draft-ietf-snmpv3-intro-04.txt   rfc2570.txt 
INTERNET-DRAFT Jeffrey D. Case Network Working Group J. Case
SNMP Research, Inc. Request for Comments: 2570 SNMP Research, Inc.
Russ Mundy Category: Informational R. Mundy
TIS Labs at Network Associates, Inc. TIS Labs at Network Associates, Inc.
David Partain D. Partain
SNMP Research Europe Ericsson
Bob Stewart B. Stewart
Cisco Systems Cisco Systems
April 1999
Introduction to Version 3 of the Introduction to Version 3 of the
Internet standard Network Management Framework Internet-standard Network Management Framework
1999/02/10 14:47:33
draft-ietf-snmpv3-intro-04.txt
1.13 -- 1999/02/10 14:47:33
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with all This memo provides information for the Internet community. It does
provisions of Section 10 of RFC2026. not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Internet-Drafts are working documents of the Internet Engineering Task Copyright Notice
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Copyright (C) The Internet Society (1999). All Rights Reserved.
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference material
or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at Abstract
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The purpose of this document is to provide an overview of the third
http://www.ietf.org/shadow.html. version of the Internet-standard Management Framework, termed the
SNMP version 3 Framework (SNMPv3). This Framework is derived from
and builds upon both the original Internet-standard Management
Framework (SNMPv1) and the second Internet-standard Management
Framework (SNMPv2).
Abstract The architecture is designed to be modular to allow the evolution of
the Framework over time.
The purpose of this document is to provide an overview of the Table of Contents
third version of the Internet-standard Management Framework,
termed the SNMP version 3 Framework (SNMPv3). This Framework is
derived from and builds upon both the original Internet-standard
Management Framework (SNMPv1) and the second Internet-standard
Management Framework (SNMPv2).
The architecture is designed to be modular to allow the evolu- 1 Introduction .....................................................2
tion of the Framework over time. 2 The Internet Standard Management Framework .......................3
2.1 Basic Structure and Components .................................3
2.2 Architecture of the Internet Standard Management Framework .....3
3 The SNMPv1 Management Framework ..................................4
3.1 The SNMPv1 Data Definition Language ............................5
3.2 Management Information .........................................6
3.3 Protocol Operations ............................................6
3.4 SNMPv1 Security and Administration .............................6
4 The SNMPv2 Management Framework ..................................7
5 The SNMPv3 Working Group .........................................8
6 SNMPv3 Framework Module Specifications ..........................10
6.1 Data Definition Language ......................................10
6.2 MIB Modules ...................................................11
6.3 Protocol Operations and Transport Mappings ....................12
6.4 SNMPv3 Security and Administration ............................12
7 Document Summaries ..............................................13
7.1 Structure of Management Information ...........................13
7.1.1 Base SMI Specification ......................................13
7.1.2 Textual Conventions .........................................14
7.1.3 Conformance Statements ......................................15
7.2 Protocol Operations ...........................................15
7.3 Transport Mappings ............................................15
7.4 Protocol Instrumentation ......................................16
7.5 Architecture / Security and Administration ....................16
7.6 Message Processing and Dispatch (MPD) .........................16
7.7 SNMP Applications .............................................17
7.8 User-based Security Model (USM) ...............................17
7.9 View-based Access Control (VACM) ..............................18
7.10 SNMPv3 Coexistence and Transition ............................18
8 Security Considerations .........................................19
9 Editors' Addresses ..............................................19
10 References .....................................................20
11 Full Copyright Statement .......................................23
1. Introduction 1 Introduction
This document is an introduction to the third version of the Internet- This document is an introduction to the third version of the
standard Management Framework, termed the SNMP version 3 Management Internet-standard Management Framework, termed the SNMP version 3
Framework (SNMPv3) and has multiple purposes. Management Framework (SNMPv3) and has multiple purposes.
First, it describes the relationship between the SNMP version 3 (SNMPv3) First, it describes the relationship between the SNMP version 3
specifications and the specifications of the SNMP version 1 (SNMPv1) (SNMPv3) specifications and the specifications of the SNMP version 1
Management Framework, the SNMP version 2 (SNMPv2) Management Framework, (SNMPv1) Management Framework, the SNMP version 2 (SNMPv2) Management
and the Community-based Administrative Framework for SNMPv2. Framework, and the Community-based Administrative Framework for
SNMPv2.
Second, it provides a roadmap to the multiple documents which contain Second, it provides a roadmap to the multiple documents which contain
the relevant specifications. the relevant specifications.
Third, this document provides a brief easy-to-read summary of the Third, this document provides a brief easy-to-read summary of the
contents of each of the relevant specification documents. contents of each of the relevant specification documents.
This document is intentionally tutorial in nature and, as such, may This document is intentionally tutorial in nature and, as such, may
occasionally be "guilty" of oversimplification. In the event of a occasionally be "guilty" of oversimplification. In the event of a
conflict or contradiction between this document and the more detailed conflict or contradiction between this document and the more detailed
documents for which this document is a roadmap, the specifications in documents for which this document is a roadmap, the specifications in
the more detailed documents shall prevail. the more detailed documents shall prevail.
Further, the detailed documents attempt to maintain separation between Further, the detailed documents attempt to maintain separation
the various component modules in order to specify well-defined between the various component modules in order to specify well-
interfaces between them. This roadmap document, however, takes a defined interfaces between them. This roadmap document, however,
different approach and attempts to provide an integrated view of the takes a different approach and attempts to provide an integrated view
various component modules in the interest of readability. of the various component modules in the interest of readability.
2. The Internet Standard Management Framework 2 The Internet Standard Management Framework
The third version of the Internet Standard Management Framework (the The third version of the Internet Standard Management Framework (the
SNMPv3 Framework) is derived from and builds upon both the original SNMPv3 Framework) is derived from and builds upon both the original
Internet-standard Management Framework (SNMPv1) and the second Internet-standard Management Framework (SNMPv1) and the second
Internet-standard Management Framework (SNMPv2). Internet-standard Management Framework (SNMPv2).
All versions (SNMPv1, SNMPv2, and SNMPv3) of the Internet Standard All versions (SNMPv1, SNMPv2, and SNMPv3) of the Internet Standard
Management Framework share the same basic structure and components. Management Framework share the same basic structure and components.
Furthermore, all versions of the specifications of the Internet Standard Furthermore, all versions of the specifications of the Internet
Management Framework follow the same architecture. Standard Management Framework follow the same architecture.
2.1. Basic Structure and Components 2.1 Basic Structure and Components
An enterprise deploying the Internet Standard Management Framework An enterprise deploying the Internet Standard Management Framework
contains four basic components: contains four basic components:
* several (typically many) managed nodes, each with an SNMP entity * several (typically many) managed nodes, each with an SNMP entity
which provides remote access to management instrumentation which provides remote access to management instrumentation
(traditionally called an agent); (traditionally called an agent);
* at least one SNMP entity with management applications (typically * at least one SNMP entity with management applications (typically
called a manager), called a manager),
* a management protocol used to convey management information * a management protocol used to convey management information
between the SNMP entities, and between the SNMP entities, and
* management information. * management information.
The management protocol is used to convey management information between The management protocol is used to convey management information
SNMP entities such as managers and agents. between SNMP entities such as managers and agents.
This basic structure is common to all versions of the Internet Standard This basic structure is common to all versions of the Internet
Management Framework; i.e., SNMPv1, SNMPv2, and SNMPv3. Standard Management Framework; i.e., SNMPv1, SNMPv2, and SNMPv3.
2.2. Architecture of the Internet Standard Management Framework 2.2 Architecture of the Internet Standard Management Framework
The specifications of the Internet Standard Management Framework are The specifications of the Internet Standard Management Framework are
based on a modular architecture. This framework is more than just a based on a modular architecture. This framework is more than just a
protocol for moving data. It consists of: protocol for moving data. It consists of:
* a data definition language, * a data definition language,
* definitions of management information (the Management
Information Base, or MIB),
* a protocol definition, and * definitions of management information (the Management
Information Base, or MIB),
* security and administration. * a protocol definition, and
Over time, as the Framework has evolved from SNMPv1, through SNMPv2, to * security and administration.
SNMPv3, the definitions of each of these architectural components have
become richer and more clearly defined, but the fundamental architecture
has remained consistent.
One prime motivator for this modularity was to enable the ongoing Over time, as the Framework has evolved from SNMPv1, through SNMPv2,
evolution of the Framework as is documented in RFC 1052 [14]. When to SNMPv3, the definitions of each of these architectural components
originally envisioned, this capability was to be used to ease the have become richer and more clearly defined, but the fundamental
transition from SNMP-based management of internets to management based architecture has remained consistent.
on OSI protocols. To this end, the framework was architected with a
protocol-independent data definition language and Management Information
Base along with a MIB-independent protocol. This separation was
designed to allow the SNMP-based protocol to be replaced without
requiring the management information to be redefined or reinstrumented.
History has shown that the selection of this architecture was the right
decision for the wrong reason -- it turned out that this architecture
has eased the transition from SNMPv1 to SNMPv2 and from SNMPv2 to SNMPv3
rather than easing the transition away from management based on the
Simple Network Management Protocol.
The SNMPv3 Framework builds and extends these architectural principles One prime motivator for this modularity was to enable the ongoing
by: evolution of the Framework as is documented in RFC 1052 [14]. When
originally envisioned, this capability was to be used to ease the
transition from SNMP-based management of internets to management
based on OSI protocols. To this end, the framework was architected
with a protocol-independent data definition language and Management
Information Base along with a MIB-independent protocol. This
separation was designed to allow the SNMP-based protocol to be
replaced without requiring the management information to be redefined
or reinstrumented. History has shown that the selection of this
architecture was the right decision for the wrong reason -- it turned
out that this architecture has eased the transition from SNMPv1 to
SNMPv2 and from SNMPv2 to SNMPv3 rather than easing the transition
away from management based on the Simple Network Management Protocol.
* building on these four basic architectural components, in some The SNMPv3 Framework builds and extends these architectural
cases incorporating them from the SNMPv2 Framework by reference, principles by:
and
* by using these same layering principles in the definition of new * building on these four basic architectural components, in some
capabilities in the security and administration portion of the cases incorporating them from the SNMPv2 Framework by reference,
architecture. and
Those who are familiar with the architecture of the SNMPv1 Management * by using these same layering principles in the definition of new
Framework and the SNMPv2 Management Framework will find many familiar capabilities in the security and administration portion of the
concepts in the architecture of the SNMPv3 Management Framework. architecture.
However, in some cases, the terminology may be somewhat different.
3. The SNMPv1 Management Framework Those who are familiar with the architecture of the SNMPv1 Management
Framework and the SNMPv2 Management Framework will find many familiar
concepts in the architecture of the SNMPv3 Management Framework.
However, in some cases, the terminology may be somewhat different.
The original Internet-standard Network Management Framework (SNMPv1) is 3 The SNMPv1 Management Framework
defined in the following documents:
* STD 16, RFC 1155 [1] which defines the Structure of Management The original Internet-standard Network Management Framework (SNMPv1)
Information (SMI), the mechanisms used for describing and naming is defined in the following documents:
objects for the purpose of management.
* STD 16, RFC 1212 [2] which defines a more concise description * STD 16, RFC 1155 [1] which defines the Structure of Management
mechanism for describing and naming management information objects, Information (SMI), the mechanisms used for describing and naming
but which is wholly consistent with the SMI. objects for the purpose of management.
* STD 15, RFC 1157 [3] which defines the Simple Network Management * STD 16, RFC 1212 [2] which defines a more concise description
Protocol (SNMP), the protocol used for network access to managed mechanism for describing and naming management information objects,
objects and event notification. Note this document also defines an but which is wholly consistent with the SMI.
initial set of event notifications.
Additionally, two documents are generally considered to be companions to * STD 15, RFC 1157 [3] which defines the Simple Network Management
these three: Protocol (SNMP), the protocol used for network access to managed
objects and event notification. Note this document also defines an
initial set of event notifications.
* STD 17, RFC 1213 [13] which contains definitions for the base Additionally, two documents are generally considered to be companions
set of management information to these three:
* RFC 1215 [25] defines a concise description mechanism for * STD 17, RFC 1213 [13] which contains definitions for the base
defining event notifications, which are called traps in the SNMPv1 set of management information
protocol. It also specifies the generic traps from RFC 1157 in the
concise notation.
These documents describe the four parts of the first version of the SNMP * RFC 1215 [25] defines a concise description mechanism for
Framework. defining event notifications, which are called traps in the SNMPv1
protocol. It also specifies the generic traps from RFC 1157 in the
concise notation.
3.1. The SNMPv1 Data Definition Language These documents describe the four parts of the first version of the
SNMP Framework.
The first two and the last document describe the SNMPv1 data definition 3.1 The SNMPv1 Data Definition Language
language. Note that due to the initial requirement that the SMI be
protocol-independent, the first two SMI documents do not provide a means
for defining event notifications (traps). Instead, the SNMP protocol
document defines a few standardized event notifications (generic traps)
and provides a means for additional event notifications to be defined.
The last document specifies a straight-forward approach towards defining
event notifications used with the SNMPv1 protocol. At the time that it
was written, use of traps in the Internet-standard network management
framework was controversial. As such, RFC 1215 was put forward with the
status of "Informational", which was never updated because it was
believed that the second version of the SNMP Framework would replace the
first version. Note that the SNMPv1 data definition language is
sometimes referred to as SMIv1.
3.2. Management Information The first two and the last document describe the SNMPv1 data
definition language. Note that due to the initial requirement that
the SMI be protocol-independent, the first two SMI documents do not
provide a means for defining event notifications (traps). Instead,
the SNMP protocol document defines a few standardized event
notifications (generic traps) and provides a means for additional
event notifications to be defined. The last document specifies a
straight-forward approach towards defining event notifications used
with the SNMPv1 protocol. At the time that it was written, use of
traps in the Internet-standard network management framework was
controversial. As such, RFC 1215 was put forward with the status of
"Informational", which was never updated because it was believed that
the second version of the SNMP Framework would replace the first
version. Note that the SNMPv1 data definition language is sometimes
referred to as SMIv1.
The data definition language described in the first two documents was 3.2 Management Information
first used to define the now-historic MIB-I as specified in RFC 1066
[12], and was subsequently used to define MIB-II as specified in RFC
1213 [13].
Later, after the publication of MIB-II, a different approach to The data definition language described in the first two documents was
management information definition was taken from the earlier approach of first used to define the now-historic MIB-I as specified in RFC 1066
having a single committee staffed by generalists work on a single [12], and was subsequently used to define MIB-II as specified in RFC
document to define the Internet-standard MIB. Rather, many mini-MIB 1213 [13].
documents were produced in a parallel and distributed fashion by groups
chartered to produce a specification for a focused portion of the
Internet-standard MIB and staffed by personnel with expertise in those
particular areas ranging from various aspects of network management, to
system management, and application management.
3.3. Protocol Operations Later, after the publication of MIB-II, a different approach to
management information definition was taken from the earlier approach
of having a single committee staffed by generalists work on a single
document to define the Internet-standard MIB. Rather, many mini-MIB
documents were produced in a parallel and distributed fashion by
groups chartered to produce a specification for a focused portion of
the Internet-standard MIB and staffed by personnel with expertise in
those particular areas ranging from various aspects of network
management, to system management, and application management.
The third document, STD 15, describes the SNMPv1 protocol operations 3.3 Protocol Operations
performed by protocol data units (PDUs) on lists of variable bindings
and describes the format of SNMPv1 messages. The operators defined by
SNMPv1 are: get, get-next, get-response, set-request, and trap.
Typical layering of SNMP on a connectionless transport service is also
defined.
3.4. SNMPv1 Security and Administration The third document, STD 15, describes the SNMPv1 protocol operations
performed by protocol data units (PDUs) on lists of variable bindings
and describes the format of SNMPv1 messages. The operators defined by
SNMPv1 are: get, get-next, get-response, set-request, and trap.
Typical layering of SNMP on a connectionless transport service is
also defined.
STD 15 also describes an approach to security and administration. Many 3.4 SNMPv1 Security and Administration
of these concepts are carried forward and some, particularly security,
are extended by the SNMPv3 Framework.
The SNMPv1 Framework describes the encapsulation of SNMPv1 PDUs in SNMP STD 15 also describes an approach to security and administration.
messages between SNMP entities and distinguishes between application Many of these concepts are carried forward and some, particularly
entities and protocol entities. In SNMPv3, these are renamed security, are extended by the SNMPv3 Framework.
applications and engines, respectively.
The SNMPv1 Framework also introduces the concept of an authentication The SNMPv1 Framework describes the encapsulation of SNMPv1 PDUs in
service supporting one or more authentication schemes. In addition to SNMP messages between SNMP entities and distinguishes between
authentication, SNMPv3 defines the additional security capability application entities and protocol entities. In SNMPv3, these are
referred to as privacy. (Note: some literature from the security renamed applications and engines, respectively.
community would describe SNMPv3 security capabilities as providing data
integrity, source authenticity, and confidentiality.) The modular
nature of the SNMPv3 Framework permits both changes and additions to the
security capabilities.
Finally, the SNMPv1 Framework introduces access control based on a The SNMPv1 Framework also introduces the concept of an authentication
concept called an SNMP MIB view. The SNMPv3 Framework specifies a service supporting one or more authentication schemes. In addition
fundamentally similar concept called view-based access control. With to authentication, SNMPv3 defines the additional security capability
this capability, SNMPv3 provides the means for controlling access to referred to as privacy. (Note: some literature from the security
information on managed devices. community would describe SNMPv3 security capabilities as providing
data integrity, source authenticity, and confidentiality.) The
modular nature of the SNMPv3 Framework permits both changes and
additions to the security capabilities.
However, while the SNMPv1 Framework anticipated the definition of Finally, the SNMPv1 Framework introduces access control based on a
multiple authentication schemes, it did not define any such schemes concept called an SNMP MIB view. The SNMPv3 Framework specifies a
other than a trivial authentication scheme based on community strings. fundamentally similar concept called view-based access control. With
This was a known fundamental weakness in the SNMPv1 Framework but it was this capability, SNMPv3 provides the means for controlling access to
thought at that time that the definition of commercial grade security information on managed devices.
might be contentious in its design and difficult to get approved because
"security" means many different things to different people. To that
end, and because some users do not require strong authentication, the
SNMPv1 architected an authentication service as a separate block to be
defined "later" and the SNMPv3 Framework provides an architecture for
use within that block as well as a definition for its subsystems.
4. The SNMPv2 Management Framework However, while the SNMPv1 Framework anticipated the definition of
multiple authentication schemes, it did not define any such schemes
other than a trivial authentication scheme based on community
strings. This was a known fundamental weakness in the SNMPv1
Framework but it was thought at that time that the definition of
commercial grade security might be contentious in its design and
difficult to get approved because "security" means many different
things to different people. To that end, and because some users do
not require strong authentication, the SNMPv1 architected an
authentication service as a separate block to be defined "later" and
the SNMPv3 Framework provides an architecture for use within that
block as well as a definition for its subsystems.
The SNMPv2 Management Framework is fully described in [4-9] and 4 The SNMPv2 Management Framework
coexistence and transition issues relating to SNMPv1 and SNMPv2 are
discussed in [10].
SNMPv2 provides several advantages over SNMPv1, including: The SNMPv2 Management Framework is fully described in [4-9] and
coexistence and transition issues relating to SNMPv1 and SNMPv2 are
discussed in [10].
* expanded data types (e.g., 64 bit counter) SNMPv2 provides several advantages over SNMPv1, including:
* improved efficiency and performance (get-bulk operator) * expanded data types (e.g., 64 bit counter)
* confirmed event notification (inform operator) * improved efficiency and performance (get-bulk operator)
* richer error handling (errors and exceptions) * confirmed event notification (inform operator)
* improved sets, especially row creation and deletion
* fine tuning of the data definition language * richer error handling (errors and exceptions)
However, the SNMPv2 Framework, as described in these documents, is * improved sets, especially row creation and deletion
incomplete in that it does not meet the original design goals of the
SNMPv2 project. The unmet goals included provision of security and
administration delivering so-called "commercial grade" security with
* authentication: origin identification, message integrity, * fine tuning of the data definition language
and some aspects of replay protection;
* privacy: confidentiality; However, the SNMPv2 Framework, as described in these documents, is
incomplete in that it does not meet the original design goals of the
SNMPv2 project. The unmet goals included provision of security and
administration delivering so-called "commercial grade" security with
* authorization and access control; and * authentication: origin identification, message integrity,
and some aspects of replay protection;
* suitable remote configuration and administration capabilities * privacy: confidentiality;
for these features. * authorization and access control; and
The SNMPv3 Management Framework, as described in this document and the * suitable remote configuration and administration capabilities
companion documents, addresses these significant deficiencies. for these features.
5. The SNMPv3 Working Group The SNMPv3 Management Framework, as described in this document and
the companion documents, addresses these significant deficiencies.
This document, and its companion documents, were produced by the SNMPv3 5 The SNMPv3 Working Group
Working Group of the Internet Engineering Task Force (IETF). The SNMPv3
Working Group was chartered to prepare recommendations for the next
generation of SNMP. The goal of the Working Group was to produce the
necessary set of documents that provide a single standard for the next
generation of core SNMP functions. The single, most critical need in
the next generation is a definition of security and administration that
makes SNMP-based management transactions secure in a way which is useful
for users who wish to use SNMPv3 to manage networks, the systems that
make up those networks, and the applications which reside on those
systems, including manager-to-agent, agent-to-manager, and manager-to-
manager transactions.
In the several years prior to the chartering of the Working Group, there This document, and its companion documents, were produced by the
were a number of activities aimed at incorporating security and other SNMPv3 Working Group of the Internet Engineering Task Force (IETF).
improvements to SNMP. These efforts included: The SNMPv3 Working Group was chartered to prepare recommendations for
the next generation of SNMP. The goal of the Working Group was to
produce the necessary set of documents that provide a single standard
for the next generation of core SNMP functions. The single, most
critical need in the next generation is a definition of security and
administration that makes SNMP-based management transactions secure
in a way which is useful for users who wish to use SNMPv3 to manage
networks, the systems that make up those networks, and the
applications which reside on those systems, including manager-to-
agent, agent-to-manager, and manager-to-manager transactions.
* "SNMP Security" circa 1991-1992 [RFC 1351 - RFC 1353], In the several years prior to the chartering of the Working Group,
there were a number of activities aimed at incorporating security and
other improvements to SNMP. These efforts included:
* "SMP" circa 1992-1993, * "SNMP Security" circa 1991-1992 [RFC 1351 - RFC 1353],
* "The Party-based SNMPv2" circa 1993-1995 [RFC 1441 - RFC 1452].
Each of these efforts incorporated commercial grade, industrial strength * "SMP" circa 1992-1993,
security including authentication, privacy, authorization, view-based
access control, and administration, including remote configuration.
These efforts fed the development of the SNMPv2 Management Framework as * "The Party-based SNMPv2" circa 1993-1995 [RFC 1441 - RFC 1452].
described in RFCs 1902 - 1908. However, the Framework described in
those RFCs had no standards-based security and administrative framework
of its own; rather, it was associated with multiple security and
administrative frameworks, including:
* "The Community-based SNMPv2" (SNMPv2c) [RFC 1901], Each of these efforts incorporated commercial grade, industrial
strength security including authentication, privacy, authorization,
view-based access control, and administration, including remote
configuration.
* "SNMPv2u" [RFCs 1909 - 1910] and These efforts fed the development of the SNMPv2 Management Framework
as described in RFCs 1902 - 1908. However, the Framework described
in those RFCs had no standards-based security and administrative
framework of its own; rather, it was associated with multiple
security and administrative frameworks, including:
* "SNMPv2*". * "The Community-based SNMPv2" (SNMPv2c) [RFC 1901],
SNMPv2c had the endorsement of the IETF but no security and * "SNMPv2u" [RFCs 1909 - 1910] and
administration whereas both SNMPv2u and SNMPv2* had security but lacked * "SNMPv2*".
the endorsement of the IETF.
The SNMPv3 Working Group was chartered to produce a single set of SNMPv2c had the endorsement of the IETF but no security and
specifications for the next generation of SNMP, based upon a convergence administration whereas both SNMPv2u and SNMPv2* had security but
of the concepts and technical elements of SNMPv2u and SNMPv2*, as was lacked the endorsement of the IETF.
suggested by an advisory team which was formed to provide a single
recommended approach for SNMP evolution.
In so doing, the Working Group charter defined the following objectives: The SNMPv3 Working Group was chartered to produce a single set of
specifications for the next generation of SNMP, based upon a
convergence of the concepts and technical elements of SNMPv2u and
SNMPv2*, as was suggested by an advisory team which was formed to
provide a single recommended approach for SNMP evolution.
* accommodate the wide range of operational environments with In so doing, the Working Group charter defined the following
differing management demands; objectives:
* facilitate the need to transition from previous, multiple * accommodate the wide range of operational environments with
protocols to SNMPv3; differing management demands;
* facilitate the ease of setup and maintenance activities. * facilitate the need to transition from previous, multiple
protocols to SNMPv3;
In the initial work of the SNMPv3 Working Group, the group focused on * facilitate the ease of setup and maintenance activities.
security and administration, including
* authentication and privacy, In the initial work of the SNMPv3 Working Group, the group focused on
security and administration, including
* authorization and view-based access control, and * authentication and privacy,
* standards-based remote configuration of the above.
The SNMPv3 Working Group did not "reinvent the wheel," but reused the * authorization and view-based access control, and
SNMPv2 Draft Standard documents, i.e., RFCs 1902 through 1908 for those
portions of the design that were outside the focused scope.
Rather, the primary contributors to the SNMPv3 Working Group, and the * standards-based remote configuration of the above.
Working Group in general, devoted their considerable efforts to
addressing the missing link -- security and administration -- and in the
process made invaluable contributions to the state-of-the-art of
management.
They produced a design based on a modular architecture with evolutionary The SNMPv3 Working Group did not "reinvent the wheel," but reused the
capabilities with emphasis on layering. As a result, SNMPv3 can be SNMPv2 Draft Standard documents, i.e., RFCs 1902 through 1908 for
thought of as SNMPv2 with additional security and administration those portions of the design that were outside the focused scope.
capabilities.
In doing so, the Working Group achieved the goal of producing a single Rather, the primary contributors to the SNMPv3 Working Group, and the
specification which has not only the endorsement of the IETF but also Working Group in general, devoted their considerable efforts to
has security and administration. addressing the missing link -- security and administration -- and in
the process made invaluable contributions to the state-of-the-art of
management.
6. SNMPv3 Framework Module Specifications They produced a design based on a modular architecture with
evolutionary capabilities with emphasis on layering. As a result,
SNMPv3 can be thought of as SNMPv2 with additional security and
administration capabilities.
The specification of the SNMPv3 Management Framework is partitioned in a In doing so, the Working Group achieved the goal of producing a
modular fashion among several documents. It is the intention of the single specification which has not only the endorsement of the IETF
SNMPv3 Working Group that, with proper care, any or all of the but also has security and administration.
individual documents can be revised, upgraded, or replaced as
requirements change, new understandings are obtained, and new
technologies become available.
Whenever feasible, the initial document set which defines the SNMPv3 6 SNMPv3 Framework Module Specifications
Management Framework leverages prior investments defining and
implementing the SNMPv2 Management Framework by incorporating by
reference each of the specifications of the SNMPv2 Management Framework.
The SNMPv3 Framework augments those specifications with specifications The specification of the SNMPv3 Management Framework is partitioned
for security and administration for SNMPv3. in a modular fashion among several documents. It is the intention of
the SNMPv3 Working Group that, with proper care, any or all of the
individual documents can be revised, upgraded, or replaced as
requirements change, new understandings are obtained, and new
technologies become available.
The documents which specify the SNMPv3 Management Framework follow the Whenever feasible, the initial document set which defines the SNMPv3
same architecture as those of the prior versions and can be organized Management Framework leverages prior investments defining and
for expository purposes into four main categories as follows: implementing the SNMPv2 Management Framework by incorporating by
reference each of the specifications of the SNMPv2 Management
Framework.
* the data definition language, The SNMPv3 Framework augments those specifications with
specifications for security and administration for SNMPv3.
* Management Information Base (MIB) modules, The documents which specify the SNMPv3 Management Framework follow
the same architecture as those of the prior versions and can be
organized for expository purposes into four main categories as
follows:
* protocol operations, and * the data definition language,
* security and administration. * Management Information Base (MIB) modules,
The first three sets of documents are incorporated from SNMPv2. The * protocol operations, and
fourth set of documents are new to SNMPv3, but, as described previously,
build on significant prior related works.
6.1. Data Definition Language * security and administration.
The specifications of the data definition language includes RFC 1902, The first three sets of documents are incorporated from SNMPv2. The
"The Structure of Management Information for Version 2 of the Simple fourth set of documents are new to SNMPv3, but, as described
Network Management Protocol (SNMPv2)" [4], and related specifications. previously, build on significant prior related works.
The Structure of Management Information (SMI) defines fundamental data
types, an object model, and the rules for writing and revising MIB
modules. Related specifications include RFC 1903 and RFC 1904. The
updated data definition language is sometimes referred to as SMIv2.
RFC 1903, "Textual Conventions for Version 2 of the Simple Network 6.1 Data Definition Language
Management Protocol (SNMPv2)" [5], defines an initial set of shorthand
abbreviations which are available for use within all MIB modules for the
convenience of human readers and writers.
RFC 1904, "Conformance Statements for Version 2 of the Simple Network The specifications of the data definition language includes STD 58,
Management Protocol (SNMPv2)" [6], defines the format for compliance RFC 2578, "Structure of Management Information Version 2 (SMIv2)"
statements which are used for describing requirements for agent [26], and related specifications. These documents are updates of
implementations and capability statements which can be used to document RFCs 1902 - 1904 [4-6] which have evolved independently from the
the characteristics of particular implementations. other parts of the framework and were republished as STD 58, RFCs
2578 - 2580 [26-28] when promoted from Draft Standard.
6.2. MIB Modules The Structure of Management Information (SMIv2) defines fundamental
data types, an object model, and the rules for writing and revising
MIB modules. Related specifications include STD 58, RFCs 2579, 2580.
The updated data definition language is sometimes referred to as
SMIv2.
MIB modules usually contain object definitions, may contain definitions STD 58, RFC 2579, "Textual Conventions for SMIv2" [27], defines an
of event notifications, and sometimes include compliance statements initial set of shorthand abbreviations which are available for use
specified in terms of appropriate object and event notification groups. within all MIB modules for the convenience of human readers and
As such, MIB modules define the management information maintained by the writers.
instrumentation in managed nodes, made remotely accessible by management
agents, conveyed by the management protocol, and manipulated by
management applications.
MIB modules are defined according the rules defined in the documents STD 58, RFC 2580, "Conformance Statements for SMIv2" [28], defines
which specify the data definition language, principally the SMI as the format for compliance statements which are used for describing
supplemented by the related specifications. requirements for agent implementations and capability statements
which can be used to document the characteristics of particular
implementations.
There is a large and growing number of standards-based MIB modules, as 6.2 MIB Modules
defined in the periodically updated list of standard protocols [STD
0001, RFC 2400]. As of this writing, there are nearly 100 standards-
based MIB modules with a total number of defined objects approaching
10,000. In addition, there is an even larger and growing number of
enterprise-specific MIB modules defined unilaterally by various vendors,
research groups, consortia, and the like resulting in an unknown and
virtually uncountable number of defined objects.
In general, management information defined in any MIB module, regardless MIB modules usually contain object definitions, may contain
of the version of the data definition language used, can be used with definitions of event notifications, and sometimes include compliance
any version of the protocol. For example, MIB modules defined in terms statements specified in terms of appropriate object and event
of the SNMPv1 SMI (SMIv1) are compatible with the SNMPv3 Management notification groups. As such, MIB modules define the management
Framework and can be conveyed by the protocols specified therein. information maintained by the instrumentation in managed nodes, made
Furthermore, MIB modules defined in terms of the SNMPv2 SMI (SMIv2) are remotely accessible by management agents, conveyed by the management
compatible with SNMPv1 protocol operations and can be conveyed by it. protocol, and manipulated by management applications.
However, there is one noteworthy exception: the Counter64 datatype
which can be defined in a MIB module defined in SMIv2 format but which
cannot be conveyed by an SNMPv1 protocol engine.
6.3. Protocol Operations and Transport Mappings MIB modules are defined according the rules defined in the documents
which specify the data definition language, principally the SMI as
supplemented by the related specifications.
The specifications for the protocol operations and transport mappings of There is a large and growing number of standards-based MIB modules,
the SNMPv3 Framework are incorporated by reference to the two SNMPv2 as defined in the periodically updated list of standard protocols
Framework documents. [STD 1, RFC 2400]. As of this writing, there are nearly 100
standards-based MIB modules with a total number of defined objects
approaching 10,000. In addition, there is an even larger and growing
number of enterprise-specific MIB modules defined unilaterally by
various vendors, research groups, consortia, and the like resulting
in an unknown and virtually uncountable number of defined objects.
The specification for protocol operations is found in RFC 1905, In general, management information defined in any MIB module,
"Protocol Operations for Version 2 of the Simple Network Management regardless of the version of the data definition language used, can
Protocol (SNMPv2)" [7]. The SNMPv3 Framework is designed to allow be used with any version of the protocol. For example, MIB modules
various portions of the architecture to evolve independently. For defined in terms of the SNMPv1 SMI (SMIv1) are compatible with the
example, it might be possible for a new specification of protocol SNMPv3 Management Framework and can be conveyed by the protocols
operations to be defined within the Framework to allow for additional specified therein. Furthermore, MIB modules defined in terms of the
protocol operations. SNMPv2 SMI (SMIv2) are compatible with SNMPv1 protocol operations and
can be conveyed by it. However, there is one noteworthy exception:
The specification of transport mappings is found in RFC 1906, "Transport the Counter64 datatype which can be defined in a MIB module defined
Mappings for Version 2 of the Simple Network Management Protocol in SMIv2 format but which cannot be conveyed by an SNMPv1 protocol
(SNMPv2)" [8]. engine.
6.4. SNMPv3 Security and Administration 6.3 Protocol Operations and Transport Mappings
The SNMPv3 document series defined by the SNMPv3 Working Group consists The specifications for the protocol operations and transport mappings
of seven documents at this time: of the SNMPv3 Framework are incorporated by reference to the two
SNMPv2 Framework documents.
RFC xxxx (draft-ietf-snmpv3-intro-04.txt), "Introduction to The specification for protocol operations is found in RFC 1905,
Version 3 of the Internet-standard Network Management Framework", "Protocol Operations for Version 2 of the Simple Network Management
which is this document. Protocol (SNMPv2)" [7]. The SNMPv3 Framework is designed to allow
various portions of the architecture to evolve independently. For
example, it might be possible for a new specification of protocol
operations to be defined within the Framework to allow for additional
protocol operations.
RFC xxx1 (draft-ietf-snmpv3-arch-05.txt), "An Architecture for The specification of transport mappings is found in RFC 1906,
Describing SNMP Management Frameworks" [15], describes the overall "Transport Mappings for Version 2 of the Simple Network Management
architecture with special emphasis on the architecture for Protocol (SNMPv2)" [8].
security and administration.
RFC xxx2 (draft-ietf-snmpv3-mpc-05.txt), "Message Processing and 6.4 SNMPv3 Security and Administration
Dispatching for the Simple Network Management Protocol (SNMP)"
[16], describes the possibly multiple message processing models
and the dispatcher portion that can be a part of an SNMP protocol
engine.
RFC xxx3 (draft-ietf-snmpv3-appl-v2-03.txt), "SNMP Applications" The SNMPv3 document series defined by the SNMPv3 Working Group
[17], describes the five types of applications that can be consists of seven documents at this time:
associated with an SNMPv3 engine and their elements of procedure.
RFC xxx4 (draft-ietf-snmpv3-usm-v2-05.txt), "The User-Based RFC 2570, "Introduction to Version 3 of the Internet-standard
Security Model for Version 3 of the Simple Network Management Network Management Framework", which is this document.
Protocol (SNMPv3)" [18], describes the threats, mechanisms,
protocols, and supporting data used to provide SNMP message-level
security.
RFC xxx5 (draft-ietf-snmpv3-vacm-04.txt), "View-based Access RFC 2571, "An Architecture for Describing SNMP Management
Control Model for the Simple Network Management Protocol (SNMP)" Frameworks" [15], describes the overall architecture with special
[19], describes how view-based access control can be applied emphasis on the architecture for security and administration.
within command responder and notification originator applications.
RFC yyyy (draft-ietf-snmpv3-coex-03.txt), "Coexistence between RFC 2572, "Message Processing and Dispatching for the Simple
Version 1, Version 2, and Version 3 of the Internet-standard Network Management Protocol (SNMP)" [16], describes the possibly
Network Management Framework" [20], describes coexistence between multiple message processing models and the dispatcher portion that
the SNMPv3 Management Framework, the SNMPv2 Management Framework, can be a part of an SNMP protocol engine.
and the original SNMPv1 Management Framework.
7. Document Summaries RFC 2573, "SNMP Applications" [17], describes the five types of
applications that can be associated with an SNMPv3 engine and
their elements of procedure.
The following sections provide brief summaries of each document with RFC 2574, "The User-Based Security Model for Version 3 of the
slightly more detail than is provided in the overviews above. Simple Network Management Protocol (SNMPv3)" [18], describes the
threats, mechanisms, protocols, and supporting data used to
provide SNMP message-level security.
7.1. Structure of Management Information RFC 2575, "View-based Access Control Model for the Simple Network
Management Protocol (SNMP)" [19], describes how view-based access
control can be applied within command responder and notification
originator applications.
Management information is viewed as a collection of managed objects, The Work in Progress, "Coexistence between Version 1, Version 2,
residing in a virtual information store, termed the Management and Version 3 of the Internet-standard Network Management
Information Base (MIB). Collections of related objects are defined in Framework" [20], describes coexistence between the SNMPv3
MIB modules. These modules are written in the SNMP MIB module language, Management Framework, the SNMPv2 Management Framework, and the
which contains elements of OSI's Abstract Syntax Notation One (ASN.1) original SNMPv1 Management Framework.
[11] language. RFC 1902, RFC 1903, and RFC 1904 together define the MIB
module language, specify the base data types for objects, specify a core
set of short-hand specifications for data types called textual
conventions, and specify a few administrative assignments of object
identifier (OID) values.
The SMI is divided into three parts: module definitions, object 7 Document Summaries
definitions, and notification definitions.
(1) Module definitions are used when describing information modules. The following sections provide brief summaries of each document with
An ASN.1 macro, MODULE-IDENTITY, is used to convey concisely the slightly more detail than is provided in the overviews above.
semantics of an information module.
(2) Object definitions are used when describing managed objects. An 7.1 Structure of Management Information
ASN.1 macro, OBJECT-TYPE, is used to convey concisely the syntax
and semantics of a managed object.
(3) Notification definitions are used when describing unsolicited Management information is viewed as a collection of managed objects,
transmissions of management information. An ASN.1 macro, residing in a virtual information store, termed the Management
NOTIFICATION-TYPE, is used to convey concisely the syntax and Information Base (MIB). Collections of related objects are defined
semantics of a notification. in MIB modules. These modules are written in the SNMP MIB module
language, which contains elements of OSI's Abstract Syntax Notation
One (ASN.1) [11] language. STD 58, RFCs 2578, 2579, 2580, together
define the MIB module language, specify the base data types for
objects, specify a core set of short-hand specifications for data
types called textual conventions, and specify a few administrative
assignments of object identifier (OID) values.
7.1.1. Base SMI Specification The SMI is divided into three parts: module definitions, object
definitions, and notification definitions.
RFC 1902 specifies the base data types for the MIB module language, (1) Module definitions are used when describing information modules.
which include: Integer32, enumerated integers, Unsigned32, Gauge32, An ASN.1 macro, MODULE-IDENTITY, is used to convey concisely the
Counter32, Counter64, TimeTicks, INTEGER, OCTET STRING, OBJECT semantics of an information module.
IDENTIFIER, IpAddress, Opaque, and BITS. It also assigns values to
several object identifiers. RFC 1902 further defines the following
constructs of the MIB module language:
* IMPORTS to allow the specification of items that are used (2) Object definitions are used when describing managed objects. An
in a MIB module, but defined in another MIB module. ASN.1 macro, OBJECT-TYPE, is used to convey concisely the syntax
and semantics of a managed object.
* MODULE-IDENTITY to specify for a MIB module a description (3) Notification definitions are used when describing unsolicited
and administrative information such as contact and revision transmissions of management information. An ASN.1 macro,
history. NOTIFICATION-TYPE, is used to convey concisely the syntax and
semantics of a notification.
* OBJECT-IDENTITY and OID value assignments to specify a 7.1.1 Base SMI Specification
an OID value.
* OBJECT-TYPE to specify the data type, status, and the semantics STD 58, RFC 2578 specifies the base data types for the MIB module
of managed objects. language, which include: Integer32, enumerated integers, Unsigned32,
Gauge32, Counter32, Counter64, TimeTicks, INTEGER, OCTET STRING,
OBJECT IDENTIFIER, IpAddress, Opaque, and BITS. It also assigns
values to several object identifiers. STD 58, RFC 2578 further
defines the following constructs of the MIB module language:
* SEQUENCE type assignment to list the columnar objects in * IMPORTS to allow the specification of items that are used
a table. in a MIB module, but defined in another MIB module.
* NOTIFICATION-TYPE construct to specify an event notification. * MODULE-IDENTITY to specify for a MIB module a description
and administrative information such as contact and revision
history.
7.1.2. Textual Conventions * OBJECT-IDENTITY and OID value assignments to specify a
an OID value.
When designing a MIB module, it is often useful to specify in a short- * OBJECT-TYPE to specify the data type, status, and the semantics
hand way the semantics for a set of objects with similar behavior. This of managed objects.
is done by defining a new data type using a base data type specified in
the SMI. Each new type has a different name, and specifies a base type
with more restrictive semantics. These newly defined types are termed
textual conventions, and are used for the convenience of humans reading
a MIB module and potentially by "intelligent" management applications.
It is the purpose of RFC 1903, Textual Conventions for SNMPv2 [5], to
define the construct, TEXTUAL-CONVENTION, of the MIB module language
used to define such new types and to specify an initial set of textual
conventions available to all MIB modules.
7.1.3. Conformance Statements * SEQUENCE type assignment to list the columnar objects in
a table.
It may be useful to define the acceptable lower-bounds of * NOTIFICATION-TYPE construct to specify an event notification.
implementation, along with the actual level of implementation achieved.
It is the purpose of RFC 1904, Conformance Statements for SNMPv2 [6], to
define the constructs of the MIB module language used for these
purposes. There are two kinds of constructs:
(1) Compliance statements are used when describing requirements for 7.1.2 Textual Conventions
agents with respect to object and event notification definitions.
The MODULE-COMPLIANCE construct is used to convey concisely
such requirements.
(2) Capability statements are used when describing capabilities of When designing a MIB module, it is often useful to specify in a
agents with respect to object and event notification definitions. short-hand way the semantics for a set of objects with similar
The AGENT-CAPABILITIES construct is used to convey concisely such behavior. This is done by defining a new data type using a base data
capabilities. type specified in the SMI. Each new type has a different name, and
specifies a base type with more restrictive semantics. These newly
defined types are termed textual conventions, and are used for the
convenience of humans reading a MIB module and potentially by
"intelligent" management applications. It is the purpose of STD 58,
RFC 2579, Textual Conventions for SMIv2 [27], to define the
construct, TEXTUAL-CONVENTION, of the MIB module language used to
define such new types and to specify an initial set of textual
conventions available to all MIB modules.
Finally, collections of related objects and collections of related event 7.1.3 Conformance Statements
notifications are grouped together to form a unit of conformance. The
OBJECT-GROUP construct is used to convey concisely the objects in and
the semantics of an object group. The NOTIFICATION-GROUP construct is
used to convey concisely the event notifications in and the semantics of
an event notification group.
7.2. Protocol Operations It may be useful to define the acceptable lower-bounds of
implementation, along with the actual level of implementation
achieved. It is the purpose of STD 58, RFC 2580, Conformance
Statements for SMIv2 [28], to define the constructs of the MIB module
language used for these purposes. There are two kinds of constructs:
The management protocol provides for the exchange of messages which (1) Compliance statements are used when describing requirements for
convey management information between the agents and the management agents with respect to object and event notification
stations. The form of these messages is a message "wrapper" which definitions. The MODULE-COMPLIANCE construct is used to convey
encapsulates a Protocol Data Unit (PDU). concisely such requirements.
It is the purpose of RFC 1905, Protocol Operations for SNMPv2 [7], to (2) Capability statements are used when describing capabilities of
define the operations of the protocol with respect to the sending and agents with respect to object and event notification
receiving of the PDUs. definitions. The AGENT-CAPABILITIES construct is used to convey
concisely such capabilities.
7.3. Transport Mappings Finally, collections of related objects and collections of related
event notifications are grouped together to form a unit of
conformance. The OBJECT-GROUP construct is used to convey concisely
the objects in and the semantics of an object group. The
NOTIFICATION-GROUP construct is used to convey concisely the event
notifications in and the semantics of an event notification group.
SNMP Messages may be used over a variety of protocol suites. It is the 7.2 Protocol Operations
purpose of RFC 1906, Transport Mappings for SNMPv2 [8], to define how
SNMP messages maps onto an initial set of transport domains. Other
mappings may be defined in the future.
Although several mappings are defined, the mapping onto UDP is the The management protocol provides for the exchange of messages which
preferred mapping. As such, to provide for the greatest level of convey management information between the agents and the management
interoperability, systems which choose to deploy other mappings should stations. The form of these messages is a message "wrapper" which
also provide for proxy service to the UDP mapping. encapsulates a Protocol Data Unit (PDU).
7.4. Protocol Instrumentation It is the purpose of RFC 1905, Protocol Operations for SNMPv2 [7], to
define the operations of the protocol with respect to the sending and
receiving of the PDUs.
It is the purpose of RFC 1907, the Management Information Base for 7.3 Transport Mappings
SNMPv2 document [9] to define managed objects which describe the
behavior of an SNMPv2 entity.
7.5. Architecture / Security and Administration SNMP Messages may be used over a variety of protocol suites. It is
the purpose of RFC 1906, Transport Mappings for SNMPv2 [8], to define
how SNMP messages maps onto an initial set of transport domains.
Other mappings may be defined in the future.
It is the purpose of RFC xxx1 (draft-ietf-snmpv3-arch-05.txt), "An Although several mappings are defined, the mapping onto UDP is the
Architecture for Describing SNMP Management Frameworks" [15], to define preferred mapping. As such, to provide for the greatest level of
an architecture for specifying SNMP Management Frameworks. While interoperability, systems which choose to deploy other mappings
addressing general architectural issues, it focuses on aspects related should also provide for proxy service to the UDP mapping.
to security and administration. It defines a number of terms used
throughout the SNMPv3 Management Framework and, in so doing, clarifies
and extends the naming of
* engines and applications, 7.4 Protocol Instrumentation
* entities (service providers such as the engines in agents It is the purpose of RFC 1907, the Management Information Base for
and managers), SNMPv2 document [9] to define managed objects which describe the
behavior of an SNMPv2 entity.
* identities (service users), and 7.5 Architecture / Security and Administration
* management information, including support for multiple It is the purpose of RFC 2571, "An Architecture for Describing SNMP
logical contexts. Management Frameworks" [15], to define an architecture for specifying
SNMP Management Frameworks. While addressing general architectural
issues, it focuses on aspects related to security and administration.
It defines a number of terms used throughout the SNMPv3 Management
Framework and, in so doing, clarifies and extends the naming of
The document contains a small MIB module which is implemented by all * engines and applications,
authoritative SNMPv3 protocol engines.
7.6. Message Processing and Dispatch (MPD) * entities (service providers such as the engines in agents
and managers),
RFC xxx2 (draft-ietf-snmpv3-mpc-05.txt), "Message Processing and * identities (service users), and
Dispatching for the Simple Network Management Protocol (SNMP)" [16],
describes the Message Processing and Dispatching for SNMP messages
within the SNMP architecture. It defines the procedures for dispatching
potentially multiple versions of SNMP messages to the proper SNMP
Message Processing Models, and for dispatching PDUs to SNMP
applications. This document also describes one Message Processing Model
- the SNMPv3 Message Processing Model.
It is expected that an SNMPv3 protocol engine MUST support at least one * management information, including support for multiple
Message Processing Model. An SNMPv3 protocol engine MAY support more logical contexts.
than one, for example in a multi-lingual system which provides
simultaneous support of SNMPv3 and SNMPv1 and/or SNMPv2c.
7.7. SNMP Applications The document contains a small MIB module which is implemented by all
authoritative SNMPv3 protocol engines.
It is the purpose of RFC xxx3 (draft-ietf-snmpv3-appl-v2-03.txt), "SNMP 7.6 Message Processing and Dispatch (MPD)
Applications" to describe the five types of applications which can be
associated with an SNMP engine. They are: Command Generators, Command
Responders, Notification Originators, Notification Receivers, and Proxy
Forwarders.
The document also defines MIB modules for specifying targets of RFC 2572, "Message Processing and Dispatching for the Simple Network
management operations (including notifications), for notification Management Protocol (SNMP)" [16], describes the Message Processing
filtering, and for proxy forwarding. and Dispatching for SNMP messages within the SNMP architecture. It
defines the procedures for dispatching potentially multiple versions
of SNMP messages to the proper SNMP Message Processing Models, and
for dispatching PDUs to SNMP applications. This document also
describes one Message Processing Model - the SNMPv3 Message
Processing Model.
7.8. User-based Security Model (USM) It is expected that an SNMPv3 protocol engine MUST support at least
one Message Processing Model. An SNMPv3 protocol engine MAY support
more than one, for example in a multi-lingual system which provides
simultaneous support of SNMPv3 and SNMPv1 and/or SNMPv2c.
RFC xxx4 (draft-ietf-snmpv3-usm-v2-05.txt), the "User-based Security 7.7 SNMP Applications
Model (USM) for version 3 of the Simple Network Management Protocol
(SNMPv3)" describes the User-based Security Model for SNMPv3. It
defines the Elements of Procedure for providing SNMP message-level
security.
The document describes the two primary and two secondary threats which It is the purpose of RFC 2573, "SNMP Applications" to describe the
are defended against by the User-based Security Model. They are: five types of applications which can be associated with an SNMP
modification of information, masquerade, message stream modification, engine. They are: Command Generators, Command Responders,
and disclosure. Notification Originators, Notification Receivers, and Proxy
Forwarders.
The USM utilizes MD5 [21] and the Secure Hash Algorithm [22] as keyed The document also defines MIB modules for specifying targets of
hashing algorithms [23] for digest computation to provide data integrity management operations (including notifications), for notification
filtering, and for proxy forwarding.
* to directly protect against data modification attacks, 7.8 User-based Security Model (USM)
* to indirectly provide data origin authentication, and RFC 2574, the "User-based Security Model (USM) for version 3 of the
Simple Network Management Protocol (SNMPv3)" describes the User-based
Security Model for SNMPv3. It defines the Elements of Procedure for
providing SNMP message-level security.
* to defend against masquerade attacks. The document describes the two primary and two secondary threats
which are defended against by the User-based Security Model. They
are: modification of information, masquerade, message stream
modification, and disclosure.
The USM uses loosely synchronized monotonically increasing time The USM utilizes MD5 [21] and the Secure Hash Algorithm [22] as keyed
indicators to defend against certain message stream modification hashing algorithms [23] for digest computation to provide data
attacks. Automatic clock synchronization mechanisms based on the integrity
protocol are specified without dependence on third-party time sources
and concomitant security considerations.
The USM uses the Data Encryption Standard (DES) [24] in the cipher block * to directly protect against data modification attacks,
chaining mode (CBC) if disclosure protection is desired. Support for
DES in the USM is optional, primarily because export and usage
restrictions in many countries make it difficult to export and use
products which include cryptographic technology.
The document also includes a MIB suitable for remotely monitoring and * to indirectly provide data origin authentication, and
managing the configuration parameters for the USM, including key
distribution and key management.
An entity may provide simultaneous support for multiple security models * to defend against masquerade attacks.
as well as multiple authentication and privacy protocols. All of the
protocols used by the USM are based on pre-placed keys, i.e., private
key mechanisms. The SNMPv3 architecture permits the use of asymmetric
mechanisms and protocols (commonly called "public key cryptography") but
as of this writing, no such SNMPv3 security models utilizing public key
cryptography have been published.
7.9. View-based Access Control (VACM) The USM uses loosely synchronized monotonically increasing time
indicators to defend against certain message stream modification
attacks. Automatic clock synchronization mechanisms based on the
protocol are specified without dependence on third-party time sources
and concomitant security considerations.
The purpose of RFC xxx5 (draft-ietf-snmpv3-vacm-04.txt), the "View-based The USM uses the Data Encryption Standard (DES) [24] in the cipher
Access Control Model (VACM) for the Simple Network Management Protocol block chaining mode (CBC) if disclosure protection is desired.
(SNMP)" is to describe the View-based Access Control Model for use in Support for DES in the USM is optional, primarily because export and
the SNMP architecture. The VACM can simultaneously be associated in a usage restrictions in many countries make it difficult to export and
single engine implementation with multiple Message Processing Models and use products which include cryptographic technology.
multiple Security Models.
It is architecturally possible to have multiple, different, Access The document also includes a MIB suitable for remotely monitoring and
Control Models active and present simultaneously in a single engine managing the configuration parameters for the USM, including key
implementation, but this is expected to be *_very_* rare in practice and distribution and key management.
*_far_* less common than simultaneous support for multiple Message
Processing Models and/or multiple Security Models.
7.10. SNMPv3 Coexistence and Transition An entity may provide simultaneous support for multiple security
models as well as multiple authentication and privacy protocols. All
of the protocols used by the USM are based on pre-placed keys, i.e.,
private key mechanisms. The SNMPv3 architecture permits the use of
asymmetric mechanisms and protocols (commonly called "public key
cryptography") but as of this writing, no such SNMPv3 security models
utilizing public key cryptography have been published.
The purpose of RFC yyyy (draft-ietf-snmpv3-coex-03.txt), "Coexistence 7.9 View-based Access Control (VACM)
between Version 1, Version 2, and Version 3 of the Internet-standard
Network Management Framework" is to describe coexistence between the
SNMPv3 Management Framework, the SNMPv2 Management Framework, and the
original SNMPv1 Management Framework. In particular, this document
describes four aspects of coexistence:
* Conversion of MIB documents from SMIv1 to SMIv2 format The purpose of RFC 2575, the "View-based Access Control Model (VACM)
for the Simple Network Management Protocol (SNMP)" is to describe the
View-based Access Control Model for use in the SNMP architecture.
The VACM can simultaneously be associated in a single engine
implementation with multiple Message Processing Models and multiple
Security Models.
* Mapping of notification parameters It is architecturally possible to have multiple, different, Access
Control Models active and present simultaneously in a single engine
implementation, but this is expected to be *_very_* rare in practice
and *_far_* less common than simultaneous support for multiple
Message Processing Models and/or multiple Security Models.
* Approaches to coexistence between entities which support 7.10 SNMPv3 Coexistence and Transition
the various versions of SNMP in a multi-lingual network, in
particular the processing of protocol operations in
multi-lingual implementations, as well as behaviour of
proxy implementations
* The SNMPv1 Message Processing Model and Community-Based The purpose of "Coexistence between Version 1, Version 2, and Version
Security Model, which provides mechanisms for adapting 3 of the Internet-standard Network Management Framework" is to
SNMPv1 and SNMPv2c into the View-Based Access Control Model describe coexistence between the SNMPv3 Management Framework, the
(VACM) [19] SNMPv2 Management Framework, and the original SNMPv1 Management
Framework. In particular, this document describes four aspects of
coexistence:
8. Security Considerations * Conversion of MIB documents from SMIv1 to SMIv2 format
As this document is primarily a roadmap document, it introduces no new * Mapping of notification parameters
security considerations. The reader is referred to the relevant
sections of each of the referenced documents for information about
security considerations.
9. Editors' Addresses * Approaches to coexistence between entities which support
the various versions of SNMP in a multi-lingual network, in
particular the processing of protocol operations in
multi-lingual implementations, as well as behavior of
proxy implementations
* The SNMPv1 Message Processing Model and Community-Based
Security Model, which provides mechanisms for adapting
SNMPv1 and SNMPv2c into the View-Based Access Control Model
(VACM) [19]
8 Security Considerations
As this document is primarily a roadmap document, it introduces no
new security considerations. The reader is referred to the relevant
sections of each of the referenced documents for information about
security considerations.
9 Editors' Addresses
Jeffrey Case Jeffrey Case
SNMP Research, Inc. SNMP Research, Inc.
3001 Kimberlin Heights Road 3001 Kimberlin Heights Road
Knoxville, TN 37920-9716 Knoxville, TN 37920-9716
USA USA
Phone: +1 423 573 1434 Phone: +1 423 573 1434
EMail: case@snmp.com EMail: case@snmp.com
Russ Mundy Russ Mundy
TIS Labs at Network Associates TIS Labs at Network Associates
3060 Washington Rd 3060 Washington Rd
Glenwood, MD 21738 Glenwood, MD 21738
USA USA
Phone: +1 301 854 6889 Phone: +1 301 854 6889
EMail: mundy@tis.com EMail: mundy@tislabs.com
David Partain David Partain
SNMP Research Europe Ericsson Radio Systems
Teknikringen 1 Research and Innovation
S-583 30 Linkoping P.O. Box 1248
SE-581 12 Linkoping
Sweden Sweden
Phone: +46 13 21 18 81 Phone: +46 13 28 41 44
EMail: partain@europe.snmp.com EMail: David.Partain@ericsson.com
Bob Stewart Bob Stewart
Cisco Systems, Inc. Cisco Systems, Inc.
170 West Tasman Drive 170 West Tasman Drive
San Jose, CA 95134-1706 San Jose, CA 95134-1706
U.S.A. U.S.A.
Phone: +1 603 654 6923 Phone: +1 603 654 6923
EMail: bstewart@cisco.com EMail: bstewart@cisco.com
10. Full Copyright Statement 10 References
Copyright (C) The Internet Society (1998). All Rights Reserved. [1] Rose, M. and K. McCloghrie, "Structure and Identification of
Management Information for TCP/IP-based internets", STD 16, RFC
1155, May 1990.
This document and translations of it may be copied and furnished to [2] Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16,
others, and derivative works that comment on or otherwise explain it RFC 1212, March 1991.
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be [3] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple
revoked by the Internet Society or its successors or assigns. Network Management Protocol", STD 15, RFC 1157, May 1990.
This document and the information contained herein is provided on an [4] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING Waldbusser, "Structure of Management Information for Version 2
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING of the Simple Network Management Protocol (SNMPv2)", RFC 1902,
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION January 1996.
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
11. References [5] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
Waldbusser, "Textual Conventions for Version 2 of the Simple
Network Management Protocol (SNMPv2)", RFC 1903, January 1996.
[1] Rose, M., and K. McCloghrie, "Structure and Identification of [6] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
Management Information for TCP/IP-based internets", STD 16, RFC Waldbusser, "Conformance Statements for Version 2 of the Simple
1155, May 1990. Network Management Protocol (SNMPv2)", RFC 1904, January 1996.
[2] Rose, M., and K. McCloghrie, "Concise MIB Definitions", STD 16, [7] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M. and S.
RFC 1212, March 1991. Waldbusser, "Protocol Operations for Version 2 of the Simple
Network Management Protocol (SNMPv2)", RFC 1905, January 1996.
[3] Case, J., Fedor, M., Schoffstall, M., Davin, J., "Simple Network [8] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M. and S.
Management Protocol", STD 15, RFC 1157, SNMP Research, Performance Waldbusser, "Transport Mappings for Version 2 of the Simple
Systems International, MIT Laboratory for Computer Science, May Network Management Protocol (SNMPv2)", RFC 1906, January 1996.
1990.
[4] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and [9] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M. and S.
S. Waldbusser, "Structure of Management Information for Version 2 Waldbusser, "Management Information Base for Version 2 of the
of the Simple Network Management Protocol (SNMPv2)", RFC 1902, Simple Network Management Protocol (SNMPv2)", RFC 1907, January
January 1996. 1996.
[5] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and [10] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M. and S.
S. Waldbusser, "Textual Conventions for Version 2 of the Simple Waldbusser, "Coexistence between Version 1 and Version 2 of the
Network Management Protocol (SNMPv2)", RFC 1903, January 1996. Internet-standard Network Management Framework", RFC 1908,
January 1996.
[6] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and [11] Information processing systems - Open Systems Interconnection -
S. Waldbusser, "Conformance Statements for Version 2 of the Simple Specification of Abstract Syntax Notation One (ASN.1),
Network Management Protocol (SNMPv2)", RFC 1904, January 1996. International Organization for Standardization. International
Standard 8824, (December, 1987).
[7] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and [12] McCloghrie, K. and M. Rose, "Management Information Base for
S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management of TCP/IP-based Internets", RFC 1066, August
Network Management Protocol (SNMPv2)", RFC 1905, January 1996. 1988.
[8] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and [13] McCloghrie, K. and M. Rose, "Management Information Base for
S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management of TCP/IP-based internets: MIB-II, STD 17,
Network Management Protocol (SNMPv2)", RFC 1906, January 1996. RFC 1213, March 1991.
[9] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and [14] Cerf, V., "IAB Recommendations for the Development of Internet
S. Waldbusser, "Management Information Base for Version 2 of the Network Management Standards", RFC 1052, April 1988.
Simple Network Management Protocol (SNMPv2)", RFC 1907,
January 1996.
[10] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and [15] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for
S. Waldbusser, "Coexistence between Version 1 and Version 2 of the Describing SNMP Management Frameworks", RFC 2571, April 1999.
Internet-standard Network Management Framework", RFC 1908,
January 1996.
[11] Information processing systems - Open Systems Interconnection - [16] Case, J., Harrington, D., Presuhn, R. and B. Wijnen, "Message
Specification of Abstract Syntax Notation One (ASN.1), Processing and Dispatching for the Simple Network Management
International Organization for Standardization. International Protocol (SNMP)", RFC 2572, April 1999.
Standard 8824, (December, 1987).
[12] McCloghrie, K., and M. Rose, "Management Information Base for [17] Levi, D., Meyer, P. and B. Stewart, "SNMP Applications", RFC
Network Management of TCP/IP-based Internets", RFC 1066, 2573, April 1999.
August 1988.
[13] McCloghrie, K., and M. Rose, "Management Information Base for [18] Blumenthal, U. and B. Wijnen, "The User-Based Security Model for
Network Management of TCP/IP-based internets: MIB-II, RFC 1213, Version 3 of the Simple Network Management Protocol (SNMPv3)",
March 1991. RFC 2574, April 1999.
[14] Cerf, V., "IAB Recommendations for the Development of Internet [19] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access
Network Management Standards", RFC 1052, April 1988. Control Model for the Simple Network Management Protocol
(SNMP)", RFC 2575, April 1999.
[15] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture [20] Frye, R., Levi, D., Routhier, S., and B. Wijnen, "Coexistence
for Describing SNMP Management Frameworks", between Version 1, Version 2, and Version 3 of the Internet-
<draft-ietf-snmpv3-arch-05.txt>, January 1999. standard Network Management Framework", Work in Progress.
[16] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message [21] Rivest, R., "Message Digest Algorithm MD5", RFC 1321, April
Processing and Dispatching for the Simple Network Management 1992.
Protocol (SNMP)", <draft-ietf-snmpv3-mpc-05.txt>,
January, 1999.
[17] Levi, D., Meyer, P., and B. Stewart, "SNMP Applications", [22] Secure Hash Algorithm. NIST FIPS 180-1, (April, 1995)
<draft-ietf-snmpv3-appl-v2-03.txt>, January 1999. http://csrc.nist.gov/fips/fip180-1.txt (ASCII)
http://csrc.nist.gov/fips/fip180-1.ps (Postscript)
[18] Blumenthal, U. and B. Wijnen, "The User-Based Security [23] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing
Model for Version 3 of the Simple Network Management Protocol for Message Authentication", RFC 2104, February 1997.
(SNMPv3)", <draft-ietf-snmpv3-usm-v2-05.txt>, January 1999.
[19] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based [24] Data Encryption Standard, National Institute of Standards and
Access Control Model for the Simple Network Management Protocol Technology. Federal Information Processing Standard (FIPS)
(SNMP)", <draft-ietf-snmpv3-vacm-04.txt>, January 1999. Publication 46-1. Supersedes FIPS Publication 46, (January,
1977; reaffirmed January, 1988).
[20] Frye, R., Levi, D., Routhier, S., and B. Wijnen, "Coexistence [25] Rose, M., "A Convention for Defining Traps for use with the
between Version 1, Version 2, and Version 3 of the SNMP", RFC 1215, March 1991.
Internet-standard Network Management Framework",
<draft-ietf-snmpv3-coex-03.txt>, January 1999.
[21] Rivest, R., "Message Digest Algorithm MD5", RFC 1321, April 1992. [26] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
M. and S. Waldbusser, "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[22] Secure Hash Algorithm. NIST FIPS 180-1, (April, 1995) [27] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
http://csrc.nist.gov/fips/fip180-1.txt (ASCII) M. and S. Waldbusser, "Textual Conventions for SMIv2", STD 58,
http://csrc.nist.gov/fips/fip180-1.ps (Postscript) RFC 2579, April 1999.
[23] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: [28] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
Keyed-Hashing for Message Authentication", RFC 2104, February M. and S. Waldbusser, "Conformance Statements for SMIv2", STD
1997. 58, RFC 2580, April 1999.
[24] Data Encryption Standard, National Institute of Standards 11 Full Copyright Statement
and Technology. Federal Information Processing Standard (FIPS)
Publication 46-1. Supersedes FIPS Publication 46, (January, 1977;
reaffirmed January, 1988).
[25] M.T. Rose, "A Convention for Defining Traps for use with the Copyright (C) The Internet Society (1998). All Rights Reserved.
SNMP", RFC 1215, March 1991.
Table of Contents This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
1 Introduction .................................................... 3 The limited permissions granted above are perpetual and will not be
2 The Internet Standard Management Framework ...................... 4 revoked by the Internet Society or its successors or assigns.
2.1 Basic Structure and Components ................................ 4
2.2 Architecture of the Internet Standard Management Framework .... 4 This document and the information contained herein is provided on an
3 The SNMPv1 Management Framework ................................. 6 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
3.1 The SNMPv1 Data Definition Language ........................... 6 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
3.2 Management Information ........................................ 7 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
3.3 Protocol Operations ........................................... 7 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
3.4 SNMPv1 Security and Administration ............................ 7 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
4 The SNMPv2 Management Framework ................................. 8
5 The SNMPv3 Working Group ........................................ 9 Acknowledgement
6 SNMPv3 Framework Module Specifications .......................... 12
6.1 Data Definition Language ...................................... 12 Funding for the RFC Editor function is currently provided by
6.2 MIB Modules ................................................... 13 the Internet Society.
6.3 Protocol Operations and Transport Mappings .................... 14
6.4 SNMPv3 Security and Administration ............................ 14
7 Document Summaries .............................................. 16
7.1 Structure of Management Information ........................... 16
7.1.1 Base SMI Specification ...................................... 16
7.1.2 Textual Conventions ......................................... 17
7.1.3 Conformance Statements ...................................... 17
7.2 Protocol Operations ........................................... 18
7.3 Transport Mappings ............................................ 18
7.4 Protocol Instrumentation ...................................... 18
7.5 Architecture / Security and Administration .................... 19
7.6 Message Processing and Dispatch (MPD) ......................... 19
7.7 SNMP Applications ............................................. 19
7.8 User-based Security Model (USM) ............................... 20
7.9 View-based Access Control (VACM) .............................. 21
7.10 SNMPv3 Coexistence and Transition ............................ 21
8 Security Considerations ......................................... 23
9 Editors' Addresses .............................................. 23
10 Full Copyright Statement ....................................... 24
11 References ..................................................... 24
 End of changes. 235 change blocks. 
726 lines changed or deleted 758 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/