idnits 2.17.1

draft-ietf-snmpv3-appl-v2-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date. The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents.

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts.

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  == The page length should not exceed 58 lines per page, but there was 1
     longer page, the longest (page 3) being 96 lines

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References. All references will be assumed normative when checking for
     downward references.

  ** The abstract seems to contain references ([SNMP-ARCH]), which it
     shouldn't. Please replace those with straight textual mentions of the
     documents in question.

  == There are 5 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document. If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 3395 has weird spacing: '...tyLevel auth...'

  == Line 3396 has weird spacing: '...tDomain snmp...'

  == Line 3402 has weird spacing: '...tyLevel auth...'

  == Line 3405 has weird spacing: '...tDomain snmp...'

  == Line 3418 has weird spacing: '...for the purpo...'

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (21 January 1999) is 9227 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC1157' is defined on line 3216, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC1213' is defined on line 3222, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC1902' is defined on line 3228, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC1903' is defined on line 3235, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC1908' is defined on line 3256, but no explicit
     reference was found in the text

  == Unused Reference: 'SNMP-MPD' is defined on line 3272, but no explicit
     reference was found in the text

  == Unused Reference: 'SNMP-ACM' is defined on line 3278, but no explicit
     reference was found in the text

  == Outdated reference: A later version (-07) exists of
     draft-ietf-snmpv3-coex-03

  ** Downref: Normative reference to an Historic RFC: RFC 1157

  ** Obsolete normative reference: RFC 1902 (Obsoleted by RFC 2578)

  ** Obsolete normative reference: RFC 1903 (Obsoleted by RFC 2579)

  ** Obsolete normative reference: RFC 1905 (Obsoleted by RFC 3416)

  -- Duplicate reference: RFC1905, mentioned in 'RFC1907', was also mentioned
     in 'RFC1905'.

  ** Obsolete normative reference: RFC 1905 (ref. 'RFC1907') (Obsoleted by
     RFC 3416)

  -- Duplicate reference: RFC1905, mentioned in 'RFC1908', was also mentioned
     in 'RFC1907'.

  ** Obsolete normative reference: RFC 1905 (ref. 'RFC1908') (Obsoleted by
     RFC 3416)

  == Outdated reference: A later version (-05) exists of
     draft-ietf-snmpv3-arch-03

  == Outdated reference: A later version (-05) exists of
     draft-ietf-snmpv3-mpc-03

  == Outdated reference: A later version (-04) exists of
     draft-ietf-snmpv3-vacm-03

  == Outdated reference: A later version (-03) exists of
     draft-ietf-snmpv3-appl-v2-02

     Summary: 15 errors (**), 0 flaws (~~), 20 warnings (==), 4 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Internet Draft              SNMP Applications              November 1998

INTERNET-DRAFT                                             David B. Levi
                                                     SNMP Research, Inc.
                                                              Paul Meyer
                                            Secure Computing Corporation
                                                             Bob Stewart
                                                           Cisco Systems
                                                         21 January 1999

                           SNMP Applications

Status of this Memo

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
   ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

Copyright Notice

   Copyright (C) The Internet Society (date). All Rights Reserved.

Abstract

   This memo describes five types of SNMP applications which make use of
   an SNMP engine as described in [SNMP-ARCH].
   The types of application described are Command Generators, Command
   Responders, Notification Originators, Notification Receivers, and
   Proxy Forwarders.

   This memo also defines MIB modules for specifying targets of
   management operations, for notification filtering, and for proxy
   forwarding.

   This memo will obsolete RFC2273.

Table Of Contents

   1 Overview
   1.1 Command Generator Applications
   1.2 Command Responder Applications
   1.3 Notification Originator Applications
   1.4 Notification Receiver Applications
   1.5 Proxy Forwarder Applications
   2 Management Targets
   3 Elements Of Procedure
   3.1 Command Generator Applications
   3.2 Command Responder Applications
   3.3 Notification Originator Applications
   3.4 Notification Receiver Applications
   3.5 Proxy Forwarder Applications
   3.5.1 Request Forwarding
   3.5.1.1 Processing an Incoming Request
   3.5.1.2 Processing an Incoming Response
   3.5.1.3 Processing an Incoming Internal-Class PDU
   3.5.2 Notification Forwarding
   4 The Structure of the MIB Modules
   4.1 The Management Target MIB Module
   4.1.1 Tag Lists
   4.1.2 Definitions
   4.2 The Notification MIB Module
   4.2.1 Definitions
   4.3 The Proxy MIB Module
   4.3.1 Definitions
   5 Identification of Management Targets in Notification Originators
   6 Notification Filtering
   7 Management Target Translation in Proxy Forwarder Applications
   7.1 Management Target Translation for Request Forwarding
   7.2 Management Target Translation for Notification Forwarding
   8 Intellectual Property
   9 Acknowledgments
   10 Security Considerations
   11 References
   12 Editor's Address
   A. Trap Configuration Example
   B. Full Copyright Statement

1.  Overview

   This document describes five types of SNMP applications:

      - Applications which initiate SNMP Read-Class, and/or Write-
        Class requests, called 'command generators.'

      - Applications which respond to SNMP Read-Class, and/or Write-
        Class requests, called 'command responders.'

      - Applications which generate SNMP Notification-Class PDUs,
        called 'notification originators.'

      - Applications which receive SNMP Notification-Class PDUs,
        called 'notification receivers.'

      - Applications which forward SNMP messages, called 'proxy
        forwarders.'

   Note that there are no restrictions on which types of applications
   may be associated with a particular SNMP engine.
   For example, a single SNMP engine may, in fact, be associated with
   both command generator and command responder applications.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.1.  Command Generator Applications

   A command generator application initiates SNMP Read-Class and/or
   Write-Class requests, as well as processing the response to a request
   which it generated.

1.2.  Command Responder Applications

   A command responder application receives SNMP Read-Class and/or
   Write-Class requests destined for the local system as indicated by
   the fact that the contextEngineID in the received request is equal to
   that of the local engine through which the request was received. The
   command responder application will perform the appropriate protocol
   operation, using access control, and will generate a response message
   to be sent to the request's originator.

1.3.  Notification Originator Applications

   A notification originator application conceptually monitors a system
   for particular events or conditions, and generates Notification-Class
   messages based on these events or conditions. A notification
   originator must have a mechanism for determining where to send
   messages, and what SNMP version and security parameters to use when
   sending messages. A mechanism and MIB module for this purpose is
   provided in this document. Note that Notification-Class PDUs
   generated by a notification originator may be either Confirmed-Class
   or Unconfirmed-Class PDU types.

1.4.  Notification Receiver Applications

   A notification receiver application listens for notification
   messages, and generates response messages when a message containing a
   Confirmed-Class PDU is received.

1.5.  Proxy Forwarder Applications

   A proxy forwarder application forwards SNMP messages. Note that
   implementation of a proxy forwarder application is optional. The
   sections describing proxy (4.5, 5.3, and 8) may be skipped for
   implementations that do not include a proxy forwarder application.

   The term "proxy" has historically been used very loosely, with
   multiple different meanings. These different meanings include (among
   others):

   (1)   the forwarding of SNMP requests to other SNMP entities without
         regard for what managed object types are being accessed; for
         example, in order to forward an SNMP request from one transport
         domain to another, or to translate SNMP requests of one version
         into SNMP requests of another version;

   (2)   the translation of SNMP requests into operations of some non-SNMP
         management protocol; and

   (3)   support for aggregated managed objects where the value of one
         managed object instance depends upon the values of multiple other
         (remote) items of management information.

   Each of these scenarios can be advantageous; for example, support for
   aggregation of management information can significantly reduce the
   bandwidth requirements of large-scale management activities.

   However, using a single term to cover multiple different scenarios
   causes confusion.

   To avoid such confusion, this document uses the term "proxy" with a
   much more tightly defined meaning. The term "proxy" is used in this
   document to refer to a proxy forwarder application which forwards
   SNMP messages without regard for what managed objects are
   contained within those messages. This definition is most closely
   related to the first definition above. Note, however, that in the
   SNMP architecture [SNMP-ARCH], a proxy forwarder is actually an
   application, and need not be associated with what is traditionally
   thought of as an SNMP agent.

   Specifically, the distinction between a traditional SNMP agent and a
   proxy forwarder application is simple:

      - a proxy forwarder application forwards SNMP messages to other
        SNMP engines according to the context, and irrespective of the
        specific managed object types being accessed, and forwards the
        response to such previously forwarded messages back to the
        SNMP engine from which the original message was received;

      - in contrast, the command responder application that is part of
        what is traditionally thought of as an SNMP agent, and which
        processes SNMP requests according to the (names of the)
        individual managed object types and instances being accessed,
        is NOT a proxy forwarder application from the perspective of
        this document.

   Thus, when a proxy forwarder application forwards a request or
   notification for a particular contextEngineID / contextName pair, not
   only is the information on how to forward the request specifically
   associated with that context, but the proxy forwarder application has
   no need of a detailed definition of a MIB view (since the proxy
   forwarder application forwards the request irrespective of the
   managed object types).

   In contrast, a command responder application must have the detailed
   definition of the MIB view, and even if it needs to issue requests to
   other entities, via SNMP or otherwise, that need is dependent on the
   individual managed object instances being accessed (i.e., not only on
   the context).

   Note that it is a design goal of a proxy forwarder application to act
   as an intermediary between the endpoints of a transaction. In
   particular, when forwarding Confirmed Notification-Class messages,
   the associated response is forwarded when it is received from the
   target to which the Notification-Class message was forwarded, rather
   than generating a response immediately when the Notification-Class
   message is received.

2.  Management Targets

   Some types of applications (notification generators and proxy
   forwarders in particular) require a mechanism for determining where
   and how to send generated messages. This document provides a
   mechanism and MIB module for this purpose. The set of information
   that describes where and how to send a message is called a
   'Management Target', and consists of two kinds of information:

      - Destination information, consisting of a transport domain and
        a transport address. This is also termed a transport
        endpoint.

      - SNMP parameters, consisting of message processing model,
        security model, security level, and security name information.

   The SNMP-TARGET-MIB module described later in this document contains
   one table for each of these types of information. There can be a
   many-to-many relationship in the MIB between these two types of
   information. That is, there may be multiple transport endpoints
   associated with a particular set of SNMP parameters, or a particular
   transport endpoint may be associated with several sets of SNMP
   parameters.

3.  Elements Of Procedure

   The following sections describe the procedures followed by each type
   of application when generating messages for transmission or when
   processing received messages. Applications communicate with the
   Dispatcher using the abstract service interfaces defined in
   [SNMP-ARCH].

3.1.  Command Generator Applications

   A command generator initiates an SNMP request by calling the
   Dispatcher using the following abstract service interface:

   statusInformation =              -- sendPduHandle if success
                                    -- errorIndication if failure
     sendPdu(
     IN   transportDomain           -- transport domain to be used
     IN   transportAddress          -- destination network address
     IN   messageProcessingModel    -- typically, SNMP version
     IN   securityModel             -- Security Model to use
     IN   securityName              -- on behalf of this principal
     IN   securityLevel             -- Level of Security requested
     IN   contextEngineID           -- data from/at this entity
     IN   contextName               -- data from/in this context
     IN   pduVersion                -- the version of the PDU
     IN   PDU                       -- SNMP Protocol Data Unit
     IN   expectResponse            -- TRUE or FALSE
          )

   Where:

      - The transportDomain is that of the destination of the message.

      - The transportAddress is that of the destination of the
        message.

      - The messageProcessingModel indicates which Message Processing
        Model the application wishes to use.

      - The securityModel is the security model that the application
        wishes to use.

      - The securityName is the security model independent name for
        the principal on whose behalf the application wishes the
        message to be generated.

      - The securityLevel is the security level that the application
        wishes to use.

      - The contextEngineID is provided by the command generator if it
        wishes to explicitly specify the location of the management
        information it is requesting.

      - The contextName is provided by the command generator if it
        wishes to explicitly specify the local context name for the
        management information it is requesting.

      - The pduVersion indicates the version of the PDU to be sent.

      - The PDU is a value constructed by the command generator
        containing the management operation that the command generator
        wishes to perform.

      - The expectResponse argument indicates that a response is
        expected.

   The result of the sendPdu interface indicates whether the PDU was
   successfully sent. If it was successfully sent, the returned value
   will be a sendPduHandle. The command generator should store the
   sendPduHandle so that it can correlate a response to the original
   request.

   The Dispatcher is responsible for delivering the response to a
   particular request to the correct command generator application. The
   abstract service interface used is:

   processResponsePdu(              -- process Response PDU
     IN   messageProcessingModel    -- typically, SNMP version
     IN   securityModel             -- Security Model in use
     IN   securityName              -- on behalf of this principal
     IN   securityLevel             -- Level of Security
     IN   contextEngineID           -- data from/at this SNMP entity
     IN   contextName               -- data from/in this context
     IN   pduVersion                -- the version of the PDU
     IN   PDU                       -- SNMP Protocol Data Unit
     IN   statusInformation         -- success or errorIndication
     IN   sendPduHandle             -- handle from sendPdu
          )

   Where:

      - The messageProcessingModel is the value from the received
        response.

      - The securityModel is the value from the received response.

      - The securityName is the value from the received response.

      - The securityLevel is the value from the received response.

      - The contextEngineID is the value from the received response.

      - The contextName is the value from the received response.

      - The pduVersion indicates the version of the PDU in the
        received response.

      - The PDU is the value from the received response.

      - The statusInformation indicates success or failure in
        receiving the response.

      - The sendPduHandle is the value returned by the sendPdu call
        which generated the original request to which this is a
        response.

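   Added example (not part of the draft): a Python sketch of how a
   command generator can use the stored sendPduHandle to correlate a
   response, applying the discard checks of steps (1) and (2) of this
   section's procedure for received messages. The class, field and
   outcome names and the sample values are hypothetical, and three
   behaviours are assumptions of the example: a response whose handle
   has no outstanding request is dropped, a request stays pending after
   a mismatched response, and the handle is retired once a response is
   delivered.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# The six values step (1) compares. securityLevel is also passed to
# processResponsePdu, but it is not in the list step (1) gives.
MATCH_FIELDS = ("messageProcessingModel", "securityModel", "securityName",
                "contextEngineID", "contextName", "pduVersion")


@dataclass(frozen=True)
class Pdu:
    """The fields step (2) extracts from a PDU (simplified)."""
    pdu_type: str
    request_id: int
    error_status: int = 0
    error_index: int = 0
    varbinds: Tuple[Tuple[str, object], ...] = ()


@dataclass
class PendingRequest:
    params: Dict[str, object]   # the MATCH_FIELDS values given to sendPdu
    request_id: int


class CommandGenerator:
    """Tracks outstanding requests by the sendPduHandle sendPdu returned."""

    def __init__(self) -> None:
        self.pending: Dict[int, PendingRequest] = {}

    def record_request(self, send_pdu_handle: int,
                       params: Dict[str, object], pdu: Pdu) -> None:
        # Store exactly what was sent so the response can be compared later.
        self.pending[send_pdu_handle] = PendingRequest(
            {name: params[name] for name in MATCH_FIELDS}, pdu.request_id)

    def process_response_pdu(self, params: Dict[str, object], pdu: Pdu,
                             send_pdu_handle: int) -> Tuple[str, object]:
        """Return ("deliver", pdu) or ("discard", reason)."""
        request = self.pending.get(send_pdu_handle)
        if request is None:
            # Assumption of this example: no outstanding request, so drop.
            return ("discard", "unknown sendPduHandle")
        # Step (1): every compared value must equal the one originally used.
        for name in MATCH_FIELDS:
            if params.get(name) != request.params[name]:
                return ("discard", name + " mismatch")
        # Step (2): the request-id must match as well.
        if pdu.request_id != request.request_id:
            return ("discard", "request-id mismatch")
        # Assumption of this example: retire the handle on delivery so a
        # repeated copy of the same response is not delivered twice.
        del self.pending[send_pdu_handle]
        return ("deliver", pdu)


def demo():
    """Constructed exchange: three responses are dropped, one delivered."""
    gen = CommandGenerator()
    sent = {"messageProcessingModel": 3, "securityModel": 3,
            "securityName": "ops", "contextEngineID": "80001f8880aa",
            "contextName": "", "pduVersion": "SNMPv2"}
    gen.record_request(7, sent, Pdu("get", 1001))
    other_principal = dict(sent, securityName="guest")
    return [
        gen.process_response_pdu(other_principal, Pdu("response", 1001), 7)[1],
        gen.process_response_pdu(sent, Pdu("response", 999), 7)[1],
        gen.process_response_pdu(sent, Pdu("response", 1001), 7)[0],
        gen.process_response_pdu(sent, Pdu("response", 1001), 7)[1],
    ]
```
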
   The procedure when a command generator receives a message is as
   follows:

   (1)  If the received values of messageProcessingModel, securityModel,
        securityName, contextEngineID, contextName, and pduVersion are not
        all equal to the values used in the original request, the response
        is discarded.

   (2)  The operation type, request-id, error-status, error-index, and
        variable-bindings are extracted from the PDU and saved. If the
        request-id is not equal to the value used in the original request,
        the response is discarded.

   (3)  At this point, it is up to the application to take an appropriate
        action. The specific action is implementation dependent. If the
        statusInformation indicates that the request failed, an appropriate
        action might be to attempt to transmit the request again, or to
        notify the person operating the application that a failure
        occurred.

3.2.  Command Responder Applications

   Before a command responder application can process messages, it must
   first associate itself with an SNMP engine. The abstract service
   interface used for this purpose is:

   statusInformation =              -- success or errorIndication
     registerContextEngineID(
     IN   contextEngineID           -- take responsibility for this one
     IN   pduType                   -- the pduType(s) to be registered
          )

   Where:

      - The statusInformation indicates success or failure of the
        registration attempt.

      - The contextEngineID is equal to the snmpEngineID of the SNMP
        engine with which the command responder is registering.

      - The pduType indicates a Read-Class and/or Write-Class PDU.

   Note that if another command responder application is already
   registered with an SNMP engine, any further attempts to register with
   the same contextEngineID and pduType will be denied. This implies
   that separate command responder applications could register
   separately for the various pdu types.
   However, in practice this is undesirable, and only a single command
   responder application should be registered with an SNMP engine at any
   given time.

   A command responder application can disassociate with an SNMP engine
   using the following abstract service interface:

   unregisterContextEngineID(
     IN   contextEngineID           -- give up responsibility for this one
     IN   pduType                   -- the pduType(s) to be unregistered
          )

   Where:

      - The contextEngineID is equal to the snmpEngineID of the SNMP
        engine with which the command responder is cancelling the
        registration.

      - The pduType indicates a Read-Class and/or Write-Class PDU.

   Once the command responder has registered with the SNMP engine, it
   waits to receive SNMP messages. The abstract service interface used
   for receiving messages is:

   processPdu(                      -- process Request/Notification PDU
     IN   messageProcessingModel    -- typically, SNMP version
     IN   securityModel             -- Security Model in use
     IN   securityName              -- on behalf of this principal
     IN   securityLevel             -- Level of Security
     IN   contextEngineID           -- data from/at this SNMP entity
     IN   contextName               -- data from/in this context
     IN   pduVersion                -- the version of the PDU
     IN   PDU                       -- SNMP Protocol Data Unit
     IN   maxSizeResponseScopedPDU  -- maximum size of the Response PDU
     IN   stateReference            -- reference to state information
          )                         -- needed when sending a response

   Where:

      - The messageProcessingModel indicates which Message Processing
        Model received and processed the message.

      - The securityModel is the value from the received message.

      - The securityName is the value from the received message.

      - The securityLevel is the value from the received message.

      - The contextEngineID is the value from the received message.

      - The contextName is the value from the received message.

      - The pduVersion indicates the version of the PDU in the
        received message.

      - The PDU is the value from the received message.

      - The maxSizeResponseScopedPDU is the maximum allowable size of
        a ScopedPDU containing a Response PDU (based on the maximum
        message size that the originator of the message can accept).

      - The stateReference is a value which references cached
        information about each received request message. This value
        must be returned to the Dispatcher in order to generate a
        response.

   The procedure when a message is received is as follows.

   (1)  The operation type is determined from the ASN.1 tag value
        associated with the PDU parameter. The operation type should
        always be one of the types previously registered by the
        application.

   (2)  The request-id is extracted from the PDU and saved.

   (3)  Any PDU type specific parameters are extracted from the PDU and
        saved (for example, if the PDU type is an SNMPv2 GetBulk PDU, the
        non-repeaters and max-repetitions values are extracted).

   (4)  The variable-bindings are extracted from the PDU and saved.

   (5)  The management operation represented by the PDU type is performed
        with respect to the relevant MIB view within the context named by
        the contextName (for an SNMPv2 PDU type, the operation is performed
        according to the procedures set forth in [RFC1905]). The relevant
        MIB view is determined by the securityLevel, securityModel,
        contextName, securityName, and the class of the PDU type.
        To determine whether a particular object instance is within the
        relevant MIB view, the following abstract service interface is
        called:

        statusInformation =              -- success or errorIndication
          isAccessAllowed(
          IN   securityModel             -- Security Model in use
          IN   securityName              -- principal who wants to access
          IN   securityLevel             -- Level of Security
          IN   viewType                  -- read, write, or notify view
          IN   contextName               -- context containing variableName
          IN   variableName              -- OID for the managed object
               )

        Where:

        - The securityModel is the value from the received message.

        - The securityName is the value from the received message.

        - The securityLevel is the value from the received message.

        - The viewType indicates whether the PDU type is a Read-Class or
          Write-Class operation.

        - The contextName is the value from the received message.

        - The variableName is the object instance of the variable for
          which access rights are to be checked.

        Normally, the result of the management operation will be a new PDU
        value, and processing will continue in step (6) below. However, at
        any time during the processing of the management operation:

        - If the isAccessAllowed ASI returns a noSuchView,
          noAccessEntry, or noGroupName error, processing of the
          management operation is halted, a PDU value is constructed
          using the values from the originally received PDU, but
          replacing the error_status with an authorizationError code,
          and error_index value of 0, and control is passed to step (6)
          below.

        - If the isAccessAllowed ASI returns an otherError, processing
          of the management operation is halted, a different PDU value
          is constructed using the values from the originally received
          PDU, but replacing the error_status with a genError code, and
          control is passed to step (6) below.

        - If the isAccessAllowed ASI returns a noSuchContext error,
          processing of the management operation is halted, no result
          PDU is generated, the snmpUnknownContexts counter is
          incremented, and control is passed to step (6) below.

        - If the context named by the contextName parameter is
          unavailable, processing of the management operation is halted,
          no result PDU is generated, the snmpUnavailableContexts
          counter is incremented, and control is passed to step (6)
          below.

   (6)  The Dispatcher is called to generate a response or report message.
        The abstract service interface is:

        returnResponsePdu(
          IN   messageProcessingModel    -- typically, SNMP version
          IN   securityModel             -- Security Model in use
          IN   securityName              -- on behalf of this principal
          IN   securityLevel             -- same as on incoming request
          IN   contextEngineID           -- data from/at this SNMP entity
          IN   contextName               -- data from/in this context
          IN   pduVersion                -- the version of the PDU
          IN   PDU                       -- SNMP Protocol Data Unit
          IN   maxSizeResponseScopedPDU  -- maximum size of the Response PDU
          IN   stateReference            -- reference to state information
                                         -- as presented with the request
          IN   statusInformation         -- success or errorIndication
               )                         -- error counter OID/value if error

        Where:

        - The messageProcessingModel is the value from the processPdu
          call.

        - The securityModel is the value from the processPdu call.

        - The securityName is the value from the processPdu call.

        - The securityLevel is the value from the processPdu call.

        - The contextEngineID is the value from the processPdu call.

        - The contextName is the value from the processPdu call.

        - The pduVersion indicates the version of the PDU to be
          returned. If no result PDU was generated, the pduVersion is
          an undefined value.

        - The PDU is the result generated in step (5) above. If no
          result PDU was generated, the PDU is an undefined value.

        - The maxSizeResponseScopedPDU is a local value indicating the
          maximum size of a ScopedPDU that the application can accept.

        - The stateReference is the value from the processPdu call.

        - The statusInformation either contains an indication that no
          error occurred and that a response should be generated, or
          contains an indication that an error occurred along with the
          OID and counter value of the appropriate error counter object.

   Note that a command responder application should always call the
   returnResponsePdu abstract service interface, even in the event of an
   error such as a resource allocation error. In the event of such an
   error, the PDU value passed to returnResponsePdu should contain
   appropriate values for errorStatus and errorIndex.

   Note that the text above describes situations where the
   snmpUnknownContexts counter is incremented, and where the
   snmpUnavailableContexts counter is incremented. The difference
   between these is that the snmpUnknownContexts counter is incremented
   when a request is received for a context which is unknown to the SNMP
   entity. The snmpUnavailableContexts counter is incremented when a
   request is received for a context which is known to the SNMP entity,
   but is currently unavailable. Determining when a context is
   unavailable is implementation specific, and some implementations may
   never encounter this situation, and so may never increment the
   snmpUnavailableContexts counter.

3.3.  Notification Originator Applications

   A notification originator application generates SNMP messages
   containing Notification-Class PDUs (for example, SNMPv2-Trap PDUs or
   Inform PDUs). There is no requirement as to what specific types of
   Notification-Class PDUs a particular implementation must be capable
   of generating.

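   Added example (not part of the draft): step (5) of the command
   responder procedure in section 3.2, reduced to a Get-only Python
   sketch that shows how each isAccessAllowed outcome becomes either an
   error PDU or a counter increment with no PDU, and what is then handed
   to returnResponsePdu in step (6). The class, the constructed access
   policy and the sample MIB values are hypothetical; counter names
   stand in for counter OIDs, error-status numbers are those of
   [RFC1905], and any outcome the section does not name is treated like
   otherError so that the code fails closed (an assumption of the
   example).

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, Tuple

GEN_ERR = 5                 # error-status numbering from RFC 1905
AUTHORIZATION_ERROR = 16
AUTHZ_FAILURES = {"noSuchView", "noAccessEntry", "noGroupName"}

# Constructed sample data, not taken from the draft.
KNOWN_CONTEXTS = {"", "bridge2"}
GROUPS = {"alice"}
SAMPLE_MIB = {"": {"1.3.6.1.2.1.1.5.0": "router1"}, "bridge2": {}}


@dataclass(frozen=True)
class Pdu:
    pdu_type: str           # "get" or "response" in this example
    request_id: int
    varbinds: Tuple[Tuple[str, object], ...]
    error_status: int = 0
    error_index: int = 0


def constructed_access(security_model, security_name, security_level,
                       view_type, context_name, variable_name) -> str:
    """Constructed stand-in for isAccessAllowed (not an access model)."""
    if context_name not in KNOWN_CONTEXTS:
        return "noSuchContext"
    if security_name not in GROUPS:
        return "noGroupName"
    if security_level != "authPriv":
        return "noAccessEntry"
    return "accessAllowed"


class CommandResponder:
    """Get-only responder; is_access_allowed stands in for the ASI."""

    def __init__(self, is_access_allowed: Callable[..., str],
                 mib: Dict[str, Dict[str, object]], unavailable=()):
        self.is_access_allowed = is_access_allowed
        self.mib = mib                        # contextName -> {OID: value}
        self.unavailable = set(unavailable)   # known but unavailable
        self.counters = {"snmpUnknownContexts": 0,
                         "snmpUnavailableContexts": 0}

    def _no_pdu(self, counter: str):
        # No result PDU: increment the counter and report it (name and
        # value) in the statusInformation passed to returnResponsePdu.
        self.counters[counter] += 1
        return None, ("error", counter, self.counters[counter])

    def process_pdu(self, security_model, security_name, security_level,
                    context_name, pdu: Pdu):
        """Step (5): returns (PDU or None, statusInformation) for step (6)."""
        if context_name in self.unavailable:
            return self._no_pdu("snmpUnavailableContexts")
        values = []
        for oid, _ in pdu.varbinds:
            outcome = self.is_access_allowed(
                security_model, security_name, security_level,
                "read", context_name, oid)
            if outcome == "accessAllowed":
                # A missing instance gets RFC 1905's noSuchObject exception.
                context_mib = self.mib.get(context_name, {})
                values.append((oid, context_mib.get(oid, "noSuchObject")))
            elif outcome in AUTHZ_FAILURES:
                # Original values, error_status replaced, error_index 0.
                return replace(pdu, pdu_type="response", error_index=0,
                               error_status=AUTHORIZATION_ERROR), "success"
            elif outcome == "noSuchContext":
                return self._no_pdu("snmpUnknownContexts")
            else:
                # otherError, and (assumption) anything else: fail closed.
                return replace(pdu, pdu_type="response",
                               error_status=GEN_ERR), "success"
        return replace(pdu, pdu_type="response",
                       varbinds=tuple(values)), "success"
```
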
642      Notification originator applications require a mechanism for
643      identifying the management targets to which notifications should be
644      sent. The particular mechanism used is implementation dependent.
645      However, if an implementation makes the configuration of management
646      targets SNMP manageable, it MUST use the SNMP-TARGET-MIB module
647      described in this document.

649      When a notification originator wishes to generate a notification, it
650      must first determine in which context the information to be conveyed
651      in the notification exists, i.e., it must determine the
652      contextEngineID and contextName. It must then determine the set of
653      management targets to which the notification should be sent. The
654      application must also determine, for each management target, what
655      specific PDU type the notification message should contain, and if it
656      is to contain a Confirmed-Class PDU, the number of retries and
657      retransmission algorithm.

659      The mechanism by which a notification originator determines this
660      information is implementation dependent. Once the application has
661      determined this information, the following procedure is performed for
662      each management target:

664      (1) Any appropriate filtering mechanisms are applied to determine
665          whether the notification should be sent to the management target.
666          If such filtering mechanisms determine that the notification should
667          not be sent, processing continues with the next management target.
668          Otherwise,

670      (2) The appropriate set of variable-bindings is retrieved from local
671          MIB instrumentation within the relevant MIB view. The relevant MIB
672          view is determined by the securityLevel, securityModel,
673          contextName, and securityName of the management target. To
674          determine whether a particular object instance is within the
675          relevant MIB view, the isAccessAllowed abstract service interface
676          is used, in the same manner as described in the preceding section.
677          If the statusInformation returned by isAccessAllowed does not
678          indicate accessAllowed, the notification is not sent to the
679          management target.

681      (3) The NOTIFICATION-TYPE OBJECT IDENTIFIER of the notification (this
682          is the value of the element of the variable bindings whose name is
683          snmpTrapOID.0, i.e., the second variable binding) is checked using
684          the isAccessAllowed abstract service interface, using the same
685          parameters used in the preceding step. If the statusInformation
686          returned by isAccessAllowed does not indicate accessAllowed, the
687          notification is not sent to the management target.

689      (4) A PDU is constructed using a locally unique request-id value, a PDU
690          type as determined by the implementation, an error-status and
691          error-index value of 0, and the variable-bindings supplied
692          previously in step (2).

694      (5) If the notification contains an Unconfirmed-Class PDU, the
695          Dispatcher is called using the following abstract service
696          interface:

698          statusInformation =              -- sendPduHandle if success
699                                           -- errorIndication if failure
700            sendPdu(
701            IN   transportDomain           -- transport domain to be used
702            IN   transportAddress          -- destination network address
703            IN   messageProcessingModel    -- typically, SNMP version
704            IN   securityModel             -- Security Model to use
705            IN   securityName              -- on behalf of this principal
706            IN   securityLevel             -- Level of Security requested
707            IN   contextEngineID           -- data from/at this entity
708            IN   contextName               -- data from/in this context
709            IN   pduVersion                -- the version of the PDU
710            IN   PDU                       -- SNMP Protocol Data Unit
711            IN   expectResponse            -- TRUE or FALSE
712                 )

714          Where:

716          - The transportDomain is that of the management target.

718          - The transportAddress is that of the management target.

720          - The messageProcessingModel is that of the management target.

722          - The securityModel is that of the management target.

724          - The securityName is that of the management target.
726          - The securityLevel is that of the management target.

728          - The contextEngineID is the value originally determined for the
729            notification.

731          - The contextName is the value originally determined for the
732            notification.

734          - The pduVersion is the version of the PDU to be sent.

736          - The PDU is the value constructed in step (3) above.

738          - The expectResponse argument indicates that no response is
739            expected.

741          Otherwise,

743      (6) If the notification contains a Confirmed-Class PDU, then:

745          a) The Dispatcher is called using the sendPdu abstract service
746             interface as described in step (4) above, except that the
747             expectResponse argument indicates that a response is expected.

749          b) The application caches information about the management
750             target.

752          c) If a response is received within an appropriate time interval
753             from the transport endpoint of the management target, the
754             notification is considered acknowledged and the cached
755             information is deleted. Otherwise,

757          d) If a response is not received within an appropriate time
758             period, or if a report indication is received, information
759             about the management target is retrieved from the cache, and
760             steps a) through d) are repeated. The number of times these
761             steps are repeated is equal to the previously determined retry
762             count. If this retry count is exceeded, the acknowledgement
763             of the notification is considered to have failed, and
764             processing of the notification for this management target is
765             halted. Note that some report indications might be considered
766             a failure. Such report indications should be interpreted to
767             mean that the acknowledgement of the notification has failed.

769      Responses to Confirmed-Class PDU notifications will be received via
770      the processResponsePdu abstract service interface.
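
The per-target procedure in steps (1) through (6) above, as an added Python sketch that is not part of the draft. Target, is_access_allowed (an OID-subtree view standing in for the isAccessAllowed interface), ScriptedDispatcher and the sample linkDown notification are assumptions constructed for illustration; the acknowledgement is returned synchronously from send_pdu here, whereas the draft delivers it through processResponsePdu.

```python
from dataclasses import dataclass
from itertools import count

SYS_UPTIME_0 = "1.3.6.1.2.1.1.3.0"          # sysUpTime.0, first varbind
SNMP_TRAP_OID_0 = "1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0, second varbind
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"           # linkDown NOTIFICATION-TYPE
request_ids = count(1)                       # locally unique request-id values


@dataclass(frozen=True)
class Target:
    """One management target. Field names are assumptions of this sketch."""
    name: str
    security_name: str
    view: tuple                # OID subtrees visible to this principal
    confirmed: bool = False    # True: Confirmed-Class (Inform), False: trap
    retry_count: int = 0


def is_access_allowed(target, oid):
    """Stand-in for isAccessAllowed: True when oid lies in the target's view.
    The match is on whole sub-identifiers, so 1.3.6.1.2.1.1 does not
    cover 1.3.6.1.2.1.11."""
    return any(oid == sub or oid.startswith(sub + ".") for sub in target.view)


class ScriptedDispatcher:
    """Constructed test double for sendPdu. ack_on maps a target name to the
    attempt number from which a response arrives; absent means never."""

    def __init__(self, ack_on=None):
        self.ack_on = ack_on or {}
        self.sent = []   # (target name, request-id, expectResponse)

    def send_pdu(self, target, pdu, expect_response):
        self.sent.append((target.name, pdu["request-id"], expect_response))
        attempt = sum(1 for entry in self.sent if entry[0] == target.name)
        first_ack = self.ack_on.get(target.name)
        return expect_response and first_ack is not None and attempt >= first_ack


def notify_target(target, varbinds, dispatcher, wanted=lambda t, vbs: True):
    """Run steps (1)-(6) for one target and return the outcome."""
    # (1) Filtering: a rejected notification is skipped for this target.
    if not wanted(target, varbinds):
        return "filtered"
    # (2) Every object instance must be inside the target's MIB view.
    if not all(is_access_allowed(target, name) for name, _ in varbinds):
        return "denied"
    # (3) The notification's own OID (value of snmpTrapOID.0, the second
    #     variable binding) is checked with the same parameters.
    if len(varbinds) < 2 or varbinds[1][0] != SNMP_TRAP_OID_0:
        raise ValueError("second variable binding must be snmpTrapOID.0")
    if not is_access_allowed(target, varbinds[1][1]):
        return "denied"
    # (4) Build the PDU: fresh request-id, error-status and error-index 0.
    pdu = {"request-id": next(request_ids), "error-status": 0,
           "error-index": 0, "varbinds": list(varbinds)}
    # (5) Unconfirmed-Class: one sendPdu call, no response expected.
    if not target.confirmed:
        dispatcher.send_pdu(target, pdu, expect_response=False)
        return "sent"
    # (6) Confirmed-Class: the first send plus retry_count repeats.
    for _ in range(1 + target.retry_count):
        if dispatcher.send_pdu(target, pdu, expect_response=True):
            return "acknowledged"
    return "failed"


def run_sample():
    """Constructed sample: linkDown for ifIndex.3, five targets."""
    varbinds = [(SYS_UPTIME_0, 421337), (SNMP_TRAP_OID_0, LINK_DOWN),
                ("1.3.6.1.2.1.2.2.1.1.3", 3)]
    full = ("1.3.6.1.2.1", "1.3.6.1.6.3.1.1")
    targets = [
        Target("ops", "opsUser", full),
        Target("guest", "guestUser", ("1.3.6.1.2.1.1", "1.3.6.1.6.3.1.1")),
        Target("narrow", "narrowUser", ("1.3.6.1.2.1", "1.3.6.1.6.3.1.1.4")),
        Target("nms", "nmsUser", full, confirmed=True, retry_count=2),
        Target("slow", "slowUser", full, confirmed=True, retry_count=1),
    ]
    dispatcher = ScriptedDispatcher(ack_on={"nms": 3, "slow": 3})
    outcome = {t.name: notify_target(t, varbinds, dispatcher) for t in targets}
    sends = {t.name: sum(1 for s in dispatcher.sent if s[0] == t.name)
             for t in targets}
    return outcome, sends


if __name__ == "__main__":
    print(run_sample())
```

The "guest" target is refused because ifIndex.3 lies outside its view, and "narrow" is refused at step (3) because its view covers snmpTrapOID.0 but not the linkDown identifier itself; in both cases nothing reaches the Dispatcher.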
772      To summarize, the steps that a notification originator follows when
773      determining where to send a notification are:

775          - Determine the targets to which the notification should be
776            sent.

778          - Apply any required filtering to the list of targets.

780          - Determine which targets are authorized to receive the
781            notification.

783   3.4. Notification Receiver Applications

785      Notification receiver applications receive SNMP Notification messages
786      from the Dispatcher. Before any messages can be received, the
787      notification receiver must register with the Dispatcher using the
788      registerContextEngineID abstract service interface. The parameters
789      used are:

791          - The contextEngineID is an undefined 'wildcard' value.
792            Notifications are delivered to a registered notification
793            receiver regardless of the contextEngineID contained in the
794            notification message.

796          - The pduType indicates the type of notifications that the
797            application wishes to receive (for example, SNMPv2-Trap PDUs
798            or Inform PDUs).

800      Once the notification receiver has registered with the Dispatcher,
801      messages are received using the processPdu abstract service
802      interface. Parameters are:

804          - The messageProcessingModel indicates which Message Processing
805            Model received and processed the message.

807          - The securityModel is the value from the received message.

809          - The securityName is the value from the received message.

811          - The securityLevel is the value from the received message.

813          - The contextEngineID is the value from the received message.

815          - The contextName is the value from the received message.

817          - The pduVersion indicates the version of the PDU in the
818            received message.

820          - The PDU is the value from the received message.

822          - The maxSizeResponseScopedPDU is the maximum allowable size of
823            a ScopedPDU containing a Response PDU (based on the maximum
824            message size that the originator of the message can accept).
826          - If the message contains an Unconfirmed-Class PDU, the
827            stateReference is undefined and unused. Otherwise, the
828            stateReference is a value which references cached information
829            about the notification. This value must be returned to the
830            Dispatcher in order to generate a response.

832      When an Unconfirmed-Class PDU is delivered to a notification receiver
833      application, it first extracts the SNMP operation type, request-id,
834      error-status, error-index, and variable-bindings from the PDU. After
835      this, processing depends on the particular implementation.

837      When a Confirmed-Class PDU is received, the notification receiver
838      application follows the following procedure:

840      (1) The PDU type, request-id, error-status, error-index, and variable-
841          bindings are extracted from the PDU.

843      (2) A Response-Class PDU is constructed using the extracted request-id
844          and variable-bindings, and with error-status and error-index both
845          set to 0.

847      (3) The Dispatcher is called to generate a response message using the
848          returnResponsePdu abstract service interface. Parameters are:

850          - The messageProcessingModel is the value from the processPdu
851            call.

853          - The securityModel is the value from the processPdu call.

855          - The securityName is the value from the processPdu call.

857          - The securityLevel is the value from the processPdu call.

859          - The contextEngineID is the value from the processPdu call.

861          - The contextName is the value from the processPdu call.

863          - The pduVersion indicates the version of the PDU to be
864            returned.

866          - The PDU is the result generated in step (2) above.

868          - The maxSizeResponseScopedPDU is a local value indicating the
869            maximum size of a ScopedPDU that the application can accept.

871          - The stateReference is the value from the processPdu call.

873          - The statusInformation indicates that no error occurred and
874            that a response should be generated.

876   3.5. Proxy Forwarder Applications

878      A proxy forwarder application deals with forwarding SNMP messages.
879      There are four basic types of messages which a proxy forwarder
880      application may need to forward. These are grouped according to the
881      class of PDU type contained in a message. The four basic types of
882      messages are:

884          - Those containing Read-Class or Write-Class PDU types (for
885            example, Get, GetNext, GetBulk, and Set PDU types). These
886            deal with requesting or modifying information located within a
887            particular context.

889          - Those containing Notification-Class PDU types (for example,
890            SNMPv2-Trap and Inform PDU types). These deal with
891            notifications concerning information located within a
892            particular context.

894          - Those containing a Response-Class PDU type. Forwarding of
895            Response PDUs always occurs as a result of receiving a
896            response to a previously forwarded message.

898          - Those containing Internal-Class PDU types (for example, a
899            Report PDU). Forwarding of Internal-Class PDU types always
900            occurs as a result of receiving an Internal-Class PDU in
901            response to a previously forwarded message.

903      For the first type, the proxy forwarder's role is to deliver a
904      request for management information to an SNMP engine which is
905      "closer" or "downstream in the path" to the SNMP engine which has
906      access to that information, and to deliver the response containing
907      the information back to the SNMP engine from which the request was
908      received. The context information in a request is used to determine
909      which SNMP engine has access to the requested information, and this
910      is used to determine where and how to forward the request.

912      For the second type, the proxy forwarder's role is to determine which
913      SNMP engines should receive notifications about management
914      information from a particular location. The context information in a
915      notification message determines the location to which the information
916      contained in the notification applies. This is used to determine
917      which SNMP engines should receive notification about this
918      information.

920      For the third type, the proxy forwarder's role is to determine which
921      previously forwarded request or notification (if any) the response
922      matches, and to forward the response back to the initiator of the
923      request or notification.

925      For the fourth type, the proxy forwarder's role is to determine which
926      previously forwarded request or notification (if any) the Internal-
927      Class PDU matches, and to forward the Internal-Class PDU back to the
928      initiator of the request or notification.

930      When forwarding messages, a proxy forwarder application must perform
931      a translation of incoming management target information into outgoing
932      management target information. How this translation is performed is
933      implementation specific. In many cases, this will be driven by a
934      preconfigured translation table. If a proxy forwarder application
935      makes the contents of this table SNMP manageable, it MUST use the
936      SNMP-PROXY-MIB module defined in this document.

938   3.5.1. Request Forwarding

940      There are two phases for request forwarding. First, the incoming
941      request needs to be passed through the proxy application. Then, the
942      resulting response needs to be passed back. These phases are
943      described in the following two sections.

945   3.5.1.1. Processing an Incoming Request

947      A proxy forwarder application that wishes to forward request messages
948      must first register with the Dispatcher using the
949      registerContextEngineID abstract service interface. The proxy
950      forwarder must register each contextEngineID for which it wishes to
951      forward messages, as well as for each pduType. Note that as the
952      configuration of a proxy forwarder is changed, the particular
953      contextEngineID values for which it is forwarding may change. The
954      proxy forwarder should call the registerContextEngineID and
955      unregisterContextEngineID abstract service interfaces as needed to
956      reflect its current configuration.

958      A proxy forwarder application should never attempt to register a
959      value of contextEngineID which is equal to the snmpEngineID of the
960      SNMP engine to which the proxy forwarder is associated.

962      Once the proxy forwarder has registered for the appropriate
963      contextEngineID values, it can start processing messages. The
964      following procedure is used:

966      (1) A message is received using the processPdu abstract service
967          interface. The incoming management target information received
968          from the processPdu interface is translated into outgoing
969          management target information. Note that this translation may vary
970          for different values of contextEngineID and/or contextName. The
971          translation should result in a single management target.

973      (2) If appropriate outgoing management target information cannot be
974          found, the proxy forwarder increments the snmpProxyDrops counter
975          [RFC1907], and then calls the Dispatcher using the
976          returnResponsePdu abstract service interface. Parameters are:

978          - The messageProcessingModel is the value from the processPdu
979            call.

981          - The securityModel is the value from the processPdu call.

983          - The securityName is the value from the processPdu call.

985          - The securityLevel is the value from the processPdu call.

987          - The contextEngineID is the value from the processPdu call.

989          - The contextName is the value from the processPdu call.

991          - The pduVersion is the value from the processPdu call.

993          - The PDU is an undefined value.

995          - The maxSizeResponseScopedPDU is a local value indicating the
996            maximum size of a ScopedPDU that the application can accept.
998          - The stateReference is the value from the processPdu call.

1000         - The statusInformation indicates that an error occurred and
1001           includes the OID and value of the snmpProxyDrops object.

1003         Processing of the message stops at this point. Otherwise,

1005     (3) A new PDU is constructed. A unique value of request-id should be
1006         used in the new PDU (this value will enable a subsequent response
1007         message to be correlated with this request). The remainder of the
1008         new PDU is identical to the received PDU, unless the incoming SNMP
1009         version and the outgoing SNMP version support different PDU
1010         versions, in which case the proxy forwarder may need to perform a
1011         translation on the PDU. (A method for performing such a translation
1012         is described in [COEX].)

1014     (4) The proxy forwarder calls the Dispatcher to generate the forwarded
1015         message, using the sendPdu abstract service interface. The
1016         parameters are:

1018         - The transportDomain is that of the outgoing management target.

1020         - The transportAddress is that of the outgoing management
1021           target.

1023         - The messageProcessingModel is that of the outgoing management
1024           target.

1026         - The securityModel is that of the outgoing management target.

1028         - The securityName is that of the outgoing management target.

1030         - The securityLevel is that of the outgoing management target.

1032         - The contextEngineID is the value originally received.

1034         - The contextName is the value originally received.

1036         - The pduVersion is the version of the PDU to be sent.

1038         - The PDU is the value constructed in step (3) above.

1040         - The expectResponse argument indicates that a response is
1041           expected. If the sendPdu call is unsuccessful, the proxy
1042           forwarder performs the steps described in (2) above.
1043           Otherwise:

1045     (5) The proxy forwarder caches the following information in order to
1046         match an incoming response to the forwarded request:

1048         - The sendPduHandle returned from the call to sendPdu,

1050         - The request-id from the received PDU.

1052         - the contextEngineID,

1054         - the contextName,

1056         - the stateReference,

1058         - the incoming management target information,
1059         - the outgoing management information,

1061         - any other information needed to match an incoming response to
1062           the forwarded request.

1064         If this information cannot be cached (possibly due to a lack of
1065         resources), the proxy forwarder performs the steps described in (2)
1066         above. Otherwise:

1068     (6) Processing of the request stops until a response to the forwarded
1069         request is received, or until an appropriate time interval has
1070         expired. If this time interval expires before a response has been
1071         received, the cached information about this request is removed.

1073  3.5.1.2. Processing an Incoming Response

1075     A proxy forwarder follows the following procedure when an incoming
1076     response is received:

1078     (1) The incoming response is received using the processResponsePdu
1079         interface. The proxy forwarder uses the received parameters to
1080         locate an entry in its cache of pending forwarded requests. This
1081         is done by matching the received parameters with the cached values
1082         of sendPduHandle, contextEngineID, contextName, outgoing management
1083         target information, and the request-id contained in the received
1084         PDU (the proxy forwarder must extract the request-id for this
1085         purpose). If an appropriate cache entry cannot be found,
1086         processing of the response is halted. Otherwise:

1088     (2) The cache information is extracted, and removed from the cache.

1090     (3) A new Response-Class PDU is constructed, using the request-id value
1091         from the original forwarded request (as extracted from the cache).
1092         All other values are identical to those in the received Response-
1093         Class PDU, unless the incoming SNMP version and the outgoing SNMP
1094         version support different PDU versions, in which case the proxy
1095         forwarder may need to perform a translation on the PDU. (A method
1096         for performing such a translation is described in [COEX].)

1098     (4) The proxy forwarder calls the Dispatcher using the
1099         returnResponsePdu abstract service interface. Parameters are:

1101         - The messageProcessingModel indicates the Message Processing
1102           Model by which the original incoming message was processed.

1104         - The securityModel is that of the original incoming management
1105           target extracted from the cache.

1107         - The securityName is that of the original incoming management
1108           target extracted from the cache.

1110         - The securityLevel is that of the original incoming management
1111           target extracted from the cache.

1113         - The contextEngineID is the value extracted from the cache.

1115         - The contextName is the value extracted from the cache.

1117         - The pduVersion indicates the version of the PDU to be
1118           returned.

1120         - The PDU is the (possibly translated) Response PDU.

1122         - The maxSizeResponseScopedPDU is a local value indicating the
1123           maximum size of a ScopedPDU that the application can accept.

1125         - The stateReference is the value extracted from the cache.

1127         - The statusInformation indicates that no error occurred and
1128           that a Response PDU message should be generated.

1130  3.5.1.3. Processing an Incoming Internal-Class PDU

1132     A proxy forwarder follows the following procedure when an incoming
1133     Internal-Class PDU is received:

1135     (1) The incoming Internal-Class PDU is received using the
1136         processResponsePdu interface. The proxy forwarder uses the
1137         received parameters to locate an entry in its cache of pending
1138         forwarded requests. This is done by matching the received
1139         parameters with the cached values of sendPduHandle. If an
1140         appropriate cache entry cannot be found, processing of the
1141         Internal-Class PDU is halted. Otherwise:

1143     (2) The cache information is extracted, and removed from the cache.

1145     (3) If the original incoming management target information indicates an
1146         SNMP version which does not support Report PDUs, processing of the
1147         Internal-Class PDU is halted.

1149     (4) The proxy forwarder calls the Dispatcher using the
1150         returnResponsePdu abstract service interface. Parameters are:

1152         - The messageProcessingModel indicates the Message Processing
1153           Model by which the original incoming message was processed.

1155         - The securityModel is that of the original incoming management
1156           target extracted from the cache.

1158         - The securityName is that of the original incoming management
1159           target extracted from the cache.

1161         - The securityLevel is that of the original incoming management
1162           target extracted from the cache.

1164         - The contextEngineID is the value extracted from the cache.

1166         - The contextName is the value extracted from the cache.

1168         - The pduVersion indicates the version of the PDU to be
1169           returned.

1171         - The PDU is unused.

1173         - The maxSizeResponseScopedPDU is a local value indicating the
1174           maximum size of a ScopedPDU that the application can accept.

1176         - The stateReference is the value extracted from the cache.

1178         - The statusInformation contains values specific to the
1179           Internal-Class PDU type (for example, for a Report PDU, the
1180           statusInformation contains the contextEngineID, contextName,
1181           counter OID, and counter value received in the incoming Report
1182           PDU).

1184  3.5.2. Notification Forwarding

1186     A proxy forwarder receives notifications in the same manner as a
1187     notification receiver application, using the processPdu abstract
1188     service interface. The following procedure is used when a
1189     notification is received:

1191     (1) The incoming management target information received from the
1192         processPdu interface is translated into outgoing management target
1193         information. Note that this translation may vary for different
1194         values of contextEngineID and/or contextName. The translation may
1195         result in multiple management targets.

1197     (2) If appropriate outgoing management target information cannot be
1198         found and the notification was an Unconfirmed-Class PDU, processing
1199         of the notification is halted. If appropriate outgoing management
1200         target information cannot be found and the notification was a
1201         Confirmed-Class PDU, the proxy forwarder increments the
1202         snmpProxyDrops object, and calls the Dispatcher using the
1203         returnResponsePdu abstract service interface. The parameters are:

1205         - The messageProcessingModel is the received value.

1207         - The securityModel is the received value.

1209         - The securityName is the received value.

1211         - The securityLevel is the received value.

1213         - The contextEngineID is the received value.

1215         - The contextName is the received value.

1217         - The pduVersion is the received value.

1219         - The PDU is an undefined and unused value.

1221         - The maxSizeResponseScopedPDU is a local value indicating the
1222           maximum size of a ScopedPDU that the application can accept.

1224         - The stateReference is the received value.

1226         - The statusInformation indicates that an error occurred and
1227           that a Report message should be generated.

1229         Processing of the message stops at this point. Otherwise,

1231     (3) The proxy forwarder generates a notification using the procedures
1232         described in the preceding section on Notification Originators,
1233         with the following exceptions:

1235         - The contextEngineID and contextName values from the original
1236           received notification are used.

1238         - The outgoing management targets previously determined are
1239           used.
1241         - No filtering mechanisms are applied.

1243         - The variable-bindings from the original received notification
1244           are used, rather than retrieving variable-bindings from local
1245           MIB instrumentation. In particular, no access-control is
1246           applied to these variable-bindings.

1248         - If the original notification contains a Confirmed-Class PDU,
1249           then any outgoing management targets, for which the outgoing
1250           SNMP version does not support any PDU types which are both
1251           Notification-Class and Confirmed-Class PDUs, will not be used
1252           when generating the forwarded notifications.

1254         - If, for any of the outgoing management targets, the incoming
1255           SNMP version and the outgoing SNMP version support different
1256           PDU versions, the proxy forwarder may need to perform a
1257           translation on the PDU. (A method for performing such a
1258           translation is described in [COEX].)

1260     (4) If the original received notification contains an Unconfirmed-Class
1261         PDU, processing of the notification is now completed. Otherwise,
1262         the original received notification must contain a Confirmed-Class
1263         PDU, and processing continues.

1265     (5) If the forwarded notifications included any Confirmed-Class PDUs,
1266         processing continues when the procedures described in the section
1267         for Notification Originators determine that either:

1269         - None of the generated notifications containing Confirmed-Class
1270           PDUs have been successfully acknowledged within the longest of
1271           the time intervals, in which case processing of the original
1272           notification is halted, or,

1274         - At least one of the generated notifications containing
1275           Confirmed-Class PDUs is successfully acknowledged, in which
1276           case a response to the original received notification
1277           containing a Confirmed-Class PDU is generated as described in
1278           the following steps.
1280     (6) A Response-Class PDU is constructed, using the values of request-id
1281         and variable-bindings from the original received Notification-Class
1282         PDU, and error-status and error-index values of 0.

1284     (7) The Dispatcher is called using the returnResponsePdu abstract
1285         service interface. Parameters are:

1287         - The messageProcessingModel is the originally received value.

1289         - The securityModel is the originally received value.

1291         - The securityName is the originally received value.

1293         - The securityLevel is the originally received value.

1295         - The contextEngineID is the originally received value.

1297         - The contextName is the originally received value.

1299         - The pduVersion indicates the version of the PDU constructed in
1300           step (6) above.

1302         - The PDU is the value constructed in step (6) above.

1304         - The maxSizeResponseScopedPDU is a local value indicating the
1305           maximum size of a ScopedPDU that the application can accept.

1307         - The stateReference is the originally received value.

1309         - The statusInformation indicates that no error occurred and
1310           that a Response-Class PDU message should be generated.

1312  4. The Structure of the MIB Modules

1314     There are three separate MIB modules described in this document, the
1315     management target MIB, the notification MIB, and the proxy MIB. The
1316     following sections describe the structure of these three MIB modules.

1318     The use of these MIBs by particular types of applications is
1319     described later in this document:

1321         - The use of the management target MIB and the notification MIB
1322           in notification originator applications is described in
1323           section 6.

1325         - The use of the notification MIB for filtering notifications in
1326           notification originator applications is described in section
1327           7.

1329         - The use of the management target MIB and the proxy MIB in
1330           proxy forwarding applications is described in section 8.

1332  4.1. The Management Target MIB Module

1334     The SNMP-TARGET-MIB module contains objects for defining management
1335     targets. It consists of two tables and conformance/compliance
1336     statements.

1338     The first table, the snmpTargetAddrTable, contains information about
1339     transport domains and addresses. It also contains an object,
1340     snmpTargetAddrTagList, which provides a mechanism for grouping
1341     entries.

1343     The second table, the snmpTargetParamsTable, contains information
1344     about SNMP version and security information to be used when sending
1345     messages to particular transport domains and addresses.

1347     The Management Target MIB is intended to provide a general-purpose
1348     mechanism for specifying transport address, and for specifying
1349     parameters of SNMP messages generated by an SNMP entity. It is used
1350     within this document for generation of notifications and for proxy
1351     forwarding. However, it may be used for other purposes. If another
1352     document makes use of this MIB, that document is responsible for
1353     specifying how it is used. For example, [COEX] uses this MIB for
1354     source address validation of SNMPv1 messages.

1356  4.1.1. Tag Lists

1358     The snmpTargetAddrTagList object is used for grouping entries in the
1359     snmpTargetAddrTable. The value of this object contains a list of tag
1360     values which are used to select target addresses to be used for a
1361     particular operation.

1363     A tag value, which may also be used in MIB objects other than
1364     snmpTargetAddrTagList, is an arbitrary string of octets, but may not
1365     contain a delimiter character. Delimiter characters are defined to
1366     be one of the following characters:

1368         - An ASCII space character (0x20).

1370         - An ASCII TAB character (0x09).

1372         - An ASCII carriage return (CR) character (0x0D).

1374         - An ASCII line feed (LF) character (0x0B).

1376     In addition, a tag value may not have a zero length. Generally, a
1377     particular MIB object may contain either

1379         - a single tag value, in which case the value of the MIB object
1380           may not contain a delimiter character, or:

1382         - a MIB object may contain a list of tag values, separated by
1383           single delimiter characters.

1385     For a list of tag values, these constraints imply certain
1386     restrictions on the value of a MIB object:

1388         - There cannot be a leading or trailing delimiter character.

1390         - There cannot be multiple adjacent delimiter characters.

1392  4.1.2. Definitions

1394     SNMP-TARGET-MIB DEFINITIONS ::= BEGIN

1396     IMPORTS
1397         MODULE-IDENTITY,
1398         OBJECT-TYPE,
1399         snmpModules,
1400         Counter32,
1401         Integer32
1402             FROM SNMPv2-SMI

1404         TEXTUAL-CONVENTION,
1405         TDomain,
1406         TAddress,
1407         TimeInterval,
1408         RowStatus,
1409         StorageType,
1410         TestAndIncr
1411             FROM SNMPv2-TC

1413         SnmpSecurityModel,
1414         SnmpMessageProcessingModel,
1415         SnmpSecurityLevel,
1416         SnmpAdminString
1417             FROM SNMP-FRAMEWORK-MIB

1419         MODULE-COMPLIANCE,
1420         OBJECT-GROUP
1421             FROM SNMPv2-CONF;

1423     snmpTargetMIB MODULE-IDENTITY
1424         LAST-UPDATED "9808040000Z"
1425         ORGANIZATION "IETF SNMPv3 Working Group"
1426         CONTACT-INFO
1427             "WG-email:   snmpv3@tis.com
1428              Subscribe:  majordomo@tis.com
1429                          In message body:  subscribe snmpv3

1431              Chair:      Russ Mundy
1432                          Trusted Information Systems
1433              Postal:     3060 Washington Rd
1434                          Glenwood MD 21738
1435                          USA
1436              EMail:      mundy@tis.com
1437              Phone:      +1-301-854-6889

1439              Co-editor:  David B. Levi
1440                          SNMP Research, Inc.
1441              Postal:     3001 Kimberlin Heights Road
1442                          Knoxville, TN 37920-9716
1443              EMail:      levi@snmp.com
1444              Phone:      +1 423 573 1434

1446              Co-editor:  Paul Meyer
1447                          Secure Computing Corporation
1448              Postal:     2675 Long Lake Road
1449                          Roseville, MN 55113
1450              EMail:      paul_meyer@securecomputing.com
1451              Phone:      +1 651 628 1592

1453              Co-editor:  Bob Stewart
1454                          Cisco Systems, Inc.
            Postal:     170 West Tasman Drive
                        San Jose, CA 95134-1706
            EMail:      bstewart@cisco.com
            Phone:      +1 603 654 2686"
       DESCRIPTION
           "This MIB module defines MIB objects which provide
            mechanisms to remotely configure the parameters used
            by an SNMP entity for the generation of SNMP messages."
       REVISION    "9808040000Z"
       DESCRIPTION "Clarifications, published as
                    draft-ietf-snmpv3-appl-v2-01.txt."
       REVISION    "9707140000Z"
       DESCRIPTION "The initial revision, published as RFC2273."
       ::= { snmpModules 12 }

   snmpTargetObjects       OBJECT IDENTIFIER ::= { snmpTargetMIB 1 }
   snmpTargetConformance   OBJECT IDENTIFIER ::= { snmpTargetMIB 3 }

   SnmpTagValue ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "255a"
       STATUS       current
       DESCRIPTION
           "An octet string containing a tag value.
            Tag values are preferably in human-readable form.

            To facilitate internationalization, this information
            is represented using the ISO/IEC IS 10646-1 character
            set, encoded as an octet string using the UTF-8
            character encoding scheme described in RFC 2279.

            Since additional code points are added by amendments
            to the 10646 standard from time to time,
            implementations must be prepared to encounter any code
            point from 0x00000000 to 0x7fffffff.

            The use of control codes should be avoided, and certain
            control codes are not allowed as described below.

            For code points not directly supported by user
            interface hardware or software, an alternative means
            of entry and display, such as hexadecimal, may be
            provided.

            For information encoded in 7-bit US-ASCII, the UTF-8
            representation is identical to the US-ASCII encoding.
            Note that when this TC is used for an object that
            is used or envisioned to be used as an index, then a
            SIZE restriction must be specified so that the number
            of sub-identifiers for any object instance does not
            exceed the limit of 128, as defined by [RFC1905].

            An object of this type contains a single tag value
            which is used to select a set of entries in a table.

            A tag value is an arbitrary string of octets, but
            may not contain a delimiter character. Delimiter
            characters are defined to be one of the following:

                - An ASCII space character (0x20).

                - An ASCII TAB character (0x09).

                - An ASCII carriage return (CR) character (0x0D).

                - An ASCII line feed (LF) character (0x0B).

            Delimiter characters are used to separate tag values
            in a tag list. An object of this type may only
            contain a single tag value, and so delimiter
            characters are not allowed in a value of this type.

            Some examples of valid tag values are:

                - 'acme'

                - 'router'

                - 'host'

            The use of a tag value to select table entries is
            application and MIB specific."
       SYNTAX       OCTET STRING (SIZE (0..255))

   SnmpTagList ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "255a"
       STATUS       current
       DESCRIPTION
           "An octet string containing a list of tag values.
            Tag values are preferably in human-readable form.

            To facilitate internationalization, this information
            is represented using the ISO/IEC IS 10646-1 character
            set, encoded as an octet string using the UTF-8
            character encoding scheme described in RFC 2279.

            Since additional code points are added by amendments
            to the 10646 standard from time to time,
            implementations must be prepared to encounter any code
            point from 0x00000000 to 0x7fffffff.

            The use of control codes should be avoided, except as
            described below.
            For code points not directly supported by user
            interface hardware or software, an alternative means
            of entry and display, such as hexadecimal, may be
            provided.

            For information encoded in 7-bit US-ASCII, the UTF-8
            representation is identical to the US-ASCII encoding.

            An object of this type contains a list of tag values
            which are used to select a set of entries in a table.

            A tag value is an arbitrary string of octets, but
            may not contain a delimiter character. Delimiter
            characters are defined to be one of the following:

                - An ASCII space character (0x20).

                - An ASCII TAB character (0x09).

                - An ASCII carriage return (CR) character (0x0D).

                - An ASCII line feed (LF) character (0x0B).

            Delimiter characters are used to separate tag values
            in a tag list. Only a single delimiter character may
            occur between two tag values. A tag value may not
            have a zero length. These constraints imply certain
            restrictions on the contents of this object:

                - There cannot be a leading or trailing delimiter
                  character.

                - There cannot be multiple adjacent delimiter
                  characters.

            Some examples of valid tag lists are:

                - An empty string

                - 'acme router'

                - 'host managerStation'

            Note that although a tag value may not have a length of
            zero, an empty string is still valid. This indicates
            an empty list (i.e. there are no tag values in the list).

            The use of the tag list to select table entries is
            application and MIB specific. Typically, an application
            will provide one or more tag values, and any entry
            which contains some combination of these tag values
            will be selected."
       SYNTAX       OCTET STRING (SIZE (0..255))

   --
   --
   -- The snmpTargetObjects group
   --
   --

   snmpTargetSpinLock OBJECT-TYPE
       SYNTAX      TestAndIncr
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object is used to facilitate modification of table
            entries in the SNMP-TARGET-MIB module by multiple
            managers. In particular, it is useful when modifying
            the value of the snmpTargetAddrTagList object.

            The procedure for modifying the snmpTargetAddrTagList
            object is as follows:

                1. Retrieve the value of snmpTargetSpinLock and
                   of snmpTargetAddrTagList.

                2. Generate a new value for snmpTargetAddrTagList.

                3. Set the value of snmpTargetSpinLock to the
                   retrieved value, and the value of
                   snmpTargetAddrTagList to the new value. If
                   the set fails for the snmpTargetSpinLock
                   object, go back to step 1."
       ::= { snmpTargetObjects 1 }

   snmpTargetAddrTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SnmpTargetAddrEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table of transport addresses to be used in the generation
            of SNMP messages."
       ::= { snmpTargetObjects 2 }

   snmpTargetAddrEntry OBJECT-TYPE
       SYNTAX      SnmpTargetAddrEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A transport address to be used in the generation
            of SNMP operations.

            Entries in the snmpTargetAddrTable are created and
            deleted using the snmpTargetAddrRowStatus object."
       INDEX { IMPLIED snmpTargetAddrName }
       ::= { snmpTargetAddrTable 1 }

   SnmpTargetAddrEntry ::= SEQUENCE {
       snmpTargetAddrName         SnmpAdminString,
       snmpTargetAddrTDomain      TDomain,
       snmpTargetAddrTAddress     TAddress,
       snmpTargetAddrTimeout      TimeInterval,
       snmpTargetAddrRetryCount   Integer32,
       snmpTargetAddrTagList      SnmpTagList,
       snmpTargetAddrParams       SnmpAdminString,
       snmpTargetAddrStorageType  StorageType,
       snmpTargetAddrRowStatus    RowStatus
   }

   snmpTargetAddrName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The locally arbitrary, but unique identifier associated
            with this snmpTargetAddrEntry."

       ::= { snmpTargetAddrEntry 1 }

   snmpTargetAddrTDomain OBJECT-TYPE
       SYNTAX      TDomain
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the transport type of the address
            contained in the snmpTargetAddrTAddress object."
       ::= { snmpTargetAddrEntry 2 }

   snmpTargetAddrTAddress OBJECT-TYPE
       SYNTAX      TAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object contains a transport address. The format of
            this address depends on the value of the
            snmpTargetAddrTDomain object."
       ::= { snmpTargetAddrEntry 3 }

   snmpTargetAddrTimeout OBJECT-TYPE
       SYNTAX      TimeInterval
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object should reflect the expected maximum round
            trip time for communicating with the transport address
            defined by this row. When a message is sent to this
            address, and a response (if one is expected) is not
            received within this time period, an implementation
            may assume that the response will not be delivered.

            Note that the time interval that an application waits
            for a response may actually be derived from the value
            of this object.
            The method for deriving the actual time
            interval is implementation dependent. One such method
            is to derive the expected round trip time based on a
            particular retransmission algorithm and on the number
            of timeouts which have occurred. The type of message may
            also be considered when deriving expected round trip
            times for retransmissions. For example, if a message is
            being sent with a securityLevel that indicates both
            authentication and privacy, the derived value may be
            increased to compensate for extra processing time spent
            during authentication and encryption processing."
       DEFVAL { 1500 }
       ::= { snmpTargetAddrEntry 4 }

   snmpTargetAddrRetryCount OBJECT-TYPE
       SYNTAX      Integer32 (0..255)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies a default number of retries to be
            attempted when a response is not received for a generated
            message. An application may provide its own retry count,
            in which case the value of this object is ignored."
       DEFVAL { 3 }
       ::= { snmpTargetAddrEntry 5 }

   snmpTargetAddrTagList OBJECT-TYPE
       SYNTAX      SnmpTagList
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object contains a list of tag values which are
            used to select target addresses for a particular
            operation."
       DEFVAL { "" }
       ::= { snmpTargetAddrEntry 6 }

   snmpTargetAddrParams OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The value of this object identifies an entry in the
            snmpTargetParamsTable. The identified entry
            contains SNMP parameters to be used when generating
            messages to be sent to this transport address."
       ::= { snmpTargetAddrEntry 7 }

   snmpTargetAddrStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this conceptual row."
       DEFVAL { nonVolatile }
       ::= { snmpTargetAddrEntry 8 }

   snmpTargetAddrRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The status of this conceptual row.

            To create a row in this table, a manager must
            set this object to either createAndGo(4) or
            createAndWait(5).

            Until instances of all corresponding columns are
            appropriately configured, the value of the
            corresponding instance of the snmpTargetAddrRowStatus
            column is 'notReady'.

            In particular, a newly created row cannot be made
            active until the corresponding instances of
            snmpTargetAddrTDomain, snmpTargetAddrTAddress, and
            snmpTargetAddrParams have all been set.

            The following objects may not be modified while the
            value of this object is active(1):
                - snmpTargetAddrTDomain
                - snmpTargetAddrTAddress
            An attempt to set these objects while the value of
            snmpTargetAddrRowStatus is active(1) will result in
            an inconsistentValue error."
       ::= { snmpTargetAddrEntry 9 }

   snmpTargetParamsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SnmpTargetParamsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table of SNMP target information to be used
            in the generation of SNMP messages."
       ::= { snmpTargetObjects 3 }

   snmpTargetParamsEntry OBJECT-TYPE
       SYNTAX      SnmpTargetParamsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A set of SNMP target information.

            Entries in the snmpTargetParamsTable are created and
            deleted using the snmpTargetParamsRowStatus object."
       INDEX { IMPLIED snmpTargetParamsName }
       ::= { snmpTargetParamsTable 1 }

   SnmpTargetParamsEntry ::= SEQUENCE {
       snmpTargetParamsName           SnmpAdminString,
       snmpTargetParamsMPModel        SnmpMessageProcessingModel,
       snmpTargetParamsSecurityModel  SnmpSecurityModel,
       snmpTargetParamsSecurityName   SnmpAdminString,
       snmpTargetParamsSecurityLevel  SnmpSecurityLevel,
       snmpTargetParamsStorageType    StorageType,
       snmpTargetParamsRowStatus      RowStatus
   }

   snmpTargetParamsName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The locally arbitrary, but unique identifier associated
            with this snmpTargetParamsEntry."
       ::= { snmpTargetParamsEntry 1 }

   snmpTargetParamsMPModel OBJECT-TYPE
       SYNTAX      SnmpMessageProcessingModel
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The Message Processing Model to be used when generating
            SNMP messages using this entry."
       ::= { snmpTargetParamsEntry 2 }

   snmpTargetParamsSecurityModel OBJECT-TYPE
       SYNTAX      SnmpSecurityModel (1..2147483647)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The Security Model to be used when generating SNMP
            messages using this entry. An implementation may
            choose to return an inconsistentValue error if an
            attempt is made to set this variable to a value
            for a security model which the implementation does
            not support."
       ::= { snmpTargetParamsEntry 3 }

   snmpTargetParamsSecurityName OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The securityName which identifies the Principal on
            whose behalf SNMP messages will be generated using
            this entry."
       ::= { snmpTargetParamsEntry 4 }

   snmpTargetParamsSecurityLevel OBJECT-TYPE
       SYNTAX      SnmpSecurityLevel
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The Level of Security to be used when generating
            SNMP messages using this entry."
       ::= { snmpTargetParamsEntry 5 }

   snmpTargetParamsStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this conceptual row."
       DEFVAL { nonVolatile }
       ::= { snmpTargetParamsEntry 6 }

   snmpTargetParamsRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The status of this conceptual row.

            To create a row in this table, a manager must
            set this object to either createAndGo(4) or
            createAndWait(5).

            Until instances of all corresponding columns are
            appropriately configured, the value of the
            corresponding instance of the snmpTargetParamsRowStatus
            column is 'notReady'.

            In particular, a newly created row cannot be made
            active until the corresponding
            snmpTargetParamsMPModel,
            snmpTargetParamsSecurityModel,
            snmpTargetParamsSecurityName,
            and snmpTargetParamsSecurityLevel have all been set.

            The following objects may not be modified while the
            value of this object is active(1):
                - snmpTargetParamsMPModel
                - snmpTargetParamsSecurityModel
                - snmpTargetParamsSecurityName
                - snmpTargetParamsSecurityLevel
            An attempt to set these objects while the value of
            snmpTargetParamsRowStatus is active(1) will result in
            an inconsistentValue error."
       ::= { snmpTargetParamsEntry 7 }

   snmpUnavailableContexts OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of packets received by the SNMP
            engine which were dropped because the context
            contained in the message was unavailable."
       ::= { snmpTargetObjects 4 }

   snmpUnknownContexts OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of packets received by the SNMP
            engine which were dropped because the context
            contained in the message was unknown."
       ::= { snmpTargetObjects 5 }

   --
   --
   -- Conformance information
   --
   --

   snmpTargetCompliances OBJECT IDENTIFIER ::=
                                           { snmpTargetConformance 1 }
   snmpTargetGroups      OBJECT IDENTIFIER ::=
                                           { snmpTargetConformance 2 }

   --
   --
   -- Compliance statements
   --
   --
   snmpTargetCommandResponderCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities which include
            a command responder application."
       MODULE -- This Module
           MANDATORY-GROUPS { snmpTargetCommandResponderGroup }
       ::= { snmpTargetCompliances 1 }

   snmpTargetBasicGroup OBJECT-GROUP
       OBJECTS {
           snmpTargetSpinLock,
           snmpTargetAddrTDomain,
           snmpTargetAddrTAddress,
           snmpTargetAddrTagList,
           snmpTargetAddrParams,
           snmpTargetAddrStorageType,
           snmpTargetAddrRowStatus,
           snmpTargetParamsMPModel,
           snmpTargetParamsSecurityModel,
           snmpTargetParamsSecurityName,
           snmpTargetParamsSecurityLevel,
           snmpTargetParamsStorageType,
           snmpTargetParamsRowStatus
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing basic remote
            configuration of management targets."
       ::= { snmpTargetGroups 1 }

   snmpTargetResponseGroup OBJECT-GROUP
       OBJECTS {
           snmpTargetAddrTimeout,
           snmpTargetAddrRetryCount
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing remote configuration
            of management targets for applications which generate
            SNMP messages for which a response message would be
            expected."
       ::= { snmpTargetGroups 2 }

   snmpTargetCommandResponderGroup OBJECT-GROUP
       OBJECTS {
           snmpUnavailableContexts,
           snmpUnknownContexts
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects required for command responder
            applications, used for counting error conditions."
       ::= { snmpTargetGroups 3 }

   END

4.2. The Notification MIB Module

   The SNMP-NOTIFICATION-MIB module contains objects for the remote
   configuration of the parameters used by an SNMP entity for the
   generation of notifications. It consists of three tables and
   conformance/compliance statements. The first table, the
   snmpNotifyTable, contains entries which select which entries in the
   snmpTargetAddrTable should be used for generating notifications, and
   the type of notifications to be generated.

   The second table sparsely augments the snmpTargetAddrTable with an
   object which is used to associate a set of filters with a particular
   management target.

   The third table defines filters which are used to limit the number of
   notifications which are generated using particular management
   targets.

4.2.1. Definitions

   SNMP-NOTIFICATION-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY,
       OBJECT-TYPE,
       snmpModules
           FROM SNMPv2-SMI

       RowStatus,
       StorageType
           FROM SNMPv2-TC

       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB

       SnmpTagValue,
       snmpTargetParamsName
           FROM SNMP-TARGET-MIB

       MODULE-COMPLIANCE,
       OBJECT-GROUP
           FROM SNMPv2-CONF;

   snmpNotificationMIB MODULE-IDENTITY
       LAST-UPDATED "9808040000Z"
       ORGANIZATION "IETF SNMPv3 Working Group"
       CONTACT-INFO
           "WG-email:   snmpv3@tis.com
            Subscribe:  majordomo@tis.com
                        In message body:  subscribe snmpv3

            Chair:      Russ Mundy
                        Trusted Information Systems
            Postal:     3060 Washington Rd
                        Glenwood MD 21738
                        USA
            EMail:      mundy@tis.com
            Phone:      +1-301-854-6889

            Co-editor:  David B. Levi
                        SNMP Research, Inc.
            Postal:     3001 Kimberlin Heights Road
                        Knoxville, TN 37920-9716
            EMail:      levi@snmp.com
            Phone:      +1 423 573 1434

            Co-editor:  Paul Meyer
                        Secure Computing Corporation
            Postal:     2675 Long Lake Road
                        Roseville, MN 55113
            EMail:      paul_meyer@securecomputing.com
            Phone:      +1 651 628 1592

            Co-editor:  Bob Stewart
                        Cisco Systems, Inc.
            Postal:     170 West Tasman Drive
                        San Jose, CA 95134-1706
            EMail:      bstewart@cisco.com
            Phone:      +1 603 654 2686"
       DESCRIPTION
           "This MIB module defines MIB objects which provide
            mechanisms to remotely configure the parameters
            used by an SNMP entity for the generation of
            notifications."
       REVISION    "9808040000Z"
       DESCRIPTION "Clarifications, published as
                    draft-ietf-snmpv3-appl-v2-01.txt."
       REVISION    "9707140000Z"
       DESCRIPTION "The initial revision, published as RFC2273."
       ::= { snmpModules 13 }

   snmpNotifyObjects        OBJECT IDENTIFIER ::=
                                             { snmpNotificationMIB 1 }

   snmpNotifyConformance    OBJECT IDENTIFIER ::=
                                             { snmpNotificationMIB 3 }

   --
   --
   -- The snmpNotifyObjects group
   --
   --

   snmpNotifyTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SnmpNotifyEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table is used to select management targets which should
            receive notifications, as well as the type of notification
            which should be sent to each selected management target."
       ::= { snmpNotifyObjects 1 }

   snmpNotifyEntry OBJECT-TYPE
       SYNTAX      SnmpNotifyEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry in this table selects a set of management targets
            which should receive notifications, as well as the type of
            notification which should be sent to each selected
            management target.

            Entries in the snmpNotifyTable are created and
            deleted using the snmpNotifyRowStatus object."
       INDEX { IMPLIED snmpNotifyName }
       ::= { snmpNotifyTable 1 }

   SnmpNotifyEntry ::= SEQUENCE {
       snmpNotifyName         SnmpAdminString,
       snmpNotifyTag          SnmpTagValue,
       snmpNotifyType         INTEGER,
       snmpNotifyStorageType  StorageType,
       snmpNotifyRowStatus    RowStatus
   }

   snmpNotifyName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The locally arbitrary, but unique identifier associated
            with this snmpNotifyEntry."
       ::= { snmpNotifyEntry 1 }

   snmpNotifyTag OBJECT-TYPE
       SYNTAX      SnmpTagValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object contains a single tag value which is used
            to select entries in the snmpTargetAddrTable. Any entry
            in the snmpTargetAddrTable which contains a tag value
            which is equal to the value of an instance of this
            object is selected.
            If this object contains a value
            of zero length, no entries are selected."
       DEFVAL { "" }
       ::= { snmpNotifyEntry 2 }

   snmpNotifyType OBJECT-TYPE
       SYNTAX      INTEGER {
                       trap(1),
                       inform(2)
                   }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object determines the type of notification to
            be generated for entries in the snmpTargetAddrTable
            selected by the corresponding instance of
            snmpNotifyTag. This value is only used when
            generating notifications, and is ignored when
            using the snmpTargetAddrTable for other purposes.

            If the value of this object is trap(1), then any
            messages generated for selected rows will contain
            Unconfirmed-Class PDUs.

            If the value of this object is inform(2), then any
            messages generated for selected rows will contain
            Confirmed-Class PDUs.

            Note that if an SNMP entity only supports
            generation of Unconfirmed-Class PDUs (and not
            Confirmed-Class PDUs), then this object may be
            read-only."
       DEFVAL { trap }
       ::= { snmpNotifyEntry 3 }

   snmpNotifyStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type for this conceptual row."
       DEFVAL { nonVolatile }
       ::= { snmpNotifyEntry 4 }

   snmpNotifyRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The status of this conceptual row.

            To create a row in this table, a manager must
            set this object to either createAndGo(4) or
            createAndWait(5)."
       ::= { snmpNotifyEntry 5 }

   snmpNotifyFilterProfileTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SnmpNotifyFilterProfileEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table is used to associate a notification filter
            profile with a particular set of target parameters."
       ::= { snmpNotifyObjects 2 }

   snmpNotifyFilterProfileEntry OBJECT-TYPE
       SYNTAX      SnmpNotifyFilterProfileEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry in this table indicates the name of the filter
            profile to be used when generating notifications using
            the corresponding entry in the snmpTargetParamsTable.

            Entries in the snmpNotifyFilterProfileTable are created
            and deleted using the snmpNotifyFilterProfileRowStatus
            object."
       INDEX { IMPLIED snmpTargetParamsName }
       ::= { snmpNotifyFilterProfileTable 1 }

   SnmpNotifyFilterProfileEntry ::= SEQUENCE {
       snmpNotifyFilterProfileName       SnmpAdminString,
       snmpNotifyFilterProfileStorType   StorageType,
       snmpNotifyFilterProfileRowStatus  RowStatus
   }

   snmpNotifyFilterProfileName OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..32))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The name of the filter profile to be used when generating
            notifications using the corresponding entry in the
            snmpTargetAddrTable."
       ::= { snmpNotifyFilterProfileEntry 1 }

   snmpNotifyFilterProfileStorType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type of this conceptual row."
       DEFVAL { nonVolatile }
       ::= { snmpNotifyFilterProfileEntry 2 }

   snmpNotifyFilterProfileRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The status of this conceptual row.

            To create a row in this table, a manager must
            set this object to either createAndGo(4) or
            createAndWait(5).

            Until instances of all corresponding columns are
            appropriately configured, the value of the
            corresponding instance of the
            snmpNotifyFilterProfileRowStatus column is 'notReady'.
            In particular, a newly created row cannot be made
            active until the corresponding instance of
            snmpNotifyFilterProfileName has been set."
       ::= { snmpNotifyFilterProfileEntry 3 }

   snmpNotifyFilterTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SnmpNotifyFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table of filter profiles. Filter profiles are used
            to determine whether particular management targets should
            receive particular notifications.

            When a notification is generated, it must be compared
            with the filters associated with each management target
            which is configured to receive notifications, in order to
            determine whether it may be sent to each such management
            target.

            A more complete discussion of notification filtering
            can be found in section 6. of [SNMP-APPL]."
       ::= { snmpNotifyObjects 3 }

   snmpNotifyFilterEntry OBJECT-TYPE
       SYNTAX      SnmpNotifyFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An element of a filter profile.

            Entries in the snmpNotifyFilterTable are created and
            deleted using the snmpNotifyFilterRowStatus object."
       INDEX {         snmpNotifyFilterProfileName,
               IMPLIED snmpNotifyFilterSubtree }
       ::= { snmpNotifyFilterTable 1 }

   SnmpNotifyFilterEntry ::= SEQUENCE {
       snmpNotifyFilterSubtree      OBJECT IDENTIFIER,
       snmpNotifyFilterMask         OCTET STRING,
       snmpNotifyFilterType         INTEGER,
       snmpNotifyFilterStorageType  StorageType,
       snmpNotifyFilterRowStatus    RowStatus
   }

   snmpNotifyFilterSubtree OBJECT-TYPE
       SYNTAX      OBJECT IDENTIFIER
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The MIB subtree which, when combined with the corresponding
            instance of snmpNotifyFilterMask, defines a family of
            subtrees which are included in or excluded from the
            filter profile."
       ::= { snmpNotifyFilterEntry 1 }

   snmpNotifyFilterMask OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..16))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The bit mask which, in combination with the corresponding
            instance of snmpNotifyFilterSubtree, defines a family of
            subtrees which are included in or excluded from the
            filter profile.

            Each bit of this bit mask corresponds to a
            sub-identifier of snmpNotifyFilterSubtree, with the
            most significant bit of the i-th octet of this octet
            string value (extended if necessary, see below)
            corresponding to the (8*i - 7)-th sub-identifier, and
            the least significant bit of the i-th octet of this
            octet string corresponding to the (8*i)-th
            sub-identifier, where i is in the range 1 through 16.

            Each bit of this bit mask specifies whether or not
            the corresponding sub-identifiers must match when
            determining if an OBJECT IDENTIFIER matches this
            family of filter subtrees; a '1' indicates that an
            exact match must occur; a '0' indicates 'wild card',
            i.e., any sub-identifier value matches.

            Thus, the OBJECT IDENTIFIER X of an object instance
            is contained in a family of filter subtrees if, for
            each sub-identifier of the value of
            snmpNotifyFilterSubtree, either:

                the i-th bit of snmpNotifyFilterMask is 0, or

                the i-th sub-identifier of X is equal to the i-th
                sub-identifier of the value of
                snmpNotifyFilterSubtree.

            If the value of this bit mask is M bits long and
            there are more than M sub-identifiers in the
            corresponding instance of snmpNotifyFilterSubtree,
            then the bit mask is extended with 1's to be the
            required length.
            Note that when the value of this object is the
            zero-length string, this extension rule results in
            a mask of all-1's being used (i.e., no 'wild card'),
            and the family of filter subtrees is the one
            subtree uniquely identified by the corresponding
            instance of snmpNotifyFilterSubtree."
       DEFVAL { ''H }
       ::= { snmpNotifyFilterEntry 2 }

   snmpNotifyFilterType OBJECT-TYPE
       SYNTAX      INTEGER {
                       included(1),
                       excluded(2)
                   }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates whether the family of filter subtrees
            defined by this entry are included in or excluded from a
            filter. A more detailed discussion of the use of this
            object can be found in section 6. of [SNMP-APPL]."
       DEFVAL { included }
       ::= { snmpNotifyFilterEntry 3 }

   snmpNotifyFilterStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The storage type of this conceptual row."
       DEFVAL { nonVolatile }
       ::= { snmpNotifyFilterEntry 4 }

   snmpNotifyFilterRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The status of this conceptual row.

            To create a row in this table, a manager must
            set this object to either createAndGo(4) or
            createAndWait(5)."
       ::= { snmpNotifyFilterEntry 5 }

   --
   --
   -- Conformance information
   --
   --
   snmpNotifyCompliances OBJECT IDENTIFIER ::=
                                           { snmpNotifyConformance 1 }
   snmpNotifyGroups      OBJECT IDENTIFIER ::=
                                           { snmpNotifyConformance 2 }

   --
   --
   -- Compliance statements
   --
   --

   snmpNotifyBasicCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for minimal SNMP entities which
            implement only SNMP Unconfirmed-Class notifications and
            read-create operations on only the snmpTargetAddrTable."
2466      MODULE SNMP-TARGET-MIB
2467          MANDATORY-GROUPS { snmpTargetBasicGroup }

2469          OBJECT snmpTargetParamsMPModel
2470          MIN-ACCESS  read-only
2471          DESCRIPTION
2472              "Create/delete/modify access is not required."

2474          OBJECT snmpTargetParamsSecurityModel
2475          MIN-ACCESS  read-only
2476          DESCRIPTION
2477              "Create/delete/modify access is not required."

2479          OBJECT snmpTargetParamsSecurityName
2480          MIN-ACCESS  read-only
2481          DESCRIPTION
2482              "Create/delete/modify access is not required."

2484          OBJECT snmpTargetParamsSecurityLevel
2485          MIN-ACCESS  read-only
2486          DESCRIPTION
2487              "Create/delete/modify access is not required."

2489          OBJECT snmpTargetParamsStorageType
2490          SYNTAX INTEGER {
2491              readOnly(5)
2492          }
2493          MIN-ACCESS  read-only
2494          DESCRIPTION
2495              "Create/delete/modify access is not required.

2497               Support of the values other(1), volatile(2),
2498               nonVolatile(3), and permanent(4) is not required."

2500          OBJECT snmpTargetParamsRowStatus
2501          SYNTAX INTEGER {
2502              active(1)
2503          }
2504          MIN-ACCESS  read-only
2505          DESCRIPTION
2506              "Create/delete/modify access to the
2507               snmpTargetParamsTable is not required.
2508               Support of the values notInService(2), notReady(3),
2509               createAndGo(4), createAndWait(5), and destroy(6) is
2510               not required."

2512      MODULE -- This Module
2513          MANDATORY-GROUPS { snmpNotifyGroup }

2515          OBJECT snmpNotifyTag
2516          MIN-ACCESS  read-only
2517          DESCRIPTION
2518              "Create/delete/modify access is not required."

2520          OBJECT snmpNotifyType
2521          SYNTAX INTEGER {
2522              trap(1)
2523          }
2524          MIN-ACCESS  read-only
2525          DESCRIPTION
2526              "Create/delete/modify access is not required.
2527               Support of the value notify(2) is not required."

2529          OBJECT snmpNotifyStorageType
2530          SYNTAX INTEGER {
2531              readOnly(5)
2532          }
2533          MIN-ACCESS  read-only
2534          DESCRIPTION
2535              "Create/delete/modify access is not required.
2536               Support of the values other(1), volatile(2),
2537               nonVolatile(3), and permanent(4) is not required."

2539          OBJECT snmpNotifyRowStatus
2540          SYNTAX INTEGER {
2541              active(1)
2542          }
2543          MIN-ACCESS  read-only
2544          DESCRIPTION
2545              "Create/delete/modify access to the
2546               snmpNotifyTable is not required.
2547               Support of the values notInService(2), notReady(3),
2548               createAndGo(4), createAndWait(5), and destroy(6) is
2549               not required."

2551      ::= { snmpNotifyCompliances 1 }

2553  snmpNotifyBasicFiltersCompliance MODULE-COMPLIANCE
2554      STATUS      current
2555      DESCRIPTION
2556          "The compliance statement for SNMP entities which implement
2557           SNMP Unconfirmed-Class notifications with filtering, and
2558           read-create operations on all related tables."
2559      MODULE SNMP-TARGET-MIB
2560          MANDATORY-GROUPS { snmpTargetBasicGroup }
2561      MODULE -- This Module
2562          MANDATORY-GROUPS { snmpNotifyGroup,
2563                             snmpNotifyFilterGroup }
2564      ::= { snmpNotifyCompliances 2 }

2566  snmpNotifyFullCompliance MODULE-COMPLIANCE
2567      STATUS      current
2568      DESCRIPTION
2569          "The compliance statement for SNMP entities which either
2570           implement only SNMP Confirmed-Class notifications, or both
2571           SNMP Unconfirmed-Class and Confirmed-Class notifications,
2572           plus filtering and read-create operations on all related
2573           tables."
2574      MODULE SNMP-TARGET-MIB
2575          MANDATORY-GROUPS { snmpTargetBasicGroup,
2576                             snmpTargetResponseGroup }
2577      MODULE -- This Module
2578          MANDATORY-GROUPS { snmpNotifyGroup,
2579                             snmpNotifyFilterGroup }
2580      ::= { snmpNotifyCompliances 3 }

2582  snmpNotifyGroup OBJECT-GROUP
2583      OBJECTS {
2584          snmpNotifyTag,
2585          snmpNotifyType,
2586          snmpNotifyStorageType,
2587          snmpNotifyRowStatus
2588      }
2589      STATUS      current
2590      DESCRIPTION
2591          "A collection of objects for selecting which management
2592           targets are used for generating notifications, and the
2593           type of notification to be generated for each selected
2594           management target."
2595      ::= { snmpNotifyGroups 1 }

2597  snmpNotifyFilterGroup OBJECT-GROUP
2598      OBJECTS {
2599          snmpNotifyFilterProfileName,
2600          snmpNotifyFilterProfileStorType,
2601          snmpNotifyFilterProfileRowStatus,
2602          snmpNotifyFilterMask,
2603          snmpNotifyFilterType,
2604          snmpNotifyFilterStorageType,
2605          snmpNotifyFilterRowStatus
2606      }
2607      STATUS      current
2608      DESCRIPTION
2609          "A collection of objects providing remote configuration
2610           of notification filters."
2611      ::= { snmpNotifyGroups 2 }

2613  END

2615  4.3. The Proxy MIB Module

2617     The SNMP-PROXY-MIB module, which defines MIB objects that provide
2618     mechanisms to remotely configure the parameters used by an SNMP
2619     entity for proxy forwarding operations, contains a single table.
2620     This table, snmpProxyTable, is used to define translations between
2621     management targets for use when forwarding messages.

2623  4.3.1. Definitions

2625  SNMP-PROXY-MIB DEFINITIONS ::= BEGIN

2627  IMPORTS
2628      MODULE-IDENTITY,
2629      OBJECT-TYPE,
2630      snmpModules
2631          FROM SNMPv2-SMI

2633      RowStatus,
2634      StorageType
2635          FROM SNMPv2-TC

2637      SnmpEngineID,
2638      SnmpAdminString
2639          FROM SNMP-FRAMEWORK-MIB

2641      SnmpTagValue
2642          FROM SNMP-TARGET-MIB

2644      MODULE-COMPLIANCE,
2645      OBJECT-GROUP
2646          FROM SNMPv2-CONF;

2648  snmpProxyMIB MODULE-IDENTITY
2649      LAST-UPDATED "9808040000Z"
2650      ORGANIZATION "IETF SNMPv3 Working Group"
2651      CONTACT-INFO
2652          "WG-email:   snmpv3@tis.com
2653           Subscribe:  majordomo@tis.com
2654                       In message body:  subscribe snmpv3

2656           Chair:      Russ Mundy
2657                       Trusted Information Systems
2658           Postal:     3060 Washington Rd
2659                       Glenwood MD 21738
2660                       USA

2662           EMail:      mundy@tis.com
2663           Phone:      +1-301-854-6889

2665           Co-editor:  David B. Levi
2666                       SNMP Research, Inc.
2667           Postal:     3001 Kimberlin Heights Road
2668                       Knoxville, TN 37920-9716
2669           EMail:      levi@snmp.com
2670           Phone:      +1 423 573 1434

2672           Co-editor:  Paul Meyer
2673                       Secure Computing Corporation
2674           Postal:     2675 Long Lake Road
2675                       Roseville, MN 55113
2676           EMail:      paul_meyer@securecomputing.com
2677           Phone:      +1 651 628 1592

2679           Co-editor:  Bob Stewart
2680                       Cisco Systems, Inc.
2681           Postal:     170 West Tasman Drive
2682                       San Jose, CA 95134-1706
2683           EMail:      bstewart@cisco.com
2684           Phone:      +1 603 654 2686"
2685      DESCRIPTION
2686          "This MIB module defines MIB objects which provide
2687           mechanisms to remotely configure the parameters
2688           used by a proxy forwarding application."
2689      REVISION    "9808040000Z"
2690      DESCRIPTION "Clarifications, published as
2691                   draft-ietf-snmpv3-appl-v2-01.txt."
2692      REVISION    "9707140000Z"
2693      DESCRIPTION "The initial revision, published as RFC2273."
2694      ::= { snmpModules 14 }

2696  snmpProxyObjects        OBJECT IDENTIFIER ::= { snmpProxyMIB 1 }
2697  snmpProxyConformance    OBJECT IDENTIFIER ::= { snmpProxyMIB 3 }

2699  --
2700  --
2701  -- The snmpProxyObjects group
2702  --
2703  --

2705  snmpProxyTable OBJECT-TYPE
2706      SYNTAX      SEQUENCE OF SnmpProxyEntry
2707      MAX-ACCESS  not-accessible
2708      STATUS      current
2709      DESCRIPTION
2710          "The table of translation parameters used by proxy forwarder
2711           applications for forwarding SNMP messages."
2712      ::= { snmpProxyObjects 2 }

2714  snmpProxyEntry OBJECT-TYPE
2715      SYNTAX      SnmpProxyEntry
2716      MAX-ACCESS  not-accessible
2717      STATUS      current
2718      DESCRIPTION
2719          "A set of translation parameters used by a proxy forwarder
2720           application for forwarding SNMP messages.

2722           Entries in the snmpProxyTable are created and deleted
2723           using the snmpProxyRowStatus object."
2724      INDEX { IMPLIED snmpProxyName }
2725      ::= { snmpProxyTable 1 }

2727  SnmpProxyEntry ::= SEQUENCE {
2728      snmpProxyName               SnmpAdminString,
2729      snmpProxyType               INTEGER,
2730      snmpProxyContextEngineID    SnmpEngineID,
2731      snmpProxyContextName        SnmpAdminString,
2732      snmpProxyTargetParamsIn     SnmpAdminString,
2733      snmpProxySingleTargetOut    SnmpAdminString,
2734      snmpProxyMultipleTargetOut  SnmpTagValue,
2735      snmpProxyStorageType        StorageType,
2736      snmpProxyRowStatus          RowStatus
2737  }

2739  snmpProxyName OBJECT-TYPE
2740      SYNTAX      SnmpAdminString (SIZE(1..32))
2741      MAX-ACCESS  not-accessible
2742      STATUS      current
2743      DESCRIPTION
2744          "The locally arbitrary, but unique identifier associated
2745           with this snmpProxyEntry."
2746      ::= { snmpProxyEntry 1 }

2748  snmpProxyType OBJECT-TYPE
2749      SYNTAX      INTEGER {
2750                      read(1),
2751                      write(2),
2752                      trap(3),
2753                      inform(4)
2754                  }
2755      MAX-ACCESS  read-create
2756      STATUS      current
2757      DESCRIPTION
2758          "The type of message that may be forwarded using
2759           the translation parameters defined by this entry."
2760      ::= { snmpProxyEntry 2 }

2762  snmpProxyContextEngineID OBJECT-TYPE
2763      SYNTAX      SnmpEngineID
2764      MAX-ACCESS  read-create
2765      STATUS      current
2766      DESCRIPTION
2767          "The contextEngineID contained in messages that
2768           may be forwarded using the translation parameters
2769           defined by this entry."
2770      ::= { snmpProxyEntry 3 }

2772  snmpProxyContextName OBJECT-TYPE
2773      SYNTAX      SnmpAdminString
2774      MAX-ACCESS  read-create
2775      STATUS      current
2776      DESCRIPTION
2777          "The contextName contained in messages that may be
2778           forwarded using the translation parameters defined
2779           by this entry.

2781           This object is optional, and if not supported, the
2782           contextName contained in a message is ignored when
2783           selecting an entry in the snmpProxyTable."
2784      ::= { snmpProxyEntry 4 }

2786  snmpProxyTargetParamsIn OBJECT-TYPE
2787      SYNTAX      SnmpAdminString
2788      MAX-ACCESS  read-create
2789      STATUS      current
2790      DESCRIPTION
2791          "This object selects an entry in the snmpTargetParamsTable.
2792           The selected entry is used to determine which row of the
2793           snmpProxyTable to use for forwarding received messages."
2794      ::= { snmpProxyEntry 5 }

2796  snmpProxySingleTargetOut OBJECT-TYPE
2797      SYNTAX      SnmpAdminString
2798      MAX-ACCESS  read-create
2799      STATUS      current
2800      DESCRIPTION
2801          "This object selects a management target defined in the
2802           snmpTargetAddrTable (in the SNMP-TARGET-MIB). The
2803           selected target is defined by an entry in the
2804           snmpTargetAddrTable whose index value (snmpTargetAddrName)
2805           is equal to this object.

2807           This object is only used when selection of a single
2808           target is required (i.e. when forwarding an incoming
2809           read or write request)."
2810      ::= { snmpProxyEntry 6 }

2812  snmpProxyMultipleTargetOut OBJECT-TYPE
2813      SYNTAX      SnmpTagValue
2814      MAX-ACCESS  read-create
2815      STATUS      current
2816      DESCRIPTION
2817          "This object selects a set of management targets defined
2818           in the snmpTargetAddrTable (in the SNMP-TARGET-MIB).

2820           This object is only used when selection of multiple
2821           targets is required (i.e. when forwarding an incoming
2822           notification)."
2823      ::= { snmpProxyEntry 7 }

2825  snmpProxyStorageType OBJECT-TYPE
2826      SYNTAX      StorageType
2827      MAX-ACCESS  read-create
2828      STATUS      current
2829      DESCRIPTION
2830          "The storage type of this conceptual row."
2831      DEFVAL { nonVolatile }
2832      ::= { snmpProxyEntry 8 }

2834  snmpProxyRowStatus OBJECT-TYPE
2835      SYNTAX      RowStatus
2836      MAX-ACCESS  read-create
2837      STATUS      current
2838      DESCRIPTION
2839          "The status of this conceptual row.

2841           To create a row in this table, a manager must
2842           set this object to either createAndGo(4) or
2843           createAndWait(5).

2845           The following objects may not be modified while the
2846           value of this object is active(1):
2847               - snmpProxyType
2848               - snmpProxyContextEngineID
2849               - snmpProxyContextName
2850               - snmpProxyTargetParamsIn
2851               - snmpProxySingleTargetOut
2852               - snmpProxyMultipleTargetOut"
2853      ::= { snmpProxyEntry 9 }

2855  --
2856  --
2857  -- Conformance information
2858  --
2859  --

2861  snmpProxyCompliances OBJECT IDENTIFIER ::=
2862                                       { snmpProxyConformance 1 }
2863  snmpProxyGroups      OBJECT IDENTIFIER ::=
2864                                       { snmpProxyConformance 2 }

2866  --
2867  --
2868  -- Compliance statements
2869  --
2870  --

2872  snmpProxyCompliance MODULE-COMPLIANCE
2873      STATUS      current
2874      DESCRIPTION
2875          "The compliance statement for SNMP entities which include
2876           a proxy forwarding application."
2877      MODULE SNMP-TARGET-MIB
2878          MANDATORY-GROUPS { snmpTargetBasicGroup,
2879                             snmpTargetResponseGroup }
2880      MODULE -- This Module
2881          MANDATORY-GROUPS { snmpProxyGroup }
2882      ::= { snmpProxyCompliances 1 }

2884  snmpProxyGroup OBJECT-GROUP
2885      OBJECTS {
2886          snmpProxyType,
2887          snmpProxyContextEngineID,
2888          snmpProxyContextName,
2889          snmpProxyTargetParamsIn,
2890          snmpProxySingleTargetOut,
2891          snmpProxyMultipleTargetOut,
2892          snmpProxyStorageType,
2893          snmpProxyRowStatus
2894      }
2895      STATUS      current
2896      DESCRIPTION
2897          "A collection of objects providing remote configuration of
2898           management target translation parameters for use by
2899           proxy forwarder applications."
2900      ::= { snmpProxyGroups 3 }

2902  END

2904  5. Identification of Management Targets in Notification Originators

2906     This section describes the mechanisms used by a notification
2907     originator application when using the MIB module described in this
2908     document to determine the set of management targets to be used when
2909     generating a notification.

2911     A notification originator uses each entry in the snmpNotifyTable to
2912     find the management targets to be used for generating notifications.
2913     Each active entry in this table identifies zero or more entries in
2914     the snmpTargetAddrTable. Any entry in the snmpTargetAddrTable whose
2915     snmpTargetAddrTagList object contains a tag value which is equal to a
2916     value of snmpNotifyTag is selected by the snmpNotifyEntry which
2917     contains that instance of snmpNotifyTag. Note that a particular
2918     snmpTargetAddrEntry may be selected by multiple entries in the
2919     snmpNotifyTable, resulting in multiple notifications being generated
2920     using that snmpTargetAddrEntry.

2922     Each snmpTargetAddrEntry contains a pointer to the
2923     snmpTargetParamsTable (snmpTargetAddrParams). This pointer selects a
2924     set of SNMP parameters to be used for generating notifications. If
2925     the selected entry in the snmpTargetParamsTable does not exist, the
2926     management target is not used to generate notifications.

2928     The decision as to whether a notification should contain an
2929     Unconfirmed-Class or a Confirmed-Class PDU is determined by the value
2930     of the snmpNotifyType object. If the value of this object is
2931     trap(1), the notification should contain an Unconfirmed-Class PDU.
2932     If the value of this object is inform(2), then the notification
2933     should contain a Confirmed-Class PDU, and the timeout time and number
2934     of retries for the notification are the value of
2935     snmpTargetAddrTimeout and snmpTargetAddrRetryCount. Note that the
2936     exception to these rules is when the snmpTargetParamsMPModel object
2937     indicates an SNMP version which supports a different PDU version. In
2938     this case, the notification may be sent using a different PDU type
2939     ([COEX] defines the PDU type in the case where the outgoing SNMP
2940     version is SNMPv1).

2942  6. Notification Filtering

2944     This section describes the mechanisms used by a notification
2945     originator application when using the MIB module described in this
2946     document to filter generation of notifications.
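
The matching and precedence rules that this section specifies (mask bits taken most significant bit first and extended with 1's, the entry with the most sub-identifiers winning, an unmatched notification name excluded but an unmatched object instance included) are worked through below in Python. This is an added example, not part of the draft: the row layout and function names are hypothetical, the filter rows are constructed, and ties between subtrees of equal length are broken on the subtree OID on the assumption that it is the part of the instance index that differs within one profile.

```python
INCLUDED, EXCLUDED = 1, 2  # snmpNotifyFilterType values


def oid(text):
    """Dotted string -> tuple of sub-identifiers."""
    return tuple(int(part) for part in text.split("."))


def mask_bit(mask, i):
    """Mask bit for the i-th sub-identifier (1-based).

    The most significant bit of octet k covers sub-identifier 8*k - 7.
    Positions past the end of the mask read as 1 (exact match), so the
    zero-length mask means "no wild cards".
    """
    octet, bit = divmod(i - 1, 8)
    if octet >= len(mask):
        return 1
    return (mask[octet] >> (7 - bit)) & 1


def matches(x, subtree, mask):
    """True if OID x falls in the family defined by (subtree, mask)."""
    if len(x) < len(subtree):
        return False
    return all(
        mask_bit(mask, i) == 0 or x[i - 1] == subtree[i - 1]
        for i in range(1, len(subtree) + 1)
    )


def verdict(x, entries, default):
    """INCLUDED/EXCLUDED for x; `default` applies when no entry matches."""
    hits = [e for e in entries if matches(x, e["subtree"], e["mask"])]
    if not hits:
        return default
    # Most sub-identifiers wins; equal lengths fall back to the
    # lexicographically greatest instance (assumed: the subtree OID).
    best = max(hits, key=lambda e: (len(e["subtree"]), e["subtree"]))
    return best["type"]


def may_send(notification_name, varbind_names, entries):
    """Apply one profile's active filter rows to one notification."""
    if not entries:
        return True  # no matching rows: no filtering is performed
    if verdict(notification_name, entries, EXCLUDED) != INCLUDED:
        return False  # the name must be specifically included
    return all(verdict(v, entries, INCLUDED) != EXCLUDED for v in varbind_names)


# Constructed rows for a single filter profile.
PROFILE = [
    # the standard traps under snmpTraps ...
    {"subtree": oid("1.3.6.1.6.3.1.1.5"), "mask": b"", "type": INCLUDED},
    # ... except authenticationFailure (longer subtree overrides the one above)
    {"subtree": oid("1.3.6.1.6.3.1.1.5.5"), "mask": b"", "type": EXCLUDED},
    # any ifTable column for ifIndex 7: bit 10 (the column) is a wild card
    {"subtree": oid("1.3.6.1.2.1.2.2.1.0.7"), "mask": b"\xff\xa0", "type": EXCLUDED},
    # ifOperStatus for any interface: bit 11 (the index) is a wild card
    {"subtree": oid("1.3.6.1.2.1.2.2.1.8.0"), "mask": b"\xff\xc0", "type": INCLUDED},
]


def link_down(if_index):
    """Constructed linkDown: (notification name, variable-binding names)."""
    names = [oid("1.3.6.1.2.1.1.3.0"), oid("1.3.6.1.6.3.1.1.4.1.0")]
    names += [oid(f"1.3.6.1.2.1.2.2.1.{col}.{if_index}") for col in (1, 7, 8)]
    return oid("1.3.6.1.6.3.1.1.5.3"), names


if __name__ == "__main__":
    for idx in (3, 7):
        name, binds = link_down(idx)
        print("linkDown ifIndex", idx, "->", may_send(name, binds, PROFILE))
```

The interface-7 notification is suppressed because one of its variable bindings is specifically excluded, even though the notification name itself is included.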

2948     A notification originator uses the snmpNotifyFilterTable to filter
2949     notifications. A notification filter profile may be associated with
2950     a particular entry in the snmpTargetParamsTable. The associated
2951     filter profile is identified by an entry in the
2952     snmpNotifyFilterProfileTable whose index is equal to the index of the
2953     entry in the snmpTargetParamsTable. If no such entry exists in the
2954     snmpNotifyFilterProfileTable, no filtering is performed for that
2955     management target.

2957     If such an entry does exist, the value of snmpNotifyFilterProfileName
2958     of the entry is compared with the corresponding portion of the index
2959     of all active entries in the snmpNotifyFilterTable. All such entries
2960     for which this comparison results in an exact match are used for
2961     filtering a notification generated using the associated
2962     snmpTargetParamsEntry. If no such entries exist, no filtering is
2963     performed, and a notification may be sent to the management target.

2965     Otherwise, if matching entries do exist, a notification may be sent
2966     if the NOTIFICATION-TYPE OBJECT IDENTIFIER of the notification (this
2967     is the value of the element of the variable bindings whose name is
2968     snmpTrapOID.0, i.e., the second variable binding) is specifically
2969     included, and none of the object instances to be included in the
2970     variable-bindings of the notification are specifically excluded by
2971     the matching entries.

2973     Each set of snmpNotifyFilterTable entries is divided into two
2974     collections of filter subtrees: the included filter subtrees, and
2975     the excluded filter subtrees. The snmpNotifyFilterType object
2976     defines the collection to which each matching entry belongs.

2978     To determine whether a particular notification name or object
2979     instance is excluded by the set of matching entries, compare the
2980     notification name's or object instance's OBJECT IDENTIFIER with each
2981     of the matching entries. For a notification name, if none match,
2982     then the notification name is considered excluded, and the
2983     notification should not be sent to this management target. For an
2984     object instance, if none match, the object instance is considered
2985     included, and the notification may be sent to this management target.
2986     If one or more match, then the notification name or object instance
2987     is included or excluded, according to the value of
2988     snmpNotifyFilterType in the entry whose value of
2989     snmpNotifyFilterSubtree has the most sub-identifiers. If multiple
2990     entries match and have the same number of sub-identifiers, then the
2991     lexicographically greatest instance of snmpNotifyFilterType among
2992     those which match determines the inclusion or exclusion.

2994     A notification name or object instance's OBJECT IDENTIFIER X matches
2995     an entry in the snmpNotifyFilterTable when the number of sub-
2996     identifiers in X is at least as many as in the value of
2997     snmpNotifyFilterSubtree for the entry, and each sub-identifier in the
2998     value of snmpNotifyFilterSubtree matches its corresponding sub-
2999     identifier in X. Two sub-identifiers match either if the
3000     corresponding bit of snmpNotifyFilterMask is zero (the 'wild card'
3001     value), or if the two sub-identifiers are equal.

3003  7. Management Target Translation in Proxy Forwarder Applications

3005     This section describes the mechanisms used by a proxy forwarder
3006     application when using the MIB module described in this document to
3007     translate incoming management target information into outgoing
3008     management target information for the purpose of forwarding messages.
3009     There are actually two mechanisms a proxy forwarder may use, one for
3010     forwarding request messages, and one for forwarding notification
3011     messages.

3013  7.1. Management Target Translation for Request Forwarding

3015     When forwarding request messages, the proxy forwarder will select a
3016     single entry in the snmpProxyTable. To select this entry, it will
3017     perform the following comparisons:

3019        - The snmpProxyType must be read(1) if the request is a Read-
3020          Class PDU. The snmpProxyType must be write(2) if the request
3021          is a Write-Class PDU.

3023        - The contextEngineID must equal the snmpProxyContextEngineID
3024          object.

3026        - If the snmpProxyContextName object is supported, it must equal
3027          the contextName.

3029        - The snmpProxyTargetParamsIn object identifies an entry in the
3030          snmpTargetParamsTable. The messageProcessingModel,
3031          securityLevel, security model, and securityName must match the
3032          values of snmpTargetParamsMPModel,
3033          snmpTargetParamsSecurityModel, snmpTargetParamsSecurityName,
3034          and snmpTargetParamsSecurityLevel of the identified entry in
3035          the snmpTargetParamsTable.

3037     There may be multiple entries in the snmpProxyTable for which these
3038     comparisons succeed. The entry whose snmpProxyName has the
3039     lexicographically smallest value and for which the comparisons
3040     succeed will be selected by the proxy forwarder.

3042     The outgoing management target information is identified by the value
3043     of the snmpProxySingleTargetOut object of the selected entry. This
3044     object identifies an entry in the snmpTargetAddrTable. The
3045     identified entry in the snmpTargetAddrTable also contains a reference
3046     to the snmpTargetParamsTable (snmpTargetAddrParams). If either the
3047     identified entry in the snmpTargetAddrTable does not exist, or the
3048     identified entry in the snmpTargetParamsTable does not exist, then
3049     this snmpProxyEntry does not identify valid forwarding information,
3050     and the proxy forwarder should attempt to identify another row.
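
The row selection just described for request forwarding, as an added Python example that is not part of the draft. The table layouts, field names, engine ID and addresses are constructed for illustration; what it shows is that a request is translated onto outgoing credentials only when its own security parameters equal the snmpProxyTargetParamsIn row exactly, and that rows with dangling references are passed over in favour of the next name in order.

```python
READ, WRITE = 1, 2  # snmpProxyType values used for request forwarding

# --- Constructed sample tables (hypothetical names, documentation addresses) ---
ENGINE = bytes.fromhex("8000000001020304")  # constructed contextEngineID

TARGET_PARAMS = {  # snmpTargetParamsTable, keyed by snmpTargetParamsName
    "in-ops-authpriv": {"mpModel": 3, "securityModel": 3,
                        "securityName": "ops", "securityLevel": 3},
    "out-legacy": {"mpModel": 1, "securityModel": 2,
                   "securityName": "legacy-ro", "securityLevel": 1},
}

TARGET_ADDR = {  # snmpTargetAddrTable, keyed by snmpTargetAddrName
    "router-a": {"tDomain": "snmpUDPDomain", "tAddress": "192.0.2.10/161",
                 "timeout": 1500, "retryCount": 3, "params": "out-legacy"},
    "router-b": {"tDomain": "snmpUDPDomain", "tAddress": "192.0.2.11/161",
                 "timeout": 1500, "retryCount": 3, "params": "removed-params"},
}


def _row(target_out):
    return {"type": READ, "contextEngineID": ENGINE, "contextName": "",
            "targetParamsIn": "in-ops-authpriv", "singleTargetOut": target_out}


PROXY = {  # snmpProxyTable, keyed by snmpProxyName
    "a-stale": _row("decommissioned"),  # no such snmpTargetAddrEntry
    "b-dangling": _row("router-b"),     # address exists, its params row does not
    "c-router": _row("router-a"),       # first row with valid forwarding info
    "d-router": _row("router-a"),       # also valid, but a greater name
}

REQUEST = {"pduClass": "read", "contextEngineID": ENGINE, "contextName": "",
           "mpModel": 3, "securityModel": 3,
           "securityName": "ops", "securityLevel": 3}

PARAM_FIELDS = ("mpModel", "securityModel", "securityName", "securityLevel")


def select_request_target(msg, proxy, params, addrs, context_name_supported=True):
    """Return the destination management target for msg, or None."""
    wanted = {"read": READ, "write": WRITE}.get(msg["pduClass"])
    if wanted is None:
        return None
    # Visit rows in ascending snmpProxyName order so the first row that
    # passes every check is the lexicographically smallest one.
    for name in sorted(proxy, key=lambda n: n.encode()):
        row = proxy[name]
        if row["type"] != wanted:
            continue
        if row["contextEngineID"] != msg["contextEngineID"]:
            continue
        if context_name_supported and row["contextName"] != msg["contextName"]:
            continue
        p_in = params.get(row["targetParamsIn"])
        if p_in is None or any(msg[f] != p_in[f] for f in PARAM_FIELDS):
            continue  # incoming security parameters must match exactly
        addr = addrs.get(row["singleTargetOut"])
        p_out = params.get(addr["params"]) if addr else None
        if addr is None or p_out is None:
            continue  # not valid forwarding information: try another row
        target = {"proxyName": name}
        target.update({k: addr[k] for k in
                       ("tDomain", "tAddress", "timeout", "retryCount")})
        target.update({f: p_out[f] for f in PARAM_FIELDS})
        return target
    return None  # no appropriate forwarding information


if __name__ == "__main__":
    print(select_request_target(REQUEST, PROXY, TARGET_PARAMS, TARGET_ADDR))
    weaker = dict(REQUEST, securityLevel=1)
    print(select_request_target(weaker, PROXY, TARGET_PARAMS, TARGET_ADDR))
```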

3052     If there is no entry in the snmpProxyTable for which all of the
3053     conditions above may be met, then there is no appropriate forwarding
3054     information, and the proxy forwarder should take appropriate actions.

3056     Otherwise, The snmpTargetAddrTDomain, snmpTargetAddrTAddress,
3057     snmpTargetAddrTimeout, and snmpTargetRetryCount of the identified
3058     snmpTargetAddrEntry, and the snmpTargetParamsMPModel,
3059     snmpTargetParamsSecurityModel, snmpTargetParamsSecurityName, and
3060     snmpTargetParamsSecurityLevel of the identified snmpTargetParamsEntry
3061     are used as the destination management target.

3063  7.2. Management Target Translation for Notification Forwarding

3065     When forwarding notification messages, the proxy forwarder will
3066     select multiple entries in the snmpProxyTable. To select these
3067     entries, it will perform the following comparisons:

3069        - The snmpProxyType must be trap(3) if the notification is an
3070          Unconfirmed-Class PDU. The snmpProxyType must be inform(4) if
3071          the request is a Confirmed-Class PDU.

3073        - The contextEngineID must equal the snmpProxyContextEngineID
3074          object.

3076        - If the snmpProxyContextName object is supported, it must equal
3077          the contextName.

3079        - The snmpProxyTargetParamsIn object identifies an entry in the
3080          snmpTargetParamsTable. The messageProcessingModel,
3081          securityLevel, security model, and securityName must match the
3082          values of snmpTargetParamsMPModel,
3083          snmpTargetParamsSecurityModel, snmpTargetParamsSecurityName,
3084          and snmpTargetParamsSecurityLevel of the identified entry in
3085          the snmpTargetParamsTable.

3087     All entries for which these conditions are met are selected. The
3088     snmpProxyMultipleTargetOut object of each such entry is used to
3089     select a set of entries in the snmpTargetAddrTable. Any
3090     snmpTargetAddrEntry whose snmpTargetAddrTagList object contains a tag
3091     value equal to the value of snmpProxyMultipleTargetOut, and whose
3092     snmpTargetAddrParams object references an existing entry in the
3093     snmpTargetParamsTable, is selected as a destination for the forwarded
3094     notification.

3096  8. Intellectual Property

3098     The IETF takes no position regarding the validity or scope of any
3099     intellectual property or other rights that might be claimed to
3100     pertain to the implementation or use of the technology described in
3101     this document or the extent to which any license under such rights
3102     might or might not be available; neither does it represent that it
3103     has made any effort to identify any such rights. Information on the
3104     IETF's procedures with respect to rights in standards-track and
3105     standards-related documentation can be found in BCP-11. Copies of
3106     claims of rights made available for publication and any assurances of
3107     licenses to be made available, or the result of an attempt made to
3108     obtain a general license or permission for the use of such
3109     proprietary rights by implementors or users of this specification can
3110     be obtained from the IETF Secretariat.

3112     The IETF invites any interested party to bring to its attention any
3113     copyrights, patents or patent applications, or other proprietary
3114     rights which may cover technology that may be required to practice
3115     this standard. Please address the information to the IETF Executive
3116     Director.

3118  9. Acknowledgments

3120     This document is the result of the efforts of the SNMPv3 Working
3121     Group. Some special thanks are in order to the following SNMPv3 WG
3122     members:

3124         Harald Tveit Alvestrand (Maxware)
3125         Dave Battle (SNMP Research, Inc.)
3126         Alan Beard (Disney Worldwide Services)
3127         Paul Berrevoets (SWI Systemware/Halcyon Inc.)
3128         Martin Bjorklund (Ericsson)
3129         Uri Blumenthal (IBM T.J. Watson Research Center)
3130         Jeff Case (SNMP Research, Inc.)
3131         John Curran (BBN)
3132         Mike Daniele (Compaq Computer Corporation)
3133         T. Max Devlin (Eltrax Systems)
3134         John Flick (Hewlett Packard)
3135         Rob Frye (MCI)
3136         Wes Hardaker (U.C.Davis, Information Technology - D.C.A.S.)
3137         David Harrington (Cabletron Systems Inc.)
3138         Lauren Heintz (BMC Software, Inc.)
3139         N.C. Hien (IBM T.J. Watson Research Center)
3140         Michael Kirkham (InterWorking Labs, Inc.)
3141         Dave Levi (SNMP Research, Inc.)
3142         Louis A Mamakos (UUNET Technologies Inc.)
3143         Joe Marzot (Nortel Networks)
3144         Paul Meyer (Secure Computing Corporation)
3145         Keith McCloghrie (Cisco Systems)
3146         Bob Moore (IBM)
3147         Russ Mundy (TIS Labs at Network Associates)
3148         Bob Natale (ACE*COMM Corporation)
3149         Mike O'Dell (UUNET Technologies Inc.)
3150         Dave Perkins (DeskTalk)
3151         Peter Polkinghorne (Brunel University)
3152         Randy Presuhn (BMC Software, Inc.)
3153         David Reeder (TIS Labs at Network Associates)
3154         David Reid (SNMP Research, Inc.)
3155         Aleksey Romanov (Quality Quorum)
3156         Shawn Routhier (Epilogue)
3157         Juergen Schoenwaelder (TU Braunschweig)
3158         Bob Stewart (Cisco Systems)
3159         Mike Thatcher (Independent Consultant)
3160         Bert Wijnen (IBM T.J. Watson Research Center)

3162     The document is based on recommendations of the IETF Security and
3163     Administrative Framework Evolution for SNMP Advisory Team. Members of
3164     that Advisory Team were:

3166         David Harrington (Cabletron Systems Inc.)
3167         Jeff Johnson (Cisco Systems)
3168         David Levi (SNMP Research Inc.)
3169         John Linn (Openvision)
3170         Russ Mundy (Trusted Information Systems) chair
3171         Shawn Routhier (Epilogue)
3172         Glenn Waters (Nortel)
3173         Bert Wijnen (IBM T. J. Watson Research Center)

3175     As recommended by the Advisory Team and the SNMPv3 Working Group
3176     Charter, the design incorporates as much as practical from previous
3177     RFCs and drafts. As a result, special thanks are due to the authors
3178     of previous designs known as SNMPv2u and SNMPv2*:

3180         Jeff Case (SNMP Research, Inc.)
3181         David Harrington (Cabletron Systems Inc.)
3182         David Levi (SNMP Research, Inc.)
3183         Keith McCloghrie (Cisco Systems)
3184         Brian O'Keefe (Hewlett Packard)
3185         Marshall T. Rose (Dover Beach Consulting)
3186         Jon Saperia (BGS Systems Inc.)
3187         Steve Waldbusser (International Network Services)
3188         Glenn W. Waters (Bell-Northern Research Ltd.)

3190  10. Security Considerations

3192     The SNMP applications described in this document typically have
3193     direct access to MIB instrumentation. Thus, it is very important
3194     that these applications be strict in their application of access
3195     control as described in this document.

3197     In addition, there may be some types of notification generator
3198     applications which, rather than accessing MIB instrumentation using
3199     access control, will obtain MIB information through other means (such
3200     as from a command line). The implementors and users of such
3201     applications must be responsible for not divulging MIB information
3202     that normally would be inaccessible due to access control.

3204     Finally, the MIBs described in this document contain potentially
3205     sensitive information. A security administrator may wish to limit
3206     access to these MIBs.

3208  11. References

3210  [COEX]
3211       The SNMPv3 Working Group, Frye, R., Levi, D., Wijnen, B.,
3212       "Coexistence between Version 1, Version 2, and Version 3 of the
3213       Internet-standard Network Management Framework", draft-ietf-
3214       snmpv3-coex-03.txt, January 1999.

3216  [RFC1157]
3217       Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network
3218       Management Protocol", RFC 1157, SNMP Research, Performance Systems
3219       International, Performance Systems International, MIT Laboratory
3220       for Computer Science, May 1990.

3222  [RFC1213]
3223       McCloghrie, K., and M. Rose, Editors, "Management Information Base
3224       for Network Management of TCP/IP-based internets: MIB-II", STD 17,
3225       RFC 1213, Hughes LAN Systems, Performance Systems International,
3226       March 1991.

3228  [RFC1902]
3229       SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
3230       Waldbusser, "Structure of Management Information for Version 2 of
3231       the Simple Network Management Protocol (SNMPv2)", RFC1902, SNMP
3232       Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc.,
3233       International Network Services, January 1996.

3235  [RFC1903]
3236       SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
3237       Waldbusser, "Textual Conventions for Version 2 of the Simple
3238       Network Management Protocol (SNMPv2)", RFC1903, SNMP Research, Inc.,
3239       Cisco Systems, Inc., Dover Beach Consulting, Inc., International
3240       Network Services, January 1996.

3242  [RFC1905]
3243       SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
3244       Waldbusser, "Protocol Operations for Version 2 of the Simple
3245       Network Management Protocol (SNMPv2)", RFC1905, SNMP Research, Inc.,
3246       Cisco Systems, Inc., Dover Beach Consulting, Inc., International
3247       Network Services, January 1996.

3249  [RFC1907]
3250       SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
3251       Waldbusser, "Management Information Base for Version 2 of the
3252       Simple Network Management Protocol (SNMPv2)", RFC1905, SNMP
3253       Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc.,
3254       International Network Services, January 1996.

3256  [RFC1908]
3257       SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
3258       Waldbusser, "Coexistence between Version 1 and Version 2 of the
3259       Internet-standard Network Management Framework", RFC1905, SNMP
3260       Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc.,
3261       International Network Services, January 1996.

3263  [RFC2119]
3264       Bradner, S., "Key words for use in RFCs to Indicate Requirement
3265       Levels", BCP 14, RFC2119, March 1997.

3267  [SNMP-ARCH]
3268       The SNMPv3 Working Group, Harrington, D., Wijnen, B., "An
3269       Architecture for Describing SNMP Management Frameworks", draft-
3270       ietf-snmpv3-arch-03.txt, January 1999.

3272  [SNMP-MPD]
3273       The SNMPv3 Working Group, Case, J., Harrington, D., Wijnen, B.,
3274       "Message Processing and Dispatching for the Simple Network
3275       Management Protocol (SNMP)", draft-ietf-snmpv3-mpc-03.txt, January
3276       1999.

3278  [SNMP-ACM]
3279       The SNMPv3 Working Group, Wijnen, B., Presuhn, R., McCloghrie, K.,
3280       "View-based Access Control Model for the Simple Network Management
3281       Protocol (SNMP)", draft-ietf-snmpv3-vacm-03.txt, January 1999.

3283  [SNMP-APPL]
3284       The SNMPv3 Working Group, Levi, D., Meyer, P., Stewart, B., "SNMP
3285       Applications", draft-ietf-snmpv3-appl-v2-02.txt, January 1999.

3287  12. Editor's Address

3289       David B. Levi
3290       SNMP Research, Inc.
3291       3001 Kimberlin Heights Road
3292       Knoxville, TN 37920-9716
3293       U.S.A.
3294       Phone: +1 423 573 1434
3295       EMail: levi@snmp.com

3297       Paul Meyer
3298       Secure Computing Corporation
3299       2675 Long Lake Road
3300       Roseville, MN 55113
3301       U.S.A.
3302       Phone: +1 651 628 1592
3303       EMail: paul_meyer@securecomputing.com

3305       Bob Stewart
3306       Cisco Systems, Inc.
3307       170 West Tasman Drive
3308       San Jose, CA 95134-1706
3309       U.S.A.
3310       Phone: +1 603 654 2686
3311       EMail: bstewart@cisco.com

3313  APPENDIX A - Trap Configuration Example

3315     This section describes an example configuration for a Notification
3316     Generator application which implements the snmpNotifyBasicCompliance
3317     level. The example configuration specifies that the Notification
3318     Generator should send notifications to 3 separate managers, using
3319     authentication and no privacy for the first 2 managers, and using
3320     both authentication and privacy for the third manager.

3322     The configuration consists of three rows in the snmpTargetAddrTable,
3323     and two rows in the snmpTargetTable.

3325         snmpTargetAddrName        SnmpAdminString,
3326         snmpTargetAddrTDomain     TDomain,
3327         snmpTargetAddrTAddress    TAddress,
3328         snmpTargetAddrTimeout     TimeInterval,
3329         snmpTargetAddrRetryCount  Integer32,
3330         snmpTargetAddrTagList     SnmpAdminString,
3331         snmpTargetAddrParams      SnmpAdminString,
3332         snmpTargetAddrStorageType StorageType,
3333         snmpTargetAddrRowStatus   RowStatus

3335       * snmpTargetAddrName        = "addr1"
3336         snmpTargetAddrTDomain     = snmpUDPDomain
3337         snmpTargetAddrTAddress    = 128.1.2.3/162
3338         snmpTargetAddrTagList     = "group1"
3339         snmpTargetAddrParams      = "AuthNoPriv-joe"
3340         snmpTargetAddrStorageType = readOnly(5)
3341         snmpTargetAddrRowStatus   = active(1)

3343       * snmpTargetAddrName        = "addr2"
3344         snmpTargetAddrTDomain     = snmpUDPDomain
3345         snmpTargetAddrTAddress    = 128.2.4.6/162
3346         snmpTargetAddrTagList     = "group1"
3347         snmpTargetAddrParams      = "AuthNoPriv-joe"
3348         snmpTargetAddrStorageType = readOnly(5)
3349         snmpTargetAddrRowStatus   = active(1)

3351       * snmpTargetAddrName        = "addr3"
3352         snmpTargetAddrTDomain     = snmpUDPDomain
3353         snmpTargetAddrTAddress    = 128.1.2.3/162
3354         snmpTargetAddrTagList     = "group2"
3355         snmpTargetAddrParams      = "AuthPriv-bob"
3356         snmpTargetAddrStorageType = readOnly(5)
3357         snmpTargetAddrRowStatus   = active(1)

3359       * snmpTargetParamsName          = "AuthNoPriv-joe"
3360         snmpTargetParamsMPModel       = 3
3361         snmpTargetParamsSecurityModel = 3 (USM)
3362         snmpTargetParamsSecurityName  = "joe"
3363         snmpTargetParamsSecurityLevel = authNoPriv(2)
3364         snmpTargetParamsStorageType   = readOnly(5)
3365         snmpTargetParamsRowStatus     = active(1)

3367       * snmpTargetParamsName          = "AuthPriv-bob"
3368         snmpTargetParamsMPModel       = 3
3369         snmpTargetParamsSecurityModel = 3 (USM)
3370         snmpTargetParamsSecurityName  = "bob"
3371         snmpTargetParamsSecurityLevel = authPriv(3)
3372         snmpTargetParamsStorageType   = readOnly(5)
3373         snmpTargetParamsRowStatus     = active(1)

3375       * snmpNotifyName        = "group1"
3376         snmpNotifyTag         = "group1"
3377         snmpNotifyType        = trap(1)
3378         snmpNotifyStorageType = readOnly(5)
3379         snmpNotifyRowStatus   = active(1)

3381       * snmpNotifyName        = "group2"
3382         snmpNotifyTag         = "group2"
3383         snmpNotifyType        = trap(1)
3384         snmpNotifyStorageType = readOnly(5)
3385         snmpNotifyRowStatus   = active(1)

3387     These entries define two groups of management targets. The first
3388     group contains two management targets:

3390                                  first target       second target
3391                                  ------------       -------------
3392         messageProcessingModel   SNMPv3             SNMPv3
3393         securityModel            3 (USM)            3 (USM)
3394         securityName             "joe"              "joe"
3395         securityLevel            authNoPriv(2)      authNoPriv(2)
3396         transportDomain          snmpUDPDomain      snmpUDPDomain
3397         transportAddress         128.1.2.3/162      128.2.4.6/162

3399     And the second group contains a single management target:

3401         messageProcessingModel   SNMPv3
3402         securityLevel            authPriv(3)
3403         securityModel            3 (USM)
3404         securityName             "bob"
3405         transportDomain          snmpUDPDomain
3406         transportAddress         128.1.5.9/162

3408  B. Full Copyright Statement

3410     This document and translations of it may be copied and furnished to
3411     others, and derivative works that comment on or otherwise explain it
3412     or assist in its implementation may be prepared, copied, published
3413     and distributed, in whole or in part, without restriction of any
3414     kind, provided that the above copyright notice and this paragraph are
3415     included on all such copies and derivative works. However, this
3416     document itself may not be modified in any way, such as by removing
3417     the copyright notice or references to the Internet Society or other
3418     Internet organizations, except as needed for the purpose of
3419     developing Internet standards in which case the procedures for
3420     copyrights defined in the Internet Standards process must be
3421     followed, or as required to translate it into languages other than
3422     English.

3424   The limited permissions granted above are perpetual and will not be
3425   revoked by the Internet Society or its successors or assigns.

3427   This document and the information contained herein is provided on an
3428   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
3429   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
3430   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
3431   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
3432   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
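
The Appendix A tables resolved into per-group management targets, as an added Python example that is not part of the draft; the dictionary layout and function names are assumptions, and the row values are transcribed from the listing as printed. Resolved as written, the group2 target comes out at 128.1.2.3/162 rather than the 128.1.5.9/162 shown in the summary, and the second function reports that address as receiving notifications at two security levels.

```python
# Rows transcribed from the Appendix A listing as printed (only the columns
# needed to resolve targets). Tuple layout and names are illustrative.
TARGET_ADDR = {  # name -> (TDomain, TAddress, TagList, Params)
    "addr1": ("snmpUDPDomain", "128.1.2.3/162", "group1", "AuthNoPriv-joe"),
    "addr2": ("snmpUDPDomain", "128.2.4.6/162", "group1", "AuthNoPriv-joe"),
    "addr3": ("snmpUDPDomain", "128.1.2.3/162", "group2", "AuthPriv-bob"),
}
TARGET_PARAMS = {  # name -> (MPModel, SecurityModel, SecurityName, SecurityLevel)
    "AuthNoPriv-joe": (3, 3, "joe", "authNoPriv"),
    "AuthPriv-bob": (3, 3, "bob", "authPriv"),
}
NOTIFY = {"group1": ("group1", "trap"), "group2": ("group2", "trap")}  # name -> (tag, type)


def resolve_targets(notify=NOTIFY, addrs=TARGET_ADDR, params=TARGET_PARAMS):
    """Join notify tag -> address rows carrying that tag -> params row."""
    resolved = {}
    for name, (tag, _ntype) in notify.items():
        targets = []
        for addr_name, (tdomain, taddress, taglist, params_name) in addrs.items():
            # A tag list holds whitespace-separated tags; compare whole tags
            # so "group1" never matches a row tagged "group10".
            if tag not in taglist.split():
                continue
            if params_name not in params:
                raise KeyError(f"{addr_name}: no params row {params_name!r}")
            mp_model, sec_model, sec_name, sec_level = params[params_name]
            targets.append({"addr": addr_name, "tdomain": tdomain,
                            "taddress": taddress, "mp_model": mp_model,
                            "sec_model": sec_model, "sec_name": sec_name,
                            "sec_level": sec_level})
        resolved[name] = targets
    return resolved


def mixed_level_addresses(resolved):
    """Transport addresses that are sent to at more than one securityLevel."""
    levels = {}
    for targets in resolved.values():
        for t in targets:
            levels.setdefault(t["taddress"], set()).add(t["sec_level"])
    return {a: sorted(lv) for a, lv in levels.items() if len(lv) > 1}


if __name__ == "__main__":
    result = resolve_targets()
    for group, targets in result.items():
        for t in targets:
            print(group, t["taddress"], t["sec_name"], t["sec_level"])
    print("mixed security levels:", mixed_level_addresses(result))
```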