< draft-hardaker-isms-dtls-tm-01.txt   draft-hardaker-isms-dtls-tm-02.txt >
ISMS W. Hardaker ISMS W. Hardaker
Internet-Draft Sparta, Inc. Internet-Draft Sparta, Inc.
Intended status: Informational November 3, 2008 Intended status: Informational December 10, 2008
Expires: May 7, 2009 Expires: June 13, 2009
Datagram Transport Layer Security Transport Model for SNMP Datagram Transport Layer Security Transport Model for SNMP
draft-hardaker-isms-dtls-tm-01.txt draft-hardaker-isms-dtls-tm-02.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 34 skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 7, 2009. This Internet-Draft will expire on June 13, 2009.
Abstract Abstract
This document describes a Transport Model for the Simple Network This document describes a Transport Model for the Simple Network
Management Protocol (SNMP), that uses the Datagram Transport Layer Management Protocol (SNMP), that uses the Datagram Transport Layer
Security (DTLS) protocol. The DTLS protocol provides authentication Security (DTLS) protocol. The DTLS protocol provides authentication
and privacy services for SNMP applications. This document describes and privacy services for SNMP applications. This document describes
how the DTLS Transport Model (DTLSTM) implements the needed features how the DTLS Transport Model (DTLSTM) implements the needed features
of a SNMP Transport Subsystem to make this protection possible in an of a SNMP Transport Subsystem to make this protection possible in an
interoperable way. interoperable way.
skipping to change at page 2, line 31 skipping to change at page 2, line 31
3.1.3. DTLS Sessions . . . . . . . . . . . . . . . . . . . . 13 3.1.3. DTLS Sessions . . . . . . . . . . . . . . . . . . . . 13
3.2. Security Parameter Passing . . . . . . . . . . . . . . . . 14 3.2. Security Parameter Passing . . . . . . . . . . . . . . . . 14
3.3. Notifications and Proxy . . . . . . . . . . . . . . . . . 14 3.3. Notifications and Proxy . . . . . . . . . . . . . . . . . 14
4. Elements of the Model . . . . . . . . . . . . . . . . . . . . 15 4. Elements of the Model . . . . . . . . . . . . . . . . . . . . 15
4.1. Certificates . . . . . . . . . . . . . . . . . . . . . . . 15 4.1. Certificates . . . . . . . . . . . . . . . . . . . . . . . 15
4.1.1. The Certificate Infrastructure . . . . . . . . . . . . 15 4.1.1. The Certificate Infrastructure . . . . . . . . . . . . 15
4.1.2. Provisioning for the Certificate . . . . . . . . . . . 16 4.1.2. Provisioning for the Certificate . . . . . . . . . . . 16
4.2. Messages . . . . . . . . . . . . . . . . . . . . . . . . . 17 4.2. Messages . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.3. SNMP Services . . . . . . . . . . . . . . . . . . . . . . 17 4.3. SNMP Services . . . . . . . . . . . . . . . . . . . . . . 17
4.3.1. SNMP Services for an Outgoing Message . . . . . . . . 18 4.3.1. SNMP Services for an Outgoing Message . . . . . . . . 18
4.3.2. SNMP Services for an Incoming Message . . . . . . . . 18 4.3.2. SNMP Services for an Incoming Message . . . . . . . . 19
4.4. DTLS Services . . . . . . . . . . . . . . . . . . . . . . 19 4.4. DTLS Services . . . . . . . . . . . . . . . . . . . . . . 19
4.4.1. Services for Establishing a Session . . . . . . . . . 19 4.4.1. Services for Establishing a Session . . . . . . . . . 20
4.4.2. DTLS Services for an Incoming Message . . . . . . . . 21 4.4.2. DTLS Services for an Incoming Message . . . . . . . . 21
4.4.3. DTLS Services for an Outgoing Message . . . . . . . . 22 4.4.3. DTLS Services for an Outgoing Message . . . . . . . . 22
4.5. Cached Information and References . . . . . . . . . . . . 22 4.5. Cached Information and References . . . . . . . . . . . . 22
4.5.1. securityStateReference . . . . . . . . . . . . . . . . 23 4.5.1. securityStateReference . . . . . . . . . . . . . . . . 23
4.5.2. tmStateReference . . . . . . . . . . . . . . . . . . . 23 4.5.2. tmStateReference . . . . . . . . . . . . . . . . . . . 23
4.5.2.1. Transport information . . . . . . . . . . . . . . 24 4.5.2.1. Transport information . . . . . . . . . . . . . . 24
4.5.2.2. securityName . . . . . . . . . . . . . . . . . . . 24 4.5.2.2. securityName . . . . . . . . . . . . . . . . . . . 24
4.5.2.3. securityLevel . . . . . . . . . . . . . . . . . . 25 4.5.2.3. securityLevel . . . . . . . . . . . . . . . . . . 25
4.5.2.4. Session Information . . . . . . . . . . . . . . . 25 4.5.2.4. Session Information . . . . . . . . . . . . . . . 25
4.5.3. DTLS Transport Model Cached Information . . . . . . . 26 4.5.3. DTLS Transport Model Cached Information . . . . . . . 26
4.5.3.1. Transport Information . . . . . . . . . . . . . . 26 4.5.3.1. Transport Information . . . . . . . . . . . . . . 26
4.5.3.2. tmRequestedSecurityLevel . . . . . . . . . . . . . 26 4.5.3.2. tmRequestedSecurityLevel . . . . . . . . . . . . . 27
4.5.3.3. tmSecurityLevel . . . . . . . . . . . . . . . . . 27 4.5.3.3. tmSecurityLevel . . . . . . . . . . . . . . . . . 27
4.5.3.4. tmSecurityName . . . . . . . . . . . . . . . . . . 27 4.5.3.4. tmSecurityName . . . . . . . . . . . . . . . . . . 27
4.5.4. Transport Model LCD . . . . . . . . . . . . . . . . . 27 4.5.4. Transport Model LCD . . . . . . . . . . . . . . . . . 27
5. Elements of Procedure . . . . . . . . . . . . . . . . . . . . 27 5. Elements of Procedure . . . . . . . . . . . . . . . . . . . . 28
5.1. Procedures for an Incoming Message . . . . . . . . . . . . 28 5.1. Procedures for an Incoming Message . . . . . . . . . . . . 28
5.1.1. DTLS Processing for Incoming Messages . . . . . . . . 28 5.1.1. DTLS Processing for Incoming Messages . . . . . . . . 28
5.1.2. Transport Processing for Incoming Messages . . . . . . 29 5.1.2. Transport Processing for Incoming Messages . . . . . . 30
5.2. Procedures for an Outgoing Message . . . . . . . . . . . . 30 5.2. Procedures for an Outgoing Message . . . . . . . . . . . . 31
5.3. Establishing a Session . . . . . . . . . . . . . . . . . . 32 5.3. Establishing a Session . . . . . . . . . . . . . . . . . . 32
5.4. Closing a Session . . . . . . . . . . . . . . . . . . . . 34 5.4. Closing a Session . . . . . . . . . . . . . . . . . . . . 34
6. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 34 6. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 35
6.1. Structure of the MIB Module . . . . . . . . . . . . . . . 35 6.1. Structure of the MIB Module . . . . . . . . . . . . . . . 35
6.2. Textual Conventions . . . . . . . . . . . . . . . . . . . 35 6.2. Textual Conventions . . . . . . . . . . . . . . . . . . . 35
6.3. Statistical Counters . . . . . . . . . . . . . . . . . . . 35 6.3. Statistical Counters . . . . . . . . . . . . . . . . . . . 35
6.4. Configuration Tables . . . . . . . . . . . . . . . . . . . 35 6.4. Configuration Tables . . . . . . . . . . . . . . . . . . . 35
6.5. Relationship to Other MIB Modules . . . . . . . . . . . . 35 6.5. Relationship to Other MIB Modules . . . . . . . . . . . . 35
6.5.1. MIB Modules Required for IMPORTS . . . . . . . . . . . 35 6.5.1. MIB Modules Required for IMPORTS . . . . . . . . . . . 36
7. MIB Module Definition . . . . . . . . . . . . . . . . . . . . 36 7. MIB Module Definition . . . . . . . . . . . . . . . . . . . . 36
8. Operational Considerations . . . . . . . . . . . . . . . . . . 47 8. Operational Considerations . . . . . . . . . . . . . . . . . . 49
8.1. Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 47 8.1. Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 49
8.2. Notification Receiver Credential Selection . . . . . . . . 48 8.2. Notification Receiver Credential Selection . . . . . . . . 50
8.3. contextEngineID Discovery . . . . . . . . . . . . . . . . 48 8.3. contextEngineID Discovery . . . . . . . . . . . . . . . . 50
9. Security Considerations . . . . . . . . . . . . . . . . . . . 48 9. Security Considerations . . . . . . . . . . . . . . . . . . . 50
9.1. Certificates, Authentication, and Authorization . . . . . 49 9.1. Certificates, Authentication, and Authorization . . . . . 51
9.2. Use with SNMPv1/SNMPv2c Messages . . . . . . . . . . . . . 49 9.2. Use with SNMPv1/SNMPv2c Messages . . . . . . . . . . . . . 52
9.3. MIB Module Security . . . . . . . . . . . . . . . . . . . 50 9.3. MIB Module Security . . . . . . . . . . . . . . . . . . . 52
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 50 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 52
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 51 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 53
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 51 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 53
12.1. Normative References . . . . . . . . . . . . . . . . . . . 51 12.1. Normative References . . . . . . . . . . . . . . . . . . . 53
12.2. Informative References . . . . . . . . . . . . . . . . . . 53 12.2. Informative References . . . . . . . . . . . . . . . . . . 55
Appendix A. Target and Notificaton Configuration Example . . . . 53 Appendix A. Target and Notificaton Configuration Example . . . . 56
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 55 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 58
Intellectual Property and Copyright Statements . . . . . . . . . . 56 Intellectual Property and Copyright Statements . . . . . . . . . . 59
1. Introduction 1. Introduction
It is important to understand the SNMPv3 architecture [RFC3411], as It is important to understand the SNMPv3 architecture [RFC3411], as
enhanced by the Transport Subsystem [I-D.ietf-isms-tmsm]. It is also enhanced by the Transport Subsystem [I-D.ietf-isms-tmsm]. It is also
important to understand the terminology of the SNMPv3 architecture in important to understand the terminology of the SNMPv3 architecture in
order to understand where the Transport Model described in this order to understand where the Transport Model described in this
document fits into the architecture and how it interacts with the document fits into the architecture and how it interacts with the
other architecture subsystems. For a detailed overview of the other architecture subsystems. For a detailed overview of the
documents that describe the current Internet-Standard Management documents that describe the current Internet-Standard Management
skipping to change at page 14, line 8 skipping to change at page 14, line 8
DTLS sessions are uniquely identified within the DTLS Transport Model DTLS sessions are uniquely identified within the DTLS Transport Model
by the combination of transportDomain, transportAddress, by the combination of transportDomain, transportAddress,
securityName, and requestedSecurityLevel associated with each securityName, and requestedSecurityLevel associated with each
session. Each unique combination of these parameters MUST have a session. Each unique combination of these parameters MUST have a
locally-chosen unique dtlsSessionID associated for active sessions. locally-chosen unique dtlsSessionID associated for active sessions.
For further information see Section 4.4 and Section 5. For further information see Section 4.4 and Section 5.
3.2. Security Parameter Passing 3.2. Security Parameter Passing
For the DTLS server-side, DTLS-specific security parameters (i.e., For the DTLS server-side, DTLS-specific security parameters (i.e.,
cipher_suites, common name of X.509 certificate, IP address and port) cipher_suites, X.509 certificate fields, IP address and port) are
are translated by the DTLS Transport Model into security parameters translated by the DTLS Transport Model into security parameters for
for the DTLS Transport Model and security model (i.e., securityLevel, the DTLS Transport Model and security model (i.e., securityLevel,
securityName, transportDomain, transportAddress). The transport- securityName, transportDomain, transportAddress). The transport-
related and DTLS-security-related information, including the related and DTLS-security-related information, including the
authenticated identity, are stored in a cache referenced by authenticated identity, are stored in a cache referenced by
tmStateReference. tmStateReference.
For the DTLS client-side, the DTLS Transport Model takes input For the DTLS client-side, the DTLS Transport Model takes input
provided by the dispatcher in the sendMessage() Abstract Service provided by the dispatcher in the sendMessage() Abstract Service
Interface (ASI) and input from the tmStateReference cache. The DTLS Interface (ASI) and input from the tmStateReference cache. The DTLS
Transport Model converts that information into suitable security Transport Model converts that information into suitable security
parameters for DTLS and establishes sessions as needed. parameters for DTLS and establishes sessions as needed.
skipping to change at page 14, line 52 skipping to change at page 14, line 52
module that extends the SNMP-TARGET-MIB's snmpTargetParamsTable to module that extends the SNMP-TARGET-MIB's snmpTargetParamsTable to
specify a DTLS client-side certificate to use for the connection. specify a DTLS client-side certificate to use for the connection.
When configuring a DTLS target, the snmpTargetAddrTDomain and When configuring a DTLS target, the snmpTargetAddrTDomain and
snmpTargetAddrTAddress parameters in snmpTargetAddrTable should be snmpTargetAddrTAddress parameters in snmpTargetAddrTable should be
set to the snmpDTLSDomain object and an appropriate snmpDTLSAddress set to the snmpDTLSDomain object and an appropriate snmpDTLSAddress
value respectively. The snmpTargetParamsMPModel column of the value respectively. The snmpTargetParamsMPModel column of the
snmpTargetParamsTable should be set to a value of 3 to indicate the snmpTargetParamsTable should be set to a value of 3 to indicate the
SNMPv3 message processing model. The snmpTargetParamsSecurityName SNMPv3 message processing model. The snmpTargetParamsSecurityName
should be set to an appropriate securityName value and the should be set to an appropriate securityName value and the
dtlstmParamsSubject parameter of the dtlstmParamsTable should be set dtlstmParamsHashType and dtlstmParamsHashValue parameters of the
to the Subject of the locally held certificate to be used. Other dtlstmParamsTable should be set to values that refer to a locally
parameters, for example cryptographic configuration such as cipher held certificate to be used. Other parameters, for example
suites to use, must come from configuration mechanisms not defined in cryptographic configuration such as cipher suites to use, must come
this document. The other needed configuration may be configured from configuration mechanisms not defined in this document. The
using SNMP or other implementation-dependent mechanisms (for example, other needed configuration may be configured using SNMP or other
via a CLI). This securityName defined in the implementation-dependent mechanisms (for example, via a CLI). This
snmpTargetParamsSecurityName column will be used by the access securityName defined in the snmpTargetParamsSecurityName column will
control model to authorize any notifications that need to be sent. be used by the access control model to authorize any notifications
that need to be sent.
4. Elements of the Model 4. Elements of the Model
This section contains definitions required to realize the DTLS This section contains definitions required to realize the DTLS
Transport Model defined by this document. Transport Model defined by this document.
4.1. Certificates 4.1. Certificates
DTLS makes use of X.509 certificates for authentication of both sides DTLS makes use of X.509 certificates for authentication of both sides
of the transport. This section discusses the use of certificates in of the transport. This section discusses the use of certificates in
skipping to change at page 16, line 24 skipping to change at page 16, line 24
signatureValue: The signatureValue field contains a digital signatureValue: The signatureValue field contains a digital
signature computed upon the ASN.1 DER encoded tbsCertificate signature computed upon the ASN.1 DER encoded tbsCertificate
field. The ASN.1 DER encoded tbsCertificate is used as the input field. The ASN.1 DER encoded tbsCertificate is used as the input
to the signature function. This signature value is then ASN.1 DER to the signature function. This signature value is then ASN.1 DER
encoded as a BIT STRING and included in the Certificate's encoded as a BIT STRING and included in the Certificate's
signature field. By generating this signature, a CA certifies the signature field. By generating this signature, a CA certifies the
validity of the information in the tbsCertificate field. In validity of the information in the tbsCertificate field. In
particular, the CA certifies the binding between the public key particular, the CA certifies the binding between the public key
material and the subject of the certificate. material and the subject of the certificate.
The basic X.509 authentication procedure is as follows: A system, The basic X.509 authentication procedure is as follows: A system is
which uses the X.509 key management infrastructure, is initialized initialized with a number of root certificates that contain the
with a number of root certificates which contain the public keys of a public keys of a number of trusted CAs. When a system receives a
number of trusted CAs. When a system receives a X.509 certificate, X.509 certificate, signed by one of those CAs, the certificate has to
signed by one of those CAs, that has to be verified, it first be verified. It first checks the signatureValue field by using the
decrypts the signatureValue field by using the public key of the public key of the corresponding trusted CA. Then it compares the
corresponding trusted CA. Then it compares the decrypted information decrypted information with a digest of the tbsCertificate field. If
with the tbsCertificate field. If they match, then the subject in they match, then the subject in the tbsCertificate field is
the tbsCertificate field is authenticated. authenticated.
4.1.2. Provisioning for the Certificate 4.1.2. Provisioning for the Certificate
Authentication using DTLS will require that SNMP entities are Authentication using DTLS will require that SNMP entities are
provisioned with certificates, which are signed by trusted provisioned with certificates, which are signed by trusted
certificate authorities. Furthermore, SNMP entities will most certificate authorities. Furthermore, SNMP entities will most
commonly need to be provisioned with root certificates which commonly need to be provisioned with root certificates which
represent the list of trusted certificate authorities that an SNMP represent the list of trusted certificate authorities that an SNMP
entity can use for certificate verification. SNMP entities MAY also entity can use for certificate verification. SNMP entities MAY also
be provisioned with X.509 certificate revocation mechanism which will be provisioned with a X.509 certificate revocation mechanism which
be used to verify that a certificate has not been revoked. can be used to verify that a certificate has not been revoked.
The authenticated tmSecurityName of the principal is looked up using The authenticated tmSecurityName of the principal is looked up using
the dtlstmCertificateToSNTable. This table maps the certificates the dtlstmCertificateToSNTable. This table either:
issuer's distinguished name to a directly specified tmSecurityName or
it specifies that the CommonName field of the certificate's Subject
should be used as the tmSecurityName. The certificate trust anchors,
being either CA certificates or public keys for use by self-signed
certificates, must be installed through an out of band trusted
mechanism into the server and its authenticity MUST be verified
before access is granted. Implementations MAY choose to discard any
connections for which no dtlstmCertificateToSNTable mapping exists
for the issuer to avoid the computational resources associated with a
certificate verification check since the verified certificate would
be unusable anyway.
The typical enterprise configuration will map the "CommonName" o Maps a certificate's fingerprint hash type and value to a directly
component of the Subject field in the tbsCertificate to the DTLSSM specified tmSecurityName.
specific tmSecurityName. Thus, the authenticated identity can be
verified by the DTLS Transport Model by extracting the CommonName o Identifies a certificate issuer's fingerprint hash type and value
from the Subject of the peer certificate and the receiving and allows child certificate's subjectAltName or CommonName to
application will have an appropriate tmSecurityName for use by directly used as the tmSecurityNome.
components like an access control model. This setup requires very
little configuration: a single row in the dtlstmCertificateToSNTable. The certificate trust anchors, being either CA certificates or public
keys for use by self-signed certificates, must be installed through
an out of band trusted mechanism into the server and its authenticity
MUST be verified before access is granted. Implementations SHOULD
choose to discard any connections for which no potential
dtlstmCertificateToSNTable mapping exists before performing
certificate verification to avoid expending computational resources
associated with certificate verification.
The typical enterprise configuration will map the "subjectAltName"
component of the tbsCertificate to the DTLSSM specific
tmSecurityName. Thus, the authenticated identity can be obtained by
the DTLS Transport Model by extracting the subjectAltName from the
peer's certificate and the receiving application will have an
appropriate tmSecurityName for use by components like an access
control model. This setup requires very little configuration: a
single row in the dtlstmCertificateToSNTable referencing a
certificate authority.
An example mapping setup can be found in Appendix A An example mapping setup can be found in Appendix A
This tmSecurityName may be later translated from a DTLSSM specific This tmSecurityName may be later translated from a DTLSSM specific
tmSecurityName to a SNMP engine securityName by the security model. tmSecurityName to a SNMP engine securityName by the security model.
A security model, like the TSM security model, may perform an A security model, like the TSM security model, may perform an
identity mapping or a more complex mapping to derive the securityName identity mapping or a more complex mapping to derive the securityName
from the tmSecurityName. from the tmSecurityName offered by the DTLS Transport Model.
4.2. Messages 4.2. Messages
As stated in RFC4347, each DTLS message must fit within a single As stated in RFC4347, each DTLS message must fit within a single
datagram. The DTLSTM MUST prohibit SNMP messages from being set that datagram. The DTLSTM MUST prohibit SNMP messages from being set that
exceed the MTU size. The DTLSTM implementation MUST return an error exceed the MTU size. The DTLSTM implementation MUST return an error
when the MTU size would be exceeded and the message won't be sent. when the MTU size would be exceeded and the message won't be sent.
For Ethernet the MTU size is 1500 and thus the maximum allowable SNMP For Ethernet the MTU size is 1500 and thus the maximum allowable SNMP
message that can be sent over DTLSTM after UDP/IP/DTLS overhead is message that can be sent over DTLSTM after UDP/IP/DTLS overhead is
skipping to change at page 30, line 19 skipping to change at page 30, line 25
tmTransportAddress = The address the message originated from, tmTransportAddress = The address the message originated from,
determined in an implementation dependent way. determined in an implementation dependent way.
tmSecurityLevel = The derived tmSecurityLevel for the session, tmSecurityLevel = The derived tmSecurityLevel for the session,
as discussed in Section 3.1.2 and Section 5.3. as discussed in Section 3.1.2 and Section 5.3.
tmSecurityName = The derived tmSecurityName for the session as tmSecurityName = The derived tmSecurityName for the session as
discussed in and Section 5.3. discussed in and Section 5.3.
tmSessionID = A unique session identifier for this DTLS session. tmSessionID = The dtlsSessionID, which MUST be A unique session
The contents and format of this identifier are implementation identifier for this DTLS session. The contents and format of
dependent as long as it is unique to the session. A session this identifier are implementation dependent as long as it is
identifier MUST NOT be reused until all references to it are unique to the session. A session identifier MUST NOT be
no longer in use. reused until all references to it are no longer in use. The
tmSessionID is equal to the dtlsSessionID discussed in
Section 5.1.1. tmSessionID refers to the session identifier
when stored in the tmStateReference and dtlsSessionID refers
to the session identifier when stored in the LCD. They MUST
always be equal when processing a given session's traffic.
2) The wholeMessage and the wholeMessageLength are assigned values 2) The wholeMessage and the wholeMessageLength are assigned values
from the incomingMessage and incomingMessageLength values from from the incomingMessage and incomingMessageLength values from
the DTLS processing. the DTLS processing.
3) The DTLS Transport Model passes the transportDomain, 3) The DTLS Transport Model passes the transportDomain,
transportAddress, wholeMessage, and wholeMessageLength to the transportAddress, wholeMessage, and wholeMessageLength to the
Dispatcher using the receiveMessage ASI: Dispatcher using the receiveMessage ASI:
statusInformation = statusInformation =
skipping to change at page 33, line 33 skipping to change at page 33, line 35
returned, and session establishment processing stops. returned, and session establishment processing stops.
3) Once the secure session is established and both sides have been 3) Once the secure session is established and both sides have been
authenticated, certificate validation and identity expectations authenticated, certificate validation and identity expectations
are performed. are performed.
a) The DTLS server side of the connection identifies the a) The DTLS server side of the connection identifies the
authenticated identity from the DTLS client's principal authenticated identity from the DTLS client's principal
certificate using the dtlstmCertificateToSNTable mapping certificate using the dtlstmCertificateToSNTable mapping
table and records this in the tmStateReference cache as table and records this in the tmStateReference cache as
tmSecurityName. If this verification fails in any way (for tmSecurityName. The details of the lookup process are fully
example because of failures in cryptographic verification or described in the DESCRIPTION clause of the
the lack of an appropriate row in the dtlstmCertificateToSNTable MIB object. If this verification
dtlstmCertificateToSNTable) then the session establishment fails in any way (for example because of failures in
MUST fail, the dtlstmSessionInvalidClientCertificates object cryptographic verification or the lack of an appropriate row
is incremented and processing is stopped. in the dtlstmCertificateToSNTable) then the session
establishment MUST fail, the
dtlstmSessionInvalidClientCertificates object is incremented
and processing is stopped.
b) The DTLS client side of the connection SHOULD verify that b) The DTLS client side of the connection SHOULD verify that
authenticated identity of the DTLS server's certificate is authenticated identity of the DTLS server's certificate is
the expected identity and MUST do so if the client the expected identity and MUST do so if the client
application is a Notification Generator. If strong application is a Notification Generator. If strong
authentication is desired then the DTLS server certificate authentication is desired then the DTLS server certificate
MUST always be verified and checked against the expected MUST always be verified and checked against the expected
identity. Methods for doing this are described in identity. Methods for doing this are described in
[I-D.hodges-server-ident-check]. DTLS provides assurance [I-D.hodges-server-ident-check]. DTLS provides assurance
that the authenticated identity has been signed by a trusted that the authenticated identity has been signed by a trusted
configured certificate authority. If verification of the configured certificate authority. If verification of the
server's certificate fails in any way (for example because of server's certificate fails in any way (for example because of
failures in cryptographic verification or the presented failures in cryptographic verification or the presented
identity was not the expected identity) then the session identity was not the expected identity) then the session
establishment MUST fail, the establishment MUST fail, the
dtlstmSessionInvalidServerCertificates object is incremented dtlstmSessionInvalidServerCertificates object is incremented
and processing is stopped. and processing is stopped.
skipping to change at page 38, line 45 skipping to change at page 39, line 5
object, there may be issues with the limit of 128 object, there may be issues with the limit of 128
sub-identifiers specified in SMIv2, STD 58. It is RECOMMENDED sub-identifiers specified in SMIv2, STD 58. It is RECOMMENDED
that all MIB documents using this textual convention make that all MIB documents using this textual convention make
explicit any limitations on index component lengths that explicit any limitations on index component lengths that
management software must observe. This may be done either by management software must observe. This may be done either by
including SIZE constraints on the index components or by including SIZE constraints on the index components or by
specifying applicable constraints in the conceptual row specifying applicable constraints in the conceptual row
DESCRIPTION clause or in the surrounding documentation." DESCRIPTION clause or in the surrounding documentation."
SYNTAX OCTET STRING (SIZE (1..255)) SYNTAX OCTET STRING (SIZE (1..255))
X509IdentifierHashType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Identifies a hashing algorithm type that will be used for
identifying an X.509 certificate.
The md5(1) value SHOULD NOT be used."
SYNTAX INTEGER { md5(1), sha1(2), sha256(3) }
X509IdentifierHash ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A hash value that uniquely identifies a certificate within a
systems local certificate store. The length of the value
stored in an object of type X509IdentifierHash is dependent on
the hashing algorithm that produced the hash.
MIB structures making use of this textual convention should
have an accompanying object of type X509IdentifierHashType.
"
SYNTAX OCTET STRING
-- The dtlstmSession Group -- The dtlstmSession Group
dtlstmSession OBJECT IDENTIFIER ::= { dtlstmObjects 1 } dtlstmSession OBJECT IDENTIFIER ::= { dtlstmObjects 1 }
dtlstmSessionOpens OBJECT-TYPE dtlstmSessionOpens OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an openSession() request has been "The number of times an openSession() request has been
skipping to change at page 41, line 15 skipping to change at page 41, line 44
dtlstmCertificateToSNTable OBJECT-TYPE dtlstmCertificateToSNTable OBJECT-TYPE
SYNTAX SEQUENCE OF DtlstmCertificateToSNEntry SYNTAX SEQUENCE OF DtlstmCertificateToSNEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A table listing the X.509 certificates known to the entity "A table listing the X.509 certificates known to the entity
and the associated method for determining the SNMPv3 security and the associated method for determining the SNMPv3 security
name from a certificate. name from a certificate.
On an incoming DTLS/SNMP connection the client's presented On an incoming DTLS/SNMP connection the client's presented
certificate should be examined and validated based on certificate should be examined and validated based on an
an established trusted CA certificate or self-signed public established trusted CA certificate or self-signed public
certificate. This table does not provide certificate. This table does not provide a mechanism for
a mechanism for uploading the certificates as that is expected uploading the certificates as that is expected to occur
to occur through an out-of-band transfer. through an out-of-band transfer.
Once the authenticity of the certificate has been verified, Once the authenticity of the certificate has been verified,
this table can be consulted to determine the appropriate this table can be consulted to determine the appropriate
securityName to identify the remote connection. This is done securityName to identify the remote connection. This is done
by comparing the issuer's distinguished name against the by comparing the issuer's fingerprint hash type and value and
dtlstmCertDN value. If a matching entry is found then the the certificate's fingerprint hash type and value against the
dtlstmCertHashType and dtlstmCertHashValue values in each
entry of this table. If a matching entry is found then the
securityName is selected based on the dtlstmCertMapType, securityName is selected based on the dtlstmCertMapType,
dtlstmCertSubject and dtlstmCertSecurityName fields and the dtlstmCertHashType, dtlstmCertHashValue and
resulting securityName is used to identify the other side of dtlstmCertSecurityName fields and the resulting securityName
the DTLS connection. is used to identify the other side of the DTLS connection.
This table should be treated as an ordered list of mapping
rules to check. The first mapping rule appropriately matching
a certificate in the local certificate store with a
corresponding hash type (dtlstmCertHashType) and hash value
(dtlstmCertHashValue) will be used to perform the mapping from
X.509 certificate values to a securityName. If, after a
matching row is found but the mapping can not succeed for some
other reason then further attempts to perform the mapping MUST
NOT be taken. For example, if the entry being checked
contains a dtlstmCertMapType of bySubjectAltName(2) and an
incoming connection uses a certificate with an issuer
certificate matching the dtlstmCertHashType and
dtlstmCertHashValue fields but the connecting certificate does
not contain a subjectAltName field then the lookup operation
must be treated as a failure. No further rows are examined for
other potential mappings.
Missing values of dtlstmCertID are acceptable and
implementations should treat missing entries as a failed match
and should continue to the next highest numbered row. E.G.,
the table may legally contain only two rows with dtlstmCertID
values of 10 and 20.
Users are encouraged to make use of certificates with Users are encouraged to make use of certificates with
CommonName fields that can be used as securityNames so that a subjectAltName fields that can be used as securityNames so
single root CA certificate can allow all child certificate's that a single root CA certificate can allow all child
CommonName to map directly to a securityName via a 1:1 certificate's subjectAltName to map directly to a securityName
transformation. However, this table is flexible enough to via a 1:1 transformation. However, this table is flexible
allow for situations where existing an existing deployed enough to allow for situations where existing deployed
certificate infrastructures dose not provide adequate certificate infrastructures do not provide adequate
CommonName values for use as SNMPv3 securityNames." subjectAltName values for use as SNMPv3 securityNames.
Certificates may also be mapped to securityNames using the
CommonName portion of the Subject field which is also a
scalable method of mapping certificate components to
securityNames. Finally, direct mapping from each individual
certificate fingerprint to a securityName is possible but
requires one entry in the table per securityName."
::= { dtlstmCertificateMapping 3 } ::= { dtlstmCertificateMapping 3 }
dtlstmCertificateToSNEntry OBJECT-TYPE dtlstmCertificateToSNEntry OBJECT-TYPE
SYNTAX DtlstmCertificateToSNEntry SYNTAX DtlstmCertificateToSNEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A row in the dtlstmCertificateToSNTable that specifies a "A row in the dtlstmCertificateToSNTable that specifies a
mapping for an incoming DTLS certificate to a securityName to mapping for an incoming DTLS certificate to a securityName to
use for the connection." use for the connection."
INDEX { dtlstmCertID } INDEX { dtlstmCertID }
::= { dtlstmCertificateToSNTable 1 } ::= { dtlstmCertificateToSNTable 1 }
DtlstmCertificateToSNEntry ::= SEQUENCE { DtlstmCertificateToSNEntry ::= SEQUENCE {
dtlstmCertID Unsigned32, dtlstmCertID Unsigned32,
dtlstmCertIssuerDN OCTET STRING, dtlstmCertHashType X509IdentifierHashType,
dtlstmCertHashValue X509IdentifierHash,
dtlstmCertMapType INTEGER, dtlstmCertMapType INTEGER,
dtlstmCertSecurityName SnmpAdminString, dtlstmCertSecurityName SnmpAdminString,
dtlstmCertStorageType StorageType, dtlstmCertStorageType StorageType,
dtlstmCertRowStatus RowStatus dtlstmCertRowStatus RowStatus
} }
dtlstmCertID OBJECT-TYPE dtlstmCertID OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A unique arbitrary number index for a given certificate "A unique arbitrary number index for a given certificate
entry." entry."
::= { dtlstmCertificateToSNEntry 1 } ::= { dtlstmCertificateToSNEntry 1 }
dtlstmCertIssuerDN OBJECT-TYPE dtlstmCertHashType OBJECT-TYPE
SYNTAX OCTET STRING SYNTAX X509IdentifierHashType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The issuer's 'distinguished name' field matching the "The hash algorithm to use when applying a hash to a X.509
certificate to be used for this mapping entry. certificate for purposes of referring to it from the
" dtlstmCertHashValue column.
The md5(1) value SHOULD NOT be used."
DEFVAL { sha256 }
::= { dtlstmCertificateToSNEntry 2 } ::= { dtlstmCertificateToSNEntry 2 }
dtlstmCertHashValue OBJECT-TYPE
SYNTAX X509IdentifierHash
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A cryptographic hash of a X.509 certificate. The use of this
hash is dictated by the dtlstmCertMapType column.
"
::= { dtlstmCertificateToSNEntry 3 }
dtlstmCertMapType OBJECT-TYPE dtlstmCertMapType OBJECT-TYPE
SYNTAX INTEGER { specified(1), byCN(2) } SYNTAX INTEGER { specified(1), bySubjectAltName(2), byCN(3) }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The mapping type used to obtain the securityName from the "The mapping type used to obtain the securityName from the
certificate. The possible values of use and their usage certificate. The possible values of use and their usage
methods are defined as follows: methods are defined as follows:
specified(1): The securityName that should be used locally to specified(1): The securityName that should be used locally to
identify the remote entity is directly specified identify the remote entity is directly specified
in the dtlstmCertSecurityName column from this in the dtlstmCertSecurityName column from this
table. table. The dtlstmCertHashValue MUST refer to a
X.509 client certificate that will be mapped
directly to the securityName specified in the
dtlstmCertSecurityName column.
byCN(2): The securityName that should be used locally to bySubjectAltName(2):
The securityName that should be used locally to
identify the remote entity should be taken from
the subjectAltName portion of the X.509
certificate. The dtlstmCertHashValue MUST refer
to a trust anchor certificate that is
responsible for issuing certificates with
carefully controlled subjectAltName fields.
byCN(3): The securityName that should be used locally to
identify the remote entity should be taken from identify the remote entity should be taken from
the CommonName portion of the Subject field from the CommonName portion of the Subject field from
the X.509 certificate." the X.509 certificate. The dtlstmCertHashValue
MUST refer to a trust anchor certificate that is
responsible for issuing certificates with
carefully controlled CommonName fields."
DEFVAL { specified } DEFVAL { specified }
::= { dtlstmCertificateToSNEntry 3 } ::= { dtlstmCertificateToSNEntry 4 }
dtlstmCertSecurityName OBJECT-TYPE dtlstmCertSecurityName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32)) SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The securityName that the session should use if the "The securityName that the session should use if the
dtlstmCertMapType is set to specified(1), otherwise the value dtlstmCertMapType is set to specified(1), otherwise the value
in this column should be ignored. If dtlstmCertMapType is set in this column should be ignored. If dtlstmCertMapType is set
to specifed(1) and this column contains a zero-length string to specifed(1) and this column contains a zero-length string
(which is not a legal securityName value) this row is (which is not a legal securityName value) this row is
effectively disabled and the match will not be considered effectively disabled and the match will not be considered
successful." successful."
DEFVAL { "" } DEFVAL { "" }
::= { dtlstmCertificateToSNEntry 4 } ::= { dtlstmCertificateToSNEntry 5 }
dtlstmCertStorageType OBJECT-TYPE dtlstmCertStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this conceptual row. Conceptual rows "The storage type for this conceptual row. Conceptual rows
having the value 'permanent' need not allow write-access to having the value 'permanent' need not allow write-access to
any columnar objects in the row." any columnar objects in the row."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { dtlstmCertificateToSNEntry 5 } ::= { dtlstmCertificateToSNEntry 6 }
dtlstmCertRowStatus OBJECT-TYPE dtlstmCertRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The status of this conceptual row. This object may be used "The status of this conceptual row. This object may be used
to create or remove rows from this table. to create or remove rows from this table.
The value of this object has no effect on whether The value of this object has no effect on whether
other objects in this conceptual row can be modified." other objects in this conceptual row can be modified."
::= { dtlstmCertificateToSNEntry 6 } ::= { dtlstmCertificateToSNEntry 7 }
-- Maps securityNames to certificates for use by the SNMP-TARGET-MIB -- Maps securityNames to certificates for use by the SNMP-TARGET-MIB
dtlstmParamsCount OBJECT-TYPE dtlstmParamsCount OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A count of the number of entries in the "A count of the number of entries in the
dtlstmParamsTable" dtlstmParamsTable"
skipping to change at page 44, line 33 skipping to change at page 46, line 26
snmpTargetParamsTable with additional a DTLS client-side snmpTargetParamsTable with additional a DTLS client-side
certificate certificate identifier to use when establishing certificate certificate identifier to use when establishing
new DTLS connections." new DTLS connections."
::= { dtlstmCertificateMapping 6 } ::= { dtlstmCertificateMapping 6 }
dtlstmParamsEntry OBJECT-TYPE dtlstmParamsEntry OBJECT-TYPE
SYNTAX DtlstmParamsEntry SYNTAX DtlstmParamsEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A conceptual row containing the certificate subject name for "A conceptual row containing a locally held certificate's hash
a given snmpTargetParamsEntry. The values in this row should type and hash value for a given snmpTargetParamsEntry. The
be ignored if not the connection that needs to be established, values in this row should be ignored if not the connection
as indicated by the SNMP-TARGET-MIB infrastructure, is not a that needs to be established, as indicated by the
DTLS based connection." SNMP-TARGET-MIB infrastructure, is not a DTLS based
connection."
AUGMENTS { snmpTargetParamsEntry } AUGMENTS { snmpTargetParamsEntry }
::= { dtlstmParamsTable 1 } ::= { dtlstmParamsTable 1 }
DtlstmParamsEntry ::= SEQUENCE { DtlstmParamsEntry ::= SEQUENCE {
dtlstmParamsSubject OCTET STRING, dtlstmParamsHashType X509IdentifierHashType,
dtlstmParamsHashValue X509IdentifierHash,
dtlstmParamsStorageType StorageType, dtlstmParamsStorageType StorageType,
dtlstmParamsRowStatus RowStatus dtlstmParamsRowStatus RowStatus
} }
dtlstmParamsSubject OBJECT-TYPE dtlstmParamsHashType OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(1..4096)) SYNTAX X509IdentifierHashType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The subject name of the locally-held X.509 certificate that "The hash algorithm type for the hash stored in the
dtlstmParamsHash column to identify a locally-held X.509
certificate that should be used when initiating a DTLS
connection as a DTLS client."
DEFVAL { sha256 }
::= { dtlstmParamsEntry 1 }
dtlstmParamsHashValue OBJECT-TYPE
SYNTAX X509IdentifierHash
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A cryptographic hash of a X.509 certificate. This object
should store the hash of a locally held X.509 certificate that
should be used when initiating a DTLS connection as a DTLS should be used when initiating a DTLS connection as a DTLS
client." client."
::= { dtlstmParamsEntry 1 } ::= { dtlstmParamsEntry 2 }
dtlstmParamsStorageType OBJECT-TYPE dtlstmParamsStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this conceptual row. Conceptual rows "The storage type for this conceptual row. Conceptual rows
having the value 'permanent' need not allow write-access to having the value 'permanent' need not allow write-access to
any columnar objects in the row." any columnar objects in the row."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { dtlstmParamsEntry 2 } ::= { dtlstmParamsEntry 3 }
dtlstmParamsRowStatus OBJECT-TYPE dtlstmParamsRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The status of this conceptual row. This object may be used "The status of this conceptual row. This object may be used
to create or remove rows from this table. to create or remove rows from this table.
The value of this object has no effect on whether The value of this object has no effect on whether
other objects in this conceptual row can be modified." other objects in this conceptual row can be modified."
::= { dtlstmParamsEntry 3 } ::= { dtlstmParamsEntry 4 }
-- ************************************************ -- ************************************************
-- dtlstmMIB - Conformance Information -- dtlstmMIB - Conformance Information
-- ************************************************ -- ************************************************
dtlstmCompliances OBJECT IDENTIFIER ::= { dtlstmConformance 1 } dtlstmCompliances OBJECT IDENTIFIER ::= { dtlstmConformance 1 }
dtlstmGroups OBJECT IDENTIFIER ::= { dtlstmConformance 2 } dtlstmGroups OBJECT IDENTIFIER ::= { dtlstmConformance 2 }
-- ************************************************ -- ************************************************
skipping to change at page 46, line 32 skipping to change at page 48, line 41
DESCRIPTION DESCRIPTION
"A collection of objects for maintaining "A collection of objects for maintaining
statistical information of an SNMP engine which statistical information of an SNMP engine which
implements the SNMP DTLS Transport Model." implements the SNMP DTLS Transport Model."
::= { dtlstmGroups 1 } ::= { dtlstmGroups 1 }
dtlstmIncomingGroup OBJECT-GROUP dtlstmIncomingGroup OBJECT-GROUP
OBJECTS { OBJECTS {
dtlstmCertificateToSNCount, dtlstmCertificateToSNCount,
dtlstmCertificateToSNTableLastChanged, dtlstmCertificateToSNTableLastChanged,
dtlstmCertIssuerDN, dtlstmCertHashType,
dtlstmCertHashValue,
dtlstmCertMapType, dtlstmCertMapType,
dtlstmCertSecurityName, dtlstmCertSecurityName,
dtlstmCertStorageType, dtlstmCertStorageType,
dtlstmCertRowStatus dtlstmCertRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects for maintaining "A collection of objects for maintaining
incoming connection certificate mappings to incoming connection certificate mappings to
securityNames of an SNMP engine which implements the securityNames of an SNMP engine which implements the
SNMP DTLS Transport Model." SNMP DTLS Transport Model."
::= { dtlstmGroups 2 } ::= { dtlstmGroups 2 }
dtlstmOutgoingGroup OBJECT-GROUP dtlstmOutgoingGroup OBJECT-GROUP
OBJECTS { OBJECTS {
dtlstmParamsCount, dtlstmParamsCount,
dtlstmParamsTableLastChanged, dtlstmParamsTableLastChanged,
dtlstmParamsSubject, dtlstmParamsHashType,
dtlstmParamsHashValue,
dtlstmParamsStorageType, dtlstmParamsStorageType,
dtlstmParamsRowStatus dtlstmParamsRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects for maintaining "A collection of objects for maintaining
outgoing connection certificates to use when opening outgoing connection certificates to use when opening
connections as a result of SNMP-TARGET-MIB settings." connections as a result of SNMP-TARGET-MIB settings."
::= { dtlstmGroups 3 } ::= { dtlstmGroups 3 }
skipping to change at page 49, line 45 skipping to change at page 52, line 6
against what was expected. For example, Command Generators must against what was expected. For example, Command Generators must
check that the Command Responder presented and authenticated itself check that the Command Responder presented and authenticated itself
with a X.509 certificate that was expected. Not doing so would allow with a X.509 certificate that was expected. Not doing so would allow
an impostor, at a minimum, to present false data, receive sensitive an impostor, at a minimum, to present false data, receive sensitive
information and/or provide a false-positive belief that configuration information and/or provide a false-positive belief that configuration
was actually received and acted upon. Authenticating and verifying was actually received and acted upon. Authenticating and verifying
the identity of the DTLS server and the DTLS client for all the identity of the DTLS server and the DTLS client for all
operations ensures the authenticity of the SNMP engine that provides operations ensures the authenticity of the SNMP engine that provides
MIB data. MIB data.
The instructions found in the DESCRIPTION clause of the
dtlstmCertificateToSNTable object must be followed exactly.
Specifically, it is important that if a row matching a certificate or
a certificate's issuer is found but the translation to a securityName
using the row fails that the lookup process stops and no further rows
are consulted. It is also important that the rows of the table be
search in order starting with the row containing the lowest numbered
dtlstmCertID value.
9.2. Use with SNMPv1/SNMPv2c Messages 9.2. Use with SNMPv1/SNMPv2c Messages
The SNMPv1 and SNMPv2c message processing described in RFC3484 (BCP The SNMPv1 and SNMPv2c message processing described in RFC3484 (BCP
74) [RFC3584] always selects the SNMPv1(1) Security Model for an 74) [RFC3584] always selects the SNMPv1(1) Security Model for an
SNMPv1 message, or the SNMPv2c(2) Security Model for an SNMPv2c SNMPv1 message, or the SNMPv2c(2) Security Model for an SNMPv2c
message. When running SNMPv1/SNMPv2c over a secure transport like message. When running SNMPv1/SNMPv2c over a secure transport like
the DTLS Transport Model, the securityName and securityLevel used for the DTLS Transport Model, the securityName and securityLevel used for
access control decisions are then derived from the community string, access control decisions are then derived from the community string,
not the authenticated identity and securityLevel provided by the DTLS not the authenticated identity and securityLevel provided by the DTLS
Transport Model. Transport Model.
9.3. MIB Module Security 9.3. MIB Module Security
The MIB objects in this document should be protected with an adequate The MIB objects in this document must be protected with an adequate
level of at least integrity protection, especially those objects level of at least integrity protection, especially those objects
which are writable. Since knowledge of authorization and certificate which are writable. Since knowledge of authorization rules and
usage mechanisms may be considered sensitive, protection from certificate usage mechanisms may be considered sensitive, protection
disclosure of the SNMP traffic via encryption is also recommended. from disclosure of the SNMP traffic via encryption is also highly
recommended.
SNMP versions prior to SNMPv3 did not include adequate security. SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPSec or Even if the network itself is secure (for example by using IPSec or
DTLS) there is no control as to who on the secure network is allowed DTLS) there is no control as to who on the secure network is allowed
to access and GET/SET (read/change/create/delete) the objects in this to access and GET/SET (read/change/create/delete) the objects in this
MIB module. MIB module.
It is RECOMMENDED that implementers consider the security features as It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see section 8 of [RFC3410]), provided by the SNMPv3 framework (see section 8 of [RFC3410]),
including full support for the USM (see [RFC3414]) and the DTLS including full support for the USM (see [RFC3414]) and the DTLS
skipping to change at page 54, line 5 skipping to change at page 56, line 28
vacmViewTreeFamilyTable vacmViewTreeFamilyTable
The only table that needs to be discussed as particularly different The only table that needs to be discussed as particularly different
here is the vacmSecurityToGroupTable. This table is indexed by both here is the vacmSecurityToGroupTable. This table is indexed by both
the SNMPv3 security model and the security name. The security model, the SNMPv3 security model and the security name. The security model,
when DTLSTM is in use, should be set to the value of XXX when DTLSTM is in use, should be set to the value of XXX
corresponding to the TSM [I-D.ietf-isms-transport-security-model]. corresponding to the TSM [I-D.ietf-isms-transport-security-model].
An example vacmSecurityToGroupTable row might be filled out as An example vacmSecurityToGroupTable row might be filled out as
follows (using a single SNMP SET request): follows (using a single SNMP SET request):
vacmSecurityModel = XXX:TSM Note to RFC editor: replace XXX in the previous paragraph above with
the actual IANA-assigned number for the TSM security model and remove
this note.
vacmSecurityModel = XXX (TSM)
vacmSecurityName = "blueberry" vacmSecurityName = "blueberry"
vacmGroupaName = "administrators" vacmGroupaName = "administrators"
vacmSecurityToGroupStorageType = 3 (nonVolatile) vacmSecurityToGroupStorageType = 3 (nonVolatile)
vacmSecurityToGroupStatus = 4 (createAndGo) vacmSecurityToGroupStatus = 4 (createAndGo)
Note to RFC editor: replace XXX with the actual IANA-assigned number Note to RFC editor: replace XXX in the vacmSecurityModel line above
for the TSM security model and remove this note. with the actual IANA-assigned number for the TSM security model and
remove this note.
This example will assume that the "administrators" group has been This example will assume that the "administrators" group has been
given proper permissions via rows in the vacmAccessTable and given proper permissions via rows in the vacmAccessTable and
vacmViewTreeFamilyTable. vacmViewTreeFamilyTable.
Depending on whether this VACM configuration is for a Command Depending on whether this VACM configuration is for a Command
Responder or a Command Generator the security name "blueberry" will Responder or a Command Generator the security name "blueberry" will
come from a few different locations. come from a few different locations.
For Notification Generator's performing authorization checks, the For Notification Generator's performing authorization checks, the
skipping to change at page 54, line 38 skipping to change at page 57, line 18
in the dtlstmParamsTable. The dtlstmParamsTable augments the SNMP- in the dtlstmParamsTable. The dtlstmParamsTable augments the SNMP-
TARGET-MIB's snmpTargetParamsTable with client-side certificate TARGET-MIB's snmpTargetParamsTable with client-side certificate
information. information.
For Command Responder applications, the vacmSecurityName "blueberry" For Command Responder applications, the vacmSecurityName "blueberry"
value is a value that needs to come from an incoming DTLS session. value is a value that needs to come from an incoming DTLS session.
The mapping from a recevied DTLS client certificate to a securityName The mapping from a recevied DTLS client certificate to a securityName
is done with the dtlstmCertificateToSNTable. The certificates must is done with the dtlstmCertificateToSNTable. The certificates must
be loaded into the device so that a dtlstmCertificateToSNEntry may be loaded into the device so that a dtlstmCertificateToSNEntry may
refer to it. As an example, consider the following entry which will refer to it. As an example, consider the following entry which will
provide a mapping from a X.509 Issuer's Distinguished Name directly provide a mapping from a X.509's hash fingerprint directly to the
to the "blueberry" securityName: "blueberry" securityName:
dtlstmCertID = 1 (arbitrarily chosen) dtlstmCertID = 1 (arbitrarily chosen)
dtlstmCertIssuerDN = "C=US, ST=California, ..., CN=hardaker" dtlstmCertHashType = sha256
dtlstmCertHashValue = (appropriate sha256 fingerprint)
dtlstmCertMapType = specified(1) dtlstmCertMapType = specified(1)
dtlstmCertSecurityName = "blueberry" dtlstmCertSecurityName = "blueberry"
dtlstmCertStorageType = 3 (nonVolatile) dtlstmCertStorageType = 3 (nonVolatile)
dtlstmCertRowStatus = 4 (createAndGo) dtlstmCertRowStatus = 4 (createAndGo)
The above is an example of how to map a particular certificate to a The above is an example of how to map a particular certificate to a
particular securityName. It is recommended that users make use of particular securityName. It is recommended that users make use of
direct CommonName mappings where possible since it will provide a direct subjectAltName or CommonName mappings where possible since it
more scalable approach to certificate management. If the following will provide a more scalable approach to certificate management.
entry was created: This entry provides an example of using a subjectAltName mapping:
dtlstmCertID = 1 (arbitrarily chosen) dtlstmCertID = 1 (arbitrarily chosen)
dtlstmCertIssuerDN = "C=US, ST=California, L=Davis, O=SuprIDs, ..." dtlstmCertHashType = sha256
dtlstmCertMapType = byCN(2) dtlstmCertHashValue = (appropriate sha256 fingerprint)
dtlstmCertStorageType = 3 (nonVolatile) dtlstmCertMapType = bySubjectAltName(2)
dtlstmCertRowStatus = 4 (createAndGo) dtlstmCertStorageType = 3 (nonVolatile)
dtlstmCertRowStatus = 4 (createAndGo)
The above entry indicates the CommonName field for that particular The above entry indicates the subjectAltName field for certificates
Issuer will be trusted to always produce common names that are created by an Issuing certificate with a corresponding hash type and
value will be trusted to always produce common names that are
directly 1 to 1 mappable into SNMPv3 securityNames. This type of directly 1 to 1 mappable into SNMPv3 securityNames. This type of
configuration should only be used when the CA is carefully configuration should only be used when the certificate authorities
controlled. naming conventions are carefully controlled.
For the example, if the incoming DTLS client provided certificate For the example, if the incoming DTLS client provided certificate
contained a Subject with a CommonName of "blueberry" and the contained a subjectAltName of "blueberry" and the certificate was
certificate was signed by the CA matching the dtlstmCertIssuerDN signed by a certificate matching the dtlstmCertHashType and
value above and the CA's certificate was properly installed on the dtlstmCertHashValue values above and the CA's certificate was
device then the CommonName of "blueberry" would be used as the properly installed on the device then the CommonName of "blueberry"
securityName for the session. would be used as the securityName for the session.
Author's Address Author's Address
Wes Hardaker Wes Hardaker
Sparta, Inc. Sparta, Inc.
P.O. Box 382 P.O. Box 382
Davis, CA 95617 Davis, CA 95617
US US
Phone: +1 530 792 1913 Phone: +1 530 792 1913
 End of changes. 59 change blocks. 
155 lines changed or deleted 288 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/