idnits 2.17.1 draft-ietf-snmpv3-usm-v2-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. == No 'Intended status' indicated for this document; assuming Proposed Standard == The page length should not exceed 58 lines per page, but there was 82 longer pages, the longest (page 2) being 60 lines == It seems as if not all pages are separated by form feeds - found 0 form feeds but 83 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** There are 197 instances of too long lines in the document, the longest one being 3 characters in excess of 72. ** The abstract seems to contain references ([RFCxxx1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 3315 has weird spacing: '...Hashing for M...' == Line 3446 has weird spacing: '...ageType any...' == Line 3509 has weird spacing: '... u_int pass...' == Line 3511 has weird spacing: '... u_int engi...' == Line 3558 has weird spacing: '... u_int pass...' == (1 more instance...) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFCxxx4' is mentioned on line 157, but not defined == Missing Reference: 'MD5' is mentioned on line 3426, but not defined == Missing Reference: 'Localized-key' is mentioned on line 3256, but not defined -- Looks like a reference, but probably isn't: '64' on line 3515 -- Looks like a reference, but probably isn't: '72' on line 3564 == Unused Reference: 'RFC2028' is defined on line 3318, but no explicit reference was found in the text == Unused Reference: 'Localized-Key' is defined on line 3332, but no explicit reference was found in the text ** Downref: Normative reference to an Informational RFC: RFC 1321 ** Obsolete normative reference: RFC 1903 (Obsoleted by RFC 2579) ** Obsolete normative reference: RFC 1905 (Obsoleted by RFC 3416) ** Obsolete normative reference: RFC 1906 (Obsoleted by RFC 3417) ** Obsolete normative reference: RFC 1907 (Obsoleted by RFC 3418) ** Downref: Normative reference to an Informational RFC: RFC 2104 ** Obsolete normative reference: RFC 2028 (Obsoleted by RFC 9281) -- Possible downref: Non-RFC (?) normative reference: ref. 'RFCxxx1' -- Possible downref: Non-RFC (?) normative reference: ref. 'RFCxxx2' -- Possible downref: Non-RFC (?) normative reference: ref. 'Localized-Key' -- Possible downref: Non-RFC (?) normative reference: ref. 'DES-NIST' -- Possible downref: Non-RFC (?) normative reference: ref. 'DES-ANSI' -- Possible downref: Non-RFC (?) normative reference: ref. 'DESO-NIST' -- Possible downref: Non-RFC (?) normative reference: ref. 'DESO-ANSI' -- Possible downref: Non-RFC (?) normative reference: ref. 'DESG-NIST' -- Possible downref: Non-RFC (?) normative reference: ref. 'DEST-NIST' -- Possible downref: Non-RFC (?) normative reference: ref. 'DESM-NIST' -- Possible downref: Non-RFC (?) normative reference: ref. 'SHA-NIST' Summary: 17 errors (**), 0 flaws (~~), 16 warnings (==), 16 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 SNMPv3 Working Group U. Blumenthal | 2 Internet-Draft IBM T. J. Watson Research | 3 Will Obsolete: RFC2274 B. Wijnen | 4 IBM T. J. Watson Research | 5 August 1998 | 7 User-based Security Model (USM) for version 3 of the 8 Simple Network Management Protocol (SNMPv3) 10 | 12 Status of this Memo 14 This document is an Internet-Draft. Internet-Drafts are working | 15 documents of the Internet Engineering Task Force (IETF), its areas, | 16 and its working groups. Note that other groups may also distribute | 17 working documents as Internet-Drafts. | 19 Internet-Drafts are draft documents valid for a maximum of six months | 20 and may be updated, replaced, or obsoleted by other documents at any | 21 time. It is inappropriate to use Internet- Drafts as reference | 22 material or to cite them other than as ``work in progress.'' | 24 To view the entire list of current Internet-Drafts, please check 25 the "1id-abstracts.txt" listing contained in the Internet-Drafts 26 Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net 27 (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au 28 (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu 29 (US West Coast). 31 Copyright Notice 33 Copyright (C) The Internet Society (1998). All Rights Reserved. 35 Removed IANA note | 37 Abstract 39 This document describes the User-based Security Model (USM) for SNMP 40 version 3 for use in the SNMP architecture [RFCxxx1]. It defines the 41 Elements of Procedure for providing SNMP message level security. 42 This document also includes a MIB for remotely monitoring/managing 43 the configuration parameters for this Security Model. 45 Table of Contents 47 1. Introduction 3 48 1.1. Threats 4 49 1.2. Goals and Constraints 5 50 1.3. Security Services 6 51 1.4. Module Organization 7 52 1.4.1. Timeliness Module 7 53 1.4.2. Authentication Protocol 8 54 1.4.3. Privacy Protocol 8 55 1.5. Protection against Message Replay, Delay and Redirection 8 56 1.5.1. Authoritative SNMP engine 8 57 1.5.2. Mechanisms 9 58 1.6. Abstract Service Interfaces. 10 59 1.6.1. User-based Security Model Primitives for Authentication 11 60 1.6.2. User-based Security Model Primitives for Privacy 11 61 2. Elements of the Model 12 62 2.1. User-based Security Model Users 12 63 2.2. Replay Protection 13 64 2.2.1. msgAuthoritativeEngineID 13 65 2.2.2. msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime 14 66 2.2.3. Time Window 15 67 2.3. Time Synchronization 15 68 2.4. SNMP Messages Using this Security Model 16 69 2.5. Services provided by the User-based Security Model 17 70 2.5.1. Services for Generating an Outgoing SNMP Message 17 71 2.5.2. Services for Processing an Incoming SNMP Message 19 72 2.6. Key Localization Algorithm. 21 73 3. Elements of Procedure 21 74 3.1. Generating an Outgoing SNMP Message 22 75 3.2. Processing an Incoming SNMP Message 25 76 4. Discovery 30 77 5. Definitions 31 78 6. HMAC-MD5-96 Authentication Protocol 45 79 6.1. Mechanisms 45 80 6.1.1. Digest Authentication Mechanism 46 81 6.2. Elements of the Digest Authentication Protocol 46 82 6.2.1. Users 46 83 6.2.2. msgAuthoritativeEngineID 47 84 6.2.3. SNMP Messages Using this Authentication Protocol 47 85 6.2.4. Services provided by the HMAC-MD5-96 Authentication Module 47 86 6.2.4.1. Services for Generating an Outgoing SNMP Message 47 87 6.2.4.2. Services for Processing an Incoming SNMP Message 48 88 6.3. Elements of Procedure 49 89 6.3.1. Processing an Outgoing Message 49 90 6.3.2. Processing an Incoming Message 50 91 7. HMAC-SHA-96 Authentication Protocol 51 92 7.1. Mechanisms 51 93 7.1.1. Digest Authentication Mechanism 51 94 7.2. Elements of the HMAC-SHA-96 Authentication Protocol 52 95 7.2.1. Users 52 96 7.2.2. msgAuthoritativeEngineID 52 97 7.2.3. SNMP Messages Using this Authentication Protocol 53 98 7.2.4. Services provided by the HMAC-SHA-96 Authentication Module 53 99 7.2.4.1. Services for Generating an Outgoing SNMP Message 53 100 7.2.4.2. Services for Processing an Incoming SNMP Message 54 101 7.3. Elements of Procedure 54 102 7.3.1. Processing an Outgoing Message 55 103 7.3.2. Processing an Incoming Message 55 104 8. CBC-DES Symmetric Encryption Protocol 56 105 8.1. Mechanisms 56 106 8.1.1. Symmetric Encryption Protocol 57 107 8.1.1.1. DES key and Initialization Vector. 57 108 8.1.1.2. Data Encryption. 58 109 8.1.1.3. Data Decryption 59 110 8.2. Elements of the DES Privacy Protocol 59 111 8.2.1. Users 59 112 8.2.2. msgAuthoritativeEngineID 59 113 8.2.3. SNMP Messages Using this Privacy Protocol 60 114 8.2.4. Services provided by the DES Privacy Module 60 115 8.2.4.1. Services for Encrypting Outgoing Data 60 116 8.2.4.2. Services for Decrypting Incoming Data 61 117 8.3. Elements of Procedure. 61 118 8.3.1. Processing an Outgoing Message 61 119 8.3.2. Processing an Incoming Message 62 120 9. Intellectual Property 62 121 10. Acknowledgements 63 122 11. Security Considerations 64 123 11.1. Recommended Practices 64 124 11.2. Defining Users 66 125 11.3. Conformance 67 126 12. References 67 127 13. Editors' Addresses 69 128 A.1. SNMP engine Installation Parameters 70 129 A.2. Password to Key Algorithm 71 130 A.2.1. Password to Key Sample Code for MD5 71 131 A.2.2. Password to Key Sample Code for SHA 72 132 A.3. Password to Key Sample Results 73 133 A.3.1. Password to Key Sample Results using MD5 73 134 A.3.2. Password to Key Sample Results using SHA 74 135 A.4. Sample encoding of msgSecurityParameters 74 136 B. Full Copyright Statement 76 138 1. Introduction 140 The Architecture for describing Internet Management Frameworks 141 [RFCxxx1] describes that an SNMP engine is composed of: 143 1) a Dispatcher 144 2) a Message Processing Subsystem, 145 3) a Security Subsystem, and 146 4) an Access Control Subsystem. 148 Applications make use of the services of these subsystems. 150 It is important to understand the SNMP architecture and the 151 terminology of the architecture to understand where the Security 152 Model described in this document fits into the architecture and 153 interacts with other subsystems within the architecture. The reader 154 is expected to have read and understood the description of the SNMP 155 architecture, as defined in [RFCxxx1]. 157 This memo [RFCxxx4] describes the User-based Security Model as it is 158 used within the SNMP Architecture. The main idea is that we use the 159 traditional concept of a user (identified by a userName) with which 160 to associate security information. 162 This memo describes the use of HMAC-MD5-96 and HMAC-SHA-96 as the 163 authentication protocols and the use of CBC-DES as the privacy 164 protocol. The User-based Security Model however allows for other such 165 protocols to be used instead of or concurrent with these protocols. 166 Therefore, the description of HMAC-MD5-96, HMAC-SHA-96 and CBC-DES 167 are in separate sections to reflect their self-contained nature and 168 to indicate that they can be replaced or supplemented in the future. 170 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 171 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 172 document are to be interpreted as described in [RFC2119]. 174 1.1. Threats 176 Several of the classical threats to network protocols are applicable 177 to the network management problem and therefore would be applicable 178 to any SNMP Security Model. Other threats are not applicable to the 179 network management problem. This section discusses principal 180 threats, secondary threats, and threats which are of lesser 181 importance. 183 The principal threats against which this SNMP Security Model should 184 provide protection are: 186 - Modification of Information 187 The modification threat is the danger that some unauthorized entity 188 may alter in-transit SNMP messages generated on behalf of an 189 authorized user in such a way as to effect unauthorized management 190 operations, including falsifying the value of an object. 192 - Masquerade 193 The masquerade threat is the danger that management operations not 194 authorized for some user may be attempted by assuming the identity 195 of another user that has the appropriate authorizations. 197 Two secondary threats are also identified. The Security Model 198 defined in this memo provides limited protection against: 200 - Disclosure 201 The disclosure threat is the danger of eavesdropping on the 202 exchanges between managed agents and a management station. 203 Protecting against this threat may be required as a matter of local 204 policy. 206 - Message Stream Modification 207 The SNMP protocol is typically based upon a connection-less 208 transport service which may operate over any sub-network service. 209 The re-ordering, delay or replay of messages can and does occur 210 through the natural operation of many such sub-network services. 211 The message stream modification threat is the danger that messages 212 may be maliciously re-ordered, delayed or replayed to an extent 213 which is greater than can occur through the natural operation of a 214 sub-network service, in order to effect unauthorized management 215 operations. 217 There are at least two threats that an SNMP Security Model need not 218 protect against. The security protocols defined in this memo do not 219 provide protection against: 221 - Denial of Service 222 This SNMP Security Model does not attempt to address the broad 223 range of attacks by which service on behalf of authorized users is 224 denied. Indeed, such denial-of-service attacks are in many cases 225 indistinguishable from the type of network failures with which any 226 viable network management protocol must cope as a matter of course. 227 - Traffic Analysis 228 This SNMP Security Model does not attempt to address traffic 229 analysis attacks. Indeed, many traffic patterns are predictable - 230 devices may be managed on a regular basis by a relatively small 231 number of management applications - and therefore there is no 232 significant advantage afforded by protecting against traffic 233 analysis. 235 1.2. Goals and Constraints 237 Based on the foregoing account of threats in the SNMP network 238 management environment, the goals of this SNMP Security Model are as 239 follows. 241 1) Provide for verification that each received SNMP message has 242 not been modified during its transmission through the network. 244 2) Provide for verification of the identity of the user on whose 245 behalf a received SNMP message claims to have been generated. 247 3) Provide for detection of received SNMP messages, which request 248 or contain management information, whose time of generation was 249 not recent. 251 4) Provide, when necessary, that the contents of each received 252 SNMP message are protected from disclosure. 254 In addition to the principal goal of supporting secure network 255 management, the design of this SNMP Security Model is also influenced 256 by the following constraints: 258 1) When the requirements of effective management in times of 259 network stress are inconsistent with those of security, the design 260 should prefer the former. 262 2) Neither the security protocol nor its underlying security 263 mechanisms should depend upon the ready availability of other 264 network services (e.g., Network Time Protocol (NTP) or key 265 management protocols). 267 3) A security mechanism should entail no changes to the basic 268 SNMP network management philosophy. 270 1.3. Security Services 272 The security services necessary to support the goals of this SNMP 273 Security Model are as follows: 275 - Data Integrity 276 is the provision of the property that data has not been altered or 277 destroyed in an unauthorized manner, nor have data sequences been 278 altered to an extent greater than can occur non-maliciously. 280 - Data Origin Authentication 281 is the provision of the property that the claimed identity of the 282 user on whose behalf received data was originated is corroborated. 284 - Data Confidentiality 285 is the provision of the property that information is not made 286 available or disclosed to unauthorized individuals, entities, or 287 processes. 289 - Message timeliness and limited replay protection 290 is the provision of the property that a message whose generation 291 time is outside of a specified time window is not accepted. Note 292 that message reordering is not dealt with and can occur in normal 293 conditions too. 295 For the protocols specified in this memo, it is not possible to 296 assure the specific originator of a received SNMP message; rather, it 297 is the user on whose behalf the message was originated that is 298 authenticated. 300 For these protocols, it not possible to obtain data integrity without 301 data origin authentication, nor is it possible to obtain data origin 302 authentication without data integrity. Further, there is no 303 provision for data confidentiality without both data integrity and 304 data origin authentication. 306 The security protocols used in this memo are considered acceptably 307 secure at the time of writing. However, the procedures allow for new 308 authentication and privacy methods to be specified at a future time 309 if the need arises. 311 1.4. Module Organization 313 The security protocols defined in this memo are split in three 314 different modules and each has its specific responsibilities such 315 that together they realize the goals and security services described 316 above: 318 - The authentication module MUST provide for: 320 - Data Integrity, 322 - Data Origin Authentication 324 - The timeliness module MUST provide for: 326 - Protection against message delay or replay (to an extent 327 greater than can occur through normal operation) 329 The privacy module MUST provide for 331 - Protection against disclosure of the message payload. 333 The timeliness module is fixed for the User-based Security Model 334 while there is provision for multiple authentication and/or privacy 335 modules, each of which implements a specific authentication or 336 privacy protocol respectively. 338 1.4.1. Timeliness Module 340 Section 3 (Elements of Procedure) uses the timeliness values in an 341 SNMP message to do timeliness checking. The timeliness check is only 342 performed if authentication is applied to the message. Since the 343 complete message is checked for integrity, we can assume that the 344 timeliness values in a message that passes the authentication module 345 are trustworthy. 347 1.4.2. Authentication Protocol 349 Section 6 describes the HMAC-MD5-96 authentication protocol which is 350 the first authentication protocol that MUST be supported with the 351 User-based Security Model. Section 7 describes the HMAC-SHA-96 352 authentication protocol which is another authentication protocol that 353 SHOULD be supported with the User-based Security Model. In the 354 future additional or replacement authentication protocols may be 355 defined as new needs arise. 357 The User-based Security Model prescribes that, if authentication is 358 used, then the complete message is checked for integrity in the 359 authentication module. 361 For a message to be authenticated, it needs to pass authentication 362 check by the authentication module and the timeliness check which is 363 a fixed part of this User-based Security model. 365 1.4.3. Privacy Protocol 367 Section 8 describes the CBC-DES Symmetric Encryption Protocol which 368 is the first privacy protocol to be used with the User-based Security 369 Model. In the future additional or replacement privacy protocols may 370 be defined as new needs arise. 372 The User-based Security Model prescribes that the scopedPDU is 373 protected from disclosure when a message is sent with privacy. 375 The User-based Security Model also prescribes that a message needs to 376 be authenticated if privacy is in use. 378 1.5. Protection against Message Replay, Delay and Redirection 380 1.5.1. Authoritative SNMP engine 382 In order to protect against message replay, delay and redirection, 383 one of the SNMP engines involved in each communication is designated 384 to be the authoritative SNMP engine. When an SNMP message contains a 385 payload which expects a response (for example a Get, GetNext, 386 GetBulk, Set or Inform PDU), then the receiver of such messages is 387 authoritative. When an SNMP message contains a payload which does 388 not expect a response (for example an SNMPv2-Trap, Response or Report 389 PDU), then the sender of such a message is authoritative. 391 1.5.2. Mechanisms 393 The following mechanisms are used: 395 1) To protect against the threat of message delay or replay (to an 396 extent greater than can occur through normal operation), a set of 397 timeliness indicators (for the authoritative SNMP engine) are 398 included in each message generated. An SNMP engine evaluates the 399 timeliness indicators to determine if a received message is 400 recent. An SNMP engine may evaluate the timeliness indicators to 401 ensure that a received message is at least as recent as the last 402 message it received from the same source. A non-authoritative 403 SNMP engine uses received authentic messages to advance its notion 404 of the timeliness indicators at the remote authoritative source. 406 An SNMP engine MUST also use a mechanism to match incoming 407 Responses to outstanding Requests and it MUST drop any Responses 408 that do not match an outstanding request. For example, a msgID can 409 be inserted in every message to cater for this functionality. 411 These mechanisms provide for the detection of authenticated 412 messages whose time of generation was not recent. 414 This protection against the threat of message delay or replay does 415 not imply nor provide any protection against unauthorized deletion 416 or suppression of messages. Also, an SNMP engine may not be able 417 to detect message reordering if all the messages involved are sent 418 within the Time Window interval. Other mechanisms defined 419 independently of the security protocol can also be used to detect 420 the re-ordering replay, deletion, or suppression of messages 421 containing Set operations (e.g., the MIB variable snmpSetSerialNo 422 [RFC1907]). 424 2) Verification that a message sent to/from one authoritative SNMP 425 engine cannot be replayed to/as-if-from another authoritative SNMP 426 engine. 428 Included in each message is an identifier unique to the 429 authoritative SNMP engine associated with the sender or intended 430 recipient of the message. 432 A Report, Response or Trap message sent by an authoritative SNMP 433 engine to one non-authoritative SNMP engine can potentially be 434 replayed to another non-authoritative SNMP engine. The latter 435 non-authoritative SNMP engine might (if it knows about the same 436 userName with the same secrets at the authoritative SNMP engine) 437 as a result update its notion of timeliness indicators of the 438 authoritative SNMP engine, but that is not considered a threat. 439 In this case, A Report or Response message will be discarded by 440 the Message Processing Model, because there should not be an 441 outstanding Request message. A Trap will possibly be accepted. 442 Again, that is not considered a threat, because the communication 443 was authenticated and timely. It is as if the authoritative SNMP 444 engine was configured to start sending Traps to the second SNMP 445 engine, which theoretically can happen without the knowledge of 446 the second SNMP engine anyway. Anyway, the second SNMP engine may 447 not expect to receive this Trap, but is allowed to see the 448 management information contained in it. 450 3) Detection of messages which were not recently generated. 452 A set of time indicators are included in the message, indicating 453 the time of generation. Messages without recent time indicators 454 are not considered authentic. In addition, an SNMP engine MUST 455 drop any Responses that do not match an outstanding request. This 456 however is the responsibility of the Message Processing Model. 458 This memo allows the same user to be defined on multiple SNMP 459 engines. Each SNMP engine maintains a value, snmpEngineID, which 460 uniquely identifies the SNMP engine. This value is included in each 461 message sent to/from the SNMP engine that is authoritative (see 462 section 1.5.1). On receipt of a message, an authoritative SNMP 463 engine checks the value to ensure that it is the intended recipient, 464 and a non-authoritative SNMP engine uses the value to ensure that the 465 message is processed using the correct state information. 467 Each SNMP engine maintains two values, snmpEngineBoots and 468 snmpEngineTime, which taken together provide an indication of time at 469 that SNMP engine. Both of these values are included in an 470 authenticated message sent to/received from that SNMP engine. On 471 receipt, the values are checked to ensure that the indicated 472 timeliness value is within a Time Window of the current time. The 473 Time Window represents an administrative upper bound on acceptable 474 delivery delay for protocol messages. 476 For an SNMP engine to generate a message which an authoritative SNMP 477 engine will accept as authentic, and to verify that a message 478 received from that authoritative SNMP engine is authentic, such an 479 SNMP engine must first achieve timeliness synchronization with the 480 authoritative SNMP engine. See section 2.3. 482 1.6. Abstract Service Interfaces. 484 Abstract service interfaces have been defined to describe the 485 conceptual interfaces between the various subsystems within an SNMP 486 entity. Similarly a set of abstract service interfaces have been 487 defined within the User-based Security Model (USM) to describe the 488 conceptual interfaces between the generic USM services and the self- 489 contained authentication and privacy services. 491 These abstract service interfaces are defined by a set of primitives 492 that define the services provided and the abstract data elements that 493 must be passed when the services are invoked. This section lists the 494 primitives that have been defined for the User-based Security Model. 496 1.6.1. User-based Security Model Primitives for Authentication 498 The User-based Security Model provides the following internal 499 primitives to pass data back and forth between the Security Model 500 itself and the authentication service: 502 statusInformation = 503 authenticateOutgoingMsg( 504 IN authKey -- secret key for authentication 505 IN wholeMsg -- unauthenticated complete message 506 OUT authenticatedWholeMsg -- complete authenticated message 507 ) 509 statusInformation = 510 authenticateIncomingMsg( 511 IN authKey -- secret key for authentication 512 IN authParameters -- as received on the wire 513 IN wholeMsg -- as received on the wire 514 OUT authenticatedWholeMsg -- complete authenticated message 515 ) 517 1.6.2. User-based Security Model Primitives for Privacy 519 The User-based Security Model provides the following internal 520 primitives to pass data back and forth between the Security Model 521 itself and the privacy service: 523 statusInformation = 524 encryptData( 525 IN encryptKey -- secret key for encryption 526 IN dataToEncrypt -- data to encrypt (scopedPDU) 527 OUT encryptedData -- encrypted data (encryptedPDU) 528 OUT privParameters -- filled in by service provider 529 ) 531 statusInformation = 532 decryptData( 533 IN decryptKey -- secret key for decrypting 534 IN privParameters -- as received on the wire 535 IN encryptedData -- encrypted data (encryptedPDU) 536 OUT decryptedData -- decrypted data (scopedPDU) 537 ) 539 2. Elements of the Model 541 This section contains definitions required to realize the security 542 model defined by this memo. 544 2.1. User-based Security Model Users 546 Management operations using this Security Model make use of a defined 547 set of user identities. For any user on whose behalf management 548 operations are authorized at a particular SNMP engine, that SNMP 549 engine must have knowledge of that user. An SNMP engine that wishes 550 to communicate with another SNMP engine must also have knowledge of a 551 user known to that engine, including knowledge of the applicable 552 attributes of that user. 554 A user and its attributes are defined as follows: 556 userName 557 A string representing the name of the user. 559 securityName 560 A human-readable string representing the user in a format that is 561 Security Model independent. 563 authProtocol 564 An indication of whether messages sent on behalf of this user can 565 be authenticated, and if so, the type of authentication protocol 566 which is used. Two such protocols are defined in this memo: 567 - the HMAC-MD5-96 authentication protocol. 568 - the HMAC-SHA-96 authentication protocol. 570 authKey 571 If messages sent on behalf of this user can be authenticated, 572 the (private) authentication key for use with the authentication 573 protocol. Note that a user's authentication key will normally 574 be different at different authoritative SNMP engines. The authKey 575 is not accessible via SNMP. The length requirements of the authKey 576 are defined by the authProtocol in use. 578 authKeyChange and authOwnKeyChange 579 The only way to remotely update the authentication key. Does 580 that in a secure manner, so that the update can be completed 581 without the need to employ privacy protection. 583 privProtocol 584 An indication of whether messages sent on behalf of this user 585 can be protected from disclosure, and if so, the type of privacy 586 protocol which is used. One such protocol is defined in this 587 memo: the CBC-DES Symmetric Encryption Protocol. 589 privKey 590 If messages sent on behalf of this user can be en/decrypted, 591 the (private) privacy key for use with the privacy protocol. 592 Note that a user's privacy key will normally be different at 593 different authoritative SNMP engines. The privKey is not 594 accessible via SNMP. The length requirements of the privKey are 595 defined by the privProtocol in use. 597 privKeyChange and privOwnKeyChange 598 The only way to remotely update the encryption key. Does that 599 in a secure manner, so that the update can be completed without 600 the need to employ privacy protection. 602 2.2. Replay Protection 604 Each SNMP engine maintains three objects: 606 - snmpEngineID, which (at least within an administrative domain) 607 uniquely and unambiguously identifies an SNMP engine. 609 - snmpEngineBoots, which is a count of the number of times the 610 SNMP engine has re-booted/re-initialized since snmpEngineID 611 was last configured; and, 613 - snmpEngineTime, which is the number of seconds since the 614 snmpEngineBoots counter was last incremented. 616 Each SNMP engine is always authoritative with respect to these 617 objects in its own SNMP entity. It is the responsibility of a 618 non-authoritative SNMP engine to synchronize with the 619 authoritative SNMP engine, as appropriate. 621 An authoritative SNMP engine is required to maintain the values of 622 its snmpEngineID and snmpEngineBoots in non-volatile storage. 624 2.2.1. msgAuthoritativeEngineID 626 The msgAuthoritativeEngineID value contained in an authenticated 627 message is used to defeat attacks in which messages from one SNMP 628 engine to another SNMP engine are replayed to a different SNMP 629 engine. It represents the snmpEngineID at the authoritative SNMP 630 engine involved in the exchange of the message. 632 When an authoritative SNMP engine is first installed, it sets its 633 local value of snmpEngineID according to a enterprise-specific 634 algorithm (see the definition of the Textual Convention for 635 SnmpEngineID in the SNMP Architecture document [RFCxxx1]). 637 2.2.2. msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime 639 The msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime 640 values contained in an authenticated message are used to defeat 641 attacks in which messages are replayed when they are no longer 642 valid. They represent the snmpEngineBoots and snmpEngineTime 643 values at the authoritative SNMP engine involved in the exchange 644 of the message. 646 Through use of snmpEngineBoots and snmpEngineTime, there is no 647 requirement for an SNMP engine to have a non-volatile clock which 648 ticks (i.e., increases with the passage of time) even when the 649 SNMP engine is powered off. Rather, each time an SNMP engine 650 re-boots, it retrieves, increments, and then stores snmpEngineBoots 651 in non-volatile storage, and resets snmpEngineTime to zero. 653 When an SNMP engine is first installed, it sets its local values 654 of snmpEngineBoots and snmpEngineTime to zero. If snmpEngineTime 655 ever reaches its maximum value (2147483647), then snmpEngineBoots 656 is incremented as if the SNMP engine has re-booted and 657 snmpEngineTime is reset to zero and starts incrementing again. 659 Each time an authoritative SNMP engine re-boots, any SNMP engines 660 holding that authoritative SNMP engine's values of snmpEngineBoots 661 and snmpEngineTime need to re-synchronize prior to sending 662 correctly authenticated messages to that authoritative SNMP engine 663 (see Section 2.3 for (re-)synchronization procedures). Note, 664 however, that the procedures do provide for a notification to be 665 accepted as authentic by a receiving SNMP engine, when sent by an 666 authoritative SNMP engine which has re-booted since the receiving 667 SNMP engine last (re-)synchronized. 669 If an authoritative SNMP engine is ever unable to determine its 670 latest snmpEngineBoots value, then it must set its snmpEngineBoots 671 value to 2147483647. 673 Whenever the local value of snmpEngineBoots has the value 2147483647 674 it latches at that value and an authenticated message always causes 675 an notInTimeWindow authentication failure. 677 In order to reset an SNMP engine whose snmpEngineBoots value has 678 reached the value 2147483647, manual intervention is required. 679 The engine must be physically visited and re-configured, either 680 with a new snmpEngineID value, or with new secret values for the 681 authentication and privacy protocols of all users known to that 682 SNMP engine. Note that even if an SNMP engine re-boots once a second 683 that it would still take approximately 68 years before the max value 684 of 2147483647 would be reached. 686 2.2.3. Time Window 688 The Time Window is a value that specifies the window of time in 689 which a message generated on behalf of any user is valid. This 690 memo specifies that the same value of the Time Window, 150 seconds, 691 is used for all users. 693 2.3. Time Synchronization 695 Time synchronization, required by a non-authoritative SNMP engine 696 in order to proceed with authentic communications, has occurred 697 when the non-authoritative SNMP engine has obtained a local notion 698 of the authoritative SNMP engine's values of snmpEngineBoots and 699 snmpEngineTime from the authoritative SNMP engine. These values 700 must be (and remain) within the authoritative SNMP engine's Time 701 Window. So the local notion of the authoritative SNMP engine's 702 values must be kept loosely synchronized with the values stored 703 at the authoritative SNMP engine. In addition to keeping a local 704 copy of snmpEngineBoots and snmpEngineTime from the authoritative 705 SNMP engine, a non-authoritative SNMP engine must also keep one 706 local variable, latestReceivedEngineTime. This value records the 707 highest value of snmpEngineTime that was received by the 708 non-authoritative SNMP engine from the authoritative SNMP engine 709 and is used to eliminate the possibility of replaying messages 710 that would prevent the non-authoritative SNMP engine's notion of 711 the snmpEngineTime from advancing. 713 A non-authoritative SNMP engine must keep local notions of these 714 values for each authoritative SNMP engine with which it wishes to 715 communicate. Since each authoritative SNMP engine is uniquely 716 and unambiguously identified by its value of snmpEngineID, the 717 non-authoritative SNMP engine may use this value as a key in 718 order to cache its local notions of these values. 720 Time synchronization occurs as part of the procedures of receiving 721 an SNMP message (Section 3.2, step 7b). As such, no explicit time 722 synchronization procedure is required by a non-authoritative SNMP 723 engine. Note, that whenever the local value of snmpEngineID is 724 changed (e.g., through discovery) or when secure communications 725 are first established with an authoritative SNMP engine, the local 726 values of snmpEngineBoots and latestReceivedEngineTime should be 727 set to zero. This will cause the time synchronization to occur 728 when the next authentic message is received. 730 2.4. SNMP Messages Using this Security Model 732 The syntax of an SNMP message using this Security Model adheres 733 to the message format defined in the version-specific Message 734 Processing Model document (for example [RFCxxx2]). 736 The field msgSecurityParameters in SNMPv3 messages has a data type 737 of OCTET STRING. Its value is the BER serialization of the 738 following ASN.1 sequence: 740 USMSecurityParametersSyntax DEFINITIONS IMPLICIT TAGS ::= BEGIN 742 UsmSecurityParameters ::= 743 SEQUENCE { 744 -- global User-based security parameters 745 msgAuthoritativeEngineID OCTET STRING, 746 msgAuthoritativeEngineBoots INTEGER (0..2147483647), 747 msgAuthoritativeEngineTime INTEGER (0..2147483647), 748 msgUserName OCTET STRING (SIZE(0..32)), | 749 -- authentication protocol specific parameters 750 msgAuthenticationParameters OCTET STRING, 751 -- privacy protocol specific parameters 752 msgPrivacyParameters OCTET STRING 753 } 754 END 756 The fields of this sequence are: 758 - The msgAuthoritativeEngineID specifies the snmpEngineID of the 759 authoritative SNMP engine involved in the exchange of the message. 761 - The msgAuthoritativeEngineBoots specifies the snmpEngineBoots value 762 at the authoritative SNMP engine involved in the exchange of the 763 message. 765 - The msgAuthoritativeEngineTime specifies the snmpEngineTime value 766 at the authoritative SNMP engine involved in the exchange of the 767 message. 769 - The msgUserName specifies the user (principal) on whose behalf the 770 message is being exchanged. Note that a zero-length userName will | 771 not match any user, but it can be used for snmpEngineID discovery. 773 - The msgAuthenticationParameters are defined by the authentication 774 protocol in use for the message, as defined by the 775 usmUserAuthProtocol column in the user's entry in the usmUserTable. 777 - The msgPrivacyParameters are defined by the privacy protocol in use 778 for the message, as defined by the usmUserPrivProtocol column in 779 the user's entry in the usmUserTable). 781 See appendix A.4 for an example of the BER encoding of field 782 msgSecurityParameters. 784 2.5. Services provided by the User-based Security Model 786 This section describes the services provided by the User-based 787 Security Model with their inputs and outputs. 789 The services are described as primitives of an abstract service 790 interface and the inputs and outputs are described as abstract data 791 elements as they are passed in these abstract service primitives. 793 2.5.1. Services for Generating an Outgoing SNMP Message 795 When the Message Processing (MP) Subsystem invokes the User-based 796 Security module to secure an outgoing SNMP message, it must use the 797 appropriate service as provided by the Security module. These two 798 services are provided: 800 1) A service to generate a Request message. The abstract service 801 primitive is: 803 statusInformation = -- success or errorIndication 804 generateRequestMsg( 805 IN messageProcessingModel -- typically, SNMP version 806 IN globalData -- message header, admin data 807 IN maxMessageSize -- of the sending SNMP entity 808 IN securityModel -- for the outgoing message 809 IN securityEngineID -- authoritative SNMP entity 810 IN securityName -- on behalf of this principal 811 IN securityLevel -- Level of Security requested 812 IN scopedPDU -- message (plaintext) payload 813 OUT securityParameters -- filled in by Security Module 814 OUT wholeMsg -- complete generated message 815 OUT wholeMsgLength -- length of generated message 816 ) 818 2) A service to generate a Response message. The abstract service 819 primitive is: 821 statusInformation = -- success or errorIndication 822 generateResponseMsg( 823 IN messageProcessingModel -- typically, SNMP version 824 IN globalData -- message header, admin data 825 IN maxMessageSize -- of the sending SNMP entity 826 IN securityModel -- for the outgoing message 827 IN securityEngineID -- authoritative SNMP entity 828 IN securityName -- on behalf of this principal 829 IN securityLevel -- Level of Security requested 830 IN scopedPDU -- message (plaintext) payload 831 IN securityStateReference -- reference to security state 832 -- information from original 833 -- request 834 OUT securityParameters -- filled in by Security Module 835 OUT wholeMsg -- complete generated message 836 OUT wholeMsgLength -- length of generated message 837 ) 839 The abstract data elements passed as parameters in the abstract 840 service primitives are as follows: 842 statusInformation 843 An indication of whether the encoding and securing of the message 844 was successful. If not it is an indication of the problem. 845 essageProcessingModel 846 The SNMP version number for the message to be generated. This 847 data is not used by the User-based Security module. 848 globalData 849 The message header (i.e., its administrative information). This 850 data is not used by the User-based Security module. 851 maxMessageSize 852 The maximum message size as included in the message. This data is 853 not used by the User-based Security module. 854 securityParameters 855 These are the security parameters. They will be filled in by the 856 User-based Security module. 857 securityModel 858 The securityModel in use. Should be User-based Security Model. 859 This data is not used by the User-based Security module. 860 securityName 861 Together with the snmpEngineID it identifies a row in the 862 usmUserTable that is to be used for securing the message. The 863 securityName has a format that is independent of the Security 864 Model. In case of a response this parameter is ignored and the 865 value from the cache is used. 866 securityLevel 867 The Level of Security from which the User-based Security module 868 determines if the message needs to be protected from disclosure 869 and if the message needs to be authenticated. In case of a 870 response this parameter is ignored and the value from the cache is 871 used. 872 securityEngineID 873 The snmpEngineID of the authoritative SNMP engine to which a 874 Request message is to be sent. In case of a response it is implied 875 to be the processing SNMP engine's snmpEngineID and so if it is 876 specified, then it is ignored. 877 scopedPDU 878 The message payload. The data is opaque as far as the User-based 879 Security Model is concerned. 880 securityStateReference 881 A handle/reference to cachedSecurityData to be used when securing 882 an outgoing Response message. This is the exact same 883 handle/reference as it was generated by the User-based Security 884 module when processing the incoming Request message to which this 885 is the Response message. 886 wholeMsg 887 The fully encoded and secured message ready for sending on the 888 wire. 889 wholeMsgLength 890 The length of the encoded and secured message (wholeMsg). 892 Upon completion of the process, the User-based Security module 893 returns statusInformation. If the process was successful, the 894 completed message with privacy and authentication applied if such was 895 requested by the specified securityLevel is returned. If the process 896 was not successful, then an errorIndication is returned. 898 2.5.2. Services for Processing an Incoming SNMP Message 900 When the Message Processing (MP) Subsystem invokes the User-based 901 Security module to verify proper security of an incoming message, it 902 must use the service provided for an incoming message. The abstract 903 service primitive is: 905 statusInformation = -- errorIndication or success 906 -- error counter OID/value if error 907 processIncomingMsg( 908 IN messageProcessingModel -- typically, SNMP version 909 IN maxMessageSize -- of the sending SNMP entity 910 IN securityParameters -- for the received message 911 IN securityModel -- for the received message 912 IN securityLevel -- Level of Security 913 IN wholeMsg -- as received on the wire 914 IN wholeMsgLength -- length as received on the wire 915 OUT securityEngineID -- authoritative SNMP entity 916 OUT securityName -- identification of the principal 917 OUT scopedPDU, -- message (plaintext) payload 918 OUT maxSizeResponseScopedPDU -- maximum size of the Response PDU 919 OUT securityStateReference -- reference to security state 920 ) -- information, needed for response 922 The abstract data elements passed as parameters in the abstract 923 service primitives are as follows: 925 statusInformation 926 An indication of whether the process was successful or not. If 927 not, then the statusInformation includes the OID and the value of 928 the error counter that was incremented. 929 messageProcessingModel 930 The SNMP version number as received in the message. This data is 931 not used by the User-based Security module. 932 maxMessageSize 933 The maximum message size as included in the message. The User- 934 based Security module uses this value to calculate the 935 maxSizeResponseScopedPDU. 936 securityParameters 937 These are the security parameters as received in the message. 938 securityModel 939 The securityModel in use. Should be the User-based Security 940 Model. This data is not used by the User-based Security module. 941 securityLevel 942 The Level of Security from which the User-based Security module 943 determines if the message needs to be protected from disclosure 944 and if the message needs to be authenticated. 945 wholeMsg 946 The whole message as it was received. 947 wholeMsgLength 948 The length of the message as it was received (wholeMsg). 949 securityEngineID 950 The snmpEngineID that was extracted from the field 951 msgAuthoritativeEngineID and that was used to lookup the secrets 952 in the usmUserTable. 953 securityName 954 The security name representing the user on whose behalf the 955 message was received. The securityName has a format that is 956 independent of the Security Model. 957 scopedPDU 958 The message payload. The data is opaque as far as the User-based 959 Security Model is concerned. 960 maxSizeResponseScopedPDU 961 The maximum size of a scopedPDU to be included in a possible 962 Response message. The User-base Security module calculates this 963 size based on the mms (as received in the message) and the space 964 required for the message header (including the securityParameters) 965 for such a Response message. 966 securityStateReference 967 A handle/reference to cachedSecurityData to be used when securing 968 an outgoing Response message. When the Message Processing 969 Subsystem calls the User-based Security module to generate a 970 response to this incoming message it must pass this 971 handle/reference. 973 Upon completion of the process, the User-based Security module 974 returns statusInformation and, if the process was successful, the 975 additional data elements for further processing of the message. If 976 the process was not successful, then an errorIndication, possibly 977 with a OID and value pair of an error counter that was incremented. 979 2.6. Key Localization Algorithm. 981 A localized key is a secret key shared between a user U and one 982 authoritative SNMP engine E. Even though a user may have only one 983 password and therefore one key for the whole network, the actual 984 secrets shared between the user and each authoritative SNMP engine 985 will be different. This is achieved by key localization [Localized- 986 key]. 988 First, if a user uses a password, then the user's password is 989 converted into a key Ku using one of the two algorithms described in 990 Appendices A.2.1 and A.2.2. 992 To convert key Ku into a localized key Kul of user U at the 993 authoritative SNMP engine E, one appends the snmpEngineID of the 994 authoritative SNMP engine to the key Ku and then appends the key Ku 995 to the result, thus enveloping the snmpEngineID within the two copies 996 of user's key Ku. Then one runs a secure hash function (which one 997 depends on the authentication protocol defined for this user U at 998 authoritative SNMP engine E; this document defines two authentication 999 protocols with their associated algorithms based on MD5 and SHA). The 1000 output of the hash-function is the localized key Kul for user U at 1001 the authoritative SNMP engine E. 1003 3. Elements of Procedure 1005 This section describes the security related procedures followed by an 1006 SNMP engine when processing SNMP messages according to the User-based 1007 Security Model. 1009 3.1. Generating an Outgoing SNMP Message 1011 This section describes the procedure followed by an SNMP engine 1012 whenever it generates a message containing a management operation 1013 (like a request, a response, a notification, or a report) on behalf 1014 of a user, with a particular securityLevel. 1016 1) a) If any securityStateReference is passed (Response message), 1017 then information concerning the user is extracted from the 1018 cachedSecurityData. The securityEngineID and the 1019 securityLevel are extracted from the cachedSecurityData. The 1020 cachedSecurityData can now be discarded. 1022 Otherwise, 1024 b) based on the securityName, information concerning the user at 1025 the destination snmpEngineID, specified by the 1026 securityEngineID, is extracted from the Local Configuration 1027 Datastore (LCD, usmUserTable). If information about the user 1028 is absent from the LCD, then an error indication 1029 (unknownSecurityName) is returned to the calling module. 1031 2) If the securityLevel specifies that the message is to be 1032 protected from disclosure, but the user does not support both 1033 an authentication and a privacy protocol then the message 1034 cannot be sent. An error indication 1035 (unsupportedSecurityLevel) is returned to the calling module. 1037 3) If the securityLevel specifies that the message is to be 1038 authenticated, but the user does not support an authentication 1039 protocol, then the message cannot be sent. An error indication 1040 (unsupportedSecurityLevel) is returned to the calling module. 1042 4) a) If the securityLevel specifies that the message is to be 1043 protected from disclosure, then the octet sequence 1044 representing the serialized scopedPDU is encrypted according 1045 to the user's privacy protocol. To do so a call is made to the 1046 privacy module that implements the user's privacy protocol 1047 according to the abstract primitive: 1049 statusInformation = -- success or failure 1050 encryptData( 1051 IN encryptKey -- user's localized privKey 1052 IN dataToEncrypt -- serialized scopedPDU 1053 OUT encryptedData -- serialized encryptedPDU 1054 OUT privParameters -- serialized privacy parameters 1055 ) 1057 statusInformation 1058 indicates if the encryption process was successful or not. 1059 encryptKey 1060 the user's localized private privKey is the secret key that 1061 can be used by the encryption algorithm. 1062 dataToEncrypt 1063 the serialized scopedPDU is the data to be encrypted. | 1064 encryptedData 1065 the encryptedPDU represents the encrypted scopedPDU, 1066 encoded as an OCTET STRING. 1067 privParameters 1068 the privacy parameters, encoded as an OCTET STRING. 1070 If the privacy module returns failure, then the message cannot 1071 be sent and an error indication (encryptionError) is returned 1072 to the calling module. 1074 If the privacy module returns success, then the returned 1075 privParameters are put into the msgPrivacyParameters field of 1076 the securityParameters and the encryptedPDU serves as the 1077 payload of the message being prepared. 1079 Otherwise, 1081 b) If the securityLevel specifies that the message is not to be 1082 be protected from disclosure, then a zero-length OCTET STRING | 1083 is encoded into the msgPrivacyParameters field of the 1084 securityParameters and the plaintext scopedPDU serves as the 1085 payload of the message being prepared. 1087 5) The securityEngineID is encoded as an OCTET STRING into the | 1088 msgAuthoritativeEngineID field of the securityParameters. | 1089 Note that an empty (zero length) securityEngineID is OK for a | 1090 Request message, because that will cause the remote | 1091 (authoritative) SNMP engine to return a Report PDU with the | 1092 proper securityEngineID included in the | 1093 msgAuthoritativeEngineID in the securityParameters of that | 1094 returned Report PDU. 1096 6) a) If the securityLevel specifies that the message is to be 1097 authenticated, then the current values of snmpEngineBoots and | 1098 snmpEngineTime corresponding to the securityEngineID from the 1099 LCD are used. 1101 Otherwise, 1103 b) If this is a Response message, then the current value of 1104 snmpEngineBoots and snmpEngineTime corresponding to the local 1105 snmpEngineID from the LCD are used. 1107 Otherwise, 1109 c) If this is a Request message, then a zero value is used for 1110 both snmpEngineBoots and snmpEngineTime. This zero value gets 1111 used if snmpEngineID is empty. 1113 The values are encoded as INTEGER respectively into the 1114 msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime fields 1115 of the securityParameters. 1117 7) The userName is encoded as an OCTET STRING into the msgUserName 1118 field of the securityParameters. 1120 8) a) If the securityLevel specifies that the message is to be 1121 authenticated, the message is authenticated according to the 1122 user's authentication protocol. To do so a call is made to the 1123 authentication module that implements the user's 1124 authentication protocol according to the abstract service 1125 primitive: 1127 statusInformation = 1128 authenticateOutgoingMsg( 1129 IN authKey -- the user's localized authKey 1130 IN wholeMsg -- unauthenticated message 1131 OUT authenticatedWholeMsg -- authenticated complete message 1132 ) 1134 statusInformation 1135 indicates if authentication was successful or not. 1136 authKey 1137 the user's localized private authKey is the secret key that 1138 can be used by the authentication algorithm. 1139 wholeMsg 1140 the complete serialized message to be authenticated. 1141 authenticatedWholeMsg 1142 the same as the input given to the authenticateOutgoingMsg 1143 service, but with msgAuthenticationParameters properly 1144 filled in. 1146 If the authentication module returns failure, then the message 1147 cannot be sent and an error indication (authenticationFailure) 1148 is returned to the calling module. 1150 If the authentication module returns success, then the 1151 msgAuthenticationParameters field is put into the 1152 securityParameters and the authenticatedWholeMsg represents 1153 the serialization of the authenticated message being prepared. 1155 Otherwise, 1157 b) If the securityLevel specifies that the message is not to be 1158 authenticated then a zero-length OCTET STRING is encoded into | 1159 the msgAuthenticationParameters field of the 1160 securityParameters. The wholeMsg is now serialized and then 1161 represents the unauthenticated message being prepared. 1163 9) The completed message with its length is returned to the 1164 calling module with the statusInformation set to success. 1166 3.2. Processing an Incoming SNMP Message 1168 This section describes the procedure followed by an SNMP engine 1169 whenever it receives a message containing a management operation on 1170 behalf of a user, with a particular securityLevel. 1172 To simplify the elements of procedure, the release of state 1173 information is not always explicitly specified. As a general rule, if 1174 state information is available when a message gets discarded, the 1175 state information should also be released. Also, an error indication | 1176 can return an OID and value for an incremented counter and optionally | 1177 a value for securityLevel, and values for contextEngineID or | 1178 contextName for the counter. In addition, the securityStateReference | 1179 data is returned if any such information is available at the point | 1180 where the error is detected. 1182 1) If the received securityParameters is not the serialization 1183 (according to the conventions of [RFC1906]) of an OCTET STRING 1184 formatted according to the UsmSecurityParameters defined in 1185 section 2.4, then the snmpInASNParseErrs counter [RFC1907] is 1186 incremented, and an error indication (parseError) is returned to 1187 the calling module. Note that we return without the OID and 1188 value of the incremented counter, because in this case there is 1189 not enough information to generate a Report PDU. 1191 2) The values of the security parameter fields are extracted from 1192 the securityParameters. The securityEngineID to be returned to 1193 the caller is the value of the msgAuthoritativeEngineID field. 1194 The cachedSecurityData is prepared and a securityStateReference 1195 is prepared to reference this data. Values to be cached are: 1197 msgUserName 1198 securityEngineID 1199 securityLevel 1201 3) If the value of the msgAuthoritativeEngineID field in the 1202 securityParameters is unknown then: 1204 a) a non-authoritative SNMP engine that performs discovery may 1205 optionally create a new entry in its Local Configuration 1206 Datastore (LCD) and continue processing; 1208 or 1210 b) the usmStatsUnknownEngineIDs counter is incremented, and 1211 an error indication (unknownEngineID) together with the 1212 OID and value of the incremented counter is returned to 1213 the calling module. 1215 4) Information about the value of the msgUserName and 1216 msgAuthoritativeEngineID fields is extracted from the Local 1217 Configuration Datastore (LCD, usmUserTable). If no information 1218 is available for the user, then the usmStatsUnknownUserNames 1219 counter is incremented and an error indication 1220 (unknownSecurityName) together with the OID and value of the 1221 incremented counter is returned to the calling module. 1223 5) If the information about the user indicates that it does not 1224 support the securityLevel requested by the caller, then the 1225 usmStatsUnsupportedSecLevels counter is incremented and an 1226 error indication (unsupportedSecurityLevel) together with the 1227 OID and value of the incremented counter is returned to the 1228 calling module. 1230 6) If the securityLevel specifies that the message is to be 1231 authenticated, then the message is authenticated according to 1232 the user's authentication protocol. To do so a call is made 1233 to the authentication module that implements the user's 1234 authentication protocol according to the abstract service 1235 primitive: 1237 statusInformation = -- success or failure 1238 authenticateIncomingMsg( 1239 IN authKey -- the user's localized authKey 1240 IN authParameters -- as received on the wire 1241 IN wholeMsg -- as received on the wire 1242 OUT authenticatedWholeMsg -- checked for authentication 1243 ) 1245 statusInformation 1246 indicates if authentication was successful or not. 1247 authKey 1248 the user's localized private authKey is the secret key that 1249 can be used by the authentication algorithm. 1250 wholeMsg 1251 the complete serialized message to be authenticated. 1252 authenticatedWholeMsg 1253 the same as the input given to the authenticateIncomingMsg 1254 service, but after authentication has been checked. 1256 If the authentication module returns failure, then the message 1257 cannot be trusted, so the usmStatsWrongDigests counter is 1258 incremented and an error indication (authenticationFailure) 1259 together with the OID and value of the incremented counter is 1260 returned to the calling module. 1262 If the authentication module returns success, then the message 1263 is authentic and can be trusted so processing continues. 1265 7) If the securityLevel indicates an authenticated message, then 1266 the local values of snmpEngineBoots and snmpEngineTime 1267 corresponding to the value of the msgAuthoritativeEngineID 1268 field are extracted from the Local Configuration Datastore. 1270 a) If the extracted value of msgAuthoritativeEngineID is the 1271 same as the value of snmpEngineID of the processing SNMP 1272 engine (meaning this is the authoritative SNMP engine), 1273 then if any of the following conditions is true, then the 1274 message is considered to be outside of the Time Window: 1276 - the local value of snmpEngineBoots is 2147483647; 1278 - the value of the msgAuthoritativeEngineBoots field differs 1279 from the local value of snmpEngineBoots; or, 1281 - the value of the msgAuthoritativeEngineTime field differs 1282 from the local notion of snmpEngineTime by more than 1283 +/- 150 seconds. 1285 If the message is considered to be outside of the Time Window 1286 then the usmStatsNotInTimeWindows counter is incremented and 1287 an error indication (notInTimeWindow) together with the OID, 1288 the value of the incremented counter, and an indication that | 1289 the error must be reported with a escurtyLevel of authNoPriv, | 1290 is returned to the calling module. 1292 b) If the extracted value of msgAuthoritativeEngineID is not the 1293 same as the value snmpEngineID of the processing SNMP engine 1294 (meaning this is not the authoritative SNMP engine), then: 1296 1) if at least one of the following conditions is true: 1298 - the extracted value of the msgAuthoritativeEngineBoots 1299 field is greater than the local notion of the value of 1300 snmpEngineBoots; or, 1302 - the extracted value of the msgAuthoritativeEngineBoots 1303 field is equal to the local notion of the value of 1304 snmpEngineBoots, the extracted value of 1305 msgAuthoritativeEngineTime field is greater than the 1306 value of latestReceivedEngineTime, 1308 then the LCD entry corresponding to the extracted value 1309 of the msgAuthoritativeEngineID field is updated, by 1310 setting: 1312 - the local notion of the value of snmpEngineBoots to 1313 the value of the msgAuthoritativeEngineBoots field, 1314 - the local notion of the value of snmpEngineTime to 1315 the value of the msgAuthoritativeEngineTime field, 1316 and 1317 - the latestReceivedEngineTime to the value of the 1318 value of the msgAuthoritativeEngineTime field. 1320 2) if any of the following conditions is true, then the 1321 message is considered to be outside of the Time Window: 1323 - the local notion of the value of snmpEngineBoots is 1324 2147483647; 1326 - the value of the msgAuthoritativeEngineBoots field is 1327 less than the local notion of the value of 1328 snmpEngineBoots; or, 1330 - the value of the msgAuthoritativeEngineBoots field is 1331 equal to the local notion of the value of 1332 snmpEngineBoots and the value of the 1333 msgAuthoritativeEngineTime field is more than 150 1334 seconds less than the local notion of the value of | 1335 snmpEngineTime. 1337 If the message is considered to be outside of the Time 1338 Window then an error indication (notInTimeWindow) is 1339 returned to the calling module; 1341 Note that this means that a too old (possibly replayed) 1342 message has been detected and is deemed unauthentic. 1344 Note that this procedure allows for the value of 1345 msgAuthoritativeEngineBoots in the message to be greater 1346 than the local notion of the value of snmpEngineBoots to 1347 allow for received messages to be accepted as authentic 1348 when received from an authoritative SNMP engine that has 1349 re-booted since the receiving SNMP engine last 1350 (re-)synchronized. 1352 Note that this procedure does not allow for automatic 1353 time synchronization if the non-authoritative SNMP engine 1354 has a real out-of-sync situation whereby the authoritative 1355 SNMP engine is more than 150 seconds behind the 1356 non-authoritative SNMP engine. 1358 8) a) If the securityLevel indicates that the message was protected 1359 from disclosure, then the OCTET STRING representing the 1360 encryptedPDU is decrypted according to the user's privacy 1361 protocol to obtain an unencrypted serialized scopedPDU value. 1362 To do so a call is made to the privacy module that implements 1363 the user's privacy protocol according to the abstract 1364 primitive: 1366 statusInformation = -- success or failure 1367 decryptData( 1368 IN decryptKey -- the user's localized privKey 1369 IN privParameters -- as received on the wire 1370 IN encryptedData -- encryptedPDU as received 1371 OUT decryptedData -- serialized decrypted scopedPDU 1372 ) 1374 statusInformation 1375 indicates if the decryption process was successful or not. 1376 decryptKey 1377 the user's localized private privKey is the secret key that 1378 can be used by the decryption algorithm. 1379 privParameters 1380 the msgPrivacyParameters, encoded as an OCTET STRING. 1381 encryptedData 1382 the encryptedPDU represents the encrypted scopedPDU, encoded 1383 as an OCTET STRING. 1384 decryptedData 1385 the serialized scopedPDU if decryption is successful. 1387 If the privacy module returns failure, then the message can 1388 not be processed, so the usmStatsDecryptionErrors counter is 1389 incremented and an error indication (decryptionError) together 1390 with the OID and value of the incremented counter is returned 1391 to the calling module. 1393 If the privacy module returns success, then the decrypted 1394 scopedPDU is the message payload to be returned to the calling 1395 module. 1397 Otherwise, 1399 b) The scopedPDU component is assumed to be in plain text 1400 and is the message payload to be returned to the calling 1401 module. 1403 9) The maxSizeResponseScopedPDU is calculated. This is the 1404 maximum size allowed for a scopedPDU for a possible Response 1405 message. Provision is made for a message header that allows the 1406 same securityLevel as the received Request. 1408 10) The securityName for the user is retrieved from the 1409 usmUserTable. 1411 11) The security data is cached as cachedSecurityData, so that a 1412 possible response to this message can and will use the same 1413 authentication and privacy secrets, the same securityLevel and 1414 the same value for msgAuthoritativeEngineID. Information to be 1415 saved/cached is as follows: 1417 msgUserName, 1418 usmUserAuthProtocol, usmUserAuthKey 1419 usmUserPrivProtocol, usmUserPrivKey 1420 securityEngineID, securityLevel 1422 12) The statusInformation is set to success and a return is made to 1423 the calling module passing back the OUT parameters as specified 1424 in the processIncomingMsg primitive. 1426 4. Discovery 1428 The User-based Security Model requires that a discovery process 1429 obtains sufficient information about other SNMP engines in order to 1430 communicate with them. Discovery requires an non-authoritative SNMP 1431 engine to learn the authoritative SNMP engine's snmpEngineID value 1432 before communication may proceed. This may be accomplished by 1433 generating a Request message with a securityLevel of noAuthNoPriv, a | 1434 msgUserName of zero-length, a msgAuthoritativeEngineID value of zero 1435 length, and the varBindList left empty. The response to this message 1436 will be a Report message containing the snmpEngineID of the 1437 authoritative SNMP engine as the value of the 1438 msgAuthoritativeEngineID field within the msgSecurityParameters 1439 field. It contains a Report PDU with the usmStatsUnknownEngineIDs 1440 counter in the varBindList. 1442 If authenticated communication is required, then the discovery 1443 process should also establish time synchronization with the 1444 authoritative SNMP engine. This may be accomplished by sending an 1445 authenticated Request message with the value of 1446 msgAuthoritativeEngineID set to the newly learned snmpEngineID and 1447 with the values of msgAuthoritativeEngineBoots and 1448 msgAuthoritativeEngineTime set to zero. For an authenticated Request | 1449 message, a valid userName must be used in the msgUserName field. The 1450 response to this authenticated message will be a Report message 1451 containing the up to date values of the authoritative SNMP engine's 1452 snmpEngineBoots and snmpEngineTime as the value of the 1453 msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime fields 1454 respectively. It also contains the usmStatsNotInTimeWindows counter 1455 in the varBindList of the Report PDU. The time synchronization then 1456 happens automatically as part of the procedures in section 3.2 step 1457 7b. See also section 2.3. 1459 5. Definitions 1461 SNMP-USER-BASED-SM-MIB DEFINITIONS ::= BEGIN 1463 IMPORTS 1464 MODULE-IDENTITY, OBJECT-TYPE, 1465 OBJECT-IDENTITY, 1466 snmpModules, Counter32 FROM SNMPv2-SMI 1467 TEXTUAL-CONVENTION, TestAndIncr, 1468 RowStatus, RowPointer, 1469 StorageType, AutonomousType FROM SNMPv2-TC 1470 MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF 1471 SnmpAdminString, SnmpEngineID, 1472 snmpAuthProtocols, snmpPrivProtocols FROM SNMP-FRAMEWORK-MIB; 1474 snmpUsmMIB MODULE-IDENTITY 1475 LAST-UPDATED "9808010000Z" -- 01 Aug 1998, midnight | 1476 ORGANIZATION "SNMPv3 Working Group" 1477 CONTACT-INFO "WG-email: snmpv3@tis.com 1478 Subscribe: majordomo@tis.com 1479 In msg body: subscribe snmpv3 1481 Chair: Russ Mundy 1482 Trusted Information Systems 1484 postal: 3060 Washington Rd 1485 Glenwood MD 21738 1486 USA 1487 email: mundy@tis.com 1488 phone: +1-301-854-6889 1490 Co-editor Uri Blumenthal 1491 IBM T. J. Watson Research 1492 postal: 30 Saw Mill River Pkwy, 1493 Hawthorne, NY 10532 1494 USA 1495 email: uri@watson.ibm.com 1496 phone: +1-914-784-7964 1498 Co-editor: Bert Wijnen 1499 IBM T. J. Watson Research 1500 postal: Schagen 33 1501 3461 GL Linschoten 1502 Netherlands 1503 email: wijnen@vnet.ibm.com 1504 phone: +31-348-432-794 1505 " 1506 DESCRIPTION "The management information definitions for the 1507 SNMP User-based Security Model. 1508 " 1509 -- Revision history | 1510 LAST-UPDATED "9808010000Z" -- 01 Aug 1998, midnight | 1511 DESCRIPTION "Clarifications, published as RFCxxx4" | 1513 REVISION "9711200000Z" -- 20 Nov 1997, midnight | 1514 DESCRIPTION "Initial version, published as RFC2274" | 1516 ::= { snmpModules 15 } 1518 -- Administrative assignments **************************************** 1520 usmMIBObjects OBJECT IDENTIFIER ::= { snmpUsmMIB 1 } 1521 usmMIBConformance OBJECT IDENTIFIER ::= { snmpUsmMIB 2 } 1523 -- Identification of Authentication and Privacy Protocols ************ 1525 usmNoAuthProtocol OBJECT-IDENTITY 1526 STATUS current 1527 DESCRIPTION "No Authentication Protocol." 1528 ::= { snmpAuthProtocols 1 } 1530 usmHMACMD5AuthProtocol OBJECT-IDENTITY 1531 STATUS current 1532 DESCRIPTION "The HMAC-MD5-96 Digest Authentication Protocol." 1533 REFERENCE "- H. Krawczyk, M. Bellare, R. Canetti HMAC: 1534 Keyed-Hashing for Message Authentication, 1535 RFC2104, Feb 1997. 1536 - Rivest, R., Message Digest Algorithm MD5, RFC1321. 1537 " 1538 ::= { snmpAuthProtocols 2 } 1540 usmHMACSHAAuthProtocol OBJECT-IDENTITY 1541 STATUS current 1542 DESCRIPTION "The HMAC-SHA-96 Digest Authentication Protocol." 1543 REFERENCE "- H. Krawczyk, M. Bellare, R. Canetti, HMAC: 1544 Keyed-Hashing for Message Authentication, 1545 RFC2104, Feb 1997. 1546 - Secure Hash Algorithm. NIST FIPS 180-1. 1547 " 1548 ::= { snmpAuthProtocols 3 } 1550 usmNoPrivProtocol OBJECT-IDENTITY 1551 STATUS current 1552 DESCRIPTION "No Privacy Protocol." 1553 ::= { snmpPrivProtocols 1 } 1555 usmDESPrivProtocol OBJECT-IDENTITY 1556 STATUS current 1557 DESCRIPTION "The CBC-DES Symmetric Encryption Protocol." 1558 REFERENCE "- Data Encryption Standard, National Institute of 1559 Standards and Technology. Federal Information 1560 Processing Standard (FIPS) Publication 46-1. 1561 Supersedes FIPS Publication 46, 1562 (January, 1977; reaffirmed January, 1988). 1564 - Data Encryption Algorithm, American National 1565 Standards Institute. ANSI X3.92-1981, 1566 (December, 1980). 1568 - DES Modes of Operation, National Institute of 1569 Standards and Technology. Federal Information 1570 Processing Standard (FIPS) Publication 81, 1571 (December, 1980). 1573 - Data Encryption Algorithm - Modes of Operation, 1574 American National Standards Institute. 1575 ANSI X3.106-1983, (May 1983). 1576 " 1577 ::= { snmpPrivProtocols 2 } 1579 -- Textual Conventions *********************************************** 1581 KeyChange ::= TEXTUAL-CONVENTION 1582 STATUS current 1583 DESCRIPTION 1584 "Every definition of an object with this syntax must identify 1585 a protocol P, a secret key K, and a hash algorithm H 1586 that produces output of L octets. 1588 The object's value is a manager-generated, partially-random 1589 value which, when modified, causes the value of the secret 1590 key K, to be modified via a one-way function. 1592 The value of an instance of this object is the concatenation 1593 of two components: first a 'random' component and then a 1594 'delta' component. 1596 The lengths of the random and delta components 1597 are given by the corresponding value of the protocol P; 1598 if P requires K to be a fixed length, the length of both the 1599 random and delta components is that fixed length; if P 1600 allows the length of K to be variable up to a particular 1601 maximum length, the length of the random component is that 1602 maximum length and the length of the delta component is any 1603 length less than or equal to that maximum length. 1604 For example, usmHMACMD5AuthProtocol requires K to be a fixed 1605 length of 16 octets and L - of 16 octets. 1606 usmHMACSHAAuthProtocol requires K to be a fixed length of 1607 20 octets and L - of 20 octets. Other protocols may define 1608 other sizes, as deemed appropriate. 1610 When a requestor wants to change the old key K to a new 1611 key keyNew on a remote entity, the 'random' component is 1612 obtained from either a true random generator, or from a 1613 pseudorandom generator, and the 'delta' component is 1614 computed as follows: 1616 - a temporary variable is initialized to the existing value 1617 of K; 1618 - if the length of the keyNew is greater than L octets, 1619 then: 1620 - the random component is appended to the value of the 1621 temporary variable, and the result is input to the 1622 the hash algorithm H to produce a digest value, and 1623 the temporary variable is set to this digest value; 1624 - the value of the temporary variable is XOR-ed with 1625 the first (next) L-octets (16 octets in case of MD5) 1626 of the keyNew to produce the first (next) L-octets 1627 (16 octets in case of MD5) of the 'delta' component. 1628 - the above two steps are repeated until the unused 1629 portion of the delta component is L octets or less, 1630 - the random component is appended to the value of the 1631 temporary variable, and the result is input to the 1632 hash algorithm H to produce a digest value; 1633 - this digest value, truncated if necessary to be the same 1634 length as the unused portion of the keyNew, is XOR-ed 1635 with the unused portion of the keyNew to produce the 1636 (final portion of the) 'delta' component. 1638 For example, using MD5 as the hash algorithm H: 1640 iterations = (lenOfDelta - 1)/16; /* integer division */ 1641 temp = keyOld; 1642 for (i = 0; i < iterations; i++) { 1643 temp = MD5 (temp || random); 1644 delta[i*16 .. (i*16)+15] = 1645 temp XOR keyNew[i*16 .. (i*16)+15]; 1646 } 1647 temp = MD5 (temp || random); 1648 delta[i*16 .. lenOfDelta-1] = 1649 temp XOR keyNew[i*16 .. lenOfDelta-1]; 1651 The 'random' and 'delta' components are then concatenated as 1652 described above, and the resulting octet string is sent to 1653 the receipient as the new value of an instance of this 1654 object. 1656 At the receiver side, when an instance of this object is set 1657 to a new value, then a new value of K is computed as follows: 1659 - a temporary variable is initialized to the existing value 1660 of K; 1661 - if the length of the delta component is greater than L 1662 octets, then: 1663 - the random component is appended to the value of the 1664 temporary variable, and the result is input to the 1665 the hash algorithm H to produce a digest value, and 1666 the temporary variable is set to this digest value; 1667 - the value of the temporary variable is XOR-ed with 1668 the first (next) L-octets (16 octets in case of MD5) 1669 of the delta component to produce the first (next) 1670 L-octets (16 octets in case of MD5) of the new value 1671 of K. 1672 - the above two steps are repeated until the unused 1673 portion of the delta component is L octets or less, 1675 - the random component is appended to the value of the 1676 temporary variable, and the result is input to the 1677 hash algorithm H to produce a digest value; 1678 - this digest value, truncated if necessary to be the same 1679 length as the unused portion of the delta component, is 1680 XOR-ed with the unused portion of the delta component to 1681 produce the (final portion of the) new value of K. 1683 For example, using MD5 as the hash algorithm H: 1685 iterations = (lenOfDelta - 1)/16; /* integer division */ 1686 temp = keyOld; 1687 for (i = 0; i < iterations; i++) { 1688 temp = MD5 (temp || random); 1689 keyNew[i*16 .. (i*16)+15] = 1690 temp XOR delta[i*16 .. (i*16)+15]; 1691 } 1692 temp = MD5 (temp || random); 1693 keyNew[i*16 .. lenOfDelta-1] = 1694 temp XOR delta[i*16 .. lenOfDelta-1]; 1696 The value of an object with this syntax, whenever it is 1697 retrieved by the management protocol, is always the zero 1698 length string. 1700 Note that the oldKey and newKey are the localized keys. | 1701 " 1702 SYNTAX OCTET STRING 1704 -- Statistics for the User-based Security Model ********************** 1706 usmStats OBJECT IDENTIFIER ::= { usmMIBObjects 1 } 1708 usmStatsUnsupportedSecLevels OBJECT-TYPE 1709 SYNTAX Counter32 1710 MAX-ACCESS read-only 1711 STATUS current 1712 DESCRIPTION "The total number of packets received by the SNMP 1713 engine which were dropped because they requested a 1714 securityLevel that was unknown to the SNMP engine 1715 or otherwise unavailable. 1716 " 1717 ::= { usmStats 1 } 1719 usmStatsNotInTimeWindows OBJECT-TYPE 1720 SYNTAX Counter32 1721 MAX-ACCESS read-only 1722 STATUS current 1723 DESCRIPTION "The total number of packets received by the SNMP 1724 engine which were dropped because they appeared 1725 outside of the authoritative SNMP engine's window. 1726 " 1727 ::= { usmStats 2 } 1729 usmStatsUnknownUserNames OBJECT-TYPE 1730 SYNTAX Counter32 1731 MAX-ACCESS read-only 1732 STATUS current 1733 DESCRIPTION "The total number of packets received by the SNMP 1734 engine which were dropped because they referenced a 1735 user that was not known to the SNMP engine. 1736 " 1737 ::= { usmStats 3 } 1739 usmStatsUnknownEngineIDs OBJECT-TYPE 1740 SYNTAX Counter32 1741 MAX-ACCESS read-only 1742 STATUS current 1743 DESCRIPTION "The total number of packets received by the SNMP 1744 engine which were dropped because they referenced an 1745 snmpEngineID that was not known to the SNMP engine. 1746 " 1747 ::= { usmStats 4 } 1749 usmStatsWrongDigests OBJECT-TYPE 1750 SYNTAX Counter32 1751 MAX-ACCESS read-only 1752 STATUS current 1753 DESCRIPTION "The total number of packets received by the SNMP 1754 engine which were dropped because they didn't 1755 contain the expected digest value. 1756 " 1757 ::= { usmStats 5 } 1759 usmStatsDecryptionErrors OBJECT-TYPE 1760 SYNTAX Counter32 1761 MAX-ACCESS read-only 1762 STATUS current 1763 DESCRIPTION "The total number of packets received by the SNMP 1764 engine which were dropped because they could not be 1765 decrypted. 1766 " 1767 ::= { usmStats 6 } 1769 -- The usmUser Group ************************************************ 1771 usmUser OBJECT IDENTIFIER ::= { usmMIBObjects 2 } 1773 usmUserSpinLock OBJECT-TYPE 1774 SYNTAX TestAndIncr 1775 MAX-ACCESS read-write 1776 STATUS current 1777 DESCRIPTION "An advisory lock used to allow several cooperating 1778 Command Generator Applications to coordinate their 1779 use of facilities to alter secrets in the 1780 usmUserTable. 1781 " 1782 ::= { usmUser 1 } 1784 -- The table of valid users for the User-based Security Model ******** 1786 usmUserTable OBJECT-TYPE 1787 SYNTAX SEQUENCE OF UsmUserEntry 1788 MAX-ACCESS not-accessible 1789 STATUS current 1790 DESCRIPTION "The table of users configured in the SNMP engine's 1791 Local Configuration Datastore (LCD)." 1792 ::= { usmUser 2 } 1794 usmUserEntry OBJECT-TYPE 1795 SYNTAX UsmUserEntry 1796 MAX-ACCESS not-accessible 1797 STATUS current 1798 DESCRIPTION "A user configured in the SNMP engine's Local 1799 Configuration Datastore (LCD) for the User-based 1800 Security Model. 1801 " 1802 INDEX { usmUserEngineID, 1803 usmUserName 1804 } 1805 ::= { usmUserTable 1 } 1807 UsmUserEntry ::= SEQUENCE 1808 { 1809 usmUserEngineID SnmpEngineID, 1810 usmUserName SnmpAdminString, 1811 usmUserSecurityName SnmpAdminString, 1812 usmUserCloneFrom RowPointer, 1813 usmUserAuthProtocol AutonomousType, 1814 usmUserAuthKeyChange KeyChange, 1815 usmUserOwnAuthKeyChange KeyChange, 1816 usmUserPrivProtocol AutonomousType, 1817 usmUserPrivKeyChange KeyChange, 1818 usmUserOwnPrivKeyChange KeyChange, 1819 usmUserPublic OCTET STRING, 1820 usmUserStorageType StorageType, 1821 usmUserStatus RowStatus 1822 } 1824 usmUserEngineID OBJECT-TYPE 1825 SYNTAX SnmpEngineID 1826 MAX-ACCESS not-accessible 1827 STATUS current 1828 DESCRIPTION "An SNMP engine's administratively-unique identifier. 1830 In a simple agent, this value is always that agent's 1831 own snmpEngineID value. 1833 The value can also take the value of the snmpEngineID 1834 of a remote SNMP engine with which this user can 1835 communicate. 1836 " 1837 ::= { usmUserEntry 1 } 1839 usmUserName OBJECT-TYPE 1840 SYNTAX SnmpAdminString (SIZE(1..32)) 1841 MAX-ACCESS not-accessible 1842 STATUS current 1843 DESCRIPTION "A human readable string representing the name of 1844 the user. 1846 This is the (User-based Security) Model dependent 1847 security ID. 1848 " 1849 ::= { usmUserEntry 2 } 1851 usmUserSecurityName OBJECT-TYPE 1852 SYNTAX SnmpAdminString 1853 MAX-ACCESS read-only 1854 STATUS current 1855 DESCRIPTION "A human readable string representing the user in 1856 Security Model independent format. 1858 The default transformation of the User-based Security 1859 Model dependent security ID to the securityName and 1860 vice versa is the identity function so that the 1861 securityName is the same as the userName. 1862 " 1863 ::= { usmUserEntry 3 } 1865 usmUserCloneFrom OBJECT-TYPE 1866 SYNTAX RowPointer 1867 MAX-ACCESS read-create 1868 STATUS current 1869 DESCRIPTION "A pointer to another conceptual row in this 1870 usmUserTable. The user in this other conceptual 1871 row is called the clone-from user. 1873 When a new user is created (i.e., a new conceptual 1874 row is instantiated in this table), the privacy and 1875 authentication parameters of the new user are cloned 1876 from its clone-from user. These parameters are: | 1877 - authentication protocol (usmUserAuthProtocol) | 1878 - privacy protocol (usmUserPrivProtocol) | 1879 They will be copied regardless of what the current | 1880 value is. | 1881 | 1882 Cloning also causes the initial values of the secret | 1883 authentication key (authKey) and the secret encryption | 1884 key (privKey) of the new user to be set to the same | 1885 value as the corresponding secret of the clone-from | 1886 user. | 1888 The first time an instance of this object is set by 1889 a management operation (either at or after its 1890 instantiation), the cloning process is invoked. 1891 Subsequent writes are successful but invoke no 1892 action to be taken by the receiver. 1893 The cloning process fails with an 'inconsistentName' 1894 error if the conceptual row representing the 1895 clone-from user does not exist or is not in an active | 1896 state when the cloning process is invoked. 1898 When this object is read, the ZeroDotZero OID 1899 is returned. 1900 " 1901 ::= { usmUserEntry 4 } 1903 usmUserAuthProtocol OBJECT-TYPE 1904 SYNTAX AutonomousType 1905 MAX-ACCESS read-create 1906 STATUS current 1907 DESCRIPTION "An indication of whether messages sent on behalf of 1908 this user to/from the SNMP engine identified by 1909 usmUserEngineID, can be authenticated, and if so, 1910 the type of authentication protocol which is used. 1912 An instance of this object is created concurrently 1913 with the creation of any other object instance for 1914 the same user (i.e., as part of the processing of 1915 the set operation which creates the first object 1916 instance in the same conceptual row). 1918 The value will be overwritten/set when a set operation | 1919 is performed on the corresponding instance of | 1920 usmUserCloneFrom. | 1922 The value of an instance of this object can only be | 1923 changed via a set operation to the value of | 1924 the usmNoAuthProtocol. | 1926 If a set operation tries to change the value of this | 1927 object to any value other than usmNoAuthProtocol, then | 1928 an 'inconsistentValue' error must be returned. | 1930 If a set operation tries to set the value to the | 1931 usmNoAuthProtocol while the usmUserPrivProtocol value | 1932 in the same row is not equal to usmNoPrivProtocol, | 1933 then an 'inconsistenValue' error must be returned. | 1934 That means that an SNMP command generator application | 1935 must first ensure that the usmUserPrivProtocol is set | 1936 to the usmNoPrivProtocol value before it can set | 1937 the usmUserAuthProtocol value to usmNoAuthProtocol. | 1939 If a set operation tries to set a value for an unknown 1940 or unsupported protocol, then a 'wrongValue' error must 1941 be returned. 1942 " 1943 -- note: changed DEFVAL clause, because the cloneFrom will overwrite it | 1944 -- if any auth or privProtocol will be used. | 1945 DEFVAL { usmNoAuthProtocol } | 1946 ::= { usmUserEntry 5 } 1948 usmUserAuthKeyChange OBJECT-TYPE 1949 SYNTAX KeyChange -- typically (SIZE (0 | 32)) for HMACMD5 | 1950 -- typically (SIZE (0 | 40)) for HMACSHA | 1951 MAX-ACCESS read-create 1952 STATUS current 1953 DESCRIPTION "An object, which when modified, causes the secret 1954 authentication key used for messages sent on behalf 1955 of this user to/from the SNMP engine identified by 1956 usmUserEngineID, to be modified via a one-way 1957 function. 1959 The associated protocol is the usmUserAuthProtocol. 1961 The associated secret key is the user's secret 1962 authentication key (authKey). The associated hash 1963 algorithm is the algorithm used by the user's 1964 usmUserAuthProtocol. 1966 When creating a new user, it is an 'inconsistentName' 1967 error for a set operation to refer to this object 1968 unless it is previously or concurrently initialized 1969 through a set operation on the corresponding instance | 1970 of usmUserCloneFrom. | 1972 When the value of the corresponding usmUserAuthProtocol | 1973 is usmNoAuthProtocol, then a set is successful, but | 1974 effectively is a no-op. | 1976 When this object is read, the zero-length (empty) | 1977 string is returned. | 1978 " 1979 DEFVAL { ''H } -- the empty string 1980 ::= { usmUserEntry 6 } 1982 usmUserOwnAuthKeyChange OBJECT-TYPE 1983 SYNTAX KeyChange -- typically (SIZE (0..32)) 1984 MAX-ACCESS read-create 1985 STATUS current 1986 DESCRIPTION "Behaves exactly as usmUserAuthKeyChange, with one 1987 notable difference: in order for the set operation 1988 to succeed, the usmUserName of the operation 1989 requester must match the usmUserName that 1990 indexes the row which is targeted by this 1991 operation. 1992 In addition, the USM security model must be | 1993 used for this operation. | 1995 The idea here is that access to this column can be 1996 public, since it will only allow a user to change 1997 his own secret authentication key (authKey). 1998 Note that this can only be done once the row is active. | 2000 When a set is received and the usmUserName of the | 2001 requester is not the same as the umsUserName that | 2002 indexes the row which is targeted by this operation, | 2003 then a 'noAccess' error must be returned. | 2005 When a set is received and the security model in use | 2006 is not USM, then a 'noAccess' error must be returned. | 2007 " 2008 DEFVAL { ''H } -- the empty string 2009 ::= { usmUserEntry 7 } 2011 usmUserPrivProtocol OBJECT-TYPE 2012 SYNTAX AutonomousType 2013 MAX-ACCESS read-create 2014 STATUS current 2015 DESCRIPTION "An indication of whether messages sent on behalf of 2016 this user to/from the SNMP engine identified by 2017 usmUserEngineID, can be protected from disclosure, 2018 and if so, the type of privacy protocol which is used. 2020 An instance of this object is created concurrently 2021 with the creation of any other object instance for 2022 the same user (i.e., as part of the processing of 2023 the set operation which creates the first object 2024 instance in the same conceptual row). 2026 The value will be overwritten/set when a set operation | 2027 is performed on the corresponding instance of | 2028 usmUserCloneFrom. | 2030 The value of an instance of this object can only be | 2031 changed via a set operation to the value of | 2032 the usmNoPrivProtocol. | 2034 If a set operation tries to change the value of this | 2035 object to any value other than usmNoPrivProtocol, then | 2036 an 'inconsistentValue' error must be returned. | 2038 If a set operation tries to set a value for an unknown 2039 or unsupported protocol, then a 'wrongValue' error must 2040 be returned. 2041 " 2042 DEFVAL { usmNoPrivProtocol } 2043 ::= { usmUserEntry 8 } 2045 usmUserPrivKeyChange OBJECT-TYPE 2046 SYNTAX KeyChange -- typically (SIZE (0..32)) 2047 MAX-ACCESS read-create 2048 STATUS current 2049 DESCRIPTION "An object, which when modified, causes the secret 2050 encryption key used for messages sent on behalf 2051 of this user to/from the SNMP engine identified by 2052 usmUserEngineID, to be modified via a one-way 2053 function. 2055 The associated protocol is the usmUserPrivProtocol. 2056 The associated secret key is the user's secret 2057 privacy key (privKey). The associated hash 2058 algorithm is the algorithm used by the user's 2059 usmUserAuthProtocol. 2061 When creating a new user, it is an 'inconsistentName' 2062 error for a set operation to refer to this object 2063 unless it is previously or concurrently initialized 2064 through a set operation on the corresponding instance | 2065 of usmUserCloneFrom. | 2067 When the value of the corresponding usmUserPrivProtocol | 2068 is usmNoPrivProtocol, then a set is successful, but | 2069 effectively is a no-op. | 2071 When this object is read, the zero-length (empty) | 2072 string is returned. | 2073 " 2074 DEFVAL { ''H } -- the empty string 2075 ::= { usmUserEntry 9 } 2077 usmUserOwnPrivKeyChange OBJECT-TYPE 2078 SYNTAX KeyChange -- typically (SIZE (0 | 32)) for DES | 2079 MAX-ACCESS read-create 2080 STATUS current 2081 DESCRIPTION "Behaves exactly as usmUserPrivKeyChange, with one 2082 notable difference: in order for the Set operation 2083 to succeed, the usmUserName of the operation 2084 requester must match the usmUserName that indexes 2085 the row which is targeted by this operation. 2086 In addition, the USM security model must be | 2087 used for this operation. | 2089 The idea here is that access to this column can be 2090 public, since it will only allow a user to change 2091 his own secret privacy key (privKey). 2092 Note that this can only be done once the row is active. | 2094 When a set is received and the usmUserName of the | 2095 requester is not the same as the umsUserName that | 2096 indexes the row which is targeted by this operation, | 2097 then a 'noAccess' error must be returned. | 2099 When a set is received and the security model in use | 2100 is not USM, then a 'noAccess' error must be returned. | 2101 " 2102 DEFVAL { ''H } -- the empty string 2103 ::= { usmUserEntry 10 } 2105 usmUserPublic OBJECT-TYPE 2106 SYNTAX OCTET STRING (SIZE(0..32)) 2107 MAX-ACCESS read-create 2108 STATUS current 2109 DESCRIPTION "A publicly-readable value which can be written as part | 2110 of the procedure for changing a user's secret 2111 authentication and/or privacy key, and later read to 2112 determine whether the change of the secret was 2113 effected. 2114 " 2115 DEFVAL { ''H } -- the empty string 2116 ::= { usmUserEntry 11 } 2118 usmUserStorageType OBJECT-TYPE 2119 SYNTAX StorageType 2120 MAX-ACCESS read-create 2121 STATUS current 2122 DESCRIPTION "The storage type for this conceptual row. 2124 Conceptual rows having the value 'permanent' must 2125 allow write-access at a minimum to: 2127 - usmUserAuthKeyChange, usmUserOwnAuthKeyChange 2128 and usmUserPublic for a user who employs 2129 authentication, and 2130 - usmUserPrivKeyChange, usmUserOwnPrivKeyChange 2131 and usmUserPublic for a user who employs 2132 privacy. 2134 Note that any user who employs authentication or 2135 privacy must allow its secret(s) to be updated and 2136 thus cannot be 'readOnly'. 2138 If an initial set operation tries to set the value to | 2139 'readOnly' for a user who employs authentication or | 2140 privacy, then an 'inconsistentValue' error must be | 2141 returned. Note that if the value has been previously | 2142 set (implicit or explicit) to any value, then the rules | 2143 as defined in the RowStatus Textual Convention apply. | 2145 -- Editor's note: There are still some open questions: | 2146 -- a) should we allow permanent and readOnly via SNMP SET at all | 2147 -- seems we need some input from people who will deploy this. | 2148 -- b) if wo do allow to create readOnly entries, then what do we | 2149 -- do with the cloneFrom? Let it succeed even if readOnly or | 2150 -- return inconsistentValue? Seems we should let it succeed, | 2151 -- otherwise the row can never become active!! | 2152 -- c) do we want to prescribe behaviour if a row is nonVolatile | 2153 -- and the rowStatus is changed to notInservice? | 2154 " 2155 DEFVAL { nonVolatile } 2156 ::= { usmUserEntry 12 } 2158 usmUserStatus OBJECT-TYPE 2159 SYNTAX RowStatus 2160 MAX-ACCESS read-create 2161 STATUS current 2162 DESCRIPTION "The status of this conceptual row. 2164 Until instances of all corresponding columns are 2165 appropriately configured, the value of the 2166 corresponding instance of the usmUserStatus column 2167 is 'notReady'. 2169 In particular, a newly created row for a user who | 2170 employs authentication, cannot be made active until the | 2171 corresponding usmUserCloneFrom and usmUserAuthKeyChange | 2172 have been set. | 2174 Further, a newly created row for a user who also | 2175 employs privacy, cannot be made active until the | 2176 usmUserPrivKeyChange has been set. | 2178 The RowStatus TC [RFC1903] requires that this 2179 DESCRIPTION clause states under which circumstances 2180 other objects in this row can be modified: 2182 The value of this object has no effect on whether 2183 other objects in this conceptual row can be modified. 2184 " 2185 ::= { usmUserEntry 13 } 2187 -- Conformance Information ******************************************* 2189 usmMIBCompliances OBJECT IDENTIFIER ::= { usmMIBConformance 1 } 2190 usmMIBGroups OBJECT IDENTIFIER ::= { usmMIBConformance 2 } 2192 -- Compliance statements 2194 usmMIBCompliance MODULE-COMPLIANCE 2195 STATUS current 2196 DESCRIPTION "The compliance statement for SNMP engines which 2197 implement the SNMP-USER-BASED-SM-MIB. 2198 " 2200 MODULE -- this module 2201 MANDATORY-GROUPS { usmMIBBasicGroup } 2203 OBJECT usmUserAuthProtocol 2204 MIN-ACCESS read-only 2205 DESCRIPTION "Write access is not required." 2207 OBJECT usmUserPrivProtocol 2208 MIN-ACCESS read-only 2209 DESCRIPTION "Write access is not required." 2211 ::= { usmMIBCompliances 1 } 2213 -- Editor's note: Do we want to add a compliance statement that | 2214 -- allows to support the MIB in read-write only? | 2215 -- i.e. it would not need to allow row creation. | 2217 -- Units of compliance 2218 usmMIBBasicGroup OBJECT-GROUP 2219 OBJECTS { 2220 usmStatsUnsupportedSecLevels, 2221 usmStatsNotInTimeWindows, 2222 usmStatsUnknownUserNames, 2223 usmStatsUnknownEngineIDs, 2224 usmStatsWrongDigests, 2225 usmStatsDecryptionErrors, 2226 usmUserSpinLock, 2227 usmUserSecurityName, 2228 usmUserCloneFrom, 2229 usmUserAuthProtocol, 2230 usmUserAuthKeyChange, 2231 usmUserOwnAuthKeyChange, 2232 usmUserPrivProtocol, 2233 usmUserPrivKeyChange, 2234 usmUserOwnPrivKeyChange, 2235 usmUserPublic, 2236 usmUserStorageType, 2237 usmUserStatus 2238 } 2239 STATUS current 2240 DESCRIPTION "A collection of objects providing for configuration 2241 of an SNMP engine which implements the SNMP 2242 User-based Security Model. 2243 " 2244 ::= { usmMIBGroups 1 } 2246 END 2247 6. HMAC-MD5-96 Authentication Protocol 2249 This section describes the HMAC-MD5-96 authentication protocol. This 2250 authentication protocol is the first defined for the User-based 2251 Security Model. It uses MD5 hash-function which is described in 2252 [MD5], in HMAC mode described in [RFC2104], truncating the output to 2253 96 bits. 2255 This protocol is identified by usmHMACMD5AuthProtocol. 2257 Over time, other authentication protocols may be defined either as a 2258 replacement of this protocol or in addition to this protocol. 2260 6.1. Mechanisms 2262 - In support of data integrity, a message digest algorithm is 2263 required. A digest is calculated over an appropriate portion of an 2264 SNMP message and included as part of the message sent to the 2265 recipient. 2267 - In support of data origin authentication and data integrity, 2268 a secret value is prepended to SNMP message prior to computing the 2269 digest; the calculated digest is partially inserted into the SNMP 2270 message prior to transmission, and the prepended value is not 2271 transmitted. The secret value is shared by all SNMP engines 2272 authorized to originate messages on behalf of the appropriate user. 2274 6.1.1. Digest Authentication Mechanism 2276 The Digest Authentication Mechanism defined in this memo provides 2277 for: 2279 - verification of the integrity of a received message, i.e., the 2280 message received is the message sent. 2282 The integrity of the message is protected by computing a digest 2283 over an appropriate portion of the message. The digest is computed 2284 by the originator of the message, transmitted with the message, and 2285 verified by the recipient of the message. 2287 - verification of the user on whose behalf the message was generated. 2289 A secret value known only to SNMP engines authorized to generate 2290 messages on behalf of a user is used in HMAC mode (see [RFC2104]). 2291 It also recommends the hash-function output used as Message 2292 Authentication Code, to be truncated. 2294 This protocol uses the MD5 [MD5] message digest algorithm. A 128-bit 2295 MD5 digest is calculated in a special (HMAC) way over the designated 2296 portion of an SNMP message and the first 96 bits of this digest is 2297 included as part of the message sent to the recipient. The size of 2298 the digest carried in a message is 12 octets. The size of the private 2299 authentication key (the secret) is 16 octets. For the details see 2300 section 6.3. 2302 6.2. Elements of the Digest Authentication Protocol 2304 This section contains definitions required to realize the 2305 authentication module defined in this section of this memo. 2307 6.2.1. Users 2309 Authentication using this authentication protocol makes use of a 2310 defined set of userNames. For any user on whose behalf a message must 2311 be authenticated at a particular SNMP engine, that SNMP engine must 2312 have knowledge of that user. An SNMP engine that wishes to 2313 communicate with another SNMP engine must also have knowledge of a 2314 user known to that engine, including knowledge of the applicable 2315 attributes of that user. 2317 A user and its attributes are defined as follows: 2319 2320 A string representing the name of the user. 2321 2322 A user's secret key to be used when calculating a digest. 2323 It MUST be 16 octets long for MD5. 2325 6.2.2. msgAuthoritativeEngineID 2327 The msgAuthoritativeEngineID value contained in an authenticated 2328 message specifies the authoritative SNMP engine for that particular 2329 message (see the definition of SnmpEngineID in the SNMP Architecture 2330 document [RFCxxx1]). 2332 The user's (private) authentication key is normally different at each 2333 authoritative SNMP engine and so the snmpEngineID is used to select 2334 the proper key for the authentication process. 2336 6.2.3. SNMP Messages Using this Authentication Protocol 2338 Messages using this authentication protocol carry a 2339 msgAuthenticationParameters field as part of the 2340 msgSecurityParameters. For this protocol, the 2341 msgAuthenticationParameters field is the serialized OCTET STRING 2342 representing the first 12 octets of the HMAC-MD5-96 output done over 2343 the wholeMsg. 2345 The digest is calculated over the wholeMsg so if a message is 2346 authenticated, that also means that all the fields in the message are 2347 intact and have not been tampered with. 2349 6.2.4. Services provided by the HMAC-MD5-96 Authentication Module 2351 This section describes the inputs and outputs that the HMAC-MD5-96 2352 Authentication module expects and produces when the User-based 2353 Security module calls the HMAC-MD5-96 Authentication module for 2354 services. 2356 6.2.4.1. Services for Generating an Outgoing SNMP Message 2358 The HMAC-MD5-96 authentication protocol assumes that the selection of 2359 the authKey is done by the caller and that the caller passes the 2360 secret key to be used. 2362 Upon completion the authentication module returns statusInformation 2363 and, if the message digest was correctly calculated, the wholeMsg 2364 with the digest inserted at the proper place. The abstract service 2365 primitive is: 2367 statusInformation = -- success or failure 2368 authenticateOutgoingMsg( 2369 IN authKey -- secret key for authentication 2370 IN wholeMsg -- unauthenticated complete message 2371 OUT authenticatedWholeMsg -- complete authenticated message 2372 ) 2374 The abstract data elements are: 2376 statusInformation 2377 An indication of whether the authentication process was 2378 successful. If not it is an indication of the problem. 2379 authKey 2380 The secret key to be used by the authentication algorithm. 2381 The length of this key MUST be 16 octets. 2382 wholeMsg 2383 The message to be authenticated. 2384 authenticatedWholeMsg 2385 The authenticated message (including inserted digest) on output. 2387 Note, that authParameters field is filled by the authentication 2388 module and this field should be already present in the wholeMsg 2389 before the Message Authentication Code (MAC) is generated. 2391 6.2.4.2. Services for Processing an Incoming SNMP Message 2393 The HMAC-MD5-96 authentication protocol assumes that the selection of 2394 the authKey is done by the caller and that the caller passes the 2395 secret key to be used. 2397 Upon completion the authentication module returns statusInformation 2398 and, if the message digest was correctly calculated, the wholeMsg as 2399 it was processed. The abstract service primitive is: 2401 statusInformation = -- success or failure 2402 authenticateIncomingMsg( 2403 IN authKey -- secret key for authentication 2404 IN authParameters -- as received on the wire 2405 IN wholeMsg -- as received on the wire 2406 OUT authenticatedWholeMsg -- complete authenticated message 2407 ) 2409 The abstract data elements are: 2411 statusInformation 2412 An indication of whether the authentication process was 2413 successful. If not it is an indication of the problem. 2414 authKey 2415 The secret key to be used by the authentication algorithm. 2416 The length of this key MUST be 16 octets. 2417 authParameters 2418 The authParameters from the incoming message. 2419 wholeMsg 2420 The message to be authenticated on input and the authenticated 2421 message on output. 2422 authenticatedWholeMsg 2423 The whole message after the authentication check is complete. 2425 6.3. Elements of Procedure 2427 This section describes the procedures for the HMAC-MD5-96 2428 authentication protocol. 2430 6.3.1. Processing an Outgoing Message 2432 This section describes the procedure followed by an SNMP engine 2433 whenever it must authenticate an outgoing message using the 2434 usmHMACMD5AuthProtocol. 2436 1) The msgAuthenticationParameters field is set to the serialization, 2437 according to the rules in [RFC1906], of an OCTET STRING containing 2438 12 zero octets. 2440 2) From the secret authKey, two keys K1 and K2 are derived: 2442 a) extend the authKey to 64 octets by appending 48 zero 2443 octets; save it as extendedAuthKey 2444 b) obtain IPAD by replicating the octet 0x36 64 times; 2445 c) obtain K1 by XORing extendedAuthKey with IPAD; 2446 d) obtain OPAD by replicating the octet 0x5C 64 times; 2447 e) obtain K2 by XORing extendedAuthKey with OPAD. 2449 3) Prepend K1 to the wholeMsg and calculate MD5 digest over it 2450 according to [MD5]. 2452 4) Prepend K2 to the result of the step 4 and calculate MD5 digest 2453 over it according to [MD5]. Take the first 12 octets of the final 2454 digest - this is Message Authentication Code (MAC). 2456 5) Replace the msgAuthenticationParameters field with MAC obtained 2457 in the step 4. | 2459 6) The authenticatedWholeMsg is then returned to the caller 2460 together with statusInformation indicating success. 2462 6.3.2. Processing an Incoming Message 2464 This section describes the procedure followed by an SNMP engine 2465 whenever it must authenticate an incoming message using the 2466 usmHMACMD5AuthProtocol. 2468 ti -4 2469 1) If the digest received in the msgAuthenticationParameters field 2470 is not 12 octets long, then an failure and an errorIndication 2471 (authenticationError) is returned to the calling module. 2473 2) The MAC received in the msgAuthenticationParameters field 2474 is saved. 2476 3) The digest in the msgAuthenticationParameters field is replaced 2477 by the 12 zero octets. 2479 4) From the secret authKey, two keys K1 and K2 are derived: 2481 a) extend the authKey to 64 octets by appending 48 zero 2482 octets; save it as extendedAuthKey 2483 b) obtain IPAD by replicating the octet 0x36 64 times; 2484 c) obtain K1 by XORing extendedAuthKey with IPAD; 2485 d) obtain OPAD by replicating the octet 0x5C 64 times; 2486 e) obtain K2 by XORing extendedAuthKey with OPAD. 2488 5) The MAC is calculated over the wholeMsg: 2490 a) prepend K1 to the wholeMsg and calculate the MD5 digest 2491 over it; 2492 b) prepend K2 to the result of step 5.a and calculate the 2493 MD5 digest over it; 2494 c) first 12 octets of the result of step 5.b is the MAC. 2496 The msgAuthenticationParameters field is replaced with the MAC 2497 value that was saved in step 2. 2499 6) Then the newly calculated MAC is compared with the MAC 2500 saved in step 2. If they do not match, then an failure and an 2501 errorIndication (authenticationFailure) is returned to the 2502 calling module. 2504 7) The authenticatedWholeMsg and statusInformation indicating 2505 success are then returned to the caller. 2507 7. HMAC-SHA-96 Authentication Protocol 2509 This section describes the HMAC-SHA-96 authentication protocol. This 2510 protocol uses the SHA hash-function which is described in [SHA-NIST], 2511 in HMAC mode described in [RFC2104], truncating the output to 96 2512 bits. 2514 This protocol is identified by usmHMACSHAAuthProtocol. 2516 Over time, other authentication protocols may be defined either as a 2517 replacement of this protocol or in addition to this protocol. 2519 7.1. Mechanisms 2521 - In support of data integrity, a message digest algorithm is 2522 required. A digest is calculated over an appropriate portion of an 2523 SNMP message and included as part of the message sent to the 2524 recipient. 2526 - In support of data origin authentication and data integrity, 2527 a secret value is prepended to the SNMP message prior to computing 2528 the digest; the calculated digest is then partially inserted into 2529 the message prior to transmission. The prepended secret is not 2530 transmitted. The secret value is shared by all SNMP engines 2531 authorized to originate messages on behalf of the appropriate user. 2533 7.1.1. Digest Authentication Mechanism 2535 The Digest Authentication Mechanism defined in this memo provides 2536 for: 2538 - verification of the integrity of a received message, i.e., the 2539 the message received is the message sent. 2541 The integrity of the message is protected by computing a digest 2542 over an appropriate portion of the message. The digest is computed 2543 by the originator of the message, transmitted with the message, and 2544 verified by the recipient of the message. 2546 - verification of the user on whose behalf the message was generated. 2548 A secret value known only to SNMP engines authorized to generate 2549 messages on behalf of a user is used in HMAC mode (see [RFC2104]). 2550 It also recommends the hash-function output used as Message 2551 Authentication Code, to be truncated. 2553 This mechanism uses the SHA [SHA-NIST] message digest algorithm. A 2554 160-bit SHA digest is calculated in a special (HMAC) way over the 2555 designated portion of an SNMP message and the first 96 bits of this 2556 digest is included as part of the message sent to the recipient. The 2557 size of the digest carried in a message is 12 octets. The size of the 2558 private authentication key (the secret) is 20 octets. For the details 2559 see section 7.3. 2561 7.2. Elements of the HMAC-SHA-96 Authentication Protocol 2563 This section contains definitions required to realize the 2564 authentication module defined in this section of this memo. 2566 7.2.1. Users 2568 Authentication using this authentication protocol makes use of a 2569 defined set of userNames. For any user on whose behalf a message 2570 must be authenticated at a particular SNMP engine, that SNMP engine 2571 must have knowledge of that user. An SNMP engine that wishes to 2572 communicate with another SNMP engine must also have knowledge of a 2573 user known to that engine, including knowledge of the applicable 2574 attributes of that user. 2576 A user and its attributes are defined as follows: 2578 2579 A string representing the name of the user. 2580 2581 A user's secret key to be used when calculating a digest. 2582 It MUST be 20 octets long for SHA. 2584 7.2.2. msgAuthoritativeEngineID 2586 The msgAuthoritativeEngineID value contained in an authenticated 2587 message specifies the authoritative SNMP engine for that particular 2588 message (see the definition of SnmpEngineID in the SNMP Architecture 2589 document [RFCxxx1]). 2591 The user's (private) authentication key is normally different at each 2592 authoritative SNMP engine and so the snmpEngineID is used to select 2593 the proper key for the authentication process. 2595 7.2.3. SNMP Messages Using this Authentication Protocol 2597 Messages using this authentication protocol carry a 2598 msgAuthenticationParameters field as part of the 2599 msgSecurityParameters. For this protocol, the 2600 msgAuthenticationParameters field is the serialized OCTET STRING 2601 representing the first 12 octets of HMAC-SHA-96 output done over the 2602 wholeMsg. 2604 The digest is calculated over the wholeMsg so if a message is 2605 authenticated, that also means that all the fields in the message are 2606 intact and have not been tampered with. 2608 7.2.4. Services provided by the HMAC-SHA-96 Authentication Module 2610 This section describes the inputs and outputs that the HMAC-SHA-96 2611 Authentication module expects and produces when the User-based 2612 Security module calls the HMAC-SHA-96 Authentication module for 2613 services. 2615 7.2.4.1. Services for Generating an Outgoing SNMP Message 2617 HMAC-SHA-96 authentication protocol assumes that the selection of the 2618 authKey is done by the caller and that the caller passes the secret 2619 key to be used. 2621 Upon completion the authentication module returns statusInformation 2622 and, if the message digest was correctly calculated, the wholeMsg 2623 with the digest inserted at the proper place. The abstract service 2624 primitive is: 2626 statusInformation = -- success or failure 2627 authenticateOutgoingMsg( 2628 IN authKey -- secret key for authentication 2629 IN wholeMsg -- unauthenticated complete message 2630 OUT authenticatedWholeMsg -- complete authenticated message 2631 ) 2633 The abstract data elements are: 2635 statusInformation 2636 An indication of whether the authentication process was 2637 successful. If not it is an indication of the problem. 2638 authKey 2639 The secret key to be used by the authentication algorithm. 2640 The length of this key MUST be 20 octets. 2641 wholeMsg 2642 The message to be authenticated. 2643 authenticatedWholeMsg 2644 The authenticated message (including inserted digest) on output. 2646 Note, that authParameters field is filled by the authentication 2647 module and this field should be already present in the wholeMsg 2648 before the Message Authentication Code (MAC) is generated. 2650 7.2.4.2. Services for Processing an Incoming SNMP Message 2651 HMAC-SHA-96 authentication protocol assumes that the selection of the 2652 authKey is done by the caller and that the caller passes the secret 2653 key to be used. 2655 Upon completion the authentication module returns statusInformation 2656 and, if the message digest was correctly calculated, the wholeMsg as 2657 it was processed. The abstract service primitive is: 2659 statusInformation = -- success or failure 2660 authenticateIncomingMsg( 2661 IN authKey -- secret key for authentication 2662 IN authParameters -- as received on the wire 2663 IN wholeMsg -- as received on the wire 2664 OUT authenticatedWholeMsg -- complete authenticated message 2665 ) 2667 The abstract data elements are: 2669 statusInformation 2670 An indication of whether the authentication process was 2671 successful. If not it is an indication of the problem. 2672 authKey 2673 The secret key to be used by the authentication algorithm. 2674 The length of this key MUST be 20 octets. 2675 authParameters 2676 The authParameters from the incoming message. 2677 wholeMsg 2678 The message to be authenticated on input and the authenticated 2679 message on output. 2680 authenticatedWholeMsg 2681 The whole message after the authentication check is complete. 2683 7.3. Elements of Procedure 2685 This section describes the procedures for the HMAC-SHA-96 2686 authentication protocol. 2688 7.3.1. Processing an Outgoing Message 2690 This section describes the procedure followed by an SNMP engine 2691 whenever it must authenticate an outgoing message using the 2692 usmHMACSHAAuthProtocol. 2694 1) The msgAuthenticationParameters field is set to the 2695 serialization, according to the rules in [RFC1906], of an OCTET 2696 STRING containing 12 zero octets. 2698 2) From the secret authKey, two keys K1 and K2 are derived: 2700 a) extend the authKey to 64 octets by appending 44 zero 2701 octets; save it as extendedAuthKey 2702 b) obtain IPAD by replicating the octet 0x36 64 times; 2703 c) obtain K1 by XORing extendedAuthKey with IPAD; 2704 d) obtain OPAD by replicating the octet 0x5C 64 times; 2705 e) obtain K2 by XORing extendedAuthKey with OPAD. 2707 3) Prepend K1 to the wholeMsg and calculate the SHA digest over it 2708 according to [SHA-NIST]. 2710 4) Prepend K2 to the result of the step 4 and calculate SHA digest 2711 over it according to [SHA-NIST]. Take the first 12 octets of the 2712 final digest - this is Message Authentication Code (MAC). 2714 5) Replace the msgAuthenticationParameters field with MAC obtained 2715 in the step 5. 2717 6) The authenticatedWholeMsg is then returned to the caller 2718 together with statusInformation indicating success. 2720 7.3.2. Processing an Incoming Message 2722 This section describes the procedure followed by an SNMP engine 2723 whenever it must authenticate an incoming message using the 2724 usmHMACSHAAuthProtocol. 2726 1) If the digest received in the msgAuthenticationParameters field 2727 is not 12 octets long, then an failure and an errorIndication 2728 (authenticationError) is returned to the calling module. 2730 2) The MAC received in the msgAuthenticationParameters field 2731 is saved. 2733 3) The digest in the msgAuthenticationParameters field is 2734 replaced by the 12 zero octets. 2736 4) From the secret authKey, two keys K1 and K2 are derived: 2738 a) extend the authKey to 64 octets by appending 44 zero 2739 octets; save it as extendedAuthKey 2740 b) obtain IPAD by replicating the octet 0x36 64 times; 2741 c) obtain K1 by XORing extendedAuthKey with IPAD; 2742 d) obtain OPAD by replicating the octet 0x5C 64 times; 2743 e) obtain K2 by XORing extendedAuthKey with OPAD. 2745 5) The MAC is calculated over the wholeMsg: 2747 a) prepend K1 to the wholeMsg and calculate the SHA digest 2748 over it; 2749 b) prepend K2 to the result of step 5.a and calculate the 2750 SHA digest over it; 2751 c) first 12 octets of the result of step 5.b is the MAC. 2753 The msgAuthenticationParameters field is replaced with the MAC 2754 value that was saved in step 2. 2756 6) The the newly calculated MAC is compared with the MAC saved in 2757 step 2. If they do not match, then a failure and an 2758 errorIndication (authenticationFailure) are returned to the 2759 calling module. 2761 7) The authenticatedWholeMsg and statusInformation indicating 2762 success are then returned to the caller. 2764 8. CBC-DES Symmetric Encryption Protocol 2766 This section describes the CBC-DES Symmetric Encryption Protocol. 2767 This protocol is the first privacy protocol defined for the User- 2768 based Security Model. 2770 This protocol is identified by usmDESPrivProtocol. 2772 Over time, other privacy protocols may be defined either as a 2773 replacement of this protocol or in addition to this protocol. 2775 8.1. Mechanisms 2777 - In support of data confidentiality, an encryption algorithm is 2778 required. An appropriate portion of the message is encrypted prior 2779 to being transmitted. The User-based Security Model specifies that 2780 the scopedPDU is the portion of the message that needs to be 2781 encrypted. 2783 - A secret value in combination with a timeliness value is used 2784 to create the en/decryption key and the initialization vector. The 2785 secret value is shared by all SNMP engines authorized to originate 2786 messages on behalf of the appropriate user. 2788 8.1.1. Symmetric Encryption Protocol 2790 The Symmetric Encryption Protocol defined in this memo provides 2791 support for data confidentiality. The designated portion of an SNMP 2792 message is encrypted and included as part of the message sent to the 2793 recipient. 2795 Two organizations have published specifications defining the DES: 2797 the National Institute of Standards and Technology (NIST) [DES-NIST] 2798 and the American National Standards Institute [DES-ANSI]. There is a 2799 companion Modes of Operation specification for each definition 2800 ([DESO-NIST] and [DESO-ANSI], respectively). 2802 The NIST has published three additional documents that implementors 2803 may find useful. 2805 - There is a document with guidelines for implementing and using 2806 the DES, including functional specifications for the DES and its 2807 modes of operation [DESG-NIST]. 2809 - There is a specification of a validation test suite for the DES 2810 [DEST-NIST]. The suite is designed to test all aspects of the DES 2811 and is useful for pinpointing specific problems. 2813 - There is a specification of a maintenance test for the DES 2814 [DESM-NIST]. The test utilizes a minimal amount of data and 2815 processing to test all components of the DES. It provides a simple 2816 yes-or-no indication of correct operation and is useful to run as 2817 part of an initialization step, e.g., when a computer re-boots. 2819 8.1.1.1. DES key and Initialization Vector. 2821 The first 8 octets of the 16-octet secret (private privacy key) are 2822 used as a DES key. Since DES uses only 56 bits, the Least 2823 Significant Bit in each octet is disregarded. 2825 The Initialization Vector for encryption is obtained using the 2826 following procedure. 2828 The last 8 octets of the 16-octet secret (private privacy key) are 2829 used as pre-IV. 2831 In order to ensure that the IV for two different packets encrypted by 2832 the same key, are not the same (i.e., the IV does not repeat) we need 2833 to "salt" the pre-IV with something unique per packet. An 8-octet 2834 string is used as the "salt". The concatenation of the generating 2835 SNMP engine's 32-bit snmpEngineBoots and a local 32-bit integer, that 2836 the encryption engine maintains, is input to the "salt". The 32-bit 2837 integer is initialized to an arbitrary value at boot time. 2839 The 32-bit snmpEngineBoots is converted to the first 4 octets (Most 2840 Significant Byte first) of our "salt". The 32-bit integer is then 2841 converted to the last 4 octet (Most Significant Byte first) of our 2842 "salt". The resulting "salt" is then XOR-ed with the pre-IV. The 8- 2843 octet "salt" is then put into the privParameters field encoded as an 2844 OCTET STRING. The "salt" integer is then modified. We recommend 2845 that it be incremented by one and wrap when it reaches the maximum 2846 value. 2848 How exactly the value of the "salt" (and thus of the IV) varies, is 2849 an implementation issue, as long as the measures are taken to avoid 2850 producing a duplicate IV. 2852 The "salt" must be placed in the privParameters field to enable the 2853 receiving entity to compute the correct IV and to decrypt the 2854 message. 2856 8.1.1.2. Data Encryption. 2858 The data to be encrypted is treated as sequence of octets. Its length 2859 should be an integral multiple of 8 - and if it is not, the data is 2860 padded at the end as necessary. The actual pad value is irrelevant. 2862 The data is encrypted in Cipher Block Chaining mode. 2864 The plaintext is divided into 64-bit blocks. 2866 The plaintext for each block is XOR-ed with the ciphertext of the 2867 previous block, the result is encrypted and the output of the 2868 encryption is the ciphertext for the block. This procedure is 2869 repeated until there are no more plaintext blocks. 2871 For the very first block, the Initialization Vector is used instead 2872 of the ciphertext of the previous block. 2874 8.1.1.3. Data Decryption 2876 Before decryption, the encrypted data length is verified. If the 2877 length of the OCTET STRING to be decrypted is not an integral 2878 multiple of 8 octets, the decryption process is halted and an 2879 appropriate exception noted. When decrypting, the padding is 2880 ignored. 2882 The first ciphertext block is decrypted, the decryption output is 2883 XOR-ed with the Initialization Vector, and the result is the first 2884 plaintext block. 2886 For each subsequent block, the ciphertext block is decrypted, the 2887 decryption output is XOR-ed with the previous ciphertext block and 2888 the result is the plaintext block. 2890 8.2. Elements of the DES Privacy Protocol 2892 This section contains definitions required to realize the privacy 2893 module defined by this memo. 2895 8.2.1. Users 2897 Data en/decryption using this Symmetric Encryption Protocol makes use 2898 of a defined set of userNames. For any user on whose behalf a 2899 message must be en/decrypted at a particular SNMP engine, that SNMP 2900 engine must have knowledge of that user. An SNMP engine that wishes 2901 to communicate with another SNMP engine must also have knowledge of a 2902 user known to that SNMP engine, including knowledge of the applicable 2903 attributes of that user. 2905 A user and its attributes are defined as follows: 2907 2908 An octet string representing the name of the user. 2909 2910 A user's secret key to be used as input for the DES key and IV. 2911 The length of this key MUST be 16 octets. 2913 8.2.2. msgAuthoritativeEngineID 2915 The msgAuthoritativeEngineID value contained in an authenticated 2916 message specifies the authoritative SNMP engine for that particular 2917 message (see the definition of SnmpEngineID in the SNMP Architecture 2918 document [RFCxxx1]). 2920 The user's (private) privacy key is normally different at each 2921 authoritative SNMP engine and so the snmpEngineID is used to select 2922 the proper key for the en/decryption process. 2924 8.2.3. SNMP Messages Using this Privacy Protocol 2926 Messages using this privacy protocol carry a msgPrivacyParameters 2927 field as part of the msgSecurityParameters. For this protocol, the 2928 msgPrivacyParameters field is the serialized OCTET STRING 2929 representing the "salt" that was used to create the IV. 2931 8.2.4. Services provided by the DES Privacy Module 2933 This section describes the inputs and outputs that the DES Privacy 2934 module expects and produces when the User-based Security module 2935 invokes the DES Privacy module for services. 2937 8.2.4.1. Services for Encrypting Outgoing Data 2939 This DES privacy protocol assumes that the selection of the privKey 2940 is done by the caller and that the caller passes the secret key to be 2941 used. 2943 Upon completion the privacy module returns statusInformation and, if 2944 the encryption process was successful, the encryptedPDU and the 2945 msgPrivacyParameters encoded as an OCTET STRING. The abstract 2946 service primitive is: 2948 statusInformation = -- success of failure 2949 encryptData( 2950 IN encryptKey -- secret key for encryption 2951 IN dataToEncrypt -- data to encrypt (scopedPDU) 2952 OUT encryptedData -- encrypted data (encryptedPDU) 2953 OUT privParameters -- filled in by service provider 2954 ) 2956 The abstract data elements are: 2958 statusInformation 2959 An indication of the success or failure of the encryption 2960 process. In case of failure, it is an indication of the error. 2961 encryptKey 2962 The secret key to be used by the encryption algorithm. 2963 The length of this key MUST be 16 octets. 2964 dataToEncrypt 2965 The data that must be encrypted. 2966 encryptedData 2967 The encrypted data upon successful completion. 2968 privParameters 2969 The privParameters encoded as an OCTET STRING. 2971 8.2.4.2. Services for Decrypting Incoming Data 2973 This DES privacy protocol assumes that the selection of the privKey 2974 is done by the caller and that the caller passes the secret key to be 2975 used. 2977 Upon completion the privacy module returns statusInformation and, if 2978 the decryption process was successful, the scopedPDU in plain text. 2979 The abstract service primitive is: 2981 statusInformation = 2982 decryptData( 2983 IN decryptKey -- secret key for decryption 2984 IN privParameters -- as received on the wire 2985 IN encryptedData -- encrypted data (encryptedPDU) 2986 OUT decryptedData -- decrypted data (scopedPDU) 2987 ) 2989 The abstract data elements are: 2991 statusInformation 2992 An indication whether the data was successfully decrypted 2993 and if not an indication of the error. 2994 decryptKey 2995 The secret key to be used by the decryption algorithm. 2996 The length of this key MUST be 16 octets. 2997 privParameters 2998 The "salt" to be used to calculate the IV. 2999 encryptedData 3000 The data to be decrypted. 3001 decryptedData 3002 The decrypted data. 3004 8.3. Elements of Procedure. 3006 This section describes the procedures for the DES privacy protocol. 3008 8.3.1. Processing an Outgoing Message 3010 This section describes the procedure followed by an SNMP engine 3011 whenever it must encrypt part of an outgoing message using the 3012 usmDESPrivProtocol. 3014 1) The secret cryptKey is used to construct the DES encryption key, 3015 the "salt" and the DES pre-IV (as described in section 8.1.1.1). 3017 2) The privParameters field is set to the serialization according 3018 to the rules in [RFC1906] of an OCTET STRING representing the the 3019 "salt" string. 3021 3) The scopedPDU is encrypted (as described in section 8.1.1.2) 3022 and the encrypted data is serialized according to the rules in 3023 [RFC1906] as an OCTET STRING. 3025 4) The serialized OCTET STRING representing the encrypted 3026 scopedPDU together with the privParameters and statusInformation 3027 indicating success is returned to the calling module. 3029 8.3.2. Processing an Incoming Message 3031 This section describes the procedure followed by an SNMP engine 3032 whenever it must decrypt part of an incoming message using the 3033 usmDESPrivProtocol. 3035 1) If the privParameters field is not an 8-octet OCTET STRING, 3036 then an error indication (decryptionError) is returned to the 3037 calling module. 3039 2) The "salt" is extracted from the privParameters field. 3041 3) The secret cryptKey and the "salt" are then used to construct the 3042 DES decryption key and pre-IV (as described in section 8.1.1.1). 3044 4) The encryptedPDU is then decrypted (as described in 3045 section 8.1.1.3). 3047 5) If the encryptedPDU cannot be decrypted, then an error 3048 indication (decryptionError) is returned to the calling module. 3050 6) The decrypted scopedPDU and statusInformation indicating 3051 success are returned to the calling module. 3053 9. Intellectual Property 3055 The IETF takes no position regarding the validity or scope of any 3056 intellectual property or other rights that might be claimed to 3057 pertain to the implementation or use of the technology described in 3058 this document or the extent to which any license under such rights 3059 might or might not be available; neither does it represent that it 3060 has made any effort to identify any such rights. Information on the 3061 IETF's procedures with respect to rights in standards-track and 3062 standards-related documentation can be found in BCP-11. Copies of 3063 claims of rights made available for publication and any assurances of 3064 licenses to be made available, or the result of an attempt made to 3065 obtain a general license or permission for the use of such 3066 proprietary rights by implementors or users of this specification can 3067 be obtained from the IETF Secretariat. 3069 The IETF invites any interested party to bring to its attention any 3070 copyrights, patents or patent applications, or other proprietary 3071 rights which may cover technology that may be required to practice 3072 this standard. Please address the information to the IETF Executive 3073 Director. 3075 10. Acknowledgements 3077 This document is the result of the efforts of the SNMPv3 Working 3078 Group. Some special thanks are in order to the following SNMPv3 WG 3079 members: 3081 Dave Battle (SNMP Research, Inc.) 3082 Uri Blumenthal (IBM T.J. Watson Research Center) 3083 Jeff Case (SNMP Research, Inc.) 3084 John Curran (BBN) 3085 T. Max Devlin (Hi-TECH Connections) 3086 John Flick (Hewlett Packard) 3087 David Harrington (Cabletron Systems Inc.) 3088 N.C. Hien (IBM T.J. Watson Research Center) 3089 Dave Levi (SNMP Research, Inc.) 3090 Louis A Mamakos (UUNET Technologies Inc.) 3091 Paul Meyer (Secure Computing Corporation) 3092 Keith McCloghrie (Cisco Systems) 3093 Russ Mundy (Trusted Information Systems, Inc.) 3094 Bob Natale (ACE*COMM Corporation) 3095 Mike O'Dell (UUNET Technologies Inc.) 3096 Dave Perkins (DeskTalk) 3097 Peter Polkinghorne (Brunel University) 3098 Randy Presuhn (BMC Software, Inc.) 3099 David Reid (SNMP Research, Inc.) 3100 Shawn Routhier (Epilogue) 3101 Juergen Schoenwaelder (TU Braunschweig) 3102 Bob Stewart (Cisco Systems) 3103 Bert Wijnen (IBM T.J. Watson Research Center) 3105 The document is based on recommendations of the IETF Security and 3106 Administrative Framework Evolution for SNMP Advisory Team. Members 3107 of that Advisory Team were: 3109 David Harrington (Cabletron Systems Inc.) 3110 Jeff Johnson (Cisco Systems) 3111 David Levi (SNMP Research Inc.) 3112 John Linn (Openvision) 3113 Russ Mundy (Trusted Information Systems) chair 3114 Shawn Routhier (Epilogue) 3115 Glenn Waters (Nortel) 3116 Bert Wijnen (IBM T. J. Watson Research Center) 3118 As recommended by the Advisory Team and the SNMPv3 Working Group 3119 Charter, the design incorporates as much as practical from previous 3120 RFCs and drafts. As a result, special thanks are due to the authors 3121 of previous designs known as SNMPv2u and SNMPv2*: 3123 Jeff Case (SNMP Research, Inc.) 3124 David Harrington (Cabletron Systems Inc.) 3125 David Levi (SNMP Research, Inc.) 3126 Keith McCloghrie (Cisco Systems) 3127 Brian O'Keefe (Hewlett Packard) 3128 Marshall T. Rose (Dover Beach Consulting) 3129 Jon Saperia (BGS Systems Inc.) 3130 Steve Waldbusser (International Network Services) 3131 Glenn W. Waters (Bell-Northern Research Ltd.) 3133 11. Security Considerations 3135 11.1. Recommended Practices 3137 This section describes practices that contribute to the secure, 3138 effective operation of the mechanisms defined in this memo. 3140 - An SNMP engine must discard SNMP Response messages that do not 3141 correspond to any currently outstanding Request message. It is the 3142 responsibility of the Message Processing module to take care of 3143 this. For example it can use a msgID for that. 3145 An SNMP Command Generator Application must discard any Response PDU 3146 for which there is no currently outstanding Request PDU; for 3147 example for SNMPv2 [RFC1905] PDUs, the request-id component in the 3148 PDU can be used to correlate Responses to outstanding Requests. 3150 Although it would be typical for an SNMP engine and an SNMP Command 3151 Generator Application to do this as a matter of course, when using 3152 these security protocols it is significant due to the possibility 3153 of message duplication (malicious or otherwise). 3155 - If an SNMP engine uses a msgID for correlating Response messages 3156 to outstanding Request messages, then it MUST use different msgIDs 3157 in all such Request messages that it sends out during a Time Window 3158 (150 seconds) period. 3160 A Command Generator or Notification Originator Application MUST use 3161 different request-ids in all Request PDUs that it sends out during 3162 a TimeWindow (150 seconds) period. 3164 This must be done to protect against the possibility of message 3165 duplication (malicious or otherwise). 3167 For example, starting operations with a msgID and/or request-id 3168 value of zero is not a good idea. Initializing them with an 3169 unpredictable number (so they do not start out the same after each 3170 reboot) and then incrementing by one would be acceptable. 3172 - An SNMP engine should perform time synchronization using 3173 authenticated messages in order to protect against the possibility 3174 of message duplication (malicious or otherwise). 3176 - When sending state altering messages to a managed authoritative 3177 SNMP engine, a Command Generator Application should delay sending 3178 successive messages to that managed SNMP engine until a positive 3179 acknowledgement is received for the previous message or until the 3180 previous message expires. 3182 No message ordering is imposed by the SNMP. Messages may be 3183 received in any order relative to their time of generation and each 3184 will be processed in the ordered received. Note that when an 3185 authenticated message is sent to a managed SNMP engine, it will be 3186 valid for a period of time of approximately 150 seconds under 3187 normal circumstances, and is subject to replay during this period. 3188 Indeed, an SNMP engine and SNMP Command Generator Applications must 3189 cope with the loss and re-ordering of messages resulting from 3190 anomalies in the network as a matter of course. 3192 However, a managed object, snmpSetSerialNo [RFC1907], is 3193 specifically defined for use with SNMP Set operations in order to 3194 provide a mechanism to ensure that the processing of SNMP messages 3195 occurs in a specific order. 3197 - The frequency with which the secrets of a User-based Security 3198 Model user should be changed is indirectly related to the frequency 3199 of their use. 3201 Protecting the secrets from disclosure is critical to the overall 3202 security of the protocols. Frequent use of a secret provides a 3203 continued source of data that may be useful to a cryptanalyst in 3204 exploiting known or perceived weaknesses in an algorithm. Frequent 3205 changes to the secret avoid this vulnerability. 3207 Changing a secret after each use is generally regarded as the most 3208 secure practice, but a significant amount of overhead may be 3209 associated with that approach. 3211 Note, too, in a local environment the threat of disclosure may be 3212 less significant, and as such the changing of secrets may be less 3213 frequent. However, when public data networks are used as the 3214 communication paths, more caution is prudent. 3216 11.2 Defining Users 3218 The mechanisms defined in this document employ the notion of users on 3219 whose behalf messages are sent. How "users" are defined is subject 3220 to the security policy of the network administration. For example, 3221 users could be individuals (e.g., "joe" or "jane"), or a particular 3222 role (e.g., "operator" or "administrator"), or a combination (e.g., 3223 "joe-operator", "jane-operator" or "joe-admin"). Furthermore, a user 3224 may be a logical entity, such as an SNMP Application or a set of SNMP 3225 Applications, acting on behalf of an individual or role, or set of 3226 individuals, or set of roles, including combinations. 3228 Appendix A describes an algorithm for mapping a user "password" to a | 3229 16/20 octet value for use as either a user's authentication key or 3230 privacy key (or both). Note however, that using the same password 3231 (and therefore the same key) for both authentication and privacy is 3232 very poor security practice and should be strongly discouraged. 3233 Passwords are often generated, remembered, and input by a human. | 3234 Human-generated passwords may be less than the 16/20 octets required 3235 by the authentication and privacy protocols, and brute force attacks 3236 can be quite easy on a relatively short ASCII character set. 3237 Therefore, the algorithm is Appendix A performs a transformation on 3238 the password. If the Appendix A algorithm is used, SNMP 3239 implementations (and SNMP configuration applications) must ensure 3240 that passwords are at least 8 characters in length. Please note that | 3241 longer passwords with repetitive strings may results in exactly the | 3242 same key. For example, a password of 3244 Because the Appendix A algorithm uses such passwords (nearly) 3245 directly, it is very important that they not be easily guessed. It 3246 is suggested that they be composed of mixed-case alphanumeric and 3247 punctuation characters that don't form words or phrases that might be 3248 found in a dictionary. Longer passwords improve the security of the 3249 system. Users may wish to input multiword phrases to make their 3250 password string longer while ensuring that it is memorable. 3252 Since it is infeasible for human users to maintain different 3253 passwords for every SNMP engine, but security requirements strongly 3254 discourage having the same key for more than one SNMP engine, the 3255 User-based Security Model employs a compromise proposed in 3256 [Localized-key]. It derives the user keys for the SNMP engines from 3257 user's password in such a way that it is practically impossible to 3258 either determine the user's password, or user's key for another SNMP 3259 engine from any combination of user's keys on SNMP engines. 3261 Note however, that if user's password is disclosed, then key 3262 localization will not help and network security may be compromised in 3263 this case. Therefore a user's password or non-localized key MUST NOT 3264 be stored on a managed device/node. Instead the localized key SHALL 3265 be stored (if at all) , so that, in case a device does get 3266 compromised, no other managed or managing devices get compromised. 3268 11.3. Conformance 3270 To be termed a "Secure SNMP implementation" based on the User-based 3271 Security Model, an SNMP implementation MUST: 3273 - implement one or more Authentication Protocol(s). The HMAC-MD5-96 3274 and HMAC-SHA-96 Authentication Protocols defined in this memo are 3275 examples of such protocols. 3277 - to the maximum extent possible, prohibit access to the secret(s) 3278 of each user about which it maintains information in a Local 3279 Configuration Datastore (LCD) under all circumstances except as 3280 required to generate and/or validate SNMP messages with respect to 3281 that user. 3283 - implement the key-localization mechanism. 3285 - implement the SNMP-USER-BASED-SM-MIB. 3287 In addition, an authoritative SNMP engine SHOULD provide initial 3288 configuration in accordance with Appendix A.1. 3290 Implementation of a Privacy Protocol (the DES Symmetric Encryption 3291 Protocol defined in this memo is one such protocol) is optional. 3293 12. References 3295 [RFC1321] Rivest, R., "Message Digest Algorithm MD5", 3296 RFC 1321, April 1992. 3298 [RFC1903] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, 3299 "Textual Conventions for Version 2 of the Simple Network 3300 Management Protocol (SNMPv2)", RFC 1903, January 1996. 3302 [RFC1905] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, 3303 "Protocol Operations for Version 2 of the Simple Network 3304 Management Protocol (SNMPv2)", RFC 1905, January 1996. 3306 [RFC1906] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, 3307 "Transport Mappings for Version 2 of the Simple Network Management 3308 Protocol (SNMPv2)", RFC 1906, January 1996. 3310 [RFC1907] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, 3311 "Management Information Base for Version 2 of the Simple Network 3312 Management Protocol (SNMPv2)", RFC 1907 January 1996. 3314 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: 3315 Keyed-Hashing for Message Authentication", RFC 2104, February 3316 1997. 3318 [RFC2028] Hovey, R., and S. Bradner, "The Organizations Involved in 3319 the IETF Standards Process", BCP 11, RFC 2028, October 1996. 3321 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 3322 Requirement Levels", BCP 14, RFC 2119, March 1997. 3324 [RFCxxx1] Harrington, D., Presuhn, R., and B. Wijnen, "An 3325 Architecture for describing SNMP Management Frameworks", RFC xxx1, 3326 January 1998. 3328 [RFCxxx2] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, 3329 "Message Processing and Dispatching for the Simple Network 3330 Management Protocol (SNMP)", RFC xxx2, January 1998. 3332 [Localized-Key] U. Blumenthal, N. C. Hien, B. Wijnen 3333 "Key Derivation for Network Management Applications" IEEE Network 3334 Magazine, April/May issue, 1997. 3336 [DES-NIST] Data Encryption Standard, National Institute of Standards 3337 and Technology. Federal Information Processing Standard (FIPS) 3338 Publication 46-1. Supersedes FIPS Publication 46, (January, 1977; 3339 reaffirmed January, 1988). 3341 [DES-ANSI] Data Encryption Algorithm, American National Standards 3342 Institute. ANSI X3.92-1981, (December, 1980). 3344 [DESO-NIST] DES Modes of Operation, National Institute of Standards 3345 and Technology. Federal Information Processing Standard (FIPS) 3346 Publication 81, (December, 1980). 3348 [DESO-ANSI] Data Encryption Algorithm - Modes of Operation, American 3349 National Standards Institute. ANSI X3.106-1983, (May 1983). 3351 [DESG-NIST] Guidelines for Implementing and Using the NBS Data 3352 Encryption Standard, National Institute of Standards and 3353 Technology. Federal Information Processing Standard (FIPS) 3354 Publication 74, (April, 1981). 3356 [DEST-NIST] Validating the Correctness of Hardware Implementations of 3357 the NBS Data Encryption Standard, National Institute of Standards 3358 and Technology. Special Publication 500-20. 3360 [DESM-NIST] Maintenance Testing for the Data Encryption Standard, 3361 National Institute of Standards and Technology. Special 3362 Publication 500-61, (August, 1980). 3364 [SHA-NIST] Secure Hash Algorithm. NIST FIPS 180-1, (April, 1995) 3365 http://csrc.nist.gov/fips/fip180-1.txt (ASCII) 3366 http://csrc.nist.gov/fips/fip180-1.ps (Postscript) 3368 13. Editors' Addresses 3370 Uri Blumenthal 3371 IBM T. J. Watson Research 3372 30 Saw Mill River Pkwy, 3373 Hawthorne, NY 10532 3374 USA 3376 EMail: uri@watson.ibm.com 3377 Phone: +1-914-784-7064 3379 Bert Wijnen 3380 IBM T. J. Watson Research 3381 Schagen 33 3382 3461 GL Linschoten 3383 Netherlands 3385 EMail: wijnen@vnet.ibm.com 3386 Phone: +31-348-432-794 3388 APPENDIX A - Installation 3390 A.1. SNMP engine Installation Parameters 3392 During installation, an authoritative SNMP engine SHOULD (in the 3393 meaning as defined in [RFC2119]) be configured with several initial 3394 parameters. These include: 3396 1) A security posture 3398 The choice of security posture determines if initial configuration 3399 is implemented and if so how. One of three possible choices is 3400 selected: 3402 minimum-secure, 3403 semi-secure, 3404 very-secure (i.e., no-initial-configuration) 3406 In the case of a very-secure posture, there is no initial 3407 configuration, and so the following steps are irrelevant. 3409 2) one or more secrets 3411 These are the authentication/privacy secrets for the first user to be 3412 configured. 3414 One way to accomplish this is to have the installer enter a 3415 "password" for each required secret. The password is then 3416 algorithmically converted into the required secret by: 3418 - forming a string of length 1,048,576 octets by repeating the 3419 value of the password as often as necessary, truncating 3420 accordingly, and using the resulting string as the input to the MD5 3421 algorithm [MD5]. The resulting digest, termed "digest1", is used 3422 in the next step. 3424 - a second string is formed by concatenating digest1, the SNMP 3425 engine's snmpEngineID value, and digest1. This string is used as 3426 input to the MD5 algorithm [MD5]. 3428 The resulting digest is the required secret (see Appendix A.2). 3430 With these configured parameters, the SNMP engine instantiates the 3431 following usmUserEntry in the usmUserTable: 3433 no privacy support privacy support 3434 ------------------ --------------- 3435 usmUserEngineID localEngineID localEngineID 3436 usmUserName "initial" "initial" 3437 usmUserSecurityName "initial" "initial" 3438 usmUserCloneFrom ZeroDotZero ZeroDotZero 3439 usmUserAuthProtocol usmHMACMD5AuthProtocol usmHMACMD5AuthProtocol 3440 usmUserAuthKeyChange "" "" 3441 usmUserOwnAuthKeyChange "" "" 3442 usmUserPrivProtocol none usmDESPrivProtocol 3443 usmUserPrivKeyChange "" "" 3444 usmUserOwnPrivKeyChange "" "" 3445 usmUserPublic "" "" 3446 usmUserStorageType anyValidStorageType anyValidStorageType 3447 usmUserStatus active active 3449 -- Editor's note. It seems (from the interoperability experiemnts) | 3450 -- that it would be usefull to recommend template users from which | 3451 -- new users can be cloned. | 3452 -- Here is the proposed text. | 3454 It is recommended to also instantiate a set of template | 3455 usmUserEntries which can be used as clone-from users for newly | 3456 created usmUserEntries. These are the two suggested entries: | 3457 no privacy support privacy support | 3458 ------------------ --------------- | 3459 usmUserEngineID localEngineID localEngineID | 3460 usmUserName "templateMD5" "templateMD5" | 3461 usmUserSecurityName "templateMD5" "templateMD5" | 3462 usmUserCloneFrom ZeroDotZero ZeroDotZero | 3463 usmUserAuthProtocol usmHMACMD5AuthProtocol usmHMACMD5AuthProtocol | 3464 usmUserAuthKeyChange "" "" | 3465 usmUserOwnAuthKeyChange "" "" | 3466 usmUserPrivProtocol none usmDESPrivProtocol | 3467 usmUserPrivKeyChange "" "" | 3468 usmUserOwnPrivKeyChange "" "" | 3469 usmUserPublic "" "" | 3470 usmUserStorageType permanent permanent | 3471 usmUserStatus active active | 3472 no privacy support privacy support | 3473 ------------------ --------------- | 3474 usmUserEngineID localEngineID localEngineID | 3475 usmUserName "templateSHA" "templateSHA" | 3476 usmUserSecurityName "templateSHA" "templateSHA" | 3477 usmUserCloneFrom ZeroDotZero ZeroDotZero | 3478 usmUserAuthProtocol usmHMACSHAAuthProtocol usmHMACSHAAuthProtocol | 3479 usmUserAuthKeyChange "" "" | 3480 usmUserOwnAuthKeyChange "" "" | 3481 usmUserPrivProtocol none usmDESPrivProtocol | 3482 usmUserPrivKeyChange "" "" | 3483 usmUserOwnPrivKeyChange "" "" | 3484 usmUserPublic "" "" | 3485 usmUserStorageType permanent permanent | 3486 usmUserStatus active active | 3487 | 3489 A.2. Password to Key Algorithm 3491 A sample code fragment (section A.2.1) demonstrates the password to 3492 key algorithm which can be used when mapping a password to an 3493 authentication or privacy key using MD5. The reference source code 3494 of MD5 is available in [RFC1321]. 3496 Another sample code fragment (section A.2.2) demonstrates the 3497 password to key algorithm which can be used when mapping a password 3498 to an authentication or privacy key using SHA (documented in 3499 SHA-NIST). 3501 An example of the results of a correct implementation is provided 3502 (section A.3) which an implementor can use to check if his 3503 implementation produces the same result. 3505 A.2.1. Password to Key Sample Code for MD5 3507 void password_to_key_md5( 3508 u_char *password, /* IN */ 3509 u_int passwordlen, /* IN */ 3510 u_char *engineID, /* IN - pointer to snmpEngineID */ 3511 u_int engineLength,/* IN - length of snmpEngineID */ | 3512 u_char *key) /* OUT - pointer to caller 16-octet buffer */ 3513 { 3514 MD5_CTX MD; 3515 u_char *cp, password_buf[64]; 3516 u_long password_index = 0; 3517 u_long count = 0, i; 3519 MD5Init (&MD); /* initialize MD5 */ 3520 /**********************************************/ 3521 /* Use while loop until we've done 1 Megabyte */ 3522 /**********************************************/ 3523 while (count < 1048576) { 3524 cp = password_buf; 3525 for (i = 0; i < 64; i++) { 3526 /*************************************************/ 3527 /* Take the next octet of the password, wrapping */ 3528 /* to the beginning of the password as necessary.*/ 3529 /*************************************************/ 3530 *cp++ = password[password_index++ % passwordlen]; 3531 } 3532 MD5Update (&MD, password_buf, 64); 3533 count += 64; 3534 } 3535 MD5Final (key, &MD); /* tell MD5 we're done */ 3537 /*****************************************************/ 3538 /* Now localize the key with the engineID and pass */ 3539 /* through MD5 to produce final key */ 3540 /* May want to ensure that engineLength <= 32, */ 3541 /* otherwise need to use a buffer larger than 64 */ 3542 /*****************************************************/ 3543 memcpy(password_buf, key, 16); 3544 memcpy(password_buf+16, engineID, engineLength); 3545 memcpy(password_buf+16+engineLength, key, 16); | 3547 MD5Init(&MD); 3548 MD5Update(&MD, password_buf, 32+engineLength); 3549 MD5Final(key, &MD); 3551 return; 3552 } 3554 A.2.2. Password to Key Sample Code for SHA 3556 void password_to_key_sha( 3557 u_char *password, /* IN */ 3558 u_int passwordlen, /* IN */ 3559 u_char *engineID, /* IN - pointer to snmpEngineID */ 3560 u_int engineLength,/* IN - length of snmpEngineID */ | 3561 u_char *key) /* OUT - pointer to caller 20-octet buffer */ 3562 { 3563 SHA_CTX SH; 3564 u_char *cp, password_buf[72]; 3565 u_long password_index = 0; 3566 u_long count = 0, i; 3567 SHAInit (&SH); /* initialize SHA */ 3569 /**********************************************/ 3570 /* Use while loop until we've done 1 Megabyte */ 3571 /**********************************************/ 3572 while (count < 1048576) { 3573 cp = password_buf; 3574 for (i = 0; i < 64; i++) { 3575 /*************************************************/ 3576 /* Take the next octet of the password, wrapping */ 3577 /* to the beginning of the password as necessary.*/ 3578 /*************************************************/ 3579 *cp++ = password[password_index++ % passwordlen]; 3580 } 3581 SHAUpdate (&SH, password_buf, 64); 3582 count += 64; 3583 } 3584 SHAFinal (key, &SH); /* tell SHA we're done */ 3586 /*****************************************************/ 3587 /* Now localize the key with the engineID and pass */ 3588 /* through SHA to produce final key */ 3589 /* May want to ensure that engineLength <= 32, */ 3590 /* otherwise need to use a buffer larger than 72 */ 3591 /*****************************************************/ 3592 memcpy(password_buf, key, 20); 3593 memcpy(password_buf+20, engineID, engineLength); 3594 memcpy(password_buf+20+engineLength, key, 20); | 3596 SHAInit(&SH); 3597 SHAUpdate(&SH, password_buf, 40+engineLength); 3598 SHAFinal(key, &SH); 3600 return; 3601 } 3603 A.3. Password to Key Sample Results 3605 A.3.1. Password to Key Sample Results using MD5 3607 The following shows a sample output of the password to key algorithm 3608 for a 16-octet key using MD5. 3610 With a password of "maplesyrup" the output of the password to key 3611 algorithm before the key is localized with the SNMP engine's 3612 snmpEngineID is: 3614 '9f af 32 83 88 4e 92 83 4e bc 98 47 d8 ed d9 63'H 3616 After the intermediate key (shown above) is localized with the 3617 snmpEngineID value of: 3619 '00 00 00 00 00 00 00 00 00 00 00 02'H 3621 the final output of the password to key algorithm is: 3623 '52 6f 5e ed 9f cc e2 6f 89 64 c2 93 07 87 d8 2b'H 3625 A.3.2. Password to Key Sample Results using SHA 3627 The following shows a sample output of the password to key 3628 algorithm for a 20-octet key using SHA. 3630 With a password of "maplesyrup" the output of the password to key 3631 algorithm before the key is localized with the SNMP engine's 3632 snmpEngineID is: 3634 '9f b5 cc 03 81 49 7b 37 93 52 89 39 ff 78 8d 5d 79 14 52 11'H | 3636 After the intermediate key (shown above) is localized with the 3637 snmpEngineID value of: 3639 '00 00 00 00 00 00 00 00 00 00 00 02'H 3641 the final output of the password to key algorithm is: 3643 '66 95 fe bc 92 88 e3 62 82 23 5f c7 15 1f 12 84 97 b3 8f 3f'H | 3645 A.4. Sample encoding of msgSecurityParameters 3647 The msgSecurityParameters in an SNMP message are represented as an 3648 OCTET STRING. This OCTET STRING should be considered opaque outside a 3649 specific Security Model. 3651 The User-based Security Model defines the contents of the OCTET 3652 STRING as a SEQUENCE (see section 2.4). 3654 Given these two properties, the following is an example of the 3655 msgSecurityParameters for the User-based Security Model, encoded as 3656 an OCTET STRING: 3658 04 3659 30 3660 04 3661 02 3662 02 3663 04 3664 04 0c 3665 04 08 3667 Here is the example once more, but now with real values (except for 3668 the digest in msgAuthenticationParameters and the salt in 3669 msgPrivacyParameters, which depend on variable data that we have not 3670 defined here): 3672 Hex Data Description 3673 -------------- ----------------------------------------------- 3674 04 39 OCTET STRING, length 57 3675 30 37 SEQUENCE, length 55 3676 04 0c 80000002 msgAuthoritativeEngineID: IBM 3677 01 IPv4 address 3678 09840301 9.132.3.1 3679 02 01 01 msgAuthoritativeEngineBoots: 1 3680 02 02 0101 msgAuthoritativeEngineTime: 257 3681 04 04 62657274 msgUserName: bert 3682 04 0c 01234567 msgAuthenticationParameters: sample value 3683 89abcdef 3684 fedcba98 3685 04 08 01234567 msgPrivacyParameters: sample value 3686 89abcdef 3688 B. Full Copyright Statement 3690 Copyright (C) The Internet Society (1998). All Rights Reserved. 3692 This document and translations of it may be copied and furnished to 3693 others, and derivative works that comment on or otherwise explain it 3694 or assist in its implementation may be prepared, copied, published 3695 and distributed, in whole or in part, without restriction of any 3696 kind, provided that the above copyright notice and this paragraph are 3697 included on all such copies and derivative works. However, this 3698 document itself may not be modified in any way, such as by removing 3699 the copyright notice or references to the Internet Society or other 3700 Internet organizations, except as needed for the purpose of 3701 developing Internet standards in which case the procedures for 3702 copyrights defined in the Internet Standards process must be 3703 followed, or as required to translate it into languages other than 3704 English. 3706 The limited permissions granted above are perpetual and will not be 3707 revoked by the Internet Society or its successors or assigns. 3709 This document and the information contained herein is provided on an 3710 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 3711 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 3712 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 3713 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 3714 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.