draft-ietf-snmpv3-appl-v2-01.txt   draft-ietf-snmpv3-appl-v2-02.txt 
INTERNET-DRAFT David B. Levi INTERNET-DRAFT David B. Levi
SNMP Research, Inc. SNMP Research, Inc.
Paul Meyer Paul Meyer
Secure Computing Corporation Secure Computing Corporation
Bob Stewart Bob Stewart
Cisco Systems Cisco Systems
30 September 1998 21 January 1999
SNMP Applications SNMP Applications
<draft-ietf-snmpv3-appl-v2-01.txt> <draft-ietf-snmpv3-appl-v2-02.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.'' material or to cite them other than as ``work in progress.''
To learn the current status of any Internet-Draft, please check the To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
Rim).
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (date). All Rights Reserved. Copyright (C) The Internet Society (date). All Rights Reserved.
Abstract Abstract
This memo describes five types of SNMP applications which make use of This memo describes five types of SNMP applications which make use of
an SNMP engine as described in [SNMP-ARCH]. The types of application an SNMP engine as described in [SNMP-ARCH]. The types of application
described are Command Generators, Command Responders, Notification described are Command Generators, Command Responders, Notification
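Review bot: the copyright line "Copyright (C) The Internet Society (date)" still carries the unfilled "(date)" placeholder in both revisions. Since the -02 revision is already touching this boilerplate (the shadow directory host changes to ftp.ietf.org), replace the placeholder with the actual year in the same pass.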
skipping to change at page 3, line 23 skipping to change at page 3, line 23
2 Management Targets ........................................... 7 2 Management Targets ........................................... 7
3 Elements Of Procedure ........................................ 7 3 Elements Of Procedure ........................................ 7
3.1 Command Generator Applications ............................. 7 3.1 Command Generator Applications ............................. 7
3.2 Command Responder Applications ............................. 11 3.2 Command Responder Applications ............................. 11
3.3 Notification Originator Applications ....................... 17 3.3 Notification Originator Applications ....................... 17
3.4 Notification Receiver Applications ......................... 21 3.4 Notification Receiver Applications ......................... 21
3.5 Proxy Forwarder Applications ............................... 23 3.5 Proxy Forwarder Applications ............................... 23
3.5.1 Request Forwarding ....................................... 24 3.5.1 Request Forwarding ....................................... 24
3.5.1.1 Processing an Incoming Request ......................... 24 3.5.1.1 Processing an Incoming Request ......................... 24
3.5.1.2 Processing an Incoming Response ........................ 27 3.5.1.2 Processing an Incoming Response ........................ 27
3.5.1.3 Processing an Incoming Report Indication ............... 28 3.5.1.3 Processing an Incoming Internal-Class PDU .............. 28
3.5.2 Notification Forwarding .................................. 29 3.5.2 Notification Forwarding .................................. 29
4 The Structure of the MIB Modules ............................. 33 4 The Structure of the MIB Modules ............................. 33
4.1 The Management Target MIB Module ........................... 33 4.1 The Management Target MIB Module ........................... 33
4.1.1 Tag Lists ................................................ 34 4.1.1 Tag Lists ................................................ 34
4.1.2 Definitions .............................................. 34 4.1.2 Definitions .............................................. 34
4.2 The Notification MIB Module ................................ 49 4.2 The Notification MIB Module ................................ 49
4.2.1 Definitions .............................................. 49 4.2.1 Definitions .............................................. 49
4.3 The Proxy MIB Module ....................................... 62 4.3 The Proxy MIB Module ....................................... 62
4.3.1 Definitions .............................................. 62 4.3.1 Definitions .............................................. 62
5 Identification of Management Targets in Notification Origi- 5 Identification of Management Targets in Notification Origi-
nators .................................................... 69 nators .................................................... 69
6 Notification Filtering ....................................... 70 6 Notification Filtering ....................................... 70
7 Management Target Translation in Proxy Forwarder Applica- 7 Management Target Translation in Proxy Forwarder Applica-
tions ..................................................... 72 tions ..................................................... 72
7.1 Management Target Translation for Request Forwarding ....... 72 7.1 Management Target Translation for Request Forwarding ....... 72
7.2 Management Target Translation for Notification Forwarding 7.2 Management Target Translation for Notification Forwarding
........................................................... 73 ........................................................... 73
8 Intellectual Property ........................................ 74 8 Intellectual Property ........................................ 74
9 Acknowledgments .............................................. 74 9 Acknowledgments .............................................. 74
10 Security Considerations ..................................... 75 10 Security Considerations ..................................... 76
11 References .................................................. 77 11 References .................................................. 77
12 Editor's Address ............................................ 79 12 Editor's Address ............................................ 79
A. Trap Configuration Example .................................. 80 A. Trap Configuration Example .................................. 80
B. Full Copyright Statement .................................... 82 B. Full Copyright Statement .................................... 82
1. Overview 1. Overview
This document describes five types of SNMP applications: This document describes five types of SNMP applications:
- Applications which initiate SNMP Get, GetNext, GetBulk, and/or - Applications which initiate SNMP Read-Class, and/or Write-
Set requests, called 'command generators.' Class requests, called 'command generators.'
- Applications which respond to SNMP Get, GetNext, GetBulk, - Applications which respond to SNMP Read-Class, and/or Write-
and/or Set requests, called 'command responders.' Class requests, called 'command responders.'
- Applications which generate notifications, called - Applications which generate SNMP Notification-Class PDUs,
'notification originators.' called 'notification originators.'
- Applications which receive notifications, called 'notification - Applications which receive SNMP Notification-Class PDUs,
receivers.' called 'notification receivers.'
- Applications which forward SNMP Get, GetNext, GetBulk, and/or - Applications which forward SNMP messages, called 'proxy
Set requests or notifications, called 'proxy forwarder.' forwarders.'
Note that there are no restrictions on which types of applications Note that there are no restrictions on which types of applications
may be associated with a particular SNMP engine. For example, a may be associated with a particular SNMP engine. For example, a
single SNMP engine may, in fact, be associated with both command single SNMP engine may, in fact, be associated with both command
generator and command responder applications. generator and command responder applications.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
1.1. Command Generator Applications 1.1. Command Generator Applications
A command generator application initiates SNMP Get, GetNext, GetBulk, A command generator application initiates SNMP Read-Class and/or
and/or Set requests, as well as processing the response to a request Write-Class requests, as well as processing the response to a request
which it generated. which it generated.
1.2. Command Responder Applications 1.2. Command Responder Applications
A command responder application receives SNMP Get, GetNext, GetBulk, A command responder application receives SNMP Read-Class and/or
and/or Set requests destined for the local system as indicated by the Write-Class requests destined for the local system as indicated by
fact that the contextEngineID in the received request is equal to the fact that the contextEngineID in the received request is equal to
that of the local engine through which the request was received. The that of the local engine through which the request was received. The
command responder application will perform the appropriate protocol command responder application will perform the appropriate protocol
operation, using access control, and will generate a response message operation, using access control, and will generate a response message
to be sent to the request's originator. to be sent to the request's originator.
1.3. Notification Originator Applications 1.3. Notification Originator Applications
A notification originator application conceptually monitors a system A notification originator application conceptually monitors a system
for particular events or conditions, and generates Trap and/or Inform for particular events or conditions, and generates Notification-Class
messages based on these events or conditions. A notification messages based on these events or conditions. A notification
originator must have a mechanism for determining where to send originator must have a mechanism for determining where to send
messages, and what SNMP version and security parameters to use when messages, and what SNMP version and security parameters to use when
sending messages. A mechanism and MIB module for this purpose is sending messages. A mechanism and MIB module for this purpose is
provided in this document. provided in this document. Note that Notification-Class PDUs
generated by a notification originator may be either Confirmed-Class
or Unconfirmed-Class PDU types.
1.4. Notification Receiver Applications 1.4. Notification Receiver Applications
A notification receiver application listens for notification A notification receiver application listens for notification
messages, and generates response messages when a message containing messages, and generates response messages when a message containing a
an Inform PDU is received. Confirmed-Class PDU is received.
1.5. Proxy Forwarder Applications 1.5. Proxy Forwarder Applications
A proxy forwarder application forwards SNMP messages. Note that A proxy forwarder application forwards SNMP messages. Note that
implementation of a proxy forwarder application is optional. The implementation of a proxy forwarder application is optional. The
sections describing proxy (4.5, 5.3, and 8) may be skipped for sections describing proxy (4.5, 5.3, and 8) may be skipped for
implementations that do not include a proxy forwarder application. implementations that do not include a proxy forwarder application.
The term "proxy" has historically been used very loosely, with The term "proxy" has historically been used very loosely, with
multiple different meanings. These different meanings include (among multiple different meanings. These different meanings include (among
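Review bot: the cross-reference in section 1.5, "sections describing proxy (4.5, 5.3, and 8) may be skipped", is stale in both revisions. The table of contents at the top of this hunk places the proxy material at 3.5, 4.3 and 7, so the reference should be updated to match. A smaller point in the rewritten overview bullets: "Read-Class, and/or Write-Class requests" has a stray comma that the reworded section 1.1 ("Read-Class and/or Write-Class requests") does not.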
skipping to change at page 5, line 48 skipping to change at page 6, line 4
(2) the translation of SNMP requests into operations of some non-SNMP (2) the translation of SNMP requests into operations of some non-SNMP
management protocol; and management protocol; and
(3) support for aggregated managed objects where the value of one (3) support for aggregated managed objects where the value of one
managed object instance depends upon the values of multiple other managed object instance depends upon the values of multiple other
(remote) items of management information. (remote) items of management information.
Each of these scenarios can be advantageous; for example, support for Each of these scenarios can be advantageous; for example, support for
aggregation of management information can significantly reduce the aggregation of management information can significantly reduce the
bandwidth requirements of large-scale management activities. bandwidth requirements of large-scale management activities.
However, using a single term to cover multiple different scenarios However, using a single term to cover multiple different scenarios
causes confusion. causes confusion.
To avoid such confusion, this document uses the term "proxy" with a To avoid such confusion, this document uses the term "proxy" with a
much more tightly defined meaning. The term "proxy" is used in this much more tightly defined meaning. The term "proxy" is used in this
document to refer to a proxy forwarder application which forwards document to refer to a proxy forwarder application which forwards
either SNMP requests, notifications, and responses without regard for either SNMP messages without regard for what managed objects are
what managed objects are contained within requests or notifications. contained within those messages. This definition is most closely
This definition is most closely related to the first definition related to the first definition above. Note, however, that in the
above. Note, however, that in the SNMP architecture [SNMP-ARCH], a SNMP architecture [SNMP-ARCH], a proxy forwarder is actually an
proxy forwarder is actually an application, and need not be application, and need not be associated with what is traditionally
associated with what is traditionally thought of as an SNMP agent. thought of as an SNMP agent.
Specifically, the distinction between a traditional SNMP agent and a Specifically, the distinction between a traditional SNMP agent and a
proxy forwarder application is simple: proxy forwarder application is simple:
- a proxy forwarder application forwards requests and/or - a proxy forwarder application forwards SNMP messages to other
notifications to other SNMP engines according to the context, SNMP engines according to the context, and irrespective of the
and irrespective of the specific managed object types being specific managed object types being accessed, and forwards the
accessed, and forwards the response to such previously response to such previously forwarded messages back to the
forwarded messages back to the SNMP engine from which the SNMP engine from which the original message was received;
original message was received;
- in contrast, the command responder application that is part of - in contrast, the command responder application that is part of
what is traditionally thought of as an SNMP agent, and which what is traditionally thought of as an SNMP agent, and which
processes SNMP requests according to the (names of the) processes SNMP requests according to the (names of the)
individual managed object types and instances being accessed, individual managed object types and instances being accessed,
is NOT a proxy forwarder application from the perspective of is NOT a proxy forwarder application from the perspective of
this document. this document.
Thus, when a proxy forwarder application forwards a request or Thus, when a proxy forwarder application forwards a request or
notification for a particular contextEngineID / contextName pair, not notification for a particular contextEngineID / contextName pair, not
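Review bot: the reworded definition in -02 reads "forwards either SNMP messages without regard for what managed objects are contained within those messages", where "either" is left over from the old list "requests, notifications, and responses" and no longer has an alternative to pair with. Drop "either". The following paragraph ("forwards a request or notification for a particular contextEngineID / contextName pair") was not generalized to "SNMP messages" like the bullets above it; confirm whether that is intentional.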
skipping to change at page 6, line 48 skipping to change at page 6, line 50
managed object types). managed object types).
In contrast, a command responder application must have the detailed In contrast, a command responder application must have the detailed
definition of the MIB view, and even if it needs to issue requests to definition of the MIB view, and even if it needs to issue requests to
other entities, via SNMP or otherwise, that need is dependent on the other entities, via SNMP or otherwise, that need is dependent on the
individual managed object instances being accessed (i.e., not only on individual managed object instances being accessed (i.e., not only on
the context). the context).
Note that it is a design goal of a proxy forwarder application to act Note that it is a design goal of a proxy forwarder application to act
as an intermediary between the endpoints of a transaction. In as an intermediary between the endpoints of a transaction. In
particular, when forwarding Inform requests, the associated response particular, when forwarding Confirmed Notification-Class messages,
is forwarded when it is received from the target to which the Inform the associated response is forwarded when it is received from the
request was forwarded, rather than generating a response immediately target to which the Notification-Class message was forwarded, rather
when an Inform request is received. than generating a response immediately when the Notification-Class
message is received.
2. Management Targets 2. Management Targets
Some types of applications (notification generators and proxy Some types of applications (notification generators and proxy
forwarders in particular) require a mechanism for determining where forwarders in particular) require a mechanism for determining where
and how to send generated messages. This document provides a and how to send generated messages. This document provides a
mechanism and MIB module for this purpose. The set of information mechanism and MIB module for this purpose. The set of information
that describes where and how to send a message is called a that describes where and how to send a message is called a
'Management Target', and consists of two kinds of information: 'Management Target', and consists of two kinds of information:
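Review bot: the new design-goal paragraph uses "Confirmed Notification-Class messages" and then "the Notification-Class message", while sections 1.3 and 1.4 of the same revision speak of "Confirmed-Class" PDU types. Pick one form, for example "Notification-Class messages containing a Confirmed-Class PDU", so a reader does not take "Confirmed Notification-Class" for a separate class. Unchanged in section 2 but worth fixing at the same time: "notification generators" should be "notification originators", the term defined in section 1.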
skipping to change at page 9, line 22 skipping to change at page 9, line 28
processResponsePdu( -- process Response PDU processResponsePdu( -- process Response PDU
IN messageProcessingModel -- typically, SNMP version IN messageProcessingModel -- typically, SNMP version
IN securityModel -- Security Model in use IN securityModel -- Security Model in use
IN securityName -- on behalf of this principal IN securityName -- on behalf of this principal
IN securityLevel -- Level of Security IN securityLevel -- Level of Security
IN contextEngineID -- data from/at this SNMP entity IN contextEngineID -- data from/at this SNMP entity
IN contextName -- data from/in this context IN contextName -- data from/in this context
IN pduVersion -- the version of the PDU IN pduVersion -- the version of the PDU
IN PDU -- SNMP Protocol Data Unit IN PDU -- SNMP Protocol Data Unit
IN statusInformation -- success or errorIndication IN statusInformation -- success or errorIndication
IN sendPduHandle -- handle from sendPDU IN sendPduHandle -- handle from sendPdu
) )
Where: Where:
- The messageProcessingModel is the value from the received - The messageProcessingModel is the value from the received
response. response.
- The securityModel is the value from the received response. - The securityModel is the value from the received response.
- The securityName is the value from the received response. - The securityName is the value from the received response.
skipping to change at page 11, line 25 skipping to change at page 11, line 25
) )
Where: Where:
- The statusInformation indicates success or failure of the - The statusInformation indicates success or failure of the
registration attempt. registration attempt.
- The contextEngineID is equal to the snmpEngineID of the SNMP - The contextEngineID is equal to the snmpEngineID of the SNMP
engine with which the command responder is registering. engine with which the command responder is registering.
- The pduType indicates a Get, GetNext, GetBulk, or Set pdu. - The pduType indicates a Read-Class and/or Write-Class PDU.
Note that if another command responder application is already Note that if another command responder application is already
registered with an SNMP engine, any further attempts to register with registered with an SNMP engine, any further attempts to register with
the same contextEngineID and pduType will be denied. This implies the same contextEngineID and pduType will be denied. This implies
that separate command responder applications could register that separate command responder applications could register
separately for the various pdu types. However, in practice this is separately for the various pdu types. However, in practice this is
undesirable, and only a single command responder application should undesirable, and only a single command responder application should
be registered with an SNMP engine at any given time. be registered with an SNMP engine at any given time.
A command responder application can disassociate with an SNMP engine A command responder application can disassociate with an SNMP engine
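Review bot: "The pduType indicates a Read-Class and/or Write-Class PDU" leaves it unclear whether pduType now names a class or a specific PDU type within a class. The next paragraph still decides registration conflicts on "the same contextEngineID and pduType" and talks about registering "separately for the various pdu types", which only makes sense per PDU type. State explicitly that pduType identifies one or more PDU types belonging to the Read-Class or Write-Class, and capitalize "PDU" consistently.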
skipping to change at page 11, line 49 skipping to change at page 11, line 49
IN contextEngineID -- give up responsibility for this one IN contextEngineID -- give up responsibility for this one
IN pduType -- the pduType(s) to be unregistered IN pduType -- the pduType(s) to be unregistered
) )
Where: Where:
- The contextEngineID is equal to the snmpEngineID of the SNMP - The contextEngineID is equal to the snmpEngineID of the SNMP
engine with which the command responder is cancelling the engine with which the command responder is cancelling the
registration. registration.
- The pduType indicates a Get, GetNext, GetBulk, or Set pdu. - The pduType indicates a Read-Class and/or Write-Class PDU.
Once the command responder has registered with the SNMP engine, it Once the command responder has registered with the SNMP engine, it
waits to receive SNMP messages. The abstract service interface used waits to receive SNMP messages. The abstract service interface used
for receiving messages is: for receiving messages is:
processPdu( -- process Request/Notification PDU processPdu( -- process Request/Notification PDU
IN messageProcessingModel -- typically, SNMP version IN messageProcessingModel -- typically, SNMP version
IN securityModel -- Security Model in use IN securityModel -- Security Model in use
IN securityName -- on behalf of this principal IN securityName -- on behalf of this principal
IN securityLevel -- Level of Security IN securityLevel -- Level of Security
skipping to change at page 13, line 12 skipping to change at page 13, line 12
The procedure when a message is received is as follows. The procedure when a message is received is as follows.
(1) The operation type is determined from the ASN.1 tag value (1) The operation type is determined from the ASN.1 tag value
associated with the PDU parameter. The operation type should associated with the PDU parameter. The operation type should
always be one of the types previously registered by the always be one of the types previously registered by the
application. application.
(2) The request-id is extracted from the PDU and saved. (2) The request-id is extracted from the PDU and saved.
(3) If the SNMPv2 operation type is GetBulk, the non-repeaters and (3) Any PDU type specific parameters are extracted from the PDU and
max-repetitions values are extracted from the PDU and saved. saved (for example, if the PDU type is an SNMPv2 GetBulk PDU, the
non-repeaters and max-repetitions values are extracted).
(4) The variable-bindings are extracted from the PDU and saved. (4) The variable-bindings are extracted from the PDU and saved.
(5) The management operation represented by the SNMPv2 operation type (5) The management operation represented by the PDU type is performed
is performed with respect to the relevant MIB view within the with respect to the relevant MIB view within the context named by
context named by the contextName, according to the procedures set the contextName (for an SNMPv2 PDU type, the operation is performed
forth in [RFC1905]. The relevant MIB view is determined by the according to the procedures set forth in [RFC1905]). The relevant
securityLevel, securityModel, contextName, securityName, and SNMPv2 MIB view is determined by the securityLevel, securityModel,
operation type. To determine whether a particular object instance contextName, securityName, and the class of the PDU type. To
is within the relevant MIB view, the following abstract service determine whether a particular object instance is within the
interface is called: relevant MIB view, the following abstract service interface is
called:
statusInformation = -- success or errorIndication statusInformation = -- success or errorIndication
isAccessAllowed( isAccessAllowed(
IN securityModel -- Security Model in use IN securityModel -- Security Model in use
IN securityName -- principal who wants to access IN securityName -- principal who wants to access
IN securityLevel -- Level of Security IN securityLevel -- Level of Security
IN viewType -- read, write, or notify view IN viewType -- read, write, or notify view
IN contextName -- context containing variableName IN contextName -- context containing variableName
IN variableName -- OID for the managed object IN variableName -- OID for the managed object
) )
Where: Where:
- The securityModel is the value from the received message. - The securityModel is the value from the received message.
- The securityName is the value from the received message. - The securityName is the value from the received message.
- The securityLevel is the value from the received message. - The securityLevel is the value from the received message.
- The viewType indicates whether the PDU type is a read or write - The viewType indicates whether the PDU type is a Read-Class or
operation. Write-Class operation.
- The contextName is the value from the received message. - The contextName is the value from the received message.
- The variableName is the object instance of the variable for - The variableName is the object instance of the variable for
which access rights are to be checked. which access rights are to be checked.
Normally, the result of the management operation will be a new PDU Normally, the result of the management operation will be a new PDU
value, and processing will continue in step (6) below. However, at value, and processing will continue in step (6) below. However, at
any time during the processing of the management operation: any time during the processing of the management operation:
- If the isAccessAllowed ASI returns a noSuchView, - If the isAccessAllowed ASI returns a noSuchView,
noAccessEntry, or noGroupName error, processing of the noAccessEntry, or noGroupName error, processing of the
management operation is halted, a PDU value is contructed management operation is halted, a PDU value is constructed
using the values from the originally received PDU, but using the values from the originally received PDU, but
replacing the error_status with an authorizationError code, replacing the error_status with an authorizationError code,
and error_index value of 0, and control is passed to step (6) and error_index value of 0, and control is passed to step (6)
below. below.
- If the isAccessAllowed ASI returns an otherError, processing - If the isAccessAllowed ASI returns an otherError, processing
of the management operation is halted, a different PDU value of the management operation is halted, a different PDU value
is contructed using the values from the originally received is constructed using the values from the originally received
PDU, but replacing the error_status with a genError code, and PDU, but replacing the error_status with a genError code, and
control is passed to step (6) below. control is passed to step (6) below.
- If the isAccessAllowed ASI returns a noSuchContext error, - If the isAccessAllowed ASI returns a noSuchContext error,
processing of the management operation is halted, no result processing of the management operation is halted, no result
PDU is generated, the snmpUnknownContexts counter is PDU is generated, the snmpUnknownContexts counter is
incremented, and control is passed to step (6) below. incremented, and control is passed to step (6) below.
- If the context named by the contextName parameter is - If the context named by the contextName parameter is
unavailable, processing of the management operation is halted, unavailable, processing of the management operation is halted,
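Review bot: the otherError bullet in step (5) replaces error_status with genError but, unlike the authorizationError bullet just above it ("and error_index value of 0"), never says what error_index should carry. Specify the value so that both access-control failure paths produce a fully defined response PDU. The "contructed" to "constructed" spelling fix in these two bullets is correct.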
skipping to change at page 17, line 7 skipping to change at page 17, line 7
when a request is received for a context which unknown to the SNMP when a request is received for a context which unknown to the SNMP
entity. The snmpUnavailableContexts counter is incremented when a entity. The snmpUnavailableContexts counter is incremented when a
request is received for a context which is known to the SNMP entity, request is received for a context which is known to the SNMP entity,
but is currently unavailable. Determining when a context is but is currently unavailable. Determining when a context is
unavailable is implementation specific, and some implementations may unavailable is implementation specific, and some implementations may
never encounter this situation, and so may never increment the never encounter this situation, and so may never increment the
snmpUnavailableContexts counter. snmpUnavailableContexts counter.
3.3. Notification Originator Applications 3.3. Notification Originator Applications
A notification originator application generates SNMP notification A notification originator application generates SNMP messages
messages. A notification message may, for example, contain an containing Notification-Class PDUs (for example, SNMPv2-Trap PDUs or
SNMPv2-Trap PDU or an Inform PDU. However, a particular Inform PDUs). There is no requirement as to what specific types of
implementation is not required to be capable of generating both types Notification-Class PDUs a particular implementation must be capable
of messages. of generating.
Notification originator applications require a mechanism for Notification originator applications require a mechanism for
identifying the management targets to which notifications should be identifying the management targets to which notifications should be
sent. The particular mechanism used is implementation dependent. sent. The particular mechanism used is implementation dependent.
However, if an implementation makes the configuration of management However, if an implementation makes the configuration of management
targets SNMP manageable, it MUST use the SNMP-TARGET-MIB module targets SNMP manageable, it MUST use the SNMP-TARGET-MIB module
described in this document. described in this document.
When a notification originator wishes to generate a notification, it When a notification originator wishes to generate a notification, it
must first determine in which context the information to be conveyed must first determine in which context the information to be conveyed
in the notification exists, i.e., it must determine the in the notification exists, i.e., it must determine the
contextEngineID and contextName. It must then determine the set of contextEngineID and contextName. It must then determine the set of
management targets to which the notification should be sent. The management targets to which the notification should be sent. The
application must also determine, for each management target, whether application must also determine, for each management target, what
the notification message should contain an SNMPv2-Trap PDU or Inform specific PDU type the notification message should contain, and if it
PDU, and if it is to contain an Inform PDU, the number of retries and is to contain a Confirmed-Class PDU, the number of retries and
retransmission algorithm. retransmission algorithm.
The mechanism by which a notification originator determines this The mechanism by which a notification originator determines this
information is implementation dependent. Once the application has information is implementation dependent. Once the application has
determined this information, the following procedure is performed for determined this information, the following procedure is performed for
each management target: each management target:
(1) Any appropriate filtering mechanisms are applied to determine (1) Any appropriate filtering mechanisms are applied to determine
whether the notification should be sent to the management target. whether the notification should be sent to the management target.
If such filtering mechanisms determine that the notification should If such filtering mechanisms determine that the notification should
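Review bot: In the paragraph just above 3.3, "a request is received for a context which unknown to the SNMP" is missing its verb in both columns, so -02 carries the slip forward unchanged. It should read "a context which is unknown to the SNMP entity", matching the next sentence's "a context which is known to the SNMP entity".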
skipping to change at page 18, line 13 skipping to change at page 18, line 13
management target. management target.
(3) The NOTIFICATION-TYPE OBJECT IDENTIFIER of the notification (this (3) The NOTIFICATION-TYPE OBJECT IDENTIFIER of the notification (this
is the value of the element of the variable bindings whose name is is the value of the element of the variable bindings whose name is
snmpTrapOID.0, i.e., the second variable binding) is checked using snmpTrapOID.0, i.e., the second variable binding) is checked using
the isAccessAllowed abstract service interface, using the same the isAccessAllowed abstract service interface, using the same
parameters used in the preceding step. If the statusInformation parameters used in the preceding step. If the statusInformation
returned by isAccessAllowed does not indicate accessAllowed, the returned by isAccessAllowed does not indicate accessAllowed, the
notification is not sent to the management target. notification is not sent to the management target.
(4) A PDU is constructed using a locally unique request-id value, an (4) A PDU is constructed using a locally unique request-id value, a PDU
operation type of SNMPv2-Trap or Inform, an error-status and type as determined by the implementation, an error-status and
error-index value of 0, and the variable-bindings supplied error-index value of 0, and the variable-bindings supplied
previously in step (2). previously in step (2).
(5) If the notification contains an SNMPv2-Trap PDU, the Dispatcher is (5) If the notification contains an Unconfirmed-Class PDU, the
called using the following abstract service interface: Dispatcher is called using the following abstract service
interface:
statusInformation = -- sendPduHandle if success statusInformation = -- sendPduHandle if success
-- errorIndication if failure -- errorIndication if failure
sendPdu( sendPdu(
IN transportDomain -- transport domain to be used IN transportDomain -- transport domain to be used
IN transportAddress -- destination network address IN transportAddress -- destination network address
IN messageProcessingModel -- typically, SNMP version IN messageProcessingModel -- typically, SNMP version
IN securityModel -- Security Model to use IN securityModel -- Security Model to use
IN securityName -- on behalf of this principal IN securityName -- on behalf of this principal
IN securityLevel -- Level of Security requested IN securityLevel -- Level of Security requested
skipping to change at page 19, line 20 skipping to change at page 19, line 20
- The pduVersion is the version of the PDU to be sent. - The pduVersion is the version of the PDU to be sent.
- The PDU is the value constructed in step (3) above. - The PDU is the value constructed in step (3) above.
- The expectResponse argument indicates that no response is - The expectResponse argument indicates that no response is
expected. expected.
Otherwise, Otherwise,
(6) If the notification contains an Inform PDU, then: (6) If the notification contains a Confirmed-Class PDU, then:
a) The Dispatcher is called using the sendPdu abstract service a) The Dispatcher is called using the sendPdu abstract service
interface as described in step (4) above, except that the interface as described in step (4) above, except that the
expectResponse argument indicates that a response is expected. expectResponse argument indicates that a response is expected.
b) The application caches information about the management b) The application caches information about the management
target. target.
c) If a response is received within an appropriate time interval c) If a response is received within an appropriate time interval
from the transport endpoint of the management target, the from the transport endpoint of the management target, the
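Review bot: The step cross-references in this region no longer match the numbering shown in the preceding region. "The PDU is the value constructed in step (3) above" should point to step (4), where the PDU is constructed, and 6 a) "as described in step (4) above" should point to step (5), where sendPdu is called. Both columns carry the same off-by-one, so it can be corrected in -02 along with the PDU-class wording.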
skipping to change at page 19, line 46 skipping to change at page 19, line 46
about the management target is retrieved from the cache, and about the management target is retrieved from the cache, and
steps a) through d) are repeated. The number of times these steps a) through d) are repeated. The number of times these
steps are repeated is equal to the previously determined retry steps are repeated is equal to the previously determined retry
count. If this retry count is exceeded, the acknowledgement count. If this retry count is exceeded, the acknowledgement
of the notification is considered to have failed, and of the notification is considered to have failed, and
processing of the notification for this management target is processing of the notification for this management target is
halted. Note that some report indications might be considered halted. Note that some report indications might be considered
a failure. Such report indications should be interpreted to a failure. Such report indications should be interpreted to
mean that the acknowledgement of the notification has failed. mean that the acknowledgement of the notification has failed.
Responses to Inform PDU notifications will be received via the Responses to Confirmed-Class PDU notifications will be received via
processResponsePDU abstract service interface. the processResponsePdu abstract service interface.
To summarize, the steps that a notification originator follows when To summarize, the steps that a notification originator follows when
determing where to send a notification are: determining where to send a notification are:
- Determine the targets to which the notification should be - Determine the targets to which the notification should be
sent. sent.
- Apply any required filtering to the list of targets. - Apply any required filtering to the list of targets.
- Determine which targets are authorized to receive the - Determine which targets are authorized to receive the
notification. notification.
3.4. Notification Receiver Applications 3.4. Notification Receiver Applications
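Review bot: The retry text at the end of step (6) still says "some report indications might be considered a failure. Such report indications should be interpreted to mean ..." in the -02 column, while the -02 text of section 3.5 replaces "report indication" with "Internal-Class PDU". Either convert these two sentences as well, or say that the older term is kept here on purpose, so a reader does not take them for two different things.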
skipping to change at page 21, line 48 skipping to change at page 21, line 48
- The pduVersion indicates the version of the PDU in the - The pduVersion indicates the version of the PDU in the
received message. received message.
- The PDU is the value from the received message. - The PDU is the value from the received message.
- The maxSizeResponseScopedPDU is the maximum allowable size of - The maxSizeResponseScopedPDU is the maximum allowable size of
a ScopedPDU containing a Response PDU (based on the maximum a ScopedPDU containing a Response PDU (based on the maximum
message size that the originator of the message can accept). message size that the originator of the message can accept).
- If the message contains an SNMPv2-Trap PDU, the stateReference - If the message contains an Unconfirmed-Class PDU, the
is undefined and unused. Otherwise, the stateReference is a stateReference is undefined and unused. Otherwise, the
value which references cached information about the stateReference is a value which references cached information
notification. This value must be returned to the Dispatcher about the notification. This value must be returned to the
in order to generate a response. Dispatcher in order to generate a response.
When an SNMPv2-Trap PDU is delivered to a notification receiver When an Unconfirmed-Class PDU is delivered to a notification receiver
application, it first extracts the SNMP operation type, request-id, application, it first extracts the SNMP operation type, request-id,
error-status, error-index, and variable-bindings from the PDU. After error-status, error-index, and variable-bindings from the PDU. After
this, processing depends on the particular implementation. this, processing depends on the particular implementation.
When an Inform PDU is received, the notification receiver application When a Confirmed-Class PDU is received, the notification receiver
follows the following procedure: application follows the following procedure:
(1) The SNMPv2 operation type, request-id, error-status, error-index, (1) The PDU type, request-id, error-status, error-index, and variable-
and variable-bindings are extracted from the PDU. bindings are extracted from the PDU.
(2) A Response PDU is constructed using the extracted request-id and (2) A Response-Class PDU is constructed using the extracted request-id
variable-bindings, and with error-status and error-index both set and variable-bindings, and with error-status and error-index both
to 0. set to 0.
(3) The Dispatcher is called to generate a response message using the (3) The Dispatcher is called to generate a response message using the
returnResponsePdu abstract service interface. Parameters are: returnResponsePdu abstract service interface. Parameters are:
- The messageProcessingModel is the value from the processPdu - The messageProcessingModel is the value from the processPdu
call. call.
- The securityModel is the value from the processPdu call. - The securityModel is the value from the processPdu call.
- The securityName is the value from the processPdu call. - The securityName is the value from the processPdu call.
skipping to change at page 23, line 10 skipping to change at page 23, line 10
- The stateReference is the value from the processPdu call. - The stateReference is the value from the processPdu call.
- The statusInformation indicates that no error occurred and - The statusInformation indicates that no error occurred and
that a response should be generated. that a response should be generated.
3.5. Proxy Forwarder Applications 3.5. Proxy Forwarder Applications
A proxy forwarder application deals with forwarding SNMP messages. A proxy forwarder application deals with forwarding SNMP messages.
There are four basic types of messages which a proxy forwarder There are four basic types of messages which a proxy forwarder
application may need to forward. These are grouped according to the application may need to forward. These are grouped according to the
PDU type contained in a message, or according to whether a report class of PDU type contained in a message. The four basic types of
indication is contained in the message. The four basic types of
messages are: messages are:
- Those containing PDU types which were generated by a command - Those containing Read-Class or Write-Class PDU types (for
generator application (for example, Get, GetNext, GetBulk, and example, Get, GetNext, GetBulk, and Set PDU types). These
Set PDU types). These deal with requesting or modifying deal with requesting or modifying information located within a
information located within a particular context. particular context.
- Those containing PDU types which were generated by a - Those containing Notification-Class PDU types (for example,
notification originator application (for example, SNMPv2-Trap SNMPv2-Trap and Inform PDU types). These deal with
and Inform PDU types). These deal with notifications notifications concerning information located within a
concerning information located within a particular context. particular context.
- Those containing a Response PDU type. Forwarding of Response - Those containing a Response-Class PDU type. Forwarding of
PDUs always occurs as a result of receiving a response to a Response PDUs always occurs as a result of receiving a
previously forwarded message. response to a previously forwarded message.
- Those containing a report indication. Forwarding of report - Those containing Internal-Class PDU types (for example, a
indications always occurs as a result of receiving a report Report PDU). Forwarding of Internal-Class PDU types always
indication for a previously forwarded message. occurs as a result of receiving an Internal-Class PDU in
response to a previously forwarded message.
For the first type, the proxy forwarder's role is to deliver a For the first type, the proxy forwarder's role is to deliver a
request for management information to an SNMP engine which is request for management information to an SNMP engine which is
"closer" or "downstream in the path" to the SNMP engine which has "closer" or "downstream in the path" to the SNMP engine which has
access to that information, and to deliver the response containing access to that information, and to deliver the response containing
the information back to the SNMP engine from which the request was the information back to the SNMP engine from which the request was
received. The context information in a request is used to determine received. The context information in a request is used to determine
which SNMP engine has access to the requested information, and this which SNMP engine has access to the requested information, and this
is used to determine where and how to forward the request. is used to determine where and how to forward the request.
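Review bot: The third bullet in the -02 column mixes terms: it opens with "Those containing a Response-Class PDU type" but continues "Forwarding of Response PDUs always occurs", whereas the fourth bullet uses "Internal-Class PDU types" in both of its sentences. Change the second sentence to "Forwarding of Response-Class PDUs" so the bullet does not read as narrower than its own first sentence.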
skipping to change at page 24, line 7 skipping to change at page 24, line 7
contained in the notification applies. This is used to determine contained in the notification applies. This is used to determine
which SNMP engines should receive notification about this which SNMP engines should receive notification about this
information. information.
For the third type, the proxy forwarder's role is to determine which For the third type, the proxy forwarder's role is to determine which
previously forwarded request or notification (if any) the response previously forwarded request or notification (if any) the response
matches, and to forward the response back to the initiator of the matches, and to forward the response back to the initiator of the
request or notification. request or notification.
For the fourth type, the proxy forwarder's role is to determine which For the fourth type, the proxy forwarder's role is to determine which
previously forwarded request or notification (if any) the report previously forwarded request or notification (if any) the Internal-
indication matches, and to forward the report indication back to the Class PDU matches, and to forward the Internal-Class PDU back to the
initiator of the request or notification. initiator of the request or notification.
When forwarding messages, a proxy forwarder application must perform When forwarding messages, a proxy forwarder application must perform
a translation of incoming management target information into outgoing a translation of incoming management target information into outgoing
management target information. How this translation is performed is management target information. How this translation is performed is
implementation specific. In many cases, this will be driven by a implementation specific. In many cases, this will be driven by a
preconfigured translation table. If a proxy forwarder application preconfigured translation table. If a proxy forwarder application
makes the contents of this table SNMP manageable, it MUST use the makes the contents of this table SNMP manageable, it MUST use the
SNMP-PROXY-MIB module defined in this document. SNMP-PROXY-MIB module defined in this document.
skipping to change at page 27, line 35 skipping to change at page 27, line 35
locate an entry in its cache of pending forwarded requests. This locate an entry in its cache of pending forwarded requests. This
is done by matching the received parameters with the cached values is done by matching the received parameters with the cached values
of sendPduHandle, contextEngineID, contextName, outgoing management of sendPduHandle, contextEngineID, contextName, outgoing management
target information, and the request-id contained in the received target information, and the request-id contained in the received
PDU (the proxy forwarder must extract the request-id for this PDU (the proxy forwarder must extract the request-id for this
purpose). If an appropriate cache entry cannot be found, purpose). If an appropriate cache entry cannot be found,
processing of the response is halted. Otherwise: processing of the response is halted. Otherwise:
(2) The cache information is extracted, and removed from the cache. (2) The cache information is extracted, and removed from the cache.
(3) A new Response PDU is constructed, using the request-id value from (3) A new Response-Class PDU is constructed, using the request-id value
the original forwarded request (as extracted from the cache). All from the original forwarded request (as extracted from the cache).
other values are identical to those in the received Response PDU, All other values are identical to those in the received Response-
unless the incoming SNMP version and the outgoing SNMP version Class PDU, unless the incoming SNMP version and the outgoing SNMP
support different PDU versions, in which case the proxy forwarder version support different PDU versions, in which case the proxy
may need to perform a translation on the PDU. (A method for forwarder may need to perform a translation on the PDU. (A method
performing such a translation is described in [COEX].) for performing such a translation is described in [COEX].)
(4) The proxy forwarder calls the Dispatcher using the (4) The proxy forwarder calls the Dispatcher using the
returnResponsePdu abstract service interface. Parameters are: returnResponsePdu abstract service interface. Parameters are:
- The messageProcessingModel indicates the Message Processing - The messageProcessingModel indicates the Message Processing
Model by which the original incoming message was processed. Model by which the original incoming message was processed.
- The securityModel is that of the original incoming management - The securityModel is that of the original incoming management
target extracted from the cache. target extracted from the cache.
skipping to change at page 28, line 31 skipping to change at page 28, line 31
- The PDU is the (possibly translated) Response PDU. - The PDU is the (possibly translated) Response PDU.
- The maxSizeResponseScopedPDU is a local value indicating the - The maxSizeResponseScopedPDU is a local value indicating the
maximum size of a ScopedPDU that the application can accept. maximum size of a ScopedPDU that the application can accept.
- The stateReference is the value extracted from the cache. - The stateReference is the value extracted from the cache.
- The statusInformation indicates that no error occurred and - The statusInformation indicates that no error occurred and
that a Response PDU message should be generated. that a Response PDU message should be generated.
3.5.1.3. Processing an Incoming Report Indication 3.5.1.3. Processing an Incoming Internal-Class PDU
A proxy forwarder follows the following procedure when an incoming A proxy forwarder follows the following procedure when an incoming
report indication is received: Internal-Class PDU is received:
(1) The incoming report indication is received using the (1) The incoming Internal-Class PDU is received using the
processResponsePdu interface. The proxy forwarder uses the processResponsePdu interface. The proxy forwarder uses the
received parameters to locate an entry in its cache of pending received parameters to locate an entry in its cache of pending
forwarded requests. This is done by matching the received forwarded requests. This is done by matching the received
parameters with the cached values of sendPduHandle. If an parameters with the cached values of sendPduHandle. If an
appropriate cache entry cannot be found, processing of the report appropriate cache entry cannot be found, processing of the
indication is halted. Otherwise: Internal-Class PDU is halted. Otherwise:
(2) The cache information is extracted, and removed from the cache. (2) The cache information is extracted, and removed from the cache.
(3) If the original incoming management target information indicates an (3) If the original incoming management target information indicates an
SNMP version which does not support Report PDUs, processing of the SNMP version which does not support Report PDUs, processing of the
report indication is halted. Internal-Class PDU is halted.
(4) The proxy forwarder calls the Dispatcher using the (4) The proxy forwarder calls the Dispatcher using the
returnResponsePdu abstract service interface. Parameters are: returnResponsePdu abstract service interface. Parameters are:
- The messageProcessingModel indicates the Message Processing - The messageProcessingModel indicates the Message Processing
Model by which the original incoming message was processed. Model by which the original incoming message was processed.
- The securityModel is that of the original incoming management - The securityModel is that of the original incoming management
target extracted from the cache. target extracted from the cache.
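Review bot: Step (3) of 3.5.1.3 in the -02 column tests for "an SNMP version which does not support Report PDUs" but then halts processing of "the Internal-Class PDU", so the condition names one PDU type while the action covers the whole class. The bullet list in 3.5 gives Report PDU only as an example of Internal-Class, so the condition should be stated in terms of the Internal-Class PDU type actually received. The parameter list just above 3.5.1.3 also still says "Response PDU" twice in both columns, where the matching statusInformation line at the end of 3.5.2 now says "Response-Class PDU message".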
skipping to change at page 29, line 34 skipping to change at page 29, line 34
- The pduVersion indicates the version of the PDU to be - The pduVersion indicates the version of the PDU to be
returned. returned.
- The PDU is unused. - The PDU is unused.
- The maxSizeResponseScopedPDU is a local value indicating the - The maxSizeResponseScopedPDU is a local value indicating the
maximum size of a ScopedPDU that the application can accept. maximum size of a ScopedPDU that the application can accept.
- The stateReference is the value extracted from the cache. - The stateReference is the value extracted from the cache.
- The statusInformation contain the contextEngineID, - The statusInformation contains values specific to the
contextName, counter OID, and counter value received in the Internal-Class PDU type (for example, for a Report PDU, the
report indication. statusInformation contains the contextEngineID, contextName,
counter OID, and counter value received in the incoming Report
PDU).
3.5.2. Notification Forwarding 3.5.2. Notification Forwarding
A proxy forwarder receives notifications in the same manner as a A proxy forwarder receives notifications in the same manner as a
notification receiver application, using the processPdu abstract notification receiver application, using the processPdu abstract
service interface. The following procedure is used when a service interface. The following procedure is used when a
notification is received: notification is received:
(1) The incoming management target information received from the (1) The incoming management target information received from the
processPdu interface is translated into outgoing management target processPdu interface is translated into outgoing management target
information. Note that this translation may vary for different information. Note that this translation may vary for different
values of contextEngineID and/or contextName. The translation may values of contextEngineID and/or contextName. The translation may
result in multiple management targets. result in multiple management targets.
(2) If appropriate outgoing management target information cannot be (2) If appropriate outgoing management target information cannot be
found and the notification was a Trap, processing of the found and the notification was an Unconfirmed-Class PDU, processing
notification is halted. If appropriate outgoing management target of the notification is halted. If appropriate outgoing management
information cannot be found and the notification was an Inform, the target information cannot be found and the notification was a
proxy forwarder increments the snmpProxyDrops object, and calls the Confirmed-Class PDU, the proxy forwarder increments the
Dispatcher using the returnResponsePdu abstract service interface. snmpProxyDrops object, and calls the Dispatcher using the
The parameters are: returnResponsePdu abstract service interface. The parameters are:
- The messageProcessingModel is the received value. - The messageProcessingModel is the received value.
- The securityModel is the received value. - The securityModel is the received value.
- The securityName is the received value. - The securityName is the received value.
- The securityLevel is the received value. - The securityLevel is the received value.
- The contextEngineID is the received value. - The contextEngineID is the received value.
skipping to change at page 31, line 10 skipping to change at page 31, line 12
- The outgoing management targets previously determined are - The outgoing management targets previously determined are
used. used.
- No filtering mechanisms are applied. - No filtering mechanisms are applied.
- The variable-bindings from the original received notification - The variable-bindings from the original received notification
are used, rather than retrieving variable-bindings from local are used, rather than retrieving variable-bindings from local
MIB instrumentation. In particular, no access-control is MIB instrumentation. In particular, no access-control is
applied to these variable-bindings. applied to these variable-bindings.
- If the original notification contains an InformRequest PDU, - If the original notification contains a Confirmed-Class PDU,
then any outgoing management targets, for which the outgoing then any outgoing management targets, for which the outgoing
SNMP version does not support InformRequest PDUs, will not be SNMP version does not support and PDU types which are both
used when generating the forwarded notifications. Notification-Class and Confirmed-Class PDUs, will not be used
when generating the forwarded notifications.
- If, for any of the outgoing management targets, the incoming - If, for any of the outgoing management targets, the incoming
SNMP version and the outgoing SNMP version support different SNMP version and the outgoing SNMP version support different
PDU versions, the proxy forwarder may need to perform a PDU versions, the proxy forwarder may need to perform a
translation on the PDU. (A method for performing such a translation on the PDU. (A method for performing such a
translation is described in [COEX].) translation is described in [COEX].)
(4) If the original received notification contains an SNMPv2-Trap PDU, (4) If the original received notification contains an Unconfirmed-Class
processing of the notification is now completed. Otherwise, the PDU, processing of the notification is now completed. Otherwise,
original received notification must contain an Inform PDU, and the original received notification must contain a Confirmed-Class
processing continues. PDU, and processing continues.
(5) If the forwarded notifications included any Inform PDUs, processing (5) If the forwarded notifications included any Confirmed-Class PDUs,
continues when the procedures described in the section for processing continues when the procedures described in the section
Notification Originators determine that either: for Notification Originators determine that either:
- None of the generated notifications containing Inform PDUs - None of the generated notifications containing Confirmed-Class
have been successfully acknowledged within the longest of the PDUs have been successfully acknowledged within the longest of
time intervals, in which case processing of the original the time intervals, in which case processing of the original
notification is halted, or, notification is halted, or,
- At least one of the generated notifications containing Inform - At least one of the generated notifications containing
PDUs is successfully acknowledged, in which case a response to Confirmed-Class PDUs is successfully acknowledged, in which
the original received notification containing an Inform PDU is case a response to the original received notification
generated as described in the following steps. containing an Confirmed-Class PDU is generated as described in
the following steps.
(6) A Response PDU is constructed, using the values of request-id and (6) A Response-Class PDU is constructed, using the values of request-id
variable-bindings from the original received Inform PDU, and and variable-bindings from the original received Notification-Class
error-status and error-index values of 0. PDU, and error-status and error-index values of 0.
(7) The Dispatcher is called using the returnResponsePdu abstract (7) The Dispatcher is called using the returnResponsePdu abstract
service interface. Parameters are: service interface. Parameters are:
- The messageProcessingModel is the originally received value. - The messageProcessingModel is the originally received value.
- The securityModel is the originally received value. - The securityModel is the originally received value.
- The securityName is the originally received value. - The securityName is the originally received value.
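Review bot: The rewritten bullet before step (4) in the -02 column reads "does not support and PDU types which are both Notification-Class and Confirmed-Class PDUs"; "and" should be "any", otherwise the sentence does not parse. The same region has "containing an Confirmed-Class PDU" in step (5), which should be "a Confirmed-Class PDU". Step (6) takes request-id and variable-bindings from "the original received Notification-Class PDU" where steps (4) and (5) say Confirmed-Class; using "Confirmed-Class PDU" there keeps the three steps aligned, since only a confirmed notification reaches step (6).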
skipping to change at page 32, line 24 skipping to change at page 32, line 28
step (6) above. step (6) above.
- The PDU is the value constructed in step (6) above. - The PDU is the value constructed in step (6) above.
- The maxSizeResponseScopedPDU is a local value indicating the - The maxSizeResponseScopedPDU is a local value indicating the
maximum size of a ScopedPDU that the application can accept. maximum size of a ScopedPDU that the application can accept.
- The stateReference is the originally received value. - The stateReference is the originally received value.
- The statusInformation indicates that no error occurred and - The statusInformation indicates that no error occurred and
that a Response PDU message should be generated. that a Response-Class PDU message should be generated.
4. The Structure of the MIB Modules 4. The Structure of the MIB Modules
There are three separate MIB modules described in this document, the There are three separate MIB modules described in this document, the
management target MIB, the notification MIB, and the proxy MIB. The management target MIB, the notification MIB, and the proxy MIB. The
following sections describe the structure of these three MIB modules. following sections describe the structure of these three MIB modules.
The use of these MIBs by particular types of applications is The use of these MIBs by particular types of applications is
described later in this document: described later in this document:
skipping to change at page 35, line 38 skipping to change at page 35, line 38
CONTACT-INFO CONTACT-INFO
"WG-email: snmpv3@tis.com "WG-email: snmpv3@tis.com
Subscribe: majordomo@tis.com Subscribe: majordomo@tis.com
In message body: subscribe snmpv3 In message body: subscribe snmpv3
Chair: Russ Mundy Chair: Russ Mundy
Trusted Information Systems Trusted Information Systems
Postal: 3060 Washington Rd Postal: 3060 Washington Rd
Glenwood MD 21738 Glenwood MD 21738
USA USA
Email: mundy@tis.com EMail: mundy@tis.com
Phone: +1-301-854-6889 Phone: +1-301-854-6889
Co-editor: David B. Levi Co-editor: David B. Levi
SNMP Research, Inc. SNMP Research, Inc.
Postal: 3001 Kimberlin Heights Road Postal: 3001 Kimberlin Heights Road
Knoxville, TN 37920-9716 Knoxville, TN 37920-9716
E-mail: levi@snmp.com EMail: levi@snmp.com
Phone: +1 423 573 1434 Phone: +1 423 573 1434
Co-editor: Paul Meyer Co-editor: Paul Meyer
Secure Computing Corporation Secure Computing Corporation
Postal: 2675 Long Lake Road Postal: 2675 Long Lake Road
Roseville, MN 55113 Roseville, MN 55113
E-mail: paul_meyer@securecomputing.com EMail: paul_meyer@securecomputing.com
Phone: +1 612 628 1592 Phone: +1 651 628 1592
Co-editor: Bob Stewart Co-editor: Bob Stewart
Cisco Systems, Inc. Cisco Systems, Inc.
Postal: 170 West Tasman Drive Postal: 170 West Tasman Drive
San Jose, CA 95134-1706 San Jose, CA 95134-1706
E-mail: bstewart@cisco.com EMail: bstewart@cisco.com
Phone: +1 603 654 2686" Phone: +1 603 654 2686"
DESCRIPTION DESCRIPTION
"This MIB module defines MIB objects which provide "This MIB module defines MIB objects which provide
mechanisms to remotely configure the parameters used mechanisms to remotely configure the parameters used
by an SNMP entity for the generation of SNMP messages." by an SNMP entity for the generation of SNMP messages."
REVISION "9808040000Z" REVISION "9808040000Z"
DESCRIPTION "Clarifications, published as DESCRIPTION "Clarifications, published as
draft-ietf-snmpv3-appl-v2-01.txt." draft-ietf-snmpv3-appl-v2-01.txt."
REVISION "9707140000Z" REVISION "9707140000Z"
DESCRIPTION "The initial revision, published as RFC2273." DESCRIPTION "The initial revision, published as RFC2273."
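Review bot: the REVISION list in the right-hand column still begins at "9808040000Z" with the description "published as draft-ietf-snmpv3-appl-v2-01.txt", so the -02 text of this module has no revision entry of its own even though CONTACT-INFO changes in this hunk (the EMail labels and the 651 area code). Add a REVISION clause for the -02 publication and keep LAST-UPDATED in step with it. The MODULE-IDENTITY hunks of the other two modules show the same unchanged REVISION lines.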
skipping to change at page 50, line 14 skipping to change at page 50, line 14
CONTACT-INFO CONTACT-INFO
"WG-email: snmpv3@tis.com "WG-email: snmpv3@tis.com
Subscribe: majordomo@tis.com Subscribe: majordomo@tis.com
In message body: subscribe snmpv3 In message body: subscribe snmpv3
Chair: Russ Mundy Chair: Russ Mundy
Trusted Information Systems Trusted Information Systems
Postal: 3060 Washington Rd Postal: 3060 Washington Rd
Glenwood MD 21738 Glenwood MD 21738
USA USA
Email: mundy@tis.com EMail: mundy@tis.com
Phone: +1-301-854-6889 Phone: +1-301-854-6889
Co-editor: David B. Levi Co-editor: David B. Levi
SNMP Research, Inc. SNMP Research, Inc.
Postal: 3001 Kimberlin Heights Road Postal: 3001 Kimberlin Heights Road
Knoxville, TN 37920-9716 Knoxville, TN 37920-9716
E-mail: levi@snmp.com EMail: levi@snmp.com
Phone: +1 423 573 1434 Phone: +1 423 573 1434
Co-editor: Paul Meyer Co-editor: Paul Meyer
Secure Computing Corporation Secure Computing Corporation
Postal: 2675 Long Lake Road Postal: 2675 Long Lake Road
Roseville, MN 55113 Roseville, MN 55113
E-mail: paul_meyer@securecomputing.com EMail: paul_meyer@securecomputing.com
Phone: +1 612 628 1592 Phone: +1 651 628 1592
Co-editor: Bob Stewart Co-editor: Bob Stewart
Cisco Systems, Inc. Cisco Systems, Inc.
Postal: 170 West Tasman Drive Postal: 170 West Tasman Drive
San Jose, CA 95134-1706 San Jose, CA 95134-1706
E-mail: bstewart@cisco.com EMail: bstewart@cisco.com
Phone: +1 603 654 2686" Phone: +1 603 654 2686"
DESCRIPTION DESCRIPTION
"This MIB module defines MIB objects which provide "This MIB module defines MIB objects which provide
mechanisms to remotely configure the parameters mechanisms to remotely configure the parameters
used by an SNMP entity for the generation of used by an SNMP entity for the generation of
notifications." notifications."
REVISION "9808040000Z" REVISION "9808040000Z"
DESCRIPTION "Clarifications, published as DESCRIPTION "Clarifications, published as
draft-ietf-snmpv3-appl-v2-01.txt." draft-ietf-snmpv3-appl-v2-01.txt."
REVISION "9707140000Z" REVISION "9707140000Z"
skipping to change at page 52, line 39 skipping to change at page 52, line 39
DESCRIPTION DESCRIPTION
"This object determines the type of notification to "This object determines the type of notification to
be generated for entries in the snmpTargetAddrTable be generated for entries in the snmpTargetAddrTable
selected by the corresponding instance of selected by the corresponding instance of
snmpNotifyTag. This value is only used when snmpNotifyTag. This value is only used when
generating notifications, and is ignored when generating notifications, and is ignored when
using the snmpTargetAddrTable for other purposes. using the snmpTargetAddrTable for other purposes.
If the value of this object is trap(1), then any If the value of this object is trap(1), then any
messages generated for selected rows will contain messages generated for selected rows will contain
SNMPv2-Trap PDUs. Unconfirmed-Class PDUs.
If the value of this object is inform(2), then any If the value of this object is inform(2), then any
messages generated for selected rows will contain messages generated for selected rows will contain
Inform PDUs. Confirmed-Class PDUs.
Note that if an SNMP entity only supports Note that if an SNMP entity only supports
generation of traps (and not informs), then this generation of Unconfirmed-Class PDUs (and not
object may be read-only." Confirmed-Class PDUs), then this object may be
read-only."
DEFVAL { trap } DEFVAL { trap }
::= { snmpNotifyEntry 3 } ::= { snmpNotifyEntry 3 }
snmpNotifyStorageType OBJECT-TYPE snmpNotifyStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this conceptual row." "The storage type for this conceptual row."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { snmpNotifyEntry 4 } ::= { snmpNotifyEntry 4 }
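Review bot: in the snmpNotifyType DESCRIPTION the enumeration labels stay trap(1) and inform(2) while the text now speaks only of Unconfirmed-Class and Confirmed-Class PDUs, and nothing in the clause says where those classes are defined. Someone reading the extracted MIB module cannot tell from this text which PDU types belong to each class. Add a pointer to the defining document, or keep the types the old text named (SNMPv2-Trap, Inform) as parenthetical examples.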
skipping to change at page 55, line 12 skipping to change at page 55, line 12
SYNTAX SEQUENCE OF SnmpNotifyFilterEntry SYNTAX SEQUENCE OF SnmpNotifyFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The table of filter profiles. Filter profiles are used "The table of filter profiles. Filter profiles are used
to determine whether particular management targets should to determine whether particular management targets should
receive particular notifications. receive particular notifications.
When a notification is generated, it must be compared When a notification is generated, it must be compared
with the filters associated with each management target with the filters associated with each management target
which is configured to receive notifications. If the which is configured to receive notifications, in order to
notification is matched by a filter, it is not sent to determine whether it may be sent to each such management
the management target with which the filter is target.
associated.
A more complete discussion of notification filtering A more complete discussion of notification filtering
can be found in section 6. of this document." can be found in section 6. of [SNMP-APPL]."
::= { snmpNotifyObjects 3 } ::= { snmpNotifyObjects 3 }
snmpNotifyFilterEntry OBJECT-TYPE snmpNotifyFilterEntry OBJECT-TYPE
SYNTAX SnmpNotifyFilterEntry SYNTAX SnmpNotifyFilterEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An element of a filter profile. "An element of a filter profile.
Entries in the snmpNotifyFilterTable are created and Entries in the snmpNotifyFilterTable are created and
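Review bot: "section 6. of [SNMP-APPL]" in the snmpNotifyFilterTable DESCRIPTION has a stray period after the section number, and the bracketed tag resolves only through this draft's reference list, which is lost once the module is extracted. Spell out the document title in the DESCRIPTION or move the pointer to a REFERENCE clause. The snmpNotifyFilterType DESCRIPTION carries the same wording. The rewritten sentence also no longer states any outcome of the comparison, so check that section 6 now gives the complete rule.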
skipping to change at page 57, line 22 skipping to change at page 57, line 20
SYNTAX INTEGER { SYNTAX INTEGER {
included(1), included(1),
excluded(2) excluded(2)
} }
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object indicates whether the family of filter subtrees "This object indicates whether the family of filter subtrees
defined by this entry are included in or excluded from a defined by this entry are included in or excluded from a
filter. A more detailed discussion of the use of this filter. A more detailed discussion of the use of this
object can be found in section 6. of this document." object can be found in section 6. of [SNMP-APPL]."
DEFVAL { included } DEFVAL { included }
::= { snmpNotifyFilterEntry 3 } ::= { snmpNotifyFilterEntry 3 }
snmpNotifyFilterStorageType OBJECT-TYPE snmpNotifyFilterStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type of this conceptual row." "The storage type of this conceptual row."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
skipping to change at page 58, line 21 skipping to change at page 58, line 19
-- --
-- --
-- Compliance statements -- Compliance statements
-- --
-- --
snmpNotifyBasicCompliance MODULE-COMPLIANCE snmpNotifyBasicCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The compliance statement for minimal SNMP entities which "The compliance statement for minimal SNMP entities which
implement only SNMP Traps and read-create operations on implement only SNMP Unconfirmed-Class notifications and
only the snmpTargetAddrTable." read-create operations on only the snmpTargetAddrTable."
MODULE SNMP-TARGET-MIB MODULE SNMP-TARGET-MIB
MANDATORY-GROUPS { snmpTargetBasicGroup } MANDATORY-GROUPS { snmpTargetBasicGroup }
OBJECT snmpTargetParamsMPModel OBJECT snmpTargetParamsMPModel
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Create/delete/modify access is not required." "Create/delete/modify access is not required."
OBJECT snmpTargetParamsSecurityModel OBJECT snmpTargetParamsSecurityModel
MIN-ACCESS read-only MIN-ACCESS read-only
skipping to change at page 60, line 19 skipping to change at page 60, line 17
Support of the values notInService(2), notReady(3), Support of the values notInService(2), notReady(3),
createAndGo(4), createAndWait(5), and destroy(6) is createAndGo(4), createAndWait(5), and destroy(6) is
not required." not required."
::= { snmpNotifyCompliances 1 } ::= { snmpNotifyCompliances 1 }
snmpNotifyBasicFiltersCompliance MODULE-COMPLIANCE snmpNotifyBasicFiltersCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The compliance statement for SNMP entities which implement "The compliance statement for SNMP entities which implement
SNMP Traps with filtering, and read-create operations on SNMP Unconfirmed-Class notifications with filtering, and
all related tables." read-create operations on all related tables."
MODULE SNMP-TARGET-MIB MODULE SNMP-TARGET-MIB
MANDATORY-GROUPS { snmpTargetBasicGroup } MANDATORY-GROUPS { snmpTargetBasicGroup }
MODULE -- This Module MODULE -- This Module
MANDATORY-GROUPS { snmpNotifyGroup, MANDATORY-GROUPS { snmpNotifyGroup,
snmpNotifyFilterGroup } snmpNotifyFilterGroup }
::= { snmpNotifyCompliances 2 } ::= { snmpNotifyCompliances 2 }
snmpNotifyFullCompliance MODULE-COMPLIANCE snmpNotifyFullCompliance MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The compliance statement for SNMP entities which either "The compliance statement for SNMP entities which either
implement only SNMP Informs, or both SNMP Traps and SNMP implement only SNMP Confirmed-Class notifications, or both
Informs, plus filtering and read-create operations on SNMP Unconfirmed-Class and Confirmed-Class notifications,
all related tables." plus filtering and read-create operations on all related
tables."
MODULE SNMP-TARGET-MIB MODULE SNMP-TARGET-MIB
MANDATORY-GROUPS { snmpTargetBasicGroup, MANDATORY-GROUPS { snmpTargetBasicGroup,
snmpTargetResponseGroup } snmpTargetResponseGroup }
MODULE -- This Module MODULE -- This Module
MANDATORY-GROUPS { snmpNotifyGroup, MANDATORY-GROUPS { snmpNotifyGroup,
snmpNotifyFilterGroup } snmpNotifyFilterGroup }
::= { snmpNotifyCompliances 3 } ::= { snmpNotifyCompliances 3 }
snmpNotifyGroup OBJECT-GROUP snmpNotifyGroup OBJECT-GROUP
OBJECTS { OBJECTS {
skipping to change at page 63, line 4 skipping to change at page 63, line 4
CONTACT-INFO CONTACT-INFO
"WG-email: snmpv3@tis.com "WG-email: snmpv3@tis.com
Subscribe: majordomo@tis.com Subscribe: majordomo@tis.com
In message body: subscribe snmpv3 In message body: subscribe snmpv3
Chair: Russ Mundy Chair: Russ Mundy
Trusted Information Systems Trusted Information Systems
Postal: 3060 Washington Rd Postal: 3060 Washington Rd
Glenwood MD 21738 Glenwood MD 21738
USA USA
Email: mundy@tis.com EMail: mundy@tis.com
Phone: +1-301-854-6889 Phone: +1-301-854-6889
Co-editor: David B. Levi Co-editor: David B. Levi
SNMP Research, Inc. SNMP Research, Inc.
Postal: 3001 Kimberlin Heights Road Postal: 3001 Kimberlin Heights Road
Knoxville, TN 37920-9716 Knoxville, TN 37920-9716
E-mail: levi@snmp.com EMail: levi@snmp.com
Phone: +1 423 573 1434 Phone: +1 423 573 1434
Co-editor: Paul Meyer Co-editor: Paul Meyer
Secure Computing Corporation Secure Computing Corporation
Postal: 2675 Long Lake Road Postal: 2675 Long Lake Road
Roseville, MN 55113 Roseville, MN 55113
E-mail: paul_meyer@securecomputing.com EMail: paul_meyer@securecomputing.com
Phone: +1 612 628 1592 Phone: +1 651 628 1592
Co-editor: Bob Stewart Co-editor: Bob Stewart
Cisco Systems, Inc. Cisco Systems, Inc.
Postal: 170 West Tasman Drive Postal: 170 West Tasman Drive
San Jose, CA 95134-1706 San Jose, CA 95134-1706
E-mail: bstewart@cisco.com EMail: bstewart@cisco.com
Phone: +1 603 654 2686" Phone: +1 603 654 2686"
DESCRIPTION DESCRIPTION
"This MIB module defines MIB objects which provide "This MIB module defines MIB objects which provide
mechanisms to remotely configure the parameters mechanisms to remotely configure the parameters
used by a proxy forwarding application." used by a proxy forwarding application."
REVISION "9808040000Z" REVISION "9808040000Z"
DESCRIPTION "Clarifications, published as DESCRIPTION "Clarifications, published as
draft-ietf-snmpv3-appl-v2-01.txt." draft-ietf-snmpv3-appl-v2-01.txt."
REVISION "9707140000Z" REVISION "9707140000Z"
DESCRIPTION "The initial revision, published as RFC2273." DESCRIPTION "The initial revision, published as RFC2273."
skipping to change at page 69, line 29 skipping to change at page 69, line 29
snmpTargetAddrEntry may be selected by multiple entries in the snmpTargetAddrEntry may be selected by multiple entries in the
snmpNotifyTable, resulting in multiple notifications being generated snmpNotifyTable, resulting in multiple notifications being generated
using that snmpTargetAddrEntry. using that snmpTargetAddrEntry.
Each snmpTargetAddrEntry contains a pointer to the Each snmpTargetAddrEntry contains a pointer to the
snmpTargetParamsTable (snmpTargetAddrParams). This pointer selects a snmpTargetParamsTable (snmpTargetAddrParams). This pointer selects a
set of SNMP parameters to be used for generating notifications. If set of SNMP parameters to be used for generating notifications. If
the selected entry in the snmpTargetParamsTable does not exist, the the selected entry in the snmpTargetParamsTable does not exist, the
management target is not used to generate notifications. management target is not used to generate notifications.
The decision as to whether a notification should contain an SNMPv2- The decision as to whether a notification should contain an
Trap or Inform PDU is determined by the value of the snmpNotifyType Unconfirmed-Class or a Confirmed-Class PDU is determined by the value
object. If the value of this object is trap(1), the notification of the snmpNotifyType object. If the value of this object is
should contain an SNMPv2-Trap PDU. If the value of this object is trap(1), the notification should contain an Unconfirmed-Class PDU.
inform(2), then the notification should contain an Inform PDU, and If the value of this object is inform(2), then the notification
the timeout time and number of retries for the Inform are the value should contain a Confirmed-Class PDU, and the timeout time and number
of snmpTargetAddrTimeout and snmpTargetAddrRetryCount. Note that the of retries for the notification are the value of
snmpTargetAddrTimeout and snmpTargetAddrRetryCount. Note that the
exception to these rules is when the snmpTargetParamsMPModel object exception to these rules is when the snmpTargetParamsMPModel object
indicates an SNMP version which supports a different PDU version. In indicates an SNMP version which supports a different PDU version. In
this case, the notification may be sent using a different PDU type this case, the notification may be sent using a different PDU type
([COEX] defines the PDU type in the case where the outgoing SNMP ([COEX] defines the PDU type in the case where the outgoing SNMP
version is SNMPv1). version is SNMPv1).
6. Notification Filtering 6. Notification Filtering
This section describes the mechanisms used by a notification This section describes the mechanisms used by a notification
originator application when using the MIB module described in this originator application when using the MIB module described in this
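Review bot: the rewritten sentences choose only between an Unconfirmed-Class and a Confirmed-Class PDU, so the unchanged "Note that the exception to these rules" sentence, which allows "a different PDU type", no longer has a PDU type to differ from. Reword the exception to say what changes when snmpTargetParamsMPModel selects another SNMP version: the PDU type used within the class, or the class itself. Also, "are the value of snmpTargetAddrTimeout and snmpTargetAddrRetryCount" should read "are the values of".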
skipping to change at page 70, line 31 skipping to change at page 70, line 31
of the entry is compared with the corresponding portion of the index of the entry is compared with the corresponding portion of the index
of all active entries in the snmpNotifyFilterTable. All such entries of all active entries in the snmpNotifyFilterTable. All such entries
for which this comparison results in an exact match are used for for which this comparison results in an exact match are used for
filtering a notification generated using the associated filtering a notification generated using the associated
snmpTargetParamsEntry. If no such entries exist, no filtering is snmpTargetParamsEntry. If no such entries exist, no filtering is
performed, and a notification may be sent to the management target. performed, and a notification may be sent to the management target.
Otherwise, if matching entries do exist, a notification may be sent Otherwise, if matching entries do exist, a notification may be sent
if the NOTIFICATION-TYPE OBJECT IDENTIFIER of the notification (this if the NOTIFICATION-TYPE OBJECT IDENTIFIER of the notification (this
is the value of the element of the variable bindings whose name is is the value of the element of the variable bindings whose name is
snmpTrapOID.0, i.e., the second variable binding), and all of the snmpTrapOID.0, i.e., the second variable binding) is specifically
object instances to be included in the variable-bindings of the included, and none of the object instances to be included in the
notification, are not specifically excluded by the matching entries. variable-bindings of the notification are specifically excluded by
the matching entries.
Each set of snmpNotifyFilterTable entries is divided into two Each set of snmpNotifyFilterTable entries is divided into two
collections of filter subtrees: the included filter subtrees, and collections of filter subtrees: the included filter subtrees, and
the excluded filter subtrees. The snmpNotifyFilterType object the excluded filter subtrees. The snmpNotifyFilterType object
defines the collection to which each matching entry belongs. defines the collection to which each matching entry belongs.
To determine whether a particular notification name or object To determine whether a particular notification name or object
instance is excluded by the set of matching entries, compare the instance is excluded by the set of matching entries, compare the
notification name's or object instance's OBJECT IDENTIFIER with each notification name's or object instance's OBJECT IDENTIFIER with each
of the matching entries. If none match, then the notification name of the matching entries. For a notification name, if none match,
or object instance is considered excluded, and the notification then the notification name is considered excluded, and the
should not be sent to this management target. If one or more match, notification should not be sent to this management target. For an
then the notification name or object instance is included or object instance, if none match, the object instance is considered
excluded, according to the value of snmpNotifyFilterType in the entry included, and the notification may be sent to this management target.
whose value of snmpNotifyFilterSubtree has the most sub-identifiers. If one or more match, then the notification name or object instance
If multiple entries match and have the same number of sub- is included or excluded, according to the value of
identifiers, then the lexicographically greatest instance of snmpNotifyFilterType in the entry whose value of
snmpNotifyFilterType among those which match determines the inclusion snmpNotifyFilterSubtree has the most sub-identifiers. If multiple
or exclusion. entries match and have the same number of sub-identifiers, then the
lexicographically greatest instance of snmpNotifyFilterType among
those which match determines the inclusion or exclusion.
A notification name's or object instance's OBJECT IDENTIFIER X A notification name or object instance's OBJECT IDENTIFIER X matches
matches an entry in the snmpNotifyFilterTable when the number of an entry in the snmpNotifyFilterTable when the number of sub-
sub-identifiers in X is at least as many as in the value of identifiers in X is at least as many as in the value of
snmpNotifyFilterSubtree for the entry, and each sub-identifier in the snmpNotifyFilterSubtree for the entry, and each sub-identifier in the
value of snmpNotifyFilterSubtree matches its corresponding sub- value of snmpNotifyFilterSubtree matches its corresponding sub-
identifier in X. Two sub-identifiers match either if the identifier in X. Two sub-identifiers match either if the
corresponding bit of snmpNotifyFilterMask is zero (the 'wild card' corresponding bit of snmpNotifyFilterMask is zero (the 'wild card'
value), or if the two sub-identifiers are equal. value), or if the two sub-identifiers are equal.
7. Management Target Translation in Proxy Forwarder Applications 7. Management Target Translation in Proxy Forwarder Applications
This section describes the mechanisms used by a proxy forwarder This section describes the mechanisms used by a proxy forwarder
application when using the MIB module described in this document to application when using the MIB module described in this document to
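Review bot: the defaults for an OBJECT IDENTIFIER that matches no entry are now asymmetric in the "To determine whether" paragraph: a notification name is "considered excluded" while an object instance is "considered included", yet the preceding paragraph still says that with no entries at all "no filtering is performed". A profile that holds only excluded(2) subtrees therefore suppresses every notification to that target, which is easy to configure by accident and fails silently. Add a sentence stating that a profile must contain an included subtree covering each notification name that is to be sent. Separately, "A notification name or object instance's OBJECT IDENTIFIER X" drops the possessive that -01 had ("notification name's").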
skipping to change at page 72, line 21 skipping to change at page 72, line 21
There are actually two mechanisms a proxy forwarder may use, one for There are actually two mechanisms a proxy forwarder may use, one for
forwarding request messages, and one for forwarding notification forwarding request messages, and one for forwarding notification
messages. messages.
7.1. Management Target Translation for Request Forwarding 7.1. Management Target Translation for Request Forwarding
When forwarding request messages, the proxy forwarder will select a When forwarding request messages, the proxy forwarder will select a
single entry in the snmpProxyTable. To select this entry, it will single entry in the snmpProxyTable. To select this entry, it will
perform the following comparisons: perform the following comparisons:
- The snmpProxyType must be read(1) if the request is a Get, - The snmpProxyType must be read(1) if the request is a Read-
GetNext, or GetBulk request. The snmpProxyType must be Class PDU. The snmpProxyType must be write(2) if the request
write(2) if the request is a Set request. is a Write-Class PDU.
- The contextEngineID must equal the snmpProxyContextEngineID - The contextEngineID must equal the snmpProxyContextEngineID
object. object.
- If the snmpProxyContextName object is supported, it must equal - If the snmpProxyContextName object is supported, it must equal
the contextName. the contextName.
- The snmpProxyTargetParamsIn object identifies an entry in the - The snmpProxyTargetParamsIn object identifies an entry in the
snmpTargetParamsTable. The messageProcessingModel, snmpTargetParamsTable. The messageProcessingModel,
securityLevel, security model, and securityName must match the securityLevel, security model, and securityName must match the
skipping to change at page 73, line 24 skipping to change at page 73, line 24
snmpTargetParamsSecurityModel, snmpTargetParamsSecurityName, and snmpTargetParamsSecurityModel, snmpTargetParamsSecurityName, and
snmpTargetParamsSecurityLevel of the identified snmpTargetParamsEntry snmpTargetParamsSecurityLevel of the identified snmpTargetParamsEntry
are used as the destination management target. are used as the destination management target.
7.2. Management Target Translation for Notification Forwarding 7.2. Management Target Translation for Notification Forwarding
When forwarding notification messages, the proxy forwarder will When forwarding notification messages, the proxy forwarder will
select multiple entries in the snmpProxyTable. To select these select multiple entries in the snmpProxyTable. To select these
entries, it will perform the following comparisons: entries, it will perform the following comparisons:
- The snmpProxyType must be trap(3) if the notification is a - The snmpProxyType must be trap(3) if the notification is an
Trap. The snmpProxyType must be inform(4) if the request is Unconfirmed-Class PDU. The snmpProxyType must be inform(4) if
an Inform. the request is a Confirmed-Class PDU.
- The contextEngineID must equal the snmpProxyContextEngineID - The contextEngineID must equal the snmpProxyContextEngineID
object. object.
- If the snmpProxyContextName object is supported, it must equal - If the snmpProxyContextName object is supported, it must equal
the contextName. the contextName.
- The snmpProxyTargetParamsIn object identifies an entry in the - The snmpProxyTargetParamsIn object identifies an entry in the
snmpTargetParamsTable. The messageProcessingModel, snmpTargetParamsTable. The messageProcessingModel,
securityLevel, security model, and securityName must match the securityLevel, security model, and securityName must match the
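Review bot: in the first bullet of 7.2 the trap(3) sentence says "if the notification is an Unconfirmed-Class PDU" but the inform(4) sentence says "if the request is a Confirmed-Class PDU". The word "request" is carried over from -01 and should be "notification". With the class wording it invites confusion with the request forwarding of section 7.1.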
skipping to change at page 74, line 33 skipping to change at page 74, line 33
rights which may cover technology that may be required to practice rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive this standard. Please address the information to the IETF Executive
Director. Director.
9. Acknowledgments 9. Acknowledgments
This document is the result of the efforts of the SNMPv3 Working This document is the result of the efforts of the SNMPv3 Working
Group. Some special thanks are in order to the following SNMPv3 WG Group. Some special thanks are in order to the following SNMPv3 WG
members: members:
Harald Tveit Alvestrand (Maxware)
Dave Battle (SNMP Research, Inc.) Dave Battle (SNMP Research, Inc.)
Alan Beard (Disney Worldwide Services)
Paul Berrevoets (SWI Systemware/Halcyon Inc.)
Martin Bjorklund (Ericsson)
Uri Blumenthal (IBM T.J. Watson Research Center) Uri Blumenthal (IBM T.J. Watson Research Center)
Jeff Case (SNMP Research, Inc.) Jeff Case (SNMP Research, Inc.)
John Curran (BBN) John Curran (BBN)
Mike Daniele (Compaq Computer Corporation)
T. Max Devlin (Eltrax Systems) T. Max Devlin (Eltrax Systems)
John Flick (Hewlett Packard) John Flick (Hewlett Packard)
Rob Frye (MCI)
Wes Hardaker (U.C.Davis, Information Technology - D.C.A.S.)
David Harrington (Cabletron Systems Inc.) David Harrington (Cabletron Systems Inc.)
Lauren Heintz (BMC Software, Inc.)
N.C. Hien (IBM T.J. Watson Research Center) N.C. Hien (IBM T.J. Watson Research Center)
Michael Kirkham (InterWorking Labs, Inc.)
Dave Levi (SNMP Research, Inc.) Dave Levi (SNMP Research, Inc.)
Louis A Mamakos (UUNET Technologies Inc.) Louis A Mamakos (UUNET Technologies Inc.)
Joe Marzot (Nortel Networks)
Paul Meyer (Secure Computing Corporation) Paul Meyer (Secure Computing Corporation)
Keith McCloghrie (Cisco Systems) Keith McCloghrie (Cisco Systems)
Russ Mundy (Trusted Information Systems, Inc.) Bob Moore (IBM)
Russ Mundy (TIS Labs at Network Associates)
Bob Natale (ACE*COMM Corporation) Bob Natale (ACE*COMM Corporation)
Mike O'Dell (UUNET Technologies Inc.) Mike O'Dell (UUNET Technologies Inc.)
Dave Perkins (DeskTalk) Dave Perkins (DeskTalk)
Peter Polkinghorne (Brunel University) Peter Polkinghorne (Brunel University)
Randy Presuhn (BMC Software, Inc.) Randy Presuhn (BMC Software, Inc.)
David Reeder (TIS Labs at Network Associates)
David Reid (SNMP Research, Inc.) David Reid (SNMP Research, Inc.)
Aleksey Romanov (Quality Quorum)
Shawn Routhier (Epilogue) Shawn Routhier (Epilogue)
Juergen Schoenwaelder (TU Braunschweig) Juergen Schoenwaelder (TU Braunschweig)
Bob Stewart (Cisco Systems) Bob Stewart (Cisco Systems)
Mike Thatcher (Independent Consultant)
Bert Wijnen (IBM T.J. Watson Research Center) Bert Wijnen (IBM T.J. Watson Research Center)
The document is based on recommendations of the IETF Security and The document is based on recommendations of the IETF Security and
Administrative Framework Evolution for SNMP Advisory Team. Members of Administrative Framework Evolution for SNMP Advisory Team. Members of
that Advisory Team were: that Advisory Team were:
David Harrington (Cabletron Systems Inc.) David Harrington (Cabletron Systems Inc.)
Jeff Johnson (Cisco Systems) Jeff Johnson (Cisco Systems)
David Levi (SNMP Research Inc.) David Levi (SNMP Research Inc.)
John Linn (Openvision) John Linn (Openvision)
skipping to change at page 77, line 11 skipping to change at page 77, line 11
Finally, the MIBs described in this document contain potentially Finally, the MIBs described in this document contain potentially
sensitive information. A security administrator may wish to limit sensitive information. A security administrator may wish to limit
access to these MIBs. access to these MIBs.
11. References 11. References
[COEX] [COEX]
The SNMPv3 Working Group, Frye, R.,Levi, D., Wijnen, B., The SNMPv3 Working Group, Frye, R.,Levi, D., Wijnen, B.,
"Coexistence between Version 1, Version 2, and Version 3 of the "Coexistence between Version 1, Version 2, and Version 3 of the
Internet-standard Network Management Framework", draft-ietf- Internet-standard Network Management Framework", draft-ietf-
snmpv3-coex-01.txt, September 1998. snmpv3-coex-03.txt, January 1999.
[RFC1157] [RFC1157]
Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network
Management Protocol", RFC 1157, SNMP Research, Performance Systems Management Protocol", RFC 1157, SNMP Research, Performance Systems
International, Performance Systems International, MIT Laboratory International, Performance Systems International, MIT Laboratory
for Computer Science, May 1990. for Computer Science, May 1990.
[RFC1213] [RFC1213]
McCloghrie, K., and M. Rose, Editors, "Management Information Base McCloghrie, K., and M. Rose, Editors, "Management Information Base
for Network Management of TCP/IP-based internets: MIB-II", STD 17, for Network Management of TCP/IP-based internets: MIB-II", STD 17,
skipping to change at page 78, line 19 skipping to change at page 78, line 19
Research,Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., Research,Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc.,
International Network Services, January 1996. International Network Services, January 1996.
[RFC2119] [RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC2119, March 1997. Levels", BCP 14, RFC2119, March 1997.
[SNMP-ARCH] [SNMP-ARCH]
The SNMPv3 Working Group, Harrington, D., Wijnen, B., "An The SNMPv3 Working Group, Harrington, D., Wijnen, B., "An
Architecture for Describing SNMP Management Frameworks", draft- Architecture for Describing SNMP Management Frameworks", draft-
ietf-snmpv3-arch-01.txt, September 1998. ietf-snmpv3-arch-03.txt, January 1999.
[SNMP-MPD] [SNMP-MPD]
The SNMPv3 Working Group, Case, J., Harrington, D., Wijnen, B., The SNMPv3 Working Group, Case, J., Harrington, D., Wijnen, B.,
"Message Processing and Dispatching for the Simple Network "Message Processing and Dispatching for the Simple Network
Management Protocol (SNMP)", draft-ietf-snmpv3-mpc-01.txt, Management Protocol (SNMP)", draft-ietf-snmpv3-mpc-03.txt, January
September 1998. 1999.
[SNMP-ACM] [SNMP-ACM]
The SNMPv3 Working Group, Wijnen, B., Presuhn, R., McCloghrie, K., The SNMPv3 Working Group, Wijnen, B., Presuhn, R., McCloghrie, K.,
"View-based Access Control Model for the Simple Network Management "View-based Access Control Model for the Simple Network Management
Protocol (SNMP)", draft-ietf-snmpv3-vacm-01.txt, September 1998. Protocol (SNMP)", draft-ietf-snmpv3-vacm-03.txt, January 1999.
[SNMP-APPL]
The SNMPv3 Working Group, Levi, D., Meyer, P., Stewart, B., "SNMP
Applications", draft-ietf-snmpv3-appl-v2-02.txt, January 1999.
12. Editor's Address 12. Editor's Address
David B. Levi David B. Levi
SNMP Research, Inc. SNMP Research, Inc.
3001 Kimberlin Heights Road 3001 Kimberlin Heights Road
Knoxville, TN 37920-9716 Knoxville, TN 37920-9716
U.S.A. U.S.A.
Phone: +1 423 573 1434 Phone: +1 423 573 1434
EMail: levi@snmp.com EMail: levi@snmp.com
Paul Meyer Paul Meyer
Secure Computing Corporation Secure Computing Corporation
2675 Long Lake Road 2675 Long Lake Road
Roseville, MN 55113 Roseville, MN 55113
U.S.A. U.S.A.
Phone: +1 612 628 1592 Phone: +1 651 628 1592
EMail: paul_meyer@securecomputing.com EMail: paul_meyer@securecomputing.com
Bob Stewart Bob Stewart
Cisco Systems, Inc. Cisco Systems, Inc.
170 West Tasman Drive 170 West Tasman Drive
San Jose, CA 95134-1706 San Jose, CA 95134-1706
U.S.A. U.S.A.
Phone: +1 603 654 2686 Phone: +1 603 654 2686
EMail: bstewart@cisco.com EMail: bstewart@cisco.com
APPENDIX A - Trap Configuration Example APPENDIX A - Trap Configuration Example
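Review bot: The added [SNMP-APPL] entry cites draft-ietf-snmpv3-appl-v2-02.txt, which is the file name of this revision itself, so the document now lists itself in its own reference list. State where the [SNMP-APPL] tag is cited, or drop the entry if nothing in the text uses it. A smaller style point in the same block: "Research,Inc." and "RFC2119" are missing the space that "RFC 1157" and the other entries use, and could be cleaned up while the list is being revised.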
skipping to change at page 80, line 30 skipping to change at page 80, line 30
snmpTargetAddrRetryCount Integer32, snmpTargetAddrRetryCount Integer32,
snmpTargetAddrTagList SnmpAdminString, snmpTargetAddrTagList SnmpAdminString,
snmpTargetAddrParams SnmpAdminString, snmpTargetAddrParams SnmpAdminString,
snmpTargetAddrStorageType StorageType, snmpTargetAddrStorageType StorageType,
snmpTargetAddrRowStatus RowStatus snmpTargetAddrRowStatus RowStatus
* snmpTargetAddrName = "addr1" * snmpTargetAddrName = "addr1"
snmpTargetAddrTDomain = snmpUDPDomain snmpTargetAddrTDomain = snmpUDPDomain
snmpTargetAddrTAddress = 128.1.2.3/162 snmpTargetAddrTAddress = 128.1.2.3/162
snmpTargetAddrTagList = "group1" snmpTargetAddrTagList = "group1"
snmpTargetAddrParams = "AuthNoPriv joe" snmpTargetAddrParams = "AuthNoPriv-joe"
snmpTargetAddrStorageType = readOnly(5) snmpTargetAddrStorageType = readOnly(5)
snmpTargetAddrRowStatus = active(1) snmpTargetAddrRowStatus = active(1)
* snmpTargetAddrName = "addr2" * snmpTargetAddrName = "addr2"
snmpTargetAddrTDomain = snmpUDPDomain snmpTargetAddrTDomain = snmpUDPDomain
snmpTargetAddrTAddress = 128.2.4.6/162 snmpTargetAddrTAddress = 128.2.4.6/162
snmpTargetAddrTagList = "group1" snmpTargetAddrTagList = "group1"
snmpTargetAddrParams = "AuthNoPriv-joe" snmpTargetAddrParams = "AuthNoPriv-joe"
snmpTargetAddrStorageType = readOnly(5) snmpTargetAddrStorageType = readOnly(5)
snmpTargetAddrRowStatus = active(1) snmpTargetAddrRowStatus = active(1)
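Review bot: The addr1 row's snmpTargetAddrParams changes from "AuthNoPriv joe" to "AuthNoPriv-joe", which now matches addr2, but the value only resolves if it is character-for-character the snmpTargetParamsName of a row in snmpTargetParamsTable. Check that the snmpTargetParamsTable example row, which is not shown in this part of the diff, uses the hyphenated spelling as well, so that neither target is left pointing at a parameters entry that does not exist.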
 End of changes. 105 change blocks. 
218 lines changed or deleted 250 lines changed or added
