idnits 2.17.1

draft-labarre-iimc-party-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in
     this document.

     Expected boilerplate is as follows today (2024-04-24) according to
     https://trustee.ietf.org/license-info :

       IETF Trust Legal Provisions of 28-dec-2009, Section 6.a:
          This Internet-Draft is submitted in full conformance with the
          provisions of BCP 78 and BCP 79.

       IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2:
          Copyright (c) 2024 IETF Trust and the persons identified as the
          document authors.  All rights reserved.

       IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3:
          This document is subject to BCP 78 and the IETF Trust's Legal
          Provisions Relating to IETF Documents
          (https://trustee.ietf.org/license-info) in effect on the date of
          publication of this document.  Please review these documents
          carefully, as they describe your rights and restrictions with respect
          to this document.  Code Components extracted from this document must
          include Simplified BSD License text as described in Section 4.e of
          the Trust Legal Provisions and are provided without warranty as
          described in the Simplified BSD License.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing document type: Expected "INTERNET-DRAFT" in the upper left hand
     corner of the first page

  ** Missing expiration date.  The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents.

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity.
  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts.

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  == The page length should not exceed 58 lines per page, but there was 69
     longer pages, the longest (page 0) being 62 lines

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Introduction section.  (A line matching the
     expected section header was found, but with an unexpected indentation:
     ' 1.2 OVERVIEW OF IIMC' )

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack an Authors' Addresses Section.

  ** There are 271 instances of too long lines in the document, the longest
     one being 13 characters in excess of 72.

  ** The abstract seems to contain references ([2], [38], [3], [21], [4],
     [17], [13,14,15,16], [ISO10165-4], [RFC1442], [18], [24], [19], [6],
     [25], [7], [RFC1212], [30], [31], [32], [27], [33], [28], [34], [8,9,10],
     [12], [IIMCOMIBTRANS], [35], [36], [IIMCIMIBTRANS], [1], [ISO10165-1],
     [37]), which it shouldn't.  Please replace those with straight textual
     mentions of the documents in question.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == Line 931 has weird spacing: '.... The minim...'

  == Line 1406 has weird spacing: '...efer to the s...'

  == Line 1409 has weird spacing: '...ined in viewM...'

  == Line 1948 has weird spacing: '...ue. In parti...'

  == Line 2021 has weird spacing: '...ication key w...'

  == (11 more instances...)
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check
     skipped.

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '' and '' lines.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Missing reference section? 'IIMCOMIBTRANS' on line 294 looks like a reference
  -- Missing reference section? 'IIMCMIB-II' on line 25 looks like a reference
  -- Missing reference section? 'IIMCPROXY' on line 26 looks like a reference
  -- Missing reference section? 'IIMCIMIBTRANS' on line 293 looks like a reference
  -- Missing reference section? '27' on line 2965 looks like a reference
  -- Missing reference section? '32' on line 235 looks like a reference
  -- Missing reference section? '6' on line 191 looks like a reference
  -- Missing reference section? '8' on line 192 looks like a reference
  -- Missing reference section? '9' on line 192 looks like a reference
  -- Missing reference section? '10' on line 192 looks like a reference
  -- Missing reference section? '19' on line 1101 looks like a reference
  -- Missing reference section? '28' on line 1584 looks like a reference
  -- Missing reference section? '18' on line 196 looks like a reference
  -- Missing reference section? '24' on line 277 looks like a reference
  -- Missing reference section? '37' on line 216 looks like a reference
  -- Missing reference section? '33' on line 458 looks like a reference
  -- Missing reference section? '30' on line 344 looks like a reference
  -- Missing reference section? '31' on line 3059 looks like a reference
  -- Missing reference section? '35' on line 265 looks like a reference
  -- Missing reference section? 'RFC1212' on line 293 looks like a reference
  -- Missing reference section? 'ISO10165-1' on line 293 looks like a reference
  -- Missing reference section? 'RFC1442' on line 294 looks like a reference
  -- Missing reference section? 'ISO10165-4' on line 294 looks like a reference
  -- Missing reference section? '21' on line 344 looks like a reference
  -- Missing reference section? '38' on line 474 looks like a reference
  -- Missing reference section? '13' on line 922 looks like a reference
  -- Missing reference section? '14' on line 922 looks like a reference
  -- Missing reference section? '15' on line 922 looks like a reference
  -- Missing reference section? '16' on line 922 looks like a reference
  -- Missing reference section? '7' on line 1113 looks like a reference
  -- Missing reference section? '25' on line 1584 looks like a reference
  -- Missing reference section? '12' on line 864 looks like a reference
  -- Missing reference section? '34' on line 996 looks like a reference
  -- Missing reference section? '17' on line 1083 looks like a reference
  -- Missing reference section? '36' on line 1054 looks like a reference
  -- Missing reference section? '4' on line 1003 looks like a reference
  -- Missing reference section? '1' on line 2808 looks like a reference
  -- Missing reference section? '2' on line 2776 looks like a reference
  -- Missing reference section? '3' on line 2779 looks like a reference

     Summary: 13 errors (**), 0 flaws (~~), 8 warnings (==), 42 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------

INTERNET DRAFT                                      Expires August, 1994

ISO/CCITT and Internet Management Coexistence (IIMC):
ISO/CCITT to Internet Management Security
(IIMCSEC)

February, 1993

Lee LaBarre (Editor)
The MITRE Corporation
Burlington Road
Bedford, MA 01730
cel@mbunix.mitre.org

Status of this Memo

This document provides information to the network and systems management community. This document is intended as a contribution to ongoing work in the area of multi-protocol management coexistence and interworking. This document is part of a package; see also [IIMCOMIBTRANS] [IIMCMIB-II] [IIMCPROXY] and [IIMCIMIBTRANS]. Distribution of this document is unlimited. Comments should be sent to the Network Management Forum IIMC working group (iimc@thumper.bellcore.com).

This document is an Internet Draft. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its Areas, and its Working Groups. Note that other groups may also distribute working documents as Internet Drafts.

Internet Drafts are draft documents valid for a maximum of six months. Internet Drafts may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet Drafts as reference material or to cite them other than as a "working draft" or "work in progress."

Please check the 1id-abstracts.txt listing contained in the internet-drafts Shadow Directories on ds.internic.net, nic.nordu.net, ftp.nisc.sri.com, munnari.oz.au to learn the current status of any Internet Draft.
DRAFT                                                    February, 1994

Abstract

This document is intended to facilitate the multi-protocol management coexistence and interworking for networks that are managed using the ISO/CCITT Common Management Information Protocol (CMIP) and networks that are managed using the Internet Simple Network Management Protocol (SNMP). This document defines the end-to-end security architecture, services, and mechanisms for use with ISO/CCITT-Internet proxies. This document also contains the ISO/CCITT GDMO definition and registration of the SNMP Parties MIB, derived from the Internet SNMP Parties MIB [27] according to the procedures defined in "Translation of Internet MIBs to ISO/CCITT GDMO MIBs" [32].

Table of Contents

1. INTRODUCTION
   1.1 PROBLEM STATEMENT
   1.2 OVERVIEW OF IIMC
   1.3 MIB TRANSLATION PROCEDURES
   1.4 NATIVE MANAGEMENT MODEL
   1.5 PROXY MANAGEMENT MODEL
   1.6 SCOPE OF THIS DOCUMENT
   1.7 TERMS AND CONVENTIONS

2. SECURITY AND MANAGEMENT CONSIDERATIONS
   2.1 GENERAL CONSIDERATIONS
       2.1.1 Security of Management
       2.1.2 Management of Security
       2.1.3 Threat Characterization
             2.1.3.1 Communications Path Security
             2.1.3.2 Managed System Security
   2.2 ISO/CCITT TO INTERNET SECURITY ENVIRONMENT
       2.2.1 Security Model
       2.2.2 Security Capabilities
       2.2.3 Internet Management Security
             2.2.3.1 SNMPv1 Security
             2.2.3.2 SNMPv2 Security
       2.2.4 Constraints on Mapping Security Services
       2.2.5 SNMP Security and the ISO Access Control Framework

3. SECURITY SPECIFICATIONS
   3.1 ISO MANAGER TO ISO/CCITT-INTERNET PROXY SECURITY
       3.1.1 Peer Authentication Services
       3.1.2 Transfer of SNMP Security Parameters
       3.1.3 ISO/CCITT-Internet Proxy Party MIB
   3.2 ISO/CCITT-INTERNET PROXY TO INTERNET AGENT SECURITY
   3.3 ISO/CCITT-INTERNET PROXY ACCESS CONTROL ENFORCEMENT

4. IIMC PARTY MIB
   -- 4.1 PARTY MIB GDMO TEMPLATES
      -- 4.1.1 Party MIB Managed Object Classes
      -- 4.1.2 Party MIB Attribute Types
      -- 4.1.3 Party MIB Attributes
      -- 4.1.4 Party MIB Name Bindings
   -- 4.2 PARTY MIB ASN.1 MODULES

5. IIMC ACL MIB
   -- 5.1 IIMC ACL MIB GDMO TEMPLATES
      -- 5.1.1 IIMC ACL MIB Managed Object Classes
      -- 5.1.2 IIMC ACL MIB Attributes
      -- 5.1.3 IIMC ACL MIB Name Bindings
   -- 5.2 IIMC ACL MIB ASN.1 MODULES

6. CONFORMANCE

ANNEX A (NORMATIVE): MANAGED OBJECT CONFORMANCE STATEMENTS (MOCS)
ANNEX B: GLOSSARY
ANNEX C: REFERENCES

List of Figures

FIGURE 1. MIB TRANSLATION
FIGURE 2. NATIVE MANAGEMENT
FIGURE 3. PROXY MANAGEMENT
FIGURE 4. IIMC END-TO-END SECURITY MODEL

List of Tables

TABLE 1. SNMP SECURITY SERVICES
TABLE 2. SNMP SECURITY PARAMETERS

REVISION HISTORY

Issue 1.0, October 1993

This is the first issue of this document. The internet draft, dated February, 1994, is identical in content to Issue 1.0, October 1993. It has been reformatted for posting as an internet draft.

1. INTRODUCTION

This section provides an overview of ISO/CCITT and Internet Management Coexistence (IIMC) activities, insight into the problem being addressed by IIMC, and a brief introduction to the strategy adopted by IIMC: use of translated MIBs in either a proxy or native implementation. The section concludes by describing the scope of this document, and terms and conventions used by this document.
1.1 PROBLEM STATEMENT

The need for enterprise network management has been addressed by development of network management standards within various communities, most notably the ISO/CCITT and Internet communities.

* The ISO/CCITT community developed the Common Management Information Protocol (CMIP) [6], and related SMI documents [8,9,10].

* The Internet community developed the Simple Network Management Protocol (SNMP) [19], and its successor, SNMPv2 [28]. The Internet SMI is defined in [18] and [24].

These standards share a nearly common management model, but diverge due to differing management philosophies. Although functionally similar, the Internet and ISO/CCITT protocols and SMIs differ in terms of their complexity and specific operations. Business requirements for end-to-end enterprise management include the need to integrate the management of many different devices, potentially owned or administered by many independent organizations. This requires components to be accessed by ISO/CCITT management, Internet management, and proprietary management mechanisms in a manner which presents a unified view of the network, despite protocol and SMI differences.

For example, many telecommunications and computer vendors, represented by organizations such as the Network Management Forum (NMF), and the U.S. government, as specified in the Government Network Management Profile (GNMP) Version 1.0 [37], have based their enterprise management model on the ISO/CCITT management model. These organizations are particularly interested in integrated management of devices that use Internet management. This interest is primarily due to the widespread commercial implementation and use of such devices, especially devices that use the Internet TCP/IP protocol suite.
1.2 OVERVIEW OF IIMC

The ISO/CCITT and Internet Management Coexistence (IIMC) package includes the following documents.

IIMCIMIBTRANS   Translation of Internet MIBs to ISO/CCITT GDMO MIBs [33]

IIMCOMIBTRANS   Translation of ISO/CCITT GDMO MIBs to Internet MIBs [32]

IIMCMIB-II      Translation of Internet MIB-II (RFC 1213) to ISO/CCITT GDMO MIB [30]

IIMCPROXY       ISO/CCITT to Internet Management Proxy [31]

IIMCSEC         ISO/CCITT to Internet Management Security

These documents together comprise a package aimed at integrating ISO/CCITT-based and Internet-based management systems.

IIMC specifications address the problem that end-to-end management requires an integrated, unified view of the managed network, despite differences in management protocol and information structure. Integrated management can be facilitated by the development of "proxy" mechanisms which translate between functionally equivalent service, protocol, and SMI differences to create this unified view. MIB translation procedures can be used to support proxy management, as well as to take advantage of existing MIB definition and avoid duplication of effort. In this way, commercial investment in both ISO/CCITT and Internet-based management technologies can be preserved through deployment of common methods and tools which support integration.

This overall strategy was outlined in a joint publication developed by the NM Forum and X/Open entitled "ISO/CCITT and Internet Management: Coexistence and Interworking Strategy" [35]. The documents included in the IIMC package are the next level of detailed specifications which implement several of the methodologies identified in the strategy. Additional specifications may be defined in the future.
1.3 MIB TRANSLATION PROCEDURES

The foundation of IIMC is provided by a pair of Management Information Base (MIB) translation procedures.

* IIMCIMIBTRANS [24] specifies translation procedures for converting MIBs from Internet MIB macro format into ISO/CCITT GDMO template format.

* IIMCOMIBTRANS [33] specifies translation procedures for converting MIBs from ISO/CCITT GDMO template format into Internet MIB macro format.

The IIMC approach is to specify direct translation procedures which yield a pair of functionally-equivalent MIBs, as shown in Figure 1.

+----------------+     +--------------------+     +----------------+
| Internet MIB   |     | MIB Translation    |     | GDMO MIB       |
|                |     | Procedures         |     |                |
| Format =       |     | Specified By       |     | Format =       |
| [RFC1212] &    |---->| [IIMCIMIBTRANS] or |---->| [ISO10165-1] & |
| [RFC1442]      |<----| [IIMCOMIBTRANS]    |<----| [ISO10165-4]   |
+----------------+     +--------------------+     +----------------+

Figure 1. MIB translation.

MIBs translated by these procedures may be used to take advantage of existing MIB definitions when business needs require deployment in a different management environment. Translated MIBs may also be used to provide uniformity when multiple management environments are supported by a single system (e.g., dual stack managers). Finally, IIMC MIB translation procedures may be used to support service emulation by a proxy.

1.4 NATIVE MANAGEMENT MODEL

The basic model for ISO/CCITT and Internet management is illustrated in the following diagram.
        Manager                                Agent
+-----------------------+           +----------------------+
|+---------------------+|           |+-------------------+ |
||    Management       ||           ||     Managed       | |
||    Applications     ||           ||     Resources     | |
|+---------------------+|           |+-------------------+ |
|          |            |           |          |           |
|          |            |           |          |           |
|+-----------+---------+|           |+----------+---------+|
||  Manager  |  MIB    ||           ||  Agent   |  MIB    ||
|+-----------+---------+|           |+----------+---------+|
|          |            |           |          |           |
|          |  Management|           |          | Management|
|          |  Services  |           |          | Services  |
+-----------------------+           +----------------------+
|  Management Protocol  |           | Management Protocol  |
+-----------------------+           +----------------------+
           ^                                   ^
           |                                   |
           +-----------------------------------+
                     Protocol Messages

Figure 2. Native management.

Within IIMC documents, this model is referred to as the "native" management model. MIBs translated using IIMC procedures can be used by "native" agent implementations. For example, an ISO/CCITT agent can make visible TCP/IP managed resources using the translated GDMO version of the Internet MIB-II [21] specified by [30]. Dual-stack managers or agents may also be implemented which support both the original MIB and the translated MIB generated using IIMC-specified procedures.

1.5 PROXY MANAGEMENT MODEL

The basic model for ISO/CCITT to Internet proxy management is illustrated in the following diagram. This proxy is specified by [31]. A similar approach could also be taken to specify an Internet to ISO/CCITT proxy, although no such IIMC document is currently specified.
        Manager                        Proxy                        Agent
+-----------------------+   +---------------------+   +------------------
|+---------------------+|   |+------+ +----------+|   |+-----------------
||    Management       ||   || GDMO | | Internet ||   ||    Managed
||    Applications     ||   || MIB  | |   MIB    ||   ||    Resources
|+---------------------+|   |+------+ +----------+|   |+-----------------
|          |            |   |+-------------------+|   |          |
|          |            |   ||    Service        ||   |          |
|          |            |   ||    Emulation      ||   |          |
|          |            |   ||(scoping)          ||   |          |
|          |            |   || (filtering)       ||   |          |
|+-----------+---------+|   || (operations)      ||   |+----------+------
|| ISO/CCITT |  GDMO   ||   || (message          ||   || Internet | Inter
||  Manager  |  MIB    ||   ||  transformation)  ||   ||  Agent   |  MIB
|+-----------+---------+|   |+-------------------+|   |+----------+------
|          |    CMIS    |   |    |CMIS      |     |   |          |
|          |  Services  |   |    |Services  |     |   |          | SNMP "Servic
|          |            |   |    |          |     |   |          |
|          |            |   |    |      SNMP|     |   |          |
|          |            |   |    |"Services"|     |   |          |
+-----------------------+   +---------------------+   +------------------
|         CMIP          |   |   CMIP   |   SNMP   |   |       SNMP
+-----------------------+   +---------------------+   +------------------
           ^                     ^          ^                    ^
           |                     |          |                    |
           +---------------------+          +--------------------+
                CMIP Messages                   SNMP Messages

Figure 3. Proxy management.

This ISO/CCITT to Internet proxy provides emulation of CMIS services by mapping to the corresponding SNMP message(s) necessary to carry out the service request. The service emulation allows management of Internet objects by an ISO/CCITT manager. The left hand side of the proxy behaves like an ISO/CCITT agent, communicating with the ISO/CCITT manager using CMIP protocols. The right hand side of the proxy behaves like an Internet manager, communicating with the Internet agent using SNMP protocols.
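As an added illustration of the service emulation just described (this is not code from the IIMC documents or from the proxy specified in [31]), the following Go program applies CMIS scoping and a simple attribute-equality filter over a containment tree of translated MIB-II objects and lists the var-binds the proxy would then have to carry in SNMP GetRequests. The tree, the instance names and the attribute values (assumed to have been retrieved from the agent beforehand) are all constructed for the example.

```go
package main

import "fmt"

// Scope is the CMIS scoping choice applied to a base managed object.
type Scope int

const (
	BaseObjectOnly  Scope = iota // the base object alone
	FirstLevelOnly               // only the direct subordinates of the base
	WholeSubtree                 // the base and everything below it
	IndividualLevel              // exactly N levels below the base (N passed separately)
)

// Object is one instance in the translated (GDMO) containment tree. Its
// attributes are SNMP variables; the values are assumed to have been
// retrieved already (constructed sample data, not a live agent).
type Object struct {
	Name       string            // instance name, e.g. "ifEntry.2"
	Attributes map[string]string // attribute -> value
	Children   []*Object
}

// Filter is a single attribute-equality assertion, a small subset of what
// CMIS filters allow. An absent attribute never matches.
type Filter struct {
	Attribute string
	Equals    string
}

// Matches reports whether o satisfies the filter.
func (f Filter) Matches(o *Object) bool {
	v, ok := o.Attributes[f.Attribute]
	return ok && v == f.Equals
}

// ScopedSelect emulates a scoped, filtered CMIS M-GET: it walks the
// containment tree from base, keeps the objects the scope and filter
// select, and returns their names plus the var-binds ("instance/attribute")
// the proxy must fetch with SNMP GetRequest to build the M-GET responses.
func ScopedSelect(base *Object, scope Scope, level int, f *Filter, attrs []string) ([]string, []string) {
	var selected, varbinds []string
	var walk func(o *Object, depth int)
	walk = func(o *Object, depth int) {
		inScope := false
		switch scope {
		case BaseObjectOnly:
			inScope = depth == 0
		case FirstLevelOnly:
			inScope = depth == 1
		case WholeSubtree:
			inScope = true
		case IndividualLevel:
			inScope = depth == level
		}
		if inScope && (f == nil || f.Matches(o)) {
			selected = append(selected, o.Name)
			for _, a := range attrs {
				varbinds = append(varbinds, o.Name+"/"+a)
			}
		}
		// Do not descend past the deepest level the scope can reach.
		deepest := -1 // -1 means unbounded (whole subtree)
		switch scope {
		case BaseObjectOnly:
			deepest = 0
		case FirstLevelOnly:
			deepest = 1
		case IndividualLevel:
			deepest = level
		}
		if deepest >= 0 && depth >= deepest {
			return
		}
		for _, c := range o.Children {
			walk(c, depth+1)
		}
	}
	walk(base, 0)
	return selected, varbinds
}

// SampleTree is a constructed containment tree for a small MIB-II agent.
func SampleTree() *Object {
	return &Object{
		Name:       "system",
		Attributes: map[string]string{"sysName": "rtr1"},
		Children: []*Object{{
			Name:       "interfaces",
			Attributes: map[string]string{"ifNumber": "3"},
			Children: []*Object{
				{Name: "ifEntry.1", Attributes: map[string]string{"ifOperStatus": "up", "ifType": "ethernet"}},
				{Name: "ifEntry.2", Attributes: map[string]string{"ifOperStatus": "down", "ifType": "ethernet"}},
				{Name: "ifEntry.3", Attributes: map[string]string{"ifOperStatus": "up", "ifType": "ppp"}},
			},
		}},
	}
}

func main() {
	up := &Filter{Attribute: "ifOperStatus", Equals: "up"}
	names, vbs := ScopedSelect(SampleTree(), WholeSubtree, 0, up, []string{"ifType"})
	fmt.Println("selected instances:", names)
	fmt.Println("SNMP var-binds to request:", vbs)
}
```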
The proxy relies on the existence of a pair of directly-related MIB definitions, where the Internet MIB has been translated into ISO/CCITT GDMO using the procedures specified in IIMCIMIBTRANS. The proxy uses these MIB definitions and rules to provide run-time translation of management information carried in service requests and responses.

The proxy is designed with a specified interface between the proxy and the underlying protocol stacks, and so deals primarily in terms of CMIS services and SNMP "services". The proxy emulates services such as CMIS scoping and filtering, processing of CMIP operations, and forwarding/logging of CMIS notifications by performing a mapping process which must be tailored for each protocol (for example, SNMPv1 and SNMPv2 are variants of the same protocol mapping process).

1.6 SCOPE OF THIS DOCUMENT

One of the IIMC objectives is to provide for the secure end-to-end management of resources managed using ISO/CCITT and Internet management services, protocols and SMI. Security and management by their very nature are entwined such that each needs the services of the other. Security services are required to protect management services. Management services are required to monitor and control security services.

This document (IIMCSEC) defines the security architecture for end-to-end security between an ISO/CCITT manager and an Internet agent via proxies such as that defined in [31]. The architecture requires that information required to support Internet security mechanisms from an end-to-end perspective, and to manage it, be translated into the ISO/CCITT SMI. This document applies the procedures described in [33] to the translation and registration of the Internet SNMP Parties MIB defined in [27].
This document primarily addresses issues concerning security architecture and interoperability of security mechanisms. Issues concerning trusted implementations, although important, are beyond the scope of this document.

1.7 TERMS AND CONVENTIONS

This document assumes that the reader is familiar with the ISO/CCITT SMI and Internet SMI, and the terminology of each. The term SNMP will be used throughout the document to indicate either SNMPv1 or SNMPv2, unless a distinction needs to be made.

This document assumes that the reader is familiar with the ISO/CCITT and Internet management security services, protocols and mechanisms.

This document assumes that the reader is familiar with the Internet to SMI translation procedures defined in [33].

Other terms and conventions used throughout this document are defined in Section 2.

2. SECURITY AND MANAGEMENT CONSIDERATIONS

Security and management are entwined by their very nature such that each needs the services of the other. Security services are needed to protect management services. Management services are needed to monitor and control security services. These considerations are briefly presented in this section. Additional background information can be found in ISO/IEC 7498-2, OSI Reference Model - Part 2: Security Architecture [38].

2.1 GENERAL CONSIDERATIONS

2.1.1 Security of Management

Management is most vulnerable to security attacks at the manager user interface, the communications path over which management messages are transmitted, and at the managed system that contains the resources being managed.
Accordingly, management's security considerations are to overcome these threats by:

* Preventing unauthorized operator access to manager applications and associated management information contained in a manager workstation,

* Protecting management information in transit between managers and agents, and

* Enforcing management policy regarding access to information within the managed system.

Preventing unauthorized access to manager applications is beyond the scope of this document, and therefore will not be discussed. The characterization of the security threats in relation to the other two vulnerable areas is discussed more fully in the following sections.

2.1.2 Management of Security

Security requires management support for three basic activities:

* monitoring and control of security mechanisms,
* detection of security related events through security alarm generation, reporting and audit trail analysis, and
* damage assessment and recovery from a security attack.

Security mechanisms and algorithm resources are modeled as managed objects and the management information is stored in the management information base. The same management and security mechanisms used to manage non-security managed objects may be applied to the management of security objects, and the generation of security notifications associated with their operation.

2.1.3 Threat Characterization

Security threats for management are the same as for any distributed application. Security threats can be characterized as being active or passive. Active threats to a management system may effect changes to the state or operation of the managed resource.
Examples of active threats are malicious changes to the routing tables of a system, or to the objects used to control decisions related to policies, such as security policies relating to resource access.

Active threats include:

* masquerade,
* modification and fabrication of messages and stored data,
* replay and reordering of messages, and
* denial of management services.

Passive threats are those which, if realized, would not result in any modifications to information contained in the system, e.g., management information, and where neither the operation nor the state of the system is changed.

Passive threats include:

* disclosure of message contents and stored data,
* traffic analysis, and
* repudiation.

2.1.3.1 Communications Path Security

The threats to the communications path used for manager to agent communications, and applicable security services include:

* modification and fabrication of management messages
    * integrity

* disclosure of management message data
    * confidentiality, selective field confidentiality

* replay and reordering of messages
    * integrity

* denial of management services
    * continuity of operations

* traffic analysis
    * confidentiality

Note that the communications path from the manager to an agent may be direct, or indirect via the management applications of an intermediate manager or proxy. In the indirect case, the portion of the message that must be exposed in the intermediate manager for the purpose of application layer relaying is subject to unauthorized disclosure and modification. Such entities must be trusted not to perform such modifications and not to disclose the contents of the management messages. Selective field confidentiality services may be needed if intermediate managers or proxies are acting as application layer relays in the path.
Such selective field services allow only the information in management messages needed for application layer routing to be unprotected while preventing other fields in the message from disclosure or modification.

2.1.3.2 Managed System Security

The threats to the managed system include:

* masquerade of a manager application or operator
    * peer authentication, data origin authentication

* modification and fabrication of data residing in the management information base
    * access control, data integrity

* disclosure of management data in the managed system
    * access control, confidentiality

* repudiation of management requests at destination
    * non-repudiation at destination.

Non-repudiation services may be provided in circumstances where such accountability is needed. While the non-repudiation service does nothing to protect the network, it does provide the capability to trace the entities that are to be blamed for mis-management.

2.2 ISO/CCITT TO INTERNET SECURITY ENVIRONMENT

2.2.1 Security Model

The model for IIMC end-to-end security is illustrated in Figure 4. The objective is to provide continuity of security services from the ISO/CCITT Manager through to the Internet Agent. The end-to-end solution is constrained by the security services available at the Internet agent and those available at the ISO/CCITT Manager. The mapping of security services is provided by the ISO/CCITT-Internet proxy. The mapping of those services at the proxy depends upon the availability of the services and the compatibility of the mechanisms used to provide the services.

This figure illustrates the proxy in a separate device from the manager or the agent.
If the proxy function is performed in the manager, then how the manager's
internal security mechanisms map to Internet security services is beyond the
scope of this document. If ISO management services and protocol are provided
in the managed device (native CMIP agent), the ISO security services apply at
the managed system. The mapping of any ISO security services that may still
possibly apply at the internal proxy to Internet agent interface into
equivalent Internet services, e.g., authentication and access control, is
beyond the scope of this document.

   ISO/CCITT Manager         ISO/CCITT-Internet Proxy  Internet Agent
   +-----------------------+ +----------------------+ +-------------+
   |                       | |+--------------------+| |             |
   |                       | || security service   || |             |
   |                       | ||     mapping        || |             |
   |                       | |+--------------------+| |             |
   |+---------------------+| |+-------+ +----------+| |+-----------+|
   ||      ISO/CCITT      || ||  ISO  | | Internet || || Internet  ||
   ||      Manager        || || agent | | manager  || ||  agent    ||
   ||       role          || || role  | |  role    || ||  role     ||
   |+---------------------+| |+-------+ +----------+| |+-----------+|
   |         CMIP          | |  CMIP   |    SNMP    | |    SNMP     |
   +-----------------------+ +----------------------+ +-------------+
              ^                   ^          ^               ^
              |                   |          |               |
              +-------------------+          +---------------+
                  CMIP Messages                 SNMP Messages

     * ISO peer authentication
     * ISO data origin authentication*    * Internet data origin authentication
     * ISO integrity, confidentiality*    * Internet integrity, confidentiality
     * Internet access control            * Internet access control#
     * ISO access control+

   * OSI application layer standards [13,14,15,16] are in progress. These
     services may also be provided by lower layers in some environments,
     e.g., transport and network.

   # SNMPv1 mechanisms differ.

   + ISO access control may be applied by the proxy to GDMO objects, if
     enforcement is at the proxy.

                Figure 4. IIMC End-to-end Security Model.

Not all security services have to be provided at the same layers in the
protocol suites on the two external proxy interfaces. For example, integrity
and confidentiality services may be applied at the transport or network layer
at the interface to the ISO/CCITT manager, and at the application layer at the
interface to the Internet agent. However, authentication and access control
services should be provided at the application layer so that the same
granularity of control may be achieved on both sides of the interface. For
example, access should be controlled to the application user, and to the level
of individual attributes within OSI objects.

Some security services may not be needed depending on the environment and the
security policy. For example, data origin authentication and confidentiality
services may not be needed between the proxy and ISO/CCITT manager if the two
devices are close together and physical security is adequate to satisfy the
security policy.
2.2.2 Security Capabilities

The basic security capabilities that should be met by an architecture for
providing end-to-end security services are:

   * enforcement of SNMPv1 security services at the agent (community string,
     and possibly source node address),

   * enforcement of SNMPv2 security services at the agent (party/context
     based),

   * enforcement of access control at the proxy using OSI access control
     mechanisms [7] for the ISO/CCITT managed objects derived from Internet
     objects for all proxied agents, and for the MIB specific to the proxy
     [31],

   * OSI security services between the ISO/CCITT manager and the proxy, e.g.,
     those provided by [13,14,15,16], and

   * mapping of OSI security services into Internet security services, where
     possible, and forwarding from the ISO/CCITT manager of information needed
     for Internet security mechanisms.

2.2.3 Internet Management Security

The security services for Internet management differ depending on the version
of SNMP (SNMPv1 or SNMPv2) used.

2.2.3.1 SNMPv1 Security

SNMPv1 security relies on the transfer of an unprotected community string that
represents the capabilities that the initiator has with respect to operations
on a set of objects.

2.2.3.2 SNMPv2 Security

The SNMPv2 security architecture relies on the identification of distinct,
globally unique entities, called "parties", for peers that exchange SNMP
messages [25]. Multiple parties may exist at the manager and at the agent.

Each distinct SNMPv2 peer is identified by a "party identifier", an OID.
Associated with the party identifier are its agent address, and parameters for
access control, authentication, integrity and confidentiality services which
may be used when communicating with other parties.
Since parties form a peer relationship, these security service parameters for
peer parties must be compatible.

The peer relationship between SNMPv2 parties is established via an associated
"context", identified by an OID, which provides a means to identify
constraints on valid management operations and access to associated resources
(MIB objects). The context also specifies whether the constraints apply to
local resources or to remote resources via (yet another) proxy relationship.

The minimal SNMPv2 security service allowed is access control as specified by
the source party (srcParty), destination party (dstParty), and context
identifiers. SNMPv2 requests that do not contain all three identifiers are
discarded.

As discussed in 2.2.5, the access control scheme used by SNMP security can be
considered a form of capability scheme.

2.2.4 Constraints on Mapping Security Services

The mapping of security services end-to-end is constrained by the security
services available at the Internet agent. The possible application level
security services at Internet agents are well defined for SNMPv1 and for
SNMPv2. However, it cannot be assumed that all Internet agents will implement
the full range of their defined security services, or that they are all
required for any given environment.

Given the known potential availability of Internet security services at
Internet agents, and at the Internet proxy, three major problems arise in
proxy situations:

   a) Selection from the security services available at the Internet proxy to
      Internet agent interface of those services that are appropriate to the
      threats at that interface, according to the established security policy.

   b) Providing security services at the ISO manager to Internet proxy
      interface that are appropriate to the threats at that interface,
      according to the established security policy.

   c) Transfer to the Internet proxy from the ISO manager of security
      parameters required for Internet proxy to Internet agent security.

Note: An exact mapping of security services between both Internet proxy
      interfaces may not be required. The environments at the two interfaces
      may be completely different, e.g., the manager and proxy may be in the
      same room while the agents are geographically distributed.

Assume the following environment and constraints.

   i)   The ISO/CCITT-Internet proxy is geographically remote from both the
        ISO/CCITT manager and the Internet agents, and the threats at both
        interfaces are the same.

   ii)  Only application level security services are used.

   iii) The Internet agents and Internet proxy support the full range of
        security services defined for them. They include, for the respective
        SNMP versions:

   Service                          SNMPv1    SNMPv2
   Peer Authentication                 -         X
   Data Origin Authentication          -         X
   Access Control                      X         X
   Connectionless Integrity            -         X
   Connectionless Confidentiality      -         X
   Replay, Reorder Protection          -         X

                 Table 1. SNMP security services.

The first problem (a) can be solved by configuring the security parameters of
the Internet agents and Internet proxy, either through local or remote
management mechanisms.

The second problem (b) can be solved by implementing the appropriate OSI
management services in the ISO/CCITT manager and ISO/CCITT-Internet proxy, and
configuring the mechanisms to provide the service. This problem is complicated
by the current lack of stable OSI security standards for data origin
authentication, integrity, confidentiality, and access control.
Future documents will describe how the stable versions of [7], Objects and
Attributes for Access Control, will be applied to access control at the proxy,
and [13,14,15,16], Generic Upper Layer Security, will be applied to provide
data origin authentication, integrity, and confidentiality services between
the ISO/CCITT manager and the proxy.

The third problem (c) can be solved by using an access control certificate to
transfer the Internet security parameters. This problem is complicated by the
current lack of a stable standard for access control certificates. Given the
necessity for such transfers in proxy situations, a preliminary Access Control
Certificate (ACC) will have to be used. However, an attempt should be made to
align as closely as possible with proposed ISO standards.

2.2.5 SNMP Security and the ISO Access Control Framework

The SNMP access control schemes can be most nearly categorized as capability
schemes using the definitions in the ISO Access Control Framework [12]. A
capability defines a set of allowed operations that the initiator of the
operation is allowed to perform on an identified set of targets.

The SNMPv1 scheme is a very weak capability scheme which uses the community
string to identify which operations are permitted or not permitted on a set of
objects. However, the community string is not bound to the initiator, i.e., it
may possibly be changed in transit. Proof of its authenticity can be inferred
from the fact that the SNMPv1 agent is configured to have knowledge of the
capabilities represented by the community string. In that sense, the person
that configured the community string, either via local mechanisms or via
remote management mechanisms, can be considered to provide the third party
level of authenticity which is acceptable for the environment.
However, if security management parameters, exchanged between the manager and
the agent, or proxy, are not protected, then authenticity is not guaranteed
since the community string may have been compromised.

The SNMPv2 scheme is a stronger capability scheme, tied to a strong source
authentication mechanism, which uses the combination of SNMPv2 srcParty,
dstParty, and context identifiers to identify which operations are permitted
or not permitted on a set of objects. The srcParty binds it to the initiator
of the request. Proof of its authenticity can be inferred from the fact that
the SNMPv2 agent is configured to have knowledge of the capabilities
represented by the interrelated parameters. In that sense, the person that
configured the Internet Party MIB, either via local mechanisms or via remote
management mechanisms, can be considered to provide the third party level of
authenticity which is acceptable for the environment. However, if security
management parameters, exchanged between the manager and the agent, or proxy,
are not protected, then authenticity is not guaranteed since the security
parameters may have been compromised.

Capabilities may be carried in access control tokens or access control
certificates. Tokens and certificates are similar. A token differs from a
certificate in that it is not created by an entity which is a security
authority, and it does not necessarily contain an indication of the time
period for which it is valid. The sealing of the ACC by a security authority
and the provision of a time period for which it is valid provides third party
proof of its authenticity.

3. SECURITY SPECIFICATIONS

3.1 ISO MANAGER TO ISO/CCITT-INTERNET PROXY SECURITY

OSI data origin authentication services, integrity services, confidentiality
services, and access control services are currently beyond the scope of this
document due to the lack of stable relevant ISO security standards.
Specifications for these services, based on [7] and [13,14,15,16], will be
defined in a future Issue when the relevant base standards become
International Standards.

3.1.1 Peer Authentication Services

OSI peer authentication services shall be supported in accordance with
OMNIPoint 1 security specifications in [34] Annex B. The authentication class
supported shall be Class 2, as defined in [34] Annex G. The minimum
requirements for Class 2 authentication are support for the use of simple
authentication with protected password as specified in [34] Annex B.2.

The authentication value for Class 2 authentication shall include the ASN.1
SimpleCredentials definition contained in [34] Annex B.2, including the name
field (an ASN.1 DistinguishedName), the validity field with sub-field time1
included, and the password field with the choice of PROTECTED OCTET STRING
that contains the OID for the hash algorithm used in the hashing function and
a transformed password.

The procedure for producing the transformed password shall be as follows:

   1) Insert the initiator Distinguished Name into the name field of the
      SimpleCredentials construct.

   2) Insert the current time into the validity.time1 field of the
      SimpleCredentials construct.

   3) Insert the password value into the password field of the
      SimpleCredentials construct.

   4) Encode the SimpleCredentials construct using the Distinguished Encoding
      Rules as specified in [17], Part 12, clause 7.14.1.
   5) Apply the hash algorithm to the encoded SimpleCredentials to produce
      the hash value, i.e., the transformed password.

The password field of the SimpleCredentials construct shall be an octet
string formatted as:

      || "@" ||

where "||" means concatenate, and:

   - the alphanumeric form of the OID that contains the OID sub-identifiers
     represented as decimal integers separated by decimal points, i.e., the
     familiar "dot" notation.

3.1.2 Transfer of SNMP Security Parameters

Support shall be provided for the transfer of Internet security service
parameters from the ISO/CCITT manager to an ISO/CCITT-Internet proxy at the
time of management association establishment, and with CMIP requests. Access
control security parameters shall be transferred as security attributes of an
Access Control Certificate (ACC), also referred to as a Privilege Attribute
Certificate (PAC). Implementations shall support the ACC defined in OMNIPoint
1 [34] Annex K, and the associated PICS in Annex E.8.8.

To allow for later inclusion of security attributes for OSI access control,
the ACC transferred to an ISO/CCITT-Internet proxy shall be a compound ACC,
with the first ACC in the sequence of contained ACCs being the ACC with the
SNMP security attributes. The containing ACC of the compound ACC transferred
to an ISO/CCITT-Internet proxy shall contain the privilegeAttributes sequence,
in accordance with [34] Annex E.8.8. The privilegeAttributes sequence may be
empty.

The Internet security parameters shall be transferred using the security
attributes defined by [36]. The security attributes are defined in the
Security-Services-Attributes module in [36] using the attribute macro defined
for the ISO Directory Services [4].
Note: For ease of use, these definitions are repeated below; in the event of
      transcription error, the original source specification [36] is
      normative.

The security parameters to be transferred in the ACC shall include the
Security-capability-type-1 attribute as defined in [36].

The Security-capability-type-1 attribute grants access of the type accessType
to the object(s) defined by objectDefiner.

   Security-capability-type-1 ::= ATTRIBUTE
       WITH ATTRIBUTE-SYNTAX CapabilityType1
       SINGLE VALUE

   CapabilityType1 ::= SEQUENCE {
       objectDefiner    ObjectDefiner,
       accessType       AccessDefiner}

   ObjectDefiner ::= IntegerOrString
   AccessDefiner ::= IntegerOrString

   IntegerOrString ::= CHOICE {
       integerPart      INTEGER,
       stringPart       IA5String}

The IntegerOrString choice shall be IA5String.

The Security-capability-type-1 attribute is registered as:

   desd-att-capability-type-1 OBJECT IDENTIFIER ::=
       {iso(1) identified-organization(3) icd-ecma(0012)
        standard(0) desd(138) attributeIdentifiers(3) 4}

The Security-capability-type-1 attribute shall be used for proxy to SNMPv1
agents to carry the community string indicating the accessType. The
objectDefiner shall be undefined and represented as an empty string (''H).

The Security-capability-type-1 attribute shall be used for proxy to SNMPv2
agents to carry the srcParty and dstParty as the objectDefiners, and the
context identifier as the accessType.

The contents of the Security-capability-type-1 attribute shall be as
described below.

   ECMA [36]                SNMPv2 Security       SNMPv1 Security
   Security Attribute       Parameter             Parameter

   Security-
   capability-type-1
     objectDefiner          src/dst Parties       ""H
     accessType             context               community string

                 Table 2. SNMP security parameters.
The src/dst Parties are the srcParty and dstParty SNMPv2 parameters separated
by a slash (/). The SNMPv2 parameters shall be ASN.1 object identifiers
represented using the "dot" notation convention, where the OID sub-identifiers
are represented in decimal character form and separated by decimal points. For
example, {1 3 6 1 6 3 3 2 3 1 1 3} is represented as "1.3.6.1.6.3.3.2.3.1.1.3".

3.1.3 ISO/CCITT-Internet Proxy Party MIB

The ISO/CCITT-Internet proxy shall maintain the security parameters used for
communicating with the ISO/CCITT manager in a partyEntry managed object within
the Party MIB instantiated in the proxy.

The OID for the hash algorithm used for authentication shall be contained in
the partyAuthProtocol object.

The OID for the default MD5 hash algorithm shall be as defined in [17], clause
7.10.4.1.

The password used for authentication shall be contained in the
partyAuthPrivate columnar object, and shall be stored and updated in
accordance with the procedures defined for the object, i.e., the exclusive OR
mechanism.

The partyAuthLifetime object shall contain the value, in seconds, to be added
to the time1 value contained in the SimpleCredentials construct passed to the
proxy by the manager. If the value of time1, augmented by the
partyAuthLifetime value, is less than the proxy's local notion of time, then
the authentication shall be considered invalid.

3.2 ISO/CCITT-INTERNET PROXY TO INTERNET AGENT SECURITY

An ISO/CCITT-Internet proxy that supports SNMPv1 shall support the community
string security services as defined in [19].

An ISO/CCITT-Internet proxy that supports SNMPv2 shall support the security
services as defined in [27], with minimal support for the "Party No Privacy"
compliance level specified by clause 3.7.1 of [27].
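The Class 2 protected-password procedure of 3.1.1 and the proxy-side partyAuthLifetime check of 3.1.3, as an added Python example that is not part of this draft. It assumes a simplified DER layout for SimpleCredentials (name carried as a PrintableString rather than a full DistinguishedName, validity as a SET holding one UTCTime, password as an OCTET STRING), uses the RSA DSI MD5 object identifier 1.2.840.113549.2.5 as a stand-in for the OID the draft takes from [17] clause 7.10.4.1, and renders the hash as hex after the "@"; all sample values are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: stand-in for the MD5 OID the draft cites from [17] clause 7.10.4.1.
MD5_OID = "1.2.840.113549.2.5"

# Constructed sample time1 value (not from the draft).
SAMPLE_TIME1 = datetime(1994, 2, 1, 12, 0, 0, tzinfo=timezone.utc)


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + _der_length(len(body)) + body


def encode_simple_credentials(name: str, time1: datetime, password: bytes) -> bytes:
    """Steps 1-4 of 3.1.1: fill name, validity.time1 and password, then
    DER-encode. Simplified layout (assumption): name [0] PrintableString,
    validity [1] SET { time1 [0] UTCTime }, password [2] OCTET STRING."""
    utc = time1.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ").encode("ascii")
    name_tlv = _tlv(0xA0, _tlv(0x13, name.encode("ascii")))
    validity_tlv = _tlv(0xA1, _tlv(0x31, _tlv(0xA0, _tlv(0x17, utc))))
    password_tlv = _tlv(0xA2, _tlv(0x04, password))
    return _tlv(0x30, name_tlv + validity_tlv + password_tlv)


def protected_password(name: str, time1: datetime, password: bytes) -> str:
    """Step 5 plus the password-field format: hash OID || "@" || hash value.
    The hash value is rendered as lowercase hex (assumption)."""
    digest = hashlib.md5(encode_simple_credentials(name, time1, password)).hexdigest()
    return f"{MD5_OID}@{digest}"


def proxy_authenticate(name: str, time1: datetime, password_field: str,
                       party_auth_private: bytes, party_auth_lifetime: int,
                       proxy_now: datetime) -> bool:
    """Proxy-side check from 3.1.3. party_auth_private is the password held in
    the proxy's partyEntry (kept in clear here; the MIB stores it through its
    exclusive-OR mechanism). party_auth_lifetime is in seconds."""
    # time1 + partyAuthLifetime earlier than the proxy's clock: invalid.
    if time1 + timedelta(seconds=party_auth_lifetime) < proxy_now:
        return False
    oid, sep, _digest = password_field.partition("@")
    if sep != "@" or oid != MD5_OID:
        return False  # hash algorithm must be the one in partyAuthProtocol
    expected = protected_password(name, time1, party_auth_private)
    # Recompute from the stored secret and compare in constant time.
    return hmac.compare_digest(expected, password_field)


def demo_results():
    """Fresh credential, credential past its lifetime, credential whose name
    was altered in transit. Returns (fresh, expired, tampered)."""
    name, secret = "cn=iso-manager", b"s3cret"
    field = protected_password(name, SAMPLE_TIME1, secret)
    fresh = proxy_authenticate(name, SAMPLE_TIME1, field, secret, 300,
                               SAMPLE_TIME1 + timedelta(seconds=200))
    expired = proxy_authenticate(name, SAMPLE_TIME1, field, secret, 300,
                                 SAMPLE_TIME1 + timedelta(seconds=400))
    tampered = proxy_authenticate("cn=intruder", SAMPLE_TIME1, field, secret, 300,
                                  SAMPLE_TIME1 + timedelta(seconds=200))
    return fresh, expired, tampered


if __name__ == "__main__":
    print(protected_password("cn=iso-manager", SAMPLE_TIME1, b"s3cret"))
    print(demo_results())  # (True, False, False)
```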
3.3 ISO/CCITT-INTERNET PROXY ACCESS CONTROL ENFORCEMENT

Access control enforcement at the ISO/CCITT-Internet proxy is currently beyond
the scope of this document. However, access control enforcement at the proxy
will be based on OSI access control for management as defined in [7] when it
becomes an International Standard.

4. IIMC PARTY MIB

Support for the SNMPv2 security services requires that some of the Internet
Party MIB [27] be instantiated in the ISO/CCITT-Internet proxy, and in SNMPv2
agents. The IIMC Party MIB is derived from the Internet Party MIB defined in
[27]. Adjustments have been made to the behavior of some elements in the MIB
to accommodate SNMPv1 community string based security.

A Naming Tree diagram for IIMC Party MIB managed object classes is illustrated
below. The IIMC Party MIB is subordinate to the ISO/CCITT system managed
object that represents the Internet agent or proxy.

   "Rec. X.721 | ISO/IEC 10165-2 : 1992":system
        |
        |
   partyMIBObjects
        |
        |---partyEntry
        |
        |---contextEntry
        |
        |---aclEntry     (instantiated only at agent)
        |
        |---viewEntry    (instantiated only at agent)

The IIMC Party MIB elements that are specific to the proxy, i.e., local
instantiations of partyMIBGroup, partyEntry and contextEntry, should be
instantiated under the ISO system object that is specific to the proxy. The
IIMC MIB elements that are specific to each SNMP agent are actually
instantiated in the SNMP agent. Duplicates of MIB elements instantiated in the
SNMP agent should not be instantiated in the proxy if a stateless approach to
proxy is used as described in [31].

The GDMO templates and ASN.1 modules are included here in one section to
facilitate automated processing.
Comments and 1156 subsection headers are included in the form of ASN.1 comments, 1157 i.e., preceded by "--". 1159 This document (IIMCSEC) is allocated the following 1160 registration identifier for purposes of referencing the 1161 translated RFC 1147 Party MIB contained herein. 1163 iimcRFC1447 OBJECT IDENTIFIER ::={ iimcAutoDocument 1447 } 1165 -- 4.1 PARTY MIB GDMO TEMPLATES 1166 DRAFT February, 1994 1168 -- 4.1.1 Party MIB Managed Object Classes 1170 aclEntry MANAGED OBJECT CLASS 1171 DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2 : 1992" :top; 1172 CHARACTERIZED BY 1173 aclEntryPkg PACKAGE 1174 BEHAVIOUR 1175 aclEntryPkgBehaviour BEHAVIOUR 1176 DEFINED AS 1177 !BEGINPARSE 1178 REFERENCE 1179 !!This managed object class maps to aclEntry 1180 object in [27].!!; 1181 DESCRIPTION 1182 !!The access privileges for a particular 1183 requesting SNMP party in accessing a particular 1184 target SNMP party.!!; 1185 INDEX SNMPv2-Party-MIB.aclTarget, 1186 SNMPv2-Party-MIB.aclSubject, 1187 SNMPv2-Party-MIB.aclResources; 1188 ENDPARSE!;; 1189 ATTRIBUTES 1190 aclEntryId GET, 1191 aclTarget GET, 1192 aclSubject GET, 1193 aclResources GET, 1194 aclPrivileges 1195 DEFAULT VALUE IIMCRFC1447ASN1.c-aclPrivileges 1196 GET-REPLACE, 1197 aclStorageType 1198 DEFAULT VALUE 1199 IIMCRFC1447ASN1.c-DEFAULTStorageType 1200 GET-REPLACE, 1201 aclStatus GET-REPLACE;;; 1202 REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 3 1 1}; 1204 contextEntry MANAGED OBJECT CLASS 1205 DERIVED FROM "Rec. 
X.721 | ISO/IEC 10165-2 : 1992" :top; 1206 CHARACTERIZED BY 1207 contextEntryPkg PACKAGE 1208 BEHAVIOUR 1209 contextEntryPkgBehaviour BEHAVIOUR 1210 DEFINED AS 1211 !BEGINPARSE 1212 REFERENCE 1213 !!This managed object class maps to 1214 contextEntry object in [27].!!; 1215 DESCRIPTION 1216 !!Locally held information about a particular 1217 SNMPv2 context.!!; 1218 INDEX IMPLIED SNMPv2-Party-MIB.contextIdentity; 1219 ENDPARSE!;; 1220 ATTRIBUTES 1221 DRAFT February, 1994 1223 contextEntryId GET, 1224 contextIdentity GET, 1225 contextIndex GET-REPLACE, 1226 contextLocal 1227 DEFAULT VALUE IIMCRFC1447ASN1.c-contextLocal 1228 GET-REPLACE, 1229 contextViewIndex GET-REPLACE, 1230 contextLocalEntity 1231 DEFAULT VALUE 1232 IIMCRFC1447ASN1.c-DEFAULTNullString 1233 GET-REPLACE, 1234 contextLocalTime 1235 DEFAULT VALUE 1236 IIMCRFC1447ASN1.c-contextLocalTime 1237 GET-REPLACE, 1238 contextProxyDstParty GET-REPLACE, 1239 contextProxySrcParty GET-REPLACE, 1240 contextProxyContext GET-REPLACE, 1241 contextStorageType 1242 DEFAULT VALUE 1243 IIMCRFC1447ASN1.c-DEFAULTStorageType 1244 GET-REPLACE, 1245 contextStatus GET-REPLACE;;; 1246 REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 2 1 1}; 1248 partyEntry MANAGED OBJECT CLASS 1249 DERIVED FROM "Rec. 
X.721 | ISO/IEC 10165-2 : 1992":top; 1250 CHARACTERIZED BY 1251 partyEntryPkg PACKAGE 1252 BEHAVIOUR 1253 partyEntryPkgBehaviour BEHAVIOUR 1254 DEFINED AS 1255 !REFERENCE 1256 !!This managed object class maps to 1257 partyEntry object in [27].!!; 1258 DESCRIPTION 1259 !!Locally held information about a particular 1260 SNMPv2 party.!!; 1261 INDEX IMPLIED SNMPv2-Party-MIB.partyIdentity; 1262 ENDPARSE!;; 1263 ATTRIBUTES 1264 partyEntryId GET, 1265 partyIdentity GET, 1266 partyIndex GET, 1267 partyTDomain 1268 DEFAULT VALUE IIMCRFC1447ASN1.c-partyTDomain 1269 GET-REPLACE, 1270 partyTAddress 1271 DEFAULT VALUE IIMCRFC1447ASN1.c-partyTAddress 1272 GET-REPLACE, 1273 partyMaxMessageSize 1274 DEFAULT VALUE 1275 IIMCRFC1447ASN1.c-partyMaxMessageSize 1276 GET-REPLACE, 1277 DRAFT February, 1994 1279 partyLocal 1280 DEFAULT VALUE IIMCRFC1447ASN1.c-partyLocal 1281 GET-REPLACE, 1282 partyAuthProtocol 1283 DEFAULT VALUE 1284 IIMCRFC1447ASN1.c-partyAuthProtocol 1285 GET-REPLACE, 1286 partyAuthClock 1287 DEFAULT VALUE 1288 IIMCRFC1447ASN1.c-partyAuthClock 1289 GET-REPLACE, 1290 partyAuthPrivate 1291 DEFAULT VALUE 1292 IIMCRFC1447ASN1.c-DEFAULTNullString 1293 GET-REPLACE, 1294 partyAuthPublic 1295 DEFAULT VALUE 1296 IIMCRFC1447ASN1.c-DEFAULTNullString 1297 GET-REPLACE, 1298 partyAuthLifetime 1299 DEFAULT VALUE 1300 IIMCRFC1447ASN1.c-partyAuthLifetime 1301 GET-REPLACE, 1302 partyPrivProtocol 1303 DEFAULT VALUE 1304 IIMCRFC1447ASN1.c-partyPrivProtocol 1305 GET-REPLACE, 1306 partyPrivPrivate 1307 DEFAULT VALUE 1308 IIMCRFC1447ASN1.c-DEFAULTNullString 1309 GET-REPLACE, 1310 partyPrivPublic 1311 DEFAULT VALUE 1312 IIMCRFC1447ASN1.c-DEFAULTNullString 1313 GET-REPLACE, 1314 partyCloneFrom GET-REPLACE, 1315 partyStorageType 1316 DEFAULT VALUE 1317 IIMCRFC1447ASN1.c-DEFAULTStorageType 1318 GET-REPLACE, 1319 partyStatus GET-REPLACE;;; 1320 REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1}; 1322 partyMIBObjects MANAGED OBJECT CLASS 1323 DERIVED FROM "Rec. 
X.721 | ISO/IEC 10165-2 : 1992" :top; 1324 CHARACTERIZED BY 1325 partyMIBObjectsPkg PACKAGE 1326 BEHAVIOUR 1327 partyMIBObjectsPkgBehaviour BEHAVIOUR 1328 DEFINED AS 1329 !BEGINPARSE 1330 REFERENCE 1331 !!This managed object class maps to 1332 partyMIBObjects group OID in [27].!!; 1333 DRAFT February, 1994 1335 DESCRIPTION 1336 !!This group contains the security related 1337 parameters needed for communicating with SNMP 1338 agents. The security services to which these 1339 parameters apply are authentication, integrity, 1340 confidentiality, and access control. 1342 This object class contains only the naming 1343 attribute.!!; 1344 ENDPARSE!;; 1345 ATTRIBUTES 1346 partyMIBObjectsId GET;;; 1347 REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2}; 1349 viewEntry MANAGED OBJECT CLASS 1350 DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2 : 1992" :top; 1351 CHARACTERIZED BY 1352 viewEntryPkg PACKAGE 1353 BEHAVIOUR 1354 viewEntryPkgBehaviour BEHAVIOUR 1355 DEFINED AS 1356 !BEGINPARSE 1357 REFERENCE 1358 !!This managed object class maps to viewEntry 1359 object in [27].!!; 1360 INDEX SNMPv2-Party-MIB.viewIndex, 1361 IMPLIED SNMPv2-Party-MIB.viewSubtree; 1362 DESCRIPTION 1363 !!Information on a particular family of view 1364 subtrees included in or excluded from a 1365 particular SNMPv2 context's MIB view. 1367 Each SNMPv2 context which is locally 1368 accessible has a single MIB view which is 1369 defined by two collections of view subtrees: 1370 the included view subtrees, and the excluded 1371 view subtrees. Every such subtree, both 1372 included and excluded, is defined in an 1373 entry. 1375 To determine if a particular object instance 1376 is in a particular MIB view, compare the 1377 object instance's OBJECT IDENTIFIER with each 1378 of the MIB view's entries. If none match, 1379 then the object instance is not in the MIB 1380 view. 
If one or more match, then the object 1381 instance is included in, or excluded from, 1382 the MIB view according to the value of 1383 viewType in the entry whose value of 1384 viewSubtree has the most sub-identifiers. If 1385 multiple entries match and have the same 1386 number of sub-identifiers, then the 1387 lexicographically greatest instance of 1388 DRAFT February, 1994 1390 viewType determines the inclusion or 1391 exclusion. 1393 An object instance's OBJECT IDENTIFIER X 1394 matches an entry when the number of sub- 1395 identifiers in X is at least as many as in 1396 the value of viewSubtree for the entry, and 1397 each sub- identifier in the value of 1398 viewSubtree matches its corresponding sub- 1399 identifier in X. Two sub identifiers match 1400 either if the corresponding bit of viewMask 1401 is zero (the 'wild card' value), or if they 1402 are equal. 1404 Due to this 'wild card' capability, we 1405 introduce the term, a 'family' of view 1406 subtrees, to refer to the set of subtrees 1407 defined by a particular combination of values 1408 of viewSubtree and viewMask. In the case 1409 where no 'wild card' is defined in viewMask, 1410 the family of view subtrees reduces to a 1411 single view subtree. 
1413 Implementations must not restrict the number of 1414 families of view subtrees for a given MIB view, 1415 except as dictated by resource constraints on 1416 the overall number of entries in the 1417 viewTable.!!; 1418 ENDPARSE!;; 1419 ATTRIBUTES 1420 viewEntryId GET, 1421 viewIndex GET, 1422 viewSubtree GET, 1423 viewMask 1424 DEFAULT VALUE 1425 IIMCRFC1447ASN1.c-DEFAULTNullString 1426 GET-REPLACE, 1427 viewType 1428 DEFAULT VALUE IIMCRFC1447ASN1.c-viewType 1429 GET-REPLACE, 1430 viewStorageType 1431 DEFAULT VALUE 1432 IIMCRFC1447ASN1.c-DEFAULTStorageType 1433 GET-REPLACE, 1434 viewStatus GET-REPLACE;;; 1435 REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 4 1 1}; 1437 -- 4.1.2 Party MIB Attribute Types 1439 party ATTRIBUTE 1440 WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.ObjectIdentifier; 1441 MATCHES FOR EQUALITY, ORDERING; 1442 BEHAVIOUR 1443 DRAFT February, 1994 1445 partyBehaviour BEHAVIOUR 1446 DEFINED AS 1447 !BEGINPARSE 1448 REFERENCE 1449 !!This corresponds to the type defined in 1450 [27] by the same name.!!; 1451 DESCRIPTION 1452 !!Denotes a SNMPv2 party identifier. Note 1453 that agents may impose implementation 1454 limitations on the length of OIDs used to 1455 identify Parties. As such, management 1456 stations creating new parties should be aware 1457 that using an excessively long OID may result 1458 in the agent refusing to perform the set 1459 operation and instead returning the 1460 appropriate error response, e.g., 1461 noCreation.!!; 1462 ENDPARSE!;;; 1464 tAddress ATTRIBUTE 1465 WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.OctetString; 1466 MATCHES FOR EQUALITY, ORDERING; 1467 BEHAVIOUR 1468 tAddressBehaviour BEHAVIOUR 1469 DEFINED AS 1470 !BEGINPARSE 1471 REFERENCE 1472 !!This corresponds to the type defined in 1473 [27] by the same name.!!; 1474 DESCRIPTION 1475 !!Denotes a transport service address. 
For 1476 snmpUDPDomain, a TAddress is 6 octets long, 1477 the initial 4 octets containing the IP- 1478 address in network-byte order and the last 2 1479 containing the UDP port in network-byte 1480 order. Consult [28] for further information 1481 on snmpUDPDomain.!!; 1482 ENDPARSE!;;; 1484 clock ATTRIBUTE 1485 DERIVED FROM {iimcIIMCIMIBTRANS}:uInteger32; 1486 BEHAVIOUR 1487 clockBehaviour BEHAVIOUR 1488 DEFINED AS 1489 !BEGINPARSE 1490 REFERENCE 1491 !!This corresponds to the type defined in 1492 [27] by the same name.!!; 1493 DESCRIPTION 1494 !!A party's authentication clock - a non- 1495 negative integer which is incremented as 1496 specified/allowed by the party's 1497 Authentication Protocol. For noAuth, a 1498 DRAFT February, 1994 1500 party's authentication clock is unused and 1501 its value is undefined. 1503 For v2md5AuthProtocol, a party's 1504 authentication clock is a relative clock with 1505 1-second granularity.!!; 1506 ENDPARSE!;;; 1508 context ATTRIBUTE 1509 WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.ObjectIdentifier; 1510 MATCHES FOR EQUALITY, ORDERING; 1511 BEHAVIOUR 1512 contextBehaviour BEHAVIOUR 1513 DEFINED AS 1514 !BEGINPARSE 1515 REFERENCE 1516 !!This corresponds to the type defined in 1517 [27] by the same name.!!; 1518 DESCRIPTION 1519 !!Denotes a SNMPv2 context identifier. Note 1520 that agents may impose implementation 1521 limitations on the length of OIDs used to 1522 identify Parties. 
                As such, management stations creating new contexts
                should be aware that using an excessively long OID
                may result in the agent refusing to perform the set
                operation and instead returning the appropriate error
                response, e.g., noCreation.!!;
            ENDPARSE!;;;

storageType ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.StorageType;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        storageTypeBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the type defined in [27] by
                the same name.!!;
            DESCRIPTION
                !!Describes the memory realization of a conceptual
                row. A row which is volatile(2) is lost upon reboot.
                A row which is nonVolatile(3) is backed up by stable
                storage. A row which is permanent(4) cannot be
                changed nor deleted.!!;
            ENDPARSE!;;;

-- 4.1.3 Party MIB Attributes

aclEntryId ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.AclEntryIdValue;
    MATCHES FOR EQUALITY;
    BEHAVIOUR
        aclEntryIdBehaviour BEHAVIOUR
            DEFINED AS
            !The naming attribute for object class aclEntry!;;
    REGISTERED AS {iimcAutoName 1 3 6 1 6 3 3 2 3 1 1};

aclPrivileges ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.AclPrivileges;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        aclPrivilegesBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The access privileges which govern what management
                operations a particular target party may perform with
                respect to a particular SNMPv2 context when requested
                by a particular subject party. These privileges are
                specified as a sum of values, where each value
                specifies a SNMPv2 PDU type by which the subject
                party may request a permitted operation.
                The value for a particular PDU type is computed as 2
                raised to the value of the ASN.1 context-specific tag
                for the appropriate SNMPv2 PDU type. The values (for
                the tags defined in [28]) are defined in [25] as:

                    Get         :   1
                    GetNext     :   2
                    Response    :   4
                    Set         :   8
                    unused      :  16
                    GetBulk     :  32
                    Inform      :  64
                    SNMPv2-Trap : 128

                The null set is represented by the value zero.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 3 1 1 4};

aclResources ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.Index;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        aclResourcesBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The value of an instance of this object identifies a
                SNMPv2 context in an access control policy, and has
                the same value as the instance of the contextIndex
                object for that SNMPv2 context.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 3 1 1 3};

aclStatus ATTRIBUTE
    DERIVED FROM {iimcIIMCIMIBTRANS}:rowStatus;
    BEHAVIOUR
        aclStatusBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The status of this conceptual row in the
                aclTable.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 3 1 1 6};

aclStorageType ATTRIBUTE
    DERIVED FROM storageType;
    BEHAVIOUR
        aclStorageTypeBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The storage type for this conceptual row in the
                aclTable.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 3 1 1 5};
aclSubject ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.Index;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        aclSubjectBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The value of an instance of this object identifies a
                SNMPv2 party which is the subject of an access control
                policy, and has the same value as the instance of the
                partyIndex object for that SNMPv2 party.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 3 1 1 2};

aclTarget ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.Index;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        aclTargetBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The value of an instance of this object identifies a
                SNMPv2 party which is the target of an access control
                policy, and has the same value as the instance of the
                partyIndex object for that party.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 3 1 1 1};

contextEntryId ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.ContextEntryIdValue;
    MATCHES FOR EQUALITY;
    BEHAVIOUR
        contextEntryIdBehaviour BEHAVIOUR
            DEFINED AS
            !The naming attribute for object class contextEntry!;;
    REGISTERED AS {iimcAutoName 1 3 6 1 6 3 3 2 2 1 1};

contextIdentity ATTRIBUTE
    DERIVED FROM context;
    BEHAVIOUR
        contextIdentityBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!A context identifier uniquely identifying a
                particular SNMPv2 context.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 2 1 1 1};

contextIndex ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.Index;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        contextIndexBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!A unique value for each SNMPv2 context. The value
                for each SNMPv2 context must remain constant at least
                from one re-initialization of the entity's network
                management system to the next re-initialization.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 2 1 1 2};

contextLocal ATTRIBUTE
    DERIVED FROM {iimcIIMCIMIBTRANS}:truthValue;
    BEHAVIOUR
        contextLocalBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!An indication of whether this context is realized by
                this SNMPv2 entity.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 2 1 1 3};

contextViewIndex ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.Index;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        contextViewIndexBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!If the value of an instance of this object is zero,
                then this corresponding conceptual row in the
                contextTable refers to a SNMPv2 context which
                identifies a proxy relationship; the values of the
                corresponding instances of the contextProxyDstParty,
                contextProxySrcParty, and contextProxyContext objects
                provide further information on the proxy relationship.
                Otherwise, if the value of an instance of this object
                is greater than zero, then this corresponding
                conceptual row in the contextTable refers to a SNMPv2
                context which identifies a MIB view of a locally
                accessible entity; the value of the instance
                identifies the particular MIB view which has the same
                value of viewIndex; and the value of the corresponding
                instances of the contextLocalEntity and
                contextLocalTime objects provide further information
                on the local entity and its temporal domain.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 2 1 1 4};

contextLocalEntity ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.OctetString;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        contextLocalEntityBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!If the value of the corresponding instance of the
                contextViewIndex is greater than zero, then the value
                of an instance of this object identifies the local
                entity whose management information is in the SNMPv2
                context's MIB view.
                The empty string indicates that the MIB view contains
                the SNMPv2 entity's own local management information;
                otherwise, a non-empty string indicates that the MIB
                view contains management information of some other
                local entity, e.g., 'Repeater1'.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 2 1 1 5};

contextLocalTime ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.ObjectIdentifier;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        contextLocalTimeBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!If the value of the corresponding instance of the
                contextViewIndex is greater than zero, then the value
                of an instance of this object identifies the temporal
                context of the management information in the MIB
                view.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 2 1 1 6};

contextProxyDstParty ATTRIBUTE
    DERIVED FROM party;
    BEHAVIOUR
        contextProxyDstPartyBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!If the value of the corresponding instance of the
                contextViewIndex is equal to zero, then the value of
                an instance of this object identifies a SNMPv2 party
                which is the proxy destination of a proxy
                relationship.
                If the value of the corresponding instance of the
                contextViewIndex is greater than zero, then the value
                of an instance of this object is zero.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 2 1 1 7};

contextProxySrcParty ATTRIBUTE
    DERIVED FROM party;
    BEHAVIOUR
        contextProxySrcPartyBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!If the value of the corresponding instance of the
                contextViewIndex is equal to zero, then the value of
                an instance of this object identifies a SNMPv2 party
                which is the proxy source of a proxy relationship.

                Interpretation of an instance of this object depends
                upon the value of the transport domain associated with
                the SNMPv2 party used as the proxy destination in this
                proxy relationship.

                If the value of the corresponding instance of the
                contextViewIndex is greater than zero, then the value
                of an instance of this object is zero.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 2 1 1 8};

contextProxyContext ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.ObjectIdentifier;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        contextProxyContextBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!If the value of the corresponding instance of the
                contextViewIndex is equal to zero, then the value of
                an instance of this object identifies the context of a
                proxy relationship.

                Interpretation of an instance of this object depends
                upon the value of the transport domain associated with
                the SNMPv2 party used as the proxy destination in this
                proxy relationship.
                If the value of the corresponding instance of the
                contextViewIndex is greater than zero, then the value
                of an instance of this object is { 0 0 }.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 2 1 1 9};

contextStorageType ATTRIBUTE
    DERIVED FROM storageType;
    BEHAVIOUR
        contextStorageTypeBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The storage type for this conceptual row in the
                contextTable.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 2 1 1 10};

contextStatus ATTRIBUTE
    DERIVED FROM {iimcIIMCIMIBTRANS}:rowStatus;
    BEHAVIOUR
        contextStatusBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The status of this conceptual row in the
                contextTable.

                A context is not qualified for activation until
                instances of all corresponding columns have the
                appropriate value. In particular, if the context's
                contextViewIndex is greater than zero, then the
                viewStatus column of the associated conceptual row(s)
                in the viewTable must have the value `active'.
                Until instances of all corresponding columns are
                appropriately configured, the value of the
                corresponding instance of the contextStatus column is
                `notReady'.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 2 1 1 11};

partyAuthClock ATTRIBUTE
    DERIVED FROM clock;
    BEHAVIOUR
        partyAuthClockBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The authentication clock which represents the local
                notion of the current time specific to the party.
                This value must not be decremented unless the party's
                secret information is changed simultaneously, at which
                time the party's nonce and last-timestamp values must
                also be reset to zero, and the new value of the clock,
                respectively.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 8};

partyAuthLifetime ATT
RIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.PartyAuthLifetime;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        partyAuthLifetimeBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The lifetime (in units of seconds) which represents
                an administrative upper bound on acceptable delivery
                delay for protocol messages generated by the
                party.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 11};

partyAuthPrivate ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.OctetString;
    MATCHES FOR EQUALITY, SUBSTRINGS;
    BEHAVIOUR
        partyAuthPrivateBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.
                It is modified to accommodate SNMPv1 community
                strings.!!;
            DESCRIPTION
                !!If the value of partyAuthProtocol is
                {snmpv1CommString} then this attribute contains the
                community string to be used with SNMPv1 security.

                If the value of partyAuthProtocol is not
                {snmpv1CommString} then this attribute contains an
                encoding of the party's private authentication key
                which may be needed to support the authentication
                protocol. Although the value of this variable may be
                altered by a management operation (e.g., a SNMPv2
                Set-Request), its value can never be retrieved by a
                management operation: when read, the value of this
                variable is the zero length OCTET STRING.

                The private authentication key is NOT directly
                represented by the value of this variable, but rather
                it is represented according to an encoding. This
                encoding is the bitwise exclusive-OR of the old key
                with the new key, i.e., of the old private
                authentication key (prior to the alteration) with the
                new private authentication key (after the
                alteration). Thus, when processing a received
                protocol Set operation, the new private
                authentication key is obtained from the value of this
                variable as the result of a bitwise exclusive-OR of
                the variable's value and the old private
                authentication key. In calculating the exclusive-OR,
                if the old key is shorter than the new key,
                zero-valued padding is appended to the old key.
                If no value for the old key exists, a zero-length
                OCTET STRING is used in the calculation.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 9};

partyAuthProtocol ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.ObjectIdentifier;
    MATCHES FOR EQUALITY;
    BEHAVIOUR
        partyAuthProtocolBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The authentication protocol by which all messages
                generated by the party are authenticated as to origin
                and integrity. In this context, the value {noAuth}
                signifies that messages generated by the party are
                not authenticated.

                The value {snmpv1CommString} indicates that a SNMPv1
                community string is to be used. The community string
                shall be present in partyAuthPrivate.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 7};

partyAuthPublic ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.OctetString;
    MATCHES FOR EQUALITY;
    BEHAVIOUR
        partyAuthPublicBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!A publicly-readable value for the party. Depending
                on the party's authentication protocol, this value may
                be needed to support the party's authentication
                protocol. Alternatively, it may be used by a manager
                during the procedure for altering secret information
                about a party.
                (For example, by altering the value of an instance of
                this object in the same SNMP Set-Request used to
                update an instance of partyAuthPrivate, a subsequent
                Get-Request can determine if the Set-Request was
                successful in the event that no response to the
                Set-Request is received, see RFC 1446.)

                The length of the value is dependent on the party's
                authentication protocol. If not used by the
                authentication protocol, it is recommended that agents
                support values of any length up to and including the
                length of the corresponding partyAuthPrivate
                object.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 10};

partyCloneFrom ATTRIBUTE
    DERIVED FROM party;
    BEHAVIOUR
        partyCloneFromBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The identity of a party to clone authentication and
                privacy parameters from. When read, the value { 0 0 }
                is returned.

                This value can only be written when the associated
                instance of partyStatus either does not exist or has
                the value `notReady'. When written, the value
                identifies a party, the cloning party, whose status
                column has the value `active'. The cloning party is
                used in two ways.
                One, if instances of the following objects do not
                exist for the party being created, then they are
                created with values identical to those of the
                corresponding objects for the cloning party:

                    partyAuthProtocol
                    partyAuthPublic
                    partyAuthLifetime
                    partyPrivProtocol
                    partyPrivPublic

                Two, instances of the following objects are updated
                using the corresponding values of the cloning party:

                    partyAuthPrivate
                    partyPrivPrivate

                (e.g., the value of the cloning party's instance of
                the partyAuthPrivate object is XOR'd with the value of
                the partyAuthPrivate instance of the party being
                created.)!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 15};

partyEntryId ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.PartyEntryIdValue;
    MATCHES FOR EQUALITY;
    BEHAVIOUR
        partyEntryIdBehaviour BEHAVIOUR
            DEFINED AS
            !The naming attribute for object class partyEntry!;;
    REGISTERED AS {iimcAutoName 1 3 6 1 6 3 3 2 1 1 1};

partyIdentity ATTRIBUTE
    DERIVED FROM party;
    BEHAVIOUR
        partyIdentityBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!A party identifier uniquely identifying a particular
                SNMP party.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 1};

partyIndex ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.Index;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        partyIndexBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!A unique value for each SNMPv2 party.
                The value for each SNMPv2 party must remain constant
                at least from one re-initialization of the entity's
                network management system to the next
                re-initialization.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 2};

partyLocal ATTRIBUTE
    DERIVED FROM {iimcIIMCIMIBTRANS}:truthValue;
    BEHAVIOUR
        partyLocalBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!An indication of whether this party executes at this
                SNMPv2 entity. If this object has a value of true(1),
                then the SNMPv2 entity will listen for SNMPv2 messages
                on the partyTAddress associated with this party. If
                this object has the value false(2), then the SNMPv2
                entity will not listen for SNMPv2 messages on the
                partyTAddress associated with this party.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 6};

partyMaxMessageSize ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.PartyMaxMessageSize;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        partyMaxMessageSizeBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The maximum length in octets of a SNMP message which
                this party will accept. For parties which execute at
                an agent, the agent initializes this object to the
                maximum length supported by the agent, and does not
                let the object be set to any larger value.
                For parties which do not execute at the agent, the
                agent must allow the manager to set this object to any
                legal value, even if it is larger than the agent can
                generate.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 5};

partyMIBObjectsId ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.PartyMIBObjectsIdValue;
    MATCHES FOR EQUALITY;
    BEHAVIOUR
        partyMIBObjectsIdBehaviour BEHAVIOUR
            DEFINED AS
            !The naming attribute for object class partyMIBObjects!;;
    REGISTERED AS {iimcAutoName 1 3 6 1 6 3 3 2};

partyPrivProtocol ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.ObjectIdentifier;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        partyPrivProtocolBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The privacy protocol by which all protocol messages
                received by the party are protected from disclosure.
                In this context, the value {noPriv} signifies that
                messages received by the party are not protected.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 12};

partyPrivPrivate ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.OctetString;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        partyPrivPrivateBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!An encoding of the party's private encryption key
                which may be needed to support the privacy protocol.
                Although the value of this variable may be altered by
                a management operation (e.g., a SNMPv2 Set-Request),
                its value can never be retrieved by a management
                operation: when read, the value of this variable is
                the zero length OCTET STRING.
                The private encryption key is NOT directly represented
                by the value of this variable, but rather it is
                represented according to an encoding. This encoding is
                the bitwise exclusive-OR of the old key with the new
                key, i.e., of the old private encryption key (prior to
                the alteration) with the new private encryption key
                (after the alteration). Thus, when processing a
                received protocol Set operation, the new private
                encryption key is obtained from the value of this
                variable as the result of a bitwise exclusive-OR of
                the variable's value and the old private encryption
                key. In calculating the exclusive-OR, if the old key
                is shorter than the new key, zero-valued padding is
                appended to the old key. If no value for the old key
                exists, a zero-length OCTET STRING is used in the
                calculation.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 13};

partyPrivPublic ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.OctetString;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        partyPrivPublicBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!A publicly-readable value for the party. Depending
                on the party's privacy protocol, this value may be
                needed to support the party's privacy protocol.
                Alternatively, it may be used by a manager as a part
                of its procedure for altering secret information about
                a party. (For example, by altering the value of an
                instance of this object in the same SNMP Set-Request
                used to update an instance of partyPrivPrivate, a
                subsequent Get-Request can determine if the
                Set-Request was successful in the event that no
                response to the Set-Request is received, see RFC
                1446.)
                The length of the value is dependent on the party's
                privacy protocol. If not used by the privacy protocol,
                it is recommended that agents support values of any
                length up to and including the length of the
                corresponding partyPrivPrivate object.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 14};

partyStatus ATTRIBUTE
    DERIVED FROM {iimcIIMCIMIBTRANS}:rowStatus;
    BEHAVIOUR
        partyStatusBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The status of this conceptual row in the
                partyTable.

                A party is not qualified for activation until
                instances of all columns of its partyEntry row have an
                appropriate value. In particular:

                A value must be written to the Party's partyCloneFrom
                object.

                If the Party's partyAuthProtocol object has the value
                md5AuthProtocol, then the corresponding instance of
                partyAuthPrivate must contain a secret of the
                appropriate length. Further, at least one management
                protocol set operation updating the value of the
                party's partyAuthPrivate object must be successfully
                processed, before the partyAuthPrivate column is
                considered appropriately configured.

                If the Party's partyPrivProtocol object has the value
                desPrivProtocol, then the corresponding instance of
                partyPrivPrivate must contain a secret of the
                appropriate length. Further, at least one management
                protocol set operation updating the value of the
                party's partyPrivPrivate object must be successfully
                processed, before the partyPrivPrivate column is
                considered appropriately configured.
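The key-change encoding that partyAuthPrivate and partyPrivPrivate describe, the partyCloneFrom procedure, the partyAuthPublic delivery check and the activation rules for partyStatus, worked through together in Python. This is an added example, not code from this draft or from RFC 1447: PartyEntry, set_request, clone_from, qualified_for_activation and provision are this example's own names, the 16-octet secret lengths for md5AuthProtocol and desPrivProtocol are taken from RFC 1446 rather than from this page and are an assumption here, and the keys and marker values are constructed.

```python
"""Key-change encoding and activation readiness for a partyEntry row.

Added example, not code from the draft or RFC 1447.  PartyEntry stands in
for the conceptual row.  The 16-octet secrets for md5AuthProtocol and
desPrivProtocol come from RFC 1446, not from this page (assumption here).
"""
from dataclasses import dataclass
from typing import Dict, Optional

SECRET_LEN = {"md5AuthProtocol": 16, "desPrivProtocol": 16}  # RFC 1446 (assumed)


def xor_keys(old_key: bytes, other: bytes) -> bytes:
    """old XOR other, with old zero-padded to len(other) when it is shorter.

    Manager side: xor_keys(old, new) is the value written to partyAuthPrivate
    or partyPrivPrivate.  Agent side: xor_keys(old, written) recovers new.
    With no old key the zero-length string is used, so the very first write
    carries the key itself; only later rotations are hidden by the old key.
    """
    padded = old_key.ljust(len(other), b"\x00")
    return bytes(o ^ n for o, n in zip(padded, other))


@dataclass
class PartyEntry:
    """The partyEntry columns that key handling and partyStatus depend on."""
    partyAuthProtocol: Optional[str] = None
    partyPrivProtocol: Optional[str] = None
    partyAuthPublic: Optional[bytes] = None
    partyPrivPublic: Optional[bytes] = None
    partyAuthLifetime: Optional[int] = None
    partyAuthPrivate: bytes = b""
    partyPrivPrivate: bytes = b""
    partyStatus: str = "notReady"
    clone_from_written: bool = False
    auth_private_sets: int = 0  # successful Sets of partyAuthPrivate
    priv_private_sets: int = 0  # successful Sets of partyPrivPrivate

    def get(self, column: str):
        """Get-Request view: secrets read as empty, partyCloneFrom as { 0 0 }."""
        if column in ("partyAuthPrivate", "partyPrivPrivate"):
            return b""
        if column == "partyCloneFrom":
            return (0, 0)
        return getattr(self, column)

    def set_request(self, varbinds: Dict[str, bytes]) -> None:
        """Apply one Set-Request: the four columns this example handles, as a unit."""
        if "partyAuthPrivate" in varbinds:
            self.partyAuthPrivate = xor_keys(self.partyAuthPrivate, varbinds["partyAuthPrivate"])
            self.auth_private_sets += 1
        if "partyPrivPrivate" in varbinds:
            self.partyPrivPrivate = xor_keys(self.partyPrivPrivate, varbinds["partyPrivPrivate"])
            self.priv_private_sets += 1
        for col in ("partyAuthPublic", "partyPrivPublic"):
            if col in varbinds:
                setattr(self, col, varbinds[col])


def clone_from(new: PartyEntry, cloning: PartyEntry) -> None:
    """partyCloneFrom: writable only while the new row is notReady and only
    naming an active party.  Public columns the new row lacks are copied;
    the cloning party's secrets are XORed into the new row's secrets."""
    if new.partyStatus != "notReady":
        raise ValueError("partyCloneFrom is writable only while notReady")
    if cloning.partyStatus != "active":
        raise ValueError("the cloning party must be active")
    for col in ("partyAuthProtocol", "partyAuthPublic", "partyAuthLifetime",
                "partyPrivProtocol", "partyPrivPublic"):
        if getattr(new, col) is None:
            setattr(new, col, getattr(cloning, col))
    new.partyAuthPrivate = xor_keys(new.partyAuthPrivate, cloning.partyAuthPrivate)
    new.partyPrivPrivate = xor_keys(new.partyPrivPrivate, cloning.partyPrivPrivate)
    new.clone_from_written = True


def qualified_for_activation(p: PartyEntry) -> bool:
    """partyStatus rule: partyCloneFrom written, and each protocol that needs
    a secret has one of the right length that at least one Set has updated."""
    if not p.clone_from_written:
        return False
    for proto, key, sets in ((p.partyAuthProtocol, p.partyAuthPrivate, p.auth_private_sets),
                             (p.partyPrivProtocol, p.partyPrivPrivate, p.priv_private_sets)):
        need = SECRET_LEN.get(proto)
        if need and (len(key) != need or sets == 0):
            return False
    return True


def provision(template: PartyEntry, new_auth_key: bytes, marker: bytes) -> PartyEntry:
    """Constructed scenario: clone an active MD5 party, then give the new party
    its own key in one Set-Request that also writes partyAuthPublic, so a later
    Get on partyAuthPublic confirms the Set even if its Response was lost."""
    party = PartyEntry()
    clone_from(party, template)            # secrets now equal the template's
    # The manager knows the template's key, so it can encode the new one.
    party.set_request({"partyAuthPrivate": xor_keys(template.partyAuthPrivate, new_auth_key),
                       "partyAuthPublic": marker})
    if qualified_for_activation(party):
        party.partyStatus = "active"
    return party
```

Two points the walkthrough makes visible. The encoding hides a new key only from someone who does not hold the old one: the first write to a row with no key, and any write to a row cloned from a party whose key the observer knows, carries the new key with no protection, which is why the clone-then-rotate step above must itself be authenticated. And the partyAuthPublic marker is only a reliable success indicator because the Set-Request is applied as a unit; a reader who sees the marker can conclude the key update in the same request was applied.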
                Until instances of all corresponding columns are
                appropriately configured, the value of the
                corresponding instance of the partyStatus column is
                `notReady'.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 17};

partyStorageType ATTRIBUTE
    DERIVED FROM storageType;
    BEHAVIOUR
        partyStorageTypeBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The storage type for this conceptual row in the
                partyTable.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 16};

partyTAddress ATTRIBUTE
    DERIVED FROM tAddress;
    BEHAVIOUR
        partyTAddressBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The transport service address by which the party
                receives network management traffic, formatted
                according to the corresponding value of partyTDomain.
                For rfc1351Domain, partyTAddress is formatted as a
                4-octet IP Address concatenated with a 2-octet UDP
                port number.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 4};

partyTDomain ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.ObjectIdentifier;
    MATCHES FOR EQUALITY;
    BEHAVIOUR
        partyTDomainBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!Indicates the kind of transport service by which the
                party receives network management traffic.
                An example of a transport domain is 'rfc1351Domain'
                (SNMP over UDP).!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 1 1 1 3};

viewEntryId ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.ViewEntryIdValue;
    MATCHES FOR EQUALITY;
    BEHAVIOUR
        viewEntryIdBehaviour BEHAVIOUR
            DEFINED AS
            !The naming attribute for object class viewEntry!;;
    REGISTERED AS {iimcAutoName 1 3 6 1 6 3 3 2 4 1 1};

viewIndex ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.Index;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        viewIndexBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!A unique value for each MIB view. The value for each
                MIB view must remain constant at least from one
                re-initialization of the entity's network management
                system to the next re-initialization.!!;
            ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 4 1 1 1};

viewMask ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.ViewMask;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        viewMaskBehaviour BEHAVIOUR
            DEFINED AS
            !BEGINPARSE
            REFERENCE
                !!This corresponds to the object type defined in [27]
                by the same name.!!;
            DESCRIPTION
                !!The bit mask which, in combination with the
                corresponding instance of viewSubtree, defines a
                family of view subtrees.

                Each bit of this bit mask corresponds to a
                sub-identifier of viewSubtree, with the most
                significant bit of the i-th octet of this octet string
                value (extended if necessary, see below) corresponding
                to the (8*i - 7)-th sub-identifier, and the least
                significant bit of the i-th octet of this octet string
                corresponding to the (8*i)-th sub-identifier, where i
                is in the range 1 through 16.
2534 Each bit of this bit mask specifies whether 2535 or not the corresponding sub-identifiers must 2536 match when determining if an OBJECT 2537 IDENTIFIER is in this family of view 2538 subtrees; a '1' indicates that an exact match 2539 must occur; a '0' indicates 'wild card', 2540 i.e., any sub-identifier value matches. Thus, 2541 the OBJECT IDENTIFIER X of an object instance 2542 is contained in a family of view subtrees if 2543 the following criteria are met: 2545 for each sub-identifier of the value of 2546 viewSubtree, either: 2548 the i-th bit of viewMask is 0, or 2550 the i-th sub-identifier of X is equal to the 2551 i-th sub-identifier of 2552 the value of viewSubtree. 2554 If the value of this bit mask is M bits long 2555 and there are more than M sub-identifiers in 2556 the corresponding instance of viewSubtree, 2557 DRAFT February, 1994 2559 then the bit mask is extended with 1's to be 2560 the required length. 2562 Note that when the value of this object is 2563 the zero-length string, this extension rule 2564 results in a mask of all-1's being used 2565 (i.e., no 'wild card'), and the family of 2566 view subtrees is the one view subtree 2567 uniquely identified by the corresponding 2568 instance of viewSubtree.!!; 2569 ENDPARSE!;; 2570 REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 4 1 1 3}; 2572 viewStatus ATTRIBUTE 2573 DERIVED FROM {iimcIIMCIMIBTRANS}:rowStatus; 2574 BEHAVIOUR 2575 viewStatusBehaviour BEHAVIOUR 2576 DEFINED AS 2577 !BEGINPARSE 2578 REFERENCE 2579 !!This corresponds to the object type defined 2580 in [27] by the same name.!!; 2581 DESCRIPTION 2582 !!The status of this conceptual row in the 2583 viewTable.!!; 2584 ENDPARSE!;; 2585 REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 4 1 1 6}; 2587 viewStorageType ATTRIBUTE 2588 DERIVED FROM storageType; 2589 BEHAVIOUR 2590 viewStorageTypeBehaviour BEHAVIOUR 2591 DEFINED AS 2592 !BEGINPARSE 2593 REFERENCE 2594 !!This corresponds to the object type defined 2595 in [27] by the same 
name.!!; 2596 DESCRIPTION 2597 !!The storage type for this conceptual row in 2598 the viewTable.!!; 2599 ENDPARSE!;; 2600 REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 4 1 1 5}; 2602 viewSubtree ATTRIBUTE 2603 WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.ObjectIdentifier; 2604 MATCHES FOR EQUALITY, ORDERING; 2605 BEHAVIOUR 2606 viewSubtreeBehaviour BEHAVIOUR 2607 DEFINED AS 2608 !BEGINPARSE 2609 REFERENCE 2610 !!This corresponds to the object type defined 2611 in [27] by the same name.!!; 2612 DESCRIPTION 2613 DRAFT February, 1994 2615 !!A MIB subtree.!!; 2616 ENDPARSE!;; 2617 REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 4 1 1 2}; 2619 viewType ATTRIBUTE 2620 WITH ATTRIBUTE SYNTAX IIMCRFC1447ASN1.ViewType; 2621 MATCHES FOR EQUALITY, ORDERING; 2622 BEHAVIOUR 2623 viewTypeBehaviour BEHAVIOUR 2624 DEFINED AS 2625 !BEGINPARSE 2626 REFERENCE 2627 !!This corresponds to the object type defined 2628 in [27] by the same name.!!; 2629 DESCRIPTION 2630 !!The status of a particular family of view 2631 subtrees within the particular SNMPv2 2632 context's MIB view. The value 'included(1)' 2633 indicates that the corresponding instances of 2634 viewSubtree and viewMask define a family of 2635 view subtrees included in the MIB view. 
                    The value 'excluded(2)' indicates that the
                    corresponding instances of viewSubtree and
                    viewMask define a family of view subtrees
                    excluded from the MIB view.!!;
                ENDPARSE!;;
    REGISTERED AS {iimcAutoObjAndAttr 1 3 6 1 6 3 3 2 4 1 1 4};

-- 4.1.4 Party MIB Name Bindings

aclEntry-partyMIBObjectsNB NAME BINDING
    SUBORDINATE OBJECT CLASS aclEntry AND SUBCLASSES;
    NAMED BY SUPERIOR OBJECT CLASS partyMIBObjects AND
        SUBCLASSES;
    WITH ATTRIBUTE aclEntryId;
    BEHAVIOUR
        aclEntry-partyMIBObjectsNBBehaviour BEHAVIOUR
            DEFINED AS
                !BEGINPARSE
                INDEX SNMPv2-Party-MIB.aclTarget,
                      SNMPv2-Party-MIB.aclSubject,
                      SNMPv2-Party-MIB.aclResources;
                DELETEATT aclStatus;
                DELETEVALUE SNMPV2ROWSTATUS;
                ENDPARSE!;;
    CREATE WITH-AUTOMATIC-INSTANCE-NAMING,
           WITH-REFERENCE-OBJECT;
    DELETE DELETES-CONTAINED-OBJECTS;
    REGISTERED AS {iimcAutoNameBinding 1 3 6 1 6 3 3 2 3 1 1};

contextEntry-partyMIBObjectsNB NAME BINDING
    SUBORDINATE OBJECT CLASS contextEntry AND SUBCLASSES;
    NAMED BY SUPERIOR OBJECT CLASS partyMIBObjects AND
        SUBCLASSES;
    WITH ATTRIBUTE contextEntryId;
    BEHAVIOUR
        contextEntry-partyMIBObjectsNBBehaviour BEHAVIOUR
            DEFINED AS
                !BEGINPARSE
                INDEX IMPLIED SNMPv2-Party-MIB.contextIdentity;
                DELETEATT contextStatus;
                DELETEVALUE SNMPV2ROWSTATUS;
                ENDPARSE!;;
    CREATE WITH-AUTOMATIC-INSTANCE-NAMING,
           WITH-REFERENCE-OBJECT;
    DELETE DELETES-CONTAINED-OBJECTS;
    REGISTERED AS {iimcAutoNameBinding 1 3 6 1 6 3 3 2 2 1 1};

partyEntry-partyMIBObjectsNB NAME BINDING
    SUBORDINATE OBJECT CLASS partyEntry AND SUBCLASSES;
    NAMED BY SUPERIOR OBJECT CLASS partyMIBObjects AND
        SUBCLASSES;
    WITH ATTRIBUTE partyEntryId;
    BEHAVIOUR
        partyEntry-partyMIBObjectsNBBehaviour BEHAVIOUR
            DEFINED AS
                !BEGINPARSE
                INDEX IMPLIED SNMPv2-Party-MIB.partyIdentity;
                DELETEATT partyStatus;
                DELETEVALUE SNMPV2ROWSTATUS;
                ENDPARSE!;;
    CREATE WITH-AUTOMATIC-INSTANCE-NAMING,
           WITH-REFERENCE-OBJECT;
    DELETE DELETES-CONTAINED-OBJECTS;
    REGISTERED AS {iimcAutoNameBinding 1 3 6 1 6 3 3 2 1 1 1};

viewEntry-partyMIBObjectsNB NAME BINDING
    SUBORDINATE OBJECT CLASS viewEntry AND SUBCLASSES;
    NAMED BY SUPERIOR OBJECT CLASS partyMIBObjects AND
        SUBCLASSES;
    WITH ATTRIBUTE viewEntryId;
    BEHAVIOUR
        viewEntry-partyMIBObjectsNBBehaviour BEHAVIOUR
            DEFINED AS
                !BEGINPARSE
                INDEX SNMPv2-Party-MIB.viewIndex,
                      IMPLIED SNMPv2-Party-MIB.viewSubtree;
                DELETEATT viewStatus;
                DELETEVALUE SNMPV2ROWSTATUS;
                ENDPARSE!;;
    CREATE WITH-AUTOMATIC-INSTANCE-NAMING,
           WITH-REFERENCE-OBJECT;
    DELETE DELETES-CONTAINED-OBJECTS;
    REGISTERED AS {iimcAutoNameBinding 1 3 6 1 6 3 3 2 4 1 1};

partyMIBObjects-systemNB NAME BINDING
    SUBORDINATE OBJECT CLASS partyMIBObjects AND
        SUBCLASSES;
    NAMED BY SUPERIOR OBJECT CLASS
        "Rec. X.721 | ISO/IEC 10165-2 : 1992":system AND
        SUBCLASSES;
    WITH ATTRIBUTE partyMIBObjectsId;
    BEHAVIOUR
        partyMIBObjects-systemNBBehaviour BEHAVIOUR
            DEFINED AS
                !BEGINPARSE
                INDEX NULL;
                ENDPARSE!;;
    CREATE WITH-AUTOMATIC-INSTANCE-NAMING,
           WITH-REFERENCE-OBJECT;
    DELETE DELETES-CONTAINED-OBJECTS;
    REGISTERED AS {iimcAutoNameBinding 1 3 6 1 6 3 3 2};

-- 4.2 PARTY MIB ASN.1 MODULES

IIMCRFC1447ASN1
    {iso(1) member-body(2) 124 forum(360501) iimcAutoTrans(14)
     iimcAutoModule(0) 1447}
DEFINITIONS IMPLICIT TAGS ::= BEGIN
IMPORTS
    UInteger32, snmpv2
        FROM SNMPv2-SMI
    partyAdmin, partyProtocols, noAuth, noPriv,
    desPrivProtocol, v2md5AuthProtocol,
    temporalDomains, currentTime, restartTime,
    cacheTime, initialPartyId,
    initialContextId
        FROM SNMPv2-Party-MIB
    snmpUDPDomain
        FROM SNMPv2-TM
    iimcAutoModule, iimcAutoObjAndAttr,
    iimcAutoNameBinding,
    iimcAutoDocument, iimcAutoName, iimcIIMCIMIBTRANS
        FROM IimcAssignedOIDs
            {iso(1) member-body(2) 124 forum(360501)
             iimcManual(15) iimcModule(0) 1}
    Integer, OctetString, ObjectIdentifier
        FROM IimcCommonDef
            {iso(1) member-body(2) 124 forum(360501)
             iimcManual(15) iimcModule(0) 2};

iimcRFC1447 OBJECT IDENTIFIER ::= {iimcAutoDocument 1447}

AclPrivileges ::= INTEGER (0..255)

AclEntryIdValue ::= SEQUENCE {
    aclTarget    [1] Index,
    aclSubject   [2] Index,
    aclResources [3] Index
}

Clock ::= UInteger32

ContextEntryIdValue ::= SEQUENCE {
    contextIdentity [1] OBJECT IDENTIFIER
}

Index ::= INTEGER (1..65535)

PartyAuthLifetime ::= INTEGER (0..2147483647)

PartyEntryIdValue ::= SEQUENCE {
    partyIdentity [1] OBJECT IDENTIFIER
}

PartyMIBObjectsIdValue ::= NULL

PartyMaxMessageSize ::= INTEGER (484..65507)

StorageType ::= INTEGER {
    other(1),        -- eh?
    volatile(2),     -- e.g., in RAM
    nonVolatile(3),  -- e.g., in NVRAM
    permanent(4)     -- e.g., in ROM
}

-- The naming attribute of viewEntry carries the two index objects
-- named in viewEntry-partyMIBObjectsNB (viewIndex, viewSubtree),
-- as the other *IdValue types above carry theirs.
ViewEntryIdValue ::= SEQUENCE {
    viewIndex   [1] Index,
    viewSubtree [2] OBJECT IDENTIFIER
}

ViewMask ::= OCTET STRING (SIZE (0..16))

ViewType ::= INTEGER {
    included(1),
    excluded(2)
}

-- Default value constants

c-aclPrivileges INTEGER ::= 35
c-contextLocal BOOLEAN ::= TRUE
c-DEFAULTNullString OCTET STRING ::= ''H
c-contextLocalTime Clock ::= currentTime
c-DEFAULTStorageType INTEGER ::= 3
c-partyTDomain OBJECT IDENTIFIER ::= snmpUDPDomain
c-partyTAddress OCTET STRING ::= '000000000000'H
c-partyMaxMessageSize INTEGER ::= 484
c-partyLocal BOOLEAN ::= FALSE
c-partyAuthProtocol OBJECT IDENTIFIER ::= v2md5AuthProtocol
c-partyAuthClock INTEGER ::= 0
c-partyAuthLifetime INTEGER ::= 300
c-partyPrivProtocol OBJECT IDENTIFIER ::= noPriv
c-viewType INTEGER ::= 1

END

5. IIMC ACL MIB

   The use of parties and contexts and community strings can be
   very confusing for application programmers.  Also, the actual
   privileges associated with an individual user of an
   application are not generally at the discretion of the user
   or programmer, but at the discretion of the person
   responsible for enforcing the security policy, i.e., for
   configuring the security MIB elements.  The actual party
   identities and associated contexts, or community strings,
   that the user needs for access could remain hidden from the
   user, and perhaps should.

   A mechanism for hiding most of the assignment and
   configuration of security parameters associated with user
   security privileges for proxy/agent communications is to
   implement an access control list (ACL) scheme at the proxy.
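   Worked example of the MIB view rules of section 4 (the viewMask
   and viewType attributes of 4.1.3 and the ViewMask/ViewType types
   of 4.2).  This is an illustration added by the editor; it is not
   part of the draft and not code from RFC 1447.  OBJECT IDENTIFIERs
   are Python tuples of sub-identifiers, the sample view is a
   constructed policy, and the rule used when several families match
   an instance (longest viewSubtree wins, ties go to the
   lexicographically greatest subtree) is an assumption borrowed
   from the later VACM, since the draft does not state a precedence.

```python
"""Added example (editor's illustration, not the draft's or RFC 1447's code):
membership of an OBJECT IDENTIFIER in a family of view subtrees
(viewSubtree + viewMask) and in a MIB view built from included/excluded
families (viewType).  OIDs are tuples of sub-identifiers."""

INCLUDED, EXCLUDED = 1, 2      # ViewType values of module IIMCRFC1447ASN1
MAX_MASK_OCTETS = 16           # ViewMask ::= OCTET STRING (SIZE (0..16))


def mask_bit(mask: bytes, i: int) -> int:
    """Bit of viewMask for the i-th (1-based) sub-identifier of viewSubtree.

    The MSB of octet i covers sub-identifier 8*i-7, its LSB covers 8*i.
    Bits beyond the end of the mask are taken as 1 (exact match), which is
    the extension rule that also makes a zero-length mask mean 'no wild card'."""
    octet, bit = divmod(i - 1, 8)
    if octet >= len(mask):
        return 1
    return (mask[octet] >> (7 - bit)) & 1


def in_family(oid: tuple, subtree: tuple, mask: bytes) -> bool:
    """True if `oid` lies in the family of view subtrees (subtree, mask)."""
    if len(mask) > MAX_MASK_OCTETS:
        raise ValueError("viewMask is at most 16 octets")
    # A view subtree is a prefix of every instance it contains, so an OID
    # with fewer sub-identifiers than viewSubtree can never be in the family.
    if len(oid) < len(subtree):
        return False
    for i, sub in enumerate(subtree, start=1):
        if mask_bit(mask, i) == 1 and oid[i - 1] != sub:
            return False       # '1' bit: exact match required and failed
    return True                # '0' bits are wild cards


def in_mib_view(oid: tuple, families: list) -> bool:
    """families: (viewSubtree, viewMask, viewType) triples of one MIB view.

    Assumption (not stated in the draft): when more than one family
    matches, the most specific one decides, i.e. the longest viewSubtree,
    ties broken by the lexicographically greatest subtree, which is the
    rule the later VACM adopted.  No match at all means 'not in view'."""
    best = None
    for subtree, mask, vtype in families:
        if in_family(oid, subtree, mask):
            key = (len(subtree), subtree)
            if best is None or key > best[0]:
                best = (key, vtype)
    return best is not None and best[1] == INCLUDED


# Constructed sample view (hypothetical policy, not from the draft):
# mib-2 is visible except sysLocation and the whole ifTable, but every
# column of the ifEntry row with ifIndex 2 is let back in by a wild card on
# the column sub-identifier (the 10th, i.e. bit 0x40 of the mask's 2nd octet).
MIB2 = (1, 3, 6, 1, 2, 1)
SAMPLE_VIEW = [
    (MIB2,                    b"",         INCLUDED),
    (MIB2 + (1, 6),           b"",         EXCLUDED),   # sysLocation
    (MIB2 + (2, 2),           b"",         EXCLUDED),   # ifTable
    (MIB2 + (2, 2, 1, 0, 2),  b"\xff\xbf", INCLUDED),   # ifEntry.<any>.2
]

if __name__ == "__main__":
    for name, oid in [("sysDescr.0",    MIB2 + (1, 1, 0)),
                      ("sysLocation.0", MIB2 + (1, 6, 0)),
                      ("ifInOctets.2",  MIB2 + (2, 2, 1, 10, 2)),
                      ("ifInOctets.3",  MIB2 + (2, 2, 1, 10, 3))]:
        print(f"{name:14s} in view: {in_mib_view(oid, SAMPLE_VIEW)}")
```

   The point worth checking in any real view configuration is the
   mask extension rule: a mask shorter than the subtree is padded
   with 1's, so a wild card that was meant for a late sub-identifier
   silently turns into an exact match when the octet string is too
   short, and an 'excluded' family only takes effect if it is at
   least as specific as the 'included' one it is meant to carve out.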
   The ACL scheme allows an identity to be specified with the
   CMIP request, or ACSE association, have it authenticated,
   and on the basis of that authenticated identity be assigned
   the context and source/destination party pairs, or community
   string, that grants or denies them access to specific
   operations on specific objects associated with specific
   managed systems.  The actual association between the
   identity and the party/context or community string shall be
   accomplished by configuring the security management
   parameters within the aclSecurityInfoEntry objects of the
   proxy system.

   The information for the access control list for ISO/CCITT-
   Internet shall be maintained in a table of entries
   (aclSecurityInfoEntry) that contain:

     *  an associated with a user, application, or role,

     *  the SNMP agent identification, and

     *  the associated party/context or community string
        information needed to determine, from other elements in
        the MIB, the security and communication parameters
        required to communicate with the remote SNMP agent.

   The shall be provided in the access control
   certificate (ACC) used for security services between the
   ISO/CCITT manager and the proxy.  Therefore, no additional
   information needs to be delivered in a contained ACC that
   holds security parameters for proxy to SNMP agent
   communications.  It is a local security policy matter
   whether the SNMP security parameters delivered in an ACC
   over an association, or in a CMIP PDU, will have precedence
   over those in the aclSecurityInfoEntry's parameters.

   The naming attribute of the aclSecurityInfoEntry shall
   contain a sequence of the (an octet string) and
   the .  The shall be the same format as
   that specified for the cmipsnmpProxyAgentId attribute of the
   cmipsnmpProxyAgent object class [31].
   The proxy shall determine the transport address of the SNMP
   agent from data in the Proxy MIB [31], i.e., in the
   cmipsnmpProxyAgent entry that contains the indicated .
   It shall then formulate the combination of identity and
   transport address necessary to find the
   party/context/community string in an aclSecurityInfoEntry.

   The combination of SNMP agent transport address and
   community string provides sufficient information to
   communicate with an SNMPv1 agent.

   The partyEntry and contextEntry associated with the parties
   and context found in the aclSecurityInfoEntry provide the
   communication and security parameters necessary to
   communicate with the SNMPv2 agent.

   For efficiency, this mechanism has been adapted for use with
   defined parties and contexts in the UDP domain that are
   derived from the IP address of the agent, as described in
   [27].

   To accommodate defined UDP contexts and parties, the
   iimcAclIdentity naming attribute shall be allowed to have
   values that do not contain the "" component.  The
   naming attribute shall also be allowed to have the
   associated party and context OIDs of the form for the
   default party {initialPartyId 0 0 0 0 x} and default context
   {initialContextId 0 0 0 0 x} as defined in [27].  The string
   of "0"s is to be interpreted as the OID fragment
   representation of the IP address.  The x assumes the value
   as defined in [27].

   For example, the aclSecurityInfoEntry below, associated with
   "John Doe", provides for access to any SNMPv2 device in the
   snmpUDPDomain conforming to [27] that uses the defaults for
   MD5 authentication without privacy (v2md5AuthProtocol/noPriv)
   and allows Get, Get-Next, Set, and Get-Bulk operations.

       iimcAclIdentity        = "John Doe"
       aclTarget              = {initialPartyId 0 0 0 0 3}
       aclSubject             = {initialPartyId 0 0 0 0 4}
       aclResources           = {initialContextId 0 0 0 0 2}
       snmpv1CommunityString  = ''H

   The proxy can determine the actual party and context OIDs by
   filling in the "0 0 0 0" portion of the OIDs with the agent's
   IP address.

   It is possible for "John Doe" to have different privileges
   for different SNMP agents.  Other entries could exist for
   "John Doe" that are specific to the agent.  Therefore, a
   procedure must be established for processing entries in the
   table.  The procedure for processing the table of
   aclSecurityInfoEntry shall be:

      1) check for an entry that may be specific to an agent;

      2) if an agent-specific entry is not found, then check for
         an entry for a generic agent.

   The above technique avoids the necessity of creating a
   table entry for every party pair and context for each agent.
   It is also possible to extend the generic policies by using
   the same technique defined in [27].

   The objects, attributes, and name bindings for an access
   control list scheme within a proxy are defined below.
   Support for this access control list scheme shall require
   the proxy to instantiate the partyEntry and the contextEntry
   managed objects for communicating with SNMP agents.

   A naming tree diagram for the ACL-related managed object
   classes is illustrated below.  The aclSecurityInfoEntry is
   subordinate to the ISO/CCITT system managed object that
   represents the proxy.

       "Rec. X.721 | ISO/IEC 10165-2 : 1992" : system
                       |
                       |--- aclSecurityInfoEntry

   This document (IIMCSEC) is allocated the following
   registration identifier for purposes of referencing the ACL
   MIB contained herein.
   iimcIIMCACLMIB OBJECT IDENTIFIER ::= { iimcDocument 4 }

-- 5.1 IIMC ACL MIB GDMO TEMPLATES

-- 5.1.1 IIMC ACL MIB Managed Object Classes

aclSecurityInfoEntry MANAGED OBJECT CLASS
    DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2 : 1992":top;
    CHARACTERIZED BY
        aclSecurityInfoEntryPkg PACKAGE
            BEHAVIOUR
                aclSecurityInfoEntryPkgBehaviour BEHAVIOUR
                    DEFINED AS
                        !BEGINPARSE
                        DESCRIPTION
                            !!The security information for a particular
                            requesting identity when communicating with a
                            particular SNMP agent.  The identity is
                            associated with either the specific SNMP
                            source party, destination party, and context
                            triplet, or the community string to be used
                            for the communication between the proxy and
                            the SNMP agent.

                            Attributes for this object are read only.

                            When created, only the security information
                            specific to the SNMP protocol version needs
                            to be provided.  The security parameters for
                            the version not chosen are set to default
                            values indicating that they are not
                            applicable for communicating with the SNMP
                            agent.!!;
                        ENDPARSE!;;
            ATTRIBUTES
                iimcAclIdentity GET,
                {iimcRFC1447}:aclTarget
                    DEFAULT VALUE IIMCACLMIBASN1.c-DEFAULToidNA
                    GET,
                {iimcRFC1447}:aclSubject
                    DEFAULT VALUE IIMCACLMIBASN1.c-DEFAULToidNA
                    GET,
                {iimcRFC1447}:aclResources
                    DEFAULT VALUE IIMCACLMIBASN1.c-DEFAULToidNA
                    GET,
                snmpv1CommunityString
                    DEFAULT VALUE IIMCACLMIBASN1.c-DEFAULTNullString
                    GET;;;
    REGISTERED AS {iimcObjectClass 5};

-- 5.1.2 IIMC ACL MIB Attributes

iimcAclIdentity ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCACLMIBASN1.IimcAclIdentity;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        iimcAclIdentityBehaviour BEHAVIOUR
            DEFINED AS
                !The value of an instance of this object is an
                identity that is associated either with a specific
                source party, destination party, and context
                triplet, or a community string.  It may optionally
                include the specific SNMP agent identity, where
                the agent identity shall be the same format as is
                specified for the
                {iimcIIMCProxy}:cmipsnmpProxyAgentId attribute
                defined in [31].!;;
    REGISTERED AS {iimcAttribute 18};

snmpv1CommunityString ATTRIBUTE
    WITH ATTRIBUTE SYNTAX IIMCACLMIBASN1.OctetString;
    MATCHES FOR EQUALITY, ORDERING;
    BEHAVIOUR
        snmpv1CommunityStringBehaviour BEHAVIOUR
            DEFINED AS
                !The value of an instance of this object is an
                SNMPv1 community string that is associated with
                the remote SNMP agent.!;;
    REGISTERED AS {iimcAttribute 19};

-- 5.1.3 IIMC ACL MIB Name Bindings

aclSecurityInfoEntry-systemNB NAME BINDING
    SUBORDINATE OBJECT CLASS aclSecurityInfoEntry AND
        SUBCLASSES;
    NAMED BY SUPERIOR OBJECT CLASS
        "Rec. X.721 | ISO/IEC 10165-2 : 1992":system AND
        SUBCLASSES;
    WITH ATTRIBUTE iimcAclIdentity;
    CREATE WITH-AUTOMATIC-INSTANCE-NAMING,
           WITH-REFERENCE-OBJECT;
    DELETE DELETES-CONTAINED-OBJECTS;
    REGISTERED AS {iimcNameBinding 4};

-- 5.2 IIMC ACL MIB ASN.1 MODULES

IIMCACLMIBASN1
    {iso(1) member-body(2) 124 forum(360501) iimcManual(15)
     iimcModule(0) 4}
DEFINITIONS IMPLICIT TAGS ::= BEGIN
IMPORTS
    iimcModule, iimcDocument, iimcObjectClass,
    iimcAttribute,
    iimcNameBinding, iimcIIMCACLMIB
        FROM IimcAssignedOIDs
            {iso(1) member-body(2) 124 forum(360501)
             iimcManual(15) iimcModule(0) 1}
    OctetString
        FROM IimcCommonDef
            {iso(1) member-body(2) 124 forum(360501)
             iimcManual(15) iimcModule(0) 2}
    CmipsnmpProxyAgentId
        FROM IimcProxyASN1
            {iso(1) member-body(2) 124 forum(360501)
             iimcManual(15) iimcModule(0) 3};

IimcAclIdentity ::= SEQUENCE {
    identity OCTET STRING,
    agentId  CmipsnmpProxyAgentId OPTIONAL
}

c-DEFAULToidNA OBJECT IDENTIFIER ::= {0 0}
c-DEFAULTNullString OCTET STRING ::= ''H

END

6. CONFORMANCE

   An implementation claiming conformance to this document:

   (a) shall conform to the translated ISO/CCITT GDMO Party
       MIB {iimcRFC1447} requirements stated in the corresponding
       MOCS proforma specified by Annex A;

   (b) shall optionally conform to all of the ISO Manager to
       ISO/CCITT Internet Proxy security requirements stated in
       section 3.1, in the agent role;

   (c) shall support all of the ISO/CCITT-Internet Proxy to
       Internet Agent security requirements stated in section
       3.2, in the manager role; and

   (d) shall optionally conform to the aclSecurityInfoEntry
       class requirements stated in the corresponding MOCS
       proforma specified by Annex A.

ANNEX A (NORMATIVE): MANAGED OBJECT CONFORMANCE STATEMENTS (MOCS)

   Class                   Status    Support
   --------------------    ------    -------
   partyEntry              m
   contextEntry            m
   viewEntry               c1
   aclEntry                c1
   aclSecurityInfoEntry    o

   c1: - if ISO/CCITT-Internet Proxy implementation, else m

   This section available only in Postscript Format.
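   Worked example of the aclSecurityInfoEntry processing of section 5:
   agent-specific entry first, then the generic entry for the identity,
   followed by completion of the default party and context OIDs whose
   "0 0 0 0" placeholder stands for the agent's IP address, and use of
   the 'not applicable' defaults (c-DEFAULToidNA, c-DEFAULTNullString)
   of 5.2 to tell an SNMPv2 entry from an SNMPv1 one.  This is an
   illustration added by the editor, not code from the draft or from
   any IIMC implementation.  The table contents, agent identifiers
   and addresses are constructed; the numeric prefixes assumed for
   initialPartyId and initialContextId are taken from the partyAdmin
   subtree of RFC 1447 and are an assumption of the example.

```python
"""Added example (editor's illustration, not the draft's own code): the
aclSecurityInfoEntry lookup of section 5 (agent-specific entry first, then
the generic entry for the identity) and completion of the default
party/context OIDs, whose '0 0 0 0' placeholder is replaced by the agent's
IPv4 address.  Table contents, agent ids and addresses are constructed; the
initialPartyId/initialContextId prefixes are assumed from RFC 1447."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

NA_OID = (0, 0)                                   # c-DEFAULToidNA: not applicable
INITIAL_PARTY_ID = (1, 3, 6, 1, 6, 3, 3, 1, 3)    # {partyAdmin 3}, assumed
INITIAL_CONTEXT_ID = (1, 3, 6, 1, 6, 3, 3, 1, 4)  # {partyAdmin 4}, assumed
PLACEHOLDER = (0, 0, 0, 0)                        # stands for the agent's IP address


@dataclass(frozen=True)
class AclSecurityInfoEntry:
    identity: str                    # IimcAclIdentity.identity
    agent_id: Optional[str] = None   # IimcAclIdentity.agentId; None = generic entry
    acl_target: tuple = NA_OID
    acl_subject: tuple = NA_OID
    acl_resources: tuple = NA_OID
    community: bytes = b""           # snmpv1CommunityString; ''H = not SNMPv1


def select_entry(table, identity, agent_id):
    """Step 1: entry specific to this agent; step 2: generic entry; else None."""
    specific = [e for e in table if e.identity == identity and e.agent_id == agent_id]
    if specific:
        return specific[0]
    generic = [e for e in table if e.identity == identity and e.agent_id is None]
    return generic[0] if generic else None


def complete_oid(oid, agent_ip):
    """Fill the '0 0 0 0' of {initialPartyId 0 0 0 0 x} / {initialContextId 0 0 0 0 x}
    with the agent's IP address; any other OID is returned unchanged."""
    for prefix in (INITIAL_PARTY_ID, INITIAL_CONTEXT_ID):
        n = len(prefix)
        if len(oid) == n + 5 and oid[:n] == prefix and oid[n:n + 4] == PLACEHOLDER:
            return prefix + tuple(IPv4Address(agent_ip).packed) + oid[n + 4:]
    return oid


def resolve(table, identity, agent_id, agent_ip):
    """Security parameters the proxy uses towards the agent, or None (deny).

    An entry carries either the SNMPv2 party/context triplet or an SNMPv1
    community string; the unused version keeps its 'not applicable'
    default, so the defaults decide which protocol the entry is for."""
    e = select_entry(table, identity, agent_id)
    if e is None:
        return None
    if NA_OID not in (e.acl_target, e.acl_subject, e.acl_resources):
        return {"version": 2,
                "target": complete_oid(e.acl_target, agent_ip),
                "subject": complete_oid(e.acl_subject, agent_ip),
                "resources": complete_oid(e.acl_resources, agent_ip)}
    if e.community:
        return {"version": 1, "community": e.community}
    return None                      # neither version configured: deny


# Constructed table: John Doe's generic entry (the values of the draft's own
# example) plus an agent-specific SNMPv1 entry for the hypothetical "agent-a".
SAMPLE_TABLE = [
    AclSecurityInfoEntry("John Doe", None,
                         INITIAL_PARTY_ID + PLACEHOLDER + (3,),
                         INITIAL_PARTY_ID + PLACEHOLDER + (4,),
                         INITIAL_CONTEXT_ID + PLACEHOLDER + (2,)),
    AclSecurityInfoEntry("John Doe", "agent-a", community=b"ops-ro"),
]

if __name__ == "__main__":
    print(resolve(SAMPLE_TABLE, "John Doe", "agent-b", "192.0.2.10"))
    print(resolve(SAMPLE_TABLE, "John Doe", "agent-a", "192.0.2.5"))
    print(resolve(SAMPLE_TABLE, "Jane Roe", "agent-a", "192.0.2.5"))
```

   Two checks matter in a real proxy: the fallback to the generic
   entry must happen only when no agent-specific entry exists for the
   identity, never when one exists but is unusable, and an entry that
   is 'not applicable' for both versions must deny rather than fall
   through to a community string of ''H.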
ANNEX B: GLOSSARY

   ACC     Access Control Certificate
   ACL     Access Control List
   ACSE    Association Control Service Element
   ASN.1   Abstract Syntax Notation One
   CCITT   International Telegraph and Telephone Consultative Committee
   CMIP    Common Management Information Protocol
   CMIS    Common Management Information Service
   DN      Distinguished Name
   GDMO    Guidelines for the Definition of Managed Objects
   GNMP    Government Network Management Profile
   IIMC    ISO/CCITT and Internet Management Coexistence
   ISO     International Organization for Standardization
   MD5     Message Digest 5
   MIB     Management Information Base
   MOCS    Managed Object Conformance Statement
   NMF     Network Management Forum
   OID     Object Identifier
   OSI     Open Systems Interconnection
   PDU     Protocol Data Unit
   RDN     Relative Distinguished Name
   RFC     Request For Comments
   SMI     Structure of Management Information
   SNMP    Simple Network Management Protocol
   SNMPv1  Simple Network Management Protocol Version 1
   SNMPv2  Simple Network Management Protocol Version 2
   TCP/IP  Transmission Control Protocol/Internet Protocol

ANNEX C: REFERENCES

   1)  CCITT Recommendation X.700, Management Framework
       Definition for Open Systems Interconnection (OSI).

       ISO/IEC 7498-4: 1989, Information Processing Systems --
       Open Systems Interconnection -- Basic Reference Model --
       Part 4: Management Framework.

   2)  ISO/IEC 8824: 1990, Information Technology -- Open Systems
       Interconnection -- Specification of Abstract Syntax
       Notation One (ASN.1).

   3)  CCITT Recommendation X.209 (1988), Specification of Basic
       Encoding Rules for Abstract Syntax Notation One (ASN.1).

       ISO/IEC 8825: 1990, Information Technology -- Open Systems
       Interconnection -- Specification of Basic Encoding Rules
       for Abstract Syntax Notation One (ASN.1).
   4)  CCITT Recommendation X.500 | ISO/IEC 9594, Information
       Technology -- Open Systems Interconnection -- The Directory
       -- Parts 1-8.

   5)  CCITT Recommendation X.710 (1991), Common Management
       Information Service Definition for CCITT Applications.

       ISO/IEC 9595: 1991, Information Technology -- Open Systems
       Interconnection -- Common Management Information Service
       Definition.

   6)  CCITT Recommendation X.711 | ISO/IEC 9596-1: 1991,
       Information Technology -- Open Systems Interconnection --
       Common Management Information Protocol -- Part 1:
       Specification.

   7)  CCITT Recommendation X.741 (1992) | ISO/IEC DIS 10164-9,
       Information Technology -- Open Systems Interconnection --
       Systems Management -- Part 9: Objects and Attributes for
       Access Control, ISO/IEC JTC1/SC21/N7661, March 1993.

   8)  CCITT Recommendation X.720 (1992) | ISO/IEC 10165-1:
       1992, Information Technology -- Open Systems
       Interconnection -- Structure of Management Information --
       Part 1: Management Information Model.

   9)  CCITT Recommendation X.721 (1992) | ISO/IEC 10165-2:
       1992, Information Technology -- Open Systems
       Interconnection -- Structure of Management Information --
       Part 2: Definition of Management Information.

   10) CCITT Recommendation X.722 (1992) | ISO/IEC 10165-4:
       1992, Information Technology -- Open Systems
       Interconnection -- Structure of Management Information --
       Part 4: Guidelines for the Definition of Managed Objects.

   11) CCITT Recommendation X.724 (1993) | ISO/IEC 10165-6:
       1993, Information Technology -- Open Systems
       Interconnection -- Structure of Management Information --
       Part 6: Requirements and Guidelines for Implementation
       Conformance Statement Proformas Associated with OSI
       Management.

   12) ISO/IEC DIS 10181-3, Information Technology -- OSI
       Security Model -- Part 3: Access Control Framework, 1993.

   13) ISO/IEC CD 11586-1, Information Technology -- Generic
       Upper Layers Security -- Part 1: Overview, Models and
       Notation, November 1992.

   14) ISO/IEC CD 11586-2, Information Technology -- Generic
       Upper Layers Security -- Part 2: Security Exchange Service
       Element (SESE) Service Definition, November 1992.

   15) ISO/IEC CD 11586-3, Information Technology -- Generic
       Upper Layers Security -- Part 3: Security Exchange Service
       Element (SESE) Protocol Specification, November 1992.

   16) ISO/IEC CD 11586-4, Information Technology -- Generic
       Upper Layers Security -- Part 4: Protecting Transfer
       Syntax Specification, November 1992.

   17) NIST Special Publication 500-206, Stable Implementation
       Agreements for Open Systems Interconnection Protocols,
       Version 6, Edition 1, December 1992.

   18) RFC 1155, M. Rose and K. McCloghrie, Structure and
       Identification of Management Information for TCP/IP-based
       Internets, May 1990.

   19) RFC 1157, J.D. Case, M.S. Fedor, M.L. Schoffstall, C.
       Davin, Simple Network Management Protocol (SNMP), May
       1990.

   20) RFC 1212, M. Rose, K. McCloghrie (Editors), Concise MIB
       Definitions, March 1991.

   21) RFC 1213, K. McCloghrie and M. Rose (Editors),
       Management Information Base for Network Management of
       TCP/IP-based Internets: MIB-II, March 1991.

   22) RFC 1215, M. Rose (Editor), A Convention for Defining
       Traps for Use with the SNMP, March 1991.

   23) RFC 1441, J.D. Case, K. McCloghrie, M.T. Rose, S.L.
       Waldbusser, Introduction to Version 2 of the
       Internet-standard Network Management Framework, April
       1993.

   24) RFC 1442, J.D. Case, K. McCloghrie, M.T. Rose, S.L.
       Waldbusser, Structure of Management Information for
       Version 2 of the Simple Network Management Protocol
       (SNMPv2), April 1993.

   25) RFC 1445, J.R. Davin, J.M. Galvin, K. McCloghrie,
       Administrative Model for Version 2 of the Simple Network
       Management Protocol (SNMPv2), April 1993.

   26) RFC 1446, J.M. Galvin, K. McCloghrie, J.R. Davin, Security
       Protocols for Version 2 of the Simple Network Management
       Protocol (SNMPv2), April 1993.

   27) RFC 1447, J.D. Case, K. McCloghrie, M.T. Rose, S.L.
       Waldbusser, Party MIB for Version 2 of the Simple Network
       Management Protocol (SNMPv2), April 1993.

   28) RFC 1448, J.D. Case, K. McCloghrie, M.T. Rose, S.L.
       Waldbusser, Protocol Operations for Version 2 of the
       Simple Network Management Protocol (SNMPv2), April 1993.

   29) RFC 1452, J.D. Case, K. McCloghrie, M.T. Rose, S.L.
       Waldbusser, Coexistence between Version 1 and Version 2
       of the Internet Network Management Framework, April 1993.

   30) Network Management Forum: Forum 029, Translation of
       Internet MIB-II (RFC 1213) to ISO/CCITT GDMO MIB, Issue
       1.0, October 1993.

   31) Network Management Forum: Forum 028, ISO/CCITT to
       Internet Management Proxy, Issue 1.0, 1993.

   32) Network Management Forum: Forum 026, Translation of
       Internet MIBs to ISO/CCITT GDMO MIBs, Issue 1.0, October
       1993.

   33) Network Management Forum: Forum 030, Translation of
       ISO/CCITT GDMO MIBs to Internet MIBs, Issue 1.0, October
       1993.

   34) Network Management Forum: Forum 016, Application
       Services: Security of Management, Issue 1.0, August 1992.

   35) NM Forum and X/Open, ISO/CCITT and Internet Management:
       Coexistence and Interworking Strategy, Issue 1.0,
       October 1992.

   36) ECMA-138, Security in Open Systems: Data Elements and
       Service Definitions, December 1989.

   37) Federal Information Processing Standards Publication
       179 -- Government Network Management Profile v1.0,
       December 1992.

   38) ISO/IEC 7498-2, Information Processing Systems -- Open
       Systems Interconnection -- Basic Reference Model --
       Part 2: Security Architecture.