| < draft-ietf-isms-dtls-tm-07.txt | draft-ietf-isms-dtls-tm-08.txt > | |||
|---|---|---|---|---|
| ISMS W. Hardaker | ISMS W. Hardaker | |||
| Internet-Draft Sparta, Inc. | Internet-Draft Sparta, Inc. | |||
| Intended status: Standards Track January 27, 2010 | Intended status: Standards Track February 2, 2010 | |||
| Expires: July 31, 2010 | Expires: August 6, 2010 | |||
| Transport Layer Security (TLS) Transport Model for SNMP | Transport Layer Security (TLS) Transport Model for SNMP | |||
| draft-ietf-isms-dtls-tm-07.txt | draft-ietf-isms-dtls-tm-08.txt | |||
| Abstract | Abstract | |||
| This document describes a Transport Model for the Simple Network | This document describes a Transport Model for the Simple Network | |||
| Management Protocol (SNMP), that uses either the Transport Layer | Management Protocol (SNMP), that uses either the Transport Layer | |||
| Security protocol or the Datagram Transport Layer Security (DTLS) | Security protocol or the Datagram Transport Layer Security (DTLS) | |||
| protocol. The TLS and DTLS protocols provide authentication and | protocol. The TLS and DTLS protocols provide authentication and | |||
| privacy services for SNMP applications. This document describes how | privacy services for SNMP applications. This document describes how | |||
| the TLS Transport Model (TLSTM) implements the needed features of a | the TLS Transport Model (TLSTM) implements the needed features of a | |||
| SNMP Transport Subsystem to make this protection possible in an | SNMP Transport Subsystem to make this protection possible in an | |||
| skipping to change at page 2, line 9 ¶ | skipping to change at page 2, line 9 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on July 31, 2010. | This Internet-Draft will expire on August 6, 2010. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 34 ¶ | skipping to change at page 3, line 34 ¶ | |||
| 4.4. Cached Information and References . . . . . . . . . . . . 18 | 4.4. Cached Information and References . . . . . . . . . . . . 18 | |||
| 4.4.1. TLS Transport Model Cached Information . . . . . . . . 18 | 4.4.1. TLS Transport Model Cached Information . . . . . . . . 18 | |||
| 4.4.1.1. tmSecurityName . . . . . . . . . . . . . . . . . . 19 | 4.4.1.1. tmSecurityName . . . . . . . . . . . . . . . . . . 19 | |||
| 4.4.1.2. tmSessionID . . . . . . . . . . . . . . . . . . . 19 | 4.4.1.2. tmSessionID . . . . . . . . . . . . . . . . . . . 19 | |||
| 4.4.1.3. Session State . . . . . . . . . . . . . . . . . . 19 | 4.4.1.3. Session State . . . . . . . . . . . . . . . . . . 19 | |||
| 5. Elements of Procedure . . . . . . . . . . . . . . . . . . . . 19 | 5. Elements of Procedure . . . . . . . . . . . . . . . . . . . . 19 | |||
| 5.1. Procedures for an Incoming Message . . . . . . . . . . . . 20 | 5.1. Procedures for an Incoming Message . . . . . . . . . . . . 20 | |||
| 5.1.1. DTLS Processing for Incoming Messages . . . . . . . . 20 | 5.1.1. DTLS Processing for Incoming Messages . . . . . . . . 20 | |||
| 5.1.2. Transport Processing for Incoming SNMP Messages . . . 22 | 5.1.2. Transport Processing for Incoming SNMP Messages . . . 22 | |||
| 5.2. Procedures for an Outgoing SNMP Message . . . . . . . . . 23 | 5.2. Procedures for an Outgoing SNMP Message . . . . . . . . . 23 | |||
| 5.3. Establishing a Session . . . . . . . . . . . . . . . . . . 24 | 5.3. Establishing or Accepting a Session . . . . . . . . . . . 25 | |||
| 5.4. Closing a Session . . . . . . . . . . . . . . . . . . . . 27 | 5.3.1. Establishing a Session as a Client . . . . . . . . . . 25 | |||
| | 5.3.2. Accepting a Session as a Server . . . . . . . . . . . 27 | |||
| | 5.4. Closing a Session . . . . . . . . . . . . . . . . . . . . 28 | |||
| 6. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 28 | 6. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 6.1. Structure of the MIB Module . . . . . . . . . . . . . . . 28 | 6.1. Structure of the MIB Module . . . . . . . . . . . . . . . 28 | |||
| 6.2. Textual Conventions . . . . . . . . . . . . . . . . . . . 28 | 6.2. Textual Conventions . . . . . . . . . . . . . . . . . . . 29 | |||
| 6.3. Statistical Counters . . . . . . . . . . . . . . . . . . . 28 | 6.3. Statistical Counters . . . . . . . . . . . . . . . . . . . 29 | |||
| 6.4. Configuration Tables . . . . . . . . . . . . . . . . . . . 28 | 6.4. Configuration Tables . . . . . . . . . . . . . . . . . . . 29 | |||
| 6.4.1. Notifications . . . . . . . . . . . . . . . . . . . . 29 | 6.4.1. Notifications . . . . . . . . . . . . . . . . . . . . 29 | |||
| 6.5. Relationship to Other MIB Modules . . . . . . . . . . . . 29 | 6.5. Relationship to Other MIB Modules . . . . . . . . . . . . 29 | |||
| 6.5.1. MIB Modules Required for IMPORTS . . . . . . . . . . . 29 | 6.5.1. MIB Modules Required for IMPORTS . . . . . . . . . . . 30 | |||
| 7. MIB Module Definition . . . . . . . . . . . . . . . . . . . . 29 | 7. MIB Module Definition . . . . . . . . . . . . . . . . . . . . 30 | |||
| 8. Operational Considerations . . . . . . . . . . . . . . . . . . 51 | 8. Operational Considerations . . . . . . . . . . . . . . . . . . 51 | |||
| 8.1. Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 51 | 8.1. Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 52 | |||
| 8.2. Notification Receiver Credential Selection . . . . . . . . 52 | 8.2. Notification Receiver Credential Selection . . . . . . . . 52 | |||
| 8.3. contextEngineID Discovery . . . . . . . . . . . . . . . . 52 | 8.3. contextEngineID Discovery . . . . . . . . . . . . . . . . 53 | |||
| 8.4. Transport Considerations . . . . . . . . . . . . . . . . . 52 | 8.4. Transport Considerations . . . . . . . . . . . . . . . . . 53 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 53 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 53 | |||
| 9.1. Certificates, Authentication, and Authorization . . . . . 53 | 9.1. Certificates, Authentication, and Authorization . . . . . 53 | |||
| 9.2. Use with SNMPv1/SNMPv2c Messages . . . . . . . . . . . . . 54 | 9.2. Use with SNMPv1/SNMPv2c Messages . . . . . . . . . . . . . 54 | |||
| 9.3. MIB Module Security . . . . . . . . . . . . . . . . . . . 54 | 9.3. MIB Module Security . . . . . . . . . . . . . . . . . . . 55 | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 56 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 56 | |||
| 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 57 | 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 57 | |||
| 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 58 | 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 58 | |||
| 12.1. Normative References . . . . . . . . . . . . . . . . . . . 58 | 12.1. Normative References . . . . . . . . . . . . . . . . . . . 58 | |||
| 12.2. Informative References . . . . . . . . . . . . . . . . . . 59 | 12.2. Informative References . . . . . . . . . . . . . . . . . . 59 | |||
| Appendix A. (D)TLS Overview . . . . . . . . . . . . . . . . . . . 60 | Appendix A. (D)TLS Overview . . . . . . . . . . . . . . . . . . . 60 | |||
| A.1. The (D)TLS Record Protocol . . . . . . . . . . . . . . . . 60 | A.1. The (D)TLS Record Protocol . . . . . . . . . . . . . . . . 60 | |||
| A.2. The (D)TLS Handshake Protocol . . . . . . . . . . . . . . 61 | A.2. The (D)TLS Handshake Protocol . . . . . . . . . . . . . . 61 | |||
| Appendix B. PKIX Certificate Infrastructure . . . . . . . . . . . 62 | Appendix B. PKIX Certificate Infrastructure . . . . . . . . . . . 62 | |||
| Appendix C. Target and Notification Configuration Example . . . . 63 | Appendix C. Target and Notification Configuration Example . . . . 63 | |||
| skipping to change at page 19, line 15 ¶ | skipping to change at page 19, line 15 ¶ | |||
| 4.4.1.1. tmSecurityName | 4.4.1.1. tmSecurityName | |||
| The tmSecurityName MUST be a human-readable name (in snmpAdminString | The tmSecurityName MUST be a human-readable name (in snmpAdminString | |||
| format) representing the identity that has been set according to the | format) representing the identity that has been set according to the | |||
| procedures in Section 5. The tmSecurityName MUST be constant for all | procedures in Section 5. The tmSecurityName MUST be constant for all | |||
| traffic passing through an TLSTM session. Messages MUST NOT be sent | traffic passing through an TLSTM session. Messages MUST NOT be sent | |||
| through an existing (D)TLS session that was established using a | through an existing (D)TLS session that was established using a | |||
| different tmSecurityName. | different tmSecurityName. | |||
| On the (D)TLS server side of a connection the tmSecurityName is | On the (D)TLS server side of a connection the tmSecurityName is | |||
| derived using the procedures described in Section 5.3 and the TLSTM- | derived using the procedures described in Section 5.3.2 and the | |||
| MIB's tlstmCertToTSNTable DESCRIPTION clause. | TLSTM-MIB's tlstmCertToTSNTable DESCRIPTION clause. | |||
| On the (D)TLS client side of a connection the tmSecurityName is | On the (D)TLS client side of a connection the tmSecurityName is | |||
| presented to the TLS Transport Model by the application (possibly | presented to the TLS Transport Model by the application (possibly | |||
| because of configuration specified in the SNMP-TARGET-MIB). | because of configuration specified in the SNMP-TARGET-MIB). | |||
| The securityName MAY be derived from the tmSecurityName by a Security | The securityName MAY be derived from the tmSecurityName by a Security | |||
| Model and MAY be used to configure notifications and access controls | Model and MAY be used to configure notifications and access controls | |||
| in MIB modules. Transport Models SHOULD generate a predictable | in MIB modules. Transport Models SHOULD generate a predictable | |||
| tmSecurityName so operators will know what to use when configuring | tmSecurityName so operators will know what to use when configuring | |||
| MIB modules that use securityNames derived from tmSecurityNames. | MIB modules that use securityNames derived from tmSecurityNames. | |||
| skipping to change at page 22, line 21 ¶ | skipping to change at page 22, line 21 ¶ | |||
| The procedures in this section describe how the TLS Transport Model | The procedures in this section describe how the TLS Transport Model | |||
| should process messages that have already been properly extracted | should process messages that have already been properly extracted | |||
| from the (D)TLS stream. Note that care must be taken when processing | from the (D)TLS stream. Note that care must be taken when processing | |||
| messages originating from either TLS or DTLS to ensure they're | messages originating from either TLS or DTLS to ensure they're | |||
| complete and single. For example, multiple SNMP messages can be | complete and single. For example, multiple SNMP messages can be | |||
| passed through a single DTLS message and partial SNMP messages may be | passed through a single DTLS message and partial SNMP messages may be | |||
| received from a TLS stream. These steps describe the processing of a | received from a TLS stream. These steps describe the processing of a | |||
| singular SNMP message after it has been delivered from the (D)TLS | singular SNMP message after it has been delivered from the (D)TLS | |||
| stream. | stream. | |||
| 1) Create a tmStateReference cache for the subsequent reference and | 1) Determine the tlstmSessionID for the incoming message. The | |||
| | tlstmSessionID MUST be a unique session identifier for this | |||
| | (D)TLS connection. The contents and format of this identifier | |||
| | are implementation-dependent as long as it is unique to the | |||
| | session. A session identifier MUST NOT be reused until all | |||
| | references to it are no longer in use. The tmSessionID is equal | |||
| | to the tlstmSessionID discussed in Section 5.1.1. tmSessionID | |||
| | refers to the session identifier when stored in the | |||
| | tmStateReference and tlstmSessionID refers to the session | |||
| | identifier when stored in the LCD. They MUST always be equal | |||
| | when processing a given session's traffic. | |||
| | If this is the first message received through this session and | |||
| | the session does not have an assigned tlstmSessionID yet then the | |||
| | snmpTlstmSessionAccepts counter is incremented and a | |||
| | tlstmSessionID for the session is created. This will only happen | |||
| | on the server side of a connection because a client would have | |||
| | already assigned a tlstmSessionID during the openSession() | |||
| | invocation. Implementations may have performed the procedures | |||
| | described in Section 5.3.2 prior to this point or they may | |||
| | perform them now, but the procedures described in Section 5.3.2 | |||
| | MUST be performed before continuing beyond this point. | |||
| | 2) Create a tmStateReference cache for the subsequent reference and | |||
| assign the following values within it: | assign the following values within it: | |||
| tmTransportDomain = snmpTLSTCPDomain, snmpDTLSUDPDomain or | tmTransportDomain = snmpTLSTCPDomain, snmpDTLSUDPDomain or | |||
| snmpDTLSSCTPDomain as appropriate. | snmpDTLSSCTPDomain as appropriate. | |||
| tmTransportAddress = The address the message originated from. | tmTransportAddress = The address the message originated from. | |||
| tmSecurityLevel = The derived tmSecurityLevel for the session, | tmSecurityLevel = The derived tmSecurityLevel for the session, | |||
| as discussed in Section 3.1.2 and Section 5.3. | as discussed in Section 3.1.2 and Section 5.3. | |||
| tmSecurityName = The derived tmSecurityName for the session as | tmSecurityName = The derived tmSecurityName for the session as | |||
| discussed in Section 5.3. This value MUST be constant during | discussed in Section 5.3. This value MUST be constant during | |||
| the lifetime of the (D)TLS session. | the lifetime of the (D)TLS session. | |||
| tmSessionID = The tlstmSessionID, which MUST be a unique session | tmSessionID = The tlstmSessionID described in step 1 above. | |||
| identifier for this (D)TLS connection. The contents and | ||||
| format of this identifier are implementation-dependent as long | ||||
| as it is unique to the session. A session identifier MUST NOT | ||||
| be reused until all references to it are no longer in use. | ||||
| The tmSessionID is equal to the tlstmSessionID discussed in | ||||
| Section 5.1.1. tmSessionID refers to the session identifier | ||||
| when stored in the tmStateReference and tlstmSessionID refers | ||||
| to the session identifier when stored in the LCD. They MUST | ||||
| always be equal when processing a given session's traffic. | ||||
| 2) The incomingMessage and incomingMessageLength are assigned values | 3) The incomingMessage and incomingMessageLength are assigned values | |||
| from the (D)TLS processing. | from the (D)TLS processing. | |||
| 3) The TLS Transport Model passes the transportDomain, | 4) The TLS Transport Model passes the transportDomain, | |||
| transportAddress, incomingMessage, and incomingMessageLength to | transportAddress, incomingMessage, and incomingMessageLength to | |||
| the Dispatcher using the receiveMessage ASI: | the Dispatcher using the receiveMessage ASI: | |||
| statusInformation = | statusInformation = | |||
| receiveMessage( | receiveMessage( | |||
| IN transportDomain -- snmpTLSTCPDomain, snmpDTLSUDPDomain, | IN transportDomain -- snmpTLSTCPDomain, snmpDTLSUDPDomain, | |||
| -- or snmpDTLSSCTPDomain | -- or snmpDTLSSCTPDomain | |||
| IN transportAddress -- address for the received message | IN transportAddress -- address for the received message | |||
| IN incomingMessage -- the whole SNMP message from (D)TLS | IN incomingMessage -- the whole SNMP message from (D)TLS | |||
| IN incomingMessageLength -- the length of the SNMP message | IN incomingMessageLength -- the length of the SNMP message | |||
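Review bot: In the new step 1 of Section 5.1.2 (right column), snmpTlstmSessionAccepts is incremented and a tlstmSessionID is created as soon as the first message arrives, while the Section 5.3.2 procedures (the client-certificate lookup through tlstmCertToTSNTable that Section 4.4.1.1 points to) are only required to complete "before continuing beyond this point". A server that completes a handshake and then rejects the client certificate therefore still counts as an accepted session. Either increment snmpTlstmSessionAccepts only after the 5.3.2 procedures succeed, or state in the counter's DESCRIPTION that it counts completed handshakes rather than authenticated sessions. Also, the sentence "The tmSessionID is equal to the tlstmSessionID discussed in Section 5.1.1" was carried over from the old tmSessionID bullet and now sits inside the step that itself defines tlstmSessionID; check that 5.1.1 is still the intended cross-reference.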
| skipping to change at page 24, line 9 ¶ | skipping to change at page 24, line 27 ¶ | |||
| 3) If tmSameSecurity is true and either tmSessionID is undefined or | 3) If tmSameSecurity is true and either tmSessionID is undefined or | |||
| refers to a session that is no longer open then increment the | refers to a session that is no longer open then increment the | |||
| snmpTlstmSessionNoSessions counter, discard the message and | snmpTlstmSessionNoSessions counter, discard the message and | |||
| return the error indication in the statusInformation. Processing | return the error indication in the statusInformation. Processing | |||
| of this message stops. | of this message stops. | |||
| 4) If tmSameSecurity is false and tmSessionID refers to a session | 4) If tmSameSecurity is false and tmSessionID refers to a session | |||
| that is no longer available then an implementation SHOULD open a | that is no longer available then an implementation SHOULD open a | |||
| new session using the openSession() ASI (described in greater | new session using the openSession() ASI (described in greater | |||
| detail in step 4b). Instead of opening a new session an | detail in step 5b). Instead of opening a new session an | |||
| implementation MAY return a snmpTlstmSessionNoSessions error to | implementation MAY return a snmpTlstmSessionNoSessions error to | |||
| the calling module and stop processing of the message. | the calling module and stop processing of the message. | |||
| 5) If tmSessionID is undefined, then use tmTransportDomain, | 5) If tmSessionID is undefined, then use tmTransportDomain, | |||
| tmTransportAddress, tmSecurityName and tmRequestedSecurityLevel | tmTransportAddress, tmSecurityName and tmRequestedSecurityLevel | |||
| to see if there is a corresponding entry in the LCD suitable to | to see if there is a corresponding entry in the LCD suitable to | |||
| send the message over. | send the message over. | |||
| 5a) If there is a corresponding LCD entry, then this session | 5a) If there is a corresponding LCD entry, then this session | |||
| will be used to send the message. | will be used to send the message. | |||
| 5b) If there is not a corresponding LCD entry, then open a | 5b) If there is not a corresponding LCD entry, then open a | |||
| session using the openSession() ASI (discussed further in | session using the openSession() ASI (discussed further in | |||
| Section 5.3). Implementations MAY wish to offer message | Section 5.3.1). Implementations MAY wish to offer message | |||
| buffering to prevent redundant openSession() calls for the | buffering to prevent redundant openSession() calls for the | |||
| same cache entry. If an error is returned from | same cache entry. If an error is returned from | |||
| openSession(), then discard the message, discard the | openSession(), then discard the message, discard the | |||
| tmStateReference, increment the snmpTlstmSessionOpenErrors, | tmStateReference, increment the snmpTlstmSessionOpenErrors, | |||
| return an error indication to the calling module and stop | return an error indication to the calling module and stop | |||
| processing of the message. | processing of the message. | |||
| 6) Using either the session indicated by the tmSessionID if there | 6) Using either the session indicated by the tmSessionID if there | |||
| was one or the session resulting from a previous step (4 or 5), | was one or the session resulting from a previous step (4 or 5), | |||
| pass the outgoingMessage to (D)TLS for encapsulation and | pass the outgoingMessage to (D)TLS for encapsulation and | |||
| transmission. | transmission. | |||
| 5.3. Establishing a Session | 5.3. Establishing or Accepting a Session | |||
| The TLS Transport Model provides the following primitive to establish | Establishing a (D)TLS session as either a client or a server requires | |||
| a new (D)TLS session: | slightly different processing. The following two sections describe | |||
| | the necessary processing steps. | |||
| | 5.3.1. Establishing a Session as a Client | |||
| | The TLS Transport Model provides the following primitive for use by a | |||
| | client to establish a new (D)TLS session: | |||
| statusInformation = -- errorIndication or success | statusInformation = -- errorIndication or success | |||
| openSession( | openSession( | |||
| IN tmStateReference -- transport information to be used | IN tmStateReference -- transport information to be used | |||
| OUT tmStateReference -- transport information to be used | OUT tmStateReference -- transport information to be used | |||
| IN maxMessageSize -- of the sending SNMP entity | IN maxMessageSize -- of the sending SNMP entity | |||
| ) | ) | |||
| The following describes the procedure to follow when establishing a | The following describes the procedure to follow when establishing a | |||
| SNMP over (D)TLS session between SNMP engines for exchanging SNMP | SNMP over (D)TLS session between SNMP engines for exchanging SNMP | |||
| messages. This process is followed by any SNMP engine establishing a | messages. This process is followed by any SNMP client's engine when | |||
| session for subsequent use. | establishing a session for subsequent use. | |||
| This MAY be done automatically for an SNMP application that initiates | This MAY be done automatically for an SNMP application that initiates | |||
| a transaction, such as a command generator, a notification | a transaction, such as a command generator, a notification | |||
| originator, or a proxy forwarder. | originator, or a proxy forwarder. | |||
| 1) The client selects the appropriate certificate and cipher_suites | 1) The snmpTlstmSessionOpens counter is incremented. | |||
| | 2) The client selects the appropriate certificate and cipher_suites | |||
| for the key agreement based on the tmSecurityName and the | for the key agreement based on the tmSecurityName and the | |||
| tmRequestedSecurityLevel for the session. For sessions being | tmRequestedSecurityLevel for the session. For sessions being | |||
| established as a result of a SNMP-TARGET-MIB based operation, the | established as a result of a SNMP-TARGET-MIB based operation, the | |||
| certificate will potentially have been identified via the | certificate will potentially have been identified via the | |||
| tlstmParamsTable mapping and the cipher_suites will have to be | tlstmParamsTable mapping and the cipher_suites will have to be | |||
| taken from system-wide or implementation-specific configuration. | taken from system-wide or implementation-specific configuration. | |||
| Otherwise, the certificate and appropriate cipher_suites will | Otherwise, the certificate and appropriate cipher_suites will | |||
| need to be passed to the openSession() ASI as supplemental | need to be passed to the openSession() ASI as supplemental | |||
| information or configured through an implementation-dependent | information or configured through an implementation-dependent | |||
| mechanism. It is also implementation-dependent and possibly | mechanism. It is also implementation-dependent and possibly | |||
| policy-dependent how tmRequestedSecurityLevel will be used to | policy-dependent how tmRequestedSecurityLevel will be used to | |||
| influence the security capabilities provided by the (D)TLS | influence the security capabilities provided by the (D)TLS | |||
| session. However this is done, the security capabilities | session. However this is done, the security capabilities | |||
| provided by (D)TLS MUST be at least as high as the level of | provided by (D)TLS MUST be at least as high as the level of | |||
| security indicated by the tmRequestedSecurityLevel parameter. | security indicated by the tmRequestedSecurityLevel parameter. | |||
| The actual security level of the session is reported in the | The actual security level of the session is reported in the | |||
| tmStateReference cache as tmSecurityLevel. For (D)TLS to provide | tmStateReference cache as tmSecurityLevel. For (D)TLS to provide | |||
| strong authentication, each principal acting as a command | strong authentication, each principal acting as a command | |||
| generator SHOULD have its own certificate. | generator SHOULD have its own certificate. | |||
| 2) Using the destTransportDomain and destTransportAddress values, | 3) Using the destTransportDomain and destTransportAddress values, | |||
| the client will initiate the (D)TLS handshake protocol to | the client will initiate the (D)TLS handshake protocol to | |||
| establish session keys for message integrity and encryption. | establish session keys for message integrity and encryption. | |||
| If the attempt to establish a session is unsuccessful, then | If the attempt to establish a session is unsuccessful, then | |||
| snmpTlstmSessionOpenErrors is incremented, an error indication is | snmpTlstmSessionOpenErrors is incremented, an error indication is | |||
| returned, and processing stops. If the session failed to open | returned, and processing stops. If the session failed to open | |||
| because the presented server certificate was unknown or invalid | because the presented server certificate was unknown or invalid | |||
| then the snmpTlstmSessionUnknownServerCertificate or | then the snmpTlstmSessionUnknownServerCertificate or | |||
| snmpTlstmSessionInvalidServerCertificates MUST be incremented and | snmpTlstmSessionInvalidServerCertificates MUST be incremented and | |||
| a tlstmServerCertificateUnknown or tlstmServerInvalidCertificate | a tlstmServerCertificateUnknown or tlstmServerInvalidCertificate | |||
| notification SHOULD be sent as appropriate. Reasons for server | notification SHOULD be sent as appropriate. Reasons for server | |||
| certificate invalidation includes, but is not limited to, | certificate invalidation includes, but is not limited to, | |||
| cryptographic validation failures and an unexpected presented | cryptographic validation failures and an unexpected presented | |||
| certificate identity. | certificate identity. | |||
| 3) Once a (D)TLS secured session is established and both sides have | 4) The (D)TLS client MUST then verify that the (D)TLS server's | |||
| verified the authenticity of the peer's certificate (e.g. | presented certificate is the expected certificate. The (D)TLS | |||
| [RFC5280]) then each side will determine and/or check the | client MUST NOT transmit SNMP messages until the server | |||
| identity of the remote entity using the procedures described | certificate has been authenticated and the client certificate has | |||
| below. | been transmitted. | |||
| a) The (D)TLS server side of the connection increments the | ||||
| snmpTlstmSessionServerOpens counter and identifies the | ||||
| authenticated identity from the (D)TLS client's principal | ||||
| certificate using configuration information from the | ||||
| tlstmCertToTSNTable mapping table. The (D)TLS server MUST | ||||
| request and expect a certificate from the client and MUST NOT | ||||
| accept SNMP messages over the (D)TLS session until the client | ||||
| has sent a certificate and it has been authenticated. The | ||||
| resulting derived tmSecurityName is recorded in the | ||||
| tmStateReference cache as tmSecurityName. The details of the | ||||
| lookup process are fully described in the DESCRIPTION clause | ||||
| of the tlstmCertToTSNTable MIB object. If any verification | ||||
| fails in any way (for example because of failures in | ||||
| cryptographic verification or because of the lack of an | ||||
| appropriate row in the tlstmCertToTSNTable) then the session | ||||
| establishment MUST fail, the | ||||
| snmpTlstmSessionInvalidClientCertificates object is | ||||
| incremented. If the session can not be opened for any reason | ||||
| at all, including cryptographic verification failures, then | ||||
| the snmpTlstmSessionClientOpenErrors counter is incremented | ||||
| and processing stops. | ||||
| b) The (D)TLS client side of the connection increments the | ||||
| snmpTlstmSessionClientOpens counter. The (D)TLS client side | ||||
| of the connection MUST then verify that the (D)TLS server's | ||||
| presented certificate is the expected certificate. The | ||||
| (D)TLS client MUST NOT transmit SNMP messages until the | ||||
| server certificate has been authenticated and the client | ||||
| certificate has been transmitted. | ||||
| If the connection is being established from configuration | If the connection is being established from configuration based | |||
| based on SNMP-TARGET-MIB configuration then the procedures in | on SNMP-TARGET-MIB configuration then the procedures in the | |||
| the tlstmAddrTable DESCRIPTION clause should be followed to | tlstmAddrTable DESCRIPTION clause should be followed to determine | |||
| determine if the presented identity matches the expectations | if the presented identity matches the expectations of the | |||
| of the configuration. Validation procedures (like the path | configuration. Validation procedures (like the path validation | |||
| validation procedures defined in [RFC5280] or through the use | procedures defined in [RFC5280] or through the use of | |||
| of fingerprints as defined by the tlstmAddrServerIdentity | fingerprints as defined by the tlstmAddrServerIdentity column) | |||
| column) MUST be followed. If a server identity name has been | MUST be followed. If a server identity name has been configured | |||
| configured in the tlstmAddrServerIdentity column then this | in the tlstmAddrServerIdentity column then this reference | |||
| reference identity must be compared against the presented | identity must be compared against the presented identity (for | |||
| identity (for example using procedures described in | example using procedures described in | |||
| [I-D.saintandre-tls-server-id-check]). | [I-D.saintandre-tls-server-id-check]). | |||
| If the connection is being established for other reasons then | If the connection is being established for reasons other than | |||
| configuration and procedures outside the scope of this | configuration found in the SNMP-TARGET-MIB then configuration and | |||
| document should be followed. | procedures outside the scope of this document should be followed. | |||
| (D)TLS provides assurance that the authenticated identity has | 5) (D)TLS provides assurance that the authenticated identity has | |||
| been signed by a trusted configured certificate authority. | been signed by a trusted configured certificate authority. If | |||
| If verification of the server's certificate fails in any way | verification of the server's certificate fails in any way (for | |||
| (for example because of failures in cryptographic | example because of failures in cryptographic verification or the | |||
| verification or the presented identity did not match the | presented identity did not match the expected named entity) then | |||
| expected named entity) then the session establishment MUST | the session establishment MUST fail, the | |||
| fail, the snmpTlstmSessionInvalidServerCertificates object is | snmpTlstmSessionInvalidServerCertificates object is incremented. | |||
| incremented. If the session can not be opened for any reason | If the session can not be opened for any reason at all, including | |||
| at all, including cryptographic verification failures, then | cryptographic verification failures, then the | |||
| the snmpTlstmSessionClientOpenErrors counter is incremented | snmpTlstmSessionOpenErrors counter is incremented and processing | |||
| and processing stops. | stops. | |||
| 4) The TLSTM-specific session identifier (tlstmSessionID) is set in | 6) The TLSTM-specific session identifier (tlstmSessionID) is set in | |||
| the tmSessionID of the tmStateReference passed to the TLS | the tmSessionID of the tmStateReference passed to the TLS | |||
| Transport Model to indicate that the session has been established | Transport Model to indicate that the session has been established | |||
| successfully and to point to a specific (D)TLS session for future | successfully and to point to a specific (D)TLS session for future | |||
| use. The tlstmSessionID is also stored in the LCD for later | use. The tlstmSessionID is also stored in the LCD for later | |||
| lookup during processing of incoming messages (Section 5.1.2). | lookup during processing of incoming messages (Section 5.1.2). | |||
| 5.3.2. Accepting a Session as a Server | ||||
| A (D)TLS server should accept new session connections from any client | ||||
| that it is able to verify the client's credentials for. This is done | ||||
| by authenticating the client's presented certificate through a | ||||
| certificate path validation process (e.g. [RFC5280]) or through | ||||
| certificate fingerprint verification using fingerprints configure in | ||||
| the tlstmCertToTSNTable. Afterward the server will determine the | ||||
| identity of the remote entity using the following procedures. | ||||
| The (D)TLS server identifies the authenticated identity from the | ||||
| (D)TLS client's principal certificate using configuration information | ||||
| from the tlstmCertToTSNTable mapping table. The (D)TLS server MUST | ||||
| request and expect a certificate from the client and MUST NOT accept | ||||
| SNMP messages over the (D)TLS session until the client has sent a | ||||
| certificate and it has been authenticated. The resulting derived | ||||
| tmSecurityName is recorded in the tmStateReference cache as | ||||
| tmSecurityName. The details of the lookup process are fully | ||||
| described in the DESCRIPTION clause of the tlstmCertToTSNTable MIB | ||||
| object. If any verification fails in any way (for example because of | ||||
| failures in cryptographic verification or because of the lack of an | ||||
| appropriate row in the tlstmCertToTSNTable) then the session | ||||
| establishment MUST fail, the | ||||
| snmpTlstmSessionInvalidClientCertificates object is incremented. If | ||||
| the session can not be opened for any reason at all, including | ||||
| cryptographic verification failures, then the | ||||
| snmpTlstmSessionOpenErrors counter is incremented and processing | ||||
| stops. | ||||
| Servers that wish to support multiple principals at a particular port | Servers that wish to support multiple principals at a particular port | |||
| SHOULD make use of a (D)TLS extension that allows server-side | SHOULD make use of a (D)TLS extension that allows server-side | |||
| principal selection like the Server Name Indication extension defined | principal selection like the Server Name Indication extension defined | |||
| in Section 3.1 of [RFC4366]. Supporting this will allow, for | in Section 3.1 of [RFC4366]. Supporting this will allow, for | |||
| example, sending notifications to a specific principal at a given | example, sending notifications to a specific principal at a given | |||
| TCP, UDP or SCTP port. | TCP, UDP or SCTP port. | |||
| 5.4. Closing a Session | 5.4. Closing a Session | |||
| The TLS Transport Model provides the following primitive to close a | The TLS Transport Model provides the following primitive to close a | |||
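Review bot: the failure sentences in the new step 5 and in 5.3.2 are comma splices that leave the counter increment without a requirement level: "the session establishment MUST fail, the snmpTlstmSessionInvalidServerCertificates object is incremented." Suggest "MUST fail and the snmpTlstmSessionInvalidServerCertificates counter MUST be incremented", and state explicitly that a certificate-validation failure also increments snmpTlstmSessionOpenErrors (the following sentence makes both apply), so implementers do not read the two counters as either/or; the same applies to the server-side text in 5.3.2 with snmpTlstmSessionInvalidClientCertificates. Related: 5.3.2 has the server increment snmpTlstmSessionOpenErrors, but that object's DESCRIPTION in the MIB says "failed to open a session as a (D)TLS client", so either widen the DESCRIPTION to cover both roles or keep a server-side error counter. Minor: "this reference identity must be compared" uses lowercase "must" immediately after an uppercase MUST; "fingerprints configure in the tlstmCertToTSNTable" should read "configured in"; "from any client that it is able to verify the client's credentials for" reads better as "from any client whose credentials it can verify".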
| skipping to change at page 30, line 4 ¶ | skipping to change at page 30, line 30 ¶ | |||
| OBJECT-IDENTITY, snmpModules, snmpDomains, | OBJECT-IDENTITY, snmpModules, snmpDomains, | |||
| Counter32, Unsigned32, NOTIFICATION-TYPE | Counter32, Unsigned32, NOTIFICATION-TYPE | |||
| FROM SNMPv2-SMI | FROM SNMPv2-SMI | |||
| TEXTUAL-CONVENTION, TimeStamp, RowStatus, StorageType, | TEXTUAL-CONVENTION, TimeStamp, RowStatus, StorageType, | |||
| AutonomousType | AutonomousType | |||
| FROM SNMPv2-TC | FROM SNMPv2-TC | |||
| MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP | MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP | |||
| FROM SNMPv2-CONF | FROM SNMPv2-CONF | |||
| SnmpAdminString | SnmpAdminString | |||
| FROM SNMP-FRAMEWORK-MIB | FROM SNMP-FRAMEWORK-MIB | |||
| snmpTargetParamsName, snmpTargetAddrName | snmpTargetParamsName, snmpTargetAddrName | |||
| FROM SNMP-TARGET-MIB | FROM SNMP-TARGET-MIB | |||
| ; | ; | |||
| tlstmMIB MODULE-IDENTITY | tlstmMIB MODULE-IDENTITY | |||
| LAST-UPDATED "201001270000Z" | LAST-UPDATED "201002020000Z" | |||
| ORGANIZATION "ISMS Working Group" | ORGANIZATION "ISMS Working Group" | |||
| CONTACT-INFO "WG-EMail: isms@lists.ietf.org | CONTACT-INFO "WG-EMail: isms@lists.ietf.org | |||
| Subscribe: isms-request@lists.ietf.org | Subscribe: isms-request@lists.ietf.org | |||
| Chairs: | Chairs: | |||
| Juergen Schoenwaelder | Juergen Schoenwaelder | |||
| Jacobs University Bremen | Jacobs University Bremen | |||
| Campus Ring 1 | Campus Ring 1 | |||
| 28725 Bremen | 28725 Bremen | |||
| Germany | Germany | |||
| skipping to change at page 31, line 9 ¶ | skipping to change at page 31, line 37 ¶ | |||
| set forth in Section 4.c of the IETF Trust's Legal Provisions | set forth in Section 4.c of the IETF Trust's Legal Provisions | |||
| Relating to IETF Documents | Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this MIB module is part of RFC XXXX; | This version of this MIB module is part of RFC XXXX; | |||
| see the RFC itself for full legal notices." | see the RFC itself for full legal notices." | |||
| -- NOTE to RFC editor: replace XXXX with actual RFC number | -- NOTE to RFC editor: replace XXXX with actual RFC number | |||
| -- for this document and remove this note | -- for this document and remove this note | |||
| REVISION "201001270000Z" | REVISION "201002020000Z" | |||
| DESCRIPTION "The initial version, published in RFC XXXX." | DESCRIPTION "The initial version, published in RFC XXXX." | |||
| -- NOTE to RFC editor: replace XXXX with actual RFC number | -- NOTE to RFC editor: replace XXXX with actual RFC number | |||
| -- for this document and remove this note | -- for this document and remove this note | |||
| ::= { snmpModules xxxx } | ::= { snmpModules xxxx } | |||
| -- RFC Ed.: replace xxxx with IANA-assigned number and | -- RFC Ed.: replace xxxx with IANA-assigned number and | |||
| -- remove this note | -- remove this note | |||
| -- ************************************************ | -- ************************************************ | |||
| -- subtrees of the TLSTM-MIB | -- subtrees of the TLSTM-MIB | |||
| skipping to change at page 36, line 16 ¶ | skipping to change at page 36, line 45 ¶ | |||
| STATUS current | STATUS current | |||
| DESCRIPTION "Maps a certificate's CommonName to a | DESCRIPTION "Maps a certificate's CommonName to a | |||
| tmSecurityName by directly passing the value without | tmSecurityName by directly passing the value without | |||
| any transformations." | any transformations." | |||
| ::= { tlstmCertToTSNMIdentities 6 } | ::= { tlstmCertToTSNMIdentities 6 } | |||
| -- The snmpTlstmSession Group | -- The snmpTlstmSession Group | |||
| snmpTlstmSession OBJECT IDENTIFIER ::= { tlstmObjects 1 } | snmpTlstmSession OBJECT IDENTIFIER ::= { tlstmObjects 1 } | |||
| snmpTlstmSessionClientOpens OBJECT-TYPE | snmpTlstmSessionOpens OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times an openSession() request has been | "The number of times an openSession() request has been executed | |||
| executed as an (D)TLS client, whether it succeeded or failed." | as an (D)TLS client, regardless of whether it succeeded or | |||
| failed." | ||||
| ::= { snmpTlstmSession 1 } | ::= { snmpTlstmSession 1 } | |||
| snmpTlstmSessionClientCloses OBJECT-TYPE | snmpTlstmSessionClientCloses OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times a closeSession() request has been | "The number of times a closeSession() request has been | |||
| executed as an (D)TLS client, whether it succeeded or failed." | executed as an (D)TLS client, regardless of whether it | |||
| succeeded or failed." | ||||
| ::= { snmpTlstmSession 2 } | ::= { snmpTlstmSession 2 } | |||
| snmpTlstmSessionClientOpenErrors OBJECT-TYPE | snmpTlstmSessionOpenErrors OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times an openSession() request failed to open a | "The number of times an openSession() request failed to open a | |||
| session as a (D)TLS client, for any reason." | session as a (D)TLS client, for any reason." | |||
| ::= { snmpTlstmSession 3 } | ::= { snmpTlstmSession 3 } | |||
| snmpTlstmSessionServerOpens OBJECT-TYPE | snmpTlstmSessionAccepts OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times an openSession request has been | "The number of times a server has accepted a (D)TLS session and | |||
| executed as an (D)TLS server, whether it succeeded or failed." | at least one SNMP message has been accepted through it." | |||
| ::= { snmpTlstmSession 4 } | ::= { snmpTlstmSession 4 } | |||
| snmpTlstmSessionServerCloses OBJECT-TYPE | snmpTlstmSessionServerCloses OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times a closeSession() request has been | "The number of times a closeSession() request has been | |||
| executed as an (D)TLS server, whether it succeeded or failed." | executed as an (D)TLS server, regardless of whether it | |||
| succeeded or failed." | ||||
| ::= { snmpTlstmSession 5 } | ::= { snmpTlstmSession 5 } | |||
| snmpTlstmSessionServerOpenErrors OBJECT-TYPE | ||||
| SYNTAX Counter32 | ||||
| MAX-ACCESS read-only | ||||
| STATUS current | ||||
| DESCRIPTION | ||||
| "The number of times an openSession() request failed to open a | ||||
| session as a (D)TLS server for any reason." | ||||
| ::= { snmpTlstmSession 6 } | ||||
| snmpTlstmSessionNoSessions OBJECT-TYPE | snmpTlstmSessionNoSessions OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times an outgoing message was dropped because | "The number of times an outgoing message was dropped because | |||
| the session associated with the passed tmStateReference was no | the session associated with the passed tmStateReference was no | |||
| longer (or was never) available." | longer (or was never) available." | |||
| ::= { snmpTlstmSession 7 } | ::= { snmpTlstmSession 6 } | |||
| snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE | snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times an incoming session was not established | "The number of times an incoming session was not established | |||
| on an (D)TLS server because the presented client certificate was | on an (D)TLS server because the presented client certificate was | |||
| invalid. Reasons for invalidation include, but are not | invalid. Reasons for invalidation include, but are not | |||
| limited to, cryptographic validation failures or lack of a | limited to, cryptographic validation failures or lack of a | |||
| suitable mapping row in the tlstmCertToTSNTable." | suitable mapping row in the tlstmCertToTSNTable." | |||
| ::= { snmpTlstmSession 8 } | ::= { snmpTlstmSession 7 } | |||
| snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE | snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times an outgoing session was not established | "The number of times an outgoing session was not established | |||
| on an (D)TLS client because the server certificate presented | on an (D)TLS client because the server certificate presented | |||
| by a SNMP over (D)TLS server was invalid because no | by a SNMP over (D)TLS server was invalid because no | |||
| configured fingerprint or CA was acceptable to validate it. | configured fingerprint or CA was acceptable to validate it. | |||
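Review bot: the rename drops "Client" from snmpTlstmSessionOpens and snmpTlstmSessionOpenErrors while snmpTlstmSessionClientCloses and snmpTlstmSessionServerCloses keep the role in their names, yet both renamed DESCRIPTION clauses still say "as an (D)TLS client"; with snmpTlstmSessionServerOpenErrors removed, a server-side accept failure that is not a certificate problem has nowhere to be counted. Suggest either keeping the Client prefix for symmetry with the Closes counters, or changing the DESCRIPTION to cover both roles, e.g. "failed to open or accept a session, as a (D)TLS client or server, for any reason". The new snmpTlstmSessionAccepts semantics ("accepted a (D)TLS session and at least one SNMP message has been accepted through it") is a real change from counting openSession attempts and matches the 5.3.2 rule that no SNMP message is accepted before the client certificate is authenticated; the DESCRIPTION should say the counter is incremented once per session rather than per message, since "at least one SNMP message" can be read either way. Style: "an (D)TLS" should be "a (D)TLS" throughout, as snmpTlstmSessionOpenErrors already has it.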
| skipping to change at page 38, line 4 ¶ | skipping to change at page 38, line 28 ¶ | |||
| snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE | snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times an outgoing session was not established | "The number of times an outgoing session was not established | |||
| on an (D)TLS client because the server certificate presented | on an (D)TLS client because the server certificate presented | |||
| by a SNMP over (D)TLS server was invalid because no | by a SNMP over (D)TLS server was invalid because no | |||
| configured fingerprint or CA was acceptable to validate it. | configured fingerprint or CA was acceptable to validate it. | |||
| This may result because there was no entry in the | This may result because there was no entry in the | |||
| tlstmAddrTable or because no path could be found to a known | tlstmAddrTable or because no path could be found to a known | |||
| certificate authority." | certificate authority." | |||
| ::= { snmpTlstmSession 9 } | ::= { snmpTlstmSession 8 } | |||
| snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE | snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of times an outgoing session was not established | "The number of times an outgoing session was not established | |||
| on an (D)TLS client because the server certificate presented | on an (D)TLS client because the server certificate presented | |||
| by an SNMP over (D)TLS server could not be validated even if | by an SNMP over (D)TLS server could not be validated even if | |||
| the fingerprint or expected validation path was known. I.E., | the fingerprint or expected validation path was known. I.E., | |||
| a cryptographic validation error occurred during certificate | a cryptographic validation error occurred during certificate | |||
| validation processing. | validation processing. | |||
| Reasons for invalidation include, but are not | Reasons for invalidation include, but are not | |||
| limited to, cryptographic validation failures." | limited to, cryptographic validation failures." | |||
| ::= { snmpTlstmSession 10 } | ::= { snmpTlstmSession 9 } | |||
| snmpTlstmSessionInvalidCaches OBJECT-TYPE | snmpTlstmSessionInvalidCaches OBJECT-TYPE | |||
| SYNTAX Counter32 | SYNTAX Counter32 | |||
| MAX-ACCESS read-only | MAX-ACCESS read-only | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "The number of outgoing messages dropped because the | "The number of outgoing messages dropped because the | |||
| tmStateReference referred to an invalid cache." | tmStateReference referred to an invalid cache." | |||
| ::= { snmpTlstmSession 11 } | ::= { snmpTlstmSession 10 } | |||
| -- Configuration Objects | -- Configuration Objects | |||
| tlstmConfig OBJECT IDENTIFIER ::= { tlstmObjects 2 } | tlstmConfig OBJECT IDENTIFIER ::= { tlstmObjects 2 } | |||
| -- Certificate mapping | -- Certificate mapping | |||
| tlstmCertificateMapping OBJECT IDENTIFIER ::= { tlstmConfig 1 } | tlstmCertificateMapping OBJECT IDENTIFIER ::= { tlstmConfig 1 } | |||
| tlstmCertToTSNCount OBJECT-TYPE | tlstmCertToTSNCount OBJECT-TYPE | |||
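Review bot: removing snmpTlstmSessionServerOpenErrors and renumbering reassigns { snmpTlstmSession 6 } to snmpTlstmSessionNoSessions and shifts every later counter down by one (7 through 10). That is acceptable before the module is published, but any implementation built against -07 will now report a different counter under those arcs; an alternative that avoids the shift is to leave arc 6 unassigned and keep the -07 numbers for the remaining objects. The tlstmStatsGroup OBJECTS list does track the rename and the removal, so the compliance side is consistent. Style: "I.E.," in snmpTlstmSessionInvalidServerCertificates should be "i.e.,", and its closing sentence "Reasons for invalidation include, but are not limited to, cryptographic validation failures." restates the sentence before it; one of the two can go.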
| skipping to change at page 50, line 5 ¶ | skipping to change at page 50, line 25 ¶ | |||
| tlstmIncomingGroup, | tlstmIncomingGroup, | |||
| tlstmOutgoingGroup, | tlstmOutgoingGroup, | |||
| tlstmNotificationGroup } | tlstmNotificationGroup } | |||
| ::= { tlstmCompliances 1 } | ::= { tlstmCompliances 1 } | |||
| -- ************************************************ | -- ************************************************ | |||
| -- Units of conformance | -- Units of conformance | |||
| -- ************************************************ | -- ************************************************ | |||
| tlstmStatsGroup OBJECT-GROUP | tlstmStatsGroup OBJECT-GROUP | |||
| OBJECTS { | OBJECTS { | |||
| snmpTlstmSessionClientOpens, | snmpTlstmSessionOpens, | |||
| snmpTlstmSessionClientCloses, | snmpTlstmSessionClientCloses, | |||
| snmpTlstmSessionClientOpenErrors, | snmpTlstmSessionOpenErrors, | |||
| snmpTlstmSessionServerOpens, | snmpTlstmSessionAccepts, | |||
| snmpTlstmSessionServerCloses, | snmpTlstmSessionServerCloses, | |||
| snmpTlstmSessionServerOpenErrors, | ||||
| snmpTlstmSessionNoSessions, | snmpTlstmSessionNoSessions, | |||
| snmpTlstmSessionInvalidClientCertificates, | snmpTlstmSessionInvalidClientCertificates, | |||
| snmpTlstmSessionUnknownServerCertificate, | snmpTlstmSessionUnknownServerCertificate, | |||
| snmpTlstmSessionInvalidServerCertificates, | snmpTlstmSessionInvalidServerCertificates, | |||
| snmpTlstmSessionInvalidCaches | snmpTlstmSessionInvalidCaches | |||
| } | } | |||
| STATUS current | STATUS current | |||
| DESCRIPTION | DESCRIPTION | |||
| "A collection of objects for maintaining | "A collection of objects for maintaining | |||
| statistical information of an SNMP engine which | statistical information of an SNMP engine which | |||