| < draft-ietf-isms-dtls-tm-06.txt | draft-ietf-isms-dtls-tm-07.txt > | |||
|---|---|---|---|---|
| ISMS W. Hardaker | ISMS W. Hardaker | |||
| Internet-Draft Sparta, Inc. | Internet-Draft Sparta, Inc. | |||
| Intended status: Standards Track January 27, 2010 | Intended status: Standards Track January 27, 2010 | |||
| Expires: July 31, 2010 | Expires: July 31, 2010 | |||
| Transport Layer Security (TLS) Transport Model for SNMP | Transport Layer Security (TLS) Transport Model for SNMP | |||
| draft-ietf-isms-dtls-tm-06.txt | draft-ietf-isms-dtls-tm-07.txt | |||
| Abstract | Abstract | |||
| This document describes a Transport Model for the Simple Network | This document describes a Transport Model for the Simple Network | |||
| Management Protocol (SNMP), that uses either the Transport Layer | Management Protocol (SNMP), that uses either the Transport Layer | |||
| Security protocol or the Datagram Transport Layer Security (DTLS) | Security protocol or the Datagram Transport Layer Security (DTLS) | |||
| protocol. The TLS and DTLS protocols provide authentication and | protocol. The TLS and DTLS protocols provide authentication and | |||
| privacy services for SNMP applications. This document describes how | privacy services for SNMP applications. This document describes how | |||
| the TLS Transport Model (TLSTM) implements the needed features of a | the TLS Transport Model (TLSTM) implements the needed features of a | |||
| SNMP Transport Subsystem to make this protection possible in an | SNMP Transport Subsystem to make this protection possible in an | |||
| skipping to change at page 3, line 36 ¶ | skipping to change at page 3, line 36 ¶ | |||
| 4.4.1.1. tmSecurityName . . . . . . . . . . . . . . . . . . 19 | 4.4.1.1. tmSecurityName . . . . . . . . . . . . . . . . . . 19 | |||
| 4.4.1.2. tmSessionID . . . . . . . . . . . . . . . . . . . 19 | 4.4.1.2. tmSessionID . . . . . . . . . . . . . . . . . . . 19 | |||
| 4.4.1.3. Session State . . . . . . . . . . . . . . . . . . 19 | 4.4.1.3. Session State . . . . . . . . . . . . . . . . . . 19 | |||
| 5. Elements of Procedure . . . . . . . . . . . . . . . . . . . . 19 | 5. Elements of Procedure . . . . . . . . . . . . . . . . . . . . 19 | |||
| 5.1. Procedures for an Incoming Message . . . . . . . . . . . . 20 | 5.1. Procedures for an Incoming Message . . . . . . . . . . . . 20 | |||
| 5.1.1. DTLS Processing for Incoming Messages . . . . . . . . 20 | 5.1.1. DTLS Processing for Incoming Messages . . . . . . . . 20 | |||
| 5.1.2. Transport Processing for Incoming SNMP Messages . . . 22 | 5.1.2. Transport Processing for Incoming SNMP Messages . . . 22 | |||
| 5.2. Procedures for an Outgoing SNMP Message . . . . . . . . . 23 | 5.2. Procedures for an Outgoing SNMP Message . . . . . . . . . 23 | |||
| 5.3. Establishing a Session . . . . . . . . . . . . . . . . . . 24 | 5.3. Establishing a Session . . . . . . . . . . . . . . . . . . 24 | |||
| 5.4. Closing a Session . . . . . . . . . . . . . . . . . . . . 27 | 5.4. Closing a Session . . . . . . . . . . . . . . . . . . . . 27 | |||
| 6. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 27 | 6. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 6.1. Structure of the MIB Module . . . . . . . . . . . . . . . 28 | 6.1. Structure of the MIB Module . . . . . . . . . . . . . . . 28 | |||
| 6.2. Textual Conventions . . . . . . . . . . . . . . . . . . . 28 | 6.2. Textual Conventions . . . . . . . . . . . . . . . . . . . 28 | |||
| 6.3. Statistical Counters . . . . . . . . . . . . . . . . . . . 28 | 6.3. Statistical Counters . . . . . . . . . . . . . . . . . . . 28 | |||
| 6.4. Configuration Tables . . . . . . . . . . . . . . . . . . . 28 | 6.4. Configuration Tables . . . . . . . . . . . . . . . . . . . 28 | |||
| 6.4.1. Notifications . . . . . . . . . . . . . . . . . . . . 28 | 6.4.1. Notifications . . . . . . . . . . . . . . . . . . . . 29 | |||
| 6.5. Relationship to Other MIB Modules . . . . . . . . . . . . 29 | 6.5. Relationship to Other MIB Modules . . . . . . . . . . . . 29 | |||
| 6.5.1. MIB Modules Required for IMPORTS . . . . . . . . . . . 29 | 6.5.1. MIB Modules Required for IMPORTS . . . . . . . . . . . 29 | |||
| 7. MIB Module Definition . . . . . . . . . . . . . . . . . . . . 29 | 7. MIB Module Definition . . . . . . . . . . . . . . . . . . . . 29 | |||
| 8. Operational Considerations . . . . . . . . . . . . . . . . . . 50 | 8. Operational Considerations . . . . . . . . . . . . . . . . . . 51 | |||
| 8.1. Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 51 | 8.1. Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 51 | |||
| 8.2. Notification Receiver Credential Selection . . . . . . . . 51 | 8.2. Notification Receiver Credential Selection . . . . . . . . 52 | |||
| 8.3. contextEngineID Discovery . . . . . . . . . . . . . . . . 52 | 8.3. contextEngineID Discovery . . . . . . . . . . . . . . . . 52 | |||
| 8.4. Transport Considerations . . . . . . . . . . . . . . . . . 52 | 8.4. Transport Considerations . . . . . . . . . . . . . . . . . 52 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 52 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 53 | |||
| 9.1. Certificates, Authentication, and Authorization . . . . . 52 | 9.1. Certificates, Authentication, and Authorization . . . . . 53 | |||
| 9.2. Use with SNMPv1/SNMPv2c Messages . . . . . . . . . . . . . 53 | 9.2. Use with SNMPv1/SNMPv2c Messages . . . . . . . . . . . . . 54 | |||
| 9.3. MIB Module Security . . . . . . . . . . . . . . . . . . . 54 | 9.3. MIB Module Security . . . . . . . . . . . . . . . . . . . 54 | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 55 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 56 | |||
| 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 56 | 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 57 | |||
| 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 57 | 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 58 | |||
| 12.1. Normative References . . . . . . . . . . . . . . . . . . . 57 | 12.1. Normative References . . . . . . . . . . . . . . . . . . . 58 | |||
| 12.2. Informative References . . . . . . . . . . . . . . . . . . 58 | 12.2. Informative References . . . . . . . . . . . . . . . . . . 59 | |||
| Appendix A. (D)TLS Overview . . . . . . . . . . . . . . . . . . . 59 | Appendix A. (D)TLS Overview . . . . . . . . . . . . . . . . . . . 60 | |||
| A.1. The (D)TLS Record Protocol . . . . . . . . . . . . . . . . 59 | A.1. The (D)TLS Record Protocol . . . . . . . . . . . . . . . . 60 | |||
| A.2. The (D)TLS Handshake Protocol . . . . . . . . . . . . . . 60 | A.2. The (D)TLS Handshake Protocol . . . . . . . . . . . . . . 61 | |||
| Appendix B. PKIX Certificate Infrastructure . . . . . . . . . . . 61 | Appendix B. PKIX Certificate Infrastructure . . . . . . . . . . . 62 | |||
| Appendix C. Target and Notification Configuration Example . . . . 62 | Appendix C. Target and Notification Configuration Example . . . . 63 | |||
| C.1. Configuring the Notification Originator . . . . . . . . . 63 | C.1. Configuring the Notification Originator . . . . . . . . . 64 | |||
| C.2. Configuring the Command Responder . . . . . . . . . . . . 63 | C.2. Configuring the Command Responder . . . . . . . . . . . . 64 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 64 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 65 | |||
| 1. Introduction | 1. Introduction | |||
| It is important to understand the modular SNMPv3 architecture as | It is important to understand the modular SNMPv3 architecture as | |||
| defined by [RFC3411] and enhanced by the Transport Subsystem | defined by [RFC3411] and enhanced by the Transport Subsystem | |||
| [RFC5590]. It is also important to understand the terminology of the | [RFC5590]. It is also important to understand the terminology of the | |||
| SNMPv3 architecture in order to understand where the Transport Model | SNMPv3 architecture in order to understand where the Transport Model | |||
| described in this document fits into the architecture and how it | described in this document fits into the architecture and how it | |||
| interacts with the other architecture subsystems. For a detailed | interacts with the other architecture subsystems. For a detailed | |||
| overview of the documents that describe the current Internet-Standard | overview of the documents that describe the current Internet-Standard | |||
| skipping to change at page 21, line 47 ¶ | skipping to change at page 21, line 47 ¶ | |||
| previously (as described both above and in Section 5.3) even if | previously (as described both above and in Section 5.3) even if | |||
| no message had yet been sent through the newly established | no message had yet been sent through the newly established | |||
| session. An entry may not exist, however, if a message not | session. An entry may not exist, however, if a message not | |||
| intended the SNMP entity was routed to it by mistake. An entry | intended the SNMP entity was routed to it by mistake. An entry | |||
| might also be missing because of a "broken" session (see | might also be missing because of a "broken" session (see | |||
| operational considerations). | operational considerations). | |||
| 3) Retrieve the tlstmSessionID from the LCD. | 3) Retrieve the tlstmSessionID from the LCD. | |||
| 4) The UDP packet and the tlstmSessionID are passed to DTLS for | 4) The UDP packet and the tlstmSessionID are passed to DTLS for | |||
| integrity checking and decryption. | integrity checking and decryption. If processing does not return | |||
| an incomingMessage and an incomingMessageLength then processing | ||||
| If the message fails integrity checks or other (D)TLS security | stops. | |||
| processing then increment the tlstmDTLSProtectionErrors counter, | ||||
| discard and stop processing the message. | ||||
| 5) DTLS should return an incomingMessage and an | 5) Retrieve the incomingMessage and an incomingMessageLength from | |||
| incomingMessageLength. These results and the tlstmSessionID are | DTLS. These results and the tlstmSessionID are used below in | |||
| used below in Section 5.1.2 to complete the processing of the | Section 5.1.2 to complete the processing of the incoming message. | |||
| incoming message. | ||||
| 5.1.2. Transport Processing for Incoming SNMP Messages | 5.1.2. Transport Processing for Incoming SNMP Messages | |||
| The procedures in this section describe how the TLS Transport Model | The procedures in this section describe how the TLS Transport Model | |||
| should process messages that have already been properly extracted | should process messages that have already been properly extracted | |||
| from the (D)TLS stream. Note that care must be taken when processing | from the (D)TLS stream. Note that care must be taken when processing | |||
| messages originating from either TLS or DTLS to ensure they're | messages originating from either TLS or DTLS to ensure they're | |||
| complete and single. For example, multiple SNMP messages can be | complete and single. For example, multiple SNMP messages can be | |||
| passed through a single DTLS message and partial SNMP messages may be | passed through a single DTLS message and partial SNMP messages may be | |||
| received from a TLS stream. These steps describe the processing of a | received from a TLS stream. These steps describe the processing of a | |||
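Review bot: step 4 in -07 drops the only error branch for the DTLS record layer. The -06 text said a message that fails integrity checks or other (D)TLS security processing increments a protection-error counter and is discarded; the -07 text only says processing stops when DTLS returns no incomingMessage. Combined with the removal of snmpTlstmTLSProtectionErrors from the MIB later in this diff, forged, replayed or undecryptable DTLS records now leave no observable trace at all, and that counter is the cheapest indicator an operator has of tampering or a mis-keyed peer. The -06 wording was itself inconsistent (it named the counter tlstmDTLSProtectionErrors while the MIB object was snmpTlstmTLSProtectionErrors), so the fix is to keep the MIB name rather than delete the branch, e.g. "If the message fails integrity checks or other (D)TLS security processing then increment the snmpTlstmTLSProtectionErrors counter, discard the message and stop processing." Nit in the unchanged context: "a message not intended the SNMP entity" is missing "for".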
| skipping to change at page 26, line 5 ¶ | skipping to change at page 26, line 5 ¶ | |||
| certificate invalidation includes, but is not limited to, | certificate invalidation includes, but is not limited to, | |||
| cryptographic validation failures and an unexpected presented | cryptographic validation failures and an unexpected presented | |||
| certificate identity. | certificate identity. | |||
| 3) Once a (D)TLS secured session is established and both sides have | 3) Once a (D)TLS secured session is established and both sides have | |||
| verified the authenticity of the peer's certificate (e.g. | verified the authenticity of the peer's certificate (e.g. | |||
| [RFC5280]) then each side will determine and/or check the | [RFC5280]) then each side will determine and/or check the | |||
| identity of the remote entity using the procedures described | identity of the remote entity using the procedures described | |||
| below. | below. | |||
| a) The (D)TLS server side of the connection identifies the | a) The (D)TLS server side of the connection increments the | |||
| snmpTlstmSessionServerOpens counter and identifies the | ||||
| authenticated identity from the (D)TLS client's principal | authenticated identity from the (D)TLS client's principal | |||
| certificate using configuration information from the | certificate using configuration information from the | |||
| tlstmCertToTSNTable mapping table. The (D)TLS server MUST | tlstmCertToTSNTable mapping table. The (D)TLS server MUST | |||
| request and expect a certificate from the client and MUST NOT | request and expect a certificate from the client and MUST NOT | |||
| accept SNMP messages over the (D)TLS session until the client | accept SNMP messages over the (D)TLS session until the client | |||
| has sent a certificate and it has been authenticated. The | has sent a certificate and it has been authenticated. The | |||
| resulting derived tmSecurityName is recorded in the | resulting derived tmSecurityName is recorded in the | |||
| tmStateReference cache as tmSecurityName. The details of the | tmStateReference cache as tmSecurityName. The details of the | |||
| lookup process are fully described in the DESCRIPTION clause | lookup process are fully described in the DESCRIPTION clause | |||
| of the tlstmCertToTSNTable MIB object. If any verification | of the tlstmCertToTSNTable MIB object. If any verification | |||
| fails in any way (for example because of failures in | fails in any way (for example because of failures in | |||
| cryptographic verification or because of the lack of an | cryptographic verification or because of the lack of an | |||
| appropriate row in the tlstmCertToTSNTable) then the session | appropriate row in the tlstmCertToTSNTable) then the session | |||
| establishment MUST fail, the | establishment MUST fail, the | |||
| snmpTlstmSessionInvalidClientCertificates object is | snmpTlstmSessionInvalidClientCertificates object is | |||
| incremented and processing stops. | incremented. If the session can not be opened for any reason | |||
| at all, including cryptographic verification failures, then | ||||
| the snmpTlstmSessionClientOpenErrors counter is incremented | ||||
| and processing stops. | ||||
| b) The (D)TLS client side of the connection MUST verify that the | b) The (D)TLS client side of the connection increments the | |||
| (D)TLS server's presented certificate is the expected | snmpTlstmSessionClientOpens counter. The (D)TLS client side | |||
| certificate. The (D)TLS client MUST NOT transmit SNMP | of the connection MUST then verify that the (D)TLS server's | |||
| messages until the server certificate has been authenticated | presented certificate is the expected certificate. The | |||
| and the client certificate has been transmitted. | (D)TLS client MUST NOT transmit SNMP messages until the | |||
| server certificate has been authenticated and the client | ||||
| certificate has been transmitted. | ||||
| If the connection is being established from configuration | If the connection is being established from configuration | |||
| based on SNMP-TARGET-MIB configuration then the procedures in | based on SNMP-TARGET-MIB configuration then the procedures in | |||
| the tlstmAddrTable DESCRIPTION clause should be followed to | the tlstmAddrTable DESCRIPTION clause should be followed to | |||
| determine if the presented identity matches the expectations | determine if the presented identity matches the expectations | |||
| of the configuration. Validation procedures (like the path | of the configuration. Validation procedures (like the path | |||
| validation procedures defined in [RFC5280] or through the use | validation procedures defined in [RFC5280] or through the use | |||
| of fingerprints as defined by the tlstmAddrServerIdentity | of fingerprints as defined by the tlstmAddrServerIdentity | |||
| column) MUST be followed. If a server identity name has been | column) MUST be followed. If a server identity name has been | |||
| configured in the tlstmAddrServerIdentity column then this | configured in the tlstmAddrServerIdentity column then this | |||
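Review bot: the new server-side failure sentence in step 3a increments the wrong counter. "If the session can not be opened for any reason at all ... then the snmpTlstmSessionClientOpenErrors counter is incremented" appears in the (D)TLS server branch, where the object added in this revision for that purpose is snmpTlstmSessionServerOpenErrors ({ snmpTlstmSession 6 }); the identical sentence in step 3b is the one that should name the client counter. A second problem is where the Opens counters are incremented: both snmpTlstmSessionServerOpens and snmpTlstmSessionClientOpens are bumped inside step 3, which begins "Once a (D)TLS secured session is established", yet their DESCRIPTION clauses say they count attempts "whether it succeeded or failed". A handshake that fails in steps 1 or 2 never reaches step 3, so those attempts are never counted and Opens minus OpenErrors will not equal the number of successful sessions. Suggest incrementing the Opens counters at the start of the procedure, before the handshake, and correcting the counter name in 3a.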
| skipping to change at page 27, line 4 ¶ | skipping to change at page 27, line 10 ¶ | |||
| configuration and procedures outside the scope of this | configuration and procedures outside the scope of this | |||
| document should be followed. | document should be followed. | |||
| (D)TLS provides assurance that the authenticated identity has | (D)TLS provides assurance that the authenticated identity has | |||
| been signed by a trusted configured certificate authority. | been signed by a trusted configured certificate authority. | |||
| If verification of the server's certificate fails in any way | If verification of the server's certificate fails in any way | |||
| (for example because of failures in cryptographic | (for example because of failures in cryptographic | |||
| verification or the presented identity did not match the | verification or the presented identity did not match the | |||
| expected named entity) then the session establishment MUST | expected named entity) then the session establishment MUST | |||
| fail, the snmpTlstmSessionInvalidServerCertificates object is | fail, the snmpTlstmSessionInvalidServerCertificates object is | |||
| incremented and processing stops. | incremented. If the session can not be opened for any reason | |||
| at all, including cryptographic verification failures, then | ||||
| the snmpTlstmSessionClientOpenErrors counter is incremented | ||||
| and processing stops. | ||||
| 4) The TLSTM-specific session identifier (tlstmSessionID) is set in | 4) The TLSTM-specific session identifier (tlstmSessionID) is set in | |||
| the tmSessionID of the tmStateReference passed to the TLS | the tmSessionID of the tmStateReference passed to the TLS | |||
| Transport Model to indicate that the session has been established | Transport Model to indicate that the session has been established | |||
| successfully and to point to a specific (D)TLS session for future | successfully and to point to a specific (D)TLS session for future | |||
| use. The tlstmSessionID is also stored in the LCD for later | use. The tlstmSessionID is also stored in the LCD for later | |||
| lookup during processing of incoming messages (Section 5.1.2). | lookup during processing of incoming messages (Section 5.1.2). | |||
| Servers that wish to support multiple principals at a particular port | Servers that wish to support multiple principals at a particular port | |||
| SHOULD make use of a (D)TLS extension that allows server-side | SHOULD make use of a (D)TLS extension that allows server-side | |||
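Review bot: the client-side failure path still never says when snmpTlstmSessionUnknownServerCertificate is incremented. This hunk routes every server-certificate failure, including "the presented identity did not match the expected named entity", to snmpTlstmSessionInvalidServerCertificates, but the MIB in this same diff distinguishes that object (a cryptographic validation error when the fingerprint or expected path was known) from snmpTlstmSessionUnknownServerCertificate (no tlstmAddrTable entry, or no path to a known CA). Suggest splitting the sentence: a missing tlstmAddrTable row or no acceptable fingerprint or CA increments UnknownServerCertificate, a cryptographic or identity-match failure increments InvalidServerCertificates, and both then fall through to snmpTlstmSessionClientOpenErrors as the text already requires.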
| skipping to change at page 27, line 34 ¶ | skipping to change at page 27, line 43 ¶ | |||
| statusInformation = | statusInformation = | |||
| closeSession( | closeSession( | |||
| IN tmSessionID -- session ID of the session to be closed | IN tmSessionID -- session ID of the session to be closed | |||
| ) | ) | |||
| The following describes the procedure to follow to close a session | The following describes the procedure to follow to close a session | |||
| between a client and server. This process is followed by any SNMP | between a client and server. This process is followed by any SNMP | |||
| engine closing the corresponding SNMP session. | engine closing the corresponding SNMP session. | |||
| 1) Increment the snmpTlstmSessionCloses counter. | 1) Increment either the snmpTlstmSessionClientCloses or the | |||
| snmpTlstmSessionServerCloses counter as appropriate. | ||||
| 2) Look up the session using the tmSessionID. | 2) Look up the session using the tmSessionID. | |||
| 3) If there is no open session associated with the tmSessionID, then | 3) If there is no open session associated with the tmSessionID, then | |||
| closeSession processing is completed. | closeSession processing is completed. | |||
| 4) Have (D)TLS close the specified session. This SHOULD include | 4) Have (D)TLS close the specified session. This SHOULD include | |||
| sending a close_notify TLS Alert to inform the other side that | sending a close_notify TLS Alert to inform the other side that | |||
| session cleanup may be performed. | session cleanup may be performed. | |||
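Review bot: step 1 now says "Increment either the snmpTlstmSessionClientCloses or the snmpTlstmSessionServerCloses counter as appropriate", but the only place the role of a session is recorded is the session entry, which is not looked up until step 2, and step 3 covers the case where no session exists for the tmSessionID at all. As ordered, the procedure asks the implementation to pick a counter before it has the information needed to pick. Either move the increment after the lookup and state what happens when the lookup fails (the DESCRIPTION clauses say the Closes counters count requests "whether it succeeded or failed", so a close of an unknown tmSessionID presumably still has to be counted somewhere), or say explicitly that the role is the one recorded in the LCD for that tmSessionID when the session was established.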
| skipping to change at page 35, line 51 ¶ | skipping to change at page 36, line 16 ¶ | |||
| STATUS current | STATUS current | |||
| DESCRIPTION "Maps a certificate's CommonName to a | DESCRIPTION "Maps a certificate's CommonName to a | |||
| tmSecurityName by directly passing the value without | tmSecurityName by directly passing the value without | |||
| any transformations." | any transformations." | |||
| ::= { tlstmCertToTSNMIdentities 6 } | ::= { tlstmCertToTSNMIdentities 6 } | |||
| -- The snmpTlstmSession Group | -- The snmpTlstmSession Group | |||
| snmpTlstmSession OBJECT IDENTIFIER ::= { tlstmObjects 1 } | snmpTlstmSession OBJECT IDENTIFIER ::= { tlstmObjects 1 } | |||
| snmpTlstmSessionOpens OBJECT-TYPE | snmpTlstmSessionClientOpens OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times an openSession() request has been | "The number of times an openSession() request has been | |||
| executed as an (D)TLS client, whether it succeeded or failed." | executed as an (D)TLS client, whether it succeeded or failed." | |||
| ::= { snmpTlstmSession 1 } | ::= { snmpTlstmSession 1 } | |||
| snmpTlstmSessionCloses OBJECT-TYPE | snmpTlstmSessionClientCloses OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times a closeSession() request has been | "The number of times a closeSession() request has been | |||
| executed as an (D)TLS client, whether it succeeded or failed." | executed as an (D)TLS client, whether it succeeded or failed." | |||
| ::= { snmpTlstmSession 2 } | ::= { snmpTlstmSession 2 } | |||
| snmpTlstmSessionOpenErrors OBJECT-TYPE | snmpTlstmSessionClientOpenErrors OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times an openSession() request failed to open a | "The number of times an openSession() request failed to open a | |||
| session as a (D)TLS client, for any reason." | session as a (D)TLS client, for any reason." | |||
| ::= { snmpTlstmSession 3 } | ::= { snmpTlstmSession 3 } | |||
| snmpTlstmSessionServerOpens OBJECT-TYPE | ||||
| SYNTAX Counter32 | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "The number of times an openSession request has been | ||||
| executed as an (D)TLS server, whether it succeeded or failed." | ||||
| ::= { snmpTlstmSession 4 } | ||||
| snmpTlstmSessionServerCloses OBJECT-TYPE | ||||
| SYNTAX Counter32 | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "The number of times a closeSession() request has been | ||||
| executed as an (D)TLS server, whether it succeeded or failed." | ||||
| ::= { snmpTlstmSession 5 } | ||||
| snmpTlstmSessionServerOpenErrors OBJECT-TYPE | ||||
| SYNTAX Counter32 | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "The number of times an openSession() request failed to open a | ||||
| session as a (D)TLS server for any reason." | ||||
| ::= { snmpTlstmSession 6 } | ||||
| snmpTlstmSessionNoSessions OBJECT-TYPE | snmpTlstmSessionNoSessions OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times an outgoing message was dropped because | "The number of times an outgoing message was dropped because | |||
| the session associated with the passed tmStateReference was no | the session associated with the passed tmStateReference was no | |||
| longer (or was never) available." | longer (or was never) available." | |||
| ::= { snmpTlstmSession 4 } | ::= { snmpTlstmSession 7 } | |||
| snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE | snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times an incoming session was not established | "The number of times an incoming session was not established | |||
| on an (D)TLS server because the presented client certificate was | on an (D)TLS server because the presented client certificate was | |||
| invalid. Reasons for invalidation include, but are not | invalid. Reasons for invalidation include, but are not | |||
| limited to, cryptographic validation failures or lack of a | limited to, cryptographic validation failures or lack of a | |||
| suitable mapping row in the tlstmCertToTSNTable." | suitable mapping row in the tlstmCertToTSNTable." | |||
| ::= { snmpTlstmSession 5 } | ::= { snmpTlstmSession 8 } | |||
| snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE | snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times an outgoing session was not established | "The number of times an outgoing session was not established | |||
| on an (D)TLS client because the server certificate presented | on an (D)TLS client because the server certificate presented | |||
| by a SNMP over (D)TLS server was invalid because no | by a SNMP over (D)TLS server was invalid because no | |||
| configured fingerprint or CA was acceptable to validate it. | configured fingerprint or CA was acceptable to validate it. | |||
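Review bot: splitting the old Opens/Closes/OpenErrors objects into Client* and Server* variants shifts the OID of every later object in the group (snmpTlstmSessionNoSessions moves from { snmpTlstmSession 4 } to 7, snmpTlstmSessionInvalidClientCertificates from 5 to 8, and the renumbering continues into the next hunk). That is legitimate for an unpublished draft, but it deserves a line in the change log, since anything polling a -06 implementation will now read a different counter at the old OIDs. Two wording points in the new objects: the snmpTlstmSessionServerOpens DESCRIPTION says "openSession request" without the "()" its siblings use, and "executed as an (D)TLS server" reads oddly for a server that accepts rather than opens sessions; the phrasing already used by snmpTlstmSessionInvalidClientCertificates in this hunk, "an incoming session ... on an (D)TLS server", describes the counted event more accurately. Likewise "as a (D)TLS server for any reason" in snmpTlstmSessionServerOpenErrors is missing the comma present in the client counterpart.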
| skipping to change at page 37, line 12 ¶ | skipping to change at page 38, line 4 ¶ | |||
| snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE | snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times an outgoing session was not established | "The number of times an outgoing session was not established | |||
| on an (D)TLS client because the server certificate presented | on an (D)TLS client because the server certificate presented | |||
| by a SNMP over (D)TLS server was invalid because no | by a SNMP over (D)TLS server was invalid because no | |||
| configured fingerprint or CA was acceptable to validate it. | configured fingerprint or CA was acceptable to validate it. | |||
| This may result because there was no entry in the | This may result because there was no entry in the | |||
| tlstmAddrTable or because no path could be found to a known | tlstmAddrTable or because no path could be found to a known | |||
| certificate authority." | certificate authority." | |||
| ::= { snmpTlstmSession 6 } | ::= { snmpTlstmSession 9 } | |||
| snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE | snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times an outgoing session was not established | "The number of times an outgoing session was not established | |||
| on an (D)TLS client because the server certificate presented | on an (D)TLS client because the server certificate presented | |||
| by an SNMP over (D)TLS server could not be validated even if | by an SNMP over (D)TLS server could not be validated even if | |||
| the fingerprint or expected validation path was known. I.E., | the fingerprint or expected validation path was known. I.E., | |||
| a cryptographic validation error occurred during certificate | a cryptographic validation error occurred during certificate | |||
| validation processing. | validation processing. | |||
| Reasons for invalidation include, but are not | Reasons for invalidation include, but are not | |||
| limited to, cryptographic validation failures." | limited to, cryptographic validation failures." | |||
| ::= { snmpTlstmSession 7 } | ::= { snmpTlstmSession 10 } | |||
| snmpTlstmSessionInvalidCaches OBJECT-TYPE | snmpTlstmSessionInvalidCaches OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of outgoing messages dropped because the | "The number of outgoing messages dropped because the | |||
| tmStateReference referred to an invalid cache." | tmStateReference referred to an invalid cache." | |||
| ::= { snmpTlstmSession 8 } | ::= { snmpTlstmSession 11 } | |||
| snmpTlstmTLSProtectionErrors OBJECT-TYPE | ||||
| SYNTAX Counter32 | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "The number of times (D)TLS processing resulted in a message | ||||
| being discarded because it failed its integrity test, | ||||
| decryption processing or other (D)TLS processing." | ||||
| ::= { snmpTlstmSession 9 } | ||||
| -- Configuration Objects | -- Configuration Objects | |||
| tlstmConfig OBJECT IDENTIFIER ::= { tlstmObjects 2 } | tlstmConfig OBJECT IDENTIFIER ::= { tlstmObjects 2 } | |||
| -- Certificate mapping | -- Certificate mapping | |||
| tlstmCertificateMapping OBJECT IDENTIFIER ::= { tlstmConfig 1 } | tlstmCertificateMapping OBJECT IDENTIFIER ::= { tlstmConfig 1 } | |||
| tlstmCertToTSNCount OBJECT-TYPE | tlstmCertToTSNCount OBJECT-TYPE | |||
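Review bot: deleting snmpTlstmTLSProtectionErrors here (and from tlstmStatsGroup in the following hunk) removes the only object that counted messages discarded because they "failed [their] integrity test, decryption processing or other (D)TLS processing". Every counter left in the snmpTlstmSession group concerns session open/close or certificate validation; nothing covers post-handshake record-layer failures, which is the data an operator needs to distinguish an attacker injecting records from a peer with stale keys. If the object was dropped because the matching step in 5.1.1 was rewritten, suggest restoring both together rather than leaving the failure uncounted. The OID moves in this hunk (snmpTlstmSessionUnknownServerCertificate 6 to 9, snmpTlstmSessionInvalidServerCertificates 7 to 10, snmpTlstmSessionInvalidCaches 8 to 11) are consistent with the renumbering started in the previous hunk.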
| skipping to change at page 49, line 23 ¶ | skipping to change at page 50, line 5 ¶ | |||
| tlstmIncomingGroup, | tlstmIncomingGroup, | |||
| tlstmOutgoingGroup, | tlstmOutgoingGroup, | |||
| tlstmNotificationGroup } | tlstmNotificationGroup } | |||
| ::= { tlstmCompliances 1 } | ::= { tlstmCompliances 1 } | |||
| -- ************************************************ | -- ************************************************ | |||
| -- Units of conformance | -- Units of conformance | |||
| -- ************************************************ | -- ************************************************ | |||
| tlstmStatsGroup OBJECT-GROUP | tlstmStatsGroup OBJECT-GROUP | |||
| OBJECTS { | OBJECTS { | |||
| snmpTlstmSessionOpens, | snmpTlstmSessionClientOpens, | |||
| snmpTlstmSessionCloses, | snmpTlstmSessionClientCloses, | |||
| snmpTlstmSessionOpenErrors, | snmpTlstmSessionClientOpenErrors, | |||
| snmpTlstmSessionServerOpens, | ||||
| snmpTlstmSessionServerCloses, | ||||
| snmpTlstmSessionServerOpenErrors, | ||||
| snmpTlstmSessionNoSessions, | snmpTlstmSessionNoSessions, | |||
| snmpTlstmSessionInvalidClientCertificates, | snmpTlstmSessionInvalidClientCertificates, | |||
| snmpTlstmSessionUnknownServerCertificate, | snmpTlstmSessionUnknownServerCertificate, | |||
| snmpTlstmSessionInvalidServerCertificates, | snmpTlstmSessionInvalidServerCertificates, | |||
| snmpTlstmSessionInvalidCaches, | snmpTlstmSessionInvalidCaches | |||
| snmpTlstmTLSProtectionErrors | ||||
| } | } | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "A collection of objects for maintaining | "A collection of objects for maintaining | |||
| statistical information of an SNMP engine which | statistical information of an SNMP engine which | |||
| implements the SNMP TLS Transport Model." | implements the SNMP TLS Transport Model." | |||
| ::= { tlstmGroups 1 } | ::= { tlstmGroups 1 } | |||
| tlstmIncomingGroup OBJECT-GROUP | tlstmIncomingGroup OBJECT-GROUP | |||
| OBJECTS { | OBJECTS { | |||
| End of changes. 26 change blocks. | ||||
| 62 lines changed or deleted | 89 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||