draft-ietf-isms-dtls-tm-12.txt   draft-ietf-isms-dtls-tm-13.txt 
ISMS W. Hardaker ISMS W. Hardaker
Internet-Draft Sparta, Inc. Internet-Draft Sparta, Inc.
Intended status: Standards Track May 6, 2010 Intended status: Standards Track May 7, 2010
Expires: November 7, 2010 Expires: November 8, 2010
Transport Layer Security (TLS) Transport Model for the Simple Network Transport Layer Security (TLS) Transport Model for the Simple Network
Management Protocol (SNMP) Management Protocol (SNMP)
draft-ietf-isms-dtls-tm-12.txt draft-ietf-isms-dtls-tm-13.txt
Abstract Abstract
This document describes a Transport Model for the Simple Network This document describes a Transport Model for the Simple Network
Management Protocol (SNMP), that uses either the Transport Layer Management Protocol (SNMP), that uses either the Transport Layer
Security protocol or the Datagram Transport Layer Security (DTLS) Security protocol or the Datagram Transport Layer Security (DTLS)
protocol. The TLS and DTLS protocols provide authentication and protocol. The TLS and DTLS protocols provide authentication and
privacy services for SNMP applications. This document describes how privacy services for SNMP applications. This document describes how
the TLS Transport Model (TLSTM) implements the needed features of a the TLS Transport Model (TLSTM) implements the needed features of a
SNMP Transport Subsystem to make this protection possible in an SNMP Transport Subsystem to make this protection possible in an
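Review bot: "the needed features of a SNMP Transport Subsystem" in the Abstract should read "an SNMP Transport Subsystem" (SNMP is read with an initial vowel sound, and RFC 3411 and the Transport Subsystem specification both write "an SNMP"); the only other difference in this block is the version and date bump from -12 to -13, which is consistent between the header, the expiry line and the Internet-Draft footer text.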
skipping to change at page 2, line 10 skipping to change at page 2, line 10
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on November 7, 2010. This Internet-Draft will expire on November 8, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 28 skipping to change at page 3, line 28
4.1. X.509 Certificates . . . . . . . . . . . . . . . . . . . . 15 4.1. X.509 Certificates . . . . . . . . . . . . . . . . . . . . 15
4.1.1. Provisioning for the Certificate . . . . . . . . . . . 15 4.1.1. Provisioning for the Certificate . . . . . . . . . . . 15
4.2. (D)TLS Usage . . . . . . . . . . . . . . . . . . . . . . . 17 4.2. (D)TLS Usage . . . . . . . . . . . . . . . . . . . . . . . 17
4.3. SNMP Services . . . . . . . . . . . . . . . . . . . . . . 17 4.3. SNMP Services . . . . . . . . . . . . . . . . . . . . . . 17
4.3.1. SNMP Services for an Outgoing Message . . . . . . . . 18 4.3.1. SNMP Services for an Outgoing Message . . . . . . . . 18
4.3.2. SNMP Services for an Incoming Message . . . . . . . . 19 4.3.2. SNMP Services for an Incoming Message . . . . . . . . 19
4.4. Cached Information and References . . . . . . . . . . . . 19 4.4. Cached Information and References . . . . . . . . . . . . 19
4.4.1. TLS Transport Model Cached Information . . . . . . . . 20 4.4.1. TLS Transport Model Cached Information . . . . . . . . 20
4.4.1.1. tmSecurityName . . . . . . . . . . . . . . . . . . 20 4.4.1.1. tmSecurityName . . . . . . . . . . . . . . . . . . 20
4.4.1.2. tmSessionID . . . . . . . . . . . . . . . . . . . 20 4.4.1.2. tmSessionID . . . . . . . . . . . . . . . . . . . 20
4.4.1.3. Session State . . . . . . . . . . . . . . . . . . 20 4.4.1.3. Session State . . . . . . . . . . . . . . . . . . 21
5. Elements of Procedure . . . . . . . . . . . . . . . . . . . . 21 5. Elements of Procedure . . . . . . . . . . . . . . . . . . . . 21
5.1. Procedures for an Incoming Message . . . . . . . . . . . . 21 5.1. Procedures for an Incoming Message . . . . . . . . . . . . 21
5.1.1. DTLS over UDP Processing for Incoming Messages . . . . 21 5.1.1. DTLS over UDP Processing for Incoming Messages . . . . 22
5.1.2. Transport Processing for Incoming SNMP Messages . . . 23 5.1.2. Transport Processing for Incoming SNMP Messages . . . 23
5.2. Procedures for an Outgoing SNMP Message . . . . . . . . . 24 5.2. Procedures for an Outgoing SNMP Message . . . . . . . . . 24
5.3. Establishing or Accepting a Session . . . . . . . . . . . 26 5.3. Establishing or Accepting a Session . . . . . . . . . . . 26
5.3.1. Establishing a Session as a Client . . . . . . . . . . 26 5.3.1. Establishing a Session as a Client . . . . . . . . . . 26
5.3.2. Accepting a Session as a Server . . . . . . . . . . . 28 5.3.2. Accepting a Session as a Server . . . . . . . . . . . 28
5.4. Closing a Session . . . . . . . . . . . . . . . . . . . . 29 5.4. Closing a Session . . . . . . . . . . . . . . . . . . . . 29
6. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 29 6. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 29
6.1. Structure of the MIB Module . . . . . . . . . . . . . . . 30 6.1. Structure of the MIB Module . . . . . . . . . . . . . . . 30
6.2. Textual Conventions . . . . . . . . . . . . . . . . . . . 30 6.2. Textual Conventions . . . . . . . . . . . . . . . . . . . 30
6.3. Statistical Counters . . . . . . . . . . . . . . . . . . . 30 6.3. Statistical Counters . . . . . . . . . . . . . . . . . . . 30
6.4. Configuration Tables . . . . . . . . . . . . . . . . . . . 30 6.4. Configuration Tables . . . . . . . . . . . . . . . . . . . 30
6.4.1. Notifications . . . . . . . . . . . . . . . . . . . . 30 6.4.1. Notifications . . . . . . . . . . . . . . . . . . . . 30
6.5. Relationship to Other MIB Modules . . . . . . . . . . . . 30 6.5. Relationship to Other MIB Modules . . . . . . . . . . . . 30
6.5.1. MIB Modules Required for IMPORTS . . . . . . . . . . . 31 6.5.1. MIB Modules Required for IMPORTS . . . . . . . . . . . 31
7. MIB Module Definition . . . . . . . . . . . . . . . . . . . . 31 7. MIB Module Definition . . . . . . . . . . . . . . . . . . . . 31
8. Operational Considerations . . . . . . . . . . . . . . . . . . 53 8. Operational Considerations . . . . . . . . . . . . . . . . . . 54
8.1. Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 53 8.1. Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 54
8.2. Notification Receiver Credential Selection . . . . . . . . 54 8.2. Notification Receiver Credential Selection . . . . . . . . 54
8.3. contextEngineID Discovery . . . . . . . . . . . . . . . . 54 8.3. contextEngineID Discovery . . . . . . . . . . . . . . . . 55
8.4. Transport Considerations . . . . . . . . . . . . . . . . . 55 8.4. Transport Considerations . . . . . . . . . . . . . . . . . 55
9. Security Considerations . . . . . . . . . . . . . . . . . . . 55 9. Security Considerations . . . . . . . . . . . . . . . . . . . 55
9.1. Certificates, Authentication, and Authorization . . . . . 55 9.1. Certificates, Authentication, and Authorization . . . . . 55
9.2. (D)TLS Security Considerations . . . . . . . . . . . . . . 56 9.2. (D)TLS Security Considerations . . . . . . . . . . . . . . 56
9.2.1. TLS Version Requirements . . . . . . . . . . . . . . . 56 9.2.1. TLS Version Requirements . . . . . . . . . . . . . . . 56
9.2.2. Perfect Forward Secrecy . . . . . . . . . . . . . . . 56 9.2.2. Perfect Forward Secrecy . . . . . . . . . . . . . . . 57
9.3. Use with SNMPv1/SNMPv2c Messages . . . . . . . . . . . . . 56 9.3. Use with SNMPv1/SNMPv2c Messages . . . . . . . . . . . . . 57
9.4. MIB Module Security . . . . . . . . . . . . . . . . . . . 57 9.4. MIB Module Security . . . . . . . . . . . . . . . . . . . 57
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 58 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 59 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 59
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 60 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 60
12.1. Normative References . . . . . . . . . . . . . . . . . . . 60 12.1. Normative References . . . . . . . . . . . . . . . . . . . 60
12.2. Informative References . . . . . . . . . . . . . . . . . . 61 12.2. Informative References . . . . . . . . . . . . . . . . . . 62
Appendix A. Target and Notification Configuration Example . . . . 62 Appendix A. Target and Notification Configuration Example . . . . 62
A.1. Configuring a Notification Originator . . . . . . . . . . 62 A.1. Configuring a Notification Originator . . . . . . . . . . 62
A.2. Configuring TLSTM to Utilize a Simple Derivation of A.2. Configuring TLSTM to Utilize a Simple Derivation of
tmSecurityName . . . . . . . . . . . . . . . . . . . . . . 63 tmSecurityName . . . . . . . . . . . . . . . . . . . . . . 63
A.3. Configuring TLSTM to Utilize Table-Driven Certificate A.3. Configuring TLSTM to Utilize Table-Driven Certificate
Mapping . . . . . . . . . . . . . . . . . . . . . . . . . 63 Mapping . . . . . . . . . . . . . . . . . . . . . . . . . 64
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 64 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 64
1. Introduction 1. Introduction
It is important to understand the modular SNMPv3 architecture as It is important to understand the modular SNMPv3 architecture as
defined by [RFC3411] and enhanced by the Transport Subsystem defined by [RFC3411] and enhanced by the Transport Subsystem
[RFC5590]. It is also important to understand the terminology of the [RFC5590]. It is also important to understand the terminology of the
SNMPv3 architecture in order to understand where the Transport Model SNMPv3 architecture in order to understand where the Transport Model
described in this document fits into the architecture and how it described in this document fits into the architecture and how it
interacts with the other architecture subsystems. For a detailed interacts with the other architecture subsystems. For a detailed
skipping to change at page 20, line 27 skipping to change at page 20, line 27
traffic passing through a single TLSTM session. Messages MUST NOT be traffic passing through a single TLSTM session. Messages MUST NOT be
sent through an existing (D)TLS connection that was established using sent through an existing (D)TLS connection that was established using
a different tmSecurityName. a different tmSecurityName.
On the (D)TLS server side of a connection the tmSecurityName is On the (D)TLS server side of a connection the tmSecurityName is
derived using the procedures described in Section 5.3.2 and the SNMP- derived using the procedures described in Section 5.3.2 and the SNMP-
TLS-TM-MIB's snmpTlstmCertToTSNTable DESCRIPTION clause. TLS-TM-MIB's snmpTlstmCertToTSNTable DESCRIPTION clause.
On the (D)TLS client side of a connection the tmSecurityName is On the (D)TLS client side of a connection the tmSecurityName is
presented to the TLS Transport Model by the application (possibly presented to the TLS Transport Model by the application (possibly
because of configuration specified in the SNMP-TARGET-MIB). because of configuration specified in the SNMP-TARGET-MIB). The
Security Model likely derived the tmSecurityName from the
securityName presented to the Security Model by the application
(possibly because of configuration specified in the SNMP-TARGET-MIB).
Transport-model-aware security models derive tmSecurityName from a Transport-model-aware security models derive tmSecurityName from a
securityName, possibly configured in MIB modules for notifications securityName, possibly configured in MIB modules for notifications
and access controls. Transport Models SHOULD use predictable and access controls. Transport Models SHOULD use predictable
tmSecurityNames so operators will know what to use when configuring tmSecurityNames so operators will know what to use when configuring
MIB modules that use securityNames derived from tmSecurityNames. The MIB modules that use securityNames derived from tmSecurityNames. The
TLSTM generates predictable tmSecurityNames based on the TLSTM generates predictable tmSecurityNames based on the
configuration found in the SNMP-TLS-TM-MIB's snmpTlstmCertToTSNTable configuration found in the SNMP-TLS-TM-MIB's snmpTlstmCertToTSNTable
and relies on the network operators to have configured this table and relies on the network operators to have configured this table
appropriately. appropriately.
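Review bot: the sentence added to the client-side paragraph of Section 4.4.1.1 ("The Security Model likely derived the tmSecurityName from the securityName presented to the Security Model by the application (possibly because of configuration specified in the SNMP-TARGET-MIB).") restates the paragraph that immediately follows it ("Transport-model-aware security models derive tmSecurityName from a securityName, possibly configured in MIB modules for notifications and access controls"), and "likely" is hedging language that does not belong in the normative part of a Standards Track document. Either drop the new sentence or fold it into the following paragraph so that the derivation chain is stated once and plainly: the application presents a tmSecurityName that the Security Model derived from the securityName, with the SNMP-TARGET-MIB named once rather than in two consecutive identical parentheticals.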
skipping to change at page 31, line 39 skipping to change at page 31, line 39
FROM SNMPv2-TC -- RFC2579 or any update thereof FROM SNMPv2-TC -- RFC2579 or any update thereof
MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
FROM SNMPv2-CONF -- RFC2580 or any update thereof FROM SNMPv2-CONF -- RFC2580 or any update thereof
SnmpAdminString SnmpAdminString
FROM SNMP-FRAMEWORK-MIB -- RFC3411 or any update thereof FROM SNMP-FRAMEWORK-MIB -- RFC3411 or any update thereof
snmpTargetParamsName, snmpTargetAddrName snmpTargetParamsName, snmpTargetAddrName
FROM SNMP-TARGET-MIB -- RFC3413 or any update thereof FROM SNMP-TARGET-MIB -- RFC3413 or any update thereof
; ;
snmpTlstmMIB MODULE-IDENTITY snmpTlstmMIB MODULE-IDENTITY
LAST-UPDATED "201005060000Z" LAST-UPDATED "201005070000Z"
ORGANIZATION "ISMS Working Group" ORGANIZATION "ISMS Working Group"
CONTACT-INFO "WG-EMail: isms@lists.ietf.org CONTACT-INFO "WG-EMail: isms@lists.ietf.org
Subscribe: isms-request@lists.ietf.org Subscribe: isms-request@lists.ietf.org
Chairs: Chairs:
Juergen Schoenwaelder Juergen Schoenwaelder
Jacobs University Bremen Jacobs University Bremen
Campus Ring 1 Campus Ring 1
28725 Bremen 28725 Bremen
Germany Germany
skipping to change at page 32, line 35 skipping to change at page 32, line 35
Copyright (c) 2010 IETF Trust and the persons identified as Copyright (c) 2010 IETF Trust and the persons identified as
the document authors. All rights reserved. the document authors. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info)." (http://trustee.ietf.org/license-info)."
REVISION "201005060000Z" REVISION "201005070000Z"
DESCRIPTION "This version of this MIB module is part of DESCRIPTION "This version of this MIB module is part of
RFC XXXX; see the RFC itself for full legal RFC XXXX; see the RFC itself for full legal
notices." notices."
-- NOTE to RFC editor: replace XXXX with actual RFC number -- NOTE to RFC editor: replace XXXX with actual RFC number
-- for this document and change the date to the -- for this document and change the date to the
-- current date and remove this note -- current date and remove this note
::= { mib-2 www } ::= { mib-2 www }
-- RFC Ed.: replace www with IANA-assigned number under the mib-2 -- RFC Ed.: replace www with IANA-assigned number under the mib-2
skipping to change at page 36, line 23 skipping to change at page 36, line 23
contain a non-zero length SnmpAdminString compliant contain a non-zero length SnmpAdminString compliant
value or the mapping described in this row must be value or the mapping described in this row must be
considered a failure." considered a failure."
::= { snmpTlstmCertToTSNMIdentities 1 } ::= { snmpTlstmCertToTSNMIdentities 1 }
snmpTlstmCertSANRFC822Name OBJECT-IDENTITY snmpTlstmCertSANRFC822Name OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION "Maps a subjectAltName's rfc822Name to a DESCRIPTION "Maps a subjectAltName's rfc822Name to a
tmSecurityName. The local part of the rfc822Name is tmSecurityName. The local part of the rfc822Name is
passed unaltered but the host-part of the name must passed unaltered but the host-part of the name must
be passed in lower case. be passed in lower case. This mapping results in a
1:1 correspondence between equivalent subjectAltName
rfc822Name values and tmSecurityName values except
that the host-part of the name MUST be passed in
lower case.
Example rfc822Name Field: FooBar@Example.COM Example rfc822Name Field: FooBar@Example.COM
is mapped to tmSecurityName: FooBar@example.com" is mapped to tmSecurityName: FooBar@example.com"
::= { snmpTlstmCertToTSNMIdentities 2 } ::= { snmpTlstmCertToTSNMIdentities 2 }
snmpTlstmCertSANDNSName OBJECT-IDENTITY snmpTlstmCertSANDNSName OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION "Maps a subjectAltName's dNSName to a DESCRIPTION "Maps a subjectAltName's dNSName to a
tmSecurityName after first converting it to all tmSecurityName after first converting it to all
lower case (note that RFC5280 does not specify lower case (RFC5280 does not specify converting to
converting to lower case so this involves an extra lower case so this involves an extra step). This
step)." mapping results in a 1:1 correspondence between
subjectAltName dNSName values and the tmSecurityName
values."
REFERENCE "RFC5280 - Internet X.509 Public Key Infrastructure REFERENCE "RFC5280 - Internet X.509 Public Key Infrastructure
Certificate and Certificate Revocation Certificate and Certificate Revocation
List (CRL) Profile" List (CRL) Profile"
::= { snmpTlstmCertToTSNMIdentities 3 } ::= { snmpTlstmCertToTSNMIdentities 3 }
snmpTlstmCertSANIpAddress OBJECT-IDENTITY snmpTlstmCertSANIpAddress OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION "Maps a subjectAltName's iPAddress to a DESCRIPTION "Maps a subjectAltName's iPAddress to a
tmSecurityName by transforming the binary encoded tmSecurityName by transforming the binary encoded
address as follows: address as follows:
1) for IPv4 the value is converted into a decimal 1) for IPv4 the value is converted into a decimal
dotted quad address (e.g. '192.0.2.1') dotted quad address (e.g. '192.0.2.1')
2) for IPv6 addresses the value is converted into a 2) for IPv6 addresses the value is converted into a
32-character all lowercase hexadecimal string 32-character all lowercase hexadecimal string
without any colon separators. without any colon separators.
Note that the resulting length is the maximum This mapping results in a 1:1 correspondence between
length supported by the View-Based Access Control subjectAltName iPAddress values and the
Model (VACM). Note that using both the Transport tmSecurityName values.
Security Model's support for transport prefixes
(see the SNMP-TSM-MIB's The resulting length is the maximum length supported
snmpTsmConfigurationUsePrefix object for details) by the View-Based Access Control Model (VACM).
will result in securityName lengths that exceed Using both the Transport Security Model's support
what VACM can handle." for transport prefixes (see the SNMP-TSM-MIB's
snmpTsmConfigurationUsePrefix object for details)
will result in securityName lengths that exceed what
VACM can handle."
::= { snmpTlstmCertToTSNMIdentities 4 } ::= { snmpTlstmCertToTSNMIdentities 4 }
snmpTlstmCertSANAny OBJECT-IDENTITY snmpTlstmCertSANAny OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION "Maps any of the following fields using the DESCRIPTION "Maps any of the following fields using the
corresponding mapping algorithms: corresponding mapping algorithms:
|------------+----------------------------| |------------+----------------------------|
| Type | Algorithm | | Type | Algorithm |
|------------+----------------------------| |------------+----------------------------|
| rfc822Name | snmpTlstmCertSANRFC822Name | | rfc822Name | snmpTlstmCertSANRFC822Name |
| dNSName | snmpTlstmCertSANDNSName | | dNSName | snmpTlstmCertSANDNSName |
| iPAddress | snmpTlstmCertSANIpAddress | | iPAddress | snmpTlstmCertSANIpAddress |
|------------+----------------------------| |------------+----------------------------|
The first matching subjectAltName value found in the The first matching subjectAltName value found in the
certificate of the above types MUST be used when certificate of the above types MUST be used when
deriving the tmSecurityName. The mapping algorithm deriving the tmSecurityName. The mapping algorithm
specified in the 'Algorithm' column MUST be used to specified in the 'Algorithm' column MUST be used to
derive the tmSecurityName." derive the tmSecurityName.
This mapping results in a 1:1 correspondence between
subjectAltName values and tmSecurityName values. The
three sub-mapping algorithms produced by this
combined algorithm cannot produce conflicting
results between themselves."
::= { snmpTlstmCertToTSNMIdentities 5 } ::= { snmpTlstmCertToTSNMIdentities 5 }
snmpTlstmCertCommonName OBJECT-IDENTITY snmpTlstmCertCommonName OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION "Maps a certificate's CommonName to a tmSecurityName DESCRIPTION "Maps a certificate's CommonName to a tmSecurityName
after converting it to a UTF-8 encoding. The usage after converting it to a UTF-8 encoding. The usage
of CommonNames is deprecated and users are of CommonNames is deprecated and users are
encouraged to use subjectAltName mapping methods encouraged to use subjectAltName mapping methods
instead." instead. This mapping results in a 1:1
correspondence between certificate CommonName values
and tmSecurityName values."
::= { snmpTlstmCertToTSNMIdentities 6 } ::= { snmpTlstmCertToTSNMIdentities 6 }
-- The snmpTlstmSession Group -- The snmpTlstmSession Group
snmpTlstmSession OBJECT IDENTIFIER ::= { snmpTlstmObjects 1 } snmpTlstmSession OBJECT IDENTIFIER ::= { snmpTlstmObjects 1 }
snmpTlstmSessionOpens OBJECT-TYPE snmpTlstmSessionOpens OBJECT-TYPE
SYNTAX Counter32 SYNTAX Counter32
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
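Review bot: the "1:1 correspondence" sentences added to the snmpTlstmCertToTSNMIdentities DESCRIPTION clauses are not all justified by the mapping rules they follow. For snmpTlstmCertSANDNSName the mapping lower-cases the dNSName first, so two dNSName values that differ only in case yield the same tmSecurityName; the rfc822Name clause handles this by saying "equivalent subjectAltName rfc822Name values", and the dNSName clause should carry the same qualifier. In snmpTlstmCertSANRFC822Name the lower-case rule for the host-part is now stated twice in one DESCRIPTION, once as "must" and once as "MUST"; keep a single statement using the RFC 2119 keyword. In snmpTlstmCertSANAny, "The three sub-mapping algorithms produced by this combined algorithm cannot produce conflicting results between themselves" is asserted without argument: the iPAddress mapping yields a dotted quad or a 32-character lowercase hexadecimal string, and both are syntactically valid dNSName values, so the absence of cross-type collisions rests on the "first matching subjectAltName value" rule and on operators selecting a specific mapping in snmpTlstmCertToTSNTable, not on the three output formats being disjoint; either give that reasoning or remove the sentence. Finally, in snmpTlstmCertSANIpAddress the wording "Using both the Transport Security Model's support for transport prefixes (see the SNMP-TSM-MIB's snmpTsmConfigurationUsePrefix object for details) will result in securityName lengths that exceed what VACM can handle" (carried over from -12) says "both" while naming only one thing; it should say that combining this 32-character tmSecurityName with a TSM transport prefix produces a securityName longer than VACM supports.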
 End of changes. 20 change blocks. 
32 lines changed or deleted 51 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/