Developer CD Series 1999 February: Tool Chest

home *** CD-ROM | disk | FTP | other *** search

/ Developer CD Series 1999 February: Tool Chest / Dev.CD Feb 99 TC.toast / Tool Chest / Networking / SNMP / Network Management (SNMP) / SNMP Specific files / Drafts / draft-ietf-snmpsec-mib-02.txt < prev next >

Wrap

Text File | 1992-01-28 | 58.2 KB | 1,796 lines | [TEXT/MSWD]

Internet Draft SNMP Party MIB January 1992 Definitions of Managed Objects for Administration of SNMP Parties 12 January 1992 Keith McCloghrie Hughes LAN Systems, Inc. kzm@hls.com James R. Davin MIT Laboratory for Computer Science jrd@ptt.lcs.mit.edu and James M. Galvin Trusted Information Systems, Inc. galvin@tis.com 1. Abstract This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based internets. In particular, it describes a representation of the SNMP parties defined in [8] as objects defined according to the Internet Standard SMI [1]. These definitions are consistent with the SNMP Security protocols set forth in [9]. 2. Status of this Memo This draft document will be submitted to the RFC editor as an extension to the SNMP MIB. Distribution of this memo is unlimited. Please send comments to the authors. This memo does not specify a standard for the Internet community. McCloghrie/Davin/Galvin [Page 1] Internet Draft SNMP Party MIB January 1992 3. The Network Management Framework The Internet-standard Network Management Framework consists of three components. They are: RFC 1155 which defines the SMI, the mechanisms used for describing and naming objects for the purpose of management. RFC 1212 defines a more concise description mechanism, which is wholly consistent with the SMI. RFC 1156 which defines MIB-I, the core set of managed objects for the Internet suite of protocols. RFC 1213, defines MIB-II, an evolution of MIB-I based on implementation experience and new operational requirements. RFC 1157 which defines the SNMP, the protocol used for network access to managed objects. The Framework permits new objects to be defined for the purpose of experimentation and evaluation. 4. Objects Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the subset of Abstract Syntax Notation One (ASN.1) [5] defined in the SMI. In particular, each object has a name, a syntax, and an encoding. The name is an object identifier, an administratively assigned name, which specifies an object type. The object type together with an object instance serves to uniquely identify a specific instantiation of the object. For human convenience, we often use a textual string, termed the OBJECT DESCRIPTOR, to also refer to the object type. The syntax of an object type defines the abstract data structure corresponding to that object type. The ASN.1 language is used for this purpose. However, the SMI [1] purposely restricts the ASN.1 constructs which may be used. These restrictions are explicitly made for simplicity. The encoding of an object type is simply how that object type is represented using the object type's syntax. Implicitly McCloghrie/Davin/Galvin [Page 2] Internet Draft SNMP Party MIB January 1992 tied to the notion of an object type's syntax and encoding is how the object type is represented when being transmitted on the network. The SMI specifies the use of the basic encoding rules of ASN.1 [6], subject to the additional requirements imposed by the SNMP. 4.1. Format of Definitions Section 6 contains the specification of all object types contained in this MIB module. The object types are defined using the conventions defined in the SMI, as amended by the extensions specified in [7]. 5. Overview 5.1. Structure This MIB contains the definitions for four tables, a number of OBJECT IDENTIFIER assignments, and some conventions for initial use with some of the assignments. The four tables are the SNMP Party Public database, the SNMP Party Secrets database, the SNMP Access Control database, and the SNMP Views database. The SNMP Party Public database and the SNMP Party Secrets database are defined as separate tables specifically for the purpose of positioning them in different parts of the MIB tree namespace. In particular, the SNMP Party Secrets database contains secret information, for which security demands that access to it be limited to parties which use both authentication and privacy. It is therefore positioned in a separate branch of the MIB tree, at the highest level possible, so as to provide for the easiest means of accommodating the required limitation. In contrast, the SNMP Party Public database contains public information about SNMP parties. In particular, it contains the parties' clocks which need to be read-able (but not write-able) by unauthenticated queries, since an unauthenticated query of a party's clock is the first step of the procedure to re-establish clock synchronization (see [9]). McCloghrie/Davin/Galvin [Page 3] Internet Draft SNMP Party MIB January 1992 5.2. Instance Identifiers In all four of the tables in this MIB, the object instances are identified by values which have an underlying syntax of OBJECT IDENTIFIER. For the Party Public database and the Party Secrets database, the index variable is the party identifier. For the Access Control database and the Views database, two index variables are defined, both of which have a syntax of OBJECT IDENTIFIER. (See the INDEX clauses in the MIB definitions below for the specific variables.) According to RFC 1212 [7], section 4.1.6, the syntax of the object(s) specified in an INDEX clause indicates how to form the instance-identifier. In particular, for each such object which is object identifier-valued, its contribution to the instance identifier is: `n+1' sub-identifiers, where `n' is the number of sub- identifiers in the value (the first sub-identifier is `n' itself, following this, each sub-identifier in the value is copied); 5.3. Textual Conventions The datatypes, Party, Clock, and TAddress, are used as textual conventions in this document. These textual conventions have NO effect on either the syntax nor the semantics of any managed object. Objects defined using these conventions are always encoded by means of the rules that define their primitive type. Hence, no changes to the SMI or the SNMP are necessary to accommodate these textual conventions which are adopted merely for the convenience of readers. McCloghrie/Davin/Galvin [Page 4] Internet Draft SNMP Party MIB January 1992 6. Definitions RFCxxxx-MIB DEFINITIONS ::= BEGIN IMPORTS system, mib, private, internet FROM RFC1155-SMI OBJECT-TYPE FROM RFC-1212; snmpParties OBJECT IDENTIFIER ::= { internet 5 } partyAdmin OBJECT IDENTIFIER ::= { snmpParties 1 } partyPublic OBJECT IDENTIFIER ::= { snmpParties 2 } snmpSecrets OBJECT IDENTIFIER ::= { internet 6 } partyPrivate OBJECT IDENTIFIER ::= { snmpSecrets 1 } partyAccess OBJECT IDENTIFIER ::= { snmpSecrets 2 } partyViews OBJECT IDENTIFIER ::= { snmpSecrets 3 } Clock ::= INTEGER (0..2147483647) -- a textual convention denoting -- a non-negative integer which counts the -- time in seconds since some epoch. Party ::= OBJECT IDENTIFIER -- a textual convention denoting -- a SNMP Party identifier --- definitions of Authentication Protocols partyProtocols OBJECT IDENTIFIER ::= { partyAdmin 1 } noAuth -- The protocol without authentication OBJECT IDENTIFIER ::= { partyProtocols 1 } noPriv -- The protocol without privacy OBJECT IDENTIFIER ::= { partyProtocols 3 } desPrivProtocol -- The DES Privacy Protocol OBJECT IDENTIFIER ::= { partyProtocols 4 } md5AuthProtocol -- The MD5 Authentication Protocol OBJECT IDENTIFIER ::= { partyProtocols 5 } McCloghrie/Davin/Galvin [Page 5] Internet Draft SNMP Party MIB January 1992 --- definitions of Transport Domains transportDomains OBJECT IDENTIFIER ::= { partyAdmin 2 } rfcXxxxDomain --- RFC-Xxxx (SNMP over UDP, using SNMP Parties) OBJECT IDENTIFIER ::= { transportDomains 1 } TAddress ::= OCTET STRING -- a textual convention denoting -- a transport service address. -- For rfcXxxxDomain, a TAddress is 6 octets long, the -- initial 4 octets containing the IP-address -- in network-byte order and the last 2 containing the -- UDP port in network-byte order. --- definitions of Proxy Domains proxyDomains OBJECT IDENTIFIER ::= { partyAdmin 3 } noProxy --- Local operation OBJECT IDENTIFIER ::= { proxyDomains 1 } McCloghrie/Davin/Galvin [Page 6] Internet Draft SNMP Party MIB January 1992 --- Definition of Initial Party Identifiers -- When devices are installed, they need to be configured -- with an initial set of SNMP parties. The configuration -- of SNMP parties requires (among other things) the -- assignment of several OBJECT IDENTIFIERs. Any local network -- administration can obtain the delegated authority necessary -- to assign its own OBJECT IDENTIFIERs. However, to cater -- for those administrations who have not obtained the necessary -- authority, this document allocates a branch of the naming -- tree for use with the following conventions. initialPartyId OBJECT IDENTIFIER ::= { partyAdmin 4 } -- Note these are identified as "initial" party identifiers -- since these allow secure SNMP communication to proceed, -- thereby allowing further SNMP parties to be configured -- through use of the SNMP itself. -- The following definitions identify a party identifier, -- and specify the initial values of various object -- instances indexed by that identifier. In addition, -- the initial MIB view and access control parameters -- assigned, by convention, to these parties are identified. -- Party Identifiers for use as initial SNMP parties -- at IP address a.b.c.d -- partyIdentity = { initialPartyId a b c d 1 } -- partyTDomain = { rfcXxxxDomain } -- partyTAddress = a.b.c.d, 161 -- partyProxyFor = { noProxy } -- partyAuthProtocol = { noAuth } -- partyAuthClock = 0 -- partySecretsAuthPrivate = ''h (the empty string) -- partyAuthPublic = ''h (the empty string) -- partyAuthLifetime = 0 -- partyPrivProtocol = { noPriv } -- partySecretsPrivPrivate = ''h (the empty string) -- partyPrivPublic = ''h (the empty string) McCloghrie/Davin/Galvin [Page 7] Internet Draft SNMP Party MIB January 1992 -- partyIdentity = { initialPartyId a b c d 2 } -- partyTDomain = { rfcXxxxDomain } -- partyTAddress = 0.0.0.0, 0 -- partyProxyFor = { noProxy } -- partyAuthProtocol = { noAuth } -- partyAuthClock = 0 -- partySecretsAuthPrivate = ''h (the empty string) -- partyAuthPublic = ''h (the empty string) -- partyAuthLifetime = 0 -- partyPrivProtocol = { noPriv } -- partySecretsPrivPrivate = ''h (the empty string) -- partyPrivPublic = ''h (the empty string) -- partyIdentity = { initialPartyId a b c d 3 } -- partyTDomain = { rfcXxxxDomain } -- partyTAddress = a.b.c.d, 161 -- partyProxyFor = { noProxy } -- partyAuthProtocol = { md5AuthProtocol } -- partyAuthClock = 0 -- partySecretsAuthPrivate = assigned by local administration -- partyAuthPublic = ''h (the empty string) -- partyAuthLifetime = 300 -- partyPrivProtocol = { noPriv } -- partySecretsPrivPrivate = ''h (the empty string) -- partyPrivPublic = ''h (the empty string) -- partyIdentity = { initialPartyId a b c d 4 } -- partyTDomain = { rfcXxxxDomain } -- partyTAddress = 0.0.0.0, 0 -- partyProxyFor = { noProxy } -- partyAuthProtocol = { md5AuthProtocol } -- partyAuthClock = 0 -- partySecretsAuthPrivate = assigned by local administration -- partyAuthPublic = ''h (the empty string) -- partyAuthLifetime = 300 -- partyPrivProtocol = { noPriv } -- partySecretsPrivPrivate = ''h (the empty string) -- partyPrivPublic = ''h (the empty string) McCloghrie/Davin/Galvin [Page 8] Internet Draft SNMP Party MIB January 1992 -- partyIdentity = { initialPartyId a b c d 5 } -- partyTDomain = { rfcXxxxDomain } -- partyTAddress = a.b.c.d, 161 -- partyProxyFor = { noProxy } -- partyAuthProtocol = { md5AuthProtocol } -- partyAuthClock = 0 -- partySecretsAuthPrivate = assigned by local administration -- partyAuthPublic = ''h (the empty string) -- partyAuthLifetime = 300 -- partyPrivProtocol = { desPrivProtocol } -- partySecretsPrivPrivate = assigned by local administration -- partyPrivPublic = ''h (the empty string) -- partyIdentity = { initialPartyId a b c d 6 } -- partyTDomain = { rfcXxxxDomain } -- partyTAddress = 0.0.0.0, 0 -- partyProxyFor = { noProxy } -- partyAuthProtocol = { md5AuthProtocol } -- partyAuthClock = 0 -- partySecretsAuthPrivate = assigned by local administration -- partyAuthPublic = ''h (the empty string) -- partyAuthLifetime = 300 -- partyPrivProtocol = { desPrivProtocol } -- partySecretsPrivPrivate = assigned by local administration -- partyPrivPublic = ''h (the empty string) -- The initial access control parameters assigned, by -- convention, to these parties are: -- aclTarget = { initialPartyId a b c d 1 } -- aclSubject = { initialPartyId a b c d 2 } -- aclPrivileges = 3 (Get & Get-Next) -- aclTarget = { initialPartyId a b c d 2 } -- aclSubject = { initialPartyId a b c d 1 } -- aclPrivileges = 20 (GetResponse & Trap) -- aclTarget = { initialPartyId a b c d 3 } -- aclSubject = { initialPartyId a b c d 4 } -- aclPrivileges = 11 (Get, Get-Next & Set) -- aclTarget = { initialPartyId a b c d 4 } -- aclSubject = { initialPartyId a b c d 3 } -- aclPrivileges = 20 (GetResponse & Trap) McCloghrie/Davin/Galvin [Page 9] Internet Draft SNMP Party MIB January 1992 -- aclTarget = { initialPartyId a b c d 5 } -- aclSubject = { initialPartyId a b c d 6 } -- aclPrivileges = 11 (Get, Get-Next & Set) -- aclTarget = { initialPartyId a b c d 6 } -- aclSubject = { initialPartyId a b c d 5 } -- aclPrivileges = 20 (GetResponse & Trap) -- The initial MIB views assigned, by convention, to -- these parties are: -- viewParty = { initialPartyId a b c d 1 } -- viewSubtree = { system } -- viewStatus = { included } -- viewMask = { ''h } -- viewParty = { initialPartyId a b c d 1 } -- viewSubtree = { snmpParties } -- viewStatus = { included } -- viewMask = { ''h } -- viewParty = { initialPartyId a b c d 3 } -- viewSubtree = { internet } -- viewStatus = { included } -- viewMask = { ''h } -- viewParty = { initialPartyId a b c d 3 } -- viewSubtree = { partyPrivate } -- viewStatus = { excluded } -- viewMask = { ''h } -- viewParty = { initialPartyId a b c d 5 } -- viewSubtree = { internet } -- viewStatus = { included } -- viewMask = { ''h } McCloghrie/Davin/Galvin [Page 10] Internet Draft SNMP Party MIB January 1992 -- The SNMP Party Public Database -- The non-secret party information partyTable OBJECT-TYPE SYNTAX SEQUENCE OF PartyEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "The SNMP Party Public database. An agent must ensure that there is, at all times, a one-to-one correspondence between entries in this table and entries in the partySecretsTable. The creation/deletion of instances in this table via SNMP Set-Requests is not allowed. Instead, entries in this table are created/deleted as a side-effect of the creation/deletion of corresponding entries in the partySecretsTable. Thus, a SNMP Set-Request whose varbinds contain a reference to a non-existent instance of a partyTable object, but no reference to the corresponding instance of a partySecretsTable object, will be rejected." ::= { partyPublic 1 } partyEntry OBJECT-TYPE SYNTAX PartyEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Locally held non-secret information about a particular SNMP party, which is available for access by network management. Note that this does not include all locally held information about a party; in particular, it does not include the 'last-timestamp' (i.e., the timestamp of the last authentic message received) or the 'nonce'." INDEX { partyIdentity } ::= { partyTable 1 } PartyEntry ::= SEQUENCE { McCloghrie/Davin/Galvin [Page 11] Internet Draft SNMP Party MIB January 1992 partyIdentity Party, partyTDomain OBJECT IDENTIFIER, partyTAddress TAddress, partyProxyFor Party, partyAuthProtocol OBJECT IDENTIFIER, partyAuthClock Clock, partyAuthPublic OCTET STRING, partyAuthLifetime INTEGER, partyPrivProtocol OBJECT IDENTIFIER, partyPrivPublic OCTET STRING, partyMaxMessageSize INTEGER, partyStatus INTEGER } partyIdentity OBJECT-TYPE SYNTAX Party ACCESS read-write STATUS mandatory DESCRIPTION "A party identifier uniquely identifying a particular SNMP party." ::= { partyEntry 1 } partyTDomain OBJECT-TYPE SYNTAX OBJECT IDENTIFIER ACCESS read-write STATUS mandatory DESCRIPTION "Indicates the kind of transport service by which the party receives network management traffic. An example of a transport domain is 'rfcXxxxDomain' (SNMP over UDP)." DEFVAL { rfcXxxxDomain } McCloghrie/Davin/Galvin [Page 12] Internet Draft SNMP Party MIB January 1992 ::= { partyEntry 2 } partyTAddress OBJECT-TYPE SYNTAX TAddress ACCESS read-write STATUS mandatory DESCRIPTION "The transport service address by which the party receives network management traffic, formatted according to the corresponding value of partyTDomain. For rfcXxxxDomain, partyTAddress is formatted as a 4-octet IP Address concatenated with a 2-octet UDP port number." DEFVAL { '000000000000'h } ::= { partyEntry 3 } partyProxyFor OBJECT-TYPE SYNTAX Party ACCESS read-write STATUS mandatory DESCRIPTION "The identity of a second SNMP party or other management entity with which interaction may be necessary to satisfy received management requests. In this context, the distinguished value { noProxy } signifies that the party responds to received management requests by entirely local mechanisms." DEFVAL { noProxy } ::= { partyEntry 4 } partyAuthProtocol OBJECT-TYPE SYNTAX OBJECT IDENTIFIER ACCESS read-write STATUS mandatory DESCRIPTION "The authentication protocol by which all messages generated by the party are authenticated as to origin and integrity. In this context, the value { noAuth } signifies that messages generated by the party are not authenticated." DEFVAL { md5AuthProtocol } ::= { partyEntry 5 } partyAuthClock OBJECT-TYPE SYNTAX Clock McCloghrie/Davin/Galvin [Page 13] Internet Draft SNMP Party MIB January 1992 ACCESS read-write STATUS mandatory DESCRIPTION "The authentication clock which represents the local notion of the current time specific to the party. This value must not be decremented unless the party's secret information is changed simultaneously, at which time the party's nonce and last-timestamp values must also be reset to zero, and the new value of the clock, respectively." DEFVAL { 0 } ::= { partyEntry 6 } partyAuthPublic OBJECT-TYPE SYNTAX OCTET STRING -- for md5AuthProtocol: (SIZE (0..16)) ACCESS read-write STATUS mandatory DESCRIPTION "A publically-readable value for the party. Depending on the party's authentication protocol, this value may be needed to support the party's authentication protocol. Alternatively, it may be used by a manager during the procedure for altering secret information about a party. (For example, by altering the value of an instance of this object in the same SNMP Set-Request used to update an instance of partyAuthPrivate, a subsequent Get-Request can determine if the Set- Request was successful in the event that no response to the Set-Request is received.) The length of the value is dependent on the party's authentication protocol. If not used by the authentication protocol, it is recommended that agents support values of any length up to and including the length of the corresponding partyAuthPrivate object." DEFVAL { ''h } -- the empty string ::= { partyEntry 7 } partyAuthLifetime OBJECT-TYPE SYNTAX INTEGER (0..2147483647) ACCESS read-write McCloghrie/Davin/Galvin [Page 14] Internet Draft SNMP Party MIB January 1992 STATUS mandatory DESCRIPTION "The lifetime (in units of seconds) which represents an administrative upper bound on acceptable delivery delay for protocol messages generated by the party." DEFVAL { 300 } ::= { partyEntry 8 } partyPrivProtocol OBJECT-TYPE SYNTAX OBJECT IDENTIFIER ACCESS read-write STATUS mandatory DESCRIPTION "The privacy protocol by which all protocol messages received by the party are protected from disclosure. In this context, the value { noPriv } signifies that messages received by the party are not protected." DEFVAL { noPriv } ::= { partyEntry 9 } partyPrivPublic OBJECT-TYPE SYNTAX OCTET STRING -- for desPrivProtocol: (SIZE (0..16)) ACCESS read-write STATUS mandatory DESCRIPTION "A publically-readable value for the party. Depending on the party's privacy protocol, this value may be needed to support the party's privacy protocol. Alternatively, it may be used by a manager as a part of its procedure for altering secret information about a party. (For example, by altering the value of an instance of this object in the same SNMP Set-Request used to update an instance of partyPrivPrivate, a subsequent Get-Request can determine if the Set-Request was successful in the event that no response to the Set-Request is received.) The length of the value is dependent on the party's privacy protocol. If not used by the privacy protocol, it is recommended that agents support values of any length up to and including McCloghrie/Davin/Galvin [Page 15] Internet Draft SNMP Party MIB January 1992 the length of the corresponding partyPrivPrivate object." DEFVAL { ''h } -- the empty string ::= { partyEntry 10 } partyMaxMessageSize OBJECT-TYPE SYNTAX INTEGER (484..65507) ACCESS read-write STATUS mandatory DESCRIPTION "The maximum length in octets of a SNMP message which this party will accept. For parties which execute at an agent, the agent initializes this object to the maximum length supported by the agent, and does not let the object be set to any larger value. For parties which do not execute at the agent, the agent must allow the manager to set this object to any legal value, even if it is larger than the agent can generate." DEFVAL { 484 } ::= { partyEntry 11 } partyStatus OBJECT-TYPE SYNTAX INTEGER { valid(1), invalid(2) } ACCESS read-only STATUS mandatory DESCRIPTION "The status of the locally-held information on a particular SNMP party. The instance of this object for a particular party and the instance of partySecretsStatus for the same party always have the same value. This object will typically provide unrestricted read-only access to the status of parties. In contrast, partySecretsStatus will typically provide restricted read-write access to the status of parties." ::= { partyEntry 12 } McCloghrie/Davin/Galvin [Page 16] Internet Draft SNMP Party MIB January 1992 -- The SNMP Party Secrets Database -- The secret party information partySecretsTable OBJECT-TYPE SYNTAX SEQUENCE OF PartySecretsEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "The SNMP Party Secrets database." ::= { partyPrivate 1 } partySecretsEntry OBJECT-TYPE SYNTAX PartySecretsEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Locally held secret information about a particular SNMP party, which is available for access by network management. When a SNMP Set-Request is used to update the values of instances of objects in this table, it is recommended that the same SNMP Set-Request also alter the value of a non-secret object instance (e.g., an instance of partyAuthPublic or partyPrivPublic). This allows a Get-Request of that non-secret object instance to determine if the Set-Request was successful in the event that no response which matches the Set-Request, is received." INDEX { partySecretsIdentity } ::= { partySecretsTable 1 } PartySecretsEntry ::= SEQUENCE { partySecretsIdentity Party, partySecretsAuthPrivate OCTET STRING, partySecretsPrivPrivate OCTET STRING, partySecretsStatus INTEGER } McCloghrie/Davin/Galvin [Page 17] Internet Draft SNMP Party MIB January 1992 partySecretsIdentity OBJECT-TYPE SYNTAX Party ACCESS read-write STATUS mandatory DESCRIPTION "A party identifier uniquely identifying a particular SNMP party." ::= { partySecretsEntry 1 } partySecretsAuthPrivate OBJECT-TYPE SYNTAX OCTET STRING -- for md5AuthProtocol: (SIZE (16)) ACCESS read-write STATUS mandatory DESCRIPTION "An encoding of the party's private authentication key which may be needed to support the authentication protocol. Although the value of this variable may be altered by a management operation (e.g., a SNMP Set-Request), its value can never be retrieved by a management operation: when read, the value of this variable is the zero length OCTET STRING. The value of this variable represents the private authentication key indirectly (i.e., NOT directly) according to an encoding. The encoding is the exclusive-OR of the old private authentication key prior to an alteration with the new private authentication key after the alteration. In calculating the exclusive-OR, the old key is padded with zeros if shorter than the new key. If no value for the old key exists, a zero-length OCTET STRING is used in the calculation." DEFVAL { ''h } -- the empty string ::= { partySecretsEntry 2 } partySecretsPrivPrivate OBJECT-TYPE SYNTAX OCTET STRING -- for desPrivProtocol: (SIZE (16)) ACCESS read-write STATUS mandatory DESCRIPTION "An encoding of the party's private encryption key which may be needed to support the privacy protocol. Although the value of this variable may McCloghrie/Davin/Galvin [Page 18] Internet Draft SNMP Party MIB January 1992 be altered by a management operation (e.g., a SNMP Set-Request), its value can never be retrieved by a management operation: when read, the value of this variable is the zero length OCTET STRING. The value of this variable represents the private encryption key indirectly (i.e., NOT directly) according to an encoding. The encoding is the exclusive-OR of the old private encryption key prior to an alteration with the new private encryption key after the alteration. In calculating the exclusive-OR, the old key is padded with zeros if shorter than the new key. If no value for the old key exists, a zero-length OCTET STRING is used in the calculation." DEFVAL { ''h } -- the empty string ::= { partySecretsEntry 3 } partySecretsStatus OBJECT-TYPE SYNTAX INTEGER { valid(1), invalid(2) } ACCESS read-write STATUS mandatory DESCRIPTION "The status of the locally-held information on a particular SNMP party. Setting an instance of this object to the value 'valid(1)' has the effect of ensuring that valid local knowledge exists for the corresponding party. For valid local knowledge to exist, there must be corresponding instances of each object in this table and in the partyTable. Thus, the creation of instances in the partyTable (but not in the aclTable or viewTable) occurs as a direct result of the creation of instances in this table. Setting an instance of this object to the value 'invalid(2)' has the effect of invalidating all local knowledge of the corresponding party, including the invalidating of any/all entries in the partyTable, the partySecretsTable, the aclTable, and the viewTable which reference said party. It is an implementation-specific matter as to McCloghrie/Davin/Galvin [Page 19] Internet Draft SNMP Party MIB January 1992 whether the agent removes an invalidated entry from the table. Accordingly, management stations must be prepared to receive from agents tabular information corresponding to entries not currently in use. Proper interpretation of such entries requires examination of the relevant partySecretsStatus object." DEFVAL { valid } ::= { partySecretsEntry 4 } -- The SNMP Access Privileges Database -- Implementation of this group of objects is mandatory. -- It allows the SNMP itself to be used to configure new SNMP -- parties, or to manipulate the access privileges of existing -- parties. aclTable OBJECT-TYPE SYNTAX SEQUENCE OF AclEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "The access privileges database." ::= { partyAccess 1 } aclEntry OBJECT-TYPE SYNTAX AclEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "The access privileges for a particular requesting SNMP party in accessing a particular target SNMP party." INDEX { aclTarget, aclSubject } ::= { aclTable 1 } AclEntry ::= SEQUENCE { aclTarget Party, aclSubject McCloghrie/Davin/Galvin [Page 20] Internet Draft SNMP Party MIB January 1992 Party, aclPrivileges INTEGER, aclStatus INTEGER } aclTarget OBJECT-TYPE SYNTAX Party ACCESS read-write STATUS mandatory DESCRIPTION "The target SNMP party whose performance of management operations is constrained by this set of access privileges." ::= { aclEntry 1 } aclSubject OBJECT-TYPE SYNTAX Party ACCESS read-write STATUS mandatory DESCRIPTION "The subject SNMP party whose requests for management operations to be performed is constrained by this set of access privileges." ::= { aclEntry 2 } aclPrivileges OBJECT-TYPE SYNTAX INTEGER (0..31) ACCESS read-write STATUS mandatory DESCRIPTION "The access privileges which govern what management operations a particular target party may perform when requested by a particular subject party. These privileges are specified as a sum of values, where each value specifies a SNMP PDU type by which the subject party may request a permitted operation. The value for a particular PDU type is computed as 2 raised to the value of the ASN.1 context-specific tag for the appropriate SNMP PDU type. Thus, the values (for the tags defined in RFC 1157) are: Get : 1 McCloghrie/Davin/Galvin [Page 21] Internet Draft SNMP Party MIB January 1992 GetNext : 2 GetResponse : 4 Set : 8 Trap : 16 The null set is represented by the value zero." DEFVAL { 3 } -- Get & Get-Next ::= { aclEntry 3 } aclStatus OBJECT-TYPE SYNTAX INTEGER { valid(1), invalid(2) } ACCESS read-write STATUS mandatory DESCRIPTION "The status of the access privileges for a particular requesting SNMP party in accessing a particular target SNMP party. Setting an instance of this object to the value 'invalid(2)' has the effect of invalidating the corresponding access privileges. It is an implementation-specific matter as to whether the agent removes an invalidated entry from the table. Accordingly, management stations must be prepared to receive from agents tabular information corresponding to entries not currently in use. Proper interpretation of such entries requires examination of the relevant aclStatus object." DEFVAL { valid } ::= { aclEntry 4 } McCloghrie/Davin/Galvin [Page 22] Internet Draft SNMP Party MIB January 1992 -- The MIB View Database -- Implementation of this group of objects is mandatory. -- It allows the SNMP itself to be used to configure new SNMP -- parties, or to manipulate the MIB views of existing parties. viewTable OBJECT-TYPE SYNTAX SEQUENCE OF ViewEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "The table contained in the local database which defines local MIB views. Each SNMP party has a single MIB view which is defined by two collections of view subtrees: the included view subtrees, and the excluded view subtrees. Every such subtree, both included and excluded, is defined in this table. To determine if a particular object instance is in a particular SNMP party's MIB view, compare the object instance's Object Identifier with each entry (for this party) in this table. If none match, then the object instance is not in the MIB view. If one or more match, then the object instance is included in, or excluded from, the MIB view according to the value of viewStatus in the entry whose value of viewSubtree has the most sub-identifiers. If multiple entries match and have the same number of sub-identifiers, then the lexicographically greatest instance of viewStatus determines the inclusion or exclusion. An object instance's Object Identifier X matches an entry in this table when the number of sub- identifiers in X is at least as many as in the value of viewSubtree for the entry, and each sub- identifier in the value of viewSubtree matches its corresponding sub-identifier in X. Two sub- identifiers match either if the corresponding bit of viewMask is zero (the 'wild card' value), or if they are equal. Due to this 'wild card' capability, we introduce McCloghrie/Davin/Galvin [Page 23] Internet Draft SNMP Party MIB January 1992 the term, a 'family' of view subtrees, to refer to the set of subtrees defined by a particular combination of values of viewSubtree and viewMask. In the case where no 'wild card' is defined in viewMask, the family of view subtrees reduces to a single view subtree." ::= { partyViews 1 } viewEntry OBJECT-TYPE SYNTAX ViewEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Information on a particular family of view subtrees included in or excluded from a particular SNMP party's MIB view." INDEX { viewParty, viewSubtree } ::= { viewTable 1 } ViewEntry ::= SEQUENCE { viewParty Party, viewSubtree OBJECT IDENTIFIER, viewStatus INTEGER, viewMask OCTET STRING } viewParty OBJECT-TYPE SYNTAX Party ACCESS read-write STATUS mandatory DESCRIPTION "The SNMP party whose single MIB view includes or excludes a particular family of view subtrees." ::= { viewEntry 1 } viewSubtree OBJECT-TYPE SYNTAX OBJECT IDENTIFIER ACCESS read-write STATUS mandatory DESCRIPTION McCloghrie/Davin/Galvin [Page 24] Internet Draft SNMP Party MIB January 1992 "The view subtree which, in combination with the corresponding instance of viewMask, defines a family of view subtrees. This family is included in, or excluded from the particular SNMP party's MIB view, according to the value of the corresponding instance of viewStatus." ::= { viewEntry 2 } viewStatus OBJECT-TYPE SYNTAX INTEGER { included(1), excluded(2), invalid(3) } ACCESS read-write STATUS mandatory DESCRIPTION "The status of a particular family of view subtrees within the particular SNMP party's MIB view. The value 'included(1)' indicates that the corresponding instances of viewSubtree and viewMask define a family of view subtrees included in the MIB view. The value 'excluded(2)' indicates that the corresponding instances of viewSubtree and viewMask define a family of view subtrees excluded from the MIB view. Setting an instance of this object to the value 'invalid(2)' has the effect of invalidating the presence or absence of the corresponding family of view subtrees in the corresponding SNMP party's MIB view. It is an implementation-specific matter as to whether the agent removes an invalidated entry from the table. Accordingly, management stations must be prepared to receive from agents tabular information corresponding to entries not currently in use. Proper interpretation of such entries requires examination of the relevant viewStatus object." DEFVAL { included } ::= { viewEntry 3 } McCloghrie/Davin/Galvin [Page 25] Internet Draft SNMP Party MIB January 1992 viewMask OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..16)) ACCESS read-write STATUS mandatory DESCRIPTION "The bit mask which, in combination with the corresponding instance of viewSubtree, defines a family of view subtrees. Each bit of this bit mask corresponds to a sub- identifier of viewSubtree, with the most significant bit of the i-th octet of this octet string value corresponding to the (8*i - 7)-th sub-identifier, and the least significant bit of the i-th octet of this octet string corresponding to the (8*i)-th sub-identifier. Each bit of this bit mask specifies whether or not the corresponding sub-identifiers must match when determining if an Object Identifier is in this family of view subtrees; a '1' indicates that an exact match must occur; a '0' indicates 'wild card', i.e., any sub-identifier value matches. Thus, the Object Identifier X of an object instance is contained in a family of view subtrees if the following criteria is met: for each sub-identifier of the value of viewSubtree, either: the i-th bit of viewMask is 0, or the i-th sub-identifier of X is equal to the i-th sub-identifier of the value of viewSubtree. If the value of this bit mask is M bits long and there are more than M sub-identifiers in the corresponding instance of viewSubtree, then the bit mask is extended with 1's to be the required length. Note that when the value of this object is the zero-length string, this extension rule results in McCloghrie/Davin/Galvin [Page 26] Internet Draft SNMP Party MIB January 1992 a mask of all-1's being used (i.e., no 'wild card'), and the family of view subtrees is the one view subtree uniquely identified by the corresponding instance of viewSubtree." DEFVAL { ''h } ::= { viewEntry 4 } END McCloghrie/Davin/Galvin [Page 27] Internet Draft SNMP Party MIB January 1992 7. Acknowledgments This document was produced on behalf of the SNMP Security Working Group of the Internet Engineering Task Force. The authors wish to thank the members of the working group, and others who contributed to this effort. McCloghrie/Davin/Galvin [Page 28] Internet Draft SNMP Party MIB January 1992 8. References [1] M.T. Rose and K. McCloghrie, Structure and Identification of Management Information for TCP/IP-based internets, Internet Working Group Request for Comments 1155. Network Information Center, SRI International, Menlo Park, California, (May, 1990). [2] K. McCloghrie and M.T. Rose, Management Information Base for Network Management of TCP/IP-based internets, Internet Working Group Request for Comments 1156. Network Information Center, SRI International, Menlo Park, California, (May, 1990). [3] J.D. Case, M.S. Fedor, M.L. Schoffstall, and J.R. Davin, Simple Network Management Protocol, Internet Working Group Request for Comments 1157. Network Information Center, SRI International, Menlo Park, California, (May, 1990). [4] K. McCloghrie, M.T. Rose (editors), Management Information Base for Network Management of TCP/IP-based internets, Internet Working Group Request for Comments 1213. Network Information Center, SRI International, Menlo Park, California, (March, 1991). [5] Information processing systems - Open Systems Interconnection - Specification of Abstract Syntax Notation One (ASN.1), International Organization for Standardization. International Standard 8824, (December, 1987). [6] Information processing systems - Open Systems Interconnection - Specification of Basic Encoding Rules for Abstract Notation One (ASN.1), International Organization for Standardization. International Standard 8825, (December, 1987). [7] M.T. Rose, K. McCloghrie (editors), Concise MIB Definitions, Internet Working Group Request for Comments 1212. Network Information Center, SRI International, Menlo Park, California, (March, 1991). [8] J.R. Davin, K. McCloghrie, J.M. Galvin, SNMP Administrative Model, RFC Xxxx (in preparation), McCloghrie/Davin/Galvin [Page 29] Internet Draft SNMP Party MIB January 1992 (December, 1991). [9] J.M. Galvin, K. McCloghrie, J.R. Davin, SNMP Security Protocol, RFC Yyyy (in preparation), (December, 1991). McCloghrie/Davin/Galvin [Page 30] Internet Draft SNMP Party MIB January 1992 Table of Contents 1 Abstract .............................................. 1 2 Status of this Memo ................................... 1 3 The Network Management Framework ...................... 2 4 Objects ............................................... 2 4.1 Format of Definitions ............................... 3 5 Overview .............................................. 3 5.1 Structure ........................................... 3 5.2 Instance Identifiers ................................ 4 5.3 Textual Conventions ................................. 4 6 Definitions ........................................... 5 6.1 The SNMP Party Public Database ...................... 11 6.2 The SNMP Party Secrets Database ..................... 17 6.3 The SNMP Access Privileges Database ................. 20 6.4 The MIB View Database ............................... 23 7 Acknowledgments ....................................... 28 8 References ............................................ 29 McCloghrie/Davin/Galvin [Page 31]