isms                                                            C. Li
Internet-Draft                                                  Y. Li
Expires: November 27, 2008                        Huawei Technologies
                                                         May 26, 2008


   Simplified View-based Access Control Model (SVACM) for the Simple
                  Network Management Protocol (SNMP)
                       draft-li-isms-svacm-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 27, 2008.

Copyright Notice

   Copyright (C) The Internet Society (2008).

Abstract

   This document introduces a Simplified View-based Access Control Model
   (SVACM) for the Simple Network Management Protocol (SNMP), which is
   useful for the access control application of the SNMP protocol.

   This document describes the procedure of access control in SVACM with
   a Remote Authentication Dial In User Service (RADIUS) server for
   authorization.

   This document also includes a Management Information Base (MIB) for
   remotely managing the configuration parameters for SVACM.

Table of Contents

   1.  Introduction
     1.1.  Motivation
     1.2.  General
   2.  Simplified View-based Access Control Model (SVACM)
     2.1.  Elements of SVACM
       2.1.1.  Groups
       2.1.2.  securityLevel
       2.1.3.  MIB Views
       2.1.4.  Access Policy
     2.2.  Elements of Procedure
       2.2.1.  Overview of isAccessAllowed Process
       2.2.2.  Processing the isAccessAllowed Service Request
   3.  RADIUS authorization for SNMP
   4.  Definitions
   5.  Security Considerations
     5.1.  Recommended Practices
     5.2.  Defining Groups
     5.3.  Conformance
     5.4.  Access to the SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB
   6.  Notation
   7.  Normative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

1.1.  Motivation

   The View-based Access Control Model (VACM) of SNMP [RFC3415] is a
   specific model of the Access Control Subsystem (ACS).  VACM is
   elaborate, comprehensive and agile, but it is difficult to understand
   and configure, and it is not easy for administrators to deploy
   correctly.  The complexity of VACM and its lack of support for RADIUS
   limit its adoption.  The Simplified View-based Access Control Model
   (SVACM) makes the Access Control Model more intuitive and operable.

1.2.  General

   This document defines another specific model of the ACS, designated
   SVACM, which simplifies VACM.  SVACM inherits the basic thinking of
   VACM, but simplifies some parameters and confines the granularity of
   a view to the MIB module level.  SVACM is less flexible than VACM,
   but is simpler and easier to deploy.  SVACM covers the most common
   scenarios, which do not need fine-grained MIB views.  SVACM supports
   RADIUS for the process of authorization.  There is a parallel
   relationship between VACM and SVACM; SVACM is not a replacement for
   VACM.  When administrators need fine-grained access control, VACM
   should be adopted.

   This document also describes the procedure of access control in SVACM
   with a RADIUS [RFC2865] server for authorization, using the RADIUS
   attribute defined in [radman] to carry the access policies.

   It is important to understand the SNMP architecture and the
   terminology of the architecture to understand where the Access
   Control Model described in this memo fits into the architecture and
   interacts with other subsystems and models within the architecture.
   The reader is expected to have read and understood the description
   and terminology of the SNMP architecture, as defined in [RFC3411].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Simplified View-based Access Control Model (SVACM)

   VACM determines the access rights of a group, representing zero or
   more securityNames which have the same access rights.  For a
   particular context, identified by contextName, to which a group,
   identified by groupName, has access using a particular securityModel
   and securityLevel, that group's access rights are given by a read-
   view, a write-view and a notify-view.
   VACM defines the vacmContextTable, which lists the locally available
   contexts by contextName.  An SNMP context is a collection of
   management information accessible by an SNMP engine, but in the
   majority of use cases there are not multiple contexts in a single
   agent.  Moreover, administrators do not understand well what the
   concept of a context represents, so the configuration of contexts is
   difficult.  To be more practical, SVACM no longer considers the
   context parameter in the access control process.  SVACM covers only
   the most common situations; if several contexts are required in one
   agent, VACM is still needed.

   SVACM does not use the securityModel parameter as VACM does.
   SecurityModel is an identifier that uniquely identifies a Security
   Model of the Security Subsystem within this SNMP Management
   Architecture.  In VACM the parameter securityModel is checked in
   vacmSecurityToGroupTable and vacmAccessTable.  SVACM removes the
   securityModel from these two steps; the reasons are described in the
   following sections.

   SVACM inherits the same basic mechanism of groups and views as VACM,
   but changes some details in them to be simpler and easier to deploy.

2.1.  Elements of SVACM

2.1.1.  Groups

   In VACM a group is a set of zero or more (securityModel,
   securityName) tuples on whose behalf SNMP management objects can be
   accessed.  SVACM also uses the group mechanism, but it uses the
   securityName as the only index for the mapping to a groupName.  The
   parameter securityModel is no longer a mapping parameter in the
   group mechanism.

   In VACM, a user using different securityModels could be mapped into
   different groups, and different users using different securityModels
   respectively could be mapped into the same group.  Thus introducing
   securityModel into the group mapping method makes the meaning of a
   group confusing.  In general, a group is a set of users.
   Removing the securityModel parameter from vacmSecurityToGroupTable
   makes the concept of a group clear.  Furthermore, one index in
   vacmSecurityToGroupTable is more straightforward than two indexes.
   The securityModel and securityLevel should indeed be taken into
   account by the access control process.  They may influence the
   access rights of a group via the mapping from group to views, and
   thereby indirectly influence the access rights of a user.  So SVACM
   does not consider the securityModel parameter in the group mapping
   step.

   In SVACM, a securityName is mapped into only one group.  Whether
   this mapping occurs in the local database of the SNMP engine or in
   an outer server depends on the deployment.  In the latter case, the
   outer server, such as a RADIUS server, transports the mapped
   groupName to the SNMP engine.  The procedure of access control in
   SVACM with a RADIUS server is described in Section 3.

2.1.2.  securityLevel

   SVACM uses the same securityLevel parameter as VACM.  SecurityLevel
   identifies the level of security that will be assumed when checking
   for access rights.  Different access rights for members of a group
   can be defined for different levels of security, i.e., noAuthNoPriv,
   authNoPriv, and authPriv.

2.1.3.  MIB Views

   In VACM, a "MIB view" details a specific set of managed object types
   (and optionally, the specific instances of object types).  The
   definition of MIB views in VACM is agile, but configuring the
   vacmViewTreeFamilyTable is complicated.  To configure each MIB view
   in the whole MIB tree, a network administrator must know the MIB
   tree structure clearly and exactly where a certain managed object is
   located.  It is too difficult for network administrators to know all
   these details and to calculate the subtree mask.
   SVACM also uses the definition of a "MIB view" to detail the managed
   object types, but SVACM simplifies MIB views by eliminating include/
   exclude, subtree masks, and ViewTreeFamilies.

   SVACM defines a "MIB view" at a coarse granularity.  Each MIB module
   is defined as a MIB view.  These MIB views are built into the
   svacmViewTable and do not need to be configured by network
   administrators.  For example, OSPF-MIB is a MIB module which has a
   definite OID; SVACM defines OSPF-MIB as a MIB view whose viewName is
   OSPF-MIB.  This view definition method omits the steps of configuring
   the subtree OID and subtree mask.  Administrators who know only the
   MIB module name are able to assign each view the types of access
   (read, write or notify).  It improves human readability.  Moreover,
   since there is no subtree mask and no excluded subtree, checking
   whether a variableName is in a specific MIB view is much faster than
   before.

   There SHOULD be a built-in MIB view in the svacmViewTable which
   represents the whole MIB tree.  Its name could be ALL-MIB or any
   other name.

2.1.4.  Access Policy

   In SVACM, the svacmAccessTable uses only the groupName and
   securityLevel as indexes; the securityModel is discarded.  The
   securityModel is just an identifier of a security model, which does
   not indicate the completeness of a protection measure.  For
   instance, the User-based Security Model (USM) [RFC3414] could be used
   with a securityLevel of authNoPriv or authPriv.  The Transport
   Security Model (TSM) [TSM for SNMP] could also be used with a
   securityLevel of authNoPriv or authPriv.  No one can assert that one
   securityModel is more secure than another.  For a given group,
   assigning different access control rights to different
   securityModels with the same securityLevel is meaningless.
   So the securityLevel is the key factor in the access control process;
   the securityModel is not significant.

   In the vacmAccessTable of VACM, the group's access rights are given
   by a read-view, a write-view or a notify-view.  In SVACM, each view
   includes a MIB-module subtree.  Several views can be assigned to one
   type of access (read, write or notify).  So one group could access
   more than one read-view, more than one write-view or more than one
   notify-view, which are configured in svacmAccessTable.  This
   configuration method of svacmAccessTable reuses each built-in view,
   so it is more convenient and easier to configure.

   Most MIB module names end in -MIB, so it could be simpler for an
   agent to just list "BGP4, OSPF, MPLS, ..." in svacmAccessTable and
   svacmViewTable, and this is useful given the length limitation of
   SnmpAdminString.

2.2.  Elements of Procedure

   This section describes the procedures followed by an Access Control
   Module that deploys SVACM, when checking access rights as requested
   by an application.  The abstract service primitive is:

   statusInformation =             -- success or errorIndication
     isAccessAllowed(
     securityModel                 -- Security Model in use,
                                      unused in SVACM
     securityName                  -- principal who wants access
     securityLevel                 -- Level of Security
     viewType                      -- read, write, or notify view
     contextName                   -- context containing variableName,
                                      unused in SVACM
     variableName                  -- OID for the managed object
     )

   The abstract data elements are:

   statusInformation - one of the following:
     accessAllowed - MIB views were found and access is granted.
     notInAllViews - MIB views were found but access is denied.
                     The variableName is not in any MIB view
                     for the specified viewType (e.g., in the
                     relevant entry of svacmAccessTable).
     noSuchViews   - no MIB view found because no view has been
                     configured for the specified viewType (e.g., in
                     the relevant entry in svacmAccessTable).
     noGroupName   - no MIB view found because no entry has been
                     configured in svacmSecurityToGroupTable
                     for the specified securityName.
     noAccessEntry - no MIB view found because no entry has been
                     configured in svacmAccessTable for the
                     specified groupName (from
                     svacmSecurityToGroupTable).
     otherError    - failure, an undefined error occurred.

2.2.1.  Overview of isAccessAllowed Process

   The following picture shows how the decision for access control is
   made by SVACM.  This process does not check the parameters
   contextName and securityModel, which are unused in SVACM.

   +-----------------------------------------------------------+
   |                                                           |
   |  securityName ---> groupName --+                          |
   |                                |                          |
   |  securityLevel ----------------+-> viewNames -+-> yes/no  |
   |                                |              |  decision |
   |  viewType (read/write/notify)--+              |           |
   |                                               |           |
   |  variableName (OID) --------------------------+           |
   |                                                           |
   +-----------------------------------------------------------+

2.2.2.  Processing the isAccessAllowed Service Request

   This section describes the procedure followed by an Access Control
   module that deploys SVACM whenever it receives an isAccessAllowed
   request.

   1) The svacmSecurityToGroupTable is consulted for mapping the
      securityName into a groupName.  If the information about this
      securityName is absent from the table, then an
      errorIndication (noGroupName) is returned to the calling
      module, and the processing of the request stops.

   2) The svacmAccessTable is consulted for information about the
      groupName and securityLevel.  If information about this
      combination is absent from the table, then an
      errorIndication (noAccessEntry) is returned to the calling
      module, and the processing of the request stops.
   3) a) If the viewType is "read", then the read views are used for
         checking access rights.

      b) If the viewType is "write", then the write views are used
         for checking access rights.

      c) If the viewType is "notify", then the notify views are used
         for checking access rights.

      If the list of view names for the viewType is a zero-length
      string, then an errorIndication (noSuchViews) is returned to the
      calling module, and the processing of the request stops.

   4) a) If one view in the read-view (write-view or notify-view)
         list is not built into the svacmViewTable, ignore it and
         go on to match the other views in the list.  If no view
         configured for the specified viewType is found in
         svacmViewTable, then an errorIndication (noSuchViews) is
         returned to the calling module, and the processing of the
         request stops.

      b) If the specified variableName (object instance) is not in
         the MIB views, then an errorIndication (notInAllViews) is
         returned to the calling module, and the processing of the
         request stops.

      Otherwise,

      c) The specified variableName is in the MIB views.  A
         statusInformation of success (accessAllowed) is returned
         to the calling module.

3.  RADIUS authorization for SNMP

   SVACM is easy to integrate with RADIUS.  When an SNMP engine uses a
   RADIUS server to complete the authorization of access control, the
   SNMP engine takes the role of the NAS from the point of view of the
   RADIUS server.  The mapping from securityName into groupName is done
   by the RADIUS server, instead of by the svacmSecurityToGroupTable of
   SVACM in the SNMP engine.

   [radman] defines a RADIUS attribute Management-Policy-Id which is
   transported in an Access-Accept message, and it indicates the name of
   the management access policy for users.  When SVACM is integrated
   with RADIUS, the Management-Policy-Id attribute indicates the
   groupName which a user belongs to.
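   The decision procedure of Section 2.2.2 (steps 1 through 4), the
   OID-prefix view check of Section 2.1.3, the comma-separated view
   lists of Section 2.1.4 and the RADIUS variant of Section 3, worked
   through in Python as an added example.  This is not code from the
   draft or from its authors.  The table contents, securityNames,
   group names and OID assignments are constructed sample data.  Two
   points are assumptions on my part: the attribute type number for
   Management-Policy-Id is taken from RFC 5607, the published form of
   [radman], and the selection of the svacmAccessTable row follows the
   "minimum level of security required" wording of svacmSecurityLevel
   in Section 4 (the highest configured level not above the request);
   an implementation that insists on an exact index match differs only
   in select_access_row.

```python
"""SVACM access decision engine (added example, not the draft's code).
Implements isAccessAllowed (Section 2.2.2) over the three SVACM tables and
the Section 3 variant where the groupName arrives in a RADIUS Access-Accept.
All tables and OIDs below are constructed sample data."""

# svacmSecurityLevel ordering: noAuthNoPriv < authNoPriv < authPriv.
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

# svacmViewTable: built in by the agent, one MIB module per view (2.1.3);
# ALL-MIB is the built-in view covering the whole tree.
VIEW_TABLE = {
    "ALL-MIB": (1,),
    "SNMPv2-MIB": (1, 3, 6, 1, 2, 1, 1),
    "IF-MIB": (1, 3, 6, 1, 2, 1, 2),
    "OSPF-MIB": (1, 3, 6, 1, 2, 1, 14),
    "BGP4-MIB": (1, 3, 6, 1, 2, 1, 15),
}

# svacmSecurityToGroupTable: securityName -> groupName (Section 2.1.1).
SECURITY_TO_GROUP = {"alice": "ops", "bob": "ro-monitor"}

# svacmAccessTable keyed by (groupName, securityLevel); each view column is
# one SnmpAdminString with a comma-separated list of view names (2.1.4).
ACCESS_TABLE = {
    ("ops", "authPriv"): {"read": "ALL-MIB", "write": "OSPF-MIB,BGP4-MIB",
                          "notify": "ALL-MIB"},
    ("ops", "authNoPriv"): {"read": "SNMPv2-MIB,IF-MIB", "write": "",
                            "notify": ""},
    ("ro-monitor", "noAuthNoPriv"): {"read": "SNMPv2-MIB", "write": "",
                                     "notify": "NO-SUCH-VIEW"},
}

# Attribute type of Management-Policy-Id as assigned in RFC 5607 (the
# published form of [radman]); an assumption here, check your dictionary.
MANAGEMENT_POLICY_ID = 135


def parse_oid(text):
    """'1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0)."""
    return tuple(int(arc) for arc in text.strip(".").split("."))


def in_view(variable_oid, subtree):
    """No include/exclude, no subtree mask: membership is a prefix test."""
    return variable_oid[:len(subtree)] == subtree


def select_access_row(group_name, security_level):
    """Step 2: row with the highest svacmSecurityLevel not above the request
    ('minimum level of security required' in the MIB); None if no row."""
    wanted = LEVELS[security_level]
    rows = [(LEVELS[lvl], row) for (grp, lvl), row in ACCESS_TABLE.items()
            if grp == group_name and LEVELS[lvl] <= wanted]
    return max(rows, key=lambda r: r[0])[1] if rows else None


def is_access_allowed(security_name, security_level, view_type,
                      variable_name, group_name=None):
    """Return a statusInformation value from Section 2.2.  contextName and
    securityModel are absent because SVACM ignores them.  A caller-supplied
    group_name is the mapping an outer server (Section 3) already made."""
    if group_name is None:                           # step 1
        group_name = SECURITY_TO_GROUP.get(security_name)
        if group_name is None:
            return "noGroupName"
    row = select_access_row(group_name, security_level)   # step 2
    if row is None:
        return "noAccessEntry"
    names = row.get(view_type, "")                   # step 3
    if not names:
        return "noSuchViews"
    subtrees = [VIEW_TABLE[n.strip()] for n in names.split(",")   # step 4a
                if n.strip() in VIEW_TABLE]
    if not subtrees:
        return "noSuchViews"
    oid = parse_oid(variable_name)                   # steps 4b / 4c
    return ("accessAllowed" if any(in_view(oid, s) for s in subtrees)
            else "notInAllViews")


def group_from_access_accept(attributes):
    """Walk the Type/Length/Value attributes of an Access-Accept (RFC 2865
    Section 5) and return the Management-Policy-Id text, which SVACM uses
    as the groupName (Section 3).  A malformed length fails closed (None)."""
    pos = 0
    while pos + 2 <= len(attributes):
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2 or pos + alen > len(attributes):
            return None
        if atype == MANAGEMENT_POLICY_ID:
            return attributes[pos + 2:pos + alen].decode("utf-8")
        pos += alen
    return None


def radius_is_access_allowed(security_name, accept_attributes,
                             security_level, view_type, variable_name):
    """Section 3 flow: the SNMP engine (the NAS, as the RADIUS server sees
    it) takes the groupName from the Access-Accept, then continues locally."""
    group_name = group_from_access_accept(accept_attributes)
    if group_name is None:
        return "noGroupName"
    return is_access_allowed(security_name, security_level, view_type,
                             variable_name, group_name=group_name)


# Constructed Access-Accept attribute bytes: User-Name(1) "dave", then
# Management-Policy-Id(135) "ops".
SAMPLE_ACCEPT_ATTRIBUTES = (bytes([1, 6]) + b"dave"
                            + bytes([MANAGEMENT_POLICY_ID, 5]) + b"ops")
```

   With these tables, alice at authPriv may write into the OSPF-MIB
   subtree, but at authNoPriv the same request yields noSuchViews
   because that row carries no write views, and a read of an OSPF
   object at authNoPriv yields notInAllViews.  A securityName absent
   from the RADIUS mapping, or an Access-Accept without a
   Management-Policy-Id, is reported as noGroupName rather than being
   guessed.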
4.  Definitions

   SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       -- OBJECT-GROUP is needed by svacmBasicGroup below
       MODULE-COMPLIANCE, OBJECT-GROUP       FROM SNMPv2-CONF
       MODULE-IDENTITY, OBJECT-TYPE,
       snmpModules                           FROM SNMPv2-SMI
       RowStatus, StorageType                FROM SNMPv2-TC
       SnmpAdminString                       FROM SNMP-FRAMEWORK-MIB;

   snmpSvacmMIB MODULE-IDENTITY
       LAST-UPDATED ""
       ORGANIZATION ""
       CONTACT-INFO "
                    "
       DESCRIPTION  "The management information definitions for the
                     Simplified View-based Access Control Model for
                     SNMP.
                    "
       ::= { snmpModules x }

   -- Administrative assignments *************************************

   svacmMIBObjects      OBJECT IDENTIFIER ::= { snmpSvacmMIB 1 }
   svacmMIBConformance  OBJECT IDENTIFIER ::= { snmpSvacmMIB 2 }

   -- Information about Groups ***************************************

   svacmSecurityToGroupTable OBJECT-TYPE
       SYNTAX       SEQUENCE OF SvacmSecurityToGroupEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "This table maps a securityName into a groupName
                    which is used to define an access control policy
                    for a group of principals.
                   "
       ::= { svacmMIBObjects 1 }

   svacmSecurityToGroupEntry OBJECT-TYPE
       SYNTAX       SvacmSecurityToGroupEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "An entry in this table maps a securityName into a
                    groupName.
                   "
       INDEX       {
                     svacmSecurityName
                   }
       ::= { svacmSecurityToGroupTable 1 }

   SvacmSecurityToGroupEntry ::= SEQUENCE
       {
           svacmSecurityName                SnmpAdminString,
           svacmGroupName                   SnmpAdminString,
           svacmSecurityToGroupStorageType  StorageType,
           svacmSecurityToGroupStatus       RowStatus
       }

   svacmSecurityName OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "The securityName for the principal which is
                    mapped by this entry into a groupName.
                   "
       ::= { svacmSecurityToGroupEntry 1 }

   svacmGroupName OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The name of the group which this entry (the
                    securityName) belongs to.

                    This groupName is used as an index in the
                    svacmAccessTable to select an access control
                    policy.  However, a value in this table does not
                    imply that an instance with the value exists in
                    svacmAccessTable.
                   "
       ::= { svacmSecurityToGroupEntry 2 }

   svacmSecurityToGroupStorageType OBJECT-TYPE
       SYNTAX       StorageType
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The storage type for this conceptual row.
                    Conceptual rows having the value 'permanent' need
                    not allow write-access to any columnar objects in
                    the row.
                   "
       DEFVAL      { nonVolatile }
       ::= { svacmSecurityToGroupEntry 3 }

   svacmSecurityToGroupStatus OBJECT-TYPE
       SYNTAX       RowStatus
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The status of this conceptual row.

                    Until instances of all corresponding columns are
                    appropriately configured, the value of the
                    corresponding instance of the
                    svacmSecurityToGroupStatus column is 'notReady'.

                    In particular, a newly created row cannot be made
                    active until a value has been set for
                    svacmGroupName.

                    The RowStatus TC [RFC2579] requires that this
                    DESCRIPTION clause states under which circumstances
                    other objects in this row can be modified:

                    The value of this object has no effect on whether
                    other objects in this conceptual row can be
                    modified.
                   "
       ::= { svacmSecurityToGroupEntry 4 }

   -- Information about Access Rights ********************************

   svacmAccessTable OBJECT-TYPE
       SYNTAX       SEQUENCE OF SvacmAccessEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "The table of access rights for groups.

                    Each entry is indexed by a groupName and a
                    svacmSecurityLevel.
                    To determine whether access
                    is allowed, one entry from this table needs to
                    be selected and the proper viewNames from that
                    entry must be used for access control checking.
                   "
       ::= { svacmMIBObjects 2 }

   svacmAccessEntry OBJECT-TYPE
       SYNTAX       SvacmAccessEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "An access right configured in the Local
                    Configuration Datastore (LCD) authorizing access
                    to an SNMP engine.

                    Entries in this table can use an instance value for
                    object svacmGroupName even if no entry in table
                    svacmSecurityToGroupTable has a corresponding
                    value for object svacmGroupName.
                   "
       INDEX       { svacmGroupName,
                     svacmSecurityLevel
                   }
       ::= { svacmAccessTable 1 }

   SvacmAccessEntry ::= SEQUENCE
       {
           svacmSecurityLevel           SnmpAdminString,
           svacmAccessReadViewNames     SnmpAdminString,
           svacmAccessWriteViewNames    SnmpAdminString,
           svacmAccessNotifyViewNames   SnmpAdminString,
           svacmAccessStorageType       StorageType,
           svacmAccessStatus            RowStatus
       }

   svacmSecurityLevel OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(0..32))
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "The minimum level of security required in order to
                    gain the access rights allowed by this conceptual
                    row.  A securityLevel of noAuthNoPriv is less than
                    authNoPriv which in turn is less than authPriv."
       ::= { svacmAccessEntry 1 }

   svacmAccessReadViewNames OBJECT-TYPE
       SYNTAX       SnmpAdminString
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The value of an instance of this object identifies
                    the MIB views of the SNMP engine to which this
                    conceptual row authorizes read access.

                    One SnmpAdminString carries a list of Read view
                    names separated by comma.
                    The identified MIB views are the ones for which the
                    svacmViewName has the same value as the instance of
                    this object; if the value is the empty string or if
                    there is no active MIB view having this value of
                    svacmViewName, then no access is granted.
                   "
       DEFVAL      { ''H }   -- the empty string
       ::= { svacmAccessEntry 2 }

   svacmAccessWriteViewNames OBJECT-TYPE
       SYNTAX       SnmpAdminString
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The value of an instance of this object identifies
                    the MIB views of the SNMP engine to which this
                    conceptual row authorizes write access.

                    One SnmpAdminString carries a list of Write view
                    names separated by comma.

                    The identified MIB views are the ones for which the
                    svacmViewName has the same value as the instance of
                    this object; if the value is the empty string or if
                    there is no active MIB view having this value of
                    svacmViewName, then no access is granted.
                   "
       DEFVAL      { ''H }   -- the empty string
       ::= { svacmAccessEntry 3 }

   svacmAccessNotifyViewNames OBJECT-TYPE
       SYNTAX       SnmpAdminString
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The value of an instance of this object identifies
                    the MIB views of the SNMP engine to which this
                    conceptual row authorizes access for notifications.

                    One SnmpAdminString carries a list of Notify view
                    names separated by comma.

                    The identified MIB views are the ones for which the
                    svacmViewName has the same value as the instance of
                    this object; if the value is the empty string or if
                    there is no active MIB view having this value of
                    svacmViewName, then no access is granted.
                   "
       DEFVAL      { ''H }   -- the empty string
       ::= { svacmAccessEntry 4 }

   svacmAccessStorageType OBJECT-TYPE
       SYNTAX       StorageType
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The storage type for this conceptual row.
                    Conceptual rows having the value 'permanent' need
                    not allow write-access to any columnar objects in
                    the row.
                   "
       DEFVAL      { nonVolatile }
       ::= { svacmAccessEntry 5 }

   svacmAccessStatus OBJECT-TYPE
       SYNTAX       RowStatus
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The status of this conceptual row.

                    The RowStatus TC [RFC2579] requires that this
                    DESCRIPTION clause states under which circumstances
                    other objects in this row can be modified:

                    The value of this object has no effect on whether
                    other objects in this conceptual row can be
                    modified.
                   "
       ::= { svacmAccessEntry 6 }

   -- Information about MIB views ************************************

   -- Support for MIB-module-granularity is compulsory.

   svacmMIBViews  OBJECT IDENTIFIER ::= { svacmMIBObjects 3 }

   svacmViewTable OBJECT-TYPE
       SYNTAX       SEQUENCE OF SvacmViewEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "Locally held information about MIB views.  This
                    table is built in by the agent, and cannot be
                    altered or deleted by any administrator.

                    Each MIB view is an included subtree in the unit of
                    a MIB module with a definite OID value, so the
                    definition of each view based on each MIB module
                    can be built into this table.

                    To determine whether a particular object instance is
                    in a particular MIB view, compare the object
                    instance's OBJECT IDENTIFIER with the MIB view's
                    active entry in this table.  If none match, then the
                    object instance is not in the MIB view.  If one
                    matches, then the object instance is included.

                    If an administrator wants to create or delete an
                    entry in the svacmViewTable, then an operation
                    error must be returned.
                   "
       ::= { svacmMIBViews 1 }

   svacmViewEntry OBJECT-TYPE
       SYNTAX       SvacmViewEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "Information on a particular view subtree included
                    in a particular SNMP engine's MIB view.
                    If no conceptual rows exist in this table for a
                    given MIB view (viewName), then an errorIndication
                    (noSuchViews) is returned.
                   "
       INDEX       {
                     svacmViewName
                   }
       ::= { svacmViewTable 1 }

   SvacmViewEntry ::= SEQUENCE
       {
           svacmViewName     SnmpAdminString,
           svacmViewSubtree  OBJECT IDENTIFIER
       }

   svacmViewName OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION "The human readable name for a MIB-module-granularity
                    view.
                   "
       ::= { svacmViewEntry 1 }

   svacmViewSubtree OBJECT-TYPE
       SYNTAX       OBJECT IDENTIFIER
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION "The MIB subtree which defines a MIB-module-
                    granularity view.  Corresponding to each
                    svacmViewName, its OID value is definite and built
                    into svacmViewTable.  It does not need to be
                    configured by administrators.
                   "
       ::= { svacmViewEntry 2 }

   -- Conformance information ****************************************

   svacmMIBCompliances  OBJECT IDENTIFIER ::= { svacmMIBConformance 1 }
   svacmMIBGroups       OBJECT IDENTIFIER ::= { svacmMIBConformance 2 }

   -- Compliance statements ******************************************

   svacmMIBCompliance MODULE-COMPLIANCE
       STATUS       current
       DESCRIPTION "The compliance statement for SNMP engines which
                    deploy the SNMP Simplified View-based Access
                    Control Model configuration MIB.
                   "
       MODULE -- this module
           MANDATORY-GROUPS { svacmBasicGroup }

           OBJECT        svacmAccessReadViewNames
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."

           OBJECT        svacmAccessWriteViewNames
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."

           OBJECT        svacmAccessNotifyViewNames
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."

           OBJECT        svacmAccessStorageType
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."
        OBJECT        svacmAccessStatus
        MIN-ACCESS    read-only
        DESCRIPTION  "Create/delete/modify access to the
                      svacmAccessTable is not required.
                     "
    ::= { svacmMIBCompliances 1 }

-- Units of conformance ***********************************

svacmBasicGroup OBJECT-GROUP
    OBJECTS {
              svacmGroupName,
              svacmSecurityLevel,
              svacmSecurityToGroupStorageType,
              svacmSecurityToGroupStatus,
              svacmAccessReadViewNames,
              svacmAccessWriteViewNames,
              svacmAccessNotifyViewNames,
              svacmAccessStorageType,
              svacmAccessStatus
            }
    STATUS       current
    DESCRIPTION "A collection of objects providing for remote
                configuration of an SNMP engine which deploys
                the SNMP Simplified View-based Access Control Model.
               "
    ::= { svacmMIBGroups 1 }

END

5.  Security Considerations

5.1.  Recommended Practices

   This document is meant for use in the SNMP architecture. The Simplified View-based Access Control Model described in this document checks access rights to management information based on:

   - groupName, representing a set of zero or more securityNames. The securityName is mapped into a group in the Simplified View-based Access Control Model.

   - securityLevel under which access is requested.

   - operation performed on the management information.

   - MIB views for read, write or notify access.

   When the Simplified View-based Access Control Model is called for checking access rights, it is assumed that the calling module has already ensured the authentication and privacy aspects specified by the securityLevel that is being passed, for example by means of the User-based Security Model [RFC3414] or the Transport Security Model [TSM for SNMP]. The access control model does not authenticate the request itself; if it is handed a securityLevel that was not actually enforced, it will apply the access rights of a level the request did not earn.

5.2.  Defining Groups

   The groupNames are used to give access to a group of zero or more securityNames. Within the Simplified View-Based Access Control Model, a groupName is considered to exist if that groupName is listed in the svacmSecurityToGroupTable.
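   The access check whose inputs Section 5.1 lists, together with the securityName-to-group mapping described here and the svacmViewTable membership rule (an object instance is in a module-level view when its OID lies under the view's fixed subtree), carried through as an added example in Python. This is not code from this draft or from any SNMP implementation. The table indexes are assumed to follow VACM's (the draft's own INDEX clauses are not reproduced above), the securityLevel selection rule is assumed to be the one in RFC 3415, and every view name, OID and principal in it is constructed for the example:

```python
"""Toy SVACM access check: added example, not code from the draft.  The
tables the draft describes are modelled as dictionaries; the table indexes,
the securityLevel selection rule and every name/OID are assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class SecurityLevel(IntEnum):
    """Values of the SnmpSecurityLevel TC (RFC 3411)."""
    noAuthNoPriv = 1
    authNoPriv = 2
    authPriv = 3


OID = tuple[int, ...]
USM = 3  # securityModel number of the User-based Security Model (RFC 3411)

# svacmViewTable: built in by the agent, one module-level subtree per view
# name, never writable.  Constructed entries; a real agent ships its own.
BUILTIN_VIEWS: dict[str, OID] = {
    "system":   (1, 3, 6, 1, 2, 1, 1),    # SNMPv2-MIB system group
    "if-mib":   (1, 3, 6, 1, 2, 1, 2),    # IF-MIB interfaces group
    "vacm-mib": (1, 3, 6, 1, 6, 3, 16),   # SNMP-VIEW-BASED-ACM-MIB
}


@dataclass
class AccessEntry:
    """One svacmAccessTable row: its Read/Write/NotifyViewNames columns."""
    read: tuple[str, ...] = ()
    write: tuple[str, ...] = ()
    notify: tuple[str, ...] = ()


@dataclass
class Svacm:
    # (securityModel, securityName) -> groupName; index assumed to follow
    # VACM's vacmSecurityToGroupTable, which the draft parallels.
    security_to_group: dict[tuple[int, str], str] = field(default_factory=dict)
    # (groupName, securityLevel) -> row; SVACM has no contextPrefix index.
    access: dict[tuple[str, SecurityLevel], AccessEntry] = field(default_factory=dict)
    views: dict[str, OID] = field(default_factory=lambda: dict(BUILTIN_VIEWS))

    def set_view(self, name: str, subtree: OID) -> None:
        """Managers may not create, alter or delete view rows."""
        raise PermissionError("svacmViewTable is read-only: operation error")

    def oid_in_view(self, view_name: str, oid: OID) -> bool:
        """An instance is in a view iff its OID lies under the view's subtree."""
        subtree = self.views.get(view_name)
        return subtree is not None and oid[: len(subtree)] == subtree

    def is_access_allowed(self, security_model: int, security_name: str,
                          security_level: SecurityLevel, view_type: str,
                          oid: OID) -> str:
        """Return a VACM-style statusInformation string for the request."""
        group = self.security_to_group.get((security_model, security_name))
        if group is None:
            return "noGroupName"
        # Assumption: as in RFC 3415, rows whose securityLevel is <= the
        # request's are candidates and the highest such level is used.
        levels = [lvl for (g, lvl) in self.access
                  if g == group and lvl <= security_level]
        if not levels:
            return "noAccessEntry"
        view_names = getattr(self.access[(group, max(levels))], view_type)
        if not view_names:
            return "noSuchView"
        if any(self.oid_in_view(v, oid) for v in view_names):
            return "accessAllowed"
        return "notInView"


def demo() -> dict[str, str]:
    """Constructed configuration exercising the points of Sections 5.1/5.2."""
    acm = Svacm()
    acm.security_to_group[(USM, "ops")] = "operators"
    # One row per securityLevel: unauthenticated requests only read the
    # system group; authenticated and encrypted ones may also manage IF-MIB.
    acm.access[("operators", SecurityLevel.noAuthNoPriv)] = AccessEntry(read=("system",))
    acm.access[("operators", SecurityLevel.authPriv)] = AccessEntry(
        read=("system", "if-mib"), write=("if-mib",))
    sys_descr = (1, 3, 6, 1, 2, 1, 1, 1, 0)          # sysDescr.0
    if_admin = (1, 3, 6, 1, 2, 1, 2, 2, 1, 7, 1)     # ifAdminStatus.1
    vacm_col = (1, 3, 6, 1, 6, 3, 16, 1, 2, 1, 3)    # vacmGroupName column
    check = acm.is_access_allowed
    results = {
        "noAuthNoPriv read sysDescr": check(USM, "ops", SecurityLevel.noAuthNoPriv, "read", sys_descr),
        "noAuthNoPriv write ifAdminStatus": check(USM, "ops", SecurityLevel.noAuthNoPriv, "write", if_admin),
        "authPriv write ifAdminStatus": check(USM, "ops", SecurityLevel.authPriv, "write", if_admin),
        "authPriv read vacm column": check(USM, "ops", SecurityLevel.authPriv, "read", vacm_col),
        "unknown user": check(USM, "nobody", SecurityLevel.authPriv, "read", sys_descr),
    }
    try:
        acm.set_view("evil", (1, 3, 6, 1))  # a manager trying to widen a view
    except PermissionError as exc:
        results["create view row"] = str(exc)
    return results
```

   Calling demo() shows the securityLevel point made in this section: the row indexed at noAuthNoPriv grants only reads of the system group, so an unauthenticated write to ifAdminStatus fails with noSuchView even though the same securityName may write it at authPriv, and the read of a VACM column fails with notInView because no module-level view in the row covers that subtree.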
   By mapping the securityName into a groupName, an SNMP Command Generator application can add/delete securityNames to/from a group, if proper access is allowed.

   Further, it is important to realize that the grouping of securityNames in the svacmSecurityToGroupTable does not take securityLevel into account. It is therefore important that the security administrator uses the securityLevel index in the svacmAccessTable to separate noAuthNoPriv from authPriv and/or authNoPriv access: an access entry indexed at noAuthNoPriv grants its rights to unauthenticated requests as well, so write views in particular should only appear in entries indexed at authNoPriv or authPriv.

   There is a parallel relationship between the View-based Access Control Model and the Simplified View-based Access Control Model. An application needs to decide which ACM should be used (VACM or SVACM). The Simplified View-based Access Control Model is intended for scenarios that do not use the context parameter and need only coarse-grained MIB views at MIB-module level. When administrators need fine-grained access control, or several contexts in one agent, the View-based Access Control Model is still needed.

5.3.  Conformance

   For an implementation of the Simplified View-based Access Control Model to be conformant, it MUST implement the SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB according to the svacmMIBCompliance statement.

5.4.  Access to the SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB

   The objects in this MIB control the access to all MIB data that is accessible via the SNMP engine, and they may be considered sensitive in many environments. It is important to closely control (both read and write) access to these MIB objects by using appropriately configured Access Control Models (for example the Simplified View-based Access Control Model as specified in this document). Write access to the svacmSecurityToGroupTable and svacmAccessTable in particular should be limited to administrative principals at the authPriv level, since a principal who can modify them can grant itself access to every other object the engine exposes.

6.  Notation

   None.

7.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2579]  McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.
   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, December 2002.

   [TSM for SNMP]
              Harrington, D., "Transport Security Model for SNMP", draft-ietf-isms-transport-security-model-07 (work in progress), February 2008.

   [radman]   Nelson, D., "Remote Authentication Dial-In User Service (RADIUS) Authorization for Network Access Server (NAS) Management", work in progress, February 2008.

Authors' Addresses

   Chunxiu Li
   Huawei Technologies
   HuaWei Building, No.3 Xinxi Rd., Shang-Di Information Industry Base
   Beijing 100085
   China

   Phone: +86 010 82836081
   Email: lichunxiu@huawei.com
   URI:   http://www.huawei.com

   Yan Li
   Huawei Technologies
   HuaWei Building, No.3 Xinxi Rd., Shang-Di Information Industry Base
   Beijing 100085
   China

   Phone: +86 010 82836074
   Email: liyan_77@huawei.com
   URI:   http://www.huawei.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
   Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the Internet Society.