idnits 2.17.1 draft-ietf-opsawg-snmp-engineid-discovery-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 377. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 388. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 395. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 401. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list. (Using the creation date from RFC3411, updated by this document, for RFC5378 checks: 2001-02-27) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 13, 2008) is 5914 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFCXXXX' is mentioned on line 262, but not defined ** Obsolete normative reference: RFC 2434 (Obsoleted by RFC 5226) == Outdated reference: A later version (-14) exists of draft-ietf-isms-transport-security-model-07 Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Schoenwaelder 3 Internet-Draft Jacobs University Bremen 4 Updates: 3411 (if approved) February 13, 2008 5 Intended status: Standards Track 6 Expires: August 16, 2008 8 Simple Network Management Protocol (SNMP) Context EngineID Discovery 9 draft-ietf-opsawg-snmp-engineid-discovery-02.txt 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on August 16, 2008. 36 Copyright Notice 38 Copyright (C) The IETF Trust (2008). 40 Abstract 42 The Simple Network Management Protocol (SNMP) version three (SNMPv3) 43 requires that an application knows the identifier (snmpEngineID) of 44 the remote SNMP protocol engine in order to retrieve or manipulate 45 objects maintained on the remote SNMP entity. 47 This document introduces a well-known localEngineID and a discovery 48 mechanism which can be used to learn the snmpEngineID of a remote 49 SNMP protocol engine. The proposed mechanism is independent of the 50 features provided by SNMP security models and may also be used by 51 other protocol interfaces providing access to managed objects. 53 This document updates RFC 3411. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 3. Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . 4 60 3.1. Local EngineID . . . . . . . . . . . . . . . . . . . . . . 5 61 3.2. EngineID Discovery . . . . . . . . . . . . . . . . . . . . 5 62 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 63 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 64 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 65 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 66 7.1. Normative References . . . . . . . . . . . . . . . . . . . 8 67 7.2. Informative References . . . . . . . . . . . . . . . . . . 8 68 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 9 69 Intellectual Property and Copyright Statements . . . . . . . . . . 10 71 1. Introduction 73 To retrieve or manipulate management information using the third 74 version of the Simple Network Management Protocol (SNMPv3) [RFC3410], 75 it is necessary to know the identifier of the remote SNMP protocol 76 engine, the so called snmpEngineID [RFC3411]. While an appropriate 77 snmpEngineID can in principle be configured on each management 78 application for each SNMP agent, it is often desirable to discover 79 the snmpEngineID automatically. 81 This document introduces a discovery mechanism which can be used to 82 learn the snmpEngineID of a remote SNMP protocol engine. The 83 proposed mechanism is independent of the features provided by SNMP 84 security models. The mechanism has been designed to co-exist with 85 discovery mechanisms that may exist in SNMP security models, such as 86 the authoritative engine identifier discovery of the User-based 87 Security Model (USM) of SNMP [RFC3414]. 89 This document updates RFC 3411 [RFC3411] by clarifying the IANA rules 90 for the maintenance of the SnmpEngineID format registry. 92 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 93 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 94 document are to be interpreted as described in RFC 2119 [RFC2119]. 96 2. Background 98 Within an administrative domain, an SNMP engine is uniquely 99 identified by an snmpEngineID value [RFC3411]. An SNMP entity, which 100 consists of an SNMP engine and several SNMP applications, may provide 101 access to multiple contexts. 103 An SNMP context is a collection of management information accessible 104 by an SNMP entity. An item of management information may exist in 105 more than one context and an SNMP entity potentially has access to 106 many contexts [RFC3411]. A context is identified by the snmpEngineID 107 value of the entity hosting the management information (also called a 108 contextEngineID) and a context name which identifies the specific 109 context (also called a contextName). 111 To identify an individual item of management information within an 112 administrative domain, a four tuple is used consisting of 114 1. a contextEngineID, 115 2. a contextName, 116 3. an object type, and 117 4. its instance identification. 119 The last two elements are encoded in an object identifier (OID) 120 value. The contextName is a character string (following the 121 SnmpAdminString textual convention of the SNMP-FRAMEWORK-MIB 122 [RFC3411]) while the contextEngineID is an octet string constructed 123 according to the rules defined as part of the SnmpEngineID textual 124 convention of the SNMP-FRAMEWORK-MIB [RFC3411]. 126 The SNMP protocol operations and the protocol data units (PDUs) 127 operate on OIDs and thus deal with object types and instances 128 [RFC3416]. The SNMP architecture [RFC3411] introduces the concept of 129 a scopedPDU as a data structure containing a contextEngineID, a 130 contextName, and a PDU. The SNMP version 3 (SNMPv3) message format 131 uses ScopedPDUs to exchange management information [RFC3412]. 133 Within the SNMP framework, contextEngineIDs serve as end-to-end 134 identifiers. This becomes important in situations where SNMP proxies 135 are deployed to translate between protocol versions or to cross 136 middleboxes such as network address translators. In addition, 137 snmpEngineIDs separate the identification of an SNMP engine from the 138 transport addresses used to communicate with an SNMP engine. This 139 property can be used to correlate management information easily even 140 in situations where multiple different transports were used to 141 retrieve the information or where transport addresses can change 142 dynamically. 144 To retrieve data from an SNMPv3 agent, it is necessary to know the 145 appropriate contextEngineID. The User-based Security Model (USM) of 146 SNMPv3 provides a mechanism to discover the snmpEngineID of the 147 remote SNMP engine since this is needed for security processing 148 reasons. The discovered snmpEngineID can subsequently be used as a 149 contextEngineID in a ScopedPDU to access management information local 150 to the remote SNMP engine. Other security models, such as the 151 Transport Security Model (TSM) [I-D.TSM], lack such a procedure and 152 may use the discovery mechanism defined in this memo. 154 3. Procedure 156 The proposed discovery mechanism consists of two parts, namely (i) 157 the definition of a special well-known snmpEngineID value, called the 158 localEngineID, which always refers to a local default context, and 159 (ii) the definition of a procedure to acquire the snmpEngineID scalar 160 of the SNMP-FRAMEWORK-MIB [RFC3411] using the special well-known 161 local localEngineID value. 163 3.1. Local EngineID 165 An SNMP command responder implementing this specification MUST 166 register their pduTypes using the localEngineID snmpEngineID value 167 (defined below) using the registerContextEngineID() Abstract Service 168 Interface (ASI) defined in RFC 3412 [RFC3412]. This registration is 169 done in addition to the normal registration under the SNMP engine's 170 snmpEngineID. This is consistent with the SNMPv3 specifications 171 since they explicitly allow to register multiple engineIDs and 172 multiple pduTypes [RFC3412]. 174 The SnmpEngineID textual convention [RFC3411] defines that an 175 snmpEngineID value MUST be between 5 and 32 octets long. This 176 specification proposes to use the variable length format 3) and to 177 allocate the reserved, unused format value 6, using the enterprise ID 178 0 for the localEngineID. An ASN.1 definition for localEngineID would 179 look like this: 181 localEngineID OCTET STRING ::= '8000000006'H 183 The localEngineID value always provides access to the default context 184 of an SNMP engine. Note that the localEngineID value is intended to 185 be used as a special value for the contextEngineID field in the 186 ScopedPDU. It MUST NOT be used as a value to identify an SNMP 187 engine, that is this value MUST NOT be used in the snmpEngineID.0 188 scalar [RFC3418] or in the msgAuthoritativeEngineID field in the 189 securityParameters of the User-based Security Model (USM) [RFC3414]. 191 3.2. EngineID Discovery 193 Discovery of the snmpEngineID is done by sending a Read Class 194 protocol operation (see section 2.8 of [RFC3411]) to retrieve the 195 snmpEngineID scalar using the localEngineID defined above as a 196 contextEngineID value. Implementations SHOULD only perform this 197 discovery step when it is needed. In particular, if security models 198 are used that already discover the remote snmpEngineID (such as USM), 199 then no further discovery is necessary. The same is true in 200 situations where the application already knows a suitable 201 snmpEngineID value. 203 The procedure to discover the snmpEngineID of a remote SNMP engine 204 can be described as follows: 206 1. Check whether a suitable contextEngineID value is already known. 207 If yes, use the provided contextEngineID value and stop the 208 discovery procedure. 210 2. Check whether the selected security model supports discovery of 211 the remote snmpEngineID (e.g., USM with its discovery mechanism). 212 If yes, let the security model perform the discovery. If the 213 remote snmpEngineID value has been successfully determined, 214 assign it to the contextEngineID and stop the discovery 215 procedure. 216 3. Send a Read Class operation to the remote SNMP engine using the 217 localEngineID value as the contextEngineID in order to retrieve 218 the scalar snmpEngineID.0 of the SNMP-FRAMEWORK-MIB [RFC3411]. 219 If successful, set the contextEngineID to the retrieved value and 220 stop the discovery procedure. 221 4. Return an error indication that a suitable contextEngineID could 222 not be discovered. 224 The procedure outlined above is an example and can be modified to 225 retrieve more variables in step 3), such as the sysObjectID.0 scalar 226 or the snmpSetSerialNo.0 scalar of the SNMPv2-MIB [RFC3418]. 228 4. IANA Considerations 230 RFC 3411 requested IANA to create a registry for SnmpEngineID 231 formats. However, RFC 3411 did not ask IANA to record the initial 232 assignments made by RFC 3411 nor did RFC 3411 spell out the precise 233 allocation rules. To address this issue, the following rules are 234 hereby established. 236 IANA has to maintain a registry for SnmpEngineID formats. The first 237 four octets of an SnmpEngineID carry an enterprise number while the 238 fifth octet in a variable length SnmpEngineID value, called the 239 format octet, indicates how the following octets are formed. The 240 following format values were allocated in [RFC3411]: 242 Format Description References 243 ------- ----------- ---------- 244 0 reserved, unused [RFC3411] 245 1 IPv4 address [RFC3411] 246 2 IPv6 address [RFC3411] 247 3 MAC address [RFC3411] 248 4 administratively assigned text [RFC3411] 249 5 administratively assigned octets [RFC3411] 250 6-127 reserved, unused [RFC3411] 251 128-255 enterprise specific [RFC3411] 253 IANA can assign new format values out of the originally assigned and 254 reserved number space 1-127. For new assignments in this number 255 space, a specification is required as per [RFC2434]. The number 256 space 128-255 is enterprise specific and not controlled by IANA. 258 This document requested the following assignment: 260 Format Description References 261 ------- ----------- ---------- 262 6 local engine [RFCXXXX] 264 [RFC Ed.: replace XXXX with RFC number assigned to the document] 266 5. Security Considerations 268 SNMP version 3 (SNMPv3) provides cryptographic security to protect 269 devices from unauthorized access. This specification recommends to 270 use the security services provided by SNMPv3. In particular, it is 271 RECOMMENDED to protect the discovery exchange. 273 In situations where SNMPv3 is used without security (i.e., the 274 security level of noAuthNoPriv is used), the introduction of a 275 localEngineID may make it slightly easier for an attacker to discover 276 suitable snmpEngineID values. However, since SNMP messages with a 277 security level of noAuthNoPriv are normally carried in clear-text 278 over the wire, it is usually easy for an attacker to discover 279 snmpEngineID values by sniffing on the wire and any attempts to keep 280 snmpEngineID values private will not lead to strong security. The 281 usage of SNMPv3 without security is therefore generally NOT 282 RECOMMENDED. 284 If a device configuration permits non-secure SNMPv1/v2c access to a 285 target system, then reading the snmpEngineID variable of the SNMP- 286 FRAMEWORK-MIB will also reveal a suitable contextEngineID value for 287 subsequent SNMPv3 usage. However, implementations should not rely on 288 non-secure SNMPv1/v2c access and therefore MUST implement this 289 specification to enable secure contextEngineID discovery. 291 The isAccessAllowed() abstract service primitive of the SNMP access 292 control subsystem does not take the contextEngineID into account when 293 checking access rights [RFC3411]. As a consequence, it is not 294 possible to define a special view for context engineID discovery. A 295 request with a localEngineID is thus treated like a request with the 296 correct snmpEngineID by the access control subsystem. This is inline 297 with the SNMPv3 design where the authenticated identity is the 298 securityName (together with the securityModel and securityLevel 299 information) and transport addresses or knowledge of contextEngineID 300 values do not impact to the access control decision. 302 6. Acknowledgments 304 Dave Perkins suggested to introduce a "local" contextEngineID during 305 the interim meeting of the ISMS working group in Boston, 2006. Joe 306 Fernandez, David Harrington, Dan Romascanu, and Bert Wijnen provided 307 helpful review and feedback, which helped to improve this document. 309 7. References 311 7.1. Normative References 313 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 314 Requirement Levels", BCP 14, RFC 2119, March 1997. 316 [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An 317 Architecture for Describing Simple Network Management 318 Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, 319 December 2002. 321 [RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, 322 "Message Processing and Dispatching for the Simple Network 323 Management Protocol (SNMP)", STD 62, RFC 3412, 324 December 2002. 326 [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model 327 (USM) for version 3 of the Simple Network Management 328 Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. 330 [RFC3416] Presuhn, R., "Version 2 of the Protocol Operations for the 331 Simple Network Management Protocol (SNMP)", STD 62, 332 RFC 3416, December 2002. 334 [RFC3418] Presuhn, R., "Management Information Base (MIB) for the 335 Simple Network Management Protocol (SNMP)", STD 62, 336 RFC 3418, December 2002. 338 [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an 339 IANA Considerations Section in RFCs", BCP 26, RFC 2434, 340 October 1998. 342 7.2. Informative References 344 [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, 345 "Introduction and Applicability Statements for Internet- 346 Standard Management Framework", RFC 3410, December 2002. 348 [I-D.TSM] Harrington, D., "Transport Security Model for SNMP", 349 draft-ietf-isms-transport-security-model-07.txt (work in 350 progress), November 2007. 352 Author's Address 354 Juergen Schoenwaelder 355 Jacobs University Bremen 356 Campus Ring 1 357 28725 Bremen 358 Germany 360 Phone: +49 421 200-3587 361 Email: j.schoenwaelder@jacobs-university.de 363 Full Copyright Statement 365 Copyright (C) The IETF Trust (2008). 367 This document is subject to the rights, licenses and restrictions 368 contained in BCP 78, and except as set forth therein, the authors 369 retain all their rights. 371 This document and the information contained herein are provided on an 372 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 373 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 374 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 375 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 376 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 377 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 379 Intellectual Property 381 The IETF takes no position regarding the validity or scope of any 382 Intellectual Property Rights or other rights that might be claimed to 383 pertain to the implementation or use of the technology described in 384 this document or the extent to which any license under such rights 385 might or might not be available; nor does it represent that it has 386 made any independent effort to identify any such rights. Information 387 on the procedures with respect to rights in RFC documents can be 388 found in BCP 78 and BCP 79. 390 Copies of IPR disclosures made to the IETF Secretariat and any 391 assurances of licenses to be made available, or the result of an 392 attempt made to obtain a general license or permission for the use of 393 such proprietary rights by implementers or users of this 394 specification can be obtained from the IETF on-line IPR repository at 395 http://www.ietf.org/ipr. 397 The IETF invites any interested party to bring to its attention any 398 copyrights, patents or patent applications, or other proprietary 399 rights that may cover technology that may be required to implement 400 this standard. Please address the information to the IETF at 401 ietf-ipr@ietf.org. 403 Acknowledgment 405 Funding for the RFC Editor function is provided by the IETF 406 Administrative Support Activity (IASA).