idnits 2.17.1

draft-ietf-snmpv3-appl-v3-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date. The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents.

  ** The document is more than 15 pages and seems to lack a Table of Contents.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References. All references will be assumed normative when checking for
     downward references.

  ** The abstract seems to contain references ([SNMP-ARCH]), which it
     shouldn't. Please replace those with straight textual mentions of the
     documents in question.

  == There are 8 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document. If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Line 3387 has weird spacing: '...tyLevel auth...'
  == Line 3388 has weird spacing: '...tDomain snmp...'
  == Line 3394 has weird spacing: '...tyLevel auth...'
  == Line 3397 has weird spacing: '...tDomain snmp...'
  == Line 3410 has weird spacing: '...for the purpo...'
  == (2 more instances...)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you can
     ignore this comment. If not, you may need to add the pre-RFC5378
     disclaimer. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (22 Feb 2001) is 8464 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC1157' is defined on line 3211, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC1213' is defined on line 3217, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2578' is defined on line 3241, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2579' is defined on line 3248, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2580' is defined on line 3254, but no explicit
     reference was found in the text

  == Unused Reference: 'SNMP-MPD' is defined on line 3265, but no explicit
     reference was found in the text

  == Unused Reference: 'SNMP-ACM' is defined on line 3274, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2576 (Obsoleted by RFC 3584)

  ** Downref: Normative reference to an Historic RFC: RFC 1157

  ** Obsolete normative reference: RFC 1905 (Obsoleted by RFC 3416)

  ** Obsolete normative reference: RFC 1907 (Obsoleted by RFC 3418)

  ** Obsolete normative reference: RFC
     2571 (ref. 'SNMP-ARCH') (Obsoleted by RFC 3411)

  ** Obsolete normative reference: RFC 2572 (ref. 'SNMP-MPD') (Obsoleted by
     RFC 3412)

  == Outdated reference: A later version (-01) exists of
     draft-ietf-snmpv3-appl-v3-00

  -- Possible downref: Normative reference to a draft: ref. 'SNMP-APPL'

  ** Obsolete normative reference: RFC 2575 (ref. 'SNMP-ACM') (Obsoleted by
     RFC 3415)

     Summary: 14 errors (**), 0 flaws (~~), 17 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Internet Draft              SNMP Applications                22 Feb 2001

INTERNET-DRAFT                                             David B. Levi
                                                         Nortel Networks
                                                              Paul Meyer
                                            Secure Computing Corporation
                                                             Bob Stewart
                                                           Cisco Systems
                                                             22 Feb 2001

                           SNMP Applications

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Copyright Notice

   Copyright (C) The Internet Society (2001). All Rights Reserved.

Abstract

   This memo describes five types of SNMP applications which make use of
   an SNMP engine as described in [SNMP-ARCH].
   The types of application described are Command Generators, Command
   Responders, Notification Originators, Notification Receivers, and
   Proxy Forwarders.

   This memo also defines MIB modules for specifying targets of
   management operations, for notification filtering, and for proxy
   forwarding.

   This memo will obsolete RFC2273.

Table Of Contents

1. Overview

   This document describes five types of SNMP applications:

      -  Applications which initiate SNMP Read-Class, and/or
         Write-Class requests, called 'command generators.'

      -  Applications which respond to SNMP Read-Class, and/or
         Write-Class requests, called 'command responders.'

      -  Applications which generate SNMP Notification-Class PDUs,
         called 'notification originators.'

      -  Applications which receive SNMP Notification-Class PDUs,
         called 'notification receivers.'

      -  Applications which forward SNMP messages, called 'proxy
         forwarders.'

   Note that there are no restrictions on which types of applications
   may be associated with a particular SNMP engine. For example, a
   single SNMP engine may, in fact, be associated with both command
   generator and command responder applications.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.1. Command Generator Applications

   A command generator application initiates SNMP Read-Class and/or
   Write-Class requests, as well as processing the response to a request
   which it generated.

1.2. Command Responder Applications

   A command responder application receives SNMP Read-Class and/or
   Write-Class requests destined for the local system as indicated by
   the fact that the contextEngineID in the received request is equal to
   that of the local engine through which the request was received.
   The command responder application will perform the appropriate
   protocol operation, using access control, and will generate a
   response message to be sent to the request's originator.

1.3. Notification Originator Applications

   A notification originator application conceptually monitors a system
   for particular events or conditions, and generates Notification-Class
   messages based on these events or conditions. A notification
   originator must have a mechanism for determining where to send
   messages, and what SNMP version and security parameters to use when
   sending messages. A mechanism and MIB module for this purpose is
   provided in this document. Note that Notification-Class PDUs
   generated by a notification originator may be either Confirmed-Class
   or Unconfirmed-Class PDU types.

1.4. Notification Receiver Applications

   A notification receiver application listens for notification
   messages, and generates response messages when a message containing a
   Confirmed-Class PDU is received.

1.5. Proxy Forwarder Applications

   A proxy forwarder application forwards SNMP messages. Note that
   implementation of a proxy forwarder application is optional. The
   sections describing proxy (4.5, 5.3, and 8) may be skipped for
   implementations that do not include a proxy forwarder application.

   The term "proxy" has historically been used very loosely, with
   multiple different meanings.
   These different meanings include (among others):

   (1) the forwarding of SNMP requests to other SNMP entities without
       regard for what managed object types are being accessed; for
       example, in order to forward an SNMP request from one transport
       domain to another, or to translate SNMP requests of one version
       into SNMP requests of another version;

   (2) the translation of SNMP requests into operations of some non-SNMP
       management protocol; and

   (3) support for aggregated managed objects where the value of one
       managed object instance depends upon the values of multiple other
       (remote) items of management information.

   Each of these scenarios can be advantageous; for example, support for
   aggregation of management information can significantly reduce the
   bandwidth requirements of large-scale management activities.

   However, using a single term to cover multiple different scenarios
   causes confusion.

   To avoid such confusion, this document uses the term "proxy" with a
   much more tightly defined meaning. The term "proxy" is used in this
   document to refer to a proxy forwarder application which forwards
   SNMP messages without regard for what managed objects are
   contained within those messages. This definition is most closely
   related to the first definition above. Note, however, that in the
   SNMP architecture [SNMP-ARCH], a proxy forwarder is actually an
   application, and need not be associated with what is traditionally
   thought of as an SNMP agent.

   Specifically, the distinction between a traditional SNMP agent and a
   proxy forwarder application is simple:

      -  a proxy forwarder application forwards SNMP messages to other
         SNMP engines according to the context, and irrespective of the
         specific managed object types being accessed, and forwards the
         response to such previously forwarded messages back to the
         SNMP engine from which the original message was received;

      -  in contrast, the command responder application that is part of
         what is traditionally thought of as an SNMP agent, and which
         processes SNMP requests according to the (names of the)
         individual managed object types and instances being accessed,
         is NOT a proxy forwarder application from the perspective of
         this document.

   Thus, when a proxy forwarder application forwards a request or
   notification for a particular contextEngineID / contextName pair, not
   only is the information on how to forward the request specifically
   associated with that context, but the proxy forwarder application has
   no need of a detailed definition of a MIB view (since the proxy
   forwarder application forwards the request irrespective of the
   managed object types).

   In contrast, a command responder application must have the detailed
   definition of the MIB view, and even if it needs to issue requests to
   other entities, via SNMP or otherwise, that need is dependent on the
   individual managed object instances being accessed (i.e., not only on
   the context).

   Note that it is a design goal of a proxy forwarder application to act
   as an intermediary between the endpoints of a transaction. In
   particular, when forwarding Confirmed Notification-Class messages,
   the associated response is forwarded when it is received from the
   target to which the Notification-Class message was forwarded, rather
   than generating a response immediately when the Notification-Class
   message is received.

2. Management Targets

   Some types of applications (notification generators and proxy
   forwarders in particular) require a mechanism for determining where
   and how to send generated messages. This document provides a
   mechanism and MIB module for this purpose. The set of information
   that describes where and how to send a message is called a
   'Management Target', and consists of two kinds of information:

      -  Destination information, consisting of a transport domain and
         a transport address. This is also termed a transport
         endpoint.

      -  SNMP parameters, consisting of message processing model,
         security model, security level, and security name information.

   The SNMP-TARGET-MIB module described later in this document contains
   one table for each of these types of information. There can be a
   many-to-many relationship in the MIB between these two types of
   information. That is, there may be multiple transport endpoints
   associated with a particular set of SNMP parameters, or a particular
   transport endpoint may be associated with several sets of SNMP
   parameters.

3. Elements Of Procedure

   The following sections describe the procedures followed by each type
   of application when generating messages for transmission or when
   processing received messages. Applications communicate with the
   Dispatcher using the abstract service interfaces defined in
   [SNMP-ARCH].

3.1. Command Generator Applications

   A command generator initiates an SNMP request by calling the
   Dispatcher using the following abstract service interface:

      statusInformation =              -- sendPduHandle if success
                                       -- errorIndication if failure
        sendPdu(
        IN   transportDomain           -- transport domain to be used
        IN   transportAddress          -- destination network address
        IN   messageProcessingModel    -- typically, SNMP version
        IN   securityModel             -- Security Model to use
        IN   securityName              -- on behalf of this principal
        IN   securityLevel             -- Level of Security requested
        IN   contextEngineID           -- data from/at this entity
        IN   contextName               -- data from/in this context
        IN   pduVersion                -- the version of the PDU
        IN   PDU                       -- SNMP Protocol Data Unit
        IN   expectResponse            -- TRUE or FALSE
             )

   Where:

      -  The transportDomain is that of the destination of the message.

      -  The transportAddress is that of the destination of the
         message.

      -  The messageProcessingModel indicates which Message Processing
         Model the application wishes to use.

      -  The securityModel is the security model that the application
         wishes to use.

      -  The securityName is the security model independent name for
         the principal on whose behalf the application wishes the
         message to be generated.

      -  The securityLevel is the security level that the application
         wishes to use.

      -  The contextEngineID is provided by the command generator if it
         wishes to explicitly specify the location of the management
         information it is requesting.

      -  The contextName is provided by the command generator if it
         wishes to explicitly specify the local context name for the
         management information it is requesting.

      -  The pduVersion indicates the version of the PDU to be sent.

      -  The PDU is a value constructed by the command generator
         containing the management operation that the command generator
         wishes to perform.

      -  The expectResponse argument indicates that a response is
         expected.

   The result of the sendPdu interface indicates whether the PDU was
   successfully sent. If it was successfully sent, the returned value
   will be a sendPduHandle. The command generator should store the
   sendPduHandle so that it can correlate a response to the original
   request.

   The Dispatcher is responsible for delivering the response to a
   particular request to the correct command generator application. The
   abstract service interface used is:

      processResponsePdu(              -- process Response PDU
        IN   messageProcessingModel    -- typically, SNMP version
        IN   securityModel             -- Security Model in use
        IN   securityName              -- on behalf of this principal
        IN   securityLevel             -- Level of Security
        IN   contextEngineID           -- data from/at this SNMP entity
        IN   contextName               -- data from/in this context
        IN   pduVersion                -- the version of the PDU
        IN   PDU                       -- SNMP Protocol Data Unit
        IN   statusInformation         -- success or errorIndication
        IN   sendPduHandle             -- handle from sendPdu
             )

   Where:

      -  The messageProcessingModel is the value from the received
         response.

      -  The securityModel is the value from the received response.

      -  The securityName is the value from the received response.

      -  The securityLevel is the value from the received response.

      -  The contextEngineID is the value from the received response.

      -  The contextName is the value from the received response.

      -  The pduVersion indicates the version of the PDU in the
         received response.

      -  The PDU is the value from the received response.

      -  The statusInformation indicates success or failure in
         receiving the response.

      -  The sendPduHandle is the value returned by the sendPdu call
         which generated the original request to which this is a
         response.

   The procedure when a command generator receives a message is as
   follows:

   (1) If the received values of messageProcessingModel, securityModel,
       securityName, contextEngineID, contextName, and pduVersion are not
       all equal to the values used in the original request, the response
       is discarded.

   (2) The operation type, request-id, error-status, error-index, and
       variable-bindings are extracted from the PDU and saved. If the
       request-id is not equal to the value used in the original request,
       the response is discarded.

   (3) At this point, it is up to the application to take an appropriate
       action. The specific action is implementation dependent. If the
       statusInformation indicates that the request failed, an appropriate
       action might be to attempt to transmit the request again, or to
       notify the person operating the application that a failure
       occurred.

3.2. Command Responder Applications

   Before a command responder application can process messages, it must
   first associate itself with an SNMP engine. The abstract service
   interface used for this purpose is:

      statusInformation =        -- success or errorIndication
        registerContextEngineID(
        IN   contextEngineID     -- take responsibility for this one
        IN   pduType             -- the pduType(s) to be registered
             )

   Where:

      -  The statusInformation indicates success or failure of the
         registration attempt.

      -  The contextEngineID is equal to the snmpEngineID of the SNMP
         engine with which the command responder is registering.

      -  The pduType indicates a Read-Class and/or Write-Class PDU.

   Note that if another command responder application is already
   registered with an SNMP engine, any further attempts to register with
   the same contextEngineID and pduType will be denied. This implies
   that separate command responder applications could register
   separately for the various pdu types.
   However, in practice this is undesirable, and only a single command
   responder application should be registered with an SNMP engine at
   any given time.

   A command responder application can disassociate with an SNMP engine
   using the following abstract service interface:

      unregisterContextEngineID(
        IN   contextEngineID     -- give up responsibility for this one
        IN   pduType             -- the pduType(s) to be unregistered
             )

   Where:

      -  The contextEngineID is equal to the snmpEngineID of the SNMP
         engine with which the command responder is cancelling the
         registration.

      -  The pduType indicates a Read-Class and/or Write-Class PDU.

   Once the command responder has registered with the SNMP engine, it
   waits to receive SNMP messages. The abstract service interface used
   for receiving messages is:

      processPdu(                      -- process Request/Notification PDU
        IN   messageProcessingModel    -- typically, SNMP version
        IN   securityModel             -- Security Model in use
        IN   securityName              -- on behalf of this principal
        IN   securityLevel             -- Level of Security
        IN   contextEngineID           -- data from/at this SNMP entity
        IN   contextName               -- data from/in this context
        IN   pduVersion                -- the version of the PDU
        IN   PDU                       -- SNMP Protocol Data Unit
        IN   maxSizeResponseScopedPDU  -- maximum size of the Response PDU
        IN   stateReference            -- reference to state information
             )                         -- needed when sending a response

   Where:

      -  The messageProcessingModel indicates which Message Processing
         Model received and processed the message.

      -  The securityModel is the value from the received message.

      -  The securityName is the value from the received message.

      -  The securityLevel is the value from the received message.

      -  The contextEngineID is the value from the received message.

      -  The contextName is the value from the received message.

      -  The pduVersion indicates the version of the PDU in the
         received message.

      -  The PDU is the value from the received message.

      -  The maxSizeResponseScopedPDU is the maximum allowable size of
         a ScopedPDU containing a Response PDU (based on the maximum
         message size that the originator of the message can accept).

      -  The stateReference is a value which references cached
         information about each received request message. This value
         must be returned to the Dispatcher in order to generate a
         response.

   The procedure when a message is received is as follows.

   (1) The operation type is determined from the ASN.1 tag value
       associated with the PDU parameter. The operation type should
       always be one of the types previously registered by the
       application.

   (2) The request-id is extracted from the PDU and saved.

   (3) Any PDU type specific parameters are extracted from the PDU and
       saved (for example, if the PDU type is an SNMPv2 GetBulk PDU, the
       non-repeaters and max-repetitions values are extracted).

   (4) The variable-bindings are extracted from the PDU and saved.

   (5) The management operation represented by the PDU type is performed
       with respect to the relevant MIB view within the context named by
       the contextName (for an SNMPv2 PDU type, the operation is performed
       according to the procedures set forth in [RFC1905]). The relevant
       MIB view is determined by the securityLevel, securityModel,
       contextName, securityName, and the class of the PDU type.
       To determine whether a particular object instance is within the
       relevant MIB view, the following abstract service interface is
       called:

          statusInformation =      -- success or errorIndication
            isAccessAllowed(
            IN   securityModel     -- Security Model in use
            IN   securityName      -- principal who wants to access
            IN   securityLevel     -- Level of Security
            IN   viewType          -- read, write, or notify view
            IN   contextName       -- context containing variableName
            IN   variableName      -- OID for the managed object
                 )

       Where:

          -  The securityModel is the value from the received message.

          -  The securityName is the value from the received message.

          -  The securityLevel is the value from the received message.

          -  The viewType indicates whether the PDU type is a Read-Class or
             Write-Class operation.

          -  The contextName is the value from the received message.

          -  The variableName is the object instance of the variable for
             which access rights are to be checked.

       Normally, the result of the management operation will be a new PDU
       value, and processing will continue in step (6) below. However, at
       any time during the processing of the management operation:

          -  If the isAccessAllowed ASI returns a noSuchView,
             noAccessEntry, or noGroupName error, processing of the
             management operation is halted, a PDU value is constructed
             using the values from the originally received PDU, but
             replacing the error_status with an authorizationError code,
             and error_index value of 0, and control is passed to step (6)
             below.

          -  If the isAccessAllowed ASI returns an otherError, processing
             of the management operation is halted, a different PDU value
             is constructed using the values from the originally received
             PDU, but replacing the error_status with a genError code, and
             control is passed to step (6) below.

          -  If the isAccessAllowed ASI returns a noSuchContext error,
             processing of the management operation is halted, no result
             PDU is generated, the snmpUnknownContexts counter is
             incremented, and control is passed to step (6) below.

          -  If the context named by the contextName parameter is
             unavailable, processing of the management operation is halted,
             no result PDU is generated, the snmpUnavailableContexts
             counter is incremented, and control is passed to step (6)
             below.

   (6) The Dispatcher is called to generate a response or report message.
       The abstract service interface is:

          returnResponsePdu(
            IN   messageProcessingModel   -- typically, SNMP version
            IN   securityModel            -- Security Model in use
            IN   securityName             -- on behalf of this principal
            IN   securityLevel            -- same as on incoming request
            IN   contextEngineID          -- data from/at this SNMP entity
            IN   contextName              -- data from/in this context
            IN   pduVersion               -- the version of the PDU
            IN   PDU                      -- SNMP Protocol Data Unit
            IN   maxSizeResponseScopedPDU -- maximum size of the Response PDU
            IN   stateReference           -- reference to state information
                                          -- as presented with the request
            IN   statusInformation        -- success or errorIndication
                 )                        -- error counter OID/value if error

       Where:

          -  The messageProcessingModel is the value from the processPdu
             call.

          -  The securityModel is the value from the processPdu call.

          -  The securityName is the value from the processPdu call.

          -  The securityLevel is the value from the processPdu call.

          -  The contextEngineID is the value from the processPdu call.

          -  The contextName is the value from the processPdu call.

          -  The pduVersion indicates the version of the PDU to be
             returned. If no result PDU was generated, the pduVersion is
             an undefined value.

          -  The PDU is the result generated in step (5) above. If no
             result PDU was generated, the PDU is an undefined value.

          -  The maxSizeResponseScopedPDU is a local value indicating the
             maximum size of a ScopedPDU that the application can accept.

          -  The stateReference is the value from the processPdu call.

          -  The statusInformation either contains an indication that no
             error occurred and that a response should be generated, or
             contains an indication that an error occurred along with the
             OID and counter value of the appropriate error counter object.

   Note that a command responder application should always call the
   returnResponsePdu abstract service interface, even in the event of an
   error such as a resource allocation error. In the event of such an
   error, the PDU value passed to returnResponsePdu should contain
   appropriate values for errorStatus and errorIndex.

   Note that the text above describes situations where the
   snmpUnknownContexts counter is incremented, and where the
   snmpUnavailableContexts counter is incremented. The difference
   between these is that the snmpUnknownContexts counter is incremented
   when a request is received for a context which is unknown to the SNMP
   entity. The snmpUnavailableContexts counter is incremented when a
   request is received for a context which is known to the SNMP entity,
   but is currently unavailable. Determining when a context is
   unavailable is implementation specific, and some implementations may
   never encounter this situation, and so may never increment the
   snmpUnavailableContexts counter.

3.3. Notification Originator Applications

   A notification originator application generates SNMP messages
   containing Notification-Class PDUs (for example, SNMPv2-Trap PDUs or
   Inform PDUs). There is no requirement as to what specific types of
   Notification-Class PDUs a particular implementation must be capable
   of generating.

   Notification originator applications require a mechanism for
   identifying the management targets to which notifications should be
   sent. The particular mechanism used is implementation dependent.
   However, if an implementation makes the configuration of management
   targets SNMP manageable, it MUST use the SNMP-TARGET-MIB module
   described in this document.

   When a notification originator wishes to generate a notification, it
   must first determine in which context the information to be conveyed
   in the notification exists, i.e., it must determine the
   contextEngineID and contextName. It must then determine the set of
   management targets to which the notification should be sent. The
   application must also determine, for each management target, what
   specific PDU type the notification message should contain, and if it
   is to contain a Confirmed-Class PDU, the number of retries and
   retransmission algorithm.

   The mechanism by which a notification originator determines this
   information is implementation dependent. Once the application has
   determined this information, the following procedure is performed for
   each management target:

   (1) Any appropriate filtering mechanisms are applied to determine
       whether the notification should be sent to the management target.
       If such filtering mechanisms determine that the notification should
       not be sent, processing continues with the next management target.
       Otherwise,

   (2) The appropriate set of variable-bindings is retrieved from local
       MIB instrumentation within the relevant MIB view. The relevant MIB
       view is determined by the securityLevel, securityModel,
       contextName, and securityName of the management target. To
       determine whether a particular object instance is within the
       relevant MIB view, the isAccessAllowed abstract service interface
       is used, in the same manner as described in the preceding section.
       If the statusInformation returned by isAccessAllowed does not
       indicate accessAllowed, the notification is not sent to the
       management target.

   (3) The NOTIFICATION-TYPE OBJECT IDENTIFIER of the notification (this
       is the value of the element of the variable bindings whose name is
       snmpTrapOID.0, i.e., the second variable binding) is checked using
       the isAccessAllowed abstract service interface, using the same
       parameters used in the preceding step. If the statusInformation
       returned by isAccessAllowed does not indicate accessAllowed, the
       notification is not sent to the management target.

   (4) A PDU is constructed using a locally unique request-id value, a PDU
       type as determined by the implementation, an error-status and
       error-index value of 0, and the variable-bindings supplied
       previously in step (2).

   (5) If the notification contains an Unconfirmed-Class PDU, the
       Dispatcher is called using the following abstract service
       interface:

          statusInformation =              -- sendPduHandle if success
                                           -- errorIndication if failure
            sendPdu(
            IN   transportDomain           -- transport domain to be used
            IN   transportAddress          -- destination network address
            IN   messageProcessingModel    -- typically, SNMP version
            IN   securityModel             -- Security Model to use
            IN   securityName              -- on behalf of this principal
            IN   securityLevel             -- Level of Security requested
            IN   contextEngineID           -- data from/at this entity
            IN   contextName               -- data from/in this context
            IN   pduVersion                -- the version of the PDU
            IN   PDU                       -- SNMP Protocol Data Unit
            IN   expectResponse            -- TRUE or FALSE
                 )

       Where:

          -  The transportDomain is that of the management target.

          -  The transportAddress is that of the management target.

          -  The messageProcessingModel is that of the management target.

          -  The securityModel is that of the management target.

          -  The securityName is that of the management target.

       - The securityLevel is that of the management target.

       - The contextEngineID is the value originally determined for the
         notification.

       - The contextName is the value originally determined for the
         notification.

       - The pduVersion is the version of the PDU to be sent.

       - The PDU is the value constructed in step (3) above.

       - The expectResponse argument indicates that no response is
         expected.

       Otherwise,

   (6) If the notification contains a Confirmed-Class PDU, then:

       a) The Dispatcher is called using the sendPdu abstract service
          interface as described in step (4) above, except that the
          expectResponse argument indicates that a response is expected.

       b) The application caches information about the management
          target.

       c) If a response is received within an appropriate time interval
          from the transport endpoint of the management target, the
          notification is considered acknowledged and the cached
          information is deleted. Otherwise,

       d) If a response is not received within an appropriate time
          period, or if a report indication is received, information
          about the management target is retrieved from the cache, and
          steps a) through d) are repeated. The number of times these
          steps are repeated is equal to the previously determined retry
          count. If this retry count is exceeded, the acknowledgement
          of the notification is considered to have failed, and
          processing of the notification for this management target is
          halted. Note that some report indications might be considered
          a failure. Such report indications should be interpreted to
          mean that the acknowledgement of the notification has failed.

   Responses to Confirmed-Class PDU notifications will be received via
   the processResponsePdu abstract service interface.
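
The per-target procedure above, sketched in Python as an added example (it is not part of the draft and not taken from any SNMP implementation). The class, field and callback names, the boolean is_access_allowed stand-in for the abstract service interface, the prefix-based view policy and the scripted dispatcher are assumptions made for illustration; targets, addresses and the contextEngineID are constructed sample values.

```python
import itertools
from collections import namedtuple

SNMP_TRAP_OID_0 = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0, name of the 2nd varbind
PDU_VERSION = "v2-pdu"                      # placeholder pduVersion value

# Management target; field names are hypothetical. confirmed=True means Inform.
Target = namedtuple("Target", "name transport_domain transport_address mp_model "
                    "security_model security_name security_level confirmed "
                    "retry_count", defaults=(0,))

class Originator:
    def __init__(self, dispatcher, is_access_allowed, passes_filter):
        self.dispatcher = dispatcher
        self.is_access_allowed = is_access_allowed  # boolean stand-in for the ASI
        self.passes_filter = passes_filter
        self.request_ids = itertools.count(1)       # locally unique request-id
        self.pending = {}                           # sendPduHandle -> Target

    def authorized(self, t, context_name, varbinds):
        def check(oid):  # the MIB view is selected by the target's security data
            return self.is_access_allowed(t.security_model, t.security_name,
                                          t.security_level, "notify",
                                          context_name, oid)
        # Step (2), read conservatively: every varbind name must be in the view;
        # one miss suppresses the notification, nothing is silently stripped.
        if len(varbinds) < 2 or not all(check(name) for name, _ in varbinds):
            return False
        # Step (3): the notification type is the *value* of snmpTrapOID.0.
        name, notification_type = varbinds[1]
        return name == SNMP_TRAP_OID_0 and check(notification_type)

    def send(self, context_engine_id, context_name, varbinds, targets):
        results = {}
        for t in targets:
            if not self.passes_filter(t, varbinds):                 # step (1)
                results[t.name] = "filtered"
            elif not self.authorized(t, context_name, varbinds):    # steps (2)-(3)
                results[t.name] = "not-authorized"
            else:
                pdu = {"type": "Inform" if t.confirmed else "SNMPv2-Trap",
                       "request-id": next(self.request_ids),
                       "error-status": 0, "error-index": 0,
                       "varbinds": list(varbinds)}                  # step (4)
                results[t.name] = self.deliver(t, context_engine_id, context_name, pdu)
        return results

    def deliver(self, t, context_engine_id, context_name, pdu):
        attempts = 1 + t.retry_count if t.confirmed else 1
        for _ in range(attempts):           # the same PDU is resent on each retry
            handle = self.dispatcher.send_pdu(
                t.transport_domain, t.transport_address, t.mp_model,
                t.security_model, t.security_name, t.security_level,
                context_engine_id, context_name, PDU_VERSION, pdu,
                expect_response=t.confirmed)
            if not t.confirmed:
                return "sent"                                       # step (5)
            self.pending[handle] = t                                # step (6b)
            acknowledged = self.dispatcher.wait_response(handle)
            del self.pending[handle]
            if acknowledged:
                return "acknowledged"                               # step (6c)
        return "failed"                       # step (6d): retry count exceeded

class ScriptedDispatcher:          # constructed test double, not a real Dispatcher
    def __init__(self, acks):
        self.acks = {addr: list(seq) for addr, seq in acks.items()}
        self.calls = []            # (transportAddress, request-id, expectResponse)
    def send_pdu(self, domain, address, mp_model, sec_model, sec_name, sec_level,
                 engine_id, context_name, pdu_version, pdu, expect_response):
        self.calls.append((address, pdu["request-id"], expect_response))
        return len(self.calls)     # used as the sendPduHandle
    def wait_response(self, handle):
        seq = self.acks.get(self.calls[handle - 1][0], [])
        return seq.pop(0) if seq else False   # no scripted reply: timed out

def demo():
    views = {"ops": ("1.3.6.1.2.1.1.3.", "1.3.6.1.2.1.2.", "1.3.6.1.6.3.1.1."),
             "guest": ("1.3.6.1.2.1.1.3.",)}   # constructed notify views
    def is_access_allowed(model, name, level, view_type, context_name, oid):
        return level == "authPriv" and any(
            (oid + ".").startswith(prefix) for prefix in views.get(name, ()))
    def target(name, addr, user, confirmed, retries=0):
        return Target(name, "snmpUDPDomain", addr, 3, 3, user, "authPriv",
                      confirmed, retries)
    targets = [target("nms1", "192.0.2.1:162", "ops", True, 2),
               target("nms2", "192.0.2.2:162", "ops", False),
               target("guest", "192.0.2.3:162", "guest", False),
               target("nms3", "192.0.2.4:162", "ops", True, 1),
               target("lab", "192.0.2.5:162", "ops", False)]
    varbinds = [("1.3.6.1.2.1.1.3.0", 4711),                      # sysUpTime.0
                (SNMP_TRAP_OID_0, "1.3.6.1.6.3.1.1.5.3"),         # linkDown
                ("1.3.6.1.2.1.2.2.1.1.2", 2)]                     # ifIndex.2
    dispatcher = ScriptedDispatcher({"192.0.2.1:162": [False, True]})
    originator = Originator(dispatcher, is_access_allowed,
                            lambda t, vbs: t.name != "lab")
    return (originator.send(b"\x80\x00\x00\x00\x01", "", varbinds, targets),
            dispatcher, originator)
```

demo() returns the per-target outcome, the dispatcher with its recorded sendPdu calls, and the originator; the target whose view lacks snmpTrapOID.0 produces no sendPdu call at all.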

   To summarize, the steps that a notification originator follows when
   determining where to send a notification are:

   - Determine the targets to which the notification should be
     sent.

   - Apply any required filtering to the list of targets.

   - Determine which targets are authorized to receive the
     notification.

3.4. Notification Receiver Applications

   Notification receiver applications receive SNMP Notification messages
   from the Dispatcher. Before any messages can be received, the
   notification receiver must register with the Dispatcher using the
   registerContextEngineID abstract service interface. The parameters
   used are:

   - The contextEngineID is an undefined 'wildcard' value.
     Notifications are delivered to a registered notification
     receiver regardless of the contextEngineID contained in the
     notification message.

   - The pduType indicates the type of notifications that the
     application wishes to receive (for example, SNMPv2-Trap PDUs
     or Inform PDUs).

   Once the notification receiver has registered with the Dispatcher,
   messages are received using the processPdu abstract service
   interface. Parameters are:

   - The messageProcessingModel indicates which Message Processing
     Model received and processed the message.

   - The securityModel is the value from the received message.

   - The securityName is the value from the received message.

   - The securityLevel is the value from the received message.

   - The contextEngineID is the value from the received message.

   - The contextName is the value from the received message.

   - The pduVersion indicates the version of the PDU in the
     received message.

   - The PDU is the value from the received message.

   - The maxSizeResponseScopedPDU is the maximum allowable size of
     a ScopedPDU containing a Response PDU (based on the maximum
     message size that the originator of the message can accept).

   - If the message contains an Unconfirmed-Class PDU, the
     stateReference is undefined and unused. Otherwise, the
     stateReference is a value which references cached information
     about the notification. This value must be returned to the
     Dispatcher in order to generate a response.

   When an Unconfirmed-Class PDU is delivered to a notification receiver
   application, it first extracts the SNMP operation type, request-id,
   error-status, error-index, and variable-bindings from the PDU. After
   this, processing depends on the particular implementation.

   When a Confirmed-Class PDU is received, the notification receiver
   application follows the following procedure:

   (1) The PDU type, request-id, error-status, error-index, and variable-
       bindings are extracted from the PDU.

   (2) A Response-Class PDU is constructed using the extracted request-id
       and variable-bindings, and with error-status and error-index both
       set to 0.

   (3) The Dispatcher is called to generate a response message using the
       returnResponsePdu abstract service interface. Parameters are:

       - The messageProcessingModel is the value from the processPdu
         call.

       - The securityModel is the value from the processPdu call.

       - The securityName is the value from the processPdu call.

       - The securityLevel is the value from the processPdu call.

       - The contextEngineID is the value from the processPdu call.

       - The contextName is the value from the processPdu call.

       - The pduVersion indicates the version of the PDU to be
         returned.

       - The PDU is the result generated in step (2) above.

       - The maxSizeResponseScopedPDU is a local value indicating the
         maximum size of a ScopedPDU that the application can accept.

       - The stateReference is the value from the processPdu call.

       - The statusInformation indicates that no error occurred and
         that a response should be generated.

3.5. Proxy Forwarder Applications

   A proxy forwarder application deals with forwarding SNMP messages.
   There are four basic types of messages which a proxy forwarder
   application may need to forward. These are grouped according to the
   class of PDU type contained in a message. The four basic types of
   messages are:

   - Those containing Read-Class or Write-Class PDU types (for
     example, Get, GetNext, GetBulk, and Set PDU types). These
     deal with requesting or modifying information located within a
     particular context.

   - Those containing Notification-Class PDU types (for example,
     SNMPv2-Trap and Inform PDU types). These deal with
     notifications concerning information located within a
     particular context.

   - Those containing a Response-Class PDU type. Forwarding of
     Response PDUs always occurs as a result of receiving a
     response to a previously forwarded message.

   - Those containing Internal-Class PDU types (for example, a
     Report PDU). Forwarding of Internal-Class PDU types always
     occurs as a result of receiving an Internal-Class PDU in
     response to a previously forwarded message.

   For the first type, the proxy forwarder's role is to deliver a
   request for management information to an SNMP engine which is
   "closer" or "downstream in the path" to the SNMP engine which has
   access to that information, and to deliver the response containing
   the information back to the SNMP engine from which the request was
   received. The context information in a request is used to determine
   which SNMP engine has access to the requested information, and this
   is used to determine where and how to forward the request.

   For the second type, the proxy forwarder's role is to determine which
   SNMP engines should receive notifications about management
   information from a particular location.
   The context information in a
   notification message determines the location to which the information
   contained in the notification applies. This is used to determine
   which SNMP engines should receive notification about this
   information.

   For the third type, the proxy forwarder's role is to determine which
   previously forwarded request or notification (if any) the response
   matches, and to forward the response back to the initiator of the
   request or notification.

   For the fourth type, the proxy forwarder's role is to determine which
   previously forwarded request or notification (if any) the Internal-
   Class PDU matches, and to forward the Internal-Class PDU back to the
   initiator of the request or notification.

   When forwarding messages, a proxy forwarder application must perform
   a translation of incoming management target information into outgoing
   management target information. How this translation is performed is
   implementation specific. In many cases, this will be driven by a
   preconfigured translation table. If a proxy forwarder application
   makes the contents of this table SNMP manageable, it MUST use the
   SNMP-PROXY-MIB module defined in this document.

3.5.1. Request Forwarding

   There are two phases for request forwarding. First, the incoming
   request needs to be passed through the proxy application. Then, the
   resulting response needs to be passed back. These phases are
   described in the following two sections.

3.5.1.1. Processing an Incoming Request

   A proxy forwarder application that wishes to forward request messages
   must first register with the Dispatcher using the
   registerContextEngineID abstract service interface. The proxy
   forwarder must register each contextEngineID for which it wishes to
   forward messages, as well as for each pduType.
   Note that as the
   configuration of a proxy forwarder is changed, the particular
   contextEngineID values for which it is forwarding may change. The
   proxy forwarder should call the registerContextEngineID and
   unregisterContextEngineID abstract service interfaces as needed to
   reflect its current configuration.

   A proxy forwarder application should never attempt to register a
   value of contextEngineID which is equal to the snmpEngineID of the
   SNMP engine to which the proxy forwarder is associated.

   Once the proxy forwarder has registered for the appropriate
   contextEngineID values, it can start processing messages. The
   following procedure is used:

   (1) A message is received using the processPdu abstract service
       interface. The incoming management target information received
       from the processPdu interface is translated into outgoing
       management target information. Note that this translation may vary
       for different values of contextEngineID and/or contextName. The
       translation should result in a single management target.

   (2) If appropriate outgoing management target information cannot be
       found, the proxy forwarder increments the snmpProxyDrops counter
       [RFC1907], and then calls the Dispatcher using the
       returnResponsePdu abstract service interface. Parameters are:

       - The messageProcessingModel is the value from the processPdu
         call.

       - The securityModel is the value from the processPdu call.

       - The securityName is the value from the processPdu call.

       - The securityLevel is the value from the processPdu call.

       - The contextEngineID is the value from the processPdu call.

       - The contextName is the value from the processPdu call.

       - The pduVersion is the value from the processPdu call.

       - The PDU is an undefined value.

       - The maxSizeResponseScopedPDU is a local value indicating the
         maximum size of a ScopedPDU that the application can accept.

       - The stateReference is the value from the processPdu call.

       - The statusInformation indicates that an error occurred and
         includes the OID and value of the snmpProxyDrops object.

       Processing of the message stops at this point. Otherwise,

   (3) A new PDU is constructed. A unique value of request-id should be
       used in the new PDU (this value will enable a subsequent response
       message to be correlated with this request). The remainder of the
       new PDU is identical to the received PDU, unless the incoming SNMP
       version and the outgoing SNMP version support different PDU
       versions, in which case the proxy forwarder may need to perform a
       translation on the PDU. (A method for performing such a translation
       is described in [RFC2576].)

   (4) The proxy forwarder calls the Dispatcher to generate the forwarded
       message, using the sendPdu abstract service interface. The
       parameters are:

       - The transportDomain is that of the outgoing management target.

       - The transportAddress is that of the outgoing management
         target.

       - The messageProcessingModel is that of the outgoing management
         target.

       - The securityModel is that of the outgoing management target.

       - The securityName is that of the outgoing management target.

       - The securityLevel is that of the outgoing management target.

       - The contextEngineID is the value from the processPdu call.

       - The contextName is the value from the processPdu call.

       - The pduVersion is the version of the PDU to be sent.

       - The PDU is the value constructed in step (3) above.

       - The expectResponse argument indicates that a response is
         expected. If the sendPdu call is unsuccessful, the proxy
         forwarder performs the steps described in (2) above.
         Otherwise:

   (5) The proxy forwarder caches the following information in order to
       match an incoming response to the forwarded request:

       - The sendPduHandle returned from the call to sendPdu,

       - The request-id from the received PDU.

       - the contextEngineID,

       - the contextName,

       - the stateReference,

       - the incoming management target information,

       - the outgoing management information,

       - any other information needed to match an incoming response to
         the forwarded request.

       If this information cannot be cached (possibly due to a lack of
       resources), the proxy forwarder performs the steps described in (2)
       above. Otherwise:

   (6) Processing of the request stops until a response to the forwarded
       request is received, or until an appropriate time interval has
       expired. If this time interval expires before a response has been
       received, the cached information about this request is removed.

3.5.1.2. Processing an Incoming Response

   A proxy forwarder follows the following procedure when an incoming
   response is received:

   (1) The incoming response is received using the processResponsePdu
       interface. The proxy forwarder uses the received parameters to
       locate an entry in its cache of pending forwarded requests. This
       is done by matching the received parameters with the cached values
       of sendPduHandle, contextEngineID, contextName, outgoing management
       target information, and the request-id contained in the received
       PDU (the proxy forwarder must extract the request-id for this
       purpose). If an appropriate cache entry cannot be found,
       processing of the response is halted. Otherwise:

   (2) The cache information is extracted, and removed from the cache.

   (3) A new Response-Class PDU is constructed, using the request-id value
       from the original forwarded request (as extracted from the cache).
       All other values are identical to those in the received Response-
       Class PDU, unless the incoming SNMP version and the outgoing SNMP
       version support different PDU versions, in which case the proxy
       forwarder may need to perform a translation on the PDU. (A method
       for performing such a translation is described in [RFC2576].)

   (4) The proxy forwarder calls the Dispatcher using the
       returnResponsePdu abstract service interface. Parameters are:

       - The messageProcessingModel indicates the Message Processing
         Model by which the original incoming message was processed.

       - The securityModel is that of the original incoming management
         target extracted from the cache.

       - The securityName is that of the original incoming management
         target extracted from the cache.

       - The securityLevel is that of the original incoming management
         target extracted from the cache.

       - The contextEngineID is the value extracted from the cache.

       - The contextName is the value extracted from the cache.

       - The pduVersion indicates the version of the PDU to be
         returned.

       - The PDU is the (possibly translated) Response PDU.

       - The maxSizeResponseScopedPDU is a local value indicating the
         maximum size of a ScopedPDU that the application can accept.

       - The stateReference is the value extracted from the cache.

       - The statusInformation indicates that no error occurred and
         that a Response PDU message should be generated.

3.5.1.3. Processing an Incoming Internal-Class PDU

   A proxy forwarder follows the following procedure when an incoming
   Internal-Class PDU is received:

   (1) The incoming Internal-Class PDU is received using the
       processResponsePdu interface. The proxy forwarder uses the
       received parameters to locate an entry in its cache of pending
       forwarded requests. This is done by matching the received
       parameters with the cached values of sendPduHandle.
       If an
       appropriate cache entry cannot be found, processing of the
       Internal-Class PDU is halted. Otherwise:

   (2) The cache information is extracted, and removed from the cache.

   (3) If the original incoming management target information indicates an
       SNMP version which does not support Report PDUs, processing of the
       Internal-Class PDU is halted.

   (4) The proxy forwarder calls the Dispatcher using the
       returnResponsePdu abstract service interface. Parameters are:

       - The messageProcessingModel indicates the Message Processing
         Model by which the original incoming message was processed.

       - The securityModel is that of the original incoming management
         target extracted from the cache.

       - The securityName is that of the original incoming management
         target extracted from the cache.

       - The securityLevel is that of the original incoming management
         target extracted from the cache.

       - The contextEngineID is the value extracted from the cache.

       - The contextName is the value extracted from the cache.

       - The pduVersion indicates the version of the PDU to be
         returned.

       - The PDU is unused.

       - The maxSizeResponseScopedPDU is a local value indicating the
         maximum size of a ScopedPDU that the application can accept.

       - The stateReference is the value extracted from the cache.

       - The statusInformation contains values specific to the
         Internal-Class PDU type (for example, for a Report PDU, the
         statusInformation contains the contextEngineID, contextName,
         counter OID, and counter value received in the incoming Report
         PDU).

3.5.2. Notification Forwarding

   A proxy forwarder receives notifications in the same manner as a
   notification receiver application, using the processPdu abstract
   service interface.
   The following procedure is used when a
   notification is received:

   (1) The incoming management target information received from the
       processPdu interface is translated into outgoing management target
       information. Note that this translation may vary for different
       values of contextEngineID and/or contextName. The translation may
       result in multiple management targets.

   (2) If appropriate outgoing management target information cannot be
       found and the notification was an Unconfirmed-Class PDU, processing
       of the notification is halted. If appropriate outgoing management
       target information cannot be found and the notification was a
       Confirmed-Class PDU, the proxy forwarder increments the
       snmpProxyDrops object, and calls the Dispatcher using the
       returnResponsePdu abstract service interface. The parameters are:

       - The messageProcessingModel is the value from the processPdu
         call.

       - The securityModel is the value from the processPdu call.

       - The securityName is the value from the processPdu call.

       - The securityLevel is the value from the processPdu call.

       - The contextEngineID is the value from the processPdu call.

       - The contextName is the value from the processPdu call.

       - The pduVersion is the value from the processPdu call.

       - The PDU is an undefined and unused value.

       - The maxSizeResponseScopedPDU is a local value indicating the
         maximum size of a ScopedPDU that the application can accept.

       - The stateReference is the value from the processPdu call.

       - The statusInformation indicates that an error occurred and
         that a Report message should be generated.

       Processing of the message stops at this point.
       Otherwise,

   (3) The proxy forwarder generates a notification using the procedures
       described in the preceding section on Notification Originators,
       with the following exceptions:

       - The contextEngineID and contextName values from the original
         received notification are used.

       - The outgoing management targets previously determined are
         used.

       - No filtering mechanisms are applied.

       - The variable-bindings from the original received notification
         are used, rather than retrieving variable-bindings from local
         MIB instrumentation. In particular, no access-control is
         applied to these variable-bindings.

       - If the original notification contains a Confirmed-Class PDU,
         then any outgoing management targets for which the outgoing
         SNMP version does not support any PDU types that are both
         Notification-Class and Confirmed-Class PDUs will not be used
         when generating the forwarded notifications.

       - If, for any of the outgoing management targets, the incoming
         SNMP version and the outgoing SNMP version support different
         PDU versions, the proxy forwarder may need to perform a
         translation on the PDU. (A method for performing such a
         translation is described in [RFC2576].)

   (4) If the original received notification contains an Unconfirmed-Class
       PDU, processing of the notification is now completed. Otherwise,
       the original received notification must contain a Confirmed-Class
       PDU, and processing continues.

   (5) If the forwarded notifications included any Confirmed-Class PDUs,
       processing continues when the procedures described in the section
       for Notification Originators determine that either:

       - None of the generated notifications containing Confirmed-Class
         PDUs have been successfully acknowledged within the longest of
         the time intervals, in which case processing of the original
         notification is halted, or,

       - At least one of the generated notifications containing
         Confirmed-Class PDUs is successfully acknowledged, in which
         case a response to the original received notification
         containing a Confirmed-Class PDU is generated as described in
         the following steps.

   (6) A Response-Class PDU is constructed, using the values of request-id
       and variable-bindings from the original received Notification-Class
       PDU, and error-status and error-index values of 0.

   (7) The Dispatcher is called using the returnResponsePdu abstract
       service interface. Parameters are:

       - The messageProcessingModel is the value from the processPdu
         call.

       - The securityModel is the value from the processPdu call.

       - The securityName is the value from the processPdu call.

       - The securityLevel is the value from the processPdu call.

       - The contextEngineID is the value from the processPdu call.

       - The contextName is the value from the processPdu call.

       - The pduVersion indicates the version of the PDU constructed in
         step (6) above.

       - The PDU is the value constructed in step (6) above.

       - The maxSizeResponseScopedPDU is a local value indicating the
         maximum size of a ScopedPDU that the application can accept.

       - The stateReference is the value from the processPdu call.

       - The statusInformation indicates that no error occurred and
         that a Response-Class PDU message should be generated.

4. The Structure of the MIB Modules

   There are three separate MIB modules described in this document, the
   management target MIB, the notification MIB, and the proxy MIB. The
   following sections describe the structure of these three MIB modules.

   The use of these MIBs by particular types of applications is
   described later in this document:

   - The use of the management target MIB and the notification MIB
     in notification originator applications is described in
     section 6.

   - The use of the notification MIB for filtering notifications in
     notification originator applications is described in section
     7.

   - The use of the management target MIB and the proxy MIB in
     proxy forwarding applications is described in section 8.

4.1. The Management Target MIB Module

   The SNMP-TARGET-MIB module contains objects for defining management
   targets. It consists of two tables and conformance/compliance
   statements.

   The first table, the snmpTargetAddrTable, contains information about
   transport domains and addresses. It also contains an object,
   snmpTargetAddrTagList, which provides a mechanism for grouping
   entries.

   The second table, the snmpTargetParamsTable, contains information
   about SNMP version and security information to be used when sending
   messages to particular transport domains and addresses.

   The Management Target MIB is intended to provide a general-purpose
   mechanism for specifying transport address, and for specifying
   parameters of SNMP messages generated by an SNMP entity. It is used
   within this document for generation of notifications and for proxy
   forwarding. However, it may be used for other purposes. If another
   document makes use of this MIB, that document is responsible for
   specifying how it is used. For example, [RFC2576] uses this MIB for
   source address validation of SNMPv1 messages.

4.1.1. Tag Lists

   The snmpTargetAddrTagList object is used for grouping entries in the
   snmpTargetAddrTable. The value of this object contains a list of tag
   values which are used to select target addresses to be used for a
   particular operation.

   A tag value, which may also be used in MIB objects other than
   snmpTargetAddrTagList, is an arbitrary string of octets, but may not
   contain a delimiter character. Delimiter characters are defined to
   be one of the following characters:

   - An ASCII space character (0x20).

   - An ASCII TAB character (0x09).

   - An ASCII carriage return (CR) character (0x0D).

   - An ASCII line feed (LF) character (0x0B).

   In addition, a tag value may not have a zero length. Generally, a
   particular MIB object may contain either

   - a single tag value, in which case the value of the MIB object
     may not contain a delimiter character, or:

   - a MIB object may contain a list of tag values, separated by
     single delimiter characters.

   For a list of tag values, these constraints imply certain
   restrictions on the value of a MIB object:

   - There cannot be a leading or trailing delimiter character.

   - There cannot be multiple adjacent delimiter characters.

4.1.2. Definitions

   SNMP-TARGET-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY,
       OBJECT-TYPE,
       snmpModules,
       Counter32,
       Integer32
           FROM SNMPv2-SMI

       TEXTUAL-CONVENTION,
       TDomain,
       TAddress,
       TimeInterval,
       RowStatus,
       StorageType,
       TestAndIncr
           FROM SNMPv2-TC

       SnmpSecurityModel,
       SnmpMessageProcessingModel,
       SnmpSecurityLevel,
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB

       MODULE-COMPLIANCE,
       OBJECT-GROUP
           FROM SNMPv2-CONF;

   snmpTargetMIB MODULE-IDENTITY
       LAST-UPDATED "9808040000Z"
       ORGANIZATION "IETF SNMPv3 Working Group"
       CONTACT-INFO
           "WG-email:   snmpv3@lists.tislabs.com
            Subscribe:  majordomo@lists.tislabs.com
                        In message body:  subscribe snmpv3

            Co-Chair:   Russ Mundy
                        Trusted Information Systems
            Postal:     3060 Washington Rd
                        Glenwood, Maryland 21738
                        USA
            EMail:      mundy@tislabs.com
            Phone:      +1-301-854-6889

            Co-Chair:   David Harrington
                        Enterasys Networks
            Postal:     35 Industrial Way
                        P. O. Box 5004
                        Rochester, New Hampshire 03866-5005
                        USA
            EMail:      dbh@enterasys.com
            Phone:      +1 603-337-2614

            Co-editor:  David B. Levi
                        Nortel Networks
            Postal:     3505 Kesterwood Drive
                        Knoxville, Tennessee 37918
            EMail:      dlevi@nortelnetworks.com
            Phone:      +1 865 686 0432

            Co-editor:  Paul Meyer
                        Secure Computing Corporation
            Postal:     2675 Long Lake Road
                        Roseville, Minnesota 55113
            EMail:      paul_meyer@securecomputing.com
            Phone:      +1 651 628 1592

            Co-editor:  Bob Stewart
                        Cisco Systems, Inc.
            Postal:     170 West Tasman Drive
                        San Jose, California 95134-1706
            EMail:      bstewart@cisco.com
            Phone:      +1 603 654 2686"
       DESCRIPTION
           "This MIB module defines MIB objects which provide
            mechanisms to remotely configure the parameters used
            by an SNMP entity for the generation of SNMP messages."
       REVISION     "9808040000Z"
       DESCRIPTION  "Clarifications, published as
                     draft-ietf-snmpv3-appl-v2-01.txt."
       REVISION     "9707140000Z"
       DESCRIPTION  "The initial revision, published as RFC2273."
       ::= { snmpModules 12 }

   snmpTargetObjects       OBJECT IDENTIFIER ::= { snmpTargetMIB 1 }
   snmpTargetConformance   OBJECT IDENTIFIER ::= { snmpTargetMIB 3 }

   SnmpTagValue ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "255a"
       STATUS       current
       DESCRIPTION
           "An octet string containing a tag value.
            Tag values are preferably in human-readable form.

            To facilitate internationalization, this information
            is represented using the ISO/IEC IS 10646-1 character
            set, encoded as an octet string using the UTF-8
            character encoding scheme described in RFC 2279.

            Since additional code points are added by amendments
            to the 10646 standard from time to time,
            implementations must be prepared to encounter any code
            point from 0x00000000 to 0x7fffffff.

            The use of control codes should be avoided, and certain
            control codes are not allowed as described below.

            For code points not directly supported by user
            interface hardware or software, an alternative means
            of entry and display, such as hexadecimal, may be
            provided.

            For information encoded in 7-bit US-ASCII, the UTF-8
            representation is identical to the US-ASCII encoding.

            Note that when this TC is used for an object that
            is used or envisioned to be used as an index, then a
            SIZE restriction must be specified so that the number
            of sub-identifiers for any object instance does not
            exceed the limit of 128, as defined by [RFC1905].

            An object of this type contains a single tag value
            which is used to select a set of entries in a table.

            A tag value is an arbitrary string of octets, but
            may not contain a delimiter character.
            Delimiter
            characters are defined to be one of the following:

                -  An ASCII space character (0x20).

                -  An ASCII TAB character (0x09).

                -  An ASCII carriage return (CR) character (0x0D).

                -  An ASCII line feed (LF) character (0x0B).

            Delimiter characters are used to separate tag values
            in a tag list. An object of this type may only
            contain a single tag value, and so delimiter
            characters are not allowed in a value of this type.

            Some examples of valid tag values are:

                - 'acme'

                - 'router'

                - 'host'

            The use of a tag value to select table entries is
            application and MIB specific."
       SYNTAX       OCTET STRING (SIZE (0..255))

   SnmpTagList ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "255a"
       STATUS       current
       DESCRIPTION
           "An octet string containing a list of tag values.
            Tag values are preferably in human-readable form.

            To facilitate internationalization, this information
            is represented using the ISO/IEC IS 10646-1 character
            set, encoded as an octet string using the UTF-8
            character encoding scheme described in RFC 2279.

            Since additional code points are added by amendments
            to the 10646 standard from time to time,
            implementations must be prepared to encounter any code
            point from 0x00000000 to 0x7fffffff.

            The use of control codes should be avoided, except as
            described below.

            For code points not directly supported by user
            interface hardware or software, an alternative means
            of entry and display, such as hexadecimal, may be
            provided.

            For information encoded in 7-bit US-ASCII, the UTF-8
            representation is identical to the US-ASCII encoding.

            An object of this type contains a list of tag values
            which are used to select a set of entries in a table.

            A tag value is an arbitrary string of octets, but
            may not contain a delimiter character.
Delimiter 1543 characters are defined to be one of the following: 1545 - An ASCII space character (0x20). 1547 - An ASCII TAB character (0x09). 1549 - An ASCII carriage return (CR) character (0x0D). 1551 - An ASCII line feed (LF) character (0x0B). 1553 Delimiter characters are used to separate tag values 1554 in a tag list. Only a single delimiter character may 1555 occur between two tag values. A tag value may not 1556 have a zero length. These constraints imply certain 1557 restrictions on the contents of this object: 1559 - There cannot be a leading or trailing delimiter 1560 character. 1562 - There cannot be multiple adjacent delimiter 1563 characters. 1565 Some examples of valid tag lists are: 1567 - An empty string 1569 - 'acme router' 1571 - 'host managerStation' 1573 Note that although a tag value may not have a length of 1574 zero, an empty string is still valid. This indicates 1575 an empty list (i.e. there are no tag values in the list). 1577 The use of the tag list to select table entries is 1578 application and MIB specific. Typically, an application 1579 will provide one or more tag values, and any entry 1580 which contains some combination of these tag values 1581 will be selected." 1582 SYNTAX OCTET STRING (SIZE (0..255)) 1584 -- 1585 -- 1586 -- The snmpTargetObjects group 1587 -- 1588 -- 1590 snmpTargetSpinLock OBJECT-TYPE 1591 SYNTAX TestAndIncr 1592 MAX-ACCESS read-write 1593 STATUS current 1594 DESCRIPTION 1595 "This object is used to facilitate modification of table 1596 entries in the SNMP-TARGET-MIB module by multiple 1597 managers. In particular, it is useful when modifying 1598 the value of the snmpTargetAddrTagList object. 1600 The procedure for modifying the snmpTargetAddrTagList 1601 object is as follows: 1603 1. Retrieve the value of snmpTargetSpinLock and 1604 of snmpTargetAddrTagList. 1606 2. Generate a new value for snmpTargetAddrTagList. 1608 3. 
Set the value of snmpTargetSpinLock to the 1609 retrieved value, and the value of 1610 snmpTargetAddrTagList to the new value. If 1611 the set fails for the snmpTargetSpinLock 1612 object, go back to step 1." 1613 ::= { snmpTargetObjects 1 } 1615 snmpTargetAddrTable OBJECT-TYPE 1616 SYNTAX SEQUENCE OF SnmpTargetAddrEntry 1617 MAX-ACCESS not-accessible 1618 STATUS current 1619 DESCRIPTION 1620 "A table of transport addresses to be used in the generation 1621 of SNMP messages." 1622 ::= { snmpTargetObjects 2 } 1624 snmpTargetAddrEntry OBJECT-TYPE 1625 SYNTAX SnmpTargetAddrEntry 1626 MAX-ACCESS not-accessible 1627 STATUS current 1628 DESCRIPTION 1629 "A transport address to be used in the generation 1630 of SNMP operations. 1632 Entries in the snmpTargetAddrTable are created and 1633 deleted using the snmpTargetAddrRowStatus object." 1634 INDEX { IMPLIED snmpTargetAddrName } 1635 ::= { snmpTargetAddrTable 1 } 1637 SnmpTargetAddrEntry ::= SEQUENCE { 1638 snmpTargetAddrName SnmpAdminString, 1639 snmpTargetAddrTDomain TDomain, 1640 snmpTargetAddrTAddress TAddress, 1641 snmpTargetAddrTimeout TimeInterval, 1642 snmpTargetAddrRetryCount Integer32, 1643 snmpTargetAddrTagList SnmpTagList, 1644 snmpTargetAddrParams SnmpAdminString, 1645 snmpTargetAddrStorageType StorageType, 1646 snmpTargetAddrRowStatus RowStatus 1648 } 1650 snmpTargetAddrName OBJECT-TYPE 1651 SYNTAX SnmpAdminString (SIZE(1..32)) 1652 MAX-ACCESS not-accessible 1653 STATUS current 1654 DESCRIPTION 1655 "The locally arbitrary, but unique identifier associated 1656 with this snmpTargetAddrEntry." 1657 ::= { snmpTargetAddrEntry 1 } 1659 snmpTargetAddrTDomain OBJECT-TYPE 1660 SYNTAX TDomain 1661 MAX-ACCESS read-create 1662 STATUS current 1663 DESCRIPTION 1664 "This object indicates the transport type of the address 1665 contained in the snmpTargetAddrTAddress object." 
1666        ::= { snmpTargetAddrEntry 2 }

1668    snmpTargetAddrTAddress OBJECT-TYPE
1669        SYNTAX      TAddress
1670        MAX-ACCESS  read-create
1671        STATUS      current
1672        DESCRIPTION
1673            "This object contains a transport address.  The format of
1674             this address depends on the value of the
1675             snmpTargetAddrTDomain object."
1676        ::= { snmpTargetAddrEntry 3 }

1678    snmpTargetAddrTimeout OBJECT-TYPE
1679        SYNTAX      TimeInterval
1680        MAX-ACCESS  read-create
1681        STATUS      current
1682        DESCRIPTION
1683            "This object should reflect the expected maximum round
1684             trip time for communicating with the transport address
1685             defined by this row.  When a message is sent to this
1686             address, and a response (if one is expected) is not
1687             received within this time period, an implementation
1688             may assume that the response will not be delivered.

1690             Note that the time interval that an application waits
1691             for a response may actually be derived from the value
1692             of this object.  The method for deriving the actual time
1693             interval is implementation dependent.  One such method
1694             is to derive the expected round trip time based on a
1695             particular retransmission algorithm and on the number
1696             of timeouts which have occurred.  The type of message may
1697             also be considered when deriving expected round trip
1698             times for retransmissions.  For example, if a message is
1699             being sent with a securityLevel that indicates both
1700             authentication and privacy, the derived value may be
1701             increased to compensate for extra processing time spent
1702             during authentication and encryption processing."
1703        DEFVAL { 1500 }
1704        ::= { snmpTargetAddrEntry 4 }

1706    snmpTargetAddrRetryCount OBJECT-TYPE
1707        SYNTAX      Integer32 (0..255)
1708        MAX-ACCESS  read-create
1709        STATUS      current
1710        DESCRIPTION
1711            "This object specifies a default number of retries to be
1712             attempted when a response is not received for a generated
1713             message.  An application may provide its own retry count,
1714             in which case the value of this object is ignored."
1715        DEFVAL { 3 }
1716        ::= { snmpTargetAddrEntry 5 }

1718    snmpTargetAddrTagList OBJECT-TYPE
1719        SYNTAX      SnmpTagList
1720        MAX-ACCESS  read-create
1721        STATUS      current
1722        DESCRIPTION
1723            "This object contains a list of tag values which are
1724             used to select target addresses for a particular
1725             operation."
1726        DEFVAL { "" }
1727        ::= { snmpTargetAddrEntry 6 }

1729    snmpTargetAddrParams OBJECT-TYPE
1730        SYNTAX      SnmpAdminString (SIZE(1..32))
1731        MAX-ACCESS  read-create
1732        STATUS      current
1733        DESCRIPTION
1734            "The value of this object identifies an entry in the
1735             snmpTargetParamsTable.  The identified entry
1736             contains SNMP parameters to be used when generating
1737             messages to be sent to this transport address."
1738        ::= { snmpTargetAddrEntry 7 }

1740    snmpTargetAddrStorageType OBJECT-TYPE
1741        SYNTAX      StorageType
1742        MAX-ACCESS  read-create
1743        STATUS      current
1744        DESCRIPTION
1745            "The storage type for this conceptual row."
1746        DEFVAL { nonVolatile }
1747        ::= { snmpTargetAddrEntry 8 }

1749    snmpTargetAddrRowStatus OBJECT-TYPE
1750        SYNTAX      RowStatus
1751        MAX-ACCESS  read-create
1752        STATUS      current
1753        DESCRIPTION
1754            "The status of this conceptual row.

1756             To create a row in this table, a manager must
1757             set this object to either createAndGo(4) or
1758             createAndWait(5).

1760             Until instances of all corresponding columns are
1761             appropriately configured, the value of the
1762             corresponding instance of the snmpTargetAddrRowStatus
1763             column is 'notReady'.

1765             In particular, a newly created row cannot be made
1766             active until the corresponding instances of
1767             snmpTargetAddrTDomain, snmpTargetAddrTAddress, and
1768             snmpTargetAddrParams have all been set.
1770             The following objects may not be modified while the
1771             value of this object is active(1):
1772                 - snmpTargetAddrTDomain
1773                 - snmpTargetAddrTAddress
1774             An attempt to set these objects while the value of
1775             snmpTargetAddrRowStatus is active(1) will result in
1776             an inconsistentValue error."
1777        ::= { snmpTargetAddrEntry 9 }

1779    snmpTargetParamsTable OBJECT-TYPE
1780        SYNTAX      SEQUENCE OF SnmpTargetParamsEntry
1781        MAX-ACCESS  not-accessible
1782        STATUS      current
1783        DESCRIPTION
1784            "A table of SNMP target information to be used
1785             in the generation of SNMP messages."
1786        ::= { snmpTargetObjects 3 }

1788    snmpTargetParamsEntry OBJECT-TYPE
1789        SYNTAX      SnmpTargetParamsEntry
1790        MAX-ACCESS  not-accessible
1791        STATUS      current
1792        DESCRIPTION
1793            "A set of SNMP target information.

1795             Entries in the snmpTargetParamsTable are created and
1796             deleted using the snmpTargetParamsRowStatus object."
1797        INDEX { IMPLIED snmpTargetParamsName }
1798        ::= { snmpTargetParamsTable 1 }

1800    SnmpTargetParamsEntry ::= SEQUENCE {
1801        snmpTargetParamsName           SnmpAdminString,
1802        snmpTargetParamsMPModel        SnmpMessageProcessingModel,
1803        snmpTargetParamsSecurityModel  SnmpSecurityModel,
1804        snmpTargetParamsSecurityName   SnmpAdminString,
1805        snmpTargetParamsSecurityLevel  SnmpSecurityLevel,
1806        snmpTargetParamsStorageType    StorageType,
1807        snmpTargetParamsRowStatus      RowStatus
1808    }

1810    snmpTargetParamsName OBJECT-TYPE
1811        SYNTAX      SnmpAdminString (SIZE(1..32))
1812        MAX-ACCESS  not-accessible
1813        STATUS      current
1814        DESCRIPTION
1815            "The locally arbitrary, but unique identifier associated
1816             with this snmpTargetParamsEntry."
1817        ::= { snmpTargetParamsEntry 1 }

1819    snmpTargetParamsMPModel OBJECT-TYPE
1820        SYNTAX      SnmpMessageProcessingModel
1821        MAX-ACCESS  read-create
1822        STATUS      current
1823        DESCRIPTION
1824            "The Message Processing Model to be used when generating
1825             SNMP messages using this entry."
1826        ::= { snmpTargetParamsEntry 2 }

1828    snmpTargetParamsSecurityModel OBJECT-TYPE
1829        SYNTAX      SnmpSecurityModel (1..2147483647)
1830        MAX-ACCESS  read-create
1831        STATUS      current
1832        DESCRIPTION
1833            "The Security Model to be used when generating SNMP
1834             messages using this entry.  An implementation may
1835             choose to return an inconsistentValue error if an
1836             attempt is made to set this variable to a value
1837             for a security model which the implementation does
1838             not support."
1839        ::= { snmpTargetParamsEntry 3 }

1841    snmpTargetParamsSecurityName OBJECT-TYPE
1842        SYNTAX      SnmpAdminString
1843        MAX-ACCESS  read-create
1844        STATUS      current
1845        DESCRIPTION
1846            "The securityName which identifies the Principal on
1847             whose behalf SNMP messages will be generated using
1848             this entry."
1849        ::= { snmpTargetParamsEntry 4 }

1851    snmpTargetParamsSecurityLevel OBJECT-TYPE
1852        SYNTAX      SnmpSecurityLevel
1853        MAX-ACCESS  read-create
1854        STATUS      current
1855        DESCRIPTION
1856            "The Level of Security to be used when generating
1857             SNMP messages using this entry."
1858        ::= { snmpTargetParamsEntry 5 }

1860    snmpTargetParamsStorageType OBJECT-TYPE
1861        SYNTAX      StorageType
1862        MAX-ACCESS  read-create
1863        STATUS      current
1864        DESCRIPTION
1865            "The storage type for this conceptual row."
1866        DEFVAL { nonVolatile }
1867        ::= { snmpTargetParamsEntry 6 }

1869    snmpTargetParamsRowStatus OBJECT-TYPE
1870        SYNTAX      RowStatus
1871        MAX-ACCESS  read-create
1872        STATUS      current
1873        DESCRIPTION
1874            "The status of this conceptual row.

1876             To create a row in this table, a manager must
1877             set this object to either createAndGo(4) or
1878             createAndWait(5).

1880             Until instances of all corresponding columns are
1881             appropriately configured, the value of the
1882             corresponding instance of the snmpTargetParamsRowStatus
1883             column is 'notReady'.
1885             In particular, a newly created row cannot be made
1886             active until the corresponding
1887             snmpTargetParamsMPModel,
1888             snmpTargetParamsSecurityModel,
1889             snmpTargetParamsSecurityName,
1890             and snmpTargetParamsSecurityLevel have all been set.

1892             The following objects may not be modified while the
1893             value of this object is active(1):
1894                 - snmpTargetParamsMPModel
1895                 - snmpTargetParamsSecurityModel
1896                 - snmpTargetParamsSecurityName
1897                 - snmpTargetParamsSecurityLevel
1898             An attempt to set these objects while the value of
1899             snmpTargetParamsRowStatus is active(1) will result in
1900             an inconsistentValue error."
1901        ::= { snmpTargetParamsEntry 7 }

1903    snmpUnavailableContexts OBJECT-TYPE
1904        SYNTAX      Counter32
1905        MAX-ACCESS  read-only
1906        STATUS      current
1907        DESCRIPTION
1908            "The total number of packets received by the SNMP
1909             engine which were dropped because the context
1910             contained in the message was unavailable."
1911        ::= { snmpTargetObjects 4 }

1913    snmpUnknownContexts OBJECT-TYPE
1914        SYNTAX      Counter32
1915        MAX-ACCESS  read-only
1916        STATUS      current
1917        DESCRIPTION
1918            "The total number of packets received by the SNMP
1919             engine which were dropped because the context
1920             contained in the message was unknown."
1921        ::= { snmpTargetObjects 5 }

1923    --
1924    --
1925    -- Conformance information
1926    --
1927    --

1929    snmpTargetCompliances OBJECT IDENTIFIER ::=
1930                                            { snmpTargetConformance 1 }
1931    snmpTargetGroups      OBJECT IDENTIFIER ::=
1932                                            { snmpTargetConformance 2 }

1934    --
1935    --
1936    -- Compliance statements
1937    --
1938    --

1940    snmpTargetCommandResponderCompliance MODULE-COMPLIANCE
1941        STATUS      current
1942        DESCRIPTION
1943            "The compliance statement for SNMP entities which include
1944             a command responder application."
1945        MODULE -- This Module
1946            MANDATORY-GROUPS { snmpTargetCommandResponderGroup }
1947        ::= { snmpTargetCompliances 1 }

1949    snmpTargetBasicGroup OBJECT-GROUP
1950        OBJECTS {
1951            snmpTargetSpinLock,
1952            snmpTargetAddrTDomain,
1953            snmpTargetAddrTAddress,
1954            snmpTargetAddrTagList,
1955            snmpTargetAddrParams,
1956            snmpTargetAddrStorageType,
1957            snmpTargetAddrRowStatus,
1958            snmpTargetParamsMPModel,
1959            snmpTargetParamsSecurityModel,
1960            snmpTargetParamsSecurityName,
1961            snmpTargetParamsSecurityLevel,
1962            snmpTargetParamsStorageType,
1963            snmpTargetParamsRowStatus
1964        }
1965        STATUS      current
1966        DESCRIPTION
1967            "A collection of objects providing basic remote
1968             configuration of management targets."
1969        ::= { snmpTargetGroups 1 }

1971    snmpTargetResponseGroup OBJECT-GROUP
1972        OBJECTS {
1973            snmpTargetAddrTimeout,
1974            snmpTargetAddrRetryCount
1975        }
1976        STATUS      current
1977        DESCRIPTION
1978            "A collection of objects providing remote configuration
1979             of management targets for applications which generate
1980             SNMP messages for which a response message would be
1981             expected."
1982        ::= { snmpTargetGroups 2 }

1984    snmpTargetCommandResponderGroup OBJECT-GROUP
1985        OBJECTS {
1986            snmpUnavailableContexts,
1987            snmpUnknownContexts
1988        }
1989        STATUS      current
1990        DESCRIPTION
1991            "A collection of objects required for command responder
1992             applications, used for counting error conditions."
1993        ::= { snmpTargetGroups 3 }

1995    END

1997 4.2. The Notification MIB Module

1999    The SNMP-NOTIFICATION-MIB module contains objects for the remote
2000    configuration of the parameters used by an SNMP entity for the
2001    generation of notifications.  It consists of three tables and
2002    conformance/compliance statements.  The first table, the
2003    snmpNotifyTable, contains entries which select which entries in the
2004    snmpTargetAddrTable should be used for generating notifications, and
2005    the type of notifications to be generated.
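How the tag and mask rules in these two MIB modules decide which targets a notification can reach, as an added Python example that is not part of the draft: it validates an SnmpTagList, selects snmpTargetAddrTable rows by snmpNotifyTag, and tests an OID against a snmpNotifyFilterSubtree/snmpNotifyFilterMask family. All function names and sample rows are constructed for illustration; treating LF as 0x0A, skipping malformed rows, and rejecting OIDs shorter than the subtree are assumptions.

```python
"""Notification target selection by tag, and filter-family matching."""

# Delimiters named in the SnmpTagValue/SnmpTagList text: space, TAB, CR, LF.
# Assumption: LF is 0x0A (ASCII line feed); the draft prints 0x0B beside it.
DELIMITERS = frozenset(b" \t\r\n")
MAX_TAG_OCTETS = 255  # SYNTAX OCTET STRING (SIZE (0..255))


def parse_tag_list(octets):
    """Split an SnmpTagList into tag values, rejecting malformed lists."""
    if len(octets) > MAX_TAG_OCTETS:
        raise ValueError("tag list longer than 255 octets")
    tags, current = [], bytearray()
    for position, octet in enumerate(octets):
        if octet not in DELIMITERS:
            current.append(octet)
            continue
        if not current:  # delimiter at the start, or right after another one
            raise ValueError(f"zero-length tag value at offset {position}")
        tags.append(bytes(current))
        current.clear()
    if octets and not current:
        raise ValueError("trailing delimiter")
    if current:
        tags.append(bytes(current))
    return tags  # b"" yields [], the valid empty list


def is_tag_value(octets):
    """An SnmpTagValue is at most 255 octets and holds no delimiter."""
    return len(octets) <= MAX_TAG_OCTETS and DELIMITERS.isdisjoint(octets)


def select_targets(notify_tag, addr_tag_lists):
    """Names of snmpTargetAddrTable rows whose tag list holds notify_tag."""
    if not is_tag_value(notify_tag):
        raise ValueError("snmpNotifyTag must be a single tag value")
    if not notify_tag:  # a zero-length snmpNotifyTag selects no entries
        return []
    selected = []
    for name, tag_list in addr_tag_lists.items():
        try:
            tags = parse_tag_list(tag_list)
        except ValueError:
            continue  # assumption: a malformed row is skipped, not guessed at
        if notify_tag in tags:  # whole-value equality, never a substring match
            selected.append(name)
    return sorted(selected)


def mask_bit(mask, index):
    """Mask bit for sub-identifier index (0-based); short masks extend with 1s."""
    octet, shift = divmod(index, 8)
    if octet >= len(mask):
        return 1
    return (mask[octet] >> (7 - shift)) & 1  # most significant bit comes first


def in_filter_family(oid, subtree, mask=b""):
    """True if oid lies in the family of subtrees given by subtree and mask."""
    if len(mask) > 16:
        raise ValueError("snmpNotifyFilterMask is at most 16 octets")
    if len(oid) < len(subtree):
        return False  # assumption: an OID shorter than the subtree never matches
    return all(
        mask_bit(mask, i) == 0 or oid[i] == sub_id
        for i, sub_id in enumerate(subtree)
    )


# Constructed sample rows: snmpTargetAddrName -> snmpTargetAddrTagList.
SAMPLE_ADDR_TAG_LISTS = {
    "nms-primary": b"acme router",
    "nms-backup": b"router2 host",
    "lab-station": b"host managerStation",
    "broken-row": b"router  acme",  # two adjacent delimiters: invalid list
}

# Constructed filter entry: sub-identifier 10 is a wild card, the rest exact.
SAMPLE_SUBTREE = (1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 2)
SAMPLE_MASK = bytes([0xFF, 0xA0])  # 11111111 101xxxxx

if __name__ == "__main__":
    print(select_targets(b"router", SAMPLE_ADDR_TAG_LISTS))
    print(in_filter_family((1, 3, 6, 1, 2, 1, 2, 2, 1, 7, 2),
                           SAMPLE_SUBTREE, SAMPLE_MASK))
```

The tag "router" selects only "nms-primary": "router2" is a different tag value, and the row with adjacent delimiters is not a valid tag list.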
2007    The second table sparsely augments the snmpTargetAddrTable with an
2008    object which is used to associate a set of filters with a particular
2009    management target.

2011    The third table defines filters which are used to limit the number of
2012    notifications which are generated using particular management
2013    targets.

2015 4.2.1. Definitions

2017    SNMP-NOTIFICATION-MIB DEFINITIONS ::= BEGIN

2019    IMPORTS
2020        MODULE-IDENTITY,
2021        OBJECT-TYPE,
2022        snmpModules
2023            FROM SNMPv2-SMI

2025        RowStatus,
2026        StorageType
2027            FROM SNMPv2-TC

2029        SnmpAdminString
2030            FROM SNMP-FRAMEWORK-MIB

2032        SnmpTagValue,
2033        snmpTargetParamsName
2034            FROM SNMP-TARGET-MIB

2036        MODULE-COMPLIANCE,
2037        OBJECT-GROUP
2038            FROM SNMPv2-CONF;

2040    snmpNotificationMIB MODULE-IDENTITY
2041        LAST-UPDATED "9808040000Z"
2042        ORGANIZATION "IETF SNMPv3 Working Group"
2043        CONTACT-INFO
2044            "WG-email:   snmpv3@lists.tislabs.com
2045             Subscribe:  majordomo@lists.tislabs.com
2046                         In message body:  subscribe snmpv3

2048             Co-Chair:   Russ Mundy
2049                         Trusted Information Systems
2050             Postal:     3060 Washington Rd
2051                         Glenwood, Maryland 21738
2052                         USA
2053             EMail:      mundy@tislabs.com
2054             Phone:      +1-301-854-6889

2056             Co-Chair:   David Harrington
2057                         Enterasys Networks
2058             Postal:     35 Industrial Way
2059                         P. O. Box 5004
2060                         Rochester, New Hampshire 03866-5005
2061                         USA
2062             EMail:      dbh@enterasys.com
2063             Phone:      +1 603-337-2614

2065             Co-editor:  David B. Levi
2066                         Nortel Networks
2067             Postal:     3505 Kesterwood Drive
2068                         Knoxville, Tennessee 37918
2069             EMail:      dlevi@nortelnetworks.com
2070             Phone:      +1 865 686 0432

2072             Co-editor:  Paul Meyer
2073                         Secure Computing Corporation
2074             Postal:     2675 Long Lake Road
2075                         Roseville, Minnesota 55113
2076             EMail:      paul_meyer@securecomputing.com
2077             Phone:      +1 651 628 1592

2079             Co-editor:  Bob Stewart
2080                         Cisco Systems, Inc.
2081             Postal:     170 West Tasman Drive
2082                         San Jose, California 95134-1706
2083             EMail:      bstewart@cisco.com
2084             Phone:      +1 603 654 2686"
2085        DESCRIPTION
2086            "This MIB module defines MIB objects which provide
2087             mechanisms to remotely configure the parameters
2088             used by an SNMP entity for the generation of
2089             notifications."

2091        REVISION    "9808040000Z"
2092        DESCRIPTION "Clarifications, published as
2093                     draft-ietf-snmpv3-appl-v2-01.txt."
2094        REVISION    "9707140000Z"
2095        DESCRIPTION "The initial revision, published as RFC2273."
2096        ::= { snmpModules 13 }

2098    snmpNotifyObjects        OBJECT IDENTIFIER ::=
2099                                              { snmpNotificationMIB 1 }
2100    snmpNotifyConformance    OBJECT IDENTIFIER ::=
2101                                              { snmpNotificationMIB 3 }

2103    --
2104    --
2105    -- The snmpNotifyObjects group
2106    --
2107    --

2109    snmpNotifyTable OBJECT-TYPE
2110        SYNTAX      SEQUENCE OF SnmpNotifyEntry
2111        MAX-ACCESS  not-accessible
2112        STATUS      current
2113        DESCRIPTION
2114            "This table is used to select management targets which should
2115             receive notifications, as well as the type of notification
2116             which should be sent to each selected management target."
2117        ::= { snmpNotifyObjects 1 }

2119    snmpNotifyEntry OBJECT-TYPE
2120        SYNTAX      SnmpNotifyEntry
2121        MAX-ACCESS  not-accessible
2122        STATUS      current
2123        DESCRIPTION
2124            "An entry in this table selects a set of management targets
2125             which should receive notifications, as well as the type of
2126             notification which should be sent to each selected
2127             management target.

2129             Entries in the snmpNotifyTable are created and
2130             deleted using the snmpNotifyRowStatus object."
2131        INDEX { IMPLIED snmpNotifyName }
2132        ::= { snmpNotifyTable 1 }

2134    SnmpNotifyEntry ::= SEQUENCE {
2135        snmpNotifyName         SnmpAdminString,
2136        snmpNotifyTag          SnmpTagValue,
2137        snmpNotifyType         INTEGER,
2138        snmpNotifyStorageType  StorageType,
2139        snmpNotifyRowStatus    RowStatus
2140    }

2142    snmpNotifyName OBJECT-TYPE
2143        SYNTAX      SnmpAdminString (SIZE(1..32))
2144        MAX-ACCESS  not-accessible
2145        STATUS      current
2146        DESCRIPTION
2147            "The locally arbitrary, but unique identifier associated
2148             with this snmpNotifyEntry."
2149        ::= { snmpNotifyEntry 1 }

2151    snmpNotifyTag OBJECT-TYPE
2152        SYNTAX      SnmpTagValue
2153        MAX-ACCESS  read-create
2154        STATUS      current
2155        DESCRIPTION
2156            "This object contains a single tag value which is used
2157             to select entries in the snmpTargetAddrTable.  Any entry
2158             in the snmpTargetAddrTable which contains a tag value
2159             which is equal to the value of an instance of this
2160             object is selected.  If this object contains a value
2161             of zero length, no entries are selected."
2162        DEFVAL { "" }
2163        ::= { snmpNotifyEntry 2 }

2165    snmpNotifyType OBJECT-TYPE
2166        SYNTAX      INTEGER {
2167                        trap(1),
2168                        inform(2)
2169                    }
2170        MAX-ACCESS  read-create
2171        STATUS      current
2172        DESCRIPTION
2173            "This object determines the type of notification to
2174             be generated for entries in the snmpTargetAddrTable
2175             selected by the corresponding instance of
2176             snmpNotifyTag.  This value is only used when
2177             generating notifications, and is ignored when
2178             using the snmpTargetAddrTable for other purposes.

2180             If the value of this object is trap(1), then any
2181             messages generated for selected rows will contain
2182             Unconfirmed-Class PDUs.

2184             If the value of this object is inform(2), then any
2185             messages generated for selected rows will contain
2186             Confirmed-Class PDUs.

2188             Note that if an SNMP entity only supports
2189             generation of Unconfirmed-Class PDUs (and not
2190             Confirmed-Class PDUs), then this object may be
2191             read-only."
2192        DEFVAL { trap }
2193        ::= { snmpNotifyEntry 3 }

2195    snmpNotifyStorageType OBJECT-TYPE
2196        SYNTAX      StorageType
2197        MAX-ACCESS  read-create
2198        STATUS      current
2199        DESCRIPTION
2200            "The storage type for this conceptual row."
2201        DEFVAL { nonVolatile }
2202        ::= { snmpNotifyEntry 4 }

2204    snmpNotifyRowStatus OBJECT-TYPE
2205        SYNTAX      RowStatus
2206        MAX-ACCESS  read-create
2207        STATUS      current
2208        DESCRIPTION
2209            "The status of this conceptual row.

2211             To create a row in this table, a manager must
2212             set this object to either createAndGo(4) or
2213             createAndWait(5)."
2214        ::= { snmpNotifyEntry 5 }

2216    snmpNotifyFilterProfileTable OBJECT-TYPE
2217        SYNTAX      SEQUENCE OF SnmpNotifyFilterProfileEntry
2218        MAX-ACCESS  not-accessible
2219        STATUS      current
2220        DESCRIPTION
2221            "This table is used to associate a notification filter
2222             profile with a particular set of target parameters."
2223        ::= { snmpNotifyObjects 2 }

2225    snmpNotifyFilterProfileEntry OBJECT-TYPE
2226        SYNTAX      SnmpNotifyFilterProfileEntry
2227        MAX-ACCESS  not-accessible
2228        STATUS      current
2229        DESCRIPTION
2230            "An entry in this table indicates the name of the filter
2231             profile to be used when generating notifications using
2232             the corresponding entry in the snmpTargetParamsTable.

2234             Entries in the snmpNotifyFilterProfileTable are created
2235             and deleted using the snmpNotifyFilterProfileRowStatus
2236             object."
2237        INDEX { IMPLIED snmpTargetParamsName }
2238        ::= { snmpNotifyFilterProfileTable 1 }

2240    SnmpNotifyFilterProfileEntry ::= SEQUENCE {
2241        snmpNotifyFilterProfileName       SnmpAdminString,
2242        snmpNotifyFilterProfileStorType   StorageType,
2243        snmpNotifyFilterProfileRowStatus  RowStatus
2244    }

2246    snmpNotifyFilterProfileName OBJECT-TYPE
2247        SYNTAX      SnmpAdminString (SIZE(1..32))
2248        MAX-ACCESS  read-create
2249        STATUS      current
2250        DESCRIPTION
2251            "The name of the filter profile to be used when generating
2252             notifications using the corresponding entry in the
2253             snmpTargetAddrTable."
2254        ::= { snmpNotifyFilterProfileEntry 1 }

2256    snmpNotifyFilterProfileStorType OBJECT-TYPE
2257        SYNTAX      StorageType
2258        MAX-ACCESS  read-create
2259        STATUS      current
2260        DESCRIPTION
2261            "The storage type of this conceptual row."
2262        DEFVAL { nonVolatile }
2263        ::= { snmpNotifyFilterProfileEntry 2 }

2265    snmpNotifyFilterProfileRowStatus OBJECT-TYPE
2266        SYNTAX      RowStatus
2267        MAX-ACCESS  read-create
2268        STATUS      current
2269        DESCRIPTION
2270            "The status of this conceptual row.

2272             To create a row in this table, a manager must
2273             set this object to either createAndGo(4) or
2274             createAndWait(5).

2276             Until instances of all corresponding columns are
2277             appropriately configured, the value of the
2278             corresponding instance of the
2279             snmpNotifyFilterProfileRowStatus column is 'notReady'.

2281             In particular, a newly created row cannot be made
2282             active until the corresponding instance of
2283             snmpNotifyFilterProfileName has been set."
2284        ::= { snmpNotifyFilterProfileEntry 3 }

2286    snmpNotifyFilterTable OBJECT-TYPE
2287        SYNTAX      SEQUENCE OF SnmpNotifyFilterEntry
2288        MAX-ACCESS  not-accessible
2289        STATUS      current
2290        DESCRIPTION
2291            "The table of filter profiles.  Filter profiles are used
2292             to determine whether particular management targets should
2293             receive particular notifications.

2295             When a notification is generated, it must be compared
2296             with the filters associated with each management target
2297             which is configured to receive notifications, in order to
2298             determine whether it may be sent to each such management
2299             target.

2301             A more complete discussion of notification filtering
2302             can be found in section 6. of [SNMP-APPL]."
2303        ::= { snmpNotifyObjects 3 }

2305    snmpNotifyFilterEntry OBJECT-TYPE
2306        SYNTAX      SnmpNotifyFilterEntry
2307        MAX-ACCESS  not-accessible
2308        STATUS      current
2309        DESCRIPTION
2310            "An element of a filter profile.
2312             Entries in the snmpNotifyFilterTable are created and
2313             deleted using the snmpNotifyFilterRowStatus object."
2314        INDEX {         snmpNotifyFilterProfileName,
2315                IMPLIED snmpNotifyFilterSubtree }
2316        ::= { snmpNotifyFilterTable 1 }

2318    SnmpNotifyFilterEntry ::= SEQUENCE {
2319        snmpNotifyFilterSubtree      OBJECT IDENTIFIER,
2320        snmpNotifyFilterMask         OCTET STRING,
2321        snmpNotifyFilterType         INTEGER,
2322        snmpNotifyFilterStorageType  StorageType,
2323        snmpNotifyFilterRowStatus    RowStatus
2324    }
2325    snmpNotifyFilterSubtree OBJECT-TYPE
2326        SYNTAX      OBJECT IDENTIFIER
2327        MAX-ACCESS  not-accessible
2328        STATUS      current
2329        DESCRIPTION
2330            "The MIB subtree which, when combined with the corresponding
2331             instance of snmpNotifyFilterMask, defines a family of
2332             subtrees which are included in or excluded from the
2333             filter profile."
2334        ::= { snmpNotifyFilterEntry 1 }

2336    snmpNotifyFilterMask OBJECT-TYPE
2337        SYNTAX      OCTET STRING (SIZE(0..16))
2338        MAX-ACCESS  read-create
2339        STATUS      current
2340        DESCRIPTION
2341            "The bit mask which, in combination with the corresponding
2342             instance of snmpNotifyFilterSubtree, defines a family of
2343             subtrees which are included in or excluded from the
2344             filter profile.

2346             Each bit of this bit mask corresponds to a
2347             sub-identifier of snmpNotifyFilterSubtree, with the
2348             most significant bit of the i-th octet of this octet
2349             string value (extended if necessary, see below)
2350             corresponding to the (8*i - 7)-th sub-identifier, and
2351             the least significant bit of the i-th octet of this
2352             octet string corresponding to the (8*i)-th
2353             sub-identifier, where i is in the range 1 through 16.

2355             Each bit of this bit mask specifies whether or not
2356             the corresponding sub-identifiers must match when
2357             determining if an OBJECT IDENTIFIER matches this
2358             family of filter subtrees; a '1' indicates that an
2359             exact match must occur; a '0' indicates 'wild card',
2360             i.e., any sub-identifier value matches.
2362             Thus, the OBJECT IDENTIFIER X of an object instance
2363             is contained in a family of filter subtrees if, for
2364             each sub-identifier of the value of
2365             snmpNotifyFilterSubtree, either:

2367                 the i-th bit of snmpNotifyFilterMask is 0, or

2369                 the i-th sub-identifier of X is equal to the i-th
2370                 sub-identifier of the value of
2371                 snmpNotifyFilterSubtree.

2373             If the value of this bit mask is M bits long and
2374             there are more than M sub-identifiers in the
2375             corresponding instance of snmpNotifyFilterSubtree,
2376             then the bit mask is extended with 1's to be the
2377             required length.

2379             Note that when the value of this object is the
2380             zero-length string, this extension rule results in
2381             a mask of all-1's being used (i.e., no 'wild card'),
2382             and the family of filter subtrees is the one
2383             subtree uniquely identified by the corresponding
2384             instance of snmpNotifyFilterSubtree."
2385        DEFVAL { ''H }
2386        ::= { snmpNotifyFilterEntry 2 }

2388    snmpNotifyFilterType OBJECT-TYPE
2389        SYNTAX      INTEGER {
2390                        included(1),
2391                        excluded(2)
2392                    }
2393        MAX-ACCESS  read-create
2394        STATUS      current
2395        DESCRIPTION
2396            "This object indicates whether the family of filter subtrees
2397             defined by this entry are included in or excluded from a
2398             filter.  A more detailed discussion of the use of this
2399             object can be found in section 6. of [SNMP-APPL]."
2400        DEFVAL { included }
2401        ::= { snmpNotifyFilterEntry 3 }

2403    snmpNotifyFilterStorageType OBJECT-TYPE
2404        SYNTAX      StorageType
2405        MAX-ACCESS  read-create
2406        STATUS      current
2407        DESCRIPTION
2408            "The storage type of this conceptual row."
2409        DEFVAL { nonVolatile }
2410        ::= { snmpNotifyFilterEntry 4 }

2412    snmpNotifyFilterRowStatus OBJECT-TYPE
2413        SYNTAX      RowStatus
2414        MAX-ACCESS  read-create
2415        STATUS      current
2416        DESCRIPTION
2417            "The status of this conceptual row.

2419             To create a row in this table, a manager must
2420             set this object to either createAndGo(4) or
2421             createAndWait(5)."
2422        ::= { snmpNotifyFilterEntry 5 }

2424    --
2425    --
2426    -- Conformance information
2427    --
2428    --

2430    snmpNotifyCompliances OBJECT IDENTIFIER ::=
2431                                            { snmpNotifyConformance 1 }
2432    snmpNotifyGroups      OBJECT IDENTIFIER ::=
2433                                            { snmpNotifyConformance 2 }

2435    --
2436    --
2437    -- Compliance statements
2438    --
2439    --

2441    snmpNotifyBasicCompliance MODULE-COMPLIANCE
2442        STATUS      current
2443        DESCRIPTION
2444            "The compliance statement for minimal SNMP entities which
2445             implement only SNMP Unconfirmed-Class notifications and
2446             read-create operations on only the snmpTargetAddrTable."
2447        MODULE SNMP-TARGET-MIB
2448            MANDATORY-GROUPS { snmpTargetBasicGroup }

2450            OBJECT snmpTargetParamsMPModel
2451            MIN-ACCESS    read-only
2452            DESCRIPTION
2453                "Create/delete/modify access is not required."

2455            OBJECT snmpTargetParamsSecurityModel
2456            MIN-ACCESS    read-only
2457            DESCRIPTION
2458                "Create/delete/modify access is not required."

2460            OBJECT snmpTargetParamsSecurityName
2461            MIN-ACCESS    read-only
2462            DESCRIPTION
2463                "Create/delete/modify access is not required."

2465            OBJECT snmpTargetParamsSecurityLevel
2466            MIN-ACCESS    read-only
2467            DESCRIPTION
2468                "Create/delete/modify access is not required."

2470            OBJECT snmpTargetParamsStorageType
2471            SYNTAX INTEGER {
2472                readOnly(5)
2473            }
2474            MIN-ACCESS    read-only
2475            DESCRIPTION
2476                "Create/delete/modify access is not required.
2477                 Support of the values other(1), volatile(2),
2478                 nonVolatile(3), and permanent(4) is not required."

2480            OBJECT snmpTargetParamsRowStatus
2481            SYNTAX INTEGER {
2482                active(1)
2483            }
2484            MIN-ACCESS    read-only
2485            DESCRIPTION
2486                "Create/delete/modify access to the
2487                 snmpTargetParamsTable is not required.
2488                 Support of the values notInService(2), notReady(3),
2489                 createAndGo(4), createAndWait(5), and destroy(6) is
2490                 not required."
2492        MODULE -- This Module
2493            MANDATORY-GROUPS { snmpNotifyGroup }

2495            OBJECT snmpNotifyTag
2496            MIN-ACCESS    read-only
2497            DESCRIPTION
2498                "Create/delete/modify access is not required."

2500            OBJECT snmpNotifyType
2501            SYNTAX INTEGER {
2502                trap(1)
2503            }
2504            MIN-ACCESS    read-only
2505            DESCRIPTION
2506                "Create/delete/modify access is not required.
2507                 Support of the value notify(2) is not required."

2509            OBJECT snmpNotifyStorageType
2510            SYNTAX INTEGER {
2511                readOnly(5)
2512            }
2513            MIN-ACCESS    read-only
2514            DESCRIPTION
2515                "Create/delete/modify access is not required.
2516                 Support of the values other(1), volatile(2),
2517                 nonVolatile(3), and permanent(4) is not required."

2519            OBJECT snmpNotifyRowStatus
2520            SYNTAX INTEGER {
2521                active(1)
2522            }
2523            MIN-ACCESS    read-only
2524            DESCRIPTION
2525                "Create/delete/modify access to the
2526                 snmpNotifyTable is not required.
2527                 Support of the values notInService(2), notReady(3),
2528                 createAndGo(4), createAndWait(5), and destroy(6) is
2529                 not required."

2531        ::= { snmpNotifyCompliances 1 }

2533    snmpNotifyBasicFiltersCompliance MODULE-COMPLIANCE
2534        STATUS      current
2535        DESCRIPTION
2536            "The compliance statement for SNMP entities which implement
2537             SNMP Unconfirmed-Class notifications with filtering, and
2538             read-create operations on all related tables."
2539        MODULE SNMP-TARGET-MIB
2540            MANDATORY-GROUPS { snmpTargetBasicGroup }
2541        MODULE -- This Module
2542            MANDATORY-GROUPS { snmpNotifyGroup,
2543                               snmpNotifyFilterGroup }
2544        ::= { snmpNotifyCompliances 2 }

2546    snmpNotifyFullCompliance MODULE-COMPLIANCE
2547        STATUS      current
2548        DESCRIPTION
2549            "The compliance statement for SNMP entities which either
2550             implement only SNMP Confirmed-Class notifications, or both
2551             SNMP Unconfirmed-Class and Confirmed-Class notifications,
2552             plus filtering and read-create operations on all related
2553             tables."
2554        MODULE SNMP-TARGET-MIB
2555            MANDATORY-GROUPS { snmpTargetBasicGroup,
2556                               snmpTargetResponseGroup }
2557        MODULE -- This Module
2558            MANDATORY-GROUPS { snmpNotifyGroup,
2559                               snmpNotifyFilterGroup }
2560        ::= { snmpNotifyCompliances 3 }

2562    snmpNotifyGroup OBJECT-GROUP
2563        OBJECTS {
2564            snmpNotifyTag,
2565            snmpNotifyType,
2566            snmpNotifyStorageType,
2567            snmpNotifyRowStatus
2568        }
2569        STATUS      current
2570        DESCRIPTION
2571            "A collection of objects for selecting which management
2572             targets are used for generating notifications, and the
2573             type of notification to be generated for each selected
2574             management target."
2575        ::= { snmpNotifyGroups 1 }

2577    snmpNotifyFilterGroup OBJECT-GROUP
2578        OBJECTS {
2579            snmpNotifyFilterProfileName,
2580            snmpNotifyFilterProfileStorType,
2581            snmpNotifyFilterProfileRowStatus,
2582            snmpNotifyFilterMask,
2583            snmpNotifyFilterType,
2584            snmpNotifyFilterStorageType,
2585            snmpNotifyFilterRowStatus
2586        }
2587        STATUS      current
2588        DESCRIPTION
2589            "A collection of objects providing remote configuration
2590             of notification filters."
2591        ::= { snmpNotifyGroups 2 }

2593    END

2595 4.3. The Proxy MIB Module

2597    The SNMP-PROXY-MIB module, which defines MIB objects that provide
2598    mechanisms to remotely configure the parameters used by an SNMP
2599    entity for proxy forwarding operations, contains a single table.
2600    This table, snmpProxyTable, is used to define translations between
2601    management targets for use when forwarding messages.

2603 4.3.1. Definitions

2605    SNMP-PROXY-MIB DEFINITIONS ::= BEGIN

2607    IMPORTS
2608        MODULE-IDENTITY,
2609        OBJECT-TYPE,
2610        snmpModules
2611            FROM SNMPv2-SMI

2613        RowStatus,
2614        StorageType
2615            FROM SNMPv2-TC

2617        SnmpEngineID,
2618        SnmpAdminString
2619            FROM SNMP-FRAMEWORK-MIB

2621        SnmpTagValue
2622            FROM SNMP-TARGET-MIB

2624        MODULE-COMPLIANCE,
2625        OBJECT-GROUP
2626            FROM SNMPv2-CONF;

2628    snmpProxyMIB MODULE-IDENTITY
2629        LAST-UPDATED "9808040000Z"
2630        ORGANIZATION "IETF SNMPv3 Working Group"
2631        CONTACT-INFO
2632            "WG-email:   snmpv3@lists.tislabs.com
2633             Subscribe:  majordomo@lists.tislabs.com
2634                         In message body:  subscribe snmpv3

2636             Co-Chair:   Russ Mundy
2637                         Trusted Information Systems
2638             Postal:     3060 Washington Rd
2639                         Glenwood, Maryland 21738
2640                         USA

2642             EMail:      mundy@tislabs.com
2643             Phone:      +1-301-854-6889

2645             Co-Chair:   David Harrington
2646                         Enterasys Networks
2647             Postal:     35 Industrial Way
2648                         P. O. Box 5004
2649                         Rochester, New Hampshire 03866-5005
2650                         USA
2651             EMail:      dbh@enterasys.com
2652             Phone:      +1 603-337-2614

2654             Co-editor:  David B. Levi
2655                         Nortel Networks
2656             Postal:     3505 Kesterwood Drive
2657                         Knoxville, Tennessee 37918
2658             EMail:      dlevi@nortelnetworks.com
2659             Phone:      +1 865 686 0432

2661             Co-editor:  Paul Meyer
2662                         Secure Computing Corporation
2663             Postal:     2675 Long Lake Road
2664                         Roseville, Minnesota 55113
2665             EMail:      paul_meyer@securecomputing.com
2666             Phone:      +1 651 628 1592

2668             Co-editor:  Bob Stewart
2669                         Cisco Systems, Inc.
2670             Postal:     170 West Tasman Drive
2671                         San Jose, California 95134-1706
2672             EMail:      bstewart@cisco.com
2673             Phone:      +1 603 654 2686"
2674        DESCRIPTION
2675            "This MIB module defines MIB objects which provide
2676             mechanisms to remotely configure the parameters
2677             used by a proxy forwarding application."
2678        REVISION    "9808040000Z"
2679        DESCRIPTION "Clarifications, published as
2680                     draft-ietf-snmpv3-appl-v2-01.txt."
2681        REVISION    "9707140000Z"
2682        DESCRIPTION "The initial revision, published as RFC2273."
2683      ::= { snmpModules 14 }

2685  snmpProxyObjects        OBJECT IDENTIFIER ::= { snmpProxyMIB 1 }
2686  snmpProxyConformance    OBJECT IDENTIFIER ::= { snmpProxyMIB 3 }

2688  --
2689  --
2690  -- The snmpProxyObjects group
2691  --
2692  --

2694  snmpProxyTable OBJECT-TYPE
2695      SYNTAX      SEQUENCE OF SnmpProxyEntry
2696      MAX-ACCESS  not-accessible
2697      STATUS      current
2698      DESCRIPTION
2699          "The table of translation parameters used by proxy forwarder
2700           applications for forwarding SNMP messages."
2701      ::= { snmpProxyObjects 2 }

2703  snmpProxyEntry OBJECT-TYPE
2704      SYNTAX      SnmpProxyEntry
2705      MAX-ACCESS  not-accessible
2706      STATUS      current
2707      DESCRIPTION
2708          "A set of translation parameters used by a proxy forwarder
2709           application for forwarding SNMP messages.

2711           Entries in the snmpProxyTable are created and deleted
2712           using the snmpProxyRowStatus object."
2713      INDEX { IMPLIED snmpProxyName }
2714      ::= { snmpProxyTable 1 }

2716  SnmpProxyEntry ::= SEQUENCE {
2717      snmpProxyName               SnmpAdminString,
2718      snmpProxyType               INTEGER,
2719      snmpProxyContextEngineID    SnmpEngineID,
2720      snmpProxyContextName        SnmpAdminString,
2721      snmpProxyTargetParamsIn     SnmpAdminString,
2722      snmpProxySingleTargetOut    SnmpAdminString,
2723      snmpProxyMultipleTargetOut  SnmpTagValue,
2724      snmpProxyStorageType        StorageType,
2725      snmpProxyRowStatus          RowStatus
2726  }

2728  snmpProxyName OBJECT-TYPE
2729      SYNTAX      SnmpAdminString (SIZE(1..32))
2730      MAX-ACCESS  not-accessible
2731      STATUS      current
2732      DESCRIPTION
2733          "The locally arbitrary, but unique identifier associated
2734           with this snmpProxyEntry."
2735      ::= { snmpProxyEntry 1 }

2737  snmpProxyType OBJECT-TYPE
2738      SYNTAX      INTEGER {
2739                      read(1),
2740                      write(2),
2741                      trap(3),
2742                      inform(4)
2743                  }
2744      MAX-ACCESS  read-create
2745      STATUS      current
2746      DESCRIPTION
2747          "The type of message that may be forwarded using
2748           the translation parameters defined by this entry."
2749      ::= { snmpProxyEntry 2 }

2751  snmpProxyContextEngineID OBJECT-TYPE
2752      SYNTAX      SnmpEngineID
2753      MAX-ACCESS  read-create
2754      STATUS      current
2755      DESCRIPTION
2756          "The contextEngineID contained in messages that
2757           may be forwarded using the translation parameters
2758           defined by this entry."
2759      ::= { snmpProxyEntry 3 }

2761  snmpProxyContextName OBJECT-TYPE
2762      SYNTAX      SnmpAdminString
2763      MAX-ACCESS  read-create
2764      STATUS      current
2765      DESCRIPTION
2766          "The contextName contained in messages that may be
2767           forwarded using the translation parameters defined
2768           by this entry.

2770           This object is optional, and if not supported, the
2771           contextName contained in a message is ignored when
2772           selecting an entry in the snmpProxyTable."
2773      ::= { snmpProxyEntry 4 }

2775  snmpProxyTargetParamsIn OBJECT-TYPE
2776      SYNTAX      SnmpAdminString
2777      MAX-ACCESS  read-create
2778      STATUS      current
2779      DESCRIPTION
2780          "This object selects an entry in the snmpTargetParamsTable.
2781           The selected entry is used to determine which row of the
2782           snmpProxyTable to use for forwarding received messages."
2783      ::= { snmpProxyEntry 5 }

2785  snmpProxySingleTargetOut OBJECT-TYPE
2786      SYNTAX      SnmpAdminString
2787      MAX-ACCESS  read-create
2788      STATUS      current
2789      DESCRIPTION
2790          "This object selects a management target defined in the
2791           snmpTargetAddrTable (in the SNMP-TARGET-MIB).  The
2792           selected target is defined by an entry in the
2793           snmpTargetAddrTable whose index value (snmpTargetAddrName)
2794           is equal to this object.

2796           This object is only used when selection of a single
2797           target is required (i.e. when forwarding an incoming
2798           read or write request)."
2799      ::= { snmpProxyEntry 6 }

2801  snmpProxyMultipleTargetOut OBJECT-TYPE
2802      SYNTAX      SnmpTagValue
2803      MAX-ACCESS  read-create
2804      STATUS      current
2805      DESCRIPTION
2806          "This object selects a set of management targets defined
2807           in the snmpTargetAddrTable (in the SNMP-TARGET-MIB).
2809           This object is only used when selection of multiple
2810           targets is required (i.e. when forwarding an incoming
2811           notification)."
2812      ::= { snmpProxyEntry 7 }

2814  snmpProxyStorageType OBJECT-TYPE
2815      SYNTAX      StorageType
2816      MAX-ACCESS  read-create
2817      STATUS      current
2818      DESCRIPTION
2819          "The storage type of this conceptual row."
2820      DEFVAL { nonVolatile }
2821      ::= { snmpProxyEntry 8 }

2823  snmpProxyRowStatus OBJECT-TYPE
2824      SYNTAX      RowStatus
2825      MAX-ACCESS  read-create
2826      STATUS      current
2827      DESCRIPTION
2828          "The status of this conceptual row.

2830           To create a row in this table, a manager must
2831           set this object to either createAndGo(4) or
2832           createAndWait(5).

2834           The following objects may not be modified while the
2835           value of this object is active(1):
2836               - snmpProxyType
2837               - snmpProxyContextEngineID
2838               - snmpProxyContextName
2839               - snmpProxyTargetParamsIn
2840               - snmpProxySingleTargetOut
2841               - snmpProxyMultipleTargetOut"
2842      ::= { snmpProxyEntry 9 }

2844  --
2845  --
2846  -- Conformance information
2847  --
2848  --

2850  snmpProxyCompliances OBJECT IDENTIFIER ::=
2851                                              { snmpProxyConformance 1 }
2852  snmpProxyGroups      OBJECT IDENTIFIER ::=
2853                                              { snmpProxyConformance 2 }

2855  --
2856  --
2857  -- Compliance statements
2858  --
2859  --

2861  snmpProxyCompliance MODULE-COMPLIANCE
2862      STATUS      current
2863      DESCRIPTION
2864          "The compliance statement for SNMP entities which include
2865           a proxy forwarding application."
2866      MODULE SNMP-TARGET-MIB
2867          MANDATORY-GROUPS { snmpTargetBasicGroup,
2868                             snmpTargetResponseGroup }
2869      MODULE -- This Module
2870          MANDATORY-GROUPS { snmpProxyGroup }
2871      ::= { snmpProxyCompliances 1 }

2873  snmpProxyGroup OBJECT-GROUP
2874      OBJECTS {
2875          snmpProxyType,
2876          snmpProxyContextEngineID,
2877          snmpProxyTargetParamsIn,
2878          snmpProxySingleTargetOut,
2879          snmpProxyMultipleTargetOut,
2880          snmpProxyStorageType,
2881          snmpProxyRowStatus
2882      }
2883      STATUS      current
2884      DESCRIPTION
2885          "A collection of objects providing remote configuration of
2886           management target translation parameters for use by
2887           proxy forwarder applications."
2888      ::= { snmpProxyGroups 3 }

2890  END

2892  5. Identification of Management Targets in Notification Originators

2894     This section describes the mechanisms used by a notification
2895     originator application when using the MIB module described in this
2896     document to determine the set of management targets to be used when
2897     generating a notification.

2899     A notification originator uses all active entries in the
2900     snmpNotifyTable to find the management targets to be used for
2901     generating notifications.  Each active entry in this table selects
2902     zero or more entries in the snmpTargetAddrTable.  When a notification
2903     is generated, it is sent to all of the targets specified by the
2904     selected snmpTargetAddrTable entries (subject to the application of
2905     access control and notification filtering).

2907     Any entry in the snmpTargetAddrTable whose snmpTargetAddrTagList
2908     object contains a tag value which is equal to a value of
2909     snmpNotifyTag is selected by the snmpNotifyEntry which contains that
2910     instance of snmpNotifyTag.  Note that a particular
2911     snmpTargetAddrEntry may be selected by multiple entries in the
2912     snmpNotifyTable, resulting in multiple notifications being generated
2913     using that snmpTargetAddrEntry (this allows, for example, both traps
2914     and informs to be sent to the same target).

2916     Each snmpTargetAddrEntry contains a pointer to the
2917     snmpTargetParamsTable (snmpTargetAddrParams).  This pointer selects a
2918     set of SNMP parameters to be used for generating notifications.  If
2919     the selected entry in the snmpTargetParamsTable does not exist, the
2920     management target is not used to generate notifications.

2922     The decision as to whether a notification should contain an
2923     Unconfirmed-Class or a Confirmed-Class PDU is determined by the value
2924     of the snmpNotifyType object.  If the value of this object is
2925     trap(1), the notification should contain an Unconfirmed-Class PDU.
2926     If the value of this object is inform(2), then the notification
2927     should contain a Confirmed-Class PDU, and the timeout time and number
2928     of retries for the notification are the value of
2929     snmpTargetAddrTimeout and snmpTargetAddrRetryCount.  Note that the
2930     exception to these rules is when the snmpTargetParamsMPModel object
2931     indicates an SNMP version which supports a different PDU version.  In
2932     this case, the notification may be sent using a different PDU type
2933     ([RFC2576] defines the PDU type in the case where the outgoing SNMP
2934     version is SNMPv1).

2936  6. Notification Filtering

2938     This section describes the mechanisms used by a notification
2939     originator application when using the MIB module described in this
2940     document to filter generation of notifications.

2942     A notification originator uses the snmpNotifyFilterTable to filter
2943     notifications.  A notification filter profile may be associated with
2944     a particular entry in the snmpTargetParamsTable.  The associated
2945     filter profile is identified by an entry in the
2946     snmpNotifyFilterProfileTable whose index is equal to the index of the
2947     entry in the snmpTargetParamsTable.  If no such entry exists in the
2948     snmpNotifyFilterProfileTable, no filtering is performed for that
2949     management target.

2951     If such an entry does exist, the value of snmpNotifyFilterProfileName
2952     of the entry is compared with the corresponding portion of the index
2953     of all active entries in the snmpNotifyFilterTable.  All such entries
2954     for which this comparison results in an exact match are used for
2955     filtering a notification generated using the associated
2956     snmpTargetParamsEntry.  If no such entries exist, no filtering is
2957     performed, and a notification may be sent to the management target.

2959     Otherwise, if matching entries do exist, a notification may be sent
2960     if the NOTIFICATION-TYPE OBJECT IDENTIFIER of the notification (this
2961     is the value of the element of the variable bindings whose name is
2962     snmpTrapOID.0, i.e., the second variable binding) is specifically
2963     included, and none of the object instances to be included in the
2964     variable-bindings of the notification are specifically excluded by
2965     the matching entries.

2967     Each set of snmpNotifyFilterTable entries is divided into two
2968     collections of filter subtrees:  the included filter subtrees, and
2969     the excluded filter subtrees.  The snmpNotifyFilterType object
2970     defines the collection to which each matching entry belongs.

2972     To determine whether a particular notification name or object
2973     instance is excluded by the set of matching entries, compare the
2974     notification name's or object instance's OBJECT IDENTIFIER with each
2975     of the matching entries.  For a notification name, if none match,
2976     then the notification name is considered excluded, and the
2977     notification should not be sent to this management target.  For an
2978     object instance, if none match, the object instance is considered
2979     included, and the notification may be sent to this management target.
2980     If one or more match, then the notification name or object instance
2981     is included or excluded, according to the value of
2982     snmpNotifyFilterType in the entry whose value of
2983     snmpNotifyFilterSubtree has the most sub-identifiers.  If multiple
2984     entries match and have the same number of sub-identifiers, then the
2985     value of snmpNotifyFilterType, in the entry among those which match,
2986     and whose instance is lexicographically the largest, determines the
2987     inclusion or exclusion.

2989     A notification name or object instance's OBJECT IDENTIFIER X matches
2990     an entry in the snmpNotifyFilterTable when the number of sub-
2991     identifiers in X is at least as many as in the value of
2992     snmpNotifyFilterSubtree for the entry, and each sub-identifier in the
2993     value of snmpNotifyFilterSubtree matches its corresponding sub-
2994     identifier in X.  Two sub-identifiers match either if the
2995     corresponding bit of snmpNotifyFilterMask is zero (the 'wild card'
2996     value), or if the two sub-identifiers are equal.

2998  7. Management Target Translation in Proxy Forwarder Applications

3000     This section describes the mechanisms used by a proxy forwarder
3001     application when using the MIB module described in this document to
3002     translate incoming management target information into outgoing
3003     management target information for the purpose of forwarding messages.
3004     There are actually two mechanisms a proxy forwarder may use, one for
3005     forwarding request messages, and one for forwarding notification
3006     messages.

3008  7.1. Management Target Translation for Request Forwarding

3010     When forwarding request messages, the proxy forwarder will select a
3011     single entry in the snmpProxyTable.  To select this entry, it will
3012     perform the following comparisons:

3014        - The snmpProxyType must be read(1) if the request is a Read-
3015          Class PDU.  The snmpProxyType must be write(2) if the request
3016          is a Write-Class PDU.

3018        - The contextEngineID must equal the snmpProxyContextEngineID
3019          object.

3021        - If the snmpProxyContextName object is supported, it must equal
3022          the contextName.

3024        - The snmpProxyTargetParamsIn object identifies an entry in the
3025          snmpTargetParamsTable.  The messageProcessingModel,
3026          securityLevel, security model, and securityName must match the
3027          values of snmpTargetParamsMPModel,
3028          snmpTargetParamsSecurityModel, snmpTargetParamsSecurityName,
3029          and snmpTargetParamsSecurityLevel of the identified entry in
3030          the snmpTargetParamsTable.

3032     There may be multiple entries in the snmpProxyTable for which these
3033     comparisons succeed.  The entry whose snmpProxyName has the
3034     lexicographically smallest value and for which the comparisons
3035     succeed will be selected by the proxy forwarder.

3037     The outgoing management target information is identified by the value
3038     of the snmpProxySingleTargetOut object of the selected entry.  This
3039     object identifies an entry in the snmpTargetAddrTable.  The
3040     identified entry in the snmpTargetAddrTable also contains a reference
3041     to the snmpTargetParamsTable (snmpTargetAddrParams).  If either the
3042     identified entry in the snmpTargetAddrTable does not exist, or the
3043     identified entry in the snmpTargetParamsTable does not exist, then
3044     this snmpProxyEntry does not identify valid forwarding information,
3045     and the proxy forwarder should attempt to identify another row.

3047     If there is no entry in the snmpProxyTable for which all of the
3048     conditions above may be met, then there is no appropriate forwarding
3049     information, and the proxy forwarder should take appropriate actions.
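
The row selection described above for request forwarding, as an added example that is not part of the draft. Class and function names, the engine ID, the addresses and the table contents are constructed; only the table columns that the comparisons use are modelled.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

READ, WRITE = 1, 2  # snmpProxyType values that apply to request forwarding


@dataclass(frozen=True)
class TargetParams:
    """The compared columns of one snmpTargetParamsTable row."""
    mp_model: int
    security_model: int
    security_name: str
    security_level: int


@dataclass(frozen=True)
class TargetAddr:
    """One snmpTargetAddrTable row (columns used as the destination)."""
    tdomain: str
    taddress: str
    timeout: int
    retry_count: int
    params: str  # snmpTargetAddrParams: index into snmpTargetParamsTable


@dataclass(frozen=True)
class ProxyRow:
    """One snmpProxyTable row (columns used for request forwarding)."""
    name: str
    proxy_type: int
    context_engine_id: bytes
    context_name: str
    target_params_in: str
    single_target_out: str


@dataclass(frozen=True)
class Request:
    """What the comparisons need to know about an incoming request."""
    proxy_type: int          # READ for Read-Class, WRITE for Write-Class
    context_engine_id: bytes
    context_name: str
    security: TargetParams   # parameters the request actually arrived with


def select_request_target(
    req: Request,
    proxy_rows: Iterable[ProxyRow],
    params_table: Dict[str, TargetParams],
    addr_table: Dict[str, TargetAddr],
    context_name_supported: bool = True,
) -> Optional[Tuple[str, TargetAddr, TargetParams]]:
    """Return (snmpProxyName, outgoing address row, outgoing params row),
    or None when no row yields valid forwarding information."""

    def matches(row: ProxyRow) -> bool:
        if row.proxy_type != req.proxy_type:
            return False
        if row.context_engine_id != req.context_engine_id:
            return False
        if context_name_supported and row.context_name != req.context_name:
            return False
        params_in = params_table.get(row.target_params_in)
        # All four values must match, so a request that arrived with a
        # different securityLevel than the row names is not forwarded by it.
        return params_in is not None and params_in == req.security

    # Lexicographically smallest snmpProxyName first; a row whose outgoing
    # references dangle is skipped and the next candidate is tried.
    for row in sorted(filter(matches, proxy_rows), key=lambda r: r.name.encode()):
        addr = addr_table.get(row.single_target_out)
        if addr is None:
            continue
        params_out = params_table.get(addr.params)
        if params_out is None:
            continue
        return row.name, addr, params_out
    return None


# Constructed sample tables (names, engine ID and addresses are invented).
ENGINE_B = bytes.fromhex("800000000102030405")
PARAMS_TABLE = {
    "in-operator": TargetParams(3, 3, "operator", 3),     # authPriv(3)
    "out-agent-b": TargetParams(3, 3, "proxy-user", 3),
}
ADDR_TABLE = {
    "agent-b": TargetAddr("snmpUDPDomain", "192.0.2.20/161", 1500, 3, "out-agent-b"),
    "agent-stale": TargetAddr("snmpUDPDomain", "192.0.2.30/161", 1500, 3, "deleted-params"),
}
PROXY_ROWS = [
    ProxyRow("b-read", READ, ENGINE_B, "", "in-operator", "agent-b"),
    ProxyRow("a-read", READ, ENGINE_B, "", "in-operator", "agent-stale"),
    ProxyRow("c-write", WRITE, ENGINE_B, "", "in-operator", "agent-b"),
]

if __name__ == "__main__":
    ok = Request(READ, ENGINE_B, "", TargetParams(3, 3, "operator", 3))
    weak = Request(READ, ENGINE_B, "", TargetParams(3, 3, "operator", 2))
    print(select_request_target(ok, PROXY_ROWS, PARAMS_TABLE, ADDR_TABLE))
    print(select_request_target(weak, PROXY_ROWS, PARAMS_TABLE, ADDR_TABLE))
```

Row "a-read" sorts first but points at an address row whose parameters entry no longer exists, so the selection falls through to "b-read"; the authNoPriv request matches no row at all.
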
3051     Otherwise, the snmpTargetAddrTDomain, snmpTargetAddrTAddress,
3052     snmpTargetAddrTimeout, and snmpTargetAddrRetryCount of the identified
3053     snmpTargetAddrEntry, and the snmpTargetParamsMPModel,
3054     snmpTargetParamsSecurityModel, snmpTargetParamsSecurityName, and
3055     snmpTargetParamsSecurityLevel of the identified snmpTargetParamsEntry
3056     are used as the destination management target.

3058  7.2. Management Target Translation for Notification Forwarding

3060     When forwarding notification messages, the proxy forwarder will
3061     select multiple entries in the snmpProxyTable.  To select these
3062     entries, it will perform the following comparisons:

3064        - The snmpProxyType must be trap(3) if the notification is an
3065          Unconfirmed-Class PDU.  The snmpProxyType must be inform(4) if
3066          the request is a Confirmed-Class PDU.

3068        - The contextEngineID must equal the snmpProxyContextEngineID
3069          object.

3071        - If the snmpProxyContextName object is supported, it must equal
3072          the contextName.

3074        - The snmpProxyTargetParamsIn object identifies an entry in the
3075          snmpTargetParamsTable.  The messageProcessingModel,
3076          securityLevel, security model, and securityName must match the
3077          values of snmpTargetParamsMPModel,
3078          snmpTargetParamsSecurityModel, snmpTargetParamsSecurityName,
3079          and snmpTargetParamsSecurityLevel of the identified entry in
3080          the snmpTargetParamsTable.

3082     All entries for which these conditions are met are selected.  The
3083     snmpProxyMultipleTargetOut object of each such entry is used to
3084     select a set of entries in the snmpTargetAddrTable.  Any
3085     snmpTargetAddrEntry whose snmpTargetAddrTagList object contains a tag
3086     value equal to the value of snmpProxyMultipleTargetOut, and whose
3087     snmpTargetAddrParams object references an existing entry in the
3088     snmpTargetParamsTable, is selected as a destination for the forwarded
3089     notification.

3091  8. Intellectual Property

3093     The IETF takes no position regarding the validity or scope of any
3094     intellectual property or other rights that might be claimed to
3095     pertain to the implementation or use of the technology described in
3096     this document or the extent to which any license under such rights
3097     might or might not be available; neither does it represent that it
3098     has made any effort to identify any such rights.  Information on the
3099     IETF's procedures with respect to rights in standards-track and
3100     standards-related documentation can be found in BCP-11.  Copies of
3101     claims of rights made available for publication and any assurances of
3102     licenses to be made available, or the result of an attempt made to
3103     obtain a general license or permission for the use of such
3104     proprietary rights by implementors or users of this specification can
3105     be obtained from the IETF Secretariat.

3107     The IETF invites any interested party to bring to its attention any
3108     copyrights, patents or patent applications, or other proprietary
3109     rights which may cover technology that may be required to practice
3110     this standard.  Please address the information to the IETF Executive
3111     Director.

3113  9. Acknowledgments

3115     This document is the result of the efforts of the SNMPv3 Working
3116     Group.  Some special thanks are in order to the following SNMPv3 WG
3117     members:

3119        Harald Tveit Alvestrand (Maxware)
3120        Dave Battle (SNMP Research, Inc.)
3121        Alan Beard (Disney Worldwide Services)
3122        Paul Berrevoets (SWI Systemware/Halcyon Inc.)
3123        Martin Bjorklund (Ericsson)
3124        Uri Blumenthal (IBM T.J. Watson Research Center)
3125        Jeff Case (SNMP Research, Inc.)
3126        John Curran (BBN)
3127        Mike Daniele (Compaq Computer Corporation)
3128        T. Max Devlin (Eltrax Systems)
3129        John Flick (Hewlett Packard)
3130        Rob Frye (MCI)
3131        Wes Hardaker (U.C.Davis, Information Technology - D.C.A.S.)
3132        David Harrington (Enterasys Networks)
3133        Lauren Heintz (BMC Software, Inc.)
3134        N.C. Hien (IBM T.J. Watson Research Center)
3135        Michael Kirkham (InterWorking Labs, Inc.)
3136        Dave Levi (Nortel Networks)
3137        Louis A Mamakos (UUNET Technologies Inc.)
3138        Joe Marzot (Nortel Networks)
3139        Paul Meyer (Secure Computing Corporation)
3140        Keith McCloghrie (Cisco Systems)
3141        Bob Moore (IBM)
3142        Russ Mundy (TIS Labs at Network Associates)
3143        Bob Natale (ACE*COMM Corporation)
3144        Mike O'Dell (UUNET Technologies Inc.)
3145        Dave Perkins (DeskTalk)
3146        Peter Polkinghorne (Brunel University)
3147        Randy Presuhn (BMC Software, Inc.)
3148        David Reeder (TIS Labs at Network Associates)
3149        David Reid (SNMP Research, Inc.)
3150        Aleksey Romanov (Quality Quorum)
3151        Shawn Routhier (Epilogue)
3152        Juergen Schoenwaelder (TU Braunschweig)
3153        Bob Stewart (Cisco Systems)
3154        Mike Thatcher (Independent Consultant)
3155        Bert Wijnen (Lucent Technologies)

3157     The document is based on recommendations of the IETF Security and
3158     Administrative Framework Evolution for SNMP Advisory Team.  Members of
3159     that Advisory Team were:

3161        David Harrington (Enterasys Networks)
3162        Jeff Johnson (Cisco Systems)
3163        David Levi (Nortel Networks)
3164        John Linn (Openvision)
3165        Russ Mundy (Trusted Information Systems) chair
3166        Shawn Routhier (Epilogue)
3167        Glenn Waters (Nortel)
3168        Bert Wijnen (Lucent Technologies)

3170     As recommended by the Advisory Team and the SNMPv3 Working Group
3171     Charter, the design incorporates as much as practical from previous
3172     RFCs and drafts.  As a result, special thanks are due to the authors
3173     of previous designs known as SNMPv2u and SNMPv2*:

3175        Jeff Case (SNMP Research, Inc.)
3176        David Harrington (Enterasys Networks)
3177        David Levi (Nortel Networks)
3178        Keith McCloghrie (Cisco Systems)
3179        Brian O'Keefe (Hewlett Packard)
3180        Marshall T. Rose (Dover Beach Consulting)
3181        Jon Saperia (BGS Systems Inc.)
3182        Steve Waldbusser (International Network Services)
3183        Glenn W. Waters (Bell-Northern Research Ltd.)

3185  10. Security Considerations

3187     The SNMP applications described in this document typically have
3188     direct access to MIB instrumentation.  Thus, it is very important
3189     that these applications be strict in their application of access
3190     control as described in this document.

3192     In addition, there may be some types of notification generator
3193     applications which, rather than accessing MIB instrumentation using
3194     access control, will obtain MIB information through other means (such
3195     as from a command line).  The implementors and users of such
3196     applications must be responsible for not divulging MIB information
3197     that normally would be inaccessible due to access control.

3199     Finally, the MIBs described in this document contain potentially
3200     sensitive information.  A security administrator may wish to limit
3201     access to these MIBs.

3203  11. References

3205  [RFC2576]
3206       The SNMPv3 Working Group, Frye, R., Levi, D., Wijnen, B.,
3207       "Coexistence between Version 1, Version 2, and Version 3 of the
3208       Internet-standard Network Management Framework", RFC 2576, February
3209       1999.

3211  [RFC1157]
3212       Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network
3213       Management Protocol", RFC 1157, SNMP Research, Performance Systems
3214       International, Performance Systems International, MIT Laboratory
3215       for Computer Science, May 1990.

3217  [RFC1213]
3218       McCloghrie, K., and M. Rose, Editors, "Management Information Base
3219       for Network Management of TCP/IP-based internets: MIB-II", STD 17,
3220       RFC 1213, Hughes LAN Systems, Performance Systems International,
3221       March 1991.

3223  [RFC1905]
3224       SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
3225       Waldbusser, "Protocol Operations for Version 2 of the Simple
3226       Network Management Protocol (SNMPv2)", RFC 1905, SNMP Research, Inc.,
3227       Cisco Systems, Inc., Dover Beach Consulting, Inc., International
3228       Network Services, January 1996.

3230  [RFC1907]
3231       SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
3232       Waldbusser, "Management Information Base for Version 2 of the
3233       Simple Network Management Protocol (SNMPv2)", RFC 1907, SNMP
3234       Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc.,
3235       International Network Services, January 1996.

3237  [RFC2119]
3238       Bradner, S., "Key words for use in RFCs to Indicate Requirement
3239       Levels", BCP 14, RFC 2119, March 1997.

3241  [RFC2578]
3242       McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M.,
3243       and S. Waldbusser, "Structure of Management Information Version 2
3244       (SMIv2)", RFC 2578, STD 58, Cisco Systems, SNMPinfo, TU
3245       Braunschweig, SNMP Research, First Virtual Holdings, International
3246       Network Services, April 1999.

3248  [RFC2579]
3249       McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M.,
3250       and S. Waldbusser, "Textual Conventions for SMIv2", RFC 2579, STD
3251       58, Cisco Systems, SNMPinfo, TU Braunschweig, SNMP Research, First
3252       Virtual Holdings, International Network Services, April 1999.

3254  [RFC2580]
3255       McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M.,
3256       and S. Waldbusser, "Conformance Statements for SMIv2", RFC 2580,
3257       STD 58, Cisco Systems, SNMPinfo, TU Braunschweig, SNMP Research,
3258       First Virtual Holdings, International Network Services, April 1999.

3260  [SNMP-ARCH]
3261       The SNMPv3 Working Group, Harrington, D., Wijnen, B., "An
3262       Architecture for Describing SNMP Management Frameworks", RFC 2571,
3263       May 1999.
3265  [SNMP-MPD]
3266       The SNMPv3 Working Group, Case, J., Harrington, D., Wijnen, B.,
3267       "Message Processing and Dispatching for the Simple Network
3268       Management Protocol (SNMP)", RFC 2572, May 1999.

3270  [SNMP-APPL]
3271       The SNMPv3 Working Group, Levi, D., Meyer, P., Stewart, B., "SNMP
3272       Applications", draft-ietf-snmpv3-appl-v3-00.txt, February 2001.

3274  [SNMP-ACM]
3275       The SNMPv3 Working Group, Wijnen, B., Presuhn, R., McCloghrie, K.,
3276       "View-based Access Control Model for the Simple Network Management
3277       Protocol (SNMP)", RFC 2575, May 1999.

3279  12. Editor's Address

3281     David B. Levi
3282     SNMP Research, Inc.
3283     3001 Kimberlin Heights Road
3284     Knoxville, TN 37920-9716
3285     U.S.A.
3286     Phone: +1 423 573 1434
3287     EMail: levi@snmp.com

3289     Paul Meyer
3290     Secure Computing Corporation
3291     2675 Long Lake Road
3292     Roseville, MN 55113
3293     U.S.A.
3294     Phone: +1 651 628 1592
3295     EMail: paul_meyer@securecomputing.com

3297     Bob Stewart
3298     Cisco Systems, Inc.
3299     170 West Tasman Drive
3300     San Jose, CA 95134-1706
3301     U.S.A.
3302     Phone: +1 603 654 2686
3303     EMail: bstewart@cisco.com

3305  APPENDIX A - Trap Configuration Example

3307     This section describes an example configuration for a Notification
3308     Generator application which implements the snmpNotifyBasicCompliance
3309     level.  The example configuration specifies that the Notification
3310     Generator should send notifications to 3 separate managers, using
3311     authentication and no privacy for the first 2 managers, and using
3312     both authentication and privacy for the third manager.

3314     The configuration consists of three rows in the snmpTargetAddrTable,
3315     and two rows in the snmpTargetTable.
3317        snmpTargetAddrName               SnmpAdminString,
3318        snmpTargetAddrTDomain            TDomain,
3319        snmpTargetAddrTAddress           TAddress,
3320        snmpTargetAddrTimeout            TimeInterval,
3321        snmpTargetAddrRetryCount         Integer32,
3322        snmpTargetAddrTagList            SnmpAdminString,
3323        snmpTargetAddrParams             SnmpAdminString,
3324        snmpTargetAddrStorageType        StorageType,
3325        snmpTargetAddrRowStatus          RowStatus

3327      * snmpTargetAddrName             = "addr1"
3328        snmpTargetAddrTDomain          = snmpUDPDomain
3329        snmpTargetAddrTAddress         = 128.1.2.3/162
3330        snmpTargetAddrTagList          = "group1"
3331        snmpTargetAddrParams           = "AuthNoPriv-joe"
3332        snmpTargetAddrStorageType      = readOnly(5)
3333        snmpTargetAddrRowStatus        = active(1)

3335      * snmpTargetAddrName             = "addr2"
3336        snmpTargetAddrTDomain          = snmpUDPDomain
3337        snmpTargetAddrTAddress         = 128.2.4.6/162
3338        snmpTargetAddrTagList          = "group1"
3339        snmpTargetAddrParams           = "AuthNoPriv-joe"
3340        snmpTargetAddrStorageType      = readOnly(5)
3341        snmpTargetAddrRowStatus        = active(1)

3343      * snmpTargetAddrName             = "addr3"
3344        snmpTargetAddrTDomain          = snmpUDPDomain
3345        snmpTargetAddrTAddress         = 128.1.2.3/162
3346        snmpTargetAddrTagList          = "group2"
3347        snmpTargetAddrParams           = "AuthPriv-bob"
3348        snmpTargetAddrStorageType      = readOnly(5)
3349        snmpTargetAddrRowStatus        = active(1)

3351      * snmpTargetParamsName           = "AuthNoPriv-joe"
3352        snmpTargetParamsMPModel        = 3
3353        snmpTargetParamsSecurityModel  = 3 (USM)
3354        snmpTargetParamsSecurityName   = "joe"
3355        snmpTargetParamsSecurityLevel  = authNoPriv(2)
3356        snmpTargetParamsStorageType    = readOnly(5)
3357        snmpTargetParamsRowStatus      = active(1)

3359      * snmpTargetParamsName           = "AuthPriv-bob"
3360        snmpTargetParamsMPModel        = 3
3361        snmpTargetParamsSecurityModel  = 3 (USM)
3362        snmpTargetParamsSecurityName   = "bob"
3363        snmpTargetParamsSecurityLevel  = authPriv(3)
3364        snmpTargetParamsStorageType    = readOnly(5)
3365        snmpTargetParamsRowStatus      = active(1)

3367      * snmpNotifyName                 = "group1"
3368        snmpNotifyTag                  = "group1"
3369        snmpNotifyType                 = trap(1)
3370        snmpNotifyStorageType          = readOnly(5)
3371        snmpNotifyRowStatus            = active(1)

3373      * snmpNotifyName                 = "group2"
3374        snmpNotifyTag                  = "group2"
3375        snmpNotifyType                 = trap(1)
3376        snmpNotifyStorageType          = readOnly(5)
3377        snmpNotifyRowStatus            = active(1)

3379     These entries define two groups of management targets.  The first
3380     group contains two management targets:

3382                                first target       second target
3383                                ------------       -------------
3384       messageProcessingModel   SNMPv3             SNMPv3
3385       securityModel            3 (USM)            3 (USM)
3386       securityName             "joe"              "joe"
3387       securityLevel            authNoPriv(2)      authNoPriv(2)
3388       transportDomain          snmpUDPDomain      snmpUDPDomain
3389       transportAddress         128.1.2.3/162      128.2.4.6/162

3391     And the second group contains a single management target:

3393       messageProcessingModel   SNMPv3
3394       securityLevel            authPriv(3)
3395       securityModel            3 (USM)
3396       securityName             "bob"
3397       transportDomain          snmpUDPDomain
3398       transportAddress         128.1.5.9/162

3400  B. Full Copyright Statement

3402     This document and translations of it may be copied and furnished to
3403     others, and derivative works that comment on or otherwise explain it
3404     or assist in its implementation may be prepared, copied, published
3405     and distributed, in whole or in part, without restriction of any
3406     kind, provided that the above copyright notice and this paragraph are
3407     included on all such copies and derivative works.  However, this
3408     document itself may not be modified in any way, such as by removing
3409     the copyright notice or references to the Internet Society or other
3410     Internet organizations, except as needed for the purpose of
3411     developing Internet standards in which case the procedures for
3412     copyrights defined in the Internet Standards process must be
3413     followed, or as required to translate it into languages other than
3414     English.

3416     The limited permissions granted above are perpetual and will not be
3417     revoked by the Internet Society or its successors or assigns.
3419     This document and the information contained herein is provided on an
3420     "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
3421     TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
3422     BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
3423     HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
3424     MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

3426  Table of Contents

3428  1 Overview
3429  1.1 Command Generator Applications
3430  1.2 Command Responder Applications
3431  1.3 Notification Originator Applications
3432  1.4 Notification Receiver Applications
3433  1.5 Proxy Forwarder Applications
3434  2 Management Targets
3435  3 Elements Of Procedure
3436  3.1 Command Generator Applications
3437  3.2 Command Responder Applications
3438  3.3 Notification Originator Applications
3439  3.4 Notification Receiver Applications
3440  3.5 Proxy Forwarder Applications
3441  3.5.1 Request Forwarding
3442  3.5.1.1 Processing an Incoming Request
3443  3.5.1.2 Processing an Incoming Response
3444  3.5.1.3 Processing an Incoming Internal-Class PDU
3445  3.5.2 Notification Forwarding
3446  4 The Structure of the MIB Modules
3447  4.1 The Management Target MIB Module
3448  4.1.1 Tag Lists
3449  4.1.2 Definitions
3450  4.2 The Notification MIB Module
3451  4.2.1 Definitions
3452  4.3 The Proxy MIB Module
3453  4.3.1 Definitions
3454  5 Identification of Management Targets in Notification
3455       Originators
3456  6 Notification Filtering
3457  7 Management Target Translation in Proxy Forwarder
3458       Applications
3459  7.1 Management Target Translation for Request Forwarding
3460  7.2 Management Target Translation for Notification Forwarding
3462  8 Intellectual Property
3463  9 Acknowledgments
3464  10 Security Considerations
3465  11 References
3466  12 Editor's Address
3467  A. Trap Configuration Example
3468  B. Full Copyright Statement
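
The filter evaluation of section 6 (Notification Filtering) in runnable form, as an added example that is not part of the draft. The bit order of snmpNotifyFilterMask and its extension with ones follow that object's definition in the Notification MIB; the profile name "ops", the filter rows and the sample notifications are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

Oid = Tuple[int, ...]


@dataclass(frozen=True)
class FilterEntry:
    """One active snmpNotifyFilterTable row belonging to a filter profile."""
    subtree: Oid     # snmpNotifyFilterSubtree
    mask: bytes      # snmpNotifyFilterMask
    included: bool   # snmpNotifyFilterType: included -> True, excluded -> False


def mask_bit(mask: bytes, index: int) -> int:
    """Mask bit for sub-identifier `index` (0-based); 0 is the wild card.
    Bits run from the most significant bit of the first octet, and a mask
    shorter than the subtree is extended with ones."""
    octet, bit = divmod(index, 8)
    if octet >= len(mask):
        return 1
    return (mask[octet] >> (7 - bit)) & 1


def entry_matches(entry: FilterEntry, oid: Oid) -> bool:
    """X matches when it is at least as long as the subtree and every
    subtree sub-identifier is either wild-carded or equal."""
    if len(oid) < len(entry.subtree):
        return False
    return all(
        mask_bit(entry.mask, i) == 0 or sub_id == oid[i]
        for i, sub_id in enumerate(entry.subtree)
    )


def verdict(oid: Oid, entries: Sequence[FilterEntry], default: bool) -> bool:
    """True if `oid` is included; `default` applies when nothing matches."""
    matching = [e for e in entries if entry_matches(e, oid)]
    if not matching:
        return default
    # Most sub-identifiers wins; ties go to the lexicographically largest.
    best = max(matching, key=lambda e: (len(e.subtree), e.subtree))
    return best.included


def may_send(
    params_name: str,
    trap_oid: Oid,
    varbind_oids: Sequence[Oid],
    profiles: Dict[str, str],
    filters: Dict[str, List[FilterEntry]],
) -> bool:
    """Decide whether a notification may go to the target that uses the
    snmpTargetParamsTable row `params_name`."""
    profile = profiles.get(params_name)
    if profile is None:
        return True                      # no profile: no filtering
    entries = filters.get(profile, [])
    if not entries:
        return True                      # profile without entries: no filtering
    # The notification name is excluded unless an entry includes it.
    if not verdict(trap_oid, entries, default=False):
        return False
    # Object instances are included unless an entry excludes them.
    return all(verdict(oid, entries, default=True) for oid in varbind_oids)


# Constructed sample data: OIDs are the standard snmpTraps and ifEntry
# subtrees, everything else is invented for the example.
SNMP_TRAPS = (1, 3, 6, 1, 6, 3, 1, 1, 5)
LINK_DOWN = SNMP_TRAPS + (3,)
AUTH_FAILURE = SNMP_TRAPS + (5,)
IF_ENTRY = (1, 3, 6, 1, 2, 1, 2, 2, 1)

PROFILES = {"AuthNoPriv-joe": "ops"}     # params row name -> profile name
FILTERS = {
    "ops": [
        FilterEntry(SNMP_TRAPS, b"", True),                   # all generic traps
        FilterEntry(AUTH_FAILURE, b"", False),                # except this one
        # ifEntry.<any column>.2: mask 0xFF 0xA0 wild-cards the column.
        FilterEntry(IF_ENTRY + (0, 2), b"\xff\xa0", False),
    ]
}


def link_down_varbinds(if_index: int) -> List[Oid]:
    """ifIndex, ifAdminStatus and ifOperStatus instances for one interface."""
    return [IF_ENTRY + (column, if_index) for column in (1, 7, 8)]


if __name__ == "__main__":
    for if_index in (1, 2):
        print(if_index, may_send("AuthNoPriv-joe", LINK_DOWN,
                                 link_down_varbinds(if_index), PROFILES, FILTERS))
```

A notification whose name matches no entry is dropped while an unmatched object instance passes, so a profile that contains only excluded subtrees suppresses every notification for its targets.
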