Re: Some questions
Marshall Rose <mrose@dbc.mtview.ca.us> Fri, 05 March 1993 19:09 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa14082; 5 Mar 93 14:09 EST
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id aa14076; 5 Mar 93 14:09 EST
Received: from SLEEPY.TIS.COM by CNRI.Reston.VA.US id aa18177; 5 Mar 93 14:09 EST
Received: from sleepy.tis.com by sleepy.TIS.COM id aa00501; 5 Mar 93 18:41 GMT
Received: from tis.com by sleepy.TIS.COM id aa00496; 5 Mar 93 13:36 EST
Received: from dbc.mtview.ca.us (ppp.dbc.mtview.ca.us) by TIS.COM (4.1/SUN-5.64) id AA16918; Fri, 5 Mar 93 13:36:40 EST
Received: from localhost by dbc.mtview.ca.us (5.65/3.1.090690) id AA29408; Fri, 5 Mar 93 10:34:05 -0800
To: Jacqueline Balfour <jackie@netmanz.hpl.hp.com>
Reply-To: snmp-sec-dev@tis.com
Cc: snmp-sec-dev@tis.com
Subject: Re: Some questions
In-Reply-To: Your message of "Fri, 05 Mar 1993 17:07:37 GMT." <9303051707.AA02786@netmanz.hpl.hp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 05 Mar 1993 10:33:52 -0800
Message-Id: <29400.731356432@dbc.mtview.ca.us>
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Marshall Rose <mrose@dbc.mtview.ca.us>
> 1. What happens with a Get-Next or Get-Bulk when there are no more
> instances to return and it tries to return the next lexicographic object
> which happens to be outside the MIB view for this communication.

According to the proto document, you get back an exception, endOfMibView,
for each variable being processed.  If all variables in an iteration of
get-bulk result in endOfMibView, then get-bulk processing terminates early
(since all further processing would do is return more exceptions).

> 2. In the Security Protocols for SNMPv2 doc section 5.3 it says that case
> four can not be handled by the selective clock acceleration mechanism.  It
> doesn't say why anywhere and reception of an authenticated pdu appears
> to use both timestamps to update both party clocks.  Can you explain why
> only the first three cases are handled.

When using the v2md5AuthProtocol, the receiver warps the clocks of both the
sender and receiver, if need be.  So let's look at the cases

    clock      situation                           comments
    --------   ---------                           --------
    sender     sender's value > receiver's value   receiver will warp
    sender     receiver's value > sender's value   receiver will discard
    receiver   sender's value > receiver's value   receiver will warp
    receiver   receiver's value > sender's value   receiver will ignore

So, the only case in which the clocks won't synchronize is when the
receiver's notion of the sender's clock is fast.  In this case, the sender
retrieves the clock, using a noAuth party, saves the old value, warps it to
the new value, and retrieves the clock using the md5Auth party.  If things
work, the old value is discarded.

> 3. If a device cannot provide NVRam for all the required objects is it
> non conformant?  Also, in the Admin Model document, section 4.1 it says
> that a minimal secure agent must provide party ids and transport addresses
> in NVRam, but in section 5.5 (Crash Recovery) of Security Protocols document
> it doesn't include the transport address in the list that should be
> kept in NVRam.

In the PARTY document, it describes the different levels of stability that
a party definition might take.  In general, if you can't provide NV-storage
then it is somewhat difficult to provide a secure system.

> 4. The Crash Recovery section of Security Protocols document talks about
> an agent crashing, what about when a manager crashes?  Do you need to
> ensure that a shadow manager can take over or have a manual reconfiguration
> of the agents.  Also, when the agent crashes how does the manager communicate
> with it to rebuild the party table, without a complete party table, ACL
> table etc, won't the agent reject all communication?

Management stations tend to be co-located with personnel, so crash recovery
is not usually an issue.  If an agent loses its stable storage, then you
have to reconfigure it by hand.

> 5. The Admin doc talks about a PDU starting with 30 hex.  If this identifies
> an SNMP PDU what does an SNMPv2 PDU start with?

According to the ADMIN document, the top-level message is called an
SnmpPrivMsg which is defined as

    SnmpPrivMsg ::= [1] IMPLICIT SEQUENCE ...

I'll let you consult the basic encoding rules to figure out what the hex
value is.

> 6. In several places the party identifiers are shown as containing the IP
> address of the target entity.  Do party ids have to contain transport
> addresses of the entity to conform or can they be allocated in some other
> arbitrary manner?

In the PARTY document, it describes a *convention* for assigning OIDs.  You
are free to use whatever assignment mechanism you want.

/mtr
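Editor's added example (not code from the message above, nor from the SNMPv2 documents or any implementation): the four clock cases in the table under question 2, plus the manual re-synchronisation for the one case the table marks "discard", modelled as a small simulation. The `PartyClocks` class, the function names and the optional `lifetime` tolerance are assumptions made for this example; with `lifetime=0` the behaviour is exactly the table's.

```python
"""Simulation of SNMPv2 party-clock handling as described in the reply.

Each entity keeps its own party clock and a notion of each peer's clock.
On receipt of an authenticated message the receiver applies the four
rules from the table; the sender-side recovery below is the procedure
the reply gives for the "receiver's notion of sender's clock is fast"
case.  All names here are invented for this example.
"""
from dataclasses import dataclass, field


@dataclass
class PartyClocks:
    """One entity's view of clocks: its own, and its notion of each peer's."""
    own: int                                   # this entity's own party clock
    peers: dict = field(default_factory=dict)  # peer name -> notion of that peer's clock


def receive_authenticated(rx: PartyClocks, sender: str, src_ts: int, dst_ts: int,
                          lifetime: int = 0):
    """Receiver-side rules for an authenticated (md5Auth) message.

    src_ts   sender's timestamp of its own clock
    dst_ts   sender's notion of the receiver's clock
    lifetime tolerance window (assumption; 0 reproduces the table exactly)
    Returns (accepted, list_of_actions).
    """
    actions = []
    notion = rx.peers.get(sender, 0)
    # Row 2: receiver's notion of the sender's clock is ahead -> discard.
    if notion > src_ts + lifetime:
        return False, ["discard: notion of sender's clock is ahead of its timestamp"]
    # Row 1: sender's clock is ahead of our notion -> warp our notion forward.
    if src_ts > notion:
        rx.peers[sender] = src_ts
        actions.append("warp notion of sender's clock")
    # Row 3: sender's notion of our clock is ahead of our clock -> warp ours forward.
    if dst_ts > rx.own:
        rx.own = dst_ts
        actions.append("warp own clock")
    # Row 4: our clock is ahead of the sender's notion -> ignore, still accept.
    return True, actions


def resync_sender_clock(sender: PartyClocks, sender_name: str,
                        receiver: PartyClocks, receiver_name: str) -> bool:
    """Sender-side recovery when the receiver's notion of the sender's clock is fast.

    1. read the receiver's notion of our clock via a noAuth party (no timeliness check)
    2. save our old clock value and warp forward to the value the receiver holds
    3. exchange via the md5Auth party; on success the old value is discarded
    Restoring the old value on failure is an assumption, not stated in the reply.
    """
    notion_at_receiver = receiver.peers.get(sender_name, 0)  # noAuth read
    saved = sender.own
    sender.own = max(sender.own, notion_at_receiver)
    ok, _ = receive_authenticated(receiver, sender_name,
                                  src_ts=sender.own,
                                  dst_ts=sender.peers.get(receiver_name, 0))
    if not ok:
        sender.own = saved
    return ok


def main() -> None:
    # Constructed scenario: agent believes the manager's clock is at 90,
    # but the manager's clock is really at 80, so authenticated traffic
    # from the manager is discarded until the manager re-synchronises.
    agent = PartyClocks(own=100, peers={"mgr": 90})
    mgr = PartyClocks(own=80, peers={"agent": 100})
    print("before:", receive_authenticated(agent, "mgr", mgr.own, mgr.peers["agent"]))
    print("resync ok:", resync_sender_clock(mgr, "mgr", agent, "agent"))
    print("after:", receive_authenticated(agent, "mgr", mgr.own, mgr.peers["agent"]))


if __name__ == "__main__":
    main()
```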
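Editor's added example (not code from the message above or from the SNMPv2 documents): the BER identifier-octet computation that the reply to question 5 leaves to the reader, generalised to any tag class and number plus the length encoding, so the same code covers the universal SEQUENCE (the 30 hex of question 5) and the `[1] IMPLICIT SEQUENCE` wrapper of SnmpPrivMsg. Function names are invented here.

```python
"""Minimal BER tag and length encoder, enough to compute the first octet
of an SNMPv1 message (SEQUENCE) and of an SNMPv2 SnmpPrivMsg
([1] IMPLICIT SEQUENCE).  Function names are invented for this example.
"""

# Identifier-octet layout: bits 8-7 class, bit 6 constructed, bits 5-1 tag number.
CLASS_BITS = {"universal": 0x00, "application": 0x40, "context": 0x80, "private": 0xC0}
CONSTRUCTED = 0x20


def ber_tag(tag_class: str, constructed: bool, number: int) -> bytes:
    """Encode a BER identifier; numbers >= 31 use the long (base-128) form."""
    first = CLASS_BITS[tag_class] | (CONSTRUCTED if constructed else 0)
    if number < 31:
        return bytes([first | number])
    digits = []
    while number:
        digits.append(number & 0x7F)
        number >>= 7
    digits.reverse()
    # leading octet 0x1F, then base-128 digits with the high bit set on all but the last
    return (bytes([first | 0x1F])
            + bytes(d | 0x80 for d in digits[:-1])
            + bytes([digits[-1]]))


def ber_length(n: int) -> bytes:
    """Encode a content length: short form below 128, otherwise long form."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: bytes, content: bytes) -> bytes:
    """Assemble a tag-length-value triple."""
    return tag + ber_length(len(content)) + content


def snmpv1_message_tag() -> bytes:
    """Universal, constructed, tag 16 (SEQUENCE): the 30 hex of question 5."""
    return ber_tag("universal", True, 16)


def snmpv2_priv_msg_tag() -> bytes:
    """Context-specific, constructed, tag 1: [1] IMPLICIT SEQUENCE."""
    return ber_tag("context", True, 1)


def describe_first_octet(octet: int) -> str:
    """Name the two top-level message wrappers discussed in the reply."""
    if octet == snmpv1_message_tag()[0]:
        return "SEQUENCE-wrapped message (SNMPv1 style, 30 hex)"
    if octet == snmpv2_priv_msg_tag()[0]:
        return "SnmpPrivMsg ([1] IMPLICIT SEQUENCE)"
    return "not one of the two wrappers discussed"


if __name__ == "__main__":
    # Constructed payload: wrap three arbitrary content bytes in each wrapper.
    payload = b"\x04\x01\x00"
    for tag in (snmpv1_message_tag(), snmpv2_priv_msg_tag()):
        msg = ber_tlv(tag, payload)
        print(msg.hex(), "->", describe_first_octet(msg[0]))
```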