Re: Some questions

"Christopher K. Young" <cyoung@ctron.ctron.com> Fri, 05 March 1993 18:29 UTC

Date: Fri, 05 Mar 1993 13:05:47 -0500
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: "Christopher K. Young" <cyoung@ctron.ctron.com>
Message-Id: <9303051805.AA23010@cardinals.ctron>
To: snmp-sec-dev@tis.com
Subject: Re: Some questions
In-Reply-To: Mail from 'snmp-sec-dev-request@sleepy.TIS.COM Fri Mar 5 12:42:29 1993' dated Fri, 5 Mar 93 17:07:37 GMT

> 1. What happens with a Get-Next or Get-Bulk when there are no more
> instances to return and it tries to return the next lexicographic object
> which happens to be outside the MIB view for this communication.

The varbind is filled with the end-of-mib-view implicit null.  If all the 
varbinds in any given iteration are set to end-of-mib-view, processing stops
and the response is sent out.

> 2. In the Security Protocols for SNMPv2 doc section 5.3 it says that case
> four can not be handled by the selective clock acceleration mechanism. It
> doesn't say why anywhere and reception of an authenticated pdu appears
> to use both timestamps to update both party clocks. Can you explain why 
> only the first three cases are handled.

Perhaps it assumes that a management clock that lags the agent clock will
have its packets thrown out as unauthentic.  This is only the case when MD5
is used but I guess a fair constraint on generic acceleration methods.

> 3. If a device cannot provide NVRam for all the required objects is it 
> non conformant? Also, in the Admin Model document, section 4.1 it says

I don't know who's going to label the boxes (conformant or no).  But if 
the important objects don't have NVRAM support then the box won't receive
much use.  I guess you could refuse to set your partyStorageType, 
contextStorageType, aclStorageType to non-volatile if you wanted.  Or only use 
the permanent option (keep it in ROM).

> that a minimal secure agent must provide party id's and transport addresses
> in NVRam, but in section 5.5 (Crash Recovery) of Security Protocols document
> it doesn't include the transport address in the list that should be
> kept in NVRam.

No, because the agent doesn't need it.  Requests are sent back to the manager
on the received address regardless of the party database.

> 4. The Crash Recovery section of Security Protocols document, talks about
> an agent crashing, what about when a manager crashes? Do you need to 

What would happen if the manager crashed?  Probably nothing too awful.

> ensure that a shadow manager can take over or have a manual reconfiguration 
> of the agents. Also, when the agent crashes how does the manager communicate
> with it to rebuild the party table, without a complete party table, ACL
> table etc, won't the agent reject all communication?

The manager will not be able to talk with the agent when it is crashed but 
when it is rebooted (or whatever, recovers).  Then things proceed as usual.

> 5. The Admin doc talks about a PDU starting with 30 hex. If this identifies
> an SNMP PDU what does an SNMPv2 PDU start with?

An SnmpPrivMsg starts with an IMPLICIT SEQUENCE 0xA1 or 161.

> 6. In several places the party identifiers are shown as containing the IP 
> address of the target entity. Do party ids have to contain transport
> addresses of the entity to conform or can they be allocated in some other 
> arbitrary manner?

I am unsure of this.  I think they can use some other scheme.  I have
a similar question outstanding about the initial contextIdentities.

Chris Young
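The Get-Bulk behaviour described in the answer to question 1 (a varbind becomes end-of-mib-view when the next instance falls outside the party's MIB view, and processing stops once a whole iteration is end-of-mib-view), as an added illustration that is not part of the original message. The MIB contents, the view (a list of included subtree prefixes), and the request are all constructed; non-repeaters are left out to keep the model small.

```python
# Added example, not from the original message: a toy SNMPv2 agent answering
# a GetBulk when successors of the requested OIDs lie outside the MIB view.
from bisect import bisect_right

END_OF_MIB_VIEW = "endOfMibView"  # stand-in for the implicit-NULL exception value


def oid_key(oid):
    """Turn a dotted OID string into a tuple so tuples sort lexicographically."""
    return tuple(int(x) for x in oid.split("."))


def in_view(oid, view):
    """Assumed view model: a list of subtree prefixes that are 'included'."""
    return any(oid == p or oid.startswith(p + ".") for p in view)


def get_next(mib, sorted_keys, start, view):
    """First instance lexicographically after 'start' that is inside the view,
    or (start, END_OF_MIB_VIEW) when no such instance exists."""
    i = bisect_right(sorted_keys, oid_key(start))
    for key in sorted_keys[i:]:
        oid = ".".join(map(str, key))
        if in_view(oid, view):  # instances outside the view are skipped
            return oid, mib[oid]
    return start, END_OF_MIB_VIEW


def get_bulk(mib, view, names, max_repetitions):
    """Repeat GetNext over every name; stop early once an entire iteration
    consists solely of endOfMibView varbinds, as the answer describes."""
    sorted_keys = sorted(oid_key(o) for o in mib)
    response, cursors = [], list(names)
    for _ in range(max_repetitions):
        row = [get_next(mib, sorted_keys, c, view) for c in cursors]
        response.extend(row)
        if all(value == END_OF_MIB_VIEW for _, value in row):
            break
        cursors = [oid for oid, _ in row]
    return response


# Constructed MIB: system group plus a slice of the interfaces group.
MIB = {
    "1.3.6.1.2.1.1.1.0": "sysDescr",
    "1.3.6.1.2.1.1.3.0": 1234,
    "1.3.6.1.2.1.2.1.0": 2,
    "1.3.6.1.2.1.2.2.1.1.1": 1,
}
VIEW = ["1.3.6.1.2.1.1"]  # this party may read only the system group

if __name__ == "__main__":
    for oid, value in get_bulk(MIB, VIEW, ["1.3.6.1.2.1.1"], 4):
        print(oid, value)
```

With max-repetitions of 4, only three varbinds come back: the two system-group instances and then an end-of-mib-view varbind, after which the agent stops rather than walking into the interfaces group.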