rfc1446.txt
      SnmpParty ::= SEQUENCE {
          partyIdentity          OBJECT IDENTIFIER,
          partyTDomain           OBJECT IDENTIFIER,
          partyTAddress          OCTET STRING,
          partyMaxMessageSize    INTEGER,
          partyAuthProtocol      OBJECT IDENTIFIER,
          partyAuthClock         INTEGER,
          partyAuthPrivate       OCTET STRING,
          partyAuthPublic        OCTET STRING,
          partyAuthLifetime      INTEGER,
          partyPrivProtocol      OBJECT IDENTIFIER,
          partyPrivPrivate       OCTET STRING,
          partyPrivPublic        OCTET STRING
      }

   For each SnmpParty value that represents a SNMPv2 party, the generic significance of each of its components is defined in [1].  For each SNMPv2 party that supports the generation of messages using the Digest Authentication Protocol, additional, special significance is attributed to certain components of that party's representation:

   o  Its partyAuthProtocol component is called the authentication protocol and identifies a combination of the Digest Authentication Protocol with a particular digest algorithm (such as that defined in Section 1.5.1).  This combined mechanism is used to authenticate the origin and integrity of all messages generated by the party.

Galvin & McCloghrie                                            [Page 12]

RFC 1446            Security Protocols for SNMPv2             April 1993

   o  Its partyAuthClock component is called the authentication clock and represents a notion of the current time that is specific to the party.

   o  Its partyAuthPrivate component is called the private authentication key and represents any secret value needed to support the Digest Authentication Protocol and associated digest algorithm.

   o  Its partyAuthPublic component is called the public authentication key and represents any public value that may be needed to support the authentication protocol.  This component is not significant except as suggested in Section 5.4.

   o  Its partyAuthLifetime component is called the lifetime and represents an administrative upper bound on acceptable delivery delay for protocol messages generated by the party.
   For each SNMPv2 party that supports the receipt of messages via the Symmetric Privacy Protocol, additional, special significance is attributed to certain components of that party's representation:

   o  Its partyPrivProtocol component is called the privacy protocol and identifies a combination of the Symmetric Privacy Protocol with a particular encryption algorithm (such as that defined in Section 1.5.2).  This combined mechanism is used to protect from disclosure all protocol messages received by the party.

   o  Its partyPrivPrivate component is called the private privacy key and represents any secret value needed to support the Symmetric Privacy Protocol and associated encryption algorithm.

   o  Its partyPrivPublic component is called the public privacy key and represents any public value that may be needed to support the privacy protocol.  This component is not significant except as suggested in Section 5.4.

3.  Digest Authentication Protocol

   This section describes the Digest Authentication Protocol.  It provides both for verifying the integrity of a received message (i.e., the message received is the message sent) and for verifying the origin of a message (i.e., the reliable identification of the originator).

   The integrity of the message is protected by computing a digest over an appropriate portion of a message.  The digest is computed by the originator of the message, transmitted with the message, and verified by the recipient of the message.  A secret value known only to the originator and recipient of the message is prefixed to the message prior to the digest computation.  Thus, the origin of the message is known implicitly with the verification of the digest.

   A requirement on parties using this Digest Authentication Protocol is that they shall not originate messages for transmission to any destination party which does not also use this Digest Authentication Protocol.
   This restriction excludes undesirable side effects of communication between a party which uses these security protocols and a party which does not.

   Recall from [1] that a SNMPv2 management communication is represented by an ASN.1 value with the following syntax:

      SnmpMgmtCom ::= [2] IMPLICIT SEQUENCE {
          dstParty      OBJECT IDENTIFIER,
          srcParty      OBJECT IDENTIFIER,
          context       OBJECT IDENTIFIER,
          pdu           PDUs
      }

   For each SnmpMgmtCom value that represents a SNMPv2 management communication, the following statements are true:

   o  Its dstParty component is called the destination and identifies the SNMPv2 party to which the communication is directed.

   o  Its srcParty component is called the source and identifies the SNMPv2 party from which the communication is originated.

   o  Its context component identifies the SNMPv2 context containing the management information referenced by the communication.

   o  Its pdu component has the form and significance attributed to it in [12].

   Recall from [1] that a SNMPv2 authenticated management communication is represented by an ASN.1 value with the following syntax:

      SnmpAuthMsg ::= [1] IMPLICIT SEQUENCE {
          authInfo      ANY,  -- defined by authentication protocol
          authData      SnmpMgmtCom
      }

   For each SnmpAuthMsg value that represents a SNMPv2 authenticated management communication, the following statements are true:

   o  Its authInfo component is called the authentication information and represents information required in support of the authentication protocol used by both the SNMPv2 party originating the message, and the SNMPv2 party receiving the message.  The detailed significance of the authentication information is specific to the authentication protocol in use; it has no effect on the application semantics of the communication other than its use by the authentication protocol in determining whether the communication is authentic or not.
   o  Its authData component is called the authentication data and represents a SNMPv2 management communication.

   In support of the Digest Authentication Protocol, an authInfo component is of type AuthInformation:

      AuthInformation ::= [2] IMPLICIT SEQUENCE {
          authDigest         OCTET STRING,
          authDstTimestamp   UInteger32,
          authSrcTimestamp   UInteger32
      }

   For each AuthInformation value that represents authentication information, the following statements are true:

   o  Its authDigest component is called the authentication digest and represents the digest computed over an appropriate portion of the message, where the message is temporarily prefixed with a secret value for the purposes of computing the digest.

   o  Its authSrcTimestamp component is called the authentication timestamp and represents the time of the generation of the message according to the partyAuthClock of the SNMPv2 party that originated it.  Note that the granularity of the authentication timestamp is 1 second.

   o  Its authDstTimestamp component is called the authentication timestamp and represents the time of the generation of the message according to the partyAuthClock of the SNMPv2 party that is to receive it.  Note that the granularity of the authentication timestamp is 1 second.

3.1.  Generating a Message

   This section describes the behavior of a SNMPv2 entity when it acts as a SNMPv2 party for which the authentication protocol is administratively specified as the Digest Authentication Protocol.  Insofar as the behavior of a SNMPv2 entity when transmitting protocol messages is defined generically in [1], only those aspects of that behavior that are specific to the Digest Authentication Protocol are described below.  In particular, this section describes the encapsulation of a SNMPv2 management communication into a SNMPv2 authenticated management communication.
   According to Section 3.1 of [1], a SnmpAuthMsg value is constructed during Step 3 of generic processing.  In particular, it states the authInfo component is constructed according to the authentication protocol identified for the SNMPv2 party originating the message.  When the relevant authentication protocol is the Digest Authentication Protocol, the procedure performed by a SNMPv2 entity whenever a management communication is to be transmitted by a SNMPv2 party is as follows.

   (1)  The local database is consulted to determine the authentication clock and private authentication key (extracted, for example, according to the conventions defined in Section 1.5.1) of the SNMPv2 party originating the message.  The local database is also consulted to determine the authentication clock of the receiving SNMPv2 party.

   (2)  The authSrcTimestamp component is set to the retrieved authentication clock value of the message's source.  The authDstTimestamp component is set to the retrieved authentication clock value of the message's intended recipient.

   (3)  The authentication digest is temporarily set to the private authentication key of the SNMPv2 party originating the message.  The SnmpAuthMsg value is serialized according to the conventions of [13] and [12].  A digest is computed over the octet sequence representing that serialized value using, for example, the algorithm specified in Section 1.5.1.  The authDigest component is set to the computed digest value.

   As set forth in [1], the SnmpAuthMsg value is then encapsulated according to the appropriate privacy protocol into a SnmpPrivMsg value.  This latter value is then serialized and transmitted to the receiving SNMPv2 party.

3.2.  Receiving a Message

   This section describes the behavior of a SNMPv2 entity upon receipt of a protocol message from a SNMPv2 party for which the authentication protocol is administratively specified as the Digest Authentication Protocol.  Insofar as the behavior of a SNMPv2 entity when receiving protocol messages is defined generically in [1], only those aspects of that behavior that
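The keyed-digest construction of Section 3.1 (steps (2) and (3)), together with the recipient-side recomputation that Section 3 describes, as an added example that is not part of RFC 1446. It assumes the Section 1.5.1 algorithm is MD5 with a 16-octet key, encodes the timestamps as plain INTEGERs rather than the SMI's UInteger32 tag, and takes the SnmpMgmtCom as an opaque, pre-serialized octet string (the sample one is a constructed placeholder).

```python
import hashlib
import hmac

# Added example, not the RFC's own code.  Digest algorithm assumed to be the one
# Section 1.5.1 of RFC 1446 specifies: MD5, keyed by the 16-octet private
# authentication key that temporarily occupies the authDigest field.
KEY_LEN = 16

def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (bodies shorter than 64 KiB)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_uint(v: int) -> bytes:
    # Assumption: a plain INTEGER tag stands in for the SMI's UInteger32 tag.
    return der_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def serialize_auth_msg(digest: bytes, dst_ts: int, src_ts: int, mgmt_com: bytes) -> bytes:
    # AuthInformation ::= [2] IMPLICIT SEQUENCE { authDigest, authDstTimestamp, authSrcTimestamp }
    auth_info = der_tlv(0xA2, der_tlv(0x04, digest) + der_uint(dst_ts) + der_uint(src_ts))
    # SnmpAuthMsg ::= [1] IMPLICIT SEQUENCE { authInfo, authData }; authData is pre-serialized
    return der_tlv(0xA1, auth_info + mgmt_com)

def generate(priv_key: bytes, src_clock: int, dst_clock: int, mgmt_com: bytes) -> dict:
    """Section 3.1 steps (2)-(3): party clocks become timestamps, then the keyed digest is taken."""
    assert len(priv_key) == KEY_LEN
    keyed = serialize_auth_msg(priv_key, dst_clock, src_clock, mgmt_com)  # key sits in place of digest
    digest = hashlib.md5(keyed).digest()
    return {"authDigest": digest, "authDstTimestamp": dst_clock,
            "authSrcTimestamp": src_clock, "authData": mgmt_com}

def to_wire(msg: dict) -> bytes:
    return serialize_auth_msg(msg["authDigest"], msg["authDstTimestamp"], msg["authSrcTimestamp"], msg["authData"])

def verify(priv_key: bytes, msg: dict) -> bool:
    """Recipient recomputes the digest with its own copy of the key; constant-time compare."""
    keyed = serialize_auth_msg(priv_key, msg["authDstTimestamp"], msg["authSrcTimestamp"], msg["authData"])
    return hmac.compare_digest(hashlib.md5(keyed).digest(), msg["authDigest"])

# Constructed sample input: a shared 16-octet key and a placeholder pre-serialized SnmpMgmtCom
SAMPLE_KEY = bytes(range(16))
SAMPLE_MGMT_COM = der_tlv(0xA2, b"\x06\x03\x2b\x06\x01" * 3 + b"\xa0\x00")
```

Because the timestamps are inside the digested serialization, altering either of them, the pdu, or the key used by the verifier makes `verify` return False; the key itself never appears on the wire.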