📄 rfc3414.txt
Blumenthal & Wijnen         Standards Track                    [Page 22]
RFC 3414                     USM for SNMPv3                December 2002

   1) a) If any securityStateReference is passed (Response or Report
         message), then information concerning the user is extracted
         from the cachedSecurityData.  The cachedSecurityData can now be
         discarded.  The securityEngineID is set to the local
         snmpEngineID.  The securityLevel is set to the value specified
         by the calling module.

         Otherwise,

      b) based on the securityName, information concerning the user at
         the destination snmpEngineID, specified by the
         securityEngineID, is extracted from the Local Configuration
         Datastore (LCD, usmUserTable).  If information about the user
         is absent from the LCD, then an error indication
         (unknownSecurityName) is returned to the calling module.

   2) If the securityLevel specifies that the message is to be protected
      from disclosure, but the user does not support both an
      authentication and a privacy protocol, then the message cannot be
      sent.  An error indication (unsupportedSecurityLevel) is returned
      to the calling module.

   3) If the securityLevel specifies that the message is to be
      authenticated, but the user does not support an authentication
      protocol, then the message cannot be sent.  An error indication
      (unsupportedSecurityLevel) is returned to the calling module.

   4) a) If the securityLevel specifies that the message is to be
         protected from disclosure, then the octet sequence representing
         the serialized scopedPDU is encrypted according to the user's
         privacy protocol.

         To do so a call is made to the privacy module that implements
         the user's privacy protocol according to the abstract
         primitive:

         statusInformation =       -- success or failure
           encryptData(
           IN    encryptKey        -- user's localized privKey
           IN    dataToEncrypt     -- serialized scopedPDU
           OUT   encryptedData     -- serialized encryptedPDU
           OUT   privParameters    -- serialized privacy parameters
                 )

         statusInformation
           indicates if the encryption process was successful or not.

         encryptKey
           the user's localized private privKey is the secret key that
           can be used by the encryption algorithm.

         dataToEncrypt
           the serialized scopedPDU is the data to be encrypted.

         encryptedData
           the encryptedPDU represents the encrypted scopedPDU, encoded
           as an OCTET STRING.

         privParameters
           the privacy parameters, encoded as an OCTET STRING.

         If the privacy module returns failure, then the message cannot
         be sent and an error indication (encryptionError) is returned
         to the calling module.

         If the privacy module returns success, then the returned
         privParameters are put into the msgPrivacyParameters field of
         the securityParameters and the encryptedPDU serves as the
         payload of the message being prepared.

         Otherwise,

      b) If the securityLevel specifies that the message is not to be
         protected from disclosure, then a zero-length OCTET STRING is
         encoded into the msgPrivacyParameters field of the
         securityParameters and the plaintext scopedPDU serves as the
         payload of the message being prepared.

   5) The securityEngineID is encoded as an OCTET STRING into the
      msgAuthoritativeEngineID field of the securityParameters.  Note
      that an empty (zero length) securityEngineID is OK for a Request
      message, because that will cause the remote (authoritative) SNMP
      engine to return a Report PDU with the proper securityEngineID
      included in the msgAuthoritativeEngineID in the securityParameters
      of that returned Report PDU.

   6) a) If the securityLevel specifies that the message is to be
         authenticated, then the current values of snmpEngineBoots and
         snmpEngineTime corresponding to the securityEngineID from the
         LCD are used.

         Otherwise,

      b) If this is a Response or Report message, then the current value
         of snmpEngineBoots and snmpEngineTime corresponding to the
         local snmpEngineID from the LCD are used.

         Otherwise,

      c) If this is a Request message, then a zero value is used for
         both snmpEngineBoots and snmpEngineTime.  This zero value gets
         used if snmpEngineID is empty.

         The values are encoded as INTEGER respectively into the
         msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime
         fields of the securityParameters.

   7) The userName is encoded as an OCTET STRING into the msgUserName
      field of the securityParameters.

   8) a) If the securityLevel specifies that the message is to be
         authenticated, the message is authenticated according to the
         user's authentication protocol.

         To do so a call is made to the authentication module that
         implements the user's authentication protocol according to the
         abstract service primitive:

         statusInformation =
           authenticateOutgoingMsg(
           IN  authKey               -- the user's localized authKey
           IN  wholeMsg              -- unauthenticated message
           OUT authenticatedWholeMsg -- authenticated complete message
               )

         statusInformation
           indicates if authentication was successful or not.

         authKey
           the user's localized private authKey is the secret key that
           can be used by the authentication algorithm.

         wholeMsg
           the complete serialized message to be authenticated.

         authenticatedWholeMsg
           the same as the input given to the authenticateOutgoingMsg
           service, but with msgAuthenticationParameters properly
           filled in.

         If the authentication module returns failure, then the message
         cannot be sent and an error indication (authenticationFailure)
         is returned to the calling module.

         If the authentication module returns success, then the
         msgAuthenticationParameters field is put into the
         securityParameters and the authenticatedWholeMsg represents the
         serialization of the authenticated message being prepared.

         Otherwise,

      b) If the securityLevel specifies that the message is not to be
         authenticated, then a zero-length OCTET STRING is encoded into
         the msgAuthenticationParameters field of the
         securityParameters.  The wholeMsg is now serialized and then
         represents the unauthenticated message being prepared.

   9) The completed message with its length is returned to the calling
      module with the statusInformation set to success.

3.2.  Processing an Incoming SNMP Message

   This section describes the procedure followed by an SNMP engine
   whenever it receives a message containing a management operation on
   behalf of a user, with a particular securityLevel.

   To simplify the elements of procedure, the release of state
   information is not always explicitly specified.  As a general rule,
   if state information is available when a message gets discarded, the
   state information should also be released.  Also, an error indication
   can return an OID and value for an incremented counter and optionally
   a value for securityLevel, and values for contextEngineID or
   contextName for the counter.  In addition, the securityStateReference
   data is returned if any such information is available at the point
   where the error is detected.

   1)  If the received securityParameters is not the serialization
       (according to the conventions of [RFC3417]) of an OCTET STRING
       formatted according to the UsmSecurityParameters defined in
       section 2.4, then the snmpInASNParseErrs counter [RFC3418] is
       incremented, and an error indication (parseError) is returned to
       the calling module.  Note that we return without the OID and
       value of the incremented counter, because in this case there is
       not enough information to generate a Report PDU.

   2)  The values of the security parameter fields are extracted from
       the securityParameters.  The securityEngineID to be returned to
       the caller is the value of the msgAuthoritativeEngineID field.
       The cachedSecurityData is prepared and a securityStateReference
       is prepared to reference this data.  Values to be cached are:

          msgUserName

   3)  If the value of the msgAuthoritativeEngineID field in the
       securityParameters is unknown then:

       a) a non-authoritative SNMP engine that performs discovery may
          optionally create a new entry in its Local Configuration
          Datastore (LCD) and continue processing;

          or

       b) the usmStatsUnknownEngineIDs counter is incremented, and an
          error indication (unknownEngineID) together with the OID and
          value of the incremented counter is returned to the calling
          module.

       Note in the event that a zero-length, or other illegally sized
       msgAuthoritativeEngineID is received, b) should be chosen to
       facilitate engineID discovery.  Otherwise the choice between a)
       and b) is an implementation issue.

   4)  Information about the value of the msgUserName and
       msgAuthoritativeEngineID fields is extracted from the Local
       Configuration Datastore (LCD, usmUserTable).  If no information
       is available for the user, then the usmStatsUnknownUserNames
       counter is incremented and an error indication
       (unknownSecurityName) together with the OID and value of the
       incremented counter is returned to the calling module.

   5)  If the information about the user indicates that it does not
       support the securityLevel requested by the caller, then the
       usmStatsUnsupportedSecLevels counter is incremented and an error
       indication (unsupportedSecurityLevel) together with the OID and
       value of the incremented counter is returned to the calling
       module.

   6)  If the securityLevel specifies that the message is to be
       authenticated, then the message is authenticated according to the
       user's authentication protocol.

       To do so a call is made to the authentication module that
       implements the user's authentication protocol according to the
       abstract service primitive:

       statusInformation =          -- success or failure
         authenticateIncomingMsg(
         IN   authKey               -- the user's localized authKey
         IN   authParameters        -- as received on the wire
         IN   wholeMsg              -- as received on the wire
         OUT  authenticatedWholeMsg -- checked for authentication
              )

       statusInformation
         indicates if authentication was successful or not.

       authKey
         the user's localized private authKey is the secret key that
         can be used by the authentication algorithm.

       wholeMsg
         the complete serialized message to be authenticated.

       authenticatedWholeMsg
         the same as the input given to the authenticateIncomingMsg
         service, but after authentication has been checked.

       If the authentication module returns failure, then the message
       cann
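A worked example covering both procedures above: the sender side of section 3.1 (steps 4b to 9, building the securityParameters and filling msgAuthenticationParameters) and the receiver side of section 3.2 (steps 1 to 6, from parseError through authenticateIncomingMsg). This is code added to this page, not text or code from RFC 3414 or from any SNMP library. It assumes HMAC-MD5-96 as the authentication protocol, users without a privacy protocol (so msgPrivacyParameters is always the zero-length OCTET STRING of step 4b), and a hand-rolled BER subset; the engineID, user names, password and GetRequest PDU are constructed sample data. The usmStats counter OIDs and the password-to-key localization come from parts of RFC 3414 (sections 5 and A.2) that this excerpt does not include.

```python
"""RFC 3414 USM walk-through (added example; not the RFC's text or code).
Builds the securityParameters of an outgoing authNoPriv message (section 3.1
steps 4b-9) and runs the receiver checks of section 3.2 steps 1-6 over it.
Assumes HMAC-MD5-96 (RFC 3414 section 6) and noPriv users; engineID, user
names and the ScopedPDU below are constructed sample data."""
import hashlib, hmac

def _ber_len(n):                       # definite-length form only (RFC 3417)
    if n < 0x80: return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def ber_octets(b): return b"\x04" + _ber_len(len(b)) + b
def ber_seq(b):    return b"\x30" + _ber_len(len(b)) + b
def ber_int(i):
    body = i.to_bytes((i.bit_length() + 8) // 8, "big", signed=True)
    return b"\x02" + _ber_len(len(body)) + body

def ber_read(buf, pos):
    """One TLV at buf[pos:] -> (tag, value, next_pos); ValueError if malformed."""
    if pos + 2 > len(buf): raise ValueError("truncated")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        if n == 0 or pos + n > len(buf): raise ValueError("bad length")
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf): raise ValueError("truncated")
    return tag, buf[pos:pos + ln], pos + ln

def localized_key_md5(password, engine_id):
    """RFC 3414 A.2.1: Ku = MD5(password repeated to 1 MiB); Kul = MD5(Ku||engineID||Ku)."""
    pw = password.encode()
    ku = hashlib.md5((pw * (1048576 // len(pw) + 1))[:1048576]).digest()
    return hashlib.md5(ku + engine_id + ku).digest()

def encode_usm_params(engine_id, boots, etime, user, auth_params, priv_params):
    """UsmSecurityParameters (section 2.4) wrapped as the msgSecurityParameters OCTET STRING."""
    return ber_octets(ber_seq(ber_octets(engine_id) + ber_int(boots) + ber_int(etime)
                              + ber_octets(user) + ber_octets(auth_params) + ber_octets(priv_params)))

def decode_usm_params(octets):
    """Inverse of encode_usm_params; also returns the offset of msgAuthenticationParameters
    inside `octets`, which the receiver zero-fills before recomputing the HMAC (section 6.3.2)."""
    tag, seq, end = ber_read(octets, 0)
    if tag != 0x04 or end != len(octets): raise ValueError("not an OCTET STRING")
    tag, body, end = ber_read(seq, 0)
    if tag != 0x30 or end != len(seq): raise ValueError("not a SEQUENCE")
    base, pos, fields, auth_off = len(octets) - len(body), 0, [], None
    for i, want in enumerate((0x04, 0x02, 0x02, 0x04, 0x04, 0x04)):
        tag, val, pos = ber_read(body, pos)
        if tag != want: raise ValueError("unexpected tag")
        if i == 4: auth_off = base + pos - len(val)
        fields.append(int.from_bytes(val, "big", signed=True) if want == 0x02 else val)
    if pos != len(body): raise ValueError("trailing data")
    return tuple(fields), auth_off

# Constructed sample: an engineID and a plaintext ScopedPDU carrying a GetRequest-PDU
# (tag 0xa0; request-id 1, error-status 0, error-index 0, empty varbind list).
SAMPLE_ENGINE_ID = b"\x80\x00\x00\x00\x01\x02\x03\x04"
SAMPLE_SCOPED_PDU = ber_seq(ber_octets(SAMPLE_ENGINE_ID) + ber_octets(b"")
                            + b"\xa0\x0b\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00")

def generate_outgoing(engine_id, boots, etime, user, auth_key, scoped_pdu, auth):
    """Section 3.1 steps 4b-9 for a noPriv user; returns the serialized wholeMsg."""
    def whole(auth_params):            # steps 4b-7: empty privParameters, engineID, boots/time, user
        sec = encode_usm_params(engine_id, boots, etime, user, auth_params, b"")
        hdr = ber_seq(ber_int(1) + ber_int(65507) + ber_octets(b"\x01" if auth else b"\x00")
                      + ber_int(3))    # msgGlobalData: msgID, msgMaxSize, msgFlags(authFlag), USM
        return ber_seq(ber_int(3) + hdr + ber_octets(sec) + scoped_pdu)
    if not auth:
        return whole(b"")              # step 8b: zero-length msgAuthenticationParameters
    # step 8a / section 6.3.1: HMAC over wholeMsg with the 12 octets zero-filled, then the
    # 96-bit truncated digest replaces the zeros (same length, so nothing else moves)
    return whole(hmac.new(auth_key, whole(bytes(12)), hashlib.md5).digest()[:12])

# usmStats counters from the USM MIB (RFC 3414 section 5; not part of this excerpt)
USM_STATS = {"unsupportedSecurityLevel": "1.3.6.1.6.3.15.1.1.1.0",
             "unknownSecurityName":      "1.3.6.1.6.3.15.1.1.3.0",
             "unknownEngineID":          "1.3.6.1.6.3.15.1.1.4.0",
             "authenticationFailure":    "1.3.6.1.6.3.15.1.1.5.0"}   # usmStatsWrongDigests

def process_incoming(whole_msg, local_engine_id, users, counters):
    """Section 3.2 steps 1-6 on an authoritative engine. users: userName -> localized authKey
    (None = noAuthNoPriv only). Returns ("ok", user, scopedPDU) or ("error", indication, oid)."""
    def fail(indication):
        oid = USM_STATS[indication]
        counters[oid] = counters.get(oid, 0) + 1
        return ("error", indication, oid)
    try:                                       # step 1: anything malformed -> parseError
        tag, body, end = ber_read(whole_msg, 0)
        if tag != 0x30 or end != len(whole_msg): raise ValueError("not a message")
        _, _, p = ber_read(body, 0)            # msgVersion
        _, hdr, p = ber_read(body, p)          # msgGlobalData
        _, _, q = ber_read(hdr, 0); _, _, q = ber_read(hdr, q)
        _, flags, _ = ber_read(hdr, q)         # msgFlags: bit 0 = authFlag, bit 1 = privFlag
        tag, sec, p = ber_read(body, p)        # msgSecurityParameters
        if tag != 0x04: raise ValueError("securityParameters not an OCTET STRING")
        (eng, _boots, _etime, user, auth_params, _priv), auth_off = decode_usm_params(sec)
    except ValueError:
        return ("error", "parseError", None)   # no OID: not enough data for a Report PDU
    if eng != local_engine_id: return fail("unknownEngineID")       # step 3b
    if user not in users: return fail("unknownSecurityName")        # step 4
    wants_auth = bool(flags and flags[0] & 0x01)
    if wants_auth and users[user] is None: return fail("unsupportedSecurityLevel")  # step 5
    if wants_auth:                                                  # step 6: authenticateIncomingMsg
        off = len(whole_msg) - len(body) + p - len(sec) + auth_off
        mac = hmac.new(users[user], whole_msg[:off] + bytes(12) + whole_msg[off + 12:],
                       hashlib.md5).digest()[:12]
        if len(auth_params) != 12 or not hmac.compare_digest(mac, auth_params):
            return fail("authenticationFailure")
    return ("ok", user, body[p:])
```

Two details matter in practice. The digest is computed with msgAuthenticationParameters zero-filled on both sides, so the receiver must locate that field by offset rather than re-encoding the message (a re-encoding that differs by one length octet would silently break verification), and the comparison uses hmac.compare_digest so a forger cannot time the mismatch. The time-window check (step 7 of section 3.2, the usmStatsNotInTimeWindows counter) is beyond this excerpt and is not implemented here.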
