rfc9456.original | rfc9456.txt | |||
---|---|---|---|---|
Internet Engineering Task Force K. Vaughn, Ed. | Internet Engineering Task Force (IETF) K. Vaughn, Ed. | |||
Internet-Draft Trevilon LLC | Request for Comments: 9456 Trevilon LLC | |||
Updates: 6353 (if approved) 8 May 2023 | Updates: 6353 November 2023 | |||
Intended status: Standards Track | Category: Standards Track | |||
Expires: 9 November 2023 | ISSN: 2070-1721 | |||
Updates to the TLS Transport Model for SNMP | Updates to the TLS Transport Model for SNMP | |||
draft-ietf-opsawg-tlstm-update-15 | ||||
Abstract | Abstract | |||
This document updates RFC 6353 "Transport Layer Security (TLS) | This document updates RFC 6353 ("Transport Layer Security (TLS) | |||
Transport Model for the Simple Network Management Protocol (SNMP)", | Transport Model for the Simple Network Management Protocol (SNMP)") | |||
to reflect changes necessary to support Transport Layer Security | to reflect changes necessary to support Transport Layer Security | |||
Version 1.3 (TLS 1.3) and Datagram Transport Layer Security Version | version 1.3 (TLS 1.3) and Datagram Transport Layer Security version | |||
1.3 (DTLS 1.3), which are jointly known as "(D)TLS 1.3". This | 1.3 (DTLS 1.3), which are jointly known as "(D)TLS 1.3". This | |||
document is compatible with (D)TLS 1.2 and is intended to be | document is compatible with (D)TLS 1.2 and is intended to be | |||
compatible with future versions of SNMP and (D)TLS. | compatible with future versions of SNMP and (D)TLS. | |||
This document updates the SNMP-TLS-TM-MIB as defined in RFC 6353. | This document updates the SNMP-TLS-TM-MIB as defined in RFC 6353. | |||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
provisions of BCP 78 and BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on 9 November 2023. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc9456. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2023 IETF Trust and the persons identified as the | Copyright (c) 2023 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
in the Revised BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
1.1. Conventions . . . . . . . . . . . . . . . . . . . . . . . 2 | 1.1. The Internet-Standard Management Framework | |||
2. Changes from RFC 6353 . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Conventions | |||
2.1. TLSTM Fingerprint . . . . . . . . . . . . . . . . . . . . 4 | 2. Changes from RFC 6353 | |||
2.2. Security Level . . . . . . . . . . . . . . . . . . . . . 5 | 2.1. TLSTM Fingerprint | |||
2.3. (D)TLS Version . . . . . . . . . . . . . . . . . . . . . 6 | 2.2. Security Level | |||
3. Additional Rules for TLS 1.3 . . . . . . . . . . . . . . . . 6 | 2.3. (D)TLS Version | |||
3.1. Zero Round Trip Time Resumption (0-RTT) . . . . . . . . . 6 | 3. Additional Rules for TLS 1.3 | |||
3.2. TLS cipher suites, extensions and protocol invariants . . 6 | 3.1. Zero Round-Trip Time Resumption (0-RTT) | |||
4. MIB Module Definition . . . . . . . . . . . . . . . . . . . . 7 | 3.2. TLS Cipher Suites, Extensions, and Protocol Invariants | |||
5. Security Considerations . . . . . . . . . . . . . . . . . . . 30 | 4. MIB Module Definitions | |||
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 | 5. Security Considerations | |||
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 32 | 6. IANA Considerations | |||
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 32 | 7. References | |||
8.1. Normative References . . . . . . . . . . . . . . . . . . 32 | 7.1. Normative References | |||
8.2. Informative References . . . . . . . . . . . . . . . . . 33 | 7.2. Informative References | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 34 | Acknowledgements | |||
Author's Address | ||||
1. Introduction | 1. Introduction | |||
This document updates and clarifies how the rules of [RFC6353] apply | This document updates and clarifies how the rules of [RFC6353] apply | |||
when using Transport Layer Security (TLS) or Datagram Transport Layer | when using Transport Layer Security (TLS) or Datagram Transport Layer | |||
Security (DTLS) versions later than 1.2. This document jointly | Security (DTLS) versions later than 1.2. This document jointly | |||
refers to these two protocols as "(D)TLS". The update also | refers to these two protocols as "(D)TLS". The update also | |||
emphasizes the [RFC8996] requirement that prohibits the use of TLS | emphasizes the requirement in [RFC8996] prohibiting the use of TLS | |||
versions prior to TLS 1.2 when using SNMP. Although the text of this | versions prior to TLS 1.2 [RFC5246] when using SNMP. Although the | |||
document specifically references SNMPv3 and (D)TLS 1.3, this document | text of this document specifically references SNMPv3 and (D)TLS 1.3, | |||
may be applicable to future versions of these protocols and is | this document may be applicable to future versions of these protocols | |||
backwards compatible with (D)TLS 1.2. | and is backwards compatible with (D)TLS 1.2. | |||
1.1. Conventions | 1.1. The Internet-Standard Management Framework | |||
Within this document the terms "TLS", "DTLS", and "(D)TLS" apply to | For a detailed overview of the documents that describe the current | |||
Internet-Standard Management Framework, please refer to Section 7 of | ||||
[RFC3410]. | ||||
Managed objects are accessed via a virtual information store, termed | ||||
the Management Information Base or MIB. MIB objects are generally | ||||
accessed through the Simple Network Management Protocol (SNMP). | ||||
Objects in the MIB are defined using the mechanisms defined in the | ||||
Structure of Management Information (SMI). This memo specifies a MIB | ||||
module that is compliant to the SMIv2, which is described in STD 58 | ||||
([RFC2578], [RFC2579], and [RFC2580]). | ||||
1.2. Conventions | ||||
Within this document, the terms "TLS", "DTLS", and "(D)TLS" apply to | ||||
all versions of the indicated protocols. The term "SNMP" means | all versions of the indicated protocols. The term "SNMP" means | |||
"SNMPv3" unless a specific version number is indicated. Specific | "SNMPv3" unless a specific version number is indicated. Specific | |||
version numbers are used when the text needs to emphasize version | version numbers are used when the text needs to emphasize version | |||
numbers. | numbers. | |||
For consistency with SNMP-related specifications, this document | For consistency with SNMP-related specifications, this document | |||
favors terminology as defined in [STD62], rather than favoring | favors terminology as defined in [STD62], rather than favoring | |||
terminology that is consistent with non-SNMP specifications. This is | terminology that is consistent with non-SNMP specifications. This is | |||
consistent with the IESG decision to not require the SNMP terminology | consistent with the IESG decision to not require that the SNMP | |||
be modified to match the usage of other non-SNMP specifications when | terminology be modified to match the usage of other non-SNMP | |||
SNMP was advanced to a Full Standard. "Authentication" in this | specifications when SNMP was advanced to an Internet Standard. | |||
document typically refers to the English meaning of "serving to prove | "Authentication" in this document typically refers to the English | |||
the authenticity of" the message, not data source authentication or | meaning of "serving to prove the authenticity of" the message, not | |||
peer identity authentication. The terms "manager" and "agent" are | data source authentication or peer identity authentication. The | |||
not used in this document because, in the RFC3411 architecture, all | terms "manager" and "agent" are not used in this document because, in | |||
SNMP entities have the capability of acting as manager, agent, or | the architecture defined in [RFC3411], all SNMP entities have the | |||
both depending on the SNMP application types supported in the | capability of acting as manager, agent, or both, depending on the | |||
implementation. Where distinction is necessary, the application | SNMP application types supported in the implementation. Where | |||
names of command generator, command responder, notification | distinction is necessary, the application names of command generator, | |||
originator, notification receiver, and proxy forwarder are used. See | command responder, notification originator, notification receiver, | |||
"SNMP Applications" (RFC3411) for further information. | and proxy forwarder are used. See "An Architecture for Describing | |||
Simple Network Management Protocol (SNMP) Management Frameworks" | ||||
[RFC3411] for further information. | ||||
Throughout this document, the terms "client" and "server" are used to | Throughout this document, the terms "client" and "server" are used to | |||
refer to the two ends of the TLS transport connection. The client | refer to the two ends of the TLS transport connection. The client | |||
actively opens the TLS connection, and the server passively listens | actively opens the TLS connection, and the server passively listens | |||
for the incoming TLS connection. An SNMP entity MAY act as a TLS | for the incoming TLS connection. An SNMP entity MAY act as a TLS | |||
client or server or both, depending on the SNMP applications | client, TLS server, or both, depending on the SNMP applications | |||
supported. | supported. | |||
Throughout this document, the term "session" is used to refer to a | Throughout this document, the term "session" is used to refer to a | |||
secure association between two instances of the TLS Transport Model | secure association between two instances of the TLS Transport Model | |||
(TLSTM) that permits the transmission of one or more SNMP messages | (TLSTM) that permits the transmission of one or more SNMP messages | |||
within the lifetime of the session. The TLS protocol also has an | within the lifetime of the session. The TLS protocol also has an | |||
internal notion of a session and although these two concepts of a | internal notion of a session, and although these two concepts of a | |||
session are related, when the term "session" is used this document is | session are related, when the term "session" is used, this document | |||
referring to the TLSTM's specific session and not directly to the TLS | is referring to the TLSTM's specific session and not directly to the | |||
protocol's session. | TLS protocol's session. | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
2. Changes from RFC 6353 | 2. Changes from RFC 6353 | |||
This document updates [RFC6353]. The changes from [RFC6353] are | This document updates [RFC6353]. The changes from [RFC6353] are | |||
defined in the following clauses. | defined in the following subsections. | |||
2.1. TLSTM Fingerprint | 2.1. TLSTM Fingerprint | |||
[RFC6353] defines a fingerprint algorithm that references the one- | [RFC6353] defines the SnmpTLSFingerprint textual convention to | |||
octet TLS 1.2 hash algorithm identifier. TLS 1.3 replaced the one- | include the one-octet TLS 1.2 hash algorithm identifier. This one- | |||
octet hash algorithm identifier with a two-octet TLS 1.3 cipher suite | octet algorithm identifier is only applicable to (D)TLS protocol | |||
identifier. The TLS community does not plan to ever add additional | versions prior to 1.3. The TLS community does not plan to ever add | |||
values to the TLS 1.2 hash algorithm registry because some might | additional values to the "TLS HashAlgorithm" registry [RFC5246], | |||
incorrectly infer that using a new hash algorithm with TLS 1.2 would | because some might incorrectly infer that using a new hash algorithm | |||
overcome the limitations of TLS 1.2. However, there is still a need | with TLS 1.2 would overcome the limitations of TLS 1.2. However, | |||
within TLSTM to support new values as they are developed. | there is still a need within TLSTM to support new values as they are | |||
developed. | ||||
This document updates the definition of SnmpTLSFingerprint to clarify | This document updates the definition of SnmpTLSFingerprint to clarify | |||
that the one-octet identifier in the fingerprint algorithm uses the | that the one-octet algorithm identifier uses the values in the IANA | |||
IANA SNMP-TLSTM HashAlgorithm Registry; this registry is consistent | "SNMP-TLSTM HashAlgorithms" registry; this registry is consistent | |||
with the IANA TLS HashAlgorithm Registry for its initial values but | with the IANA "TLS HashAlgorithm" registry for its initial values but | |||
can be extended as needed to support new hashing algorithms without | can be extended as needed to support new hashing algorithms without | |||
implying that the new values can be used by TLS version 1.2. This | implying that the new values can be used by TLS version 1.2. This | |||
change allows the reuse of the existing fingerprint TEXTUAL- | change allows the reuse of the existing fingerprint textual | |||
CONVENTION and minimizes the impact to [RFC6353]. | convention and minimizes the impact to [RFC6353]. | |||
A "Y" in the "Recommended" column indicates that the registered value | A "Y" in the "Recommended" column (Table 1) indicates that the | |||
has been recommended through a formal Standards Action. Not all | registered value has been recommended through a formal Standards | |||
parameters defined in Standards Track documents are necessarily | Action [RFC8126]. Not all parameters defined in Standards Track | |||
marked as "Recommended". | documents are necessarily marked as "Recommended". | |||
An "N" in the "Recommended" column does not necessarily mean that it | An "N" in the "Recommended" column does not necessarily mean that the | |||
is flawed; rather, it indicates that the item either has not been | value is flawed; rather, it indicates that the item either has not | |||
through the IETF consensus process, has limited applicability, or is | been through the IETF consensus process, has limited applicability, | |||
intended only for specific use cases. | or is intended only for specific use cases. | |||
The initial values for the SNMP-TLSTM HashAlgorithm Registry are | The initial values for the "SNMP-TLSTM HashAlgorithms" registry are | |||
defined below: | defined below: | |||
+=========+=============+=============+===========+ | +=========+==========================+=============+============+ | |||
| Value | Description | Recommended | Reference | | | Value | Description | Recommended | References | | |||
+=========+=============+=============+===========+ | +=========+==========================+=============+============+ | |||
| 0 | none | N | [RFC5246] | | | 0 | none | N | [RFC5246] | | |||
+---------+-------------+-------------+-----------+ | +---------+--------------------------+-------------+------------+ | |||
| 1 | md5 | N | [RFC5246] | | | 1 | md5 | N | [RFC5246] | | |||
+---------+-------------+-------------+-----------+ | +---------+--------------------------+-------------+------------+ | |||
| 2 | sha1 | N | [RFC5246] | | | 2 | sha1 | N | [RFC5246] | | |||
+---------+-------------+-------------+-----------+ | +---------+--------------------------+-------------+------------+ | |||
| 3 | sha224 | Y | [RFC5246] | | | 3 | sha224 | Y | [RFC5246] | | |||
+---------+-------------+-------------+-----------+ | +---------+--------------------------+-------------+------------+ | |||
| 4 | sha256 | Y | [RFC5246] | | | 4 | sha256 | Y | [RFC5246] | | |||
+---------+-------------+-------------+-----------+ | +---------+--------------------------+-------------+------------+ | |||
| 5 | sha384 | Y | [RFC5246] | | | 5 | sha384 | Y | [RFC5246] | | |||
+---------+-------------+-------------+-----------+ | +---------+--------------------------+-------------+------------+ | |||
| 6 | sha512 | Y | [RFC5246] | | | 6 | sha512 | Y | [RFC5246] | | |||
+---------+-------------+-------------+-----------+ | +---------+--------------------------+-------------+------------+ | |||
| 7 | reserved | | [RFC8447] | | | 7 | Reserved | | [RFC8447] | | |||
+---------+-------------+-------------+-----------+ | +---------+--------------------------+-------------+------------+ | |||
| 8 | intrinsic | N | [RFC8422] | | | 8 | Intrinsic | N | [RFC8422] | | |||
+---------+-------------+-------------+-----------+ | +---------+--------------------------+-------------+------------+ | |||
| 9-223 | reserved | | [RFC8447] | | | 9-223 | Unassigned | | | | |||
+---------+-------------+-------------+-----------+ | +---------+--------------------------+-------------+------------+ | |||
| 224-255 | private | | [RFC5246] | | | 224-255 | Reserved for Private Use | | [RFC5246] | | |||
+---------+-------------+-------------+-----------+ | +---------+--------------------------+-------------+------------+ | |||
Table 1: SNMP-TLSTM Hash Algorithms | Table 1: SNMP-TLSTM Hash Algorithms | |||
Values 0 through 2 MUST NOT be used by implementations of this | Values 0 through 2 MUST NOT be used by implementations of this | |||
document but are listed for historical consistency. | document but are listed for historical consistency. | |||
2.2. Security Level | 2.2. Security Level | |||
The RFC3411 architecture recognizes three levels of security: | The architecture defined in [RFC3411] recognizes three levels of | |||
security: | ||||
* without authentication and without privacy (noAuthNoPriv) | * without authentication and without privacy (noAuthNoPriv) | |||
* with authentication but without privacy (authNoPriv) | * with authentication but without privacy (authNoPriv) | |||
* with authentication and with privacy (authPriv) | * with authentication and with privacy (authPriv) | |||
Cipher suites for (D)TLS 1.3 defined in [RFC8446] provide both | Cipher suites for (D)TLS 1.3 defined in [RFC8446] provide both | |||
authentication and privacy. Cipher suites defined in [RFC9150] for | authentication and privacy. Cipher suites defined in [RFC9150] for | |||
(D)TLS 1.3 provide only authentication, without any privacy | (D)TLS 1.3 provide only authentication, without any privacy | |||
protection. Implementations MAY choose to force (D)TLS 1.3 to only | protection. Implementations MAY choose to force (D)TLS 1.3 to only | |||
allow cipher suites that provide both authentication and privacy. | allow cipher suites that provide both authentication and privacy. | |||
2.3. (D)TLS Version | 2.3. (D)TLS Version | |||
[RFC6353] states that TLSTM clients and servers MUST NOT request, | [RFC6353] states that TLSTM clients and servers MUST NOT request, | |||
offer, or use SSL 2.0. [RFC8996] prohibits the use of (D)TLS | offer, or use SSL 2.0. [RFC8996] prohibits the use of (D)TLS | |||
versions prior to version 1.2. TLSTM MUST only be used with (D)TLS | versions prior to version 1.2. TLSTM MUST only be used with (D)TLS | |||
version 1.2 and later. | versions 1.2 and later. | |||
3. Additional Rules for TLS 1.3 | 3. Additional Rules for TLS 1.3 | |||
This document specifies additional rules and clarifications for the | This document specifies additional rules and clarifications for the | |||
use of TLS 1.3. These rules may additionally apply to future | use of TLS 1.3. These rules may additionally apply to future | |||
versions of TLS. | versions of TLS. | |||
3.1. Zero Round Trip Time Resumption (0-RTT) | 3.1. Zero Round-Trip Time Resumption (0-RTT) | |||
TLS 1.3 implementations for SNMP MUST NOT enable the 0-RTT mode of | TLS 1.3 implementations for SNMP MUST NOT enable the 0-RTT mode of | |||
session resumption (either sending or accepting) and MUST NOT | session resumption (either sending or accepting) and MUST NOT | |||
automatically resend 0-RTT data if it is rejected by the server. The | automatically resend 0-RTT data if it is rejected by the server. | |||
reason 0-RTT is disallowed is that there are no "safe" SNMP messages | 0-RTT is disallowed because there are no "safe" SNMP messages that, | |||
that if replayed will be guaranteed to cause no harm at a server | if replayed, will be guaranteed to cause no harm at the server side: | |||
side: all incoming notification or command responses are meant to be | all incoming notifications or command responses are meant to be acted | |||
acted upon only once. See Security considerations section for | upon only once. See Section 5 ("Security Considerations") for | |||
further details. | further details. | |||
TLS TM clients and servers MUST NOT request, offer, or use the 0-RTT | TLSTM clients and servers MUST NOT request, offer, or use the 0-RTT | |||
mode of TLS 1.3. [RFC8446] removed the renegotiation supported in | mode of TLS 1.3. [RFC8446] removed the renegotiation supported in | |||
TLS 1.2 [RFC5246]; for session resumption, it introduced a zero-RTT | TLS 1.2 [RFC5246]; for session resumption, it introduced a zero-RTT | |||
(0-RTT) mode, saving a round-trip at connection setup at the cost of | (0-RTT) mode, saving a round trip at connection setup at the cost of | |||
increased risk of replay attacks (it is possible for servers to guard | increased risk of replay attacks (it is possible for servers to guard | |||
against this attack by keeping track of all the messages received). | against this attack by keeping track of all the messages received). | |||
[RFC8446] requires a profile be written for any application that | [RFC8446] requires that a profile be written for any application that | |||
wants to use 0-RTT, specifying which messages are "safe to use" on | wants to use 0-RTT, specifying which messages are "safe to use" with | |||
this mode. Within SNMP, there are no messages that are "safe to use" | this mode. Within SNMP, there are no messages that are "safe to use" | |||
with this mode. | with this mode. | |||
Renegotiation of sessions is not supported as it is not supported by | Renegotiation of sessions is not supported, as it is not supported by | |||
TLS 1.3. If a future version of TLS supports renegotiation, this RFC | TLS 1.3. If a future version of TLS supports renegotiation, this RFC | |||
should be updated to indicate whether there are any additional | should be updated to indicate whether there are any additional | |||
requirements related to its use. | requirements related to its use. | |||
3.2. TLS cipher suites, extensions and protocol invariants | 3.2. TLS Cipher Suites, Extensions, and Protocol Invariants | |||
[RFC8446] section 9 requires that, in the absence of application | Section 9 of [RFC8446] requires that, in the absence of application | |||
profiles, certain cipher suites, TLS extensions, and TLS protocol | profiles, certain cipher suites, TLS extensions, and TLS protocol | |||
invariants are mandatory to implement. This document does not | invariants be mandatory to implement. This document does not specify | |||
specify an application profile, hence all the compliance requirements | an application profile; hence, all the compliance requirements in | |||
in [RFC8446] apply. | [RFC8446] apply. | |||
4. MIB Module Definition | 4. MIB Module Definitions | |||
This module makes references to [RFC1123], RFC2578, RFC2579, RFC2580, | This SNMP-TLS-TM-MIB module imports items from [RFC2578], [RFC2579], | |||
RFC3411, RFC3413, [RFC5246], [RFC5280], [RFC5890], [RFC5952], | [RFC2580], [RFC3411], and [RFC3413]. It also references [RFC1123], | |||
[RFC5953], [RFC6353], and [STD58] | [RFC5246], [RFC5280], [RFC5591], [RFC5890], [RFC5952], [RFC5953], | |||
[RFC6353], and [STD58]. | ||||
<CODE BEGINS> file "SNMP-TLS-TM-MIB" | ||||
SNMP-TLS-TM-MIB DEFINITIONS ::= BEGIN | SNMP-TLS-TM-MIB DEFINITIONS ::= BEGIN | |||
IMPORTS | IMPORTS | |||
MODULE-IDENTITY, OBJECT-TYPE, | MODULE-IDENTITY, OBJECT-TYPE, | |||
OBJECT-IDENTITY, mib-2, snmpDomains, | OBJECT-IDENTITY, mib-2, snmpDomains, | |||
Counter32, Unsigned32, Gauge32, NOTIFICATION-TYPE | Counter32, Unsigned32, Gauge32, NOTIFICATION-TYPE | |||
FROM SNMPv2-SMI -- RFC 2578 or any update thereof | FROM SNMPv2-SMI -- RFC 2578 or any update thereof | |||
TEXTUAL-CONVENTION, TimeStamp, RowStatus, StorageType, | TEXTUAL-CONVENTION, TimeStamp, RowStatus, StorageType, | |||
AutonomousType | AutonomousType | |||
FROM SNMPv2-TC -- RFC 2579 or any update thereof | FROM SNMPv2-TC -- RFC 2579 or any update thereof | |||
MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP | MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP | |||
FROM SNMPv2-CONF -- RFC 2580 or any update thereof | FROM SNMPv2-CONF -- RFC 2580 or any update thereof | |||
SnmpAdminString | SnmpAdminString | |||
FROM SNMP-FRAMEWORK-MIB -- RFC 3411 or any update thereof | FROM SNMP-FRAMEWORK-MIB -- RFC 3411 or any update thereof | |||
snmpTargetParamsName, snmpTargetAddrName | snmpTargetParamsName, snmpTargetAddrName | |||
FROM SNMP-TARGET-MIB -- RFC 3413 or any update thereof | FROM SNMP-TARGET-MIB -- RFC 3413 or any update thereof | |||
; | ; | |||
snmpTlstmMIB MODULE-IDENTITY | snmpTlstmMIB MODULE-IDENTITY | |||
LAST-UPDATED "202303010000Z" | LAST-UPDATED "202310310000Z" | |||
ORGANIZATION "OPSA Working Group" | ||||
CONTACT-INFO "WG-EMail: opsawg@ietf.org | ||||
Mailing list subscription info: | ||||
https://www.ietf.org/mailman/listinfo/opsawg | ||||
Kenneth Vaughn | ORGANIZATION "Operations and Management Area Working Group | |||
Trevilon LLC | <mailto:opsawg@ietf.org>" | |||
1060 Hwy 107 South | CONTACT-INFO | |||
Del Rio, TN 37727 | "Author: Kenneth Vaughn | |||
United States | <mailto:kvaughn@trevilon.com>" | |||
Phone: +1 571 331 5670 | DESCRIPTION | |||
Email: kvaughn@trevilon.com" | "This is the MIB module for the TLS Transport Model | |||
DESCRIPTION " | (TLSTM). | |||
The TLS Transport Model MIB | ||||
Copyright (c) 2010-2022 IETF Trust and the persons identified | Copyright (c) 2023 IETF Trust and the persons identified | |||
as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, | |||
without modification, is permitted pursuant to, and subject | with or without modification, is permitted pursuant | |||
to the license terms contained in, the Revised BSD License | to, and subject to the license terms contained in, | |||
set forth in Section 4.c of the IETF Trust's Legal Provisions | the Revised BSD License set forth in Section 4.c | |||
Relating to IETF Documents | of the IETF Trust's Legal Provisions Relating to IETF | |||
(http://trustee.ietf.org/license-info). | Documents (https://trustee.ietf.org/license-info). | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL | The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | |||
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT | 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | |||
RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to | 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | |||
be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) | are to be interpreted as described in BCP 14 (RFC 2119) | |||
when, and only when, they appear in all capitals, as shown | (RFC 8174) when, and only when, they appear in all | |||
here." | capitals, as shown here." | |||
REVISION "202303010000Z" | REVISION "202310310000Z" | |||
DESCRIPTION "This version of this MIB module is part of | DESCRIPTION | |||
RFC XXXX; see the RFC itself for full legal | "This version of this MIB module is part of | |||
notices. This version: [ Note to RFC Editor: | RFC 9456; see the RFC itself for full legal | |||
please replace the above XXXX with the RFC number | notices. This version does the following: | |||
of this document ] | ||||
1. Updates the definition of SnmpTLSFingerprint | 1) Updates the definition of SnmpTLSFingerprint | |||
to clarify the registry used for the one-octet | to clarify the registry used for the one-octet | |||
hash algorithm identifier. | hash algorithm identifier. | |||
2. Capitalizes key words in conformance with | ||||
BCP 14 | 2) Capitalizes key words in conformance with | |||
3. Replaces 'may not' with 'MUST NOT' to clarify | BCP 14. | |||
intent in several locations. | ||||
4. Replaces 'may not' with a clarification within | 3) Replaces 'may not' with 'MUST NOT' to clarify | |||
the definition of SnmpTLSAddress" | intent in several locations. | |||
4) Replaces 'may not' with a clarification within | ||||
the definition of SnmpTLSAddress. | ||||
5) Applies cosmetic grammar improvements and | ||||
reformatting causing whitespace changes." | ||||
REVISION "201107190000Z" | REVISION "201107190000Z" | |||
DESCRIPTION "This version of this MIB module is part of | DESCRIPTION | |||
RFC 6353; see the RFC itself for full legal | "This version of this MIB module is part of | |||
notices. The only change was to introduce | RFC 6353; see the RFC itself for full legal | |||
new wording to reflect require changes for | notices. The only change was to introduce | |||
IDNA addresses in the SnmpTLSAddress TC." | new wording to reflect required changes for | |||
Internationalized Domain Names for Applications | ||||
(IDNA) addresses in the SnmpTLSAddress textual | ||||
convention (TC)." | ||||
REVISION "201005070000Z" | REVISION "201005070000Z" | |||
DESCRIPTION "This version of this MIB module is part of | DESCRIPTION | |||
RFC 5953; see the RFC itself for full legal | "This version of this MIB module is part of | |||
notices." | RFC 5953; see the RFC itself for full legal | |||
notices." | ||||
::= { mib-2 198 } | ::= { mib-2 198 } | |||
-- ************************************************ | -- ************************************************ | |||
-- subtrees of the SNMP-TLS-TM-MIB | -- subtrees of the SNMP-TLS-TM-MIB | |||
-- ************************************************ | -- ************************************************ | |||
snmpTlstmNotifications OBJECT IDENTIFIER ::= { snmpTlstmMIB 0 } | snmpTlstmNotifications OBJECT IDENTIFIER ::= { snmpTlstmMIB 0 } | |||
snmpTlstmIdentities OBJECT IDENTIFIER ::= { snmpTlstmMIB 1 } | snmpTlstmIdentities OBJECT IDENTIFIER ::= { snmpTlstmMIB 1 } | |||
snmpTlstmObjects OBJECT IDENTIFIER ::= { snmpTlstmMIB 2 } | snmpTlstmObjects OBJECT IDENTIFIER ::= { snmpTlstmMIB 2 } | |||
snmpTlstmConformance OBJECT IDENTIFIER ::= { snmpTlstmMIB 3 } | snmpTlstmConformance OBJECT IDENTIFIER ::= { snmpTlstmMIB 3 } | |||
snmpTlstmHashAlgorithms OBJECT-IDENTITY | snmpTlstmHashAlgorithms OBJECT-IDENTITY | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"A node used to register hashing algorithm identifiers recorded | "A node used to register hashing algorithm identifiers | |||
in the IANA SNMP-TLSTM HashAlgorithm Registry." | recorded in the IANA 'SNMP-TLSTM HashAlgorithms' registry." | |||
::= { snmpTlstmMIB 4 } | ::= { snmpTlstmMIB 4 } | |||
-- ************************************************ | -- ************************************************ | |||
-- snmpTlstmObjects - Objects | -- snmpTlstmObjects - Objects | |||
-- ************************************************ | -- ************************************************ | |||
snmpTLSTCPDomain OBJECT-IDENTITY | snmpTLSTCPDomain OBJECT-IDENTITY | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The SNMP over TLS via TCP transport domain. The | "The OBJECT IDENTIFIER representing the TDomain for the | |||
SNMP over TLS via TCP transport domain. The | ||||
corresponding transport address is of type SnmpTLSAddress. | corresponding transport address is of type SnmpTLSAddress. | |||
The securityName prefix to be associated with the | The securityName prefix to be associated with the | |||
snmpTLSTCPDomain is 'tls'. This prefix MAY be used by | snmpTLSTCPDomain is 'tls'. This prefix MAY be used by | |||
security models or other components to identify which secure | security models or other components to identify which secure | |||
transport infrastructure authenticated a securityName." | transport infrastructure authenticated a securityName." | |||
REFERENCE | REFERENCE | |||
"RFC 2579: Textual Conventions for SMIv2" | "TDomain, as defined in RFC 2579: Textual Conventions | |||
for SMIv2" | ||||
::= { snmpDomains 8 } | ::= { snmpDomains 8 } | |||
snmpDTLSUDPDomain OBJECT-IDENTITY | snmpDTLSUDPDomain OBJECT-IDENTITY | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The SNMP over DTLS via UDP transport domain. The | "The OBJECT IDENTIFIER representing the TDomain for the | |||
SNMP over DTLS via UDP transport domain. The | ||||
corresponding transport address is of type SnmpTLSAddress. | corresponding transport address is of type SnmpTLSAddress. | |||
The securityName prefix to be associated with the | The securityName prefix to be associated with the | |||
snmpDTLSUDPDomain is 'dtls'. This prefix MAY be used by | snmpDTLSUDPDomain is 'dtls'. This prefix MAY be used by | |||
security models or other components to identify which secure | security models or other components to identify which secure | |||
transport infrastructure authenticated a securityName." | transport infrastructure authenticated a securityName." | |||
REFERENCE | REFERENCE | |||
"RFC 2579: Textual Conventions for SMIv2" | "TDomain, as defined in RFC 2579: Textual Conventions | |||
for SMIv2" | ||||
::= { snmpDomains 9 } | ::= { snmpDomains 9 } | |||
SnmpTLSAddress ::= TEXTUAL-CONVENTION | SnmpTLSAddress ::= TEXTUAL-CONVENTION | |||
DISPLAY-HINT "1a" | DISPLAY-HINT "1a" | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"Represents an IPv4 address, an IPv6 address, or a | "Represents an IPv4 address, an IPv6 address, or an | |||
US-ASCII-encoded hostname and port number. | ASCII-encoded host name and port number. | |||
An IPv4 address MUST be in dotted decimal format followed by | An IPv4 address MUST be in dotted decimal format followed | |||
a colon ':' (US-ASCII character 0x3A) and a decimal port | by a colon ':' (ASCII character 0x3A) and a decimal | |||
number in US-ASCII. | port number in ASCII. | |||
An IPv6 address MUST be a colon-separated format (as | An IPv6 address MUST be a colon-separated format (as | |||
described in RFC 5952), surrounded by square brackets ('[', | described in RFC 5952), surrounded by square brackets | |||
US-ASCII character 0x5B, and ']', US-ASCII character 0x5D), | ('[', ASCII character 0x5B, and ']', ASCII character | |||
followed by a colon ':' (US-ASCII character 0x3A) and a | 0x5D), followed by a colon ':' (ASCII character 0x3A) | |||
decimal port number in US-ASCII. | and a decimal port number in ASCII. | |||
A hostname MUST be in US-ASCII (as per RFC 1123); | A host name MUST be in ASCII (as per RFC 1123); | |||
internationalized hostnames MUST be encoded as A-labels as | internationalized host names MUST be encoded as A-labels as | |||
specified in RFC 5890. The hostname is followed by a | specified in RFC 5890. The host name is followed by a | |||
colon ':' (US-ASCII character 0x3A) and a decimal port number | colon ':' (ASCII character 0x3A) and a decimal port | |||
in US-ASCII. The name SHOULD be fully qualified whenever | number in ASCII. The name SHOULD be fully qualified | |||
possible. | whenever possible. | |||
Values of this textual convention are not guaranteed to be | Values of this textual convention are not guaranteed to be | |||
directly usable as transport layer addressing information, | directly usable as transport-layer addressing information, | |||
potentially requiring additional processing, such as run-time | potentially requiring additional processing, such as | |||
resolution. As such, applications that write them MUST be | run-time resolution. As such, applications that write | |||
prepared for handling errors if such values are not | them MUST be prepared for handling errors if such values | |||
supported, or cannot be resolved (if resolution occurs at the | are not supported or cannot be resolved (if resolution | |||
time of the management operation). | occurs at the time of the management operation). | |||
The DESCRIPTION clause of TransportAddress objects that may | The DESCRIPTION clause of TransportAddress objects that | |||
have SnmpTLSAddress values MUST fully describe how (and | may have SnmpTLSAddress values MUST fully describe how | |||
when) such names are to be resolved to IP addresses and vice | (and when) such names are to be resolved to IP addresses | |||
versa. | and vice versa. | |||
This textual convention SHOULD NOT be used directly in object | This textual convention SHOULD NOT be used directly in | |||
definitions since it restricts addresses to a specific | object definitions, since it restricts addresses to a | |||
format. However, if it is used, it MAY be used either on its | specific format. However, if it is used, it MAY be used | |||
own or in conjunction with TransportAddressType or | either on its own or in conjunction with | |||
TransportDomain as a pair. | TransportAddressType or TransportDomain as a pair. | |||
When this textual convention is used as a syntax of an index | When this textual convention is used as a syntax of an | |||
object, there may be issues with the limit of 128 | index object, there may be issues with the limit of 128 | |||
sub-identifiers specified in SMIv2 (STD 58). It is | sub-identifiers specified in SMIv2 (STD 58). It is | |||
RECOMMENDED that all MIB documents using this textual | RECOMMENDED that all MIB documents using this textual | |||
convention make explicit any limitations on index component | convention make explicit any limitations on index | |||
lengths that management software MUST observe. This MAY be | component lengths that management software MUST observe. | |||
done either by including SIZE constraints on the index | This MAY be done by either 1) including SIZE constraints | |||
components or by specifying applicable constraints in the | on the index components or 2) specifying applicable | |||
conceptual row DESCRIPTION clause or in the surrounding | constraints in the conceptual row's DESCRIPTION clause or | |||
documentation." | in the surrounding documentation." | |||
REFERENCE | REFERENCE | |||
"RFC 1123: Requirements for Internet Hosts - Application and | "RFC 1123: Requirements for Internet Hosts - Application and | |||
Support | Support | |||
RFC 5890: Internationalized Domain Names for Applications | RFC 5890: Internationalized Domain Names for Applications | |||
(IDNA): Definitions and Document Framework | (IDNA): Definitions and Document Framework | |||
RFC 5952: A Recommendation for IPv6 Address Text | RFC 5952: A Recommendation for IPv6 Address Text | |||
Representation" | Representation" | |||
SYNTAX OCTET STRING (SIZE (1..255)) | SYNTAX OCTET STRING (SIZE (1..255)) | |||
SnmpTLSFingerprint ::= TEXTUAL-CONVENTION | SnmpTLSFingerprint ::= TEXTUAL-CONVENTION | |||
DISPLAY-HINT "1x:1x" | DISPLAY-HINT "1x:1x" | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"A fingerprint value that can be used to uniquely reference | "A fingerprint value that can be used to uniquely reference | |||
other data of potentially arbitrary length. | other data of potentially arbitrary length. | |||
An SnmpTLSFingerprint value is composed of a 1-octet hashing | An SnmpTLSFingerprint value is composed of a one-octet | |||
algorithm identifier followed by the fingerprint value. The | hashing algorithm identifier followed by the fingerprint | |||
1-octet identifier value encoded is taken from IANA SNMP-TLSTM | value. The one-octet identifier value encoded is taken | |||
HashAlgorithm Registry. The remaining octets of the | from the IANA 'SNMP-TLSTM HashAlgorithms' registry. The | |||
SnmpTLSFingerprint value are filled using the results of the | remaining octets of the SnmpTLSFingerprint value are | |||
hashing algorithm. | filled using the results of the hashing algorithm. | |||
Historically, the 1-octet hashing algorithm identifier was | Historically, the one-octet hashing algorithm identifier | |||
based on the IANA TLS HashAlgorithm Registry (RFC 5246); | was based on the IANA 'TLS HashAlgorithm' registry | |||
however, this registry is no longer in use for TLS 1.3 | (RFC 5246); however, this registry is no longer in use for | |||
and above and are not expected to have any new registrations | TLS 1.3 and above and is not expected to have any new | |||
added to it. To | registrations added to it. To allow the fingerprint | |||
allow the fingerprint algorithm to support additional hashing | algorithm to support additional hashing algorithms that | |||
algorithms that might be used by later versions of (D)TLS, the | might be used by later versions of (D)TLS, the octet value | |||
octet value encoded is now taken from IANA SNMP-TLSTM | encoded is now taken from the IANA | |||
HashAlgorithm Registry. The initial values within this | 'SNMP-TLSTM HashAlgorithms' registry. The initial values | |||
registry are identical to the values in the TLS HashAlgorithm | within this registry are identical to the values in the | |||
registry but can be extended to support new hashing algorithms | 'TLS HashAlgorithm' registry but can be extended to | |||
as needed. | support new hashing algorithms as needed. | |||
This TEXTUAL-CONVENTION allows for a zero-length (blank) | This textual convention allows for a zero-length (blank) | |||
SnmpTLSFingerprint value for use in tables where the | SnmpTLSFingerprint value for use in tables where the | |||
fingerprint value MAY be optional. MIB definitions or | fingerprint value MAY be optional. MIB definitions or | |||
implementations MAY refuse to accept a zero-length value as | implementations MAY refuse to accept a zero-length value | |||
appropriate." | as appropriate." | |||
REFERENCE "https://www.iana.org/assignments/smi-numbers/ | REFERENCE | |||
smi-numbers.xhtml" | "RFC 5246: The Transport Layer Security (TLS) Protocol | |||
Version 1.2 | ||||
https://www.iana.org/assignments/smi-numbers/" | ||||
SYNTAX OCTET STRING (SIZE (0..255)) | SYNTAX OCTET STRING (SIZE (0..255)) | |||
-- Identities for use in the snmpTlstmCertToTSNTable | -- Identities for use in the snmpTlstmCertToTSNTable | |||
snmpTlstmCertToTSNMIdentities OBJECT IDENTIFIER | snmpTlstmCertToTSNMIdentities OBJECT IDENTIFIER ::= | |||
::= { snmpTlstmIdentities 1 } | { snmpTlstmIdentities 1 } | |||
snmpTlstmCertSpecified OBJECT-IDENTITY | snmpTlstmCertSpecified OBJECT-IDENTITY | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"Directly specifies the tmSecurityName to be used for this | "Directly specifies the tmSecurityName to be used for this | |||
certificate. The value of the tmSecurityName to use is | certificate. The value of the tmSecurityName to use is | |||
specified in the snmpTlstmCertToTSNData column. The | specified in the 'snmpTlstmCertToTSNData' column. The | |||
snmpTlstmCertToTSNData column MUST contain a non-zero length | 'snmpTlstmCertToTSNData' column MUST contain a | |||
SnmpAdminString compliant value or the mapping described in | non-zero-length SnmpAdminString-compliant value, or the | |||
this row MUST be considered a failure." | mapping described in this row MUST be considered a | |||
failure." | ||||
::= { snmpTlstmCertToTSNMIdentities 1 } | ::= { snmpTlstmCertToTSNMIdentities 1 } | |||
snmpTlstmCertSANRFC822Name OBJECT-IDENTITY | snmpTlstmCertSANRFC822Name OBJECT-IDENTITY | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"Maps a subjectAltName's rfc822Name to a tmSecurityName. The | "Maps a subjectAltName's rfc822Name to a tmSecurityName. | |||
local part of the rfc822Name is passed unaltered but the | The local-part of the rfc822Name is passed unaltered, but | |||
host-part of the name MUST be passed in lowercase. This | the domain of the name MUST be passed in lowercase. | |||
mapping results in a 1:1 correspondence between equivalent | This mapping results in a 1:1 correspondence between | |||
subjectAltName rfc822Name values and tmSecurityName values | equivalent subjectAltName rfc822Name values and | |||
except that the host-part of the name MUST be passed in | tmSecurityName values, except that the domain of the | |||
lowercase. | name MUST be passed in lowercase. | |||
Example rfc822Name Field: FooBar@Example.COM is mapped to | Example rfc822Name field: FooBar@Example.COM is mapped to | |||
tmSecurityName: FooBar@example.com." | tmSecurityName: FooBar@example.com." | |||
::= { snmpTlstmCertToTSNMIdentities 2 } | ::= { snmpTlstmCertToTSNMIdentities 2 } | |||
snmpTlstmCertSANDNSName OBJECT-IDENTITY | snmpTlstmCertSANDNSName OBJECT-IDENTITY | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"Maps a subjectAltName's dNSName to a tmSecurityName after | "Maps a subjectAltName's dNSName to a tmSecurityName after | |||
first converting it to all lowercase (RFC 5280 does not | first converting it to all lowercase (RFC 5280 does not | |||
specify converting to lowercase, so this involves an extra | specify converting to lowercase, so this involves an extra | |||
step). This mapping results in a 1:1 correspondence between | step). This mapping results in a 1:1 correspondence | |||
subjectAltName dNSName values and the tmSecurityName values." | between subjectAltName dNSName values and the | |||
REFERENCE "RFC 5280 - Internet X.509 Public Key Infrastructure | tmSecurityName values." | |||
Certificate and Certificate Revocation List | REFERENCE | |||
(CRL) Profile." | "RFC 5280: Internet X.509 Public Key Infrastructure | |||
Certificate and Certificate Revocation | ||||
List (CRL) Profile" | ||||
::= { snmpTlstmCertToTSNMIdentities 3 } | ::= { snmpTlstmCertToTSNMIdentities 3 } | |||
snmpTlstmCertSANIpAddress OBJECT-IDENTITY | snmpTlstmCertSANIpAddress OBJECT-IDENTITY | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"Maps a subjectAltName's iPAddress to a tmSecurityName by | "Maps a subjectAltName's iPAddress to a tmSecurityName by | |||
transforming the binary encoded address as follows: | transforming the binary-encoded address as follows: | |||
1) for IPv4, the value is converted into a decimal-dotted quad | 1) For IPv4, the value is converted into a | |||
address (e.g., '192.0.2.1'). | decimal-dotted quad address (e.g., '192.0.2.1'). | |||
2) for IPv6 addresses, the value is converted into a 32- | 2) For IPv6 addresses, the value is converted into a | |||
character all lowercase hexadecimal string without any colon | 32-character all-lowercase hexadecimal string | |||
separators. | without any colon separators. | |||
This mapping results in a 1:1 correspondence between | This mapping results in a 1:1 correspondence between | |||
subjectAltName iPAddress values and the tmSecurityName values. | subjectAltName iPAddress values and the tmSecurityName | |||
values. | ||||
The resulting length of an encoded IPv6 address is the maximum | The resulting length of an encoded IPv6 address is the | |||
length supported by the View-Based Access Control Model | maximum length supported by the View-based Access Control | |||
(VACM). Using both the Transport Security Model's support for | Model (VACM). Using an IPv6 address while the value of | |||
transport prefixes (see the SNMP-TSM-MIB's | snmpTsmConfigurationUsePrefix is 'true' (see the | |||
snmpTsmConfigurationUsePrefix object for details) will result | SNMP-TSM-MIB, as defined in RFC 5591) will result in | |||
in securityName lengths that exceed what VACM can handle." | securityName lengths that exceed what the VACM can handle." | |||
REFERENCE | ||||
"RFC 5591: Transport Security Model for the Simple Network | ||||
Management Protocol (SNMP)" | ||||
::= { snmpTlstmCertToTSNMIdentities 4 } | ::= { snmpTlstmCertToTSNMIdentities 4 } | |||
snmpTlstmCertSANAny OBJECT-IDENTITY | snmpTlstmCertSANAny OBJECT-IDENTITY | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"Maps any of the following fields using the corresponding | "Maps any of the following fields using the corresponding | |||
mapping algorithms: | mapping algorithms: | |||
|------------+----------------------------| | |------------+----------------------------| | |||
| Type | Algorithm | | | Type | Algorithm | | |||
|------------+----------------------------| | |------------+----------------------------| | |||
| rfc822Name | snmpTlstmCertSANRFC822Name | | | rfc822Name | snmpTlstmCertSANRFC822Name | | |||
| dNSName | snmpTlstmCertSANDNSName | | | dNSName | snmpTlstmCertSANDNSName | | |||
| iPAddress | snmpTlstmCertSANIpAddress | | | iPAddress | snmpTlstmCertSANIpAddress | | |||
|------------+----------------------------| | |------------+----------------------------| | |||
The first matching subjectAltName value found in the | The first subjectAltName value contained in the certificate | |||
certificate of the above types MUST be used when deriving the | that matches any of the above types MUST be used when | |||
tmSecurityName. The mapping algorithm specified in the | deriving the tmSecurityName. The mapping algorithm | |||
'Algorithm' column MUST be used to derive the tmSecurityName. | specified in the 'Algorithm' column of the corresponding | |||
row MUST be used to derive the tmSecurityName. | ||||
This mapping results in a 1:1 correspondence between | This mapping results in a 1:1 correspondence between | |||
subjectAltName values and tmSecurityName values. The three | subjectAltName values and tmSecurityName values. The | |||
sub-mapping algorithms produced by this combined algorithm | three sub-mapping algorithms produced by this combined | |||
cannot produce conflicting results between themselves." | algorithm cannot produce conflicting results between | |||
themselves." | ||||
::= { snmpTlstmCertToTSNMIdentities 5 } | ::= { snmpTlstmCertToTSNMIdentities 5 } | |||
snmpTlstmCertCommonName OBJECT-IDENTITY | snmpTlstmCertCommonName OBJECT-IDENTITY | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"Maps a certificate's CommonName to a tmSecurityName after | "Maps a certificate's CommonName to a tmSecurityName after | |||
converting it to a UTF-8 encoding. The usage of CommonNames | converting it to a UTF-8 encoding. The usage of | |||
is deprecated and users are encouraged to use subjectAltName | CommonNames is deprecated, and users are encouraged to use | |||
mapping methods instead. This mapping results in a 1:1 | subjectAltName mapping methods instead. This mapping | |||
correspondence between certificate CommonName values and | results in a 1:1 correspondence between certificate | |||
tmSecurityName values." | CommonName values and tmSecurityName values." | |||
::= { snmpTlstmCertToTSNMIdentities 6 } | ::= { snmpTlstmCertToTSNMIdentities 6 } | |||
-- The snmpTlstmSession Group | -- The snmpTlstmSession Group | |||
snmpTlstmSession OBJECT IDENTIFIER ::= { snmpTlstmObjects 1 } | snmpTlstmSession OBJECT IDENTIFIER ::= { snmpTlstmObjects 1 } | |||
snmpTlstmSessionOpens OBJECT-TYPE | snmpTlstmSessionOpens OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of times an openSession() request has been | "The number of times an openSession() request has been | |||
executed as a (D)TLS client, regardless of whether it | executed as a (D)TLS client, regardless of whether it | |||
succeeded or failed." | succeeded or failed." | |||
::= { snmpTlstmSession 1 } | ::= { snmpTlstmSession 1 } | |||
snmpTlstmSessionClientCloses OBJECT-TYPE | snmpTlstmSessionClientCloses OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of times a closeSession() request has been | "The number of times a closeSession() request has been | |||
executed as a (D)TLS client, regardless of whether it | executed as a (D)TLS client, regardless of whether it | |||
succeeded or failed." | succeeded or failed." | |||
::= { snmpTlstmSession 2 } | ::= { snmpTlstmSession 2 } | |||
snmpTlstmSessionOpenErrors OBJECT-TYPE | snmpTlstmSessionOpenErrors OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of times an openSession() request failed to open | "The number of times an openSession() request failed to | |||
a session as a (D)TLS client, for any reason." | open a session as a (D)TLS client, for any reason." | |||
::= { snmpTlstmSession 3 } | ::= { snmpTlstmSession 3 } | |||
snmpTlstmSessionAccepts OBJECT-TYPE | snmpTlstmSessionAccepts OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of times a (D)TLS server has accepted a new | "The number of times a (D)TLS server has accepted a new | |||
connection from a client and has received at least one SNMP | connection from a client and has received at least one | |||
message through it." | SNMP message through it." | |||
::= { snmpTlstmSession 4 } | ::= { snmpTlstmSession 4 } | |||
snmpTlstmSessionServerCloses OBJECT-TYPE | snmpTlstmSessionServerCloses OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of times a closeSession() request has been | "The number of times a closeSession() request has been | |||
executed as a (D)TLS server, regardless of whether it | executed as a (D)TLS server, regardless of whether it | |||
succeeded or failed." | succeeded or failed." | |||
::= { snmpTlstmSession 5 } | ::= { snmpTlstmSession 5 } | |||
snmpTlstmSessionNoSessions OBJECT-TYPE | snmpTlstmSessionNoSessions OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of times an outgoing message was dropped because | "The number of times an outgoing message was dropped | |||
the session associated with the passed tmStateReference was | because the session associated with the passed | |||
no longer (or was never) available." | tmStateReference was no longer (or never) available." | |||
::= { snmpTlstmSession 6 } | ::= { snmpTlstmSession 6 } | |||
snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE | snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of times an incoming session was not established | "The number of times an incoming session was not | |||
on a (D)TLS server because the presented client certificate | established on a (D)TLS server because the presented | |||
was invalid. Reasons for invalidation include, but are not | client certificate was invalid. Reasons for invalidation | |||
limited to, cryptographic validation failures or lack of a | include, but are not limited to, cryptographic validation | |||
suitable mapping row in the snmpTlstmCertToTSNTable." | failures or lack of a suitable mapping row in the | |||
snmpTlstmCertToTSNTable." | ||||
::= { snmpTlstmSession 7 } | ::= { snmpTlstmSession 7 } | |||
snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE | snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of times an outgoing session was not established | "The number of times an outgoing session was not | |||
on a (D)TLS client because the server certificate presented | established on a (D)TLS client because the server | |||
by an SNMP over (D)TLS server was invalid because no | certificate presented by an SNMP over (D)TLS server was | |||
configured fingerprint or Certification Authority (CA) was | invalid because no configured fingerprint or Certification | |||
acceptable to validate it. | Authority (CA) was acceptable to validate it. This may | |||
This may result because there was no entry in the | result because there was no entry in the | |||
snmpTlstmAddrTable or because no path could be found to a | snmpTlstmAddrTable or because no path to a known CA could | |||
known CA." | be found." | |||
::= { snmpTlstmSession 8 } | ::= { snmpTlstmSession 8 } | |||
snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE | snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of times an outgoing session was not established | "The number of times an outgoing session was not | |||
on a (D)TLS client because the server certificate presented | established on a (D)TLS client because the server | |||
by an SNMP over (D)TLS server could not be validated even if | certificate presented by an SNMP over (D)TLS server could | |||
the fingerprint or expected validation path was known. That | not be validated even if the fingerprint or expected | |||
is, a cryptographic validation error occurred during | validation path was known. That is, a cryptographic | |||
certificate validation processing. | validation error occurred during certificate validation | |||
processing. | ||||
Reasons for invalidation include, but are not | Reasons for invalidation include, but are not limited to, | |||
limited to, cryptographic validation failures." | cryptographic validation failures." | |||
::= { snmpTlstmSession 9 } | ::= { snmpTlstmSession 9 } | |||
snmpTlstmSessionInvalidCaches OBJECT-TYPE | snmpTlstmSessionInvalidCaches OBJECT-TYPE | |||
SYNTAX Counter32 | SYNTAX Counter32 | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The number of outgoing messages dropped because the | "The number of outgoing messages dropped because the | |||
tmStateReference referred to an invalid cache." | tmStateReference referred to an invalid cache." | |||
::= { snmpTlstmSession 10 } | ::= { snmpTlstmSession 10 } | |||
-- Configuration Objects | -- Configuration Objects | |||
snmpTlstmConfig OBJECT IDENTIFIER ::= { snmpTlstmObjects 2 } | snmpTlstmConfig OBJECT IDENTIFIER ::= { snmpTlstmObjects 2 } | |||
-- Certificate mapping | -- Certificate mapping | |||
snmpTlstmCertificateMapping OBJECT IDENTIFIER ::= {snmpTlstmConfig 1} | snmpTlstmCertificateMapping OBJECT IDENTIFIER ::= | |||
{ snmpTlstmConfig 1 } | ||||
snmpTlstmCertToTSNCount OBJECT-TYPE | snmpTlstmCertToTSNCount OBJECT-TYPE | |||
SYNTAX Gauge32 | SYNTAX Gauge32 | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"A count of the number of entries in the | "A count of the number of entries in the | |||
snmpTlstmCertToTSNTable." | snmpTlstmCertToTSNTable." | |||
::= { snmpTlstmCertificateMapping 1 } | ::= { snmpTlstmCertificateMapping 1 } | |||
snmpTlstmCertToTSNTableLastChanged OBJECT-TYPE | snmpTlstmCertToTSNTableLastChanged OBJECT-TYPE | |||
SYNTAX TimeStamp | SYNTAX TimeStamp | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The value of sysUpTime.0 when the snmpTlstmCertToTSNTable | "The value of sysUpTime.0 when the snmpTlstmCertToTSNTable | |||
was last modified through any means, or 0 if it has not been | was last modified through any means, or 0 if it has not | |||
modified since the command responder was started." | been modified since the command responder was started." | |||
::= { snmpTlstmCertificateMapping 2 } | ::= { snmpTlstmCertificateMapping 2 } | |||
snmpTlstmCertToTSNTable OBJECT-TYPE | snmpTlstmCertToTSNTable OBJECT-TYPE | |||
SYNTAX SEQUENCE OF SnmpTlstmCertToTSNEntry | SYNTAX SEQUENCE OF SnmpTlstmCertToTSNEntry | |||
MAX-ACCESS not-accessible | MAX-ACCESS not-accessible | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"This table is used by a (D)TLS server to map the (D)TLS | "This table is used by a (D)TLS server to map the (D)TLS | |||
client's presented X.509 certificate to a tmSecurityName. | client's presented X.509 certificate to a tmSecurityName. | |||
On an incoming (D)TLS/SNMP connection, the client's presented | On an incoming (D)TLS/SNMP connection, the client's | |||
certificate MUST either be validated based on an established | presented certificate either MUST be validated based on an | |||
trust anchor, or it MUST directly match a fingerprint in this | established trust anchor or MUST directly match a | |||
table. This table does not provide any mechanisms for | fingerprint in this table. This table does not provide | |||
configuring the trust anchors; the transfer of any needed | any mechanisms for configuring the trust anchors; the | |||
trusted certificates for path validation is expected to occur | transfer of any needed trusted certificates for path | |||
through an out-of-band transfer. | validation is expected to occur through an out-of-band | |||
transfer. | ||||
Once the certificate has been found acceptable (either by | Once the certificate has been found acceptable (either via | |||
path validation or directly matching a fingerprint in this | path validation or by directly matching a fingerprint in | |||
table), this table is consulted to determine the appropriate | this table), this table is consulted to determine the | |||
tmSecurityName to identify with the remote connection. This | appropriate tmSecurityName to identify with the remote | |||
is done by considering each active row from this table in | connection. This is done by considering each active row | |||
prioritized order according to its snmpTlstmCertToTSNID | from this table in prioritized order according to its | |||
value. Each row's snmpTlstmCertToTSNFingerprint value | snmpTlstmCertToTSNID value. Each row's | |||
determines whether the row is a match for the incoming | snmpTlstmCertToTSNFingerprint value determines whether the | |||
connection: | row is a match for the incoming connection: | |||
1) If the row's snmpTlstmCertToTSNFingerprint value | 1) If the row's snmpTlstmCertToTSNFingerprint value | |||
identifies the presented certificate, then consider | identifies the presented certificate, then consider | |||
the row as a successful match. | the row as a successful match. | |||
2) If the row's snmpTlstmCertToTSNFingerprint value | 2) If the row's snmpTlstmCertToTSNFingerprint value | |||
identifies a locally held copy of a trusted CA | identifies a locally held copy of a trusted CA | |||
certificate and that CA certificate was used to | certificate and that CA certificate was used to | |||
validate the path to the presented certificate, then | validate the path to the presented certificate, then | |||
consider the row as a successful match. | consider the row as a successful match. | |||
Once a matching row has been found, the | Once a matching row has been found, the | |||
snmpTlstmCertToTSNMapType value can be used to determine how | snmpTlstmCertToTSNMapType value can be used to determine | |||
the tmSecurityName to associate with the session should be | how the tmSecurityName to associate with the session | |||
determined. See the snmpTlstmCertToTSNMapType column's | should be determined. See the 'snmpTlstmCertToTSNMapType' | |||
DESCRIPTION for details on determining the tmSecurityName | column's DESCRIPTION clause for details on determining the | |||
value. If it is impossible to determine a tmSecurityName | tmSecurityName value. If it is impossible to determine a | |||
from the row's data combined with the data presented in the | tmSecurityName from the row's data combined with the data | |||
certificate, then additional rows MUST be searched looking | presented in the certificate, then additional rows MUST be | |||
for another potential match. If a resulting tmSecurityName | searched to look for another potential match. If a | |||
mapped from a given row is not compatible with the needed | resulting tmSecurityName mapped from a given row is not | |||
requirements of a tmSecurityName (e.g., VACM imposes a | compatible with the needed requirements of a | |||
32-octet-maximum length and the certificate derived | tmSecurityName (e.g., the VACM imposes a 32-octet-maximum | |||
securityName could be longer), then it MUST be considered an | length and the certificate-derived securityName could be | |||
invalid match and additional rows MUST be searched looking | longer), then it MUST be considered an invalid match and | |||
for another potential match. | additional rows MUST be searched to look for another | |||
potential match. | ||||
If no matching and valid row can be found, the connection | If no matching and valid row can be found, the connection | |||
MUST be closed and SNMP messages MUST NOT be accepted over | MUST be closed and SNMP messages MUST NOT be accepted over | |||
it. | it. | |||
Missing values of snmpTlstmCertToTSNID are acceptable and | Missing values of snmpTlstmCertToTSNID are acceptable, and | |||
implementations SHOULD continue to the next highest numbered | implementations SHOULD continue to the | |||
row. It is RECOMMENDED that administrators skip index values | next-highest-numbered row. It is RECOMMENDED that | |||
to leave room for the insertion of future rows (for example, | administrators skip index values to leave room for the | |||
use values of 10 and 20 when creating initial rows). | insertion of future rows (for example, use values of 10 | |||
and 20 when creating initial rows). | ||||
Users are encouraged to make use of certificates with | Users are encouraged to make use of certificates with | |||
subjectAltName fields that can be used as tmSecurityNames so | subjectAltName fields that can be used as tmSecurityNames. | |||
that a single root CA certificate can allow all child | This allows all child certificates of a single root CA | |||
certificate's subjectAltName to map directly to a | certificate to include a subjectAltName that maps directly | |||
tmSecurityName via a 1:1 transformation. However, this table | to a tmSecurityName via a 1:1 transformation. However, | |||
is flexible to allow for situations where existing deployed | this table is flexible, to allow for situations where | |||
certificate infrastructures do not provide adequate | existing deployed certificate infrastructures do not provide | |||
subjectAltName values for use as tmSecurityNames. | adequate subjectAltName values for use as tmSecurityNames. | |||
Certificates MAY also be mapped to tmSecurityNames using the | Certificates MAY also be mapped to tmSecurityNames using | |||
CommonName portion of the Subject field. However, the usage | the CommonName portion of the Subject field. However, the | |||
of the CommonName field is deprecated and thus this usage is | usage of the CommonName field is deprecated, and thus this | |||
NOT RECOMMENDED. Direct mapping from each individual | usage is NOT RECOMMENDED. Direct mapping from each | |||
certificate fingerprint to a tmSecurityName is also possible | individual certificate fingerprint to a tmSecurityName is | |||
but requires one entry in the table per tmSecurityName and | also possible but requires one entry in the table per | |||
requires more management operations to completely configure a | tmSecurityName and requires more management operations to | |||
device." | completely configure a device." | |||
::= { snmpTlstmCertificateMapping 3 } | ::= { snmpTlstmCertificateMapping 3 } | |||
snmpTlstmCertToTSNEntry OBJECT-TYPE | snmpTlstmCertToTSNEntry OBJECT-TYPE | |||
SYNTAX SnmpTlstmCertToTSNEntry | SYNTAX SnmpTlstmCertToTSNEntry | |||
MAX-ACCESS not-accessible | MAX-ACCESS not-accessible | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"A row in the snmpTlstmCertToTSNTable that specifies a | "A row in the snmpTlstmCertToTSNTable that specifies a | |||
mapping for an incoming (D)TLS certificate to a | mapping for an incoming (D)TLS certificate to a | |||
tmSecurityName to use for a connection." | tmSecurityName to use for a connection." | |||
INDEX { snmpTlstmCertToTSNID } | INDEX { snmpTlstmCertToTSNID } | |||
::= { snmpTlstmCertToTSNTable 1 } | ::= { snmpTlstmCertToTSNTable 1 } | |||
SnmpTlstmCertToTSNEntry ::= SEQUENCE { | SnmpTlstmCertToTSNEntry ::= SEQUENCE { | |||
snmpTlstmCertToTSNID Unsigned32, | snmpTlstmCertToTSNID Unsigned32, | |||
snmpTlstmCertToTSNFingerprint SnmpTLSFingerprint, | snmpTlstmCertToTSNFingerprint SnmpTLSFingerprint, | |||
snmpTlstmCertToTSNMapType AutonomousType, | snmpTlstmCertToTSNMapType AutonomousType, | |||
snmpTlstmCertToTSNData OCTET STRING, | snmpTlstmCertToTSNData OCTET STRING, | |||
snmpTlstmCertToTSNStorageType StorageType, | snmpTlstmCertToTSNStorageType StorageType, | |||
snmpTlstmCertToTSNRowStatus RowStatus | snmpTlstmCertToTSNRowStatus RowStatus | |||
} | } | |||
snmpTlstmCertToTSNID OBJECT-TYPE | snmpTlstmCertToTSNID OBJECT-TYPE | |||
SYNTAX Unsigned32 (1..4294967295) | SYNTAX Unsigned32 (1..4294967295) | |||
MAX-ACCESS not-accessible | MAX-ACCESS not-accessible | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"A unique, prioritized index for the given entry. Lower | "A unique, prioritized index for the given entry. Lower | |||
numbers indicate a higher priority." | numbers indicate a higher priority." | |||
::= { snmpTlstmCertToTSNEntry 1 } | ::= { snmpTlstmCertToTSNEntry 1 } | |||
snmpTlstmCertToTSNFingerprint OBJECT-TYPE | snmpTlstmCertToTSNFingerprint OBJECT-TYPE | |||
SYNTAX SnmpTLSFingerprint (SIZE(1..255)) | SYNTAX SnmpTLSFingerprint (SIZE (1..255)) | |||
MAX-ACCESS read-create | MAX-ACCESS read-create | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"A cryptographic hash of an X.509 certificate. The results | "A cryptographic hash of an X.509 certificate. The results | |||
of a successful matching fingerprint to either the trusted CA | of a successful matching fingerprint to either the trusted | |||
in the certificate validation path or to the certificate | CA in the certificate validation path or the certificate | |||
itself is dictated by the snmpTlstmCertToTSNMapType column." | itself is dictated by the 'snmpTlstmCertToTSNMapType' | |||
column." | ||||
::= { snmpTlstmCertToTSNEntry 2 } | ::= { snmpTlstmCertToTSNEntry 2 } | |||
snmpTlstmCertToTSNMapType OBJECT-TYPE | snmpTlstmCertToTSNMapType OBJECT-TYPE | |||
SYNTAX AutonomousType | SYNTAX AutonomousType | |||
MAX-ACCESS read-create | MAX-ACCESS read-create | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"Specifies the mapping type for deriving a tmSecurityName | "Specifies the mapping type for deriving a tmSecurityName | |||
from a certificate. Details for mapping of a particular type | from a certificate. Details for mapping of a particular | |||
SHALL be specified in the DESCRIPTION clause of the OBJECT- | type SHALL be specified in the DESCRIPTION clause of the | |||
IDENTITY that describes the mapping. If a mapping succeeds | OBJECT-IDENTITY that describes the mapping. If a mapping | |||
it will return a tmSecurityName for use by the TLSTM model | succeeds, it will return a tmSecurityName for use by the | |||
and processing stops. | TLSTM and processing will stop. | |||
If the resulting mapped value is not compatible with the | If the resulting mapped value is not compatible with the | |||
needed requirements of a tmSecurityName (e.g., VACM imposes a | needed requirements of a tmSecurityName (e.g., the VACM | |||
32-octet-maximum length and the certificate derived | imposes a 32-octet-maximum length and the | |||
securityName could be longer), then future rows MUST be | certificate-derived securityName could be longer), then | |||
searched for additional snmpTlstmCertToTSNFingerprint matches | future rows MUST be searched for additional | |||
to look for a mapping that succeeds. | snmpTlstmCertToTSNFingerprint matches to look for a | |||
mapping that succeeds. | ||||
Suitable values for assigning to this object that are defined | Suitable values for assigning to this object that are | |||
within the SNMP-TLS-TM-MIB can be found in the | defined within the SNMP-TLS-TM-MIB can be found in the | |||
snmpTlstmCertToTSNMIdentities portion of the MIB tree." | snmpTlstmCertToTSNMIdentities portion of the MIB tree." | |||
DEFVAL { snmpTlstmCertSpecified } | DEFVAL { snmpTlstmCertSpecified } | |||
::= { snmpTlstmCertToTSNEntry 3 } | ::= { snmpTlstmCertToTSNEntry 3 } | |||
snmpTlstmCertToTSNData OBJECT-TYPE | snmpTlstmCertToTSNData OBJECT-TYPE | |||
SYNTAX OCTET STRING (SIZE(0..1024)) | SYNTAX OCTET STRING (SIZE (0..1024)) | |||
MAX-ACCESS read-create | MAX-ACCESS read-create | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"Auxiliary data used as optional configuration information | "Auxiliary data used as optional configuration information | |||
for a given mapping specified by the | for a given mapping specified by the | |||
snmpTlstmCertToTSNMapType column. Only some mapping | 'snmpTlstmCertToTSNMapType' column. Only some mapping | |||
systems will make use of this column. The value in this | systems will make use of this column. The value in this | |||
column MUST be ignored for any mapping type that does not | column MUST be ignored for any mapping type that does not | |||
require data present in this column." | require that data be present in this column." | |||
DEFVAL { "" } | DEFVAL { "" } | |||
::= { snmpTlstmCertToTSNEntry 4 } | ::= { snmpTlstmCertToTSNEntry 4 } | |||
snmpTlstmCertToTSNStorageType OBJECT-TYPE | snmpTlstmCertToTSNStorageType OBJECT-TYPE | |||
SYNTAX StorageType | SYNTAX StorageType | |||
MAX-ACCESS read-create | MAX-ACCESS read-create | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The storage type for this conceptual row. Conceptual rows | "The storage type for this conceptual row. Conceptual rows | |||
having the value 'permanent' need not allow write-access to | having the value 'permanent' need not allow write-access | |||
any columnar objects in the row." | to any columnar objects in the row." | |||
DEFVAL { nonVolatile } | DEFVAL { nonVolatile } | |||
::= { snmpTlstmCertToTSNEntry 5 } | ::= { snmpTlstmCertToTSNEntry 5 } | |||
snmpTlstmCertToTSNRowStatus OBJECT-TYPE | snmpTlstmCertToTSNRowStatus OBJECT-TYPE | |||
SYNTAX RowStatus | SYNTAX RowStatus | |||
MAX-ACCESS read-create | MAX-ACCESS read-create | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The status of this conceptual row. This object MAY be used | "The status of this conceptual row. This object MAY be | |||
to create or remove rows from this table. | used to create or remove rows from this table. | |||
To create a row in this table, an administrator MUST set this | To create a row in this table, an administrator MUST set | |||
object to either createAndGo(4) or createAndWait(5). | this object to either createAndGo(4) or createAndWait(5). | |||
Until instances of all corresponding columns are | Until instances of all corresponding columns are | |||
appropriately configured, the value of the corresponding | appropriately configured, the value of the corresponding | |||
instance of the snmpTlstmParamsRowStatus column is | instance of the 'snmpTlstmParamsRowStatus' column is | |||
notReady(3). | notReady(3). | |||
In particular, a newly created row cannot be made active | In particular, a newly created row cannot be made active | |||
until the corresponding snmpTlstmCertToTSNFingerprint, | until the corresponding 'snmpTlstmCertToTSNFingerprint', | |||
snmpTlstmCertToTSNMapType, and snmpTlstmCertToTSNData columns | 'snmpTlstmCertToTSNMapType', and 'snmpTlstmCertToTSNData' | |||
have been set. | columns have been set. | |||
The following objects MUST NOT be modified while the | The following objects MUST NOT be modified while the | |||
value of this object is active(1): | value of this object is active(1): | |||
- snmpTlstmCertToTSNFingerprint | - snmpTlstmCertToTSNFingerprint | |||
- snmpTlstmCertToTSNMapType | - snmpTlstmCertToTSNMapType | |||
- snmpTlstmCertToTSNData | - snmpTlstmCertToTSNData | |||
An attempt to set these objects while the value of | An attempt to set these objects while the value of | |||
snmpTlstmParamsRowStatus is active(1) will result in | snmpTlstmParamsRowStatus is active(1) will result in | |||
an inconsistentValue error." | an inconsistentValue error." | |||
::= { snmpTlstmCertToTSNEntry 6 } | ::= { snmpTlstmCertToTSNEntry 6 } | |||
-- Maps tmSecurityNames to certificates for use by the | -- Maps tmSecurityNames to certificates for use by the | |||
-- SNMP-TARGET-MIB | -- SNMP-TARGET-MIB | |||
snmpTlstmParamsCount OBJECT-TYPE | snmpTlstmParamsCount OBJECT-TYPE | |||
SYNTAX Gauge32 | SYNTAX Gauge32 | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"A count of the number of entries in the | "A count of the number of entries in the | |||
snmpTlstmParamsTable." | snmpTlstmParamsTable." | |||
::= { snmpTlstmCertificateMapping 4 } | ::= { snmpTlstmCertificateMapping 4 } | |||
snmpTlstmParamsTableLastChanged OBJECT-TYPE | snmpTlstmParamsTableLastChanged OBJECT-TYPE | |||
SYNTAX TimeStamp | SYNTAX TimeStamp | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The value of sysUpTime.0 when the snmpTlstmParamsTable | "The value of sysUpTime.0 when the snmpTlstmParamsTable | |||
was last modified through any means, or 0 if it has not been | was last modified through any means, or 0 if it has not | |||
modified since the command responder was started." | been modified since the command responder was started." | |||
::= { snmpTlstmCertificateMapping 5 } | ::= { snmpTlstmCertificateMapping 5 } | |||
snmpTlstmParamsTable OBJECT-TYPE | snmpTlstmParamsTable OBJECT-TYPE | |||
SYNTAX SEQUENCE OF SnmpTlstmParamsEntry | SYNTAX SEQUENCE OF SnmpTlstmParamsEntry | |||
MAX-ACCESS not-accessible | MAX-ACCESS not-accessible | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"This table is used by a (D)TLS client when a (D)TLS | "This table is used by a (D)TLS client when a (D)TLS | |||
connection is being set up using an entry in the | connection is being set up using an entry in the | |||
SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's | SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's | |||
snmpTargetParamsTable with a fingerprint of a certificate to | snmpTargetParamsTable with a fingerprint of a certificate | |||
use when establishing such a (D)TLS connection." | to use when establishing such a (D)TLS connection." | |||
::= { snmpTlstmCertificateMapping 6 } | ::= { snmpTlstmCertificateMapping 6 } | |||
snmpTlstmParamsEntry OBJECT-TYPE | snmpTlstmParamsEntry OBJECT-TYPE | |||
SYNTAX SnmpTlstmParamsEntry | SYNTAX SnmpTlstmParamsEntry | |||
MAX-ACCESS not-accessible | MAX-ACCESS not-accessible | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"A conceptual row containing a fingerprint hash of a locally | "A conceptual row containing a fingerprint hash of a | |||
held certificate for a given snmpTargetParamsEntry. The | locally held certificate for a given | |||
values in this row SHOULD be ignored if the connection that | snmpTargetParamsEntry. The values in this row SHOULD be | |||
needs to be established, as indicated by the SNMP-TARGET-MIB | ignored if the connection that needs to be established, as | |||
infrastructure, is not a certificate and (D)TLS based | indicated by the SNMP-TARGET-MIB infrastructure, is not a | |||
connection. The connection SHOULD NOT be established if the | certificate-based and (D)TLS-based connection. The | |||
certificate fingerprint stored in this entry does not point | connection SHOULD NOT be established if the certificate | |||
to a valid locally held certificate or if it points to an | fingerprint stored in this entry does not point to a valid | |||
unusable certificate (such as might happen when the | locally held certificate or if it points to an unusable | |||
certificate's expiration date has been reached)." | certificate (such as might happen when the certificate's | |||
expiration date has been reached)." | ||||
INDEX { IMPLIED snmpTargetParamsName } | INDEX { IMPLIED snmpTargetParamsName } | |||
::= { snmpTlstmParamsTable 1 } | ::= { snmpTlstmParamsTable 1 } | |||
SnmpTlstmParamsEntry ::= SEQUENCE { | SnmpTlstmParamsEntry ::= SEQUENCE { | |||
snmpTlstmParamsClientFingerprint SnmpTLSFingerprint, | snmpTlstmParamsClientFingerprint SnmpTLSFingerprint, | |||
snmpTlstmParamsStorageType StorageType, | snmpTlstmParamsStorageType StorageType, | |||
snmpTlstmParamsRowStatus RowStatus | snmpTlstmParamsRowStatus RowStatus | |||
} | } | |||
snmpTlstmParamsClientFingerprint OBJECT-TYPE | snmpTlstmParamsClientFingerprint OBJECT-TYPE | |||
SYNTAX SnmpTLSFingerprint | SYNTAX SnmpTLSFingerprint | |||
MAX-ACCESS read-create | MAX-ACCESS read-create | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"This object stores the hash of the public portion of a | "This object stores the hash of the public portion of a | |||
locally held X.509 certificate. The X.509 certificate, its | locally held X.509 certificate. The X.509 certificate, | |||
public key, and the corresponding private key will be used | its public key, and the corresponding private key will be | |||
when initiating a (D)TLS connection as a (D)TLS client." | used when initiating a (D)TLS connection as a (D)TLS | |||
client." | ||||
::= { snmpTlstmParamsEntry 1 } | ::= { snmpTlstmParamsEntry 1 } | |||
snmpTlstmParamsStorageType OBJECT-TYPE | snmpTlstmParamsStorageType OBJECT-TYPE | |||
SYNTAX StorageType | SYNTAX StorageType | |||
MAX-ACCESS read-create | MAX-ACCESS read-create | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The storage type for this conceptual row. Conceptual rows | "The storage type for this conceptual row. Conceptual rows | |||
having the value 'permanent' need not allow write-access to | having the value 'permanent' need not allow write-access | |||
any columnar objects in the row." | to any columnar objects in the row." | |||
DEFVAL { nonVolatile } | DEFVAL { nonVolatile } | |||
::= { snmpTlstmParamsEntry 2 } | ::= { snmpTlstmParamsEntry 2 } | |||
snmpTlstmParamsRowStatus OBJECT-TYPE | snmpTlstmParamsRowStatus OBJECT-TYPE | |||
SYNTAX RowStatus | SYNTAX RowStatus | |||
MAX-ACCESS read-create | MAX-ACCESS read-create | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The status of this conceptual row. This object MAY be used | "The status of this conceptual row. This object MAY be | |||
to create or remove rows from this table. | used to create or remove rows from this table. | |||
To create a row in this table, an administrator MUST set this | To create a row in this table, an administrator MUST set | |||
object to either createAndGo(4) or createAndWait(5). | this object to either createAndGo(4) or createAndWait(5). | |||
Until instances of all corresponding columns are | Until instances of all corresponding columns are | |||
appropriately configured, the value of the corresponding | appropriately configured, the value of the corresponding | |||
instance of the snmpTlstmParamsRowStatus column is | instance of the 'snmpTlstmParamsRowStatus' column is | |||
notReady(3). | notReady(3). | |||
In particular, a newly created row cannot be made active | In particular, a newly created row cannot be made active | |||
until the corresponding snmpTlstmParamsClientFingerprint | until the corresponding 'snmpTlstmParamsClientFingerprint' | |||
column has been set. | column has been set. | |||
The snmpTlstmParamsClientFingerprint object MUST NOT be | The snmpTlstmParamsClientFingerprint object MUST NOT be | |||
modified while the value of this object is active(1). | modified while the value of this object is active(1). | |||
An attempt to set these objects while the value of | An attempt to set these objects while the value of | |||
snmpTlstmParamsRowStatus is active(1) will result in | snmpTlstmParamsRowStatus is active(1) will result in | |||
an inconsistentValue error." | an inconsistentValue error." | |||
::= { snmpTlstmParamsEntry 3 } | ::= { snmpTlstmParamsEntry 3 } | |||
snmpTlstmAddrCount OBJECT-TYPE | snmpTlstmAddrCount OBJECT-TYPE | |||
SYNTAX Gauge32 | SYNTAX Gauge32 | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"A count of the number of entries in the snmpTlstmAddrTable." | "A count of the number of entries in the | |||
snmpTlstmAddrTable." | ||||
::= { snmpTlstmCertificateMapping 7 } | ::= { snmpTlstmCertificateMapping 7 } | |||
snmpTlstmAddrTableLastChanged OBJECT-TYPE | snmpTlstmAddrTableLastChanged OBJECT-TYPE | |||
SYNTAX TimeStamp | SYNTAX TimeStamp | |||
MAX-ACCESS read-only | MAX-ACCESS read-only | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The value of sysUpTime.0 when the snmpTlstmAddrTable | "The value of sysUpTime.0 when the snmpTlstmAddrTable | |||
was last modified through any means, or 0 if it has not been | was last modified through any means, or 0 if it has not | |||
modified since the command responder was started." | been modified since the command responder was started." | |||
::= { snmpTlstmCertificateMapping 8 } | ::= { snmpTlstmCertificateMapping 8 } | |||
snmpTlstmAddrTable OBJECT-TYPE | snmpTlstmAddrTable OBJECT-TYPE | |||
SYNTAX SEQUENCE OF SnmpTlstmAddrEntry | SYNTAX SEQUENCE OF SnmpTlstmAddrEntry | |||
MAX-ACCESS not-accessible | MAX-ACCESS not-accessible | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"This table is used by a (D)TLS client when a (D)TLS | "This table is used by a (D)TLS client when a (D)TLS | |||
connection is being set up using an entry in the | connection is being set up using an entry in the | |||
SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's | SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's | |||
snmpTargetAddrTable so that the client can verify that the | snmpTargetAddrTable so that the client can verify that the | |||
correct server has been reached. This verification can use | correct server has been reached. This verification can | |||
either a certificate fingerprint, or an identity | use either 1) a certificate fingerprint or 2) an | |||
authenticated via certification path validation. | identity authenticated via certification path validation. | |||
If there is an active row in this table corresponding to the | If there is an active row in this table corresponding to | |||
entry in the SNMP-TARGET-MIB that was used to establish the | the entry in the SNMP-TARGET-MIB that was used to | |||
connection, and the row's snmpTlstmAddrServerFingerprint | establish the connection and the row's | |||
column has non-empty value, then the server's presented | 'snmpTlstmAddrServerFingerprint' column has a non-empty | |||
certificate is compared with the | value, then the server's presented certificate is compared | |||
snmpTlstmAddrServerFingerprint value (and the | with the snmpTlstmAddrServerFingerprint value (and the | |||
snmpTlstmAddrServerIdentity column is ignored). If the | 'snmpTlstmAddrServerIdentity' column is ignored). If the | |||
fingerprint matches, the verification has succeeded. If the | fingerprint matches, the verification has succeeded. If | |||
fingerprint does not match, then the connection MUST be | the fingerprint does not match, then the connection MUST | |||
closed. | be closed. | |||
If the server's presented certificate has passed | If the server's presented certificate has passed | |||
certification path validation [RFC5280] to a configured | certification path validation (RFC 5280) to a configured | |||
trust anchor, and an active row exists with a zero-length | trust anchor and an active row exists with a zero-length | |||
snmpTlstmAddrServerFingerprint value, then the | snmpTlstmAddrServerFingerprint value, then the | |||
snmpTlstmAddrServerIdentity column contains the expected | 'snmpTlstmAddrServerIdentity' column contains the expected | |||
host name. This expected host name is then compared against | host name. This expected host name is then compared | |||
the server's certificate as follows: | against the server's certificate as follows: | |||
- Implementations MUST support matching the expected host | - Implementations MUST support matching the expected | |||
name against a dNSName in the subjectAltName extension | host name against a dNSName in the subjectAltName | |||
field and MAY support checking the name against the | extension field and MAY support checking the name | |||
CommonName portion of the subject distinguished name. | against the CommonName portion of the subject | |||
distinguished name. | ||||
- The '*' (ASCII 0x2a) wildcard character is allowed in the | - The '*' (ASCII 0x2A) wildcard character is allowed in | |||
dNSName of the subjectAltName extension (and in common | the dNSName of the subjectAltName extension (and in | |||
name, if used to store the host name), but only as the | CommonName, if used to store the host name), but | |||
left-most (least significant) DNS label in that value. | only as the leftmost (least significant) DNS label | |||
This wildcard matches any left-most DNS label in the | in that value. This wildcard matches any leftmost | |||
server name. That is, the subject *.example.com matches | DNS label in the server name. That is, the subject | |||
the server names a.example.com and b.example.com, but does | *.example.com matches the server names a.example.com | |||
not match example.com or a.b.example.com. Implementations | and b.example.com but does not match example.com or | |||
MUST support wildcards in certificates as specified above, | a.b.example.com. Implementations MUST support | |||
but MAY provide a configuration option to disable them. | wildcards in certificates as specified above but MAY | |||
provide a configuration option to disable them. | ||||
- If the locally configured name is an internationalized | - If the locally configured name is an | |||
domain name, conforming implementations MUST convert it to | internationalized domain name, conforming | |||
the ASCII Compatible Encoding (ACE) format for performing | implementations MUST convert it to the ASCII | |||
comparisons, as specified in Section 7 of [RFC5280]. | Compatible Encoding (ACE) format for performing | |||
comparisons, as specified in Section 7 of RFC 5280. | ||||
If the expected host name fails these conditions then the | If the expected host name fails these conditions, then the | |||
connection MUST be closed. | connection MUST be closed. | |||
If there is no row in this table corresponding to the entry | If there is no row in this table corresponding to the | |||
in the SNMP-TARGET-MIB and the server can be authorized by | entry in the SNMP-TARGET-MIB and the server can be | |||
another, implementation-dependent means, then the connection | authorized by another, implementation-dependent means, | |||
MAY still proceed." | then the connection MAY still proceed." | |||
::= { snmpTlstmCertificateMapping 9 } | ::= { snmpTlstmCertificateMapping 9 } | |||
snmpTlstmAddrEntry OBJECT-TYPE | snmpTlstmAddrEntry OBJECT-TYPE | |||
SYNTAX SnmpTlstmAddrEntry | SYNTAX SnmpTlstmAddrEntry | |||
MAX-ACCESS not-accessible | MAX-ACCESS not-accessible | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"A conceptual row containing a copy of a certificate's | "A conceptual row containing a copy of a certificate's | |||
fingerprint for a given snmpTargetAddrEntry. The values in | fingerprint for a given snmpTargetAddrEntry. The values | |||
this row SHOULD be ignored if the connection that needs to be | in this row SHOULD be ignored if the connection that needs | |||
established, as indicated by the SNMP-TARGET-MIB | to be established, as indicated by the SNMP-TARGET-MIB | |||
infrastructure, is not a (D)TLS based connection. If an | infrastructure, is not a (D)TLS-based connection. If an | |||
snmpTlstmAddrEntry exists for a given snmpTargetAddrEntry, | snmpTlstmAddrEntry exists for a given snmpTargetAddrEntry, | |||
then the presented server certificate MUST match or the | then the presented server certificate MUST match or the | |||
connection MUST NOT be established. If a row in this table | connection MUST NOT be established. If a row in this | |||
does not exist to match an snmpTargetAddrEntry row, then the | table does not exist to match an snmpTargetAddrEntry row, | |||
connection SHOULD still proceed if some other certificate | then the connection SHOULD still proceed if some other | |||
validation path algorithm (e.g., RFC 5280) can be used." | certification path validation algorithm (e.g., RFC 5280) | |||
can be used." | ||||
INDEX { IMPLIED snmpTargetAddrName } | INDEX { IMPLIED snmpTargetAddrName } | |||
::= { snmpTlstmAddrTable 1 } | ::= { snmpTlstmAddrTable 1 } | |||
SnmpTlstmAddrEntry ::= SEQUENCE { | SnmpTlstmAddrEntry ::= SEQUENCE { | |||
snmpTlstmAddrServerFingerprint SnmpTLSFingerprint, | snmpTlstmAddrServerFingerprint SnmpTLSFingerprint, | |||
snmpTlstmAddrServerIdentity SnmpAdminString, | snmpTlstmAddrServerIdentity SnmpAdminString, | |||
snmpTlstmAddrStorageType StorageType, | snmpTlstmAddrStorageType StorageType, | |||
snmpTlstmAddrRowStatus RowStatus | snmpTlstmAddrRowStatus RowStatus | |||
} | } | |||
snmpTlstmAddrServerFingerprint OBJECT-TYPE | snmpTlstmAddrServerFingerprint OBJECT-TYPE | |||
SYNTAX SnmpTLSFingerprint | SYNTAX SnmpTLSFingerprint | |||
MAX-ACCESS read-create | MAX-ACCESS read-create | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"A cryptographic hash of a public X.509 certificate. This | "A cryptographic hash of a public X.509 certificate. This | |||
object should store the hash of the public X.509 certificate | object should store the hash of the public X.509 | |||
that the remote server should present during the (D)TLS | certificate that the remote server should present during | |||
connection setup. The fingerprint of the presented | the (D)TLS connection setup. The fingerprint of the | |||
certificate and this hash value MUST match exactly, or the | presented certificate and this hash value MUST match | |||
connection MUST NOT be established." | exactly, or the connection MUST NOT be established." | |||
DEFVAL { "" } | DEFVAL { "" } | |||
::= { snmpTlstmAddrEntry 1 } | ::= { snmpTlstmAddrEntry 1 } | |||
snmpTlstmAddrServerIdentity OBJECT-TYPE | snmpTlstmAddrServerIdentity OBJECT-TYPE | |||
SYNTAX SnmpAdminString | SYNTAX SnmpAdminString | |||
MAX-ACCESS read-create | MAX-ACCESS read-create | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The reference identity to check against the identity | "The reference identity to check against the identity | |||
presented by the remote system." | presented by the remote system." | |||
DEFVAL { "" } | DEFVAL { "" } | |||
::= { snmpTlstmAddrEntry 2 } | ::= { snmpTlstmAddrEntry 2 } | |||
snmpTlstmAddrStorageType OBJECT-TYPE | snmpTlstmAddrStorageType OBJECT-TYPE | |||
SYNTAX StorageType | SYNTAX StorageType | |||
MAX-ACCESS read-create | MAX-ACCESS read-create | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The storage type for this conceptual row. Conceptual rows | "The storage type for this conceptual row. Conceptual rows | |||
having the value 'permanent' need not allow write-access to | having the value 'permanent' need not allow write-access | |||
any columnar objects in the row." | to any columnar objects in the row." | |||
DEFVAL { nonVolatile } | DEFVAL { nonVolatile } | |||
::= { snmpTlstmAddrEntry 3 } | ::= { snmpTlstmAddrEntry 3 } | |||
snmpTlstmAddrRowStatus OBJECT-TYPE | snmpTlstmAddrRowStatus OBJECT-TYPE | |||
SYNTAX RowStatus | SYNTAX RowStatus | |||
MAX-ACCESS read-create | MAX-ACCESS read-create | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The status of this conceptual row. This object may be used | "The status of this conceptual row. This object may be | |||
to create or remove rows from this table. | used to create or remove rows from this table. | |||
To create a row in this table, an administrator MUST set this | To create a row in this table, an administrator MUST set | |||
object to either createAndGo(4) or createAndWait(5). | this object to either createAndGo(4) or createAndWait(5). | |||
Until instances of all corresponding columns are | Until instances of all corresponding columns are | |||
appropriately configured, the value of the | appropriately configured, the value of the corresponding | |||
corresponding instance of the snmpTlstmAddrRowStatus | instance of the 'snmpTlstmAddrRowStatus' column is | |||
column is notReady(3). | notReady(3). | |||
In particular, a newly created row cannot be made active | In particular, a newly created row cannot be made active | |||
until the corresponding snmpTlstmAddrServerFingerprint column | until the corresponding 'snmpTlstmAddrServerFingerprint' | |||
has been set. | column has been set. | |||
Rows MUST NOT be active if the snmpTlstmAddrServerFingerprint | Rows MUST NOT be active if the | |||
column is blank and the snmpTlstmAddrServerIdentity is set to | 'snmpTlstmAddrServerFingerprint' column is blank and the | |||
'*' since this would insecurely accept any presented | snmpTlstmAddrServerIdentity is set to '*', since this | |||
certificate. | would insecurely accept any presented certificate. | |||
The snmpTlstmAddrServerFingerprint object MUST NOT be | The snmpTlstmAddrServerFingerprint object MUST NOT be | |||
modified while the value of this object is active(1). | modified while the value of this object is active(1). | |||
An attempt to set these objects while the value of | An attempt to set these objects while the value of | |||
snmpTlstmAddrRowStatus is active(1) will result in | snmpTlstmAddrRowStatus is active(1) will result in | |||
an inconsistentValue error." | an inconsistentValue error." | |||
::= { snmpTlstmAddrEntry 4 } | ::= { snmpTlstmAddrEntry 4 } | |||
-- ************************************************ | -- ************************************************ | |||
-- snmpTlstmNotifications - Notifications Information | -- snmpTlstmNotifications - Notifications Information | |||
-- ************************************************ | -- ************************************************ | |||
snmpTlstmServerCertificateUnknown NOTIFICATION-TYPE | snmpTlstmServerCertificateUnknown NOTIFICATION-TYPE | |||
OBJECTS { snmpTlstmSessionUnknownServerCertificate } | OBJECTS { snmpTlstmSessionUnknownServerCertificate } | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"Notification that the server certificate presented by an | "Notification that the server certificate presented by an | |||
SNMP over (D)TLS server was invalid because no configured | SNMP over (D)TLS server was invalid because no configured | |||
fingerprint or CA was acceptable to validate it. This may | fingerprint or CA was acceptable to validate it. This may | |||
be because there was no entry in the snmpTlstmAddrTable or | be because there was no entry in the snmpTlstmAddrTable or | |||
because no path could be found to known Certification | because no path to a known CA could be found. | |||
Authority. | ||||
To avoid notification loops, this notification MUST NOT be | To avoid notification loops, this notification MUST NOT be | |||
sent to servers that themselves have triggered the | sent to servers that themselves have triggered the | |||
notification." | notification." | |||
::= { snmpTlstmNotifications 1 } | ::= { snmpTlstmNotifications 1 } | |||
snmpTlstmServerInvalidCertificate NOTIFICATION-TYPE | snmpTlstmServerInvalidCertificate NOTIFICATION-TYPE | |||
OBJECTS { snmpTlstmAddrServerFingerprint, | OBJECTS { | |||
snmpTlstmSessionInvalidServerCertificates} | snmpTlstmAddrServerFingerprint, | |||
snmpTlstmSessionInvalidServerCertificates | ||||
} | ||||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"Notification that the server certificate presented by an | "Notification that the server certificate presented by an | |||
SNMP over (D)TLS server could not be validated even if the | SNMP over (D)TLS server could not be validated even if the | |||
fingerprint or expected validation path was known. That is, | fingerprint or expected validation path was known. | |||
a cryptographic validation error occurred during certificate | That is, a cryptographic validation error occurred during | |||
validation processing. | certificate validation processing. | |||
To avoid notification loops, this notification MUST NOT be | To avoid notification loops, this notification MUST NOT be | |||
sent to servers that themselves have triggered the | sent to servers that themselves have triggered the | |||
notification." | notification." | |||
::= { snmpTlstmNotifications 2 } | ::= { snmpTlstmNotifications 2 } | |||
-- ************************************************ | -- ************************************************ | |||
-- snmpTlstmCompliances - Conformance Information | -- snmpTlstmCompliances - Conformance Information | |||
-- ************************************************ | -- ************************************************ | |||
skipping to change at page 28, line 10 ¶ | skipping to change at line 1334 ¶ | |||
snmpTlstmGroups OBJECT IDENTIFIER ::= { snmpTlstmConformance 2 } | snmpTlstmGroups OBJECT IDENTIFIER ::= { snmpTlstmConformance 2 } | |||
-- ************************************************ | -- ************************************************ | |||
-- Compliance statements | -- Compliance statements | |||
-- ************************************************ | -- ************************************************ | |||
snmpTlstmCompliance MODULE-COMPLIANCE | snmpTlstmCompliance MODULE-COMPLIANCE | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"The compliance statement for SNMP engines that support the | "The compliance statement for SNMP engines that support the | |||
SNMP-TLS-TM-MIB" | SNMP-TLS-TM-MIB." | |||
MODULE | MODULE | |||
MANDATORY-GROUPS { snmpTlstmStatsGroup, | MANDATORY-GROUPS { snmpTlstmStatsGroup, | |||
snmpTlstmIncomingGroup, | snmpTlstmIncomingGroup, | |||
snmpTlstmOutgoingGroup, | snmpTlstmOutgoingGroup, | |||
snmpTlstmNotificationGroup } | snmpTlstmNotificationGroup } | |||
::= { snmpTlstmCompliances 1 } | ::= { snmpTlstmCompliances 1 } | |||
-- ************************************************ | -- ************************************************ | |||
-- Units of conformance | -- Units of conformance | |||
-- ************************************************ | -- ************************************************ | |||
skipping to change at page 28, line 22 ¶ | skipping to change at line 1346 ¶ | |||
MODULE | MODULE | |||
MANDATORY-GROUPS { snmpTlstmStatsGroup, | MANDATORY-GROUPS { snmpTlstmStatsGroup, | |||
snmpTlstmIncomingGroup, | snmpTlstmIncomingGroup, | |||
snmpTlstmOutgoingGroup, | snmpTlstmOutgoingGroup, | |||
snmpTlstmNotificationGroup } | snmpTlstmNotificationGroup } | |||
::= { snmpTlstmCompliances 1 } | ::= { snmpTlstmCompliances 1 } | |||
-- ************************************************ | -- ************************************************ | |||
-- Units of conformance | -- Units of conformance | |||
-- ************************************************ | -- ************************************************ | |||
snmpTlstmStatsGroup OBJECT-GROUP | snmpTlstmStatsGroup OBJECT-GROUP | |||
OBJECTS { | OBJECTS { | |||
snmpTlstmSessionOpens, | snmpTlstmSessionOpens, | |||
snmpTlstmSessionClientCloses, | snmpTlstmSessionClientCloses, | |||
snmpTlstmSessionOpenErrors, | snmpTlstmSessionOpenErrors, | |||
snmpTlstmSessionAccepts, | snmpTlstmSessionAccepts, | |||
snmpTlstmSessionServerCloses, | snmpTlstmSessionServerCloses, | |||
snmpTlstmSessionNoSessions, | snmpTlstmSessionNoSessions, | |||
snmpTlstmSessionInvalidClientCertificates, | snmpTlstmSessionInvalidClientCertificates, | |||
snmpTlstmSessionUnknownServerCertificate, | snmpTlstmSessionUnknownServerCertificate, | |||
snmpTlstmSessionInvalidServerCertificates, | snmpTlstmSessionInvalidServerCertificates, | |||
snmpTlstmSessionInvalidCaches | snmpTlstmSessionInvalidCaches | |||
} | } | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"A collection of objects for maintaining | "A collection of objects for maintaining statistical | |||
statistical information of an SNMP engine that | information of an SNMP engine that implements the SNMP | |||
implements the SNMP TLS Transport Model." | TLSTM." | |||
::= { snmpTlstmGroups 1 } | ::= { snmpTlstmGroups 1 } | |||
snmpTlstmIncomingGroup OBJECT-GROUP | snmpTlstmIncomingGroup OBJECT-GROUP | |||
OBJECTS { | OBJECTS { | |||
snmpTlstmCertToTSNCount, | snmpTlstmCertToTSNCount, | |||
snmpTlstmCertToTSNTableLastChanged, | snmpTlstmCertToTSNTableLastChanged, | |||
snmpTlstmCertToTSNFingerprint, | snmpTlstmCertToTSNFingerprint, | |||
snmpTlstmCertToTSNMapType, | snmpTlstmCertToTSNMapType, | |||
snmpTlstmCertToTSNData, | snmpTlstmCertToTSNData, | |||
snmpTlstmCertToTSNStorageType, | snmpTlstmCertToTSNStorageType, | |||
snmpTlstmCertToTSNRowStatus | snmpTlstmCertToTSNRowStatus | |||
} | } | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"A collection of objects for maintaining | "A collection of objects for maintaining incoming | |||
incoming connection certificate mappings to | connection certificate mappings to tmSecurityNames of an | |||
tmSecurityNames of an SNMP engine that implements the | SNMP engine that implements the SNMP TLSTM." | |||
SNMP TLS Transport Model." | ||||
::= { snmpTlstmGroups 2 } | ::= { snmpTlstmGroups 2 } | |||
snmpTlstmOutgoingGroup OBJECT-GROUP | snmpTlstmOutgoingGroup OBJECT-GROUP | |||
OBJECTS { | OBJECTS { | |||
snmpTlstmParamsCount, | snmpTlstmParamsCount, | |||
snmpTlstmParamsTableLastChanged, | snmpTlstmParamsTableLastChanged, | |||
snmpTlstmParamsClientFingerprint, | snmpTlstmParamsClientFingerprint, | |||
snmpTlstmParamsStorageType, | snmpTlstmParamsStorageType, | |||
snmpTlstmParamsRowStatus, | snmpTlstmParamsRowStatus, | |||
snmpTlstmAddrCount, | snmpTlstmAddrCount, | |||
snmpTlstmAddrTableLastChanged, | snmpTlstmAddrTableLastChanged, | |||
snmpTlstmAddrServerFingerprint, | snmpTlstmAddrServerFingerprint, | |||
snmpTlstmAddrServerIdentity, | snmpTlstmAddrServerIdentity, | |||
snmpTlstmAddrStorageType, | snmpTlstmAddrStorageType, | |||
snmpTlstmAddrRowStatus | snmpTlstmAddrRowStatus | |||
} | } | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"A collection of objects for maintaining | "A collection of objects for maintaining outgoing | |||
outgoing connection certificates to use when opening | connection certificates to use when opening connections as | |||
connections as a result of SNMP-TARGET-MIB settings." | a result of SNMP-TARGET-MIB settings." | |||
::= { snmpTlstmGroups 3 } | ::= { snmpTlstmGroups 3 } | |||
snmpTlstmNotificationGroup NOTIFICATION-GROUP | snmpTlstmNotificationGroup NOTIFICATION-GROUP | |||
NOTIFICATIONS { | NOTIFICATIONS { | |||
snmpTlstmServerCertificateUnknown, | snmpTlstmServerCertificateUnknown, | |||
snmpTlstmServerInvalidCertificate | snmpTlstmServerInvalidCertificate | |||
} | } | |||
STATUS current | STATUS current | |||
DESCRIPTION | DESCRIPTION | |||
"Notifications" | "Notifications." | |||
::= { snmpTlstmGroups 4 } | ::= { snmpTlstmGroups 4 } | |||
END | END | |||
<CODE ENDS> | ||||
5. Security Considerations | 5. Security Considerations | |||
This document updates a transport model that permits SNMP to utilize | This document updates a transport model that permits SNMP to utilize | |||
(D)TLS security services. The security threats and how the TLS | (D)TLS security services. The security threats and how the TLSTM | |||
transport model mitigates these threats are covered throughout this | mitigates these threats are covered throughout this document and in | |||
document and in [RFC6353]. Security considerations for TLS are | [RFC6353]. Security considerations for TLS are described in | |||
described in Section 10 and Appendix E of TLS 1.3 [RFC8446]. | Section 10 and Appendix E of TLS 1.3 [RFC8446]. Security | |||
Security considerations for DTLS are described in Section 11 of DTLS | considerations for DTLS are described in Section 11 of DTLS 1.3 | |||
1.3 [RFC9147]. | [RFC9147]. | |||
Implementations should consider the latest recommendations on the use | Implementations should consider the latest recommendations on the use | |||
of (DTLS), such as that documented in [RFC9325]. | of (DTLS), such as those documented in [RFC9325]. | |||
SNMP versions prior to SNMPv3 did not include adequate security. | SNMP versions prior to SNMPv3 did not include adequate security. | |||
Even if the network itself is secure (for example, by using IPsec), | Even if the network itself is secure (for example, by using IPsec), | |||
there is no control as to who on the secure network is allowed to | there is no control as to who on the secure network is allowed to | |||
access and GET/SET (read/change/create/delete) the objects in this | access and GET/SET (read/change/create/delete) the objects in this | |||
MIB module. | MIB module. | |||
It is RECOMMENDED that only SNMPv3 messages using the Transport | It is RECOMMENDED that only SNMPv3 messages using the Transport | |||
Security Model (TSM) or another secure-transport aware security model | Security Model (TSM) or another secure-transport-aware security model | |||
be sent over the TLSTM transport. | be sent over the TLSTM transport. | |||
6. IANA Considerations | 6. IANA Considerations | |||
IANA is asked to create a new registry called the SNMP-TLSTM | IANA has created a new registry called "SNMP-TLSTM HashAlgorithms" | |||
HashAlgorithm Registry in the Structure of Management Information | within the "Structure of Management Information (SMI) Numbers (MIB | |||
(SMI) Numbers (MIB Module Registrations) Group and to update the | Module Registrations)" group. The description of this registry is | |||
proposed URL reference in the above MIB (listed as | "iso.org.dod.internet.mgmt.mib-2.snmpTlstmMIB.snmpTlstmHashAlgorithms | |||
"https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml" | (1.3.6.1.2.1.198.4)". | |||
under SnmpTLSFingerprint), if needed, to accurately reflect its | ||||
location. The description of this registry should be: | ||||
iso.org.dod.internet.mgmt.mib-2.snmpTlstmMIB.snmpTlstmHashAlgorithms | ||||
(1.3.6.1.2.1.198.4). IANA is also asked to either 1) create the | ||||
snmp-tlstm-reg-review@ietf.org email address that appears later | ||||
within this section or 2) update the email address to an appropriate | ||||
address. | ||||
The registry should have the following fields: value, description, | The registry has the following fields: Value, Description, | |||
recommended, and reference. The range of values is zero to 255, with | Recommended, and References. The range of values is zero to 255, | |||
initial assignments shown in Section 2.1. The "recommended" column | with initial assignments shown in Section 2.1. The "Recommended" | |||
indicates "Y" for hashing algorithms that are standards track and are | column indicates "Y" for hashing algorithms that are Standards Track | |||
deemed to be acceptable for widely applicable current use and "N" for | and are deemed to be acceptable for widely applicable current use and | |||
hashing algorithms that reflect meanings that are not recommended | "N" for hashing algorithms that reflect meanings that are not | |||
(e.g., they do not provide sufficient security for modern systems, | recommended (e.g., they do not provide sufficient security for modern | |||
they are not standards track, they have limited applicability). A | systems, they are not Standards Track, and they have limited | |||
blank field indicates that no recommendation is made (e.g., because | applicability). A blank field indicates that no recommendation is | |||
the value is reserved or left for private use). | made (e.g., because the value is unassigned or left for private use). | |||
This registry is expected to be updated infrequently and, as such, | This registry is expected to be updated infrequently; as such, its | |||
its values are limited to one octet. | values are limited to one octet. | |||
The policy for updates to the SNMP-TLSTM HashAlgorithm Registry is | The policy for updates to the "SNMP-TLSTM HashAlgorithms" registry is | |||
Expert Review. Registry requests should be sent to the <snmp-tlstm- | Expert Review [RFC8126]. Registry requests should be sent to the | |||
reg-review@ietf.org> mailing list. Registration requests sent to the | <mailto:snmp-tlstm-reg-review@ietf.org> mailing list. Registration | |||
mailing list for review SHOULD use an appropriate subject (e.g., | requests sent to the mailing list for review SHOULD use an | |||
"Request to register value in SNMP-TLSTM HashAlgorithm Registry"). | appropriate subject (e.g., 'Request to register value in "SNMP-TLSTM | |||
In addition, designated experts should consult with the tls-reg- | HashAlgorithms" registry'). In addition, designated experts should | |||
review@ietf.org mailing list to make sure any new hash algorithms are | consult with the <mailto:tls-reg-review@ietf.org> mailing list to | |||
considered for inclusion in this registry. | make sure that any new hash algorithms are considered for inclusion | |||
in this registry. | ||||
Designated experts SHOULD ascertain the existence of suitable | Designated experts SHOULD ascertain the existence of suitable | |||
documentation that defines a hash algorithm and SHOULD also verify | documentation that defines a hash algorithm and SHOULD also verify | |||
that the request does not conflict or duplicate other entries in the | that the request does not conflict with or duplicate other entries in | |||
registry. The experts should also provide a recommendation as to how | the registry. The experts should also provide a recommendation as to | |||
the recommended column of the registry should be updated. Only | how the "Recommended" column of the registry should be updated. Only | |||
publicly available specifications that represent current industry- | publicly available specifications that represent current industry- | |||
accepted practices should receive an assignment of "Y" in the | accepted practices should receive an assignment of "Y" in the | |||
recommneded column; all other specific assignments in the registry | "Recommended" column; all other specific assignments in the registry | |||
should receive an of "N". Assignments that are inspecific (e.g., | should receive an assignment of "N". Assignments that are | |||
reserved values) SHOULD not receive an assigned value for the | nonspecific (e.g., reserved values) SHOULD NOT receive an assigned | |||
recommended column. | value for the "Recommended" column. | |||
Within the three-week review period, the designated experts will | Within the three-week review period, the designated experts will | |||
either approve or deny the registration request, communicating this | either approve or deny the registration request, communicating this | |||
decision to the review list and IANA. Denials SHOULD include an | decision to the review list and IANA. Denials SHOULD include an | |||
explanation and, if applicable, suggestions as to how to make the | explanation and, if applicable, suggestions as to how to make the | |||
request successful. Registration requests that are undetermined for | request successful. Registration requests that are undetermined for | |||
a period longer than 21 days can be brought to the IESG's attention | a period longer than three weeks can be brought to the IESG's | |||
(using the <iesg@ietf.org> mailing list) for resolution. | attention (using the <mailto:iesg@ietf.org> mailing list) for | |||
resolution. | ||||
IANA MUST only accept registry updates from the designated experts | IANA MUST only accept registry updates from the designated experts | |||
and SHOULD direct all requests for registration to the review mailing | and SHOULD direct all requests for registration to the review mailing | |||
list. While future additions to the IANA TLS HashAlgorithm Registry | list. While future additions to the "TLS HashAlgorithm" registry | |||
(i.e., the registry from which the SNMP-TLSTM HashAlgorithm Registry | (i.e., the registry from which the "SNMP-TLSTM HashAlgorithms" | |||
was spawned) are not expected, any future addition to the IANA TLS | registry was spawned) are not expected, any future additions to the | |||
HashAlgorithm Registry MUST be consistent with the values assigned in | "TLS HashAlgorithm" registry MUST be consistent with the values | |||
the IANA SNMP-TLSTM HashAlgorithm Registry. | assigned in the "SNMP-TLSTM HashAlgorithms" registry. | |||
It is suggested that multiple designated experts be appointed who are | It is suggested that multiple designated experts be appointed who are | |||
able to represent the perspectives of different applications using | able to represent the perspectives of different applications using | |||
this specification, in order to enable broadly informed review of | this specification, in order to enable broadly informed reviews of | |||
registration decisions. In cases where a registration decision could | registration decisions. In cases where a registration decision could | |||
be perceived as creating a conflict of interest for a particular | be perceived as creating a conflict of interest for a particular | |||
Expert, that Expert SHOULD defer to the judgment of the other | expert, that expert SHOULD defer to the judgment of the other | |||
Experts. | experts. | |||
7. Acknowledgements | ||||
This document is based on [RFC6353]. This document was reviewed by | ||||
the following people who helped provide useful comments: Michaela | ||||
Vanderveen, Joe Clarke, Jurgen Schonwalder, and Tom Petch. | ||||
8. References | 7. References | |||
8.1. Normative References | 7.1. Normative References | |||
[RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - | [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - | |||
Application and Support", STD 3, RFC 1123, | Application and Support", STD 3, RFC 1123, | |||
DOI 10.17487/RFC1123, October 1989, | DOI 10.17487/RFC1123, October 1989, | |||
<https://www.rfc-editor.org/info/rfc1123>. | <https://www.rfc-editor.org/info/rfc1123>. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, | ||||
"Introduction and Applicability Statements for Internet- | ||||
Standard Management Framework", RFC 3410, | ||||
DOI 10.17487/RFC3410, December 2002, | ||||
<https://www.rfc-editor.org/info/rfc3410>. | ||||
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
<https://www.rfc-editor.org/info/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. | |||
[RFC5890] Klensin, J., "Internationalized Domain Names for | [RFC5890] Klensin, J., "Internationalized Domain Names for | |||
Applications (IDNA): Definitions and Document Framework", | Applications (IDNA): Definitions and Document Framework", | |||
RFC 5890, DOI 10.17487/RFC5890, August 2010, | RFC 5890, DOI 10.17487/RFC5890, August 2010, | |||
<https://www.rfc-editor.org/info/rfc5890>. | <https://www.rfc-editor.org/info/rfc5890>. | |||
skipping to change at page 33, line 17 ¶ | skipping to change at line 1571 ¶ | |||
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. | Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. | |||
McCloghrie, K., Ed., Perkins, D., Ed., and J. | McCloghrie, K., Ed., Perkins, D., Ed., and J. | |||
Schoenwaelder, Ed., "Textual Conventions for SMIv2", | Schoenwaelder, Ed., "Textual Conventions for SMIv2", | |||
STD 58, RFC 2579, April 1999. | STD 58, RFC 2579, April 1999. | |||
McCloghrie, K., Ed., Perkins, D., Ed., and J. | McCloghrie, K., Ed., Perkins, D., Ed., and J. | |||
Schoenwaelder, Ed., "Conformance Statements for SMIv2", | Schoenwaelder, Ed., "Conformance Statements for SMIv2", | |||
STD 58, RFC 2580, April 1999. | STD 58, RFC 2580, April 1999. | |||
<https://www.rfc-editor.org/info/std58> | ||||
[STD62] Harrington, D., Presuhn, R., and B. Wijnen, "An | [STD62] Harrington, D., Presuhn, R., and B. Wijnen, "An | |||
Architecture for Describing Simple Network Management | Architecture for Describing Simple Network Management | |||
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, | Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, | |||
December 2002. | December 2002. | |||
Case, J., Harrington, D., Presuhn, R., and B. Wijnen, | Case, J., Harrington, D., Presuhn, R., and B. Wijnen, | |||
"Message Processing and Dispatching for the Simple Network | "Message Processing and Dispatching for the Simple Network | |||
Management Protocol (SNMP)", STD 62, RFC 3412, December | Management Protocol (SNMP)", STD 62, RFC 3412, December | |||
2002. | 2002. | |||
skipping to change at page 33, line 52 ¶ | skipping to change at line 1608 ¶ | |||
STD 62, RFC 3416, December 2002. | STD 62, RFC 3416, December 2002. | |||
Presuhn, R., Ed., "Transport Mappings for the Simple | Presuhn, R., Ed., "Transport Mappings for the Simple | |||
Network Management Protocol (SNMP)", STD 62, RFC 3417, | Network Management Protocol (SNMP)", STD 62, RFC 3417, | |||
December 2002. | December 2002. | |||
Presuhn, R., Ed., "Management Information Base (MIB) for | Presuhn, R., Ed., "Management Information Base (MIB) for | |||
the Simple Network Management Protocol (SNMP)", STD 62, | the Simple Network Management Protocol (SNMP)", STD 62, | |||
RFC 3418, December 2002. | RFC 3418, December 2002. | |||
8.2. Informative References | <https://www.rfc-editor.org/info/std62> | |||
7.2. Informative References | ||||
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
(TLS) Protocol Version 1.2", RFC 5246, | (TLS) Protocol Version 1.2", RFC 5246, | |||
DOI 10.17487/RFC5246, August 2008, | DOI 10.17487/RFC5246, August 2008, | |||
<https://www.rfc-editor.org/info/rfc5246>. | <https://www.rfc-editor.org/info/rfc5246>. | |||
[RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model | ||||
for the Simple Network Management Protocol (SNMP)", | ||||
STD 78, RFC 5591, DOI 10.17487/RFC5591, June 2009, | ||||
<https://www.rfc-editor.org/info/rfc5591>. | ||||
[RFC5953] Hardaker, W., "Transport Layer Security (TLS) Transport | [RFC5953] Hardaker, W., "Transport Layer Security (TLS) Transport | |||
Model for the Simple Network Management Protocol (SNMP)", | Model for the Simple Network Management Protocol (SNMP)", | |||
RFC 5953, DOI 10.17487/RFC5953, August 2010, | RFC 5953, DOI 10.17487/RFC5953, August 2010, | |||
<https://www.rfc-editor.org/info/rfc5953>. | <https://www.rfc-editor.org/info/rfc5953>. | |||
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | ||||
Writing an IANA Considerations Section in RFCs", BCP 26, | ||||
RFC 8126, DOI 10.17487/RFC8126, June 2017, | ||||
<https://www.rfc-editor.org/info/rfc8126>. | ||||
[RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic | [RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic | |||
Curve Cryptography (ECC) Cipher Suites for Transport Layer | Curve Cryptography (ECC) Cipher Suites for Transport Layer | |||
Security (TLS) Versions 1.2 and Earlier", RFC 8422, | Security (TLS) Versions 1.2 and Earlier", RFC 8422, | |||
DOI 10.17487/RFC8422, August 2018, | DOI 10.17487/RFC8422, August 2018, | |||
<https://www.rfc-editor.org/info/rfc8422>. | <https://www.rfc-editor.org/info/rfc8422>. | |||
[RFC8447] Salowey, J. and S. Turner, "IANA Registry Updates for TLS | [RFC8447] Salowey, J. and S. Turner, "IANA Registry Updates for TLS | |||
and DTLS", RFC 8447, DOI 10.17487/RFC8447, August 2018, | and DTLS", RFC 8447, DOI 10.17487/RFC8447, August 2018, | |||
<https://www.rfc-editor.org/info/rfc8447>. | <https://www.rfc-editor.org/info/rfc8447>. | |||
skipping to change at page 34, line 45 ¶ | skipping to change at line 1662 ¶ | |||
Integrity-Only Cipher Suites", RFC 9150, | Integrity-Only Cipher Suites", RFC 9150, | |||
DOI 10.17487/RFC9150, April 2022, | DOI 10.17487/RFC9150, April 2022, | |||
<https://www.rfc-editor.org/info/rfc9150>. | <https://www.rfc-editor.org/info/rfc9150>. | |||
[RFC9325] Sheffer, Y., Saint-Andre, P., and T. Fossati, | [RFC9325] Sheffer, Y., Saint-Andre, P., and T. Fossati, | |||
"Recommendations for Secure Use of Transport Layer | "Recommendations for Secure Use of Transport Layer | |||
Security (TLS) and Datagram Transport Layer Security | Security (TLS) and Datagram Transport Layer Security | |||
(DTLS)", BCP 195, RFC 9325, DOI 10.17487/RFC9325, November | (DTLS)", BCP 195, RFC 9325, DOI 10.17487/RFC9325, November | |||
2022, <https://www.rfc-editor.org/info/rfc9325>. | 2022, <https://www.rfc-editor.org/info/rfc9325>. | |||
Acknowledgements | ||||
This document is based on [RFC6353]. This document was reviewed by | ||||
the following people, who helped provide useful comments: Michaela | ||||
Vanderveen, Joe Clarke, Jürgen Schönwälder, and Tom Petch. | ||||
Author's Address | Author's Address | |||
Kenneth Vaughn (editor) | Kenneth Vaughn (editor) | |||
Trevilon LLC | Trevilon LLC | |||
1060 Highway 107 South | 1060 Highway 107 South | |||
Del Rio, TN 37727 | Del Rio, TN 37727 | |||
United States of America | United States of America | |||
Phone: +1 571 331 5670 | Phone: +1 571 331 5670 | |||
Email: kvaughn@trevilon.com | Email: kvaughn@trevilon.com | |||
End of changes. 190 change blocks. | ||||
653 lines changed or deleted | 720 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |