rfc1910.txt

          - the value of the <agentTime> field differs from the local
            notion of agentTime by more than +/- 150 seconds.

        - if the message is considered to be outside of the Time Window
          then the usecStatsNotInWindows counter is incremented, an
          authenticated report PDU is generated (see section 2.7), and
          the received message is discarded without further processing.

     d) if the LCD information indicates the SNMPv2 context is not
        realized by the local SNMPv2 entity (i.e., a manager), then:

        - if the computed digest differs from the saved authDigest
          value, then the usecStatsWrongDigestValues counter is
          incremented and the received message is discarded without

Waters                        Experimental                     [Page 22]

RFC 1910          User-based Security Model for SNMPv2     February 1996

          further processing.

        - if all of the following conditions are true:

             - if the <qoS> field indicates that privacy is not in use;

             - the SNMPv2 operation type determined from the ASN.1 tag
               value associated with the PDU's component is a Report;

             - the Report was generated due to a usecStatsNotInWindows
               error condition; and,

             - the <agentBoots> field is greater than the local value of
               agentBoots, or the <agentBoots> field is equal to the
               local value of agentBoots and the <agentTime> field is
               greater than the value of latestReceivedAgentTime,

          then the LCD entry corresponding to the value of the <agentID>
          field is updated, by setting the local value of agentBoots
          from the <agentBoots> field, the value latestReceivedAgentTime
          from the <agentTime> field, and the local value of agentTime
          from the <agentTime> field.

        - if any of the following conditions is true, then the message
          is considered to be outside of the Time Window:

          - the local value of agentBoots is 0xffffffff;

          - the <agentBoots> field is less than the local value of
            agentBoots; or,

          - the <agentBoots> field is equal to the local value of
            agentBoots and the <agentTime> field is more than 150
            seconds less than the local notion of agentTime.

        - if the message is considered to be outside of the Time Window
          then the usecStatsNotInWindows counter is incremented, and the
          received message is discarded without further processing;
          however, time synchronization procedures may be invoked.  Note
          that this procedure allows for <agentBoots> to be greater than
          the local value of agentBoots to allow for received messages
          to be accepted as authentic when received from an agent that
          has rebooted since the manager last re-synchronized.

        - if at least one of the following conditions is true:

             - the <agentBoots> field is greater than the local value of
               agentBoots; or,

             - the <agentBoots> field is equal to the local value of
               agentBoots and the <agentTime> field is greater than the
               value of latestReceivedAgentTime,

          then the LCD entry corresponding to the value of the <agentID>
          field is updated, by setting the local value of agentBoots
          from the <agentBoots> field, the local value
          latestReceivedAgentTime from the <agentTime> field, and the
          local value of agentTime from the <agentTime> field.

(10) If the <qoS> field indicates use of a privacy protocol, then the
     octet sequence representing the data component is decrypted
     according to the user's privacy protocol to obtain a serialized
     PDUs value.  Otherwise the data component is assumed to directly
     contain the PDUs value.

(11) The SNMPv2 operation type is determined from the ASN.1 tag value
     associated with the PDUs component.

(12) If the SNMPv2 operation type is a Report, then the request-id in
     the PDU is correlated to an outstanding request, and if the
     correlation is successful, the appropriate action is taken (e.g.,
     time synchronization, proxy error propagation, etc.); in
     particular, if the report PDU indicates a usecStatsNotInWindows
     condition, then the outstanding request may be retransmitted (since
     the procedure in Step 9d above should have resulted in time
     synchronization).

(13) If the SNMPv2 operation type is either a Get, GetNext, GetBulk, or
     Set operation, then:

     a) if the LCD information indicates that the SNMPv2 context is of
        type remote or remote-proxy, then the
        usecStatsUnauthorizedOperations counter is incremented, a report
        PDU is generated, and the received message is discarded without
        further processing.

     b) the LCD is consulted for access rights authorized for
        communications using the indicated qoS, on behalf of the
        indicated user, and concerning management information in the
        indicated SNMPv2 context for the particular SNMPv2 operation
        type.

     c) if the SNMPv2 operation type is not among the authorized access
        rights, then the usecStatsUnauthorizedOperations counter is
        incremented, a report PDU is generated, and the received message
        is discarded without further processing.

     d) The information extracted from the LCD concerning the user and
        the SNMPv2 context, together with the sending transport address
        of the received message is cached for later use in generating a
        response message.

     e) if the LCD information indicates the SNMPv2 context is of type
        local, then the management operation represented by the PDUs
        value is performed by the receiving SNMPv2 entity with respect
        to the relevant MIB view within the SNMPv2 context according to
        the procedures set forth in [12], where the relevant MIB view is
        determined according to the user, the agentID, the
        contextSelector, the qoS values and the type of operation
        requested.

     f) if the LCD information indicates the SNMPv2 context is of type
        local-proxy, then:

        i. the user, qoS, agentID, contextSelector and transport address
           to be used to forward the request are extracted from the LCD.
           If insufficient information concerning the user is currently
           available, then snmpProxyDrops counter [15] is incremented, a
           report PDU is generated, and the received message is
           discarded.

        ii. if an administrative flag in the LCD indicates that the
           message is to be forwarded using the SNMPv1 administrative
           framework, then the procedures described in [4] are invoked.
           Otherwise, a new SNMPv2 message is constructed: its PDUs
           component is copied from that in the received message except
           that the contained request-id is replaced by a unique value
           (this value will enable a subsequent response message to be
           correlated with this request); the <userName>, <qoS>,
           <agentID> and <contextSelector> fields are set to the values
           extracted from the LCD; the <maxSize> field is set to the
           minimum of the value in the received message and the local
           system's maximum message size for the transport domain which
           will be used to forward the message; and finally, the message
           is authenticated and/or protected from disclosure according
           to the qoS value.

        iii. the information cached in Step 13d above is augmented with
           the request-id of the received message as well as the
           request-id, agentID and contextSelector of the constructed
           message.

        iv. the constructed message is forwarded to the extracted
           transport address.

(14) If the SNMPv2 operation type is an Inform, then:

     a) if the LCD information indicates the SNMPv2 context is of type
        local or local-proxy then the usecStatsUnauthorizedOperations
        counter is incremented, a report PDU is generated, and the
        received message is discarded without further processing.

     b) if the LCD information indicates the SNMPv2 context is of type
        remote, then the Inform operation represented by the PDUs value
        is performed by the receiving SNMPv2 entity according to the
        procedures set forth in [12].

     c) if the LCD information indicates the SNMPv2 context is of type
        remote-proxy, then:

        i. a single unique request-id is selected for use by all
           forwarded copies of this request.  This value will enable the
           first response message to be correlated with this request;
           other responses are not required and should be discarded when
           received, since the agent that originated the Inform only
           requires one response to its Inform.

        ii. information is extracted from the LCD concerning all
           combinations of userName, qoS, agentID, contextSelector and
           transport address with which the received message is to be
           forwarded.

        iii. for each such combination whose access rights permit Inform
           operations to be forwarded, a new SNMPv2 message is
           constructed, as follows: its PDUs component is copied from
           that in the received message except that the contained
           request-id is replaced by the value selected in Step i above;
           its <userName>, <qoS>, <agentID> and <contextSelector> fields
           are set to the values extracted in Step ii above; and its
           <maxSize> field is set to the minimum of the value in the
           received message and the local system's maximum message size
           for the transport domain which will be used to forward this
           message.

        iv. for each constructed SNMPv2 message, information concerning
           the <userName>, <qoS>, <agentID>, <contextSelector>,
           request-id and sending transport address of the received
           message, as well as the request-id, agentID and
           contextSelector of the constructed message, is cached for
           later use in generating a response message.

        v. each constructed message is forwarded to the appropriate
           transport address extracted from the LCD in step ii above.

(15) If the SNMPv2 operation type is a Response, then:

     a) if the LCD information indicates the SNMPv2 context is of type
        local, then the usecStatsUnauthorizedOperations counter is
        incremented, a report PDU is generated, and the received message
        is discarded without further processing.

     b) if the LCD information indicates the SNMPv2 context is of type
        remote, then the Response operation represented by the PDUs
        value is performed by the receiving SNMPv2 entity according to
        the procedures set forth in [12].

     c) if the LCD information indicates the SNMPv2 context is of type
        local-proxy or remote-proxy, then:

        i. the request-id is extracted from the PDUs component of the
           received message.  The context's agentID and contextSelector
           values together with the extracted request-id are used to
           correlate this response message to the corresponding values
           for a previously forwarded request by inspecting the cache of
           information as augmented in Substep iii of Step 13f above or
           in Substep iv of 14c above.  If no such correlated
           information is found, then the received message is discarded
           without further processing.

        ii. a new SNMPv2 message is constructed: its PDUs component is
           copied from that in the received message except that the
           contained request-id is replaced by the value saved in the
           correlated information from the original request; its
           <userName>, <qoS>, <agentID> and <contextSelector> fields are
           set to the values saved from the received message. The
           <maxSize> field is set to the minimum of the value in the
           received message and the local system's maximum message size
           for the transport domain which will be used to forward the
           message. The message is authenticated and/or protected from
           disclosure according to the saved qoS value.

        iii. the constructed message is forwarded to the transport
           address saved in the correlated information as the sending
           transport address of the original request.

        iv. the correlated information is deleted from the cache of
           information.

(16) If the SNMPv2 operation type is a SNMPv2-Trap, then:

     a) if the LCD information indicates the SNMPv2 context is of type
        local or local-proxy, then the usecStatsUnauthorizedOperations
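
Added example, not part of RFC 1910: the manager-side timeliness check of Step 9d above, written out in Python. The LcdEntry class, the function names, the digest_ok and not_in_windows_report flags (standing in for the digest comparison and for "a Report generated due to a usecStatsNotInWindows error condition") and all sample values are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

WINDOW = 150             # seconds, the Time Window in Step 9d
BOOTS_MAX = 0xFFFFFFFF   # a local agentBoots at this value always fails the check

@dataclass
class LcdEntry:
    """Hypothetical holder for the LCD values kept per agentID."""
    agent_boots: int
    agent_time: int                  # snapshot of the local notion of agentTime
    latest_received_agent_time: int

def is_newer(lcd, boots, time):
    # Condition under which Step 9d allows the LCD entry to be updated.
    return boots > lcd.agent_boots or (
        boots == lcd.agent_boots and time > lcd.latest_received_agent_time)

def resync(lcd, boots, time):
    lcd.agent_boots = boots
    lcd.latest_received_agent_time = time
    lcd.agent_time = time

def manager_check(lcd, stats, boots, time, digest_ok=True,
                  privacy=False, not_in_windows_report=False):
    """Return 'accept' or 'discard' for a message from a remote agent."""
    if not digest_ok:
        stats["usecStatsWrongDigestValues"] += 1
        return "discard"
    # A cleartext Report raised for usecStatsNotInWindows may resynchronize first.
    if not privacy and not_in_windows_report and is_newer(lcd, boots, time):
        resync(lcd, boots, time)
    outside = (lcd.agent_boots == BOOTS_MAX
               or boots < lcd.agent_boots
               or (boots == lcd.agent_boots and time < lcd.agent_time - WINDOW))
    if outside:
        stats["usecStatsNotInWindows"] += 1
        return "discard"
    if is_newer(lcd, boots, time):   # accept reboots and forward progress
        resync(lcd, boots, time)
    return "accept"

if __name__ == "__main__":
    stats = Counter()
    # Constructed values: the local clock has run 400 s past the last agent message.
    lcd = LcdEntry(agent_boots=5, agent_time=1400, latest_received_agent_time=1000)
    print(manager_check(lcd, stats, 5, 1100))                              # stale
    print(manager_check(lcd, stats, 5, 1100, not_in_windows_report=True))  # resync
    print(manager_check(lcd, stats, 6, 10), lcd)                           # reboot
    print(dict(stats))
```

The first two calls carry the same <agentBoots> and <agentTime>; only the authenticated Report is allowed to pull the manager's notion of agentTime back inside the window, and only because its time is still greater than latestReceivedAgentTime.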
