rfc2274.txt
         securityLevel are extracted from the cachedSecurityData.  The
         cachedSecurityData can now be discarded.

         Otherwise,

      b) based on the securityName, information concerning the user at
         the destination snmpEngineID, specified by the
         securityEngineID, is extracted from the Local Configuration
         Datastore (LCD, usmUserTable).  If information about the user
         is absent from the LCD, then an error indication
         (unknownSecurityName) is returned to the calling module.

   2) If the securityLevel specifies that the message is to be protected
      from disclosure, but the user does not support both an
      authentication and a privacy protocol then the message cannot be
      sent.  An error indication (unsupportedSecurityLevel) is returned
      to the calling module.

   3) If the securityLevel specifies that the message is to be
      authenticated, but the user does not support an authentication
      protocol, then the message cannot be sent.  An error indication
      (unsupportedSecurityLevel) is returned to the calling module.

   4) a) If the securityLevel specifies that the message is to be
         protected from disclosure, then the octet sequence representing
         the serialized scopedPDU is encrypted according to the user's
         privacy protocol.  To do so a call is made to the privacy
         module that implements the user's privacy protocol according to
         the abstract primitive:

         statusInformation =             -- success or failure
           encryptData(
           IN    encryptKey              -- user's localized privKey
           IN    dataToEncrypt           -- serialized scopedPDU
           OUT   encryptedData           -- serialized encryptedPDU
           OUT   privParameters          -- serialized privacy parameters
                )

Blumenthal & Wijnen         Standards Track                    [Page 22]

RFC 2274                    USM for SNMPv3                  January 1998

         statusInformation
             indicates if the encryption process was successful or not.

         encryptKey
             the user's localized private privKey is the secret key that
             can be used by the encryption algorithm.

         dataToEncrypt
             the serialized scopedPDU is the data to be encrypted.

         encryptedData
             the encryptedPDU represents the encrypted scopedPDU, encoded
             as an OCTET STRING.

         privParameters
             the privacy parameters, encoded as an OCTET STRING.

         If the privacy module returns failure, then the message cannot
         be sent and an error indication (encryptionError) is returned
         to the calling module.

         If the privacy module returns success, then the returned
         privParameters are put into the msgPrivacyParameters field of
         the securityParameters and the encryptedPDU serves as the
         payload of the message being prepared.

         Otherwise,

      b) If the securityLevel specifies that the message is not to be
         protected from disclosure, then the NULL string is encoded as
         an OCTET STRING and put into the msgPrivacyParameters field of
         the securityParameters and the plaintext scopedPDU serves as
         the payload of the message being prepared.

   5) The snmpEngineID is encoded as an OCTET STRING into the
      msgAuthoritativeEngineID field of the securityParameters.  Note
      that an empty (zero length) snmpEngineID is OK for a Request
      message, because that will cause the remote (authoritative) SNMP
      engine to return a Report PDU with the proper snmpEngineID
      included in the msgAuthoritativeEngineID in the securityParameters
      of that returned Report PDU.

   6) a) If the securityLevel specifies that the message is to be
         authenticated, then the current values of snmpEngineBoots and
         snmpEngineTime corresponding to the snmpEngineID from the LCD
         are used.

         Otherwise,

      b) If this is a Response message, then the current value of
         snmpEngineBoots and snmpEngineTime corresponding to the local
         snmpEngineID from the LCD are used.

         Otherwise,

      c) If this is a Request message, then a zero value is used for
         both snmpEngineBoots and snmpEngineTime.  This zero value gets
         used if snmpEngineID is empty.

      The values are encoded as INTEGER respectively into the
      msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime fields
      of the securityParameters.
   7) The userName is encoded as an OCTET STRING into the msgUserName
      field of the securityParameters.

   8) a) If the securityLevel specifies that the message is to be
         authenticated, the message is authenticated according to the
         user's authentication protocol.  To do so a call is made to the
         authentication module that implements the user's authentication
         protocol according to the abstract service primitive:

         statusInformation =
           authenticateOutgoingMsg(
           IN    authKey                 -- the user's localized authKey
           IN    wholeMsg                -- unauthenticated message
           OUT   authenticatedWholeMsg   -- authenticated complete message
                )

         statusInformation
             indicates if authentication was successful or not.

         authKey
             the user's localized private authKey is the secret key that
             can be used by the authentication algorithm.

         wholeMsg
             the complete serialized message to be authenticated.

         authenticatedWholeMsg
             the same as the input given to the authenticateOutgoingMsg
             service, but with msgAuthenticationParameters properly
             filled in.

         If the authentication module returns failure, then the message
         cannot be sent and an error indication (authenticationFailure)
         is returned to the calling module.

         If the authentication module returns success, then the
         msgAuthenticationParameters field is put into the
         securityParameters and the authenticatedWholeMsg represents the
         serialization of the authenticated message being prepared.

         Otherwise,

      b) If the securityLevel specifies that the message is not to be
         authenticated then the NULL string is encoded as an OCTET
         STRING into the msgAuthenticationParameters field of the
         securityParameters.  The wholeMsg is now serialized and then
         represents the unauthenticated message being prepared.

   9) The completed message with its length is returned to the calling
      module with the statusInformation set to success.

3.2.  Processing an Incoming SNMP Message

   This section describes the procedure followed by an SNMP engine
   whenever it receives a message containing a management operation on
   behalf of a user, with a particular securityLevel.

   To simplify the elements of procedure, the release of state
   information is not always explicitly specified.  As a general rule,
   if state information is available when a message gets discarded, the
   state information should also be released.  Also, when an error
   indication with an OID and value for an incremented counter is
   returned, then the available information (like
   securityStateReference) must be passed back to the caller so it can
   generate a Report PDU.

   1) If the received securityParameters is not the serialization
      (according to the conventions of [RFC1906]) of an OCTET STRING
      formatted according to the UsmSecurityParameters defined in
      section 2.4, then the snmpInASNParseErrs counter [RFC1907] is
      incremented, and an error indication (parseError) is returned to
      the calling module.  Note that we return without the OID and value
      of the incremented counter, because in this case there is not
      enough information to generate a Report PDU.

   2) The values of the security parameter fields are extracted from the
      securityParameters.  The securityEngineID to be returned to the
      caller is the value of the msgAuthoritativeEngineID field.  The
      cachedSecurityData is prepared and a securityStateReference is
      prepared to reference this data.
      Values to be cached are:

         msgUserName
         securityEngineID
         securityLevel

   3) If the value of the msgAuthoritativeEngineID field in the
      securityParameters is unknown then:

      a) a non-authoritative SNMP engine that performs discovery may
         optionally create a new entry in its Local Configuration
         Datastore (LCD) and continue processing;

         or

      b) the usmStatsUnknownEngineIDs counter is incremented, and an
         error indication (unknownEngineID) together with the OID and
         value of the incremented counter is returned to the calling
         module.

   4) Information about the value of the msgUserName and
      msgAuthoritativeEngineID fields is extracted from the Local
      Configuration Datastore (LCD, usmUserTable).  If no information is
      available for the user, then the usmStatsUnknownUserNames counter
      is incremented and an error indication (unknownSecurityName)
      together with the OID and value of the incremented counter is
      returned to the calling module.

   5) If the information about the user indicates that it does not
      support the securityLevel requested by the caller, then the
      usmStatsUnsupportedSecLevels counter is incremented and an error
      indication (unsupportedSecurityLevel) together with the OID and
      value of the incremented counter is returned to the calling
      module.

   6) If the securityLevel specifies that the message is to be
      authenticated, then the message is authenticated according to the
      user's authentication protocol.  To do so a call is made to the
      authentication module that implements the user's authentication
      protocol according to the abstract service primitive:

      statusInformation =             -- success or failure
        authenticateIncomingMsg(
        IN    authKey                 -- the user's localized authKey
        IN    authParameters          -- as received on the wire
        IN    wholeMsg                -- as received on the wire
        OUT   authenticatedWholeMsg   -- checked for authentication
             )

      statusInformation
          indicates if authentication was successful or not.

      authKey
          the user's localized private authKey is the secret key that
          can be used by the authentication algorithm.

      wholeMsg
          the complete serialized message to be authenticated.

      authenticatedWholeMsg
          the same as the input given to the authenticateIncomingMsg
          service, but after authentication has been checked.

      If the authentication module returns failure, then the message
      cannot be trusted, so the usmStatsWrongDigests counter is
      incremented and an error indication (authenticationFailure)
      together with the OID and value of the incremented counter is
      returned to the calling module.

      If the authentication module returns success, then the message is
      authentic and can be trusted so processing continues.

   7) If the securityLevel indicates an authenticated message, then the
      local values of snmpEngineBoots and snmpEngineTime corresponding
      to the value of the msgAuthoritativeEngineID field are extracted
      from the Local Configuration Datastore.

      a) If the extracted value of msgAuthoritativeEngineID is the same
         as the value of snmpEngineID of the processing SNMP engine
         (meaning this is the authoritative SNMP engine), then if any of
         the following conditions is true, then the message is
         considered to be outside of the Time Window:

         - the local value of snmpEngineBoots is 2147483647;
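The following is an added illustration, not text or code from RFC 2274: it models the authenticateOutgoingMsg primitive of section 3.1 step 8a and steps 3 through 6 of the incoming procedure in section 3.2 (unknown engine, unknown user, unsupported securityLevel, wrong digest), each failure incrementing the usmStats counter named in the text. It assumes HMAC-MD5-96 with the 12-octet msgAuthenticationParameters field zeroed while the digest is computed (the convention the RFC specifies elsewhere, not in this section), and the LCD, keys and message bytes are constructed sample values.

```python
import collections, hashlib, hmac

NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3   # SNMPv3 securityLevel values
DIGEST_LEN = 12  # 12-octet msgAuthenticationParameters (HMAC-MD5-96 is assumed here)

def hmac_md5_96(auth_key, whole_msg, offset):
    # Digest over wholeMsg with the auth-parameters field at `offset` treated as zeros,
    # so sender and receiver hash identical bytes.
    zeroed = whole_msg[:offset] + bytes(DIGEST_LEN) + whole_msg[offset + DIGEST_LEN:]
    return hmac.new(auth_key, zeroed, hashlib.md5).digest()[:DIGEST_LEN]

def authenticate_outgoing_msg(auth_key, whole_msg, offset):
    """Step 8a primitive: return wholeMsg with msgAuthenticationParameters filled in."""
    mac = hmac_md5_96(auth_key, whole_msg, offset)
    return whole_msg[:offset] + mac + whole_msg[offset + DIGEST_LEN:]

def authenticate_incoming_msg(auth_key, whole_msg, offset):
    """Section 3.2 step 6 primitive: constant-time check of the received digest."""
    received = whole_msg[offset:offset + DIGEST_LEN]
    return hmac.compare_digest(received, hmac_md5_96(auth_key, whole_msg, offset))

def process_incoming(lcd, counters, engine_id, user_name, security_level, whole_msg, offset):
    """Section 3.2 steps 3-6.  Returns None on success, otherwise the error indication
    after incrementing the usmStats counter the caller puts into its Report PDU."""
    if engine_id not in {eid for eid, _ in lcd}:               # step 3b
        counters["usmStatsUnknownEngineIDs"] += 1
        return "unknownEngineID"
    user = lcd.get((engine_id, user_name))                      # step 4
    if user is None:
        counters["usmStatsUnknownUserNames"] += 1
        return "unknownSecurityName"
    auth_key, priv_key = user                                   # step 5
    supported = AUTH_PRIV if auth_key and priv_key else AUTH_NO_PRIV if auth_key else NO_AUTH_NO_PRIV
    if security_level > supported:
        counters["usmStatsUnsupportedSecLevels"] += 1
        return "unsupportedSecurityLevel"
    if security_level >= AUTH_NO_PRIV and not authenticate_incoming_msg(auth_key, whole_msg, offset):
        counters["usmStatsWrongDigests"] += 1                   # step 6
        return "authenticationFailure"
    return None

# Constructed sample LCD (usmUserTable) with one authNoPriv-capable user; the localized
# authKey is a made-up 16-octet constant, not derived from any real password.
ENGINE_ID = b"\x80\x00\x00\x00\x01engine-A"
AUTH_KEY = bytes(range(16))
LCD = {(ENGINE_ID, b"opsuser"): (AUTH_KEY, None)}
COUNTERS = collections.defaultdict(int)   # usmStats* counters, all starting at zero
# Constructed wholeMsg: header bytes, a zero-filled 12-octet auth field, then the scopedPDU.
HEADER, PAYLOAD = b"\x30\x40hdr", b"scopedPDU-bytes"
UNAUTH_MSG = HEADER + bytes(DIGEST_LEN) + PAYLOAD
OFFSET = len(HEADER)
```

A message that fails any step is rejected before its scopedPDU is looked at, and the counter the caller reports tells an operator which check rejected it.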