Party MIB
for Version 2 of the
Simple Network Management Protocol (SNMPv2)

19 March 1995

draft-ietf-snmpv2-party-ds-01.txt

Jeffrey D. Case
SNMP Research, Inc.
case@snmp.com

James Galvin
Trusted Information Systems
galvin@tis.com

Keith McCloghrie
Cisco Systems, Inc.
kzm@cisco.com

Marshall T. Rose
Dover Beach Consulting, Inc.
mrose@dbc.mtview.ca.us

Steven Waldbusser
Carnegie Mellon University
waldbusser@cmu.edu

Status of this Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas, and
   its working groups.  Note that other groups may also distribute working
   documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference material
   or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
   ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

1.  Introduction

   A management system contains: several (potentially many) nodes, each
   with a processing entity, termed an agent, which has access to
   management instrumentation; at least one management station; and, a
   management protocol, used to convey management information between the
   agents and management stations.  Operations of the protocol are carried
   out under an administrative framework which defines authentication,
   authorization, access control, and privacy policies.

   Management stations execute management applications which monitor and
   control managed elements.  Managed elements are devices such as hosts,
   routers, terminal servers, etc., which are monitored and controlled via
   access to their management information.

   Management information is viewed as a collection of managed objects,
   residing in a virtual information store, termed the Management
   Information Base (MIB).  Collections of related objects are defined in
   MIB modules.  These modules are written using a subset of OSI's Abstract
   Syntax Notation One (ASN.1) [1], termed the Structure of Management
   Information (SMI) [2].

   The Administrative Infrastructure for SNMPv2 document [3] defines the
   properties associated with SNMPv2 parties, SNMPv2 contexts, and access
   control policies.  It is the purpose of this document, the Party MIB for
   SNMPv2, to define managed objects which correspond to these properties.

1.1.  A Note on Terminology

   For the purpose of exposition, the original Internet-standard Network
   Management Framework, as described in RFCs 1155, 1157, and 1212, is
   termed the SNMP version 1 framework (SNMPv1).  The current framework is
   termed the SNMP version 2 framework (SNMPv2).

1.2.  Change Log

   For the 19 March version:

   - The many changes adopted by the SNMPv2 Working Group.
   For the 1 November version:

   - recast RFC 1447 into an Internet-Draft,

   - fixed typos,

   - added snmpUDPDomain to the IMPORTS clause,

   - added descriptive text for the initial Context conventions,

   - added text to the DESCRIPTIONs of partyStatus, contextStatus,
     acStatus, and viewStatus, specifying that columnar objects can
     be modified without having to set the status column to
     'notInService',

   - added clarifying text to the DESCRIPTIONs of contextLocal,
     contextLocalEntity, contextProxySrcParty, contextProxyDstParty,
     contextProxyContext, and contextStatus,

   - removed auxiliary objects from the definition of partyMIBGroup.

2.  Definitions

SNMPv2-PARTY-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-IDENTITY, OBJECT-TYPE, snmpModules,
    UInteger32, zeroDotZero
        FROM SNMPv2-SMI
    snmpUDPDomain
        FROM SNMPv2-TM
    TEXTUAL-CONVENTION, RowStatus, TruthValue, TestAndIncr
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF;

-- TestAndIncr is imported because partySecretSpinLock below uses it.

partyMIB MODULE-IDENTITY
    LAST-UPDATED "9503190000Z"
    ORGANIZATION "IETF SNMPv2 Working Group"
    CONTACT-INFO
            "        Keith McCloghrie

             Postal: Cisco Systems, Inc.
                     170 West Tasman Drive
                     San Jose, CA  95134-1706
                     USA

             Phone:  +1 408 526 5260
             Email:  kzm@cisco.com"
    DESCRIPTION
            "The MIB module describing SNMPv2 parties."
    REVISION     "9104300000Z"
    DESCRIPTION
            "The initial revision of this MIB module was published as
            RFC 1447."
    ::= { snmpModules 3 }

-- textual conventions

Party ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
            "Denotes a SNMPv2 party identifier.

            Note that agents may impose implementation limitations on
            the length of OIDs used to identify Parties.
            As such, management stations creating new parties should be
            aware that using an excessively long OID may result in the
            agent refusing to perform the set operation and instead
            returning the appropriate error response, e.g., noCreation."
    SYNTAX       OBJECT IDENTIFIER

TAddress ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
            "Denotes a transport service address.

            For snmpUDPDomain, a TAddress is 6 octets long, the initial
            4 octets containing the IP-address in network-byte order and
            the last 2 containing the UDP port in network-byte order.
            Consult [5] for further information on snmpUDPDomain."
    SYNTAX       OCTET STRING

Clock ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
            "A party's authentication clock - a non-negative integer
            which is incremented as specified/allowed by the party's
            Authentication Protocol.

            For noAuth, a party's authentication clock is unused and its
            value is undefined.

            For v2md5AuthProtocol, a party's authentication clock is a
            relative clock with 1-second granularity."
    SYNTAX       UInteger32 (0..2147483647)

Context ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
            "Denotes a SNMPv2 context identifier.

            Note that agents may impose implementation limitations on
            the length of OIDs used to identify Contexts.  As such,
            management stations creating new contexts should be aware
            that using an excessively long OID may result in the agent
            refusing to perform the set operation and instead returning
            the appropriate error response, e.g., noCreation."
    SYNTAX       OBJECT IDENTIFIER

AccessPrivileges ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
            "A set of access privileges which specify the authorized set
            of management operations between two SNMPv2 entities.

            These privileges are specified as a sum of values, where
            each value specifies a SNMPv2 PDU type by which the subject
            party may request a permitted operation.  The value for a
            particular PDU type is computed as 2 raised to the value of
            the ASN.1 context-specific tag for the appropriate SNMPv2
            PDU type.  The values (for the tags defined in [5]) are
            defined in [3] as:

                Get         :   1
                GetNext     :   2
                Response    :   4
                Set         :   8
                unused      :  16
                GetBulk     :  32
                Inform      :  64
                SNMPv2-Trap : 128

            The null set is represented by the value zero."
    SYNTAX       INTEGER (0..255)

StorageType ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
            "Describes the memory realization of a conceptual row.  A
            row which is volatile(2) is lost upon reboot.  A row which
            is either nonVolatile(3), permanent(4) or readOnly(5), is
            backed up by stable storage.  A row which is permanent(4)
            can be changed but not deleted.  A row which is readOnly(5)
            cannot be changed nor deleted.

            If the value of an object with this syntax is either
            permanent(4) or readOnly(5), it cannot be modified.
            Conversely, if the value is either other(1), volatile(2) or
            nonVolatile(3), it cannot be modified to be permanent(4) or
            readOnly(5).

            Every usage of this textual convention is required to
            specify the columnar objects which a permanent(4) row must
            at a minimum allow to be writable."
    SYNTAX       INTEGER {
                     other(1),       -- eh?
                     volatile(2),    -- e.g., in RAM
                     nonVolatile(3), -- e.g., in NVRAM
                     permanent(4),   -- e.g., partially in ROM
                     readOnly(5)     -- e.g., completely in ROM
                 }

-- administrative assignments

partyAdmin OBJECT IDENTIFIER ::= { partyMIB 1 }

-- definitions of security protocols

partyProtocols OBJECT IDENTIFIER ::= { partyAdmin 1 }

noAuth OBJEC-IDENTITY
    STATUS       current
    DESCRIPTION
            "The protocol without authentication."
    ::= { partyProtocols 1 }

noPriv OBJECT-IDENTITY
    STATUS       current
    DESCRIPTION
            "The protocol without privacy."
    ::= { partyProtocols 2 }

-- defined in [4]
desPrivProtocol OBJECT-IDENTITY
    STATUS       current
    DESCRIPTION
            "The DES Privacy Protocol."
    ::= { partyProtocols 3 }

-- defined in [4]
v2md5AuthProtocol OBJECT-IDENTITY
    STATUS       current
    DESCRIPTION
            "The MD5 Authentication Protocol."
    ::= { partyProtocols 4 }

-- definitions of temporal domains

temporalDomains
    OBJECT IDENTIFIER ::= { partyAdmin 2 }

currentTime OBJECT-IDENTITY
    STATUS       current
    DESCRIPTION
            "The temporal domain which refers to management information
            at the current time."
    ::= { temporalDomains 1 }

restartTime OBJECT-IDENTITY
    STATUS       current
    DESCRIPTION
            "The temporal domain which refers to management information
            upon the next re-initialization of the managed device."
    ::= { temporalDomains 2 }

cacheTime OBJECT-IDENTITY
    STATUS       current
    DESCRIPTION
            "The prefix for temporal domains which refer to management
            information that is cached.  In particular, the temporal
            domain:

                { cacheTime N }

            refers to management information that is cached and
            guaranteed to be at most N seconds old."
    ::= { temporalDomains 3 }

-- object assignments

partyMIBObjects
    OBJECT IDENTIFIER ::= { partyMIB 2 }

-- SNMPv2 party information

snmpParties OBJECT IDENTIFIER ::= { partyMIBObjects 1 }

partyTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF PartyEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
            "The SNMPv2 Party database."
    ::= { snmpParties 1 }

partyEntry OBJECT-TYPE
    SYNTAX       PartyEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
            "Locally held information about a particular SNMPv2 party."
    INDEX        { IMPLIED partyIdentity }
    ::= { partyTable 1 }

PartyEntry ::=
    SEQUENCE {
        partyIdentity         Party,
        partyIndex            INTEGER,
        partyTDomain          OBJECT IDENTIFIER,
        partyTAddress         TAddress,
        partyMaxMessageSize   INTEGER,
        partyLocal            TruthValue,
        partyAuthProtocol     OBJECT IDENTIFIER,
        partyAuthClock        Clock,
        partyAuthPrivate      OCTET STRING,
        partyAuthPublic       OCTET STRING,
        partyAuthLifetime     INTEGER,
        partyPrivProtocol     OBJECT IDENTIFIER,
        partyPrivPrivate      OCTET STRING,
        partyPrivPublic       OCTET STRING,
        partyCloneFrom        Party,
        partyStorageType      StorageType,
        partyStatus           RowStatus,
        partyAuthChange       OCTET STRING,
        partyPrivChange       OCTET STRING
    }

partyIdentity OBJECT-TYPE
    SYNTAX       Party
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION
            "A party identifier uniquely identifying a particular SNMPv2
            party.  This object is prohibited from taking the value
            { 0 0 }."
    ::= { partyEntry 1 }

partyIndex OBJECT-TYPE
    SYNTAX       INTEGER (1..2147483647)
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
            "An arbitrary unique value for each SNMPv2 party.  The
            value for each SNMPv2 party must remain constant at least
            from one re-initialization of the entity's network
            management system to the next re-initialization.

            The specific value is meaningful only within a given SNMPv2
            entity, i.e., it is not meaningful to any other SNMPv2
            entity except to uniquely identify the party within the set
            of all parties known to this agent."
    ::= { partyEntry 2 }

partyTDomain OBJECT-TYPE
    SYNTAX       OBJECT IDENTIFIER
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "Indicates the kind of transport service by which the party
            receives network management traffic."
    DEFVAL       { snmpUDPDomain }
    ::= { partyEntry 3 }

partyTAddress OBJECT-TYPE
    SYNTAX       TAddress
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "The transport service address by which the party receives
            network management traffic, formatted according to the
            corresponding value of partyTDomain.  The agent must listen
            for SNMPv2 requests sent to this address.  The default
            assignment of a transport-layer 'port' is that specified by
            the standard Transport Mapping for the kind of transport
            service given by the corresponding value of partyTDomain.

            For snmpUDPDomain, partyTAddress is formatted as a 4-octet
            IP Address concatenated with a 2-octet UDP port number."
    DEFVAL       { '000000000000'H }
    ::= { partyEntry 4 }

partyMaxMessageSize OBJECT-TYPE
    SYNTAX       INTEGER (484..65507)
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "The maximum length in octets of a SNMPv2 message which this
            party will accept.  For parties which execute at an agent,
            the agent initializes this object to the maximum length
            supported by the agent, and does not let the object be set
            to any larger value.  For parties which do not execute at
            the agent, the agent must allow the manager to set this
            object to any legal value, even if it is larger than the
            agent can generate."
    DEFVAL       { 484 }
    ::= { partyEntry 5 }

partyLocal OBJECT-TYPE
    SYNTAX       TruthValue
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "An indication of whether this party executes at this SNMPv2
            entity.  If this object has a value of true(1), then the
            SNMPv2 entity will listen for SNMPv2 messages on the
            partyTAddress associated with this party.  If this object
            has the value false(2), then the SNMPv2 entity will not
            listen for SNMPv2 messages on the partyTAddress associated
            with this party."
    DEFVAL       { false }
    ::= { partyEntry 6 }

partyAuthProtocol OBJECT-TYPE
    SYNTAX       OBJECT IDENTIFIER
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "The authentication protocol by which all messages generated
            by the party are authenticated as to origin and integrity.
            The value noAuth signifies that messages generated by the
            party are not authenticated.

            An instance of this object is created concurrently with the
            creation of any other object instance for the same party
            (i.e., as part of the processing of the set operation which
            creates the first object instance in the same conceptual
            row).  Once created, the value of an instance of this object
            can not be changed."
    DEFVAL       { v2md5AuthProtocol }
    ::= { partyEntry 7 }

partyAuthClock OBJECT-TYPE
    SYNTAX       Clock
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "The authentication clock which represents the local notion
            of the current time specific to the party.  This value must
            not be decremented unless the party's private authentication
            key is changed simultaneously."
    DEFVAL       { 0 }
    ::= { partyEntry 8 }

partyAuthPrivate OBJECT-TYPE
    SYNTAX       OCTET STRING
                 -- for v2md5AuthProtocol: (SIZE (16))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "An encoding of the party's private authentication key which
            may be needed to support the authentication protocol.
            Although the value of this variable may be altered by a
            management operation (e.g., a SNMPv2 Set-Request), its value
            can never be retrieved by a management operation: when read,
            the value of this variable is the zero length OCTET STRING.

            The private authentication key is NOT directly represented
            by the value of this variable, but rather it is represented
            according to an encoding.  This encoding is the bitwise
            exclusive-OR of the old key with the new key, i.e., of the
            old private authentication key (prior to the alteration)
            with the new private authentication key (after the
            alteration).  Thus, when processing a received protocol Set
            operation, the new private authentication key is obtained
            from the value of this variable as the result of a bitwise
            exclusive-OR of the variable's value and the old private
            authentication key.  In calculating the exclusive-OR, if the
            old key is shorter than the new key, zero-valued padding is
            appended to the old key.  If no value for the old key
            exists, a zero-length OCTET STRING is used in the
            calculation."
    DEFVAL       { ''H }        -- the empty string
    ::= { partyEntry 9 }

partyAuthPublic OBJECT-TYPE
    SYNTAX       OCTET STRING
                 -- for v2md5AuthProtocol: (SIZE (0..16))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "A publicly-readable value for the party.

            Depending on the party's authentication protocol, this value
            may be needed to support the party's authentication
            protocol.  Alternatively, it may be used by a manager during
            the procedure for altering secret information about a party.
            (For example, by altering the value of an instance of this
            object in the same SNMPv2 Set-Request used to update an
            instance of partyAuthPrivate, a subsequent Get-Request can
            determine if the Set-Request was successful in the event
            that no response to the Set-Request is received, see [4].)

            The length of the value is dependent on the party's
            authentication protocol.  If not used by the authentication
            protocol, it is recommended that agents support values of
            any length up to and including the length of the
            corresponding partyAuthPrivate object."
    DEFVAL       { ''H }        -- the empty string
    ::= { partyEntry 10 }

partyAuthLifetime OBJECT-TYPE
    SYNTAX       INTEGER (0..2147483647)
    UNITS        "seconds"
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "The lifetime (in units of seconds) which represents an
            administrative upper bound on acceptable delivery delay for
            protocol messages generated by the party.

            An instance of this object is created concurrently with the
            creation of any other object instance for the same party
            (i.e., as part of the processing of the set operation which
            creates the first object instance in the same conceptual
            row).  Once created, the value of an instance of this object
            can not be changed."
    DEFVAL       { 300 }
    ::= { partyEntry 11 }

partyPrivProtocol OBJECT-TYPE
    SYNTAX       OBJECT IDENTIFIER
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "The privacy protocol by which all protocol messages
            received by the party are protected from disclosure.  The
            value noPriv signifies that messages received by the party
            are not protected.

            An instance of this object is created concurrently with the
            creation of any other object instance for the same party
            (i.e., as part of the processing of the set operation which
            creates the first object instance in the same conceptual
            row).  Once created, the value of an instance of this object
            can not be changed."
    DEFVAL       { noPriv }
    ::= { partyEntry 12 }

partyPrivPrivate OBJECT-TYPE
    SYNTAX       OCTET STRING
                 -- for desPrivProtocol: (SIZE (16))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "An encoding of the party's private encryption key which may
            be needed to support the privacy protocol.  Although the
            value of this variable may be altered by a management
            operation (e.g., a SNMPv2 Set-Request), its value can never
            be retrieved by a management operation: when read, the value
            of this variable is the zero length OCTET STRING.

            The private encryption key is NOT directly represented by
            the value of this variable, but rather it is represented
            according to an encoding.  This encoding is the bitwise
            exclusive-OR of the old key with the new key, i.e., of the
            old private encryption key (prior to the alteration) with
            the new private encryption key (after the alteration).
            Thus, when processing a received protocol Set operation, the
            new private encryption key is obtained from the value of
            this variable as the result of a bitwise exclusive-OR of the
            variable's value and the old private encryption key.  In
            calculating the exclusive-OR, if the old key is shorter than
            the new key, zero-valued padding is appended to the old key.
            If no value for the old key exists, a zero-length OCTET
            STRING is used in the calculation."
    DEFVAL       { ''H }        -- the empty string
    ::= { partyEntry 13 }

partyPrivPublic OBJECT-TYPE
    SYNTAX       OCTET STRING
                 -- for desPrivProtocol: (SIZE (0..16))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "A publicly-readable value for the party.

            Depending on the party's privacy protocol, this value may be
            needed to support the party's privacy protocol.
            Alternatively, it may be used by a manager as a part of its
            procedure for altering secret information about a party.
            (For example, by altering the value of an instance of this
            object in the same SNMPv2 Set-Request used to update an
            instance of partyPrivPrivate, a subsequent Get-Request can
            determine if the Set-Request was successful in the event
            that no response to the Set-Request is received, see [4].)

            The length of the value is dependent on the party's privacy
            protocol.  If not used by the privacy protocol, it is
            recommended that agents support values of any length up to
            and including the length of the corresponding
            partyPrivPrivate object."
    DEFVAL       { ''H }        -- the empty string
    ::= { partyEntry 14 }

partyCloneFrom OBJECT-TYPE
    SYNTAX       Party
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "The identity of a party to clone authentication and privacy
            parameters from.  When read, the value { 0 0 } is returned.

            This value must be written exactly once, when the associated
            instance of partyStatus either does not exist or has the
            value `notReady'.  When written, the value identifies a
            party, the cloning party, whose status column has the value
            `active'.  The cloning party is used in two ways.

            One, if instances of the following objects do not exist for
            the party being created, then they are created with values
            identical to those of the corresponding objects for the
            cloning party:

                partyAuthProtocol
                partyAuthPublic
                partyAuthLifetime
                partyPrivProtocol
                partyPrivPublic

            Two, instances of the following objects are updated using
            the corresponding values of the cloning party:

                partyAuthPrivate
                partyPrivPrivate

            (e.g., the value of the cloning party's instance of the
            partyAuthPrivate object is XOR'd with the value of the
            partyAuthPrivate instance of the party being created.)"
    ::= { partyEntry 15 }

partyStorageType OBJECT-TYPE
    SYNTAX       StorageType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "The storage type for this conceptual row in the partyTable.

            Conceptual rows having the value 'permanent' must allow
            write-access at a minimum to: partyTDomain and partyTAddress
            for all parties; partyAuthClock, partyAuthPrivate and
            partyAuthPublic for parties employing authentication; and
            partyPrivPrivate and partyPrivPublic for parties employing
            privacy.

            Note that any party which employs authentication or privacy
            must allow its clock and secrets to be updated and thus
            cannot be 'readOnly'."
    DEFVAL       { nonVolatile }
    ::= { partyEntry 16 }

partyStatus OBJECT-TYPE
    SYNTAX       RowStatus
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "The status of this conceptual row in the partyTable.

            A party is not qualified for activation until instances of
            all columns of its partyEntry row have an appropriate value.
            In particular, one or more management set operations are
            required to configure the party:

                a value must be written to the party's partyCloneFrom
                object, and

                if the value of the party's partyAuthProtocol object is
                not noAuth, then the corresponding instance of
                partyAuthPrivate must contain a secret of the
                appropriate length.  Further, at least one management
                protocol set operation updating the value of the party's
                partyAuthPrivate object must be successfully processed
                before the partyAuthPrivate column is considered
                appropriately configured, and

                if the value of the party's partyPrivProtocol object is
                not noPriv, then the corresponding instance of
                partyPrivPrivate must contain a secret of the
                appropriate length.  Further, at least one management
                protocol set operation updating the value of the party's
                partyPrivPrivate object must be successfully processed
                before the partyPrivPrivate column is considered
                appropriately configured.

            Until instances of all corresponding columns are
            appropriately configured, the value of the corresponding
            instance of the partyStatus column is `notReady'.

            For those columnar objects which permit write-access (after
            their initial creation), their value in an existing
            conceptual row can be changed irrespective of the value of
            partyStatus for that row."
    ::= { partyEntry 17 }

partyAuthChange OBJECT-TYPE
    SYNTAX       OCTET STRING   -- typically (SIZE (0..32))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION
            "A manager-generated, partially-random value which, when
            modified, causes the corresponding instance of
            partyAuthPrivate to be modified via a one-way function.

            The value of an instance of this object is the concatenation
            of two components: a 'random' component and a 'delta'
            component.  The lengths of the random and delta components
            are given by the corresponding value of partyAuthProtocol;
            for authentication protocols requiring partyAuthPrivate to
            be a fixed length, the length of both the random and delta
            components is that fixed length; for authentication
            protocols allowing the length of partyAuthPrivate to be
            variable up to a particular maximum length, the length of
            the random component is that maximum length and the length
            of the delta component is any length less than or equal to
            the maximum length.  For example, v2md5AuthProtocol requires
            a fixed length of 16 octets, and for the purposes of this
            definition, noAuth and rfc1157noAuth allow a variable length
            up to a maximum of 16 octets.  Other authentication
            protocols may define other sizes, as deemed appropriate.

            When an instance of this object is modified to have a new
            value by the management protocol, the agent generates a new
            value of the corresponding instance of partyAuthPrivate as
            follows:

            - the existing value of the corresponding instance of
              partyAuthPrivate is extended if necessary with zero-value
              padding to be the same length as the random component;
            - the new value of the random component is appended to the
              (possibly extended) value of the corresponding instance of
              partyAuthPrivate, and the result is subjected to the MD5
              hash algorithm to produce a digest value;
            - this digest value, truncated if necessary to be the same
              length as the new value of the delta component, is XOR-ed
              with the new value of the delta component to produce the
              new value of the corresponding instance of
              partyAuthPrivate.
+ 773 i.e., with '||' denoting concatenation, keyold zero-padded and the digest truncated as described above, + 775 keyIntermediate = md5(keyold || randomComponent) + 776 keynew = deltaComponent XOR keyIntermediate + 778 The value of this object whenever it is retrieved by the + 779 management protocol is always the zero-length string." + 780 DEFVAL { ''H } -- the empty string + 781 ::= { partyEntry 18 } + 783 partyPrivChange OBJECT-TYPE + 784 SYNTAX OCTET STRING -- typically (SIZE (0..32)) + 785 MAX-ACCESS read-create + 786 STATUS current + 787 DESCRIPTION + 788 "A manager-generated, partially-random value which, when + 789 modified, causes the corresponding instance of + 790 partyPrivPrivate to be modified via a one-way function. + 792 The value of an instance of this object is the concatenation + 793 of two components: a 'random' component and a 'delta' + 794 component. The lengths of the random and delta components + 795 are given by the corresponding value of partyPrivProtocol; + 796 for privacy protocols requiring partyPrivPrivate to be a + 797 fixed length, the length of both the random and delta + 798 components is that fixed length; for privacy protocols + 799 allowing the length of partyPrivPrivate to be variable up to + 800 a particular maximum length, the length of the random + 801 component is that maximum length and the length of the delta + 802 component is any length less than or equal to the maximum + 803 length. For example, desPrivProtocol requires a fixed + 804 length of 16 octets, and for the purposes of this + 805 definition, noPriv allows a variable length up to a maximum + 806 of 16 octets. Other privacy protocols may define other + 807 sizes, as deemed appropriate. 
+ 809 When an instance of this object is modified to have a new + 810 value by the management protocol, the agent generates a new + 811 value of the corresponding instance of partyPrivPrivate as + 812 follows: + 814 - the existing value of the corresponding instance of + 815 partyPrivPrivate is extended if necessary with zero-value + 816 padding to be the same length as the random component; + 817 - the new value of the random component is appended to the + 818 (possibly extended) value of the corresponding instance of + 819 partyPrivPrivate, and the result is subjected to the MD5 + 820 hash algorithm to produce a digest value; + 821 - this digest value, truncated if necessary to be the same + 822 length as the new value of the delta component, is XOR-ed + 823 with the new value of the delta component to produce the + 824 new value of the corresponding instance of + 825 partyPrivPrivate. + 827 i.e., with '||' denoting concatenation, keyold zero-padded and the digest truncated as described above, + 829 keyIntermediate = md5(keyold || randomComponent) + 830 keynew = deltaComponent XOR keyIntermediate + 832 The value of this object whenever it is retrieved by the + 833 management protocol is always the zero-length string." + 834 DEFVAL { ''H } -- the empty string + 835 ::= { partyEntry 19 } + 837 partySecretSpinLock OBJECT-TYPE + 838 SYNTAX TestAndIncr + 839 MAX-ACCESS read-write + 840 STATUS current + 841 DESCRIPTION + 842 "An advisory lock used to allow several cooperating SNMPv2 + 843 entities, all acting in a manager role, to coordinate their + 844 use of facilities to alter secrets in the Party Table." + 845 ::= { snmpParties 2 } + 847 -- Agent Identifier | 849 agentID OBJECT-TYPE + 850 SYNTAX OCTET STRING (SIZE (12)) + 851 MAX-ACCESS read-write + 852 STATUS current + 853 DESCRIPTION + 854 "The agent's administratively-unique identifier. + 856 The initial value for this object may be configured via an + 857 operator console entry or via an algorithmic function. 
In + 858 the latter case, the following guidelines are recommended: + 860 1) The first four octets should be set to the binary + 861 equivalent of the agent's SNMP network management + 862 private enterprise number as assigned by the Internet + 863 Assigned Numbers Authority (IANA). For example, if + 864 Acme Networks has been assigned { enterprises 696 }, + 865 the first four octets would be assigned '000002b8'H. + 867 2) The remaining eight octets are the cookie whose + 868 contents are determined via one or more enterprise- + 869 specific methods. Such methods must be designed so as + 870 to maximize the possibility that the value of this + 871 object will be unique in the agent's administrative + 872 domain. For example, the cookie may be the IP address + 873 of the agent, or the MAC address of one of the + 874 interfaces, with each address suitably padded with + 875 random octets. If multiple methods are defined, then + 876 it is recommended that the cookie be further divided + 877 into one octet that indicates the method being used and + 878 seven octets which are a function of the method. + 880 If set by a management operation, the value must be + 881 persistent across re-initializations of the entity's network + 882 management system." + 883 ::= { snmpParties 3 } + 885 -- SNMPv2 contexts + 887 snmpContexts OBJECT IDENTIFIER ::= { partyMIBObjects 2 } 889 contextTable OBJECT-TYPE 890 SYNTAX SEQUENCE OF ContextEntry 891 MAX-ACCESS not-accessible 892 STATUS current 893 DESCRIPTION 894 "The SNMPv2 Context database." 895 ::= { snmpContexts 1 } 897 contextEntry OBJECT-TYPE 898 SYNTAX ContextEntry 899 MAX-ACCESS not-accessible 900 STATUS current 901 DESCRIPTION 902 "Locally held information about a particular SNMPv2 903 context." 
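The key-change procedure given above for partyAuthChange and partyPrivChange, worked through for both ends of the exchange. This is an editor-added example, not code from the draft or any SNMPv2 implementation: the manager picks the random component and derives the delta so that the agent ends up with the intended new secret, and the agent applies random||delta to its old secret exactly as the description prescribes (zero-pad keyold to the random length, MD5 the concatenation, truncate, XOR with delta). Python's hashlib.md5 stands in for "the MD5 hash algorithm"; the function names, the 16-octet MAX_LEN shared by v2md5AuthProtocol, desPrivProtocol, noAuth and noPriv, and the sample secrets are assumptions of this example.

```python
"""Key change for partyAuthChange / partyPrivChange (editor-added example)."""
import hashlib
import secrets

# 16 octets: fixed length for v2md5AuthProtocol/desPrivProtocol, maximum for
# noAuth/noPriv per the object descriptions.  Other protocols may differ.
MAX_LEN = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _intermediate(key_old: bytes, random_component: bytes) -> bytes:
    """md5(keyold || random), with keyold zero-padded to the random length."""
    padded = key_old.ljust(len(random_component), b"\x00")
    return hashlib.md5(padded + random_component).digest()


def split_change(change: bytes, random_len: int) -> tuple:
    """Split an object value into (random component, delta component).

    The random component is always random_len octets; the delta may be any
    length up to random_len (variable-length protocols) or exactly
    random_len (fixed-length protocols).
    """
    if len(change) < random_len:
        raise ValueError("change value shorter than the random component")
    random_component, delta = change[:random_len], change[random_len:]
    if len(delta) > random_len:
        raise ValueError("delta component longer than the protocol's maximum")
    return random_component, delta


def agent_apply_change(key_old: bytes, change: bytes, random_len: int = MAX_LEN) -> bytes:
    """Agent side: the new partyAuthPrivate/partyPrivPrivate after a set."""
    random_component, delta = split_change(change, random_len)
    digest = _intermediate(key_old, random_component)
    if len(delta) > len(digest):
        raise ValueError("delta longer than the digest; nothing to truncate to")
    return _xor(delta, digest[: len(delta)])


def manager_make_change(key_old: bytes, key_new: bytes, random_len: int = MAX_LEN,
                        rng=secrets.token_bytes) -> bytes:
    """Manager side: the octet string to write so the agent derives key_new.

    `rng` is injectable so the result can be reproduced in a test; in
    production leave it as secrets.token_bytes.
    """
    if not 0 <= len(key_new) <= random_len:
        raise ValueError("new secret exceeds the protocol's maximum length")
    random_component = rng(random_len)
    digest = _intermediate(key_old, random_component)
    delta = _xor(key_new, digest[: len(key_new)])
    return random_component + delta


if __name__ == "__main__":
    old = bytes(range(16))            # constructed sample old secret
    new = secrets.token_bytes(16)     # fresh secret for v2md5AuthProtocol
    change = manager_make_change(old, new)
    assert agent_apply_change(old, change) == new
    # Without the old secret the change value does not yield the new one.
    assert agent_apply_change(b"\x00" * 16, change) != new
```

Two points the algorithm makes concrete. First, retrieving the object always returns ''H, so the only thing ever exposed is the random||delta string, and recovering keynew from it requires keyold; the new secret is exactly as secret as the old one, which is why a compromised or guessable initial secret is never repaired by a key change. Second, an attacker who can modify the set request in flight can steer the agent to a keynew of their choosing only if they hold keyold, so the set itself must be authenticated with the party's current secret, and on an unencrypted path the change value should be treated as sensitive (the partyPrivacyCompliance statement later in this module, which permits privacy only for partyMIBObjects, exists for this case). MD5 is retained here only because the draft specifies it.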
904 INDEX { IMPLIED contextIdentity } 905 ::= { contextTable 1 } 907 ContextEntry ::= 908 SEQUENCE { 909 contextIdentity Context, 910 contextIndex INTEGER, 911 contextLocalEntity OCTET STRING, - 912 contextLocalTime OBJECT IDENTIFIER, 913 contextProxyDstParty Party, 914 contextProxySrcParty Party, 915 contextProxyContext OBJECT IDENTIFIER, 916 contextStorageType StorageType, 917 contextStatus RowStatus, | 918 contextType INTEGER | 919 } 921 contextIdentity OBJECT-TYPE 922 SYNTAX Context 923 MAX-ACCESS not-accessible 924 STATUS current 925 DESCRIPTION 926 "A context identifier uniquely identifying a particular | 927 SNMPv2 context. This object is prohibited from taking the | 928 value { 0 x } for any value of x." | 929 ::= { contextEntry 1 } 931 contextIndex OBJECT-TYPE 932 SYNTAX INTEGER (1..2147483647) | 933 MAX-ACCESS read-only 934 STATUS current 935 DESCRIPTION 936 "An arbitrary unique value for each SNMPv2 context. | 937 The value for each SNMPv2 context must remain constant at 938 least from one re-initialization of the entity's network | 939 management system to the next re-initialization. | 941 The specific value is meaningful only within a given SNMPv2 | 942 entity, i.e., it is not meaningful to any other SNMPv2 | 943 entity except to uniquely identify the context within the | 944 set of all contexts known to this agent." | 945 ::= { contextEntry 2 } 947 -- ::= { contextEntry 3 } this OID is obsolete | 948 -- ::= { contextEntry 4 } this OID is obsolete | 949 contextLocalEntity OBJECT-TYPE - 950 SYNTAX OCTET STRING 951 MAX-ACCESS read-create 952 STATUS current 953 DESCRIPTION 954 "If the value of the corresponding instance of the | 955 contextType is local(1), then the value of an instance of | 956 this object uniquely identifies the local entity (e.g., a | 957 logical device managed by the same agent) | 958 whose management information is in the SNMPv2 context's MIB 959 view. 
The empty string indicates that the MIB view contains 960 the SNMPv2 entity's own local management information; 961 otherwise, a non-empty string indicates that the MIB view 962 contains management information of some other local entity, 963 e.g., 'Repeater1'. 965 If the value of the corresponding instance of the | 966 contextType is remote(2), then the value of an instance of | 967 this object identifies an entity which is local to the | 968 SNMPv2 entity which realizes this SNMPv2 context, and whose | 969 management information is in the SNMPv2 context's MIB view. | 971 If the value of the corresponding instance of the | 972 contextType is proxy(3), then the value of an instance of | 973 this object is ignored and can take any value at the agent's | 974 discretion, e.g., the zero-length string." | 975 DEFVAL { ''H } -- the empty string 976 ::= { contextEntry 5 } 978 contextLocalTime OBJECT-TYPE 979 SYNTAX OBJECT IDENTIFIER 980 MAX-ACCESS read-create 981 STATUS current 982 DESCRIPTION 983 "If the value of the corresponding instance of the | 984 contextType is local(1) or remote(2), | 985 then the value of an instance of this object identifies the 986 temporal context of the management information in the MIB 987 view. 989 If the value of the corresponding instance of the | 990 contextType is proxy(3), then the value of an instance of | 991 this object is ignored and can take any value at the agent's | 992 discretion, e.g., { 0 0 }." | 993 DEFVAL { currentTime } 994 ::= { contextEntry 6 } 996 contextProxyDstParty OBJECT-TYPE 997 SYNTAX Party 998 MAX-ACCESS read-create 999 STATUS current 1000 DESCRIPTION 1001 "If the corresponding instance of contextType has the value | 1002 proxy(3), and if requests referencing this context are to be | 1003 forwarded, then the value of an instance of this object | 1004 identifies the proxy destination party to be used in such | 1005 forwarded requests. 
Otherwise, the value of an instance of | 1006 this object is ignored and can take any value at the agent's | 1007 discretion, e.g., { 0 0 }." | 1008 DEFVAL { zeroDotZero } + 1009 ::= { contextEntry 7 } 1011 contextProxySrcParty OBJECT-TYPE 1012 SYNTAX Party 1013 MAX-ACCESS read-create 1014 STATUS current 1015 DESCRIPTION 1016 "If the corresponding instance of contextType has the value | 1017 proxy(3), and if requests referencing this context are to be | 1018 forwarded, then the value of an instance of this object | 1019 identifies the proxy source party to be used in such | 1020 forwarded requests. Otherwise, the value of an instance of | 1021 this object is ignored and can take any value at the agent's | 1022 discretion, e.g., { 0 0 }. | 1024 Interpretation of an instance of this object depends upon 1025 the transport domain of the proxy destination party (i.e., 1026 upon the value of partyTDomain for the party identified by 1027 the corresponding instance of contextProxyDstParty)." | 1028 DEFVAL { zeroDotZero } + 1029 ::= { contextEntry 8 } 1031 contextProxyContext OBJECT-TYPE 1032 SYNTAX OBJECT IDENTIFIER 1033 MAX-ACCESS read-create 1034 STATUS current 1035 DESCRIPTION 1036 "If the corresponding instance of contextType has the value | 1037 proxy(3), and if requests referencing this context are to be | 1038 forwarded, then the value of an instance of this object | 1039 identifies the context to be used in such forwarded | 1040 requests. Otherwise, the value of an instance of this | 1041 object is ignored and can take any value at the agent's | 1042 discretion, e.g., { 0 0 }. | 1044 Interpretation of an instance of this object depends upon 1045 the value of the transport domain associated with the SNMPv2 1046 party used as the proxy destination for this proxy context." 
| 1047 DEFVAL { zeroDotZero } + 1048 ::= { contextEntry 9 } 1050 contextStorageType OBJECT-TYPE 1051 SYNTAX StorageType 1052 MAX-ACCESS read-create 1053 STATUS current 1054 DESCRIPTION 1055 "The storage type for this conceptual row in the | 1056 contextTable. Conceptual rows having the value 'permanent' | 1057 need not allow write-access to any columnar objects in the | 1058 row, unless they are proxy contexts in which case they must | 1059 allow at a minimum write-access to: contextProxyDstParty, | 1060 contextProxySrcParty and contextProxyContext." | 1061 DEFVAL { nonVolatile } 1062 ::= { contextEntry 10 } 1064 contextStatus OBJECT-TYPE 1065 SYNTAX RowStatus 1066 MAX-ACCESS read-create 1067 STATUS current 1068 DESCRIPTION 1069 "The status of this conceptual row in the contextTable. 1071 A context is not qualified for activation until instances of | 1072 all corresponding columns have consistent values. | 1074 For those columnar objects which permit write-access, their - 1075 value in an existing conceptual row can be changed 1076 irrespective of the value of contextStatus for that row." 1077 ::= { contextEntry 11 } 1079 contextType OBJECT-TYPE + 1080 SYNTAX INTEGER { local(1), remote(2), proxy(3) } + 1081 MAX-ACCESS read-create + 1082 STATUS current + 1083 DESCRIPTION + 1084 "The type of context. + 1086 local(1) - this conceptual row refers to an SNMPv2 context + 1087 containing MIB views of a locally accessible entity; + 1088 the values of the corresponding instances of the + 1089 contextLocalEntity and contextLocalTime objects provide + 1090 further information on the local entity and its + 1091 temporal domain. + 1093 remote(2) - this conceptual row refers to an SNMPv2 context + 1094 which is realized by a remote SNMPv2 entity. 
+ 1096 proxy(3) - this conceptual row refers to an SNMPv2 proxy + 1097 context; the values of the corresponding instances of + 1098 the contextProxyDstParty, contextProxySrcParty, and + 1099 contextProxyContext objects provide further information + 1100 on the proxied context and the parties used to access + 1101 it." + 1102 DEFVAL { local } + 1103 ::= { contextEntry 12 } + 1105 -- SNMPv2 access privileges | 1107 snmpAccess OBJECT IDENTIFIER ::= { partyMIBObjects 3 } 1109 -- ::= { snmpAccess 1 } this OID is obsolete + 1111 acTable OBJECT-TYPE | 1112 SYNTAX SEQUENCE OF AcEntry | 1113 MAX-ACCESS not-accessible 1114 STATUS current 1115 DESCRIPTION 1116 "The access privileges database." 1117 ::= { snmpAccess 2 } | 1119 acEntry OBJECT-TYPE | 1120 SYNTAX AcEntry | 1121 MAX-ACCESS not-accessible 1122 STATUS current 1123 DESCRIPTION 1124 "Each conceptual row in this table represents an individual | 1125 access policy, called an ACL (for historical reasons). | 1127 An ACL specifies the access privileges authorized for | 1128 communication from one SNMPv2 party to another concerning | 1129 information contained in a particular SNMPv2 context. | 1131 For each conceptual row in this table which is retained | 1132 across a re-initialization of the entity's network | 1133 management system, the combination of the partyIdentity | 1134 values of the referenced parties and the contextIdentity | 1135 value of the referenced context must be the same after the | 1136 re-initialization as it was before the re-initialization, | 1137 even if the values of acTarget, acSubject and acContext | 1138 vary." 
| 1139 INDEX { acTarget, acSubject, acContext } | 1140 ::= { acTable 1 } | 1142 AcEntry ::= | 1143 SEQUENCE { 1144 acTarget INTEGER, | 1145 acSubject INTEGER, | 1146 acContext INTEGER, | 1147 acPrivileges AccessPrivileges, | 1148 acReadViewIndex INTEGER, | 1149 acWriteViewIndex INTEGER, | 1150 acStorageType StorageType, | 1151 acStatus RowStatus | 1152 } 1154 acTarget OBJECT-TYPE | 1155 SYNTAX INTEGER (1..2147483647) | 1156 MAX-ACCESS not-accessible 1157 STATUS current 1158 DESCRIPTION 1159 "The value of partyIndex for one of the SNMPv2 parties | 1160 between which communication is authorized concerning | 1161 information contained in a particular SNMPv2 context. In | 1162 particular, for retrieval or set operations, this object | 1163 identifies the destination party; for notification | 1164 operations, this object identifies the source party." | 1165 ::= { acEntry 1 } | 1167 acSubject OBJECT-TYPE | 1168 SYNTAX INTEGER (1..2147483647) | 1169 MAX-ACCESS not-accessible 1170 STATUS current 1171 DESCRIPTION 1172 "The value of partyIndex for one of the SNMPv2 parties | 1173 between which communication is authorized concerning | 1174 information contained in a particular SNMPv2 context. In | 1175 particular, for retrieval or set operations, this object | 1176 identifies the source party; for notification operations, | 1177 this object identifies the destination party." | 1178 ::= { acEntry 2 } | 1180 acContext OBJECT-TYPE | 1181 SYNTAX INTEGER (1..2147483647) | 1182 MAX-ACCESS not-accessible 1183 STATUS current 1184 DESCRIPTION 1185 "The value of this instance identifies the SNMPv2 context | 1186 associated with a particular set of access privileges, | 1187 and has the same value as the instance of the contextIndex 1188 object for that SNMPv2 context." 
1189 ::= { acEntry 3 } | 1191 acPrivileges OBJECT-TYPE | 1192 SYNTAX AccessPrivileges | 1193 MAX-ACCESS read-create 1194 STATUS current 1195 DESCRIPTION 1196 "The access privileges authorized for communication between | 1197 a particular local SNMPv2 party and a particular remote | 1198 SNMPv2 party concerning information contained in a | 1199 particular SNMPv2 context." | 1200 DEFVAL { 35 } -- Get, Get-Next & Get-Bulk | 1201 ::= { acEntry 4 } | 1203 acReadViewIndex OBJECT-TYPE + 1204 SYNTAX INTEGER (0..2147483647) + 1205 MAX-ACCESS read-create + 1206 STATUS current + 1207 DESCRIPTION + 1208 "If, for the SNMPv2 context identified by the corresponding + 1209 instance of acContext, the value of contextType is local(1), + 1210 then the value of an instance of this object identifies the + 1211 MIB view of the SNMPv2 context to which this conceptual row + 1212 authorizes read access. The identified MIB view is that for + 1213 which viewIndex has the same value as the instance of this + 1214 object; if the value is zero or there are no active view + 1215 subtrees for that value, then the identified MIB view is the + 1216 empty set of view subtrees. (Note that read access includes + 1217 access via retrieval requests as well as transmission of + 1218 information via notification requests.) + 1220 Otherwise, this object is ignored and can take any value at + 1221 the agent's discretion, e.g., zero." + 1222 DEFVAL { 0 } | 1223 ::= { acEntry 5 } | 1225 acWriteViewIndex OBJECT-TYPE | 1226 SYNTAX INTEGER (0..2147483647) | 1227 MAX-ACCESS read-create | 1228 STATUS current | 1229 DESCRIPTION | 1230 "If, for the SNMPv2 context identified by the corresponding | 1231 instance of acContext, the value of contextType is local(1), | 1232 then the value of an instance of this object identifies the | 1233 MIB view of the SNMPv2 context to which this conceptual row | 1234 authorizes write access. 
The identified MIB view is that | 1235 for which viewIndex has the same value as the instance of | 1236 this object; if the value is zero or there are no active | 1237 view subtrees for that value, then the identified MIB view | 1238 is the empty set of view subtrees. | 1240 Otherwise, this object is ignored and can take any value at | 1241 the agent's discretion, e.g., zero." | 1242 DEFVAL { 0 } | 1243 ::= { acEntry 6 } | 1245 acStorageType OBJECT-TYPE | 1246 SYNTAX StorageType 1247 MAX-ACCESS read-create 1248 STATUS current 1249 DESCRIPTION 1250 "The storage type for this conceptual row in the acTable. | 1251 Conceptual rows having the value 'permanent' need not allow | 1252 write-access to any columnar objects in the row." | 1253 DEFVAL { nonVolatile } 1254 ::= { acEntry 7 } | 1256 acStatus OBJECT-TYPE | 1257 SYNTAX RowStatus 1258 MAX-ACCESS read-create 1259 STATUS current 1260 DESCRIPTION 1261 "The status of this conceptual row in the acTable. | 1263 For those columnar objects which permit write-access, their 1264 value in an existing conceptual row can be changed | 1265 irrespective of the value of acStatus for that row. | 1267 A conceptual row in this table is not qualified for | 1268 activation until the context and both parties it references | 1269 are active. Further, a conceptual row in this table is | 1270 immediately made notInService whenever the status of the | 1271 context or either party it references is made notInService. | 1272 Finally, a conceptual row in this table is immediately | 1273 destroyed whenever the context or either party it references | 1274 is destroyed." | 1275 ::= { acEntry 8 } | 1277 -- MIB views | 1279 snmpViews OBJECT IDENTIFIER ::= { partyMIBObjects 4 } 1281 viewNextIndex OBJECT-TYPE + 1282 SYNTAX INTEGER (0..2147483647) + 1283 MAX-ACCESS read-only + 1284 STATUS current + 1285 DESCRIPTION + 1286 "The next unassigned value of viewIndex. The value 0 + 1287 indicates that no unassigned values are available. 
+ 1289 Reading a non-zero value causes the assignment of the + 1290 retrieved value for use as the viewIndex of a future MIB + 1291 view, and thus causes the value of this object to change. + 1293 The algorithm for changing viewNextIndex is implementation- + 1294 dependent, and the agent may use a subset of values within + 1295 1..2147483647, but the agent must guarantee that the value + 1296 held by this object is not assigned to any in-use value of + 1297 viewIndex, e.g., is not pointed to by any other MIB object. + 1299 A management station creates a new MIB view using this + 1300 algorithm: first, issue a management protocol retrieval + 1301 operation to obtain the value of viewNextIndex - this value + 1302 is used as the viewIndex of the new MIB view; and, second, + 1303 issue a management protocol set operation to create an + 1304 instance of the viewStatus object setting its value to + 1305 `createAndGo' or `createAndWait' (as specified in the + 1306 description of the RowStatus textual convention)." + 1307 ::= { snmpViews 2 } + 1309 viewTable OBJECT-TYPE 1310 SYNTAX SEQUENCE OF ViewEntry 1311 MAX-ACCESS not-accessible 1312 STATUS current 1313 DESCRIPTION 1314 "Locally held information about the subtrees of MIB views | 1315 known to this SNMPv2 entity. Note that a MIB view which has | 1316 no subtrees defined for it has no entries in this table. | 1318 Each SNMPv2 context which is locally accessible has zero or | 1319 more MIB views. Each MIB view is defined by two collections | 1320 of view subtrees: the included view subtrees, and the | 1321 excluded view subtrees. | 1322 Every such subtree, both included and excluded, is defined 1323 in this table. 1325 To determine if a particular object instance is in a 1326 particular MIB view, compare the object instance's OBJECT 1327 IDENTIFIER with each of the MIB view's active entries | 1328 in this table. If none match, then the object instance is 1329 not in the MIB view. 
If one or more match, then the object 1330 instance is included in, or excluded from, the MIB view 1331 according to the value of viewType in the entry whose value 1332 of viewSubtree has the most sub-identifiers. If multiple 1333 entries match and have the same number of sub-identifiers, 1334 then the lexicographically greatest instance of viewType 1335 determines the inclusion or exclusion. 1337 An object instance's OBJECT IDENTIFIER X matches an active | 1338 entry in this table | 1339 when the number of sub-identifiers in X is at least as many 1340 as in the value of viewSubtree for the entry, and each sub- 1341 identifier in the value of viewSubtree matches its 1342 corresponding sub-identifier in X. Two sub-identifiers 1343 match either if the corresponding bit of viewMask is zero 1344 (the 'wild card' value), or if they are equal. 1346 Due to this 'wild card' capability, we introduce the term, a 1347 'family' of view subtrees, to refer to the set of subtrees 1348 defined by a particular combination of values of viewSubtree 1349 and viewMask. In the case where no 'wild card' is defined 1350 in viewMask, the family of view subtrees reduces to a single 1351 view subtree." 1352 ::= { snmpViews 1 } 1354 viewEntry OBJECT-TYPE 1355 SYNTAX ViewEntry 1356 MAX-ACCESS not-accessible 1357 STATUS current 1358 DESCRIPTION 1359 "Information on a particular family of view subtrees 1360 included in or excluded from a particular SNMPv2 context's 1361 MIB view. 1363 Implementations must not restrict the number of families of 1364 view subtrees for a given MIB view, except as dictated by 1365 resource constraints on the overall number of entries in the 1366 viewTable." 
1367 INDEX { viewIndex, IMPLIED viewSubtree } 1368 ::= { viewTable 1 } 1370 ViewEntry ::= 1371 SEQUENCE { 1372 viewIndex INTEGER, 1373 viewSubtree OBJECT IDENTIFIER, 1374 viewMask OCTET STRING, 1375 viewType INTEGER, 1376 viewStorageType StorageType, 1377 viewStatus RowStatus 1378 } 1380 viewIndex OBJECT-TYPE 1381 SYNTAX INTEGER (1..2147483647) | 1382 MAX-ACCESS not-accessible 1383 STATUS current 1384 DESCRIPTION 1385 "An arbitrary unique value for each MIB view. | 1386 The value for each MIB view must remain constant at least 1387 from one re-initialization of the entity's network | 1388 management system to the next re-initialization. | 1390 The specific value is meaningful only within a given SNMPv2 | 1391 entity, i.e., it is not meaningful to any other SNMPv2 | 1392 entity except to uniquely identify the view within the set | 1393 of all views known to this agent." | 1394 ::= { viewEntry 1 } 1396 viewSubtree OBJECT-TYPE 1397 SYNTAX OBJECT IDENTIFIER 1398 MAX-ACCESS not-accessible 1399 STATUS current 1400 DESCRIPTION 1401 "A MIB subtree." 1402 ::= { viewEntry 2 } 1404 viewMask OBJECT-TYPE 1405 SYNTAX OCTET STRING (SIZE (0..16)) 1406 MAX-ACCESS read-create 1407 STATUS current 1408 DESCRIPTION 1409 "The bit mask which, in combination with the corresponding 1410 instance of viewSubtree, defines a family of view subtrees. 1412 Each bit of this bit mask corresponds to a sub-identifier of 1413 viewSubtree, with the most significant bit of the i-th octet 1414 of this octet string value (extended if necessary, see 1415 below) corresponding to the (8*i - 7)-th sub-identifier, and 1416 the least significant bit of the i-th octet of this octet 1417 string corresponding to the (8*i)-th sub-identifier, where i 1418 is in the range 1 through 16. 
1420 Each bit of this bit mask specifies whether or not the 1421 corresponding sub-identifiers must match when determining if 1422 an OBJECT IDENTIFIER is in this family of view subtrees; a 1423 '1' indicates that an exact match must occur; a '0' 1424 indicates 'wild card', i.e., any sub-identifier value 1425 matches. 1427 Thus, the OBJECT IDENTIFIER X of an object instance is 1428 contained in a family of view subtrees if the following 1429 criteria are met: 1431 for each sub-identifier of the value of viewSubtree, 1432 either: 1434 the i-th bit of viewMask is 0, or 1436 the i-th sub-identifier of X is equal to the i-th 1437 sub-identifier of the value of viewSubtree. 1439 If the value of this bit mask is M bits long and there are 1440 more than M sub-identifiers in the corresponding instance of 1441 viewSubtree, then the bit mask is extended with 1's to be 1442 the required length. 1444 Note that when the value of this object is the zero-length 1445 string, this extension rule results in a mask of all-1's 1446 being used (i.e., no 'wild card'), and the family of view 1447 subtrees is the one view subtree uniquely identified by the 1448 corresponding instance of viewSubtree." 1449 DEFVAL { ''H } 1450 ::= { viewEntry 3 } 1452 viewType OBJECT-TYPE 1453 SYNTAX INTEGER { 1454 included(1), 1455 excluded(2) 1456 } 1457 MAX-ACCESS read-create 1458 STATUS current 1459 DESCRIPTION 1460 "The status of a particular family of view subtrees within 1461 the particular SNMPv2 context's MIB view. The value 1462 'included(1)' indicates that the corresponding instances of 1463 viewSubtree and viewMask define a family of view subtrees 1464 included in the MIB view. The value 'excluded(2)' 1465 indicates that the corresponding instances of viewSubtree 1466 and viewMask define a family of view subtrees excluded from 1467 the MIB view." 
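The MIB-view membership test spelled out in the viewTable, viewMask and viewType descriptions above, together with the acReadViewIndex/acWriteViewIndex convention that a view index of zero, or a view with no active subtrees, is the empty view. This is an editor-added example, not code from the draft: it implements the bit-to-sub-identifier mapping of viewMask (most significant bit of octet i covers sub-identifier 8i-7, a short mask is extended with 1's), the longest-subtree rule, and the tie-break by the lexicographically greatest viewType instance (i.e. the greatest viewSubtree among equal-length matches). The ViewEntry class, function names and the SAMPLE_VIEWS table are constructed for illustration.

```python
"""MIB-view membership per the viewTable/viewMask rules (editor-added example)."""
from dataclasses import dataclass
from typing import Iterable, Tuple

INCLUDED, EXCLUDED = 1, 2      # viewType values
Oid = Tuple[int, ...]


@dataclass(frozen=True)
class ViewEntry:
    view_index: int            # viewIndex
    subtree: Oid               # viewSubtree
    mask: bytes = b""          # viewMask; ''H means no wild card at all
    view_type: int = INCLUDED  # viewType
    active: bool = True        # viewStatus == active


def mask_bit(mask: bytes, i: int) -> int:
    """Mask bit for the i-th (1-based) sub-identifier.

    MSB of octet i covers sub-identifier 8*i-7 and its LSB covers 8*i; bits
    beyond the end of the mask are taken as 1 (exact match required).
    """
    octet, bit = divmod(i - 1, 8)
    if octet >= len(mask):
        return 1
    return (mask[octet] >> (7 - bit)) & 1


def in_family(entry: ViewEntry, oid: Oid) -> bool:
    """Is oid within the family of subtrees given by (viewSubtree, viewMask)?"""
    if len(oid) < len(entry.subtree):
        return False
    return all(mask_bit(entry.mask, i) == 0 or sub == oid[i - 1]
               for i, sub in enumerate(entry.subtree, start=1))


def view_contains(entries: Iterable[ViewEntry], view_index: int, oid: Oid) -> bool:
    """Inclusion test for one MIB view.

    Index 0 (the acReadViewIndex/acWriteViewIndex default) or a view with no
    active entries is the empty view.  Among matching active entries the one
    with the most sub-identifiers decides; on a tie, the entry whose
    viewSubtree is lexicographically greatest (the greatest viewType
    instance) decides.
    """
    if view_index == 0:
        return False
    matching = [e for e in entries
                if e.active and e.view_index == view_index and in_family(e, oid)]
    if not matching:
        return False
    best = max(matching, key=lambda e: (len(e.subtree), e.subtree))
    return best.view_type == INCLUDED


MIB2 = (1, 3, 6, 1, 2, 1)
# Constructed sample viewTable contents (not from the draft):
SAMPLE_VIEWS = [
    # view 1: all of mib-2 except the ip group (longer subtree wins)
    ViewEntry(1, MIB2),
    ViewEntry(1, MIB2 + (4,), view_type=EXCLUDED),
    # view 2: every column of ifEntry, but only for ifIndex 3.  Subtree is
    # ifIndex.3 (11 sub-identifiers); mask 'FFA0'H wildcards the 10th
    # (column) sub-identifier and pins the 11th (instance) one.
    ViewEntry(2, MIB2 + (2, 2, 1, 1, 3), mask=b"\xff\xa0"),
    # view 3: wild-card exclusion of every mib-2 group ('FD'H frees the 7th
    # sub-identifier) plus an inclusion of mib-2.4 of the same length; the
    # tie goes to the lexicographically greater subtree, so ip is included.
    ViewEntry(3, MIB2 + (1,), mask=b"\xfd", view_type=EXCLUDED),
    ViewEntry(3, MIB2 + (4,)),
    # view 4: its only entry is not active, so the view is empty
    ViewEntry(4, MIB2, active=False),
]

if __name__ == "__main__":
    print(view_contains(SAMPLE_VIEWS, 1, MIB2 + (1, 1, 0)))   # sysDescr.0: True
    print(view_contains(SAMPLE_VIEWS, 1, MIB2 + (4, 1, 0)))   # ipForwarding.0: False
    print(view_contains(SAMPLE_VIEWS, 2, MIB2 + (2, 2, 1, 2, 4)))  # ifDescr.4: False
```

The wild-card cases are where access-control reviews go wrong: a zero mask bit on an instance position turns a per-row view into a per-table view, and two families of equal length that overlap resolve by OID ordering rather than by which one was configured last, so an exclusion can be silently overridden by an inclusion with a greater subtree value. Checking a candidate viewTable against the OIDs it is meant to protect, as this function does, is cheaper than discovering the overlap from a successful request.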
1468 DEFVAL { included } 1469 ::= { viewEntry 4 } 1471 viewStorageType OBJECT-TYPE 1472 SYNTAX StorageType 1473 MAX-ACCESS read-create 1474 STATUS current 1475 DESCRIPTION 1476 "The storage type for this conceptual row in the viewTable. | 1477 Conceptual rows having the value 'permanent' need not allow | 1478 write-access to any columnar objects in the row." | 1479 DEFVAL { nonVolatile } 1480 ::= { viewEntry 5 } 1482 viewStatus OBJECT-TYPE 1483 SYNTAX RowStatus 1484 MAX-ACCESS read-create 1485 STATUS current 1486 DESCRIPTION 1487 "The status of this conceptual row in the viewTable. 1489 For those columnar objects which permit write-access, their 1490 value in an existing conceptual row can be changed 1491 irrespective of the value of viewStatus for that row." 1492 ::= { viewEntry 6 } 1494 -- conformance information + 1496 partyMIBConformance 1497 OBJECT IDENTIFIER ::= { partyMIB 3 } 1499 partyMIBCompliances 1500 OBJECT IDENTIFIER ::= { partyMIBConformance 1 } 1501 partyMIBGroups 1502 OBJECT IDENTIFIER ::= { partyMIBConformance 2 } 1504 -- compliance statements 1506 unSecurableCompliance MODULE-COMPLIANCE 1507 STATUS current 1508 DESCRIPTION 1509 "The compliance statement for SNMPv2 entities which 1510 implement the Party MIB, but do not support any 1511 authentication or privacy protocols (i.e., only the noAuth 1512 and noPriv protocols are supported)." 1513 MODULE -- this module 1514 MANDATORY-GROUPS { partyMIBGroup } 1515 ::= { partyMIBCompliances 1 } 1517 partyNoPrivacyCompliance MODULE-COMPLIANCE 1518 STATUS current 1519 DESCRIPTION 1520 "The compliance statement for SNMPv2 entities which 1521 implement the Party MIB, and support an authentication 1522 protocol, but do not support any privacy protocols (i.e., 1523 only the noAuth, v2md5AuthProtocol, and noPriv protocols are 1524 supported)." 
1525 MODULE -- this module 1526 MANDATORY-GROUPS { partyMIBGroup } 1527 ::= { partyMIBCompliances 2 } 1529 partyPrivacyCompliance MODULE-COMPLIANCE 1530 STATUS current 1531 DESCRIPTION 1532 "The compliance statement for SNMPv2 entities which 1533 implement the Party MIB, support an authentication protocol, 1534 and support a privacy protocol ONLY for the purpose of 1535 accessing security parameters. 1537 For all acTable entries authorizing a local and/or remote | 1538 SNMPv2 party | 1539 whose privacy protocol is desPrivProtocol, to be used in 1540 accessing an SNMPv2 context, the MIB view for that SNMPv2 1541 context shall include only those objects subordinate to 1542 partyMIBObjects, or a subset thereof, e.g., 1544 viewSubtree = { partyMIBObjects } 1545 viewMask = ''H 1546 viewType = { included } 1548 Any attempt to configure an entry in the partyTable, the 1549 contextTable, the acTable or the viewTable such that | 1550 a party using the desPrivProtocol would be authorized for 1551 use in accessing objects outside of the partyMIBObjects 1552 subtree shall result in the appropriate error response 1553 (e.g., wrongValue or inconsistentValue)." 1554 MODULE -- this module 1555 MANDATORY-GROUPS { partyMIBGroup } 1556 ::= { partyMIBCompliances 3 } 1558 fullPrivacyCompliance MODULE-COMPLIANCE 1559 STATUS current 1560 DESCRIPTION 1561 "The compliance statement for SNMPv2 entities which 1562 implement the Party MIB, support an authentication protocol, 1563 and support a privacy protocol without restrictions on its 1564 use." 
1565 MODULE -- this module 1566 MANDATORY-GROUPS { partyMIBGroup } 1567 ::= { partyMIBCompliances 4 } 1569 -- units of conformance 1571 partyMIBGroup OBJECT-GROUP 1572 OBJECTS { partyIndex, partyTDomain, partyTAddress, 1573 partyMaxMessageSize, partyLocal, 1574 partyAuthProtocol, partyAuthClock, 1575 partyAuthPrivate, partyAuthPublic, 1576 partyAuthLifetime, partyPrivProtocol, 1577 partyPrivPrivate, partyPrivPublic, 1578 partyStorageType, partyStatus, 1579 partyCloneFrom, 1580 partyAuthChange, partyPrivChange, | 1581 partySecretSpinLock, | 1582 agentID, | 1583 contextIndex, contextType, contextLocalEntity, | 1584 contextLocalTime, contextStorageType, 1585 contextStatus, 1586 acPrivileges, acStorageType, acStatus, | 1587 acReadViewIndex, acWriteViewIndex, | 1588 viewNextIndex, | 1589 viewMask, viewType, viewStorageType, viewStatus } 1590 STATUS current 1591 DESCRIPTION 1592 "The collection of objects allowing the description and 1593 configuration of SNMPv2 parties. 1595 Note that objects which support proxy contexts are not 1596 included in this conformance group." 1597 ::= { partyMIBGroups 1 } 1599 partyMIBProxyGroup OBJECT-GROUP + 1600 OBJECTS { contextProxySrcParty, contextProxyDstParty, + 1601 contextProxyContext } + 1602 STATUS current + 1603 DESCRIPTION + 1604 "The collection of objects needed for the support of proxy + 1605 SNMPv2 contexts." + 1606 ::= { partyMIBGroups 2 } + 1608 END + 1609 3. Acknowledgments 1611 The authors wish to acknowledge the contributions of the SNMPv2 Working 1612 Group in general. 
   In particular, the following individuals

        Dave Arneson (Cabletron),
        Uri Blumenthal (IBM),
        Doug Book (Chipcom),
        Maria Greene (Ascom Timeplex),
        Deirdre Kostik (Bellcore),
        Dave Harrington (Cabletron),
        Jeff Johnson (Cisco Systems),
        Brian O'Keefe (Hewlett Packard),
        Dave Perkins (Bay Networks),
        Randy Presuhn (Peer Networks),
        Shawn Routhier (Epilogue),
        Bob Stewart (Cisco Systems),
        Kaj Tesink (Bellcore).

   deserve special thanks for their contributions.

4.  References

   [1] Information processing systems - Open Systems Interconnection -
       Specification of Abstract Syntax Notation One (ASN.1),
       International Organization for Standardization, International
       Standard 8824, December 1987.

   [2] Case, J., McCloghrie, K., Rose, M., and Waldbusser, S., "Structure
       of Management Information for Version 2 of the Simple Network
       Management Protocol (SNMPv2)", Internet Draft, SNMP Research, Inc.,
       Cisco Systems, Dover Beach Consulting, Inc., Carnegie Mellon
       University, November 1994.

   [3] Case, J., Galvin, J., McCloghrie, K., Rose, M., and Waldbusser, S.,
       "Administrative Infrastructure for Version 2 of the Simple Network
       Management Protocol (SNMPv2)", Internet Draft, SNMP Research, Inc.,
       Trusted Information Systems, Cisco Systems, Dover Beach Consulting,
       Inc., Carnegie Mellon University, November 1994.

   [4] Case, J., Galvin, J., McCloghrie, K., Rose, M., and Waldbusser, S.,
       "Security Protocols for Version 2 of the Simple Network Management
       Protocol (SNMPv2)", Internet Draft, SNMP Research, Inc., Trusted
       Information Systems, Cisco Systems, Dover Beach Consulting, Inc.,
       Carnegie Mellon University, November 1994.
   [5] Case, J., McCloghrie, K., Rose, M., and Waldbusser, S., "Protocol
       Operations for Version 2 of the Simple Network Management Protocol
       (SNMPv2)", Internet Draft, SNMP Research, Inc., Cisco Systems,
       Dover Beach Consulting, Inc., Carnegie Mellon University, November
       1994.

   [6] Case, J., McCloghrie, K., Rose, M., and Waldbusser, S., "Transport
       Mappings for Version 2 of the Simple Network Management Protocol
       (SNMPv2)", Internet Draft, SNMP Research, Inc., Cisco Systems,
       Dover Beach Consulting, Inc., Carnegie Mellon University, November
       1994.

5.  Security Considerations

   Security issues are not discussed in this memo.

6.  Authors' Addresses

   Jeffrey D. Case
   SNMP Research, Inc.
   3001 Kimberlin Heights Rd.
   Knoxville, TN 37920-9716
   US

   Phone: +1 615 573 1434
   Email: case@snmp.com

   James M. Galvin
   Trusted Information Systems, Inc.
   3060 Washington Road, Route 97
   Glenwood, MD 21738

   Phone: +1 301 854 6889
   Email: galvin@tis.com

   Keith McCloghrie
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA 95134-1706

   Phone: +1 408 526 5260
   Email: kzm@cisco.com

   Marshall T. Rose
   Dover Beach Consulting, Inc.
   420 Whisman Court
   Mountain View, CA 94043-2186
   US

   Phone: +1 415 968 1052
   Email: mrose@dbc.mtview.ca.us

   Steven Waldbusser
   Carnegie Mellon University
   5000 Forbes Ave
   Pittsburgh, PA 15213
   US

   Phone: +1 412 268 6628
   Email: waldbusser@cmu.edu

Table of Contents

   1 Introduction
   1.1 A Note on Terminology
   1.2 Change Log
   2 Definitions
   3.1 Textual Conventions
   3.2 Administrative Assignments
   3.3 Object Assignments
   3.4 SNMPv2 Party Information
   3.5 Agent Identifier
   3.6 SNMPv2 Contexts
   3.7 SNMPv2 Access Privileges
   3.8 MIB Views
   3.9 Conformance Information
   3.9.1 Compliance Statements
   3.9.2 Units of Conformance
   3 Acknowledgments
   4 References
   5 Security Considerations
   6 Authors' Addresses