rfc2593.txt

来自「<VC++网络游戏建摸与实现>源代码」· 文本 代码 · 共 1,236 行 · 第 1/4 页

Network Working Group                                   J. Schoenwaelder
Request for Comments: 2593                               TU Braunschweig
Category: Experimental                                        J. Quittek
                                                         NEC Europe Ltd.
                                                                May 1999


             Script MIB Extensibility Protocol Version 1.0

Status of this Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   The IETF Script MIB defines an interface for the delegation of
   management functions based on the Internet management framework. A
   management script is a set of instructions that are executed by a
   language specific runtime system. The Script MIB extensibility
   protocol (SMX) defined in this memo separates language specific
   runtime systems from language independent Script MIB implementations.

Table of Contents

   1. Introduction ................................................    2
   2. Process Model and Communication Model .......................    3
   3. Security Profiles ...........................................    3
   4. Start of Runtime Systems and Connection Establishment .......    4
   5. SMX Messages ................................................    5
   5.1 Common Definitions .........................................    5
   5.2 Commands ...................................................    7
   5.3 Replies ....................................................    8
   6. Elements of Procedure .......................................    9
   6.1 SMX Message Processing on the Runtime Systems ..............    9
   6.1.1 Processing the `hello' Command ...........................   10
   6.1.2 Processing the `start' Command ...........................   10
   6.1.3 Processing the `suspend' Command .........................   11
   6.1.4 Processing the `resume' Command ..........................   12
   6.1.5 Processing the `abort' Command ...........................   12
   6.1.6 Processing the `status' Command ..........................   12
   6.1.7 Generation of Asynchronous Notifications .................   13



Schoenwaelder & Quittek       Experimental                      [Page 1]

RFC 2593                    SMX Protocol 1.0                    May 1999


   6.2 SMX Message Processing on the SNMP Agent ...................   13
   6.2.1 Creating a Runtime System ................................   13
   6.2.2 Generating the `hello' Command ...........................   13
   6.2.3 Generating the `start' Command ...........................   14
   6.2.4 Generating the `suspend' Command .........................   15
   6.2.5 Generating the `resume' Command ..........................   16
   6.2.6 Generating the `abort' Command ...........................   16
   6.2.7 Generating the `status' Command ..........................   17
   6.2.8 Processing Asynchronous Notifications ....................   18
   7. An Example SMX Message Flow .................................   19
   8. Security Considerations .....................................   19
   9. Acknowledgments .............................................   20
   10. References .................................................   20
   11. Authors' Addresses .........................................   21
   12. Full Copyright Statement ...................................   22

1.  Introduction

   The Script MIB [1] defines a standard interface for the delegation of
   management functions based on the Internet management framework. In
   particular, it provides the following capabilities:

   1.   Transfer of management scripts to a distributed manager.

   2.   Initiating, suspending, resuming and terminating management
        scripts.

   3.   Transfer of arguments for management scripts.

   4.   Monitoring and control of running management scripts.

   5.   Transfer of results produced by management scripts.

   A management script is a set of instructions executed by a language
   specific runtime system. The Script MIB does not prescribe a specific
   language. Instead, it allows to control scripts written in different
   languages that are executing concurrently.

   The Script MIB Extensibility protocol (SMX) defined in this memo can
   be used to separate language specific runtime systems from the
   runtime system independent Script MIB implementations. The
   lightweight SMX protocol can be used to support different runtime
   systems without any changes to the language neutral part of a Script
   MIB implementation.

   Examples of languages and runtime systems considered during the
   design of the SMX protocol are the Java virtual machine [2] and the
   Tool Command Language (Tcl) [3]. Other languages with comparable



Schoenwaelder & Quittek       Experimental                      [Page 2]

RFC 2593                    SMX Protocol 1.0                    May 1999


   features should be easy to integrate as well.

2.  Process Model and Communication Model

   Figure 1 shows the process and communication model underlying the SMX
   protocol. The language and runtime system independent SNMP agent
   implementing the Script MIB communicates with one ore more runtime
   systems via the SMX protocol. A runtime system may be able to execute
   one or multiple scripts simultaneously (multi-threading). The SMX
   protocol supports multi-threading, but it does not require multi-
   threaded runtime systems.

   The SMX protocol uses a local storage device (usually implemented on
   top of the local file system) to transfer scripts from the SNMP agent
   to the runtime systems. The SNMP agent has read and write access to
   the script storage device while the runtime systems only need read
   access. The SMX protocol passes the location of a script in the local
   storage device to the runtime engines. It is then the responsibility
   of the runtime engines to load the script from the specified
   location.

                                                    runtime 1
                   +--------------+       SMX      +---------+
                   |              |<-------------->| O  O  O |<-+
           SNMP    |  Script MIB  |                +---------+  |
       <---------->|              |                             |
                   |  SNMP Agent  |                 runtime 2   |
                   |              |       SMX      +---------+  |
                   |              |<-------------->| O       |  |
                   +--------------+                +---------+  |
                           ^                            ^       |
                           |       +---------+          |       |
                           |       | script  |----------+       |
                           +------>| storage |------------------+
                                   +---------+

           Figure 1: SMX process and communication model


3.  Security Profiles

   Security profiles control what a running script is allowed to do. It
   is useful to distinguish two different classes of security profiles:

   -    The operating system security profile specifies the set of
        operating system services that can be used by the operating
        system level process which executes a script. Under UNIX, this
        maps to the effective user and group identity for the running



Schoenwaelder & Quittek       Experimental                      [Page 3]

RFC 2593                    SMX Protocol 1.0                    May 1999


        process. In addition, many UNIX versions allow to set other
        resource limits, such as the number of open files or the maximum
        stack sizes. Another mechanism in UNIX is the chroot() system
        call which changes the file system root for a process. The
        chroot() mechanism can be used to prevent runtime systems from
        accessing any system files. It is suggested to make use of all
        applicable operating system security mechanism in order to
        protect the operating system from malicious scripts or runtime
        systems.

   -    Secure runtime systems provide fine grained control over the set
        of services that can be used by a running script at a particular
        point during script execution. A runtime security profile
        specifying fine grained access control is runtime system
        dependent. For a Java virtual machine, the runtime security
        profile is interpreted by the SecurityManager and ClassLoader
        classes[4]. For Tcl, the runtime security profile maps to the
        interpreter's security profile [5].

   The SMX protocol allows to execute scripts under different operating
   system profiles and runtime system profiles. Multiple operating
   system security profiles are realized by using multiple runtime
   systems which execute in operating system processes with different
   security profiles.  Multiple runtime security profiles are supported
   by passing a security profile name to a runtime system during script
   invocation.

   The Script MIB does not define how operating system or runtime system
   security profiles are identified. This memo suggests that the
   smLaunchOwner is mapped to an operating system security profile and a
   runtime system security profile when a script is started.

4.  Start of Runtime Systems and Connection Establishment

   The SNMP agent starts runtime systems based on the static properties
   of the runtime system (multi-threaded or single-threaded) and the
   operating system security profiles. Starting a new runtime system
   requires to create a process environment which matches the operating
   system security profile.

   The SNMP agent initially passes information to the runtime system by
   means of environment variables. The information is needed to
   establish a trusted communication channel between the SNMP agent and
   a runtime system.

   The SNMP agent first creates a listening TCP socket which accepts
   connections from runtime systems. It is the responsibility of the
   runtime system to establish a connection to this TCP socket once it



Schoenwaelder & Quittek       Experimental                      [Page 4]

RFC 2593                    SMX Protocol 1.0                    May 1999


   has been started. The port number of the listening TCP socket is
   passed from the SNMP agent to the runtime system in the environment
   variable SMX_PORT.

   The SNMP agent must ensure that only authorized runtime systems
   establish a connection to the listening TCP socket. The following
   rules are used for this purpose:

   -    The TCP connection must originate from the local host.

   -    The SNMP agent queries the runtime system for a security cookie
        and closes the TCP connection if no valid response is received
        within a given time interval. The security cookie is a random
        number generated by the SNMP agent and passed to the runtime
        system as part of its environment. The cookie is found in the
        environment variable SMX_COOKIE.

   The security assumption here is that access to the process
   environment is protected by the operating system.

   Alternate transports (e.g. UNIX domain sockets) are possible but not
   defined at this point in time. The reason to choose TCP as the
   transport protocol for SMX was that TCP is supported by all potential
   runtime systems, while other transports are not universally
   available.

5.  SMX Messages

   The message formats described below are defined using the Augmented
   BNF (ABNF) defined in RFC 2234 [6]. The definitions for `ALPHA',
   `DIGIT', `HEXDIG', `WSP', `CRLF', `CR', `LF', `HTAB', `VCHAR' and
   `DQUOTE' are imported from appendix A of RFC 2234 and not repeated
   here.

5.1.  Common Definitions

   The following ABNF definitions are used in subsequent sections to
   define the SMX protocol messages.

     Zero          = %x30          ; the ASCII character '0'

     AlNum         = DIGIT / ALPHA / %x2D-2F
                                   ; digits, alphas plus '-', '.', '/'

     QuotedString  = DQUOTE *(VCHAR / WSP) DQUOTE

     HexString     = 1*(HEXDIG HEXDIG)




Schoenwaelder & Quittek       Experimental                      [Page 5]

RFC 2593                    SMX Protocol 1.0                    May 1999


     Id            = 1*DIGIT       ; identifier for an SMX transaction

     Script        = QuotedString  ; script file name

     RunId         = 1*DIGIT       ; globally unique identifier for a
                                   ; running script (note, smRunIndex
                                   ; is only unique for a smLaunchOwner,
                                   ; smLaunchName pair)

     Profile       = 1*AlNum       ; security profile name

     RunState      =  "1"          ; smRunState `initializing'
     RunState      =/ "2"          ; smRunState `executing'
     RunState      =/ "3"          ; smRunState `suspending'
     RunState      =/ "4"          ; smRunState `suspended'
     RunState      =/ "5"          ; smRunState `resuming'
     RunState      =/ "6"          ; smRunState `aborting'
     RunState      =/ "7"          ; smRunState `terminated'

     ExitCode      =  "1"          ; smRunExitCode `noError'
     ExitCode      =/ "2"          ; smRunExitCode `halted'
     ExitCode      =/ "3"          ; smRunExitCode `lifeTimeExceeded'
     ExitCode      =/ "4"          ; smRunExitCode `noResourcesLeft'