Node-Red configuration
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.

rfc3412.txt 93KB


  1. Network Working Group J. Case
  2. Request for Comments: 3412 SNMP Research, Inc.
  3. STD: 62 D. Harrington
  4. Obsoletes: 2572 Enterasys Networks
  5. Category: Standards Track R. Presuhn
  6. BMC Software, Inc.
  7. B. Wijnen
  8. Lucent Technologies
  9. December 2002
  10. Message Processing and Dispatching for the
  11. Simple Network Management Protocol (SNMP)
  12. Status of this Memo
  13. This document specifies an Internet standards track protocol for the
  14. Internet community, and requests discussion and suggestions for
  15. improvements. Please refer to the current edition of the "Internet
  16. Official Protocol Standards" (STD 1) for the standardization state
  17. and status of this protocol. Distribution of this memo is unlimited.
  18. Copyright Notice
  19. Copyright (C) The Internet Society (2002). All Rights Reserved.
  20. Abstract
  21. This document describes the Message Processing and Dispatching for
  22. Simple Network Management Protocol (SNMP) messages within the SNMP
  23. architecture. It defines the procedures for dispatching potentially
  24. multiple versions of SNMP messages to the proper SNMP Message
  25. Processing Models, and for dispatching PDUs to SNMP applications.
  26. This document also describes one Message Processing Model - the
  27. SNMPv3 Message Processing Model. This document obsoletes RFC 2572.
  28. Case, et al. Standards Track [Page 1]
  29. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  30. Table of Contents
  31. 1. Introduction ................................................ 3
  32. 2. Overview .................................................... 4
  33. 2.1. The Dispatcher ............................................ 5
  34. 2.2. Message Processing Subsystem .............................. 5
  35. 3. Elements of Message Processing and Dispatching .............. 6
  36. 3.1. messageProcessingModel .................................... 6
  37. 3.2. pduVersion ................................................ 6
  38. 3.3. pduType ................................................... 7
  39. 3.4. sendPduHandle ............................................. 7
  40. 4. Dispatcher Elements of Procedure ............................ 7
  41. 4.1. Sending an SNMP Message to the Network .................... 7
  42. 4.1.1. Sending a Request or Notification ....................... 8
  43. 4.1.2. Sending a Response to the Network ....................... 9
  44. 4.2. Receiving an SNMP Message from the Network ................ 11
  45. 4.2.1. Message Dispatching of received SNMP Messages ........... 11
  46. 4.2.2. PDU Dispatching for Incoming Messages ................... 12
  47. 4.2.2.1. Incoming Requests and Notifications ................... 13
  48. 4.2.2.2. Incoming Responses .................................... 14
  49. 4.3. Application Registration for Handling PDU types ........... 15
  50. 4.4. Application Unregistration for Handling PDU Types ......... 16
  51. 5. Definitions ................................................. 16
  52. 5.1. Definitions for SNMP Message Processing and Dispatching ... 16
  53. 6. The SNMPv3 Message Format ................................... 19
  54. 6.1. msgVersion ................................................ 20
  55. 6.2. msgID ..................................................... 20
  56. 6.3. msgMaxSize ................................................ 21
  57. 6.4. msgFlags .................................................. 21
  58. 6.5. msgSecurityModel .......................................... 24
  59. 6.6. msgSecurityParameters ..................................... 24
  60. 6.7. scopedPduData ............................................. 24
  61. 6.8. scopedPDU ................................................. 24
  62. 6.8.1. contextEngineID ......................................... 24
  63. 6.8.2. contextName ............................................. 25
  64. 6.8.3. data .................................................... 25
  65. 7. Elements of Procedure for v3MP .............................. 25
  66. 7.1. Prepare an Outgoing SNMP Message .......................... 26
  67. 7.2. Prepare Data Elements from an Incoming SNMP Message ....... 32
  68. 8. Intellectual Property ....................................... 37
  69. 9. Acknowledgements ............................................ 38
  70. 10. Security Considerations .................................... 39
  71. 11. References ................................................. 40
  72. 11.1. Normative References ..................................... 40
  73. 11.2. Informative References ................................... 41
  74. 12. Editors' Addresses ......................................... 42
  75. 13. Full Copyright Statement ................................... 43
  76. Case, et al. Standards Track [Page 2]
  77. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  78. 1. Introduction
  79. The Architecture for describing Internet Management Frameworks
  80. [RFC3411] describes that an SNMP engine is composed of:
  81. 1) a Dispatcher
  82. 2) a Message Processing Subsystem,
  83. 3) a Security Subsystem, and
  84. 4) an Access Control Subsystem.
  85. Applications make use of the services of these subsystems.
  86. It is important to understand the SNMP architecture and its
  87. terminology to understand where the Message Processing Subsystem and
  88. Dispatcher described in this document fit into the architecture and
  89. interact with other subsystems within the architecture. The reader
  90. is expected to have read and understood the description of the SNMP
  91. architecture, defined in [RFC3411].
  92. The Dispatcher in the SNMP engine sends and receives SNMP messages.
  93. It also dispatches SNMP PDUs to SNMP applications. When an SNMP
  94. message needs to be prepared or when data needs to be extracted from
  95. an SNMP message, the Dispatcher delegates these tasks to a message
  96. version-specific Message Processing Model within the Message
  97. Processing Subsystem.
  98. A Message Processing Model is responsible for processing an SNMP
  99. version-specific message and for coordinating the interaction with
  100. the Security Subsystem to ensure proper security is applied to the
  101. SNMP message being handled.
  102. Interactions between the Dispatcher, the Message Processing
  103. Subsystem, and applications are modeled using abstract data elements
  104. and abstract service interface primitives defined by the SNMP
  105. architecture.
  106. Similarly, interactions between the Message Processing Subsystem and
  107. the Security Subsystem are modeled using abstract data elements and
  108. abstract service interface primitives as defined by the SNMP
  109. architecture.
  110. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
  111. "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
  112. document are to be interpreted as described in BCP 14, RFC 2119.
  113. Case, et al. Standards Track [Page 3]
  114. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  115. 2. Overview
  116. The following illustration depicts the Message Processing in relation
  117. to SNMP applications, the Security Subsystem and Transport Mappings.
  118. +-------------------------------------------------------------------+
  119. | SNMP Entity |
  120. | |
  121. | +---------------------------------------------------------------+ |
  122. | | Applications | |
  123. | | +-----------+ +--------------+ | |
  124. | | | Command | | Notification | | |
  125. | | | Generator | | Originator | +-----------+ +--------------+| |
  126. | | +-----------+ +--------------+ | Proxy | | Other || |
  127. | | +-----------+ +--------------+ | Forwarder | |Application(s)|| |
  128. | | | Command | | Notification | +-----------+ +--------------+| |
  129. | | | Responder | | Receiver | | |
  130. | | +-----------+ +--------------+ | |
  131. | +---------------------------------------------------------------+ |
  132. | ^ ^ ^ ^ |
  133. | | | | | |
  134. | v v v v |
  135. | +--------+-------+---------------+-----------+ |
  136. | ^ |
  137. | | +---------------------+ +-----------------+ |
  138. | | | Message Processing | | Security | |
  139. | Dispatcher v | Subsystem | | Subsystem | |
  140. | +------------------+ | +------------+ | | | |
  141. | | PDU Dispatcher | | +->| v1MP * |<--->| +-------------+ | |
  142. | | | | | +------------+ | | | Other | | |
  143. | | | | | +------------+ | | | Security | | |
  144. | | | | +->| v2cMP * |<--->| | Model | | |
  145. | | Message | | | +------------+ | | +-------------+ | |
  146. | | Dispatcher <-------->+ | | | |
  147. | | | | | +------------+ | | +-------------+ | |
  148. | | | | +->| v3MP * |<--->| | User-based | | |
  149. | | Transport | | | +------------+ | | | Security | | |
  150. | | Mapping | | | +------------+ | | | Model | | |
  151. | | (e.g., RFC 3417) | | +->| otherMP * |<--->| +-------------+ | |
  152. | +------------------+ | +------------+ | | | |
  153. | ^ +---------------------+ +-----------------+ |
  154. | | |
  155. +----------|--------------------------------------------------------+
  156. v
  157. +------------------+
  158. | Network | * One or more models may be present.
  159. +------------------+
  160. Case, et al. Standards Track [Page 4]
  161. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  162. 2.1. The Dispatcher
  163. The Dispatcher is a key piece of an SNMP engine. There is only one
  164. in an SNMP engine, and its job is to dispatch tasks to the multiple
  165. version-specific Message Processing Models, and to dispatch PDUs to
  166. various applications.
  167. For outgoing messages, an application provides a PDU to be sent, plus
  168. the data needed to prepare and send the message, and the application
  169. specifies which version-specific Message Processing Model will be
  170. used to prepare the message with the desired security processing.
  171. Once the message is prepared, the Dispatcher sends the message.
  172. For incoming messages, the Dispatcher determines the SNMP version of
  173. the incoming message and passes the message to the version-specific
  174. Message Processing Model to extract the components of the message and
  175. to coordinate the processing of security services for the message.
  176. After version-specific processing, the PDU Dispatcher determines
  177. which application, if any, should receive the PDU for processing and
  178. forwards it accordingly.
  179. The Dispatcher, while sending and receiving SNMP messages, collects
  180. statistics about SNMP messages and the behavior of the SNMP engine in
  181. managed objects to make them accessible to remote SNMP entities.
  182. This document defines these managed objects, the MIB module which
  183. contains them, and how these managed objects might be used to provide
  184. useful management.
  185. 2.2. Message Processing Subsystem
  186. The SNMP Message Processing Subsystem is the part of an SNMP engine
  187. which interacts with the Dispatcher to handle the version-specific
  188. SNMP messages. It contains one or more Message Processing Models.
  189. This document describes one Message Processing Model, the SNMPv3
  190. Message Processing Model, in Section 6. The SNMPv3 Message
  191. Processing Model is defined in a separate section to show that
  192. multiple (independent) Message Processing Models can exist at the
  193. same time and that such Models can be described in different
  194. documents. The SNMPv3 Message Processing Model can be replaced or
  195. supplemented with other Message Processing Models in the future. Two
  196. Message Processing Models which are expected to be developed in the
  197. future are the SNMPv1 message format [RFC1157] and the SNMPv2c
  198. message format [RFC1901]. Others may be developed as needed.
  199. Case, et al. Standards Track [Page 5]
  200. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  201. 3. Elements of Message Processing and Dispatching
  202. See [RFC3411] for the definitions of:
  203. contextEngineID
  204. contextName
  205. scopedPDU
  206. maxSizeResponseScopedPDU
  207. securityModel
  208. securityName
  209. securityLevel
  210. messageProcessingModel
  211. For incoming messages, a version-specific message processing module
  212. provides these values to the Dispatcher. For outgoing messages, an
  213. application provides these values to the Dispatcher.
  214. For some version-specific processing, the values may be extracted
  215. from received messages; for other versions, the values may be
  216. determined by algorithm, or by an implementation-defined mechanism.
  217. The mechanism by which the value is determined is irrelevant to the
  218. Dispatcher.
  219. The following additional or expanded definitions are for use within
  220. the Dispatcher.
  221. 3.1. messageProcessingModel
  222. The value of messageProcessingModel identifies a Message Processing
  223. Model. A Message Processing Model describes the version-specific
  224. procedures for extracting data from messages, generating messages,
  225. calling upon a securityModel to apply its security services to
  226. messages, for converting data from a version-specific message format
  227. into a generic format usable by the Dispatcher, and for converting
  228. data from Dispatcher format into a version-specific message format.
  229. 3.2. pduVersion
  230. The value of pduVersion represents a specific version of protocol
  231. operation and its associated PDU formats, such as SNMPv1 or SNMPv2
  232. [RFC3416]. The values of pduVersion are specific to the version of
  233. the PDU contained in a message, and the PDUs processed by
  234. applications. The Dispatcher does not use the value of pduVersion
  235. directly.
  236. Case, et al. Standards Track [Page 6]
  237. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  238. An application specifies the pduVersion when it requests the PDU
  239. Dispatcher to send a PDU to another SNMP engine. The Dispatcher
  240. passes the pduVersion to a Message Processing Model, so it knows how
  241. to handle the PDU properly.
  242. For incoming messages, the pduVersion is provided to the Dispatcher
  243. by a version-specific Message Processing module. The PDU Dispatcher
  244. passes the pduVersion to the application so it knows how to handle
  245. the PDU properly. For example, a command responder application needs
  246. to know whether to use [RFC3416] elements of procedure and syntax
  247. instead of those specified for SNMPv1.
  248. 3.3. pduType
  249. A value of the pduType represents a specific type of protocol
  250. operation. The values of the pduType are specific to the version of
  251. the PDU contained in a message.
  252. Applications register to support particular pduTypes for particular
  253. contextEngineIDs.
  254. For incoming messages, pduType is provided to the Dispatcher by a
  255. version-specific Message Processing module. It is subsequently used
  256. to dispatch the PDU to the application which registered for the
  257. pduType for the contextEngineID of the associated scopedPDU.
  258. 3.4. sendPduHandle
  259. This handle is generated for coordinating the processing of requests
  260. and responses between the SNMP engine and an application. The handle
  261. must be unique across all version-specific Message Processing Models,
  262. and is of local significance only.
  263. 4. Dispatcher Elements of Procedure
  264. This section describes the procedures followed by the Dispatcher when
  265. generating and processing SNMP messages.
  266. 4.1. Sending an SNMP Message to the Network
  267. This section describes the procedure followed by an SNMP engine
  268. whenever it sends an SNMP message.
  269. Case, et al. Standards Track [Page 7]
  270. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  271. 4.1.1. Sending a Request or Notification
  272. The following procedures are followed by the Dispatcher when an
  273. application wants to send an SNMP PDU to another (remote)
  274. application, i.e., to initiate a communication by originating a
  275. message, such as one containing a request or a notification.
  276. 1) The application requests this using the abstract service
  277. primitive:
  278. statusInformation = -- sendPduHandle if success
  279. -- errorIndication if failure
  280. sendPdu(
  281. IN transportDomain -- transport domain to be used
  282. IN transportAddress -- destination network address
  283. IN messageProcessingModel -- typically, SNMP version
  284. IN securityModel -- Security Model to use
  285. IN securityName -- on behalf of this principal
  286. IN securityLevel -- Level of Security requested
  287. IN contextEngineID -- data from/at this entity
  288. IN contextName -- data from/in this context
  289. IN pduVersion -- the version of the PDU
  290. IN PDU -- SNMP Protocol Data Unit
  291. IN expectResponse -- TRUE or FALSE
  292. )
  293. 2) If the messageProcessingModel value does not represent a Message
  294. Processing Model known to the Dispatcher, then an errorIndication
  295. (implementation-dependent) is returned to the calling application.
  296. No further processing is performed.
  297. 3) The Dispatcher generates a sendPduHandle to coordinate subsequent
  298. processing.
  299. Case, et al. Standards Track [Page 8]
  300. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  301. 4) The Message Dispatcher sends the request to the version-specific
  302. Message Processing module identified by messageProcessingModel
  303. using the abstract service primitive:
  304. statusInformation = -- success or error indication
  305. prepareOutgoingMessage(
  306. IN transportDomain -- as specified by application
  307. IN transportAddress -- as specified by application
  308. IN messageProcessingModel -- as specified by application
  309. IN securityModel -- as specified by application
  310. IN securityName -- as specified by application
  311. IN securityLevel -- as specified by application
  312. IN contextEngineID -- as specified by application
  313. IN contextName -- as specified by application
  314. IN pduVersion -- as specified by application
  315. IN PDU -- as specified by application
  316. IN expectResponse -- as specified by application
  317. IN sendPduHandle -- as determined in step 3.
  318. OUT destTransportDomain -- destination transport domain
  319. OUT destTransportAddress -- destination transport address
  320. OUT outgoingMessage -- the message to send
  321. OUT outgoingMessageLength -- the message length
  322. )
  323. 5) If the statusInformation indicates an error, the errorIndication
  324. is returned to the calling application. No further processing is
  325. performed.
  326. 6) If the statusInformation indicates success, the sendPduHandle is
  327. returned to the application, and the outgoingMessage is sent. The
  328. transport used to send the outgoingMessage is returned via
  329. destTransportDomain, and the address to which it was sent is
  330. returned via destTransportAddress.
  331. Outgoing Message Processing is complete.
  332. 4.1.2. Sending a Response to the Network
  333. The following procedure is followed when an application wants to
  334. return a response back to the originator of an SNMP Request.
  335. Case, et al. Standards Track [Page 9]
  336. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  337. 1) An application can request this using the abstract service
  338. primitive:
  339. result =
  340. returnResponsePdu(
  341. IN messageProcessingModel -- typically, SNMP version
  342. IN securityModel -- Security Model in use
  343. IN securityName -- on behalf of this principal
  344. IN securityLevel -- same as on incoming request
  345. IN contextEngineID -- data from/at this SNMP entity
  346. IN contextName -- data from/in this context
  347. IN pduVersion -- the version of the PDU
  348. IN PDU -- SNMP Protocol Data Unit
  349. IN maxSizeResponseScopedPDU -- maximum size of Response PDU
  350. IN stateReference -- reference to state information
  351. -- as presented with the request
  352. IN statusInformation -- success or errorIndication
  353. ) -- (error counter OID and value
  354. -- when errorIndication)
  355. 2) The Message Dispatcher sends the request to the appropriate
  356. Message Processing Model indicated by the received value of
  357. messageProcessingModel using the abstract service primitive:
  358. result = -- SUCCESS or errorIndication
  359. prepareResponseMessage(
  360. IN messageProcessingModel -- specified by application
  361. IN securityModel -- specified by application
  362. IN securityName -- specified by application
  363. IN securityLevel -- specified by application
  364. IN contextEngineID -- specified by application
  365. IN contextName -- specified by application
  366. IN pduVersion -- specified by application
  367. IN PDU -- specified by application
  368. IN maxSizeResponseScopedPDU -- specified by application
  369. IN stateReference -- specified by application
  370. IN statusInformation -- specified by application
  371. OUT destTransportDomain -- destination transport domain
  372. OUT destTransportAddress -- destination transport address
  373. OUT outgoingMessage -- the message to send
  374. OUT outgoingMessageLength -- the message length
  375. )
  376. 3) If the result is an errorIndication, the errorIndication is
  377. returned to the calling application. No further processing is
  378. performed.
  379. Case, et al. Standards Track [Page 10]
  380. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  381. 4) If the result is success, the outgoingMessage is sent. The
  382. transport used to send the outgoingMessage is returned via
  383. destTransportDomain, and the address to which it was sent is
  384. returned via destTransportAddress.
  385. Message Processing is complete.
  386. 4.2. Receiving an SNMP Message from the Network
  387. This section describes the procedure followed by an SNMP engine
  388. whenever it receives an SNMP message.
  389. Please note, that for the sake of clarity and to prevent the text
  390. from being even longer and more complicated, some details were
  391. omitted from the steps below. In particular, the elements of
  392. procedure do not always explicitly indicate when state information
  393. needs to be released. The general rule is that if state information
  394. is available when a message is to be "discarded without further
  395. processing", then the state information must also be released at that
  396. same time.
  397. 4.2.1. Message Dispatching of received SNMP Messages
  398. 1) The snmpInPkts counter [RFC3418] is incremented.
  399. 2) The version of the SNMP message is determined in an
  400. implementation-dependent manner. If the packet cannot be
  401. sufficiently parsed to determine the version of the SNMP message,
  402. then the snmpInASNParseErrs [RFC3418] counter is incremented, and
  403. the message is discarded without further processing. If the
  404. version is not supported, then the snmpInBadVersions [RFC3418]
  405. counter is incremented, and the message is discarded without
  406. further processing.
  407. 3) The origin transportDomain and origin transportAddress are
  408. determined.
  409. Case, et al. Standards Track [Page 11]
  410. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  411. 4) The message is passed to the version-specific Message Processing
  412. Model which returns the abstract data elements required by the
  413. Dispatcher. This is performed using the abstract service
  414. primitive:
  415. result = -- SUCCESS or errorIndication
  416. prepareDataElements(
  417. IN transportDomain -- origin as determined in step 3.
  418. IN transportAddress -- origin as determined in step 3.
  419. IN wholeMsg -- as received from the network
  420. IN wholeMsgLength -- as received from the network
  421. OUT messageProcessingModel -- typically, SNMP version
  422. OUT securityModel -- Security Model specified
  423. OUT securityName -- on behalf of this principal
  424. OUT securityLevel -- Level of Security specified
  425. OUT contextEngineID -- data from/at this entity
  426. OUT contextName -- data from/in this context
  427. OUT pduVersion -- the version of the PDU
  428. OUT PDU -- SNMP Protocol Data Unit
  429. OUT pduType -- SNMP PDU type
  430. OUT sendPduHandle -- handle for a matched request
  431. OUT maxSizeResponseScopedPDU -- maximum size of Response PDU
  432. OUT statusInformation -- success or errorIndication
  433. -- (error counter OID and value
  434. -- when errorIndication)
  435. OUT stateReference -- reference to state information
  436. -- to be used for a possible
  437. ) -- Response
  438. 5) If the result is a FAILURE errorIndication, the message is
  439. discarded without further processing.
  440. 6) At this point, the abstract data elements have been prepared and
  441. processing continues as described in Section 4.2.2, PDU
  442. Dispatching for Incoming Messages.
  443. 4.2.2. PDU Dispatching for Incoming Messages
  444. The elements of procedure for the dispatching of PDUs depends on the
  445. value of sendPduHandle. If the value of sendPduHandle is <none>,
  446. then this is a request or notification and the procedures specified
  447. in Section 4.2.2.1 apply. If the value of snmpPduHandle is not
  448. <none>, then this is a response and the procedures specified in
  449. Section 4.2.2.2 apply.
  450. Case, et al. Standards Track [Page 12]
  451. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  452. 4.2.2.1. Incoming Requests and Notifications
  453. The following procedures are followed for the dispatching of PDUs
  454. when the value of sendPduHandle is <none>, indicating this is a
  455. request or notification.
  456. 1) The combination of contextEngineID and pduType is used to
  457. determine which application has registered for this request or
  458. notification.
  459. 2) If no application has registered for the combination, then:
  460. a) The snmpUnknownPDUHandlers counter is incremented.
  461. b) A Response message is generated using the abstract service
  462. primitive:
  463. result = -- SUCCESS or FAILURE
  464. prepareResponseMessage(
  465. IN messageProcessingModel -- as provided by MP module
  466. IN securityModel -- as provided by MP module
  467. IN securityName -- as provided by MP module
  468. IN securityLevel -- as provided by MP module
  469. IN contextEngineID -- as provided by MP module
  470. IN contextName -- as provided by MP module
  471. IN pduVersion -- as provided by MP module
  472. IN PDU -- as provided by MP module
  473. IN maxSizeResponseScopedPDU -- as provided by MP module
  474. IN stateReference -- as provided by MP module
  475. IN statusInformation -- errorIndication plus
  476. -- snmpUnknownPDUHandlers OID
  477. -- value pair.
  478. OUT destTransportDomain -- destination transportDomain
  479. OUT destTransportAddress -- destination transportAddress
  480. OUT outgoingMessage -- the message to send
  481. OUT outgoingMessageLength -- its length
  482. )
  483. c) If the result is SUCCESS, then the prepared message is sent to
  484. the originator of the request as identified by the
  485. transportDomain and transportAddress. The transport used to
  486. send the outgoingMessage is returned via destTransportDomain,
  487. and the address to which it was sent is returned via
  488. destTransportAddress.
  489. d) The incoming message is discarded without further processing.
  490. Message Processing for this message is complete.
  491. Case, et al. Standards Track [Page 13]
  492. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  493. 3) The PDU is dispatched to the application, using the abstract
  494. service primitive:
  495. processPdu( -- process Request/Notification
  496. IN messageProcessingModel -- as provided by MP module
  497. IN securityModel -- as provided by MP module
  498. IN securityName -- as provided by MP module
  499. IN securityLevel -- as provided by MP module
  500. IN contextEngineID -- as provided by MP module
  501. IN contextName -- as provided by MP module
  502. IN pduVersion -- as provided by MP module
  503. IN PDU -- as provided by MP module
  504. IN maxSizeResponseScopedPDU -- as provided by MP module
  505. IN stateReference -- as provided by MP module
  506. -- needed when sending response
  507. )
  508. Message processing for this message is complete.
  509. 4.2.2.2. Incoming Responses
  510. The following procedures are followed for the dispatching of PDUs
  511. when the value of sendPduHandle is not <none>, indicating this is a
  512. response.
  513. 1) The value of sendPduHandle is used to determine, in an
  514. implementation-defined manner, which application is waiting for a
  515. response associated with this sendPduHandle.
  516. 2) If no waiting application is found, the message is discarded
  517. without further processing, and the stateReference is released.
  518. The snmpUnknownPDUHandlers counter is incremented. Message
  519. Processing is complete for this message.
  520. 3) Any cached information, including stateReference, about the
  521. message is discarded.
  522. Case, et al. Standards Track [Page 14]
  523. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  524. 4) The response is dispatched to the application using the abstract
  525. service primitive:
  526. processResponsePdu( -- process Response PDU
  527. IN messageProcessingModel -- provided by the MP module
  528. IN securityModel -- provided by the MP module
  529. IN securityName -- provided by the MP module
  530. IN securityLevel -- provided by the MP module
  531. IN contextEngineID -- provided by the MP module
  532. IN contextName -- provided by the MP module
  533. IN pduVersion -- provided by the MP module
  534. IN PDU -- provided by the MP module
  535. IN statusInformation -- provided by the MP module
  536. IN sendPduHandle -- provided by the MP module
  537. )
  538. Message Processing is complete for this message.
  539. 4.3. Application Registration for Handling PDU types
  540. Applications that want to process certain PDUs must register with the
  541. PDU Dispatcher. Applications specify the combination of
  542. contextEngineID and pduType(s) for which they want to take
  543. responsibility.
  544. 1) An application registers according to the abstract interface
  545. primitive:
  546. statusInformation = -- success or errorIndication
  547. registerContextEngineID(
  548. IN contextEngineID -- take responsibility for this one
  549. IN pduType -- the pduType(s) to be registered
  550. )
  551. Note: Implementations may provide a means of requesting
  552. registration for simultaneous multiple contextEngineID values,
  553. e.g., all contextEngineID values, and may also provide a means for
  554. requesting simultaneous registration for multiple values of the
  555. pduType.
  556. 2) The parameters may be checked for validity; if they are not, then
  557. an errorIndication (invalidParameter) is returned to the
  558. application.
  559. 3) Each combination of contextEngineID and pduType can be registered
  560. only once. If another application has already registered for the
  561. specified combination, then an errorIndication (alreadyRegistered)
  562. is returned to the application.
  563. Case, et al. Standards Track [Page 15]
  564. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  565. 4) Otherwise, the registration is saved so that SNMP PDUs can be
  566. dispatched to this application.
  567. 4.4. Application Unregistration for Handling PDU Types
  568. Applications that no longer want to process certain PDUs must
  569. unregister with the PDU Dispatcher.
  570. 1) An application unregisters using the abstract service primitive:
  571. unregisterContextEngineID(
  572. IN contextEngineID -- give up responsibility for this
  573. IN pduType -- the pduType(s) to be unregistered
  574. )
  575. Note: Implementations may provide a means for requesting the
  576. unregistration for simultaneous multiple contextEngineID values,
  577. e.g., all contextEngineID values, and may also provide a means for
  578. requesting simultaneous unregistration for multiple values of
  579. pduType.
  580. 2) If the contextEngineID and pduType combination has been
  581. registered, then the registration is deleted.
  582. If no such registration exists, then the request is ignored.
  583. 5. Definitions
  584. 5.1. Definitions for SNMP Message Processing and Dispatching
  585. SNMP-MPD-MIB DEFINITIONS ::= BEGIN
  586. IMPORTS
  587. MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
  588. MODULE-IDENTITY, OBJECT-TYPE,
  589. snmpModules, Counter32 FROM SNMPv2-SMI;
  590. snmpMPDMIB MODULE-IDENTITY
  591. LAST-UPDATED "200210140000Z"
  592. ORGANIZATION "SNMPv3 Working Group"
  593. CONTACT-INFO "WG-EMail: snmpv3@lists.tislabs.com
  594. Subscribe: snmpv3-request@lists.tislabs.com
  595. Co-Chair: Russ Mundy
  596. Network Associates Laboratories
  597. postal: 15204 Omega Drive, Suite 300
  598. Rockville, MD 20850-4601
  599. USA
  600. Case, et al. Standards Track [Page 16]
  601. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  602. EMail: mundy@tislabs.com
  603. phone: +1 301-947-7107
  604. Co-Chair &
  605. Co-editor: David Harrington
  606. Enterasys Networks
  607. postal: 35 Industrial Way
  608. P. O. Box 5005
  609. Rochester NH 03866-5005
  610. USA
  611. EMail: dbh@enterasys.com
  612. phone: +1 603-337-2614
  613. Co-editor: Jeffrey Case
  614. SNMP Research, Inc.
  615. postal: 3001 Kimberlin Heights Road
  616. Knoxville, TN 37920-9716
  617. USA
  618. EMail: case@snmp.com
  619. phone: +1 423-573-1434
  620. Co-editor: Randy Presuhn
  621. BMC Software, Inc.
  622. postal: 2141 North First Street
  623. San Jose, CA 95131
  624. USA
  625. EMail: randy_presuhn@bmc.com
  626. phone: +1 408-546-1006
  627. Co-editor: Bert Wijnen
  628. Lucent Technologies
  629. postal: Schagen 33
  630. 3461 GL Linschoten
  631. Netherlands
  632. EMail: bwijnen@lucent.com
  633. phone: +31 348-680-485
  634. "
  635. DESCRIPTION "The MIB for Message Processing and Dispatching
  636. Copyright (C) The Internet Society (2002). This
  637. version of this MIB module is part of RFC 3412;
  638. see the RFC itself for full legal notices.
  639. "
  640. REVISION "200210140000Z" -- 14 October 2002
  641. DESCRIPTION "Updated addresses, published as RFC 3412."
  642. REVISION "199905041636Z" -- 4 May 1999
  643. DESCRIPTION "Updated addresses, published as RFC 2572."
  644. Case, et al. Standards Track [Page 17]
  645. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  646. REVISION "199709300000Z" -- 30 September 1997
  647. DESCRIPTION "Original version, published as RFC 2272."
  648. ::= { snmpModules 11 }
  649. -- Administrative assignments ***************************************
  650. snmpMPDAdmin OBJECT IDENTIFIER ::= { snmpMPDMIB 1 }
  651. snmpMPDMIBObjects OBJECT IDENTIFIER ::= { snmpMPDMIB 2 }
  652. snmpMPDMIBConformance OBJECT IDENTIFIER ::= { snmpMPDMIB 3 }
  653. -- Statistics for SNMP Messages *************************************
  654. snmpMPDStats OBJECT IDENTIFIER ::= { snmpMPDMIBObjects 1 }
  655. snmpUnknownSecurityModels OBJECT-TYPE
  656. SYNTAX Counter32
  657. MAX-ACCESS read-only
  658. STATUS current
  659. DESCRIPTION "The total number of packets received by the SNMP
  660. engine which were dropped because they referenced a
  661. securityModel that was not known to or supported by
  662. the SNMP engine.
  663. "
  664. ::= { snmpMPDStats 1 }
  665. snmpInvalidMsgs OBJECT-TYPE
  666. SYNTAX Counter32
  667. MAX-ACCESS read-only
  668. STATUS current
  669. DESCRIPTION "The total number of packets received by the SNMP
  670. engine which were dropped because there were invalid
  671. or inconsistent components in the SNMP message.
  672. "
  673. ::= { snmpMPDStats 2 }
  674. snmpUnknownPDUHandlers OBJECT-TYPE
  675. SYNTAX Counter32
  676. MAX-ACCESS read-only
  677. STATUS current
  678. DESCRIPTION "The total number of packets received by the SNMP
  679. engine which were dropped because the PDU contained
  680. in the packet could not be passed to an application
  681. responsible for handling the pduType, e.g. no SNMP
  682. application had registered for the proper
  683. combination of the contextEngineID and the pduType.
  684. "
  685. ::= { snmpMPDStats 3 }
  686. Case, et al. Standards Track [Page 18]
  687. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  688. -- Conformance information ******************************************
  689. snmpMPDMIBCompliances OBJECT IDENTIFIER ::= {snmpMPDMIBConformance 1}
  690. snmpMPDMIBGroups OBJECT IDENTIFIER ::= {snmpMPDMIBConformance 2}
  691. -- Compliance statements
  692. snmpMPDCompliance MODULE-COMPLIANCE
  693. STATUS current
  694. DESCRIPTION "The compliance statement for SNMP entities which
  695. implement the SNMP-MPD-MIB.
  696. "
  697. MODULE -- this module
  698. MANDATORY-GROUPS { snmpMPDGroup }
  699. ::= { snmpMPDMIBCompliances 1 }
  700. snmpMPDGroup OBJECT-GROUP
  701. OBJECTS {
  702. snmpUnknownSecurityModels,
  703. snmpInvalidMsgs,
  704. snmpUnknownPDUHandlers
  705. }
  706. STATUS current
  707. DESCRIPTION "A collection of objects providing for remote
  708. monitoring of the SNMP Message Processing and
  709. Dispatching process.
  710. "
  711. ::= { snmpMPDMIBGroups 1 }
  712. END
  713. 6. The SNMPv3 Message Format
  714. This section defines the SNMPv3 message format and the corresponding
  715. SNMP version 3 Message Processing Model (v3MP).
  716. SNMPv3MessageSyntax DEFINITIONS IMPLICIT TAGS ::= BEGIN
  717. SNMPv3Message ::= SEQUENCE {
  718. -- identify the layout of the SNMPv3Message
  719. -- this element is in same position as in SNMPv1
  720. -- and SNMPv2c, allowing recognition
  721. -- the value 3 is used for snmpv3
  722. msgVersion INTEGER ( 0 .. 2147483647 ),
  723. -- administrative parameters
  724. msgGlobalData HeaderData,
  725. -- security model-specific parameters
  726. -- format defined by Security Model
  727. Case, et al. Standards Track [Page 19]
  728. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  729. msgSecurityParameters OCTET STRING,
  730. msgData ScopedPduData
  731. }
  732. HeaderData ::= SEQUENCE {
  733. msgID INTEGER (0..2147483647),
  734. msgMaxSize INTEGER (484..2147483647),
  735. msgFlags OCTET STRING (SIZE(1)),
  736. -- .... ...1 authFlag
  737. -- .... ..1. privFlag
  738. -- .... .1.. reportableFlag
  739. -- Please observe:
  740. -- .... ..00 is OK, means noAuthNoPriv
  741. -- .... ..01 is OK, means authNoPriv
  742. -- .... ..10 reserved, MUST NOT be used.
  743. -- .... ..11 is OK, means authPriv
  744. msgSecurityModel INTEGER (1..2147483647)
  745. }
  746. ScopedPduData ::= CHOICE {
  747. plaintext ScopedPDU,
  748. encryptedPDU OCTET STRING -- encrypted scopedPDU value
  749. }
  750. ScopedPDU ::= SEQUENCE {
  751. contextEngineID OCTET STRING,
  752. contextName OCTET STRING,
  753. data ANY -- e.g., PDUs as defined in [RFC3416]
  754. }
  755. END
  756. 6.1. msgVersion
  757. The msgVersion field is set to snmpv3(3) and identifies the message
  758. as an SNMP version 3 Message.
  759. 6.2. msgID
  760. The msgID is used between two SNMP entities to coordinate request
  761. messages and responses, and by the v3MP to coordinate the processing
  762. of the message by different subsystem models within the architecture.
  763. Values for msgID SHOULD be generated in a manner that avoids re-use
  764. of any outstanding values. Doing so provides protection against some
  765. replay attacks. One possible implementation strategy would be to use
  766. the low-order bits of snmpEngineBoots [RFC3411] as the high-order
  767. Case, et al. Standards Track [Page 20]
  768. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  769. portion of the msgID value and a monotonically increasing integer for
  770. the low-order portion of msgID.
  771. Note that the request-id in a PDU may be used by SNMP applications to
  772. identify the PDU; the msgID is used by the engine to identify the
  773. message which carries a PDU. The engine needs to identify the
  774. message even if decryption of the PDU (and request-id) fails. No
  775. assumption should be made that the value of the msgID and the value
  776. of the request-id are equivalent.
  777. The value of the msgID field for a response takes the value of the
  778. msgID field from the message to which it is a response. By use of
  779. the msgID value, an engine can distinguish the (potentially multiple)
  780. outstanding requests, and thereby correlate incoming responses with
  781. outstanding requests. In cases where an unreliable datagram service
  782. is used, the msgID also provides a simple means of identifying
  783. messages duplicated by the network. If a request is retransmitted, a
  784. new msgID value SHOULD be used for each retransmission.
  785. 6.3. msgMaxSize
  786. The msgMaxSize field of the message conveys the maximum message size
  787. supported by the sender of the message, i.e., the maximum message
  788. size that the sender can accept when another SNMP engine sends an
  789. SNMP message (be it a response or any other message) to the sender of
  790. this message on the transport in use for this message.
  791. When an SNMP message is being generated, the msgMaxSize is provided
  792. by the SNMP engine which generates the message. At the receiving
  793. SNMP engine, the msgMaxSize is used to determine the maximum message
  794. size the sender can accommodate.
  795. 6.4. msgFlags
  796. The msgFlags field of the message contains several bit fields which
  797. control processing of the message.
  798. The reportableFlag is a secondary aid in determining whether a Report
  799. PDU MUST be sent. It is only used in cases where the PDU portion of
  800. a message cannot be decoded, due to, for example, an incorrect
  801. encryption key. If the PDU can be decoded, the PDU type forms the
  802. basis for decisions on sending Report PDUs.
  803. When the reportableFlag is used, if its value is one, a Report PDU
  804. MUST be returned to the sender under those conditions which can cause
  805. the generation of Report PDUs. Similarly, when the reportableFlag is
  806. used and its value is zero, then a Report PDU MUST NOT be sent. The
  807. reportableFlag MUST always be zero when the message contains a PDU
  808. Case, et al. Standards Track [Page 21]
  809. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  810. from the Unconfirmed Class, such as a Report PDU, a response-type PDU
  811. (such as a Response PDU), or an unacknowledged notification-type PDU
  812. (such as an SNMPv2-trap PDU). The reportableFlag MUST always be one
  813. for a PDU from the Confirmed Class, including request-type PDUs (such
  814. as a Get PDU) and acknowledged notification-type PDUs (such as an
  815. Inform PDU).
  816. If the reportableFlag is set to one for a message containing a PDU
  817. from the Unconfirmed Class, such as a Report PDU, a response-type PDU
  818. (such as a Response PDU), or an unacknowledged notification-type PDU
  819. (such as an SNMPv2-trap PDU), then the receiver of that message MUST
  820. process it as though the reportableFlag had been set to zero.
  821. If the reportableFlag is set to zero for a message containing a
  822. request-type PDU (such as a Get PDU) or an acknowledged
  823. notification-type PDU (such as an Inform PDU), then the receiver of
  824. that message MUST process it as though the reportableFlag had been
  825. set to one.
  826. Report PDUs are generated directly by the SNMPv3 Message Processing
  827. Model, and support engine-to-engine communications, but may be passed
  828. to applications for processing.
  829. An SNMP engine that receives a reportPDU may use it to determine what
  830. kind of problem was detected by the remote SNMP engine. It can do so
  831. based on the error counter included as the first (and only) varBind
  832. of the reportPDU. Based on the detected error, the SNMP engine may
  833. try to send a corrected SNMP message. If that is not possible, it
  834. may pass an indication of the error to the application on whose
  835. behalf the failed SNMP request was issued.
  836. The authFlag and privFlag portions of the msgFlags field are set by
  837. the sender to indicate the securityLevel that was applied to the
  838. message before it was sent on the wire. The receiver of the message
  839. MUST apply the same securityLevel when the message is received and
  840. the contents are being processed.
  841. There are three securityLevels, namely noAuthNoPriv, which is less
  842. than authNoPriv, which is in turn less than authPriv. See the SNMP
  843. architecture document [RFC3411] for details about the securityLevel.
  844. a) authFlag
  845. If the authFlag is set to one, then the securityModel used by the
  846. SNMP engine which sent the message MUST identify the securityName
  847. on whose behalf the SNMP message was generated and MUST provide,
  848. in a securityModel-specific manner, sufficient data for the
  849. receiver of the message to be able to authenticate that
  850. Case, et al. Standards Track [Page 22]
  851. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  852. identification. In general, this authentication will allow the
  853. receiver to determine with reasonable certainty that the message
  854. was:
  855. - sent on behalf of the principal associated with the
  856. securityName,
  857. - was not redirected,
  858. - was not modified in transit, and
  859. - was not replayed.
  860. If the authFlag is zero, then the securityModel used by the SNMP
  861. engine which sent the message MUST identify the securityName on
  862. whose behalf the SNMP message was generated but it does not need
  863. to provide sufficient data for the receiver of the message to
  864. authenticate the identification, as there is no need to
  865. authenticate the message in this case.
  866. b) privFlag
  867. If the privFlag is set, then the securityModel used by the SNMP
  868. engine which sent the message MUST also protect the scopedPDU in
  869. an SNMP message from disclosure, i.e., it MUST encrypt/decrypt the
  870. scopedPDU. If the privFlag is zero, then the securityModel in use
  871. does not need to protect the data from disclosure.
  872. It is an explicit requirement of the SNMP architecture that if
  873. privacy is selected, then authentication is also required. That
  874. means that if the privFlag is set, then the authFlag MUST also be
  875. set to one.
  876. The combination of the authFlag and the privFlag comprises a Level
  877. of Security as follows:
  878. authFlag zero, privFlag zero -> securityLevel is noAuthNoPriv
  879. authFlag zero, privFlag one -> invalid combination, see below
  880. authFlag one, privFlag zero -> securityLevel is authNoPriv
  881. authFlag one, privFlag one -> securityLevel is authPriv
  882. The elements of procedure (see below) describe the action to be taken
  883. when the invalid combination of authFlag equal to zero and privFlag
  884. equal to one is encountered.
  885. The remaining bits in msgFlags are reserved, and MUST be set to zero
  886. when sending a message and SHOULD be ignored when receiving a
  887. message.
  888. Case, et al. Standards Track [Page 23]
  889. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  890. 6.5. msgSecurityModel
  891. The v3MP supports the concurrent existence of multiple Security
  892. Models to provide security services for SNMPv3 messages. The
  893. msgSecurityModel field in an SNMPv3 Message identifies which Security
  894. Model was used by the sender to generate the message and therefore
  895. which securityModel MUST be used by the receiver to perform security
  896. processing for the message. The mapping to the appropriate
  897. securityModel implementation within an SNMP engine is accomplished in
  898. an implementation-dependent manner.
  899. 6.6. msgSecurityParameters
  900. The msgSecurityParameters field of the SNMPv3 Message is used for
  901. communication between the Security Model modules in the sending and
  902. receiving SNMP engines. The data in the msgSecurityParameters field
  903. is used exclusively by the Security Model, and the contents and
  904. format of the data is defined by the Security Model. This OCTET
  905. STRING is not interpreted by the v3MP, but is passed to the local
  906. implementation of the Security Model indicated by the
  907. msgSecurityModel field in the message.
  908. 6.7. scopedPduData
  909. The scopedPduData field represents either the plain text scopedPDU if
  910. the privFlag in the msgFlags is zero, or it represents an
  911. encryptedPDU (encoded as an OCTET STRING) which MUST be decrypted by
  912. the securityModel in use to produce a plaintext scopedPDU.
  913. 6.8. scopedPDU
  914. The scopedPDU contains information to identify an administratively
  915. unique context and a PDU. The object identifiers in the PDU refer to
  916. managed objects which are (expected to be) accessible within the
  917. specified context.
  918. 6.8.1. contextEngineID
  919. The contextEngineID in the SNMPv3 message uniquely identifies, within
  920. an administrative domain, an SNMP entity that may realize an instance
  921. of a context with a particular contextName.
  922. For incoming messages, the contextEngineID is used in conjunction
  923. with the pduType to determine to which application the scopedPDU will
  924. be sent for processing.
  925. For outgoing messages, the v3MP sets the contextEngineID to the value
  926. provided by the application in the request for a message to be sent.
  927. Case, et al. Standards Track [Page 24]
  928. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  929. 6.8.2. contextName
  930. The contextName field in an SNMPv3 message, in conjunction with the
  931. contextEngineID field, identifies the particular context associated
  932. with the management information contained in the PDU portion of the
  933. message. The contextName is unique within the SNMP entity specified
  934. by the contextEngineID, which may realize the managed objects
  935. referenced within the PDU. An application which originates a message
  936. provides the value for the contextName field and this value may be
  937. used during processing by an application at the receiving SNMP
  938. Engine.
  939. 6.8.3. data
  940. The data field of the SNMPv3 Message contains the PDU. Among other
  941. things, the PDU contains the PDU type that is used by the v3MP to
  942. determine the type of the incoming SNMP message. The v3MP specifies
  943. that the PDU MUST be one of those specified in [RFC3416].
  944. 7. Elements of Procedure for v3MP
  945. This section describes the procedures followed by an SNMP engine when
  946. generating and processing SNMP messages according to the SNMPv3
  947. Message Processing Model.
  948. Please note, that for the sake of clarity and to prevent the text
  949. from being even longer and more complicated, some details were
  950. omitted from the steps below.
  951. a) Some steps specify that when some error conditions are
  952. encountered when processing a received message, a message
  953. containing a Report PDU is generated and the received message
  954. is discarded without further processing. However, a Report-PDU
  955. MUST NOT be generated unless the PDU causing generation of the
  956. Report PDU can be determined to be a member of the Confirmed
  957. Class, or the reportableFlag is set to one and the PDU class
  958. cannot be determined.
  959. b) The elements of procedure do not always explicitly indicate
  960. when state information needs to be released. The general rule
  961. is that if state information is available when a message is to
  962. be "discarded without further processing", then the state
  963. information should also be released at that same time.
  964. Case, et al. Standards Track [Page 25]
  965. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  966. 7.1. Prepare an Outgoing SNMP Message
  967. This section describes the procedure followed to prepare an SNMPv3
  968. message from the data elements passed by the Message Dispatcher.
  969. 1) The Message Dispatcher may request that an SNMPv3 message
  970. containing a Read Class, Write Class, or Notification Class PDU be
  971. prepared for sending.
  972. a) It makes such a request according to the abstract service
  973. primitive:
  974. statusInformation = -- success or errorIndication
  975. prepareOutgoingMessage(
  976. IN transportDomain -- requested transport domain
  977. IN transportAddress -- requested destination address
  978. IN messageProcessingModel -- typically, SNMP version
  979. IN securityModel -- Security Model to use
  980. IN securityName -- on behalf of this principal
  981. IN securityLevel -- Level of Security requested
  982. IN contextEngineID -- data from/at this entity
  983. IN contextName -- data from/in this context
  984. IN pduVersion -- version of the PDU *
  985. IN PDU -- SNMP Protocol Data Unit
  986. IN expectResponse -- TRUE or FALSE *
  987. IN sendPduHandle -- the handle for matching
  988. -- incoming responses
  989. OUT destTransportDomain -- destination transport domain
  990. OUT destTransportAddress -- destination transport address
  991. OUT outgoingMessage -- the message to send
  992. OUT outgoingMessageLength -- the length of the message
  993. )
  994. * The SNMPv3 Message Processing Model does not use the values of
  995. expectResponse or pduVersion.
  996. b) A unique msgID is generated. The number used for msgID should
  997. not have been used recently, and MUST NOT be the same as was
  998. used for any outstanding request.
  999. 2) The Message Dispatcher may request that an SNMPv3 message
  1000. containing a Response Class or Internal Class PDU be prepared for
  1001. sending.
  1002. Case, et al. Standards Track [Page 26]
  1003. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1004. a) It makes such a request according to the abstract service
  1005. primitive:
  1006. result = -- SUCCESS or FAILURE
  1007. prepareResponseMessage(
  1008. IN messageProcessingModel -- typically, SNMP version
  1009. IN securityModel -- same as on incoming request
  1010. IN securityName -- same as on incoming request
  1011. IN securityLevel -- same as on incoming request
  1012. IN contextEngineID -- data from/at this SNMP entity
  1013. IN contextName -- data from/in this context
  1014. IN pduVersion -- version of the PDU
  1015. IN PDU -- SNMP Protocol Data Unit
  1016. IN maxSizeResponseScopedPDU -- maximum size sender can
  1017. -- accept
  1018. IN stateReference -- reference to state
  1019. -- information presented with
  1020. -- the request
  1021. IN statusInformation -- success or errorIndication
  1022. -- error counter OID and value
  1023. -- when errorIndication
  1024. OUT destTransportDomain -- destination transport domain
  1025. OUT destTransportAddress -- destination transport address
  1026. OUT outgoingMessage -- the message to send
  1027. OUT outgoingMessageLength -- the length of the message
  1028. )
  1029. b) The cached information for the original request is retrieved
  1030. via the stateReference, including:
  1031. - msgID,
  1032. - contextEngineID,
  1033. - contextName,
  1034. - securityModel,
  1035. - securityName,
  1036. - securityLevel,
  1037. - securityStateReference,
  1038. - reportableFlag,
  1039. - transportDomain, and
  1040. - transportAddress.
  1041. The SNMPv3 Message Processing Model does not allow cached data
  1042. to be overridden, except by error indications as detailed in
  1043. (3) below.
  1044. Case, et al. Standards Track [Page 27]
  1045. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1046. 3) If statusInformation contains values for an OID/value combination
  1047. (potentially also containing a securityLevel value,
  1048. contextEngineID value, or contextName value), then:
  1049. a) If a PDU is provided, it is the PDU from the original request.
  1050. If possible, extract the request-id and pduType.
  1051. b) If the pduType is determined to not be a member of the
  1052. Confirmed Class, or if the reportableFlag is zero and the
  1053. pduType cannot be determined, then the original message is
  1054. discarded, and no further processing is done. A result of
  1055. FAILURE is returned. SNMPv3 Message Processing is complete.
  1056. c) A Report PDU is prepared:
  1057. 1) the varBindList is set to contain the OID and value from the
  1058. statusInformation.
  1059. 2) error-status is set to 0.
  1060. 3) error-index is set to 0.
  1061. 4) request-id is set to the value extracted in step b).
  1062. Otherwise, request-id is set to 0.
  1063. d) The errorIndication in statusInformation may be accompanied by
  1064. a securityLevel value, a contextEngineID value, or a
  1065. contextName value.
  1066. 1) If statusInformation contains a value for securityLevel,
  1067. then securityLevel is set to that value, otherwise it is set
  1068. to noAuthNoPriv.
  1069. 2) If statusInformation contains a value for contextEngineID,
  1070. then contextEngineID is set to that value, otherwise it is
  1071. set to the value of this entity's snmpEngineID.
  1072. 3) If statusInformation contains a value for contextName, then
  1073. contextName is set to that value, otherwise it is set to the
  1074. default context of "" (zero-length string).
  1075. e) PDU is set to refer to the new Report-PDU. The old PDU is
  1076. discarded.
  1077. f) Processing continues with step 6) below.
  1078. Case, et al. Standards Track [Page 28]
  1079. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1080. 4) If the contextEngineID is not yet determined, then the
  1081. contextEngineID is determined, in an implementation-dependent
  1082. manner, possibly using the transportDomain and transportAddress.
  1083. 5) If the contextName is not yet determined, the contextName is set
  1084. to the default context.
  1085. 6) A scopedPDU is prepared from the contextEngineID, contextName, and
  1086. PDU.
  1087. 7) msgGlobalData is constructed as follows:
  1088. a) The msgVersion field is set to snmpv3(3).
  1089. b) msgID is set as determined in step 1 or 2 above.
  1090. c) msgMaxSize is set to an implementation-dependent value.
  1091. d) msgFlags are set as follows:
  1092. - If securityLevel specifies noAuthNoPriv, then authFlag and
  1093. privFlag are both set to zero.
  1094. - If securityLevel specifies authNoPriv, then authFlag is set
  1095. to one and privFlag is set to zero.
  1096. - If securityLevel specifies authPriv, then authFlag is set to
  1097. one and privFlag is set to one.
  1098. - If the PDU is from the Unconfirmed Class, then the
  1099. reportableFlag is set to zero.
  1100. - If the PDU is from the Confirmed Class then the
  1101. reportableFlag is set to one.
  1102. - All other msgFlags bits are set to zero.
  1103. e) msgSecurityModel is set to the value of securityModel.
  1104. Case, et al. Standards Track [Page 29]
  1105. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1106. 8) If the PDU is from the Response Class or the Internal Class, then:
  1107. a) The specified Security Model is called to generate the message
  1108. according to the primitive:
  1109. statusInformation =
  1110. generateResponseMsg(
  1111. IN messageProcessingModel -- SNMPv3 Message Processing
  1112. -- Model
  1113. IN globalData -- msgGlobalData from step 7
  1114. IN maxMessageSize -- from msgMaxSize (step 7c)
  1115. IN securityModel -- as determined in step 7e
  1116. IN securityEngineID -- the value of snmpEngineID
  1117. IN securityName -- on behalf of this principal
  1118. IN securityLevel -- for the outgoing message
  1119. IN scopedPDU -- as prepared in step 6)
  1120. IN securityStateReference -- as determined in step 2
  1121. OUT securityParameters -- filled in by Security Module
  1122. OUT wholeMsg -- complete generated message
  1123. OUT wholeMsgLength -- length of generated message
  1124. )
  1125. If, upon return from the Security Model, the statusInformation
  1126. includes an errorIndication, then any cached information about
  1127. the outstanding request message is discarded, and an
  1128. errorIndication is returned, so it can be returned to the
  1129. calling application. SNMPv3 Message Processing is complete.
  1130. b) A SUCCESS result is returned. SNMPv3 Message Processing is
  1131. complete.
  1132. 9) If the PDU is from the Confirmed Class or the Notification Class,
  1133. then:
  1134. a) If the PDU is from the Unconfirmed Class, then securityEngineID
  1135. is set to the value of this entity's snmpEngineID.
  1136. Otherwise, the snmpEngineID of the target entity is determined,
  1137. in an implementation-dependent manner, possibly using
  1138. transportDomain and transportAddress. The value of the
  1139. securityEngineID is set to the value of the target entity's
  1140. snmpEngineID.
  1141. Case, et al. Standards Track [Page 30]
  1142. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1143. b) The specified Security Model is called to generate the message
  1144. according to the primitive:
  1145. statusInformation =
  1146. generateRequestMsg(
  1147. IN messageProcessingModel -- SNMPv3 Message Processing Model
  1148. IN globalData -- msgGlobalData, from step 7
  1149. IN maxMessageSize -- from msgMaxSize in step 7 c)
  1150. IN securityModel -- as provided by caller
  1151. IN securityEngineID -- authoritative SNMP entity
  1152. -- from step 9 a)
  1153. IN securityName -- as provided by caller
  1154. IN securityLevel -- as provided by caller
  1155. IN scopedPDU -- as prepared in step 6
  1156. OUT securityParameters -- filled in by Security Module
  1157. OUT wholeMsg -- complete generated message
  1158. OUT wholeMsgLength -- length of the generated message
  1159. )
  1160. If, upon return from the Security Model, the statusInformation
  1161. includes an errorIndication, then the message is discarded, and
  1162. the errorIndication is returned, so it can be returned to the
  1163. calling application, and no further processing is done. SNMPv3
  1164. Message Processing is complete.
  1165. c) If the PDU is from the Confirmed Class, information about the
  1166. outgoing message is cached, and an implementation-specific
  1167. stateReference is created. Information to be cached includes
  1168. the values of:
  1169. - sendPduHandle
  1170. - msgID
  1171. - snmpEngineID
  1172. - securityModel
  1173. - securityName
  1174. - securityLevel
  1175. - contextEngineID
  1176. - contextName
  1177. d) A SUCCESS result is returned. SNMPv3 Message Processing is
  1178. complete.
  1179. Case, et al. Standards Track [Page 31]
  1180. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1181. 7.2. Prepare Data Elements from an Incoming SNMP Message
  1182. This section describes the procedure followed to extract data from an
  1183. SNMPv3 message, and to prepare the data elements required for further
  1184. processing of the message by the Message Dispatcher.
  1185. 1) The message is passed in from the Message Dispatcher according to
  1186. the abstract service primitive:
  1187. result = -- SUCCESS or errorIndication
  1188. prepareDataElements(
  1189. IN transportDomain -- origin transport domain
  1190. IN transportAddress -- origin transport address
  1191. IN wholeMsg -- as received from the network
  1192. IN wholeMsgLength -- as received from the network
  1193. OUT messageProcessingModel -- typically, SNMP version
  1194. OUT securityModel -- Security Model to use
  1195. OUT securityName -- on behalf of this principal
  1196. OUT securityLevel -- Level of Security requested
  1197. OUT contextEngineID -- data from/at this entity
  1198. OUT contextName -- data from/in this context
  1199. OUT pduVersion -- version of the PDU
  1200. OUT PDU -- SNMP Protocol Data Unit
  1201. OUT pduType -- SNMP PDU type
  1202. OUT sendPduHandle -- handle for matched request
  1203. OUT maxSizeResponseScopedPDU -- maximum size sender can accept
  1204. OUT statusInformation -- success or errorIndication
  1205. -- error counter OID and value
  1206. -- when errorIndication
  1207. OUT stateReference -- reference to state information
  1208. -- to be used for a possible
  1209. ) -- Response
  1210. 2) If the received message is not the serialization (according to
  1211. the conventions of [RFC3417]) of an SNMPv3Message value, then the
  1212. snmpInASNParseErrs counter [RFC3418] is incremented, the message
  1213. is discarded without further processing, and a FAILURE result is
  1214. returned. SNMPv3 Message Processing is complete.
  1215. 3) The values for msgVersion, msgID, msgMaxSize, msgFlags,
  1216. msgSecurityModel, msgSecurityParameters, and msgData are
  1217. extracted from the message.
  1218. 4) If the value of the msgSecurityModel component does not match a
  1219. supported securityModel, then the snmpUnknownSecurityModels
  1220. counter is incremented, the message is discarded without further
  1221. processing, and a FAILURE result is returned. SNMPv3 Message
  1222. Processing is complete.
  1223. Case, et al. Standards Track [Page 32]
  1224. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1225. 5) The securityLevel is determined from the authFlag and the
  1226. privFlag bits of the msgFlags component as follows:
  1227. a) If the authFlag is not set and the privFlag is not set, then
  1228. securityLevel is set to noAuthNoPriv.
  1229. b) If the authFlag is set and the privFlag is not set, then
  1230. securityLevel is set to authNoPriv.
  1231. c) If the authFlag is set and the privFlag is set, then
  1232. securityLevel is set to authPriv.
  1233. d) If the authFlag is not set and privFlag is set, then the
  1234. snmpInvalidMsgs counter is incremented, the message is
  1235. discarded without further processing, and a FAILURE result is
  1236. returned. SNMPv3 Message Processing is complete.
  1237. e) Any other bits in the msgFlags are ignored.
  1238. 6) The security module implementing the Security Model as specified
  1239. by the securityModel component is called for authentication and
  1240. privacy services. This is done according to the abstract service
  1241. primitive:
  1242. statusInformation = -- errorIndication or success
  1243. -- error counter OID and
  1244. -- value if error
  1245. processIncomingMsg(
  1246. IN messageProcessingModel -- SNMPv3 Message Processing Model
  1247. IN maxMessageSize -- of the sending SNMP entity
  1248. IN securityParameters -- for the received message
  1249. IN securityModel -- for the received message
  1250. IN securityLevel -- Level of Security
  1251. IN wholeMsg -- as received on the wire
  1252. IN wholeMsgLength -- length as received on the wire
  1253. OUT securityEngineID -- authoritative SNMP entity
  1254. OUT securityName -- identification of the principal
  1255. OUT scopedPDU, -- message (plaintext) payload
  1256. OUT maxSizeResponseScopedPDU -- maximum size sender can accept
  1257. OUT securityStateReference -- reference to security state
  1258. ) -- information, needed for
  1259. -- response
  1260. If an errorIndication is returned by the security module, then:
  1261. a) If statusInformation contains values for an OID/value pair,
  1262. then generation of a Report PDU is attempted (see step 3 in
  1263. section 7.1).
  1264. Case, et al. Standards Track [Page 33]
  1265. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1266. 1) If the scopedPDU has been returned from processIncomingMsg,
  1267. then determine contextEngineID, contextName, and PDU.
  1268. 2) Information about the message is cached and a
  1269. stateReference is created (implementation-specific).
  1270. Information to be cached includes the values of:
  1271. msgVersion,
  1272. msgID,
  1273. securityLevel,
  1274. msgFlags,
  1275. msgMaxSize,
  1276. securityModel,
  1277. maxSizeResponseScopedPDU,
  1278. securityStateReference
  1279. 3) Request that a Report-PDU be prepared and sent, according
  1280. to the abstract service primitive:
  1281. result = -- SUCCESS or FAILURE
  1282. returnResponsePdu(
  1283. IN messageProcessingModel -- SNMPv3(3)
  1284. IN securityModel -- same as on incoming request
  1285. IN securityName -- from processIncomingMsg
  1286. IN securityLevel -- same as on incoming request
  1287. IN contextEngineID -- from step 6 a) 1)
  1288. IN contextName -- from step 6 a) 1)
  1289. IN pduVersion -- SNMPv2-PDU
  1290. IN PDU -- from step 6 a) 1)
  1291. IN maxSizeResponseScopedPDU -- from processIncomingMsg
  1292. IN stateReference -- from step 6 a) 2)
  1293. IN statusInformation -- from processIncomingMsg
  1294. )
  1295. b) The incoming message is discarded without further processing,
  1296. and a FAILURE result is returned. SNMPv3 Message Processing
  1297. is complete.
  1298. 7) The scopedPDU is parsed to extract the contextEngineID, the
  1299. contextName and the PDU. If any parse error occurs, then the
  1300. snmpInASNParseErrs counter [RFC3418] is incremented, the security
  1301. state information is discarded, the message is discarded without
  1302. further processing, and a FAILURE result is returned. SNMPv3
  1303. Message Processing is complete. Treating an unknown PDU type is
  1304. treated as a parse error is an implementation option.
  1305. Case, et al. Standards Track [Page 34]
  1306. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1307. 8) The pduVersion is determined in an implementation-dependent
  1308. manner. For SNMPv3, the pduVersion would be an SNMPv2-PDU.
  1309. 9) The pduType is determined, in an implementation-dependent manner.
  1310. For [RFC3416], the pduTypes include:
  1311. - GetRequest-PDU,
  1312. - GetNextRequest-PDU,
  1313. - GetBulkRequest-PDU,
  1314. - SetRequest-PDU,
  1315. - InformRequest-PDU,
  1316. - SNMPv2-Trap-PDU,
  1317. - Response-PDU,
  1318. - Report-PDU.
  1319. 10) If the pduType is from the Response Class or the Internal Class,
  1320. then:
  1321. a) The value of the msgID component is used to find the cached
  1322. information for a corresponding outstanding Request message.
  1323. If no such outstanding Request message is found, then the
  1324. security state information is discarded, the message is
  1325. discarded without further processing, and a FAILURE result is
  1326. returned. SNMPv3 Message Processing is complete.
  1327. b) sendPduHandle is retrieved from the cached information.
  1328. Otherwise, sendPduHandle is set to <none>, an implementation
  1329. defined value.
  1330. 11) If the pduType is from the Internal Class, then:
  1331. a) statusInformation is created using the contents of the
  1332. Report-PDU, in an implementation-dependent manner. This
  1333. statusInformation will be forwarded to the application
  1334. associated with the sendPduHandle.
  1335. b) The cached data for the outstanding message, referred to by
  1336. stateReference, is retrieved. If the securityModel or
  1337. securityLevel values differ from the cached ones, it is
  1338. important to recognize that Internal Class PDUs delivered at
  1339. the security level of noAuthNoPriv open a window of
  1340. opportunity for spoofing or replay attacks. If the receiver
  1341. of such messages is aware of these risks, the use of such
  1342. unauthenticated messages is acceptable and may provide a
  1343. useful function for discovering engine IDs or for detecting
  1344. misconfiguration at remote nodes.
  1345. Case, et al. Standards Track [Page 35]
  1346. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1347. When the securityModel or securityLevel values differ from the
  1348. cached ones, an implementation may retain the cached
  1349. information about the outstanding Request message, in
  1350. anticipation of the possibility that the Internal Class PDU
  1351. received might be illegitimate. Otherwise, any cached
  1352. information about the outstanding Request message is
  1353. discarded.
  1354. c) The security state information for this incoming message is
  1355. discarded.
  1356. d) stateReference is set to <none>.
  1357. e) A SUCCESS result is returned. SNMPv3 Message Processing is
  1358. complete.
  1359. 12) If the pduType is from the Response Class, then:
  1360. a) The cached data for the outstanding request, referred to by
  1361. stateReference, is retrieved, including:
  1362. - snmpEngineID
  1363. - securityModel
  1364. - securityName
  1365. - securityLevel
  1366. - contextEngineID
  1367. - contextName
  1368. b) If the values extracted from the incoming message differ from
  1369. the cached data, then any cached information about the
  1370. outstanding Request message is discarded, the incoming message
  1371. is discarded without further processing, and a FAILURE result
  1372. is returned. SNMPv3 Message Processing is complete.
  1373. When the securityModel or securityLevel values differ from the
  1374. cached ones, an implementation may retain the cached
  1375. information about the outstanding Request message, in
  1376. anticipation of the possibility that the Response Class PDU
  1377. received might be illegitimate.
  1378. c) Otherwise, any cached information about the outstanding
  1379. Request message is discarded, and the stateReference is set to
  1380. <none>.
  1381. d) A SUCCESS result is returned. SNMPv3 Message Processing is
  1382. complete.
  1383. 13) If the pduType is from the Confirmed Class, then:
  1384. Case, et al. Standards Track [Page 36]
  1385. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1386. a) If the value of securityEngineID is not equal to the value of
  1387. snmpEngineID, then the security state information is
  1388. discarded, any cached information about this message is
  1389. discarded, the incoming message is discarded without further
  1390. processing, and a FAILURE result is returned. SNMPv3 Message
  1391. Processing is complete.
  1392. b) Information about the message is cached and a stateReference
  1393. is created (implementation-specific). Information to be
  1394. cached includes the values of:
  1395. msgVersion,
  1396. msgID,
  1397. securityLevel,
  1398. msgFlags,
  1399. msgMaxSize,
  1400. securityModel,
  1401. maxSizeResponseScopedPDU,
  1402. securityStateReference
  1403. c) A SUCCESS result is returned. SNMPv3 Message Processing is
  1404. complete.
  1405. 14) If the pduType is from the Unconfirmed Class, then a SUCCESS
  1406. result is returned. SNMPv3 Message Processing is complete.
  1407. 8. Intellectual Property
  1408. The IETF takes no position regarding the validity or scope of any
  1409. intellectual property or other rights that might be claimed to
  1410. pertain to the implementation or use of the technology described in
  1411. this document or the extent to which any license under such rights
  1412. might or might not be available; neither does it represent that it
  1413. has made any effort to identify any such rights. Information on the
  1414. IETF's procedures with respect to rights in standards-track and
  1415. standards-related documentation can be found in BCP-11. Copies of
  1416. claims of rights made available for publication and any assurances of
  1417. licenses to be made available, or the result of an attempt made to
  1418. obtain a general license or permission for the use of such
  1419. proprietary rights by implementors or users of this specification can
  1420. be obtained from the IETF Secretariat.
  1421. The IETF invites any interested party to bring to its attention any
  1422. copyrights, patents or patent applications, or other proprietary
  1423. rights which may cover technology that may be required to practice
  1424. this standard. Please address the information to the IETF Executive
  1425. Director.
  1426. Case, et al. Standards Track [Page 37]
  1427. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1428. 9. Acknowledgements
  1429. This document is the result of the efforts of the SNMPv3 Working
  1430. Group. Some special thanks are in order to the following SNMPv3 WG
  1431. members:
  1432. Harald Tveit Alvestrand (Maxware)
  1433. Dave Battle (SNMP Research, Inc.)
  1434. Alan Beard (Disney Worldwide Services)
  1435. Paul Berrevoets (SWI Systemware/Halcyon Inc.)
  1436. Martin Bjorklund (Ericsson)
  1437. Uri Blumenthal (IBM T. J. Watson Research Center)
  1438. Jeff Case (SNMP Research, Inc.)
  1439. John Curran (BBN)
  1440. Mike Daniele (Compaq Computer Corporation)
  1441. T. Max Devlin (Eltrax Systems)
  1442. John Flick (Hewlett Packard)
  1443. Rob Frye (MCI)
  1444. Wes Hardaker (U.C.Davis, Information Technology - D.C.A.S.)
  1445. David Harrington (Cabletron Systems Inc.)
  1446. Lauren Heintz (BMC Software, Inc.)
  1447. N.C. Hien (IBM T. J. Watson Research Center)
  1448. Michael Kirkham (InterWorking Labs, Inc.)
  1449. Dave Levi (SNMP Research, Inc.)
  1450. Louis A Mamakos (UUNET Technologies Inc.)
  1451. Joe Marzot (Nortel Networks)
  1452. Paul Meyer (Secure Computing Corporation)
  1453. Keith McCloghrie (Cisco Systems)
  1454. Bob Moore (IBM)
  1455. Russ Mundy (TIS Labs at Network Associates)
  1456. Bob Natale (ACE*COMM Corporation)
  1457. Mike O'Dell (UUNET Technologies Inc.)
  1458. Dave Perkins (DeskTalk)
  1459. Peter Polkinghorne (Brunel University)
  1460. Randy Presuhn (BMC Software, Inc.)
  1461. David Reeder (TIS Labs at Network Associates)
  1462. David Reid (SNMP Research, Inc.)
  1463. Aleksey Romanov (Quality Quorum)
  1464. Shawn Routhier (Epilogue)
  1465. Juergen Schoenwaelder (TU Braunschweig)
  1466. Bob Stewart (Cisco Systems)
  1467. Mike Thatcher (Independent Consultant)
  1468. Bert Wijnen (IBM T. J. Watson Research Center)
  1469. Case, et al. Standards Track [Page 38]
  1470. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1471. The document is based on recommendations of the IETF Security and
  1472. Administrative Framework Evolution for SNMP Advisory Team. Members
  1473. of that Advisory Team were:
  1474. David Harrington (Cabletron Systems Inc.)
  1475. Jeff Johnson (Cisco Systems)
  1476. David Levi (SNMP Research Inc.)
  1477. John Linn (Openvision)
  1478. Russ Mundy (Trusted Information Systems) chair
  1479. Shawn Routhier (Epilogue)
  1480. Glenn Waters (Nortel)
  1481. Bert Wijnen (IBM T. J. Watson Research Center)
  1482. As recommended by the Advisory Team and the SNMPv3 Working Group
  1483. Charter, the design incorporates as much as practical from previous
  1484. RFCs and drafts. As a result, special thanks are due to the authors
  1485. of previous designs known as SNMPv2u and SNMPv2*:
  1486. Jeff Case (SNMP Research, Inc.)
  1487. David Harrington (Cabletron Systems Inc.)
  1488. David Levi (SNMP Research, Inc.)
  1489. Keith McCloghrie (Cisco Systems)
  1490. Brian O'Keefe (Hewlett Packard)
  1491. Marshall T. Rose (Dover Beach Consulting)
  1492. Jon Saperia (BGS Systems Inc.)
  1493. Steve Waldbusser (International Network Services)
  1494. Glenn W. Waters (Bell-Northern Research Ltd.)
  1495. 10. Security Considerations
  1496. The Dispatcher coordinates the processing of messages to provide a
  1497. level of security for management messages and to direct the SNMP PDUs
  1498. to the proper SNMP application(s).
  1499. A Message Processing Model, and in particular the v3MP defined in
  1500. this document, interacts as part of the Message Processing with
  1501. Security Models in the Security Subsystem via the abstract service
  1502. interface primitives defined in [RFC3411] and elaborated above.
  1503. The level of security actually provided is primarily determined by
  1504. the specific Security Model implementation(s) and the specific SNMP
  1505. application implementation(s) incorporated into this framework.
  1506. Applications have access to data which is not secured. Applications
  1507. should take reasonable steps to protect the data from disclosure, and
  1508. when they send data across the network, they should obey the
  1509. securityLevel and call upon the services of an Access Control Model
  1510. as they apply access control.
  1511. Case, et al. Standards Track [Page 39]
  1512. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1513. The values for the msgID element used in communication between SNMP
  1514. entities MUST be chosen to avoid replay attacks. The values do not
  1515. need to be unpredictable; it is sufficient that they not repeat.
  1516. When exchanges are carried out over an insecure network, there is an
  1517. open opportunity for a third party to spoof or replay messages when
  1518. any message of an exchange is given at the security level of
  1519. noAuthNoPriv. For most exchanges, all messages exist at the same
  1520. security level. In the case where the final message is an Internal
  1521. Class PDU, this message may be delivered at a level of noAuthNoPriv
  1522. or authNoPriv, independent of the security level of the preceding
  1523. messages. Internal Class PDUs delivered at the level of authNoPriv
  1524. are not considered to pose a security hazard. Internal Class PDUs
  1525. delivered at the security level of noAuthNoPriv open a window of
  1526. opportunity for spoofing or replay attacks. If the receiver of such
  1527. messages is aware of these risks, the use of such unauthenticated
  1528. messages is acceptable and may provide a useful function for
  1529. discovering engine IDs or for detecting misconfiguration at remote
  1530. nodes.
  1531. This document also contains a MIB definition module. None of the
  1532. objects defined is writable, and the information they represent is
  1533. not deemed to be particularly sensitive. However, if they are deemed
  1534. sensitive in a particular environment, access to them should be
  1535. restricted through the use of appropriately configured Security and
  1536. Access Control models.
  1537. 11. References
  1538. 11.1. Normative References
  1539. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
  1540. Requirement Levels", BCP 14, RFC 2119, March 1997.
  1541. [RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
  1542. Rose, M. and S. Waldbusser, "Structure of Management
  1543. Information Version 2 (SMIv2)", STD 58, RFC 2578, April
  1544. 1999.
  1545. [RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
  1546. Rose, M. and S. Waldbusser, "Conformance Statements for
  1547. SMIv2", STD 58, RFC 2580, April 1999.
  1548. [RFC3411] Harrington, D., Presuhn, R. and B. Wijnen, "An
  1549. Architecture for Describing Simple Network Management
  1550. Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
  1551. December 2002.
  1552. Case, et al. Standards Track [Page 40]
  1553. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1554. [RFC3413] Levi, D., Meyer, P. and B. Stewart, "Simple Network
  1555. Management Protocol (SNMP) Applications", STD 62, RFC
  1556. 3413, December 2002.
  1557. [RFC3414] Blumenthal, U. and B. Wijnen, "The User-Based Security
  1558. Model (USM) for Version 3 of the Simple Network
  1559. Management Protocol (SNMPv3)", STD 62, RFC 3414, December
  1560. 2002.
  1561. [RFC3415] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based
  1562. Access Control Model (VACM) for the Simple Network
  1563. Management Protocol (SNMP)", STD 62, RFC 3415, December
  1564. 2002.
  1565. [RFC3416] Presuhn, R., Case, J., McCloghrie, K., Rose, M. and S.
  1566. Waldbusser, "Version 2 of the Protocol Operations for the
  1567. Simple Network Management Protocol (SNMP)", STD 62, RFC
  1568. 3416, December 2002.
  1569. [RFC3417] Presuhn, R., Case, J., McCloghrie, K., Rose, M. and S.
  1570. Waldbusser, "Transport Mappings for the Simple Network
  1571. Management Protocol (SNMP)", STD 62, RFC 3417, December
  1572. 2002.
  1573. [RFC3418] Presuhn, R., Case, J., McCloghrie, K., Rose, M. and S.
  1574. Waldbusser, "Management Information Base (MIB) for the
  1575. Simple Network Management Protocol (SNMP)", STD 62, RFC
  1576. 3418, December 2002.
  1577. 11.2. Informative References
  1578. [RFC1901] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
  1579. "Introduction to Community-based SNMPv2", RFC 1901,
  1580. January 1996.
  1581. [RFC2028] Hovey, R. and S. Bradner, "The Organizations Involved in
  1582. the IETF Standards Process", BCP 11, RFC 2028, October
  1583. 1996.
  1584. [RFC2576] Frye, R., Levi, D., Routhier, S. and B. Wijnen,
  1585. "Coexistence between Version 1, Version 2, and Version 3
  1586. of the Internet-Standard Network Management Framework",
  1587. RFC 2576, March 2000.
  1588. [RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart,
  1589. "Introduction and Applicability Statements for Internet-
  1590. Standard Management Framework", RFC 3410, December 2002.
  1591. Case, et al. Standards Track [Page 41]
  1592. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1593. 12. Editors' Addresses
  1594. Jeffrey Case
  1595. SNMP Research, Inc.
  1596. 3001 Kimberlin Heights Road
  1597. Knoxville, TN 37920-9716
  1598. USA
  1599. Phone: +1 423-573-1434
  1600. EMail: case@snmp.com
  1601. David Harrington
  1602. Enterasys Networks
  1603. 35 Industrial Way
  1604. Post Office Box 5005
  1605. Rochester, NH 03866-5005
  1606. USA
  1607. Phone: +1 603-337-2614
  1608. EMail: dbh@enterasys.com
  1609. Randy Presuhn
  1610. BMC Software, Inc.
  1611. 2141 North First Street
  1612. San Jose, CA 95131
  1613. USA
  1614. Phone: +1 408-546-1006
  1615. EMail: randy_presuhn@bmc.com
  1616. Bert Wijnen
  1617. Lucent Technologies
  1618. Schagen 33
  1619. 3461 GL Linschoten
  1620. Netherlands
  1621. Phone: +31 348-680-485
  1622. EMail: bwijnen@lucent.com
  1623. Case, et al. Standards Track [Page 42]
  1624. RFC 3412 Message Processing and Dispatching for SNMP December 2002
  1625. 13. Full Copyright Statement
  1626. Copyright (C) The Internet Society (2002). All Rights Reserved.
  1627. This document and translations of it may be copied and furnished to
  1628. others, and derivative works that comment on or otherwise explain it
  1629. or assist in its implementation may be prepared, copied, published
  1630. and distributed, in whole or in part, without restriction of any
  1631. kind, provided that the above copyright notice and this paragraph are
  1632. included on all such copies and derivative works. However, this
  1633. document itself may not be modified in any way, such as by removing
  1634. the copyright notice or references to the Internet Society or other
  1635. Internet organizations, except as needed for the purpose of
  1636. developing Internet standards in which case the procedures for
  1637. copyrights defined in the Internet Standards process must be
  1638. followed, or as required to translate it into languages other than
  1639. English.
  1640. The limited permissions granted above are perpetual and will not be
  1641. revoked by the Internet Society or its successors or assigns.
  1642. This document and the information contained herein is provided on an
  1643. "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
  1644. TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
  1645. BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
  1646. HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
  1647. MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
  1648. Acknowledgement
  1649. Funding for the RFC Editor function is currently provided by the
  1650. Internet Society.
  1651. Case, et al. Standards Track [Page 43]