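They are: command generators, command responders, notification
originators, notification receivers, and proxy forwarders.

This document also defines MIB modules for specifying the targets of
management operations (including notifications), for notification
filtering, and for proxy forwarding.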

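7.8 User-based Security Model (USM)
RFC 2574, "The User-based Security Model (USM) for Version 3 of the
Simple Network Management Protocol (SNMPv3)", describes the User-based
Security Model for SNMPv3. It defines the Elements of Procedure for
providing SNMP message-level security.

The document describes the two primary and two secondary threats that
the User-based Security Model defends against. They are: modification
of information, masquerade, message stream modification, and
disclosure.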

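The USM uses MD5 [21] and the Secure Hash Algorithm [22] as keyed
hashing algorithms [23] to provide data integrity:

-  to directly protect against data modification attacks,

-  to indirectly provide data origin authentication, and

-  to defend against masquerade attacks.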

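The USM uses loosely synchronized time indicators to defend against
message stream modification. Automatic clock synchronization mechanisms
based on the protocol are specified without dependence on third-party
time sources and the security considerations that come with them.

The USM uses the Data Encryption Standard (DES) [24] in cipher block
chaining (CBC) mode to protect against disclosure. DES support in the
USM is optional, primarily because export and usage restrictions in
many countries make it difficult to export and use products that
include cryptographic technology.

The document also includes a MIB suitable for remote control and
management of the USM's configuration parameters, including key
distribution and key management.

Just as it may provide multiple authentication and privacy protocols,
an entity may provide multiple security models simultaneously. All of
the protocols used by the USM are based on pre-placed keys, for
example, private key mechanisms. The SNMPv3 architecture permits
asymmetric mechanisms and protocols (commonly called "public key
cryptography"); even so, no SNMPv3 security model that uses public key
cryptography has yet been published.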
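
The integrity and timeliness checks summarized in this section, as an added Python example (not part of RFC 2570 or of this translation). The HMAC-MD5-96 truncation to 12 octets, the 150-second window and the password-to-key localization are taken from RFC 2574; the message framing (boots | time | digest | payload) and all function names are constructed for illustration and are not SNMP's BER encoding, and the timeliness test is reduced to its two main conditions.

```python
import hashlib
import hmac

WINDOW = 150      # seconds: timeliness window from RFC 2574
DIGEST_LEN = 12   # HMAC-MD5-96 keeps the first 96 bits of the HMAC output

def password_to_key(password: bytes, engine_id: bytes) -> bytes:
    """RFC 2574 key localization (MD5): hash 1 MiB of the repeated password,
    then bind the result to one engine with H(Ku || engineID || Ku)."""
    reps, rem = divmod(1048576, len(password))
    ku = hashlib.md5(password * reps + password[:rem]).digest()
    return hashlib.md5(ku + engine_id + ku).digest()

def sign(key: bytes, boots: int, time: int, payload: bytes) -> bytes:
    """Constructed framing (not BER): boots | time | 12-octet digest | payload."""
    header = boots.to_bytes(4, "big") + time.to_bytes(4, "big")
    # The digest field is zero-filled while the HMAC is computed.
    zeroed = header + bytes(DIGEST_LEN) + payload
    digest = hmac.new(key, zeroed, hashlib.md5).digest()[:DIGEST_LEN]
    return header + digest + payload

def verify(key: bytes, msg: bytes, local_boots: int, local_time: int) -> str:
    """Receiver side: authenticate first, then apply the timeliness check."""
    if len(msg) < 8 + DIGEST_LEN:
        return "malformed"
    header, digest = msg[:8], msg[8:8 + DIGEST_LEN]
    payload = msg[8 + DIGEST_LEN:]
    expected = hmac.new(key, header + bytes(DIGEST_LEN) + payload,
                        hashlib.md5).digest()[:DIGEST_LEN]
    if not hmac.compare_digest(digest, expected):
        return "wrong-digest"         # modified in transit, or wrong key
    boots = int.from_bytes(header[:4], "big")
    time = int.from_bytes(header[4:], "big")
    if boots != local_boots or abs(local_time - time) > WINDOW:
        return "not-in-time-window"   # authentic, but replayed or delayed
    return "ok"
```

Because the boots and time fields sit inside the authenticated data, a captured message cannot have its time indicators rewritten without failing the digest check, which is what lets the window catch replayed or delayed messages.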


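7.9 View-based Access Control Model (VACM)
    The purpose of RFC 2575, "View-based Access Control Model for the
Simple Network Management Protocol (SNMP)", is to describe the access
control model used in the SNMP architecture. The VACM can be associated
at the same time, in a single engine implementation, with multiple
Message Processing Models and multiple Security Models.

Architecturally, a single engine implementation may have multiple,
different access control models present and active at the same time. In
practice, however, this is expected to be "very" rare, and "far" less
common than simultaneous support for multiple Message Processing Models
and multiple Security Models.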

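7.10 SNMPv3 Coexistence and Transition
   The purpose of "Coexistence between Version 1, Version 2, and Version
3 of the Internet-standard Network Management Framework" is to describe
coexistence between the SNMPv3 Management Framework, the SNMPv2
Framework, and the original SNMPv1 Management Framework. In particular,
the document describes four aspects of coexistence:

-  Coexistence of MIB documents converted from SMIv1 to SMIv2 format

-  Mapping of notification parameters

-  Approaches to coexistence in a multi-lingual network that supports
   multiple versions of SNMP, in particular how multi-lingual
   implementations process protocol operations, for example in proxy
   implementations

-  The SNMPv1 Message Processing Model and the Community-based Security
   Model, which provide the mechanisms for adapting SNMPv1 and SNMPv2
   to the View-based Access Control Model.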

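8 Security Considerations
    As a roadmap document, this document introduces no new security
considerations. Readers are referred to the relevant referenced
documents for information about security considerations.

9 Authors' Addresses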

   Jeffrey Case
   SNMP Research, Inc.
   3001 Kimberlin Heights Road
   Knoxville, TN 37920-9716
   USA
   Phone:  +1 423 573 1434
   EMail:  case@snmp.com

   Russ Mundy
   TIS Labs at Network Associates
   3060 Washington Rd
   Glenwood, MD 21738
   USA
   Phone:  +1 301 854 6889
   EMail:  mundy@tislabs.com

   David Partain
   Ericsson Radio Systems
   Research and Innovation
   P.O. Box 1248
   SE-581 12 Linkoping
   Sweden
   Phone:  +46 13 28 41 44
   EMail:  David.Partain@ericsson.com

   Bob Stewart
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA 95134-1706
   U.S.A.
   Phone:  +1 603 654 6923
   EMail:  bstewart@cisco.com


10 References

   [1]  Rose, M. and K. McCloghrie, "Structure and Identification of
        Management Information for TCP/IP-based internets", STD 16, RFC
        1155, May 1990.

   [2]  Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16,
        RFC 1212, March 1991.

   [3]  Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple
        Network Management Protocol", STD 15, RFC 1157, May 1990.

   [4]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
        Waldbusser, "Structure of Management Information for Version 2
        of the Simple Network Management Protocol (SNMPv2)", RFC 1902,
        January 1996.

   [5]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
        Waldbusser, "Textual Conventions for Version 2 of the Simple
        Network Management Protocol (SNMPv2)", RFC 1903, January 1996.

   [6]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
        Waldbusser, "Conformance Statements for Version 2 of the Simple
        Network Management Protocol (SNMPv2)", RFC 1904, January 1996.

   [7]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M. and S.
        Waldbusser, "Protocol Operations for Version 2 of the Simple
        Network Management Protocol (SNMPv2)", RFC 1905, January 1996.

   [8]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M. and S.
        Waldbusser, "Transport Mappings for Version 2 of the Simple
        Network Management Protocol (SNMPv2)", RFC 1906, January 1996.

   [9]  SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M. and S.
        Waldbusser, "Management Information Base for Version 2 of the
        Simple Network Management Protocol (SNMPv2)", RFC 1907, January
        1996.

   [10] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M. and S.
        Waldbusser, "Coexistence between Version 1 and Version 2 of the
        Internet-standard Network Management Framework", RFC 1908,
        January 1996.

   [11] Information processing systems - Open Systems Interconnection -
        Specification of Abstract Syntax Notation One (ASN.1),
        International Organization for Standardization.  International
        Standard 8824, (December, 1987).

   [12] McCloghrie, K. and M. Rose, "Management Information Base for
        Network Management of TCP/IP-based Internets", RFC 1066, August
        1988.

   [13] McCloghrie, K. and M. Rose, "Management Information Base for
        Network Management of TCP/IP-based internets:  MIB-II", STD 17,
        RFC 1213, March 1991.

   [14] Cerf, V., "IAB Recommendations for the Development of Internet
        Network Management Standards", RFC 1052, April 1988.

   [15] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for
        Describing SNMP Management Frameworks", RFC 2571, April 1999.

   [16] Case, J., Harrington, D., Presuhn, R. and B. Wijnen, "Message
        Processing and Dispatching for the Simple Network Management
        Protocol (SNMP)", RFC 2572, April 1999.

   [17] Levi, D., Meyer, P. and B. Stewart, "SNMP Applications", RFC
        2573, April 1999.

   [18] Blumenthal, U. and B. Wijnen, "The User-Based Security Model for
        Version 3 of the Simple Network Management Protocol (SNMPv3)",
        RFC 2574, April 1999.

   [19] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access
        Control Model for the Simple Network Management Protocol
        (SNMP)", RFC 2575, April 1999.

   [20] Frye, R., Levi, D., Routhier, S., and B. Wijnen, "Coexistence
        between Version 1, Version 2, and Version 3 of the Internet-
        standard Network Management Framework", Work in Progress.

   [21] Rivest, R., "Message Digest Algorithm MD5", RFC 1321, April
        1992.

   [22] Secure Hash Algorithm. NIST FIPS 180-1, (April, 1995)
        http://csrc.nist.gov/fips/fip180-1.txt (ASCII)
        http://csrc.nist.gov/fips/fip180-1.ps  (Postscript)

   [23] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:  Keyed-Hashing
        for Message Authentication", RFC 2104, February 1997.

   [24] Data Encryption Standard, National Institute of Standards and
        Technology.  Federal Information Processing Standard (FIPS)
        Publication 46-1.  Supersedes FIPS Publication 46, (January,
        1977; reaffirmed January, 1988).
 
  [25] Rose, M., "A Convention for Defining Traps for use with the
        SNMP", RFC 1215, March 1991.

   [26] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
        M. and S. Waldbusser, "Structure of Management Information
        Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [27] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
        M. and S. Waldbusser, "Textual Conventions for SMIv2", STD 58,
        RFC 2579, April 1999.

   [28] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
        M. and S. Waldbusser, "Conformance Statements for SMIv2", STD
        58, RFC 2580, April 1999.

11 Copyright Statement

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


12 Acknowledgement

Thanks to the Internet Society for funding the RFC Editor function.


RFC 2570: Introduction to Version 3 of the Internet-standard Network Management Framework


RFC Documents Chinese Translation Project