rfc1352.txt

Well-known RFC documents; some of them have been translated into Chinese.
RFC 1352                SNMP Security Protocols                July 1992

      SnmpMgmtCom ::= [1] IMPLICIT SEQUENCE {
        dstParty
          OBJECT IDENTIFIER,
        srcParty
          OBJECT IDENTIFIER,
        pdu
          PDUs
      }

   For each SnmpMgmtCom value that represents a SNMP management
   communication, the following statements are true:

     o Its dstParty component is called the destination and
       identifies the SNMP party to which the communication
       is directed.

     o Its srcParty component is called the source and
       identifies the SNMP party from which the
       communication is originated.

     o Its pdu component has the form and significance
       attributed to it in [1].

   Recall from [2] that a SNMP authenticated management communication is
   represented by an ASN.1 value with the following syntax.

      SnmpAuthMsg ::= [1] IMPLICIT SEQUENCE {
        authInfo
          ANY, -- defined by authentication protocol
        authData
          SnmpMgmtCom
      }

   For each SnmpAuthMsg value that represents a SNMP authenticated
   management communication, the following statements are true:

     o Its authInfo component is called the authentication
       information and represents information required in
       support of the authentication protocol used by the
       SNMP party originating the message.  The detailed
       significance of the authentication information is specific
       to the authentication protocol in use; it has no effect on
       the application semantics of the communication other
       than its use by the authentication protocol in
       determining whether the communication is authentic or
       not.

     o Its authData component is called the authentication
       data and represents a SNMP management
       communication.

   In support of the Digest Authentication Protocol, an authInfo
   component is of type AuthInformation:

      AuthInformation ::= [1] IMPLICIT SEQUENCE {
        authTimestamp
          INTEGER (0..2147483647),
        authNonce
          INTEGER (0..2147483647),
        authDigest
          OCTET STRING
      }

   For each AuthInformation value that represents authentication
   information, the following statements are true:

     o Its authTimestamp component is called the
       authentication timestamp and represents the time of the
       generation of the message according to the
       partyAuthClock of the SNMP party that originated
       it.  Note that the granularity of the authentication
       timestamp is 1 second.

     o Its authNonce component is called the authentication
       nonce and represents a non-negative integer value
       evaluated according to the authTimestamp value.  In
       order not to limit transmission frequency of management
       communications to the granularity of the authentication
       timestamp, the authentication nonce is provided to
       differentiate between multiple messages sent with the
       same value of authTimestamp.  The authentication
       nonce is a monotonically increasing sequence number
       that is reset for each new authentication timestamp
       value.

     o Its authDigest component is called the authentication
       digest and represents the digest computed over an
       appropriate portion of the message, where the message is
       temporarily prefixed with a secret value for the purposes
       of computing the digest.

4.1   Generating a Message

   This section describes the behavior of a SNMP protocol entity when it
   acts as a SNMP party for which the authentication protocol is
   administratively specified as the Digest Authentication Protocol.

   Insofar as the behavior of a SNMP protocol entity when transmitting
   protocol messages is defined generically in [2], only those aspects
   of that behavior that are specific to the Digest Authentication
   Protocol are described below.  In particular, this section describes
   the encapsulation of a SNMP management communication into a SNMP
   authenticated management communication.

   According to [2], a SnmpAuthMsg value is constructed during Step 3 of
   generic processing.  In particular, it states the authInfo component
   is constructed according to the authentication protocol identified
   for the SNMP party originating the message.  When the relevant
   authentication protocol is the Digest Authentication Protocol, the
   procedure performed by a SNMP protocol entity whenever a management
   communication is to be transmitted by a SNMP party is as follows.

    1. The local database is consulted to determine the
       authentication clock, last-timestamp, nonce, and private
       authentication key (extracted, for example, according to
       the conventions defined in Section 2.4.1) of the SNMP
       party originating the message.

    2. The authTimestamp component is set to the retrieved
       authentication clock value.

    3. If the last-timestamp is equal to the authentication
       clock, the nonce is incremented.  Otherwise the nonce is
       set to zero.  The authNonce component is set to the
       nonce value.  In the local database, the originating
       SNMP party's nonce and last-timestamp are set to the
       nonce value and the authentication clock, respectively.

    4. The authentication digest is temporarily set to the
       private authentication key.  The SnmpAuthMsg value
       is serialized according to the conventions of [12] and [1].
       A digest is computed over the octet sequence
       representing that serialized value using, for example, the
       algorithm specified in Section 2.4.1.  The authDigest
       component is set to the computed digest value.

   As set forth in [2], the SnmpAuthMsg value is then encapsulated
   according to the appropriate privacy protocol into a SnmpPrivMsg
   value.  This latter value is then serialized and transmitted to the
   receiving SNMP party.

4.2   Receiving a Message

   This section describes the behavior of a SNMP protocol entity upon
   receipt of a protocol message from a SNMP party for which the
   authentication protocol is administratively specified as the Digest
   Authentication Protocol.  Insofar as the behavior of a SNMP protocol
   entity when receiving protocol messages is defined generically in
   [2], only those aspects of that behavior that are specific to the
   Digest Authentication Protocol are described below.

   According to [2], a SnmpAuthMsg value is evaluated during Step 9 of
   generic processing.  In particular, it states the SnmpAuthMsg value is
   evaluated according to the authentication protocol identified for the
   SNMP party that originated the message.  When the relevant
   authentication protocol is the Digest Authentication Protocol, the
   procedure performed by a SNMP protocol entity whenever a management
   communication is received by a SNMP party is as follows.

    1. If the ASN.1 type of the authInfo component is not
       AuthInformation, the message is evaluated as
       unauthentic.  Otherwise, the authTimestamp,
       authNonce, and authDigest components are
       extracted from the SnmpAuthMsg value.

    2. The local database is consulted to determine the
       authentication clock, last-timestamp, nonce, private
       authentication key (extracted, for example, according to
       the conventions defined in Section 2.4.1), and lifetime of
       the SNMP party that originated the message.

    3. If the authTimestamp component plus the lifetime is
       less than the authentication clock, the message is
       evaluated as unauthentic.

    4. If the authTimestamp component is less than the
       last-timestamp recorded for the originating party in the
       local database, the message is evaluated as unauthentic.

    5. If the authTimestamp component is equal to the
       last-timestamp and if the authNonce component is less
       than or equal to the nonce, the message is evaluated as
       unauthentic.

    6. The authDigest component is extracted and
       temporarily recorded.

    7. A new SnmpAuthMsg value is constructed such that
       its authDigest component is set to the private
       authentication key and its other components are set to
       the value of the corresponding components in the
       received SnmpAuthMsg value.  This new
       SnmpAuthMsg value is serialized according to the
       conventions of [12] and [1].  A digest is computed over
       the octet sequence representing that serialized value
       using, for example, the algorithm specified in
       Section 2.4.1.

    8. If the computed digest value is not equal to the
       previously recorded digest value, the message is
       evaluated as unauthentic.

    9. The message is evaluated as authentic.

   10. The last-timestamp and nonce values locally recorded
       for the originating SNMP party are set to the
       authTimestamp value and the authNonce value,
       respectively.

   11. The authentication clock value locally recorded for the
       originating SNMP party is advanced to the
       authTimestamp value if this latter exceeds the
       recorded value.

   If the SnmpAuthMsg value is evaluated as unauthentic, an
   authentication failure is noted and the received message is discarded
   without further processing.
   Otherwise, processing of the received
   message continues as specified in [2].

5.  Symmetric Privacy Protocol

   This section describes the Symmetric Privacy Protocol.  It provides
   for protection from disclosure of a received message.  An appropriate
   portion of the message is encrypted according to a secret key known
   only to the originator and recipient of the message.

   This protocol assumes the underlying mechanism is a symmetric
   encryption algorithm.  In addition, the message to be encrypted must
   be protected according to the conventions of the Digest
   Authentication Protocol.

   Recall from [2] that a SNMP private management communication is
   represented by an ASN.1 value with the following syntax.

      SnmpPrivMsg ::= [1] IMPLICIT SEQUENCE {
        privDst
          OBJECT IDENTIFIER,
        privData
          [1] IMPLICIT OCTET STRING
      }

   For each SnmpPrivMsg value that represents a SNMP private management
   communication, the following statements are true:

     o Its privDst component is called the privacy destination
       and identifies the SNMP party to which the
       communication is directed.

     o Its privData component is called the privacy data and
       represents the (possibly encrypted) serialization
       (according to the conventions of [12] and [1]) of a SNMP
       authenticated management communication.

5.1   Generating a Message

   This section describes the behavior of a SNMP protocol entity when it
   communicates with a SNMP party for which the privacy protocol is
   administratively specified as the Symmetric Privacy Protocol.  Insofar
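The Digest Authentication Protocol procedures of sections 4.1 (generation, steps 1 to 4) and 4.2 (receipt, steps 1 to 11) above, carried through in Python as an added worked example; this is not code from RFC 1352 or from any SNMP implementation. It assumes MD5 as the digest algorithm (what section 2.4.1 of RFC 1352, which is not reproduced on this page, specifies), replaces the BER serialization of [12] and [1] with a fixed stand-in byte layout, and uses constructed party identifiers, a constructed private key and constructed PDU bytes. The demo exercises what the receiver rejects and why: a tampered copy (digest mismatch, step 8), a replayed message (nonce not fresh, step 5) and a message older than the lifetime (step 3).

```python
"""RFC 1352 Digest Authentication Protocol, sections 4.1 and 4.2, as an
added worked example.  Serialization and all sample values are stand-ins."""
import hashlib
from dataclasses import dataclass


@dataclass
class PartyState:
    """Local-database record kept for one SNMP party: authentication
    clock, private key, lifetime, last-timestamp and nonce."""
    auth_clock: int          # partyAuthClock, 1-second granularity
    private_key: bytes       # private authentication key
    lifetime: int            # seconds for which a message stays acceptable
    last_timestamp: int = 0
    nonce: int = 0


@dataclass
class SnmpMgmtCom:
    dstParty: str            # OBJECT IDENTIFIER, kept as dotted text here
    srcParty: str
    pdu: bytes               # PDUs, assumed already serialized


@dataclass
class AuthInformation:
    authTimestamp: int
    authNonce: int
    authDigest: bytes


@dataclass
class SnmpAuthMsg:
    authInfo: object         # ANY: AuthInformation for the digest protocol
    authData: SnmpMgmtCom


def serialize(msg: SnmpAuthMsg) -> bytes:
    """Stand-in for the BER serialization of [12] and [1]: any fixed,
    unambiguous byte layout is enough to demonstrate the digest logic."""
    ai, ad = msg.authInfo, msg.authData
    return b"".join([
        ai.authTimestamp.to_bytes(4, "big"),
        ai.authNonce.to_bytes(4, "big"),
        len(ai.authDigest).to_bytes(2, "big"), ai.authDigest,
        ad.dstParty.encode(), b"\x00",
        ad.srcParty.encode(), b"\x00",
        ad.pdu,
    ])


def compute_digest(msg: SnmpAuthMsg, private_key: bytes) -> bytes:
    """Generation step 4 / receipt step 7: digest the serialized SnmpAuthMsg
    with authDigest temporarily set to the private key (MD5 assumed)."""
    prefixed = SnmpAuthMsg(
        AuthInformation(msg.authInfo.authTimestamp,
                        msg.authInfo.authNonce, private_key),
        msg.authData)
    return hashlib.md5(serialize(prefixed)).digest()


def generate(party: PartyState, com: SnmpMgmtCom) -> SnmpAuthMsg:
    """Section 4.1: wrap a SnmpMgmtCom on behalf of the originating party."""
    timestamp = party.auth_clock                     # step 2
    if party.last_timestamp == timestamp:            # step 3
        party.nonce += 1
    else:
        party.nonce = 0
    party.last_timestamp = timestamp
    msg = SnmpAuthMsg(AuthInformation(timestamp, party.nonce, b""), com)
    msg.authInfo.authDigest = compute_digest(msg, party.private_key)  # step 4
    return msg


def receive(origin: PartyState, msg: SnmpAuthMsg) -> bool:
    """Section 4.2: `origin` is the receiver's local record of the party
    that originated the message.  Returns True iff the message is
    authentic; local state is updated only then (steps 10 and 11)."""
    ai = msg.authInfo
    if not isinstance(ai, AuthInformation):                    # step 1
        return False
    if ai.authTimestamp + origin.lifetime < origin.auth_clock:  # step 3
        return False
    if ai.authTimestamp < origin.last_timestamp:               # step 4
        return False
    if (ai.authTimestamp == origin.last_timestamp
            and ai.authNonce <= origin.nonce):                 # step 5
        return False
    if compute_digest(msg, origin.private_key) != ai.authDigest:  # 6-8
        return False
    origin.last_timestamp = ai.authTimestamp                   # step 10
    origin.nonce = ai.authNonce
    if ai.authTimestamp > origin.auth_clock:                   # step 11
        origin.auth_clock = ai.authTimestamp
    return True


def demo() -> dict:
    """Constructed scenario: two messages in one second, a tampered copy,
    a replay and a message that is older than the lifetime."""
    key = b"constructed-private-key"                              # constructed
    sender = PartyState(auth_clock=1000, private_key=key, lifetime=60)
    origin = PartyState(auth_clock=1000, private_key=key, lifetime=60)
    com = SnmpMgmtCom("1.2.3.4.1", "1.2.3.4.2", b"\x30\x00")       # constructed
    m1 = generate(sender, com)                 # authNonce 0
    m2 = generate(sender, com)                 # same second: authNonce 1
    tampered = SnmpAuthMsg(m2.authInfo, SnmpMgmtCom(
        com.dstParty, com.srcParty, b"\x30\x02\x05\x00"))
    stale_origin = PartyState(auth_clock=1100, private_key=key, lifetime=60)
    return {
        "m1": receive(origin, m1),              # True
        "tampered": receive(origin, tampered),  # False: step 8
        "m2": receive(origin, m2),              # True
        "m1_replayed": receive(origin, m1),     # False: step 5
        "stale": receive(stale_origin, m1),     # False: step 3
        "origin_nonce": origin.nonce,           # 1
    }


if __name__ == "__main__":
    print(demo())
```

The receiver records the originating party's last-timestamp and nonce only after step 9 succeeds, so a rejected message (tampered or replayed) leaves the stored state untouched and cannot push the window forward; that ordering is what makes the timestamp and nonce checks of steps 3 to 5 hold up.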