Rfc3411

792 views
722 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
792
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
7
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Rfc3411

  1. 1. Architecture for SNMP Management Frameworks December 2002 RFC: 3411 Network Dictionary http://www.javvin.com/networkdiction- ary.html Network Protocols Map http://www.javvin.com/map.html Network Working Group D. Harrington Request for Comments: 34 Enterasys Networks Network Security Map STD: 62 R. Presuhn http://www.javvin.com/securitymap. Obsoletes: 257 BMC Software, Inc. html Wireless Communications Category: Standards Track B. Wijnen Technology Map Lucent Technologies http://www.javvin.com/wirelessmap. December 2002 html Network Protocols Hand- book http://www.javvin.com/model.html An Architecture for Describing Simple Network TCP/IP Quick Guide http://www.javvin.com/tcpipguide.html Management Protocol (SNMP) Management Frameworks Ethernet Quick Guide http://www.javvin.com/ethernetguide. html Packet Analyzer http://www.javvin.com/packet.html DiskShare http://www.javvin.com/diskshare.html DiskAccess http://www.javvin.com/diskaccess.html LANsurveyor http://www.javvin.com/LANsurveyor. html CyberGauge http://www.javvin.com/CyberGauge. html Easy Network Service Monitor http://www.javvin.com/easy.html Business Card Scanner http://www.javvin.com/businesscard- scanner.html Color Cards and Picture Scanner http://www.javvin.com/colorcardscan- ner.html Portable Document Scan- ner http://www.javvin.com/portablescan- ner.html www.javvin.com www.networkdictionary. com [ Page ]
  2. 2. Architecture for SNMP Management Frameworks December 2002 Status of this Memo Network Dictionary http://www.javvin.com/networkdiction- ary.html This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the quot;Internet Official Network Protocols Map Protocol Standardsquot; (STD ) for the standardization state and status of this protocol. Distribution of this http://www.javvin.com/map.html memo is unlimited. Network Security Map Copyright Notice http://www.javvin.com/securitymap. html Copyright (C) The Internet Society (2002). All Rights Reserved. Wireless Communications Technology Map Abstract http://www.javvin.com/wirelessmap. html Network Protocols Hand- This document describes an architecture for describing Simple Network Management Protocol (SNMP) Management Frameworks. The architecture is designed to be modular to allow the evolution of the SNMP book protocol standards over time. The major portions of the architecture are an SNMP engine containing a http://www.javvin.com/model.html Message Processing Subsystem, a Security Subsystem and an Access Control Subsystem, and possibly TCP/IP Quick Guide multiple SNMP applications which provide specific functional processing of management data. This docu- ment obsoletes RFC 257. http://www.javvin.com/tcpipguide.html Ethernet Quick Guide http://www.javvin.com/ethernetguide. html Packet Analyzer http://www.javvin.com/packet.html DiskShare http://www.javvin.com/diskshare.html DiskAccess http://www.javvin.com/diskaccess.html LANsurveyor http://www.javvin.com/LANsurveyor. html CyberGauge http://www.javvin.com/CyberGauge. html Easy Network Service Monitor http://www.javvin.com/easy.html Business Card Scanner http://www.javvin.com/businesscard- scanner.html Color Cards and Picture Scanner http://www.javvin.com/colorcardscan- ner.html Portable Document Scan- ner http://www.javvin.com/portablescan- ner.html www.javvin.com www.networkdictionary. com [ Page 2 ]
  3. 3. Architecture for SNMP Management Frameworks December 2002 Table of Contents Network Dictionary http://www.javvin.com/networkdiction- ary.html . Introduction ...................................................................................................5 Network Protocols Map .. Overview ...............................................................................................5 http://www.javvin.com/map.html .2. SNMP ....................................................................................................5 .3. Goals of this Architecture ......................................................................6 Network Security Map .4. Security Requirements of this Architecture ..........................................6 http://www.javvin.com/securitymap. .5. Design Decisions ...................................................................................7 html Wireless Communications Technology Map 2. Documentation Overview .............................................................................7 http://www.javvin.com/wirelessmap. 2.. Document Roadmap ..............................................................................8 html 2.2. Applicability Statement .........................................................................8 Network Protocols Hand- 2.3. Coexistence and Transition ...................................................................8 book 2.4. Transport Mappings ..............................................................................9 http://www.javvin.com/model.html 2.5. Message Processing ..............................................................................9 TCP/IP Quick Guide 2.6. Security .................................................................................................9 http://www.javvin.com/tcpipguide.html 2.7. Access Control ......................................................................................9 2.8. Protocol Operations ...............................................................................9 Ethernet Quick Guide 2.9. Applications .........................................................................................0 http://www.javvin.com/ethernetguide. 2.0. Structure of Management Information ..............................................0 html 2.. Textual Conventions .......................................................................... Packet Analyzer 2.2. Conformance Statements .................................................................. http://www.javvin.com/packet.html 2.3. Management Information Base Modules .......................................... DiskShare 2.3.. SNMP Instrumentation MIBs ......................................................... http://www.javvin.com/diskshare.html 2.4. SNMP Framework Documents ......................................................... DiskAccess 3. Elements of the Architecture ....................................................................... http://www.javvin.com/diskaccess.html 3.. The Naming of Entities .......................................................................2 LANsurveyor 3... SNMP engine ...................................................................................2 http://www.javvin.com/LANsurveyor. 3.... snmpEngineID ...............................................................................2 html 3...2. Dispatcher .....................................................................................3 CyberGauge 3...3. Message Processing Subsystem ....................................................3 http://www.javvin.com/CyberGauge. 3...3.. Message Processing Model ........................................................3 html 3...4. Security Subsystem .......................................................................3 Easy Network Service 3...4.. Security Model ...........................................................................4 Monitor 3...4.2. Security Protocol ........................................................................4 http://www.javvin.com/easy.html 3..2. Access Control Subsystem ...............................................................4 Business Card Scanner 3..2.. Access Control Model ...................................................................4 http://www.javvin.com/businesscard- 3..3. Applications ......................................................................................4 scanner.html 3..3.. SNMP Manager .............................................................................5 Color Cards and Picture 3..3.2. SNMP Agent .................................................................................5 Scanner 3.2. The Naming of Identities ....................................................................6 http://www.javvin.com/colorcardscan- 3.2.. Principal ...........................................................................................7 ner.html Portable Document Scan- 3.2.2. securityName ....................................................................................7 ner 3.2.3. Model-dependent security ID ...........................................................7 http://www.javvin.com/portablescan- 3.3. The Naming of Management Information ..........................................7 ner.html 3.3.. An SNMP Context ............................................................................8 www.javvin.com 3.3.2. contextEngineID ..............................................................................9 3.3.3. contextName ....................................................................................9 www.networkdictionary. 3.3.4. scopedPDU .......................................................................................9 com [ Page 3 ]
  4. 4. Architecture for SNMP Management Frameworks December 2002 3.4. Other Constructs ..................................................................................9 Network Dictionary http://www.javvin.com/networkdiction- 3.4.. maxSizeResponseScopedPDU .........................................................9 ary.html 3.4.2. Local Configuration Datastore .........................................................9 3.4.3. securityLevel ....................................................................................9 Network Protocols Map http://www.javvin.com/map.html 4. Abstract Service Interfaces .........................................................................9 Network Security Map 4.. Dispatcher Primitives ..........................................................................20 http://www.javvin.com/securitymap. 4.1.1. Generate Outgoing Request or Notification .....................................20 html 4.1.2. Process Incoming Request or Notification PDU ..............................20 Wireless Communications 4..3. Generate Outgoing Response ...........................................................20 Technology Map 4..4. Process Incoming Response PDU ....................................................2 http://www.javvin.com/wirelessmap. html 4..5. Registering Responsibility for Handling SNMP PDUs ...................2 Network Protocols Hand- 4.2. Message Processing Subsystem Primitives .........................................2 book 4.2.1. Prepare Outgoing SNMP Request or Notification Message ............2 http://www.javvin.com/model.html 4.2.2. Prepare an Outgoing SNMP Response Message..............................22 TCP/IP Quick Guide 4.2.3. Prepare Data Elements from an Incoming SNMP Message ............22 http://www.javvin.com/tcpipguide.html 4.3. Access Control Subsystem Primitives.................................................23 4.4. Security Subsystem Primitives ............................................................23 Ethernet Quick Guide 4.4.1. Generate a Request or Notification Message ...................................23 http://www.javvin.com/ethernetguide. 4.4.2. Process Incoming Message ..............................................................23 html 4.4.3. Generate a Response Message .........................................................23 Packet Analyzer 4.5. Common Primitives ............................................................................24 http://www.javvin.com/packet.html 4.5.. Release State Reference Information ...............................................24 4.6. Scenario Diagrams ..............................................................................24 DiskShare 4.6.1. Command Generator or Notification Originator ..............................24 http://www.javvin.com/diskshare.html 4.6.2. Scenario Diagram for a Command Responder Application .............25 DiskAccess http://www.javvin.com/diskaccess.html 5. Managed Object Definitions for SNMP Management Frameworks ...........26 LANsurveyor 6. IANA Considerations ..................................................................................33 http://www.javvin.com/LANsurveyor. html 6.. Security Models ..................................................................................33 6.2. Message Processing Models ...............................................................33 CyberGauge 6.3. SnmpEngineID Formats ......................................................................33 http://www.javvin.com/CyberGauge. html 7. Intellectual Property ....................................................................................33 Easy Network Service Monitor 8. Acknowledgements .....................................................................................33 http://www.javvin.com/easy.html Business Card Scanner 9. Security Considerations ..............................................................................34 http://www.javvin.com/businesscard- scanner.html 0. References .................................................................................................35 Color Cards and Picture 0.. Normative References .......................................................................35 Scanner 0.2. Informative References .....................................................................36 http://www.javvin.com/colorcardscan- ner.html Portable Document Scan- Appendix A .....................................................................................................36 ner A. Guidelines for Model Designers ...........................................................36 http://www.javvin.com/portablescan- A.. Security Model Design Requirements ................................................36 ner.html A... Threats .............................................................................................37 www.javvin.com A..2. Security Processing .........................................................................37 www.networkdictionary. A..3. Validate the security-stamp in a received message .........................37 com A..4. Security MIBs .................................................................................37 [ Page 4 ]
  5. 5. Architecture for SNMP Management Frameworks December 2002 A..5. Cached Security Data ......................................................................38 Network Dictionary http://www.javvin.com/networkdiction- A.2. Message Processing Model Design Requirements .............................38 ary.html A.2.. Receiving an SNMP Message from the Network ...........................38 A.2.2. Sending an SNMP Message to the Network ...................................38 Network Protocols Map http://www.javvin.com/map.html A.3. Application Design Requirements ......................................................38 A.3.. Applications that Initiate Messages .................................................39 Network Security Map A.3.2. Applications that Receive Responses ..............................................39 http://www.javvin.com/securitymap. A.3.3. Applications that Receive Asynchronous Messages .......................39 html A.3.4. Applications that Send Responses ...................................................39 Wireless Communications A.4. Access Control Model Design Requirements .....................................39 Technology Map http://www.javvin.com/wirelessmap. html Editors' Addresses ............................................................................................40 Network Protocols Hand- book Full Copyright Statement ................................................................................40 http://www.javvin.com/model.html TCP/IP Quick Guide Acknowledgement ..........................................................................................40 http://www.javvin.com/tcpipguide.html Ethernet Quick Guide http://www.javvin.com/ethernetguide. html Packet Analyzer http://www.javvin.com/packet.html DiskShare http://www.javvin.com/diskshare.html DiskAccess http://www.javvin.com/diskaccess.html LANsurveyor http://www.javvin.com/LANsurveyor. html CyberGauge http://www.javvin.com/CyberGauge. html Easy Network Service Monitor http://www.javvin.com/easy.html Business Card Scanner http://www.javvin.com/businesscard- scanner.html Color Cards and Picture Scanner http://www.javvin.com/colorcardscan- ner.html Portable Document Scan- ner http://www.javvin.com/portablescan- ner.html www.javvin.com www.networkdictionary. com [ Page 5 ]
  6. 6. Architecture for SNMP Management Frameworks December 2002 1. Introduction Network Dictionary http://www.javvin.com/networkdiction- ary.html 1.1. Overview Network Protocols Map This document defines a vocabulary for describing SNMP Management Frameworks, and an architecture http://www.javvin.com/map.html for describing the major portions of SNMP Management Frameworks. Network Security Map This document does not provide a general introduction to SNMP. Other documents and books can provide http://www.javvin.com/securitymap. a much better introduction to SNMP. Nor does this document provide a history of SNMP. That also can be html found in books and other documents. Wireless Communications Technology Map Section describes the purpose, goals, and design decisions of this architecture. http://www.javvin.com/wirelessmap. Section 2 describes various types of documents which define (elements of) SNMP Frameworks, and how html they fit into this architecture. It also provides a minimal road map to the documents which have previously Network Protocols Hand- defined SNMP frameworks. book http://www.javvin.com/model.html Section 3 details the vocabulary of this architecture and its pieces. This section is important for understand- ing the remaining sections, and for understanding documents which are written to fit within this architec- TCP/IP Quick Guide ture. http://www.javvin.com/tcpipguide.html Section 4 describes the primitives used for the abstract service interfaces between the various subsystems, models and applications within this architecture. Ethernet Quick Guide http://www.javvin.com/ethernetguide. Section 5 defines a collection of managed objects used to instrument SNMP entities within this architec- html ture. Packet Analyzer Sections 6, 7, 8, 9, 0 and are administrative in nature. http://www.javvin.com/packet.html Appendix A contains guidelines for designers of Models which are expected to fit within this architecture. DiskShare http://www.javvin.com/diskshare.html The key words quot;MUSTquot;, quot;MUST NOTquot;, quot;REQUIREDquot;, quot;SHALLquot;, quot;SHALL NOTquot;, quot;SHOULDquot;, quot;SHOULD NOTquot;, quot;RECOMMENDEDquot;, quot;MAYquot;, and quot;OPTIONALquot; in this document are to be inter- DiskAccess preted as described in [RFC29]. http://www.javvin.com/diskaccess.html 1.2. SNMP LANsurveyor http://www.javvin.com/LANsurveyor. An SNMP management system contains: html - several (potentially many) nodes, each with an SNMP entity containing command responder and noti- CyberGauge fication originator applications, which have access to management instrumentation (traditionally called http://www.javvin.com/CyberGauge. agents); html - at least one SNMP entity containing command generator and/or notification receiver applications (tradi- Easy Network Service tionally called a manager) and, Monitor - a management protocol, used to convey management information between the SNMP entities. http://www.javvin.com/easy.html Business Card Scanner SNMP entities executing command generator and notification receiver applications monitor and control http://www.javvin.com/businesscard- managed elements. Managed elements are devices such as hosts, routers, terminal servers, etc., which are scanner.html monitored and controlled via access to their management information. Color Cards and Picture It is the purpose of this document to define an architecture which can evolve to realize effective manage- Scanner ment in a variety of configurations and environments. The architecture has been designed to meet the needs http://www.javvin.com/colorcardscan- of implementations of: ner.html Portable Document Scan- - minimal SNMP entities with command responder and/or notification originator applications (traditionally ner called SNMP agents), http://www.javvin.com/portablescan- - SNMP entities with proxy forwarder applications (traditionally called SNMP proxy agents), ner.html www.javvin.com - command line driven SNMP entities with command generator and/or notification receiver applications (traditionally called SNMP command line managers), www.networkdictionary. com - SNMP entities with command generator and/or notification receiver, plus command responder and/or [ Page 6 ]
  7. 7. Architecture for SNMP Management Frameworks December 2002 Network Dictionary notification originator applications (traditionally called SNMP mid-level managers or dual-role entities), http://www.javvin.com/networkdiction- - SNMP entities with command generator and/or notification receiver and possibly other types of appli- ary.html cations for managing a potentially very large number of managed nodes (traditionally called (network) Network Protocols Map management stations). http://www.javvin.com/map.html 1.3. Goals of this Architecture Network Security Map This architecture was driven by the following goals: http://www.javvin.com/securitymap. html - Use existing materials as much as possible. It is heavily based on previous work, informally known as Wireless Communications SNMPv2u and SNMPv2*, based in turn on SNMPv2p. Technology Map http://www.javvin.com/wirelessmap. - Address the need for secure SET support, which is considered the most important deficiency in SNMPv1 html and SNMPv2c. Network Protocols Hand- - Make it possible to move portions of the architecture forward in the standards track, even if consensus book has not been reached on all pieces. http://www.javvin.com/model.html TCP/IP Quick Guide - Define an architecture that allows for longevity of the SNMP Frameworks that have been and will be defined. http://www.javvin.com/tcpipguide.html - Keep SNMP as simple as possible. Ethernet Quick Guide - Make it relatively inexpensive to deploy a minimal conforming implementation. http://www.javvin.com/ethernetguide. html - Make it possible to upgrade portions of SNMP as new approaches become available, without disrupting Packet Analyzer an entire SNMP framework. http://www.javvin.com/packet.html - Make it possible to support features required in large networks, but make the expense of supporting a feature directly related to the support of the feature. DiskShare http://www.javvin.com/diskshare.html 1.4. Security Requirements of this Architecture DiskAccess Several of the classical threats to network protocols are applicable to the management problem and there- http://www.javvin.com/diskaccess.html fore would be applicable to any Security Model used in an SNMP Management Framework. Other threats are not applicable to the management problem. This section discusses principal threats, secondary threats, LANsurveyor and threats which are of lesser importance. http://www.javvin.com/LANsurveyor. html The principal threats against which any Security Model used within this architecture SHOULD provide protection are: CyberGauge http://www.javvin.com/CyberGauge. Modification of Information html The modification threat is the danger that some unauthorized entity may alter in-transit SNMP mes- sages generated on behalf of an authorized principal in such a way as to effect unauthorized manage- Easy Network Service ment operations, including falsifying the value of an object. Monitor http://www.javvin.com/easy.html Masquerade The masquerade threat is the danger that management operations not authorized for some principal may Business Card Scanner be attempted by assuming the identity of another principal that has the appropriate authorizations. http://www.javvin.com/businesscard- scanner.html Secondary threats against which any Security Model used within this architecture SHOULD provide pro- Color Cards and Picture tection are: Scanner Message Stream Modification http://www.javvin.com/colorcardscan- The SNMP protocol is typically based upon a connectionless transport service which may operate over ner.html any subnetwork service. The re-ordering, delay or replay of messages can and does occur through the Portable Document Scan- natural operation of many such subnetwork services. The message stream modification threat is the ner danger that messages may be maliciously re-ordered, delayed or replayed to an extent which is greater http://www.javvin.com/portablescan- than can occur through the natural operation of a subnetwork service, in order to effect unauthorized ner.html management operations. www.javvin.com Disclosure The disclosure threat is the danger of eavesdropping on the exchanges between SNMP engines. Protect- www.networkdictionary. ing against this threat may be required as a matter of local policy. com [ Page 7 ]
  8. 8. Architecture for SNMP Management Frameworks December 2002 Network Dictionary There are at least two threats against which a Security Model within this architecture need not protect, since http://www.javvin.com/networkdiction- they are deemed to be of lesser importance in this context: ary.html Network Protocols Map Denial of Service A Security Model need not attempt to address the broad range of attacks by which service on behalf of http://www.javvin.com/map.html authorized users is denied. Indeed, such denial-of-service attacks are in many cases indistinguishable from the type of network failures with which any viable management protocol must cope as a matter Network Security Map of course. http://www.javvin.com/securitymap. html Traffic Analysis Wireless Communications A Security Model need not attempt to address traffic analysis attacks. Many traffic patterns are predict- Technology Map able - entities may be managed on a regular basis by a relatively small number of management stations - and therefore there is no significant advantage afforded by protecting against traffic analysis. http://www.javvin.com/wirelessmap. html 1.5. Design Decisions Network Protocols Hand- book Various design decisions were made in support of the goals of the architecture and the security require- http://www.javvin.com/model.html ments: TCP/IP Quick Guide - Architecture http://www.javvin.com/tcpipguide.html An architecture should be defined which identifies the conceptual boundaries between the documents. Subsystems should be defined which describe the abstract services provided by specific portions of an Ethernet Quick Guide SNMP framework. Abstract service interfaces, as described by service primitives, define the abstract boundaries between documents, and the abstract services that are provided by the conceptual subsys- http://www.javvin.com/ethernetguide. tems of an SNMP framework. html Packet Analyzer - Self-contained Documents Elements of procedure plus the MIB objects which are needed for processing for a specific portion of http://www.javvin.com/packet.html an SNMP framework should be defined in the same document, and as much as possible, should not be referenced in other documents. This allows pieces to be designed and documented as independent and DiskShare self- contained parts, which is consistent with the general SNMP MIB module approach. As portions of http://www.javvin.com/diskshare.html SNMP change over time, the documents describing other portions of SNMP are not directly impacted. This modularity allows, for example, Security Models, authentication and privacy mechanisms, and DiskAccess message formats to be upgraded and supplemented as the need arises. The self-contained documents http://www.javvin.com/diskaccess.html can move along the standards track on different time-lines. LANsurveyor This modularity of specification is not meant to be interpreted as imposing any specific requirements on implementation. http://www.javvin.com/LANsurveyor. html - Threats CyberGauge The Security Models in the Security Subsystem SHOULD protect against the principal and secondary threats: modification of information, masquerade, message stream modification and disclosure. They http://www.javvin.com/CyberGauge. do not need to protect against denial of service and traffic analysis. html Easy Network Service - Remote Configuration The Security and Access Control Subsystems add a whole new set of SNMP configuration parameters. Monitor The Security Subsystem also requires frequent changes of secrets at the various SNMP entities. To http://www.javvin.com/easy.html make this deployable in a large operational environment, these SNMP parameters must be remotely Business Card Scanner configurable. http://www.javvin.com/businesscard- - Controlled Complexity scanner.html It is recognized that producers of simple managed devices want to keep the resources used by SNMP Color Cards and Picture to a minimum. At the same time, there is a need for more complex configurations which can spend Scanner more resources for SNMP and thus provide more functionality. The design tries to keep the competing http://www.javvin.com/colorcardscan- requirements of these two environments in balance and allows the more complex environments to logi- ner.html cally extend the simple environment. Portable Document Scan- ner 2. Documentation Overview http://www.javvin.com/portablescan- ner.html The following figure shows the set of documents that fit within the SNMP Architecture. www.javvin.com www.networkdictionary. com [ Page 8 ]
  9. 9. Architecture for SNMP Management Frameworks December 2002 Network Dictionary http://www.javvin.com/networkdiction- ary.html Network Protocols Map http://www.javvin.com/map.html Network Security Map http://www.javvin.com/securitymap. html Wireless Communications Technology Map http://www.javvin.com/wirelessmap. html Network Protocols Hand- book http://www.javvin.com/model.html TCP/IP Quick Guide http://www.javvin.com/tcpipguide.html Ethernet Quick Guide http://www.javvin.com/ethernetguide. html Packet Analyzer http://www.javvin.com/packet.html DiskShare http://www.javvin.com/diskshare.html DiskAccess http://www.javvin.com/diskaccess.html Each of these documents may be replaced or supplemented. This Architecture document specifically de- scribes how new documents fit into the set of documents in the area of Message and PDU handling. LANsurveyor http://www.javvin.com/LANsurveyor. 2.1. Document Roadmap html CyberGauge One or more documents may be written to describe how sets of documents taken together form specific http://www.javvin.com/CyberGauge. Frameworks. The configuration of document sets might change over time, so the quot;road mapquot; should be html maintained in a document separate from the standards documents themselves. Easy Network Service An example of such a roadmap is quot;Introduction and Applicability Statements for the Internet-Standard Monitor Management Frameworkquot; [RFC340]. http://www.javvin.com/easy.html 2.2. Applicability Statement Business Card Scanner http://www.javvin.com/businesscard- SNMP is used in networks that vary widely in size and complexity, by organizations that vary widely in scanner.html their requirements of management. Some models will be designed to address specific problems of manage- Color Cards and Picture ment, such as message security. Scanner http://www.javvin.com/colorcardscan- One or more documents may be written to describe the environments to which certain versions of SNMP ner.html or models within SNMP would be appropriately applied, and those to which a given model might be inap- Portable Document Scan- propriately applied. ner 2.3. Coexistence and Transition http://www.javvin.com/portablescan- ner.html The purpose of an evolutionary architecture is to permit new models to replace or supplement existing www.javvin.com models. The interactions between models could result in incompatibilities, security quot;holesquot;, and other un- desirable effects. www.networkdictionary. com The purpose of Coexistence documents is to detail recognized anomalies and to describe required and rec- [ Page 9 ]
  10. 10. Architecture for SNMP Management Frameworks December 2002 Network Dictionary ommended behaviors for resolving the interactions between models within the architecture. http://www.javvin.com/networkdiction- Coexistence documents may be prepared separately from model definition documents, to describe and ary.html resolve interaction anomalies between a model definition and one or more other model definitions. Network Protocols Map Additionally, recommendations for transitions between models may also be described, either in a coexis- http://www.javvin.com/map.html tence document or in a separate document. Network Security Map One such coexistence document is [RFC2576], quot;Coexistence between Version , Version 2, and Version 3 http://www.javvin.com/securitymap. of the Internet-Standard Network Management Frameworkquot;. html Wireless Communications 2.4. Transport Mappings Technology Map http://www.javvin.com/wirelessmap. SNMP messages are sent over various transports. It is the purpose of Transport Mapping documents to html define how the mapping between SNMP and the transport is done. Network Protocols Hand- book 2.5. Message Processing http://www.javvin.com/model.html A Message Processing Model document defines a message format, which is typically identified by a ver- TCP/IP Quick Guide sion field in an SNMP message header. The document may also define a MIB module for use in message http://www.javvin.com/tcpipguide.html processing and for instrumentation of version-specific interactions. An SNMP engine includes one or more Message Processing Models, and thus may support sending and Ethernet Quick Guide receiving multiple versions of SNMP messages. http://www.javvin.com/ethernetguide. html 2.6. Security Packet Analyzer http://www.javvin.com/packet.html Some environments require secure protocol interactions. Security is normally applied at two different stages: DiskShare - in the transmission/receipt of messages, and http://www.javvin.com/diskshare.html - in the processing of the contents of messages. DiskAccess http://www.javvin.com/diskaccess.html For purposes of this document, quot;securityquot; refers to message-level security; quot;access controlquot; refers to the security applied to protocol operations. LANsurveyor http://www.javvin.com/LANsurveyor. Authentication, encryption, and timeliness checking are common functions of message level security. html A security document describes a Security Model, the threats against which the model protects, the goals CyberGauge of the Security Model, the protocols which it uses to meet those goals, and it may define a MIB module to http://www.javvin.com/CyberGauge. describe the data used during processing, and to allow the remote configuration of message-level security html parameters, such as keys. Easy Network Service An SNMP engine may support multiple Security Models concurrently. Monitor 2.7. Access Control http://www.javvin.com/easy.html Business Card Scanner During processing, it may be required to control access to managed objects for operations. http://www.javvin.com/businesscard- scanner.html An Access Control Model defines mechanisms to determine whether access to a managed object should Color Cards and Picture be allowed. An Access Control Model may define a MIB module used during processing and to allow the Scanner remote configuration of access control policies. http://www.javvin.com/colorcardscan- ner.html 2.8. Protocol Operations Portable Document Scan- ner SNMP messages encapsulate an SNMP Protocol Data Unit (PDU). SNMP PDUs define the operations performed by the receiving SNMP engine. It is the purpose of a Protocol Operations document to define the http://www.javvin.com/portablescan- operations of the protocol with respect to the processing of the PDUs. Every PDU belongs to one or more ner.html of the PDU classes defined below: www.javvin.com ) Read Class: www.networkdictionary. com The Read Class contains protocol operations that retrieve management information. For example, [ Page 0 ]
  11. 11. Architecture for SNMP Management Frameworks December 2002 Network Dictionary [RFC3416] defines the following protocol operations for the Read Class: GetRequest- PDU, GetNex- tRequest-PDU, and GetBulkRequest-PDU. http://www.javvin.com/networkdiction- ary.html 2) Write Class: Network Protocols Map The Write Class contains protocol operations which attempt to modify management information. For http://www.javvin.com/map.html example, [RFC3416] defines the following protocol operation for the Write Class: SetRequest-PDU. Network Security Map 3) Response Class: http://www.javvin.com/securitymap. html The Response Class contains protocol operations which are sent in response to a previous request. For Wireless Communications example, [RFC3416] defines the following for the Response Class: Response-PDU, Report-PDU. Technology Map 4) Notification Class: http://www.javvin.com/wirelessmap. html The Notification Class contains protocol operations which send a notification to a notification receiv- Network Protocols Hand- er application. For example, [RFC3416] defines the following operations for the Notification Class: book Trapv2-PDU, InformRequest-PDU. http://www.javvin.com/model.html 5) Internal Class: TCP/IP Quick Guide http://www.javvin.com/tcpipguide.html The Internal Class contains protocol operations which are exchanged internally between SNMP en- gines. For example, [RFC3416] defines the following operation for the Internal Class: Report-PDU. Ethernet Quick Guide The preceding five classifications are based on the functional properties of a PDU. It is also useful to clas- http://www.javvin.com/ethernetguide. sify PDUs based on whether a response is expected: html 6) Confirmed Class: Packet Analyzer http://www.javvin.com/packet.html The Confirmed Class contains all protocol operations which cause the receiving SNMP engine to send back a response. For example, [RFC3416] defines the following operations for the Confirmed Class: DiskShare GetRequest-PDU, GetNextRequest-PDU, GetBulkRequest-PDU, SetRequest-PDU, and InformRe- http://www.javvin.com/diskshare.html quest-PDU. DiskAccess 7) Unconfirmed Class: http://www.javvin.com/diskaccess.html The Unconfirmed Class contains all protocol operations which are not acknowledged. For example, [RFC3416] defines the following operations for the Unconfirmed Class: Report-PDU, Trapv2-PDU, LANsurveyor and GetResponse-PDU. http://www.javvin.com/LANsurveyor. html An application document defines which Protocol Operations are supported by the application. CyberGauge 2.9. Applications http://www.javvin.com/CyberGauge. html An SNMP entity normally includes a number of applications. Applications use the services of an SNMP en- Easy Network Service gine to accomplish specific tasks. They coordinate the processing of management information operations, and may use SNMP messages to communicate with other SNMP entities. Monitor http://www.javvin.com/easy.html An applications document describes the purpose of an application, the services required of the associated Business Card Scanner SNMP engine, and the protocol operations and informational model that the application uses to perform management operations. http://www.javvin.com/businesscard- scanner.html An application document defines which set of documents are used to specifically define the structure of Color Cards and Picture management information, textual conventions, conformance requirements, and operations supported by Scanner the application. http://www.javvin.com/colorcardscan- ner.html 2.10. Structure of Management Information Portable Document Scan- ner Management information is viewed as a collection of managed objects, residing in a virtual information http://www.javvin.com/portablescan- store, termed the Management Information Base (MIB). Collections of related objects are defined in MIB ner.html modules. www.javvin.com It is the purpose of a Structure of Management Information document to establish the notation for defining objects, modules, and other elements of managed information. www.networkdictionary. com [ Page ]
  12. 12. Architecture for SNMP Management Frameworks December 2002 2.11. Textual Conventions Network Dictionary http://www.javvin.com/networkdiction- ary.html When designing a MIB module, it is often useful to define new types similar to those defined in the SMI, but with more precise semantics, or which have special semantics associated with them. These newly Network Protocols Map defined types are termed textual conventions, and may be defined in separate documents, or within a MIB http://www.javvin.com/map.html module. Network Security Map 2.12. Conformance Statements http://www.javvin.com/securitymap. html It may be useful to define the acceptable lower-bounds of implementation, along with the actual level of Wireless Communications implementation achieved. It is the purpose of the Conformance Statements document to define the notation used for these purposes. Technology Map http://www.javvin.com/wirelessmap. 2.13. Management Information Base Modules html Network Protocols Hand- MIB documents describe collections of managed objects which instrument some aspect of a managed book node. http://www.javvin.com/model.html TCP/IP Quick Guide 2.13.1. SNMP Instrumentation MIBs http://www.javvin.com/tcpipguide.html An SNMP MIB document may define a collection of managed objects which instrument the SNMP proto- col itself. In addition, MIB modules may be defined within the documents which describe portions of the Ethernet Quick Guide SNMP architecture, such as the documents for Message processing Models, Security Models, etc. for the http://www.javvin.com/ethernetguide. purpose of instrumenting those Models, and for the purpose of allowing their remote configuration. html 2.14. SNMP Framework Documents Packet Analyzer http://www.javvin.com/packet.html This architecture is designed to allow an orderly evolution of portions of SNMP Frameworks. DiskShare Throughout the rest of this document, the term quot;subsystemquot; refers to an abstract and incomplete specifica- http://www.javvin.com/diskshare.html tion of a portion of a Framework, that is further refined by a model specification. DiskAccess A quot;modelquot; describes a specific design of a subsystem, defining additional constraints and rules for confor- http://www.javvin.com/diskaccess.html mance to the model. A model is sufficiently detailed to make it possible to implement the specification. LANsurveyor An quot;implementationquot; is an instantiation of a subsystem, conforming to one or more specific models. http://www.javvin.com/LANsurveyor. SNMP version (SNMPv), is the original Internet-Standard Network Management Framework, as de- html scribed in RFCs 55, 57, and 22. CyberGauge SNMP version 2 (SNMPv2), is the SNMPv2 Framework as derived from the SNMPv Framework. It is http://www.javvin.com/CyberGauge. described in STD 58, RFCs 2578, 2579, 2580, and STD 62, RFCs 346, 347, and 348. SNMPv2 has no html message definition. Easy Network Service The Community-based SNMP version 2 (SNMPv2c), is an experimental SNMP Framework which supple- Monitor ments the SNMPv2 Framework, as described in [RFC90]. It adds the SNMPv2c message format, which http://www.javvin.com/easy.html is similar to the SNMPv message format. Business Card Scanner SNMP version 3 (SNMPv3), is an extensible SNMP Framework which supplements the SNMPv2 Frame- http://www.javvin.com/businesscard- work, by supporting the following: scanner.html Color Cards and Picture - a new SNMP message format, Scanner http://www.javvin.com/colorcardscan- - Security for Messages, ner.html Portable Document Scan- - Access Control, and ner - Remote configuration of SNMP parameters. http://www.javvin.com/portablescan- ner.html Other SNMP Frameworks, i.e., other configurations of implemented subsystems, are expected to also be www.javvin.com consistent with this architecture. www.networkdictionary. 3. Elements of the Architecture com [ Page 2 ]

×