idnits 2.17.1 draft-ietf-opsawg-snmp-engineid-discovery-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 385. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 396. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 403. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 409. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year (Using the creation date from RFC3411, updated by this document, for RFC5378 checks: 2001-02-27) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 14, 2008) is 5758 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFCXXXX' is mentioned on line 262, but not defined ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126) == Outdated reference: A later version (-14) exists of draft-ietf-isms-transport-security-model-08 Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Schoenwaelder 3 Internet-Draft Jacobs University Bremen 4 Updates: 3411 (if approved) July 14, 2008 5 Intended status: Standards Track 6 Expires: January 15, 2009 8 Simple Network Management Protocol (SNMP) Context EngineID Discovery 9 draft-ietf-opsawg-snmp-engineid-discovery-03.txt 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on January 15, 2009. 36 Copyright Notice 38 Copyright (C) The IETF Trust (2008). 40 Abstract 42 The Simple Network Management Protocol (SNMP) version three (SNMPv3) 43 requires that an application knows the identifier (snmpEngineID) of 44 the remote SNMP protocol engine in order to retrieve or manipulate 45 objects maintained on the remote SNMP entity. 47 This document introduces a well-known localEngineID and a discovery 48 mechanism which can be used to learn the snmpEngineID of a remote 49 SNMP protocol engine. The proposed mechanism is independent of the 50 features provided by SNMP security models and may also be used by 51 other protocol interfaces providing access to managed objects. 53 This document updates RFC 3411. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 3. Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . 4 60 3.1. Local EngineID . . . . . . . . . . . . . . . . . . . . . . 5 61 3.2. EngineID Discovery . . . . . . . . . . . . . . . . . . . . 5 62 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 63 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 64 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 65 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 66 7.1. Normative References . . . . . . . . . . . . . . . . . . . 8 67 7.2. Informative References . . . . . . . . . . . . . . . . . . 8 68 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 9 69 Intellectual Property and Copyright Statements . . . . . . . . . . 10 71 1. Introduction 73 To retrieve or manipulate management information using the third 74 version of the Simple Network Management Protocol (SNMPv3) [RFC3410], 75 it is necessary to know the identifier of the remote SNMP protocol 76 engine, the so called snmpEngineID [RFC3411]. While an appropriate 77 snmpEngineID can in principle be configured on each management 78 application for each SNMP agent, it is often desirable to discover 79 the snmpEngineID automatically. 81 This document introduces a discovery mechanism which can be used to 82 learn the snmpEngineID of a remote SNMP protocol engine. The 83 proposed mechanism is independent of the features provided by SNMP 84 security models. The mechanism has been designed to co-exist with 85 discovery mechanisms that may exist in SNMP security models, such as 86 the authoritative engine identifier discovery of the User-based 87 Security Model (USM) of SNMP [RFC3414]. 89 This document updates RFC 3411 [RFC3411] by clarifying the IANA rules 90 for the maintenance of the SnmpEngineID format registry. 92 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 93 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 94 document are to be interpreted as described in RFC 2119 [RFC2119]. 96 2. Background 98 Within an administrative domain, an SNMP engine is uniquely 99 identified by an snmpEngineID value [RFC3411]. An SNMP entity, which 100 consists of an SNMP engine and several SNMP applications, may provide 101 access to multiple contexts. 103 An SNMP context is a collection of management information accessible 104 by an SNMP entity. An item of management information may exist in 105 more than one context and an SNMP entity potentially has access to 106 many contexts [RFC3411]. A context is identified by the snmpEngineID 107 value of the entity hosting the management information (also called a 108 contextEngineID) and a context name which identifies the specific 109 context (also called a contextName). 111 To identify an individual item of management information within an 112 administrative domain, a four tuple is used consisting of 114 1. a contextEngineID, 115 2. a contextName, 116 3. an object type, and 117 4. its instance identification. 119 The last two elements are encoded in an object identifier (OID) 120 value. The contextName is a character string (following the 121 SnmpAdminString textual convention of the SNMP-FRAMEWORK-MIB 122 [RFC3411]) while the contextEngineID is an octet string constructed 123 according to the rules defined as part of the SnmpEngineID textual 124 convention of the SNMP-FRAMEWORK-MIB [RFC3411]. 126 The SNMP protocol operations and the protocol data units (PDUs) 127 operate on OIDs and thus deal with object types and instances 128 [RFC3416]. The SNMP architecture [RFC3411] introduces the concept of 129 a scopedPDU as a data structure containing a contextEngineID, a 130 contextName, and a PDU. The SNMP version 3 (SNMPv3) message format 131 uses ScopedPDUs to exchange management information [RFC3412]. 133 Within the SNMP framework, contextEngineIDs serve as end-to-end 134 identifiers. This becomes important in situations where SNMP proxies 135 are deployed to translate between protocol versions or to cross 136 middleboxes such as network address translators. In addition, 137 snmpEngineIDs separate the identification of an SNMP engine from the 138 transport addresses used to communicate with an SNMP engine. This 139 property can be used to correlate management information easily even 140 in situations where multiple different transports were used to 141 retrieve the information or where transport addresses can change 142 dynamically. 144 To retrieve data from an SNMPv3 agent, it is necessary to know the 145 appropriate contextEngineID. The User-based Security Model (USM) of 146 SNMPv3 provides a mechanism to discover the snmpEngineID of the 147 remote SNMP engine since this is needed for security processing 148 reasons. The discovered snmpEngineID can subsequently be used as a 149 contextEngineID in a ScopedPDU to access management information local 150 to the remote SNMP engine. Other security models, such as the 151 Transport Security Model (TSM) [I-D.TSM], lack such a procedure and 152 may use the discovery mechanism defined in this memo. 154 3. Procedure 156 The proposed discovery mechanism consists of two parts, namely (i) 157 the definition of a special well-known snmpEngineID value, called the 158 localEngineID, which always refers to a local default context, and 159 (ii) the definition of a procedure to acquire the snmpEngineID scalar 160 of the SNMP-FRAMEWORK-MIB [RFC3411] using the special well-known 161 local localEngineID value. 163 3.1. Local EngineID 165 An SNMP command responder implementing this specification MUST 166 register their pduTypes using the localEngineID snmpEngineID value 167 (defined below) using the registerContextEngineID() Abstract Service 168 Interface (ASI) defined in RFC 3412 [RFC3412]. This registration is 169 done in addition to the normal registration under the SNMP engine's 170 snmpEngineID. This is consistent with the SNMPv3 specifications 171 since they explicitly allow to register multiple engineIDs and 172 multiple pduTypes [RFC3412]. 174 The SnmpEngineID textual convention [RFC3411] defines that an 175 snmpEngineID value MUST be between 5 and 32 octets long. This 176 specification proposes to use the variable length format 3) and to 177 allocate the reserved, unused format value 6, using the enterprise ID 178 0 for the localEngineID. An ASN.1 definition for localEngineID would 179 look like this: 181 localEngineID OCTET STRING ::= '8000000006'H 183 The localEngineID value always provides access to the default context 184 of an SNMP engine. Note that the localEngineID value is intended to 185 be used as a special value for the contextEngineID field in the 186 ScopedPDU. It MUST NOT be used as a value to identify an SNMP 187 engine, that is this value MUST NOT be used in the snmpEngineID.0 188 scalar [RFC3418] or in the msgAuthoritativeEngineID field in the 189 securityParameters of the User-based Security Model (USM) [RFC3414]. 191 3.2. EngineID Discovery 193 Discovery of the snmpEngineID is done by sending a Read Class 194 protocol operation (see section 2.8 of [RFC3411]) to retrieve the 195 snmpEngineID scalar using the localEngineID defined above as a 196 contextEngineID value. Implementations SHOULD only perform this 197 discovery step when it is needed. In particular, if security models 198 are used that already discover the remote snmpEngineID (such as USM), 199 then no further discovery is necessary. The same is true in 200 situations where the application already knows a suitable 201 snmpEngineID value. 203 The procedure to discover the snmpEngineID of a remote SNMP engine 204 can be described as follows: 206 1. Check whether a suitable contextEngineID value is already known. 207 If yes, use the provided contextEngineID value and stop the 208 discovery procedure. 210 2. Check whether the selected security model supports discovery of 211 the remote snmpEngineID (e.g., USM with its discovery mechanism). 212 If yes, let the security model perform the discovery. If the 213 remote snmpEngineID value has been successfully determined, 214 assign it to the contextEngineID and stop the discovery 215 procedure. 216 3. Send a Read Class operation to the remote SNMP engine using the 217 localEngineID value as the contextEngineID in order to retrieve 218 the scalar snmpEngineID.0 of the SNMP-FRAMEWORK-MIB [RFC3411]. 219 If successful, set the contextEngineID to the retrieved value and 220 stop the discovery procedure. 221 4. Return an error indication that a suitable contextEngineID could 222 not be discovered. 224 The procedure outlined above is an example and can be modified to 225 retrieve more variables in step 3), such as the sysObjectID.0 scalar 226 or the snmpSetSerialNo.0 scalar of the SNMPv2-MIB [RFC3418]. 228 4. IANA Considerations 230 RFC 3411 requested IANA to create a registry for SnmpEngineID 231 formats. However, RFC 3411 did not ask IANA to record the initial 232 assignments made by RFC 3411 nor did RFC 3411 spell out the precise 233 allocation rules. To address this issue, the following rules are 234 hereby established. 236 IANA has to maintain a registry for SnmpEngineID formats. The first 237 four octets of an SnmpEngineID carry an enterprise number while the 238 fifth octet in a variable length SnmpEngineID value, called the 239 format octet, indicates how the following octets are formed. The 240 following format values were allocated in [RFC3411]: 242 Format Description References 243 ------- ----------- ---------- 244 0 reserved, unused [RFC3411] 245 1 IPv4 address [RFC3411] 246 2 IPv6 address [RFC3411] 247 3 MAC address [RFC3411] 248 4 administratively assigned text [RFC3411] 249 5 administratively assigned octets [RFC3411] 250 6-127 reserved, unused [RFC3411] 251 128-255 enterprise specific [RFC3411] 253 IANA can assign new format values out of the originally assigned and 254 reserved number space 1-127. For new assignments in this number 255 space, a specification is required as per [RFC5226]. The number 256 space 128-255 is enterprise specific and not controlled by IANA. 258 This document requested the following assignment: 260 Format Description References 261 ------- ----------- ---------- 262 6 local engine [RFCXXXX] 264 [RFC Ed.: replace XXXX with RFC number assigned to the document] 266 5. Security Considerations 268 SNMP version 3 (SNMPv3) provides cryptographic security to protect 269 devices from unauthorized access. This specification recommends to 270 use the security services provided by SNMPv3. In particular, it is 271 RECOMMENDED to protect the discovery exchange. 273 An snmpEngineID can contain information such as a device's MAC 274 address, IPv4 address, IPv6 address, or administratively assigned 275 text. An attacker located behind a router / firewall / network 276 address translator may not be able to obtain this information 277 directly and he therefore might discover snmpEngineID values in order 278 to obtain this kind of device information. 280 In many environments, making snmpEngineID values accessible via a 281 security level of noAuthNoPriv will benefit legitimate tools that try 282 to algorithmically determine some basic information about a device. 283 For this reason, the default View-based Access Control Model (VACM) 284 configuration in appendix A of RFC 3415 [RFC3415] gives noAuthNoPriv 285 read access to the snmpEngineID. Furthermore, the USM discovery 286 mechanism defined in RFC 3414 [RFC3414] uses unprotected messages and 287 reveals snmpEngineID values. 289 In highly secure environments, snmpEngineID values can be protected 290 by using the discovery mechanism described in this document together 291 with a security model that does not exchange cleartext SNMP messages, 292 such as the Transport Security Model (TSM) [I-D.TSM]. 294 The isAccessAllowed() abstract service primitive of the SNMP access 295 control subsystem does not take the contextEngineID into account when 296 checking access rights [RFC3411]. As a consequence, it is not 297 possible to define a special view for context engineID discovery. A 298 request with a localEngineID is thus treated like a request with the 299 correct snmpEngineID by the access control subsystem. This is inline 300 with the SNMPv3 design where the authenticated identity is the 301 securityName (together with the securityModel and securityLevel 302 information) and transport addresses or knowledge of contextEngineID 303 values do not impact to the access control decision. 305 6. Acknowledgments 307 Dave Perkins suggested to introduce a "local" contextEngineID during 308 the interim meeting of the ISMS working group in Boston, 2006. Joe 309 Fernandez, David Harrington, Dan Romascanu, and Bert Wijnen provided 310 helpful review and feedback, which helped to improve this document. 312 7. References 314 7.1. Normative References 316 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 317 Requirement Levels", BCP 14, RFC 2119, March 1997. 319 [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An 320 Architecture for Describing Simple Network Management 321 Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, 322 December 2002. 324 [RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, 325 "Message Processing and Dispatching for the Simple Network 326 Management Protocol (SNMP)", STD 62, RFC 3412, 327 December 2002. 329 [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model 330 (USM) for version 3 of the Simple Network Management 331 Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. 333 [RFC3416] Presuhn, R., "Version 2 of the Protocol Operations for the 334 Simple Network Management Protocol (SNMP)", STD 62, 335 RFC 3416, December 2002. 337 [RFC3418] Presuhn, R., "Management Information Base (MIB) for the 338 Simple Network Management Protocol (SNMP)", STD 62, 339 RFC 3418, December 2002. 341 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 342 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 343 May 2008. 345 7.2. Informative References 347 [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, 348 "Introduction and Applicability Statements for Internet- 349 Standard Management Framework", RFC 3410, December 2002. 351 [RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based 352 Access Control Model (VACM) for the Simple Network 353 Management Protocol (SNMP)", STD 62, RFC 3415, 354 December 2002. 356 [I-D.TSM] Harrington, D., "Transport Security Model for SNMP", 357 draft-ietf-isms-transport-security-model-08.txt (work in 358 progress), July 2008. 360 Author's Address 362 Juergen Schoenwaelder 363 Jacobs University Bremen 364 Campus Ring 1 365 28725 Bremen 366 Germany 368 Phone: +49 421 200-3587 369 Email: j.schoenwaelder@jacobs-university.de 371 Full Copyright Statement 373 Copyright (C) The IETF Trust (2008). 375 This document is subject to the rights, licenses and restrictions 376 contained in BCP 78, and except as set forth therein, the authors 377 retain all their rights. 379 This document and the information contained herein are provided on an 380 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 381 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 382 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 383 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 384 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 385 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 387 Intellectual Property 389 The IETF takes no position regarding the validity or scope of any 390 Intellectual Property Rights or other rights that might be claimed to 391 pertain to the implementation or use of the technology described in 392 this document or the extent to which any license under such rights 393 might or might not be available; nor does it represent that it has 394 made any independent effort to identify any such rights. Information 395 on the procedures with respect to rights in RFC documents can be 396 found in BCP 78 and BCP 79. 398 Copies of IPR disclosures made to the IETF Secretariat and any 399 assurances of licenses to be made available, or the result of an 400 attempt made to obtain a general license or permission for the use of 401 such proprietary rights by implementers or users of this 402 specification can be obtained from the IETF on-line IPR repository at 403 http://www.ietf.org/ipr. 405 The IETF invites any interested party to bring to its attention any 406 copyrights, patents or patent applications, or other proprietary 407 rights that may cover technology that may be required to implement 408 this standard. Please address the information to the IETF at 409 ietf-ipr@ietf.org. 411 Acknowledgment 413 Funding for the RFC Editor function is provided by the IETF 414 Administrative Support Activity (IASA).