USEC Config MIB
Keith McCloghrie <kzm@cisco.com> Sat, 05 August 1995 08:10 UTC
From: Keith McCloghrie <kzm@cisco.com>
Message-Id: <199508050715.AAA20439@foxhound.cisco.com>
Subject: USEC Config MIB
To: snmpv2@tis.com
Date: Sat, 05 Aug 1995 00:15:41 -0700
Cc: "Marshall T. Rose" <mrose@dbc.mtview.ca.us>, Glenn Waters <gwaters@bnr.ca>, Brian O'Keefe <bok@nsmdserv.cnd.hp.com>
X-Mailer: ELM [version 2.3 PL11]
Here's our proposed MIB for USEC agents.

Keith.

----------

Internet Draft       User Configuration MIB for SNMPv2 Agents       Aug 1995

           Managed Objects for the Configuration of SNMPv2 Agents
                Implementing the User-based Security Model

                               4 August 1995

                     draft-kzm-snmpv2-usec-conf-alt-00.txt

                             Keith McCloghrie
                            Cisco Systems, Inc.
                              kzm@cisco.com

                             Marshall T. Rose
                         Dover Beach Consulting, Inc.
                           mrose@dbc.mtview.ca.us

                             Glenn W. Waters
                        Bell-Northern Research Ltd.
                              gwaters@bnr.ca

                             Brian J. O'Keefe
                          Hewlett Packard Company
                               bok@cnd.hp.com

Status of this Memo

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ds.internic.net (US East Coast), nic.nordu.net
   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
   Rim).

Expires February 1996                                           [Page 1]

1. Introduction

   A management system contains: several (potentially many) nodes, each
   with a processing entity, termed an agent, which has access to
   management instrumentation; at least one management station; and, a
   management protocol, used to convey management information between
   the agents and management stations. Operations of the protocol are
   carried out under an administrative framework which defines
   authentication, authorization, access control, and privacy policies.

   Management stations execute management applications which monitor and
   control managed elements.
   Managed elements are devices such as hosts, routers, terminal
   servers, etc., which are monitored and controlled via access to their
   management information.

   The Administrative Infrastructure for SNMPv2 document [1] defines an
   administrative framework which realizes effective management in a
   variety of configurations and environments. In the administrative
   framework, a security model defines the mechanisms used to achieve an
   administratively-defined level of security for protocol interactions.
   The User-based Security Model for SNMPv2 [2] defines such a security
   model for the administrative framework.

   The administrative framework includes the provision of an access
   control model. The enforcement of access rights requires the means to
   identify the entity on whose behalf a request is generated. The
   User-based Security Model identifies an entity on whose behalf an
   SNMPv2 message is generated as a "user".

   It is the purpose of this document to define managed objects such
   that an SNMPv2 agent can be configured via SNMPv2 to know about
   "users" and their access rights.

1.1. A Note on Terminology

   For the purpose of exposition, the original Internet-standard Network
   Management Framework, as described in RFCs 1155, 1157, and 1212, is
   termed the SNMP version 1 framework (SNMPv1). The current framework
   is termed the SNMP version 2 framework (SNMPv2).

2. Potential Scope

   An SNMPv2 manager and an SNMPv2 agent are defined as the operational
   roles which can be assumed by an SNMPv2 entity. An SNMPv2 entity
   which sometimes acts in an agent role and sometimes in a manager role
   is termed an SNMPv2 dual-role entity [1]. In order to be configured
   via SNMPv2 to know about "users" and their access rights, an SNMPv2
   entity must act, at least some of the time, in an agent role.
   Thus, the scope of managed objects to support such remote
   configuration potentially extends to include both SNMPv2 agents and
   SNMPv2 dual-role entities.

2.1. Requirements for SNMPv2 Agents

   An SNMPv2 agent needs to know about all users on whose behalf it will
   receive retrieval and/or modification requests. For each such user,
   an SNMPv2 agent needs to know the authentication and privacy
   protocols and their secret key values, as well as the access rights
   authorized for that user. These access rights specify the types of
   operations permitted as well as the MIB views to which access is
   authorized for a particular local SNMPv2 context at a particular
   security level. It also needs to know which notifications are
   authorized to be sent on behalf of which users, and the transport
   addresses to which such notifications should be sent.

   In addition, it is valuable for a manager to determine the set of
   SNMPv2 local contexts which are (potentially) accessible via this
   SNMPv2 agent, including an indication of the temporal domains [1] of
   such contexts.

   It is also possible for an SNMPv2 agent to be configured to send
   notifications on behalf of only a subset of the authorized users.
   This is sometimes called "notification filtering".

   It is worth noting that in each of these situations, an SNMPv2 agent
   never sends or receives a message having an agentID value [2] other
   than its own. Thus, it has no need for any information other than
   that used to access its own set of MIB objects. In particular, there
   is no need for one agent to maintain information about the
   authentication/privacy protocols and their secret key values used to
   access other agents.

2.2. Requirements for SNMPv2 Dual-Role Entities

   There are two categories of SNMPv2 dual-role entities [1]: so-called
   mid-level managers and proxy SNMPv2 agents.
   In each case, a dual-role entity both sends and receives requests or
   notifications; it also sends and receives messages for multiple
   values of agentID. In doing so, it needs to maintain information
   about the (potentially different) authentication/privacy protocols
   and their secret key values of users on each SNMPv2 agent with which
   it communicates, and to differentiate between these according to the
   value of agentID at each agent.

   A proxy SNMPv2 agent also needs to know the context selector values
   identifying SNMPv2 proxy contexts for which it acts as a proxy agent,
   and for each such proxy context, the user, agentID and
   contextSelector with which it forwards received
   retrieval/modification requests for that context.

   It is also likely that an SNMPv2 dual-role entity will need to
   maintain a set of agentID to transport address mappings, either to
   record agents which have been discovered by this dual-role entity or
   to allow it to be configured with such information.

   On the other hand, an SNMPv2 dual-role entity does not need to
   maintain the authorization information about a user's access rights,
   nor information about the composition of MIB views.

3. Actual Scope

   It is clear from the foregoing discussion of potential scope that
   there are significant differences between the requirements for
   configuration of SNMPv2 agents as opposed to SNMPv2 dual-role
   entities. As such, this memo defines only those managed objects which
   meet the configuration needs of SNMPv2 agents. The definition of
   managed objects to meet the configuration needs of SNMPv2 dual-role
   entities will be defined elsewhere.

   In addition, this memo only defines how to authorize the transmission
   of a notification; additional information on the filtering of
   notifications will be defined elsewhere.

3.1. Structure of MIB

   This MIB consists of five tables and two scalars.
   The tables are:

   - usecAgentUserTable: the table of users configured in the SNMPv2
     agent's local configuration datastore (LCD).

   - usecAgentContextTable: the table of all SNMPv2 contexts for which
     the SNMPv2 agent receives requests; for a non-proxy SNMPv2 agent
     this will be all local contexts; if a proxy SNMPv2 agent implements
     this MIB, this table will also include information on proxy
     contexts.

   - usecAgentAccessTable: the table of users' access rights configured
     in the SNMPv2 agent's local configuration datastore.

   - usecAgentViewTable: the table containing information on subtrees of
     MIB views known to this SNMPv2 agent.

   - usecAgentNotifyAddressTable: the table of transport addresses to
     which notifications are authorized to be sent on behalf of specific
     users.

   The scalars are:

   - usecAgentSecretSpinLock: an advisory lock used to allow several
     cooperating SNMPv2 entities, all acting in a manager role, to
     coordinate their use of facilities to alter secrets in the
     usecAgentUserTable.

   - usecAgentViewNextIndex: a currently unassigned index value for a
     MIB view subtree in the usecAgentViewTable.

4. Authorizing Notifications

   The destination(s) to which a notification is authorized to be sent
   is determined by consulting the usecAgentAccessTable to find all
   entries satisfying the following conditions:

   (1) The value of usecAgentAccessPrivileges permits the relevant type
       of notification.

   (2) The value of usecAgentAccessContextSelector refers to an SNMPv2
       context containing the local management information contained in
       the notification.

   (3) The notification's administratively assigned name is present in
       the corresponding MIB view. (That is, the set of entries in the
       usecAgentViewTable for which the instance of usecAgentViewIndex
       has the same value as usecAgentAccessReadViewIndex, define a MIB
       view which contains the notification's administratively assigned
       name.)
   (4) If the OBJECTS clause is present in the invocation of the
       corresponding NOTIFICATION-TYPE macro, then the corresponding
       variables are all present in the MIB view corresponding to
       usecAgentAccessReadViewIndex.

   (5) For any additional variables which the generating SNMPv2 entity
       chooses to include within the notification, these variables are
       all present in the MIB view corresponding to
       usecAgentAccessReadViewIndex.

   If multiple entries satisfying these conditions are located for the
   same user and context, then all entries for the same user and context
   except the one with the lowest QoS value are discarded, where
   'noAuth' is lower than 'auth', and 'auth' is lower than 'priv'.
   Then, for each remaining entry, a notification is authorized to be
   sent on behalf of the user associated with that entry, with the QoS
   associated with that entry, with context
   usecAgentAccessContextSelector, and to each transport address
   associated with that user in the usecAgentNotifyAddressTable. In the
   absence of other (filtering) information to the contrary, each of
   these authorized notifications should be sent.

5. Changing A User's Secrets

   An SNMPv2 manager uses the following procedure to change the
   authentication secret configured for a user at a particular agent.

   (1) The management station determines the value for the new secret
       and generates an unpredictable value:

          determine desired value for keyNew
          randomValue = unpredictable()

       It then computes the appropriate delta value using the following
       algorithm:

          iterations = (lenOfkeyNew - 1) / 16;  /* integer division */
          temp = keyOld;
          for (i = 0; i < iterations; i++) {
              temp = MD5 (temp || randomValue);
              deltaValue[i*16 .. (i*16)+15] =
                  temp XOR keyNew[i*16 .. (i*16)+15];
          }
          temp = MD5 (temp || randomValue);
          deltaValue[i*16 .. lenOfkeyNew-1] =
              temp XOR keyNew[i*16 .. lenOfkeyNew-1];

   (2) The management station initialises its knowledge of the current
       state of the agent using an authenticated get operation, retrying
       as necessary until a response is received:

          get ( lastLock  = usecAgentSecretSpinLock.0,
                lastNovel = usecAgentPublic.<user> )

   (3) The management station generates a unique novel value (which must
       be different from all previous values of lastNovel used with
       these new secret values). It then concatenates the unpredictable
       and delta values and conveys them to the agent in a single
       varbindlist, together with the most recently retrieved value of
       the advisory lock and the most recently generated unique novel
       value, using an authenticated set operation with a previously
       unused value of request-id.

          set ( usecAgentSecretSpinLock.0  = lastLock,
                usecAgentAuthChange.<user> = <randomValue || deltaValue>,
                usecAgentPublic.<user>     = uniqueNovelValue )

       If a successful response with the correct request-id value is
       received, then goto step 4.

       If no response or an error response (with the correct request-id)
       is received, then the operation may or may not have been
       successful, due to duplication and/or loss of the request and/or
       the response(s). So,

       - save the error-index and error-status values,

       - re-issue the get operation in step 2;

       - retry this get operation as necessary until a response is
         received,

       - if this response indicates that usecAgentPublic has the unique
         novel value assigned in the last set operation, goto step 4.
         Otherwise, the set operation failed, and the saved error values
         are inspected to determine the cause of the failure.

       - if no response was received or the error-index indicates a
         problem with usecAgentSecretSpinLock, goto step 2.

       - if the error-index indicates a problem with usecAgentAuthChange
         or usecAgentPublic, the secret cannot be changed to the new
         value.

   (4) Record the new secret values in stable storage.
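As an added illustration of the Section 5 procedure and of the KeyChange textual convention in Section 6 (this is example code written for this page, not code from the draft or its authors), the following Python models both sides of an authentication-key change: the manager computing randomValue || deltaValue, the agent deriving the new key through the same one-way chain, and the get/set/re-read loop of steps (2) through (4) run against a toy agent. The toy agent class, its method names, the 8-octet novel value and all key material are constructed for the example; the 16-octet random component follows usecMD5AuthProtocol, and the 32-octet key case exists only to exercise the loop the draft writes for longer keys.

```python
import hashlib
import os

# usecMD5AuthProtocol requires a fixed 16-octet key, so the random component
# of a KeyChange value is also 16 octets (KeyChange TC, Section 6).
RANDOM_LEN = 16


def keystream(key_old: bytes, random_value: bytes, length: int) -> bytes:
    """One-way pad of Section 5 step (1) / the KeyChange TC: temp starts as the
    old key and becomes MD5(temp || random) once per 16-octet block; the last
    block is truncated to whatever remains of `length`."""
    if length == 0:
        return b""
    iterations = (length - 1) // 16             # draft: integer division
    temp = key_old
    blocks = []
    for _ in range(iterations):
        temp = hashlib.md5(temp + random_value).digest()
        blocks.append(temp)
    temp = hashlib.md5(temp + random_value).digest()
    blocks.append(temp[: length - iterations * 16])
    return b"".join(blocks)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def manager_keychange_value(key_old, key_new, random_value=None):
    """Manager side, step (1): the value set on usecAgentUserAuthChange is
    randomValue || deltaValue, with deltaValue = keystream XOR keyNew."""
    if random_value is None:
        random_value = os.urandom(RANDOM_LEN)    # the draft's unpredictable()
    delta = xor(keystream(key_old, random_value, len(key_new)), key_new)
    return random_value + delta


def agent_apply_keychange(key_old, keychange_value):
    """Agent side (KeyChange TC): recover the new K from the stored K and the
    random || delta value that was written.  Without the old key, the value
    on the wire reveals nothing about the new one."""
    random_value = keychange_value[:RANDOM_LEN]
    delta = keychange_value[RANDOM_LEN:]
    return xor(keystream(key_old, random_value, len(delta)), delta)


class ToyUsecAgent:
    """Constructed agent-side state: one usecAgentUserTable row plus the
    usecAgentSecretSpinLock scalar with TestAndIncr semantics."""

    def __init__(self, auth_key):
        self.auth_key = auth_key
        self.spin_lock = 0
        self.public = b"\x00"                    # usecAgentUserPublic DEFVAL '00'H

    def set_secret(self, lock, keychange_value, public):
        """The single-varbindlist set of step (3).  A spin-lock mismatch fails
        the whole set, so nothing on the agent changes."""
        if lock != self.spin_lock:
            return "inconsistentValue"
        self.spin_lock = (self.spin_lock + 1) % 2147483648
        self.auth_key = agent_apply_keychange(self.auth_key, keychange_value)
        self.public = public
        return "noError"


def change_secret(agent, key_old, key_new, lose_responses=0):
    """Manager side, steps (2)-(4), against the toy agent.  `lose_responses`
    drops that many set responses; the manager then re-reads
    usecAgentUserPublic to learn whether the set took effect rather than
    re-applying the KeyChange (which would derive a third key from the
    already-changed one).  Returns the key to record in stable storage, or
    None if the agent refused the change.  Retry counts are omitted, as in
    the draft."""
    keychange_value = manager_keychange_value(key_old, key_new)
    novel = os.urandom(8)                        # constructed unique novel value
    while True:
        last_lock = agent.spin_lock              # step (2): authenticated get
        status = agent.set_secret(last_lock, keychange_value, novel)  # step (3)
        if lose_responses > 0:
            lose_responses -= 1
            status = None                        # response lost: outcome unknown
        if status == "noError":
            return key_new                       # step (4)
        if agent.public == novel:                # re-read shows the set succeeded
            return key_new
        if status in (None, "inconsistentValue"):
            continue                             # back to step (2)
        return None                              # error on AuthChange or Public
```

The point of the re-read is that a KeyChange set is not idempotent: replaying it against a key that has already been changed produces a different key, which is why the draft pairs the set with a fresh usecAgentUserPublic value and checks that value before retrying.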
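The selection rule of Section 4 above, as an added example that is not part of the draft: the Python below evaluates conditions (1) through (5) over a constructed usecAgentAccessTable, discards all but the lowest-QoS entry per (user, context), and fans the survivors out over a constructed usecAgentNotifyAddressTable. MIB views are simplified to lists of included subtree prefixes (the draft's usecAgentViewTable is not reproduced here), conditions (4) and (5) are applied to every varbind alike, and the user names, view indices and transport addresses are invented for the example.

```python
# Privilege bits from usecAgentAccessPrivileges (2 ** ASN.1 tag of the PDU type)
PRIV_INFORM = 64
PRIV_SNMPV2_TRAP = 128
QOS_RANK = {"noAuth": 1, "auth": 2, "priv": 3}   # ordering used in Section 4


def in_view(oid, subtrees):
    """Simplified MIB view: an OID is in the view if one of the included
    subtrees is a prefix of it."""
    return any(oid[: len(s)] == s for s in subtrees)


def authorized_notifications(access_table, view_table, notify_addrs, notif):
    """Returns sorted (user, qos, context, address) tuples for which the
    notification is authorized to be sent."""
    required = PRIV_INFORM if notif["pdu"] == "inform" else PRIV_SNMPV2_TRAP
    candidates = []
    for row in access_table:
        if not row["privileges"] & required:             # condition (1)
            continue
        if row["context"] != notif["context"]:           # condition (2)
            continue
        view = view_table.get(row["read_view"], [])      # index 0 or unknown: empty view
        if not in_view(notif["name"], view):             # condition (3)
            continue
        if not all(in_view(o, view) for o in notif["objects"]):   # (4) and (5)
            continue
        candidates.append(row)
    best = {}                                            # lowest QoS per (user, context)
    for row in candidates:
        key = (row["user"], row["context"])
        if key not in best or QOS_RANK[row["qos"]] < QOS_RANK[best[key]["qos"]]:
            best[key] = row
    return sorted(
        (row["user"], row["qos"], row["context"], addr)
        for row in best.values()
        for addr in notify_addrs.get(row["user"], [])
    )


# Constructed sample configuration.  OIDs are tuples of sub-identifiers.
MIB2 = (1, 3, 6, 1, 2, 1)
INTERFACES = MIB2 + (2,)
SNMP_TRAPS = (1, 3, 6, 1, 6, 3, 1, 1, 5)     # snmpTraps subtree of SNMPv2-MIB
LINK_DOWN = SNMP_TRAPS + (3,)                 # linkDown
IF_INDEX_3 = INTERFACES + (2, 1, 1, 3)        # ifIndex.3

VIEW_TABLE = {                                # usecAgentViewIndex -> included subtrees
    1: [MIB2, SNMP_TRAPS],
    2: [INTERFACES, SNMP_TRAPS],
    3: [MIB2],                                # trap names are not in this view
}

ACCESS_TABLE = [                              # usecAgentAccessTable rows
    dict(context="", user="ops", qos="auth", privileges=227, read_view=1),
    dict(context="", user="ops", qos="priv", privileges=227, read_view=1),
    dict(context="", user="audit", qos="noAuth", privileges=35, read_view=1),
    dict(context="", user="netmon", qos="auth", privileges=128, read_view=2),
    dict(context="", user="helpdesk", qos="auth", privileges=227, read_view=3),
    dict(context="lan2", user="ops", qos="auth", privileges=227, read_view=1),
]

NOTIFY_ADDRS = {                              # usecAgentNotifyAddressTable
    "ops": ["10.0.0.5:162"],
    "audit": ["10.0.0.7:162"],
    "netmon": ["10.0.0.9:162"],
    "helpdesk": ["10.0.0.11:162"],
}

LINK_DOWN_TRAP = dict(pdu="trap", context="", name=LINK_DOWN, objects=[IF_INDEX_3])
LINK_DOWN_INFORM = dict(LINK_DOWN_TRAP, pdu="inform")
```

With this configuration the trap goes to ops (the 'priv' row for the same user and context is discarded in favour of 'auth') and to netmon; audit lacks the SNMPv2-Trap bit, helpdesk's view does not contain the notification name, and the lan2 row is for another context. Sending the same notification as an Inform drops netmon, whose privileges value carries only the trap bit.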
       The operation is now successfully completed.

   [Retry counts to prevent endlessly looping in the presence of certain
   failures were omitted from the above procedure in the interest of
   brevity.]

   Note that during the period of time after the request has been sent
   and before the success of the operation is determined, the management
   station must keep track of both the old and new secret values. Since
   the delay may be the result of a network failure, the management
   station must be prepared to retain both values for an extended period
   of time, including across reboots.

   A user's secret privacy key is changed using the same procedure
   except that usecAgentPrivChange is used instead of
   usecAgentAuthChange.

6. Definitions

   SNMPv2-USEC-AGENT-CONF-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, snmpModules
           FROM SNMPv2-SMI
       TEXTUAL-CONVENTION, TestAndIncr, RowStatus, AutonomousType
           FROM SNMPv2-TC
       MODULE-COMPLIANCE, OBJECT-GROUP
           FROM SNMPv2-CONF;

   usecAgentConfMIB MODULE-IDENTITY
       LAST-UPDATED "9508040000Z"
       ORGANIZATION "IETF SNMPv2 Working Group"
       CONTACT-INFO ""
       DESCRIPTION
               "The MIB module for configuring SNMPv2 agents
               implementing the user-based security model."
       ::= { snmpModules xx }

   usecAgentAdmin          OBJECT IDENTIFIER ::= { usecAgentConfMIB 1 }
   usecAgentConfMIBObjects OBJECT IDENTIFIER ::= { usecAgentConfMIB 2 }

   -- Textual Conventions

   UserName ::= TEXTUAL-CONVENTION
       STATUS       current
       DESCRIPTION
               "An octet string representing the name of a user for use
               in accordance with the SNMPv2 User-based Security Model."
       SYNTAX       OCTET STRING (SIZE(1..32))

   ContextSelector ::= TEXTUAL-CONVENTION
       STATUS       current
       DESCRIPTION
               "An SNMPv2 context."
       SYNTAX       OCTET STRING (SIZE (0..64))

   MemoryType ::= TEXTUAL-CONVENTION
       STATUS       current
       DESCRIPTION
               "Describes the memory realization of a conceptual row. A
               row which is 'volatile' is lost upon reboot. A row which
               is either 'nonVolatile', 'permanent' or 'readOnly', is
               backed up by stable storage. A row which is 'permanent'
               can be changed but not deleted. A row which is 'readOnly'
               cannot be changed nor deleted.

               If the value of an object with this syntax is either

               Conversely, if the value is either 'other', 'volatile' or

               The value 'nonVolatile' may not be written to an object
               with this syntax. When this object is set to

               the row to 'nonVolatile' at its earliest convenience.

               If the memoryType of the row is 'nonVolatile', and the row
               is modified, the memoryType will be changed by the agent
               to

               All rows with a state of 'nonVolatileRequested' can be
               forced to the 'nonVolatile' state by setting a write-NVRAM
               object [defined elsewhere].

               Every usage of this textual convention is required to
               specify the columnar objects which a 'permanent' row must
               at a minimum allow to be writable."
       SYNTAX       INTEGER {
                        other(1),        -- eh?
                        volatile(2),     -- e.g., in RAM
                        -- waiting to move from RAM to NVRAM
                        nonVolatileRequested(3),
                        nonVolatile(4),  -- e.g., in NVRAM
                        permanent(5),    -- e.g., partially in ROM
                        readOnly(6)      -- e.g., completely in ROM
                    }

   TDomain ::= TEXTUAL-CONVENTION
       STATUS       current
       DESCRIPTION
               "Denotes a kind of transport service.

               Some possible values, such as snmpUDPDomain, are defined
               in 'Transport Mappings for Version 2 of the Simple Network
               Management Protocol (SNMPv2)'."
       SYNTAX       OBJECT IDENTIFIER

   TAddress ::= TEXTUAL-CONVENTION
       STATUS       current
       DESCRIPTION
               "Denotes a transport service address.

               For snmpUDPDomain, a TAddress is 6 octets long, the
               initial 4 octets containing the IP-address in network-byte
               order and the last 2 containing the UDP port in
               network-byte order.
               Consult 'Transport Mappings for Version 2 of the Simple
               Network Management Protocol (SNMPv2)' [5] for further
               information on snmpUDPDomain."
       SYNTAX       OCTET STRING (SIZE (1..255))

   QoS ::= TEXTUAL-CONVENTION
       STATUS       current
       DESCRIPTION
               "A level of security at which SNMPv2 messages can be sent;
               in particular, one of:

               - without authentication and privacy,
               - with authentication but not privacy,
               - with authentication and privacy."
       SYNTAX       INTEGER { noAuth(1), auth(2), priv(3) }

   KeyChange ::= TEXTUAL-CONVENTION
       STATUS       current
       DESCRIPTION
               "Every definition of an object with this syntax must
               identify a protocol, P, and a secret key, K.

               The object's value is a manager-generated, partially-random
               value which, when modified, causes the value of the secret
               key, K, to be modified via a one-way function.

               The value of an instance of this object is the
               concatenation of two components: a 'random' component and
               a 'delta' component.

               The lengths of the random and delta components are given
               by the corresponding value of the protocol, P; if P
               requires K to be a fixed length, the length of both the
               random and delta components is that fixed length; if P
               allows the length of K to be variable up to a particular
               maximum length, the length of the random component is that
               maximum length and the length of the delta component is
               any length less than or equal to that maximum length. For
               example, usecMD5AuthProtocol requires K to be a fixed
               length of 16 octets. Other protocols may define other
               sizes, as deemed appropriate.
               When an instance of this object is modified to have a new
               value by the management protocol, the agent generates a
               new value of K as follows:

               - a temporary variable is initialized to the existing
                 value of K;

               - if the length of the delta component is greater than 16
                 bytes, then:

                 - the random component is appended to the value of the
                   temporary variable, and the result is input to the
                   MD5 hash algorithm to produce a digest value, and the
                   temporary variable is set to this digest value;

                 - the value of the temporary variable is XOR-ed with
                   the first (next) 16-bytes of the delta component to
                   produce the first (next) 16-bytes of the new value of
                   K.

                 - the above two steps are repeated until the unused
                   portion of the delta component is 16 bytes or less,

               - the random component is appended to the value of the
                 temporary variable, and the result is input to the MD5
                 hash algorithm to produce a digest value;

               - this digest value, truncated if necessary to be the same
                 length as the unused portion of the delta component, is
                 XOR-ed with the unused portion of the delta component to
                 produce the (final portion of the) new value of K.

               i.e.,

                 iterations = (lenOfDelta - 1) / 16;  /* integer division */
                 temp = keyold;
                 for (i = 0; i < iterations; i++) {
                     temp = MD5 (temp || random);
                     keynew[i*16 .. (i*16)+15] =
                         temp XOR delta[i*16 .. (i*16)+15];
                 }
                 temp = MD5 (temp || random);
                 keynew[i*16 .. lenOfDelta-1] =
                     temp XOR delta[i*16 .. lenOfDelta-1];

               The value of an object with this syntax, whenever it is
               retrieved by the management protocol, is always the
               zero-length string."
       SYNTAX       OCTET STRING

   -- administrative assignments

   -- Authentication Protocols
   usecAuthProtocols   OBJECT IDENTIFIER ::= { usecAgentAdmin 1 }

   -- no Authentication Protocol
   usecNoAuthProtocol  OBJECT IDENTIFIER ::= { usecAuthProtocols 1 }

   -- the Digest Authentication Protocol
   usecMD5AuthProtocol OBJECT IDENTIFIER ::= { usecAuthProtocols 2 }

   -- Privacy Protocols
   usecPrivProtocols   OBJECT IDENTIFIER ::= { usecAgentAdmin 2 }

   -- no Privacy Protocol
   usecNoPrivProtocol  OBJECT IDENTIFIER ::= { usecPrivProtocols 1 }

   -- the Symmetric Encryption Protocol
   usecDESPrivProtocol OBJECT IDENTIFIER ::= { usecPrivProtocols 2 }

   -- Time Domains
   usecTimeDomains     OBJECT IDENTIFIER ::= { usecAgentAdmin 3 }

   -- the Current Time Domain
   usecCurrentTime     OBJECT IDENTIFIER ::= { usecTimeDomains 1 }

   -- the Restart Time Domain
   usecRestartTime     OBJECT IDENTIFIER ::= { usecTimeDomains 2 }

   -- Information about users

   usecAgentUser OBJECT IDENTIFIER ::= { usecAgentConfMIBObjects 1 }

   usecAgentUserTable OBJECT-TYPE
       SYNTAX       SEQUENCE OF UsecAgentUserEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION
               "The table of users configured in the SNMPv2 agent's local
               configuration datastore (LCD)."
       ::= { usecAgentUser 1 }

   usecAgentUserEntry OBJECT-TYPE
       SYNTAX       UsecAgentUserEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION
               "A user configured in the SNMPv2 agent's local
               configuration datastore (LCD) for the User-based Security
               Model."
       INDEX        { IMPLIED usecAgentUserName }
       ::= { usecAgentUserTable 1 }

   UsecAgentUserEntry ::= SEQUENCE {
       usecAgentUserName          UserName,
       usecAgentUserAuthProtocol  OBJECT IDENTIFIER,
       usecAgentUserAuthChange    KeyChange,
       usecAgentUserPrivProtocol  OBJECT IDENTIFIER,
       usecAgentUserPrivChange    KeyChange,
       usecAgentUserPublic        OCTET STRING,
       usecAgentUserCloneFrom     UserName,
       usecAgentUserMemoryType    MemoryType,
       usecAgentUserStatus        RowStatus
   }

   usecAgentUserName OBJECT-TYPE
       SYNTAX       UserName
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION
               "An octet string representing the name of the user."
       ::= { usecAgentUserEntry 1 }

   usecAgentUserAuthProtocol OBJECT-TYPE
       SYNTAX       OBJECT IDENTIFIER
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
               "An indication of whether messages sent on behalf of this
               user can be authenticated, and if so, the type of
               authentication protocol which is used.

               An instance of this object is created concurrently with
               the creation of any other object instance for the same
               user (i.e., as part of the processing of the set operation
               which creates the first object instance in the same
               conceptual row). Once created, the value of an instance of
               this object can not be changed."
       DEFVAL       { usecMD5AuthProtocol }
       ::= { usecAgentUserEntry 2 }

   usecAgentUserAuthChange OBJECT-TYPE
       SYNTAX       KeyChange   -- typically (SIZE (0..16))
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
               "An object, which when modified, causes the user's secret
               authentication key to be modified via a one-way function.

               The associated protocol is given by the value of
               usecAgentUserAuthProtocol. The associated secret key is
               the user's secret authentication key.

               When creating a new user, it is an 'inconsistentName'
               error for a set operation to refer to this object unless
               it is previously or concurrently initialized through a set
               operation on the corresponding value of
               usecAgentUserCloneFrom."
       DEFVAL       { ''H }   -- the empty string
       ::= { usecAgentUserEntry 3 }

   usecAgentUserPrivProtocol OBJECT-TYPE
       SYNTAX       OBJECT IDENTIFIER
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
               "An indication of whether messages sent on behalf of this
               user can be protected from disclosure, and if so, the type
               of privacy protocol which is used.

               An instance of this object is created concurrently with
               the creation of any other object instance for the same
               user (i.e., as part of the processing of the set operation
               which creates the first object instance in the same
               conceptual row). Once created, the value of an instance of
               this object can not be changed."
       DEFVAL       { usecNoPrivProtocol }
       ::= { usecAgentUserEntry 4 }

   usecAgentUserPrivChange OBJECT-TYPE
       SYNTAX       KeyChange   -- typically (SIZE (0..16))
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
               "An object, which when modified, causes the user's secret
               privacy key to be modified via a one-way function.

               The associated protocol is given by the value of
               usecAgentUserPrivProtocol. The associated secret key is
               the user's secret privacy key.

               When creating a new user, it is an 'inconsistentName'
               error for a set operation to refer to this object unless
               it is previously or concurrently initialized through a set
               operation on the corresponding value of
               usecAgentUserCloneFrom."
       DEFVAL       { ''H }   -- the empty string
       ::= { usecAgentUserEntry 5 }

   usecAgentUserPublic OBJECT-TYPE
       SYNTAX       OCTET STRING (SIZE(1..32))
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
               "A publicly-readable value which is written as part of the
               procedure for changing a user's secret key(s), and later
               read to determine whether the change of the secrets was
               effected."
       DEFVAL       { '00'H }   -- the empty string
       ::= { usecAgentUserEntry 6 }

   usecAgentUserCloneFrom OBJECT-TYPE
       SYNTAX       UserName
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
               "The identity of an active user from which authentication
               and privacy parameters are cloned for this user.

               When read, the zero length string is returned.

               When written, the first write upon/after creation of an
               instance of this object invokes the cloning process.
               Subsequent writes are successful but invoke no action to
               be taken by the agent.

               If instances of the following objects have not already
               (e.g., in a previous set operation) been explicitly
               created for the new user, then cloning causes them to be
               initialized with values identical to those of the
               corresponding objects for the cloning user:

                   usecAgentUserAuthProtocol
                   usecAgentUserPrivProtocol

               Cloning also causes the initial values of the secret
               authentication and privacy keys of the new user to be set
               to the same values as the corresponding secrets of the
               cloning user."
       ::= { usecAgentUserEntry 7 }

   usecAgentUserMemoryType OBJECT-TYPE
       SYNTAX       MemoryType
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
               "The memory type for this conceptual row.

               Conceptual rows having the value 'permanent' must allow
               write-access at a minimum to usecAgentUserAuthChange and
               usecAgentUserPublic for a user which employs
               authentication, and to usecAgentUserPrivChange for a user
               which employs privacy. Note that any user which employs
               authentication or privacy must allow its secret(s) to be
               updated and thus cannot be 'readOnly'."
       ::= { usecAgentUserEntry 8 }

   usecAgentUserStatus OBJECT-TYPE
       SYNTAX       RowStatus
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
               "The status of this conceptual row.

               Until instances of all corresponding columns are
               appropriately configured, the value of the corresponding
               instance of the usecAgentUserStatus column is 'notReady'.
               In particular, if the user has a usecAgentUserAuthProtocol
               other than usecNoAuthProtocol, then a value must have been
               written to the usecAgentUserCloneFrom.

               For those columnar objects which permit write-access,
               their value in an existing conceptual row can be changed
               irrespective of the value of usecAgentUserStatus for that
               row."
       ::= { usecAgentUserEntry 9 }

   usecAgentSecretSpinLock OBJECT-TYPE
       SYNTAX       TestAndIncr
       MAX-ACCESS   read-write
       STATUS       current
       DESCRIPTION
               "An advisory lock used to allow several cooperating SNMPv2
               entities, all acting in a manager role, to coordinate
               their use of facilities to alter secrets in the
               usecAgentUserTable."
       ::= { usecAgentUser 2 }

   -- Information about all SNMPv2 contexts for which the local
   -- SNMPv2 agent receives requests.

   usecAgentContext OBJECT IDENTIFIER ::= { usecAgentConfMIBObjects 2 }

   usecAgentContextTable OBJECT-TYPE
       SYNTAX       SEQUENCE OF UsecAgentContextEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION
               "All SNMPv2 contexts for which the local SNMPv2 agent
               receives requests, which are configured in the local
               configuration datastore. In particular, all local SNMPv2
               contexts are included in this table. In addition, a proxy
               SNMPv2 agent implementing this MIB will also include its
               configured proxy SNMPv2 contexts in this table."
       ::= { usecAgentContext 1 }

   usecAgentContextEntry OBJECT-TYPE
       SYNTAX       UsecAgentContextEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION
               "An SNMPv2 context configured in the local configuration
               datastore."
       INDEX        { usecAgentContextSelector }
       ::= { usecAgentContextTable 1 }

   UsecAgentContextEntry ::= SEQUENCE {
       usecAgentContextSelector   ContextSelector,
       usecAgentContextType       INTEGER,
       usecAgentContextLocalTime  AutonomousType
   }

   usecAgentContextSelector OBJECT-TYPE
       SYNTAX       ContextSelector
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION
               "The context selector by which the SNMPv2 context
               represented by this conceptual row is locally known."
       ::= { usecAgentContextEntry 1 }

   usecAgentContextType OBJECT-TYPE
       SYNTAX       INTEGER { local(1), proxy(2) }
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION
               "The type of SNMPv2 context."
       ::= { usecAgentContextEntry 2 }

   usecAgentContextLocalTime OBJECT-TYPE
       SYNTAX       AutonomousType
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION
               "The temporal domain of this context."
       ::= { usecAgentContextEntry 3 }

   -- Information about Access Rights

   usecAgentAccess OBJECT IDENTIFIER ::= { usecAgentConfMIBObjects 3 }

   usecAgentAccessTable OBJECT-TYPE
       SYNTAX       SEQUENCE OF UsecAgentAccessEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION
               "The table of users' access rights configured in the
               local configuration datastore (LCD)."
       ::= { usecAgentAccess 1 }

   usecAgentAccessEntry OBJECT-TYPE
       SYNTAX       UsecAgentAccessEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION
               "An access right configured in the local configuration
               datastore (LCD). The value of the usecAgentUserName
               component of this index represents the userName of the
               user to whom the access rights apply."
    INDEX { usecAgentAccessContextSelector,
            usecAgentUserName,
            usecAgentAccessQoS }
    ::= { usecAgentAccessTable 1 }

UsecAgentAccessEntry ::= SEQUENCE {
    usecAgentAccessContextSelector  ContextSelector,
    usecAgentAccessQoS              QoS,
    usecAgentAccessPrivileges       INTEGER,
    usecAgentAccessReadViewIndex    INTEGER,
    usecAgentAccessWriteViewIndex   INTEGER,
    usecAgentAccessMemoryType       MemoryType,
    usecAgentAccessStatus           RowStatus
}

usecAgentAccessContextSelector OBJECT-TYPE
    SYNTAX      ContextSelector
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The context selector for which this conceptual row grants
        access rights."
    ::= { usecAgentAccessEntry 1 }

usecAgentAccessQoS OBJECT-TYPE
    SYNTAX      QoS
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The minimum level of security required of messages sent on
        behalf of the user in order to gain the access rights
        allowed by this conceptual row."
    ::= { usecAgentAccessEntry 2 }

usecAgentAccessPrivileges OBJECT-TYPE
    SYNTAX      INTEGER (0..255)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The access privileges authorized by this conceptual row.
        Access privileges specify whether received retrieval and
        modification requests are permitted to be processed, and
        whether notifications are permitted to be transmitted.

        The privileges are specified as a sum of values, where each
        value specifies the SNMPv2 PDU type of a permitted
        operation.  The value for a particular PDU type is computed
        as 2 raised to the value of the ASN.1 context-specific tag
        for the appropriate SNMPv2 PDU type:

             Get         :   1
             GetNext     :   2
             (unused     :   4)
             Set         :   8
             (unused     :  16)
             GetBulk     :  32
             Inform      :  64
             SNMPv2-Trap : 128

        The null set is represented by the value zero."
    DEFVAL { 35 }   -- Get, Get-Next & Get-Bulk
    ::= { usecAgentAccessEntry 3 }

usecAgentAccessReadViewIndex OBJECT-TYPE
    SYNTAX      INTEGER (0..2147483647)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The value of an instance of this object identifies the MIB
        view of the SNMPv2 context to which this conceptual row
        authorizes read access.  The identified MIB view is that for
        which viewIndex has the same value as the instance of this
        object; if the value is zero or there are no active view
        subtrees for that value, then the identified MIB view is the
        empty set of view subtrees.  (Note that read access includes
        access via retrieval requests as well as transmission of
        information via notification requests.)

        Otherwise, this object is ignored and can take any value at
        the agent's discretion, e.g., zero."
    DEFVAL { 0 }
    ::= { usecAgentAccessEntry 4 }

usecAgentAccessWriteViewIndex OBJECT-TYPE
    SYNTAX      INTEGER (0..2147483647)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The value of an instance of this object identifies the MIB
        view of the SNMPv2 context to which this conceptual row
        authorizes write access.  The identified MIB view is that
        for which viewIndex has the same value as the instance of
        this object; if the value is zero or there are no active
        view subtrees for that value, then the identified MIB view
        is the empty set of view subtrees.

        Otherwise, this object is ignored and can take any value at
        the agent's discretion, e.g., zero."
    DEFVAL { 0 }
    ::= { usecAgentAccessEntry 5 }

usecAgentAccessMemoryType OBJECT-TYPE
    SYNTAX      MemoryType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The memory type for this conceptual row.  Conceptual rows
        having the value 'permanent' need not allow write-access to
        any columnar objects in the row."
    DEFVAL { nonVolatileRequested }
    ::= { usecAgentAccessEntry 6 }

usecAgentAccessStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this conceptual row.

        For those columnar objects which permit write-access, their
        value in an existing conceptual row can be changed
        irrespective of the value of usecAgentAccessStatus for that
        row.

        A conceptual row in this table is not qualified for
        activation until the context and the user it references are
        active.  Further, a conceptual row in this table is
        immediately made notInService whenever the status of the
        context or the user it references is made notInService.
        Finally, a conceptual row in this table is immediately
        destroyed whenever the context or the user it references is
        destroyed."
    ::= { usecAgentAccessEntry 7 }

-- MIB views
-- Note that support for views having instance-level granularity
-- is optional

usecAgentViews OBJECT IDENTIFIER ::= { usecAgentConfMIBObjects 4 }

usecAgentViewNextIndex OBJECT-TYPE
    SYNTAX      INTEGER (0..2147483647)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "A currently unassigned value of usecAgentViewIndex.  The
        value 0 indicates that no unassigned values are available.

        In order to cause a non-zero value of this object to be
        assigned for use as the usecAgentViewIndex of a future MIB
        view, it must be successfully modified by a set operation.
        When modified by a set operation, the new value supplied
        must precisely match the value presently held by the object.
        If not, the management protocol set operation fails with an
        error of `inconsistentValue'.

        Immediately after the completion of a successful set
        operation, the agent must modify the value of this object.
        The algorithm for modifying the value is
        implementation-dependent, and may use a subset of values
        within 1..2147483647.
        However, the agent must guarantee that the new value is not
        assigned to any in-use value of usecAgentViewIndex, e.g., is
        not pointed to by any other MIB object.

        A management station creates a new MIB view using this
        algorithm:

        - issue a management protocol retrieval operation to obtain
          the value of usecAgentViewNextIndex; if the retrieved
          value is zero, a new MIB view cannot be created at this
          time;

        - issue a management protocol set operation for
          usecAgentViewNextIndex, supplying the same value as
          obtained in the previous step;

        - if the set operation succeeds, use the supplied value as
          the usecAgentViewIndex of the new MIB view;

        - issue a management protocol set operation to create an
          instance of the usecAgentViewStatus object setting its
          value to `createAndGo' or `createAndWait' (as specified
          in the description of the RowStatus textual convention)."
    ::= { usecAgentViews 1 }

usecAgentViewTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF UsecAgentViewEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Locally held information about subtrees of MIB views.  Note
        that a MIB view which has no subtrees defined for it has no
        entries in this table.

        Each MIB view is defined by two collections of view
        subtrees: the included view subtrees, and the excluded view
        subtrees.  Every such subtree, both included and excluded,
        is defined in this table.  To determine if a particular
        object instance is in a particular MIB view, compare the
        object instance's OBJECT IDENTIFIER with each of the MIB
        view's active entries in this table.  If none match, then
        the object instance is not in the MIB view.  If one or more
        match, then the object instance is included in, or excluded
        from, the MIB view according to the value of
        usecAgentViewType in the entry whose value of
        usecAgentViewSubtree has the most sub-identifiers.
        If multiple entries match and have the same number of
        sub-identifiers, then the lexicographically greatest
        instance of usecAgentViewType determines the inclusion or
        exclusion.

        An object instance's OBJECT IDENTIFIER X matches an active
        entry in this table when the number of sub-identifiers in X
        is at least as many as in the value of usecAgentViewSubtree
        for the entry, and each sub-identifier in the value of
        usecAgentViewSubtree matches its corresponding
        sub-identifier in X.  Two sub-identifiers match either if
        the corresponding bit of usecAgentViewMask is zero (the
        'wild card' value), or if they are equal.

        Due to this 'wild card' capability, we introduce the term,
        a 'family' of view subtrees, to refer to the set of subtrees
        defined by a particular combination of values of
        usecAgentViewSubtree and usecAgentViewMask.  In the case
        where no 'wild card' is defined in usecAgentViewMask, the
        family of view subtrees reduces to a single view subtree."
    ::= { usecAgentViews 2 }

usecAgentViewEntry OBJECT-TYPE
    SYNTAX      UsecAgentViewEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Information on a particular family of view subtrees
        included in or excluded from a particular SNMPv2 context's
        MIB view.

        Implementations must not restrict the number of families of
        view subtrees for a given MIB view, except as dictated by
        resource constraints on the overall number of entries in
        the usecAgentViewTable."
    INDEX { usecAgentViewIndex, IMPLIED usecAgentViewSubtree }
    ::= { usecAgentViewTable 1 }

UsecAgentViewEntry ::= SEQUENCE {
    usecAgentViewIndex          INTEGER,
    usecAgentViewSubtree        OBJECT IDENTIFIER,
    usecAgentViewMask           OCTET STRING,
    usecAgentViewType           INTEGER,
    usecAgentViewMemoryType     MemoryType,
    usecAgentViewStatus         RowStatus
}

usecAgentViewIndex OBJECT-TYPE
    SYNTAX      INTEGER (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An arbitrary unique value for each MIB view.  The value for
        each MIB view must remain constant at least from one
        re-initialization of the entity's network management system
        to the next re-initialization.  The specific value is
        meaningful only within a given SNMPv2 entity, i.e., it is
        not meaningful to any other SNMPv2 entity except to uniquely
        identify the view within the set of all views known to this
        agent."
    ::= { usecAgentViewEntry 1 }

usecAgentViewSubtree OBJECT-TYPE
    SYNTAX      OBJECT IDENTIFIER
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A MIB subtree."
    ::= { usecAgentViewEntry 2 }

usecAgentViewMask OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..16))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The bit mask which, in combination with the corresponding
        instance of usecAgentViewSubtree, defines a family of view
        subtrees.

        Each bit of this bit mask corresponds to a sub-identifier of
        usecAgentViewSubtree, with the most significant bit of the
        i-th octet of this octet string value (extended if
        necessary, see below) corresponding to the (8*i - 7)-th
        sub-identifier, and the least significant bit of the i-th
        octet of this octet string corresponding to the (8*i)-th
        sub-identifier, where i is in the range 1 through 16.
        Each bit of this bit mask specifies whether or not the
        corresponding sub-identifiers must match when determining
        if an OBJECT IDENTIFIER is in this family of view subtrees;
        a '1' indicates that an exact match must occur; a '0'
        indicates 'wild card', i.e., any sub-identifier value
        matches.

        Thus, the OBJECT IDENTIFIER X of an object instance is
        contained in a family of view subtrees if the following
        criteria are met:

            for each sub-identifier of the value of
            usecAgentViewSubtree, either:

              the i-th bit of usecAgentViewMask is 0, or

              the i-th sub-identifier of X is equal to the i-th
              sub-identifier of the value of usecAgentViewSubtree.

        If the value of this bit mask is M bits long and there are
        more than M sub-identifiers in the corresponding instance
        of usecAgentViewSubtree, then the bit mask is extended with
        1's to be the required length.

        Note that when the value of this object is the zero-length
        string, this extension rule results in a mask of all-1's
        being used (i.e., no 'wild card'), and the family of view
        subtrees is the one view subtree uniquely identified by the
        corresponding instance of usecAgentViewSubtree."
    DEFVAL { ''H }
    ::= { usecAgentViewEntry 3 }

usecAgentViewType OBJECT-TYPE
    SYNTAX      INTEGER { included(1), excluded(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The indication of whether the corresponding instances of
        usecAgentViewSubtree and usecAgentViewMask define a family
        of view subtrees which is included or excluded in the MIB
        view."
    DEFVAL { included }
    ::= { usecAgentViewEntry 4 }

usecAgentViewMemoryType OBJECT-TYPE
    SYNTAX      MemoryType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this conceptual row.  Conceptual rows
        having the value 'permanent' need not allow write-access to
        any columnar objects in the row."
    DEFVAL { nonVolatile }
    ::= { usecAgentViewEntry 5 }

usecAgentViewStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this conceptual row.

        For those columnar objects which permit write-access, their
        value in an existing conceptual row can be changed
        irrespective of the value of usecAgentViewStatus for that
        row."
    ::= { usecAgentViewEntry 6 }

-- transport addresses authorized for notifications

usecAgentNotification OBJECT IDENTIFIER ::= { usecAgentConfMIBObjects 5 }

usecAgentNotifyAddressTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF UsecAgentNotifyAddressEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The transport addresses to which notifications are
        authorized to be sent on behalf of specific users."
    ::= { usecAgentNotification 1 }

usecAgentNotifyAddressEntry OBJECT-TYPE
    SYNTAX      UsecAgentNotifyAddressEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A transport address to which notifications are authorized
        to be sent on behalf of a user, where the user is given by
        the value of the usecAgentUserName component of this index."
    INDEX { usecAgentUserName,
            usecAgentNotifyTDomain,
            IMPLIED usecAgentNotifyTAddress }
    ::= { usecAgentNotifyAddressTable 1 }

UsecAgentNotifyAddressEntry ::= SEQUENCE {
    usecAgentNotifyTDomain          TDomain,
    usecAgentNotifyTAddress         TAddress,
    usecAgentNotifyAddressStatus    RowStatus
}

usecAgentNotifyTDomain OBJECT-TYPE
    SYNTAX      TDomain
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Indicates the kind of transport service for this transport
        address."
    ::= { usecAgentNotifyAddressEntry 1 }

usecAgentNotifyTAddress OBJECT-TYPE
    SYNTAX      TAddress
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The transport service address.
        For snmpUDPDomain, usecAgentNotifyTAddress is formatted as a
        4-octet IP Address concatenated with a 2-octet UDP port
        number."
    ::= { usecAgentNotifyAddressEntry 2 }

usecAgentNotifyAddressStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The status of this conceptual row."
    ::= { usecAgentNotifyAddressEntry 3 }

-- conformance information

usecAgentMIBConformance
    OBJECT IDENTIFIER ::= { usecAgentConfMIB 3 }
usecAgentMIBCompliances
    OBJECT IDENTIFIER ::= { usecAgentMIBConformance 1 }
usecAgentMIBGroups
    OBJECT IDENTIFIER ::= { usecAgentMIBConformance 2 }

-- compliance statements

usecAgentMIBCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for SNMPv2 entities which
        implement the SNMPv2 USEC MIB."
    MODULE  -- this module
        MANDATORY-GROUPS { usecAgentBasicGroup }

        OBJECT      usecAgentUserAuthProtocol
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT      usecAgentUserPrivProtocol
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT      usecAgentUserPrivChange
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT      usecAgentViewNextIndex
        MIN-ACCESS  read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT      usecAgentViewStatus
        MIN-ACCESS  read-only
        DESCRIPTION
            "Create access to the usecAgentViewTable is not
            required."
    ::= { usecAgentMIBCompliances 1 }

-- units of conformance

usecAgentBasicGroup OBJECT-GROUP
    OBJECTS { usecAgentUserAuthProtocol,
              usecAgentUserAuthChange,
              usecAgentUserPrivProtocol,
              usecAgentUserPrivChange,
              usecAgentUserPublic,
              usecAgentUserCloneFrom,
              usecAgentUserMemoryType,
              usecAgentUserStatus,
              usecAgentSecretSpinLock,
              usecAgentContextType,
              usecAgentContextLocalTime,
              usecAgentAccessPrivileges,
              usecAgentAccessReadViewIndex,
              usecAgentAccessWriteViewIndex,
              usecAgentAccessMemoryType,
              usecAgentAccessStatus,
              usecAgentViewNextIndex,
              usecAgentViewMask,
              usecAgentViewType,
              usecAgentViewMemoryType,
              usecAgentViewStatus,
              usecAgentNotifyAddressStatus }
    STATUS  current
    DESCRIPTION
        "A collection of objects providing for configuration of an
        SNMPv2 agent which implements the SNMPv2 User-based
        Security Model."
    ::= { usecAgentMIBGroups 1 }

END

7. Security Considerations

Security considerations for the User-Based Security Model are
discussed in [2].

8. Acknowledgements

The authors wish to acknowledge the contributions of the SNMPv2
Working Group in general. In particular, the authors extend a
special thanks for the contributions of:

    Dave Arneson (Cabletron)
    Uri Blumenthal (IBM)
    Doug Book (Chipcom)
    Jeff Case (SNMP Research)
    Kim Curran (Bell-Northern Research)
    Chris Douglas (HP)
    Maria Greene (Ascom Timeplex)
    Deirdre Kostick (Bellcore)
    Dave Harrington (Cabletron)
    Peter Houck (HP)
    Jeff Johnson (Cisco Systems)
    David Levi (SNMP Research)
    Brian O'Keefe (Hewlett Packard)
    Andrew Pearson (SNMP Research)
    Dave Perkins (Bay Networks)
    Randy Presuhn (Peer Networks)
    Aleksey Romanov (Quality Quorum)
    Shawn Routhier (Epilogue)
    Bob Stewart (Cisco Systems)
    Kaj Tesink (Bellcore)
    Bert Wijnen (IBM)
    Steve Waldbusser (CMU)

9. References

[1] Galvin, J., McCloghrie, K., and Rose, M., "Administrative
    Infrastructure for Version 2 of the Simple Network Management
    Protocol (SNMPv2)", Internet Draft, Trusted Information Systems,
    Cisco Systems, Dover Beach Consulting, Inc., May 1995.

[2] McCloghrie, K., Rose, M., and Waters, G., "User-based Security
    Model for SNMPv2", Internet Draft, Cisco Systems, Dover Beach
    Consulting, Inc., Bell-Northern Research Ltd., June 1995.

[3] Case, J., McCloghrie, K., Rose, M., and Waldbusser, S.,
    "Protocol Operations for Version 2 of the Simple Network
    Management Protocol (SNMPv2)", Internet Draft, SNMP Research,
    Inc., Cisco Systems, Dover Beach Consulting, Inc., Carnegie
    Mellon University, May 1995.

[4] Case, J., McCloghrie, K., Rose, M., and Waldbusser, S.,
    "Management Information Base for Version 2 of the Simple Network
    Management Protocol (SNMPv2)", Internet Draft, SNMP Research,
    Inc., Cisco Systems, Dover Beach Consulting, Inc., Carnegie
    Mellon University, May 1995.

[5] Case, J., McCloghrie, K., Rose, M., and Waldbusser, S.,
    "Transport Mappings for Version 2 of the Simple Network
    Management Protocol (SNMPv2)", Internet Draft, SNMP Research,
    Inc., Cisco Systems, Dover Beach Consulting, Inc., Carnegie
    Mellon University, May 1995.

Authors' Addresses

    Keith McCloghrie
    Cisco Systems, Inc.
    170 West Tasman Drive
    San Jose, CA 95134-1706
    US

    Phone: +1 408 526 5260
    Email: kzm@cisco.com

    Marshall T. Rose
    Dover Beach Consulting, Inc.
    420 Whisman Court
    Mountain View, CA 94043-2186
    US

    Phone: +1 415 968 1052
    Email: mrose@dbc.mtview.ca.us

    Glenn W. Waters
    Bell-Northern Research Ltd.
    P.O. Box 3511, Station C
    Ottawa, Ontario K1Y 4H7
    CA

    Phone: +1 613 763 3933
    Email: gwaters@bnr.ca

    Brian J. O'Keefe
    Hewlett-Packard Company
    Fort Collins, CO 80525
    US

    Phone: +1 970 229 4303
    Email: bok@cnd.hp.com

Table of Contents

1 Introduction .................................................... 2
1.1 A Note on Terminology ......................................... 2
2 Potential Scope ................................................. 3
2.1 Requirements for SNMPv2 Agents ................................ 3
2.2 Requirements for SNMPv2 Dual-Role Entities .................... 4
3 Actual Scope .................................................... 4
3.1 Structure of MIB .............................................. 5
4 Authorizing Notifications ....................................... 6
5 Changing A User's Secrets ....................................... 7
6 Definitions ..................................................... 10
6.1 Textual Conventions ........................................... 11
6.2 Administrative Assignments .................................... 15
6.3 Users ......................................................... 16
6.4 Contexts ...................................................... 22
6.4 Access Rights ................................................. 24
6.5 MIB Views ..................................................... 28
6.6 Notification Addresses ........................................ 34
6.7 Conformance Information ....................................... 36
6.7.1 Compliance Statements ....................................... 36
6.7.2 Units of Conformance ........................................ 37
7 Security Considerations ......................................... 38
8 Acknowledgements ................................................ 38
9 References ...................................................... 38
Authors' Addresses ................................................ 40
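The access decision the draft describes, as an added Python example that is not part of the draft or any USEC implementation: the usecAgentAccessPrivileges bit sum, the read/write view indices of usecAgentAccessTable, and the usecAgentViewTable matching rules (mask bit layout, extension with 1's, longest subtree wins, ties broken by the lexicographically greatest subtree). The numeric QoS ordering NO_AUTH < AUTH < AUTH_PRIV, the choice of the strongest qualifying access row, and the sample view and access rows are assumptions; the draft's QoS textual convention is in section 6.1, outside this excerpt.

```python
from dataclasses import dataclass

# usecAgentAccessPrivileges bits: 2 ** (ASN.1 context tag of the PDU type)
GET, GETNEXT, SET, GETBULK, INFORM, TRAP = 1, 2, 8, 32, 64, 128
INCLUDED, EXCLUDED = 1, 2              # usecAgentViewType
NO_AUTH, AUTH, AUTH_PRIV = 0, 1, 2     # assumed numeric ordering of QoS levels

@dataclass(frozen=True)
class ViewEntry:                 # one row of usecAgentViewTable
    index: int                   # usecAgentViewIndex
    subtree: tuple               # usecAgentViewSubtree, as sub-identifiers
    vtype: int = INCLUDED        # usecAgentViewType
    mask: bytes = b""            # usecAgentViewMask; zero-length = no wild cards
    active: bool = True          # usecAgentViewStatus is active

@dataclass(frozen=True)
class AccessEntry:               # one row of usecAgentAccessTable
    context: str                 # index: usecAgentAccessContextSelector,
    user: str                    #        usecAgentUserName,
    qos: int                     #        usecAgentAccessQoS (minimum required)
    privileges: int              # usecAgentAccessPrivileges
    read_view: int               # usecAgentAccessReadViewIndex, 0 = empty view
    write_view: int              # usecAgentAccessWriteViewIndex, 0 = empty view
    active: bool = True

def mask_bit(mask: bytes, i: int) -> int:
    """Mask bit for the i-th (1-based) sub-identifier: the MSB of octet 1 is
    sub-identifier 1; bits past the end of the mask are extended with 1's."""
    octet, bit = divmod(i - 1, 8)
    return 1 if octet >= len(mask) else (mask[octet] >> (7 - bit)) & 1

def in_family(oid: tuple, e: ViewEntry) -> bool:
    """X is in the family when it has at least as many sub-identifiers as the
    subtree and each one is either wild-carded or equal to the subtree's."""
    return len(oid) >= len(e.subtree) and all(
        mask_bit(e.mask, i) == 0 or oid[i - 1] == e.subtree[i - 1]
        for i in range(1, len(e.subtree) + 1))

def oid_in_view(oid: tuple, view_index: int, entries) -> bool:
    """View index 0, or no active matching family, means the empty view."""
    matches = [e for e in entries
               if e.active and e.index == view_index and in_family(oid, e)]
    if not matches:
        return False
    # The family with the most sub-identifiers decides; on a tie the
    # lexicographically greatest subtree (greatest usecAgentViewType instance).
    best = max(matches, key=lambda e: (len(e.subtree), e.subtree))
    return best.vtype == INCLUDED

def request_allowed(context, user, qos, pdu, oids, access, views) -> bool:
    """Pick the access row for (context, user) whose minimum QoS the message
    meets (assumption: the strongest such row), check the PDU-type privilege
    bit, then require every OID to be in the read view (write view for Set)."""
    rows = [r for r in access if r.active and r.context == context
            and r.user == user and r.qos <= qos]
    if not rows:
        return False
    row = max(rows, key=lambda r: r.qos)
    if not row.privileges & pdu:
        return False
    view = row.write_view if pdu == SET else row.read_view
    return all(oid_in_view(o, view, views) for o in oids)

MIB2, IF_ENTRY = (1, 3, 6, 1, 2, 1), (1, 3, 6, 1, 2, 1, 2, 2, 1)
VIEWS = [  # constructed sample rows; mask ff a0 wild-cards sub-identifier 10
    ViewEntry(1, MIB2),                                      # all of mib-2 ...
    ViewEntry(1, MIB2 + (2,), EXCLUDED),                     # ... minus interfaces ...
    ViewEntry(1, IF_ENTRY + (0, 7), INCLUDED, b"\xff\xa0"),  # ... but any column of ifIndex 7
    ViewEntry(2, IF_ENTRY + (0, 7), EXCLUDED, b"\xff\xa0"),  # any column of ifIndex 7
    ViewEntry(2, IF_ENTRY + (2, 0), INCLUDED, b"\xff\xc0"),  # ifDescr for any ifIndex
]
ACCESS = [  # constructed sample rows; 35 is the DEFVAL (Get, GetNext, GetBulk)
    AccessEntry("", "ops", NO_AUTH, 35, 1, 0),
    AccessEntry("", "ops", AUTH, 35 | SET, 1, 2),
]
```

In view 2 both families match ifDescr.7 with eleven sub-identifiers, so the lexicographically greater subtree (the ifDescr family) decides and the Set is permitted.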