rfc1910.txt

   An SNMPv2 message is an ASN.1 value with the following syntax:

     Message ::=
         SEQUENCE {
             version
                 INTEGER { v2 (2) },

             parameters
                 OCTET STRING,
             -- <model=1>
             --      <qoS><agentID><agentBoots><agentTime><maxSize>
             --      <userLen><userName><authLen><authDigest>
             --      <contextSelector>

             data
                 CHOICE {
                     plaintext
                         PDUs,
                     encrypted
                         OCTET STRING
                 }
         }

   where:

   parameters
     a concatenation of the following values in network-byte order.  If
     the first octet (<model>) is one, then

     <qoS>    = 8-bits of quality-of-service

              bitnumber
              7654 3210     meaning
              ---- ----     --------------------------------
              .... ..00     no authentication nor privacy
              .... ..01     authentication, no privacy
              .... ..1.     authentication and privacy
              .... .1..     generation of report PDU allowed

Waters                        Experimental                     [Page 17]

RFC 1910          User-based Security Model for SNMPv2     February 1996

              where bit 7 is the most significant bit.

     <agentID>    = 12 octets
          a unique identifier for the agent (or dual-role entity).

     <agentBoots> = 32-bits
          an unsigned quantity (0..4294967295) in network-byte order.

     <agentTime>  = 32-bits
          an unsigned quantity (0..2147483647) in network-byte order.

     <maxSize>    = 16-bits
          an unsigned quantity (484..65507) in network-byte order, which
          identifies the maximum message size which the sender of this
          message can receive using the same transport domain as used
          for this message.

     <userLen>    = 1 octet
          the length of the following <userName> field.

     <userName>   = 1..16 arbitrary octets
          the user on whose behalf this message is sent.

     <authLen>    = 1 octet
          the length of the following <authDigest> field.

     <authDigest> = 0..255 octets
          for authenticated messages, the authentication digest.
          Otherwise, the value has zero-length on transmission and is
          ignored on receipt.

     <contextSelector> = 0..40 arbitrary octets
          the context selector which in combination with agentID
          identifies the SNMPv2 context containing the management
          information referenced by the SNMPv2 message.

   plaintext
     an SNMPv2 PDU as defined in [12].

   encrypted
     the encrypted form of an SNMPv2 PDU.

2.10.  Local Configuration Datastore (LCD)

   Each SNMPv2 entity maintains a local conceptual database, called the
   Local Configuration Datastore (LCD), which holds its known set of
   information about SNMPv2 users and other associated (e.g., access
   control) information.  An LCD may potentially be required to hold
   information about multiple SNMPv2 agent entities.  As such, the
   <agentID> should be used to identify a particular agent entity in the
   LCD.

   It is a local implementation issue as to whether information in the
   LCD is stored information or whether it is obtained dynamically
   (e.g., as a part of an SNMPv2 manager's API) on an as-needed basis.

3.  Elements of Procedure

   This section describes the procedures followed by an SNMPv2 entity in
   processing SNMPv2 messages.

3.1.  Generating a Request or Notification

   This section describes the procedure followed by an SNMPv2 entity
   whenever it generates a message containing a management operation
   (either a request or a notification) on behalf of a user, for a
   particular context and with a particular qoS value.

(1)  Information concerning the user is extracted from the LCD.  The
     transport domain and transport address to which the operation is to
     be sent is determined.  The context is resolved into an agentID
     value and a contextSelector value.

(2)  If the qoS specifies that the message is to be protected from
     disclosure, but the user does not support both an authentication
     and a privacy protocol, or does not have configured authentication
     and privacy keys, then the operation cannot be sent.

(3)  If the qoS specifies that the message is to be authenticated, but
     the user does not support an authentication protocol, or does not
     have a configured authentication key, then the operation cannot be
     sent.

(4)  The operation is serialized (i.e., encoded) according to the
     conventions of [13] and [12] into a PDUs value.

(5)  If the operation is a Get, GetNext, GetBulk, or Set then the report
     flag in the qoS is set to the value 1.

(6)  An SNMPv2 message is constructed using the ASN.1 Message syntax:

     - the version component is set to the value 2.

     - if the qoS specifies that the message is to be protected from
       disclosure, then the octet sequence representing the serialized
       PDUs value is encrypted according to the user's privacy protocol
       and privacy key, and the encrypted data is encoded as an octet
       string and is used as the data component of the message.

     - if the qoS specifies that the message is not to be protected from
       disclosure, then the serialized PDUs value is used directly as
       the value of the data component.

     - the parameters component is constructed using:

       - the requested qoS, userName, agentID and context selector,

       - if the qoS specifies that the message is to be authenticated or
         the management operation is a notification, then the current
         values of agentBoots and agentTime corresponding to agentID
         from the LCD are used.  Otherwise, the <agentBoots> and
         <agentTime> fields are set to zero-filled octets.

       - the <maxSize> field is set to the maximum message size which
         the local SNMPv2 entity can receive using the transport domain
         which will be used to send this message.

       - if the qoS specifies that the message is to be authenticated,
         then the <authDigest> field is temporarily set to the user's
         authentication key.  Otherwise, the <authDigest> field is set
         to the zero-length string.

(7)  The constructed Message value is serialized (i.e., encoded)
     according to the conventions of [13] and [12].

(8)  If the qoS specifies that the message is to be authenticated, then
     an MD5 digest value is computed over the octet sequence
     representing the concatenation of the serialized Message value and
     the user's authentication key.  The <authDigest> field is then set
     to the computed digest value.

(9)  The serialized Message value is transmitted to the determined
     transport address.

3.2.  Processing a Received Communication

   This section describes the procedure followed by an SNMPv2 entity
   whenever it receives an SNMPv2 message.  This procedure is
   independent of the transport service address at which the message was
   received.  For clarity, some of the details of this procedure are
   left out and are described in Section 3.2.1 and its sub-sections.

(1)  The snmpInPkts counter [15] is incremented.  If the received
     message is not the serialization (according to the conventions of
     [13]) of a Message value, then the snmpInASNParseErrs counter [15]
     is incremented, and the message is discarded without further
     processing.

(2)  If the version component has a value other than 2, then the
     message is either processed according to some other version of
     this protocol, or the snmpInBadVersions counter [15] is
     incremented, and the message is discarded without further
     processing.

(3)  The value of the <model> field is extracted from the parameters
     component of the Message value.  If the value of the <model> field
     is not 1, then either the message is processed according to some
     other security model, or the usecStatsBadParameters counter is
     incremented, and the message is discarded without further
     processing.

(4)  The values of the rest of the fields are extracted from the
     parameters component of the Message value.

(5)  If the <agentID> field contained in the parameters is unknown then:

     - a manager that performs discovery may optionally create a new LCD
       entry and continue processing; or

     - the usecStatsUnknownContexts counter is incremented, a report PDU
       is generated, and the received message is discarded without
       further processing.

(6)  The LCD is consulted for information about the SNMPv2 context
     identified by the combination of the <agentID> and
     <contextSelector> fields.  If information about this SNMPv2 context
     is absent from the LCD, then the usecStatsUnknownContexts counter
     is incremented, a report PDU is generated, and the received message
     is discarded without further processing.

(7)  Information about the value of the <userName> field is extracted
     from the LCD.  If no information is available, then the
     usecStatsUnknownUserNames counter is incremented, a report PDU [1]
     is generated, and the received message is discarded without further
     processing.

(8)  If the information about the user indicates that it does not
     support the quality of service indicated by the <qoS> field, then
     the usecStatsUnsupportedQoS counter is incremented, a report PDU is
     generated, and the received message is discarded without further
     processing.

(9)  If the <qoS> field indicates an authenticated message and the
     user's authentication protocol is the Digest Authentication
     Protocol described in this memo, then:

     a) the local values of agentBoots and agentTime corresponding to
        the value of the <agentID> field are extracted from the LCD.

     b) the value of the <authDigest> field is temporarily saved.  A new
        serialized Message is constructed which differs from that
        received in exactly one respect: the <authDigest> field within
        it has the value of the user's authentication key.  An MD5
        digest value is computed over the octet sequence representing
        the concatenation of the new serialized Message and the user's
        authentication key.

     c) if the LCD information indicates the SNMPv2 context is of type
        local (i.e., an agent), then:

        - if the computed digest differs from the saved authDigest
          value, then the usecStatsWrongDigestValues counter is
          incremented, a report PDU is generated, and the received
          message is discarded without further processing.  However, if
          the snmpEnableAuthenTraps object [15] is enabled, then the
          SNMPv2 entity sends authenticationFailure traps [15] according
          to its configuration.

        - if any of the following conditions is true, then the message
          is considered to be outside of the Time Window:

          - the local value of agentBoots is 0xffffffff;

          - the <agentBoots> field differs from the local value of
            agentBoots; or,
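The following Python is an added example, not text from RFC 1910 or code from any implementation it cites: it packs the <model=1> parameters field, wraps it in a minimal BER Message carrying a plaintext PDU, and carries out the digest computation of Section 3.1 step 8 on the sending side and the recomputation of Section 3.2 step 9b on the receiving side. All function names, the small BER encoder, the sample field values and the 16-octet key are constructed for the demonstration; privacy, the Time Window check and report PDUs are left out.

```python
import hashlib
import struct

# Constructed demonstration of RFC 1910 <model=1> parameters and digest handling.
QOS_AUTH, QOS_PRIV, QOS_REPORT = 0x01, 0x02, 0x04  # <qoS> bits from the Section 2.9 table

def pack_parameters(qos, agent_id, boots, time, max_size, user, ctx, digest):
    """Concatenate the parameter fields in network-byte order (Section 2.9)."""
    assert len(agent_id) == 12 and 1 <= len(user) <= 16 and len(ctx) <= 40
    return (bytes([1, qos]) + agent_id + struct.pack(">IIH", boots, time, max_size)
            + bytes([len(user)]) + user + bytes([len(digest)]) + digest + ctx)
def unpack_parameters(p):
    """Inverse of pack_parameters; <contextSelector> is whatever follows <authDigest>."""
    boots, time, max_size = struct.unpack(">IIH", p[14:24])
    ulen = p[24]
    alen = p[25 + ulen]
    return dict(model=p[0], qos=p[1], agent_id=p[2:14], boots=boots, time=time,
                max_size=max_size, user=p[25:25 + ulen],
                digest=p[26 + ulen:26 + ulen + alen], ctx=p[26 + ulen + alen:])
def _tlv(tag, body):
    """Minimal BER TLV encoder (definite lengths below 65536 suffice here)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + struct.pack(">H", n)) + body
def _read_tlv(b, i):
    """Read one BER TLV at offset i; return (tag, value, offset after it)."""
    tag, n, i = b[i], b[i + 1], i + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(b[i:i + k], "big"), i + k
    return tag, b[i:i + n], i + n
def build_message(params, pdu):
    """Message ::= SEQUENCE { version INTEGER 2, parameters OCTET STRING, plaintext PDUs }."""
    return _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x04, params) + pdu)
def sign_message(fields, pdu, key):
    """Section 3.1 steps 6-8: <authDigest> := key, serialize, then MD5(Message || key).
    A 16-octet key keeps the field the same length as the 16-octet digest that replaces it."""
    with_key = build_message(pack_parameters(*fields, key), pdu)
    digest = hashlib.md5(with_key + key).digest()
    return build_message(pack_parameters(*fields, digest), pdu), digest
def verify_message(msg, key):
    """Section 3.2 step 9b: rebuild the Message with <authDigest> := key, compare digests."""
    _, body, _ = _read_tlv(msg, 0)
    _, version, i = _read_tlv(body, 0)
    _, params, i = _read_tlv(body, i)
    f = unpack_parameters(params)
    if version != b"\x02" or f["model"] != 1 or not f["qos"] & QOS_AUTH:
        return False  # steps 2, 3 and 9 route such messages elsewhere
    fields = (f["qos"], f["agent_id"], f["boots"], f["time"], f["max_size"], f["user"], f["ctx"])
    return sign_message(fields, body[i:], key)[1] == f["digest"]
```

Because the receiver substitutes the key for the received digest before recomputing, any change to the version, the parameters or the PDU after signing produces a mismatch, which is what step 9c counts in usecStatsWrongDigestValues.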
