< draft-ietf-isms-dtls-tm-09.txt   draft-ietf-isms-dtls-tm-10.txt >
ISMS W. Hardaker ISMS W. Hardaker
Internet-Draft Sparta, Inc. Internet-Draft Sparta, Inc.
Intended status: Standards Track March 6, 2010 Intended status: Standards Track April 14, 2010
Expires: September 7, 2010 Expires: October 16, 2010
Transport Layer Security (TLS) Transport Model for SNMP Transport Layer Security (TLS) Transport Model for SNMP
draft-ietf-isms-dtls-tm-09.txt draft-ietf-isms-dtls-tm-10.txt
Abstract Abstract
This document describes a Transport Model for the Simple Network This document describes a Transport Model for the Simple Network
Management Protocol (SNMP), that uses either the Transport Layer Management Protocol (SNMP), that uses either the Transport Layer
Security protocol or the Datagram Transport Layer Security (DTLS) Security protocol or the Datagram Transport Layer Security (DTLS)
protocol. The TLS and DTLS protocols provide authentication and protocol. The TLS and DTLS protocols provide authentication and
privacy services for SNMP applications. This document describes how privacy services for SNMP applications. This document describes how
the TLS Transport Model (TLSTM) implements the needed features of a the TLS Transport Model (TLSTM) implements the needed features of a
SNMP Transport Subsystem to make this protection possible in an SNMP Transport Subsystem to make this protection possible in an
skipping to change at page 2, line 9 skipping to change at page 2, line 9
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 7, 2010. This Internet-Draft will expire on October 16, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 8 skipping to change at page 4, line 8
8. Operational Considerations . . . . . . . . . . . . . . . . . . 52 8. Operational Considerations . . . . . . . . . . . . . . . . . . 52
8.1. Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 52 8.1. Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 52
8.2. Notification Receiver Credential Selection . . . . . . . . 53 8.2. Notification Receiver Credential Selection . . . . . . . . 53
8.3. contextEngineID Discovery . . . . . . . . . . . . . . . . 53 8.3. contextEngineID Discovery . . . . . . . . . . . . . . . . 53
8.4. Transport Considerations . . . . . . . . . . . . . . . . . 54 8.4. Transport Considerations . . . . . . . . . . . . . . . . . 54
9. Security Considerations . . . . . . . . . . . . . . . . . . . 54 9. Security Considerations . . . . . . . . . . . . . . . . . . . 54
9.1. Certificates, Authentication, and Authorization . . . . . 54 9.1. Certificates, Authentication, and Authorization . . . . . 54
9.2. Use with SNMPv1/SNMPv2c Messages . . . . . . . . . . . . . 55 9.2. Use with SNMPv1/SNMPv2c Messages . . . . . . . . . . . . . 55
9.3. MIB Module Security . . . . . . . . . . . . . . . . . . . 55 9.3. MIB Module Security . . . . . . . . . . . . . . . . . . . 55
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 57 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 57
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 57 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 58
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 58 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 58
12.1. Normative References . . . . . . . . . . . . . . . . . . . 58 12.1. Normative References . . . . . . . . . . . . . . . . . . . 58
12.2. Informative References . . . . . . . . . . . . . . . . . . 59 12.2. Informative References . . . . . . . . . . . . . . . . . . 59
Appendix A. Target and Notification Configuration Example . . . . 60 Appendix A. Target and Notification Configuration Example . . . . 60
A.1. Configuring the Notification Originator . . . . . . . . . 60 A.1. Configuring the Notification Originator . . . . . . . . . 61
A.2. Configuring the Command Responder . . . . . . . . . . . . 62 A.2. Configuring the Command Responder . . . . . . . . . . . . 62
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 63 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 63
1. Introduction 1. Introduction
It is important to understand the modular SNMPv3 architecture as It is important to understand the modular SNMPv3 architecture as
defined by [RFC3411] and enhanced by the Transport Subsystem defined by [RFC3411] and enhanced by the Transport Subsystem
[RFC5590]. It is also important to understand the terminology of the [RFC5590]. It is also important to understand the terminology of the
SNMPv3 architecture in order to understand where the Transport Model SNMPv3 architecture in order to understand where the Transport Model
described in this document fits into the architecture and how it described in this document fits into the architecture and how it
skipping to change at page 5, line 48 skipping to change at page 5, line 48
Managed objects are accessed via a virtual information store, termed Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP). accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58: module that is compliant to the SMIv2, which is described in STD 58:
[RFC2578], [RFC2579] and [RFC2580]. [RFC2578], [RFC2579] and [RFC2580].
The diagram shown below gives a conceptual overview of two SNMP The diagram shown below gives a conceptual overview of two SNMP
entities communicating using the TLS Transport Model. One entity entities communicating using the TLS Transport Model (shown as "TLS
contains a command responder and notification originator application, TM"). One entity contains a command responder and notification
and the other a command generator and notification responder originator application, and the other a command generator and
application. It should be understood that this particular mix of notification responder application. It should be understood that
application types is an example only and other combinations are this particular mix of application types is an example only and other
equally valid. Note: this diagram shows the Transport Security Model combinations are equally valid. Note: this diagram shows the
(TSM) being used as the security model which is defined in [RFC5591]. Transport Security Model (TSM) being used as the security model which
is defined in [RFC5591].
+---------------------------------------------------------------------+ +---------------------------------------------------------------------+
| Network | | Network |
+---------------------------------------------------------------------+ +---------------------------------------------------------------------+
^ | ^ | ^ | ^ |
|Notifications |Commands |Commands |Notifications |Notifications |Commands |Commands |Notifications
+---|---------------------|-------+ +--|---------------|--------------+ +---|---------------------|-------+ +--|---------------|--------------+
| | V | | | V | | | V | | | V |
| +------------+ +------------+ | | +-----------+ +----------+ | | +------------+ +------------+ | | +-----------+ +----------+ |
| | (D)TLS | | (D)TLS | | | | (D)TLS | | (D)TLS | | | | (D)TLS | | (D)TLS | | | | (D)TLS | | (D)TLS | |
skipping to change at page 10, line 9 skipping to change at page 10, line 9
conceptually be sent through the session from one SNMP message conceptually be sent through the session from one SNMP message
Dispatcher to another SNMP Message Dispatcher. If multiple SNMP Dispatcher to another SNMP Message Dispatcher. If multiple SNMP
messages are needed to be passed between two SNMP applications they messages are needed to be passed between two SNMP applications they
MAY be passed through the same session. A TLSTM implementation MAY be passed through the same session. A TLSTM implementation
engine MAY choose to close the session to conserve resources. engine MAY choose to close the session to conserve resources.
The TLS Transport Model of an SNMP engine will perform the The TLS Transport Model of an SNMP engine will perform the
translation between (D)TLS-specific security parameters and SNMP- translation between (D)TLS-specific security parameters and SNMP-
specific, model-independent parameters. specific, model-independent parameters.
The diagram below depicts where the TLS Transport Model fits into the The diagram below depicts where the TLS Transport Model (shown as
architecture described in RFC3411 and the Transport Subsystem: "(D)TLS TM") fits into the architecture described in RFC3411 and the
Transport Subsystem:
+------------------------------+ +------------------------------+
| Network | | Network |
+------------------------------+ +------------------------------+
^ ^ ^ ^ ^ ^
| | | | | |
v v v v v v
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| +--------------------------------------------------+ | | +--------------------------------------------------+ |
| | Transport Subsystem | +--------+ | | | Transport Subsystem | +--------+ |
skipping to change at page 12, line 16 skipping to change at page 12, line 16
sequence number. Since UDP provides no sequencing ability, DTLS sequence number. Since UDP provides no sequencing ability, DTLS
uses a sliding window protocol with the sequence number used for uses a sliding window protocol with the sequence number used for
replay protection (see [RFC4347]). replay protection (see [RFC4347]).
4. Disclosure - The disclosure threat is the danger of eavesdropping 4. Disclosure - The disclosure threat is the danger of eavesdropping
on the exchanges between SNMP engines. on the exchanges between SNMP engines.
(D)TLS provides protection against the disclosure of information (D)TLS provides protection against the disclosure of information
to unauthorized recipients or eavesdroppers by allowing for to unauthorized recipients or eavesdroppers by allowing for
encryption of all traffic between SNMP engines. A TLS Transport encryption of all traffic between SNMP engines. A TLS Transport
Model implementation SHOULD support the message encryption to Model implementation SHOULD support message encryption to protect
protect sensitive data from eavesdropping attacks. sensitive data from eavesdropping attacks.
5. Denial of Service - the RFC 3411 architecture [RFC3411] states 5. Denial of Service - the RFC 3411 architecture [RFC3411] states
that denial of service (DoS) attacks need not be addressed by an that denial of service (DoS) attacks need not be addressed by an
SNMP security protocol. However, connectionless transports (like SNMP security protocol. However, connectionless transports (like
DTLS over UDP) are susceptible to a variety of denial of service DTLS over UDP) are susceptible to a variety of denial of service
attacks because they are more vulnerable to spoofed IP addresses. attacks because they are more vulnerable to spoofed IP addresses.
See Section 4.2 for details how the cookie mechanism is used. See Section 4.2 for details how the cookie mechanism is used.
Note, however, that this mechanism does not provide any defense Note, however, that this mechanism does not provide any defense
against denial of service attacks mounted from valid IP against denial of service attacks mounted from valid IP
addresses. addresses.
skipping to change at page 15, line 12 skipping to change at page 15, line 12
module that extends the SNMP-TARGET-MIB's snmpTargetParamsTable to module that extends the SNMP-TARGET-MIB's snmpTargetParamsTable to
specify a (D)TLS client-side certificate to use for the connection. specify a (D)TLS client-side certificate to use for the connection.
When configuring a (D)TLS target, the snmpTargetAddrTDomain and When configuring a (D)TLS target, the snmpTargetAddrTDomain and
snmpTargetAddrTAddress parameters in snmpTargetAddrTable should be snmpTargetAddrTAddress parameters in snmpTargetAddrTable should be
set to the snmpTLSTCPDomain or snmpDTLSUDPDomain object and an set to the snmpTLSTCPDomain or snmpDTLSUDPDomain object and an
appropriate snmpTLSAddress value. When used with the SNMPv3 message appropriate snmpTLSAddress value. When used with the SNMPv3 message
processing model, the snmpTargetParamsMPModel column of the processing model, the snmpTargetParamsMPModel column of the
snmpTargetParamsTable should be set to a value of 3. The snmpTargetParamsTable should be set to a value of 3. The
snmpTargetParamsSecurityName should be set to an appropriate snmpTargetParamsSecurityName should be set to an appropriate
securityName value and the tlstmParamsClientFingerprint parameter of securityName value and the snmpTlstmParamsClientFingerprint parameter
the tlstmParamsTable should be set a value that refers to a locally of the snmpTlstmParamsTable should be set a value that refers to a
held certificate (and the corresponding private key) to be used. locally held certificate (and the corresponding private key) to be
Other parameters, for example cryptographic configuration such as used. Other parameters, for example cryptographic configuration such
which cipher suites to use, must come from configuration mechanisms as which cipher suites to use, must come from configuration
not defined in this document. mechanisms not defined in this document.
The securityName defined in the snmpTargetParamsSecurityName column The securityName defined in the snmpTargetParamsSecurityName column
will be used by the access control model to authorize any will be used by the access control model to authorize any
notifications that need to be sent. notifications that need to be sent.
4. Elements of the Model 4. Elements of the Model
This section contains definitions required to realize the (D)TLS This section contains definitions required to realize the (D)TLS
Transport Model defined by this document. Transport Model defined by this document.
4.1. X.509 Certificates 4.1. X.509 Certificates
(D)TLS can make use of X.509 certificates for authentication of both (D)TLS can make use of X.509 certificates for authentication of both
sides of the transport. This section discusses the use of X.509 sides of the transport. This section discusses the use of X.509
certificates in the TLSTM. certificates in the TLSTM.
While (D)TLS supports multiple authentication mechanisms, this While (D)TLS supports multiple authentication mechanisms, this
document only discusses X.509 certificate based authentication; Other document only discusses X.509 certificate based authentication; other
forms of authentication are are outside the scope of this forms of authentication are are outside the scope of this
specification. TLSTM implementations are REQUIRED to support X.509 specification. TLSTM implementations are REQUIRED to support X.509
certificates. certificates.
4.1.1. Provisioning for the Certificate 4.1.1. Provisioning for the Certificate
Authentication using (D)TLS will require that SNMP entities have Authentication using (D)TLS will require that SNMP entities have
certificates, either signed by trusted certification authorities, or certificates, either signed by trusted certification authorities, or
self-signed. Furthermore, SNMP entities will most commonly need to self-signed. Furthermore, SNMP entities will most commonly need to
be provisioned with root certificates which represent the list of be provisioned with root certificates which represent the list of
trusted certificate authorities that an SNMP entity can use for trusted certificate authorities that an SNMP entity can use for
certificate verification. SNMP entities SHOULD also be provisioned certificate verification. SNMP entities SHOULD also be provisioned
with a X.509 certificate revocation mechanism which can be used to with a X.509 certificate revocation mechanism which can be used to
verify that a certificate has not been revoked. Trusted public keys verify that a certificate has not been revoked. Trusted public keys
from either CA certificates and/or self-signed certificates, MUST be from either CA certificates and/or self-signed certificates MUST be
installed into the server through a trusted out of band mechanism and installed into the server through a trusted out of band mechanism and
their authenticity MUST be verified before access is granted. their authenticity MUST be verified before access is granted.
Having received a certificate from a connecting TLSTM client, the Having received a certificate from a connecting TLSTM client, the
authenticated tmSecurityName of the principal is derived using the authenticated tmSecurityName of the principal is derived using the
tlstmCertToTSNTable. This table allows mapping of incoming snmpTlstmCertToTSNTable. This table allows mapping of incoming
connections to tmSecurityNames through defined transformations. The connections to tmSecurityNames through defined transformations. The
transformations defined in the TLSTM-MIB include: transformations defined in the SNMP-TLS-TM-MIB include:
o Mapping a certificate's subjectAltName or CommonName components to o Mapping a certificate's subjectAltName or CommonName components to
a tmSecurityName, or a tmSecurityName, or
o Mapping a certificate's fingerprint value to a directly specified o Mapping a certificate's fingerprint value to a directly specified
tmSecurityName tmSecurityName
As an implementation hint: implementations may choose to discard any As an implementation hint: implementations may choose to discard any
connections for which no potential tlstmCertToTSNTable mapping exists connections for which no potential snmpTlstmCertToTSNTable mapping
before performing certificate verification to avoid expending exists before performing certificate verification to avoid expending
computational resources associated with certificate verification. computational resources associated with certificate verification.
Enterprise configurations are encouraged to map a "subjectAltName" Enterprise configurations are encouraged to map a "subjectAltName"
component of the X.509 certificate to the TLSTM specific component of the X.509 certificate to the TLSTM specific
tmSecurityName. The authenticated identity can be obtained by the tmSecurityName. The authenticated identity can be obtained by the
TLS Transport Model by extracting the subjectAltName(s) from the TLS Transport Model by extracting the subjectAltName(s) from the
peer's certificate. The receiving application will then have an peer's certificate. The receiving application will then have an
appropriate tmSecurityName for use by other SNMPv3 components like an appropriate tmSecurityName for use by other SNMPv3 components like an
access control model. access control model.
skipping to change at page 20, line 15 skipping to change at page 20, line 15
4.4.1.1. tmSecurityName 4.4.1.1. tmSecurityName
The tmSecurityName MUST be a human-readable name (in snmpAdminString The tmSecurityName MUST be a human-readable name (in snmpAdminString
format) representing the identity that has been set according to the format) representing the identity that has been set according to the
procedures in Section 5. The tmSecurityName MUST be constant for all procedures in Section 5. The tmSecurityName MUST be constant for all
traffic passing through an TLSTM session. Messages MUST NOT be sent traffic passing through an TLSTM session. Messages MUST NOT be sent
through an existing (D)TLS connection that was established using a through an existing (D)TLS connection that was established using a
different tmSecurityName. different tmSecurityName.
On the (D)TLS server side of a connection the tmSecurityName is On the (D)TLS server side of a connection the tmSecurityName is
derived using the procedures described in Section 5.3.2 and the derived using the procedures described in Section 5.3.2 and the SNMP-
TLSTM-MIB's tlstmCertToTSNTable DESCRIPTION clause. TLS-TM-MIB's snmpTlstmCertToTSNTable DESCRIPTION clause.
On the (D)TLS client side of a connection the tmSecurityName is On the (D)TLS client side of a connection the tmSecurityName is
presented to the TLS Transport Model by the application (possibly presented to the TLS Transport Model by the application (possibly
because of configuration specified in the SNMP-TARGET-MIB). because of configuration specified in the SNMP-TARGET-MIB).
The securityName MAY be derived from the tmSecurityName by a Security The securityName MAY be derived from the tmSecurityName by a Security
Model and MAY be used to configure notifications and access controls Model and MAY be used to configure notifications and access controls
in MIB modules. Transport Models SHOULD generate a predictable in MIB modules. Transport Models SHOULD generate a predictable
tmSecurityName so operators will know what to use when configuring tmSecurityName so operators will know what to use when configuring
MIB modules that use securityNames derived from tmSecurityNames. The MIB modules that use securityNames derived from tmSecurityNames. The
TLSTM generates predictable tmSecurityNames based on the TLSTM generates predictable tmSecurityNames based on the
configuration found in the TLSTM-MIB's tlstmCertToTSNTable and relies configuration found in the SNMP-TLS-TM-MIB's snmpTlstmCertToTSNTable
on the network operators to have configured this table appropriately. and relies on the network operators to have configured this table
appropriately.
4.4.1.2. tmSessionID 4.4.1.2. tmSessionID
The tmSessionID MUST be recorded per message at the time of receipt. The tmSessionID MUST be recorded per message at the time of receipt.
When tmSameSecurity is set, the recorded tmSessionID can be used to When tmSameSecurity is set, the recorded tmSessionID can be used to
determine whether the (D)TLS connection available for sending a determine whether the (D)TLS connection available for sending a
corresponding outgoing message is the same (D)TLS connection as was corresponding outgoing message is the same (D)TLS connection as was
used when receiving the incoming message (e.g., a response to a used when receiving the incoming message (e.g., a response to a
request). request).
skipping to change at page 22, line 23 skipping to change at page 22, line 24
remote transport address, incomingMessage, incomingMessageLength, and remote transport address, incomingMessage, incomingMessageLength, and
the tlstmSessionID. the tlstmSessionID.
1) The TLS Transport Model examines the raw UDP message, in an 1) The TLS Transport Model examines the raw UDP message, in an
implementation-dependent manner. implementation-dependent manner.
2) The TLS Transport Model queries the LCD using the transport 2) The TLS Transport Model queries the LCD using the transport
parameters (source and destination IP addresses and ports) to parameters (source and destination IP addresses and ports) to
determine if a session already exists. determine if a session already exists.
2a) f a matching entry in the LCD does not exist, then the UDP 2a) If a matching entry in the LCD does not exist, then the UDP
packet is passed to the DTLS implementation for processing. packet is passed to the DTLS implementation for processing.
If the DTLS implementation decides to continue with the If the DTLS implementation decides to continue with the
connection and allocate state for it, it returns a new DTLS connection and allocate state for it, it returns a new DTLS
connection handle (an implementation dependent detail). In connection handle (an implementation dependent detail). In
this case, TLSTM selects a new tlstmSessionId, and caches this case, TLSTM selects a new tlstmSessionId, and caches
this and the DTLS connection handle as a new entry in the this and the DTLS connection handle as a new entry in the
LCD (indexed by the transport parameters). If the DTLS LCD (indexed by the transport parameters). If the DTLS
implementation returns an error or does not allocate implementation returns an error or does not allocate
connection state (which can happen with the stateless cookie connection state (which can happen with the stateless cookie
exchange), processing stops. exchange), processing stops.
skipping to change at page 26, line 22 skipping to change at page 26, line 22
IN tmStateReference -- transport information to be used IN tmStateReference -- transport information to be used
OUT tmStateReference -- transport information to be used OUT tmStateReference -- transport information to be used
IN maxMessageSize -- of the sending SNMP entity IN maxMessageSize -- of the sending SNMP entity
) )
The following describes the procedure to follow when establishing a The following describes the procedure to follow when establishing a
SNMP over (D)TLS connection between SNMP engines for exchanging SNMP SNMP over (D)TLS connection between SNMP engines for exchanging SNMP
messages. This process is followed by any SNMP client's engine when messages. This process is followed by any SNMP client's engine when
establishing a session for subsequent use. establishing a session for subsequent use.
This MAY be done automatically for an SNMP application that initiates This procedure MAY be done automatically for an SNMP application that
a transaction, such as a command generator, a notification initiates a transaction, such as a command generator, a notification
originator, or a proxy forwarder. originator, or a proxy forwarder.
1) The snmpTlstmSessionOpens counter is incremented. 1) The snmpTlstmSessionOpens counter is incremented.
2) The client selects the appropriate certificate and cipher_suites 2) The client selects the appropriate certificate and cipher_suites
for the key agreement based on the tmSecurityName and the for the key agreement based on the tmSecurityName and the
tmRequestedSecurityLevel for the session. For sessions being tmRequestedSecurityLevel for the session. For sessions being
established as a result of a SNMP-TARGET-MIB based operation, the established as a result of a SNMP-TARGET-MIB based operation, the
certificate will potentially have been identified via the certificate will potentially have been identified via the
tlstmParamsTable mapping and the cipher_suites will have to be snmpTlstmParamsTable mapping and the cipher_suites will have to
taken from system-wide or implementation-specific configuration. be taken from system-wide or implementation-specific
If no row in the tlstmParamsTable exists then implementations MAY configuration. If no row in the snmpTlstmParamsTable exists then
choose to establish the connection using a default client implementations MAY choose to establish the connection using a
certificate available to the application. Otherwise, the default client certificate available to the application.
certificate and appropriate cipher_suites will need to be passed Otherwise, the certificate and appropriate cipher_suites will
to the openSession() ASI as supplemental information or need to be passed to the openSession() ASI as supplemental
configured through an implementation-dependent mechanism. It is information or configured through an implementation-dependent
also implementation-dependent and possibly policy-dependent how mechanism. It is also implementation-dependent and possibly
tmRequestedSecurityLevel will be used to influence the security policy-dependent how tmRequestedSecurityLevel will be used to
capabilities provided by the (D)TLS connection. However this is influence the security capabilities provided by the (D)TLS
done, the security capabilities provided by (D)TLS MUST be at connection. However this is done, the security capabilities
least as high as the level of security indicated by the provided by (D)TLS MUST be at least as high as the level of
tmRequestedSecurityLevel parameter. The actual security level of security indicated by the tmRequestedSecurityLevel parameter.
the session is reported in the tmStateReference cache as The actual security level of the session is reported in the
tmSecurityLevel. For (D)TLS to provide strong authentication, tmStateReference cache as tmSecurityLevel. For (D)TLS to provide
each principal acting as a command generator SHOULD have its own strong authentication, each principal acting as a command
certificate. generator SHOULD have its own certificate.
3) Using the destTransportDomain and destTransportAddress values, 3) Using the destTransportDomain and destTransportAddress values,
the client will initiate the (D)TLS handshake protocol to the client will initiate the (D)TLS handshake protocol to
establish session keys for message integrity and encryption. establish session keys for message integrity and encryption.
If the attempt to establish a session is unsuccessful, then If the attempt to establish a session is unsuccessful, then
snmpTlstmSessionOpenErrors is incremented, an error indication is snmpTlstmSessionOpenErrors is incremented, an error indication is
returned, and processing stops. If the session failed to open returned, and processing stops. If the session failed to open
because the presented server certificate was unknown or invalid because the presented server certificate was unknown or invalid
then the snmpTlstmSessionUnknownServerCertificate or then the snmpTlstmSessionUnknownServerCertificate or
snmpTlstmSessionInvalidServerCertificates MUST be incremented and snmpTlstmSessionInvalidServerCertificates MUST be incremented and
a tlstmServerCertificateUnknown or tlstmServerInvalidCertificate a snmpTlstmServerCertificateUnknown or
notification SHOULD be sent as appropriate. Reasons for server snmpTlstmServerInvalidCertificate notification SHOULD be sent as
certificate invalidation includes, but is not limited to, appropriate. Reasons for server certificate invalidation
cryptographic validation failures and an unexpected presented includes, but is not limited to, cryptographic validation
certificate identity. failures and an unexpected presented certificate identity.
4) The (D)TLS client MUST then verify that the (D)TLS server's 4) The (D)TLS client MUST then verify that the (D)TLS server's
presented certificate is the expected certificate. The (D)TLS presented certificate is the expected certificate. The (D)TLS
client MUST NOT transmit SNMP messages until the server client MUST NOT transmit SNMP messages until the server
certificate has been authenticated and the client certificate has certificate has been authenticated, the client certificate has
been transmitted. been transmitted and the TLS connection has been fully
established.
If the connection is being established from configuration based If the connection is being established from configuration based
on SNMP-TARGET-MIB configuration, then the tlstmAddrTable on SNMP-TARGET-MIB configuration, then the snmpTlstmAddrTable
DESCRIPTION clause describes how the verification is done (using DESCRIPTION clause describes how the verification is done (using
either a certificate fingerprint, or an identity authenticated either a certificate fingerprint, or an identity authenticated
via certification path validation). via certification path validation).
If the connection is being established for reasons other than If the connection is being established for reasons other than
configuration found in the SNMP-TARGET-MIB then configuration and configuration found in the SNMP-TARGET-MIB then configuration and
procedures outside the scope of this document should be followed. procedures outside the scope of this document should be followed.
Configuration mechanisms SHOULD be similar in nature to those Configuration mechanisms SHOULD be similar in nature to those
defined in the tlstmAddrTable to ensure consistency across defined in the snmpTlstmAddrTable to ensure consistency across
management configuration systems. For example, a command-line management configuration systems. For example, a command-line
tool for generating SNMP GETs might support specifying either the tool for generating SNMP GETs might support specifying either the
server's certificate fingerprint or the expected host name as a server's certificate fingerprint or the expected host name as a
command line argument. command line argument.
5) (D)TLS provides assurance that the authenticated identity has 5) (D)TLS provides assurance that the authenticated identity has
been signed by a trusted configured certification authority. If been signed by a trusted configured certification authority. If
verification of the server's certificate fails in any way (for verification of the server's certificate fails in any way (for
example because of failures in cryptographic verification or the example because of failures in cryptographic verification or the
presented identity did not match the expected named entity) then presented identity did not match the expected named entity) then
skipping to change at page 28, line 20 skipping to change at page 28, line 21
future use. The tlstmSessionID is also stored in the LCD for future use. The tlstmSessionID is also stored in the LCD for
later lookup during processing of incoming messages later lookup during processing of incoming messages
(Section 5.1.2). (Section 5.1.2).
5.3.2. Accepting a Session as a Server 5.3.2. Accepting a Session as a Server
A (D)TLS server should accept new session connections from any client A (D)TLS server should accept new session connections from any client
that it is able to verify the client's credentials for. This is done that it is able to verify the client's credentials for. This is done
by authenticating the client's presented certificate through a by authenticating the client's presented certificate through a
certificate path validation process (e.g. [RFC5280]) or through certificate path validation process (e.g. [RFC5280]) or through
certificate fingerprint verification using fingerprints configure in certificate fingerprint verification using fingerprints configured in
the tlstmCertToTSNTable. Afterward the server will determine the the snmpTlstmCertToTSNTable. Afterward the server will determine the
identity of the remote entity using the following procedures. identity of the remote entity using the following procedures.
The (D)TLS server identifies the authenticated identity from the The (D)TLS server identifies the authenticated identity from the
(D)TLS client's principal certificate using configuration information (D)TLS client's principal certificate using configuration information
from the tlstmCertToTSNTable mapping table. The (D)TLS server MUST from the snmpTlstmCertToTSNTable mapping table. The (D)TLS server
request and expect a certificate from the client and MUST NOT accept MUST request and expect a certificate from the client and MUST NOT
SNMP messages over the (D)TLS connection until the client has sent a accept SNMP messages over the (D)TLS connection until the client has
certificate and it has been authenticated. The resulting derived sent a certificate and it has been authenticated. The resulting
tmSecurityName is recorded in the tmStateReference cache as derived tmSecurityName is recorded in the tmStateReference cache as
tmSecurityName. The details of the lookup process are fully tmSecurityName. The details of the lookup process are fully
described in the DESCRIPTION clause of the tlstmCertToTSNTable MIB described in the DESCRIPTION clause of the snmpTlstmCertToTSNTable
object. If any verification fails in any way (for example because of MIB object. If any verification fails in any way (for example
failures in cryptographic verification or because of the lack of an because of failures in cryptographic verification or because of the
appropriate row in the tlstmCertToTSNTable) then the session lack of an appropriate row in the snmpTlstmCertToTSNTable) then the
establishment MUST fail, the session establishment MUST fail, and the
snmpTlstmSessionInvalidClientCertificates object is incremented. If snmpTlstmSessionInvalidClientCertificates object is incremented. If
the session can not be opened for any reason at all, including the session can not be opened for any reason at all, including
cryptographic verification failures, then the cryptographic verification failures, then the
snmpTlstmSessionOpenErrors counter is incremented and processing snmpTlstmSessionOpenErrors counter is incremented and processing
stops. stops.
Servers that wish to support multiple principals at a particular port Servers that wish to support multiple principals at a particular port
SHOULD make use of a (D)TLS extension that allows server-side SHOULD make use of a (D)TLS extension that allows server-side
principal selection like the Server Name Indication extension defined principal selection like the Server Name Indication extension defined
in Section 3.1 of [RFC4366]. Supporting this will allow, for in Section 3.1 of [RFC4366]. Supporting this will allow, for
skipping to change at page 30, line 15 skipping to change at page 30, line 15
o A new TransportAddress format for describing (D)TLS connection o A new TransportAddress format for describing (D)TLS connection
addressing requirements. addressing requirements.
o A certificate fingerprint allowing MIB module objects to o A certificate fingerprint allowing MIB module objects to
generically refer to a stored X.509 certificate using a generically refer to a stored X.509 certificate using a
cryptographic hash as a reference pointer. cryptographic hash as a reference pointer.
6.3. Statistical Counters 6.3. Statistical Counters
The TLSTM-MIB defines some counters that can provide network The SNMP-TLS-TM-MIB defines some counters that can provide network
management stations with information about session usage and management stations with information about session usage and
potential errors that a MIB-instrumented device may be experiencing. potential errors that a MIB-instrumented device may be experiencing.
6.4. Configuration Tables 6.4. Configuration Tables
The TLSTM-MIB defines configuration tables that an administrator can The SNMP-TLS-TM-MIB defines configuration tables that an
use for configuring a MIB-instrumented device for sending and administrator can use for configuring a MIB-instrumented device for
receiving SNMP messages over (D)TLS. In particular, there are MIB sending and receiving SNMP messages over (D)TLS. In particular,
tables that extend the SNMP-TARGET-MIB for configuring (D)TLS there are MIB tables that extend the SNMP-TARGET-MIB for configuring
certificate usage and a MIB table for mapping incoming (D)TLS client (D)TLS certificate usage and a MIB table for mapping incoming (D)TLS
certificates to SNMPv3 securityNames. client certificates to SNMPv3 securityNames.
6.4.1. Notifications 6.4.1. Notifications
The TLSTM-MIB defines notifications to alert management stations when The SNMP-TLS-TM-MIB defines notifications to alert management
a (D)TLS connection fails because a server's presented certificate stations when a (D)TLS connection fails because a server's presented
did not meet an expected value (tlstmServerCertificateUnknown) or certificate did not meet an expected value
because cryptographic validation failed (snmpTlstmServerCertificateUnknown) or because cryptographic
(tlstmServerInvalidCertificate). validation failed (snmpTlstmServerInvalidCertificate).
6.5. Relationship to Other MIB Modules 6.5. Relationship to Other MIB Modules
Some management objects defined in other MIB modules are applicable Some management objects defined in other MIB modules are applicable
to an entity implementing the TLS Transport Model. In particular, it to an entity implementing the TLS Transport Model. In particular, it
is assumed that an entity implementing the TLSTM-MIB will implement is assumed that an entity implementing the SNMP-TLS-TM-MIB will
the SNMPv2-MIB [RFC3418], the SNMP-FRAMEWORK-MIB [RFC3411], the SNMP- implement the SNMPv2-MIB [RFC3418], the SNMP-FRAMEWORK-MIB [RFC3411],
TARGET-MIB [RFC3413], the SNMP-NOTIFICATION-MIB [RFC3413] and the the SNMP-TARGET-MIB [RFC3413], the SNMP-NOTIFICATION-MIB [RFC3413]
SNMP-VIEW-BASED-ACM-MIB [RFC3415]. and the SNMP-VIEW-BASED-ACM-MIB [RFC3415].
The TLSTM-MIB module contained in this document is for managing TLS The SNMP-TLS-TM-MIB module contained in this document is for managing
Transport Model information. TLS Transport Model information.
6.5.1. MIB Modules Required for IMPORTS 6.5.1. MIB Modules Required for IMPORTS
The TLSTM-MIB module imports items from SNMPv2-SMI [RFC2578], The SNMP-TLS-TM-MIB module imports items from SNMPv2-SMI [RFC2578],
SNMPv2-TC [RFC2579], SNMP-FRAMEWORK-MIB [RFC3411], SNMP-TARGET-MIB SNMPv2-TC [RFC2579], SNMP-FRAMEWORK-MIB [RFC3411], SNMP-TARGET-MIB
[RFC3413] and SNMPv2-CONF [RFC2580]. [RFC3413] and SNMPv2-CONF [RFC2580].
7. MIB Module Definition 7. MIB Module Definition
TLSTM-MIB DEFINITIONS ::= BEGIN SNMP-TLS-TM-MIB DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, MODULE-IDENTITY, OBJECT-TYPE,
OBJECT-IDENTITY, snmpModules, snmpDomains, OBJECT-IDENTITY, mib-2, snmpDomains,
Counter32, Unsigned32, NOTIFICATION-TYPE Counter32, Unsigned32, Gauge32, NOTIFICATION-TYPE
FROM SNMPv2-SMI FROM SNMPv2-SMI
TEXTUAL-CONVENTION, TimeStamp, RowStatus, StorageType, TEXTUAL-CONVENTION, TimeStamp, RowStatus, StorageType,
AutonomousType AutonomousType
FROM SNMPv2-TC FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
FROM SNMPv2-CONF FROM SNMPv2-CONF
SnmpAdminString SnmpAdminString
FROM SNMP-FRAMEWORK-MIB FROM SNMP-FRAMEWORK-MIB
snmpTargetParamsName, snmpTargetAddrName snmpTargetParamsName, snmpTargetAddrName
FROM SNMP-TARGET-MIB FROM SNMP-TARGET-MIB
; ;
tlstmMIB MODULE-IDENTITY snmpTlstmMIB MODULE-IDENTITY
LAST-UPDATED "201003060000Z" LAST-UPDATED "201004140000Z"
ORGANIZATION "ISMS Working Group" ORGANIZATION "ISMS Working Group"
CONTACT-INFO "WG-EMail: isms@lists.ietf.org CONTACT-INFO "WG-EMail: isms@lists.ietf.org
Subscribe: isms-request@lists.ietf.org Subscribe: isms-request@lists.ietf.org
Chairs: Chairs:
Juergen Schoenwaelder Juergen Schoenwaelder
Jacobs University Bremen Jacobs University Bremen
Campus Ring 1 Campus Ring 1
28725 Bremen 28725 Bremen
Germany Germany
+49 421 200-3587 +49 421 200-3587
j.schoenwaelder@jacobs-university.de j.schoenwaelder@jacobs-university.de
Russ Mundy Russ Mundy
SPARTA, Inc. SPARTA, Inc.
7110 Samuel Morse Drive 7110 Samuel Morse Drive
Columbia, MD 21046 Columbia, MD 21046
USA USA
Co-editors: Editor:
Wes Hardaker Wes Hardaker
Sparta, Inc. Sparta, Inc.
P.O. Box 382 P.O. Box 382
Davis, CA 95617 Davis, CA 95617
USA USA
ietf@hardakers.net ietf@hardakers.net
" "
DESCRIPTION " DESCRIPTION "
The TLS Transport Model MIB The TLS Transport Model MIB
Copyright (c) 2010 IETF Trust and the persons identified as Copyright (c) 2010 IETF Trust and the persons identified as
the document authors. All rights reserved. the document authors. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info)."
This version of this MIB module is part of RFC XXXX;
see the RFC itself for full legal notices."
REVISION "201004140000Z"
DESCRIPTION "This version of this MIB module is part of
RFC XXXX; see the RFC itself for full legal
notices."
REVISION "201003060000Z"
DESCRIPTION "The initial version, published in RFC XXXX."
-- NOTE to RFC editor: replace XXXX with actual RFC number -- NOTE to RFC editor: replace XXXX with actual RFC number
-- for this document and change the date to the
-- current date and remove this note
::= { snmpModules xxxx } ::= { mib-2 www }
-- RFC Ed.: replace www with IANA-assigned number under the mib-2
-- SNMP OID tree and remove this note
-- ************************************************ -- ************************************************
-- subtrees of the SNMP-TLS-TM-MIB
-- ************************************************ -- ************************************************
tlstmNotifications OBJECT IDENTIFIER ::= { tlstmMIB 0 } snmpTlstmNotifications OBJECT IDENTIFIER ::= { snmpTlstmMIB 0 }
tlstmIdentities OBJECT IDENTIFIER ::= { tlstmMIB 1 } snmpTlstmIdentities OBJECT IDENTIFIER ::= { snmpTlstmMIB 1 }
tlstmObjects OBJECT IDENTIFIER ::= { tlstmMIB 2 } snmpTlstmObjects OBJECT IDENTIFIER ::= { snmpTlstmMIB 2 }
tlstmConformance OBJECT IDENTIFIER ::= { tlstmMIB 3 } snmpTlstmConformance OBJECT IDENTIFIER ::= { snmpTlstmMIB 3 }
-- ************************************************ -- ************************************************
-- snmpTlstmObjects - Objects
-- ************************************************ -- ************************************************
snmpTLSTCPDomain OBJECT-IDENTITY snmpTLSTCPDomain OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The SNMP over TLS transport domain. The corresponding "The SNMP over TLS transport domain. The corresponding
transport address is of type SnmpTLSAddress. transport address is of type SnmpTLSAddress.
The securityName prefix to be associated with the The securityName prefix to be associated with the
snmpTLSTCPDomain is 'tls'. This prefix may be used by snmpTLSTCPDomain is 'tls'. This prefix may be used by
skipping to change at page 33, line 29 skipping to change at page 33, line 27
-- RFC Ed.: replace 'tls' with the actual IANA assigned prefix string -- RFC Ed.: replace 'tls' with the actual IANA assigned prefix string
-- if 'tls' is not assigned to this document. -- if 'tls' is not assigned to this document.
snmpDTLSUDPDomain OBJECT-IDENTITY snmpDTLSUDPDomain OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The SNMP over DTLS/UDP transport domain. The corresponding "The SNMP over DTLS/UDP transport domain. The corresponding
transport address is of type SnmpTLSAddress. transport address is of type SnmpTLSAddress.
The securityName prefix to be associated with the The securityName prefix to be associated with the
snmpDTLSUDPDomain is 'dudp'. This prefix may be used by snmpDTLSUDPDomain is 'dtls'. This prefix may be used by
security models or other components to identify which secure security models or other components to identify which secure
transport infrastructure authenticated a securityName." transport infrastructure authenticated a securityName."
::= { snmpDomains yy } ::= { snmpDomains yy }
-- RFC Ed.: replace yy with IANA-assigned number and -- RFC Ed.: replace yy with IANA-assigned number and
-- remove this note -- remove this note
-- RFC Ed.: replace 'dtls' with the actual IANA assigned prefix string
-- if 'dtls' is not assigned to this document.
SnmpTLSAddress ::= TEXTUAL-CONVENTION SnmpTLSAddress ::= TEXTUAL-CONVENTION
DISPLAY-HINT "1a" DISPLAY-HINT "1a"
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Represents a IPv4 address, an IPv6 address or an US-ASCII "Represents a IPv4 address, an IPv6 address or an US-ASCII
encoded hostname and port number. encoded hostname and port number.
An IPv4 address must be in dotted decimal format followed by a An IPv4 address must be in dotted decimal format followed by a
colon ':' (US-ASCII character 0x3A) and a decimal port number colon ':' (US-ASCII character 0x3A) and a decimal port number
skipping to change at page 35, line 28 skipping to change at page 35, line 26
This TEXTUAL-CONVENTION allows for a zero-length (blank) This TEXTUAL-CONVENTION allows for a zero-length (blank)
Fingerprint value for use in tables where the fingerprint value Fingerprint value for use in tables where the fingerprint value
may be optional. MIB definitions or implementations may refuse may be optional. MIB definitions or implementations may refuse
to accept a zero-length value as appropriate." to accept a zero-length value as appropriate."
REFERENCE REFERENCE
"RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2 "RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2
http://www.iana.org/assignments/tls-parameters/ http://www.iana.org/assignments/tls-parameters/
" "
SYNTAX OCTET STRING (SIZE (0..255)) SYNTAX OCTET STRING (SIZE (0..255))
-- Identities for use in the snmpTlstmCertToTSNTable
tlstmCertToTSNMIdentities OBJECT IDENTIFIER ::= { tlstmIdentities 1 } snmpTlstmCertToTSNMIdentities OBJECT IDENTIFIER
::= { snmpTlstmIdentities 1 }
tlstmCertSpecified OBJECT-IDENTITY snmpTlstmCertSpecified OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION "Directly specifies the tmSecurityName to be used for DESCRIPTION "Directly specifies the tmSecurityName to be used for
this certificate. The value of the tmSecurityName this certificate. The value of the tmSecurityName
to use is specified in the tlstmCertToTSNData to use is specified in the snmpTlstmCertToTSNData
column. The tlstmCertToTSNData column must contain column. The snmpTlstmCertToTSNData column must
a non-zero length SnmpAdminString compliant value or contain a non-zero length SnmpAdminString compliant
the mapping described in this row must be considered value or the mapping described in this row must be
a failure." considered a failure."
::= { tlstmCertToTSNMIdentities 1 } ::= { snmpTlstmCertToTSNMIdentities 1 }
tlstmCertSANRFC822Name OBJECT-IDENTITY snmpTlstmCertSANRFC822Name OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION "Maps a subjectAltName's rfc822Name to a DESCRIPTION "Maps a subjectAltName's rfc822Name to a
tmSecurityName. The local part of the rfc822Name is tmSecurityName. The local part of the rfc822Name is
passed unaltered but the host-part of the name must passed unaltered but the host-part of the name must
be passed in lower case. be passed in lower case.
Example rfc822Name Field: FooBar@Example.COM Example rfc822Name Field: FooBar@Example.COM
is mapped to tmSecurityName: FooBar@example.com" is mapped to tmSecurityName: FooBar@example.com"
::= { tlstmCertToTSNMIdentities 2 } ::= { snmpTlstmCertToTSNMIdentities 2 }
tlstmCertSANDNSName OBJECT-IDENTITY snmpTlstmCertSANDNSName OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION "Maps a subjectAltName's dNSName to a DESCRIPTION "Maps a subjectAltName's dNSName to a
tmSecurityName after first converting it to all tmSecurityName after first converting it to all
lower case." lower case."
::= { tlstmCertToTSNMIdentities 3 } ::= { snmpTlstmCertToTSNMIdentities 3 }
tlstmCertSANIpAddress OBJECT-IDENTITY snmpTlstmCertSANIpAddress OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION "Maps a subjectAltName's iPAddress to a DESCRIPTION "Maps a subjectAltName's iPAddress to a
tmSecurityName by transforming the binary encoded tmSecurityName by transforming the binary encoded
address as follows: address as follows:
1) for IPv4 the value is converted into a decimal 1) for IPv4 the value is converted into a decimal
dotted quad address (e.g. '192.0.2.1') dotted quad address (e.g. '192.0.2.1')
2) for IPv6 addresses the value is converted into a 2) for IPv6 addresses the value is converted into a
32-character all lowercase hexadecimal string 32-character all lowercase hexadecimal string
without any colon separators. without any colon separators.
Note that the resulting length is the maximum Note that the resulting length is the maximum
length supported by the View-Based Access Control length supported by the View-Based Access Control
Model (VACM). Note that using both the Transport Model (VACM). Note that using both the Transport
Security Model's support for transport prefixes Security Model's support for transport prefixes
(see the SNMP-TSM-MIB's (see the SNMP-TSM-MIB's
snmpTsmConfigurationUsePrefix object for details) snmpTsmConfigurationUsePrefix object for details)
will result in securityName lengths that exceed will result in securityName lengths that exceed
what VACM can handle." what VACM can handle."
::= { tlstmCertToTSNMIdentities 4 } ::= { snmpTlstmCertToTSNMIdentities 4 }
tlstmCertSANAny OBJECT-IDENTITY snmpTlstmCertSANAny OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION "Maps any of the following fields using the DESCRIPTION "Maps any of the following fields using the
corresponding mapping algorithms: corresponding mapping algorithms:
|------------+------------------------| |------------+------------------------|
| Type | Algorithm | | Type | Algorithm |
|------------+------------------------| |------------+------------------------|
| rfc822Name | tlstmCertSANRFC822Name | | rfc822Name | snmpTlstmCertSANRFC822Name |
| dNSName | tlstmCertSANDNSName | | dNSName | snmpTlstmCertSANDNSName |
| iPAddress | tlstmCertSANIpAddress | | iPAddress | snmpTlstmCertSANIpAddress |
|------------+------------------------| |------------+------------------------|
The first matching subjectAltName value found in the The first matching subjectAltName value found in the
certificate of the above types MUST be used when certificate of the above types MUST be used when
deriving the tmSecurityName." deriving the tmSecurityName."
::= { tlstmCertToTSNMIdentities 5 } ::= { snmpTlstmCertToTSNMIdentities 5 }
tlstmCertCommonName OBJECT-IDENTITY snmpTlstmCertCommonName OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION "Maps a certificate's CommonName to a tmSecurityName DESCRIPTION "Maps a certificate's CommonName to a tmSecurityName
after converting it to a UTF-8 encoding." after converting it to a UTF-8 encoding."
::= { tlstmCertToTSNMIdentities 6 } ::= { snmpTlstmCertToTSNMIdentities 6 }
-- The snmpTlstmSession Group -- The snmpTlstmSession Group
snmpTlstmSession OBJECT IDENTIFIER ::= { tlstmObjects 1 } snmpTlstmSession OBJECT IDENTIFIER ::= { snmpTlstmObjects 1 }
snmpTlstmSessionOpens OBJECT-TYPE snmpTlstmSessionOpens OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an openSession() request has been executed "The number of times an openSession() request has been executed
as an (D)TLS client, regardless of whether it succeeded or as an (D)TLS client, regardless of whether it succeeded or
failed." failed."
::= { snmpTlstmSession 1 } ::= { snmpTlstmSession 1 }
skipping to change at page 38, line 33 skipping to change at page 38, line 33
the session associated with the passed tmStateReference was no the session associated with the passed tmStateReference was no
longer (or was never) available." longer (or was never) available."
::= { snmpTlstmSession 6 } ::= { snmpTlstmSession 6 }
snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an incoming session was not established "The number of times an incoming session was not established
on an (D)TLS server because the presented client certificate was on an (D)TLS server because the presented client certificate
invalid. Reasons for invalidation include, but are not was invalid. Reasons for invalidation include, but are not
limited to, cryptographic validation failures or lack of a limited to, cryptographic validation failures or lack of a
suitable mapping row in the tlstmCertToTSNTable." suitable mapping row in the snmpTlstmCertToTSNTable."
::= { snmpTlstmSession 7 } ::= { snmpTlstmSession 7 }
snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an outgoing session was not established "The number of times an outgoing session was not established
on an (D)TLS client because the server certificate presented on an (D)TLS client because the server certificate presented
by a SNMP over (D)TLS server was invalid because no by a SNMP over (D)TLS server was invalid because no
configured fingerprint or CA was acceptable to validate it. configured fingerprint or CA was acceptable to validate it.
This may result because there was no entry in the This may result because there was no entry in the
tlstmAddrTable or because no path could be found to a known snmpTlstmAddrTable or because no path could be found to a
certification authority." known certification authority."
::= { snmpTlstmSession 8 } ::= { snmpTlstmSession 8 }
snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an outgoing session was not established "The number of times an outgoing session was not established
on an (D)TLS client because the server certificate presented on an (D)TLS client because the server certificate presented
by an SNMP over (D)TLS server could not be validated even if by an SNMP over (D)TLS server could not be validated even if
skipping to change at page 39, line 32 skipping to change at page 39, line 32
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of outgoing messages dropped because the "The number of outgoing messages dropped because the
tmStateReference referred to an invalid cache." tmStateReference referred to an invalid cache."
::= { snmpTlstmSession 10 } ::= { snmpTlstmSession 10 }
-- Configuration Objects -- Configuration Objects
tlstmConfig OBJECT IDENTIFIER ::= { tlstmObjects 2 } snmpTlstmConfig OBJECT IDENTIFIER ::= { snmpTlstmObjects 2 }
-- Certificate mapping -- Certificate mapping
tlstmCertificateMapping OBJECT IDENTIFIER ::= { tlstmConfig 1 } snmpTlstmCertificateMapping OBJECT IDENTIFIER ::= { snmpTlstmConfig 1 }
tlstmCertToTSNCount OBJECT-TYPE snmpTlstmCertToTSNCount OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Gauge32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A count of the number of entries in the tlstmCertToTSNTable" "A count of the number of entries in the
::= { tlstmCertificateMapping 1 } snmpTlstmCertToTSNTable"
::= { snmpTlstmCertificateMapping 1 }
tlstmCertToTSNTableLastChanged OBJECT-TYPE snmpTlstmCertToTSNTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime.0 when the tlstmCertToTSNTable "The value of sysUpTime.0 when the snmpTlstmCertToTSNTable was
was last modified through any means, or 0 if it has not been last modified through any means, or 0 if it has not been
modified since the command responder was started." modified since the command responder was started."
::= { tlstmCertificateMapping 2 } ::= { snmpTlstmCertificateMapping 2 }
tlstmCertToTSNTable OBJECT-TYPE snmpTlstmCertToTSNTable OBJECT-TYPE
SYNTAX SEQUENCE OF TlstmCertToTSNEntry SYNTAX SEQUENCE OF SnmpTlstmCertToTSNEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A table listing the fingerprints of X.509 certificates known "This table is used by a (D)TLS server to map the (D)TLS
to the entity and the associated method for determining the client's presented X.509 certificate to a tmSecurityName.
SNMPv3 security name from a certificate.
On an incoming (D)TLS/SNMP connection the client's presented On an incoming (D)TLS/SNMP connection the client's presented
certificate must be examined and validated based on an certificate must either be validated based on an established
established trusted path from a CA certificate or self-signed trust anchor, or it must directly match a fingerprint in this
public certificate (e.g. RFC5280). This table provides a table. This table does not provide any mechanisms for
mapping from a validated certificate to a tmSecurityName. configuring the trust anchors; the transfer of any needed
This table does not provide any mechanisms for uploading trusted certificates for path validation is expected to occur
trusted certificates; the transfer of any needed trusted through an out-of-band transfer.
certificates for path validation is expected to occur through
an out-of-band transfer.
Once the authenticity of a certificate has been verified, this Once the certificate has been found acceptable (either by path
table is consulted to determine the appropriate tmSecurityName validation or directly matching a fingerprint in this table),
to identify with the remote connection. This is done by this table is consulted to determine the appropriate
considering each active row from this table in prioritized tmSecurityName to identify with the remote connection. This
order according to its tlstmCertToTSNID value. Each row's is done by considering each active row from this table in
tlstmCertToTSNFingerprint value determines whether the row is a prioritized order according to its snmpTlstmCertToTSNID value.
match for the incoming connection: Each row's snmpTlstmCertToTSNFingerprint value determines
whether the row is a match for the incoming connection:
1) If the row's tlstmCertToTSNFingerprint value identifies 1) If the row's snmpTlstmCertToTSNFingerprint value
the presented certificate then consider the row as a identifies the presented certificate then consider the
successful match. row as a successful match.
2) If the row's tlstmCertToTSNFingerprint value identifies 2) If the row's snmpTlstmCertToTSNFingerprint value
a locally held copy of a trusted CA certificate and identifies a locally held copy of a trusted CA
that CA certificate was used to validate the path to certificate and that CA certificate was used to
the presented certificate then consider the row as a validate the path to the presented certificate then
successful match. consider the row as a successful match.
Once a matching row has been found, the tlstmCertToTSNMapType Once a matching row has been found, the
value can be used to determine how the tmSecurityName to snmpTlstmCertToTSNMapType value can be used to determine how
associate with the session should be determined. See the the tmSecurityName to associate with the session should be
tlstmCertToTSNMapType column's DESCRIPTION for details on determined. See the snmpTlstmCertToTSNMapType column's
determining the tmSecurityName value. If it is impossible to DESCRIPTION for details on determining the tmSecurityName
determine a tmSecurityName from the row's data combined with the value. If it is impossible to determine a tmSecurityName from
data presented in the certificate then additional rows MUST be the row's data combined with the data presented in the
searched looking for another potential match. If a resulting certificate then additional rows MUST be searched looking for
tmSecurityName mapped from a given row is not compatible with another potential match. If a resulting tmSecurityName mapped
the needed requirements of a tmSecurityName (e.g., VACM imposes from a given row is not compatible with the needed
a 32-octet-maximum length and the certificate derived requirements of a tmSecurityName (e.g., VACM imposes a
32-octet-maximum length and the certificate derived
securityName could be longer) then it must be considered an securityName could be longer) then it must be considered an
invalid match and additional rows MUST be searched looking for invalid match and additional rows MUST be searched looking for
another potential match. another potential match.
Missing values of tlstmCertToTSNID are acceptable and Missing values of snmpTlstmCertToTSNID are acceptable and
implementations should continue to the next highest numbered implementations should continue to the next highest numbered
row. E.G., the table may legally contain only two rows with row. E.G., the table may legally contain only two rows with
tlstmCertToTSNID values of 10 and 20. snmpTlstmCertToTSNID values of 10 and 20.
Users are encouraged to make use of certificates with Users are encouraged to make use of certificates with
subjectAltName fields that can be used as tmSecurityNames so subjectAltName fields that can be used as tmSecurityNames so
that a single root CA certificate can allow all child that a single root CA certificate can allow all child
certificate's subjectAltName to map directly to a certificate's subjectAltName to map directly to a
tmSecurityName via a 1:1 transformation. However, this table tmSecurityName via a 1:1 transformation. However, this table
is flexible to allow for situations where existing deployed is flexible to allow for situations where existing deployed
certificate infrastructures do not provide adequate certificate infrastructures do not provide adequate
subjectAltName values for use as tmSecurityNames. subjectAltName values for use as tmSecurityNames.
Certificates may also be mapped to tmSecurityNames using the Certificates may also be mapped to tmSecurityNames using the
CommonName portion of the Subject field. However, the usage CommonName portion of the Subject field. However, the usage
of the CommonName field is deprecated and thus this usage is of the CommonName field is deprecated and thus this usage is
NOT RECOMMENDED. Direct mapping from each individual NOT RECOMMENDED. Direct mapping from each individual
certificate fingerprint to a tmSecurityName is also possible certificate fingerprint to a tmSecurityName is also possible
but requires one entry in the table per tmSecurityName and but requires one entry in the table per tmSecurityName and
requires more management operations to completely configure a requires more management operations to completely configure a
device." device."
::= { tlstmCertificateMapping 3 } ::= { snmpTlstmCertificateMapping 3 }
tlstmCertToTSNEntry OBJECT-TYPE snmpTlstmCertToTSNEntry OBJECT-TYPE
SYNTAX TlstmCertToTSNEntry SYNTAX SnmpTlstmCertToTSNEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A row in the tlstmCertToTSNTable that specifies a mapping for "A row in the snmpTlstmCertToTSNTable that specifies a mapping
an incoming (D)TLS certificate to a tmSecurityName to use for a for an incoming (D)TLS certificate to a tmSecurityName to use
connection." for a connection."
INDEX { tlstmCertToTSNID } INDEX { snmpTlstmCertToTSNID }
::= { tlstmCertToTSNTable 1 } ::= { snmpTlstmCertToTSNTable 1 }
TlstmCertToTSNEntry ::= SEQUENCE { SnmpTlstmCertToTSNEntry ::= SEQUENCE {
tlstmCertToTSNID Unsigned32, snmpTlstmCertToTSNID Unsigned32,
tlstmCertToTSNFingerprint Fingerprint, snmpTlstmCertToTSNFingerprint Fingerprint,
tlstmCertToTSNMapType AutonomousType, snmpTlstmCertToTSNMapType AutonomousType,
tlstmCertToTSNData OCTET STRING, snmpTlstmCertToTSNData OCTET STRING,
tlstmCertToTSNStorageType StorageType, snmpTlstmCertToTSNStorageType StorageType,
tlstmCertToTSNRowStatus RowStatus snmpTlstmCertToTSNRowStatus RowStatus
} }
tlstmCertToTSNID OBJECT-TYPE snmpTlstmCertToTSNID OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A unique, prioritized index for the given entry. Lower "A unique, prioritized index for the given entry. Lower
numbers indicate a higher priority." numbers indicate a higher priority."
::= { tlstmCertToTSNEntry 1 } ::= { snmpTlstmCertToTSNEntry 1 }
tlstmCertToTSNFingerprint OBJECT-TYPE snmpTlstmCertToTSNFingerprint OBJECT-TYPE
SYNTAX Fingerprint (SIZE(1..255)) SYNTAX Fingerprint (SIZE(1..255))
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A cryptographic hash of a X.509 certificate. The results of "A cryptographic hash of a X.509 certificate. The results of
a successful matching fingerprint to either the trusted CA in a successful matching fingerprint to either the trusted CA in
the certificate validation path or to the certificate itself the certificate validation path or to the certificate itself
is dictated by the tlstmCertToTSNMapType column." is dictated by the snmpTlstmCertToTSNMapType column."
::= { tlstmCertToTSNEntry 2 } ::= { snmpTlstmCertToTSNEntry 2 }
tlstmCertToTSNMapType OBJECT-TYPE snmpTlstmCertToTSNMapType OBJECT-TYPE
SYNTAX AutonomousType SYNTAX AutonomousType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Specifies the mapping type for deriving a tmSecurityName from a "Specifies the mapping type for deriving a tmSecurityName from
certificate. Details for mapping of a particular type SHALL a certificate. Details for mapping of a particular type SHALL
be specified in the DESCRIPTION clause of the OBJECT-IDENTITY be specified in the DESCRIPTION clause of the OBJECT-IDENTITY
that describes the mapping. If a mapping succeeds it will that describes the mapping. If a mapping succeeds it will
return a tmSecurityName for use by the TLSTM model and return a tmSecurityName for use by the TLSTM model and
processing stops. processing stops.
If the resulting mapped value is not compatible with the If the resulting mapped value is not compatible with the
needed requirements of a tmSecurityName (e.g., VACM imposes a needed requirements of a tmSecurityName (e.g., VACM imposes a
32-octet-maximum length and the certificate derived 32-octet-maximum length and the certificate derived
securityName could be longer) then future rows MUST be securityName could be longer) then future rows MUST be
searched for additional tlstmCertToTSNFingerprint matches to searched for additional snmpTlstmCertToTSNFingerprint matches
look for a mapping that succeeds." to look for a mapping that succeeds."
DEFVAL { tlstmCertSpecified } DEFVAL { snmpTlstmCertSpecified }
::= { tlstmCertToTSNEntry 3 } ::= { snmpTlstmCertToTSNEntry 3 }
tlstmCertToTSNData OBJECT-TYPE snmpTlstmCertToTSNData OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..1024)) SYNTAX OCTET STRING (SIZE(0..1024))
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Auxiliary data used as optional configuration information for "Auxiliary data used as optional configuration information for
a given mapping specified by the tlstmCertToTSNMapType column. a given mapping specified by the snmpTlstmCertToTSNMapType
Only some mapping systems will make use of this column. The column. Only some mapping systems will make use of this
value in this column MUST be ignored for any mapping type that column. The value in this column MUST be ignored for any
does not require data present in this column." mapping type that does not require data present in this
column."
DEFVAL { "" } DEFVAL { "" }
::= { tlstmCertToTSNEntry 4 } ::= { snmpTlstmCertToTSNEntry 4 }
tlstmCertToTSNStorageType OBJECT-TYPE snmpTlstmCertToTSNStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this conceptual row. Conceptual rows "The storage type for this conceptual row. Conceptual rows
having the value 'permanent' need not allow write-access to having the value 'permanent' need not allow write-access to
any columnar objects in the row." any columnar objects in the row."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { tlstmCertToTSNEntry 5 } ::= { snmpTlstmCertToTSNEntry 5 }
tlstmCertToTSNRowStatus OBJECT-TYPE snmpTlstmCertToTSNRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The status of this conceptual row. This object may be used "The status of this conceptual row. This object may be used
to create or remove rows from this table. to create or remove rows from this table.
To create a row in this table, an administrator must set this To create a row in this table, an administrator must set this
object to either createAndGo(4) or createAndWait(5). object to either createAndGo(4) or createAndWait(5).
Until instances of all corresponding columns are appropriately Until instances of all corresponding columns are appropriately
configured, the value of the corresponding instance of the configured, the value of the corresponding instance of the
tlstmParamsRowStatus column is 'notReady'. snmpTlstmParamsRowStatus column is 'notReady'.
In particular, a newly created row cannot be made active until In particular, a newly created row cannot be made active until
the corresponding tlstmCertToTSNFingerprint, the corresponding snmpTlstmCertToTSNFingerprint,
tlstmCertToTSNMapType, and tlstmCertToTSNData columns have been snmpTlstmCertToTSNMapType, and snmpTlstmCertToTSNData columns
set. have been set.
The following objects may not be modified while the The following objects may not be modified while the
value of this object is active(1): value of this object is active(1):
- tlstmCertToTSNFingerprint - snmpTlstmCertToTSNFingerprint
- tlstmCertToTSNMapType - snmpTlstmCertToTSNMapType
- tlstmCertToTSNData - snmpTlstmCertToTSNData
An attempt to set these objects while the value of An attempt to set these objects while the value of
tlstmParamsRowStatus is active(1) will result in snmpTlstmParamsRowStatus is active(1) will result in
an inconsistentValue error." an inconsistentValue error."
::= { tlstmCertToTSNEntry 6 }
::= { snmpTlstmCertToTSNEntry 6 }
-- Maps tmSecurityNames to certificates for use by the SNMP-TARGET-MIB -- Maps tmSecurityNames to certificates for use by the SNMP-TARGET-MIB
tlstmParamsCount OBJECT-TYPE snmpTlstmParamsCount OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Gauge32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A count of the number of entries in the tlstmParamsTable" "A count of the number of entries in the snmpTlstmParamsTable"
::= { tlstmCertificateMapping 4 } ::= { snmpTlstmCertificateMapping 4 }
tlstmParamsTableLastChanged OBJECT-TYPE snmpTlstmParamsTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime.0 when the tlstmParamsTable "The value of sysUpTime.0 when the snmpTlstmParamsTable
was last modified through any means, or 0 if it has not been was last modified through any means, or 0 if it has not been
modified since the command responder was started." modified since the command responder was started."
::= { tlstmCertificateMapping 5 } ::= { snmpTlstmCertificateMapping 5 }
tlstmParamsTable OBJECT-TYPE snmpTlstmParamsTable OBJECT-TYPE
SYNTAX SEQUENCE OF TlstmParamsEntry SYNTAX SEQUENCE OF SnmpTlstmParamsEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table is used by a (D)TLS client when a (D)TLS "This table is used by a (D)TLS client when a (D)TLS
connection is being set up using an entry in the connection is being set up using an entry in the
SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's
snmpTargetParamsTable with a fingerprint of a certificate to snmpTargetParamsTable with a fingerprint of a certificate to
use when establishing such a (D)TLS connection." use when establishing such a (D)TLS connection."
::= { tlstmCertificateMapping 6 } ::= { snmpTlstmCertificateMapping 6 }
tlstmParamsEntry OBJECT-TYPE snmpTlstmParamsEntry OBJECT-TYPE
SYNTAX TlstmParamsEntry SYNTAX SnmpTlstmParamsEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A conceptual row containing a fingerprint hash of a locally "A conceptual row containing a fingerprint hash of a locally
held certificate for a given snmpTargetParamsEntry. The held certificate for a given snmpTargetParamsEntry. The
values in this row should be ignored if the connection that values in this row should be ignored if the connection that
needs to be established, as indicated by the SNMP-TARGET-MIB needs to be established, as indicated by the SNMP-TARGET-MIB
infrastructure, is not a certificate and (D)TLS based infrastructure, is not a certificate and (D)TLS based
connection. The connection SHOULD NOT be established if the connection. The connection SHOULD NOT be established if the
certificate fingerprint stored in this entry does not point to certificate fingerprint stored in this entry does not point to
a valid locally held certificate or if it points to an unusable a valid locally held certificate or if it points to an
certificate (such as might happen when the certificate's unusable certificate (such as might happen when the
expiration date has been reached)." certificate's expiration date has been reached)."
INDEX { IMPLIED snmpTargetParamsName } INDEX { IMPLIED snmpTargetParamsName }
::= { tlstmParamsTable 1 } ::= { snmpTlstmParamsTable 1 }
TlstmParamsEntry ::= SEQUENCE { SnmpTlstmParamsEntry ::= SEQUENCE {
tlstmParamsClientFingerprint Fingerprint, snmpTlstmParamsClientFingerprint Fingerprint,
tlstmParamsStorageType StorageType, snmpTlstmParamsStorageType StorageType,
tlstmParamsRowStatus RowStatus snmpTlstmParamsRowStatus RowStatus
} }
tlstmParamsClientFingerprint OBJECT-TYPE snmpTlstmParamsClientFingerprint OBJECT-TYPE
SYNTAX Fingerprint SYNTAX Fingerprint
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A cryptographic hash of a X.509 certificate. This object "A cryptographic hash of a X.509 certificate. This object
should store the hash of a locally held X.509 certificate (and should store the hash of a locally held X.509 certificate that
the corresponding private key) that should be used when should be used (along with the corresponding private key) when
initiating a (D)TLS connection as a (D)TLS client." initiating a (D)TLS connection as a (D)TLS client."
::= { tlstmParamsEntry 1 } ::= { snmpTlstmParamsEntry 1 }
tlstmParamsStorageType OBJECT-TYPE snmpTlstmParamsStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this conceptual row. Conceptual rows "The storage type for this conceptual row. Conceptual rows
having the value 'permanent' need not allow write-access to having the value 'permanent' need not allow write-access to
any columnar objects in the row." any columnar objects in the row."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { tlstmParamsEntry 2 } ::= { snmpTlstmParamsEntry 2 }
tlstmParamsRowStatus OBJECT-TYPE snmpTlstmParamsRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The status of this conceptual row. This object may be used "The status of this conceptual row. This object may be used
to create or remove rows from this table. to create or remove rows from this table.
To create a row in this table, an administrator must set this To create a row in this table, an administrator must set this
object to either createAndGo(4) or createAndWait(5). object to either createAndGo(4) or createAndWait(5).
Until instances of all corresponding columns are appropriately Until instances of all corresponding columns are appropriately
configured, the value of the corresponding instance of the configured, the value of the corresponding instance of the
tlstmParamsRowStatus column is 'notReady'. snmpTlstmParamsRowStatus column is 'notReady'.
In particular, a newly created row cannot be made active until In particular, a newly created row cannot be made active until
the corresponding tlstmParamsClientFingerprint column has the corresponding snmpTlstmParamsClientFingerprint column has
been set. been set.
The tlstmParamsClientFingerprint object may not be modified The snmpTlstmParamsClientFingerprint object may not be modified
while the value of this object is active(1). while the value of this object is active(1).
An attempt to set these objects while the value of An attempt to set these objects while the value of
tlstmParamsRowStatus is active(1) will result in snmpTlstmParamsRowStatus is active(1) will result in
an inconsistentValue error." an inconsistentValue error."
::= { tlstmParamsEntry 3 } ::= { snmpTlstmParamsEntry 3 }
tlstmAddrCount OBJECT-TYPE snmpTlstmAddrCount OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Gauge32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A count of the number of entries in the tlstmAddrTable" "A count of the number of entries in the snmpTlstmAddrTable"
::= { tlstmCertificateMapping 7 } ::= { snmpTlstmCertificateMapping 7 }
tlstmAddrTableLastChanged OBJECT-TYPE snmpTlstmAddrTableLastChanged OBJECT-TYPE
SYNTAX TimeStamp SYNTAX TimeStamp
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The value of sysUpTime.0 when the tlstmAddrTable "The value of sysUpTime.0 when the snmpTlstmAddrTable
was last modified through any means, or 0 if it has not been was last modified through any means, or 0 if it has not been
modified since the command responder was started." modified since the command responder was started."
::= { tlstmCertificateMapping 8 } ::= { snmpTlstmCertificateMapping 8 }
tlstmAddrTable OBJECT-TYPE snmpTlstmAddrTable OBJECT-TYPE
SYNTAX SEQUENCE OF TlstmAddrEntry SYNTAX SEQUENCE OF SnmpTlstmAddrEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This table is used by a (D)TLS client when a (D)TLS "This table is used by a (D)TLS client when a (D)TLS
connection is being set up using an entry in the connection is being set up using an entry in the
SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's
snmpTargetAddrTable so that the client can verify that the snmpTargetAddrTable so that the client can verify that the
correct server has been reached. This verification can use correct server has been reached. This verification can use
either a certificate fingerprint, or an identity either a certificate fingerprint, or an identity
authenticated via certification path validation. authenticated via certification path validation.
If there is an active row in this table corresponding to the If there is an active row in this table corresponding to the
entry in the SNMP-TARGET-MIB that was used to establish the entry in the SNMP-TARGET-MIB that was used to establish the
connection, and the row's tlstmAddrServerFingerprint column connection, and the row's snmpTlstmAddrServerFingerprint
has non-empty value, then the server's presented certificate column has non-empty value, then the server's presented
is compared with the tlstmAddrServerFingerprint value (and certificate is compared with the
the tlstmAddrServerIdentity column is ignored). If the snmpTlstmAddrServerFingerprint value (and the
snmpTlstmAddrServerIdentity column is ignored). If the
fingerprint matches, the verification has succeeded. If the fingerprint matches, the verification has succeeded. If the
fingerprint does not match then the connection MUST be fingerprint does not match then the connection MUST be
closed. closed.
If the server's presented certificate has passed If the server's presented certificate has passed
certification path validation [RFC5280] to a configured certification path validation [RFC5280] to a configured
trust anchor, and an active row exists with a zero-length trust anchor, and an active row exists with a zero-length
tlstmAddrServerFingerprint value, then the snmpTlstmAddrServerFingerprint value, then the
tlstmAddrServerIdentity column contains the expected host snmpTlstmAddrServerIdentity column contains the expected
name. This expected host name is then compared against the host name. This expected host name is then compared against
server's certificate as follows: the server's certificate as follows:
- Implementations MUST support matching the expected host - Implementations MUST support matching the expected host
name against a dNSName in the subjectAltName extension field name against a dNSName in the subjectAltName extension
and SHOULD support checking the name against the common name field and SHOULD support checking the name against the
portion of the subject distinguished name. common name portion of the subject distinguished name.
- The '*' (ASCII 0x2a) wildcard character is allowed in the - The '*' (ASCII 0x2a) wildcard character is allowed in the
dNSName of the subjectAltName extension (and in common name, dNSName of the subjectAltName extension (and in common
if used to store the host name), but only as the left-most name, if used to store the host name), but only as the
(least significant) DNS label in that value. This wildcard left-most (least significant) DNS label in that value.
matches any left-most DNS label in the server name. That This wildcard matches any left-most DNS label in the
is, the subject *.example.com matches the server names server name. That is, the subject *.example.com matches
a.example.com and b.example.com, but does not match the server names a.example.com and b.example.com, but does
example.com or a.b.example.com. Implementations MUST not match example.com or a.b.example.com. Implementations
support wildcards in certificates as specified above, but MUST support wildcards in certificates as specified above,
MAY provide a configuration option to disable them. but MAY provide a configuration option to disable them.
- If the locally configured name is an internationalized - If the locally configured name is an internationalized
domain name, conforming implementations MUST convert it to domain name, conforming implementations MUST convert it to
the ASCII Compatible Encoding (ACE) format for performing the ASCII Compatible Encoding (ACE) format for performing
comparisons, as specified in Section 7 of [RFC5280]. comparisons, as specified in Section 7 of [RFC5280].
If the expected host name fails these conditions then the If the expected host name fails these conditions then the
connection MUST be closed. connection MUST be closed.
If there is no row in this table corresponding to the entry If there is no row in this table corresponding to the entry
in the SNMP-TARGET-MIB and the server can be authorized by in the SNMP-TARGET-MIB and the server can be authorized by
another, implementation dependent means, then the connection another, implementation dependent means, then the connection
MAY still proceed." MAY still proceed."
::= { tlstmCertificateMapping 9 } ::= { snmpTlstmCertificateMapping 9 }
tlstmAddrEntry OBJECT-TYPE snmpTlstmAddrEntry OBJECT-TYPE
SYNTAX TlstmAddrEntry SYNTAX SnmpTlstmAddrEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A conceptual row containing a copy of a certificate's "A conceptual row containing a copy of a certificate's
fingerprint for a given snmpTargetAddrEntry. The values in fingerprint for a given snmpTargetAddrEntry. The values in
this row should be ignored if the connection that needs to be this row should be ignored if the connection that needs to be
established, as indicated by the SNMP-TARGET-MIB established, as indicated by the SNMP-TARGET-MIB
infrastructure, is not a (D)TLS based connection. If an infrastructure, is not a (D)TLS based connection. If an
tlstmAddrEntry exists for a given snmpTargetAddrEntry then the snmpTlstmAddrEntry exists for a given snmpTargetAddrEntry then
presented server certificate MUST match or the connection MUST the presented server certificate MUST match or the connection
NOT be established. If a row in this table does not exist to MUST NOT be established. If a row in this table does not
match a snmpTargetAddrEntry row then the connection SHOULD exist to match a snmpTargetAddrEntry row then the connection
still proceed if some other certificate validation path SHOULD still proceed if some other certificate validation path
algorithm (e.g. RFC5280) can be used." algorithm (e.g. RFC5280) can be used."
INDEX { IMPLIED snmpTargetAddrName } INDEX { IMPLIED snmpTargetAddrName }
::= { tlstmAddrTable 1 } ::= { snmpTlstmAddrTable 1 }
TlstmAddrEntry ::= SEQUENCE { SnmpTlstmAddrEntry ::= SEQUENCE {
tlstmAddrServerFingerprint Fingerprint, snmpTlstmAddrServerFingerprint Fingerprint,
tlstmAddrServerIdentity SnmpAdminString, snmpTlstmAddrServerIdentity SnmpAdminString,
tlstmAddrStorageType StorageType, snmpTlstmAddrStorageType StorageType,
tlstmAddrRowStatus RowStatus snmpTlstmAddrRowStatus RowStatus
} }
tlstmAddrServerFingerprint OBJECT-TYPE snmpTlstmAddrServerFingerprint OBJECT-TYPE
SYNTAX Fingerprint SYNTAX Fingerprint
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A cryptographic hash of a public X.509 certificate. This "A cryptographic hash of a public X.509 certificate. This
object should store the hash of the public X.509 certificate object should store the hash of the public X.509 certificate
that the remote server should present during the (D)TLS that the remote server should present during the (D)TLS
connection setup. The fingerprint of the presented connection setup. The fingerprint of the presented
certificate and this hash value MUST match exactly or the certificate and this hash value MUST match exactly or the
connection MUST NOT be established." connection MUST NOT be established."
DEFVAL { "" } DEFVAL { "" }
::= { tlstmAddrEntry 1 } ::= { snmpTlstmAddrEntry 1 }
tlstmAddrServerIdentity OBJECT-TYPE snmpTlstmAddrServerIdentity OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The reference identity to check against the identity "The reference identity to check against the identity
presented by the remote system." presented by the remote system."
DEFVAL { "" } DEFVAL { "" }
::= { tlstmAddrEntry 2 } ::= { snmpTlstmAddrEntry 2 }
tlstmAddrStorageType OBJECT-TYPE snmpTlstmAddrStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this conceptual row. Conceptual rows "The storage type for this conceptual row. Conceptual rows
having the value 'permanent' need not allow write-access to having the value 'permanent' need not allow write-access to
any columnar objects in the row." any columnar objects in the row."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { tlstmAddrEntry 3 } ::= { snmpTlstmAddrEntry 3 }
tlstmAddrRowStatus OBJECT-TYPE snmpTlstmAddrRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The status of this conceptual row. This object may be used "The status of this conceptual row. This object may be used
to create or remove rows from this table. to create or remove rows from this table.
To create a row in this table, an administrator must set this To create a row in this table, an administrator must set this
object to either createAndGo(4) or createAndWait(5). object to either createAndGo(4) or createAndWait(5).
Until instances of all corresponding columns are Until instances of all corresponding columns are
appropriately configured, the value of the appropriately configured, the value of the
corresponding instance of the tlstmAddrRowStatus corresponding instance of the snmpTlstmAddrRowStatus
column is 'notReady'. column is 'notReady'.
In particular, a newly created row cannot be made active until In particular, a newly created row cannot be made active until
the corresponding tlstmAddrServerFingerprint column has been the corresponding snmpTlstmAddrServerFingerprint column has been
set. set.
Rows MUST NOT be active if the tlstmAddrServerFingerprint Rows MUST NOT be active if the snmpTlstmAddrServerFingerprint
column is blank and the tlstmAddrServerIdentity is set to '*' column is blank and the snmpTlstmAddrServerIdentity is set to
since this would insecurely accept any presented certificate. '*' since this would insecurely accept any presented
certificate.
The tlstmAddrServerFingerprint object may not be modified The snmpTlstmAddrServerFingerprint object may not be modified
while the value of this object is active(1). while the value of this object is active(1).
An attempt to set these objects while the value of An attempt to set these objects while the value of
tlstmAddrRowStatus is active(1) will result in snmpTlstmAddrRowStatus is active(1) will result in
an inconsistentValue error." an inconsistentValue error."
::= { tlstmAddrEntry 4 } ::= { snmpTlstmAddrEntry 4 }
-- ************************************************ -- ************************************************
-- snmpTlstmNotifications - Notifications Information
-- ************************************************ -- ************************************************
snmpTlstmServerCertificateUnknown NOTIFICATION-TYPE
tlstmServerCertificateUnknown NOTIFICATION-TYPE
OBJECTS { snmpTlstmSessionUnknownServerCertificate } OBJECTS { snmpTlstmSessionUnknownServerCertificate }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Notification that the server certificate presented by a SNMP "Notification that the server certificate presented by a SNMP
over (D)TLS server was invalid because no configured over (D)TLS server was invalid because no configured
fingerprint or CA was acceptable to validate it. This may fingerprint or CA was acceptable to validate it. This may be
be because there was no entry in the tlstmAddrTable or because there was no entry in the snmpTlstmAddrTable or
because no path could be found to known certificate because no path could be found to known certificate
authority. authority.
To avoid notification loops, this notification MUST NOT be To avoid notification loops, this notification MUST NOT be
sent to servers that themselves have triggered the sent to servers that themselves have triggered the
notification." notification."
::= { tlstmNotifications 1 } ::= { snmpTlstmNotifications 1 }
tlstmServerInvalidCertificate NOTIFICATION-TYPE snmpTlstmServerInvalidCertificate NOTIFICATION-TYPE
OBJECTS { tlstmAddrServerFingerprint, OBJECTS { snmpTlstmAddrServerFingerprint,
snmpTlstmSessionInvalidServerCertificates} snmpTlstmSessionInvalidServerCertificates}
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Notification that the server certificate presented by an SNMP "Notification that the server certificate presented by an SNMP
over (D)TLS server could not be validated even if the over (D)TLS server could not be validated even if the
fingerprint or expected validation path was known. I.E., a fingerprint or expected validation path was known. I.E., a
cryptographic validation occurred during certificate cryptographic validation occurred during certificate
validation processing. validation processing.
To avoid notification loops, this notification MUST NOT be To avoid notification loops, this notification MUST NOT be
sent to servers that themselves have triggered the sent to servers that themselves have triggered the
notification." notification."
::= { tlstmNotifications 2 } ::= { snmpTlstmNotifications 2 }
-- ************************************************ -- ************************************************
-- snmpTlstmCompliances - Conformance Information
-- ************************************************ -- ************************************************
tlstmCompliances OBJECT IDENTIFIER ::= { tlstmConformance 1 } snmpTlstmCompliances OBJECT IDENTIFIER ::= { snmpTlstmConformance 1 }
tlstmGroups OBJECT IDENTIFIER ::= { tlstmConformance 2 } snmpTlstmGroups OBJECT IDENTIFIER ::= { snmpTlstmConformance 2 }
-- ************************************************ -- ************************************************
-- Compliance statements -- Compliance statements
-- ************************************************ -- ************************************************
tlstmCompliance MODULE-COMPLIANCE snmpTlstmCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The compliance statement for SNMP engines that support the "The compliance statement for SNMP engines that support the
TLSTM-MIB" SNMP-TLS-TM-MIB"
MODULE MODULE
MANDATORY-GROUPS { tlstmStatsGroup, MANDATORY-GROUPS { snmpTlstmStatsGroup,
tlstmIncomingGroup, snmpTlstmIncomingGroup,
tlstmOutgoingGroup, snmpTlstmOutgoingGroup,
tlstmNotificationGroup } snmpTlstmNotificationGroup }
::= { tlstmCompliances 1 } ::= { snmpTlstmCompliances 1 }
-- ************************************************ -- ************************************************
-- Units of conformance -- Units of conformance
-- ************************************************ -- ************************************************
tlstmStatsGroup OBJECT-GROUP snmpTlstmStatsGroup OBJECT-GROUP
OBJECTS { OBJECTS {
snmpTlstmSessionOpens, snmpTlstmSessionOpens,
snmpTlstmSessionClientCloses, snmpTlstmSessionClientCloses,
snmpTlstmSessionOpenErrors, snmpTlstmSessionOpenErrors,
snmpTlstmSessionAccepts, snmpTlstmSessionAccepts,
snmpTlstmSessionServerCloses, snmpTlstmSessionServerCloses,
snmpTlstmSessionNoSessions, snmpTlstmSessionNoSessions,
snmpTlstmSessionInvalidClientCertificates, snmpTlstmSessionInvalidClientCertificates,
snmpTlstmSessionUnknownServerCertificate, snmpTlstmSessionUnknownServerCertificate,
snmpTlstmSessionInvalidServerCertificates, snmpTlstmSessionInvalidServerCertificates,
snmpTlstmSessionInvalidCaches snmpTlstmSessionInvalidCaches
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects for maintaining "A collection of objects for maintaining
statistical information of an SNMP engine which statistical information of an SNMP engine which
implements the SNMP TLS Transport Model." implements the SNMP TLS Transport Model."
::= { tlstmGroups 1 } ::= { snmpTlstmGroups 1 }
tlstmIncomingGroup OBJECT-GROUP snmpTlstmIncomingGroup OBJECT-GROUP
OBJECTS { OBJECTS {
tlstmCertToTSNCount, snmpTlstmCertToTSNCount,
tlstmCertToTSNTableLastChanged, snmpTlstmCertToTSNTableLastChanged,
tlstmCertToTSNFingerprint, snmpTlstmCertToTSNFingerprint,
tlstmCertToTSNMapType, snmpTlstmCertToTSNMapType,
tlstmCertToTSNData, snmpTlstmCertToTSNData,
tlstmCertToTSNStorageType, snmpTlstmCertToTSNStorageType,
tlstmCertToTSNRowStatus snmpTlstmCertToTSNRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects for maintaining "A collection of objects for maintaining
incoming connection certificate mappings to incoming connection certificate mappings to
tmSecurityNames of an SNMP engine which implements the tmSecurityNames of an SNMP engine which implements the
SNMP TLS Transport Model." SNMP TLS Transport Model."
::= { tlstmGroups 2 } ::= { snmpTlstmGroups 2 }
tlstmOutgoingGroup OBJECT-GROUP snmpTlstmOutgoingGroup OBJECT-GROUP
OBJECTS { OBJECTS {
tlstmParamsCount, snmpTlstmParamsCount,
tlstmParamsTableLastChanged, snmpTlstmParamsTableLastChanged,
tlstmParamsClientFingerprint, snmpTlstmParamsClientFingerprint,
tlstmParamsStorageType, snmpTlstmParamsStorageType,
tlstmParamsRowStatus, snmpTlstmParamsRowStatus,
tlstmAddrCount, snmpTlstmAddrCount,
tlstmAddrTableLastChanged, snmpTlstmAddrTableLastChanged,
tlstmAddrServerFingerprint, snmpTlstmAddrServerFingerprint,
tlstmAddrServerIdentity, snmpTlstmAddrServerIdentity,
tlstmAddrStorageType, snmpTlstmAddrStorageType,
tlstmAddrRowStatus snmpTlstmAddrRowStatus
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects for maintaining "A collection of objects for maintaining
outgoing connection certificates to use when opening outgoing connection certificates to use when opening
connections as a result of SNMP-TARGET-MIB settings." connections as a result of SNMP-TARGET-MIB settings."
::= { tlstmGroups 3 } ::= { snmpTlstmGroups 3 }
tlstmNotificationGroup NOTIFICATION-GROUP snmpTlstmNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS { NOTIFICATIONS {
tlstmServerCertificateUnknown, snmpTlstmServerCertificateUnknown,
tlstmServerInvalidCertificate snmpTlstmServerInvalidCertificate
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Notifications" "Notifications"
::= { tlstmGroups 4 } ::= { snmpTlstmGroups 4 }
END END
8. Operational Considerations 8. Operational Considerations
This section discusses various operational aspects of deploying This section discusses various operational aspects of deploying
TLSTM. TLSTM.
8.1. Sessions 8.1. Sessions
skipping to change at page 54, line 9 skipping to change at page 54, line 12
generators to discover a suitable default contextEngineID. generators to discover a suitable default contextEngineID.
Implementations should consider offering another engineID discovery Implementations should consider offering another engineID discovery
mechanism to continue providing Command Generators with a suitable mechanism to continue providing Command Generators with a suitable
contextEngineID mechanism. A recommended discovery solution is contextEngineID mechanism. A recommended discovery solution is
documented in [RFC5343]. documented in [RFC5343].
8.4. Transport Considerations 8.4. Transport Considerations
This document defines how SNMP messages can be transmitted over the This document defines how SNMP messages can be transmitted over the
TLS and DTLS based protocols. Each of these protocols are TLS and DTLS based protocols. Each of these protocols are
additionally based on other transports (TCP and UDP). These three additionally based on other transports (TCP and UDP). These two base
protocols also have operational considerations that must be taken protocols also have operational considerations that must be taken
into consideration when selecting a (D)TLS based protocol to use such into consideration when selecting a (D)TLS based protocol to use such
as its performance in degraded or limited networks. It is beyond the as its performance in degraded or limited networks. It is beyond the
scope of this document to summarize the characteristics of these scope of this document to summarize the characteristics of these
transport mechanisms. Please refer to the base protocol documents transport mechanisms. Please refer to the base protocol documents
for details on messaging considerations with respect to MTU size, for details on messaging considerations with respect to MTU size,
fragmentation, performance in lossy-networks, etc. fragmentation, performance in lossy-networks, etc.
9. Security Considerations 9. Security Considerations
This document describes a transport model that permits SNMP to This document describes a transport model that permits SNMP to
utilize (D)TLS security services. The security threats and how the utilize (D)TLS security services. The security threats and how the
(D)TLS transport model mitigates these threats are covered in detail (D)TLS transport model mitigates these threats are covered in detail
throughout this document. Security considerations for DTLS are throughout this document. Security considerations for DTLS are
covered in [RFC4347] and security considerations for TLS are covered in [RFC4347] and security considerations for TLS are
described in Section 11 and Appendices D, E, and F of TLS 1.2 described in Section 11 and Appendices D, E, and F of TLS 1.2
[RFC5246]. When run over UDP, DTLS is more vulnerable to denial of [RFC5246]. When run over a connectionless transport such as UDP,
service attacks from spoofed IP addresses; see Section 4.2 for DTLS is more vulnerable to denial of service attacks from spoofed IP
details how the cookie exchange is used to address this issue. addresses; see Section 4.2 for details how the cookie exchange is
used to address this issue.
9.1. Certificates, Authentication, and Authorization 9.1. Certificates, Authentication, and Authorization
Implementations are responsible for providing a security certificate Implementations are responsible for providing a security certificate
installation and configuration mechanism. Implementations SHOULD installation and configuration mechanism. Implementations SHOULD
support certificate revocation lists. support certificate revocation lists.
(D)TLS provides for authentication of the identity of both the (D)TLS (D)TLS provides for authentication of the identity of both the (D)TLS
server and the (D)TLS client. Access to MIB objects for the server and the (D)TLS client. Access to MIB objects for the
authenticated principal MUST be enforced by an access control authenticated principal MUST be enforced by an access control
skipping to change at page 55, line 20 skipping to change at page 55, line 25
For example, command generators must check that the command responder For example, command generators must check that the command responder
presented and authenticated itself with a X.509 certificate that was presented and authenticated itself with a X.509 certificate that was
expected. Not doing so would allow an impostor, at a minimum, to expected. Not doing so would allow an impostor, at a minimum, to
present false data, receive sensitive information and/or provide a present false data, receive sensitive information and/or provide a
false belief that configuration was actually received and acted upon. false belief that configuration was actually received and acted upon.
Authenticating and verifying the identity of the (D)TLS server and Authenticating and verifying the identity of the (D)TLS server and
the (D)TLS client for all operations ensures the authenticity of the the (D)TLS client for all operations ensures the authenticity of the
SNMP engine that provides MIB data. SNMP engine that provides MIB data.
The instructions found in the DESCRIPTION clause of the The instructions found in the DESCRIPTION clause of the
tlstmCertToTSNTable object must be followed exactly. It is also snmpTlstmCertToTSNTable object must be followed exactly. It is also
important that the rows of the table be searched in prioritized order important that the rows of the table be searched in prioritized order
starting with the row containing the lowest numbered tlstmCertToTSNID starting with the row containing the lowest numbered
value. snmpTlstmCertToTSNID value.
9.2. Use with SNMPv1/SNMPv2c Messages 9.2. Use with SNMPv1/SNMPv2c Messages
The SNMPv1 and SNMPv2c message processing described in [RFC3584] (BCP The SNMPv1 and SNMPv2c message processing described in [RFC3584] (BCP
74) always selects the SNMPv1 or SNMPv2c Security Models, 74) always selects the SNMPv1 or SNMPv2c Security Models,
respectively. Both of these and the User-based Security Model respectively. Both of these and the User-based Security Model
typically used with SNMPv3 derive the securityName and securityLevel typically used with SNMPv3 derive the securityName and securityLevel
from the SNMP message received, even when the message was received from the SNMP message received, even when the message was received
over a secure transport. Access control decisions are therefore made over a secure transport. Access control decisions are therefore made
based on the contents of the SNMP message, rather than using the based on the contents of the SNMP message, rather than using the
skipping to change at page 55, line 47 skipping to change at page 56, line 5
9.3. MIB Module Security 9.3. MIB Module Security
There are a number of management objects defined in this MIB module There are a number of management objects defined in this MIB module
with a MAX-ACCESS clause of read-write and/or read-create. Such with a MAX-ACCESS clause of read-write and/or read-create. Such
objects may be considered sensitive or vulnerable in some network objects may be considered sensitive or vulnerable in some network
environments. The support for SET operations in a non-secure environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on environment without proper protection can have a negative effect on
network operations. These are the tables and objects and their network operations. These are the tables and objects and their
sensitivity/vulnerability: sensitivity/vulnerability:
o The tlstmParamsTable can be used to change the outgoing X.509 o The snmpTlstmParamsTable can be used to change the outgoing X.509
certificate used to establish a (D)TLS connection. Modification certificate used to establish a (D)TLS connection. Modification
to objects in this table need to be adequately authenticated since to objects in this table need to be adequately authenticated since
modification to values in this table will have profound impacts to modification to values in this table will have profound impacts to
the security of outbound connections from the device. Since the security of outbound connections from the device. Since
knowledge of authorization rules and certificate usage mechanisms knowledge of authorization rules and certificate usage mechanisms
may be considered sensitive, protection from disclosure of the may be considered sensitive, protection from disclosure of the
SNMP traffic via encryption is also highly recommended. SNMP traffic via encryption is also highly recommended.
o The tlstmAddrTable can be used to change the expectations of the o The snmpTlstmAddrTable can be used to change the expectations of
certificates presented by a remote (D)TLS server. Modification to the certificates presented by a remote (D)TLS server.
objects in this table need to be adequately authenticated since Modification to objects in this table need to be adequately
modification to values in this table will have profound impacts to authenticated since modification to values in this table will have
the security of outbound connections from the device. Since profound impacts to the security of outbound connections from the
knowledge of authorization rules and certificate usage mechanisms device. Since knowledge of authorization rules and certificate
may be considered sensitive, protection from disclosure of the usage mechanisms may be considered sensitive, protection from
SNMP traffic via encryption is also highly recommended. disclosure of the SNMP traffic via encryption is also highly
recommended.
o The tlstmCertToTSNTable is used to specify the mapping of incoming o The snmpTlstmCertToTSNTable is used to specify the mapping of
X.509 certificates to tmSecurityNames which eventually get mapped incoming X.509 certificates to tmSecurityNames which eventually
to a SNMPv3 securityName. Modification to objects in this table get mapped to a SNMPv3 securityName. Modification to objects in
need to be adequately authenticated since modification to values this table need to be adequately authenticated since modification
in this table will have profound impacts to the security of to values in this table will have profound impacts to the security
incoming connections to the device. Since knowledge of of incoming connections to the device. Since knowledge of
authorization rules and certificate usage mechanisms may be authorization rules and certificate usage mechanisms may be
considered sensitive, protection from disclosure of the SNMP considered sensitive, protection from disclosure of the SNMP
traffic via encryption is also highly recommended. traffic via encryption is also highly recommended.
Some of the readable objects in this MIB module (i.e., objects with a Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over to even encrypt the values of these objects when sending them over
the network via SNMP. These are the tables and objects and their the network via SNMP. These are the tables and objects and their
skipping to change at page 57, line 18 skipping to change at page 57, line 23
responsibility to ensure that the SNMP entity giving access to an responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them. rights to indeed GET or SET (change/create/delete) them.
10. IANA Considerations 10. IANA Considerations
IANA is requested to assign: IANA is requested to assign:
1. Two TCP/UDP port numbers from the "Registered Ports" range of the 1. Two TCP/UDP port numbers from the "Registered Ports" range of the
Port Numbers registry, with keywords "snmptls" and "snmptls- Port Numbers registry, with the following keywords (where TBD1
trap". These are the default ports for receipt of SNMP command and TBD2 correspond to the assigned port numbers):
messages (snmptls) and SNMP notification messages (snmptls-trap)
over a TLS Transport Model as defined in this document.
2. an SMI number under snmpDomains for the snmpTLSTCPDomain object Keyword Decimal Description References
------- ------- ----------- ----------
snmptls TBD1/tcp SNMPv3-TLS [RFC-isms-dtls-tm]
snmpdtls TBD1/udp SNMPv3-DTLS [RFC-isms-dtls-tm]
snmptls-trap TBD2/tcp SNMPv3-Trap-TLS [RFC-isms-dtls-tm]
snmpdtls-trap TBD2/udp SNMPv3-Trap-DTLS [RFC-isms-dtls-tm]
These are the default ports for receipt of SNMP command messages
(snmptls and snmpdtls) and SNMP notification messages (snmptls-
trap and snmpdtls-trap) over a TLS Transport Model as defined in
this document.
2. An SMI number under snmpDomains for the snmpTLSTCPDomain object
identifier, identifier,
3. an SMI number under snmpDomains for the snmpDTLSUDPDomain object 3. An SMI number under snmpDomains for the snmpDTLSUDPDomain object
identifier, identifier,
4. a SMI number under snmpModules, for the MIB module in this 4. A SMI number under mib-2, for the MIB module in this document,
document,
5. "tls" as the corresponding prefix for the snmpTLSTCPDomain in the 5. "tls" as the corresponding prefix for the snmpTLSTCPDomain in the
SNMP Transport Model registry, SNMP Transport Model registry,
6. "dudp" as the corresponding prefix for the snmpDTLSUDPDomain in 6. "dtls" as the corresponding prefix for the snmpDTLSUDPDomain in
the SNMP Transport Model registry, the SNMP Transport Model registry,
Editor's note: this section should be replaced with appropriate RFC Editor's note: this section should be replaced with appropriate
descriptive assignment text after IANA assignments are made and prior descriptive assignment text after IANA assignments are made and prior
to publication. to publication.
11. Acknowledgements 11. Acknowledgements
This document closely follows and copies the Secure Shell Transport This document closely follows and copies the Secure Shell Transport
Model for SNMP defined by David Harrington and Joseph Salowey in Model for SNMP defined by David Harrington and Joseph Salowey in
[RFC5292]. [RFC5292].
This document was reviewed by the following people who helped provide This document was reviewed by the following people who helped provide
useful comments (in alphabetical order): Andy Donati, Pasi Eronen, useful comments (in alphabetical order): Andy Donati, Pasi Eronen,
David Harrington, Jeffrey Hutzelman, Alan Luchuk, Tom Petch, Randy David Harrington, Jeffrey Hutzelman, Alan Luchuk, Michael Peck, Tom
Presuhn, Ray Purvis, Joseph Salowey, Jurgen Schonwalder, Dave Shield, Petch, Randy Presuhn, Ray Purvis, Peter Saint-Andre, Joseph Salowey,
Robert Story. Jurgen Schonwalder, Dave Shield, Robert Story.
This work was supported in part by the United States Department of This work was supported in part by the United States Department of
Defense. Large portions of this document are based on work by Defense. Large portions of this document are based on work by
General Dynamics C4 Systems and the following individuals: Brian General Dynamics C4 Systems and the following individuals: Brian
Baril, Kim Bryant, Dana Deluca, Dan Hanson, Tim Huemiller, John Baril, Kim Bryant, Dana Deluca, Dan Hanson, Tim Huemiller, John
Holzhauer, Colin Hoogeboom, Dave Kornbau, Chris Knaian, Dan Knaul, Holzhauer, Colin Hoogeboom, Dave Kornbau, Chris Knaian, Dan Knaul,
Charles Limoges, Steve Moccaldi, Gerardo Orlando, and Brandon Yip. Charles Limoges, Steve Moccaldi, Gerardo Orlando, and Brandon Yip.
12. References 12. References
skipping to change at page 60, line 47 skipping to change at page 61, line 14
Depending on whether this VACM configuration is for a Command Depending on whether this VACM configuration is for a Command
Responder or a command generator the security name "blueberry" will Responder or a command generator the security name "blueberry" will
come from a few different locations. come from a few different locations.
A.1. Configuring the Notification Originator A.1. Configuring the Notification Originator
For notification originators performing authorization checks, the For notification originators performing authorization checks, the
server's certificate must be verified against the expected server's certificate must be verified against the expected
certificate before proceeding to send the notification. The expected certificate before proceeding to send the notification. The expected
certificate from the server may be listed in the tlstmAddrTable or certificate from the server may be listed in the snmpTlstmAddrTable
may be determined through other X.509 path validation mechanisms. or may be determined through other X.509 path validation mechanisms.
The securityName to use for VACM authorization checks is set by the The securityName to use for VACM authorization checks is set by the
SNMP-TARGET-MIB's snmpTargetParamsSecurityName column. SNMP-TARGET-MIB's snmpTargetParamsSecurityName column.
The certificate that the notification originator should present to The certificate that the notification originator should present to
the server is taken from the tlstmParamsClientFingerprint column from the server is taken from the snmpTlstmParamsClientFingerprint column
the appropriate entry in the tlstmParamsTable table. (Or else a from the appropriate entry in the snmpTlstmParamsTable table. (Or
default certificate may be used if available.) else a default certificate may be used if available.)
To configure a notification originator to open a TLS over TCP To configure a notification originator to open a TLS over TCP
connection to a notification receiver it must be configured so the connection to a notification receiver it must be configured so the
server's presented certificate can be verified against the expected server's presented certificate can be verified against the expected
certificate before proceeding to send the notification. This is done certificate before proceeding to send the notification. This is done
by configuring the tlstmAddrTable accordingly. For example, if the by configuring the snmpTlstmAddrTable accordingly. For example, if
verification is done via certification path validation (to a trust the verification is done via certification path validation (to a
anchor configured in implementation dependent manner), then the table trust anchor configured in implementation dependent manner), then the
entries could look like: table entries could look like:
snmpTargetAddrTable row: snmpTargetAddrTable row:
snmpTargetAddrName = "toNRAddr" snmpTargetAddrName = "toNRAddr"
snmpTargetAddrTDomain = snmpTLSTCPDomain snmpTargetAddrTDomain = snmpTLSTCPDomain
snmpTargetAddrTAddress = "192.0.2.1:XXXTLSTCPTRAPPORT" snmpTargetAddrTAddress = "192.0.2.1:XXXTLSTCPTRAPPORT"
snmpTargetAddrTimeout = 1500 snmpTargetAddrTimeout = 1500
snmpTargetAddrRetryCount = 3 snmpTargetAddrRetryCount = 3
snmpTargetAddrTagList = "toNRTag" snmpTargetAddrTagList = "toNRTag"
snmpTargetAddrParams = "toNR" (MUST match below) snmpTargetAddrParams = "toNR" (MUST match below)
snmpTargetAddrStorageType = 3 (nonVolatile) snmpTargetAddrStorageType = 3 (nonVolatile)
snmpTargetAddrColumnStatus = 4 (createAndGo) snmpTargetAddrColumnStatus = 4 (createAndGo)
snmpTargetParamsTable row: snmpTargetParamsTable row:
snmpTargetParamsName = toNR snmpTargetParamsName = toNR
snmpTargetParamsMPModel = SNMPv3 snmpTargetParamsMPModel = SNMPv3
snmpTargetParamsSecurityModel = 4 (TransportSecurityModel) snmpTargetParamsSecurityModel = 4 (TransportSecurityModel)
snmpTargetParamsSecurityName = "blueberry" snmpTargetParamsSecurityName = "blueberry"
snmpTargetParamsSecurityLevel = 3 (authPriv) snmpTargetParamsSecurityLevel = 3 (authPriv)
snmpTargetParamsStorageType = 3 (nonVolatile) snmpTargetParamsStorageType = 3 (nonVolatile)
snmpTargetParamsRowStatus = 4 (createAndGo0 snmpTargetParamsRowStatus = 4 (createAndGo0
tlstmAddrTable row: snmpTlstmAddrTable row:
snmpTargetAddrName = "toNRAddr" snmpTargetAddrName = "toNRAddr"
tlstmAddrServerFingerprint = "" snmpTlstmAddrServerFingerprint = ""
tlstmAddrServerIdentity = "server.example.org" snmpTlstmAddrServerIdentity = "server.example.org"
tlstmAddrStorageType = 3 (nonVolatile) snmpTlstmAddrStorageType = 3 (nonVolatile)
tlstmAddrRowStatus = 4 (createAndGo) snmpTlstmAddrRowStatus = 4 (createAndGo)
Editor's note: replace the string "XXXTLSTCPTRAPPORT" above with the Editor's note: replace the string "XXXTLSTCPTRAPPORT" above with the
appropriately assigned "snmptls-trap" port. appropriately assigned "snmptls-trap" port.
A.2. Configuring the Command Responder A.2. Configuring the Command Responder
For command responder applications, the vacmSecurityName "blueberry" For command responder applications, the vacmSecurityName "blueberry"
value is a value that derived from an incoming (D)TLS connection. value is a value that derived from an incoming (D)TLS connection.
The mapping from a recevied (D)TLS client certificate to a The mapping from a recevied (D)TLS client certificate to a
tmSecurityName is done with the tlstmCertToTSNTable. The tmSecurityName is done with the snmpTlstmCertToTSNTable. The
certificates must be loaded into the device so that a certificates must be loaded into the device so that a
tlstmCertToTSNEntry may refer to it. As an example, consider the snmpTlstmCertToTSNEntry may refer to it. As an example, consider the
following entry which will provide a mapping from a client's public following entry which will provide a mapping from a client's public
X.509's hash fingerprint directly to the "blueberry" tmSecurityName: X.509's hash fingerprint directly to the "blueberry" tmSecurityName:
tlstmCertToTSNID = 1 (chosen by ordering preference) snmpTlstmCertToTSNID = 1 (chosen by ordering preference)
tlstmCertToTSNFingerprint = HASH (appropriate fingerprint) snmpTlstmCertToTSNFingerprint = HASH (appropriate fingerprint)
tlstmCertToTSNMapType = tlstmCertSpecified snmpTlstmCertToTSNMapType = snmpTlstmCertSpecified
tlstmCertToTSNSecurityName = "blueberry" snmpTlstmCertToTSNSecurityName = "blueberry"
tlstmCertToTSNStorageType = 3 (nonVolatile) snmpTlstmCertToTSNStorageType = 3 (nonVolatile)
tlstmCertToTSNRowStatus = 4 (createAndGo) snmpTlstmCertToTSNRowStatus = 4 (createAndGo)
The above is an example of how to map a particular certificate to a The above is an example of how to map a particular certificate to a
particular tmSecurityName. It is recommended, however, that users particular tmSecurityName. It is recommended, however, that users
make use of direct subjectAltName or CommonName mappings where make use of direct subjectAltName or CommonName mappings where
possible as it provides a more scalable approach to certificate possible as it provides a more scalable approach to certificate
management. This entry provides an example of using a subjectAltName management. This entry provides an example of using a subjectAltName
mapping: mapping:
tlstmCertToTSNID = 1 (chosen by ordering preference) snmpTlstmCertToTSNID = 1 (chosen by ordering preference)
tlstmCertToTSNFingerprint = HASH (appropriate fingerprint) snmpTlstmCertToTSNFingerprint = HASH (appropriate fingerprint)
tlstmCertToTSNMapType = tlstmCertSANAny snmpTlstmCertToTSNMapType = snmpTlstmCertSANAny
tlstmCertToTSNData = "" (not used) snmpTlstmCertToTSNData = "" (not used)
tlstmCertToTSNStorageType = 3 (nonVolatile) snmpTlstmCertToTSNStorageType = 3 (nonVolatile)
tlstmCertToTSNRowStatus = 4 (createAndGo) snmpTlstmCertToTSNRowStatus = 4 (createAndGo)
The above entry indicates the subjectAltName field for certificates The above entry indicates the subjectAltName field for certificates
created by an issuing certificate with a corresponding fingerprint created by an issuing certificate with a corresponding fingerprint
will be trusted to always produce common names that are directly one- will be trusted to always produce common names that are directly one-
to-one mappable into tmSecurityNames. This type of configuration to-one mappable into tmSecurityNames. This type of configuration
should only be used when the certificate authorities naming should only be used when the certificate authorities naming
conventions are carefully controlled. conventions are carefully controlled.
In the example, if the incoming (D)TLS client provided certificate In the example, if the incoming (D)TLS client provided certificate
contained a subjectAltName where the first listed subjectAltName in contained a subjectAltName where the first listed subjectAltName in
the extension is the rfc822Name of "blueberry@example.com", the the extension is the rfc822Name of "blueberry@example.com", the
certificate was signed by a certificate matching the certificate was signed by a certificate matching the
tlstmCertToTSNFingerprint value and the CA's certificate was properly snmpTlstmCertToTSNFingerprint value and the CA's certificate was
installed on the device then the string "blueberry@example.com" would properly installed on the device then the string
be used as the tmSecurityName for the session. "blueberry@example.com" would be used as the tmSecurityName for the
session.
Author's Address Author's Address
Wes Hardaker Wes Hardaker
Sparta, Inc. Sparta, Inc.
P.O. Box 382 P.O. Box 382
Davis, CA 95617 Davis, CA 95617
USA USA
Phone: +1 530 792 1913 Phone: +1 530 792 1913
 End of changes. 201 change blocks. 
456 lines changed or deleted 485 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/