draft-ietf-snmpv3-next-gen-arch-06.txt   rfc2261.txt

draft-ietf-snmpv3-next-gen-arch-06.txt:

INTERNET-DRAFT                                            D. Harrington
                                                 Cabletron Systems, Inc.
                                                              R. Presuhn
                                                      BMC Software, Inc.
                                                               B. Wijnen
                                               IBM T. J. Watson Research
                                                         28 October 1997

                      An Architecture for Describing
                        SNMP Management Frameworks

                 <draft-ietf-snmpv3-next-gen-arch-06.txt>

rfc2261.txt:

Network Working Group                                     D. Harrington
Request for Comments: 2261                       Cabletron Systems, Inc.
Category: Standards Track                                     R. Presuhn
                                                      BMC Software, Inc.
                                                               B. Wijnen
                                               IBM T. J. Watson Research
                                                            January 1998

                      An Architecture for Describing
                        SNMP Management Frameworks

Status of this Memo

draft-ietf-snmpv3-next-gen-arch-06.txt:

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).

rfc2261.txt:

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements. Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1997). All Rights Reserved.

Abstract

   This document describes an architecture for describing SNMP
   Management Frameworks. The architecture is designed to be modular to
   allow the evolution of the SNMP protocol standards over time. The
   major portions of the architecture are an SNMP engine containing a
   Message Processing Subsystem, a Security Subsystem and an Access
   Control Subsystem, and possibly multiple SNMP applications which
   provide specific functional processing of management data.
Table of Contents

   1. Introduction
   1.1. Overview
   1.2. SNMP
   1.3. Goals of this Architecture
   1.4. Security Requirements of this Architecture
   1.5. Design Decisions
   2. Documentation Overview
   2.1. Document Roadmap
   2.2. Applicability Statement
   2.3. Coexistence and Transition
   2.4. Transport Mappings
   2.5. Message Processing
   2.6. Security
   2.7. Access Control
   2.8. Protocol Operations
   2.9. Applications
   2.10. Structure of Management Information
   2.11. Textual Conventions
   2.12. Conformance Statements
   2.13. Management Information Base Modules
   2.13.1. SNMP Instrumentation MIBs
   2.14. SNMP Framework Documents
   3. Elements of the Architecture
   3.1. The Naming of Entities
   3.1.1. SNMP engine
   3.1.1.1. snmpEngineID
   3.1.1.2. Dispatcher
   3.1.1.3. Message Processing Subsystem
   3.1.1.3.1. Message Processing Model
   3.1.1.4. Security Subsystem
   3.1.1.4.1. Security Model
   3.1.1.4.2. Security Protocol
   3.1.2. Access Control Subsystem
   3.1.2.1. Access Control Model
   3.1.3. Applications
   3.1.3.1. SNMP Manager
   3.1.3.2. SNMP Agent
   3.2. The Naming of Identities
   3.2.1. Principal
   3.2.2. securityName
   3.2.3. Model-dependent security ID
   3.3. The Naming of Management Information
   3.3.1. An SNMP Context
   3.3.2. contextEngineID
   3.3.3. contextName
   3.3.4. scopedPDU
   3.4. Other Constructs
   3.4.1. maxSizeResponseScopedPDU
   3.4.2. Local Configuration Datastore
   3.4.3. securityLevel
   4. Abstract Service Interfaces
   4.1. Dispatcher Primitives
   4.1.1. Generate Outgoing Request or Notification
   4.1.2. Process Incoming Request or Notification PDU
   4.1.3. Generate Outgoing Response
   4.1.4. Process Incoming Response PDU
   4.1.5. Registering Responsibility for Handling SNMP PDUs
   4.2. Message Processing Subsystem Primitives
   4.2.1. Prepare Outgoing SNMP Request or Notification Message
   4.2.2. Prepare an Outgoing SNMP Response Message
   4.2.3. Prepare Data Elements from an Incoming SNMP Message
   4.3. Access Control Subsystem Primitives
   4.4. Security Subsystem Primitives
   4.4.1. Generate a Request or Notification Message
   4.4.2. Process Incoming Message
   4.4.3. Generate a Response Message
   4.5. Common Primitives
   4.5.1. Release State Reference Information
   4.6. Scenario Diagrams
   4.6.1. Command Generator or Notification Originator
   4.6.2. Scenario Diagram for a Command Responder Application
   5. Managed Object Definitions for SNMP Management Frameworks
   6. Intellectual Property
   7. Acknowledgements
   8. Security Considerations
   9. References
   10. Editors' Addresses
   A. Guidelines for Model Designers
   A.1. Security Model Design Requirements
   A.1.1. Threats
   A.1.2. Security Processing
   A.1.3. Validate the security-stamp in a received message
   A.1.4. Security MIBs
   A.1.5. Cached Security Data
   A.2. Message Processing Model Design Requirements
   A.2.1. Receiving an SNMP Message from the Network
   A.2.2. Sending an SNMP Message to the Network
   A.3. Application Design Requirements
   A.3.1. Applications that Initiate Messages
   A.3.2. Applications that Receive Responses
   A.3.3. Applications that Receive Asynchronous Messages
   A.3.4. Applications that Send Responses
   A.4. Access Control Model Design Requirements

draft-ietf-snmpv3-next-gen-arch-06.txt:

   B. Issues
   B.1. Open Issues
   B.2. Change Log
   C. Full Copyright Statement

rfc2261.txt:

   B. Full Copyright Statement
1. Introduction

1.1. Overview

   This document defines a vocabulary for describing SNMP Management
   Frameworks, and an architecture for describing the major portions of
   SNMP Management Frameworks.

   This document does not provide a general introduction to SNMP. Other
   documents and books can provide a much better introduction to SNMP.
   Nor does this document provide a history of SNMP. That also can be
   found in books and other documents.

[skipping to change at page 10, line 42 of the draft / page 9, line 42 of the RFC]

+-------------------------------------------------------------------+
| | | Structure of | | Textual      | | Conformance   |           | |
| | | Management   | | Conventions  | | Statements    |           | |
| | | Information  | |              | |               |           | |
| | +--------------+ +--------------+ +---------------+           | |
| +---------------------------------------------------------------+ |
|                                                                   |
| +---------------------------------------------------------------+ |
| | MIBs                                                          | |
| | +-------------+ +-------------+ +----------+ +----------+     | |
| | | Standard v1 | | Standard v1 | | Historic | | Draft v2 |     | |
| | | RFC1157     | | RFC1212     | | RFC14XX  | | RFC19XX  |     | |
| | | format      | | format      | | format   | | format   |     | |
| | +-------------+ +-------------+ +----------+ +----------+     | |
| +---------------------------------------------------------------+ |
|                                                                   |
+-------------------------------------------------------------------+

rfc2261.txt adds:

   Note: RFC14XX means RFCs 1442, 1443, and 1444. RFC19XX means RFCs
   1902, 1903, and 1904.

   Those marked with an asterisk (*) are expected to be written in the
   future. Each of these documents may be replaced or supplemented.

   This Architecture document specifically describes how new documents
   fit into the set of documents in the area of Message and PDU
   handling.

2.1. Document Roadmap

   One or more documents may be written to describe how sets of
   documents taken together form specific Frameworks. The configuration
[skipping to change at page 20, line 11 of the draft / page 18, line 16 of the RFC]

   A Security Protocol defines the mechanisms, procedures, and MIB data
   used to provide a security service such as authentication or privacy.

3.1.2. Access Control Subsystem

   The Access Control Subsystem provides authorization services by means
   of one or more Access Control Models.

+------------------------------------------------------------------+
|                                                                  |
|  Access Control Subsystem                                        |
|                                                                  |
|  +---------------+  +-----------------+  +------------------+    |
|  |       *       |  |        *        |  |        *         |    |
|  |  View-Based   |  |    Other        |  |    Other         |    |
|  |  Access       |  |    Access       |  |    Access        |    |
|  |  Control      |  |    Control      |  |    Control       |    |
|  |  Model        |  |    Model        |  |    Model         |    |
|  |               |  |                 |  |                  |    |
|  +---------------+  +-----------------+  +------------------+    |
|                                                                  |
+------------------------------------------------------------------+

3.1.2.1. Access Control Model

   An Access Control Model defines a particular access decision function
   in order to support decisions regarding access rights.

3.1.3. Applications

   There are several types of applications, including:

[skipping to change at page 21, line 9 of the draft / page 19, line 9 of the RFC]

   - proxy forwarders, which forward messages between entities.

   These applications make use of the services provided by the SNMP
   engine.

3.1.3.1. SNMP Manager

   An SNMP entity containing one or more command generator and/or
   notification receiver applications (along with their associated SNMP
   engine) has traditionally been called an SNMP manager.

   * One or more models may be present.

                        (traditional SNMP manager)
+-------------------------------------------------------------------+
|  +--------------+  +--------------+  +--------------+ SNMP entity |
|  | NOTIFICATION |  | NOTIFICATION |  |   COMMAND    |             |
|  |  ORIGINATOR  |  |   RECEIVER   |  |  GENERATOR   |             |
|  | applications |  | applications |  | applications |             |
|  +--------------+  +--------------+  +--------------+             |
|         ^                 ^                 ^                     |
|         |                 |                 |                     |
[skipping to change at page 38, line 17 of the draft / page 35, line 17 of the RFC]

SNMP-FRAMEWORK-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE,
    OBJECT-IDENTITY,
    snmpModules                           FROM SNMPv2-SMI
    TEXTUAL-CONVENTION                    FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP       FROM SNMPv2-CONF;

snmpFrameworkMIB MODULE-IDENTITY
    LAST-UPDATED "9711200000Z"            -- 20 November 1997
    -- draft-06 had: LAST-UPDATED "9710280000Z" -- 28 October 1997
    ORGANIZATION "SNMPv3 Working Group"
    CONTACT-INFO "WG-email:   snmpv3@tis.com
                  Subscribe:  majordomo@tis.com
                              In message body:  subscribe snmpv3

                  Chair:      Russ Mundy
                              Trusted Information Systems
                  postal:     3060 Washington Rd
                              Glenwood MD 21738
                              USA
                  email:      mundy@tis.com
                  phone:      +1 301-854-6889

                  Co-editor   Dave Harrington
                              Cabletron Systems, Inc.
                  postal:     Post Office Box 5005
                              Mail Stop: Durham
                              35 Industrial Way
                              Rochester, NH 03867-5005
                              USA
                  email:      dbh@ctron.com
                              (draft-06: dbh@cabletron.com)
                  phone:      +1 603-337-7357

                  Co-editor   Randy Presuhn
                              BMC Software, Inc.
                  postal:     1190 Saratoga Avenue
                              Suite 130
                              San Jose, CA 95129
                              USA
                  email:      rpresuhn@bmc.com
                  phone:      +1 408-556-0720

                  Co-editor:  Bert Wijnen
                              IBM T.J. Watson Research
                  postal:     Schagen 33
                              3461 GL Linschoten
                              Netherlands
                  email:      wijnen@vnet.ibm.com
                  phone:      +31 348-432-794
                 "
    DESCRIPTION  "The SNMP Management Architecture MIB"
    ::= { snmpModules 2 }
    -- draft-06 had: ::= { snmpModules 7 } -- DBH: check if this number is indeed OK

-- Textual Conventions used in the SNMP Management Architecture ***

SnmpEngineID ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION "An SNMP engine's administratively-unique identifier.
                 The value for this object may not be all zeros or
                 all 'ff'H or the empty (zero length) string.
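As an added example (not code from the RFC, the draft, or any SNMP implementation), the following Python checks snmpEngineID values against the three prohibitions stated in the SnmpEngineID textual convention above and decodes the enterprise/format octet layout. The 1..32 octet SIZE bound, the 12-octet old-style layout and the format codes are taken from the rest of RFC 2261's definition, which this page does not reproduce, so treat them as this example's assumptions; the sample value is constructed.

```python
"""Validate and decode snmpEngineID octet strings.

Added example, not part of the RFC text.  The textual convention forbids
three values: all zeros, all 'ff'H, and the empty string.  The length
bound (1..32 octets) and the octet layout decoded here come from the rest
of the SnmpEngineID definition in RFC 2261, which the page above does not
reproduce; they are assumptions as far as this example goes.
"""
from dataclasses import dataclass
from typing import Optional

MIN_LEN, MAX_LEN = 1, 32          # assumed SYNTAX OCTET STRING (SIZE(1..32))
OLD_STYLE_LEN = 12                # assumed pre-SNMPv3 layout: 4 + 8 octets

# Fifth-octet format codes of a new-style engine ID (first bit set).
FORMAT_NAMES = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}
FIXED_BODY_LEN = {"ipv4": 4, "ipv6": 16, "mac": 6}


@dataclass
class EngineID:
    raw: bytes
    new_style: bool                # high bit of octet 0 set
    enterprise: int                # IANA private enterprise number
    fmt: Optional[str]             # format name, None for old style
    body: bytes                    # format-specific remainder


def is_valid_engine_id(value: bytes) -> bool:
    """The three prohibitions of the textual convention plus the SIZE bound."""
    if not MIN_LEN <= len(value) <= MAX_LEN:
        return False
    if all(b == 0x00 for b in value) or all(b == 0xFF for b in value):
        return False
    return True


def decode_engine_id(value: bytes) -> EngineID:
    """Split an engine ID into enterprise number, format and body.

    Raises ValueError for forbidden values and for layouts that do not
    match the format code they announce.
    """
    if not is_valid_engine_id(value):
        raise ValueError("forbidden snmpEngineID value")
    if len(value) < 4:
        raise ValueError("engine ID shorter than the 4-octet enterprise field")
    new_style = bool(value[0] & 0x80)
    enterprise = int.from_bytes(value[:4], "big") & 0x7FFFFFFF
    if not new_style:
        # Old layout: enterprise number followed by 8 enterprise-defined octets.
        if len(value) != OLD_STYLE_LEN:
            raise ValueError("old-style engine ID must be exactly 12 octets")
        return EngineID(value, False, enterprise, None, value[4:])
    if len(value) < 5:
        raise ValueError("new-style engine ID needs a format octet")
    code, body = value[4], value[5:]
    fmt = FORMAT_NAMES.get(code)
    if fmt is None:
        fmt = "enterprise-specific" if code >= 128 else "reserved"
    expected = FIXED_BODY_LEN.get(fmt)
    if expected is not None and len(body) != expected:
        raise ValueError(f"{fmt} engine ID body must be {expected} octets")
    return EngineID(value, True, enterprise, fmt, body)


def rejects(value: bytes) -> bool:
    """True when decode_engine_id refuses the value (used by the checks)."""
    try:
        decode_engine_id(value)
    except ValueError:
        return True
    return False


# Constructed sample: enterprise 8072 with the new-style bit set, format 1
# (IPv4) and address 192.0.2.1 from the documentation range.
SAMPLE_IPV4_ID = bytes([0x80, 0x00, 0x1F, 0x88, 0x01, 192, 0, 2, 1])

if __name__ == "__main__":
    print(decode_engine_id(SAMPLE_IPV4_ID))
    for bad in (b"", b"\x00" * 12, b"\xff" * 12):
        print(repr(bad), "valid" if is_valid_engine_id(bad) else "forbidden")
```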
[skipping to change at page 48, line 18 of the draft / page 45, line 17 of the RFC]

   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

7. Acknowledgements

   This document is the result of the efforts of the SNMPv3 Working
   Group. Some special thanks are in order to the following SNMPv3 WG
   members:

      Dave Battle (SNMP Research, Inc.)
      Uri Blumenthal (IBM T.J. Watson Research Center)
      Jeff Case (SNMP Research, Inc.)
      John Curran (BBN)
      T. Max Devlin (Hi-TECH Connections)
      John Flick (Hewlett Packard)
      David Harrington (Cabletron Systems Inc.)
      N.C. Hien (IBM T.J. Watson Research Center)
      Dave Levi (SNMP Research, Inc.)
      Louis A Mamakos (UUNET Technologies Inc.)
      Paul Meyer (Secure Computing Corporation)
      Keith McCloghrie (Cisco Systems)
      Russ Mundy (Trusted Information Systems, Inc.)
      Bob Natale (ACE*COMM Corporation)
      Mike O'Dell (UUNET Technologies Inc.)
      Dave Perkins (DeskTalk)
      Peter Polkinghorne (Brunel University)
      Randy Presuhn (BMC Software, Inc.)
      David Reid (SNMP Research, Inc.)
      Shawn Routhier (Epilogue)
      Juergen Schoenwaelder (TU Braunschweig)
      Bob Stewart (Cisco Systems)
      Bert Wijnen (IBM T.J. Watson Research Center)

   The document is based on recommendations of the IETF Security and
   Administrative Framework Evolution for SNMP Advisory Team. Members
   of that Advisory Team were:

      David Harrington (Cabletron Systems Inc.)
      Jeff Johnson (Cisco Systems)
      David Levi (SNMP Research Inc.)
      John Linn (Openvision)
      Russ Mundy (Trusted Information Systems) chair
      Shawn Routhier (Epilogue)
      Glenn Waters (Nortel)
      Bert Wijnen (IBM T. J. Watson Research Center)

   As recommended by the Advisory Team and the SNMPv3 Working Group
   Charter, the design incorporates as much as practical from previous
   RFCs and drafts. As a result, special thanks are due to the authors
   of previous designs known as SNMPv2u and SNMPv2*:

      Jeff Case (SNMP Research, Inc.)
      David Harrington (Cabletron Systems Inc.)
      David Levi (SNMP Research, Inc.)
      Keith McCloghrie (Cisco Systems)
      Brian O'Keefe (Hewlett Packard)
      Marshall T. Rose (Dover Beach Consulting)
      Jon Saperia (BGS Systems Inc.)
      Steve Waldbusser (International Network Services)
      Glenn W. Waters (Bell-Northern Research Ltd.)

8. Security Considerations

   This document describes how an implementation can include a Security
   Model to protect management messages and an Access Control Model to
   control access to management information.

   The level of security provided is determined by the specific Security
   Model implementation(s) and the specific Access Control Model
   implementation(s) used.

[skipping to change at page 50, line 7 of the draft / page 46, line 50 of the RFC]

      security and access control needs of the organization,
   3) the implementations of the Models and Applications comply with
      the model and application specifications,
   4) and the implementation protects configuration secrets from
      inadvertent disclosure.
10. Editors' Addresses
Bert Wijnen
IBM T.J. Watson Research
Schagen 33
3461 GL Linschoten
Netherlands
Phone: +31 348-432-794
EMail: wijnen@vnet.ibm.com
Dave Harrington
Cabletron Systems, Inc
Post Office Box 5005
Mail Stop: Durham
35 Industrial Way
Rochester, NH 03867-5005
USA
Phone: +1 603-337-7357
EMail: dbh@cabletron.com (RFC 2261: dbh@ctron.com)
Randy Presuhn
BMC Software, Inc.
1190 Saratoga Avenue
Suite 130
San Jose, CA 95129
USA
Phone: +1 408-556-0720
EMail: rpresuhn@bmc.com
An SNMP engine contains a Message Processing Subsystem which may
contain multiple Message Processing Models.
The Message Processing Model MUST always (conceptually) pass the
complete PDU, i.e., it never forwards less than the complete list of
varBinds.
A.2.1. Receiving an SNMP Message from the Network
Upon receipt of a message from the network, the Dispatcher in the
SNMP engine determines the version of the SNMP message and interacts
with the corresponding Message Processing Model to determine the
abstract data elements.
A Message Processing Model specifies the SNMP Message format it
supports and describes how to determine the values of the abstract
data elements (like msgID, msgMaxSize, msgFlags,
msgSecurityParameters, securityModel, securityLevel etc). A Message
Processing Model interacts with a Security Model to provide security
processing for the message using the processMsg primitive, as
described in section 4.5.
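The receive path described in A.2.1, as an added Python sketch that is not code from this document: the Dispatcher reads msgVersion to select a Message Processing Model, and the SNMPv3 model then decodes msgGlobalData into the abstract data elements named above, rejecting a msgFlags value that asks for privacy without authentication before any Security Model processing happens. The BER layout of the v3 header and the msgFlags bit assignments (authFlag, privFlag, reportableFlag) are taken from the companion MPD specification (RFC 2262), not from this document, and both sample messages are constructed.

```python
# Constructed SNMPv3 message: msgID 0x1234, msgMaxSize 65507, msgFlags 0x07
# (authPriv, reportable), msgSecurityModel 3 (USM), empty security params.
SAMPLE_V3 = bytes.fromhex(
    "301a 020103 300f 02021234 020300ffe3 040107 020103 04023000 3000")
# Constructed SNMPv2c header: version 1, community "public", no PDU.
SAMPLE_V2C = bytes.fromhex("300b 020101 0406 7075626c6963")
MP_MODELS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}   # msgVersion -> MP Model
SECURITY_LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}

def ber_tlv(buf, pos):
    """Decode one BER TLV (single-byte tag) at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_int(value):
    return int.from_bytes(value, "big", signed=True)

def dispatch(msg):
    """Dispatcher step: determine msgVersion and select the MP Model (assumed layout)."""
    tag, body, _ = ber_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    _, ver, pos = ber_tlv(body, 0)
    version = ber_int(ver)
    if version not in MP_MODELS:
        raise ValueError("unsupported msgVersion %d" % version)
    return MP_MODELS[version], body, pos

def v3_abstract_elements(msg):
    """SNMPv3 MP Model step: msgGlobalData -> abstract data elements (per RFC 2262)."""
    model, body, pos = dispatch(msg)
    if model != "SNMPv3":
        raise ValueError("not an SNMPv3 message")
    _, gdata, pos = ber_tlv(body, pos)                 # msgGlobalData SEQUENCE
    fields, p = [], 0
    while p < len(gdata):
        _, value, p = ber_tlv(gdata, p)
        fields.append(value)
    msg_id, max_size, flags, sec_model = fields
    flags = flags[0]
    level = SECURITY_LEVELS.get(flags & 0x03)          # bit0 authFlag, bit1 privFlag
    if level is None:                                  # priv without auth: discard
        raise ValueError("invalid msgFlags 0x%02x" % flags)
    _, sec_params, _ = ber_tlv(body, pos)              # opaque here; the Security Model parses it
    return {"msgID": ber_int(msg_id), "msgMaxSize": ber_int(max_size), "msgFlags": flags,
            "reportable": bool(flags & 0x04), "securityModel": ber_int(sec_model),
            "securityLevel": level, "msgSecurityParameters": sec_params}
```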
A.2.2. Sending an SNMP Message to the Network
The Dispatcher in the SNMP engine interacts with a Message Processing
Model to prepare an outgoing message. For that it uses the following
primitives:
- for requests and notifications: prepareOutgoingMessage, as
described in section 4.4
is allowed to perform the requested operation on a specified managed
object. The Access Control Model specifies the rules by which access
control is determined.
The persistent data used for access control should be manageable
using SNMP, but the Access Control Model defines whether an
instantiation of the MIB is a conformance requirement.
The Access Control Model must provide the primitive isAccessAllowed.
B. Issues (draft-06 only; not present in RFC 2261)
The issues list will be deleted when it is time to publish as an RFC.
B.1. Open Issues
- we need a mechanism for a manager to be able to discover what
securityModels are supported by a particular implementation
B.2. Change Log
Current version
- Minor layout and editorial clarifications.
- Adjusted layout per RFC 2223 and added copyright statements
required by RFC 2026.
- Removed duplicate description of common primitives.
C. Full Copyright Statement (Appendix B in RFC 2261)
Copyright (C) The Internet Society (1997). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be