USEC Config MIB

Keith McCloghrie <kzm@cisco.com> Sat, 05 August 1995 08:10 UTC

From: Keith McCloghrie <kzm@cisco.com>
Message-Id: <199508050715.AAA20439@foxhound.cisco.com>
Subject: USEC Config MIB
To: snmpv2@tis.com
Date: Sat, 05 Aug 1995 00:15:41 -0700
Cc: "Marshall T. Rose" <mrose@dbc.mtview.ca.us>, Glenn Waters <gwaters@bnr.ca>, Brian O'Keefe <bok@nsmdserv.cnd.hp.com>

Here's our proposed MIB for USEC agents.

Keith.
----------
Internet Draft  User Configuration MIB for SNMPv2 Agents        Aug 1995

                Managed Objects for the Configuration of
                     SNMPv2 Agents Implementing the
                       User-based Security Model

                             4 August 1995

                 draft-kzm-snmpv2-usec-conf-alt-00.txt


                            Keith McCloghrie
                          Cisco Systems, Inc.
                             kzm@cisco.com

                            Marshall T. Rose
                      Dover Beach Consulting, Inc.
                         mrose@dbc.mtview.ca.us

                            Glenn W. Waters
                      Bell-Northern Research Ltd.
                             gwaters@bnr.ca

                            Brian J. O'Keefe
                        Hewlett Packard Company
                             bok@cnd.hp.com


Status of this Memo

This document is an Internet-Draft.  Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, and
its working groups.  Note that other groups may also distribute working
documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as ``work in progress.''

To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

Expires February 1996                                           [Page 1]


1.  Introduction

A management system contains: several (potentially many) nodes, each
with a processing entity, termed an agent, which has access to
management instrumentation; at least one management station; and, a
management protocol, used to convey management information between the
agents and management stations.  Operations of the protocol are carried
out under an administrative framework which defines authentication,
authorization, access control, and privacy policies.

Management stations execute management applications which monitor and
control managed elements.  Managed elements are devices such as hosts,
routers, terminal servers, etc., which are monitored and controlled via
access to their management information.

The Administrative Infrastructure for SNMPv2 document [1] defines an
administrative framework which realizes effective management in a
variety of configurations and environments.

In the administrative framework, a security model defines the mechanisms
used to achieve an administratively-defined level of security for
protocol interactions.  The User-based Security Model for SNMPv2 [2]
defines such a security model for the administrative framework.

The administrative framework includes the provision of an access control
model.  The enforcement of access rights requires the means to identify
the entity on whose behalf a request is generated.  The User-based
Security Model identifies an entity on whose behalf an SNMPv2 message is
generated as a "user".

It is the purpose of this document to define managed objects such that
an SNMPv2 agent can be configured via SNMPv2 to know about "users" and
their access rights.


1.1.  A Note on Terminology

For the purpose of exposition, the original Internet-standard Network
Management Framework, as described in RFCs 1155, 1157, and 1212, is
termed the SNMP version 1 framework (SNMPv1).  The current framework is
termed the SNMP version 2 framework (SNMPv2).


2.  Potential Scope

An SNMPv2 manager and an SNMPv2 agent are defined as the operational
roles which can be assumed by an SNMPv2 entity.  An SNMPv2 entity which
sometimes acts in an agent role and sometimes in a manager role is
termed an SNMPv2 dual-role entity [1].

In order to be configured via SNMPv2 to know about "users" and their
access rights, an SNMPv2 entity must act, at least some of the time, in
an agent role.  Thus, the scope of managed objects to support such
remote configuration potentially extends to include both SNMPv2 agents
and SNMPv2 dual-role entities.


2.1.  Requirements for SNMPv2 Agents

An SNMPv2 agent needs to know about all users on whose behalf it will
receive retrieval and/or modification requests.  For each such user, an
SNMPv2 agent needs to know the authentication and privacy protocols and
their secret key values, as well as the access rights authorized for
that user.  These access rights specify the types of operations
permitted as well as the MIB views to which access is authorized for a
particular local SNMPv2 context at a particular security level.  It also
needs to know which notifications are authorized to be sent on behalf of
which users, and the transport addresses to which such notifications
should be sent.  In addition, it is valuable for a manager to determine
the set of SNMPv2 local contexts which are (potentially) accessible via
this SNMPv2 agent, including an indication of the temporal domains [1]
of such contexts.

It is also possible for an SNMPv2 agent to be configured to send
notifications on behalf of only a subset of the authorized users.  This
is sometimes called "notification filtering".

It is worth noting that in each of these situations, an SNMPv2 agent
never sends or receives a message having an agentID value [2] other than
its own.  Thus, it has no need for any information other than is used to
access its own set of MIB objects.  In particular, there is no need for
one agent to maintain information about the authentication/privacy
protocols and their secret key values used to access other agents.


2.2.  Requirements for SNMPv2 Dual-Role Entities

There are two categories of SNMPv2 dual-role entities [1]: so-called
mid-level managers and proxy SNMPv2 agents.  In each case, a dual-role
entity both sends and receives requests or notifications; it also sends
and receives messages for multiple values of agentID.  In doing so, it
needs to maintain information about the (potentially different)
authentication/privacy protocols and their secret key values of users on
each SNMPv2 agent with which it communicates, and to differentiate
between these according to the value of agentID at each agent.

A proxy SNMPv2 agent also needs to know the context selector values
identifying SNMPv2 proxy contexts for which it acts as a proxy agent,
and for each such proxy context, the user, agentID and contextSelector
with which it forwards received retrieval/modification requests for that
context.

It is also likely that an SNMPv2 dual-role entity will need to maintain
a set of agentID to transport address mappings, either to record agents
which have been discovered by this dual-role entity or to allow it to be
configured with such information.

On the other hand, an SNMPv2 dual-role entity does not need to maintain
the authorization information about a user's access rights, nor
information about the composition of MIB views.


3.  Actual Scope

It is clear from the foregoing discussion of potential scope that there
are significant differences between the requirements for configuration
of SNMPv2 agents and those for SNMPv2 dual-role entities.  As such, this
memo defines only those managed objects which meet the configuration
needs of SNMPv2 agents.  Managed objects to meet the configuration needs
of SNMPv2 dual-role entities will be defined elsewhere.

In addition, this memo only defines how to authorize the transmission of
a notification; additional information on the filtering of notifications
will be defined elsewhere.


3.1.  Structure of MIB

This MIB consists of five tables and two scalars.  The tables are:

 - usecAgentUserTable: the table of users configured in the SNMPv2
   agent's local configuration datastore (LCD).

 - usecAgentContextTable: the table of all SNMPv2 contexts for which the
   SNMPv2 agent receives requests; for a non-proxy SNMPv2 agent this
   will be all local contexts; if a proxy SNMPv2 agent implements this
   MIB, this table will also include information on proxy contexts.

 - usecAgentAccessTable: the table of users' access rights configured in
   the SNMPv2 agent's local configuration datastore.

 - usecAgentViewTable: the table containing information on subtrees of
   MIB views known to this SNMPv2 agent.

 - usecAgentNotifyAddressTable: the table of transport addresses to
   which notifications are authorized to be sent on behalf of specific
   users.

The scalars are:

 - usecAgentSecretSpinLock: an advisory lock used to allow several
   cooperating SNMPv2 entities, all acting in a manager role, to
   coordinate their use of facilities to alter secrets in the
   usecAgentUserTable.

 - usecAgentViewNextIndex: a currently unassigned index value for a MIB
   view subtree in the usecAgentViewTable.


4.  Authorizing Notifications

The destination(s) to which a notification is authorized to be sent is
determined by consulting the usecAgentAccessTable to find all entries
satisfying the following conditions:

(1)  The value of usecAgentAccessPrivileges permits the relevant type of
     notification.

(2)  The value of usecAgentAccessContextSelector refers to an SNMPv2
     context containing the local management information contained in
     the notification.

(3)  The notification's administratively assigned name is present in the
     corresponding MIB view.  (That is, the set of entries in the
     usecAgentViewTable for which the instance of usecAgentViewIndex has
     the same value as usecAgentAccessReadViewIndex defines a MIB view
     which contains the notification's administratively assigned name.)

(4)  If the OBJECTS clause is present in the invocation of the
     corresponding NOTIFICATION-TYPE macro, then the corresponding
     variables are all present in the MIB view corresponding to
     usecAgentAccessReadViewIndex.

(5)  Any additional variables which the generating SNMPv2 entity
     chooses to include within the notification are all present in the
     MIB view corresponding to usecAgentAccessReadViewIndex.

If multiple entries satisfying these conditions are located for the same
user and context, then all entries for the same user and context except
the one with the lowest QoS value are discarded, where 'noAuth' is lower
than 'auth', and 'auth' is lower than 'priv'.

Then, for each remaining entry, a notification is authorized to be sent
on behalf of the user associated with that entry, with the QoS
associated with that entry, with context usecAgentAccessContextSelector,
and to each transport address associated with that user in the
usecAgentNotifyAddressTable.

In the absence of other (filtering) information to the contrary, each of
these authorized notifications should be sent.
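The selection described in this section, run over a constructed configuration, as an added example that is not part of the draft.  The encoding of usecAgentAccessPrivileges as a set of privilege names and the modelling of a MIB view as a list of included OID subtree prefixes are assumptions; the draft does not define either on this page.

```python
"""Notification authorization per section 4 of the draft (added example).
All table rows are constructed.  The privilege encoding and the view model
(a list of included OID subtree prefixes) are assumptions, not definitions
taken from the draft."""
from dataclasses import dataclass

# QoS textual convention: 'noAuth' is lower than 'auth', which is lower than 'priv'.
QOS_ORDER = {"noAuth": 1, "auth": 2, "priv": 3}


@dataclass
class AccessEntry:
    user: str            # user on whose behalf a notification may be sent
    context: str         # usecAgentAccessContextSelector
    qos: str             # security level of this entry
    privileges: set      # assumed encoding of usecAgentAccessPrivileges
    read_view: int       # usecAgentAccessReadViewIndex


@dataclass
class Notification:
    name: tuple          # administratively assigned name (OID as a tuple)
    context: str         # context holding the local information it carries
    objects: tuple       # instances named by the OBJECTS clause
    extra: tuple = ()    # additional variables the generating entity added


def in_view(view, oid):
    """True if oid lies under one of the view's included subtrees (assumed model)."""
    return any(oid[:len(subtree)] == subtree for subtree in view)


def authorized_destinations(access_table, view_table, notify_addrs, notif):
    """Return sorted (user, qos, context, address) tuples of authorized sends."""
    candidates = []
    for entry in access_table:
        view = view_table.get(entry.read_view, ())
        if "trap" not in entry.privileges:                     # condition (1)
            continue
        if entry.context != notif.context:                     # condition (2)
            continue
        if not in_view(view, notif.name):                      # condition (3)
            continue
        if not all(in_view(view, o) for o in notif.objects):   # condition (4)
            continue
        if not all(in_view(view, o) for o in notif.extra):     # condition (5)
            continue
        candidates.append(entry)

    # Several surviving entries for one (user, context): keep only the lowest QoS.
    chosen = {}
    for entry in candidates:
        key = (entry.user, entry.context)
        if key not in chosen or QOS_ORDER[entry.qos] < QOS_ORDER[chosen[key].qos]:
            chosen[key] = entry

    # One send per transport address configured for the user in the notify table.
    return sorted((e.user, e.qos, e.context, addr)
                  for e in chosen.values()
                  for addr in notify_addrs.get(e.user, ()))


# ---- constructed sample configuration -------------------------------------
SNMP_TRAPS = (1, 3, 6, 1, 6, 3, 1, 1, 5)        # snmpTraps subtree
INTERFACES = (1, 3, 6, 1, 2, 1, 2)              # interfaces subtree
VIEW_TABLE = {
    1: [(1, 3, 6, 1, 2, 1, 1)],                 # system group only
    2: [SNMP_TRAPS, INTERFACES],                # traps plus interfaces
}
ACCESS_TABLE = [
    AccessEntry("ops",   "", "priv",   {"get", "trap"}, 2),
    AccessEntry("ops",   "", "auth",   {"get", "trap"}, 2),   # lower QoS is kept
    AccessEntry("ops",   "", "noAuth", {"trap"},        1),   # view lacks the trap
    AccessEntry("audit", "", "noAuth", {"get"},         2),   # no trap privilege
    AccessEntry("guest", "", "noAuth", {"trap"},        2),   # no addresses configured
]
NOTIFY_ADDRS = {"ops": ["192.0.2.10:162", "192.0.2.11:162"]}
LINK_DOWN = Notification(name=SNMP_TRAPS + (3,), context="",
                         objects=(INTERFACES + (2, 1, 1, 4),))   # ifIndex.4


def destinations_for(notif):
    return authorized_destinations(ACCESS_TABLE, VIEW_TABLE, NOTIFY_ADDRS, notif)


if __name__ == "__main__":
    for dest in destinations_for(LINK_DOWN):
        print(dest)
```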


5.  Changing A User's Secrets

An SNMPv2 manager uses the following procedure to change the
authentication secret configured for a user at a particular agent.

(1)  The management station determines the value for the new secret and
     generates an unpredictable value:

          determine desired value for keyNew
          randomValue = unpredictable()

     It then computes the appropriate delta value using the following
     algorithm:

          iterations = (lenOfkeyNew - 1) / 16; /* integer division */
          temp = keyOld;
          for (i = 0; i < iterations; i++) {
             temp = MD5 (temp || randomValue);
             deltaValue[i*16 .. (i*16)+15] = temp XOR
                                          keyNew[i*16 .. (i*16)+15];
          }
          temp = MD5 (temp || randomValue);
          deltaValue[i*16 .. lenOfkeyNew-1] = temp XOR
                                       keyNew[i*16 .. lenOfkeyNew-1];

(2)  The management station initialises its knowledge of the current
     state of the agent using an authenticated get operation, retrying
     as necessary until a response is received:

          get (
              lastLock = usecAgentSecretSpinLock.0,
              lastNovel = usecAgentPublic.<user>
          )


(3)  The management station generates a unique novel value (which must
     be different from all previous values of lastNovel used with these
     new secret values).  It then concatenates the unpredictable and
     delta values and conveys them to the agent in a single varbindlist,
     together with the most recently retrieved value of the advisory
     lock and the most recently generated unique novel value, using an
     authenticated set operation with a previously unused value of
     request-id.

          set (
              usecAgentSecretSpinLock.0 = lastLock,
              usecAgentAuthChange.<user> = <randomValue || deltaValue>,
              usecAgentPublic.<user> = uniqueNovelValue
          )

     If a successful response with the correct request-id value is
     received, then goto step 4.

     If no response or an error response (with the correct request-id)
     is received, then the operation may or may not have been
     successful, due to duplication and/or loss of the request and/or
     the response(s).  So,

        - save the error-index and error-status values,
        - re-issue the get operation in step 2;
        - retry this get operation as necessary until a response is
          received,
        - if this response indicates that usecAgentPublic has the unique
          novel value assigned in the last set operation, goto step 4.

     Otherwise, the set operation failed, and the saved error values are
     inspected to determine the cause of the failure.

        - if no response was received or the error-index indicates a
          problem with usecAgentSecretSpinLock, goto step 2.
        - if the error-index indicates a problem with
          usecAgentAuthChange or usecAgentPublic, the secret cannot be
          changed to the new value.

(4)  Record the new secret values in stable storage.  The operation is
     now successfully completed.

[Retry counts to prevent endlessly looping in the presence of certain
failures were omitted from the above procedure in the interest of
brevity.]


Note that during the period of time after the request has been sent and
before the success of the operation is determined, the management
station must keep track of both the old and new secret values.  Since
the delay may be the result of a network failure, the management station
must be prepared to retain both values for an extended period of time,
including across reboots.

A user's secret privacy key is changed using the same procedure except
that usecAgentPrivChange is used instead of usecAgentAuthChange.
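Both halves of the key-change arithmetic, as an added example that is not code from the draft: make_delta is the manager-side computation of step (1) above, and apply_delta is the agent-side derivation specified by the KeyChange textual convention in section 6.  The fixed 16-octet random component follows usecMD5AuthProtocol; the sample keys and passwords are constructed.

```python
"""KeyChange arithmetic (added example, not code from the draft).
make_delta: manager side, section 5 step (1).
apply_delta: agent side, KeyChange textual convention in section 6.
Keys, passwords and the fixed random value are constructed."""
import hashlib
import os

MD5_KEY_LEN = 16   # usecMD5AuthProtocol: K is a fixed 16 octets


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_delta(key_old, key_new, random_value):
    """Manager side: deltaValue from which the agent can derive key_new."""
    iterations = (len(key_new) - 1) // 16      # integer division, as in the draft
    temp = key_old
    delta = bytearray()
    for i in range(iterations):
        temp = hashlib.md5(temp + random_value).digest()
        delta += _xor(temp, key_new[i * 16:(i + 1) * 16])
    temp = hashlib.md5(temp + random_value).digest()
    tail = key_new[iterations * 16:]           # final 1..16 octets of the key
    delta += _xor(temp[:len(tail)], tail)      # digest truncated to the tail
    return bytes(delta)


def apply_delta(key_old, random_value, delta):
    """Agent side: new K from the existing K and the received random || delta."""
    iterations = (len(delta) - 1) // 16
    temp = key_old
    key_new = bytearray()
    for i in range(iterations):
        temp = hashlib.md5(temp + random_value).digest()
        key_new += _xor(temp, delta[i * 16:(i + 1) * 16])
    temp = hashlib.md5(temp + random_value).digest()
    tail = delta[iterations * 16:]
    key_new += _xor(temp[:len(tail)], tail)
    return bytes(key_new)


def encode_key_change(random_value, delta):
    """Object value written to usecAgentUserAuthChange / usecAgentUserPrivChange."""
    return random_value + delta


def decode_key_change(value, key_len=MD5_KEY_LEN):
    """Agent's split of the object value: random component, then delta component."""
    if len(value) < key_len + 1:
        raise ValueError("KeyChange value too short")
    return value[:key_len], value[key_len:]


def round_trip(key_old, key_new):
    """Manager builds the object value with a fresh random; agent applies it.
    Returns the key the agent ends up with (should equal key_new)."""
    random_value = os.urandom(MD5_KEY_LEN)
    value = encode_key_change(random_value, make_delta(key_old, key_new, random_value))
    rnd, delta = decode_key_change(value)
    return apply_delta(key_old, rnd, delta)


# constructed sample secrets
KEY_OLD = hashlib.md5(b"old-password").digest()
KEY_NEW = hashlib.md5(b"new-password").digest()
RANDOM = bytes(range(16))
```

Because the object value carries only random || delta, a party that does not hold the current key cannot recover the new one from it; the last assertion in the test below checks that a wrong old key yields a different result.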


6.  Definitions

SNMPv2-USEC-AGENT-CONF-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, snmpModules
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION, TestAndIncr, RowStatus, AutonomousType
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF;


usecAgentConfMIB MODULE-IDENTITY
    LAST-UPDATED "9508040000Z"
    ORGANIZATION "IETF SNMPv2 Working Group"
    CONTACT-INFO ""
    DESCRIPTION
            "The MIB module for configuring SNMPv2 agents implementing
            the user-based security model."
    ::= { snmpModules xx }

usecAgentAdmin     OBJECT IDENTIFIER ::= { usecAgentConfMIB 1 }

usecAgentConfMIBObjects OBJECT IDENTIFIER ::= { usecAgentConfMIB 2 }


-- Textual Conventions

UserName ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
          "An octet string representing the name of a user for use in
          accordance with the SNMPv2 User-based Security Model."
    SYNTAX      OCTET STRING (SIZE(1..32))


ContextSelector ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
          "An SNMPv2 context."
    SYNTAX      OCTET STRING (SIZE (0..64))


MemoryType ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
          "Describes the memory realization of a conceptual row.  A row
          which is 'volatile' is lost upon reboot.  A row which is
          either 'nonVolatile', 'permanent' or 'readOnly', is backed up
          by stable storage.  A row which is 'permanent' can be changed
          but not deleted.  A row which is 'readOnly' cannot be changed
          nor deleted.

          If the value of an object with this syntax is either
          Conversely, if the value is either 'other', 'volatile' or

          The value 'nonVolatile' may not be written to an object with
          this syntax.  When this object is set to the row to
          'nonVolatile' at its earliest convenience.  If the memoryType
          of the row is 'nonVolatile', and the row is modified, the
          memoryType will be changed by the agent to

          All rows with a state of 'nonVolatileRequested' can be forced
          to the 'nonVolatile' state by setting a write-NVRAM object
          [defined elsewhere].

          Every usage of this textual convention is required to specify
          the columnar objects which a 'permanent' row must at a minimum
          allow to be writable."
    SYNTAX     INTEGER {
                   other(1),            -- eh?
                   volatile(2),             -- e.g., in RAM
                   nonVolatileRequested(3), -- waiting to move from RAM to NVRAM
                   nonVolatile(4),      -- e.g., in NVRAM
                   permanent(5),        -- e.g., partially in ROM
                   readOnly(6)          -- e.g., completely in ROM
               }


TDomain ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
          "Denotes a kind of transport service.

          Some possible values, such as snmpUDPDomain, are defined in
          'Transport Mappings for Version 2 of the Simple Network
          Management Protocol (SNMPv2)'."
    SYNTAX       OBJECT IDENTIFIER


TAddress ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
          "Denotes a transport service address.

          For snmpUDPDomain, a TAddress is 6 octets long, the initial 4
          octets containing the IP-address in network-byte order and the
          last 2 containing the UDP port in network-byte order.  Consult
          'Transport Mappings for Version 2 of the Simple Network
          Management Protocol (SNMPv2)' [5] for further information on
          snmpUDPDomain."
    SYNTAX       OCTET STRING (SIZE (1..255))


QoS ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
          "A level of security at which SNMPv2 messages can be sent; in
          particular, one of:
             - without authentication and privacy,
             - with authentication but not privacy,
             - with authentication and privacy."
    SYNTAX      INTEGER { noAuth(1), auth(2), priv(3) }


KeyChange ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
          "Every definition of an object with this syntax must identify
          a protocol, P, and a secret key, K.  The object's value is a
          manager-generated, partially-random value which, when
          modified, causes the value of the secret key, K, to be
          modified via a one-way function.

          The value of an instance of this object is the concatenation
          of two components: a 'random' component and a 'delta'
          component.  The lengths of the random and delta components are
          given by the corresponding value of the protocol, P; if P
          requires K to be a fixed length, the length of both the random
          and delta components is that fixed length; if P allows the
          length of K to be variable up to a particular maximum length,
          the length of the random component is that maximum length and
          the length of the delta component is any length less than or
          equal to that maximum length.  For example,
          usecMD5AuthProtocol requires K to be a fixed length of 16
          octets.  Other protocols may define other sizes, as deemed
          appropriate.

          When an instance of this object is modified to have a new
          value by the management protocol, the agent generates a new
          value of K as follows:

           - a temporary variable is initialized to the existing value
             of K;
           - if the length of the delta component is greater than 16
             bytes, then:
              - the random component is appended to the value of the
                temporary variable, and the result is input to the MD5
                hash algorithm to produce a digest value, and the
                temporary variable is set to this digest value;
              - the value of the temporary variable is XOR-ed with the
                first (next) 16-bytes of the delta component to produce
                the first (next) 16-bytes of the new value of K.
              - the above two steps are repeated until the unused
                portion of the delta component is 16 bytes or less,
           - the random component is appended to the value of the
             temporary variable, and the result is input to the MD5 hash
             algorithm to produce a digest value;
           - this digest value, truncated if necessary to be the same
             length as the unused portion of the delta component, is
             XOR-ed with the unused portion of the delta component to
             produce the (final portion of the) new value of K.

             i.e.,

                iterations = (lenOfDelta - 1) / 16; /* integer division */
                temp = keyold;
                for (i = 0; i < iterations; i++) {
                   temp = MD5 (temp || random);
                   keynew[i*16 .. (i*16)+15] =
                          temp XOR delta[i*16 .. (i*16)+15];
                }
                temp = MD5 (temp || random);
                keynew[i*16 .. lenOfDelta-1] =
                       temp XOR delta[i*16 .. lenOfDelta-1];

          The value of an object with this syntax, whenever it is
          retrieved by the management protocol, is always the zero-
          length string."
    SYNTAX      OCTET STRING


-- administrative assignments


-- Authentication Protocols
usecAuthProtocols    OBJECT IDENTIFIER ::= { usecAgentAdmin 1 }

-- no Authentication Protocol
usecNoAuthProtocol   OBJECT IDENTIFIER ::= { usecAuthProtocols 1 }

-- the Digest Authentication Protocol
usecMD5AuthProtocol  OBJECT IDENTIFIER ::= { usecAuthProtocols 2 }


-- Privacy Protocols
usecPrivProtocols    OBJECT IDENTIFIER ::= { usecAgentAdmin 2 }

-- no Privacy Protocol
usecNoPrivProtocol   OBJECT IDENTIFIER ::= { usecPrivProtocols 1 }

-- the Symmetric Encryption Protocol
usecDESPrivProtocol  OBJECT IDENTIFIER ::= { usecPrivProtocols 2 }


-- Time Domains
usecTimeDomains      OBJECT IDENTIFIER ::= { usecAgentAdmin 3 }

-- the Current Time Domain
usecCurrentTime      OBJECT IDENTIFIER ::= { usecTimeDomains 1 }

-- the Restart Time Domain
usecRestartTime      OBJECT IDENTIFIER ::= { usecTimeDomains 2 }


-- Information about users

usecAgentUser OBJECT IDENTIFIER ::= { usecAgentConfMIBObjects 1 }

usecAgentUserTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF UsecAgentUserEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "The table of users configured in the SNMPv2 agent's local
            configuration datastore (LCD)."
    ::= { usecAgentUser 1 }

usecAgentUserEntry OBJECT-TYPE
    SYNTAX      UsecAgentUserEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "A user configured in the SNMPv2 agent's local configuration
            datastore (LCD) for the User-based Security Model."
    INDEX { IMPLIED usecAgentUserName }
    ::= { usecAgentUserTable 1 }

UsecAgentUserEntry ::= SEQUENCE {
    usecAgentUserName           UserName,
    usecAgentUserAuthProtocol   OBJECT IDENTIFIER,
    usecAgentUserAuthChange     KeyChange,
    usecAgentUserPrivProtocol   OBJECT IDENTIFIER,
    usecAgentUserPrivChange     KeyChange,
    usecAgentUserPublic         OCTET STRING,
    usecAgentUserCloneFrom      UserName,
    usecAgentUserMemoryType     MemoryType,
    usecAgentUserStatus         RowStatus
}


usecAgentUserName OBJECT-TYPE
    SYNTAX      UserName
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "An octet string representing the name of the user."
    ::= { usecAgentUserEntry 1 }

usecAgentUserAuthProtocol OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "An indication of whether messages sent on behalf of this
            user can be authenticated, and if so, the type of
            authentication protocol which is used.

            An instance of this object is created concurrently with the
            creation of any other object instance for the same user
            (i.e., as part of the processing of the set operation which
            creates the first object instance in the same conceptual
            row).  Once created, the value of an instance of this object
            can not be changed."
    DEFVAL      { usecMD5AuthProtocol }
    ::= { usecAgentUserEntry 2 }

usecAgentUserAuthChange OBJECT-TYPE
    SYNTAX      KeyChange   -- typically (SIZE (0..16))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "An object, which when modified, causes the user's secret
            authentication key to be modified via a one-way function.

            The associated protocol is given by the value of
            usecAgentUserAuthProtocol.  The associated secret key is the
            user's secret authentication key.

            When creating a new user, it is an 'inconsistentName' error
            for a set operation to refer to this object unless it is
            previously or concurrently initialized through a set
            operation on the corresponding value of
            usecAgentUserCloneFrom."
    DEFVAL { ''H }        -- the empty string
    ::= { usecAgentUserEntry 3 }


usecAgentUserPrivProtocol OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "An indication of whether messages sent on behalf of this
            user can be protected from disclosure, and if so, the type
            of privacy protocol which is used.

            An instance of this object is created concurrently with the
            creation of any other object instance for the same user
            (i.e., as part of the processing of the set operation which
            creates the first object instance in the same conceptual
            row).  Once created, the value of an instance of this object
            can not be changed."
    DEFVAL      { usecNoPrivProtocol }
    ::= { usecAgentUserEntry 4 }

usecAgentUserPrivChange OBJECT-TYPE
    SYNTAX      KeyChange  -- typically (SIZE (0..16))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "An object, which when modified, causes the user's secret
            privacy key to be modified via a one-way function.

            The associated protocol is given by the value of
            usecAgentUserPrivProtocol.  The associated secret key is the
            user's secret privacy key.

            When creating a new user, it is an 'inconsistentName' error
            for a set operation to refer to this object unless it is
            previously or concurrently initialized through a set
            operation on the corresponding value of
            usecAgentUserCloneFrom."
    DEFVAL { ''H }        -- the empty string
    ::= { usecAgentUserEntry 5 }


usecAgentUserPublic OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "A publicly readable value which is written as part of the
            procedure for changing a user's secret key(s), and later
            read to determine whether the change of the secrets was
            effected."
    DEFVAL { '00'H }        -- a single zero octet; the SIZE clause
                            -- does not permit the empty string
    ::= { usecAgentUserEntry 6 }

usecAgentUserCloneFrom OBJECT-TYPE
    SYNTAX      UserName
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The identity of an active user from which authentication
            and privacy parameters are cloned for this user.  When read,
            the zero length string is returned.  When written, the first
            write upon/after creation of an instance of this object
            invokes the cloning process. Subsequent writes are
            successful but invoke no action to be taken by the agent.

            If instances of the following objects have not already
            (e.g., in a previous set operation) been explicitly created
            for the new user, then cloning causes them to be initialized
            with values identical to those of the corresponding objects
            for the cloning user:

                 usecAgentUserAuthProtocol
                 usecAgentUserPrivProtocol

            Cloning also causes the initial values of the secret
            authentication and privacy keys of the new user to be set to
            the same values as the corresponding secrets of the cloning
            user."
    ::= { usecAgentUserEntry 7 }

usecAgentUserMemoryType OBJECT-TYPE
    SYNTAX      MemoryType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The memory type for this conceptual row.

            Conceptual rows having the value 'permanent' must allow
            write-access at a minimum to usecAgentUserAuthChange and
            usecAgentUserPublic for a user which employs authentication,
            and to usecAgentUserPrivChange for a user which employs
            privacy.

            Note that any user which employs authentication or privacy
            must allow its secret(s) to be updated and thus cannot be
            'readOnly'."
    ::= { usecAgentUserEntry 8 }

usecAgentUserStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The status of this conceptual row.  Until instances of all
            corresponding columns are appropriately configured, the
            value of the corresponding instance of the
            usecAgentUserStatus column is 'notReady'.  In particular, if
            the user has a usecAgentUserAuthProtocol other than
            usecNoAuthProtocol, then a value must have been written to
            the usecAgentUserCloneFrom.

            For those columnar objects which permit write-access, their
            value in an existing conceptual row can be changed
            irrespective of the value of usecAgentUserStatus for that
            row."
    ::= { usecAgentUserEntry 9 }

usecAgentSecretSpinLock  OBJECT-TYPE
    SYNTAX      TestAndIncr
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "An advisory lock used to allow several cooperating SNMPv2
            entities, all acting in a manager role, to coordinate their
            use of facilities to alter secrets in the
            usecAgentUserTable."
    ::= { usecAgentUser 2 }

-- Information about all SNMPv2 contexts for which the local
-- SNMPv2 agent receives requests.

usecAgentContext OBJECT IDENTIFIER ::= { usecAgentConfMIBObjects 2 }

usecAgentContextTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF UsecAgentContextEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "All SNMPv2 contexts for which the local SNMPv2 agent
            receives requests, which are configured in the local
            configuration datastore.  In particular, all local SNMPv2
            contexts are included in this table.  In addition, a proxy
            SNMPv2 agent implementing this MIB will also include
            its configured proxy SNMPv2 contexts in this table."
    ::= { usecAgentContext 1 }

usecAgentContextEntry OBJECT-TYPE
    SYNTAX      UsecAgentContextEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "An SNMPv2 context configured in the local configuration
            datastore."
    INDEX { usecAgentContextSelector }
    ::= { usecAgentContextTable 1 }

UsecAgentContextEntry ::= SEQUENCE {
    usecAgentContextSelector    ContextSelector,
    usecAgentContextType        INTEGER,
    usecAgentContextLocalTime   AutonomousType
}

usecAgentContextSelector OBJECT-TYPE
    SYNTAX      ContextSelector
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "The context selector by which the SNMPv2 context
            represented by this conceptual row is locally known."
    ::= { usecAgentContextEntry 1 }

usecAgentContextType OBJECT-TYPE
    SYNTAX      INTEGER { local(1), proxy(2) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The type of SNMPv2 context."
    ::= { usecAgentContextEntry 2 }

usecAgentContextLocalTime OBJECT-TYPE
    SYNTAX      AutonomousType
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The temporal domain of this context."
    ::= { usecAgentContextEntry 3 }

-- Information about Access Rights

usecAgentAccess OBJECT IDENTIFIER ::= { usecAgentConfMIBObjects 3 }

usecAgentAccessTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF UsecAgentAccessEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "The table of users' access rights configured in the local
            configuration datastore (LCD)."
    ::= { usecAgentAccess 1 }

usecAgentAccessEntry OBJECT-TYPE
    SYNTAX      UsecAgentAccessEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "An access right configured in the local configuration
            datastore (LCD).

            The value of the usecAgentUserName component of this index
            represents the userName of the user to whom the access
            rights apply."
    INDEX { usecAgentAccessContextSelector, usecAgentUserName,
            usecAgentAccessQoS }
    ::= { usecAgentAccessTable 1 }

UsecAgentAccessEntry ::= SEQUENCE {
    usecAgentAccessContextSelector  ContextSelector,
    usecAgentAccessQoS              QoS,
    usecAgentAccessPrivileges       INTEGER,
    usecAgentAccessReadViewIndex    INTEGER,
    usecAgentAccessWriteViewIndex   INTEGER,
    usecAgentAccessMemoryType       MemoryType,
    usecAgentAccessStatus           RowStatus
}

usecAgentAccessContextSelector OBJECT-TYPE
    SYNTAX      ContextSelector
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "The context selector for which this conceptual row grants
            access rights."
    ::= { usecAgentAccessEntry 1 }

usecAgentAccessQoS OBJECT-TYPE
    SYNTAX      QoS
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "The minimum level of security required of messages sent on
            behalf of the user in order to gain the access rights
            allowed by this conceptual row."
    ::= { usecAgentAccessEntry 2 }

usecAgentAccessPrivileges OBJECT-TYPE
    SYNTAX      INTEGER (0..255)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The access privileges authorized by this conceptual row.

            Access privileges specify whether received retrieval and
            modification requests are permitted to be processed, and
            whether notifications are permitted to be transmitted.

            The privileges are specified as a sum of values, where each
            value specifies the SNMPv2 PDU type of a permitted
            operation.  The value for a particular PDU type is computed
            as 2 raised to the value of the ASN.1 context-specific tag
            for the appropriate SNMPv2 PDU type:

             Get         :   1
             GetNext     :   2
             (unused     :   4)
             Set         :   8
             (unused     :  16)
             GetBulk     :  32
             Inform      :  64
             SNMPv2-Trap : 128

            The null set is represented by the value zero."
    DEFVAL      { 35 }      -- Get, Get-Next & Get-Bulk
    ::= { usecAgentAccessEntry 3 }
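An added example, not part of the draft, of how an agent would build and check a usecAgentAccessPrivileges value. Each permitted PDU type contributes 2 raised to its ASN.1 context-specific tag; the two unused values (4 and 16) correspond to tags 2 and 4, the Response PDU and the SNMPv1 Trap PDU, neither of which is ever received as a request. The function and constant names are this example's own.

```python
# Added example (not from the draft): usecAgentAccessPrivileges as a sum
# of 2 ** tag over permitted SNMPv2 PDU types.  Tags 2 (Response) and 4
# (SNMPv1 Trap) never appear as requests, hence the unused values 4 and 16.

PDU_TAGS = {
    "Get": 0,
    "GetNext": 1,
    "Set": 3,
    "GetBulk": 5,
    "Inform": 6,
    "SNMPv2-Trap": 7,
}
UNUSED_BITS = (1 << 2) | (1 << 4)            # the values 4 and 16


def privileges_value(pdu_types):
    """Sum of 2**tag over the permitted PDU types (the object's value)."""
    value = 0
    for name in pdu_types:
        value |= 1 << PDU_TAGS[name]
    return value


def valid_privileges(value):
    """True if value fits INTEGER (0..255) and sets no unused bit."""
    return 0 <= value <= 255 and not (value & UNUSED_BITS)


def permitted_pdu_types(value):
    """Decode a value back into the sorted list of permitted PDU types."""
    if not valid_privileges(value):
        raise ValueError("bad usecAgentAccessPrivileges value %r" % value)
    return sorted(name for name, tag in PDU_TAGS.items() if value & (1 << tag))


def operation_permitted(value, pdu_type):
    """The access check for one incoming request, or for one
    notification the agent is about to transmit."""
    return valid_privileges(value) and bool(value & (1 << PDU_TAGS[pdu_type]))


# The DEFVAL of the object: Get, GetNext and GetBulk.
DEFAULT_PRIVILEGES = privileges_value(["Get", "GetNext", "GetBulk"])   # 35

if __name__ == "__main__":
    print(DEFAULT_PRIVILEGES, permitted_pdu_types(DEFAULT_PRIVILEGES))
    print("Set allowed by default?", operation_permitted(DEFAULT_PRIVILEGES, "Set"))
```

A row that should also allow modification is 35 + 8 = 43; a value with bit 4 or 16 set is rejected outright rather than silently ignored, so a misconfigured row cannot be read as granting more than it says.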

usecAgentAccessReadViewIndex OBJECT-TYPE
    SYNTAX      INTEGER (0..2147483647)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The value of an instance of this object identifies the MIB
            view of the SNMPv2 context to which this conceptual row
            authorizes read access.  The identified MIB view is that for
            which viewIndex has the same value as the instance of this
            object; if the value is zero or there are no active view
            subtrees for that value, then the identified MIB view is the
            empty set of view subtrees.  (Note that read access includes
            access via retrieval requests as well as transmission of
            information via notification requests.)

            If the row's usecAgentAccessPrivileges permit no retrieval
            operation and no notification, this object is ignored and
            can take any value at the agent's discretion, e.g., zero."
    DEFVAL      { 0 }
    ::= { usecAgentAccessEntry 4 }

usecAgentAccessWriteViewIndex OBJECT-TYPE
    SYNTAX      INTEGER (0..2147483647)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The value of an instance of this object identifies the MIB
            view of the SNMPv2 context to which this conceptual row
            authorizes write access.  The identified MIB view is that
            for which viewIndex has the same value as the instance of
            this object; if the value is zero or there are no active
            view subtrees for that value, then the identified MIB view
            is the empty set of view subtrees.

            If the row's usecAgentAccessPrivileges permit no Set
            operation, this object is ignored and can take any value at
            the agent's discretion, e.g., zero."
    DEFVAL      { 0 }
    ::= { usecAgentAccessEntry 5 }

usecAgentAccessMemoryType OBJECT-TYPE
    SYNTAX      MemoryType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The memory type for this conceptual row.  Conceptual rows
            having the value 'permanent' need not allow write-access to
            any columnar objects in the row."
    DEFVAL      { nonVolatileRequested }
    ::= { usecAgentAccessEntry 6 }

usecAgentAccessStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The status of this conceptual row.

            For those columnar objects which permit write-access, their
            value in an existing conceptual row can be changed
            irrespective of the value of usecAgentAccessStatus for that
            row.

            A conceptual row in this table is not qualified for
            activation until the context and the user it references are
            active.  Further, a conceptual row in this table is
            immediately made notInService whenever the status of the
            context or the user it references is made notInService.
            Finally, a conceptual row in this table is immediately
            destroyed whenever the context or the user it references is
            destroyed."
    ::= { usecAgentAccessEntry 7 }

-- MIB views

-- Note that support for views having instance-level granularity
-- is optional

usecAgentViews OBJECT IDENTIFIER ::= { usecAgentConfMIBObjects 4 }

usecAgentViewNextIndex OBJECT-TYPE
    SYNTAX      INTEGER (0..2147483647)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "A currently unassigned value of usecAgentViewIndex.  The
            value 0 indicates that no unassigned values are available.

            In order to cause a non-zero value of this object to be
            assigned for use as the usecAgentViewIndex of a future MIB
            view, it must be successfully modified by a set operation.
            When modified by a set operation, the new value supplied
            must precisely match the value presently held by the object.
            If not, the management protocol set operation fails with an
            error of `inconsistentValue'.

            Immediately after the completion of a successful set
            operation, the agent must modify the value of this object.
            The algorithm for modifying the value is implementation-
            dependent, and may use a subset of values within
            1..2147483647.  However, the agent must guarantee that the
            new value is not assigned to any in-use value of
            usecAgentViewIndex, e.g., is not pointed to by any other MIB
            object.

            A management station creates a new MIB view using this
            algorithm:

               - issue a management protocol retrieval operation to
                 obtain the value of usecAgentViewNextIndex; if the
                 retrieved value is zero, a new MIB view cannot be
                 created at this time;

               - issue a management protocol set operation for
                 usecAgentViewNextIndex, supplying the same value as
                 obtained in the previous step;

               - if the set operation succeeds, use the supplied value
                 as the usecAgentViewIndex of the new MIB view;

               - issue a management protocol set operation to create an
                 instance of the usecAgentViewStatus object setting its
                 value to `createAndGo' or `createAndWait' (as specified
                 in the description of the RowStatus textual
                 convention)."
    ::= { usecAgentViews 1 }
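An added example, not part of the draft, modelling the two coordination objects on this page from the agent's side: usecAgentSecretSpinLock, whose TestAndIncr semantics make a set succeed only when it echoes the current value, and usecAgentViewNextIndex, together with the manager-side allocation steps just listed. The class and function names are this example's own, and the policy of handing out the smallest value not in use is one of the implementation-dependent choices the draft leaves open.

```python
# Added example (not from the draft): agent-side models of
# usecAgentSecretSpinLock (TestAndIncr) and usecAgentViewNextIndex, and
# the manager-side allocation handshake.  Allocation policy (smallest
# value not in use) is an assumption; the draft leaves it to the agent.

NO_ERROR = "noError"
INCONSISTENT_VALUE = "inconsistentValue"
MAX_INT32 = 2147483647


class TestAndIncr:
    """A set succeeds only when the supplied value equals the current
    one; the agent then increments, wrapping to 0 after 2^31-1."""

    def __init__(self, value=0):
        self.value = value

    def get(self):
        return self.value

    def set(self, value):
        if value != self.value:
            return INCONSISTENT_VALUE
        self.value = 0 if self.value == MAX_INT32 else self.value + 1
        return NO_ERROR


class ViewNextIndex:
    """usecAgentViewNextIndex: a readable hint that a set must echo back;
    a successful set reserves that value and moves the hint to one not
    assigned to any existing usecAgentViewIndex (0 when none is left)."""

    def __init__(self):
        self.assigned = set()          # view indices in use or handed out
        self.value = self._unassigned()

    def _unassigned(self):
        candidate = 1
        while candidate in self.assigned:
            candidate += 1
            if candidate > MAX_INT32:
                return 0               # nothing left to hand out
        return candidate

    def get(self):
        return self.value

    def set(self, value):
        if value != self.value:
            return INCONSISTENT_VALUE  # another manager got here first
        self.assigned.add(value)       # reserved for the manager that won
        self.value = self._unassigned()
        return NO_ERROR

    def release(self, index):
        """Call when the last row with this usecAgentViewIndex is destroyed."""
        self.assigned.discard(index)


def allocate_view_index(agent):
    """Manager side: retrieve, set the same value back, use it on success.
    Returns None if no value is available or the race was lost."""
    value = agent.get()
    if value == 0:
        return None
    if agent.set(value) != NO_ERROR:
        return None
    return value


def allocate_with_retry(agent, attempts=3):
    """Re-read and retry after a lost race, as a manager would."""
    for _ in range(attempts):
        value = allocate_view_index(agent)
        if value is not None:
            return value
    return None


if __name__ == "__main__":
    agent = ViewNextIndex()
    seen_by_a = agent.get()
    seen_by_b = agent.get()            # both managers read 1
    print("A:", agent.set(seen_by_a))  # noError
    print("B:", agent.set(seen_by_b))  # inconsistentValue, B must re-read
    print("B retry:", allocate_with_retry(agent))
```

The point of the echo-back rule is that two managers reading the same hint cannot both create rows under one usecAgentViewIndex: the second set fails with inconsistentValue and the loser re-reads. The spin lock follows the same read-then-set-same-value pattern, which is why it guards the secret-change procedure rather than the data itself.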

usecAgentViewTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF UsecAgentViewEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Locally held information about subtrees of MIB views.  Note
            that a MIB view which has no subtrees defined for it has no
            entries in this table.

            Each MIB view is defined by two collections of view
            subtrees: the included view subtrees, and the excluded view
            subtrees.  Every such subtree, both included and excluded,
            is defined in this table.

            To determine if a particular object instance is in a
            particular MIB view, compare the object instance's OBJECT
            IDENTIFIER with each of the MIB view's active entries in
            this table.  If none match, then the object instance is not
            in the MIB view.  If one or more match, then the object
            instance is included in, or excluded from, the MIB view
            according to the value of usecAgentViewType in the entry
            whose value of usecAgentViewSubtree has the most sub-
            identifiers.  If multiple entries match and have the same
            number of sub-identifiers, then the lexicographically
            greatest instance of usecAgentViewType determines the
            inclusion or exclusion.

            An object instance's OBJECT IDENTIFIER X matches an active
            entry in this table when the number of sub-identifiers in X
            is at least as many as in the value of usecAgentViewSubtree
            for the entry, and each sub-identifier in the value of
            usecAgentViewSubtree matches its corresponding sub-
            identifier in X.  Two sub-identifiers match either if the
            corresponding bit of usecAgentViewMask is zero (the 'wild
            card' value), or if they are equal.

            Due to this 'wild card' capability, we introduce the term, a
            'family' of view subtrees, to refer to the set of subtrees
            defined by a particular combination of values of
            usecAgentViewSubtree and usecAgentViewMask.  In the case
            where no 'wild card' is defined in usecAgentViewMask, the
            family of view subtrees reduces to a single view subtree."
    ::= { usecAgentViews 2 }

usecAgentViewEntry OBJECT-TYPE
    SYNTAX      UsecAgentViewEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Information on a particular family of view subtrees
            included in or excluded from a particular SNMPv2 context's
            MIB view.

            Implementations must not restrict the number of families of
            view subtrees for a given MIB view, except as dictated by
            resource constraints on the overall number of entries in the
            usecAgentViewTable."
    INDEX      { usecAgentViewIndex, IMPLIED usecAgentViewSubtree }
    ::= { usecAgentViewTable 1 }

UsecAgentViewEntry ::=
    SEQUENCE {
        usecAgentViewIndex        INTEGER,
        usecAgentViewSubtree      OBJECT IDENTIFIER,
        usecAgentViewMask         OCTET STRING,
        usecAgentViewType         INTEGER,
        usecAgentViewMemoryType   MemoryType,
        usecAgentViewStatus       RowStatus
    }

usecAgentViewIndex OBJECT-TYPE
    SYNTAX      INTEGER (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "An arbitrary unique value for each MIB view.  The value for
            each MIB view must remain constant at least from one re-
            initialization of the entity's network management system to
            the next re-initialization.

            The specific value is meaningful only within a given SNMPv2
            entity, i.e., it is not meaningful to any other SNMPv2
            entity except to uniquely identify the view within the set
            of all views known to this agent."
    ::= { usecAgentViewEntry 1 }

usecAgentViewSubtree OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "A MIB subtree."
    ::= { usecAgentViewEntry 2 }

usecAgentViewMask OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..16))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The bit mask which, in combination with the corresponding
            instance of usecAgentViewSubtree, defines a family of view
            subtrees.

            Each bit of this bit mask corresponds to a sub-identifier of
            usecAgentViewSubtree, with the most significant bit of the
            i-th octet of this octet string value (extended if
            necessary, see below) corresponding to the (8*i - 7)-th
            sub-identifier, and the least significant bit of the i-th
            octet of this octet string corresponding to the (8*i)-th
            sub-identifier, where i is in the range 1 through 16.

            Each bit of this bit mask specifies whether or not the
            corresponding sub-identifiers must match when determining if
            an OBJECT IDENTIFIER is in this family of view subtrees; a
            '1' indicates that an exact match must occur; a '0'
            indicates 'wild card', i.e., any sub-identifier value
            matches.

            Thus, the OBJECT IDENTIFIER X of an object instance is
            contained in a family of view subtrees if the following
            criteria are met:

                 for each sub-identifier of the value of
                 usecAgentViewSubtree, either:

                      the i-th bit of usecAgentViewMask is 0, or

                      the i-th sub-identifier of X is equal to the i-th
                      sub-identifier of the value of
                      usecAgentViewSubtree.

            If the value of this bit mask is M bits long and there are
            more than M sub-identifiers in the corresponding instance of
            usecAgentViewSubtree, then the bit mask is extended with 1's
            to be the required length.

            Note that when the value of this object is the zero-length
            string, this extension rule results in a mask of all-1's
            being used (i.e., no 'wild card'), and the family of view
            subtrees is the one view subtree uniquely identified by the
            corresponding instance of usecAgentViewSubtree."
    DEFVAL      { ''H }
    ::= { usecAgentViewEntry 3 }
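An added example, not part of the draft, implementing the membership test from the usecAgentViewTable description (longest matching subtree wins, ties go to the lexicographically greatest entry) together with the usecAgentViewMask wildcard and extension rules above. The rows and the OIDs (MIB-II's system and interfaces groups) are constructed for the example; the function names are its own. One detail the page does not state is what to do with mask bits beyond the subtree's length; the code ignores them.

```python
# Added example (not from the draft): evaluating MIB-view membership
# with the usecAgentViewTable selection rule and the usecAgentViewMask
# wildcard/extension rules.  Rows are constructed inline.

from typing import List, Sequence, Tuple

INCLUDED, EXCLUDED = 1, 2          # usecAgentViewType

Oid = Tuple[int, ...]
# (usecAgentViewIndex, usecAgentViewSubtree, usecAgentViewMask,
#  usecAgentViewType, row is active)
ViewRow = Tuple[int, Oid, bytes, int, bool]


def mask_bits(mask: bytes, n_subids: int) -> List[int]:
    """One bit per sub-identifier of the subtree, most significant bit of
    octet i first.  1 demands an exact match, 0 is a wild card.  A mask
    shorter than the subtree is extended with 1's, so the empty mask
    means 'no wild cards'.  Extra bits past the subtree are ignored
    (assumption; the draft does not say)."""
    bits = [(octet >> shift) & 1 for octet in mask for shift in range(7, -1, -1)]
    bits = bits[:n_subids]
    return bits + [1] * (n_subids - len(bits))


def family_matches(oid: Oid, subtree: Oid, mask: bytes) -> bool:
    """X matches a family of view subtrees when it has at least as many
    sub-identifiers as the subtree and every non-wildcard position agrees."""
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask, len(subtree))
    return all(bit == 0 or x == s for bit, x, s in zip(bits, oid, subtree))


def in_view(oid: Oid, view_index: int, rows: Sequence[ViewRow]) -> bool:
    """Selection rule: among active matching entries of this view, the
    one with the most sub-identifiers decides; on equal length, the
    entry whose (IMPLIED) subtree index sorts greatest decides."""
    best_key = None
    best_type = EXCLUDED
    for idx, subtree, mask, vtype, active in rows:
        if idx != view_index or not active:
            continue
        if not family_matches(oid, subtree, mask):
            continue
        key = (len(subtree), subtree)
        if best_key is None or key > best_key:
            best_key, best_type = key, vtype
    return best_key is not None and best_type == INCLUDED


# Constructed table: view 1 is mib-2 minus every column of ifEntry row 3
# (the single 0 bit wildcards the column sub-identifier, position 10);
# view 2 is the enterprises subtree.
IF_ENTRY_ROW3 = (1, 3, 6, 1, 2, 1, 2, 2, 1, 1, 3)
VIEW_ROWS: List[ViewRow] = [
    (1, (1, 3, 6, 1, 2, 1), b"", INCLUDED, True),
    (1, IF_ENTRY_ROW3, bytes([0xFF, 0xA0]), EXCLUDED, True),   # 1111 1111 101
    (2, (1, 3, 6, 1, 4, 1), b"", INCLUDED, True),
]

if __name__ == "__main__":
    for name, oid in [("sysDescr.0", (1, 3, 6, 1, 2, 1, 1, 1, 0)),
                      ("ifDescr.1", (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 1)),
                      ("ifInOctets.3", (1, 3, 6, 1, 2, 1, 2, 2, 1, 10, 3))]:
        print(name, "in view 1:", in_view(oid, 1, VIEW_ROWS))
```

The exclusion row shows why the mask matters for least privilege: without the wild card, hiding one interface's row would take one excluded entry per column of ifEntry, and a column added later would leak.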

usecAgentViewType OBJECT-TYPE
    SYNTAX      INTEGER  { included(1), excluded(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The indication of whether the corresponding instances of
            usecAgentViewSubtree and usecAgentViewMask define a family
            of view subtrees which is included or excluded in the MIB
            view."
    DEFVAL      { included }
    ::= { usecAgentViewEntry 4 }

usecAgentViewMemoryType OBJECT-TYPE
    SYNTAX      MemoryType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The memory type for this conceptual row.  Conceptual rows
            having the value 'permanent' need not allow write-access to
            any columnar objects in the row."
    DEFVAL      { nonVolatile }
    ::= { usecAgentViewEntry 5 }

usecAgentViewStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The status of this conceptual row.

            For those columnar objects which permit write-access, their
            value in an existing conceptual row can be changed
            irrespective of the value of usecAgentViewStatus for that
            row."
    ::= { usecAgentViewEntry 6 }

-- transport addresses authorized for notifications

usecAgentNotification
    OBJECT IDENTIFIER ::= { usecAgentConfMIBObjects 5 }

usecAgentNotifyAddressTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF UsecAgentNotifyAddressEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "The transport addresses to which notifications are
            authorized to be sent on behalf of specific users."
    ::= { usecAgentNotification 1 }

usecAgentNotifyAddressEntry OBJECT-TYPE
    SYNTAX      UsecAgentNotifyAddressEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "A transport address to which notifications are authorized
            to be sent on behalf of a user, where the user is given by
            the value of the usecAgentUserName component of this index."
    INDEX { usecAgentUserName, usecAgentNotifyTDomain,
            IMPLIED usecAgentNotifyTAddress }
    ::= { usecAgentNotifyAddressTable 1 }

UsecAgentNotifyAddressEntry ::= SEQUENCE {
    usecAgentNotifyTDomain          TDomain,
    usecAgentNotifyTAddress         TAddress,
    usecAgentNotifyAddressStatus    RowStatus
}

usecAgentNotifyTDomain OBJECT-TYPE
    SYNTAX      TDomain
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Indicates the kind of transport service for this transport
            address."
    ::= { usecAgentNotifyAddressEntry 1 }

usecAgentNotifyTAddress OBJECT-TYPE
    SYNTAX      TAddress
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "The transport service address.

            For snmpUDPDomain, usecAgentNotifyTAddress is formatted as a
            4-octet IP Address concatenated with a 2-octet UDP port
            number."
    ::= { usecAgentNotifyAddressEntry 2 }
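An added example, not part of the draft, that encodes a snmpUDPDomain TAddress in the format given above (4-octet IP address followed by a 2-octet port) and builds the instance sub-identifiers of a usecAgentNotifyAddressEntry row from its INDEX clause. The index encoding rules (a length prefix for a variable-length string index, a sub-identifier count for an OBJECT IDENTIFIER index, and no prefix for the IMPLIED last component) are SMIv2's rather than this page's, and UserName is assumed to be a variable-length OCTET STRING. The OID of snmpUDPDomain is from the SNMPv2 transport mappings; the function names are this example's own.

```python
# Added example (not from the draft): snmpUDPDomain TAddress encoding
# and the instance-identifier suffix for a usecAgentNotifyAddressEntry
# row.  Index encoding follows SMIv2; UserName assumed variable-length.

import struct
from typing import Tuple

Oid = Tuple[int, ...]
SNMP_UDP_DOMAIN: Oid = (1, 3, 6, 1, 6, 1, 1)     # snmpUDPDomain


def udp_taddress(ip: str, port: int) -> bytes:
    """4-octet IPv4 address followed by the port as a 2-octet big-endian integer."""
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or not all(0 <= p <= 255 for p in parts):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return bytes(parts) + struct.pack("!H", port)


def parse_udp_taddress(taddr: bytes) -> Tuple[str, int]:
    if len(taddr) != 6:
        raise ValueError("snmpUDPDomain TAddress must be exactly 6 octets")
    return ".".join(str(b) for b in taddr[:4]), struct.unpack("!H", taddr[4:])[0]


def notify_row_index(user_name: bytes, tdomain: Oid, taddress: bytes) -> Oid:
    """Instance sub-identifiers for INDEX { usecAgentUserName,
    usecAgentNotifyTDomain, IMPLIED usecAgentNotifyTAddress }."""
    if not taddress:
        raise ValueError("an IMPLIED string index must not be empty")
    subids = [len(user_name), *user_name]      # variable-length string: length first
    subids += [len(tdomain), *tdomain]         # OID: sub-identifier count first
    subids += list(taddress)                   # IMPLIED: bare octets, no length
    return tuple(subids)


def parse_notify_row_index(subids: Oid) -> Tuple[bytes, Oid, bytes]:
    """Inverse of notify_row_index; the IMPLIED component runs to the end."""
    pos = 0
    n = subids[pos]
    pos += 1
    user_name = bytes(subids[pos:pos + n])
    pos += n
    n = subids[pos]
    pos += 1
    tdomain = tuple(subids[pos:pos + n])
    pos += n
    taddress = bytes(subids[pos:])
    if not taddress:
        raise ValueError("missing IMPLIED TAddress component")
    return user_name, tdomain, taddress


if __name__ == "__main__":
    idx = notify_row_index(b"ops", SNMP_UDP_DOMAIN, udp_taddress("192.0.2.10", 162))
    print(".".join(str(s) for s in idx))
```

The full instance identifier of a row's usecAgentNotifyAddressStatus is that column's OID followed by these sub-identifiers; a manager creating an authorization for a new trap receiver sets exactly that instance to createAndGo.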

usecAgentNotifyAddressStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The status of this conceptual row."
    ::= { usecAgentNotifyAddressEntry 3 }

-- conformance information

usecAgentMIBConformance
               OBJECT IDENTIFIER ::= { usecAgentConfMIB 3 }
usecAgentMIBCompliances
               OBJECT IDENTIFIER ::= { usecAgentMIBConformance 1 }
usecAgentMIBGroups
               OBJECT IDENTIFIER ::= { usecAgentMIBConformance 2 }


-- compliance statements

usecAgentMIBCompliance MODULE-COMPLIANCE
    STATUS  current
    DESCRIPTION
            "The compliance statement for SNMPv2 entities which
            implement the SNMPv2 USEC MIB."

    MODULE  -- this module
        MANDATORY-GROUPS { usecAgentBasicGroup }

        OBJECT           usecAgentUserAuthProtocol
        MIN-ACCESS       read-only
        DESCRIPTION      "Write access is not required."

        OBJECT           usecAgentUserPrivProtocol
        MIN-ACCESS       read-only
        DESCRIPTION      "Write access is not required."

        OBJECT           usecAgentUserPrivChange
        MIN-ACCESS       read-only
        DESCRIPTION      "Write access is not required."

        OBJECT           usecAgentViewNextIndex
        MIN-ACCESS       read-only
        DESCRIPTION      "Write access is not required."

        OBJECT           usecAgentViewStatus
        MIN-ACCESS       read-only
        DESCRIPTION
            "Create access to the usecAgentViewTable is not required."

    ::= { usecAgentMIBCompliances 1 }

-- units of conformance

usecAgentBasicGroup OBJECT-GROUP
    OBJECTS { usecAgentUserAuthProtocol, usecAgentUserAuthChange,
              usecAgentUserPrivProtocol, usecAgentUserPrivChange,
              usecAgentUserPublic, usecAgentUserCloneFrom,
              usecAgentUserMemoryType, usecAgentUserStatus,
              usecAgentSecretSpinLock,
              usecAgentContextType, usecAgentContextLocalTime,
              usecAgentAccessPrivileges, usecAgentAccessReadViewIndex,
              usecAgentAccessWriteViewIndex, usecAgentAccessMemoryType,
              usecAgentAccessStatus,
              usecAgentViewNextIndex, usecAgentViewMask, usecAgentViewType,
              usecAgentViewMemoryType, usecAgentViewStatus,
              usecAgentNotifyAddressStatus
             }
    STATUS  current
    DESCRIPTION
            "A collection of objects providing for configuration of an
            SNMPv2 agent which implements the SNMPv2 User-based Security
            Model."
    ::= { usecAgentMIBGroups 1 }

END


7.  Security Considerations

Security considerations for the User-Based Security Model are discussed
in [2].


8.  Acknowledgements

The authors wish to acknowledge the contributions of the SNMPv2 Working
Group in general.  In particular, the authors extend a special thanks
for the contributions of:

     Dave Arneson (Cabletron)
     Uri Blumenthal (IBM)
     Doug Book (Chipcom)
     Jeff Case (SNMP Research)
     Kim Curran (Bell-Northern Research)
     Chris Douglas (HP)
     Maria Greene (Ascom Timeplex)
     Deirdre Kostick (Bellcore)
     Dave Harrington (Cabletron)
     Peter Houck (HP)
     Jeff Johnson (Cisco Systems)
     David Levi (SNMP Research)
     Brian O'Keefe (Hewlett Packard)
     Andrew Pearson (SNMP Research)
     Dave Perkins (Bay Networks)
     Randy Presuhn (Peer Networks)
     Aleksey Romanov (Quality Quorum)
     Shawn Routhier (Epilogue)
     Bob Stewart (Cisco Systems)
     Kaj Tesink (Bellcore)
     Bert Wijnen (IBM)
     Steve Waldbusser (CMU)


9.  References

[1]  Galvin, J., McCloghrie, K., and Rose, M., "Administrative
     Infrastructure for Version 2 of the Simple Network Management
     Protocol (SNMPv2)", Internet Draft, Trusted Information Systems,
     Cisco Systems, Dover Beach Consulting, Inc., May 1995.

[2]  McCloghrie, K., Rose, M., and Waters, G., "User-based Security
     Model for SNMPv2", Internet Draft, Cisco Systems, Dover Beach
     Consulting, Inc., Bell-Northern Research Ltd., June 1995.

[3]  Case, J., McCloghrie, K., Rose, M., and Waldbusser, S., "Protocol
     Operations for Version 2 of the Simple Network Management Protocol
     (SNMPv2)", Internet Draft, SNMP Research, Inc., Cisco Systems,
     Dover Beach Consulting, Inc., Carnegie Mellon University, May 1995.

[4]  Case, J., McCloghrie, K., Rose, M., and Waldbusser, S., "Management
     Information Base for Version 2 of the Simple Network Management
     Protocol (SNMPv2)", Internet Draft, SNMP Research, Inc., Cisco
     Systems, Dover Beach Consulting, Inc., Carnegie Mellon University,
     May 1995.

[5]  Case, J., McCloghrie, K., Rose, M., and Waldbusser, S., "Transport
     Mappings for Version 2 of the Simple Network Management Protocol
     (SNMPv2)", Internet Draft, SNMP Research, Inc., Cisco Systems,
     Dover Beach Consulting, Inc., Carnegie Mellon University, May 1995.


     Authors' Addresses

          Keith McCloghrie
          Cisco Systems, Inc.
          170 West Tasman Drive
          San Jose, CA  95134-1706
          US

          Phone: +1 408 526 5260
          Email: kzm@cisco.com


          Marshall T. Rose
          Dover Beach Consulting, Inc.
          420 Whisman Court
          Mountain View, CA  94043-2186
          US

          Phone: +1 415 968 1052
          Email: mrose@dbc.mtview.ca.us


          Glenn W. Waters
          Bell-Northern Research Ltd.
          P.O. Box 3511, Station C
          Ottawa, Ontario  K1Y 4H7
          CA

          Phone: +1 613 763 3933
          Email: gwaters@bnr.ca


          Brian J. O'Keefe
          Hewlett-Packard Company
          Fort Collins, CO 80525
          US

          Phone: +1 970 229 4303
          Email: bok@cnd.hp.com


Table of Contents


1 Introduction ....................................................    2
1.1 A Note on Terminology .........................................    2
2 Potential Scope .................................................    3
2.1 Requirements for SNMPv2 Agents ................................    3
2.2 Requirements for SNMPv2 Dual-Role Entities ....................    4
3 Actual Scope ....................................................    4
3.1 Structure of MIB ..............................................    5
4 Authorizing Notifications .......................................    6
5 Changing A User's Secrets .......................................    7
6 Definitions .....................................................   10
6.1 Textual Conventions ...........................................   11
6.2 Administrative Assignments ....................................   15
6.3 Users .........................................................   16
6.4 Contexts ......................................................   22
6.4 Access Rights .................................................   24
6.5 MIB Views .....................................................   28
6.6 Notification Addresses ........................................   34
6.7 Conformance Information .......................................   36
6.7.1 Compliance Statements .......................................   36
6.7.2 Units of Conformance ........................................   37
7 Security Considerations .........................................   38
8 Acknowledgements ................................................   38
9 References ......................................................   38
Authors' Addresses ................................................   40