Network Working Group K. McCloghrie
Request for Comments: 1447 Hughes LAN Systems
J. Galvin
Trusted Information Systems
April 1993
Party MIB
for version 2 of the
Simple Network Management Protocol (SNMPv2)
Status of this Memo
This RFC specifes an IAB standards track protocol for the
Internet community, and requests discussion and suggestions
for improvements. Please refer to the current edition of the
"IAB Official Protocol Standards" for the standardization
state and status of this protocol. Distribution of this memo
is unlimited.
Table of Contents
1 Introduction .......................................... 2
1.1 A Note on Terminology ............................... 2
2 Definitions ........................................... 3
3.1 Textual Conventions ................................. 4
3.2 Administrative Assignments .......................... 7
3.2.1 Initial Party and Context Identifiers ............. 8
3.3 Object Assignments .................................. 16
3.4 The SNMPv2 Party Database Group ..................... 16
3.5 The SNMPv2 Contexts Database Group .................. 29
3.5 The SNMPv2 Access Privileges Database Group ......... 36
3.6 The MIB View Database Group ......................... 40
3.7 Conformance Information ............................. 45
3.7.1 Compliance Statements ............................. 45
3.7.2 Units of Conformance .............................. 47
3 Acknowledgments ....................................... 48
4 References ............................................ 49
5 Security Considerations ............................... 50
6 Authors' Addresses .................................... 50
Galvin & McCloghrie [Page 1]
RFC 1447 Party MIB for SNMPv2 April 1993
1. Introduction
A network management system contains: several (potentially
many) nodes, each with a processing entity, termed an agent,
which has access to management instrumentation; at least one
management station; and, a management protocol, used to convey
management information between the agents and management
stations. Operations of the protocol are carried out under an
administrative framework which defines both authentication and
authorization policies.
Network management stations execute management applications
which monitor and control network elements. Network elements
are devices such as hosts, routers, terminal servers, etc.,
which are monitored and controlled through access to their
management information.
Management information is viewed as a collection of managed
objects, residing in a virtual information store, termed the
Management Information Base (MIB). Collections of related
objects are defined in MIB modules. These modules are written
using a subset of OSI's Abstract Syntax Notation One (ASN.1)
[1], termed the Structure of Management Information (SMI) [2].
The Administrative Model for SNMPv2 document [3] defines the
properties associated with SNMPv2 parties, SNMPv2 contexts,
and access control policies. It is the purpose of this
document, the Party MIB for SNMPv2, to define managed objects
which correspond to these properties.
1.1. A Note on Terminology
For the purpose of exposition, the original Internet-standard
Network Management Framework, as described in RFCs 1155, 1157,
and 1212, is termed the SNMP version 1 framework (SNMPv1).
The current framework is termed the SNMP version 2 framework
(SNMPv2).
Galvin & McCloghrie [Page 2]
RFC 1447 Party MIB for SNMPv2 April 1993
2. Definitions
SNMPv2-PARTY-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, snmpModules,
UInteger32
FROM SNMPv2-SMI
TEXTUAL-CONVENTION, RowStatus, TruthValue
FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF;
partyMIB MODULE-IDENTITY
LAST-UPDATED "9304010000Z"
ORGANIZATION "IETF SNMP Security Working Group"
CONTACT-INFO
" Keith McCloghrie
Postal: Hughes LAN Systems
1225 Charleston Road
Mountain View, CA 94043
US
Tel: +1 415 966 7934
Fax: +1 415 960 3738
E-mail: kzm@hls.com"
DESCRIPTION
"The MIB module describing SNMPv2 parties."
::= { snmpModules 3 }
Galvin & McCloghrie [Page 3]
RFC 1447 Party MIB for SNMPv2 April 1993
-- textual conventions
Party ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Denotes a SNMPv2 party identifier.
Note that agents may impose implementation
limitations on the length of OIDs used to identify
Parties. As such, management stations creating
new parties should be aware that using an
excessively long OID may result in the agent
refusing to perform the set operation and instead
returning the appropriate error response, e.g.,
noCreation."
SYNTAX OBJECT IDENTIFIER
TAddress ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Denotes a transport service address.
For snmpUDPDomain, a TAddress is 6 octets long,
the initial 4 octets containing the IP-address in
network-byte order and the last 2 containing the
UDP port in network-byte order. Consult [5] for
further information on snmpUDPDomain."
SYNTAX OCTET STRING
Galvin & McCloghrie [Page 4]
RFC 1447 Party MIB for SNMPv2 April 1993
Clock ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"A party's authentication clock - a non-negative
integer which is incremented as specified/allowed
by the party's Authentication Protocol.
For noAuth, a party's authentication clock is
unused and its value is undefined.
For v2md5AuthProtocol, a party's authentication
clock is a relative clock with 1-second
granularity."
SYNTAX UInteger32
Context ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Denotes a SNMPv2 context identifier.
Note that agents may impose implementation
limitations on the length of OIDs used to identify
Contexts. As such, management stations creating new
contexts should be aware that using an excessively
long OID may result in the agent refusing to
perform the set operation and instead returning
the appropriate error response, e.g., noCreation."
SYNTAX OBJECT IDENTIFIER
Galvin & McCloghrie [Page 5]
RFC 1447 Party MIB for SNMPv2 April 1993
StorageType ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Describes the memory realization of a conceptual
row. A row which is volatile(2) is lost upon
reboot. A row which is nonVolatile(3) is backed
up by stable storage. A row which is permanent(4)
cannot be changed nor deleted."
SYNTAX INTEGER {
other(1), -- eh?
volatile(2), -- e.g., in RAM
nonVolatile(3), -- e.g., in NVRAM
permanent(4) -- e.g., in ROM
}
Galvin & McCloghrie [Page 6]
RFC 1447 Party MIB for SNMPv2 April 1993
-- administrative assignments
partyAdmin OBJECT IDENTIFIER ::= { partyMIB 1 }
-- definitions of security protocols
partyProtocols OBJECT IDENTIFIER ::= { partyAdmin 1 }
-- the protocol without authentication
noAuth OBJECT IDENTIFIER ::= { partyProtocols 1 }
-- the protocol without privacy
noPriv OBJECT IDENTIFIER ::= { partyProtocols 2 }
-- the DES Privacy Protocol [4]
desPrivProtocol
OBJECT IDENTIFIER ::= { partyProtocols 3 }
-- the MD5 Authentication Protocol [4]
v2md5AuthProtocol
OBJECT IDENTIFIER ::= { partyProtocols 4 }
-- definitions of temporal domains
temporalDomains
OBJECT IDENTIFIER ::= { partyAdmin 2 }
-- this temporal domain refers to management information
-- at the current time
currentTime OBJECT IDENTIFIER ::= { temporalDomains 1 }
-- this temporal domain refers to management information
-- upon the next re-initialization of the managed device
restartTime OBJECT IDENTIFIER ::= { temporalDomains 2 }
-- the temporal domain { cacheTime N } refers to management
-- information that is cached and guaranteed to be at most
-- N seconds old
cacheTime OBJECT IDENTIFIER ::= { temporalDomains 3 }
Galvin & McCloghrie [Page 7]
RFC 1447 Party MIB for SNMPv2 April 1993
-- Definition of Initial Party and Context Identifiers
-- When devices are installed, they need to be configured
-- with an initial set of SNMPv2 parties and contexts. The
-- configuration of SNMPv2 parties and contexts requires (among
-- other things) the assignment of several OBJECT IDENTIFIERs.
-- Any local network administration can obtain the delegated
-- authority necessary to assign its own OBJECT IDENTIFIERs.
-- However, to provide for those administrations who have not
-- obtained the necessary authority, this document allocates a
-- branch of the naming tree for use with the following
-- conventions.
initialPartyId OBJECT IDENTIFIER ::= { partyAdmin 3 }
initialContextId
OBJECT IDENTIFIER ::= { partyAdmin 4 }
-- Note these are identified as "initial" party and context
-- identifiers since these allow secure SNMPv2 communication
-- to proceed, thereby allowing further SNMPv2 parties to be
-- configured through use of the SNMPv2 itself.
-- The following definitions identify a party identifier, and
-- specify the initial values of various object instances
-- indexed by that identifier. In addition, the SNMPv2
-- context, access control policy, and MIB view information
-- assigned, by convention, are identified.
Galvin & McCloghrie [Page 8]
RFC 1447 Party MIB for SNMPv2 April 1993
-- Party Identifiers for use as initial SNMPv2 parties
-- at IP address a.b.c.d
-- Note that for all OBJECT IDENTIFIERs assigned under
-- initialPartyId, the four sub-identifiers immediately
-- following initialPartyId represent the four octets of
-- an IP address. Initial party identifiers for other address
-- families are assigned under a different OBJECT IDENTIFIER,
-- as defined elsewhere.
-- Devices which support SNMPv2 as entities acting in an
-- agent role, and accessed via the snmpUDPDomain transport
-- domain, are required to be configured with the appropriate
-- set of the following as implicit assignments as and when
-- they are configured with an IP address. The appropriate
-- set is all those applicable to the authentication and
-- privacy protocols supported by the device.
Galvin & McCloghrie [Page 9]
RFC 1447 Party MIB for SNMPv2 April 1993
-- a noAuth/noPriv party which executes at the agent
-- partyIdentity = { initialPartyId a b c d 1 }
-- partyIndex = 1
-- partyTDomain = snmpUDPDomain
-- partyTAddress = a.b.c.d, 161
-- partyLocal = true (in agent's database)
-- partyAuthProtocol = noAuth
-- partyAuthClock = 0
-- partyAuthPrivate = ''H (the empty string)
-- partyAuthPublic = ''H (the empty string)
-- partyAuthLifetime = 0
-- partyPrivProtocol = noPriv
-- partyPrivPrivate = ''H (the empty string)
-- partyPrivPublic = ''H (the empty string)
-- a noAuth/noPriv party which executes at a manager
-- partyIdentity = { initialPartyId a b c d 2 }
-- partyIndex = 2
-- partyTDomain = snmpUDPDomain
-- partyTAddress = assigned by local administration
-- partyLocal = false (in agent's database)
-- partyAuthProtocol = noAuth
-- partyAuthClock = 0
-- partyAuthPrivate = ''H (the empty string)
-- partyAuthPublic = ''H (the empty string)
-- partyAuthLifetime = 0
-- partyPrivProtocol = noPriv
-- partyPrivPrivate = ''H (the empty string)
-- partyPrivPublic = ''H (the empty string)
Galvin & McCloghrie [Page 10]
RFC 1447 Party MIB for SNMPv2 April 1993
-- a md5Auth/noPriv party which executes at the agent
-- partyIdentity = { initialPartyId a b c d 3 }
-- partyIndex = 3
-- partyTDomain = snmpUDPDomain
-- partyTAddress = a.b.c.d, 161
-- partyLocal = true (in agent's database)
-- partyAuthProtocol = v2md5AuthProtocol
-- partyAuthClock = 0
-- partyAuthPrivate = assigned by local administration
-- partyAuthPublic = ''H (the empty string)
-- partyAuthLifetime = 300
-- partyPrivProtocol = noPriv
-- partyPrivPrivate = ''H (the empty string)
-- partyPrivPublic = ''H (the empty string)
-- a md5Auth/noPriv party which executes at a manager
-- partyIdentity = { initialPartyId a b c d 4 }
-- partyIndex = 4
-- partyTDomain = snmpUDPDomain
-- partyTAddress = assigned by local administration
-- partyLocal = false (in agent's database)
-- partyAuthProtocol = v2md5AuthProtocol
-- partyAuthClock = 0
-- partyAuthPrivate = assigned by local administration
-- partyAuthPublic = ''H (the empty string)
-- partyAuthLifetime = 300
-- partyPrivProtocol = noPriv
-- partyPrivPrivate = ''H (the empty string)
-- partyPrivPublic = ''H (the empty string)
Galvin & McCloghrie [Page 11]
RFC 1447 Party MIB for SNMPv2 April 1993
-- a md5Auth/desPriv party which executes at the agent
-- partyIdentity = { initialPartyId a b c d 5 }
-- partyIndex = 5
-- partyTDomain = snmpUDPDomain
-- partyTAddress = a.b.c.d, 161
-- partyLocal = true (in agent's database)
-- partyAuthProtocol = v2md5AuthProtocol
-- partyAuthClock = 0
-- partyAuthPrivate = assigned by local administration
-- partyAuthPublic = ''H (the empty string)
-- partyAuthLifetime = 300
-- partyPrivProtocol = desPrivProtocol
-- partyPrivPrivate = assigned by local administration
-- partyPrivPublic = ''H (the empty string)
-- a md5Auth/desPriv party which executes at a manager
-- partyIdentity = { initialPartyId a b c d 6 }
-- partyIndex = 6
-- partyTDomain = snmpUDPDomain
-- partyTAddress = assigned by local administration
-- partyLocal = false (in agent's database)
-- partyAuthProtocol = v2md5AuthProtocol
-- partyAuthClock = 0
-- partyAuthPrivate = assigned by local administration
-- partyAuthPublic = ''H (the empty string)
-- partyAuthLifetime = 300
-- partyPrivProtocol = desPrivProtocol
-- partyPrivPrivate = assigned by local administration
-- partyPrivPublic = ''H (the empty string)
Galvin & McCloghrie [Page 12]
RFC 1447 Party MIB for SNMPv2 April 1993
-- the initial SNMPv2 contexts assigned, by convention, are:
-- contextIdentity = { initialContextId a b c d 1 }
-- contextIndex = 1
-- contextLocal = true (in agent's database)
-- contextViewIndex = 1
-- contextLocalEntity = ''H (the empty string)
-- contextLocalTime = currentTime
-- contextProxyDstParty = { 0 0 }
-- contextProxySrcParty = { 0 0 }
-- contextProxyContext = { 0 0 }
-- contextIdentity = { initialContextId a b c d 2 }
-- contextIndex = 2
-- contextLocal = true (in agent's database)
-- contextViewIndex = 2
-- contextLocalEntity = ''H (the empty string)
-- contextLocalTime = currentTime
-- contextProxyDstParty = { 0 0 }
-- contextProxySrcParty = { 0 0 }
-- contextProxyContext = { 0 0 }
Galvin & McCloghrie [Page 13]
RFC 1447 Party MIB for SNMPv2 April 1993
-- The initial access control policy assigned, by
-- convention, is:
-- aclTarget = 1
-- aclSubject = 2
-- aclResources = 1
-- aclPrivileges = 35 (Get, Get-Next & Get-Bulk)
-- aclTarget = 2
-- aclSubject = 1
-- aclResources = 1
-- aclPrivileges = 132 (Response & SNMPv2-Trap)
-- aclTarget = 3
-- aclSubject = 4
-- aclResources = 2
-- aclPrivileges = 43 (Get, Get-Next, Set & Get-Bulk)
-- aclTarget = 4
-- aclSubject = 3
-- aclResources = 2
-- aclPrivileges = 4 (Response)
-- aclTarget = 5
-- aclSubject = 6
-- aclResources = 2
-- aclPrivileges = 43 (Get, Get-Next, Set & Get-Bulk)
-- aclTarget = 6
-- aclSubject = 5
-- aclResources = 2
-- aclPrivileges = 4 (Response)
-- Note that the initial context and access control
-- information assigned above, by default, to the
-- md5Auth/desPriv parties are identical to those assigned to
-- the md5Auth/noPriv parties. However, each administration
-- may choose to have different authorization policies,
-- depending on whether privacy is used.
Galvin & McCloghrie [Page 14]
RFC 1447 Party MIB for SNMPv2 April 1993
-- The initial MIB views assigned, by convention, are:
-- viewIndex = 1
-- viewSubtree = system
-- viewMask = ''H
-- viewType = included
-- viewIndex = 1
-- viewSubtree = snmpStats
-- viewMask = ''H
-- viewType = included
-- viewIndex = 1
-- viewSubtree = snmpParties
-- viewMask = ''H
-- viewType = included
-- viewIndex = 2
-- viewSubtree = internet
-- viewMask = ''H
-- viewType = included
-- Note that full access to the partyTable, contextTable,
-- aclTable, and viewTable gives a manager the ability to
-- configure any parties with any/all capabilities (the
-- equivalent of "root" access). A lesser manager can be
-- given access only to the partyTable so that it can
-- maintain its own parties, but not increase/decrease
-- their capabilities. Such a lesser manager can also
-- create new parties but they are of no use to it.
Galvin & McCloghrie [Page 15]
RFC 1447 Party MIB for SNMPv2 April 1993
-- object assignments
partyMIBObjects
OBJECT IDENTIFIER ::= { partyMIB 2 }
-- the SNMPv2 party database group
snmpParties OBJECT IDENTIFIER ::= { partyMIBObjects 1 }
partyTable OBJECT-TYPE
SYNTAX SEQUENCE OF PartyEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The SNMPv2 Party database."
::= { snmpParties 1 }
partyEntry OBJECT-TYPE
SYNTAX PartyEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Locally held information about a particular
SNMPv2 party."
INDEX { IMPLIED partyIdentity }
::= { partyTable 1 }
Galvin & McCloghrie [Page 16]
RFC 1447 Party MIB for SNMPv2 April 1993
PartyEntry ::=
SEQUENCE {
partyIdentity Party,
partyIndex INTEGER,
partyTDomain OBJECT IDENTIFIER,
partyTAddress TAddress,
partyMaxMessageSize INTEGER,
partyLocal TruthValue,
partyAuthProtocol OBJECT IDENTIFIER,
partyAuthClock Clock,
partyAuthPrivate OCTET STRING,
partyAuthPublic OCTET STRING,
partyAuthLifetime INTEGER,
partyPrivProtocol OBJECT IDENTIFIER,
partyPrivPrivate OCTET STRING,
partyPrivPublic OCTET STRING,
partyCloneFrom Party,
partyStorageType StorageType,
partyStatus RowStatus
}
partyIdentity OBJECT-TYPE
SYNTAX Party
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A party identifier uniquely identifying a
particular SNMPv2 party."
::= { partyEntry 1 }
partyIndex OBJECT-TYPE
SYNTAX INTEGER (1..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique value for each SNMPv2 party. The value
for each SNMPv2 party must remain constant at
least from one re-initialization of the entity's
network management system to the next re-
initialization."
::= { partyEntry 2 }
Galvin & McCloghrie [Page 17]
RFC 1447 Party MIB for SNMPv2 April 1993
partyTDomain OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Indicates the kind of transport service by which
the party receives network management traffic."
DEFVAL { snmpUDPDomain }
::= { partyEntry 3 }
partyTAddress OBJECT-TYPE
SYNTAX TAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The transport service address by which the party
receives network management traffic, formatted
according to the corresponding value of
partyTDomain. For snmpUDPDomain, partyTAddress is
formatted as a 4-octet IP Address concatenated
with a 2-octet UDP port number."