Access Control Model for version 3 of the
Simple Network Management Protocol (SNMPv3)

18 June 1997

Bert Wijnen
IBM T. J. Watson Research
wijnen@vnet.ibm.com

Randy Presuhn
BMC Software, Inc.
rpresuhn@bmc.com

Keith McCloghrie
Cisco Systems, Inc.
kzm@cisco.com

Status of this Memo

This document is an Internet-Draft.
Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''

To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

Abstract

This document describes the Access Control Model (ACM) for SNMP
version 3 for use in the SNMP architecture [SNMP-ARCH]. This
document defines the Elements of Procedure for applying access
control to management information. This document also includes
a MIB for remotely monitoring/managing the configuration parameters
for this ACM.

Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 1]

0.1 Issues

- Where do we do the miId to groupName mapping
- Should we use UTF-8 for human readable names like
  contextName, viewName, groupName etc.
  We now use a SnmpAdminString TC which still needs to be defined.
- acknowledgements needs expansion
- Do we want to mandate a standard out-of-the-box configuration.
- How do we return a proper indication of the error-counter
  to be used in a possible reportPDU.
- Do we keep the statistics (error counters) here or in MPC

0.2 Change Log

[version 3.1] - This is the June 18 version.
- remove old (resolved) issues
- list new issues
- corrections/additions by myself (bert)
- corrections based on dbh comments
- removed change log of before 1st interim meeting.
[version 3.0] - this is the first ACM doc (June 12 version).
- Modifications as agreed at 1st Interim Meeting
  - Make Access Control Module a separate document
  - Use viewName as index instead of an integer
  - add notify_view
  - use SnmpAdminString
- Other Modification
  - use miId and secModel
  - add groupTable
  - add/rename Stats counters

1. Introduction

The Architecture for describing Internet Management Frameworks
is composed of multiple subsystems:

  1) a message processing and control subsystem,
  2) a security subsystem,
  3) an access control subsystem, and
  4) orangelets.

It is important to understand the SNMP architecture and the
terminology of the architecture to understand where the model
described in this document fits into the architecture and interacts
with other subsystems within the architecture. The reader is
expected to have read and understood the description of the SNMP
architecture, as defined in [SNMP-ARCH].

The Access Control subsystem of an SNMP engine provides services
to orangelets so that these orangelets can check if access to an
object is allowed or not.

An Access Control model has the responsibility for checking if
a specific type of access (read, write, notify) to a particular
object (instance) is allowed.

It is the purpose of this document to define a specific model of
the Access Control subsystem, designated the SNMP version 3 Access
Control model.

1.2 Access Control

Access Control occurs (either implicitly or explicitly) in an SNMP
engine acting in an agent role when processing SNMP request
messages from an SNMP engine acting in a manager role. These
request messages include these types of operations: GetRequest,
GetNextRequest, GetBulkRequest, and SetRequest operations.
Access Control also occurs in an SNMP engine when an SNMP
notification message is generated. These notification messages
include these types of operations: InformRequest and SNMPv2-trap
operations.

Access Control via the Access Control module only occurs if the
orangelet that processes or generates the operation explicitly
calls upon the access control service for checking of access
rights. So it is the responsibility of an orangelet to make
the proper calls for access checking.

1.3 Local Configuration Datastore

To implement the model described in this document, each SNMP
engine needs to retain its own set of information about access
rights and policies, and the like. This set of information is
called the SNMP engine's Local Configuration Datastore (LCD)
because it is locally-stored information.

In order to allow an SNMP engine's LCD to be remotely configured,
portions of the LCD need to be accessible as managed objects.
A MIB module, the SNMPv3 Access Control Model Configuration MIB,
which defines these managed object types is included in this
document.

2. Elements of the Model

This section contains definitions to realize the access control
applied by this Access Control Model.

2.1 Groups

A groupName identifies a group (set) of zero or more
securityIdentities on whose behalf SNMP management objects can be
accessed. The Access Control module assumes the securityIdentity
has already been authenticated as needed and provides no
authentication by itself.

This SNMPv3 Access Control model requires the securityModel and the
securityIdentity to be passed as input to the Access Control module
when a request is made to check for access rights.
2.2 Level of Security (LoS)

Different access rights can be defined for different Levels of
Security. The LoS identifies the Level of Security that will be
assumed when checking for access rights.

This Access Control Model requires the LoS to be passed as input
to the Access Control module when a request is made to check access
rights.

2.3 Contexts

An SNMP context is a collection of management information
accessible by an SNMP agent. An item of management information
may exist in more than one context. An SNMP agent potentially
has access to many contexts.

2.4 Access Policy

This Access Control model determines the access rights of groups
(representing zero, one or more securityIdentities
which have the same access rights). For a particular context
(contextName) to which a group (groupName) has access using
a particular Level of Security (LoS), that group's access rights
are given by a read-view, a write-view and a notify-view.

The read-view is the set of object instances authorized
for the group when reading objects. Reading objects occurs
when processing a retrieval (Get, GetNext, GetBulk) operation.

The write-view is the set of object instances authorized for
the group when writing objects. Writing objects occurs when
processing a Set operation.

The notify-view is the set of object instances authorized for
the group when sending objects in a notification. This occurs
when sending a notification (Inform or Trap).

3. Elements of Procedure

This section describes the procedures followed by the Access Control
module that implements this Access Control Model when checking access
rights as requested by an orangelet.
The abstract service interface into the access control service is:

    Boolean is_access_allowed ( secModel, miId, LoS,
                                viewType, contextName,
                                variableName
                              )

Where:

    Boolean      - FALSE if no access is allowed.
                   TRUE if access is allowed.
    secModel     - security model to which the miId belongs.
    miId         - security model independent ID (securityIdentity).
    LoS          - Level of Security
    viewType     - view to be checked (read, write or notify).
    contextName  - context in which the variableName is accessed.
    variableName - variable that is accessed.

3.1 Processing the is_access_allowed service request

This section describes the procedure followed by the Access Control
module whenever it receives a request to check if access is allowed.

(1) The LCD (snmpV3AcContextTable) is consulted for information about
    the SNMP context identified by the contextName. If information
    about this SNMP context is absent from the LCD, then the
    snmpV3AcStatsUnknownContexts counter is incremented, and FALSE
    is returned to the caller.

(2) The LCD (snmpV3AcGroupTable) is consulted for information about
    the security model (secModel) and securityIdentity (miId). If
    information about this combination is absent from the LCD, then
    the snmpV3AcStatsNoGroups counter is incremented, and FALSE is
    returned to the caller.

(3) The LCD (snmpV3AcTable) is consulted for information about
    the contextName, groupName and LoS. If information about this
    combination is absent from the LCD, then the snmpV3AcStatsNoViews
    counter is incremented, and FALSE is returned to the caller.

(4) If the viewType is read, then the read-view is used
    for checking if the variableName is accessible.
    If access is allowed, then TRUE is returned to the caller.
    Otherwise the snmpV3AcStatsUnauthorizedAccesses counter is
    incremented and FALSE is returned to the caller.
(5) If the viewType is write, then the write-view is used
    for checking if the variableName is accessible.
    If access is allowed, then TRUE is returned to the caller.
    Otherwise the snmpV3AcStatsUnauthorizedAccesses counter is
    incremented and FALSE is returned to the caller.

(6) If the viewType is notify, then the notify-view is
    used for checking if the variableName is accessible.
    If access is allowed, then TRUE is returned to the caller.
    Otherwise the snmpV3AcStatsUnauthorizedAccesses counter is
    incremented and FALSE is returned to the caller.

Editor's note:
We decided that a boolean would be returned. Maybe it is better
to return a status_code which can have one of these values:
    otherError
    accessAllowed
    unknownContext
    noGroup
    noView
    accessNotAllowed
Then the caller can generate the appropriate reportPDU (or tell the
MPC to generate the appropriate reportPDU).
End Editor's note

4. Definitions

SNMPV3-AC-MIB DEFINITIONS ::= BEGIN

IMPORTS
    Counter32, Unsigned32, BITS,
    MODULE-IDENTITY, OBJECT-TYPE, snmpModules     FROM SNMPv2-SMI
    TEXTUAL-CONVENTION, TestAndIncr,
    RowStatus, StorageType                        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP               FROM SNMPv2-CONF
    -- TC names as used by the object definitions below
    SnmpV3AdminString,
    SnmpV3LoS,
    SnmpV3SecurityModel                           FROM SNMPv3-MIB;

snmpV3AcMIB MODULE-IDENTITY
    LAST-UPDATED "9706180000Z"          -- 18 June 1997, midnight
    ORGANIZATION "SNMPv3 Working Group"
    CONTACT-INFO "WG-email:   snmpv3@tis.com
                  Subscribe:  majordomo@tis.com
                              In msg body:  subscribe snmpv3

                  Chair:      Russ Mundy
                              Trusted Information Systems
                  postal:     3060 Washington Rd
                              Glenwood MD 21738
                  email:      mundy@tis.com
                  phone:      301-854-6889

                  Co-editor:  Bert Wijnen
                              IBM T.J. Watson Research
                  postal:     Schagen 33
                              3461 GL Linschoten
                              Netherlands
                  email:      wijnen@vnet.ibm.com
                  phone:      +31-348-412-498

                  Co-editor:  Randy Presuhn
                              BMC Software, Inc
                  postal:     1190 Saratoga Avenue, Suite 130
                              San Jose, CA 95129-3433
                              USA
                  email:      rpresuhn@bmc.com
                  phone:      +1-408-556-0720

                  Co-editor:  Keith McCloghrie
                              Cisco Systems, Inc.
                  postal:     170 West Tasman Drive
                              San Jose, CA 95134-1706
                              USA
                  email:      kzm@cisco.com
                  phone:      +1-408-526-5260
                 "
    DESCRIPTION "The management information definitions for the
                 SNMPv3 Access Control Model.
                "
    ::= { snmpModules 99 }

-- Administrative assignments ****************************************

snmpV3AcMIBObjects     OBJECT IDENTIFIER ::= { snmpV3AcMIB 1 }
snmpV3AcMIBConformance OBJECT IDENTIFIER ::= { snmpV3AcMIB 2 }

-- Statistics for Access Control Checking ****************************

snmpV3AcStats          OBJECT IDENTIFIER ::= { snmpV3AcMIBObjects 1 }

snmpV3AcStatsUnknownContexts OBJECT-TYPE
    SYNTAX       Counter32
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION "The total number of packets received by the SNMP
                 engine which were dropped because they referenced a
                 context that was not known to the engine.
                "
    ::= { snmpV3AcStats 1 }

snmpV3AcStatsNoGroups OBJECT-TYPE
    SYNTAX       Counter32
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION "The total number of packets received by the SNMP
                 engine which were dropped because the security model
                 independent ID (securityIdentity, miId) did not map
                 to a group in the snmpV3AcGroupTable.
                "
    ::= { snmpV3AcStats 2 }

snmpV3AcStatsNoViews OBJECT-TYPE
    SYNTAX       Counter32
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION "The total number of packets received by the SNMP
                 engine which were dropped because the combination
                 of contextName, groupName and LoS does not have
                 an entry in the snmpV3AcTable at all.
                "
    ::= { snmpV3AcStats 3 }

snmpV3AcStatsUnauthorizedAccesses OBJECT-TYPE
    SYNTAX       Counter32
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION "The total number of packets received by the SNMP
                 engine which were dropped because the type of access
                 requested is invalid or not authorized.
                "
    ::= { snmpV3AcStats 4 }

-- Information about Mapping of miId into a group ********************

-- Editor's question:
-- I have included the mapping table for the miId into a
-- groupName into this MIB. I think that keeps the access
-- control nicely grouped together. Comments?
-- End Editor's question.

snmpV3AcGroupTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF SnmpV3AcGroupEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The table that maps the Security Model Independent ID
                 into a groupName which defines an access control
                 policy for a group of security identities.
                "
    ::= { snmpV3AcMIBObjects 2 }

snmpV3AcGroupEntry OBJECT-TYPE
    SYNTAX       SnmpV3AcGroupEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "An entry in this table maps a miId into a groupName."
    INDEX      { snmpV3AcSecModel,
                 snmpV3AcMiId
               }
    ::= { snmpV3AcGroupTable 1 }

SnmpV3AcGroupEntry ::= SEQUENCE
{
    snmpV3AcSecModel          SnmpV3SecurityModel,
    snmpV3AcMiId              SnmpV3AdminString,
    snmpV3AcGroupName         SnmpV3AdminString,
    snmpV3AcGroupStorageType  StorageType,
    snmpV3AcGroupStatus       RowStatus
}

snmpV3AcSecModel OBJECT-TYPE
    SYNTAX       SnmpV3SecurityModel
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The security model, which is the first index in this
                 table.
                "
    ::= { snmpV3AcGroupEntry 1 }

snmpV3AcMiId OBJECT-TYPE
    SYNTAX       SnmpV3AdminString
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The Security Model Independent ID (miId) for a
                 particular security identity. It is used as a second
                 index in this table.
                "
    ::= { snmpV3AcGroupEntry 2 }

snmpV3AcGroupName OBJECT-TYPE
    SYNTAX       SnmpV3AdminString
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The groupName to which this miId belongs. This
                 groupName represents an access control policy and is
                 used as an index in the snmpV3AcTable.
                "
    ::= { snmpV3AcGroupEntry 3 }

snmpV3AcGroupStorageType OBJECT-TYPE
    SYNTAX       StorageType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The storage type for this conceptual row.
                 Conceptual rows having the value 'permanent'
                 need not allow write-access to any columnar
                 objects in the row.
                "
    DEFVAL     { nonVolatile }
    ::= { snmpV3AcGroupEntry 6 }

snmpV3AcGroupStatus OBJECT-TYPE
    SYNTAX       RowStatus
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The status of this conceptual row.

                 For those columnar objects which permit write-access,
                 their value in an existing conceptual row can be
                 changed irrespective of the value of
                 snmpV3AcGroupStatus for that row.
                "
    ::= { snmpV3AcGroupEntry 7 }

-- Information about Local Contexts **********************************

snmpV3AcContextTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF SnmpV3AcContextEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The table of locally available contexts. If a context
                 is listed in this table that does not mean that
                 access to this context has been defined in the
                 snmpV3AcTable. It just means that the context exists
                 and that MIB objects may exist in this context.

                 This table must be made accessible via the default
                 context.

                 This table is read-only meaning that SNMP engines
                 in a manager role cannot configure contexts.

                 Instead the table is meant to provide input to SNMP
                 engines in a manager role such that they can
                 properly configure the snmpV3AcTable to control
                 access to all contexts in an SNMP engine operating
                 in an agent role.
                "
    ::= { snmpV3AcMIBObjects 3 }

snmpV3AcContextEntry OBJECT-TYPE
    SYNTAX       SnmpV3AcContextEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "Information about a particular context."
    INDEX      { snmpV3AcContextName }
    ::= { snmpV3AcContextTable 1 }

SnmpV3AcContextEntry ::= SEQUENCE
{
    snmpV3AcContextName       SnmpV3AdminString
}

snmpV3AcContextName OBJECT-TYPE
    SYNTAX       SnmpV3AdminString (SIZE(0..32))
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION "A textual name uniquely identifying a particular
                 context on a particular agent.
                "
    ::= { snmpV3AcContextEntry 1 }

-- Information about Access Rights ***********************************

snmpV3AcTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF SnmpV3AcEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The table of group access rights configured in the
                 local configuration datastore (LCD).

                 Each entry is indexed by a contextName, a GroupName
                 and a Level of Security (LoS).
                 When checking if access
                 is allowed, then one entry from this table needs to
                 be selected and the proper viewName from that entry
                 must be used for access control checking.

                 To select the proper entry, first a match must be
                 found for the contextName. The procedure for this
                 process depends on the value of snmpV3AcContextMatch:
                 - exact
                   In this case, the snmpV3AcContextName represents
                   an exact contextName, and so the name must match
                   exactly.
                 - prefix
                   In this case, the snmpV3AcContextName represents
                   a prefix of a contextName, so that (a limited form
                   of) wildcarding is possible. The value of
                   snmpV3AcContextName must match with the first part
                   of the contextName to which access is requested.

                   For example, if we use a prefix contextName
                   'repeater', then both contexts named 'repeater1'
                   and 'repeater2' are accessible.

                 In case multiple entries match, then the entry with
                 the longest snmpV3AcContextName wins.

                 The second match to make is for the groupName. Here
                 an exact match must be found.

                 The 3rd match to make is for the LoS. Here an exact
                 match must be found.
                "
    -- Editor's Question to Keith:
    -- I have removed snmpV3AcContextName from the AcTable.... I was
    -- thinking that it has the same semantics as snmpV3AcContextName
    -- in the SnmpV3AcContextTable above. But now that we also allow
    -- for wildcarding here, now I am not so sure that the semantics
    -- are indeed the same. Should I define a snmpV2AcContextPrefix
    -- instead?
    -- End Editor's Question
    ::= { snmpV3AcMIBObjects 4 }

snmpV3AcEntry OBJECT-TYPE
    SYNTAX       SnmpV3AcEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "An access right configured in the local configuration
                 datastore (LCD) authorizing access to an SNMP context.
                "
    INDEX      { snmpV3AcContextName,
                 snmpV3AcGroupName,
                 snmpV3AcLoS
               }
    ::= { snmpV3AcTable 1 }

SnmpV3AcEntry ::= SEQUENCE
{
    snmpV3AcLoS               SnmpV3LoS,
    snmpV3AcContextMatch      INTEGER,
    snmpV3AcReadViewName      SnmpV3AdminString,
    snmpV3AcWriteViewName     SnmpV3AdminString,
    snmpV3AcNotifyViewName    SnmpV3AdminString,
    snmpV3AcStorageType       StorageType,
    snmpV3AcStatus            RowStatus
}

snmpV3AcLoS OBJECT-TYPE
    SYNTAX       SnmpV3LoS
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The minimum level of security required in order to
                 gain the access rights allowed by this conceptual
                 row.
                "
    ::= { snmpV3AcEntry 1 }

snmpV3AcContextMatch OBJECT-TYPE
    SYNTAX       INTEGER
                 { exact  (0),   -- exact match of context Name
                   prefix (1)    -- Only match to this prefix
                 }
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "If exact is set, then the contextName of the
                 index part snmpV3AcContextName of this entry in this
                 table represents a full contextName.

                 If prefix is set, then the contextName of the
                 index part snmpV3AcContextName of this entry in this
                 table represents a partial contextName which acts
                 as a prefix so that a simple form of wildcarding
                 is possible.
                "
    ::= { snmpV3AcEntry 2 }

snmpV3AcReadViewName OBJECT-TYPE
    SYNTAX       SnmpV3AdminString
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes read access.

                 The identified MIB view is that for which
                 snmpV3AcViewName has the same value as the instance
                 of this object; if the value is the empty string or
                 if there is no active MIB view having this value of
                 snmpV3AcViewName, then no access is granted.

                 Otherwise, this object is ignored and can take any
                 value at the Access Control module's discretion,
                 e.g., the empty string.
                "
    DEFVAL     { ''H }   -- the empty string
    ::= { snmpV3AcEntry 3 }

snmpV3AcWriteViewName OBJECT-TYPE
    SYNTAX       SnmpV3AdminString
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes write access.

                 The identified MIB view is that for which
                 snmpV3AcViewName has the same value as the instance
                 of this object; if the value is the empty string or
                 if there is no active MIB view having this value of
                 snmpV3AcViewName, then no access is granted.

                 Otherwise, this object is ignored and can take any
                 value at the Access Control module's discretion,
                 e.g., the empty string.
                "
    DEFVAL     { ''H }   -- the empty string
    ::= { snmpV3AcEntry 4 }

snmpV3AcNotifyViewName OBJECT-TYPE
    SYNTAX       SnmpV3AdminString
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes access for notifications.

                 The identified MIB view is that for which
                 snmpV3AcViewName has the same value as the instance
                 of this object; if the value is the empty string or
                 if there is no active MIB view having this value of
                 snmpV3AcViewName, then no access is granted.

                 Otherwise, this object is ignored and can take any
                 value at the Access Control module's discretion,
                 e.g., the empty string.
                "
    DEFVAL     { ''H }   -- the empty string
    ::= { snmpV3AcEntry 5 }

snmpV3AcStorageType OBJECT-TYPE
    SYNTAX       StorageType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The storage type for this conceptual row.

                 Conceptual rows having the value 'permanent'
                 need not allow write-access to any columnar
                 objects in the row.
                "
    DEFVAL     { nonVolatile }
    ::= { snmpV3AcEntry 6 }

snmpV3AcStatus OBJECT-TYPE
    SYNTAX       RowStatus
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The status of this conceptual row.

                 For those columnar objects which permit write-access,
                 their value in an existing conceptual row can be
                 changed irrespective of the value of snmpV3AcStatus
                 for that row.
                "
    ::= { snmpV3AcEntry 7 }

-- Information about MIB views ***************************************
-- Support for views having instance-level granularity is optional

snmpV3AcViewTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF SnmpV3AcViewEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The table of locally defined MIB views.

                 When an SNMP engine in the manager role wants to
                 create a new MIB view, then it must first create
                 an entry in the snmpV3AcViewTable, using a
                 non-existing index-value for snmpV3AcViewName.
                 If the creation of such an entry is successful,
                 the SNMP engine in the manager role can then start
                 creating entries in the snmpV3AcSubtreeFamilyTable.

                 When deleting MIB views, it is strongly advised that
                 first the related snmpV3AcSubtreeFamilyEntries are
                 deleted from the snmpV3AcSubtreeFamilyTable and that
                 only upon completion of that deletion process the
                 snmpV3AcViewEntry is deleted from the
                 snmpV3AcViewTable.

                 Furthermore, a manager should take great care to
                 delete all the 'included' family entries before
                 deleting any of the 'excluded' ones.

                 Following these procedures there should be no
                 collisions when multiple managers try to update
                 the MIB views at an SNMP engine in an agent role.

                 If managers do not follow these procedures then it is
                 agent-implementation dependent as to what the result
                 of possible collisions will be.
                "
    ::= { snmpV3AcMIBObjects 5 }

snmpV3AcViewEntry OBJECT-TYPE
    SYNTAX       SnmpV3AcViewEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "Information on a particular local MIB view."
    INDEX      { snmpV3AcViewName }
    ::= { snmpV3AcViewTable 1 }

SnmpV3AcViewEntry ::= SEQUENCE
{
    snmpV3AcViewName          SnmpV3AdminString,
    snmpV3AcViewStorageType   StorageType,
    snmpV3AcViewStatus        RowStatus
}

snmpV3AcViewName OBJECT-TYPE
    SYNTAX       SnmpV3AdminString (SIZE(1..32))
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "A unique viewName that uniquely identifies a MIB
                 viewEntry in this table.
                "
    ::= { snmpV3AcViewEntry 1 }

snmpV3AcViewStorageType OBJECT-TYPE
    SYNTAX       StorageType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The storage type for this conceptual row.

                 Conceptual rows having the value 'permanent' need
                 not allow write-access to any columnar objects in
                 the row.
                "
    DEFVAL     { nonVolatile }
    ::= { snmpV3AcViewEntry 2 }

snmpV3AcViewStatus OBJECT-TYPE
    SYNTAX       RowStatus
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The status of this conceptual row.

                 For those columnar objects which permit write-access,
                 their value in an existing conceptual row can be
                 changed irrespective of the value of
                 snmpV3AcViewStatus for that row.
                "
    ::= { snmpV3AcViewEntry 3 }

-- Subtree families of MIB views *************************************

snmpV3AcSubtreeFamilyTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF SnmpV3AcSubtreeFamilyEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "Locally held information about families of subtrees
                 within MIB views.

                 Each MIB view is defined by two collections of view
                 subtrees: the included view subtrees, and the
                 excluded view subtrees.
                 Every such subtree, both included and excluded,
                 is defined in this table.
828 To determine if a particular object instance is in 829 a particular MIB view, compare the object instance's 830 OBJECT IDENTIFIER with each of the MIB view's active 831 entries in this table. If none match, then the 832 object instance is not in the MIB view. If one or 833 more match, then the object instance is included in, 834 or excluded from, the MIB view according to the 835 value of snmpV3AcSubtreeFamilyType in the entry 836 whose value of snmpV3AcSubtreeFamilySubtree has the 837 most sub-identifiers. If multiple entries match 838 and have the same number of sub-identifiers, then 839 the lexicographically greatest instance of 840 snmpV3AcSubtreeFamilyType determines the inclusion 841 or exclusion. 843 An object instance's OBJECT IDENTIFIER X matches an 844 active entry in this table when the number of 845 sub-identifiers in X is at least as many as in the 846 value of snmpV3AcSubtreeFamilySubtree for the entry, 847 and each sub-identifier in the value of 848 snmpV3AcSubtreeFamilySubtree matches its 849 corresponding sub-identifier in X. 850 Two sub-identifiers match either if the 851 corresponding bit of snmpV3AcSubtreeFamilyMask is 852 zero (the 'wild card' value), or if they are equal. 854 A 'family' of view subtrees is the set of subtrees 855 defined by a particular combination of values of 856 snmpV3AcSubtreeFamilySubtree and 857 snmpV3AcSubtreeFamilyMask. 858 In the case where no 'wild card' is defined in 859 snmpV3AcSubtreeFamilyMask, the family of view 860 subtrees reduces to a single view subtree. 862 When an SNMP engine in the manager role wants to 863 create a new MIB view, then it should first create 864 an entry in the snmpV3AcViewTable, using a 865 non-existing index-value for snmpV3AcViewName. 866 If the creation of such an entry is successful, 867 the SNMP engine in the manager role can then start 868 creating entries in the snmpV3AcSubtreeFamilyTable.
870 When deleting MIB views, it is strongly advised that 871 first the related snmpV3AcSubtreeFamilyEntries are 872 deleted from the snmpV3AcSubtreeFamilyTable and that 873 only upon completion of that deletion process the 874 snmpV3AcViewEntry is deleted from the 875 snmpV3AcViewTable. 877 Following these procedures there should be no 878 collisions when multiple managers try to update 879 the MIB views at an SNMP engine in an agent role. 880 " 881 ::= { snmpV3AcMIBObjects 6 } 883 snmpV3AcSubtreeFamilyEntry OBJECT-TYPE 884 SYNTAX SnmpV3AcSubtreeFamilyEntry 885 MAX-ACCESS not-accessible 886 STATUS current 887 DESCRIPTION "Information on a particular family of view subtrees 888 included in or excluded from a particular SNMP 889 context's MIB view. The MIB view must exist 890 (i.e., be represented by a conceptual row in the 891 snmpV3AcViewTable) before any subtree families can 892 be defined for it. 894 Implementations must not restrict the number of 895 families of view subtrees for a given MIB view, 896 except as dictated by resource constraints on the 897 overall number of entries in the 898 snmpV3AcSubtreeFamilyTable. 900 The value of snmpV3AcViewName in the INDEX clause 901 of this table identifies the MIB view in which this 902 subtree family exists. 904 A MIB view for which there are no conceptual rows 905 in this table is the empty set of view subtrees.
906 " 907 INDEX { snmpV3AcViewName, 908 IMPLIED snmpV3AcSubtreeFamilySubtree 909 } 910 ::= { snmpV3AcSubtreeFamilyTable 1 } 912 SnmpV3AcSubtreeFamilyEntry ::= SEQUENCE 913 { 914 snmpV3AcSubtreeFamilySubtree OBJECT IDENTIFIER, 915 snmpV3AcSubtreeFamilyMask OCTET STRING, 916 snmpV3AcSubtreeFamilyType INTEGER, 917 snmpV3AcSubtreeFamilyStorageType StorageType, 918 snmpV3AcSubtreeFamilyStatus RowStatus 919 } 921 snmpV3AcSubtreeFamilySubtree OBJECT-TYPE 922 SYNTAX OBJECT IDENTIFIER 923 MAX-ACCESS not-accessible 924 STATUS current 925 DESCRIPTION "The MIB subtree which when combined with the 926 corresponding instance of snmpV3AcSubtreeFamilyMask 927 defines a family of view subtrees. 928 " 929 ::= { snmpV3AcSubtreeFamilyEntry 1 } 931 snmpV3AcSubtreeFamilyMask OBJECT-TYPE 932 SYNTAX OCTET STRING (SIZE (0..16)) 933 MAX-ACCESS read-create 934 STATUS current 935 DESCRIPTION "The bit mask which, 936 in combination with the corresponding instance of 937 snmpV3AcSubtreeFamilySubtree, defines a family of 938 view subtrees. 940 Each bit of this bit mask corresponds to a 941 sub-identifier of snmpV3AcSubtreeFamilySubtree, 942 with the most significant bit of the i-th octet 943 of this octet string value (extended if necessary, 944 see below) corresponding to the (8*i - 7)-th 945 sub-identifier, and the least significant bit of 946 the i-th octet of this octet string corresponding 947 to the (8*i)-th sub-identifier, where i is in the 948 range 1 through 16. 950 Each bit of this bit mask specifies whether or not 951 the corresponding sub-identifiers must match when 952 determining if an OBJECT IDENTIFIER is in this 953 family of view subtrees; a '1' indicates that an 954 exact match must occur; a '0' indicates 'wild card', 955 i.e., any sub-identifier value matches. 
957 Thus, the OBJECT IDENTIFIER X of an object instance 958 is contained in a family of view subtrees if, for 959 each sub-identifier of the value of 960 snmpV3AcSubtreeFamilySubtree, either: 962 the i-th bit of snmpV3AcSubtreeFamilyMask is 0, or 964 the i-th sub-identifier of X is equal to the 965 i-th sub-identifier of the value of 966 snmpV3AcSubtreeFamilySubtree. 968 If the value of this bit mask is M bits long 969 and there are more than M sub-identifiers in 970 the corresponding instance of 971 snmpV3AcSubtreeFamilySubtree, then the bit mask 972 is extended with 1's to be the required length. 974 Note that when the value of this object is the 975 zero-length string, this extension rule results in 976 a mask of all-1's being used (i.e., no 'wild card'), 977 and the family of view subtrees is the one view 978 subtree uniquely identified by the corresponding 979 instance of snmpV3AcSubtreeFamilySubtree. 980 " 981 DEFVAL { ''H } 982 ::= { snmpV3AcSubtreeFamilyEntry 2 } 984 snmpV3AcSubtreeFamilyType OBJECT-TYPE 985 SYNTAX INTEGER { included(1), excluded(2) } 986 MAX-ACCESS read-create 987 STATUS current 988 DESCRIPTION "The indication of whether the corresponding instances 989 of snmpV3AcSubtreeFamilySubtree and 990 snmpV3AcSubtreeFamilyMask define a family of view 991 subtrees which is included in or excluded from the 992 MIB view. 993 " 994 DEFVAL { included } 995 ::= { snmpV3AcSubtreeFamilyEntry 3 } 997 snmpV3AcSubtreeFamilyStorageType OBJECT-TYPE 998 SYNTAX StorageType 999 MAX-ACCESS read-create 1000 STATUS current 1001 DESCRIPTION "The storage type for this conceptual row. 1003 Conceptual rows having the value 'permanent' need 1004 not allow write-access to any columnar objects in 1005 the row. 1007 An SNMP engine in the manager role is advised to 1008 use the same value for this row as the value used 1009 in the corresponding row in the snmpV3AcViewTable. 
1010 " 1011 DEFVAL { nonVolatile } 1012 ::= { snmpV3AcSubtreeFamilyEntry 4 } 1014 snmpV3AcSubtreeFamilyStatus OBJECT-TYPE 1015 SYNTAX RowStatus 1016 MAX-ACCESS read-create 1017 STATUS current 1018 DESCRIPTION "The status of this conceptual row. 1020 For those columnar objects which permit write-access, 1021 their value in an existing conceptual row can be 1022 changed irrespective of the value of 1023 snmpV3AcSubtreeFamilyStatus for that row. 1025 An SNMP engine in the manager role is advised to 1026 use the same value for this row as the value used 1027 in the corresponding row in the snmpV3AcViewTable. 1028 " 1029 ::= { snmpV3AcSubtreeFamilyEntry 5 } 1031 -- Conformance information ******************************************* 1033 snmpV3AcMIBCompliances 1034 OBJECT IDENTIFIER ::= { snmpV3AcMIBConformance 1 } 1035 snmpV3AcMIBGroups 1036 OBJECT IDENTIFIER ::= { snmpV3AcMIBConformance 2 } 1038 -- Compliance statements ********************************************* 1040 snmpV3AcMIBCompliance MODULE-COMPLIANCE 1041 STATUS current 1042 DESCRIPTION "The compliance statement for SNMP engines which 1043 implement the SNMPv3 ACM configuration MIB. 1044 " 1045 MODULE -- this module 1046 MANDATORY-GROUPS { snmpV3AcBasicGroup } 1047 OBJECT snmpV3AcContextMatch 1048 MIN-ACCESS read-only 1049 DESCRIPTION "Write access is not required." 1051 OBJECT snmpV3AcReadViewName 1052 MIN-ACCESS read-only 1053 DESCRIPTION "Write access is not required." 1055 OBJECT snmpV3AcWriteViewName 1056 MIN-ACCESS read-only 1057 DESCRIPTION "Write access is not required." 1059 OBJECT snmpV3AcNotifyViewName 1060 MIN-ACCESS read-only 1061 DESCRIPTION "Write access is not required." 1063 OBJECT snmpV3AcStorageType 1064 MIN-ACCESS read-only 1065 DESCRIPTION "Write access is not required." 1067 OBJECT snmpV3AcStatus 1068 MIN-ACCESS read-only 1069 DESCRIPTION "Create access to the snmpV3AcTable 1070 is not required.
1071 " 1073 OBJECT snmpV3AcViewStorageType 1074 MIN-ACCESS read-only 1075 DESCRIPTION "Write access is not required." 1077 OBJECT snmpV3AcViewStatus 1078 MIN-ACCESS read-only 1079 DESCRIPTION "Create access to the snmpV3AcViewTable 1080 is not required. 1081 " 1083 OBJECT snmpV3AcSubtreeFamilyMask 1084 WRITE-SYNTAX OCTET STRING (SIZE (0)) 1085 MIN-ACCESS read-only 1086 DESCRIPTION "Support for configuration via SNMP of 1087 subtree families defined using wild-cards 1088 is not required. 1089 " 1091 OBJECT snmpV3AcSubtreeFamilyType 1092 MIN-ACCESS read-only 1093 DESCRIPTION "Write access is not required." 1095 OBJECT snmpV3AcSubtreeFamilyStorageType 1096 MIN-ACCESS read-only 1097 DESCRIPTION "Write access is not required." 1098 OBJECT snmpV3AcSubtreeFamilyStatus 1099 MIN-ACCESS read-only 1100 DESCRIPTION "Create access to the snmpV3AcSubtreeFamilyTable 1101 is not required. 1102 " 1103 ::= { snmpV3AcMIBCompliances 1 } 1105 -- Units of conformance ********************************************** 1107 snmpV3AcBasicGroup OBJECT-GROUP 1108 OBJECTS { snmpV3AcStatsUnknownContexts, 1109 snmpV3AcStatsNoGroups, 1110 snmpV3AcStatsNoViews, 1111 snmpV3AcStatsUnauthorizedAccesses, -- length 33 1112 snmpV3AcGroupName, 1113 snmpV3AcGroupStorageType, 1114 snmpV3AcGroupStatus, 1115 snmpV3AcContextName, 1116 snmpV3AcReadViewName, 1117 snmpV3AcWriteViewName, 1118 snmpV3AcNotifyViewName, 1119 snmpV3AcStorageType, 1120 snmpV3AcStatus, 1121 snmpV3AcViewStorageType, 1122 snmpV3AcViewStatus, 1123 snmpV3AcSubtreeFamilyMask, 1124 snmpV3AcSubtreeFamilyType, 1125 snmpV3AcSubtreeFamilyStorageType, -- length 32 1126 snmpV3AcSubtreeFamilyStatus 1127 } 1128 STATUS current 1129 DESCRIPTION "A collection of objects providing for remote 1130 configuration of an SNMP engine which implements 1131 the SNMPv3 Access Control Model (ACM). 1132 " 1133 ::= { snmpV3AcMIBGroups 1 } 1135 END 1136 5. 
Security Considerations 1138 5.1 Recommended Practices 1140 This document is meant for use in the SNMP architecture. The 1141 Access Control Model (ACM) described in this document controls 1142 access rights to management information based on: 1144 - contextName, representing a set of management information at the 1145 managed system where the Access Control module is running. 1146 - groupName, representing a group or set of zero, one or more 1147 securityIdentities. These securityIdentities are mapped into 1148 one or more groups in the SNMPv3 Access Control subsystem. 1149 - Level of Security (LoS) used for the transmission of an SNMP 1150 message. 1152 When the Access Control module (ACM) is called for checking access 1153 rights, it is assumed that the calling module has ensured the 1154 authentication and privacy aspects as specified by the Level of 1155 Security (LoS) that is being passed. 1157 5.2 Defining Groups 1159 GroupNames are used to give access to a group of zero, one or more 1160 securityIdentities. Within the ACM, a groupName is considered to 1161 exist if that groupName is used (as an index) in a row in the 1162 snmpV3AcTable. 1163 By mapping a securityIdentity into a group, a Management System can 1164 add/delete securityIdentities to/from a group. 1166 5.3 Conformance 1168 Conformance rules are described in the SNMP architecture document 1169 [SNMP-ARCH]. 1171 6. Editor's Addresses 1173 Co-editor: Bert Wijnen 1174 IBM T. J. Watson Research 1175 postal: Schagen 33 1176 3461 GL Linschoten 1177 Netherlands 1178 email: wijnen@vnet.ibm.com 1179 phone: +31-348-432-794 1181 Co-editor: Randy Presuhn 1182 BMC Software, Inc 1183 postal: 1190 Saratoga Avenue, Suite 130 1184 San Jose, CA 95129-3433 1185 USA 1186 email: rpresuhn@bmc.com 1187 phone: +1-408-556-0720 1189 Co-editor: Keith McCloghrie 1190 Cisco Systems, Inc. 1191 postal: 170 West Tasman Drive 1192 San Jose, CA 95134-1706 1193 USA 1194 email: kzm@cisco.com 1195 phone: +1-408-526-5260 1197 7. 
Acknowledgements 1199 This document describes the work of the SNMP Security and 1200 Administrative Framework Evolution team, comprised of 1202 David Harrington (Cabletron Systems Inc.) 1203 Jeff Johnson (Cisco) 1204 David Levi (SNMP Research Inc.) 1205 John Linn (Openvision) 1206 Russ Mundy (Trusted Information Systems) chair 1207 Shawn Routhier (Epilogue) 1208 Glenn Waters (Nortel) 1209 Bert Wijnen (IBM T. J. Watson Research) 1211 8. References 1213 [RFC1902] The SNMPv2 Working Group, Case, J., McCloghrie, K., 1214 Rose, M., and S. Waldbusser, "Structure of Management 1215 Information for Version 2 of the Simple Network Management 1216 Protocol (SNMPv2)", RFC 1902, January 1996. 1218 [RFC1905] The SNMPv2 Working Group, Case, J., McCloghrie, K., 1219 Rose, M., and S. Waldbusser, "Protocol Operations for 1220 Version 2 of the Simple Network Management Protocol (SNMPv2)", 1221 RFC 1905, January 1996. 1223 [RFC1906] The SNMPv2 Working Group, Case, J., McCloghrie, K., 1224 Rose, M., and S. Waldbusser, "Transport Mappings for 1225 Version 2 of the Simple Network Management Protocol (SNMPv2)", 1226 RFC 1906, January 1996. 1228 [RFC1907] The SNMPv2 Working Group, Case, J., McCloghrie, K., 1229 Rose, M., and S. Waldbusser, "Management Information Base for 1230 Version 2 of the Simple Network Management Protocol (SNMPv2)", 1231 RFC 1907, January 1996. 1233 [RFC1908] The SNMPv2 Working Group, Case, J., McCloghrie, K., 1234 Rose, M., and S. Waldbusser, "Coexistence between Version 1 1235 and Version 2 of the Internet-standard Network Management 1236 Framework", RFC 1908, January 1996. 1238 [SNMP-ARCH] The SNMPv3 Working Group, Harrington, D., Wijnen, B., 1239 "An Architecture for describing Internet Management Frameworks", 1240 draft-ietf-snmpv3-next-gen-arch-02.txt, June 1997.
1242 [SNMPv3-ACM] The SNMPv3 Working Group, Wijnen, B., Harrington, D., 1243 "Access Control Model for Version 3 of the Simple Network 1244 Management Protocol (SNMPv3)", draft-ietf-snmpv3-acm-00.txt, 1245 June 1997. 1247 [SNMPv3-MPC] The SNMPv3 Working Group, Wijnen, B., Harrington, D., 1248 "Message Processing and Control Model for version 3 of the Simple 1249 Network Management Protocol (SNMPv3)", 1250 draft-ietf-snmpv3-mpc-00.txt, 1251 March 1997. 1253 [SNMPv3-USEC] The SNMPv3 Working Group, Blumenthal, U., Wijnen, B., 1254 "The User-Based Security Model for Version 3 of the Simple 1255 Network Management Protocol (SNMPv3)", 1256 draft-ietf-snmpv3-usec-01.txt, June 1997. 1258 APPENDIX A - Installation 1260 A.1. Installation Parameters 1262 During installation, an SNMPv3 engine acting in an authoritative role 1263 is configured with several parameters. These include for the Access 1264 Control module: 1266 (1) A security posture 1268 The choice of security posture determines the extent of the view 1269 configured for unauthenticated access. One of three possible 1270 choices is selected: 1272 minimum-secure, 1273 semi-secure, or 1274 very-secure. 1276 (2) A default context 1278 One entry in the snmpV3AcContextTable with a contextName of 1279 "" (the empty string, representing the default context). 1281 Editor's note: 1282 If we do keep the groupTable, then we also need an entry in 1283 the groupTable for group public. It should have a miId of 1284 "public" for USEC that maps into groupName "public" 1285 End Editor's note.
1287  (3) Three entries in the snmpV3AcTable as follows:

1289      - One entry to be used for unauthenticated access:

1291                                  no privacy support   privacy support
1292                                  ------------------   ---------------
1293        snmpV3AcContextName       ""                   ""
1294        snmpV3AcGroupName         "public"             "public"
1295        snmpV3AcLoS               noAuth/noPriv        noAuth/noPriv
1296        snmpV3AcReadViewName      "restricted"         "restricted"
1297        snmpV3AcWriteViewName     ""                   ""
1298        snmpV3AcNotifyViewName    "restricted"         "restricted"
1299        snmpV3AcStorageType       permanent            permanent
1300        snmpV3AcStatus            active               active

1302      - One entry to be used for authenticated access but without
1303        privacy:

1304                                  no privacy support   privacy support
1305                                  ------------------   ---------------
1306        snmpV3AcContextName       ""                   ""
1307        snmpV3AcGroupName         "public"             "public"
1308        snmpV3AcLoS               Auth/noPriv          Auth/noPriv
1309        snmpV3AcReadViewName      "all"                "all"
1310        snmpV3AcWriteViewName     "all"                "all"
1311        snmpV3AcNotifyViewName    "all"                "all"
1312        snmpV3AcStorageType       permanent            permanent
1313        snmpV3AcStatus            active               active

1315      - One entry to be used for authenticated access with privacy
           (absent on an engine without privacy support):

1317                                  no privacy support   privacy support
1318                                  ------------------   ---------------
1319        snmpV3AcContextName                            ""
1320        snmpV3AcGroupName                              "public"
1321        snmpV3AcLoS                                    Auth/Priv
1322        snmpV3AcReadViewName                           "all"
1323        snmpV3AcWriteViewName                          "all"
1324        snmpV3AcNotifyViewName                         "all"
1325        snmpV3AcStorageType                            permanent
1326        snmpV3AcStatus                                 active

1328  (4) Two views depending on the security posture.

1330      - One view (the "all" view) for authenticated access:

1332        - the MIB view is the following subtree:
1333            "internet" [RFC1902]

1335        Editor's note:
1336        I picked this up from RFC1910.
1337        I have experience myself that MIBs were defined outside the
1338        internet subtree, so maybe this should just be
1339            "iso"
1340        End Editor's note.

1342      - A second view (the "restricted" view) for unauthenticated
1343        access. This view is configured according to the selected
1344        security posture:

1346        - For the "very-secure" posture:

1348          the MIB view is the union of these subtrees:
1349            "snmp"          [RFC1907]
1350            "snmpEngine"    [SNMPv3-USEC]
1351            "snmpV3Stats"   [SNMPv3-MPC]
1352            "snmpV3AcStats" [SNMPv3-ACM]

1354        - For the "semi-secure" posture:

1356          the MIB view is the union of these subtrees:
1357            "snmp"          [RFC1907]
1358            "snmpEngine"    [SNMPv3-USEC]
1359            "snmpV3Stats"   [SNMPv3-MPC]
1360            "snmpV3AcStats" [SNMPv3-ACM]
1361            "system"        [RFC1907]

1363        - For the "minimum-secure" posture:

1365          the MIB view is the following subtree:
1366            "internet" [RFC1902]

1368      - Access rights to allow:

1370        - read-notify access for LoS "noAuth" on behalf of security
1371          entities that belong to the group "public" to the
1372          "restricted" MIB view in the context with contextName "".

1374        - read-write-notify access for LoS "auth" on behalf of security
1375          entities that belong to the group "public" to the
1376          "all" MIB view in the context with contextName "".

1378        - if privacy is supported,
1379          read-write-notify access for LoS "auth/priv" on behalf of
1380          security entities that belong to the group "public" to the
1381          "all" MIB view in the context with contextName "".

1383      -- Editor's note:
1384      If we find it useful (I do) then I will also work out
1385      the entries in the viewTable and viewSubtreeFamilyTable
1386      so that we have the above views defined.
1387      -- End Editor's note

1388  Table of Contents

1390  0.1  Issues                                                      2
1391  0.2  Change Log                                                  2
1392  1.   Introduction                                                3
1393  1.2  Access Control                                              3
1394  1.3  Local Configuration Datastore                               3
1395  2.   Elements of the Model                                       5
1396  2.1  Groups                                                      5
1397  2.2  Level of Security (LoS)                                     5
1398  2.3  Contexts                                                    5
1399  2.4  Access Policy                                               5
1400  3.   Elements of Procedure                                       7
1401  3.1  Processing the is_access_allowed service request            7
1402  4.   Definitions                                                 9
1403  5.   Security Considerations                                    26
1404  5.1  Recommended Practices                                      26
1405  5.2  Defining Groups                                            26
1406  5.3  Conformance                                                26
1407  6.   Editor's Addresses                                         27
1408  7.   Acknowledgements                                           27
1409  8.   References                                                 28
1410  A.1. Installation Parameters                                    29
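Worked example (added here; not part of the draft or of any working-group code). The DESCRIPTION clauses of snmpV3AcSubtreeFamilyTable and snmpV3AcSubtreeFamilyMask in Section 4 spell out how an object instance is tested against the rows of a MIB view: a row matches when the instance is at least as long as the row's subtree and every sub-identifier whose mask bit is 1 is equal; the longest matching subtree decides, with equal-length ties going to the lexicographically greatest instance; a zero-length or short mask is extended with 1's. The Python below implements exactly that rule and applies it to two constructed views in the spirit of Appendix A: "all" (the internet subtree) and "restricted" (system and snmp). The MIB-II object identifiers used (internet, system, snmp, sysLocation, ifEntry, ifDescr) are taken from RFC 1213/1902 knowledge and are not stated on this page; the sample rows, the sysLocation exclusion, the wild-carded ifEntry row and the tie-break view are assumptions chosen to exercise each clause of the rule.

```python
# Added worked example (not from the draft): evaluating a MIB view from
# snmpV3AcSubtreeFamilyTable rows, following the matching rules in the
# DESCRIPTION clauses of snmpV3AcSubtreeFamilyTable and
# snmpV3AcSubtreeFamilyMask.  The sample views and the MIB-II object
# identifiers used in them are assumptions chosen for illustration.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

OID = Tuple[int, ...]

INCLUDED = 1  # snmpV3AcSubtreeFamilyType included(1)
EXCLUDED = 2  # snmpV3AcSubtreeFamilyType excluded(2)


@dataclass(frozen=True)
class SubtreeFamily:
    """One active conceptual row of snmpV3AcSubtreeFamilyTable."""
    subtree: OID
    mask: bytes = b""            # DEFVAL ''H: zero length means no wild card
    family_type: int = INCLUDED  # snmpV3AcSubtreeFamilyType


def oid(text: str) -> OID:
    """Parse dotted notation such as '1.3.6.1.2.1.1.1.0' into sub-identifiers."""
    return tuple(int(part) for part in text.split("."))


def mask_bit(mask: bytes, position: int) -> int:
    """Mask bit for the 1-based sub-identifier position.

    The most significant bit of octet i covers sub-identifier 8*i-7 and its
    least significant bit covers 8*i; positions beyond the end of the octet
    string are treated as 1 (the mask is extended with 1's).
    """
    octet_index, bit_offset = divmod(position - 1, 8)
    if octet_index >= len(mask):
        return 1
    return (mask[octet_index] >> (7 - bit_offset)) & 1


def family_matches(family: SubtreeFamily, x: OID) -> bool:
    """X matches when it has at least as many sub-identifiers as the subtree
    and every subtree sub-identifier with mask bit 1 equals the one in X."""
    if len(x) < len(family.subtree):
        return False
    return all(
        mask_bit(family.mask, i) == 0 or x[i - 1] == sub_id
        for i, sub_id in enumerate(family.subtree, start=1)
    )


def in_view(x: OID, view: Iterable[SubtreeFamily]) -> bool:
    """Decide whether object instance X is in the MIB view.

    No matching row: not in the view.  Otherwise the matching row whose
    subtree has the most sub-identifiers decides; among equal lengths the
    lexicographically greatest subtree (the greatest instance in this
    IMPLIED-indexed table) decides by its snmpV3AcSubtreeFamilyType.
    """
    best: Optional[SubtreeFamily] = None
    for fam in view:
        if family_matches(fam, x) and (
            best is None
            or (len(fam.subtree), fam.subtree) > (len(best.subtree), best.subtree)
        ):
            best = fam
    return best is not None and best.family_type == INCLUDED


# Constructed sample views (assumptions, loosely following Appendix A).
# "all": the internet subtree, as in the draft's authenticated view.
VIEW_ALL = [SubtreeFamily(oid("1.3.6.1"))]

# "restricted": system and snmp from MIB-II, with sysLocation hidden and,
# via a wild-carded column sub-identifier, only row 7 of ifTable visible.
VIEW_RESTRICTED = [
    SubtreeFamily(oid("1.3.6.1.2.1.1")),                          # system
    SubtreeFamily(oid("1.3.6.1.2.1.11")),                         # snmp
    SubtreeFamily(oid("1.3.6.1.2.1.1.6"), family_type=EXCLUDED),  # sysLocation
    # ifEntry.<any column>.7: mask FF BF sets bit 10 (the column) to 0
    SubtreeFamily(oid("1.3.6.1.2.1.2.2.1.0.7"), mask=bytes.fromhex("ffbf")),
]

# Two rows of equal length that both match system.*: the wild-carded
# 'excluded' row sorts below the exact 'included' row, so included wins.
VIEW_TIE = [
    SubtreeFamily(oid("1.3.6.1.2.1.0"), mask=bytes.fromhex("fd"),
                  family_type=EXCLUDED),
    SubtreeFamily(oid("1.3.6.1.2.1.1")),
]


if __name__ == "__main__":
    for name, view in (("all", VIEW_ALL), ("restricted", VIEW_RESTRICTED)):
        for inst in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.6.0",
                     "1.3.6.1.2.1.2.2.1.2.7", "1.3.6.1.2.1.2.2.1.2.8"):
            print(f"{name:10s} {inst:24s} {in_view(oid(inst), view)}")
```

The ordering advice in the snmpV3AcViewTable DESCRIPTION (delete 'included' rows before 'excluded' ones) follows directly from in_view: while the sysLocation 'excluded' row above is absent but the system 'included' row is still present, sysLocation.0 is readable, so a manager that removes rows in the wrong order briefly widens the view.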