idnits 2.17.1 draft-ietf-opsawg-tlstm-update-00.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The abstract seems to contain references ([RFC6353], [RFC8446], [I-D.ietf-tls-dtls13]), which it shouldn't. Please replace those with straight textual mentions of the documents in question.
-- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too?
-- The draft header indicates that this document updates RFC6353, but the abstract doesn't seem to directly say this. It does mention RFC6353 though, so this could be OK.

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not match the current year
== The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires).
-- The document date (16 December 2021) is 854 days in the past. Is this intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)
== Unused Reference: 'RFC5591' is defined on line 1849, but no explicit reference was found in the text
== Unused Reference: 'STD58' is defined on line 1905, but no explicit reference was found in the text
-- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446)

Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 4 comments (--).

Run idnits with the --verbose option for more detailed information about the items above.
--------------------------------------------------------------------------------

Internet Engineering Task Force                           K. Vaughn, Ed.
Internet-Draft                                              Trevilon LLC
Updates: 6353 (if approved)                             16 December 2021
Intended status: Standards Track
Expires: 19 June 2022

  Transport Layer Security Version 1.3 (TLS 1.3) Transport Model for the
          Simple Network Management Protocol Version 3 (SNMPv3)
                   draft-ietf-opsawg-tlstm-update-00

Abstract

   This document updates the TLS Transport Model (TLSTM), as defined in [RFC6353], to support Transport Layer Security Version 1.3 (TLS) [RFC8446] and Datagram Transport Layer Security Version 1.3 (DTLS) [I-D.ietf-tls-dtls13], which are jointly known as "(D)TLS". This document may be applicable to future versions of SNMP and (D)TLS.

   This document updates the SNMP-TLS-TM-MIB as defined in [RFC6353].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 19 June 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions
   2.  Changes from RFC 6353
     2.1.  TLSTM Fingerprint
     2.2.  Security Level
     2.3.  TLS Version
     2.4.  SNMP Version
     2.5.  Common Name
   3.  Additional Rules for TLS 1.3
     3.1.  Zero Round Trip Time Resumption (0-RTT)
     3.2.  TLS ciphersuites, extensions and protocol invariants
   4.  MIB Module Definition
   5.  Security Considerations
     5.1.  MIB Module Security
   6.  IANA Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Target and Notification Configuration Example
     A.1.  Configuring a Notification Originator
     A.2.  Configuring TLSTM to Utilize a Simple Derivation of tmSecurityName
     A.3.  Configuring TLSTM to Utilize Table-Driven Certificate Mapping
   Author's Address

1.  Introduction

   This document updates the fingerprint algorithm defined by [RFC6353] to support the ciphersuites used by Transport Layer Security Version 1.3 (TLS) and Datagram Transport Layer Security Version 1.3 (DTLS), which are jointly known as "(D)TLS". The update also incorporates other less critical updates. Although the title and text of this document specifically reference SNMPv3 and (D)TLS 1.3, this document may be applicable to future versions of these protocols.

1.1.  Conventions

   Within this document the terms "TLS", "DTLS", "(D)TLS", "SNMP", and "TLSTM" mean "TLS 1.3", "DTLS 1.3", "TLS 1.3 and/or DTLS 1.3", "SNMPv3", and "TLSTM 1.3", respectively. These version numbers are only used when the text needs to emphasize version numbers, such as within the title. When this document refers to any other version of these protocols, it always explicitly states the version intended.

   For consistency with SNMP-related specifications, this document favors terminology as defined in [STD62], rather than favoring terminology that is consistent with non-SNMP specifications. This is consistent with the IESG decision to not require the SNMPv3 terminology be modified to match the usage of other non-SNMP specifications when SNMPv3 was advanced to a Full Standard.

   "Authentication" in this document typically refers to the English meaning of "serving to prove the authenticity of" the message, not data source authentication or peer identity authentication. The terms "manager" and "agent" are not used in this document because, in the RFC3411 architecture, all SNMP entities have the capability of acting as manager, agent, or both depending on the SNMP application types supported in the implementation. Where distinction is necessary, the application names of command generator, command responder, notification originator, notification receiver, and proxy forwarder are used. See "SNMP Applications" (RFC3411) for further information.

   Throughout this document, the terms "client" and "server" are used to refer to the two ends of the TLS transport connection. The client actively opens the TLS connection, and the server passively listens for the incoming TLS connection. An SNMP entity MAY act as a TLS client or server or both, depending on the SNMP applications supported.

   While TLS frequently refers to a user, the terminology preferred in RFC3411 and in this memo is "principal". A principal is the "who" on whose behalf services are provided or processing takes place. A principal can be, among other things, an individual acting in a particular role; a set of individuals, with each acting in a particular role; an application or a set of applications, or a combination of these within an administrative domain.

   Throughout this document, the term "session" is used to refer to a secure association between two TLS Transport Models that permits the transmission of one or more SNMP messages within the lifetime of the session. The TLS protocol also has an internal notion of a session and although these two concepts of a session are related, when the term "session" is used this document is referring to the TLSTM's specific session and not directly to the TLS protocol's session.

   The User-Based Security Model (USM) (RFC3414) is a mandatory-to-implement Security Model in [STD62]. The USM derives the securityName and securityLevel from the SNMP message received, even when the message was received over a secure transport. It is RECOMMENDED that deployments that support the TLSTM disable the USM, if it has been implemented.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2.  Changes from RFC 6353

   This document updates [RFC6353]. The changes from [RFC6353] are defined in the following clauses.

2.1.  TLSTM Fingerprint

   [RFC6353] defines a fingerprint algorithm that references the one-octet TLS 1.2 hash algorithm identifier. TLS 1.3 replaced the one-octet hash algorithm identifier with a two-octet TLS 1.3 cipher suite identifier, thereby breaking the algorithm defined in [RFC6353]. The update to the SNMP-TLS-TM-MIB, as defined in Section 4, deprecates the original fingerprint TEXTUAL-CONVENTION and replaces it with a new TEXTUAL-CONVENTION.

   The change also required an update to several objects within the tables defined within the SNMP-TLS-TM-MIB; further, these objects are referenced by other (e.g., RowStatus) objects in a manner that requires deprecating and replacing the tables in their entirety. Thus, while the number of objects deprecated and replaced is significant, the semantics of the changes are minor.

   References to the older objects within [RFC6353] are applicable to the replacement objects. The newer objects are identified with names similar to those used in the original MIB but with a "13" inserted to reference TLS 1.3.

2.2.  Security Level

   The RFC3411 architecture recognizes three levels of security:

   *  without authentication and without privacy (noAuthNoPriv)

   *  with authentication but without privacy (authNoPriv)

   *  with authentication and with privacy (authPriv)

   With (D)TLS 1.3, authentication and privacy are always provided. Hence, all exchanges conforming to the rules of this document will include authentication and privacy, regardless of the security level requested.

   // This is consistent with what was prescribed in RFC6353, where a
   // TLS Transport Model is expected to provide for outgoing
   // connections with a security level at least that of the requested
   // security level.

2.3.  TLS Version

   [RFC6353] stated that TLSTM clients and servers MUST NOT request, offer, or use SSL 2.0. This document extends this statement such that TLSTM clients and servers MUST NOT request, offer, or use SSL 3.0, (D)TLS v1.0, or (D)TLS v1.1. See Appendix D.5 of [RFC8446] for further details. For backward compatibility issues with older TLS versions, see Appendix D of [RFC8446].

   An implementation that supports these older protocols is not considered conformant to the TLSTM while the older protocols are enabled.

2.4.  SNMP Version

   [RFC6353] stated that using a non-transport-aware Security Model with a secure Transport Model was not recommended. This document tightens this statement such that TLSTM clients and servers MUST NOT request, offer, or use SNMPv1 or SNMPv2c message processing described in [RFC3584], or the User-based Security Model of SNMPv3.

   An implementation that supports these older protocols is not considered conformant to the TLSTM while the older protocols are enabled.
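As an added illustration of the Section 2.1 change (example code, not part of the draft or its MIB module), the following Python builds, parses and matches the new cipher-suite-prefixed SnmpTLS13Fingerprint beside the deprecated 1-octet SnmpTLSFingerprint layout it replaces. It assumes that the octets following the 2-octet cipher suite identifier are produced by the hash function that the cipher suite itself is defined with (the "SHA256"/"SHA384" in the RFC 8446 suite names); the certificate bytes are a constructed stand-in, not a real DER certificate.

```python
"""SnmpTLS13Fingerprint handling: build, parse and match the
cipher-suite-prefixed fingerprint this document introduces, next to the
deprecated 1-octet SnmpTLSFingerprint layout it replaces."""
import hashlib
import hmac

# TLS 1.3 cipher suite identifiers from RFC 8446, Appendix B.4, and the
# hash function each suite is defined with.  Assumption: the fingerprint
# octets that follow the 2-octet identifier are computed with that hash.
TLS13_SUITE_HASH = {
    0x1301: "sha256",  # TLS_AES_128_GCM_SHA256
    0x1302: "sha384",  # TLS_AES_256_GCM_SHA384
    0x1303: "sha256",  # TLS_CHACHA20_POLY1305_SHA256
    0x1304: "sha256",  # TLS_AES_128_CCM_SHA256
    0x1305: "sha256",  # TLS_AES_128_CCM_8_SHA256
}

# Deprecated layout: 1-octet HashAlgorithm identifier (RFC 5246 registry).
TLS12_HASH_ID = {4: "sha256", 5: "sha384", 6: "sha512"}

MAX_LEN = 255  # both TCs: SYNTAX OCTET STRING (SIZE (0..255))


def tls13_fingerprint(cipher_suite: int, cert_der: bytes) -> bytes:
    """2-octet cipher suite id || hash(certificate), at most 253 hash octets."""
    if cipher_suite not in TLS13_SUITE_HASH:
        raise ValueError(f"unknown TLS 1.3 cipher suite 0x{cipher_suite:04x}")
    digest = hashlib.new(TLS13_SUITE_HASH[cipher_suite], cert_der).digest()
    return cipher_suite.to_bytes(2, "big") + digest[: MAX_LEN - 2]


def tls12_fingerprint(hash_id: int, cert_der: bytes) -> bytes:
    """Deprecated SnmpTLSFingerprint: 1-octet hash id || hash(certificate)."""
    if hash_id not in TLS12_HASH_ID:
        raise ValueError(f"unknown TLS 1.2 HashAlgorithm id {hash_id}")
    digest = hashlib.new(TLS12_HASH_ID[hash_id], cert_der).digest()
    return bytes([hash_id]) + digest[: MAX_LEN - 1]


def parse_tls13_fingerprint(value: bytes):
    """Return (suite id, hash name, digest octets), or None for a value that
    is blank (allowed by the TC, meaning 'no fingerprint'), oversized, or
    prefixed with an identifier that is not a known TLS 1.3 cipher suite.
    A value written in the deprecated 1-octet layout falls into the last
    category, which is why the two TCs cannot share one column."""
    if not 3 <= len(value) <= MAX_LEN:
        return None
    suite = int.from_bytes(value[:2], "big")
    algo = TLS13_SUITE_HASH.get(suite)
    if algo is None:
        return None
    return suite, algo, value[2:]


def fingerprint_matches(stored: bytes, cert_der: bytes) -> bool:
    """Decide whether a configured SnmpTLS13Fingerprint identifies the
    presented DER certificate: recompute the hash named by the stored suite
    id over the certificate and compare in constant time.  A stored digest
    of the wrong length (e.g. truncated) is treated as a non-match."""
    parsed = parse_tls13_fingerprint(stored)
    if parsed is None:
        return False
    _suite, algo, digest = parsed
    expected = hashlib.new(algo, cert_der).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    cert = b"-- constructed stand-in for a DER-encoded certificate --"
    fp = tls13_fingerprint(0x1301, cert)
    print(fp.hex(), fingerprint_matches(fp, cert))
```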
2.5.  Common Name

   [RFC6353] stated that the use of a certificate's CommonName is deprecated and users were encouraged to use the subjectAltName. This document tightens this statement such that TLSTM clients and servers MUST NOT use the CommonName.

3.  Additional Rules for TLS 1.3

   This document specifies additional rules and clarifications for the use of TLS 1.3.

3.1.  Zero Round Trip Time Resumption (0-RTT)

   TLS 1.3 implementations for SNMPv3 MUST NOT enable the 0-RTT mode of session resumption (either sending or accepting) and MUST NOT automatically resend 0-RTT data if it is rejected by the server. The reason 0-RTT is disallowed is that there are no "safe" messages that, if replayed, are guaranteed to cause no harm at the server side: all incoming notifications or command responses are meant to be acted upon only once. See the Security Considerations section for further details.

   TLSTM clients and servers MUST NOT request, offer or use the 0-RTT mode of TLS 1.3. [RFC8446] removed the renegotiation supported in TLS 1.2 [RFC5246]; for session resumption, it introduced a zero-RTT (0-RTT) mode, saving a round trip at connection setup at the cost of increased risk of replay attacks (it is possible for servers to guard against this attack by keeping track of all the messages received). [RFC8446] requires that a profile be written for any application that wants to use 0-RTT, specifying which messages are "safe to use" in this mode. The reason 0-RTT is disallowed here is that there are no "safe" SNMPv3 messages that, if replayed, will be sure to cause no harm at the server side: all incoming notifications or command responses have consequences and are to be acted upon only once.

   Renegotiation of sessions is not supported as it is not supported by TLS 1.3.
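The certificate-to-tmSecurityName mapping that the MIB module in Section 4 specifies (the snmpTlstmCertSAN* identities and the prioritized row search of the snmpTlstmCertToTSNTable, which never consults the CommonName), as an added Python example; it is not code from the draft, and the row, fingerprint and certificate values are constructed. It assumes the presented certificate has already been validated and that its fingerprint, and that of the CA used for path validation, are available in the same encoding the table stores.

```python
"""Table-driven derivation of a tmSecurityName from a (D)TLS client
certificate, following the snmpTlstmCertToTSNTable row-search rules and
the snmpTlstmCertSAN* mapping identities of the SNMP-TLS-TM-MIB."""
import ipaddress
from dataclasses import dataclass

VACM_MAX_NAME_OCTETS = 32  # VACM imposes a 32-octet maximum securityName

# snmpTlstmCertToTSNMIdentities, used here as plain labels.
CERT_SPECIFIED = "snmpTlstmCertSpecified"
SAN_RFC822 = "snmpTlstmCertSANRFC822Name"
SAN_DNS = "snmpTlstmCertSANDNSName"
SAN_IP = "snmpTlstmCertSANIpAddress"
SAN_ANY = "snmpTlstmCertSANAny"

SAN_TYPES_FOR = {
    SAN_RFC822: ("rfc822Name",),
    SAN_DNS: ("dNSName",),
    SAN_IP: ("iPAddress",),
    SAN_ANY: ("rfc822Name", "dNSName", "iPAddress"),
}


@dataclass
class PresentedCert:
    """Constructed stand-in for the already-validated client certificate:
    its own fingerprint (as the table stores it), the fingerprint of the
    trusted CA that validated its path (b'' when matched by fingerprint
    only), and its subjectAltName entries in certificate order."""
    fingerprint: bytes
    path_ca_fingerprint: bytes
    sans: list  # [(san_type, value)]; iPAddress values are raw octets


@dataclass
class Row:
    """One active snmpTlstmCertToTSNTable row: ID, fingerprint, map type, data."""
    tsn_id: int
    fingerprint: bytes
    map_type: str
    data: str = ""


def map_rfc822(name: str) -> str:
    """snmpTlstmCertSANRFC822Name: local part unaltered, host part lowercased."""
    local, _, host = name.rpartition("@")
    return f"{local}@{host.lower()}"


def map_dns(name: str) -> str:
    """snmpTlstmCertSANDNSName: whole name lowercased."""
    return name.lower()


def map_ip(raw: bytes) -> str:
    """snmpTlstmCertSANIpAddress: 4 octets -> dotted quad; 16 octets -> 32
    lowercase hex characters without colons (exactly the VACM maximum)."""
    if len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if len(raw) == 16:
        return raw.hex()
    raise ValueError("iPAddress subjectAltName must be 4 or 16 octets")


SAN_MAPPERS = {"rfc822Name": map_rfc822, "dNSName": map_dns, "iPAddress": map_ip}


def derive_tm_security_name(row: Row, cert: PresentedCert):
    """Apply the row's map type; None when no tmSecurityName can be derived."""
    if row.map_type == CERT_SPECIFIED:
        return row.data or None  # empty data column: the mapping is a failure
    wanted = SAN_TYPES_FOR.get(row.map_type, ())
    for san_type, value in cert.sans:  # first SAN of an accepted type wins
        if san_type in wanted:
            return SAN_MAPPERS[san_type](value)
    return None


def row_matches(row: Row, cert: PresentedCert) -> bool:
    """Rule 1: the row's fingerprint identifies the presented certificate.
    Rule 2: it identifies the trusted CA used to validate the path."""
    if not row.fingerprint:
        return False
    return row.fingerprint in (cert.fingerprint, cert.path_ca_fingerprint)


def lookup_tm_security_name(table, cert: PresentedCert):
    """Walk active rows in ascending snmpTlstmCertToTSNID order (gaps such as
    10, 20, 30 are fine) and return the first usable tmSecurityName.  A row
    whose derived name is empty or longer than VACM allows is an invalid
    match and the search continues.  None means no valid row was found: the
    connection MUST be closed and no SNMP messages accepted over it."""
    for row in sorted(table, key=lambda r: r.tsn_id):
        if not row_matches(row, cert):
            continue
        name = derive_tm_security_name(row, cert)
        if name is None or not 1 <= len(name.encode("utf-8")) <= VACM_MAX_NAME_OCTETS:
            continue
        return name
    return None
```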
3.2.  TLS ciphersuites, extensions and protocol invariants

   [RFC8446] section 9 requires that, in the absence of application profiles, certain cipher suites, TLS extensions, and TLS protocol invariants are mandatory to implement. This document does not specify an application profile, hence all of the compliance requirements in [RFC8446] apply.

4.  MIB Module Definition

   SNMP-TLS-TM-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE,
       OBJECT-IDENTITY, mib-2, snmpDomains,
       Counter32, Unsigned32, Gauge32, NOTIFICATION-TYPE
         FROM SNMPv2-SMI                 -- RFC 2578 or any update thereof
       TEXTUAL-CONVENTION, TimeStamp, RowStatus, StorageType,
       AutonomousType
         FROM SNMPv2-TC                  -- RFC 2579 or any update thereof
       MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
         FROM SNMPv2-CONF                -- RFC 2580 or any update thereof
       SnmpAdminString
         FROM SNMP-FRAMEWORK-MIB         -- RFC 3411 or any update thereof
       snmpTargetParamsName, snmpTargetAddrName
         FROM SNMP-TARGET-MIB            -- RFC 3413 or any update thereof
       ;

   snmpTlstmMIB MODULE-IDENTITY
       LAST-UPDATED "202106220000Z"
       ORGANIZATION "ISMS Working Group"
       CONTACT-INFO "Kenneth Vaughn
                     Trevilon LLC
                     6606 FM 1488 RD, STE 503
                     Magnolia, TX 77354
                     USA
                     kvaughn@trevilon.com"
       DESCRIPTION  "
           The TLS Transport Model MIB

           Copyright (c) 2010-2021 IETF Trust and the persons identified
           as authors of the code.  All rights reserved.

           Redistribution and use in source and binary forms, with or
           without modification, is permitted pursuant to, and subject
           to the license terms contained in, the Simplified BSD License
           set forth in Section 4.c of the IETF Trust's Legal Provisions
           Relating to IETF Documents
           (http://trustee.ietf.org/license-info)."

       REVISION     "202106220000Z"
       DESCRIPTION  "This version of this MIB module is part of
                     RFC XXXX; see the RFC itself for full legal
                     notices.  This version updated the MIB to
                     support (D)TLS 1.3."

       REVISION     "201107190000Z"
       DESCRIPTION  "This version of this MIB module is part of
                     RFC 6353; see the RFC itself for full legal
                     notices.  The only change was to introduce
                     new wording to reflect required changes for
                     IDNA addresses in the SnmpTLSAddress TC."

       REVISION     "201005070000Z"
       DESCRIPTION  "This version of this MIB module is part of
                     RFC 5953; see the RFC itself for full legal
                     notices."
       ::= { mib-2 198 }

   -- ************************************************
   -- subtrees of the SNMP-TLS-TM-MIB
   -- ************************************************

   snmpTlstmNotifications OBJECT IDENTIFIER ::= { snmpTlstmMIB 0 }
   snmpTlstmIdentities    OBJECT IDENTIFIER ::= { snmpTlstmMIB 1 }
   snmpTlstmObjects       OBJECT IDENTIFIER ::= { snmpTlstmMIB 2 }
   snmpTlstmConformance   OBJECT IDENTIFIER ::= { snmpTlstmMIB 3 }

   -- ************************************************
   -- snmpTlstmObjects - Objects
   -- ************************************************

   snmpTLSTCPDomain OBJECT-IDENTITY
       STATUS      current
       DESCRIPTION
           "The SNMP over TLS via TCP transport domain.  The
           corresponding transport address is of type SnmpTLSAddress.

           The securityName prefix to be associated with the
           snmpTLSTCPDomain is 'tls'.  This prefix may be used by
           security models or other components to identify which secure
           transport infrastructure authenticated a securityName."
       REFERENCE
           "RFC 2579: Textual Conventions for SMIv2"
       ::= { snmpDomains 8 }

   snmpDTLSUDPDomain OBJECT-IDENTITY
       STATUS      deprecated
       DESCRIPTION
           "The SNMP over DTLS via UDP transport domain.  The
           corresponding transport address is of type SnmpTLSAddress.

           The securityName prefix to be associated with the
           snmpDTLSUDPDomain is 'dtls'.  This prefix may be used by
           security models or other components to identify which secure
           transport infrastructure authenticated a securityName."
       REFERENCE
           "RFC 2579: Textual Conventions for SMIv2"
       ::= { snmpDomains 9 }

   SnmpTLSAddress ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "1a"
       STATUS       current
       DESCRIPTION
           "Represents an IPv4 address, an IPv6 address, or a
           US-ASCII-encoded hostname and port number.

           An IPv4 address must be in dotted decimal format followed by a
           colon ':' (US-ASCII character 0x3A) and a decimal port number
           in US-ASCII.

           An IPv6 address must be a colon-separated format (as described
           in RFC 5952), surrounded by square brackets ('[', US-ASCII
           character 0x5B, and ']', US-ASCII character 0x5D), followed by
           a colon ':' (US-ASCII character 0x3A) and a decimal port number
           in US-ASCII.

           A hostname is always in US-ASCII (as per RFC 1123);
           internationalized hostnames are encoded as A-labels as
           specified in RFC 5890.  The hostname is followed by a
           colon ':' (US-ASCII character 0x3A) and a decimal port number
           in US-ASCII.  The name SHOULD be fully qualified whenever
           possible.

           Values of this textual convention may not be directly usable
           as transport-layer addressing information, and may require
           run-time resolution.  As such, applications that write them
           must be prepared for handling errors if such values are not
           supported, or cannot be resolved (if resolution occurs at the
           time of the management operation).

           The DESCRIPTION clause of TransportAddress objects that may
           have SnmpTLSAddress values must fully describe how (and
           when) such names are to be resolved to IP addresses and vice
           versa.

           This textual convention SHOULD NOT be used directly in object
           definitions since it restricts addresses to a specific
           format.  However, if it is used, it MAY be used either on its
           own or in conjunction with TransportAddressType or
           TransportDomain as a pair.

           When this textual convention is used as a syntax of an index
           object, there may be issues with the limit of 128
           sub-identifiers specified in SMIv2 (STD 58).  It is
           RECOMMENDED that all MIB documents using this textual
           convention make explicit any limitations on index component
           lengths that management software must observe.  This may be
           done either by including SIZE constraints on the index
           components or by specifying applicable constraints in the
           conceptual row DESCRIPTION clause or in the surrounding
           documentation."
       REFERENCE
          "RFC 1123: Requirements for Internet Hosts - Application and
                     Support
           RFC 5890: Internationalized Domain Names for Applications
                     (IDNA): Definitions and Document Framework
           RFC 5952: A Recommendation for IPv6 Address Text Representation
          "
       SYNTAX       OCTET STRING (SIZE (1..255))

   SnmpTLSFingerprint ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "1x:1x"
       STATUS       deprecated
       DESCRIPTION
           "A fingerprint value that can be used to uniquely reference
           other data of potentially arbitrary length.

           An SnmpTLSFingerprint value is composed of a 1-octet hashing
           algorithm identifier followed by the fingerprint value.  The
           octet value encoded is taken from the IANA TLS HashAlgorithm
           Registry (RFC 5246).  The remaining octets are filled using the
           results of the hashing algorithm.

           This TEXTUAL-CONVENTION allows for a zero-length (blank)
           SnmpTLSFingerprint value for use in tables where the
           fingerprint value may be optional.  MIB definitions or
           implementations may refuse to accept a zero-length value as
           appropriate.

           This textual convention was deprecated because TLS 1.3 uses a
           2-octet cipher suite identifier rather than a 1-octet hashing
           algorithm identifier."
       REFERENCE "RFC 5246: The Transport Layer
                  Security (TLS) Protocol Version 1.2
                  http://www.iana.org/assignments/tls-parameters/
                 "
       SYNTAX       OCTET STRING (SIZE (0..255))

   SnmpTLS13Fingerprint ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "1x,1x"
       STATUS       current
       DESCRIPTION
           "A fingerprint value that can be used to uniquely reference
           other data of potentially arbitrary length.

           An SnmpTLS13Fingerprint value is composed of a 2-octet cipher
           suite identifier followed by the fingerprint value.  The
           octet value encoded is taken from the IANA TLS Cipher Suites
           Registry (RFC 8446).  The remaining octets are filled using the
           results of the hashing algorithm, up to the first 253 octets.

           This TEXTUAL-CONVENTION allows for a zero-length (blank)
           SnmpTLS13Fingerprint value for use in tables where the
           fingerprint value may be optional.  MIB definitions or
           implementations may refuse to accept a zero-length value as
           appropriate."
       REFERENCE "RFC 8446: The Transport Layer
                  Security (TLS) Protocol Version 1.3
                  http://www.iana.org/assignments/tls-parameters/
                 "
       SYNTAX       OCTET STRING (SIZE (0..255))

   -- Identities for use in the snmpTlstmCertToTSNTable and
   -- snmpTlstmCertToTSN13Table

   snmpTlstmCertToTSNMIdentities OBJECT IDENTIFIER
       ::= { snmpTlstmIdentities 1 }

   snmpTlstmCertSpecified OBJECT-IDENTITY
       STATUS      current
       DESCRIPTION "Directly specifies the tmSecurityName to be used for
                    this certificate.  The value of the tmSecurityName
                    to use is specified in the snmpTlstmCertToTSN13Data
                    column.  The snmpTlstmCertToTSN13Data column must
                    contain a non-zero length SnmpAdminString compliant
                    value or the mapping described in this row must be
                    considered a failure."
       ::= { snmpTlstmCertToTSNMIdentities 1 }

   snmpTlstmCertSANRFC822Name OBJECT-IDENTITY
       STATUS      current
       DESCRIPTION "Maps a subjectAltName's rfc822Name to a
                    tmSecurityName.  The local part of the rfc822Name is
                    passed unaltered but the host-part of the name must
                    be passed in lowercase.  This mapping results in a
                    1:1 correspondence between equivalent subjectAltName
                    rfc822Name values and tmSecurityName values except
                    that the host-part of the name MUST be passed in
                    lowercase.

                    Example rfc822Name Field:  FooBar@Example.COM
                    is mapped to tmSecurityName: FooBar@example.com."
       ::= { snmpTlstmCertToTSNMIdentities 2 }

   snmpTlstmCertSANDNSName OBJECT-IDENTITY
       STATUS      current
       DESCRIPTION "Maps a subjectAltName's dNSName to a
                    tmSecurityName after first converting it to all
                    lowercase (RFC 5280 does not specify converting to
                    lowercase so this involves an extra step).  This
                    mapping results in a 1:1 correspondence between
                    subjectAltName dNSName values and the tmSecurityName
                    values."
       REFERENCE "RFC 5280 - Internet X.509 Public Key Infrastructure
                             Certificate and Certificate Revocation
                             List (CRL) Profile."
       ::= { snmpTlstmCertToTSNMIdentities 3 }

   snmpTlstmCertSANIpAddress OBJECT-IDENTITY
       STATUS      current
       DESCRIPTION "Maps a subjectAltName's iPAddress to a
                    tmSecurityName by transforming the binary encoded
                    address as follows:

                    1) for IPv4, the value is converted into a
                       decimal-dotted quad address (e.g., '192.0.2.1').

                    2) for IPv6 addresses, the value is converted into a
                       32-character all lowercase hexadecimal string
                       without any colon separators.

                    This mapping results in a 1:1 correspondence between
                    subjectAltName iPAddress values and the
                    tmSecurityName values.

                    The resulting length of an encoded IPv6 address is
                    the maximum length supported by the View-Based
                    Access Control Model (VACM).  Using the Transport
                    Security Model's support for transport prefixes (see
                    the SNMP-TSM-MIB's snmpTsmConfigurationUsePrefix
                    object for details) together with this mapping will
                    result in securityName lengths that exceed what VACM
                    can handle."
       ::= { snmpTlstmCertToTSNMIdentities 4 }

   snmpTlstmCertSANAny OBJECT-IDENTITY
       STATUS      current
       DESCRIPTION "Maps any of the following fields using the
                    corresponding mapping algorithms:

                    |------------+----------------------------|
                    | Type       | Algorithm                  |
                    |------------+----------------------------|
                    | rfc822Name | snmpTlstmCertSANRFC822Name |
                    | dNSName    | snmpTlstmCertSANDNSName    |
                    | iPAddress  | snmpTlstmCertSANIpAddress  |
                    |------------+----------------------------|

                    The first matching subjectAltName value found in the
                    certificate of the above types MUST be used when
                    deriving the tmSecurityName.  The mapping algorithm
                    specified in the 'Algorithm' column MUST be used to
                    derive the tmSecurityName.

                    This mapping results in a 1:1 correspondence between
                    subjectAltName values and tmSecurityName values.  The
                    three sub-mapping algorithms produced by this
                    combined algorithm cannot produce conflicting
                    results between themselves."
       ::= { snmpTlstmCertToTSNMIdentities 5 }

   snmpTlstmCertCommonName OBJECT-IDENTITY
       STATUS      deprecated
       DESCRIPTION "Maps a certificate's CommonName to a tmSecurityName
                    after converting it to a UTF-8 encoding.  The usage
                    of CommonNames is deprecated and users are
                    encouraged to use subjectAltName mapping methods
                    instead.  This mapping results in a 1:1
                    correspondence between certificate CommonName values
                    and tmSecurityName values."
       ::= { snmpTlstmCertToTSNMIdentities 6 }

   -- The snmpTlstmSession Group

   snmpTlstmSession OBJECT IDENTIFIER ::= { snmpTlstmObjects 1 }

   snmpTlstmSessionOpens OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of times an openSession() request has been executed
           as a (D)TLS client, regardless of whether it succeeded or
           failed."
       ::= { snmpTlstmSession 1 }

   snmpTlstmSessionClientCloses OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of times a closeSession() request has been
           executed as a (D)TLS client, regardless of whether it
           succeeded or failed."
       ::= { snmpTlstmSession 2 }

   snmpTlstmSessionOpenErrors OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of times an openSession() request failed to open a
           session as a (D)TLS client, for any reason."
       ::= { snmpTlstmSession 3 }

   snmpTlstmSessionAccepts OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of times a (D)TLS server has accepted a new
           connection from a client and has received at least one SNMP
           message through it."
       ::= { snmpTlstmSession 4 }

   snmpTlstmSessionServerCloses OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of times a closeSession() request has been
           executed as a (D)TLS server, regardless of whether it
           succeeded or failed."
       ::= { snmpTlstmSession 5 }

   snmpTlstmSessionNoSessions OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of times an outgoing message was dropped because
           the session associated with the passed tmStateReference was no
           longer (or was never) available."
       ::= { snmpTlstmSession 6 }

   snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of times an incoming session was not established
           on a (D)TLS server because the presented client certificate
           was invalid.  Reasons for invalidation include, but are not
           limited to, cryptographic validation failures or lack of a
           suitable mapping row in the snmpTlstmCertToTSNTable or the
           snmpTlstmCertToTSN13Table."
       ::= { snmpTlstmSession 7 }

   snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of times an outgoing session was not established
           on a (D)TLS client because the server certificate presented
           by an SNMP over (D)TLS server was invalid because no
           configured fingerprint or Certification Authority (CA) was
           acceptable to validate it.

           This may result because there was no entry in the
           snmpTlstmAddrTable (or snmpTlstmAddr13Table) or because no
           path could be found to a known CA."
       ::= { snmpTlstmSession 8 }

   snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of times an outgoing session was not established
           on a (D)TLS client because the server certificate presented
           by an SNMP over (D)TLS server could not be validated even if
           the fingerprint or expected validation path was known.  That
           is, a cryptographic validation error occurred during
           certificate validation processing.

           Reasons for invalidation include, but are not
           limited to, cryptographic validation failures."
       ::= { snmpTlstmSession 9 }

   snmpTlstmSessionInvalidCaches OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of outgoing messages dropped because the
           tmStateReference referred to an invalid cache."
       ::= { snmpTlstmSession 10 }

   -- Configuration Objects

   snmpTlstmConfig OBJECT IDENTIFIER ::= { snmpTlstmObjects 2 }

   -- Certificate mapping

   snmpTlstmCertificateMapping OBJECT IDENTIFIER ::= { snmpTlstmConfig 1 }

   snmpTlstmCertToTSNCount OBJECT-TYPE
       SYNTAX      Gauge32
       MAX-ACCESS  read-only
       STATUS      deprecated
       DESCRIPTION
           "A count of the number of entries in the
           snmpTlstmCertToTSNTable."
       ::= { snmpTlstmCertificateMapping 1 }

   snmpTlstmCertToTSNTableLastChanged OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      deprecated
       DESCRIPTION
           "The value of sysUpTime.0 when the snmpTlstmCertToTSNTable was
           last modified through any means, or 0 if it has not been
           modified since the command responder was started."
       ::= { snmpTlstmCertificateMapping 2 }

   snmpTlstmCertToTSNTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SnmpTlstmCertToTSNEntry
       MAX-ACCESS  not-accessible
       STATUS      deprecated
       DESCRIPTION
           "This table is used by a (D)TLS server to map the (D)TLS
           client's presented X.509 certificate to a tmSecurityName.

           On an incoming (D)TLS/SNMP connection, the client's presented
           certificate must either be validated based on an established
           trust anchor, or it must directly match a fingerprint in this
           table.  This table does not provide any mechanisms for
           configuring the trust anchors; the transfer of any needed
           trusted certificates for path validation is expected to occur
           through an out-of-band transfer.

           Once the certificate has been found acceptable (either by path
           validation or directly matching a fingerprint in this table),
           this table is consulted to determine the appropriate
           tmSecurityName to identify with the remote connection.  This
           is done by considering each active row from this table in
           prioritized order according to its snmpTlstmCertToTSNID value.
           Each row's snmpTlstmCertToTSNFingerprint value determines
           whether the row is a match for the incoming connection:

           1) If the row's snmpTlstmCertToTSNFingerprint value
              identifies the presented certificate, then consider the
              row as a successful match.

           2) If the row's snmpTlstmCertToTSNFingerprint value
              identifies a locally held copy of a trusted CA
              certificate and that CA certificate was used to
              validate the path to the presented certificate, then
              consider the row as a successful match.

           Once a matching row has been found, the
           snmpTlstmCertToTSNMapType value can be used to determine how
           the tmSecurityName to associate with the session should be
           determined.  See the snmpTlstmCertToTSNMapType column's
           DESCRIPTION for details on determining the tmSecurityName
           value.  If it is impossible to determine a tmSecurityName from
           the row's data combined with the data presented in the
           certificate, then additional rows MUST be searched looking for
           another potential match.  If a resulting tmSecurityName mapped
           from a given row is not compatible with the needed
           requirements of a tmSecurityName (e.g., VACM imposes a
           32-octet-maximum length and the certificate derived
           securityName could be longer), then it must be considered an
           invalid match and additional rows MUST be searched looking for
           another potential match.

           If no matching and valid row can be found, the connection MUST
           be closed and SNMP messages MUST NOT be accepted over it.

           Missing values of snmpTlstmCertToTSNID are acceptable and
           implementations should continue to the next highest numbered
           row.  It is recommended that administrators skip index values
           to leave room for the insertion of future rows (for example,
           use values of 10 and 20 when creating initial rows).
733 Users are encouraged to make use of certificates with 734 subjectAltName fields that can be used as tmSecurityNames so 735 that a single root CA certificate can allow all child 736 certificates' subjectAltName values to map directly to a 737 tmSecurityName via a 1:1 transformation. However, this table 738 is flexible to allow for situations where existing deployed 739 certificate infrastructures do not provide adequate 740 subjectAltName values for use as tmSecurityNames. 741 Direct mapping from each individual 742 certificate fingerprint to a tmSecurityName is also possible 743 but requires one entry in the table per tmSecurityName and 744 requires more management operations to completely configure a 745 device. 746 This table and its associated objects were deprecated because 747 the fingerprint format changed to support TLS 1.3. By 748 deprecating the table (and creating an updated one), rather than just 749 the fingerprint object, an implementation is able to support 750 both the original table and the new TLS 1.3 table, while still 751 allowing some agents to be restricted to TLS 1.3 only." 752 ::= { snmpTlstmCertificateMapping 3 } 753 snmpTlstmCertToTSNEntry OBJECT-TYPE 754 SYNTAX SnmpTlstmCertToTSNEntry 755 MAX-ACCESS not-accessible 756 STATUS deprecated 757 DESCRIPTION 758 "A row in the snmpTlstmCertToTSNTable that specifies a mapping 759 for an incoming (D)TLS certificate to a tmSecurityName to use 760 for a connection."
761 INDEX { snmpTlstmCertToTSNID } 762 ::= { snmpTlstmCertToTSNTable 1 } 763 SnmpTlstmCertToTSNEntry ::= SEQUENCE { 764 snmpTlstmCertToTSNID Unsigned32, 765 snmpTlstmCertToTSNFingerprint SnmpTLSFingerprint, 766 snmpTlstmCertToTSNMapType AutonomousType, 767 snmpTlstmCertToTSNData OCTET STRING, 768 snmpTlstmCertToTSNStorageType StorageType, 769 snmpTlstmCertToTSNRowStatus RowStatus 770 } 771 snmpTlstmCertToTSNID OBJECT-TYPE 772 SYNTAX Unsigned32 (1..4294967295) 773 MAX-ACCESS not-accessible 774 STATUS deprecated 775 DESCRIPTION 776 "A unique, prioritized index for the given entry. Lower 777 numbers indicate a higher priority." 778 ::= { snmpTlstmCertToTSNEntry 1 } 779 snmpTlstmCertToTSNFingerprint OBJECT-TYPE 780 SYNTAX SnmpTLSFingerprint (SIZE(1..255)) 781 MAX-ACCESS read-create 782 STATUS deprecated 783 DESCRIPTION 784 "A cryptographic hash of an X.509 certificate. The result of 785 a successful match of this fingerprint against either the trusted CA in 786 the certificate validation path or the certificate itself 787 is dictated by the snmpTlstmCertToTSNMapType column. 788 This object was deprecated because TLS 1.3 uses a 2-octet 789 cipher suite identifier rather than a 1-octet hashing algorithm 790 identifier." 791 ::= { snmpTlstmCertToTSNEntry 2 } 792 snmpTlstmCertToTSNMapType OBJECT-TYPE 793 SYNTAX AutonomousType 794 MAX-ACCESS read-create 795 STATUS deprecated 796 DESCRIPTION 797 "Specifies the mapping type for deriving a tmSecurityName from 798 a certificate. Details for mapping of a particular type SHALL 799 be specified in the DESCRIPTION clause of the OBJECT-IDENTITY 800 that describes the mapping. If a mapping succeeds it will 801 return a tmSecurityName for use by the TLSTM model and 802 processing stops.
803 If the resulting mapped value is not compatible with the 804 needed requirements of a tmSecurityName (e.g., VACM imposes a 805 32-octet-maximum length and the certificate derived 806 securityName could be longer), then future rows MUST be 807 searched for additional snmpTlstmCertToTSNFingerprint matches 808 to look for a mapping that succeeds. 809 Suitable values for assigning to this object that are defined 810 within the SNMP-TLS-TM-MIB can be found in the 811 snmpTlstmCertToTSNMIdentities portion of the MIB tree." 812 DEFVAL { snmpTlstmCertSpecified } 813 ::= { snmpTlstmCertToTSNEntry 3 } 814 snmpTlstmCertToTSNData OBJECT-TYPE 815 SYNTAX OCTET STRING (SIZE(0..1024)) 816 MAX-ACCESS read-create 817 STATUS deprecated 818 DESCRIPTION 819 "Auxiliary data used as optional configuration information for 820 a given mapping specified by the snmpTlstmCertToTSNMapType 821 column. Only some mapping systems will make use of this 822 column. The value in this column MUST be ignored for any 823 mapping type that does not require data present in this 824 column." 825 DEFVAL { "" } 826 ::= { snmpTlstmCertToTSNEntry 4 } 827 snmpTlstmCertToTSNStorageType OBJECT-TYPE 828 SYNTAX StorageType 829 MAX-ACCESS read-create 830 STATUS deprecated 831 DESCRIPTION 832 "The storage type for this conceptual row. Conceptual rows 833 having the value 'permanent' need not allow write-access to 834 any columnar objects in the row." 835 DEFVAL { nonVolatile } 836 ::= { snmpTlstmCertToTSNEntry 5 } 837 snmpTlstmCertToTSNRowStatus OBJECT-TYPE 838 SYNTAX RowStatus 839 MAX-ACCESS read-create 840 STATUS deprecated 841 DESCRIPTION 842 "The status of this conceptual row. This object may be used 843 to create or remove rows from this table. 844 To create a row in this table, an administrator must set this 845 object to either createAndGo(4) or createAndWait(5). 
846 Until instances of all corresponding columns are appropriately 847 configured, the value of the corresponding instance of the 848 snmpTlstmCertToTSNRowStatus column is notReady(3). 849 In particular, a newly created row cannot be made active until 850 the corresponding snmpTlstmCertToTSNFingerprint, 851 snmpTlstmCertToTSNMapType, and snmpTlstmCertToTSNData columns 852 have been set. 853 The following objects may not be modified while the 854 value of this object is active(1): 855 - snmpTlstmCertToTSNFingerprint 856 - snmpTlstmCertToTSNMapType 857 - snmpTlstmCertToTSNData 858 An attempt to set these objects while the value of 859 snmpTlstmCertToTSNRowStatus is active(1) will result in 860 an inconsistentValue error." 861 ::= { snmpTlstmCertToTSNEntry 6 } 862 -- Maps tmSecurityNames to certificates for use by SNMP-TARGET-MIB 863 snmpTlstmParamsCount OBJECT-TYPE 864 SYNTAX Gauge32 865 MAX-ACCESS read-only 866 STATUS deprecated 867 DESCRIPTION 868 "A count of the number of entries in the snmpTlstmParamsTable." 869 ::= { snmpTlstmCertificateMapping 4 } 870 snmpTlstmParamsTableLastChanged OBJECT-TYPE 871 SYNTAX TimeStamp 872 MAX-ACCESS read-only 873 STATUS deprecated 874 DESCRIPTION 875 "The value of sysUpTime.0 when the snmpTlstmParamsTable 876 was last modified through any means, or 0 if it has not been 877 modified since the command responder was started." 878 ::= { snmpTlstmCertificateMapping 5 } 879 snmpTlstmParamsTable OBJECT-TYPE 880 SYNTAX SEQUENCE OF SnmpTlstmParamsEntry 881 MAX-ACCESS not-accessible 882 STATUS deprecated 883 DESCRIPTION 884 "This table is used by a (D)TLS client when a (D)TLS 885 connection is being set up using an entry in the 886 SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's 887 snmpTargetParamsTable with a fingerprint of a certificate to 888 use when establishing such a (D)TLS connection."
889 ::= { snmpTlstmCertificateMapping 6 } 890 snmpTlstmParamsEntry OBJECT-TYPE 891 SYNTAX SnmpTlstmParamsEntry 892 MAX-ACCESS not-accessible 893 STATUS deprecated 894 DESCRIPTION 895 "A conceptual row containing a fingerprint hash of a locally 896 held certificate for a given snmpTargetParamsEntry. The 897 values in this row should be ignored if the connection that 898 needs to be established, as indicated by the SNMP-TARGET-MIB 899 infrastructure, is not a certificate-based TLS 900 connection. The connection SHOULD NOT be established if the 901 certificate fingerprint stored in this entry does not point to 902 a valid locally held certificate or if it points to an 903 unusable certificate (such as might happen when the 904 certificate's expiration date has been reached)." 905 INDEX { IMPLIED snmpTargetParamsName } 906 ::= { snmpTlstmParamsTable 1 } 907 SnmpTlstmParamsEntry ::= SEQUENCE { 908 snmpTlstmParamsClientFingerprint SnmpTLSFingerprint, 909 snmpTlstmParamsStorageType StorageType, 910 snmpTlstmParamsRowStatus RowStatus 911 } 912 snmpTlstmParamsClientFingerprint OBJECT-TYPE 913 SYNTAX SnmpTLSFingerprint 914 MAX-ACCESS read-create 915 STATUS deprecated 916 DESCRIPTION 917 "This object stores the hash of the public portion of a 918 locally held X.509 certificate. The X.509 certificate, its 919 public key, and the corresponding private key will be used 920 when initiating a TLS connection as a TLS client." 921 ::= { snmpTlstmParamsEntry 1 } 922 snmpTlstmParamsStorageType OBJECT-TYPE 923 SYNTAX StorageType 924 MAX-ACCESS read-create 925 STATUS deprecated 926 DESCRIPTION 927 "The storage type for this conceptual row. Conceptual rows 928 having the value 'permanent' need not allow write-access to 929 any columnar objects in the row." 930 DEFVAL { nonVolatile } 931 ::= { snmpTlstmParamsEntry 2 } 932 snmpTlstmParamsRowStatus OBJECT-TYPE 933 SYNTAX RowStatus 934 MAX-ACCESS read-create 935 STATUS deprecated 936 DESCRIPTION 937 "The status of this conceptual row.
This object may be used 938 to create or remove rows from this table. 939 To create a row in this table, an administrator must set this 940 object to either createAndGo(4) or createAndWait(5). 941 Until instances of all corresponding columns are appropriately 942 configured, the value of the corresponding instance of the 943 snmpTlstmParamsRowStatus column is notReady(3). 944 In particular, a newly created row cannot be made active until 945 the corresponding snmpTlstmParamsClientFingerprint column has 946 been set. 947 The snmpTlstmParamsClientFingerprint object may not be modified 948 while the value of this object is active(1). 949 An attempt to set that object while the value of 950 snmpTlstmParamsRowStatus is active(1) will result in 951 an inconsistentValue error." 952 ::= { snmpTlstmParamsEntry 3 } 953 snmpTlstmAddrCount OBJECT-TYPE 954 SYNTAX Gauge32 955 MAX-ACCESS read-only 956 STATUS deprecated 957 DESCRIPTION 958 "A count of the number of entries in the snmpTlstmAddrTable." 959 ::= { snmpTlstmCertificateMapping 7 } 960 snmpTlstmAddrTableLastChanged OBJECT-TYPE 961 SYNTAX TimeStamp 962 MAX-ACCESS read-only 963 STATUS deprecated 964 DESCRIPTION 965 "The value of sysUpTime.0 when the snmpTlstmAddrTable 966 was last modified through any means, or 0 if it has not been 967 modified since the command responder was started." 968 ::= { snmpTlstmCertificateMapping 8 } 969 snmpTlstmAddrTable OBJECT-TYPE 970 SYNTAX SEQUENCE OF SnmpTlstmAddrEntry 971 MAX-ACCESS not-accessible 972 STATUS deprecated 973 DESCRIPTION 974 "This table is used by a TLS client when a TLS 975 connection is being set up using an entry in the 976 SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's 977 snmpTargetAddrTable so that the client can verify that the 978 correct server has been reached. This verification can use 979 either a certificate fingerprint, or an identity 980 authenticated via certification path validation.
981 If there is an active row in this table corresponding to the 982 entry in the SNMP-TARGET-MIB that was used to establish the 983 connection, and the row's snmpTlstmAddrServerFingerprint 984 column has non-empty value, then the server's presented 985 certificate is compared with the 986 snmpTlstmAddrServerFingerprint value (and the 987 snmpTlstmAddrServerIdentity column is ignored). If the 988 fingerprint matches, the verification has succeeded. If the 989 fingerprint does not match, then the connection MUST be 990 closed. 991 If the server's presented certificate has passed 992 certification path validation [RFC5280] to a configured 993 trust anchor, and an active row exists with a zero-length 994 snmpTlstmAddrServerFingerprint value, then the 995 snmpTlstmAddrServerIdentity column contains the expected 996 host name. This expected host name is then compared against 997 the server's certificate as follows: 998 - Implementations MUST support matching the expected host 999 name against a dNSName in the subjectAltName extension 1000 field 1001 - The '*' (ASCII 0x2a) wildcard character is allowed in the 1002 dNSName of the subjectAltName extension, but only as the 1003 left-most (least significant) DNS label in that value. 1004 This wildcard matches any left-most DNS label in the 1005 server name. That is, the subject *.example.com matches 1006 the server names a.example.com and b.example.com, but does 1007 not match example.com or a.b.example.com. Implementations 1008 MUST support wildcards in certificates as specified above, 1009 but MAY provide a configuration option to disable them. 1010 - If the locally configured name is an internationalized 1011 domain name, conforming implementations MUST convert it to 1012 the ASCII Compatible Encoding (ACE) format for performing 1013 comparisons, as specified in Section 7 of [RFC5280]. 1014 If the expected host name fails these conditions then the 1015 connection MUST be closed. 
1017 If there is no row in this table corresponding to the entry 1018 in the SNMP-TARGET-MIB and the server can be authorized by 1019 another, implementation-dependent means, then the connection 1020 MAY still proceed." 1021 ::= { snmpTlstmCertificateMapping 9 } 1022 snmpTlstmAddrEntry OBJECT-TYPE 1023 SYNTAX SnmpTlstmAddrEntry 1024 MAX-ACCESS not-accessible 1025 STATUS deprecated 1026 DESCRIPTION 1027 "A conceptual row containing a copy of a certificate's 1028 fingerprint for a given snmpTargetAddrEntry. The values in 1029 this row should be ignored if the connection that needs to be 1030 established, as indicated by the SNMP-TARGET-MIB 1031 infrastructure, is not a TLS based connection. If an 1032 snmpTlstmAddrEntry exists for a given snmpTargetAddrEntry, then 1033 the presented server certificate MUST match or the connection 1034 MUST NOT be established. If a row in this table does not 1035 exist to match an snmpTargetAddrEntry row, then the connection 1036 SHOULD still proceed if some other certificate validation path 1037 algorithm (e.g., RFC 5280) can be used." 1038 INDEX { IMPLIED snmpTargetAddrName } 1039 ::= { snmpTlstmAddrTable 1 } 1040 SnmpTlstmAddrEntry ::= SEQUENCE { 1041 snmpTlstmAddrServerFingerprint SnmpTLSFingerprint, 1042 snmpTlstmAddrServerIdentity SnmpAdminString, 1043 snmpTlstmAddrStorageType StorageType, 1044 snmpTlstmAddrRowStatus RowStatus 1045 } 1046 snmpTlstmAddrServerFingerprint OBJECT-TYPE 1047 SYNTAX SnmpTLSFingerprint 1048 MAX-ACCESS read-create 1049 STATUS deprecated 1050 DESCRIPTION 1051 "A cryptographic hash of a public X.509 certificate. This 1052 object should store the hash of the public X.509 certificate 1053 that the remote server should present during the TLS 1054 connection setup. The fingerprint of the presented 1055 certificate and this hash value MUST match exactly or the 1056 connection MUST NOT be established." 
1057 DEFVAL { "" } 1058 ::= { snmpTlstmAddrEntry 1 } 1059 snmpTlstmAddrServerIdentity OBJECT-TYPE 1060 SYNTAX SnmpAdminString 1061 MAX-ACCESS read-create 1062 STATUS deprecated 1063 DESCRIPTION 1064 "The reference identity to check against the identity 1065 presented by the remote system." 1066 DEFVAL { "" } 1067 ::= { snmpTlstmAddrEntry 2 } 1068 snmpTlstmAddrStorageType OBJECT-TYPE 1069 SYNTAX StorageType 1070 MAX-ACCESS read-create 1071 STATUS deprecated 1072 DESCRIPTION 1073 "The storage type for this conceptual row. Conceptual rows 1074 having the value 'permanent' need not allow write-access to 1075 any columnar objects in the row." 1076 DEFVAL { nonVolatile } 1077 ::= { snmpTlstmAddrEntry 3 } 1078 snmpTlstmAddrRowStatus OBJECT-TYPE 1079 SYNTAX RowStatus 1080 MAX-ACCESS read-create 1081 STATUS deprecated 1082 DESCRIPTION 1083 "The status of this conceptual row. This object may be used 1084 to create or remove rows from this table. 1085 To create a row in this table, an administrator must set this 1086 object to either createAndGo(4) or createAndWait(5). 1087 Until instances of all corresponding columns are 1088 appropriately configured, the value of the 1089 corresponding instance of the snmpTlstmAddrRowStatus 1090 column is notReady(3). 1091 In particular, a newly created row cannot be made active until 1092 the corresponding snmpTlstmAddrServerFingerprint column has 1093 been set. 1094 Rows MUST NOT be active if the snmpTlstmAddrServerFingerprint 1095 column is blank and the snmpTlstmAddrServerIdentity is set to 1096 '*' since this would insecurely accept any presented 1097 certificate. 1099 The snmpTlstmAddrServerFingerprint object may not be modified 1100 while the value of this object is active(1). 1101 An attempt to set that object while the value of 1102 snmpTlstmAddrRowStatus is active(1) will result in 1103 an inconsistentValue error."
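The server verification rule described for snmpTlstmAddrTable above (the same rule is restated later in this module for snmpTlstmAddr13Table) in working form. This is an added example, not code from the draft, RFC 6353 or any SNMP implementation: AddrRow stands in for a row of the table, the certificates are constructed byte strings, and the fingerprint is taken as an opaque SHA-256 over the certificate rather than the SnmpTLSFingerprint encoding, which prefixes an algorithm identifier.

```python
"""Server-certificate verification as described for snmpTlstmAddrTable.

Added illustration; not code from the draft, RFC 6353 or any SNMP
implementation.  AddrRow stands in for an snmpTlstmAddrEntry, the
fingerprints and SAN values are constructed, and the fingerprint is an
opaque SHA-256 over (constructed) certificate DER rather than the
SnmpTLSFingerprint encoding.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class AddrRow:
    """The two snmpTlstmAddrEntry columns the check consults."""
    server_fingerprint: bytes   # snmpTlstmAddrServerFingerprint, b"" when unset
    server_identity: str        # snmpTlstmAddrServerIdentity, "" when unset


def row_may_be_active(row: AddrRow) -> bool:
    """A blank fingerprint with identity '*' would accept any certificate;
    the RowStatus description forbids making such a row active."""
    return not (row.server_fingerprint == b"" and row.server_identity == "*")


def to_ace(name: str) -> str:
    """Reference identities are compared in ACE (xn--) form, case-folded,
    as the table description requires for internationalized names."""
    return name.encode("idna").decode("ascii").lower()


def dns_name_matches(reference: str, dns_name: str,
                     allow_wildcards: bool = True) -> bool:
    """Compare an expected host name with one dNSName from subjectAltName.

    '*' is accepted only as the entire left-most label and matches exactly
    one label: *.example.com matches a.example.com but neither example.com
    nor a.b.example.com.  allow_wildcards models the configuration option
    the description permits for disabling wildcards.
    """
    ref = to_ace(reference).rstrip(".").split(".")
    san = dns_name.lower().rstrip(".").split(".")
    if any("*" in label for label in san[1:]):
        return False                  # wildcard anywhere but the left-most label
    if "*" in san[0]:
        if not allow_wildcards or san[0] != "*":
            return False              # disabled, or partial label such as f*.example.com
        if len(ref) != len(san) or "" in ref:
            return False              # must consume exactly one non-empty label
        return ref[1:] == san[1:]
    return ref == san


def verify_server(row: Optional[AddrRow], presented_fingerprint: bytes,
                  san_dns_names: Sequence[str], path_validated: bool,
                  allow_wildcards: bool = True) -> bool:
    """Decide whether the TLS client may keep the connection.

    A non-empty fingerprint must match exactly and makes the identity column
    irrelevant.  An empty fingerprint requires RFC 5280 path validation to a
    configured trust anchor plus a host-name match.  With no row at all the
    description lets other, implementation-dependent means authorize the
    server; none is implemented here, so the connection is refused.
    """
    if row is None or not row_may_be_active(row):
        return False
    if row.server_fingerprint:
        return hmac.compare_digest(row.server_fingerprint, presented_fingerprint)
    if not path_validated:
        return False
    return any(dns_name_matches(row.server_identity, name, allow_wildcards)
               for name in san_dns_names)


# Constructed sample data: stand-ins for certificate DER, not real certificates.
SERVER_FP = hashlib.sha256(b"constructed: snmp.example.com certificate DER").digest()
ROGUE_FP = hashlib.sha256(b"constructed: some other certificate DER").digest()

if __name__ == "__main__":
    pinned = AddrRow(SERVER_FP, "ignored-when-fingerprint-set.example.org")
    by_name = AddrRow(b"", "snmp.example.com")
    print(verify_server(pinned, SERVER_FP, [], path_validated=False))
    print(verify_server(by_name, ROGUE_FP, ["*.example.com"], path_validated=True))
    print(verify_server(by_name, ROGUE_FP, ["*.example.com"], path_validated=False))
```

The no-row case is deliberately closed off: the table text only says the connection MAY proceed if some other means authorizes the server, so a client that has no such means must refuse rather than fall back to accepting any validated certificate.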
1104 ::= { snmpTlstmAddrEntry 4 } 1105 snmpTlstmCertToTSN13Count OBJECT-TYPE 1106 SYNTAX Gauge32 1107 MAX-ACCESS read-only 1108 STATUS current 1109 DESCRIPTION 1110 "A count of the number of entries in the 1111 snmpTlstmCertToTSN13Table." 1112 ::= { snmpTlstmCertificateMapping 10 } 1113 snmpTlstmCertToTSN13TableLastChanged OBJECT-TYPE 1114 SYNTAX TimeStamp 1115 MAX-ACCESS read-only 1116 STATUS current 1117 DESCRIPTION 1118 "The value of sysUpTime.0 when the snmpTlstmCertToTSN13Table 1119 was last modified through any means, or 0 if it has not been 1120 modified since the command responder was started." 1121 ::= { snmpTlstmCertificateMapping 11 } 1122 snmpTlstmCertToTSN13Table OBJECT-TYPE 1123 SYNTAX SEQUENCE OF SnmpTlstmCertToTSN13Entry 1124 MAX-ACCESS not-accessible 1125 STATUS current 1126 DESCRIPTION 1127 "This table is used by a TLS 1.3 server to map the TLS 1.3 1128 client's presented X.509 certificate to a tmSecurityName. 1129 On an incoming TLS/SNMP connection, the client's presented 1130 certificate must either be validated based on an established 1131 trust anchor, or it must directly match a fingerprint in this 1132 table. This table does not provide any mechanisms for 1133 configuring the trust anchors; the transfer of any needed 1134 trusted certificates for path validation is expected to occur 1135 through an out-of-band transfer. 1136 Once the certificate has been found acceptable (either by path 1137 validation or directly matching a fingerprint in this table), 1138 this table is consulted to determine the appropriate 1139 tmSecurityName to identify with the remote connection. This 1140 is done by considering each active row from this table in 1141 prioritized order according to its snmpTlstmCertToTSN13ID 1142 value. 
Each row's snmpTlstmCertToTSN13Fingerprint value 1143 determines whether the row is a match for the incoming 1144 connection: 1145 1) If the row's snmpTlstmCertToTSN13Fingerprint value 1146 identifies the presented certificate, then consider the 1147 row as a successful match. 1148 2) If the row's snmpTlstmCertToTSN13Fingerprint value 1149 identifies a locally held copy of a trusted CA 1150 certificate and that CA certificate was used to 1151 validate the path to the presented certificate, then 1152 consider the row as a successful match. 1153 Once a matching row has been found, the 1154 snmpTlstmCertToTSN13MapType value can be used to determine how 1155 the tmSecurityName to associate with the session should be 1156 determined. See the snmpTlstmCertToTSN13MapType column's 1157 DESCRIPTION for details on determining the tmSecurityName 1158 value. If it is impossible to determine a tmSecurityName from 1159 the row's data combined with the data presented in the 1160 certificate, then additional rows MUST be searched looking for 1161 another potential match. If a resulting tmSecurityName mapped 1162 from a given row is not compatible with the needed 1163 requirements of a tmSecurityName (e.g., VACM imposes a 1164 32-octet-maximum length and the certificate derived 1165 securityName could be longer), then it must be considered an 1166 invalid match and additional rows MUST be searched looking for 1167 another potential match. 1168 If no matching and valid row can be found, the connection MUST 1169 be closed and SNMP messages MUST NOT be accepted over it. 1170 Missing values of snmpTlstmCertToTSN13ID are acceptable and 1171 implementations should continue to the next highest numbered 1172 row. It is recommended that administrators skip index values 1173 to leave room for the insertion of future rows (for example, 1174 use values of 10 and 20 when creating initial rows). 
1175 Users are encouraged to make use of certificates with 1176 subjectAltName fields that can be used as tmSecurityNames so 1177 that a single root CA certificate can allow all child 1178 certificates' subjectAltName values to map directly to a 1179 tmSecurityName via a 1:1 transformation. However, this table 1180 is flexible to allow for situations where existing deployed 1181 certificate infrastructures do not provide adequate 1182 subjectAltName values for use as tmSecurityNames. 1183 Direct mapping from each individual certificate fingerprint to 1184 a tmSecurityName is possible but requires one entry in the 1185 table per tmSecurityName and requires more management 1186 operations to completely configure a device." 1187 ::= { snmpTlstmCertificateMapping 12 } 1189 snmpTlstmCertToTSN13Entry OBJECT-TYPE 1190 SYNTAX SnmpTlstmCertToTSN13Entry 1191 MAX-ACCESS not-accessible 1192 STATUS current 1193 DESCRIPTION 1194 "A row in the snmpTlstmCertToTSN13Table that specifies a 1195 mapping for an incoming TLS certificate to a tmSecurityName 1196 to use for a connection." 1197 INDEX { snmpTlstmCertToTSN13ID } 1198 ::= { snmpTlstmCertToTSN13Table 1 } 1199 SnmpTlstmCertToTSN13Entry ::= SEQUENCE { 1200 snmpTlstmCertToTSN13ID Unsigned32, 1201 snmpTlstmCertToTSN13Fingerprint SnmpTLS13Fingerprint, 1202 snmpTlstmCertToTSN13MapType AutonomousType, 1203 snmpTlstmCertToTSN13Data OCTET STRING, 1204 snmpTlstmCertToTSN13StorageType StorageType, 1205 snmpTlstmCertToTSN13RowStatus RowStatus 1206 } 1207 snmpTlstmCertToTSN13ID OBJECT-TYPE 1208 SYNTAX Unsigned32 (1..4294967295) 1209 MAX-ACCESS not-accessible 1210 STATUS current 1211 DESCRIPTION 1212 "A unique, prioritized index for the given entry. Lower 1213 numbers indicate a higher priority." 1214 ::= { snmpTlstmCertToTSN13Entry 1 } 1215 snmpTlstmCertToTSN13Fingerprint OBJECT-TYPE 1216 SYNTAX SnmpTLS13Fingerprint (SIZE(2..255)) 1217 MAX-ACCESS read-create 1218 STATUS current 1219 DESCRIPTION 1220 "A cryptographic hash of an X.509 certificate.
The result of 1221 a successful match of this fingerprint against either the trusted CA in 1222 the certificate validation path or the certificate itself 1223 is dictated by the snmpTlstmCertToTSN13MapType column." 1224 ::= { snmpTlstmCertToTSN13Entry 2 } 1225 snmpTlstmCertToTSN13MapType OBJECT-TYPE 1226 SYNTAX AutonomousType 1227 MAX-ACCESS read-create 1228 STATUS current 1229 DESCRIPTION 1230 "Specifies the mapping type for deriving a tmSecurityName from 1231 a certificate. Details for mapping of a particular type SHALL 1232 be specified in the DESCRIPTION clause of the OBJECT-IDENTITY 1233 that describes the mapping. If a mapping succeeds it will 1234 return a tmSecurityName for use by the TLSTM model and 1235 processing stops. 1236 If the resulting mapped value is not compatible with the 1237 needed requirements of a tmSecurityName (e.g., VACM imposes a 1238 32-octet-maximum length and the certificate derived 1239 securityName could be longer), then future rows MUST be 1240 searched for additional snmpTlstmCertToTSN13Fingerprint matches 1241 to look for a mapping that succeeds. 1242 Suitable values for assigning to this object that are defined 1243 within the SNMP-TLS-TM-MIB can be found in the 1244 snmpTlstmCertToTSNMIdentities portion of the MIB tree." 1245 DEFVAL { snmpTlstmCertSpecified } 1246 ::= { snmpTlstmCertToTSN13Entry 3 } 1247 snmpTlstmCertToTSN13Data OBJECT-TYPE 1248 SYNTAX OCTET STRING (SIZE(0..1024)) 1249 MAX-ACCESS read-create 1250 STATUS current 1251 DESCRIPTION 1252 "Auxiliary data used as optional configuration information for 1253 a given mapping specified by the snmpTlstmCertToTSN13MapType 1254 column. Only some mapping systems will make use of this 1255 column. The value in this column MUST be ignored for any 1256 mapping type that does not require data present in this 1257 column."
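The row-walking procedure that the snmpTlstmCertToTSN13Table description (and the deprecated snmpTlstmCertToTSNTable description earlier in this module) spells out, as an added example. It is not code from the draft, RFC 6353 or any SNMP agent. Certificates and rows are plain dataclasses holding constructed values; the fingerprint is an opaque SHA-256 of constructed DER rather than the SnmpTLSFingerprint or SnmpTLS13Fingerprint encodings; and map types are strings: snmpTlstmCertSpecified is the DEFVAL the MIB names, while "sanDNSName" is a hypothetical label for a subjectAltName-derived mapping, standing in for the OBJECT-IDENTITY values under snmpTlstmCertToTSNMIdentities, which this excerpt does not show.

```python
"""tmSecurityName derivation as described for snmpTlstmCertToTSN13Table.

Added illustration; not code from the draft, RFC 6353 or any SNMP agent.
Fingerprints are opaque SHA-256 digests of constructed DER stand-ins, and
"sanDNSName" is a hypothetical map-type label (the real values are the
OBJECT-IDENTITYs under snmpTlstmCertToTSNMIdentities, not shown here).
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence

VACM_MAX_SECURITY_NAME_OCTETS = 32   # limit cited in the table description


@dataclass(frozen=True)
class PresentedCert:
    fingerprint: bytes
    san_dns_names: Sequence[str] = ()
    # Fingerprints of the CA certificates on the validated RFC 5280 path;
    # empty when the certificate was accepted only by direct fingerprint match.
    validating_ca_fingerprints: Sequence[bytes] = ()


@dataclass(frozen=True)
class CertToTSNRow:
    row_id: int            # snmpTlstmCertToTSN13ID: lower value, higher priority
    fingerprint: bytes     # snmpTlstmCertToTSN13Fingerprint
    map_type: str          # snmpTlstmCertToTSN13MapType
    data: bytes = b""      # snmpTlstmCertToTSN13Data
    active: bool = True    # snmpTlstmCertToTSN13RowStatus == active(1)


def map_specified(row: CertToTSNRow, cert: PresentedCert) -> Optional[str]:
    """snmpTlstmCertSpecified: the name is the Data column itself."""
    return row.data.decode("utf-8") or None


def map_san_dnsname(row: CertToTSNRow, cert: PresentedCert) -> Optional[str]:
    """Hypothetical SAN mapping: the first dNSName, i.e. the 1:1
    transformation the description encourages for CA-wide rows."""
    return cert.san_dns_names[0] if cert.san_dns_names else None


MAP_TYPES: Dict[str, Callable[[CertToTSNRow, PresentedCert], Optional[str]]] = {
    "snmpTlstmCertSpecified": map_specified,
    "sanDNSName": map_san_dnsname,
}


def row_matches(row: CertToTSNRow, cert: PresentedCert) -> bool:
    """Rule 1: the fingerprint identifies the presented certificate.
    Rule 2: it identifies a trusted CA that validated the certificate's path."""
    return (row.fingerprint == cert.fingerprint
            or row.fingerprint in cert.validating_ca_fingerprints)


def derive_tm_security_name(rows: Sequence[CertToTSNRow],
                            cert: PresentedCert) -> Optional[str]:
    """Walk active rows in ID order (gaps allowed); the first matching row
    whose mapping yields a VACM-compatible name wins.  None means no valid
    row: the connection MUST be closed and no SNMP message accepted."""
    for row in sorted(rows, key=lambda r: r.row_id):
        if not row.active or not row_matches(row, cert):
            continue
        mapper = MAP_TYPES.get(row.map_type)
        if mapper is None:
            continue                  # unknown map type: no name can be derived
        name = mapper(row, cert)
        if name is None or len(name.encode("utf-8")) > VACM_MAX_SECURITY_NAME_OCTETS:
            continue                  # invalid match; keep searching later rows
        return name
    return None


def fingerprint(der: bytes) -> bytes:
    return hashlib.sha256(der).digest()


# Constructed sample configuration: one CA-wide row, one per-device fallback row.
CA_FP = fingerprint(b"constructed: management CA certificate DER")
ROUTER_FP = fingerprint(b"constructed: router1 certificate DER")
SAMPLE_ROWS = [
    CertToTSNRow(10, CA_FP, "sanDNSName"),
    CertToTSNRow(20, ROUTER_FP, "snmpTlstmCertSpecified", b"ops-admin"),
]

if __name__ == "__main__":
    cert = PresentedCert(ROUTER_FP, ("router1.example.net",), (CA_FP,))
    print(derive_tm_security_name(SAMPLE_ROWS, cert))
```

The second sample row shows why the description insists on continuing past an invalid match: a certificate whose dNSName exceeds the 32-octet VACM limit still obtains a name from the lower-priority per-fingerprint row instead of being rejected outright.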
1258 DEFVAL { "" } 1259 ::= { snmpTlstmCertToTSN13Entry 4 } 1260 snmpTlstmCertToTSN13StorageType OBJECT-TYPE 1261 SYNTAX StorageType 1262 MAX-ACCESS read-create 1263 STATUS current 1264 DESCRIPTION 1265 "The storage type for this conceptual row. Conceptual rows 1266 having the value 'permanent' need not allow write-access to 1267 any columnar objects in the row." 1268 DEFVAL { nonVolatile } 1269 ::= { snmpTlstmCertToTSN13Entry 5 } 1270 snmpTlstmCertToTSN13RowStatus OBJECT-TYPE 1271 SYNTAX RowStatus 1272 MAX-ACCESS read-create 1273 STATUS current 1274 DESCRIPTION 1275 "The status of this conceptual row. This object may be used 1276 to create or remove rows from this table. 1277 To create a row in this table, an administrator must set this 1278 object to either createAndGo(4) or createAndWait(5). 1279 Until instances of all corresponding columns are appropriately 1280 configured, the value of the corresponding instance of the 1281 snmpTlstmCertToTSN13RowStatus column is notReady(3). 1282 In particular, a newly created row cannot be made active until 1283 the corresponding snmpTlstmCertToTSN13Fingerprint, 1284 snmpTlstmCertToTSN13MapType, and snmpTlstmCertToTSN13Data 1285 columns have been set. 1286 The following objects may not be modified while the 1287 value of this object is active(1): 1288 - snmpTlstmCertToTSN13Fingerprint 1289 - snmpTlstmCertToTSN13MapType 1290 - snmpTlstmCertToTSN13Data 1291 An attempt to set these objects while the value of 1292 snmpTlstmCertToTSN13RowStatus is active(1) will result in 1293 an inconsistentValue error." 1294 ::= { snmpTlstmCertToTSN13Entry 6 } 1295 snmpTlstmParams13Count OBJECT-TYPE 1296 SYNTAX Gauge32 1297 MAX-ACCESS read-only 1298 STATUS current 1299 DESCRIPTION 1300 "A count of the number of entries in the 1301 snmpTlstmParams13Table."
1302 ::= { snmpTlstmCertificateMapping 13 } 1303 snmpTlstmParams13TableLastChanged OBJECT-TYPE 1304 SYNTAX TimeStamp 1305 MAX-ACCESS read-only 1306 STATUS current 1307 DESCRIPTION 1308 "The value of sysUpTime.0 when the snmpTlstmParams13Table 1309 was last modified through any means, or 0 if it has not been 1310 modified since the command responder was started." 1311 ::= { snmpTlstmCertificateMapping 14 } 1312 snmpTlstmParams13Table OBJECT-TYPE 1313 SYNTAX SEQUENCE OF SnmpTlstmParams13Entry 1314 MAX-ACCESS not-accessible 1315 STATUS current 1316 DESCRIPTION 1317 "This table is used by a TLS client when a TLS 1318 connection is being set up using an entry in the 1319 SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's 1320 snmpTargetParamsTable with a fingerprint of a certificate to 1321 use when establishing such a TLS connection." 1322 ::= { snmpTlstmCertificateMapping 15 } 1323 snmpTlstmParams13Entry OBJECT-TYPE 1324 SYNTAX SnmpTlstmParams13Entry 1325 MAX-ACCESS not-accessible 1326 STATUS current 1327 DESCRIPTION 1328 "A conceptual row containing a fingerprint hash of a locally 1329 held certificate for a given snmpTargetParamsEntry. The 1330 values in this row should be ignored if the connection that 1331 needs to be established, as indicated by the SNMP-TARGET-MIB 1332 infrastructure, is not a certificate-based TLS 1333 connection. The connection SHOULD NOT be established if the 1334 certificate fingerprint stored in this entry does not point to 1335 a valid locally held certificate or if it points to an 1336 unusable certificate (such as might happen when the 1337 certificate's expiration date has been reached)."
1338 INDEX { IMPLIED snmpTargetParamsName } 1339 ::= { snmpTlstmParams13Table 1 } 1340 SnmpTlstmParams13Entry ::= SEQUENCE { 1341 snmpTlstmParams13ClientFingerprint SnmpTLS13Fingerprint, 1342 snmpTlstmParams13StorageType StorageType, 1343 snmpTlstmParams13RowStatus RowStatus 1344 } 1345 snmpTlstmParams13ClientFingerprint OBJECT-TYPE 1346 SYNTAX SnmpTLS13Fingerprint 1347 MAX-ACCESS read-create 1348 STATUS current 1349 DESCRIPTION 1350 "This object stores the hash of the public portion of a 1351 locally held X.509 certificate. The X.509 certificate, its 1352 public key, and the corresponding private key will be used 1353 when initiating a TLS connection as a TLS client." 1354 ::= { snmpTlstmParams13Entry 1 } 1355 snmpTlstmParams13StorageType OBJECT-TYPE 1356 SYNTAX StorageType 1357 MAX-ACCESS read-create 1358 STATUS current 1359 DESCRIPTION 1360 "The storage type for this conceptual row. Conceptual rows 1361 having the value 'permanent' need not allow write-access to 1362 any columnar objects in the row." 1363 DEFVAL { nonVolatile } 1364 ::= { snmpTlstmParams13Entry 2 } 1365 snmpTlstmParams13RowStatus OBJECT-TYPE 1366 SYNTAX RowStatus 1367 MAX-ACCESS read-create 1368 STATUS current 1369 DESCRIPTION 1370 "The status of this conceptual row. This object may be used 1371 to create or remove rows from this table. 1372 To create a row in this table, an administrator must set this 1373 object to either createAndGo(4) or createAndWait(5). 1374 Until instances of all corresponding columns are appropriately 1375 configured, the value of the corresponding instance of the 1376 snmpTlstmParams13RowStatus column is notReady(3). 1377 In particular, a newly created row cannot be made active until 1378 the corresponding snmpTlstmParams13ClientFingerprint column has 1379 been set. 1380 The snmpTlstmParams13ClientFingerprint object may not be 1381 modified while the value of this object is active(1). 
1382 An attempt to set these objects while the value of 1383 snmpTlstmParams13RowStatus is active(1) will result in 1384 an inconsistentValue error." 1385 ::= { snmpTlstmParams13Entry 3 } 1386 snmpTlstmAddr13Count OBJECT-TYPE 1387 SYNTAX Gauge32 1388 MAX-ACCESS read-only 1389 STATUS current 1390 DESCRIPTION 1391 "A count of the number of entries in the snmpTlstmAddr13Table." 1392 ::= { snmpTlstmCertificateMapping 16 } 1393 snmpTlstmAddr13TableLastChanged OBJECT-TYPE 1394 SYNTAX TimeStamp 1395 MAX-ACCESS read-only 1396 STATUS current 1397 DESCRIPTION 1398 "The value of sysUpTime.0 when the snmpTlstmAddr13Table 1399 was last modified through any means, or 0 if it has not been 1400 modified since the command responder was started." 1401 ::= { snmpTlstmCertificateMapping 17 } 1402 snmpTlstmAddr13Table OBJECT-TYPE 1403 SYNTAX SEQUENCE OF SnmpTlstmAddr13Entry 1404 MAX-ACCESS not-accessible 1405 STATUS current 1406 DESCRIPTION 1407 "This table is used by a TLS client when a TLS 1408 connection is being set up using an entry in the 1409 SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's 1410 snmpTargetAddrTable so that the client can verify that the 1411 correct server has been reached. This verification can use 1412 either a certificate fingerprint, or an identity 1413 authenticated via certification path validation. 1414 If there is an active row in this table corresponding to the 1415 entry in the SNMP-TARGET-MIB that was used to establish the 1416 connection, and the row's snmpTlstmAddr13ServerFingerprint 1417 column has a non-empty value, then the server's presented 1418 certificate is compared with the 1419 snmpTlstmAddr13ServerFingerprint value (and the 1420 snmpTlstmAddr13ServerIdentity column is ignored). If the 1421 fingerprint matches, the verification has succeeded. If the 1422 fingerprint does not match, then the connection MUST be 1423 closed.
1424 If the server's presented certificate has passed 1425 certification path validation [RFC5280] to a configured 1426 trust anchor, and an active row exists with a zero-length 1427 snmpTlstmAddr13ServerFingerprint value, then the 1428 snmpTlstmAddr13ServerIdentity column contains the expected 1429 host name. This expected host name is then compared against 1430 the server's certificate as follows: 1431 - Implementations MUST support matching the expected host 1432 name against a dNSName in the subjectAltName extension 1433 field. 1434 - The '*' (ASCII 0x2a) wildcard character is allowed in the 1435 dNSName of the subjectAltName extension, but only as the 1436 left-most (least significant) DNS label in that value. 1437 This wildcard matches any left-most DNS label in the 1438 server name. That is, the subject *.example.com matches 1439 the server names a.example.com and b.example.com, but does 1440 not match example.com or a.b.example.com. Implementations 1441 MUST support wildcards in certificates as specified above, 1442 but MAY provide a configuration option to disable them. 1443 - If the locally configured name is an internationalized 1444 domain name, conforming implementations MUST convert it to 1445 the ASCII Compatible Encoding (ACE) format for performing 1446 comparisons, as specified in Section 7 of [RFC5280]. 1447 If the expected host name fails these conditions then the 1448 connection MUST be closed. 1450 If there is no row in this table corresponding to the entry 1451 in the SNMP-TARGET-MIB and the server can be authorized by 1452 another, implementation-dependent means, then the connection 1453 MAY still proceed." 1454 ::= { snmpTlstmCertificateMapping 18 } 1455 snmpTlstmAddr13Entry OBJECT-TYPE 1456 SYNTAX SnmpTlstmAddr13Entry 1457 MAX-ACCESS not-accessible 1458 STATUS current 1459 DESCRIPTION 1460 "A conceptual row containing a copy of a certificate's 1461 fingerprint for a given snmpTargetAddrEntry. 
The values in 1462 this row should be ignored if the connection that needs to be 1463 established, as indicated by the SNMP-TARGET-MIB 1464 infrastructure, is not a TLS based connection. If an 1465 snmpTlstmAddr13Entry exists for a given snmpTargetAddrEntry, 1466 then the presented server certificate MUST match or the 1467 connection MUST NOT be established. If a row in this table 1468 does not exist to match an snmpTargetAddrEntry row, then the 1469 connection SHOULD still proceed if some other certificate 1470 validation path algorithm (e.g., RFC 5280) can be used." 1471 INDEX { IMPLIED snmpTargetAddrName } 1472 ::= { snmpTlstmAddr13Table 1 } 1473 SnmpTlstmAddr13Entry ::= SEQUENCE { 1474 snmpTlstmAddr13ServerFingerprint SnmpTLS13Fingerprint, 1475 snmpTlstmAddr13ServerIdentity SnmpAdminString, 1476 snmpTlstmAddr13StorageType StorageType, 1477 snmpTlstmAddr13RowStatus RowStatus 1478 } 1479 snmpTlstmAddr13ServerFingerprint OBJECT-TYPE 1480 SYNTAX SnmpTLS13Fingerprint 1481 MAX-ACCESS read-create 1482 STATUS current 1483 DESCRIPTION 1484 "A cryptographic hash of a public X.509 certificate. This 1485 object should store the hash of the public X.509 certificate 1486 that the remote server should present during the TLS 1487 connection setup. The fingerprint of the presented 1488 certificate and this hash value MUST match exactly or the 1489 connection MUST NOT be established." 1490 DEFVAL { "" } 1491 ::= { snmpTlstmAddr13Entry 1 } 1492 snmpTlstmAddr13ServerIdentity OBJECT-TYPE 1493 SYNTAX SnmpAdminString 1494 MAX-ACCESS read-create 1495 STATUS current 1496 DESCRIPTION 1497 "The reference identity to check against the identity 1498 presented by the remote system." 1499 DEFVAL { "" } 1500 ::= { snmpTlstmAddr13Entry 2 } 1501 snmpTlstmAddr13StorageType OBJECT-TYPE 1502 SYNTAX StorageType 1503 MAX-ACCESS read-create 1504 STATUS current 1505 DESCRIPTION 1506 "The storage type for this conceptual row. 
Conceptual rows 1507 having the value 'permanent' need not allow write-access to 1508 any columnar objects in the row." 1509 DEFVAL { nonVolatile } 1510 ::= { snmpTlstmAddr13Entry 3 } 1511 snmpTlstmAddr13RowStatus OBJECT-TYPE 1512 SYNTAX RowStatus 1513 MAX-ACCESS read-create 1514 STATUS current 1515 DESCRIPTION 1516 "The status of this conceptual row. This object may be used 1517 to create or remove rows from this table. 1518 To create a row in this table, an administrator must set this 1519 object to either createAndGo(4) or createAndWait(5). 1520 Until instances of all corresponding columns are 1521 appropriately configured, the value of the 1522 corresponding instance of the snmpTlstmAddr13RowStatus 1523 column is notReady(3). 1524 In particular, a newly created row cannot be made active until 1525 the corresponding snmpTlstmAddr13ServerFingerprint column has 1526 been set. 1527 Rows MUST NOT be active if the snmpTlstmAddr13ServerFingerprint 1528 column is blank and the snmpTlstmAddr13ServerIdentity is set to 1529 '*' since this would insecurely accept any presented 1530 certificate. 1531 The snmpTlstmAddr13ServerFingerprint object may not be modified 1532 while the value of this object is active(1). 1533 An attempt to set these objects while the value of 1534 snmpTlstmAddr13RowStatus is active(1) will result in 1535 an inconsistentValue error." 1536 ::= { snmpTlstmAddr13Entry 4 } 1537 -- ************************************************ 1538 -- snmpTlstmNotifications - Notifications Information 1539 -- ************************************************ 1540 snmpTlstmServerCertificateUnknown NOTIFICATION-TYPE 1541 OBJECTS { snmpTlstmSessionUnknownServerCertificate } 1542 STATUS current 1543 DESCRIPTION 1544 "Notification that the server certificate presented by an SNMP 1545 over (D)TLS server was invalid because no configured 1546 fingerprint or CA was acceptable to validate it. 
This may be 1547 because there was no entry in the snmpTlstmAddrTable (or 1548 snmpTlstmAddr13Table) or 1549 because no path could be found to a known Certification 1550 Authority. 1551 To avoid notification loops, this notification MUST NOT be 1552 sent to servers that themselves have triggered the 1553 notification." 1554 ::= { snmpTlstmNotifications 1 } 1555 snmpTlstmServerInvalidCertificate NOTIFICATION-TYPE 1556 OBJECTS { snmpTlstmAddrServerFingerprint, 1557 snmpTlstmSessionInvalidServerCertificates} 1558 STATUS deprecated 1559 DESCRIPTION 1560 "Notification that the server certificate presented by an SNMP 1561 over (D)TLS server could not be validated even if the 1562 fingerprint or expected validation path was known. That is, a 1563 cryptographic validation error occurred during certificate 1564 validation processing. 1565 To avoid notification loops, this notification MUST NOT be 1566 sent to servers that themselves have triggered the 1567 notification." 1568 ::= { snmpTlstmNotifications 2 } 1569 snmpTlstmServerInvalidCertificate13 NOTIFICATION-TYPE 1570 OBJECTS { snmpTlstmAddr13ServerFingerprint, 1571 snmpTlstmSessionInvalidServerCertificates} 1572 STATUS current 1573 DESCRIPTION 1574 "Notification that the server certificate presented by an SNMP 1575 over (D)TLS server could not be validated even if the 1576 fingerprint or expected validation path was known. That is, a 1577 cryptographic validation error occurred during certificate 1578 validation processing. 1579 To avoid notification loops, this notification MUST NOT be 1580 sent to servers that themselves have triggered the 1581 notification."
1582 ::= { snmpTlstmNotifications 3 } 1583 -- ************************************************ 1584 -- snmpTlstmCompliances - Conformance Information 1585 -- ************************************************ 1586 snmpTlstmCompliances OBJECT IDENTIFIER ::= { snmpTlstmConformance 1 } 1587 snmpTlstmGroups OBJECT IDENTIFIER ::= { snmpTlstmConformance 2 } 1588 -- ************************************************ 1589 -- Compliance statements 1590 -- ************************************************ 1591 snmpTlstmCompliance MODULE-COMPLIANCE 1592 STATUS deprecated 1593 DESCRIPTION 1594 "The compliance statement for SNMP engines that support the 1595 SNMP-TLS-TM-MIB as originally defined in RFC 6353 (TLS 1.2)." 1596 MODULE 1597 MANDATORY-GROUPS { snmpTlstmStatsGroup, 1598 snmpTlstmIncomingGroup, 1599 snmpTlstmOutgoingGroup, 1600 snmpTlstmNotificationGroup } 1601 ::= { snmpTlstmCompliances 1 } 1602 snmpTlstmCompliance13 MODULE-COMPLIANCE 1603 STATUS current 1604 DESCRIPTION 1605 "The compliance statement for SNMP engines that support the 1606 SNMP-TLS-TM-MIB with (D)TLS 1.3." 1607 MODULE 1608 MANDATORY-GROUPS { snmpTlstmStatsGroup, 1609 snmpTlstmIncoming13Group, 1610 snmpTlstmOutgoing13Group, 1611 snmpTlstmNotification13Group } 1612 ::= { snmpTlstmCompliances 2 } 1613 -- ************************************************ 1614 -- Units of conformance 1615 -- ************************************************ 1616 snmpTlstmStatsGroup OBJECT-GROUP 1617 OBJECTS { 1618 snmpTlstmSessionOpens, 1619 snmpTlstmSessionClientCloses, 1620 snmpTlstmSessionOpenErrors, 1621 snmpTlstmSessionAccepts, 1622 snmpTlstmSessionServerCloses, 1623 snmpTlstmSessionNoSessions, 1624 snmpTlstmSessionInvalidClientCertificates, 1625 snmpTlstmSessionUnknownServerCertificate, 1626 snmpTlstmSessionInvalidServerCertificates, 1627 snmpTlstmSessionInvalidCaches 1628 } 1629 STATUS current 1630 DESCRIPTION 1631 "A collection of objects for maintaining 1632 statistical information of an SNMP engine that 1633 implements the SNMP TLS Transport Model."
1634 ::= { snmpTlstmGroups 1 } 1635 snmpTlstmIncomingGroup OBJECT-GROUP 1636 OBJECTS { 1637 snmpTlstmCertToTSNCount, 1638 snmpTlstmCertToTSNTableLastChanged, 1639 snmpTlstmCertToTSNFingerprint, 1640 snmpTlstmCertToTSNMapType, 1641 snmpTlstmCertToTSNData, 1642 snmpTlstmCertToTSNStorageType, 1643 snmpTlstmCertToTSNRowStatus 1644 } 1645 STATUS deprecated 1646 DESCRIPTION 1647 "A collection of objects for maintaining 1648 incoming connection certificate mappings to 1649 tmSecurityNames of an SNMP engine that implements the 1650 SNMP TLS Transport Model." 1651 ::= { snmpTlstmGroups 2 } 1652 snmpTlstmOutgoingGroup OBJECT-GROUP 1653 OBJECTS { 1654 snmpTlstmParamsCount, 1655 snmpTlstmParamsTableLastChanged, 1656 snmpTlstmParamsClientFingerprint, 1657 snmpTlstmParamsStorageType, 1658 snmpTlstmParamsRowStatus, 1659 snmpTlstmAddrCount, 1660 snmpTlstmAddrTableLastChanged, 1661 snmpTlstmAddrServerFingerprint, 1662 snmpTlstmAddrServerIdentity, 1663 snmpTlstmAddrStorageType, 1664 snmpTlstmAddrRowStatus 1665 } 1666 STATUS deprecated 1667 DESCRIPTION 1668 "A collection of objects for maintaining 1669 outgoing connection certificates to use when opening 1670 connections as a result of SNMP-TARGET-MIB settings." 
1671 ::= { snmpTlstmGroups 3 } 1672 snmpTlstmNotificationGroup NOTIFICATION-GROUP 1673 NOTIFICATIONS { 1674 snmpTlstmServerCertificateUnknown, 1675 snmpTlstmServerInvalidCertificate 1676 } 1677 STATUS deprecated 1678 DESCRIPTION 1679 "Notifications" 1680 ::= { snmpTlstmGroups 4 } 1681 snmpTlstmIncoming13Group OBJECT-GROUP 1682 OBJECTS { 1683 snmpTlstmCertToTSN13Count, 1684 snmpTlstmCertToTSN13TableLastChanged, 1685 snmpTlstmCertToTSN13Fingerprint, 1686 snmpTlstmCertToTSN13MapType, 1687 snmpTlstmCertToTSN13Data, 1688 snmpTlstmCertToTSN13StorageType, 1689 snmpTlstmCertToTSN13RowStatus 1690 } 1691 STATUS current 1692 DESCRIPTION 1693 "A collection of objects for maintaining 1694 incoming connection certificate mappings to 1695 tmSecurityNames of an SNMP engine that implements the 1696 SNMP TLS 1.3 Transport Model." 1697 ::= { snmpTlstmGroups 5 } 1698 snmpTlstmOutgoing13Group OBJECT-GROUP 1699 OBJECTS { 1700 snmpTlstmParams13Count, 1701 snmpTlstmParams13TableLastChanged, 1702 snmpTlstmParams13ClientFingerprint, 1703 snmpTlstmParams13StorageType, 1704 snmpTlstmParams13RowStatus, 1705 snmpTlstmAddr13Count, 1706 snmpTlstmAddr13TableLastChanged, 1707 snmpTlstmAddr13ServerFingerprint, 1708 snmpTlstmAddr13ServerIdentity, 1709 snmpTlstmAddr13StorageType, 1710 snmpTlstmAddr13RowStatus 1711 } 1712 STATUS current 1713 DESCRIPTION 1714 "A collection of objects for maintaining 1715 outgoing connection certificates to use when opening 1716 TLS 1.3 connections as a result of SNMP-TARGET-MIB settings." 1718 ::= { snmpTlstmGroups 6 } 1719 snmpTlstmNotification13Group NOTIFICATION-GROUP 1720 NOTIFICATIONS { 1721 snmpTlstmServerCertificateUnknown, 1722 snmpTlstmServerInvalidCertificate13 1723 } 1724 STATUS current 1725 DESCRIPTION 1726 "Notifications for the SNMP TLS 1.3 Transport Model" 1727 ::= { snmpTlstmGroups 7 } 1728 END 1730 5. Security Considerations 1732 This document updates a transport model that permits SNMP to utilize 1733 TLS security services. 
The security threats and how the TLS 1734 transport model mitigates these threats are covered throughout this 1735 document and in [RFC6353]. Security considerations for TLS are 1736 described in Section 10 and Appendix E of TLS 1.3 [RFC8446]. 1738 5.1. MIB Module Security 1740 There are a number of management objects defined in this MIB module 1741 with a MAX-ACCESS clause of read-write and/or read-create. Such 1742 objects might be considered sensitive or vulnerable in some network 1743 environments. The support for SET operations in a non-secure 1744 environment without proper protection can have a negative effect on 1745 network operations. These are the tables and objects and their 1746 sensitivity/vulnerability: 1748 * The snmpTlstmParams13Table can be used to change the outgoing 1749 X.509 certificate used to establish a TLS connection. 1750 Modifications to objects in this table need to be adequately 1751 authenticated since modifying the values in this table will have 1752 profound impacts on the security of outbound connections from the 1753 device. Since knowledge of authorization rules and certificate 1754 usage mechanisms might be considered sensitive, protection from 1755 disclosure of the SNMP traffic via encryption is automatically 1756 achieved via TLS 1.3. 1758 * The snmpTlstmAddr13Table can be used to change the expectations of 1759 the certificates presented by a remote TLS server. Modifications 1760 to objects in this table need to be adequately authenticated since 1761 modifying the values in this table will have profound impacts on 1762 the security of outbound connections from the device. Since 1763 knowledge of authorization rules and certificate usage mechanisms 1764 might be considered sensitive, protection from disclosure of the 1765 SNMP traffic via encryption is automatically achieved via TLS 1.3.
1767 * The snmpTlstmCertToTSN13Table is used to specify the mapping of 1768 incoming X.509 certificates to tmSecurityNames, which eventually 1769 get mapped to an SNMPv3 securityName. Modifications to objects in 1770 this table need to be adequately authenticated since modifying the 1771 values in this table will have profound impacts on the security of 1772 incoming connections to the device. Since knowledge of 1773 authorization rules and certificate usage mechanisms might be 1774 considered sensitive, protection from disclosure of the SNMP 1775 traffic via encryption is automatically achieved via TLS 1.3. 1776 When this table contains a significant number of rows it might 1777 affect the system performance when accepting new TLS connections. 1779 Some of the readable objects in this MIB module (i.e., objects with a 1780 MAX-ACCESS other than not-accessible) might be considered sensitive 1781 or vulnerable in some network environments. It is thus important to 1782 control even GET and/or NOTIFY access to these objects and encrypt 1783 the values of these objects when sending them over the network via 1784 SNMP. These are the tables and objects and their sensitivity/ 1785 vulnerability: 1787 * This MIB contains a collection of counters that monitor the TLS 1788 connections being established with a device. Since knowledge of 1789 connection and certificate usage mechanisms might be considered 1790 sensitive, protection from disclosure of the SNMP traffic via 1791 encryption is automatically achieved via TLS 1.3. 1793 SNMP versions prior to SNMPv3 did not include adequate security. 1794 Even if the network itself is secure (for example, by using IPsec), 1795 there is no control as to who on the secure network is 1796 allowed to access and GET/SET (read/change/create/delete) the objects 1797 in this MIB module.
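The two tables flagged above drive two different certificate decisions: the snmpTlstmAddr13Table tells the TLS client how to verify the server (fingerprint pinning, or a reference identity checked against the dNSName subjectAltName after RFC 5280 path validation, with the wildcard and '*' row rules from the MIB module above), and the snmpTlstmCertToTSN13Table maps a validated client certificate to a tmSecurityName in the way Appendix A.2 and A.3 configure. The following Python is an added example written for this page, not code from the draft or from any SNMP implementation. It assumes a fingerprint is one hash-identifier octet (4 for SHA-256) followed by the digest, treats the RFC 5280 path-validation result as an input computed elsewhere, fingerprints only the end-entity certificate, reduces snmpTlstmCertSANAny to the first dNSName, and uses constructed byte strings in place of DER certificates.

```python
"""Added example (not code from the draft): the certificate checks that
the SNMP-TLS-TM-MIB tables drive, run on constructed data.

Assumption: a fingerprint is one hash-identifier octet followed by the
digest, here 4 = SHA-256.  The authoritative layout is the
SnmpTLS13Fingerprint textual convention defined earlier in the draft.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence

SHA256_HASH_ID = 4  # assumption, see module docstring


def make_fingerprint(cert_der: bytes) -> bytes:
    """Hash-id octet followed by the SHA-256 digest of the DER certificate."""
    return bytes([SHA256_HASH_ID]) + hashlib.sha256(cert_der).digest()


def dns_name_matches(reference: str, presented: str) -> bool:
    """snmpTlstmAddr13ServerIdentity against one dNSName of the server cert.

    An internationalized reference identity is converted to ACE first
    (RFC 5280, Section 7).  '*' is accepted only as the whole left-most
    label of the presented name and matches exactly one label, so
    *.example.com matches a.example.com but not example.com or
    a.b.example.com.  Partial-label wildcards (a*.example.com) are rejected.
    """
    ref = reference.rstrip(".").encode("idna").decode("ascii").lower()
    pres = presented.rstrip(".").lower()
    if "*" not in pres:
        return ref == pres
    labels = pres.split(".")
    if len(labels) < 2 or labels[0] != "*" or any("*" in l for l in labels[1:]):
        return False
    ref_labels = ref.split(".")
    return len(ref_labels) == len(labels) and ref_labels[1:] == labels[1:]


@dataclass(frozen=True)
class Addr13Row:
    """One snmpTlstmAddr13Entry (storage type and row status omitted)."""
    server_fingerprint: bytes = b""
    server_identity: str = ""


def addr13_row_may_be_active(row: Addr13Row) -> bool:
    """Blank fingerprint plus identity '*' would accept any certificate,
    so the MIB says such a row MUST NOT be active."""
    return not (row.server_fingerprint == b"" and row.server_identity == "*")


def verify_server(row: Optional[Addr13Row], cert_der: bytes,
                  san_dns_names: Sequence[str], path_valid: bool) -> bool:
    """TLS-client decision for the presented server certificate.

    path_valid is the caller's RFC 5280 path-validation result (not shown).
    A configured fingerprint wins and the identity column is ignored;
    otherwise the chain must validate and a dNSName must match.  With no
    row the draft only says the connection MAY proceed; this example refuses.
    """
    if row is None or not addr13_row_may_be_active(row):
        return False
    if row.server_fingerprint:
        return hmac.compare_digest(row.server_fingerprint, make_fingerprint(cert_der))
    if not path_valid:
        return False
    return any(dns_name_matches(row.server_identity, n) for n in san_dns_names)


@dataclass(frozen=True)
class CertToTSN13Row:
    """One snmpTlstmCertToTSN13Entry; Data holds the tmSecurityName when the
    map type is snmpTlstmCertSpecified (Appendix A.3)."""
    row_id: int
    fingerprint: bytes
    map_type: str  # "snmpTlstmCertSpecified" or "snmpTlstmCertSANAny" only
    data: str = ""


def map_to_tm_security_name(rows: Iterable[CertToTSN13Row], cert_der: bytes,
                            san_dns_names: Sequence[str]) -> Optional[str]:
    """Incoming side: walk rows in snmpTlstmCertToTSN13ID order and return
    the tmSecurityName from the first row whose fingerprint matches the
    already validated client certificate, or None when no row matches.
    Simplification: only the end-entity certificate is fingerprinted and
    snmpTlstmCertSANAny is reduced to the first dNSName in the SAN.
    """
    fp = make_fingerprint(cert_der)
    for row in sorted(rows, key=lambda r: r.row_id):
        if not hmac.compare_digest(row.fingerprint, fp):
            continue
        if row.map_type == "snmpTlstmCertSpecified":
            return row.data
        if row.map_type == "snmpTlstmCertSANAny" and san_dns_names:
            return san_dns_names[0]
    return None


# Constructed stand-ins for DER certificates; a real implementation parses
# the subjectAltName out of the certificate instead of passing it alongside.
CERT_A = b"constructed DER certificate A"
CERT_B = b"constructed DER certificate B"

if __name__ == "__main__":
    named = Addr13Row(server_identity="server.example.org")  # the A.1 row
    print(verify_server(named, CERT_A, ["*.example.org"], path_valid=True))
    rows = [CertToTSN13Row(2, make_fingerprint(CERT_B), "snmpTlstmCertSpecified", "Joe Cool")]
    print(map_to_tm_security_name(rows, CERT_B, []))
```

The fingerprint comparison uses a constant-time compare, and a blank-fingerprint row is refused outright once its identity is '*', so the insecure combination the RowStatus clause forbids cannot be reached even if an agent let the row go active. The mapping walk also makes the Appendix A.2 warning concrete: two rows of type snmpTlstmCertSANAny for two different certificates that carry the same dNSName yield the same tmSecurityName, which is why that map type is only safe when the issuing CAs' naming rules are known.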
1799 As defined in Section 2.4, TLSTM clients and servers MUST NOT 1800 request, offer, or use SNMPv1 or SNMPv2c message processing described 1801 in [RFC3584], or the User-based Security Model of SNMPv3. Instead, 1802 it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic 1803 security. It is then a customer/operator responsibility to ensure 1804 that the SNMP entity giving access to an instance of this MIB module 1805 is properly configured to give access to the objects only to those 1806 principals (users) that have legitimate rights to indeed GET or SET 1807 (change/create/delete) them. 1809 6. IANA Considerations 1811 This document has no IANA actions beyond those performed as a part of 1812 [RFC6353]. 1814 7. Acknowledgements 1816 This document is based on [RFC6353]. This document 1817 was reviewed by the following people who helped provide useful 1818 comments: Michaela Vanderveen. 1820 8. References 1822 8.1. Normative References 1824 [I-D.ietf-tls-dtls13] 1825 Rescorla, E., Tschofenig, H., and N. Modadugu, "The 1826 Datagram Transport Layer Security (DTLS) Protocol Version 1827 1.3", Work in Progress, Internet-Draft, draft-ietf-tls- 1828 dtls13-43, 30 April 2021. 1829 1832 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1833 Requirement Levels", BCP 14, RFC 2119, 1834 DOI 10.17487/RFC2119, March 1997. 1835 1837 [RFC3584] Frye, R., Levi, D., Routhier, S., and B. Wijnen, 1838 "Coexistence between Version 1, Version 2, and Version 3 1839 of the Internet-standard Network Management Framework", 1840 BCP 74, RFC 3584, DOI 10.17487/RFC3584, August 2003. 1841 1843 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 1844 Housley, R., and W. Polk, "Internet X.509 Public Key 1845 Infrastructure Certificate and Certificate Revocation List 1846 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008. 1847 1849 [RFC5591] Harrington, D. and W.
Hardaker, "Transport Security Model 1850 for the Simple Network Management Protocol (SNMP)", 1851 STD 78, RFC 5591, DOI 10.17487/RFC5591, June 2009. 1852 1854 [RFC6353] Hardaker, W., "Transport Layer Security (TLS) Transport 1855 Model for the Simple Network Management Protocol (SNMP)", 1856 STD 78, RFC 6353, DOI 10.17487/RFC6353, July 2011. 1857 1859 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1860 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018. 1861 1863 [STD62] Harrington, D., Presuhn, R., and B. Wijnen, "An 1864 Architecture for Describing Simple Network Management 1865 Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, 1866 December 2002. 1868 Case, J., Harrington, D., Presuhn, R., and B. Wijnen, 1869 "Message Processing and Dispatching for the Simple Network 1870 Management Protocol (SNMP)", STD 62, RFC 3412, December 1871 2002. 1873 Levi, D., Meyer, P., and B. Stewart, "Simple Network 1874 Management Protocol (SNMP) Applications", STD 62, 1875 RFC 3413, December 2002. 1877 Blumenthal, U. and B. Wijnen, "User-based Security Model 1878 (USM) for version 3 of the Simple Network Management 1879 Protocol (SNMPv3)", STD 62, RFC 3414, December 2002. 1881 Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based 1882 Access Control Model (VACM) for the Simple Network 1883 Management Protocol (SNMP)", STD 62, RFC 3415, December 1884 2002. 1886 Presuhn, R., Ed., "Version 2 of the Protocol Operations 1887 for the Simple Network Management Protocol (SNMP)", 1888 STD 62, RFC 3416, December 2002. 1890 Presuhn, R., Ed., "Transport Mappings for the Simple 1891 Network Management Protocol (SNMP)", STD 62, RFC 3417, 1892 December 2002. 1894 Presuhn, R., Ed., "Management Information Base (MIB) for 1895 the Simple Network Management Protocol (SNMP)", STD 62, 1896 RFC 3418, December 2002. 1898 8.2. Informative References 1900 [RFC5246] Dierks, T. and E.
Rescorla, "The Transport Layer Security 1901 (TLS) Protocol Version 1.2", RFC 5246, 1902 DOI 10.17487/RFC5246, August 2008. 1903 1905 [STD58] McCloghrie, K., Ed., Perkins, D., Ed., and J. 1906 Schoenwaelder, Ed., "Structure of Management Information 1907 Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. 1909 McCloghrie, K., Ed., Perkins, D., Ed., and J. 1910 Schoenwaelder, Ed., "Textual Conventions for SMIv2", 1911 STD 58, RFC 2579, April 1999. 1913 McCloghrie, K., Ed., Perkins, D., Ed., and J. 1914 Schoenwaelder, Ed., "Conformance Statements for SMIv2", 1915 STD 58, RFC 2580, April 1999. 1917 Appendix A. Target and Notification Configuration Example 1919 The following sections describe example configuration for the SNMP- 1920 TLS-TM-MIB, the SNMP-TARGET-MIB, the NOTIFICATION-MIB, and the SNMP- 1921 VIEW-BASED-ACM-MIB. 1923 A.1. Configuring a Notification Originator 1925 The following row adds the "Joe Cool" user to the "administrators" 1926 group: 1928 vacmSecurityModel = 4 (TSM) 1929 vacmSecurityName = "Joe Cool" 1930 vacmGroupName = "administrators" 1931 vacmSecurityToGroupStorageType = 3 (nonVolatile) 1932 vacmSecurityToGroupStatus = 4 (createAndGo) 1934 The following row configures the snmpTlstmAddr13Table to use 1935 certificate path validation and to require the remote notification 1936 receiver to present a certificate for the "server.example.org" 1937 identity.
1939 snmpTargetAddrName = "toNRAddr" 1940 snmpTlstmAddr13ServerFingerprint = "" 1941 snmpTlstmAddr13ServerIdentity = "server.example.org" 1942 snmpTlstmAddr13StorageType = 3 (nonVolatile) 1943 snmpTlstmAddr13RowStatus = 4 (createAndGo) 1945 The following row configures the snmpTargetAddrTable to send 1946 notifications using TLS/TCP to the snmptls-trap port at 192.0.2.1: 1948 snmpTargetAddrName = "toNRAddr" 1949 snmpTargetAddrTDomain = snmpTLSTCPDomain 1950 snmpTargetAddrTAddress = "192.0.2.1:10162" 1951 snmpTargetAddrTimeout = 1500 1952 snmpTargetAddrRetryCount = 3 1953 snmpTargetAddrTagList = "toNRTag" 1954 snmpTargetAddrParams = "toNR" (MUST match below) 1955 snmpTargetAddrStorageType = 3 (nonVolatile) 1956 snmpTargetAddrRowStatus = 4 (createAndGo) 1958 The following row configures the snmpTargetParamsTable to send the 1959 notifications to "Joe Cool", using authPriv SNMPv3 notifications 1960 through the TransportSecurityModel [RFC5591]: 1962 snmpTargetParamsName = "toNR" (MUST match above) 1963 snmpTargetParamsMPModel = 3 (SNMPv3) 1964 snmpTargetParamsSecurityModel = 4 (TransportSecurityModel) 1965 snmpTargetParamsSecurityName = "Joe Cool" 1966 snmpTargetParamsSecurityLevel = 3 (authPriv) 1967 snmpTargetParamsStorageType = 3 (nonVolatile) 1968 snmpTargetParamsRowStatus = 4 (createAndGo) 1970 A.2. Configuring TLSTM to Utilize a Simple Derivation of tmSecurityName 1972 The following row configures the snmpTlstmCertToTSN13Table to map a 1973 validated client certificate, referenced by the fingerprint (hash) of 1974 the client's X.509 certificate, to a tmSecurityName using the subjectAltName 1975 component of the certificate.
1977 snmpTlstmCertToTSN13ID = 1 1978 (chosen by ordering preference) 1979 snmpTlstmCertToTSN13Fingerprint = HASH (appropriate fingerprint) 1980 snmpTlstmCertToTSN13MapType = snmpTlstmCertSANAny 1981 snmpTlstmCertToTSN13Data = "" (not used) 1982 snmpTlstmCertToTSN13StorageType = 3 (nonVolatile) 1983 snmpTlstmCertToTSN13RowStatus = 4 (createAndGo) 1985 This type of configuration should only be used when the naming 1986 conventions of the (possibly multiple) Certification Authorities are 1987 well understood, so two different principals cannot inadvertently be 1988 identified by the same derived tmSecurityName. 1990 A.3. Configuring TLSTM to Utilize Table-Driven Certificate Mapping 1992 The following row configures the snmpTlstmCertToTSN13Table to map a 1993 validated client certificate, referenced by the fingerprint (hash) of 1994 the client's X.509 certificate, to the directly specified tmSecurityName of "Joe 1995 Cool". With map type snmpTlstmCertSpecified the name is carried in the snmpTlstmCertToTSN13Data column: 1997 snmpTlstmCertToTSN13ID = 2 1998 (chosen by ordering preference) 1999 snmpTlstmCertToTSN13Fingerprint = HASH (appropriate fingerprint) 2000 snmpTlstmCertToTSN13MapType = snmpTlstmCertSpecified 2001 snmpTlstmCertToTSN13Data = "Joe Cool" 2002 snmpTlstmCertToTSN13StorageType = 3 (nonVolatile) 2003 snmpTlstmCertToTSN13RowStatus = 4 (createAndGo) 2005 Author's Address 2007 Kenneth Vaughn (editor) 2008 Trevilon LLC 2009 6606 FM 1488 RD 2010 Suite 148-503 2011 Magnolia, TX 77354 2012 United States of America 2014 Phone: +1 571 331 5670 2015 Email: kvaughn@trevilon.com