egpNeighborLoss) 5 1.3.6.1.6.3.1.1.5.6 (egpNeighborLoss)
(4) The SNMPv2 variable-bindings SHALL be the SNMPv1 variable-bindings. (4) The SNMPv2 variable-bindings SHALL be the SNMPv1 variable-bindings.
In addition, if the translation is being performed by a proxy in In addition, if the translation is being performed by a proxy in
order to forward a received trap, three additional variable- order to forward a received trap, three additional variable-
bindings will be appended, if these three additional variable- bindings will be appended, if these three additional variable-
bindings do not already exist in the SNMPv1 variable-bindings. The bindings do not already exist in the SNMPv1 variable-bindings. The
name portion of the first variable binding SHALL contain name portion of the first variable binding SHALL contain
snmpTrapAddress.0, and the value SHALL contain the SNMPv1 agent- snmpTrapAddress.0, and the value SHALL contain the SNMPv1 agent-
addr value. The name portion of the second variable binding SHALL addr parameter. The name portion of the second variable binding
contain snmpTrapCommunity.0, and the value SHALL contain the value SHALL contain snmpTrapCommunity.0, and the value SHALL contain the
of the community-string field from the received SNMPv1 message value of the community-string field from the received SNMPv1
which contained the SNMPv1 Trap-PDU. The name portion of the third message which contained the SNMPv1 Trap-PDU. The name portion of
variable binding SHALL contain snmpTrapEnterprise.0 [12], and the the third variable binding SHALL contain snmpTrapEnterprise.0 [12],
value SHALL be the SNMPv1 enterprise value. and the value SHALL be the SNMPv1 enterprise parameter.
3.2. Translating SNMPv2 Notification Parameters to SNMPv1 Notification 3.2. Translating SNMPv2 Notification Parameters to SNMPv1 Notification
Parameters Parameters
The following procedure describes how to translate SNMPv2 The following procedure describes how to translate SNMPv2
notification parameters into SNMPv1 notification parameters: notification parameters into SNMPv1 notification parameters:
(1) The SNMPv1 enterprise value SHALL be determined as follows: (1) The SNMPv1 enterprise parameter SHALL be determined as follows:
- If the SNMPv2 snmpTrapOID value is one of the standard traps - If the SNMPv2 snmpTrapOID parameter is one of the standard
as defined in RFC1907 [12], then the SNMPv1 enterprise value traps as defined in RFC1907 [12], then the SNMPv1 enterprise
SHALL be set to the value of the variable-binding in the parameter SHALL be set to the value of the variable-binding in
SNMPv2 variable-bindings whose name is snmpTrapEnterprise.0 if the SNMPv2 variable-bindings whose name is
that variable-binding exists. If it does not exist, the snmpTrapEnterprise.0 if that variable-binding exists. If it
SNMPv1 enterprise value SHALL be set to the value 'snmpTraps' does not exist, the SNMPv1 enterprise parameter SHALL be set
as defined in RFC1907 [12]. to the value 'snmpTraps' as defined in RFC1907 [12].
- If the SNMPv2 snmpTrapOID value is not one of the standard - If the SNMPv2 snmpTrapOID parameter is not one of the standard
traps as defined in RFC1907 [12], then the SNMPv1 enterprise traps as defined in RFC1907 [12], then the SNMPv1 enterprise
value SHALL be set to the SNMPv2 snmpTrapOID value as follows: parameter SHALL be set to the SNMPv2 snmpTrapOID parameter as
follows:
- If the next-to-last sub-identifier of the snmpTrapOID is - If the next-to-last sub-identifier of the snmpTrapOID is
zero, then the SMIv1 enterprise SHALL be the SMIv2 zero, then the SMIv1 enterprise SHALL be the SMIv2
snmpTrapOID with the last 2 sub-identifiers removed, snmpTrapOID with the last 2 sub-identifiers removed,
otherwise otherwise
- If the next-to-last sub-identifier of the snmpTrapOID is - If the next-to-last sub-identifier of the snmpTrapOID is
non-zero, then the SMIv1 enterprise SHALL be the SMIv2 non-zero, then the SMIv1 enterprise SHALL be the SMIv2
snmpTrapOID with the last sub-identifier removed. snmpTrapOID with the last sub-identifier removed.
(2) The SNMPv1 agent-addr value SHALL be determined based on the (2) The SNMPv1 agent-addr parameter SHALL be determined based on the
situation in which the translation occurs. situation in which the translation occurs.
- If the translation occurs within a notification originator - If the translation occurs within a notification originator
application, and the notification is to be sent over UDP, the application, and the notification is to be sent over IP, the
SNMPv1 agent-addr value SHALL be set to the IP address of the SNMPv1 agent-addr parameter SHALL be set to the IP address of
SNMP entity in which the notification originator resides. If the SNMP entity in which the notification originator resides.
the notification is to be sent over some other transport, the If the notification is to be sent over some other transport,
SNMPv1 agent-addr value SHALL be set to 0.0.0.0. the SNMPv1 agent-addr parameter SHALL be set to 0.0.0.0.
- If the translation occurs within a proxy application, the - If the translation occurs within a proxy application, the
proxy must attempt to determine the original source of the proxy must attempt to determine the original source of the
notification. If the SNMPv2 variable-bindings contains a notification. If the SNMPv2 variable-bindings contains a
variable binding whose name is snmpTrapAddress.0, the agent- variable binding whose name is snmpTrapAddress.0, the agent-
addr value SHALL be set to the value of that variable binding. addr parameter SHALL be set to the value of that variable
Otherwise, If this source was an IP or UDP address, that binding. Otherwise, Otherwise, the SNMPv1 agent-addr
address SHALL be used for the SNMPv1 agent-addr value. parameter SHALL be set to 0.0.0.0.
Otherwise, the SNMPv1 agent-addr value SHALL be set to
0.0.0.0.
(3) If the SNMPv2 snmpTrapOID value is one of the standard traps as (3) If the SNMPv2 snmpTrapOID parameter is one of the standard traps as
defined in RFC1907 [12], the SNMPv1 generic-trap value SHALL be set defined in RFC1907 [12], the SNMPv1 generic-trap parameter SHALL be
as follows: set as follows:
value of snmpTrapOID.0 generic-trap snmpTrapOID.0 parameter generic-trap
=============================== ============ =============================== ============
1.3.6.1.6.3.1.1.5.1 (coldStart) 0 1.3.6.1.6.3.1.1.5.1 (coldStart) 0
1.3.6.1.6.3.1.1.5.2 (warmStart) 1 1.3.6.1.6.3.1.1.5.2 (warmStart) 1
1.3.6.1.6.3.1.1.5.3 (linkDown) 2 1.3.6.1.6.3.1.1.5.3 (linkDown) 2
1.3.6.1.6.3.1.1.5.4 (linkUp) 3 1.3.6.1.6.3.1.1.5.4 (linkUp) 3
1.3.6.1.6.3.1.1.5.5 (authenticationFailure) 4 1.3.6.1.6.3.1.1.5.5 (authenticationFailure) 4
1.3.6.1.6.3.1.1.5.6 (egpNeighborLoss) 5 1.3.6.1.6.3.1.1.5.6 (egpNeighborLoss) 5
Otherwise, the SNMPv1 generic-trap value SHALL be set to 6. Otherwise, the SNMPv1 generic-trap parameter SHALL be set to 6.
(4) If the SNMPv2 snmpTrapOID value is one of the standard traps as (4) If the SNMPv2 snmpTrapOID parameter is one of the standard traps as
defined in RFC1907 [12], the SNMPv1 specific-trap value SHALL be defined in RFC1907 [12], the SNMPv1 specific-trap parameter SHALL
set to zero. Otherwise, the SNMPv1 specific-trap value SHALL be be set to zero. Otherwise, the SNMPv1 specific-trap parameter
set to the last sub-identifier of the SNMPv2 snmpTrapOID value. SHALL be set to the last sub-identifier of the SNMPv2 snmpTrapOID
parameter.
(5) The SNMPv1 time-stamp value SHALL be taken directly from the SNMPv2 (5) The SNMPv1 time-stamp parameter SHALL be taken directly from the
sysUpTime value. SNMPv2 sysUpTime parameter.
(6) The SNMPv1 variable-bindings SHALL be the SNMPv2 variable-bindings (6) The SNMPv1 variable-bindings SHALL be the SNMPv2 variable-bindings
with the following exceptions: with the following exceptions:
- Any variable-binding whose type is Counter64 which exists in - Any variable-binding whose type is Counter64 which exists in
the SNMPv2 variable-bindings SHALL be removed. the SNMPv2 variable-bindings SHALL be removed.
4. Approaches to Coexistence in a Multi-lingual Network 4. Approaches to Coexistence in a Multi-lingual Network
There are two basic approaches to coexistence in a multi-lingual There are two basic approaches to coexistence in a multi-lingual
network, multi-lingual implementations, and proxy implementations. network, multi-lingual implementations and proxy implementations.
Multi-lingual implementations allow elements in a network to Multi-lingual implementations allow elements in a network to
communicate with each other using an SNMP version which both elements communicate with each other using an SNMP version which both elements
support. This allows a multi-lingual implentation to communicate support. This allows a multi-lingual implentation to communicate
with any mono-lingual implementation, regardless of the SNMP version with any mono-lingual implementation, regardless of the SNMP version
supported by the mono-lingual implementation. supported by the mono-lingual implementation.
Proxy implementations provide a mechanism for translating between Proxy implementations provide a mechanism for translating between
SNMP versions using a third party network element. This allows SNMP versions using a third party network element. This allows
network elements which support only a single, but different, SNMP network elements which support only a single, but different, SNMP
version to communicate with each other. Proxy implementations are version to communicate with each other. Proxy implementations are
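Review bot: In section 3.2 step (2), proxy case, the new text reads "Otherwise, Otherwise, the SNMPv1 agent-addr parameter SHALL be set to 0.0.0.0": the word is doubled, and the rule that used the IP or UDP source address of the notification has been dropped, although the bullet still opens with "the proxy must attempt to determine the original source". If dropping the fallback is intended, reword that opening sentence so that snmpTrapAddress.0 is the only source consulted, and note that a receiver then sees 0.0.0.0 for every forwarded notification that lacks that variable binding. The typos "concatentation" in 3.1 step (2) and "implentation" in section 4 are carried over unchanged.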
skipping to change at page 24, line 26 skipping to change at page 24, line 26
Note also that access control and notification filtering are Note also that access control and notification filtering are
performed in the usual manner for notifications, regardless of the performed in the usual manner for notifications, regardless of the
SNMP message version to be used when sending a notification. The SNMP message version to be used when sending a notification. The
parameters for performing access control are found in the usual parameters for performing access control are found in the usual
manner (i.e. from inspecting the SNMP-TARGET-MIB and SNMP- manner (i.e. from inspecting the SNMP-TARGET-MIB and SNMP-
NOTIFICATION-MIB). In particular, when generating an SNMPv1 Trap, in NOTIFICATION-MIB). In particular, when generating an SNMPv1 Trap, in
order to perform the access check specified in [18], section 3.3, order to perform the access check specified in [18], section 3.3,
bullet (3), the notification originator may need to generate a value bullet (3), the notification originator may need to generate a value
for snmpTrapOID.0 as described in section 3.1, bullets (2) and (3) of for snmpTrapOID.0 as described in section 3.1, bullets (2) and (3) of
this document (if the SNMPv1 notificaton parameters being used were this document. If the SNMPv1 notificaton parameters being used were
previously translated from a set of SNMPv2 notification parameters, previously translated from a set of SNMPv2 notification parameters,
this value may already be known, in which case it need not be this value may already be known, in which case it need not be
generated). generated.
4.1.4. Notification Receiver 4.1.4. Notification Receiver
There are no special requirements of a notification receiver. There are no special requirements of a notification receiver.
However, an implementation may find it useful to allow a higher level However, an implementation may find it useful to allow a higher level
application to request whether notifications should be delivered to a application to request whether notifications should be delivered to a
higher level application using SNMPv1 notification parameter or higher level application using SNMPv1 notification parameter or
SNMPv2 notification parameters. The notification receiver would then SNMPv2 notification parameters. The notification receiver would then
translate notification parameters when required in order to present a translate notification parameters when required in order to present a
notification using the desired set of parameters. notification using the desired set of parameters.
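Review bot: In the access-control paragraph the parentheses were removed but "notificaton" is still misspelled in the new sentence. In 4.1.4, "using SNMPv1 notification parameter or SNMPv2 notification parameters" mixes singular and plural; suggest "SNMPv1 notification parameters".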
skipping to change at page 25, line 24 skipping to change at page 25, line 24
before forwarding the response. before forwarding the response.
- If a GetResponse-PDU is received which contains variable- - If a GetResponse-PDU is received which contains variable-
bindings of type Counter64 or which contain an SNMPv2 bindings of type Counter64 or which contain an SNMPv2
exception code, and the message would be forwarded using the exception code, and the message would be forwarded using the
SNMPv1 message version, the proxy MUST generate an alternate SNMPv1 message version, the proxy MUST generate an alternate
response PDU consisting of the request-id and variable response PDU consisting of the request-id and variable
bindings from the original SNMPv1 request, containing a bindings from the original SNMPv1 request, containing a
noSuchName error-status value, and containing an error-index noSuchName error-status value, and containing an error-index
value indicating the position of the variable-binding value indicating the position of the variable-binding
containing the Counter64 type. containing the Counter64 type or exception code.
- If a GetResponse-PDU is received which contains an SNMPv2
error-status value of wrongValue, wrongEncoding, wrongType,
wrongLength, inconsistentValue, noAccess, notWritable,
noCreation, inconsistentName, resourceUnavailable,
commitFailed, undoFailed, or authorizationError, the error-
status value is modified using the mappings in section 4.3.
- If a Trap-PDU is received, and will be forwarded using the - If a Trap-PDU is received, and will be forwarded using the
SNMPv2c or SNMPv3 message version, the proxy SHALL apply the SNMPv2c or SNMPv3 message version, the proxy SHALL apply the
translation rules described in section 3, and SHALL forward translation rules described in section 3, and SHALL forward
the notification as an SNMPv2-Trap-PDU. the notification as an SNMPv2-Trap-PDU.
- If an SNMPv2-Trap-PDU is received, and will be forwarded using - If an SNMPv2-Trap-PDU is received, and will be forwarded using
the SNMPv1 message version, the proxy SHALL apply the the SNMPv1 message version, the proxy SHALL apply the
translation rules described in section 3, and SHALL forward translation rules described in section 3, and SHALL forward
the notification as a Trap-PDU. the notification as a Trap-PDU.
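Review bot: The added bullet on SNMPv2 error-status values does not carry the condition "and the message would be forwarded using the SNMPv1 message version" that the bullet above it has, and "is modified" is not a requirement keyword, so as written it applies to every forwarded GetResponse-PDU and binds nothing. Suggest "..., and the message would be forwarded using the SNMPv1 message version, the error-status value SHALL be modified using the mappings in section 4.3". In the preceding bullet, "the position of the variable-binding containing the Counter64 type or exception code" should say which position is reported when more than one variable-binding qualifies.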
skipping to change at page 27, line 7 skipping to change at page 27, line 7
notWritable noSuchName notWritable noSuchName
noCreation noSuchName noCreation noSuchName
inconsistentName noSuchName inconsistentName noSuchName
resourceUnavailable genErr resourceUnavailable genErr
commitFailed genErr commitFailed genErr
undoFailed genErr undoFailed genErr
authorizationError noSuchName authorizationError noSuchName
5. Message Processing Models and Security Models 5. Message Processing Models and Security Models
In order to adapt SNMPv1 (and SNMPv2c) into the SNMP architecture, the In order to adapt SNMPv1 (and SNMPv2c) into the SNMP architecture,
following models must be defined: the following models are defined in this document:
- The SNMPv1 Message Processing Model - The SNMPv1 Message Processing Model
- The SNMPv1 Community-Based Security Model - The SNMPv1 Community-Based Security Model
The following models are also described in this document: The following models are also described in this document:
- The SNMPv2c Message Processing Model - The SNMPv2c Message Processing Model
- The SNMPv2c Community-Based Security Model - The SNMPv2c Community-Based Security Model
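Review bot: With "must be defined" changed to "are defined in this document", the first list and the second list ("also described in this document") are both said to be in this document, and the text no longer says what separates "defined" from "described" for the SNMPv2c models. State the difference or merge the two lists.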
skipping to change at page 31, line 30 skipping to change at page 31, line 30
snmpTargetAddrTable [18]. In addition, the SNMP-COMMUNITY-MIB snmpTargetAddrTable [18]. In addition, the SNMP-COMMUNITY-MIB
augments the snmpTargetAddrTable with a transport address mask value. augments the snmpTargetAddrTable with a transport address mask value.
This allows selected entries in the snmpTargetAddrTable to specify This allows selected entries in the snmpTargetAddrTable to specify
multiple addresses (rather than just a single address per entry). multiple addresses (rather than just a single address per entry).
This would typically be used to specify a subnet in an This would typically be used to specify a subnet in an
snmpTargetAddrTable rather than just a single address. snmpTargetAddrTable rather than just a single address.
The mask value, snmpTargetAddrTMask, is used to select which bits of The mask value, snmpTargetAddrTMask, is used to select which bits of
a transport address must match bits of the corresponding instance of a transport address must match bits of the corresponding instance of
snmpTargetAddrTAddress, in order for the transport address to match a snmpTargetAddrTAddress, in order for the transport address to match a
particular entry in the snmpTargetAddrTable. The value of particular entry in the snmpTargetAddrTable. The value of an
snmpTargetAddrTMask must always be an OCTET STRING of the same length instance of snmpTargetAddrTMask must always be an OCTET STRING whose
as the snmpTargetAddrTAddress. length is either zero or the same as that of the corresponding
instance of snmpTargetAddrTAddress.
Each bit of each octet in the snmpTargetAddrTMask value corresponds When checking whether a transport address matches an entry in the
to the same bit of the same octet in the snmpTargetAddrTAddress snmpTargetAddrTable, if the value of snmpTargetAddrTMask is a zero-
value. For bits that are set in the snmpTargetAddrTMask value (i.e. length OCTET STRING, the mask value is ignored, and the value of
bits equal to 1), the corresponding bits in the snmpTargetAddrTAddress must exactly match a transport address.
snmpTargetAddrTAddress value must match the bits in a transport Otherwise, each bit of each octet in the snmpTargetAddrTMask value
address. If all such bits match, the transport address is matched by corresponds to the same bit of the same octet in the
that snmpTargetAddrTable entry. Otherwise, the transport address is snmpTargetAddrTAddress value. For bits that are set in the
not matched. snmpTargetAddrTMask value (i.e. bits equal to 1), the corresponding
bits in the snmpTargetAddrTAddress value must match the bits in a
transport address. If all such bits match, the transport address is
matched by that snmpTargetAddrTable entry. Otherwise, the transport
address is not matched.
SNMP-COMMUNITY-MIB DEFINITIONS ::= BEGIN SNMP-COMMUNITY-MIB DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
IpAddress IpAddress
FROM RFC1155-SMI FROM RFC1155-SMI
MODULE-IDENTITY, MODULE-IDENTITY,
OBJECT-TYPE, OBJECT-TYPE,
Integer32, Integer32,
Counter32, Counter32,
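Review bot: The new matching paragraph gives a zero-length snmpTargetAddrTMask the meaning "exact match", while by the bit rule in the same paragraph a full-length mask with no bits set constrains nothing and so matches every transport address; the two "empty" masks have opposite effects and the text does not say so. Since this check decides whether a transport address matches an entry, add a sentence stating the all-zero case explicitly. The paragraph also does not say what the result is when the transport address being checked differs in length from snmpTargetAddrTAddress.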
skipping to change at page 33, line 46 skipping to change at page 34, line 4
-- --
snmpCommunityTable OBJECT-TYPE snmpCommunityTable OBJECT-TYPE
SYNTAX SEQUENCE OF SnmpCommunityEntry SYNTAX SEQUENCE OF SnmpCommunityEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The table of community strings configured in the SNMP "The table of community strings configured in the SNMP
engine's Local Configuration Datastore (LCD)." engine's Local Configuration Datastore (LCD)."
::= { snmpCommunityMIBObjects 1 } ::= { snmpCommunityMIBObjects 1 }
snmpCommunityEntry OBJECT-TYPE snmpCommunityEntry OBJECT-TYPE
SYNTAX SnmpCommunityEntry SYNTAX SnmpCommunityEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Information about a particular community string." "Information about a particular community string."
INDEX { snmpCommunityIndex } INDEX { IMPLIED snmpCommunityIndex }
::= { snmpCommunityTable 1 } ::= { snmpCommunityTable 1 }
SnmpCommunityEntry ::= SEQUENCE { SnmpCommunityEntry ::= SEQUENCE {
snmpCommunityIndex SnmpAdminString, snmpCommunityIndex SnmpAdminString,
snmpCommunityName OCTET STRING, snmpCommunityName OCTET STRING,
snmpCommunitySecurityName SnmpAdminString, snmpCommunitySecurityName SnmpAdminString,
snmpCommunityContextEngineID SnmpEngineID, snmpCommunityContextEngineID SnmpEngineID,
snmpCommunityContextName SnmpAdminString, snmpCommunityContextName SnmpAdminString,
snmpCommunityTransportTag SnmpTagValue, snmpCommunityTransportTag SnmpTagValue,
snmpCommunityStorageType StorageType, snmpCommunityStorageType StorageType,
snmpCommunityStatus RowStatus snmpCommunityStatus RowStatus
} }
snmpCommunityIndex OBJECT-TYPE snmpCommunityIndex OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..128)) SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The unique index value of a row in this table." "The unique index value of a row in this table."
::= { snmpCommunityEntry 1 } ::= { snmpCommunityEntry 1 }
snmpCommunityName OBJECT-TYPE snmpCommunityName OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..64)) SYNTAX OCTET STRING (SIZE(1..64))
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
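Review bot: Adding IMPLIED to the INDEX clause of snmpCommunityEntry drops the length sub-identifier from the instance identifiers of every column in the table, and the SIZE change from (1..128) to (1..32) on snmpCommunityIndex narrows the valid index values, so rows are named differently from the -01 draft. That is acceptable between draft revisions but should be called out in the change log. The lower bound of 1 in the SIZE clause is what makes IMPLIED legal for this index and should be kept.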
skipping to change at page 37, line 4 skipping to change at page 37, line 6
::= { snmpCommunityMIBObjects 2 } ::= { snmpCommunityMIBObjects 2 }
snmpTargetAddrMaskEntry OBJECT-TYPE snmpTargetAddrMaskEntry OBJECT-TYPE
SYNTAX SnmpTargetAddrMaskEntry SYNTAX SnmpTargetAddrMaskEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Information about a particular mask value." "Information about a particular mask value."
AUGMENTS { snmpTargetAddrEntry } AUGMENTS { snmpTargetAddrEntry }
::= { snmpTargetAddrMaskTable 1 } ::= { snmpTargetAddrMaskTable 1 }
SnmpTargetAddrMaskEntry ::= SEQUENCE { SnmpTargetAddrMaskEntry ::= SEQUENCE {
snmpTargetAddrTMask OCTET STRING snmpTargetAddrTMask OCTET STRING
} }
snmpTargetAddrTMask OBJECT-TYPE snmpTargetAddrTMask OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (1..255)) SYNTAX OCTET STRING (SIZE (0..255))
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The mask value associated with an entry in the "The mask value associated with an entry in the
snmpTargetAddrTable. The value of this object must snmpTargetAddrTable. The value of this object must
be the same length as the corresponding instance of have the same length as the corresponding instance of
snmpTargetAddrTAddress. snmpTargetAddrTAddress, or must have length 0."
DEFVAL { ''H }
The value of this object must be set before the
corresponding value of snmpTargetAddrRowStatus may
be set to active(1).
This object may not be set while the value of the
corresponding instance of snmpTargetAddrRowStatus
is active(1)."
::= { snmpTargetAddrMaskEntry 1 } ::= { snmpTargetAddrMaskEntry 1 }
-- --
-- The snmpTrapAddress and snmpTrapCommunity objects are included -- The snmpTrapAddress and snmpTrapCommunity objects are included
-- in notifications that are forwarded by a proxy, which were -- in notifications that are forwarded by a proxy, which were
-- originally received as SNMPv1 Trap messages. -- originally received as SNMPv1 Trap messages.
-- --
snmpTrapAddress OBJECT-TYPE snmpTrapAddress OBJECT-TYPE
SYNTAX IpAddress SYNTAX IpAddress
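Review bot: In the snmpTargetAddrTMask DESCRIPTION, the two sentences tying the object to snmpTargetAddrRowStatus ("must be set before ... active(1)" and "may not be set while ... active(1)") are gone in the new text, so the mask of an active row can now be rewritten, which changes the set of matching addresses on a live entry. With DEFVAL { ''H } the first sentence is no longer needed, but if changing the mask of an active row is not intended, keep the second. The description also requires a length of 0 or the length of snmpTargetAddrTAddress without naming the error returned for a set with any other length.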
skipping to change at page 42, line 18 skipping to change at page 42, line 18
community names to be mapped into securityName/contextName provides community names to be mapped into securityName/contextName provides
the ability to use view-based access control to limit the access of the ability to use view-based access control to limit the access of
unsecured SNMPv1 and SNMPv2 operations. In fact, it is important for unsecured SNMPv1 and SNMPv2 operations. In fact, it is important for
network administrators to make use of this capability in order to network administrators to make use of this capability in order to
avoid unauthorized access to MIB data that would otherwise be secure. avoid unauthorized access to MIB data that would otherwise be secure.
Further, the SNMP-COMMUNITY-MIB has the potential to expose community Further, the SNMP-COMMUNITY-MIB has the potential to expose community
strings which provide access to more information than that which is strings which provide access to more information than that which is
available using the usual 'public' community string. For this available using the usual 'public' community string. For this
reason, a security administrator may wish to limit accessibility to reason, a security administrator may wish to limit accessibility to
the SNMP-COMMUNITY-MIB, and in particular, to make in inaccessible the SNMP-COMMUNITY-MIB, and in particular, to make it inaccessible
when using the 'public' community string. when using the 'public' community string.
When a proxy implementation translates messages between SNMPv1 (or When a proxy implementation translates messages between SNMPv1 (or
SNMPv2c) and SNMPv3, there may be a loss of security. For example, SNMPv2c) and SNMPv3, there may be a loss of security. For example,
an SNMPv3 message received using authentication and privacy which is an SNMPv3 message received using authentication and privacy which is
subsequently forwarded using SNMPv1 will lose the security benefits subsequently forwarded using SNMPv1 will lose the security benefits
of using authentication and privacy. Careful configuration of of using authentication and privacy. Careful configuration of
proxies is required to address such situations. One approach to deal proxies is required to address such situations. One approach to deal
with such situations might be to use an encrypted tunnel. with such situations might be to use an encrypted tunnel.
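Review bot: The paragraph on exposure of community strings covers only the SNMP-COMMUNITY-MIB itself, but section 3.1 step (4) has a proxy append snmpTrapCommunity.0, holding the community string of the received SNMPv1 message, to forwarded notifications, so the string is also carried in the variable-bindings to every receiver of the forwarded notification. Suggest adding that case to this paragraph. In the last paragraph, "Careful configuration of proxies is required" gives the administrator nothing to act on; say at least that the proxy's outgoing SNMPv1 or SNMPv2c leg is the one left without authentication and privacy.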
 End of changes. 43 change blocks. 
94 lines changed or deleted 99 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/