Re: Some questions

[Marshall Rose <mrose@dbc.mtview.ca.us>]

> 1. What happens with a Get-Next or Get-Bulk when there are no more
> instances to return and it trys to return the next lexicographic object
> which happens to be outside the MIB view for this communication.

According to the proto document, you get back an exception,
endOfMibView, for each variable being processed.  If all variables in an
iteration of get-bulk result in endOfMibView, then get-bulk processing
terminates early (since all further processing would do is return more
exceptions).

> 2. In the Security Protocols for SNMPv2 doc section 5.3 it says that case
> four can not be handled by the selective clock acceleration mechanism. It
> doesn't say why anywhere and reception of a authenticated pdu appears
> to use both timestamps to update both party clocks. Can you explain why 
> only the first three cases are handled.

When using the v2md5AuthProtocol, the receiver warps the clocks of both
the sender and receiver, if need be.  So let's look at the cases

	  
clock	   situation                           comments
--------   ---------			       --------
sender	   sender's value > receiver's value   receiver will warp
sender     receiver's value > sender's value   receiver will discard
receiver   sender's value > receiver's value   receiver will warp
receiver   receiver's value > sender's value   receiver will ignore

So, the only case in which the clocks won't synchronize is when the
receiver's notion of the sender's clock is fast.  In this case, the
sender retrieves the clock, using a noAuth party, saves the old value,
warps it to the new value, and retrieves the clock using the md5Auth party.
If things work, the old value is discarded.

> 3. If a device cannot provide NVRam for all the required objects is it 
> non conformant? Also, in the Admin Model document, section 4.1 it says
> that a minimal secure agent must provide party id's and transport addresses
> in NVRam, but in section 5.5 (Crash Recovery) of Security Protocols document
> it doesn't include the transport address in the list that should be
> kept in NVRam.

In the PARTY document, it describes the different levels of stability
that a party definition might take.  In general, if you can't provide
NV-storage then it is somewhat difficult to provide a secure system.

> 4. The Crash Recovery section of Security Protocols document, talks about
> an agent crashing, what about when a manager crashes? Do you need to 
> ensure that a shadow manager can take over or have a manual reconfiguration 
> of the agents. Also, when the agent crashes how does the manager communicate
> with it to rebuild the party table, without a complete parrty table, ACL
> table etc, won't the agent reject all communication?

Management stations tend to be co-located with personnel, so crash
recovery is not usually an issue.  If an agent loses its stable storage,
then you have to reconfigure it by hand.

> 5. The Admin doc talks about a PDU starting with 30 hex. If this identifies
> an SNMP PDU what does an SNMPv2 PDU start with?

According to the ADMIN document, the top-level message is called an
SnmpPrivMsg which is defined as

	SnmpPrivMsg ::= [1] IMPLICIT SEQUENCE ...

I'll let you consult the basic encoding rules to figure out what the hex
value is.

> 6. In several places the party identifiers are shown as containing the IP 
> address of the target entity. Do party ids have to contain transport
> addresses of the entity to conform or can they be allocated in some other 
> arbitrary manner?

In the PARTY document, it describes a *convention* for assigning OIDs.
You are free to use whatever assignment mechanism you want.

/mtr