draft-ietf-isms-dtls-tm-07.txt   draft-ietf-isms-dtls-tm-08.txt 
ISMS W. Hardaker ISMS W. Hardaker
Internet-Draft Sparta, Inc. Internet-Draft Sparta, Inc.
Intended status: Standards Track January 27, 2010 Intended status: Standards Track February 2, 2010
Expires: July 31, 2010 Expires: August 6, 2010
Transport Layer Security (TLS) Transport Model for SNMP Transport Layer Security (TLS) Transport Model for SNMP
draft-ietf-isms-dtls-tm-07.txt draft-ietf-isms-dtls-tm-08.txt
Abstract Abstract
This document describes a Transport Model for the Simple Network This document describes a Transport Model for the Simple Network
Management Protocol (SNMP), that uses either the Transport Layer Management Protocol (SNMP), that uses either the Transport Layer
Security protocol or the Datagram Transport Layer Security (DTLS) Security protocol or the Datagram Transport Layer Security (DTLS)
protocol. The TLS and DTLS protocols provide authentication and protocol. The TLS and DTLS protocols provide authentication and
privacy services for SNMP applications. This document describes how privacy services for SNMP applications. This document describes how
the TLS Transport Model (TLSTM) implements the needed features of a the TLS Transport Model (TLSTM) implements the needed features of a
SNMP Transport Subsystem to make this protection possible in an SNMP Transport Subsystem to make this protection possible in an
skipping to change at page 2, line 9 skipping to change at page 2, line 9
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 31, 2010. This Internet-Draft will expire on August 6, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 34 skipping to change at page 3, line 34
4.4. Cached Information and References . . . . . . . . . . . . 18 4.4. Cached Information and References . . . . . . . . . . . . 18
4.4.1. TLS Transport Model Cached Information . . . . . . . . 18 4.4.1. TLS Transport Model Cached Information . . . . . . . . 18
4.4.1.1. tmSecurityName . . . . . . . . . . . . . . . . . . 19 4.4.1.1. tmSecurityName . . . . . . . . . . . . . . . . . . 19
4.4.1.2. tmSessionID . . . . . . . . . . . . . . . . . . . 19 4.4.1.2. tmSessionID . . . . . . . . . . . . . . . . . . . 19
4.4.1.3. Session State . . . . . . . . . . . . . . . . . . 19 4.4.1.3. Session State . . . . . . . . . . . . . . . . . . 19
5. Elements of Procedure . . . . . . . . . . . . . . . . . . . . 19 5. Elements of Procedure . . . . . . . . . . . . . . . . . . . . 19
5.1. Procedures for an Incoming Message . . . . . . . . . . . . 20 5.1. Procedures for an Incoming Message . . . . . . . . . . . . 20
5.1.1. DTLS Processing for Incoming Messages . . . . . . . . 20 5.1.1. DTLS Processing for Incoming Messages . . . . . . . . 20
5.1.2. Transport Processing for Incoming SNMP Messages . . . 22 5.1.2. Transport Processing for Incoming SNMP Messages . . . 22
5.2. Procedures for an Outgoing SNMP Message . . . . . . . . . 23 5.2. Procedures for an Outgoing SNMP Message . . . . . . . . . 23
5.3. Establishing a Session . . . . . . . . . . . . . . . . . . 24 5.3. Establishing or Accepting a Session . . . . . . . . . . . 25
5.4. Closing a Session . . . . . . . . . . . . . . . . . . . . 27 5.3.1. Establishing a Session as a Client . . . . . . . . . . 25
5.3.2. Accepting a Session as a Server . . . . . . . . . . . 27
5.4. Closing a Session . . . . . . . . . . . . . . . . . . . . 28
6. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 28 6. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 28
6.1. Structure of the MIB Module . . . . . . . . . . . . . . . 28 6.1. Structure of the MIB Module . . . . . . . . . . . . . . . 28
6.2. Textual Conventions . . . . . . . . . . . . . . . . . . . 28 6.2. Textual Conventions . . . . . . . . . . . . . . . . . . . 29
6.3. Statistical Counters . . . . . . . . . . . . . . . . . . . 28 6.3. Statistical Counters . . . . . . . . . . . . . . . . . . . 29
6.4. Configuration Tables . . . . . . . . . . . . . . . . . . . 28 6.4. Configuration Tables . . . . . . . . . . . . . . . . . . . 29
6.4.1. Notifications . . . . . . . . . . . . . . . . . . . . 29 6.4.1. Notifications . . . . . . . . . . . . . . . . . . . . 29
6.5. Relationship to Other MIB Modules . . . . . . . . . . . . 29 6.5. Relationship to Other MIB Modules . . . . . . . . . . . . 29
6.5.1. MIB Modules Required for IMPORTS . . . . . . . . . . . 29 6.5.1. MIB Modules Required for IMPORTS . . . . . . . . . . . 30
7. MIB Module Definition . . . . . . . . . . . . . . . . . . . . 29 7. MIB Module Definition . . . . . . . . . . . . . . . . . . . . 30
8. Operational Considerations . . . . . . . . . . . . . . . . . . 51 8. Operational Considerations . . . . . . . . . . . . . . . . . . 51
8.1. Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 51 8.1. Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 52
8.2. Notification Receiver Credential Selection . . . . . . . . 52 8.2. Notification Receiver Credential Selection . . . . . . . . 52
8.3. contextEngineID Discovery . . . . . . . . . . . . . . . . 52 8.3. contextEngineID Discovery . . . . . . . . . . . . . . . . 53
8.4. Transport Considerations . . . . . . . . . . . . . . . . . 52 8.4. Transport Considerations . . . . . . . . . . . . . . . . . 53
9. Security Considerations . . . . . . . . . . . . . . . . . . . 53 9. Security Considerations . . . . . . . . . . . . . . . . . . . 53
9.1. Certificates, Authentication, and Authorization . . . . . 53 9.1. Certificates, Authentication, and Authorization . . . . . 53
9.2. Use with SNMPv1/SNMPv2c Messages . . . . . . . . . . . . . 54 9.2. Use with SNMPv1/SNMPv2c Messages . . . . . . . . . . . . . 54
9.3. MIB Module Security . . . . . . . . . . . . . . . . . . . 54 9.3. MIB Module Security . . . . . . . . . . . . . . . . . . . 55
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 56 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 56
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 57 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 57
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 58 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 58
12.1. Normative References . . . . . . . . . . . . . . . . . . . 58 12.1. Normative References . . . . . . . . . . . . . . . . . . . 58
12.2. Informative References . . . . . . . . . . . . . . . . . . 59 12.2. Informative References . . . . . . . . . . . . . . . . . . 59
Appendix A. (D)TLS Overview . . . . . . . . . . . . . . . . . . . 60 Appendix A. (D)TLS Overview . . . . . . . . . . . . . . . . . . . 60
A.1. The (D)TLS Record Protocol . . . . . . . . . . . . . . . . 60 A.1. The (D)TLS Record Protocol . . . . . . . . . . . . . . . . 60
A.2. The (D)TLS Handshake Protocol . . . . . . . . . . . . . . 61 A.2. The (D)TLS Handshake Protocol . . . . . . . . . . . . . . 61
Appendix B. PKIX Certificate Infrastructure . . . . . . . . . . . 62 Appendix B. PKIX Certificate Infrastructure . . . . . . . . . . . 62
Appendix C. Target and Notification Configuration Example . . . . 63 Appendix C. Target and Notification Configuration Example . . . . 63
skipping to change at page 19, line 15 skipping to change at page 19, line 15
4.4.1.1. tmSecurityName 4.4.1.1. tmSecurityName
The tmSecurityName MUST be a human-readable name (in snmpAdminString The tmSecurityName MUST be a human-readable name (in snmpAdminString
format) representing the identity that has been set according to the format) representing the identity that has been set according to the
procedures in Section 5. The tmSecurityName MUST be constant for all procedures in Section 5. The tmSecurityName MUST be constant for all
traffic passing through an TLSTM session. Messages MUST NOT be sent traffic passing through an TLSTM session. Messages MUST NOT be sent
through an existing (D)TLS session that was established using a through an existing (D)TLS session that was established using a
different tmSecurityName. different tmSecurityName.
On the (D)TLS server side of a connection the tmSecurityName is On the (D)TLS server side of a connection the tmSecurityName is
derived using the procedures described in Section 5.3 and the TLSTM- derived using the procedures described in Section 5.3.2 and the
MIB's tlstmCertToTSNTable DESCRIPTION clause. TLSTM-MIB's tlstmCertToTSNTable DESCRIPTION clause.
On the (D)TLS client side of a connection the tmSecurityName is On the (D)TLS client side of a connection the tmSecurityName is
presented to the TLS Transport Model by the application (possibly presented to the TLS Transport Model by the application (possibly
because of configuration specified in the SNMP-TARGET-MIB). because of configuration specified in the SNMP-TARGET-MIB).
The securityName MAY be derived from the tmSecurityName by a Security The securityName MAY be derived from the tmSecurityName by a Security
Model and MAY be used to configure notifications and access controls Model and MAY be used to configure notifications and access controls
in MIB modules. Transport Models SHOULD generate a predictable in MIB modules. Transport Models SHOULD generate a predictable
tmSecurityName so operators will know what to use when configuring tmSecurityName so operators will know what to use when configuring
MIB modules that use securityNames derived from tmSecurityNames. MIB modules that use securityNames derived from tmSecurityNames.
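Review bot: the server-side sentence now points at Section 5.3.2, but the client-side paragraph that follows still says only where the tmSecurityName comes from (the application or SNMP-TARGET-MIB) without pointing at Section 5.3.1, where the client procedure that consumes it now lives; add the matching reference so both halves of the split are reachable from here. Also, "passing through an TLSTM session" should read "passing through a TLSTM session" in both columns.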
skipping to change at page 22, line 21 skipping to change at page 22, line 21
The procedures in this section describe how the TLS Transport Model The procedures in this section describe how the TLS Transport Model
should process messages that have already been properly extracted should process messages that have already been properly extracted
from the (D)TLS stream. Note that care must be taken when processing from the (D)TLS stream. Note that care must be taken when processing
messages originating from either TLS or DTLS to ensure they're messages originating from either TLS or DTLS to ensure they're
complete and single. For example, multiple SNMP messages can be complete and single. For example, multiple SNMP messages can be
passed through a single DTLS message and partial SNMP messages may be passed through a single DTLS message and partial SNMP messages may be
received from a TLS stream. These steps describe the processing of a received from a TLS stream. These steps describe the processing of a
singular SNMP message after it has been delivered from the (D)TLS singular SNMP message after it has been delivered from the (D)TLS
stream. stream.
1) Create a tmStateReference cache for the subsequent reference and 1) Determine the tlstmSessionID for the incoming message. The
tlstmSessionID MUST be a unique session identifier for this
(D)TLS connection. The contents and format of this identifier
are implementation-dependent as long as it is unique to the
session. A session identifier MUST NOT be reused until all
references to it are no longer in use. The tmSessionID is equal
to the tlstmSessionID discussed in Section 5.1.1. tmSessionID
refers to the session identifier when stored in the
tmStateReference and tlstmSessionID refers to the session
identifier when stored in the LCD. They MUST always be equal
when processing a given session's traffic.
If this is the first message received through this session and
the session does not have an assigned tlstmSessionID yet then the
snmpTlstmSessionAccepts counter is incremented and a
tlstmSessionID for the session is created. This will only happen
on the server side of a connection because a client would have
already assigned a tlstmSessionID during the openSession()
invocation. Implementations may have performed the procedures
described in Section 5.3.2 prior to this point or they may
perform them now, but the procedures described in Section 5.3.2
MUST be performed before continuing beyond this point.
2) Create a tmStateReference cache for the subsequent reference and
assign the following values within it: assign the following values within it:
tmTransportDomain = snmpTLSTCPDomain, snmpDTLSUDPDomain or tmTransportDomain = snmpTLSTCPDomain, snmpDTLSUDPDomain or
snmpDTLSSCTPDomain as appropriate. snmpDTLSSCTPDomain as appropriate.
tmTransportAddress = The address the message originated from. tmTransportAddress = The address the message originated from.
tmSecurityLevel = The derived tmSecurityLevel for the session, tmSecurityLevel = The derived tmSecurityLevel for the session,
as discussed in Section 3.1.2 and Section 5.3. as discussed in Section 3.1.2 and Section 5.3.
tmSecurityName = The derived tmSecurityName for the session as tmSecurityName = The derived tmSecurityName for the session as
discussed in Section 5.3. This value MUST be constant during discussed in Section 5.3. This value MUST be constant during
the lifetime of the (D)TLS session. the lifetime of the (D)TLS session.
tmSessionID = The tlstmSessionID, which MUST be a unique session tmSessionID = The tlstmSessionID described in step 1 above.
identifier for this (D)TLS connection. The contents and
format of this identifier are implementation-dependent as long
as it is unique to the session. A session identifier MUST NOT
be reused until all references to it are no longer in use.
The tmSessionID is equal to the tlstmSessionID discussed in
Section 5.1.1. tmSessionID refers to the session identifier
when stored in the tmStateReference and tlstmSessionID refers
to the session identifier when stored in the LCD. They MUST
always be equal when processing a given session's traffic.
2) The incomingMessage and incomingMessageLength are assigned values 3) The incomingMessage and incomingMessageLength are assigned values
from the (D)TLS processing. from the (D)TLS processing.
3) The TLS Transport Model passes the transportDomain, 4) The TLS Transport Model passes the transportDomain,
transportAddress, incomingMessage, and incomingMessageLength to transportAddress, incomingMessage, and incomingMessageLength to
the Dispatcher using the receiveMessage ASI: the Dispatcher using the receiveMessage ASI:
statusInformation = statusInformation =
receiveMessage( receiveMessage(
IN transportDomain -- snmpTLSTCPDomain, snmpDTLSUDPDomain, IN transportDomain -- snmpTLSTCPDomain, snmpDTLSUDPDomain,
-- or snmpDTLSSCTPDomain -- or snmpDTLSSCTPDomain
IN transportAddress -- address for the received message IN transportAddress -- address for the received message
IN incomingMessage -- the whole SNMP message from (D)TLS IN incomingMessage -- the whole SNMP message from (D)TLS
IN incomingMessageLength -- the length of the SNMP message IN incomingMessageLength -- the length of the SNMP message
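Review bot: in the new step 1, snmpTlstmSessionAccepts is incremented and a tlstmSessionID assigned as soon as the first message arrives on a session without one, before the Section 5.3.2 procedures (client certificate authentication and tmSecurityName derivation) are required to have completed, so a session whose client certificate is then rejected has still been counted as accepted; either move the increment after the "MUST be performed before continuing beyond this point" sentence or state explicitly that the counter counts (D)TLS sessions reaching this step regardless of the outcome of those checks. Step 2 still cites Section 5.3 for the derived tmSecurityLevel and tmSecurityName; on the server side those values are now produced by Section 5.3.2 (and on the client side by Section 5.3.1), so update both references. snmpTlstmSessionAccepts is a new counter name in this revision; check that the MIB module in Section 7 defines it.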
skipping to change at page 24, line 9 skipping to change at page 24, line 27
3) If tmSameSecurity is true and either tmSessionID is undefined or 3) If tmSameSecurity is true and either tmSessionID is undefined or
refers to a session that is no longer open then increment the refers to a session that is no longer open then increment the
snmpTlstmSessionNoSessions counter, discard the message and snmpTlstmSessionNoSessions counter, discard the message and
return the error indication in the statusInformation. Processing return the error indication in the statusInformation. Processing
of this message stops. of this message stops.
4) If tmSameSecurity is false and tmSessionID refers to a session 4) If tmSameSecurity is false and tmSessionID refers to a session
that is no longer available then an implementation SHOULD open a that is no longer available then an implementation SHOULD open a
new session using the openSession() ASI (described in greater new session using the openSession() ASI (described in greater
detail in step 4b). Instead of opening a new session an detail in step 5b). Instead of opening a new session an
implementation MAY return a snmpTlstmSessionNoSessions error to implementation MAY return a snmpTlstmSessionNoSessions error to
the calling module and stop processing of the message. the calling module and stop processing of the message.
5) If tmSessionID is undefined, then use tmTransportDomain, 5) If tmSessionID is undefined, then use tmTransportDomain,
tmTransportAddress, tmSecurityName and tmRequestedSecurityLevel tmTransportAddress, tmSecurityName and tmRequestedSecurityLevel
to see if there is a corresponding entry in the LCD suitable to to see if there is a corresponding entry in the LCD suitable to
send the message over. send the message over.
5a) If there is a corresponding LCD entry, then this session 5a) If there is a corresponding LCD entry, then this session
will be used to send the message. will be used to send the message.
5b) If there is not a corresponding LCD entry, then open a 5b) If there is not a corresponding LCD entry, then open a
session using the openSession() ASI (discussed further in session using the openSession() ASI (discussed further in
Section 5.3). Implementations MAY wish to offer message Section 5.3.1). Implementations MAY wish to offer message
buffering to prevent redundant openSession() calls for the buffering to prevent redundant openSession() calls for the
same cache entry. If an error is returned from same cache entry. If an error is returned from
openSession(), then discard the message, discard the openSession(), then discard the message, discard the
tmStateReference, increment the snmpTlstmSessionOpenErrors, tmStateReference, increment the snmpTlstmSessionOpenErrors,
return an error indication to the calling module and stop return an error indication to the calling module and stop
processing of the message. processing of the message.
6) Using either the session indicated by the tmSessionID if there 6) Using either the session indicated by the tmSessionID if there
was one or the session resulting from a previous step (4 or 5), was one or the session resulting from a previous step (4 or 5),
pass the outgoingMessage to (D)TLS for encapsulation and pass the outgoingMessage to (D)TLS for encapsulation and
transmission. transmission.
5.3. Establishing a Session 5.3. Establishing or Accepting a Session
The TLS Transport Model provides the following primitive to establish Establishing a (D)TLS session as either a client or a server requires
a new (D)TLS session: slightly different processing. The following two sections describe
the necessary processing steps.
5.3.1. Establishing a Session as a Client
The TLS Transport Model provides the following primitive for use by a
client to establish a new (D)TLS session:
statusInformation = -- errorIndication or success statusInformation = -- errorIndication or success
openSession( openSession(
IN tmStateReference -- transport information to be used IN tmStateReference -- transport information to be used
OUT tmStateReference -- transport information to be used OUT tmStateReference -- transport information to be used
IN maxMessageSize -- of the sending SNMP entity IN maxMessageSize -- of the sending SNMP entity
) )
The following describes the procedure to follow when establishing a The following describes the procedure to follow when establishing a
SNMP over (D)TLS session between SNMP engines for exchanging SNMP SNMP over (D)TLS session between SNMP engines for exchanging SNMP
messages. This process is followed by any SNMP engine establishing a messages. This process is followed by any SNMP client's engine when
session for subsequent use. establishing a session for subsequent use.
This MAY be done automatically for an SNMP application that initiates This MAY be done automatically for an SNMP application that initiates
a transaction, such as a command generator, a notification a transaction, such as a command generator, a notification
originator, or a proxy forwarder. originator, or a proxy forwarder.
1) The client selects the appropriate certificate and cipher_suites 1) The snmpTlstmSessionOpens counter is incremented.
2) The client selects the appropriate certificate and cipher_suites
for the key agreement based on the tmSecurityName and the for the key agreement based on the tmSecurityName and the
tmRequestedSecurityLevel for the session. For sessions being tmRequestedSecurityLevel for the session. For sessions being
established as a result of a SNMP-TARGET-MIB based operation, the established as a result of a SNMP-TARGET-MIB based operation, the
certificate will potentially have been identified via the certificate will potentially have been identified via the
tlstmParamsTable mapping and the cipher_suites will have to be tlstmParamsTable mapping and the cipher_suites will have to be
taken from system-wide or implementation-specific configuration. taken from system-wide or implementation-specific configuration.
Otherwise, the certificate and appropriate cipher_suites will Otherwise, the certificate and appropriate cipher_suites will
need to be passed to the openSession() ASI as supplemental need to be passed to the openSession() ASI as supplemental
information or configured through an implementation-dependent information or configured through an implementation-dependent
mechanism. It is also implementation-dependent and possibly mechanism. It is also implementation-dependent and possibly
policy-dependent how tmRequestedSecurityLevel will be used to policy-dependent how tmRequestedSecurityLevel will be used to
influence the security capabilities provided by the (D)TLS influence the security capabilities provided by the (D)TLS
session. However this is done, the security capabilities session. However this is done, the security capabilities
provided by (D)TLS MUST be at least as high as the level of provided by (D)TLS MUST be at least as high as the level of
security indicated by the tmRequestedSecurityLevel parameter. security indicated by the tmRequestedSecurityLevel parameter.
The actual security level of the session is reported in the The actual security level of the session is reported in the
tmStateReference cache as tmSecurityLevel. For (D)TLS to provide tmStateReference cache as tmSecurityLevel. For (D)TLS to provide
strong authentication, each principal acting as a command strong authentication, each principal acting as a command
generator SHOULD have its own certificate. generator SHOULD have its own certificate.
2) Using the destTransportDomain and destTransportAddress values, 3) Using the destTransportDomain and destTransportAddress values,
the client will initiate the (D)TLS handshake protocol to the client will initiate the (D)TLS handshake protocol to
establish session keys for message integrity and encryption. establish session keys for message integrity and encryption.
If the attempt to establish a session is unsuccessful, then If the attempt to establish a session is unsuccessful, then
snmpTlstmSessionOpenErrors is incremented, an error indication is snmpTlstmSessionOpenErrors is incremented, an error indication is
returned, and processing stops. If the session failed to open returned, and processing stops. If the session failed to open
because the presented server certificate was unknown or invalid because the presented server certificate was unknown or invalid
then the snmpTlstmSessionUnknownServerCertificate or then the snmpTlstmSessionUnknownServerCertificate or
snmpTlstmSessionInvalidServerCertificates MUST be incremented and snmpTlstmSessionInvalidServerCertificates MUST be incremented and
a tlstmServerCertificateUnknown or tlstmServerInvalidCertificate a tlstmServerCertificateUnknown or tlstmServerInvalidCertificate
notification SHOULD be sent as appropriate. Reasons for server notification SHOULD be sent as appropriate. Reasons for server
certificate invalidation includes, but is not limited to, certificate invalidation includes, but is not limited to,
cryptographic validation failures and an unexpected presented cryptographic validation failures and an unexpected presented
certificate identity. certificate identity.
3) Once a (D)TLS secured session is established and both sides have 4) The (D)TLS client MUST then verify that the (D)TLS server's
verified the authenticity of the peer's certificate (e.g. presented certificate is the expected certificate. The (D)TLS
[RFC5280]) then each side will determine and/or check the client MUST NOT transmit SNMP messages until the server
identity of the remote entity using the procedures described certificate has been authenticated and the client certificate has
below. been transmitted.
a) The (D)TLS server side of the connection increments the
snmpTlstmSessionServerOpens counter and identifies the
authenticated identity from the (D)TLS client's principal
certificate using configuration information from the
tlstmCertToTSNTable mapping table. The (D)TLS server MUST
request and expect a certificate from the client and MUST NOT
accept SNMP messages over the (D)TLS session until the client
has sent a certificate and it has been authenticated. The
resulting derived tmSecurityName is recorded in the
tmStateReference cache as tmSecurityName. The details of the
lookup process are fully described in the DESCRIPTION clause
of the tlstmCertToTSNTable MIB object. If any verification
fails in any way (for example because of failures in
cryptographic verification or because of the lack of an
appropriate row in the tlstmCertToTSNTable) then the session
establishment MUST fail, the
snmpTlstmSessionInvalidClientCertificates object is
incremented. If the session can not be opened for any reason
at all, including cryptographic verification failures, then
the snmpTlstmSessionClientOpenErrors counter is incremented
and processing stops.
b) The (D)TLS client side of the connection increments the
snmpTlstmSessionClientOpens counter. The (D)TLS client side
of the connection MUST then verify that the (D)TLS server's
presented certificate is the expected certificate. The
(D)TLS client MUST NOT transmit SNMP messages until the
server certificate has been authenticated and the client
certificate has been transmitted.
If the connection is being established from configuration If the connection is being established from configuration based
based on SNMP-TARGET-MIB configuration then the procedures in on SNMP-TARGET-MIB configuration then the procedures in the
the tlstmAddrTable DESCRIPTION clause should be followed to tlstmAddrTable DESCRIPTION clause should be followed to determine
determine if the presented identity matches the expectations if the presented identity matches the expectations of the
of the configuration. Validation procedures (like the path configuration. Validation procedures (like the path validation
validation procedures defined in [RFC5280] or through the use procedures defined in [RFC5280] or through the use of
of fingerprints as defined by the tlstmAddrServerIdentity fingerprints as defined by the tlstmAddrServerIdentity column)
column) MUST be followed. If a server identity name has been MUST be followed. If a server identity name has been configured
configured in the tlstmAddrServerIdentity column then this in the tlstmAddrServerIdentity column then this reference
reference identity must be compared against the presented identity must be compared against the presented identity (for
identity (for example using procedures described in example using procedures described in
[I-D.saintandre-tls-server-id-check]). [I-D.saintandre-tls-server-id-check]).
If the connection is being established for other reasons then If the connection is being established for reasons other than
configuration and procedures outside the scope of this configuration found in the SNMP-TARGET-MIB then configuration and
document should be followed. procedures outside the scope of this document should be followed.
(D)TLS provides assurance that the authenticated identity has 5) (D)TLS provides assurance that the authenticated identity has
been signed by a trusted configured certificate authority. been signed by a trusted configured certificate authority. If
If verification of the server's certificate fails in any way verification of the server's certificate fails in any way (for
(for example because of failures in cryptographic example because of failures in cryptographic verification or the
verification or the presented identity did not match the presented identity did not match the expected named entity) then
expected named entity) then the session establishment MUST the session establishment MUST fail, the
fail, the snmpTlstmSessionInvalidServerCertificates object is snmpTlstmSessionInvalidServerCertificates object is incremented.
incremented. If the session can not be opened for any reason If the session can not be opened for any reason at all, including
at all, including cryptographic verification failures, then cryptographic verification failures, then the
the snmpTlstmSessionClientOpenErrors counter is incremented snmpTlstmSessionOpenErrors counter is incremented and processing
and processing stops. stops.
4) The TLSTM-specific session identifier (tlstmSessionID) is set in 6) The TLSTM-specific session identifier (tlstmSessionID) is set in
the tmSessionID of the tmStateReference passed to the TLS the tmSessionID of the tmStateReference passed to the TLS
Transport Model to indicate that the session has been established Transport Model to indicate that the session has been established
successfully and to point to a specific (D)TLS session for future successfully and to point to a specific (D)TLS session for future
use. The tlstmSessionID is also stored in the LCD for later use. The tlstmSessionID is also stored in the LCD for later
lookup during processing of incoming messages (Section 5.1.2). lookup during processing of incoming messages (Section 5.1.2).
5.3.2. Accepting a Session as a Server
A (D)TLS server should accept new session connections from any client
that it is able to verify the client's credentials for. This is done
by authenticating the client's presented certificate through a
certificate path validation process (e.g. [RFC5280]) or through
certificate fingerprint verification using fingerprints configure in
the tlstmCertToTSNTable. Afterward the server will determine the
identity of the remote entity using the following procedures.
The (D)TLS server identifies the authenticated identity from the
(D)TLS client's principal certificate using configuration information
from the tlstmCertToTSNTable mapping table. The (D)TLS server MUST
request and expect a certificate from the client and MUST NOT accept
SNMP messages over the (D)TLS session until the client has sent a
certificate and it has been authenticated. The resulting derived
tmSecurityName is recorded in the tmStateReference cache as
tmSecurityName. The details of the lookup process are fully
described in the DESCRIPTION clause of the tlstmCertToTSNTable MIB
object. If any verification fails in any way (for example because of
failures in cryptographic verification or because of the lack of an
appropriate row in the tlstmCertToTSNTable) then the session
establishment MUST fail, the
snmpTlstmSessionInvalidClientCertificates object is incremented. If
the session can not be opened for any reason at all, including
cryptographic verification failures, then the
snmpTlstmSessionOpenErrors counter is incremented and processing
stops.
Servers that wish to support multiple principals at a particular port Servers that wish to support multiple principals at a particular port
SHOULD make use of a (D)TLS extension that allows server-side SHOULD make use of a (D)TLS extension that allows server-side
principal selection like the Server Name Indication extension defined principal selection like the Server Name Indication extension defined
in Section 3.1 of [RFC4366]. Supporting this will allow, for in Section 3.1 of [RFC4366]. Supporting this will allow, for
example, sending notifications to a specific principal at a given example, sending notifications to a specific principal at a given
TCP, UDP or SCTP port. TCP, UDP or SCTP port.
5.4. Closing a Session 5.4. Closing a Session
The TLS Transport Model provides the following primitive to close a The TLS Transport Model provides the following primitive to close a
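Review bot: the whole of Section 5.3.2 (Accepting a Session as a Server) appears only in the left column, so -08 removes the sentence "The (D)TLS server MUST request and expect a certificate from the client and MUST NOT accept SNMP messages over the (D)TLS session until the client has sent a certificate and it has been authenticated." Unless that text was moved to a section this diff does not show, the only normative statement requiring client certificate authentication, and the description of the tlstmCertToTSNTable lookup for incoming sessions, are gone; please confirm where it went or restore the paragraph. The removed text also had an internal counting problem worth not carrying forward: on a bad client certificate it incremented snmpTlstmSessionInvalidClientCertificates and then, "for any reason at all", snmpTlstmSessionOpenErrors as well, which double counts and conflicts with the -08 DESCRIPTION of snmpTlstmSessionOpenErrors ("as a (D)TLS client"). If the section is restored, the server-side failure should increment only snmpTlstmSessionInvalidClientCertificates.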
skipping to change at page 30, line 4 skipping to change at page 30, line 30
OBJECT-IDENTITY, snmpModules, snmpDomains, OBJECT-IDENTITY, snmpModules, snmpDomains,
Counter32, Unsigned32, NOTIFICATION-TYPE Counter32, Unsigned32, NOTIFICATION-TYPE
FROM SNMPv2-SMI FROM SNMPv2-SMI
TEXTUAL-CONVENTION, TimeStamp, RowStatus, StorageType, TEXTUAL-CONVENTION, TimeStamp, RowStatus, StorageType,
AutonomousType AutonomousType
FROM SNMPv2-TC FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
FROM SNMPv2-CONF FROM SNMPv2-CONF
SnmpAdminString SnmpAdminString
FROM SNMP-FRAMEWORK-MIB FROM SNMP-FRAMEWORK-MIB
snmpTargetParamsName, snmpTargetAddrName snmpTargetParamsName, snmpTargetAddrName
FROM SNMP-TARGET-MIB FROM SNMP-TARGET-MIB
; ;
tlstmMIB MODULE-IDENTITY tlstmMIB MODULE-IDENTITY
LAST-UPDATED "201001270000Z" LAST-UPDATED "201002020000Z"
ORGANIZATION "ISMS Working Group" ORGANIZATION "ISMS Working Group"
CONTACT-INFO "WG-EMail: isms@lists.ietf.org CONTACT-INFO "WG-EMail: isms@lists.ietf.org
Subscribe: isms-request@lists.ietf.org Subscribe: isms-request@lists.ietf.org
Chairs: Chairs:
Juergen Schoenwaelder Juergen Schoenwaelder
Jacobs University Bremen Jacobs University Bremen
Campus Ring 1 Campus Ring 1
28725 Bremen 28725 Bremen
Germany Germany
skipping to change at page 31, line 9 skipping to change at page 31, line 37
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this MIB module is part of RFC XXXX; This version of this MIB module is part of RFC XXXX;
see the RFC itself for full legal notices." see the RFC itself for full legal notices."
-- NOTE to RFC editor: replace XXXX with actual RFC number -- NOTE to RFC editor: replace XXXX with actual RFC number
-- for this document and remove this note -- for this document and remove this note
REVISION "201001270000Z" REVISION "201002020000Z"
DESCRIPTION "The initial version, published in RFC XXXX." DESCRIPTION "The initial version, published in RFC XXXX."
-- NOTE to RFC editor: replace XXXX with actual RFC number -- NOTE to RFC editor: replace XXXX with actual RFC number
-- for this document and remove this note -- for this document and remove this note
::= { snmpModules xxxx } ::= { snmpModules xxxx }
-- RFC Ed.: replace xxxx with IANA-assigned number and -- RFC Ed.: replace xxxx with IANA-assigned number and
-- remove this note -- remove this note
-- ************************************************ -- ************************************************
-- subtrees of the TLSTM-MIB -- subtrees of the TLSTM-MIB
skipping to change at page 36, line 16 skipping to change at page 36, line 45
STATUS current STATUS current
DESCRIPTION "Maps a certificate's CommonName to a DESCRIPTION "Maps a certificate's CommonName to a
tmSecurityName by directly passing the value without tmSecurityName by directly passing the value without
any transformations." any transformations."
::= { tlstmCertToTSNMIdentities 6 } ::= { tlstmCertToTSNMIdentities 6 }
-- The snmpTlstmSession Group -- The snmpTlstmSession Group
snmpTlstmSession OBJECT IDENTIFIER ::= { tlstmObjects 1 } snmpTlstmSession OBJECT IDENTIFIER ::= { tlstmObjects 1 }
snmpTlstmSessionClientOpens OBJECT-TYPE snmpTlstmSessionOpens OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an openSession() request has been "The number of times an openSession() request has been executed
executed as an (D)TLS client, whether it succeeded or failed." as an (D)TLS client, regardless of whether it succeeded or
failed."
::= { snmpTlstmSession 1 } ::= { snmpTlstmSession 1 }
snmpTlstmSessionClientCloses OBJECT-TYPE snmpTlstmSessionClientCloses OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times a closeSession() request has been "The number of times a closeSession() request has been
executed as an (D)TLS client, whether it succeeded or failed." executed as an (D)TLS client, regardless of whether it
succeeded or failed."
::= { snmpTlstmSession 2 } ::= { snmpTlstmSession 2 }
snmpTlstmSessionClientOpenErrors OBJECT-TYPE snmpTlstmSessionOpenErrors OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an openSession() request failed to open a "The number of times an openSession() request failed to open a
session as a (D)TLS client, for any reason." session as a (D)TLS client, for any reason."
::= { snmpTlstmSession 3 } ::= { snmpTlstmSession 3 }
snmpTlstmSessionServerOpens OBJECT-TYPE snmpTlstmSessionAccepts OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an openSession request has been "The number of times a server has accepted a (D)TLS session and
executed as an (D)TLS server, whether it succeeded or failed." at least one SNMP message has been accepted through it."
::= { snmpTlstmSession 4 } ::= { snmpTlstmSession 4 }
snmpTlstmSessionServerCloses OBJECT-TYPE snmpTlstmSessionServerCloses OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times a closeSession() request has been "The number of times a closeSession() request has been
executed as an (D)TLS server, whether it succeeded or failed." executed as an (D)TLS server, regardless of whether it
succeeded or failed."
::= { snmpTlstmSession 5 } ::= { snmpTlstmSession 5 }
snmpTlstmSessionServerOpenErrors OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of times an openSession() request failed to open a
session as a (D)TLS server for any reason."
::= { snmpTlstmSession 6 }
snmpTlstmSessionNoSessions OBJECT-TYPE snmpTlstmSessionNoSessions OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an outgoing message was dropped because "The number of times an outgoing message was dropped because
the session associated with the passed tmStateReference was no the session associated with the passed tmStateReference was no
longer (or was never) available." longer (or was never) available."
::= { snmpTlstmSession 7 } ::= { snmpTlstmSession 6 }
snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an incoming session was not established "The number of times an incoming session was not established
on an (D)TLS server because the presented client certificate was on an (D)TLS server because the presented client certificate was
invalid. Reasons for invalidation include, but are not invalid. Reasons for invalidation include, but are not
limited to, cryptographic validation failures or lack of a limited to, cryptographic validation failures or lack of a
suitable mapping row in the tlstmCertToTSNTable." suitable mapping row in the tlstmCertToTSNTable."
::= { snmpTlstmSession 8 } ::= { snmpTlstmSession 7 }
snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an outgoing session was not established "The number of times an outgoing session was not established
on an (D)TLS client because the server certificate presented on an (D)TLS client because the server certificate presented
by a SNMP over (D)TLS server was invalid because no by a SNMP over (D)TLS server was invalid because no
configured fingerprint or CA was acceptable to validate it. configured fingerprint or CA was acceptable to validate it.
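Review bot: renaming snmpTlstmSessionClientOpens to snmpTlstmSessionOpens and snmpTlstmSessionClientOpenErrors to snmpTlstmSessionOpenErrors drops "Client" from the object names while both DESCRIPTION clauses still say "as a (D)TLS client", so the names now suggest they also cover accepted sessions; either keep the Client prefix or reword the descriptions to match the names. snmpTlstmSessionAccepts also changes meaning, from an attempt counter ("executed as an (D)TLS server, whether it succeeded or failed") to a success counter that fires only once "at least one SNMP message has been accepted through it", and the incoming-message processing text needs to name the exact point at which that increment happens or implementations will disagree by one. Because snmpTlstmSessionServerOpenErrors is deleted in the same hunk, a server-side handshake that fails for any reason other than the client certificate (the snmpTlstmSessionInvalidClientCertificates case) is now counted nowhere; consider retaining a server open-error counter or widening the InvalidClientCertificates description.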
skipping to change at page 38, line 4 skipping to change at page 38, line 28
snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an outgoing session was not established "The number of times an outgoing session was not established
on an (D)TLS client because the server certificate presented on an (D)TLS client because the server certificate presented
by a SNMP over (D)TLS server was invalid because no by a SNMP over (D)TLS server was invalid because no
configured fingerprint or CA was acceptable to validate it. configured fingerprint or CA was acceptable to validate it.
This may result because there was no entry in the This may result because there was no entry in the
tlstmAddrTable or because no path could be found to a known tlstmAddrTable or because no path could be found to a known
certificate authority." certificate authority."
::= { snmpTlstmSession 9 } ::= { snmpTlstmSession 8 }
snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of times an outgoing session was not established "The number of times an outgoing session was not established
on an (D)TLS client because the server certificate presented on an (D)TLS client because the server certificate presented
by an SNMP over (D)TLS server could not be validated even if by an SNMP over (D)TLS server could not be validated even if
the fingerprint or expected validation path was known. I.E., the fingerprint or expected validation path was known. I.E.,
a cryptographic validation error occurred during certificate a cryptographic validation error occurred during certificate
validation processing. validation processing.
Reasons for invalidation include, but are not Reasons for invalidation include, but are not
limited to, cryptographic validation failures." limited to, cryptographic validation failures."
::= { snmpTlstmSession 10 } ::= { snmpTlstmSession 9 }
snmpTlstmSessionInvalidCaches OBJECT-TYPE snmpTlstmSessionInvalidCaches OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The number of outgoing messages dropped because the "The number of outgoing messages dropped because the
tmStateReference referred to an invalid cache." tmStateReference referred to an invalid cache."
::= { snmpTlstmSession 11 } ::= { snmpTlstmSession 10 }
-- Configuration Objects -- Configuration Objects
tlstmConfig OBJECT IDENTIFIER ::= { tlstmObjects 2 } tlstmConfig OBJECT IDENTIFIER ::= { tlstmObjects 2 }
-- Certificate mapping -- Certificate mapping
tlstmCertificateMapping OBJECT IDENTIFIER ::= { tlstmConfig 1 } tlstmCertificateMapping OBJECT IDENTIFIER ::= { tlstmConfig 1 }
tlstmCertToTSNCount OBJECT-TYPE tlstmCertToTSNCount OBJECT-TYPE
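Review bot: closing the gap left by the removed object (snmpTlstmSessionNoSessions 7 to 6 through snmpTlstmSessionInvalidCaches 11 to 10) is acceptable only because the module is still registered at "snmpModules xxxx" and nothing has been published; once an RFC number and IANA arc are assigned, SMIv2 rules forbid reusing or shifting these sub-identifiers, so any later removal must deprecate the object and leave its number unused. The second snmpTlstmSessionUnknownServerCertificate block after the "skipping to change at page 38" marker is rfcdiff repeating context around the changed OID line, not a duplicate definition in the module.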
skipping to change at page 50, line 5 skipping to change at page 50, line 25
tlstmIncomingGroup, tlstmIncomingGroup,
tlstmOutgoingGroup, tlstmOutgoingGroup,
tlstmNotificationGroup } tlstmNotificationGroup }
::= { tlstmCompliances 1 } ::= { tlstmCompliances 1 }
-- ************************************************ -- ************************************************
-- Units of conformance -- Units of conformance
-- ************************************************ -- ************************************************
tlstmStatsGroup OBJECT-GROUP tlstmStatsGroup OBJECT-GROUP
OBJECTS { OBJECTS {
snmpTlstmSessionClientOpens, snmpTlstmSessionOpens,
snmpTlstmSessionClientCloses, snmpTlstmSessionClientCloses,
snmpTlstmSessionClientOpenErrors, snmpTlstmSessionOpenErrors,
snmpTlstmSessionServerOpens, snmpTlstmSessionAccepts,
snmpTlstmSessionServerCloses, snmpTlstmSessionServerCloses,
snmpTlstmSessionServerOpenErrors,
snmpTlstmSessionNoSessions, snmpTlstmSessionNoSessions,
snmpTlstmSessionInvalidClientCertificates, snmpTlstmSessionInvalidClientCertificates,
snmpTlstmSessionUnknownServerCertificate, snmpTlstmSessionUnknownServerCertificate,
snmpTlstmSessionInvalidServerCertificates, snmpTlstmSessionInvalidServerCertificates,
snmpTlstmSessionInvalidCaches snmpTlstmSessionInvalidCaches
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects for maintaining "A collection of objects for maintaining
statistical information of an SNMP engine which statistical information of an SNMP engine which
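Review bot: the OBJECTS list of tlstmStatsGroup now lists snmpTlstmSessionOpens, snmpTlstmSessionOpenErrors and snmpTlstmSessionAccepts and drops snmpTlstmSessionServerOpenErrors, which matches the definitions earlier in the diff. Before publication, check that no other clause still uses the old names snmpTlstmSessionClientOpens, snmpTlstmSessionClientOpenErrors, snmpTlstmSessionServerOpens or snmpTlstmSessionServerOpenErrors, including the processing steps in Section 5 (the client step above already switched to snmpTlstmSessionOpenErrors) and any text that describes when snmpTlstmSessionAccepts is incremented, since a stale reference would fail MIB compilation or leave a counter with no defined increment point.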
 End of changes. 47 change blocks. 
132 lines changed or deleted 146 lines changed or added

This html diff was produced by rfcdiff 1.37c. The latest version is available from http://tools.ietf.org/tools/rfcdiff/