the authoritative SNMP engine E.
3. Elements of Procedure
This section describes the security related procedures followed by an
SNMP engine when processing SNMP messages according to the User-based
Security Model.
Blumenthal & Wijnen Standards Track [Page 21]
RFC 2274 USM for SNMPv3 January 1998
3.1. Generating an Outgoing SNMP Message
This section describes the procedure followed by an SNMP engine
whenever it generates a message containing a management operation
(like a request, a response, a notification, or a report) on behalf
of a user, with a particular securityLevel.
1) a) If any securityStateReference is passed (Response message),
then information concerning the user is extracted from the
cachedSecurityData. The securityEngineID and the
securityLevel are extracted from the cachedSecurityData. The
cachedSecurityData can now be discarded.
Otherwise,
b) based on the securityName, information concerning the
user at the destination snmpEngineID, specified by the
securityEngineID, is extracted from the Local Configuration
Datastore (LCD, usmUserTable). If information about the user
is absent from the LCD, then an error indication
(unknownSecurityName) is returned to the calling module.
2) If the securityLevel specifies that the message is to be
protected from disclosure, but the user does not support both an
authentication and a privacy protocol then the message cannot be
sent. An error indication (unsupportedSecurityLevel) is returned
to the calling module.
3) If the securityLevel specifies that the message is to be
authenticated, but the user does not support an authentication
protocol, then the message cannot be sent. An error indication
(unsupportedSecurityLevel) is returned to the calling module.
4) a) If the securityLevel specifies that the message is to be
protected from disclosure, then the octet sequence
representing the serialized scopedPDU is encrypted according
to the user's privacy protocol. To do so a call is made to the
privacy module that implements the user's privacy protocol
according to the abstract primitive:
         statusInformation =             -- success or failure
           encryptData(
           IN    encryptKey              -- user's localized privKey
           IN    dataToEncrypt           -- serialized scopedPDU
           OUT   encryptedData           -- serialized encryptedPDU
           OUT   privParameters          -- serialized privacy parameters
           )
statusInformation
indicates if the encryption process was successful or not.
encryptKey
the user's localized private privKey is the secret key that
can be used by the encryption algorithm.
dataToEncrypt
the serialized scopedPDU is the data that is to be encrypted.
encryptedData
the encryptedPDU represents the encrypted scopedPDU,
encoded as an OCTET STRING.
privParameters
the privacy parameters, encoded as an OCTET STRING.
If the privacy module returns failure, then the message cannot
be sent and an error indication (encryptionError) is returned
to the calling module.
If the privacy module returns success, then the returned
privParameters are put into the msgPrivacyParameters field of
the securityParameters and the encryptedPDU serves as the
payload of the message being prepared.
Otherwise,
b) If the securityLevel specifies that the message is not to be
protected from disclosure, then the NULL string is encoded as
an OCTET STRING and put into the msgPrivacyParameters field of
the securityParameters and the plaintext scopedPDU serves as
the payload of the message being prepared.
5) The snmpEngineID is encoded as an OCTET STRING into the
msgAuthoritativeEngineID field of the securityParameters. Note
that an empty (zero length) snmpEngineID is OK for a Request
message, because that will cause the remote (authoritative) SNMP
engine to return a Report PDU with the proper snmpEngineID
included in the msgAuthoritativeEngineID in the
securityParameters of that returned Report PDU.
6) a) If the securityLevel specifies that the message is to be
authenticated, then the current values of snmpEngineBoots and
snmpEngineTime corresponding to the snmpEngineID from the LCD
are used.
Otherwise,
b) If this is a Response message, then the current value of
snmpEngineBoots and snmpEngineTime corresponding to the local
snmpEngineID from the LCD are used.
Otherwise,
c) If this is a Request message, then a zero value is used
for both snmpEngineBoots and snmpEngineTime. This zero value
gets used if snmpEngineID is empty.
The values are encoded as INTEGER respectively into the
msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime fields
of the securityParameters.
7) The userName is encoded as an OCTET STRING into the msgUserName
field of the securityParameters.
8) a) If the securityLevel specifies that the message is to be
authenticated, the message is authenticated according to the
user's authentication protocol. To do so a call is made to the
authentication module that implements the user's
authentication protocol according to the abstract service
primitive:
         statusInformation =
           authenticateOutgoingMsg(
           IN    authKey                 -- the user's localized authKey
           IN    wholeMsg                -- unauthenticated message
           OUT   authenticatedWholeMsg   -- authenticated complete message
           )
statusInformation
indicates if authentication was successful or not.
authKey
the user's localized private authKey is the secret key that
can be used by the authentication algorithm.
wholeMsg
the complete serialized message to be authenticated.
authenticatedWholeMsg
the same as the input given to the authenticateOutgoingMsg
service, but with msgAuthenticationParameters properly
filled in.
If the authentication module returns failure, then the message
cannot be sent and an error indication (authenticationFailure)
is returned to the calling module.
If the authentication module returns success, then the
msgAuthenticationParameters field is put into the
securityParameters and the authenticatedWholeMsg represents
the serialization of the authenticated message being prepared.
Otherwise,
b) If the securityLevel specifies that the message is not to
be authenticated then the NULL string is encoded as an OCTET
STRING into the msgAuthenticationParameters field of the
securityParameters. The wholeMsg is now serialized and then
represents the unauthenticated message being prepared.
9) The completed message with its length is returned to the
calling module with the statusInformation set to success.
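The nine steps above, as a worked example added here (this is not code from the RFC): a Python model of the outgoing-message procedure with a constructed usmUserTable, a 2-byte length prefix standing in for BER, an XOR placeholder standing in for the privacy module, and HMAC-MD5-96 as the authenticateOutgoingMsg primitive. The HMAC-96 construction (MAC computed with msgAuthenticationParameters set to 12 zero octets, then truncated to 12 octets) is what RFC 2274 section 6 specifies, which lies outside this excerpt and is assumed here.

```python
import hmac, hashlib
# Constructed sample LCD (usmUserTable): localized keys per (snmpEngineID, userName).
# Key bytes are made-up demo values; 'ro' has no auth key, so it only supports noAuthNoPriv.
USM_USERS = {
    (b"engine-A", "ops"): {"auth_key": b"\x01" * 16, "priv_key": b"\x02" * 16},
    (b"engine-A", "ro"):  {"auth_key": None,         "priv_key": None},
}
# Constructed snmpEngineBoots/snmpEngineTime per engine; the local engine is engine-A.
ENGINE_CLOCKS = {b"engine-A": (3, 1700)}

def encode(field: bytes) -> bytes:
    """Stand-in for BER encoding: a 2-byte length prefix (the RFC uses ASN.1 OCTET STRINGs)."""
    return len(field).to_bytes(2, "big") + field

def serialize(engine_id, boots, time_, user, auth_params, priv_params, payload):
    """wholeMsg = the UsmSecurityParameters fields (steps 5 and 7) followed by the payload."""
    return b"".join(encode(f) for f in (engine_id, boots.to_bytes(4, "big"),
        time_.to_bytes(4, "big"), user.encode(), auth_params, priv_params, payload))

def hmac96(auth_key: bytes, whole_msg: bytes) -> bytes:
    # HMAC-MD5-96 (RFC 2274 section 6, assumed): MAC over the message with
    # msgAuthenticationParameters set to 12 zero octets, truncated to 12 bytes.
    return hmac.new(auth_key, whole_msg, hashlib.md5).digest()[:12]

def generate_outgoing(user, security_level, scoped_pdu, engine_id, is_request):
    """Steps 1b-9 of section 3.1. Returns (statusInformation, wholeMsg or None)."""
    entry = USM_USERS.get((engine_id, user))
    if entry is None:                                               # step 1b
        return "unknownSecurityName", None
    want_auth = security_level in ("authNoPriv", "authPriv")
    want_priv = security_level == "authPriv"
    if want_priv and not (entry["auth_key"] and entry["priv_key"]):  # step 2
        return "unsupportedSecurityLevel", None
    if want_auth and not entry["auth_key"]:                         # step 3
        return "unsupportedSecurityLevel", None
    if want_priv:  # step 4a: placeholder for the privacy module (CBC-DES in the RFC); XOR is NOT a cipher
        priv_params = b"\x00" * 8
        payload = bytes(b ^ entry["priv_key"][i % 16] for i, b in enumerate(scoped_pdu))
    else:                                                           # step 4b
        priv_params, payload = b"", scoped_pdu
    boots, time_ = 0, 0                                             # step 6c (Request, unauthenticated)
    if want_auth:                                                   # step 6a
        boots, time_ = ENGINE_CLOCKS[engine_id]
    elif not is_request:                                            # step 6b (Response)
        boots, time_ = ENGINE_CLOCKS[b"engine-A"]
    if not want_auth:                                               # step 8b
        return "success", serialize(engine_id, boots, time_, user, b"", priv_params, payload)
    zeroed = serialize(engine_id, boots, time_, user, b"\x00" * 12, priv_params, payload)
    mac = hmac96(entry["auth_key"], zeroed)                         # step 8a
    return "success", serialize(engine_id, boots, time_, user, mac, priv_params, payload)
```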
3.2. Processing an Incoming SNMP Message
This section describes the procedure followed by an SNMP engine
whenever it receives a message containing a management operation on
behalf of a user, with a particular securityLevel.
To simplify the elements of procedure, the release of state
information is not always explicitly specified. As a general rule, if
state information is available when a message gets discarded, the
state information should also be released. Also, when an error
indication with an OID and value for an incremented counter is
returned, then the available information (like
securityStateReference) must be passed back to the caller so it can
generate a Report PDU.
1) If the received securityParameters is not the serialization
(according to the conventions of [RFC1906]) of an OCTET STRING
formatted according to the UsmSecurityParameters defined in
section 2.4, then the snmpInASNParseErrs counter [RFC1907] is
incremented, and an error indication (parseError) is returned to
the calling module. Note that we return without the OID and
value of the incremented counter, because in this case there is
not enough information to generate a Report PDU.
2) The values of the security parameter fields are extracted from
the securityParameters. The securityEngineID to be returned to
the caller is the value of the msgAuthoritativeEngineID field.
The cachedSecurityData is prepared and a securityStateReference
is prepared to reference this data. Values to be cached are:
msgUserName
securityEngineID
securityLevel
3) If the value of the msgAuthoritativeEngineID field in the
securityParameters is unknown then:
a) a non-authoritative SNMP engine that performs discovery may
optionally create a new entry in its Local Configuration
Datastore (LCD) and continue processing;
or
b) the usmStatsUnknownEngineIDs counter is incremented, and
an error indication (unknownEngineID) together with the
OID and value of the incremented counter is returned to
the calling module.
4) Information about the value of the msgUserName and
msgAuthoritativeEngineID fields is extracted from the Local
Configuration Datastore (LCD, usmUserTable). If no information
is available for the user, then the usmStatsUnknownUserNames
counter is incremented and an error indication
(unknownSecurityName) together with the OID and value of the
incremented counter is returned to the calling module.
5) If the information about the user indicates that it does not
support the securityLevel requested by the caller, then the
usmStatsUnsupportedSecLevels counter is incremented and an
error indication (unsupportedSecurityLevel) together with the
OID and value of the incremented counter is returned to the
calling module.
6) If the securityLevel specifies that the message is to be
authenticated, then the message is authenticated according to
the user's authentication protocol. To do so a call is made
to the authentication module that implements the user's
authentication protocol according to the abstract service
primitive:
         statusInformation =             -- success or failure
           authenticateIncomingMsg(
           IN    authKey                 -- the user's localized authKey
           IN    authParameters          -- as received on the wire
           IN    wholeMsg                -- as received on the wire
           OUT   authenticatedWholeMsg   -- checked for authentication
           )
statusInformation
indicates if authentication was successful or not.
authKey
the user's localized private authKey is the secret key that
can be used by the authentication algorithm.
wholeMsg
the complete serialized message to
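The receiving side of the same procedure (section 3.2, steps 1 through 6), as a worked example added here and not code from the RFC. It uses a constructed usmUserTable, a 2-byte length prefix standing in for BER, and HMAC-MD5-96 for authenticateIncomingMsg, verified by recomputing the MAC over the message with its MAC field zeroed (the RFC 2274 section 6 construction, assumed here). The counters are those the steps name; usmStatsWrongDigests, for a failed MAC check, is the one the RFC names in the rest of step 6, just past this excerpt.

```python
import hmac, hashlib, collections
# Constructed LCD (usmUserTable) and known engine IDs; COUNTERS holds the usmStats/snmpInASNParseErrs
# objects the procedure increments (a Counter starts every name at zero).
USM_USERS = {(b"engine-A", "ops"): {"auth_key": b"\x01" * 16, "priv_key": None}}
KNOWN_ENGINES = {b"engine-A"}
COUNTERS = collections.Counter()
FIELDS = ("engine_id", "boots", "time", "user", "auth_params", "priv_params", "payload")

def build(engine_id, boots, time_, user, auth_params, priv_params, payload):
    """Encoder for the stand-in wire format: 2-byte length + bytes per field (the RFC uses BER)."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in (engine_id, boots.to_bytes(4, "big"),
                    time_.to_bytes(4, "big"), user.encode(), auth_params, priv_params, payload))
def parse(whole_msg: bytes):
    """Decode the fields and record each field's byte offset; (None, None) on malformed input."""
    fields, offsets, pos = {}, {}, 0
    for name in FIELDS:
        n = int.from_bytes(whole_msg[pos:pos + 2], "big")
        if pos + 2 + n > len(whole_msg):                # also catches a truncated length prefix
            return None, None
        offsets[name], fields[name] = pos + 2, whole_msg[pos + 2:pos + 2 + n]
        pos += 2 + n
    return (fields, offsets) if pos == len(whole_msg) else (None, None)
def mac96(auth_key: bytes, zeroed_msg: bytes) -> bytes:
    """HMAC-MD5-96 (RFC 2274 section 6, assumed): MAC over the message with 12 zero octets in the MAC field."""
    return hmac.new(auth_key, zeroed_msg, hashlib.md5).digest()[:12]
def fail(counter, error):  # increment the counter; return the error with the counter's name and value
    COUNTERS[counter] += 1
    return error, counter, COUNTERS[counter]

def process_incoming(whole_msg: bytes, security_level: str):
    """Steps 1-6 of section 3.2. Returns ('success', engineID, userName) or (error, counter, value)."""
    fields, offsets = parse(whole_msg)
    if fields is None:                                          # step 1: no counter OID/value returned
        COUNTERS["snmpInASNParseErrs"] += 1
        return "parseError", None, None
    engine_id, user = fields["engine_id"], fields["user"].decode(errors="replace")  # step 2
    if engine_id not in KNOWN_ENGINES:                          # step 3b (no discovery entry created)
        return fail("usmStatsUnknownEngineIDs", "unknownEngineID")
    entry = USM_USERS.get((engine_id, user))
    if entry is None:                                           # step 4
        return fail("usmStatsUnknownUserNames", "unknownSecurityName")
    want_auth = security_level in ("authNoPriv", "authPriv")
    if (want_auth and not entry["auth_key"]) or (security_level == "authPriv" and not entry["priv_key"]):
        return fail("usmStatsUnsupportedSecLevels", "unsupportedSecurityLevel")  # step 5
    if want_auth:                                               # step 6: recompute and compare the MAC
        got, o = fields["auth_params"], offsets["auth_params"]
        expected = mac96(entry["auth_key"], whole_msg[:o] + b"\x00" * len(got) + whole_msg[o + len(got):])
        if len(got) != 12 or not hmac.compare_digest(got, expected):
            return fail("usmStatsWrongDigests", "authenticationFailure")
    return "success", engine_id, user
```

The returned counter name and value are what the caller needs to build the Report PDU the text mentions, so monitoring these counters on an authoritative engine shows failed-authentication and unknown-user attempts directly.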