| < draft-ietf-isms-tmsm-17.txt | draft-ietf-isms-tmsm-18.txt > | |||
|---|---|---|---|---|
| Network Working Group D. Harrington | Network Working Group D. Harrington | |||
| Internet-Draft Huawei Technologies (USA) | Internet-Draft Huawei Technologies (USA) | |||
| Updates: 3411,3412,3414,3417 J. Schoenwaelder | Updates: 3411,3412,3414,3417 J. Schoenwaelder | |||
| (if approved) Jacobs University Bremen | (if approved) Jacobs University Bremen | |||
| Intended status: Standards Track April 27, 2009 | Intended status: Standards Track May 6, 2009 | |||
| Expires: October 29, 2009 | Expires: November 7, 2009 | |||
| Transport Subsystem for the Simple Network Management Protocol (SNMP) | Transport Subsystem for the Simple Network Management Protocol (SNMP) | |||
| draft-ietf-isms-tmsm-17 | draft-ietf-isms-tmsm-18 | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted to IETF in full conformance with the | |||
| provisions of BCP 78 and BCP 79. This document may contain material | provisions of BCP 78 and BCP 79. This document may contain material | |||
| from IETF Documents or IETF Contributions published or made publicly | from IETF Documents or IETF Contributions published or made publicly | |||
| available before November 10, 2008. The person(s) controlling the | available before November 10, 2008. The person(s) controlling the | |||
| copyright in some of this material may not have granted the IETF | copyright in some of this material may not have granted the IETF | |||
| Trust the right to allow modifications of such material outside the | Trust the right to allow modifications of such material outside the | |||
| IETF Standards Process. Without obtaining an adequate license from | IETF Standards Process. Without obtaining an adequate license from | |||
| skipping to change at page 1, line 44 ¶ | skipping to change at page 1, line 44 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on October 29, 2009. | This Internet-Draft will expire on November 7, 2009. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2009 IETF Trust and the persons identified as the | Copyright (c) 2009 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents in effect on the date of | Provisions Relating to IETF Documents in effect on the date of | |||
| publication of this document (http://trustee.ietf.org/license-info). | publication of this document (http://trustee.ietf.org/license-info). | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 28 ¶ | skipping to change at page 2, line 28 ¶ | |||
| such as SSH and TLS, using a subsystem will enable consistent design | such as SSH and TLS, using a subsystem will enable consistent design | |||
| and modularity of such Transport Models. This document identifies | and modularity of such Transport Models. This document identifies | |||
| and describes some key aspects that need to be considered for any | and describes some key aspects that need to be considered for any | |||
| Transport Model for SNMP. | Transport Model for SNMP. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.1. The Internet-Standard Management Framework . . . . . . . . 4 | 1.1. The Internet-Standard Management Framework . . . . . . . . 4 | |||
| 1.2. Conventions . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.2. Conventions . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.3. Where this Extension Fits . . . . . . . . . . . . . . . . 4 | 1.3. Where this Extension Fits . . . . . . . . . . . . . . . . 5 | |||
| 2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3. Requirements of a Transport Model . . . . . . . . . . . . . . 8 | 3. Requirements of a Transport Model . . . . . . . . . . . . . . 8 | |||
| 3.1. Message Security Requirements . . . . . . . . . . . . . . 8 | 3.1. Message Security Requirements . . . . . . . . . . . . . . 8 | |||
| 3.1.1. Security Protocol Requirements . . . . . . . . . . . . 8 | 3.1.1. Security Protocol Requirements . . . . . . . . . . . . 8 | |||
| 3.2. SNMP Requirements . . . . . . . . . . . . . . . . . . . . 8 | 3.2. SNMP Requirements . . . . . . . . . . . . . . . . . . . . 9 | |||
| 3.2.1. Architectural Modularity Requirements . . . . . . . . 9 | 3.2.1. Architectural Modularity Requirements . . . . . . . . 9 | |||
| 3.2.2. Access Control Requirements . . . . . . . . . . . . . 12 | 3.2.2. Access Control Requirements . . . . . . . . . . . . . 12 | |||
| 3.2.3. Security Parameter Passing Requirements . . . . . . . 13 | 3.2.3. Security Parameter Passing Requirements . . . . . . . 13 | |||
| 3.2.4. Separation of Authentication and Authorization . . . . 13 | 3.2.4. Separation of Authentication and Authorization . . . . 13 | |||
| 3.3. Session Requirements . . . . . . . . . . . . . . . . . . . 14 | 3.3. Session Requirements . . . . . . . . . . . . . . . . . . . 14 | |||
| 3.3.1. No SNMP Sessions . . . . . . . . . . . . . . . . . . . 14 | 3.3.1. No SNMP Sessions . . . . . . . . . . . . . . . . . . . 14 | |||
| 3.3.2. Session Establishment Requirements . . . . . . . . . . 15 | 3.3.2. Session Establishment Requirements . . . . . . . . . . 15 | |||
| 3.3.3. Session Maintenance Requirements . . . . . . . . . . . 16 | 3.3.3. Session Maintenance Requirements . . . . . . . . . . . 16 | |||
| 3.3.4. Message security versus session security . . . . . . . 16 | 3.3.4. Message security versus session security . . . . . . . 16 | |||
| 4. Scenario Diagrams and the Transport Subsystem . . . . . . . . 17 | 4. Scenario Diagrams and the Transport Subsystem . . . . . . . . 17 | |||
| 5. Cached Information and References . . . . . . . . . . . . . . 17 | 5. Cached Information and References . . . . . . . . . . . . . . 18 | |||
| 5.1. securityStateReference . . . . . . . . . . . . . . . . . . 18 | 5.1. securityStateReference . . . . . . . . . . . . . . . . . . 18 | |||
| 5.2. tmStateReference . . . . . . . . . . . . . . . . . . . . . 18 | 5.2. tmStateReference . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 5.2.1. Transport information . . . . . . . . . . . . . . . . 19 | 5.2.1. Transport information . . . . . . . . . . . . . . . . 19 | |||
| 5.2.2. securityName . . . . . . . . . . . . . . . . . . . . . 20 | 5.2.2. securityName . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 5.2.3. securityLevel . . . . . . . . . . . . . . . . . . . . 20 | 5.2.3. securityLevel . . . . . . . . . . . . . . . . . . . . 21 | |||
| 5.2.4. Session Information . . . . . . . . . . . . . . . . . 21 | 5.2.4. Session Information . . . . . . . . . . . . . . . . . 21 | |||
| 6. Abstract Service Interfaces . . . . . . . . . . . . . . . . . 21 | 6. Abstract Service Interfaces . . . . . . . . . . . . . . . . . 21 | |||
| 6.1. sendMessage ASI . . . . . . . . . . . . . . . . . . . . . 22 | 6.1. sendMessage ASI . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 6.2. Changes to RFC3411 Outgoing ASIs . . . . . . . . . . . . . 23 | 6.2. Changes to RFC3411 Outgoing ASIs . . . . . . . . . . . . . 23 | |||
| 6.2.1. Message Processing Subsystem Primitives . . . . . . . 23 | 6.2.1. Message Processing Subsystem Primitives . . . . . . . 23 | |||
| 6.2.2. Security Subsystem Primitives . . . . . . . . . . . . 24 | 6.2.2. Security Subsystem Primitives . . . . . . . . . . . . 24 | |||
| 6.3. The receiveMessage ASI . . . . . . . . . . . . . . . . . . 25 | 6.3. The receiveMessage ASI . . . . . . . . . . . . . . . . . . 25 | |||
| 6.4. Changes to RFC3411 Incoming ASIs . . . . . . . . . . . . . 26 | 6.4. Changes to RFC3411 Incoming ASIs . . . . . . . . . . . . . 26 | |||
| 6.4.1. Message Processing Subsystem Primitive . . . . . . . . 26 | 6.4.1. Message Processing Subsystem Primitive . . . . . . . . 26 | |||
| 6.4.2. Security Subsystem Primitive . . . . . . . . . . . . . 27 | 6.4.2. Security Subsystem Primitive . . . . . . . . . . . . . 27 | |||
| skipping to change at page 4, line 34 ¶ | skipping to change at page 4, line 34 ¶ | |||
| Non uppercased versions of the keywords should be read as in normal | Non uppercased versions of the keywords should be read as in normal | |||
| English. They will usually, but not always, be used in a context | English. They will usually, but not always, be used in a context | |||
| relating to compatibility with the RFC3411 architecture or the | relating to compatibility with the RFC3411 architecture or the | |||
| subsystem defined here, but which might have no impact on on-the-wire | subsystem defined here, but which might have no impact on on-the-wire | |||
| compatibility. These terms are used as guidance for designers of | compatibility. These terms are used as guidance for designers of | |||
| proposed IETF models to make the designs compatible with RFC3411 | proposed IETF models to make the designs compatible with RFC3411 | |||
| subsystems and Abstract Service Interfaces (ASIs) (see section 3.2). | subsystems and Abstract Service Interfaces (ASIs) (see section 3.2). | |||
| Implementers are free to implement differently. Some usages of these | Implementers are free to implement differently. Some usages of these | |||
| lowercase terms are simply normal English usage. | lowercase terms are simply normal English usage. | |||
| This document discusses an extension to the modular RFC3411 | ||||
| architecture; this is not a protocol document. An architectural MUST | ||||
| is a really sharp constraint and to allow for the evolution of | ||||
| technology, and to not unnecessarily constrain future models, often a | ||||
| SHOULD or a should is more appropriate than a MUST in an architecure. | ||||
| Future models MAY express tighter requirements for their own model- | ||||
| specific processing. | ||||
| For consistency with SNMP-related specifications, this document | For consistency with SNMP-related specifications, this document | |||
| favors terminology as defined in STD62 rather than favoring | favors terminology as defined in STD62 rather than favoring | |||
| terminology that is consistent with non-SNMP specifications that use | terminology that is consistent with non-SNMP specifications that use | |||
| different variations of the same terminology. This is consistent | different variations of the same terminology. This is consistent | |||
| with the IESG decision to not require the SNMPv3 terminology be | with the IESG decision to not require the SNMPv3 terminology be | |||
| modified to match the usage of other non-SNMP specifications when | modified to match the usage of other non-SNMP specifications when | |||
| SNMPv3 was advanced to Full Standard. | SNMPv3 was advanced to Full Standard. | |||
| 1.3. Where this Extension Fits | 1.3. Where this Extension Fits | |||
| skipping to change at page 6, line 38 ¶ | skipping to change at page 6, line 47 ¶ | |||
| part except identifying requirements and verifying the quality of | part except identifying requirements and verifying the quality of | |||
| service being provided. | service being provided. | |||
| The User-based Security Model (USM) as defined in [RFC3414] largely | The User-based Security Model (USM) as defined in [RFC3414] largely | |||
| uses the first approach - it provides its own security. It utilizes | uses the first approach - it provides its own security. It utilizes | |||
| existing mechanisms (e.g., SHA), but provides all the coordination. | existing mechanisms (e.g., SHA), but provides all the coordination. | |||
| USM provides for the authentication of a principal, message | USM provides for the authentication of a principal, message | |||
| encryption, data integrity checking, timeliness checking, etc. | encryption, data integrity checking, timeliness checking, etc. | |||
| USM was designed to be independent of other existing security | USM was designed to be independent of other existing security | |||
| infrastructures. USM therefore requires a separate principal and key | infrastructures. USM therefore uses a separate principal and key | |||
| management infrastructure. Operators have reported that deploying | management infrastructure. Operators have reported that deploying | |||
| another principal and key management infrastructure in order to use | another principal and key management infrastructure in order to use | |||
| SNMPv3 is a deterrent to deploying SNMPv3. It is possible to use | SNMPv3 is a deterrent to deploying SNMPv3. It is possible to use | |||
| external mechanisms to handle the distribution of keys for use by | external mechanisms to handle the distribution of keys for use by | |||
| USM. The more important issue is that operators wanted to leverage | USM. The more important issue is that operators wanted to leverage | |||
| existing user base infrastructures that were not specific to SNMP. | existing user base infrastructures that were not specific to SNMP. | |||
| A USM-compliant architecture might combine the authentication | A USM-compliant architecture might combine the authentication | |||
| mechanism with an external mechanism, such as RADIUS [RFC2865] to | mechanism with an external mechanism, such as RADIUS [RFC2865] to | |||
| provide the authentication service. Similarly it might be possible | provide the authentication service. Similarly it might be possible | |||
| skipping to change at page 7, line 24 ¶ | skipping to change at page 7, line 33 ¶ | |||
| problems through security layers at the transport layer or | problems through security layers at the transport layer or | |||
| application layer, among them TLS [RFC5246], SASL [RFC4422], and SSH | application layer, among them TLS [RFC5246], SASL [RFC4422], and SSH | |||
| [RFC4251] | [RFC4251] | |||
| From an operational perspective, it is highly desirable to use | From an operational perspective, it is highly desirable to use | |||
| security mechanisms that can unify the administrative security | security mechanisms that can unify the administrative security | |||
| management for SNMPv3, command line interfaces (CLIs) and other | management for SNMPv3, command line interfaces (CLIs) and other | |||
| management interfaces. The use of security services provided by | management interfaces. The use of security services provided by | |||
| lower layers is the approach commonly used for the CLI, and is also | lower layers is the approach commonly used for the CLI, and is also | |||
| the approach being proposed for other network management protocols, | the approach being proposed for other network management protocols, | |||
| such as syslog [I-D.ietf-syslog-protocol] and NETCONF [RFC4741]. | such as syslog [RFC5424] and NETCONF [RFC4741]. | |||
| This document defines a Transport Subsystem extension to the RFC3411 | This document defines a Transport Subsystem extension to the RFC3411 | |||
| architecture based on the third approach. This extension specifies | architecture based on the third approach. This extension specifies | |||
| how other lower layer protocols with common security infrastructures | how other lower layer protocols with common security infrastructures | |||
| can be used underneath the SNMP protocol and the desired goal of | can be used underneath the SNMP protocol and the desired goal of | |||
| unified administrative security can be met. | unified administrative security can be met. | |||
| This extension allows security to be provided by an external protocol | This extension allows security to be provided by an external protocol | |||
| connected to the SNMP engine through an SNMP Transport Model | connected to the SNMP engine through an SNMP Transport Model | |||
| [RFC3417]. Such a Transport Model would then enable the use of | [RFC3417]. Such a Transport Model would then enable the use of | |||
| skipping to change at page 8, line 41 ¶ | skipping to change at page 8, line 50 ¶ | |||
| numerous problems. The advertised security characteristics of a | numerous problems. The advertised security characteristics of a | |||
| protocol might depend on it being used as designed; when used in | protocol might depend on it being used as designed; when used in | |||
| other ways, it might not deliver the expected security | other ways, it might not deliver the expected security | |||
| characteristics. It is recommended that any proposed model include a | characteristics. It is recommended that any proposed model include a | |||
| description of the applicability of the Transport Model. | description of the applicability of the Transport Model. | |||
| A Transport Model SHOULD NOT require modifications to the underlying | A Transport Model SHOULD NOT require modifications to the underlying | |||
| protocol. Modifying the protocol might change its security | protocol. Modifying the protocol might change its security | |||
| characteristics in ways that could impact other existing usages. If | characteristics in ways that could impact other existing usages. If | |||
| a change is necessary, the change SHOULD be an extension that has no | a change is necessary, the change SHOULD be an extension that has no | |||
| impact on the existing usages. Any Transport Model SHOULD include a | impact on the existing usages. Any Transport Model should include a | |||
| description of potential impact on other usages of the protocol. | description of potential impact on other usages of the protocol. | |||
| Since multiple transport models can exist simultaneously within the | Since multiple transport models can exist simultaneously within the | |||
| transport subsystem, transport models MUST be able to coexist with | transport subsystem, transport models MUST be able to coexist with | |||
| each other. | each other. | |||
| 3.2. SNMP Requirements | 3.2. SNMP Requirements | |||
| 3.2.1. Architectural Modularity Requirements | 3.2.1. Architectural Modularity Requirements | |||
| SNMP version 3 (SNMPv3) is based on a modular architecture (defined | SNMP version 3 (SNMPv3) is based on a modular architecture (defined | |||
| in [RFC3411] section 3) to allow the evolution of the SNMP protocol | in [RFC3411] section 3) to allow the evolution of the SNMP protocol | |||
| standards over time, and to minimize side effects between subsystems | standards over time, and to minimize side effects between subsystems | |||
| when changes are made. | when changes are made. | |||
| The RFC3411 architecture includes a Message Processing Subsystem | The RFC3411 architecture includes a Message Processing Subsystem | |||
| permitting different message versions to be handled by a single | permitting different message versions to be handled by a single | |||
| engine, a Security Subsystem for enabling different methods of | engine, a Security Subsystem for enabling different methods of | |||
| skipping to change at page 9, line 28 ¶ | skipping to change at page 9, line 35 ¶ | |||
| despite the fact there are multiple transport mappings already | despite the fact there are multiple transport mappings already | |||
| defined for SNMP [RFC3417]. This document describes a Transport | defined for SNMP [RFC3417]. This document describes a Transport | |||
| Subsystem that is compatible with the RFC3411 architecture. As work | Subsystem that is compatible with the RFC3411 architecture. As work | |||
| is being done to use secure transports such as SSH and TLS, using a | is being done to use secure transports such as SSH and TLS, using a | |||
| subsystem will enable consistent design and modularity of such | subsystem will enable consistent design and modularity of such | |||
| Transport Models. | Transport Models. | |||
| The design of this Transport Subsystem accepts the goals of the | The design of this Transport Subsystem accepts the goals of the | |||
| RFC3411 architecture defined in section 1.5 of [RFC3411]. This | RFC3411 architecture defined in section 1.5 of [RFC3411]. This | |||
| Transport Subsystem uses a modular design that permits Transport | Transport Subsystem uses a modular design that permits Transport | |||
| Models (which may or may not be security-aware) to be "plugged into" | Models (which might or might not be security-aware) to be "plugged | |||
| the RFC3411 architecture. Such Transport Models would be independent | into" the RFC3411 architecture. Such Transport Models would be | |||
| of other modular SNMP components as much as possible. This design | independent of other modular SNMP components as much as possible. | |||
| also permits Transport Models to be advanced through the standards | This design also permits Transport Models to be advanced through the | |||
| process independently of other Transport Models. | standards process independently of other Transport Models. | |||
| To encourage a basic level of interoperability, any Transport Model | ||||
| SHOULD define one mandatory-to-implement security mechanism, but | ||||
| should also be able to support additional existing and new | ||||
| mechanisms. | ||||
| The following diagram depicts the SNMPv3 architecture including the | The following diagram depicts the SNMPv3 architecture including the | |||
| new Transport Subsystem defined in this document, and a new Transport | new Transport Subsystem defined in this document, and a new Transport | |||
| Security Model defined in [I-D.ietf-isms-transport-security-model]. | Security Model defined in [I-D.ietf-isms-transport-security-model]. | |||
| +------------------------------+ | +------------------------------+ | |||
| | Network | | | Network | | |||
| +------------------------------+ | +------------------------------+ | |||
| ^ ^ ^ | ^ ^ ^ | |||
| | | | | | | | | |||
| skipping to change at page 11, line 21 ¶ | skipping to change at page 11, line 21 ¶ | |||
| perform similar security functions within the Transport Subsystem, | perform similar security functions within the Transport Subsystem, | |||
| including the translation of transport security parameters to/from | including the translation of transport security parameters to/from | |||
| security-model-independent parameters. | security-model-independent parameters. | |||
| To accommodate this, an implementation-specific cache of transport- | To accommodate this, an implementation-specific cache of transport- | |||
| specific information will be described (not shown), and the data | specific information will be described (not shown), and the data | |||
| flows on this path will be extended to pass security-model- | flows on this path will be extended to pass security-model- | |||
| independent values. This document amends some of the ASIs defined in | independent values. This document amends some of the ASIs defined in | |||
| RFC 3411, and these changes are covered in section 6. | RFC 3411, and these changes are covered in section 6. | |||
| New Security Models may be defined that understand how to work with | New Security Models might be defined that understand how to work with | |||
| these modified ASIs and the transport-information cache. One such | these modified ASIs and the transport-information cache. One such | |||
| Security Model, the Transport Security Model, is defined in | Security Model, the Transport Security Model, is defined in | |||
| [I-D.ietf-isms-transport-security-model]. | [I-D.ietf-isms-transport-security-model]. | |||
| 3.2.1.2. Changes to RFC3411 processing | 3.2.1.2. Changes to RFC3411 processing | |||
| The introduction of secure transports affects the responsibilities | The introduction of secure transports affects the responsibilities | |||
| and order of processing within the RFC3411 architecture. While the | and order of processing within the RFC3411 architecture. While the | |||
| steps are the same, they may occur in a different order, and may be | steps are the same, they might occur in a different order, and might | |||
| done by different subsystems. With the existing RFC3411 | be done by different subsystems. With the existing RFC3411 | |||
| architecture, security processing starts when the Message Processing | architecture, security processing starts when the Message Processing | |||
| Model decodes portions of the encoded message to extract parameters | Model decodes portions of the encoded message to extract parameters | |||
| that identify which Security Model should handle the security-related | that identify which Security Model MUST handle the security-related | |||
| tasks. | tasks. | |||
| A secure transport performs those security functions on the message, | A secure transport performs those security functions on the message, | |||
| before the message is decoded. Some of these functions might then be | before the message is decoded. Some of these functions might then be | |||
| repeated by the selected Security Model. | repeated by the selected Security Model. | |||
| 3.2.1.3. Passing Information between SNMP Engines | 3.2.1.3. Passing Information between SNMP Engines | |||
| A secure Transport Model will establish an authenticated and possibly | A secure Transport Model will establish an authenticated and possibly | |||
| encrypted tunnel between the Transport Models of two SNMP engines. | encrypted tunnel between the Transport Models of two SNMP engines. | |||
| skipping to change at page 12, line 39 ¶ | skipping to change at page 12, line 39 ¶ | |||
| mechanism-specific identity, and this mapping must be done for | mechanism-specific identity, and this mapping must be done for | |||
| incoming messages by the Security Model before it passes securityName | incoming messages by the Security Model before it passes securityName | |||
| to the Message Processing Model via the processIncoming ASI. | to the Message Processing Model via the processIncoming ASI. | |||
| A Security Model is also responsible to specify, via the | A Security Model is also responsible to specify, via the | |||
| securityLevel parameter, whether incoming messages have been | securityLevel parameter, whether incoming messages have been | |||
| authenticated and encrypted, and to ensure that outgoing messages are | authenticated and encrypted, and to ensure that outgoing messages are | |||
| authenticated and encrypted based on the value of securityLevel. | authenticated and encrypted based on the value of securityLevel. | |||
| A Transport Model MAY provide suggested values for securityName and | A Transport Model MAY provide suggested values for securityName and | |||
| securityLevel. A Security Model may have multiple sources for | securityLevel. A Security Model might have multiple sources for | |||
| determining the principal and desired security services, and a | determining the principal and desired security services, and a | |||
| particular Security Model may or may not utilize the values proposed | particular Security Model might or might not utilize the values | |||
| by a Transport Model when deciding the value of securityName and | proposed by a Transport Model when deciding the value of securityName | |||
| securityLevel. | and securityLevel. | |||
| Documents defining a new transport domain MUST define a prefix that | Documents defining a new transport domain MUST define a prefix that | |||
| MAY be prepended by the Security Model to all passed securityNames. | MAY be prepended to all securityNames passed by the Security Model. | |||
| The prefix MUST include from one to four ASCII characters, not | The prefix MUST include from one to four US-ASCII alpha-numeric | |||
| including a ":" (ASCII 0x3a) character. If a prefix is used, a | characters, not including a ":" (US-ASCII 0x3a) character. If a | |||
| securityName is constructed by concatenating the prefix and a ":" | prefix is used, a securityName is constructed by concatenating the | |||
| (ASCII 0x3a) character followed by a non-empty identity in an | prefix and a ":" (US-ASCII 0x3a) character followed by a non-empty | |||
| snmpAdminString compatible format. Transport domains and their | identity in an snmpAdminString compatible format. The prefix can be | |||
| used by SNMP applications to distinguish "alice" authenticated by SSH | ||||
| from "alice" authenticated by TLS. Transport domains and their | ||||
| corresponding prefixes are coordinated via the IANA registry "SNMP | corresponding prefixes are coordinated via the IANA registry "SNMP | |||
| Transport Domains". | Transport Domains". | |||
| 3.2.3. Security Parameter Passing Requirements | 3.2.3. Security Parameter Passing Requirements | |||
| A Message Processing Model might unpack SNMP-specific security | A Message Processing Model might unpack SNMP-specific security | |||
| parameters from an incoming message before calling a specific | parameters from an incoming message before calling a specific | |||
| Security Model to handle the security-related processing of the | Security Model to handle the security-related processing of the | |||
| message. When using a secure Transport Model, some security | message. When using a secure Transport Model, some security | |||
| parameters might be extracted from the transport layer by the | parameters might be extracted from the transport layer by the | |||
| Transport Model before the message is passed to the Message | Transport Model before the message is passed to the Message | |||
| Processing Subsystem. | Processing Subsystem. | |||
| This document describes a cache mechanism (see Section 5), into which | This document describes a cache mechanism (see Section 5), into which | |||
| the Transport Model puts information about the transport and security | the Transport Model puts information about the transport and security | |||
| parameters applied to a transport connection or an incoming message, | parameters applied to a transport connection or an incoming message, | |||
| and a Security Model may extract that information from the cache. A | and a Security Model might extract that information from the cache. | |||
| tmStateReference is passed as an extra parameter in the ASIs between | A tmStateReference is passed as an extra parameter in the ASIs | |||
| the Transport Subsystem, the Message Processing and Security | between the Transport Subsystem, the Message Processing and Security | |||
| Subsystems, to identify the relevant cache. This approach of passing | Subsystems, to identify the relevant cache. This approach of passing | |||
| a model-independent reference is consistent with the | a model-independent reference is consistent with the | |||
| securityStateReference cache already being passed around in the | securityStateReference cache already being passed around in the | |||
| RFC3411 ASIs. | RFC3411 ASIs. | |||
| 3.2.4. Separation of Authentication and Authorization | 3.2.4. Separation of Authentication and Authorization | |||
| The RFC3411 architecture defines a separation of authentication and | The RFC3411 architecture defines a separation of authentication and | |||
| the authorization to access and/or modify MIB data. A set of model- | the authorization to access and/or modify MIB data. A set of model- | |||
| independent parameters (securityModel, securityName, and | independent parameters (securityModel, securityName, and | |||
| skipping to change at page 14, line 50 ¶ | skipping to change at page 15, line 5 ¶ | |||
| To reduce redundancy, this document describes aspects that are | To reduce redundancy, this document describes aspects that are | |||
| expected to be common to all Transport Model sessions. | expected to be common to all Transport Model sessions. | |||
| 3.3.1. No SNMP Sessions | 3.3.1. No SNMP Sessions | |||
| The architecture defined in [RFC3411] and the Transport Subsystem | The architecture defined in [RFC3411] and the Transport Subsystem | |||
| defined in this document do not support SNMP sessions or include a | defined in this document do not support SNMP sessions or include a | |||
| session selector in the Abstract Service Interfaces. | session selector in the Abstract Service Interfaces. | |||
| The Transport Subsystem may support transport sessions. However, the | The Transport Subsystem might support transport sessions. However, | |||
| transport subsystem does not have access to the pduType (i.e., the | the transport subsystem does not have access to the pduType (i.e., | |||
| SNMP operation type), so cannot select a given transport session for | the SNMP operation type), so cannot select a given transport session | |||
| particular types of traffic. | for particular types of traffic. | |||
| Certain parameters of the Abstract Service Interfaces might be used | Certain parameters of the Abstract Service Interfaces might be used | |||
| to guide the selection of an appropriate transport session to use for | to guide the selection of an appropriate transport session to use for | |||
| a given request by an application. | a given request by an application. | |||
| The transportDomain and transportAddress identify the transport | The transportDomain and transportAddress identify the transport | |||
| connection to a remote network node. Elements of the transport | connection to a remote network node. Elements of the transport | |||
| address (such as the port number) might be used by an application to | address (such as the port number) might be used by an application to | |||
| send a particular PDU type to a particular transport address. For | send a particular PDU type to a particular transport address. For | |||
| example, the SNMP-TARGET-MIB and SNMP-NOTIFICATION-MIB [RFC3413] are | example, the SNMP-TARGET-MIB and SNMP-NOTIFICATION-MIB [RFC3413] are | |||
| used to configure notification originators with the destination port | used to configure notification originators with the destination port | |||
| to which SNMPv2-Trap PDUs or Inform PDUs should be sent, but the | to which SNMPv2-Trap PDUs or Inform PDUs are to be sent, but the | |||
| transport subsystem never looks inside the PDU. | transport subsystem never looks inside the PDU. | |||
| The securityName identifies which security principal to communicate | The securityName identifies which security principal to communicate | |||
| with at that address (e.g., different NMS applications), and the | with at that address (e.g., different NMS applications), and the | |||
| securityLevel might permit selection of different sets of security | securityLevel might permit selection of different sets of security | |||
| properties for different purposes (e.g., encrypted SETs vs. non- | properties for different purposes (e.g., encrypted SETs vs. non- | |||
| encrypted GETs). | encrypted GETs). | |||
| However, because the handling of transport sessions is specific to | However, because the handling of transport sessions is specific to | |||
| each transport model, some transport models MAY restrict selecting a | each transport model, some transport models MAY restrict selecting a | |||
| skipping to change at page 15, line 45 ¶ | skipping to change at page 15, line 48 ¶ | |||
| Implementations SHOULD be able to maintain some reasonable number of | Implementations SHOULD be able to maintain some reasonable number of | |||
| concurrent transport sessions, and MAY provide non-standard internal | concurrent transport sessions, and MAY provide non-standard internal | |||
| mechanisms to select transport sessions. | mechanisms to select transport sessions. | |||
| 3.3.2. Session Establishment Requirements | 3.3.2. Session Establishment Requirements | |||
| SNMP applications provide the transportDomain, transportAddress, | SNMP applications provide the transportDomain, transportAddress, | |||
| securityName, and securityLevel to be used to create a new session. | securityName, and securityLevel to be used to create a new session. | |||
| If the Transport Model cannot provide at least the requested level of | If the Transport Model cannot provide at least the requested level of | |||
| security, the Transport Model SHOULD discard the message and SHOULD | security, the Transport Model should discard the message and should | |||
| notify the dispatcher that establishing a session and sending the | notify the dispatcher that establishing a session and sending the | |||
| message failed. Similarly, if the session cannot be established, | message failed. Similarly, if the session cannot be established, | |||
| then the message SHOULD be discarded and the dispatcher notified. | then the message should be discarded and the dispatcher notified. | |||
| Transport session establishment might require provisioning | Transport session establishment might require provisioning | |||
| authentication credentials at an engine, either statically or | authentication credentials at an engine, either statically or | |||
| dynamically. How this is done is dependent on the transport model | dynamically. How this is done is dependent on the transport model | |||
| and the implementation. | and the implementation. | |||
| 3.3.3. Session Maintenance Requirements | 3.3.3. Session Maintenance Requirements | |||
| A Transport Model can tear down sessions as needed. It might be | A Transport Model can tear down sessions as needed. It might be | |||
| necessary for some implementations to tear down sessions as the | necessary for some implementations to tear down sessions as the | |||
| skipping to change at page 16, line 24 ¶ | skipping to change at page 16, line 27 ¶ | |||
| an implementation determines that an operation has completed is | an implementation determines that an operation has completed is | |||
| implementation-dependent. While it is possible to tear down each | implementation-dependent. While it is possible to tear down each | |||
| transport session after processing for each message has completed, | transport session after processing for each message has completed, | |||
| this is not recommended for performance reasons. | this is not recommended for performance reasons. | |||
| The elements of procedure describe when cached information can be | The elements of procedure describe when cached information can be | |||
| discarded, and the timing of cache cleanup might have security | discarded, and the timing of cache cleanup might have security | |||
| implications, but cache memory management is an implementation issue. | implications, but cache memory management is an implementation issue. | |||
| If a Transport Model defines MIB module objects to maintain session | If a Transport Model defines MIB module objects to maintain session | |||
| state information, then the Transport Model MUST define what SHOULD | state information, then the Transport Model MUST define what happens | |||
| happen to the objects when a related session is torn down, since this | to the objects when a related session is torn down, since this will | |||
| will impact interoperability of the MIB module. | impact interoperability of the MIB module. | |||
| 3.3.4. Message security versus session security | 3.3.4. Message security versus session security | |||
| A Transport Model session is associated with state information that | A Transport Model session is associated with state information that | |||
| is maintained for its lifetime. This state information allows for | is maintained for its lifetime. This state information allows for | |||
| the application of various security services to multiple messages. | the application of various security services to multiple messages. | |||
| Cryptographic keys associated with the transport session SHOULD be | Cryptographic keys associated with the transport session SHOULD be | |||
| used to provide authentication, integrity checking, and encryption | used to provide authentication, integrity checking, and encryption | |||
| services, as needed, for data that is communicated during the | services, as needed, for data that is communicated during the | |||
| session. The cryptographic protocols used to establish keys for a | session. The cryptographic protocols used to establish keys for a | |||
| skipping to change at page 17, line 28 ¶ | skipping to change at page 17, line 31 ¶ | |||
| might add significant overhead to processing of the messages. | might add significant overhead to processing of the messages. | |||
| Some Transport Models might support only specific authentication and | Some Transport Models might support only specific authentication and | |||
| encryption services, such as requiring all messages to be carried | encryption services, such as requiring all messages to be carried | |||
| using both authentication and encryption, regardless of the security | using both authentication and encryption, regardless of the security | |||
| level requested by an SNMP application. A Transport Model MAY | level requested by an SNMP application. A Transport Model MAY | |||
| upgrade the security level requested by a transport-aware security | upgrade the security level requested by a transport-aware security | |||
| model, i.e. noAuthNoPriv and authNoPriv might be sent over an | model, i.e. noAuthNoPriv and authNoPriv might be sent over an | |||
| authenticated and encrypted session. A Transport Model MUST NOT | authenticated and encrypted session. A Transport Model MUST NOT | |||
| downgrade the security level requested by a transport-aware security | downgrade the security level requested by a transport-aware security | |||
| model, and SHOULD discard any message where this would occur. | model, and SHOULD discard any message where this would occur. This | |||
| is a SHOULD rather than a MUST only to permit the potential | ||||
| development of models that can perform error-handling in a manner | ||||
| that is less severe than discarding the message. However, any model | ||||
| that does not discard the message in this circumstance should have a | ||||
| clear justification for why not discarding will not create a security | ||||
| vulnerability. | ||||
| 4. Scenario Diagrams and the Transport Subsystem | 4. Scenario Diagrams and the Transport Subsystem | |||
| RFC3411 section 4.6.1 and 4.6.2 provide scenario diagrams to | RFC3411 section 4.6.1 and 4.6.2 provide scenario diagrams to | |||
| illustrate how an outgoing message is created, and how an incoming | illustrate how an outgoing message is created, and how an incoming | |||
| message is processed. RFC3411 does not define ASIs for the "Send | message is processed. RFC3411 does not define ASIs for the "Send | |||
| SNMP Request Message to Network", "Receive SNMP Response Message from | SNMP Request Message to Network", "Receive SNMP Response Message from | |||
| Network", "Receive SNMP Message from Network" and "Send SNMP message | Network", "Receive SNMP Message from Network" and "Send SNMP message | |||
| to Network" arrows in these diagrams. | to Network" arrows in these diagrams. | |||
| This document defines two ASIs corresponding to these arrows: a | This document defines two ASIs corresponding to these arrows: a | |||
| sendMessage ASI to send SNMP messages to the network, and a | sendMessage ASI to send SNMP messages to the network, and a | |||
| receiveMessage ASI to receive SNMP messages from the network. These | receiveMessage ASI to receive SNMP messages from the network. These | |||
| ASIs are used for all SNMP messages, regardless of pduType. | ASIs are used for all SNMP messages, regardless of pduType. | |||
| 5. Cached Information and References | 5. Cached Information and References | |||
| When performing SNMP processing, there are two levels of state | When performing SNMP processing, there are two levels of state | |||
| information that may need to be retained: the immediate state linking | information that might need to be retained: the immediate state | |||
| a request-response pair, and potentially longer-term state relating | linking a request-response pair, and potentially longer-term state | |||
| to transport and security. | relating to transport and security. | |||
| The RFC3411 architecture uses caches to maintain the short-term | The RFC3411 architecture uses caches to maintain the short-term | |||
| message state, and uses references in the ASIs to pass this | message state, and uses references in the ASIs to pass this | |||
| information between subsystems. | information between subsystems. | |||
| This document defines the requirements for a cache to handle | This document defines the requirements for a cache to handle | |||
| additional short-term message state and longer-term transport state | additional short-term message state and longer-term transport state | |||
| information, using a tmStateReference parameter to pass this | information, using a tmStateReference parameter to pass this | |||
| information between subsystems. | information between subsystems. | |||
| To simplify the elements of procedure, the release of state | To simplify the elements of procedure, the release of state | |||
| information is not always explicitly specified. As a general rule, | information is not always explicitly specified. As a general rule, | |||
| if state information is available when a message being processed gets | if state information is available when a message being processed gets | |||
| discarded, the state related to that message SHOULD also be | discarded, the state related to that message should also be | |||
| discarded. If state information is available when a relationship | discarded. If state information is available when a relationship | |||
| between engines is severed, such as the closing of a transport | between engines is severed, such as the closing of a transport | |||
| session, the state information for that relationship SHOULD also be | session, the state information for that relationship should also be | |||
| discarded. | discarded. | |||
| Since the contents of a cache are meaningful only within an | Since the contents of a cache are meaningful only within an | |||
| implementation, and not on-the-wire, the format of the cache is | implementation, and not on-the-wire, the format of the cache is | |||
| implementation-specific. | implementation-specific. | |||
| 5.1. securityStateReference | 5.1. securityStateReference | |||
| The securityStateReference parameter is defined in RFC3411. Its | The securityStateReference parameter is defined in RFC3411. Its | |||
| primary purpose is to provide a mapping between a request and the | primary purpose is to provide a mapping between a request and the | |||
| skipping to change at page 18, line 44 ¶ | skipping to change at page 19, line 4 ¶ | |||
| For each transport session, information about the transport security | For each transport session, information about the transport security | |||
| is stored in a tmState cache or datastore, that is referenced by a | is stored in a tmState cache or datastore, that is referenced by a | |||
| tmStateReference. The tmStateReference parameter is used to pass | tmStateReference. The tmStateReference parameter is used to pass | |||
| model-specific and mechanism-specific parameters between the | model-specific and mechanism-specific parameters between the | |||
| Transport subsystem and transport-aware Security Models. | Transport subsystem and transport-aware Security Models. | |||
| In general, when necessary, the tmState is populated by the security | In general, when necessary, the tmState is populated by the security | |||
| model for outgoing messages and by the transport model for incoming | model for outgoing messages and by the transport model for incoming | |||
| messages. However, in both cases, the model populating the tmState | messages. However, in both cases, the model populating the tmState | |||
| may have incomplete information, and the missing information might be | might have incomplete information, and the missing information might | |||
| populated by the other model when the information becomes available. | be populated by the other model when the information becomes | |||
| available. | ||||
| The tmState might contain both long-term and short-term information. | The tmState might contain both long-term and short-term information. | |||
| The session information typically remains valid for the duration of | The session information typically remains valid for the duration of | |||
| the transport session, might be used for several messages, and might | the transport session, might be used for several messages, and might | |||
| be stored in a local configuration datastore. Some information has a | be stored in a local configuration datastore. Some information has a | |||
| shorter lifespan, such as tmSameSecurity and tmRequestedSecurityLevel | shorter lifespan, such as tmSameSecurity and tmRequestedSecurityLevel | |||
| which are associated with a specific message. | which are associated with a specific message. | |||
| Since this cache is only used within an implementation, and not on- | Since this cache is only used within an implementation, and not on- | |||
| the-wire, the precise contents and format of the cache are | the-wire, the precise contents and format of the cache are | |||
| skipping to change at page 20, line 28 ¶ | skipping to change at page 20, line 37 ¶ | |||
| representing this transport identity. This value is transport- | representing this transport identity. This value is transport- | |||
| and implementation-specific, and is only used (directly) by the | and implementation-specific, and is only used (directly) by the | |||
| Transport and Security Models. | Transport and Security Models. | |||
| o securityName: a human-readable name (in snmpAdminString format) | o securityName: a human-readable name (in snmpAdminString format) | |||
| representing the SNMP principal in a model-independent manner. | representing the SNMP principal in a model-independent manner. | |||
| This value is used directly by SNMP Applications, the access | This value is used directly by SNMP Applications, the access | |||
| control subsystem, the message processing subsystem, and the | control subsystem, the message processing subsystem, and the | |||
| security subsystem. | security subsystem. | |||
| The transport principal may or may not be the same as the | The transport principal might or might not be the same as the | |||
| tmSecurityName. Similarly, the tmSecurityName may or may not be the | tmSecurityName. Similarly, the tmSecurityName might or might not be | |||
| same as the securityName as seen by the Application and Access | the same as the securityName as seen by the Application and Access | |||
| Control subsystems. In particular, a non-transport-aware Security | Control subsystems. In particular, a non-transport-aware Security | |||
| Model will ignore tmSecurityName completely when determining the SNMP | Model will ignore tmSecurityName completely when determining the SNMP | |||
| securityName. | securityName. | |||
| However it is important that the mapping between the transport | However it is important that the mapping between the transport | |||
| principal and the SNMP securityName (for transport-aware Security | principal and the SNMP securityName (for transport-aware Security | |||
| Models) is consistent and predictable, to allow configuration of | Models) is consistent and predictable, to allow configuration of | |||
| suitable access control and the establishment of transport | suitable access control and the establishment of transport | |||
| connections. | connections. | |||
| skipping to change at page 21, line 27 ¶ | skipping to change at page 21, line 38 ¶ | |||
| this should be a SHOULD architecturally, and it is a security-model- | this should be a SHOULD architecturally, and it is a security-model- | |||
| specific decision whether to REQUIRE this. | specific decision whether to REQUIRE this. | |||
| o tmSameSecurity: this flag is used by a transport-aware Security | o tmSameSecurity: this flag is used by a transport-aware Security | |||
| Model to indicate whether the Transport Model MUST enforce this | Model to indicate whether the Transport Model MUST enforce this | |||
| restriction. | restriction. | |||
| o tmSessionID: in order to verify whether the session has changed, | o tmSessionID: in order to verify whether the session has changed, | |||
| the Transport Model must be able to compare the session used to | the Transport Model must be able to compare the session used to | |||
| receive the original request with the one to be used to send the | receive the original request with the one to be used to send the | |||
| response. This typically requires some form of session | response. This typically needs some form of session identifier. | |||
| identifier. This value is only ever used by the Transport Model, | This value is only ever used by the Transport Model, so the format | |||
| so the format and interpretation of this field are model-specific | and interpretation of this field are model-specific and | |||
| and implementation-dependent. | implementation-dependent. | |||
| When processing an outgoing message, if tmSameSecurity is true, then | When processing an outgoing message, if tmSameSecurity is true, then | |||
| the tmSessionID MUST match the current transport session, otherwise | the tmSessionID MUST match the current transport session, otherwise | |||
| the message MUST be discarded, and the dispatcher notified that | the message MUST be discarded, and the dispatcher notified that | |||
| sending the message failed. | sending the message failed. | |||
| 6. Abstract Service Interfaces | 6. Abstract Service Interfaces | |||
| Abstract service interfaces have been defined by RFC 3411 to describe | Abstract service interfaces have been defined by RFC 3411 to describe | |||
| the conceptual data flows between the various subsystems within an | the conceptual data flows between the various subsystems within an | |||
| skipping to change at page 22, line 12 ¶ | skipping to change at page 22, line 23 ¶ | |||
| 1) The release of state information is not always explicitly | 1) The release of state information is not always explicitly | |||
| specified in a transport model. As a general rule, if state | specified in a transport model. As a general rule, if state | |||
| information is available when a message gets discarded, the message- | information is available when a message gets discarded, the message- | |||
| state information should also be released, and if state information | state information should also be released, and if state information | |||
| is available when a session is closed, the session state information | is available when a session is closed, the session state information | |||
| should also be released. Keeping sensitive security information | should also be released. Keeping sensitive security information | |||
| longer than necessary might introduce potential vulnerabilities to an | longer than necessary might introduce potential vulnerabilities to an | |||
| implementation. | implementation. | |||
| 2)An error indication in statusInformation will typically include the | 2)An error indication in statusInformation will typically include the | |||
| OID and value for an incremented error counter. This may be | OID and value for an incremented error counter. This might be | |||
| accompanied by values for contextEngineID and contextName for this | accompanied by values for contextEngineID and contextName for this | |||
| counter, a value for securityLevel, and the appropriate state | counter, a value for securityLevel, and the appropriate state | |||
| reference if the information is available at the point where the | reference if the information is available at the point where the | |||
| error is detected. | error is detected. | |||
| 6.1. sendMessage ASI | 6.1. sendMessage ASI | |||
| The sendMessage ASI is used to pass a message from the Dispatcher to | The sendMessage ASI is used to pass a message from the Dispatcher to | |||
| the appropriate Transport Model for sending. In the diagram in | the appropriate Transport Model for sending. In the diagram in | |||
| section 4.6.1 of RFC 3411, the sendMessage ASI defined in this | section 4.6.1 of RFC 3411, the sendMessage ASI defined in this | |||
| skipping to change at page 22, line 34 ¶ | skipping to change at page 22, line 45 ¶ | |||
| In section 4.6.2, the sendMessage ASI replaces the text "Send SNMP | In section 4.6.2, the sendMessage ASI replaces the text "Send SNMP | |||
| Message to Network" | Message to Network" | |||
| If present and valid, the tmStateReference refers to a cache | If present and valid, the tmStateReference refers to a cache | |||
| containing transport-model-specific parameters for the transport and | containing transport-model-specific parameters for the transport and | |||
| transport security. How a tmStateReference is determined to be | transport security. How a tmStateReference is determined to be | |||
| present and valid is implementation-dependent. How the information | present and valid is implementation-dependent. How the information | |||
| in the cache is used is transport-model-dependent and implementation- | in the cache is used is transport-model-dependent and implementation- | |||
| dependent. | dependent. | |||
| This may sound underspecified, but a transport model might be | This might sound underspecified, but a transport model might be | |||
| something like SNMP over UDP over IPv6, where no security is | something like SNMP over UDP over IPv6, where no security is | |||
| provided, so it might have no mechanisms for utilizing a | provided, so it might have no mechanisms for utilizing a | |||
| tmStateReference cache. | tmStateReference cache. | |||
| statusInformation = | statusInformation = | |||
| sendMessage( | sendMessage( | |||
| IN destTransportDomain -- transport domain to be used | IN destTransportDomain -- transport domain to be used | |||
| IN destTransportAddress -- transport address to be used | IN destTransportAddress -- transport address to be used | |||
| IN outgoingMessage -- the message to send | IN outgoingMessage -- the message to send | |||
| IN outgoingMessageLength -- its length | IN outgoingMessageLength -- its length | |||
| skipping to change at page 26, line 7 ¶ | skipping to change at page 26, line 7 ¶ | |||
| 3411, the receiveMessage ASI replaces the text "Receive SNMP Response | 3411, the receiveMessage ASI replaces the text "Receive SNMP Response | |||
| Message from Network". In section 4.6.2, the receiveMessage ASI | Message from Network". In section 4.6.2, the receiveMessage ASI | |||
| replaces the text "Receive SNMP Message from Network". | replaces the text "Receive SNMP Message from Network". | |||
| When a message is received on a given transport session, if a cache | When a message is received on a given transport session, if a cache | |||
| does not already exist for that session, the Transport Model might | does not already exist for that session, the Transport Model might | |||
| create one, referenced by tmStateReference. The contents of this | create one, referenced by tmStateReference. The contents of this | |||
| cache are discussed in section 5. How this information is determined | cache are discussed in section 5. How this information is determined | |||
| is implementation- and transport-model-specific. | is implementation- and transport-model-specific. | |||
| "Might create one" may sound underspecified, but a transport model | "Might create one" might sound underspecified, but a transport model | |||
| might be something like SNMP over UDP over IPv6, where transport | might be something like SNMP over UDP over IPv6, where transport | |||
| security is not provided, so it might not create a cache. | security is not provided, so it might not create a cache. | |||
| The Transport Model does not know the securityModel for an incoming | The Transport Model does not know the securityModel for an incoming | |||
| message; this will be determined by the Message Processing Model in a | message; this will be determined by the Message Processing Model in a | |||
| message-processing-model-dependent manner. | message-processing-model-dependent manner. | |||
| statusInformation = | statusInformation = | |||
| receiveMessage( | receiveMessage( | |||
| IN transportDomain -- origin transport domain | IN transportDomain -- origin transport domain | |||
| skipping to change at page 26, line 31 ¶ | skipping to change at page 26, line 31 ¶ | |||
| IN tmStateReference -- reference to transport state | IN tmStateReference -- reference to transport state | |||
| ) | ) | |||
| 6.4. Changes to RFC3411 Incoming ASIs | 6.4. Changes to RFC3411 Incoming ASIs | |||
| The tmStateReference parameter has also been added to some of the | The tmStateReference parameter has also been added to some of the | |||
| incoming ASIs defined in RFC3411. How or if a Message Processing | incoming ASIs defined in RFC3411. How or if a Message Processing | |||
| Model or Security Model uses tmStateReference is message-processing- | Model or Security Model uses tmStateReference is message-processing- | |||
| and security-model-specific. | and security-model-specific. | |||
| This may sound underspecified, but a message processing model might | This might sound underspecified, but a message processing model might | |||
| have access to all the information from the cache and from the | have access to all the information from the cache and from the | |||
| message. The Message Processing Model might determine that the USM | message. The Message Processing Model might determine that the USM | |||
| Security Model is specified in an SNMPv3 message header; the USM | Security Model is specified in an SNMPv3 message header; the USM | |||
| Security Model has no need of values in the tmStateReference cache to | Security Model has no need of values in the tmStateReference cache to | |||
| authenticate and secure the SNMP message, but an application might | authenticate and secure the SNMP message, but an application might | |||
| have specified to use a secure transport such as that provided by the | have specified to use a secure transport such as that provided by the | |||
| SSH Transport Model to send the message to its destination. | SSH Transport Model to send the message to its destination. | |||
| 6.4.1. Message Processing Subsystem Primitive | 6.4.1. Message Processing Subsystem Primitive | |||
| skipping to change at page 28, line 31 ¶ | skipping to change at page 28, line 31 ¶ | |||
| ) -- information, needed for response | ) -- information, needed for response | |||
| 7. Security Considerations | 7. Security Considerations | |||
| This document defines an architectural approach that permits SNMP to | This document defines an architectural approach that permits SNMP to | |||
| utilize transport layer security services. Each proposed Transport | utilize transport layer security services. Each proposed Transport | |||
| Model should discuss the security considerations of that Transport | Model should discuss the security considerations of that Transport | |||
| Model. | Model. | |||
| It is considered desirable by some industry segments that SNMP | It is considered desirable by some industry segments that SNMP | |||
| Transport Models should utilize transport layer security that | Transport Models utilize transport layer security that addresses | |||
| addresses perfect forward secrecy at least for encryption keys. | perfect forward secrecy at least for encryption keys. Perfect | |||
| Perfect forward secrecy guarantees that compromise of long term | forward secrecy guarantees that compromise of long term secret keys | |||
| secret keys does not result in disclosure of past session keys. Each | does not result in disclosure of past session keys. Each proposed | |||
| proposed Transport Model should include a discussion in its security | Transport Model should include a discussion in its security | |||
| considerations of whether perfect forward security is appropriate for | considerations of whether perfect forward security is appropriate for | |||
| that Transport Model. | that Transport Model. | |||
| The Denial of Service characteristics of various transport models and | The Denial of Service characteristics of various transport models and | |||
| security protocols will vary and should be evaluated when determining | security protocols will vary and should be evaluated when determining | |||
| the applicability of a transport model to a particular deployment | the applicability of a transport model to a particular deployment | |||
| situation. | situation. | |||
| Since the cache will contain security-related parameters, | Since the cache will contain security-related parameters, | |||
| implementers should store this information (in memory or in | implementers SHOULD store this information (in memory or in | |||
| persistent storage) in a manner to protect it from unauthorized | persistent storage) in a manner to protect it from unauthorized | |||
| disclosure and/or modification. | disclosure and/or modification. | |||
| Care must be taken to ensure that a SNMP engine is sending packets | Care must be taken to ensure that a SNMP engine is sending packets | |||
| out over a transport using credentials that are legal for that engine | out over a transport using credentials that are legal for that engine | |||
| to use on behalf of that user. Otherwise an engine that has multiple | to use on behalf of that user. Otherwise an engine that has multiple | |||
| transports open might be "tricked" into sending a message through the | transports open might be "tricked" into sending a message through the | |||
| wrong transport. | wrong transport. | |||
| A Security Model may have multiple sources from which to define the | A Security Model might have multiple sources from which to define the | |||
| securityName and securityLevel. The use of a secure Transport Model | securityName and securityLevel. The use of a secure Transport Model | |||
| does not imply that the securityName and securityLevel chosen by the | does not imply that the securityName and securityLevel chosen by the | |||
| Security Model represent the transport-authenticated identity or the | Security Model represent the transport-authenticated identity or the | |||
| transport-provided security services. The securityModel, | transport-provided security services. The securityModel, | |||
| securityName, and securityLevel parameters are a related set, and an | securityName, and securityLevel parameters are a related set, and an | |||
| administrator should understand how the specified securityModel | administrator should understand how the specified securityModel | |||
| selects the corresponding securityName and securityLevel. | selects the corresponding securityName and securityLevel. | |||
| 7.1. Coexistence, Security Parameters, and Access Control | 7.1. Coexistence, Security Parameters, and Access Control | |||
| skipping to change at page 30, line 19 ¶ | skipping to change at page 30, line 19 ¶ | |||
| RFC3412), regardless of the transport mapping or transport model | RFC3412), regardless of the transport mapping or transport model | |||
| used. If the SNMPv3 message specifies the User-based Security | used. If the SNMPv3 message specifies the User-based Security | |||
| Model (USM), with noAuthNoPriv, then the access controls will be | Model (USM), with noAuthNoPriv, then the access controls will be | |||
| based on the unauthenticated USM user. | based on the unauthenticated USM user. | |||
| o For outgoing messages, if a secure transport model is selected in | o For outgoing messages, if a secure transport model is selected in | |||
| combination with a security model that does not populate a | combination with a security model that does not populate a | |||
| tmStateReference, the secure transport model SHOULD detect the | tmStateReference, the secure transport model SHOULD detect the | |||
| lack of a valid tmStateReference and fail. | lack of a valid tmStateReference and fail. | |||
| However, in times of network stress, a secure transport model may not | In times of network stress, a secure transport model might not work | |||
| work properly if its underlying security mechanisms (e.g., Network | properly if its underlying security mechanisms (e.g., Network Time | |||
| Time Protocol (NTP) or Authentication, Authorization, and Accounting | Protocol (NTP) or Authentication, Authorization, and Accounting (AAA) | |||
| (AAA) protocols or certificate authorities) are not reachable. The | protocols or certificate authorities) are not reachable. The User- | |||
| User-based Security Model was explicitly designed to not depend upon | based Security Model was explicitly designed to not depend upon | |||
| external network services, and provides its own security services. | external network services, and provides its own security services. | |||
| It is RECOMMENDED that operators provision authPriv USM as a fallback | It is RECOMMENDED that operators provision authPriv USM as a fallback | |||
| mechanism to supplement any security model or transport model that | mechanism to supplement any security model or transport model that | |||
| has external dependencies, so that secure SNMP communications can | has external dependencies, so that secure SNMP communications can | |||
| continue when the external network service is not available. | continue when the external network service is not available. | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| IANA is requested to create a new registry in the Simple Network | IANA is requested to create a new registry in the Simple Network | |||
| Management Protocol (SNMP) Number Spaces. The new registry should be | Management Protocol (SNMP) Number Spaces. The new registry should be | |||
| called "SNMP Transport Domains". This registry will contain ASCII | called "SNMP Transport Domains". This registry will contain US-ASCII | |||
| strings of one to four characters to identify prefixes for | alpha-numeric strings of one to four characters to identify prefixes | |||
| corresponding SNMP transport domains. Each transport domain requires | for corresponding SNMP transport domains. Each transport domain MUST | |||
| an OID assignment under snmpDomains [RFC2578] . Values are to be | have an OID assignment under snmpDomains [RFC2578] . Values are to | |||
| assigned via [RFC5226] "Specification Required". | be assigned via [RFC5226] "Specification Required". | |||
| The registry should be populated with the following initial entries: | The registry should be populated with the following initial entries: | |||
| Registry Name: SNMP Transport Domains | Registry Name: SNMP Transport Domains | |||
| Reference: [RFC2578] [RFC3417] [XXXX] | Reference: [RFC2578] [RFC3417] [XXXX] | |||
| Registration Procedures: Specification Required | Registration Procedures: Specification Required | |||
| Each domain is assigned a MIB-defined OID under snmpDomains | Each domain is assigned a MIB-defined OID under snmpDomains | |||
| Prefix snmpDomains Reference | Prefix snmpDomains Reference | |||
| ------- ----------------------------- --------- | ------- ----------------------------- --------- | |||
| skipping to change at page 34, line 4 ¶ | skipping to change at page 34, line 4 ¶ | |||
| Alvestrand, "Guidelines for | Alvestrand, "Guidelines for | |||
| Writing an IANA | Writing an IANA | |||
| Considerations Section in | Considerations Section in | |||
| RFCs", BCP 26, RFC 5226, | RFCs", BCP 26, RFC 5226, | |||
| May 2008. | May 2008. | |||
| [I-D.ietf-isms-transport-security-model] Harrington, D. and W. | [I-D.ietf-isms-transport-security-model] Harrington, D. and W. | |||
| Hardaker, "Transport | Hardaker, "Transport | |||
| Security Model for SNMP", d | Security Model for SNMP", d | |||
| raft-ietf-isms-transport- | raft-ietf-isms-transport- | |||
| security-model-12 (work in | security-model-13 (work in | |||
| progress), March 2009. | progress), April 2009. | |||
| [I-D.ietf-isms-secshell] Harrington, D., Salowey, | [I-D.ietf-isms-secshell] Harrington, D., Salowey, | |||
| J., and W. Hardaker, | J., and W. Hardaker, | |||
| "Secure Shell Transport | "Secure Shell Transport | |||
| Model for SNMP", | Model for SNMP", | |||
| draft-ietf-isms-secshell-15 | draft-ietf-isms-secshell-16 | |||
| (work in progress), | (work in progress), | |||
| March 2009. | April 2009. | |||
| [I-D.ietf-syslog-protocol] Gerhards, R., "The syslog | [RFC5424] Gerhards, R., "The Syslog | |||
| Protocol", draft-ietf- | Protocol", RFC 5424, | |||
| syslog-protocol-23 (work in | March 2009. | |||
| progress), September 2007. | ||||
| Appendix A. Why tmStateReference? | Appendix A. Why tmStateReference? | |||
| This appendix considers why a cache-based approach was selected for | This appendix considers why a cache-based approach was selected for | |||
| passing parameters. | passing parameters. | |||
| There are four approaches that could be used for passing information | There are four approaches that could be used for passing information | |||
| between the Transport Model and a Security Model. | between the Transport Model and a Security Model. | |||
| 1. one could define an ASI to supplement the existing ASIs, or | 1. one could define an ASI to supplement the existing ASIs, or | |||
| End of changes. 45 change blocks. | ||||
| 92 lines changed or deleted | 104 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||