| draft-schoenw-snmp-discover-01.txt | draft-schoenw-snmp-discover-02.txt | |||
|---|---|---|---|---|
| Network Working Group J. Schoenwaelder | Network Working Group J. Schoenwaelder | |||
| Internet-Draft Jacobs University Bremen | Internet-Draft Jacobs University Bremen | |||
| Intended status: Informational March 1, 2007 | Intended status: Informational April 14, 2007 | |||
| Expires: September 2, 2007 | Expires: October 16, 2007 | |||
| Simple Network Management Protocol (SNMP) EngineID Discovery | Simple Network Management Protocol (SNMP) EngineID Discovery | |||
| draft-schoenw-snmp-discover-01.txt | draft-schoenw-snmp-discover-02.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on September 2, 2007. | This Internet-Draft will expire on October 16, 2007. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
| Abstract | Abstract | |||
| The third version of the Simple Network Management Protocol (SNMP) | The third version of the Simple Network Management Protocol (SNMP) | |||
| assumes that a manager knows the identifier of a remote SNMP protocol | assumes that a manager knows the identifier of a remote SNMP protocol | |||
| engine (the so called snmpEngineID) in order to retrieve or | engine (the so called snmpEngineID) in order to retrieve or | |||
| skipping to change at page 2, line 13 ¶ | skipping to change at page 2, line 13 ¶ | |||
| of the features provided by SNMP security models and may also be used | of the features provided by SNMP security models and may also be used | |||
| by other protocol interfaces providing access to managed objects. | by other protocol interfaces providing access to managed objects. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.1. Local EngineID . . . . . . . . . . . . . . . . . . . . . . 4 | 3.1. Local EngineID . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.2. EngineID Discovery . . . . . . . . . . . . . . . . . . . . 5 | 3.2. EngineID Discovery . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 | |||
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6.1. Normative References . . . . . . . . . . . . . . . . . . . 6 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . . 7 | 7.1. Normative References . . . . . . . . . . . . . . . . . . . 7 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 7.2. Informative References . . . . . . . . . . . . . . . . . . 8 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 8 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 9 | ||||
| 1. Introduction | 1. Introduction | |||
| To retrieve or manipulate management information using the third | To retrieve or manipulate management information using the third | |||
| version of the Simple Network Management Protocol (SNMPv3) [RFC3410], | version of the Simple Network Management Protocol (SNMPv3) [RFC3410], | |||
| it is necessary to know the identifier of the remote SNMP protocol | it is necessary to know the identifier of the remote SNMP protocol | |||
| engine, the so called snmpEngineID [RFC3411]. While an appropriate | engine, the so called snmpEngineID [RFC3411]. While an appropriate | |||
| engine identifier can in principle be provided by an operator, it is | engine identifier can in principle be provided by an operator, it is | |||
| often desirable to discover the engine identifier automatically. | often desirable to discover the engine identifier automatically. | |||
| skipping to change at page 5, line 22 ¶ | skipping to change at page 5, line 22 ¶ | |||
| localEngineID. An ASN.1 definition for localEngineID would look like | localEngineID. An ASN.1 definition for localEngineID would look like | |||
| this: | this: | |||
| localEngineID OCTET STRING ::= '8000000006'H | localEngineID OCTET STRING ::= '8000000006'H | |||
| The localEngineID value always provides access to the main local | The localEngineID value always provides access to the main local | |||
| context of an SNMP engine. | context of an SNMP engine. | |||
| 3.2. EngineID Discovery | 3.2. EngineID Discovery | |||
| Discovery of the snmpEngineID is simply done by sending an Read Class | Discovery of the snmpEngineID is simply done by sending a Read Class | |||
| protocol operation (see section 2.8 of [RFC3411]) to retrieve the | protocol operation (see section 2.8 of [RFC3411]) to retrieve the | |||
| snmpEngineID scalar using the localEngineID defined above as a | snmpEngineID scalar using the localEngineID defined above as a | |||
| contextEngineID value. Implementations SHOULD only perform this | contextEngineID value. Implementations SHOULD only perform this | |||
| discovery step when it is needed. In particular, if security models | discovery step when it is needed. In particular, if security models | |||
| are used that already discover the remote snmpEngineID (such as USM), | are used that already discover the remote snmpEngineID (such as USM), | |||
| then no further discovery is necessary. The same is true in | then no further discovery is necessary. The same is true in | |||
| situations where the application already supplies a suitable | situations where the application already supplies a suitable | |||
| snmpEngineID value (e.g., in proxy situations). | snmpEngineID value (e.g., in proxy situations). | |||
| The procedure to discover the snmpEngineID of a remote SNMP engine | The procedure to discover the snmpEngineID of a remote SNMP engine | |||
| skipping to change at page 6, line 10 ¶ | skipping to change at page 6, line 10 ¶ | |||
| successful, set the contextEngineID to the retrieved value and stop | successful, set the contextEngineID to the retrieved value and stop | |||
| the discovery procedure. | the discovery procedure. | |||
| 4) Return an error indication that a suitable contextEngineID could | 4) Return an error indication that a suitable contextEngineID could | |||
| not be discovered. | not be discovered. | |||
| The procedure outlined above is exemplary and can be modified to | The procedure outlined above is exemplary and can be modified to | |||
| retrieve more variables in step 3), such as the sysObjectID.0 scalar | retrieve more variables in step 3), such as the sysObjectID.0 scalar | |||
| or the snmpSetSerialNo.0 scalar of the SNMPv2-MIB [RFC3418]. | or the snmpSetSerialNo.0 scalar of the SNMPv2-MIB [RFC3418]. | |||
| 4. Security Considerations | 4. IANA Considerations | |||
| IANA has to create a registry for SnmpEngineID formats. The first | ||||
| four octets of an SnmpEngineID carry an enterprise number while the | ||||
| fifth octet in a variable length SnmpEngineID value, called the | ||||
| format octet, indicates how the following octets are formed. The | ||||
| following format values were defined in [RFC3411]: | ||||
| Format Description References | ||||
| ------- ----------- ---------- | ||||
| 0 reserved, unused [RFC3411] | ||||
| 1 IPv4 address [RFC3411] | ||||
| 2 IPv6 address [RFC3411] | ||||
| 3 MAC address [RFC3411] | ||||
| 4 administratively assigned text [RFC3411] | ||||
| 5 administratively assigned octets [RFC3411] | ||||
| 6-127 reserved, unused [RFC3411] | ||||
| 128-255 enterprise specific [RFC3411] | ||||
| IANA has to create a registry to assign new format values out of the | ||||
| originally reserved number space 6-127. For new assignments, a | ||||
| specification is required as per [RFC2434]. | ||||
| This document requests the following assignment: | ||||
| Format Description References | ||||
| ------- ----------- ---------- | ||||
| 6 local engine [RFCXXXX] | ||||
| 5. Security Considerations | ||||
| SNMP version 3 (SNMPv3) provides cryptographic security to protect | SNMP version 3 (SNMPv3) provides cryptographic security to protect | |||
| devices from unauthorized access. This specification recommends | devices from unauthorized access. This specification recommends | |||
| using the security services provided by SNMPv3. In particular, it is | using the security services provided by SNMPv3. In particular, it is | |||
| recommended to use the security services provided by an SNMP security | recommended to use the security services provided by an SNMP security | |||
| model to protect the discovery exchange. | model to protect the discovery exchange. | |||
| In situations where SNMPv3 is used without security (i.e., the | In situations where SNMPv3 is used without security (i.e., the | |||
| security level of noAuthNoPriv is used), the introduction of a | security level of noAuthNoPriv is used), the introduction of a | |||
| localEngineID may make it slightly easier for an attacker to discover | localEngineID may make it slightly easier for an attacker to discover | |||
| suitable snmpEngineID values. However, since SNMP messages with a | suitable snmpEngineID values. However, since SNMP messages with a | |||
| security level of noAuthNoPriv are normally carried in clear-text | security level of noAuthNoPriv are normally carried in clear-text | |||
| over the wire, it is usually easy for an attacker to discover a | over the wire, it is usually easy for an attacker to discover a | |||
| contextEngineID by sniffing on the wire and any attempts to keep the | contextEngineID by sniffing on the wire and any attempts to keep the | |||
| snmpEngineIDs private won't lead to strong security. The usage of | snmpEngineIDs private won't lead to strong security. The usage of | |||
| SNMPv3 without security is therefore generally not recommended. | SNMPv3 without security is therefore generally not recommended. | |||
| 5. Acknowledgments | 6. Acknowledgments | |||
| Dave Perkins suggested to introduce a "local" contextEngineID during | Dave Perkins suggested to introduce a "local" contextEngineID during | |||
| the interim meeting of the ISMS working group in Boston, 2006. Joe | the interim meeting of the ISMS working group in Boston, 2006. Joe | |||
| Fernandez and David Harrington provided helpful review and feedback, | Fernandez and David Harrington provided helpful review and feedback, | |||
| which helped to improve this document. | which helped to improve this document. | |||
| 6. References | 7. References | |||
| 6.1. Normative References | 7.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, March 1997. | Requirement Levels", BCP 14, March 1997. | |||
| [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An | [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An | |||
| Architecture for Describing Simple Network Management | Architecture for Describing Simple Network Management | |||
| Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, | Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, | |||
| December 2002. | December 2002. | |||
| [RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, | [RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, | |||
| skipping to change at page 7, line 15 ¶ | skipping to change at page 7, line 43 ¶ | |||
| December 2002. | December 2002. | |||
| [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model | [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model | |||
| (USM) for version 3 of the Simple Network Management | (USM) for version 3 of the Simple Network Management | |||
| Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. | Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. | |||
| [RFC3416] Presuhn, R., "Version 2 of the Protocol Operations for the | [RFC3416] Presuhn, R., "Version 2 of the Protocol Operations for the | |||
| Simple Network Management Protocol (SNMP)", STD 62, | Simple Network Management Protocol (SNMP)", STD 62, | |||
| RFC 3416, December 2002. | RFC 3416, December 2002. | |||
| 6.2. Informative References | [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an | |||
| IANA Considerations Section in RFCs", BCP 26, RFC 2434, | ||||
| October 1998. | ||||
| 7.2. Informative References | ||||
| [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, | [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, | |||
| "Introduction and Applicability Statements for Internet- | "Introduction and Applicability Statements for Internet- | |||
| Standard Management Framework", RFC 3410, December 2002. | Standard Management Framework", RFC 3410, December 2002. | |||
| [RFC3418] Presuhn, R., "Management Information Base (MIB) for the | [RFC3418] Presuhn, R., "Management Information Base (MIB) for the | |||
| Simple Network Management Protocol (SNMP)", STD 62, | Simple Network Management Protocol (SNMP)", STD 62, | |||
| RFC 3418, December 2002. | RFC 3418, December 2002. | |||
| [I-D.TSM] Harrington, D., "Transport Security Model for SNMP", | [I-D.TSM] Harrington, D., "Transport Security Model for SNMP", | |||
| End of changes. 10 change blocks. | ||||
| 17 lines changed or deleted | 51 lines changed or added | |||
| This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | | |||
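The discovery exchange of section 3.2 and the SnmpEngineID layout registered in section 4, worked through as an added example that is not part of either draft. The GET is abstracted into a callable, so transport, BER encoding and the security model are not implemented; `FakeAgent` is a constructed stand-in for a remote engine (an agent that does not implement localEngineID is modelled as silently dropping the request, the RFC 3412 behaviour for an unknown contextEngineID), and the engine ID and enterprise number it answers with are constructed. The OIDs for snmpEngineID.0 and sysObjectID.0 are the real ones from SNMP-FRAMEWORK-MIB and SNMPv2-MIB. The decoder follows the format table above: high bit set, 31-bit enterprise number, format octet, 5..32 octets total, fixed payload lengths for formats 1, 2, 3 and 6; the check that an agent never reports localEngineID as its own snmpEngineID is this example's own sanity check, not a requirement stated in the draft.

```python
"""SNMPv3 engineID discovery via localEngineID, plus an SnmpEngineID decoder.

Added example, not from the draft. GET is a callable; FakeAgent, its engine ID
and the enterprise number 9999 used in the tests are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence, Tuple

LOCAL_ENGINE_ID = bytes.fromhex("8000000006")     # draft sec 3.1: enterprise 0, format 6
SNMP_ENGINE_ID_0 = "1.3.6.1.6.3.10.2.1.1.0"       # SNMP-FRAMEWORK-MIB::snmpEngineID.0
SYS_OBJECT_ID_0 = "1.3.6.1.2.1.1.2.0"             # SNMPv2-MIB::sysObjectID.0

# Format octet values from the draft's IANA table (RFC 3411 sec 5 plus format 6).
FORMAT_IPV4, FORMAT_IPV6, FORMAT_MAC, FORMAT_TEXT, FORMAT_OCTETS, FORMAT_LOCAL = range(1, 7)
FIXED_LEN = {FORMAT_IPV4: 4, FORMAT_IPV6: 16, FORMAT_MAC: 6, FORMAT_LOCAL: 0}


@dataclass(frozen=True)
class EngineID:
    enterprise: int
    fmt: Optional[int]   # None for the pre-RFC 3411 fixed 12-octet form
    payload: bytes

    def describe(self) -> str:
        if self.fmt is None:
            return f"old 12-octet format, enterprise {self.enterprise}"
        render = {
            FORMAT_IPV4: lambda p: str(ipaddress.IPv4Address(p)),
            FORMAT_IPV6: lambda p: str(ipaddress.IPv6Address(p)),
            FORMAT_MAC: lambda p: ":".join(f"{b:02x}" for b in p),
            FORMAT_TEXT: lambda p: p.decode("ascii", "replace"),
            FORMAT_OCTETS: lambda p: p.hex(),
            FORMAT_LOCAL: lambda p: "local engine",
        }.get(self.fmt, lambda p: f"enterprise-specific format {self.fmt}: {p.hex()}")
        return f"{render(self.payload)} (enterprise {self.enterprise})"


def decode_engine_id(raw: bytes) -> EngineID:
    """Split an SnmpEngineID into enterprise number, format octet and payload."""
    if not 5 <= len(raw) <= 32:
        raise ValueError("SnmpEngineID must be 5..32 octets")
    if not raw[0] & 0x80:                      # high bit clear: old fixed-length form
        if len(raw) != 12:
            raise ValueError("old-format SnmpEngineID must be exactly 12 octets")
        return EngineID(struct.unpack(">I", raw[:4])[0], None, raw[4:])
    enterprise = struct.unpack(">I", raw[:4])[0] & 0x7FFFFFFF
    fmt, payload = raw[4], raw[5:]
    if fmt == 0 or 7 <= fmt <= 127:            # reserved/unused per the IANA table
        raise ValueError(f"format {fmt} is reserved/unused")
    if fmt in FIXED_LEN and len(payload) != FIXED_LEN[fmt]:
        raise ValueError(f"format {fmt} expects {FIXED_LEN[fmt]} payload octets")
    return EngineID(enterprise, fmt, payload)


def encode_engine_id(enterprise: int, fmt: int, payload: bytes = b"") -> bytes:
    """Build a new-format SnmpEngineID, validated by running it through the decoder."""
    if not 0 <= enterprise < 2**31 or not 0 <= fmt <= 255:
        raise ValueError("enterprise must fit in 31 bits, format in one octet")
    raw = struct.pack(">I", 0x80000000 | enterprise) + bytes([fmt]) + payload
    decode_engine_id(raw)
    return raw


@dataclass
class GetResponse:
    varbinds: Dict[str, object]   # oid -> value; None stands in for noSuchObject


class FakeAgent:
    """Constructed remote engine; with supports_local=False it drops requests that
    name localEngineID, as RFC 3412 does for any unknown contextEngineID."""

    def __init__(self, engine_id: bytes, sys_object_id: str, supports_local: bool = True):
        self.engine_id, self.supports_local = engine_id, supports_local
        self._mib = {SNMP_ENGINE_ID_0: engine_id, SYS_OBJECT_ID_0: sys_object_id}

    def get(self, context_engine_id: bytes, oids: Sequence[str]) -> Optional[GetResponse]:
        accepted = {self.engine_id} | ({LOCAL_ENGINE_ID} if self.supports_local else set())
        if context_engine_id not in accepted:
            return None
        return GetResponse({oid: self._mib.get(oid) for oid in oids})


class DiscoveryError(Exception):
    pass


def discover_engine_id(get: Callable[[bytes, Sequence[str]], Optional[GetResponse]],
                       known: Optional[bytes] = None,
                       extra_oids: Sequence[str] = ()) -> Tuple[bytes, Dict[str, object]]:
    """Draft sec 3.2: skip discovery when an engineID is already known (USM found it,
    or a proxy supplied one); otherwise GET snmpEngineID.0 in the localEngineID
    context, fetching any extra scalars (e.g. sysObjectID.0) in the same request."""
    if known is not None:
        return known, {}
    resp = get(LOCAL_ENGINE_ID, [SNMP_ENGINE_ID_0, *extra_oids])
    eid = resp.varbinds.get(SNMP_ENGINE_ID_0) if resp else None
    # Example's own sanity check: a real engine never reports localEngineID as its ID.
    if not isinstance(eid, bytes) or eid == LOCAL_ENGINE_ID:
        raise DiscoveryError("a suitable contextEngineID could not be discovered")
    decode_engine_id(eid)   # reject malformed values before using them as contextEngineID
    return eid, {oid: resp.varbinds.get(oid) for oid in extra_oids}
```

The failure path matters operationally: an agent that predates format 6 never answers a request scoped to localEngineID, so the manager sees a timeout rather than a report PDU and must fall back to an operator-supplied engineID or to USM's own discovery, which is why the draft tells implementations to run this step only when no engineID is already available.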