draft-ietf-isms-dtls-tm-06.txt   draft-ietf-isms-dtls-tm-07.txt 
ISMS W. Hardaker ISMS W. Hardaker
Internet-Draft Sparta, Inc. Internet-Draft Sparta, Inc.
Intended status: Standards Track January 27, 2010 Intended status: Standards Track January 27, 2010
Expires: July 31, 2010 Expires: July 31, 2010
Transport Layer Security (TLS) Transport Model for SNMP Transport Layer Security (TLS) Transport Model for SNMP
draft-ietf-isms-dtls-tm-06.txt draft-ietf-isms-dtls-tm-07.txt
Abstract Abstract
This document describes a Transport Model for the Simple Network This document describes a Transport Model for the Simple Network
Management Protocol (SNMP), that uses either the Transport Layer Management Protocol (SNMP), that uses either the Transport Layer
Security protocol or the Datagram Transport Layer Security (DTLS) Security protocol or the Datagram Transport Layer Security (DTLS)
protocol. The TLS and DTLS protocols provide authentication and protocol. The TLS and DTLS protocols provide authentication and
privacy services for SNMP applications. This document describes how privacy services for SNMP applications. This document describes how
the TLS Transport Model (TLSTM) implements the needed features of a the TLS Transport Model (TLSTM) implements the needed features of a
SNMP Transport Subsystem to make this protection possible in an SNMP Transport Subsystem to make this protection possible in an
skipping to change at page 3, line 36 skipping to change at page 3, line 36
4.4.1.1. tmSecurityName . . . . . . . . . . . . . . . . . . 19 4.4.1.1. tmSecurityName . . . . . . . . . . . . . . . . . . 19
4.4.1.2. tmSessionID . . . . . . . . . . . . . . . . . . . 19 4.4.1.2. tmSessionID . . . . . . . . . . . . . . . . . . . 19
4.4.1.3. Session State . . . . . . . . . . . . . . . . . . 19 4.4.1.3. Session State . . . . . . . . . . . . . . . . . . 19
5. Elements of Procedure . . . . . . . . . . . . . . . . . . . . 19 5. Elements of Procedure . . . . . . . . . . . . . . . . . . . . 19
5.1. Procedures for an Incoming Message . . . . . . . . . . . . 20 5.1. Procedures for an Incoming Message . . . . . . . . . . . . 20
5.1.1. DTLS Processing for Incoming Messages . . . . . . . . 20 5.1.1. DTLS Processing for Incoming Messages . . . . . . . . 20
5.1.2. Transport Processing for Incoming SNMP Messages . . . 22 5.1.2. Transport Processing for Incoming SNMP Messages . . . 22
5.2. Procedures for an Outgoing SNMP Message . . . . . . . . . 23 5.2. Procedures for an Outgoing SNMP Message . . . . . . . . . 23
5.3. Establishing a Session . . . . . . . . . . . . . . . . . . 24 5.3. Establishing a Session . . . . . . . . . . . . . . . . . . 24
5.4. Closing a Session . . . . . . . . . . . . . . . . . . . . 27 5.4. Closing a Session . . . . . . . . . . . . . . . . . . . . 27
6. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 27 6. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 28
6.1. Structure of the MIB Module . . . . . . . . . . . . . . . 28 6.1. Structure of the MIB Module . . . . . . . . . . . . . . . 28
6.2. Textual Conventions . . . . . . . . . . . . . . . . . . . 28 6.2. Textual Conventions . . . . . . . . . . . . . . . . . . . 28
6.3. Statistical Counters . . . . . . . . . . . . . . . . . . . 28 6.3. Statistical Counters . . . . . . . . . . . . . . . . . . . 28
6.4. Configuration Tables . . . . . . . . . . . . . . . . . . . 28 6.4. Configuration Tables . . . . . . . . . . . . . . . . . . . 28
6.4.1. Notifications . . . . . . . . . . . . . . . . . . . . 28 6.4.1. Notifications . . . . . . . . . . . . . . . . . . . . 29
6.5. Relationship to Other MIB Modules . . . . . . . . . . . . 29 6.5. Relationship to Other MIB Modules . . . . . . . . . . . . 29
6.5.1. MIB Modules Required for IMPORTS . . . . . . . . . . . 29 6.5.1. MIB Modules Required for IMPORTS . . . . . . . . . . . 29
7. MIB Module Definition . . . . . . . . . . . . . . . . . . . . 29 7. MIB Module Definition . . . . . . . . . . . . . . . . . . . . 29
8. Operational Considerations . . . . . . . . . . . . . . . . . . 50 8. Operational Considerations . . . . . . . . . . . . . . . . . . 51
8.1. Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 51 8.1. Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 51
8.2. Notification Receiver Credential Selection . . . . . . . . 51 8.2. Notification Receiver Credential Selection . . . . . . . . 52
8.3. contextEngineID Discovery . . . . . . . . . . . . . . . . 52 8.3. contextEngineID Discovery . . . . . . . . . . . . . . . . 52
8.4. Transport Considerations . . . . . . . . . . . . . . . . . 52 8.4. Transport Considerations . . . . . . . . . . . . . . . . . 52
9. Security Considerations . . . . . . . . . . . . . . . . . . . 52 9. Security Considerations . . . . . . . . . . . . . . . . . . . 53
9.1. Certificates, Authentication, and Authorization . . . . . 52 9.1. Certificates, Authentication, and Authorization . . . . . 53
9.2. Use with SNMPv1/SNMPv2c Messages . . . . . . . . . . . . . 53 9.2. Use with SNMPv1/SNMPv2c Messages . . . . . . . . . . . . . 54
9.3. MIB Module Security . . . . . . . . . . . . . . . . . . . 54 9.3. MIB Module Security . . . . . . . . . . . . . . . . . . . 54
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 55 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 56
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 56 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 57
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 57 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 58
12.1. Normative References . . . . . . . . . . . . . . . . . . . 57 12.1. Normative References . . . . . . . . . . . . . . . . . . . 58
12.2. Informative References . . . . . . . . . . . . . . . . . . 58 12.2. Informative References . . . . . . . . . . . . . . . . . . 59
Appendix A. (D)TLS Overview . . . . . . . . . . . . . . . . . . . 59 Appendix A. (D)TLS Overview . . . . . . . . . . . . . . . . . . . 60
A.1. The (D)TLS Record Protocol . . . . . . . . . . . . . . . . 59 A.1. The (D)TLS Record Protocol . . . . . . . . . . . . . . . . 60
A.2. The (D)TLS Handshake Protocol . . . . . . . . . . . . . . 60 A.2. The (D)TLS Handshake Protocol . . . . . . . . . . . . . . 61
Appendix B. PKIX Certificate Infrastructure . . . . . . . . . . . 61 Appendix B. PKIX Certificate Infrastructure . . . . . . . . . . . 62
Appendix C. Target and Notification Configuration Example . . . . 62 Appendix C. Target and Notification Configuration Example . . . . 63
C.1. Configuring the Notification Originator . . . . . . . . . 63 C.1. Configuring the Notification Originator . . . . . . . . . 64
C.2. Configuring the Command Responder . . . . . . . . . . . . 63 C.2. Configuring the Command Responder . . . . . . . . . . . . 64
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 64 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 65
1. Introduction 1. Introduction
It is important to understand the modular SNMPv3 architecture as It is important to understand the modular SNMPv3 architecture as
defined by [RFC3411] and enhanced by the Transport Subsystem defined by [RFC3411] and enhanced by the Transport Subsystem
[RFC5590]. It is also important to understand the terminology of the [RFC5590]. It is also important to understand the terminology of the
SNMPv3 architecture in order to understand where the Transport Model SNMPv3 architecture in order to understand where the Transport Model
described in this document fits into the architecture and how it described in this document fits into the architecture and how it
interacts with the other architecture subsystems. For a detailed interacts with the other architecture subsystems. For a detailed
overview of the documents that describe the current Internet-Standard overview of the documents that describe the current Internet-Standard
skipping to change at page 21, line 47 skipping to change at page 21, line 47
previously (as described both above and in Section 5.3) even if previously (as described both above and in Section 5.3) even if
no message had yet been sent through the newly established no message had yet been sent through the newly established
session. An entry may not exist, however, if a message not session. An entry may not exist, however, if a message not
intended the SNMP entity was routed to it by mistake. An entry intended the SNMP entity was routed to it by mistake. An entry
might also be missing because of a "broken" session (see might also be missing because of a "broken" session (see
operational considerations). operational considerations).
3) Retrieve the tlstmSessionID from the LCD. 3) Retrieve the tlstmSessionID from the LCD.
4) The UDP packet and the tlstmSessionID are passed to DTLS for 4) The UDP packet and the tlstmSessionID are passed to DTLS for
integrity checking and decryption. integrity checking and decryption. If processing does not return
an incomingMessage and an incomingMessageLength then processing
If the message fails integrity checks or other (D)TLS security stops.
processing then increment the tlstmDTLSProtectionErrors counter,
discard and stop processing the message.
5) DTLS should return an incomingMessage and an 5) Retrieve the incomingMessage and an incomingMessageLength from
incomingMessageLength. These results and the tlstmSessionID are DTLS. These results and the tlstmSessionID are used below in
used below in Section 5.1.2 to complete the processing of the Section 5.1.2 to complete the processing of the incoming message.
incoming message.
5.1.2. Transport Processing for Incoming SNMP Messages 5.1.2. Transport Processing for Incoming SNMP Messages
The procedures in this section describe how the TLS Transport Model The procedures in this section describe how the TLS Transport Model
should process messages that have already been properly extracted should process messages that have already been properly extracted
from the (D)TLS stream. Note that care must be taken when processing from the (D)TLS stream. Note that care must be taken when processing
messages originating from either TLS or DTLS to ensure they're messages originating from either TLS or DTLS to ensure they're
complete and single. For example, multiple SNMP messages can be complete and single. For example, multiple SNMP messages can be
passed through a single DTLS message and partial SNMP messages may be passed through a single DTLS message and partial SNMP messages may be
received from a TLS stream. These steps describe the processing of a received from a TLS stream. These steps describe the processing of a
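Review bot: Step 4 of Section 5.1.1 in the -07 column ("If processing does not return an incomingMessage and an incomingMessageLength then processing stops") drops the -06 requirement to increment a protection-error counter and discard the message when (D)TLS integrity checking or decryption fails, so a DTLS-level drop now leaves no trace in the statistics. The -06 text called the counter tlstmDTLSProtectionErrors while the MIB object was named snmpTlstmTLSProtectionErrors; if the intent was to keep the counter, correcting that name mismatch would have been enough. If the removal is deliberate, say explicitly that the message is discarded and where, if anywhere, such failures are counted, since an operator diagnosing silently dropped messages has no other signal from this step.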
skipping to change at page 26, line 5 skipping to change at page 26, line 5
certificate invalidation includes, but is not limited to, certificate invalidation includes, but is not limited to,
cryptographic validation failures and an unexpected presented cryptographic validation failures and an unexpected presented
certificate identity. certificate identity.
3) Once a (D)TLS secured session is established and both sides have 3) Once a (D)TLS secured session is established and both sides have
verified the authenticity of the peer's certificate (e.g. verified the authenticity of the peer's certificate (e.g.
[RFC5280]) then each side will determine and/or check the [RFC5280]) then each side will determine and/or check the
identity of the remote entity using the procedures described identity of the remote entity using the procedures described
below. below.
a) The (D)TLS server side of the connection identifies the a) The (D)TLS server side of the connection increments the
snmpTlstmSessionServerOpens counter and identifies the
authenticated identity from the (D)TLS client's principal authenticated identity from the (D)TLS client's principal
certificate using configuration information from the certificate using configuration information from the
tlstmCertToTSNTable mapping table. The (D)TLS server MUST tlstmCertToTSNTable mapping table. The (D)TLS server MUST
request and expect a certificate from the client and MUST NOT request and expect a certificate from the client and MUST NOT
accept SNMP messages over the (D)TLS session until the client accept SNMP messages over the (D)TLS session until the client
has sent a certificate and it has been authenticated. The has sent a certificate and it has been authenticated. The
resulting derived tmSecurityName is recorded in the resulting derived tmSecurityName is recorded in the
tmStateReference cache as tmSecurityName. The details of the tmStateReference cache as tmSecurityName. The details of the
lookup process are fully described in the DESCRIPTION clause lookup process are fully described in the DESCRIPTION clause
of the tlstmCertToTSNTable MIB object. If any verification of the tlstmCertToTSNTable MIB object. If any verification
fails in any way (for example because of failures in fails in any way (for example because of failures in
cryptographic verification or because of the lack of an cryptographic verification or because of the lack of an
appropriate row in the tlstmCertToTSNTable) then the session appropriate row in the tlstmCertToTSNTable) then the session
establishment MUST fail, the establishment MUST fail, the
snmpTlstmSessionInvalidClientCertificates object is snmpTlstmSessionInvalidClientCertificates object is
incremented and processing stops. incremented. If the session can not be opened for any reason
at all, including cryptographic verification failures, then
the snmpTlstmSessionClientOpenErrors counter is incremented
and processing stops.
b) The (D)TLS client side of the connection MUST verify that the b) The (D)TLS client side of the connection increments the
(D)TLS server's presented certificate is the expected snmpTlstmSessionClientOpens counter. The (D)TLS client side
certificate. The (D)TLS client MUST NOT transmit SNMP of the connection MUST then verify that the (D)TLS server's
messages until the server certificate has been authenticated presented certificate is the expected certificate. The
and the client certificate has been transmitted. (D)TLS client MUST NOT transmit SNMP messages until the
server certificate has been authenticated and the client
certificate has been transmitted.
If the connection is being established from configuration If the connection is being established from configuration
based on SNMP-TARGET-MIB configuration then the procedures in based on SNMP-TARGET-MIB configuration then the procedures in
the tlstmAddrTable DESCRIPTION clause should be followed to the tlstmAddrTable DESCRIPTION clause should be followed to
determine if the presented identity matches the expectations determine if the presented identity matches the expectations
of the configuration. Validation procedures (like the path of the configuration. Validation procedures (like the path
validation procedures defined in [RFC5280] or through the use validation procedures defined in [RFC5280] or through the use
of fingerprints as defined by the tlstmAddrServerIdentity of fingerprints as defined by the tlstmAddrServerIdentity
column) MUST be followed. If a server identity name has been column) MUST be followed. If a server identity name has been
configured in the tlstmAddrServerIdentity column then this configured in the tlstmAddrServerIdentity column then this
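Review bot: In step 3a, which describes the (D)TLS server side, the -07 column increments snmpTlstmSessionClientOpenErrors when the session cannot be opened ("If the session can not be opened for any reason at all, including cryptographic verification failures, then the snmpTlstmSessionClientOpenErrors counter is incremented"), but the MIB in this same revision defines snmpTlstmSessionServerOpenErrors for exactly that case; this reads as a copy of the step 3b sentence and should name snmpTlstmSessionServerOpenErrors. It would also help to state plainly that a rejected client certificate increments both snmpTlstmSessionInvalidClientCertificates and the open-errors counter, since the two sentences read as independent and an implementer may otherwise bump only one of them.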
skipping to change at page 27, line 4 skipping to change at page 27, line 10
configuration and procedures outside the scope of this configuration and procedures outside the scope of this
document should be followed. document should be followed.
(D)TLS provides assurance that the authenticated identity has (D)TLS provides assurance that the authenticated identity has
been signed by a trusted configured certificate authority. been signed by a trusted configured certificate authority.
If verification of the server's certificate fails in any way If verification of the server's certificate fails in any way
(for example because of failures in cryptographic (for example because of failures in cryptographic
verification or the presented identity did not match the verification or the presented identity did not match the
expected named entity) then the session establishment MUST expected named entity) then the session establishment MUST
fail, the snmpTlstmSessionInvalidServerCertificates object is fail, the snmpTlstmSessionInvalidServerCertificates object is
incremented and processing stops. incremented. If the session can not be opened for any reason
at all, including cryptographic verification failures, then
the snmpTlstmSessionClientOpenErrors counter is incremented
and processing stops.
4) The TLSTM-specific session identifier (tlstmSessionID) is set in 4) The TLSTM-specific session identifier (tlstmSessionID) is set in
the tmSessionID of the tmStateReference passed to the TLS the tmSessionID of the tmStateReference passed to the TLS
Transport Model to indicate that the session has been established Transport Model to indicate that the session has been established
successfully and to point to a specific (D)TLS session for future successfully and to point to a specific (D)TLS session for future
use. The tlstmSessionID is also stored in the LCD for later use. The tlstmSessionID is also stored in the LCD for later
lookup during processing of incoming messages (Section 5.1.2). lookup during processing of incoming messages (Section 5.1.2).
Servers that wish to support multiple principals at a particular port Servers that wish to support multiple principals at a particular port
SHOULD make use of a (D)TLS extension that allows server-side SHOULD make use of a (D)TLS extension that allows server-side
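Review bot: The sentence "(D)TLS provides assurance that the authenticated identity has been signed by a trusted configured certificate authority" in the step 3b continuation holds only when the path-validation route is used; the preceding text also allows the server to be matched by a fingerprint configured in tlstmAddrServerIdentity, and in that case no CA need be involved at all. Suggest qualifying it ("when path validation is used") so implementers do not infer that a CA signature is required in the fingerprint case, and consider moving the sentence up next to the validation-procedure text it belongs to.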
skipping to change at page 27, line 34 skipping to change at page 27, line 43
statusInformation = statusInformation =
closeSession( closeSession(
IN tmSessionID -- session ID of the session to be closed IN tmSessionID -- session ID of the session to be closed
) )
The following describes the procedure to follow to close a session The following describes the procedure to follow to close a session
between a client and server. This process is followed by any SNMP between a client and server. This process is followed by any SNMP
engine closing the corresponding SNMP session. engine closing the corresponding SNMP session.
1) Increment the snmpTlstmSessionCloses counter. 1) Increment either the snmpTlstmSessionClientCloses or the
snmpTlstmSessionServerCloses counter as appropriate.
2) Look up the session using the tmSessionID. 2) Look up the session using the tmSessionID.
3) If there is no open session associated with the tmSessionID, then 3) If there is no open session associated with the tmSessionID, then
closeSession processing is completed. closeSession processing is completed.
4) Have (D)TLS close the specified session. This SHOULD include 4) Have (D)TLS close the specified session. This SHOULD include
sending a close_notify TLS Alert to inform the other side that sending a close_notify TLS Alert to inform the other side that
session cleanup may be performed. session cleanup may be performed.
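Review bot: Step 1 of the closeSession procedure now says to increment "either the snmpTlstmSessionClientCloses or the snmpTlstmSessionServerCloses counter as appropriate" but gives no criterion; it should state that the choice depends on whether the local engine acted as the (D)TLS client or the (D)TLS server for the session named by tmSessionID. Note also that the increment happens before the lookup in step 2, so a closeSession for an unknown tmSessionID (step 3) is still counted; that matches the "whether it succeeded or failed" wording in the two DESCRIPTION clauses, but since the role of an unknown session cannot be determined from the LCD, the text should say which counter is used in that case.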
skipping to change at page 35, line 51 skipping to change at page 36, line 16
STATUS current STATUS current
DESCRIPTION "Maps a certificate's CommonName to a DESCRIPTION "Maps a certificate's CommonName to a
tmSecurityName by directly passing the value without tmSecurityName by directly passing the value without
any transformations." any transformations."
::= { tlstmCertToTSNMIdentities 6 } ::= { tlstmCertToTSNMIdentities 6 }
-- The snmpTlstmSession Group -- The snmpTlstmSession Group
snmpTlstmSession OBJECT IDENTIFIER ::= { tlstmObjects 1 } snmpTlstmSession OBJECT IDENTIFIER ::= { tlstmObjects 1 }
snmpTlstmSessionOpens OBJECT-TYPE snmpTlstmSessionClientOpens OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an openSession() request has been "The number of times an openSession() request has been
executed as an (D)TLS client, whether it succeeded or failed." executed as an (D)TLS client, whether it succeeded or failed."
::= { snmpTlstmSession 1 } ::= { snmpTlstmSession 1 }
snmpTlstmSessionCloses OBJECT-TYPE snmpTlstmSessionClientCloses OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times a closeSession() request has been "The number of times a closeSession() request has been
executed as an (D)TLS client, whether it succeeded or failed." executed as an (D)TLS client, whether it succeeded or failed."
::= { snmpTlstmSession 2 } ::= { snmpTlstmSession 2 }
snmpTlstmSessionOpenErrors OBJECT-TYPE snmpTlstmSessionClientOpenErrors OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an openSession() request failed to open a "The number of times an openSession() request failed to open a
session as a (D)TLS client, for any reason." session as a (D)TLS client, for any reason."
::= { snmpTlstmSession 3 } ::= { snmpTlstmSession 3 }
snmpTlstmSessionServerOpens OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of times an openSession request has been
executed as an (D)TLS server, whether it succeeded or failed."
::= { snmpTlstmSession 4 }
snmpTlstmSessionServerCloses OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of times a closeSession() request has been
executed as an (D)TLS server, whether it succeeded or failed."
::= { snmpTlstmSession 5 }
snmpTlstmSessionServerOpenErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of times an openSession() request failed to open a
session as a (D)TLS server for any reason."
::= { snmpTlstmSession 6 }
snmpTlstmSessionNoSessions OBJECT-TYPE snmpTlstmSessionNoSessions OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an outgoing message was dropped because "The number of times an outgoing message was dropped because
the session associated with the passed tmStateReference was no the session associated with the passed tmStateReference was no
longer (or was never) available." longer (or was never) available."
::= { snmpTlstmSession 4 } ::= { snmpTlstmSession 7 }
snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an incoming session was not established "The number of times an incoming session was not established
on an (D)TLS server because the presented client certificate was on an (D)TLS server because the presented client certificate was
invalid. Reasons for invalidation include, but are not invalid. Reasons for invalidation include, but are not
limited to, cryptographic validation failures or lack of a limited to, cryptographic validation failures or lack of a
suitable mapping row in the tlstmCertToTSNTable." suitable mapping row in the tlstmCertToTSNTable."
::= { snmpTlstmSession 5 } ::= { snmpTlstmSession 8 }
snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an outgoing session was not established "The number of times an outgoing session was not established
on an (D)TLS client because the server certificate presented on an (D)TLS client because the server certificate presented
by a SNMP over (D)TLS server was invalid because no by a SNMP over (D)TLS server was invalid because no
configured fingerprint or CA was acceptable to validate it. configured fingerprint or CA was acceptable to validate it.
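Review bot: Renumbering the existing objects (snmpTlstmSessionNoSessions moves from { snmpTlstmSession 4 } to { snmpTlstmSession 7 } and the certificate counters shift by three) instead of appending the new server-side counters after the existing ones means an agent built from -06 and a manager compiled against -07 will disagree on what sub-identifier 4 denotes; acceptable while the module is still a draft, but the change log should call it out. Minor: the DESCRIPTION of snmpTlstmSessionServerOpens says "openSession request" where every sibling object says "openSession() request".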
skipping to change at page 37, line 12 skipping to change at page 38, line 4
snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an outgoing session was not established "The number of times an outgoing session was not established
on an (D)TLS client because the server certificate presented on an (D)TLS client because the server certificate presented
by a SNMP over (D)TLS server was invalid because no by a SNMP over (D)TLS server was invalid because no
configured fingerprint or CA was acceptable to validate it. configured fingerprint or CA was acceptable to validate it.
This may result because there was no entry in the This may result because there was no entry in the
tlstmAddrTable or because no path could be found to a known tlstmAddrTable or because no path could be found to a known
certificate authority." certificate authority."
::= { snmpTlstmSession 6 } ::= { snmpTlstmSession 9 }
snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an outgoing session was not established "The number of times an outgoing session was not established
on an (D)TLS client because the server certificate presented on an (D)TLS client because the server certificate presented
by an SNMP over (D)TLS server could not be validated even if by an SNMP over (D)TLS server could not be validated even if
the fingerprint or expected validation path was known. I.E., the fingerprint or expected validation path was known. I.E.,
a cryptographic validation error occurred during certificate a cryptographic validation error occurred during certificate
validation processing. validation processing.
Reasons for invalidation include, but are not Reasons for invalidation include, but are not
limited to, cryptographic validation failures." limited to, cryptographic validation failures."
::= { snmpTlstmSession 7 } ::= { snmpTlstmSession 10 }
snmpTlstmSessionInvalidCaches OBJECT-TYPE snmpTlstmSessionInvalidCaches OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of outgoing messages dropped because the "The number of outgoing messages dropped because the
tmStateReference referred to an invalid cache." tmStateReference referred to an invalid cache."
::= { snmpTlstmSession 8 } ::= { snmpTlstmSession 11 }
snmpTlstmTLSProtectionErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of times (D)TLS processing resulted in a message
being discarded because it failed its integrity test,
decryption processing or other (D)TLS processing."
::= { snmpTlstmSession 9 }
-- Configuration Objects -- Configuration Objects
tlstmConfig OBJECT IDENTIFIER ::= { tlstmObjects 2 } tlstmConfig OBJECT IDENTIFIER ::= { tlstmObjects 2 }
-- Certificate mapping -- Certificate mapping
tlstmCertificateMapping OBJECT IDENTIFIER ::= { tlstmConfig 1 } tlstmCertificateMapping OBJECT IDENTIFIER ::= { tlstmConfig 1 }
tlstmCertToTSNCount OBJECT-TYPE tlstmCertToTSNCount OBJECT-TYPE
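Review bot: snmpTlstmTLSProtectionErrors is deleted from the session group with no replacement, so after this change there is no counter for messages the (D)TLS layer discards for failing integrity checking or decryption, the one failure class an operator cannot observe from the peer's side. If the intent is that such failures are surfaced only through the (D)TLS implementation's own diagnostics, Section 5.1.1 should say so; otherwise keep the object (placed after snmpTlstmSessionInvalidCaches so the other sub-identifiers are unaffected) and restore the increment in Section 5.1.1 step 4.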
skipping to change at page 49, line 23 skipping to change at page 50, line 5
tlstmIncomingGroup, tlstmIncomingGroup,
tlstmOutgoingGroup, tlstmOutgoingGroup,
tlstmNotificationGroup } tlstmNotificationGroup }
::= { tlstmCompliances 1 } ::= { tlstmCompliances 1 }
-- ************************************************ -- ************************************************
-- Units of conformance -- Units of conformance
-- ************************************************ -- ************************************************
tlstmStatsGroup OBJECT-GROUP tlstmStatsGroup OBJECT-GROUP
OBJECTS { OBJECTS {
snmpTlstmSessionOpens, snmpTlstmSessionClientOpens,
snmpTlstmSessionCloses, snmpTlstmSessionClientCloses,
snmpTlstmSessionOpenErrors, snmpTlstmSessionClientOpenErrors,
snmpTlstmSessionServerOpens,
snmpTlstmSessionServerCloses,
snmpTlstmSessionServerOpenErrors,
snmpTlstmSessionNoSessions, snmpTlstmSessionNoSessions,
snmpTlstmSessionInvalidClientCertificates, snmpTlstmSessionInvalidClientCertificates,
snmpTlstmSessionUnknownServerCertificate, snmpTlstmSessionUnknownServerCertificate,
snmpTlstmSessionInvalidServerCertificates, snmpTlstmSessionInvalidServerCertificates,
snmpTlstmSessionInvalidCaches, snmpTlstmSessionInvalidCaches
snmpTlstmTLSProtectionErrors
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects for maintaining "A collection of objects for maintaining
statistical information of an SNMP engine which statistical information of an SNMP engine which
implements the SNMP TLS Transport Model." implements the SNMP TLS Transport Model."
::= { tlstmGroups 1 } ::= { tlstmGroups 1 }
tlstmIncomingGroup OBJECT-GROUP tlstmIncomingGroup OBJECT-GROUP
OBJECTS { OBJECTS {
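Review bot: tlstmStatsGroup now lists eleven objects that line up with sub-identifiers 1 through 11 of snmpTlstmSession, and snmpTlstmTLSProtectionErrors is dropped from the group in step with its removal above, so the conformance section is consistent with the object definitions in this revision. One thing to verify before publication is that no MODULE-COMPLIANCE OBJECT clause elsewhere in the module still references the old names snmpTlstmSessionOpens, snmpTlstmSessionCloses or snmpTlstmSessionOpenErrors, since those no longer exist.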
 End of changes. 26 change blocks. 
62 lines changed or deleted 89 lines changed or added

This html diff was produced by rfcdiff 1.37c. The latest version is available from http://tools.ietf.org/tools/rfcdiff/