Network Working Group                                          B. Wijnen
Request for Comments: 2265                     IBM T. J. Watson Research
Category: Standards Track                                     R. Presuhn
                                                      BMC Software, Inc.
                                                           K. McCloghrie
                                                     Cisco Systems, Inc.
                                                            January 1998
View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
Status of this Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1997). All Rights Reserved.
Abstract
This document describes the View-based Access Control Model for use in the SNMP architecture [RFC2261]. It defines the Elements of Procedure for controlling access to management information. This document also includes a MIB for remotely managing the configuration parameters for the View-based Access Control Model.
Table of Contents
   1. Introduction
   1.2. Access Control
   1.3. Local Configuration Datastore
   2. Elements of the Model
   2.1. Groups
   2.2. securityLevel
   2.3. Contexts
   2.4. MIB Views and View Families
   2.4.1. View Subtree
   2.4.2. ViewTreeFamily
   2.5. Access Policy
   3. Elements of Procedure
   3.1. Overview of isAccessAllowed Process
   3.2. Processing the isAccessAllowed Service Request
   4. Definitions
   5. Intellectual Property
   6. Acknowledgements
   7. Security Considerations
   7.1. Recommended Practices
   7.2. Defining Groups
   7.3. Conformance
   8. References
   9. Editors' Addresses
   A.1. Installation Parameters
   B. Full Copyright Statement
1. Introduction

The Architecture for describing Internet Management Frameworks [RFC2261] describes that an SNMP engine is composed of:
   1) a Dispatcher
   2) a Message Processing Subsystem,
   3) a Security Subsystem, and
   4) an Access Control Subsystem.
Applications make use of the services of these subsystems.
It is important to understand the SNMP architecture and its terminology to understand where the View-based Access Control Model described in this document fits into the architecture and interacts with other subsystems within the architecture. The reader is expected to have read and understood the description and terminology of the SNMP architecture, as defined in [RFC2261].
The Access Control Subsystem of an SNMP engine has the responsibility for checking whether a specific type of access (read, write, notify) to a particular object (instance) is allowed.
It is the purpose of this document to define a specific model of the Access Control Subsystem, designated the View-based Access Control Model. Note that this is not necessarily the only Access Control Model.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
1.2. Access Control

Access Control occurs (either implicitly or explicitly) in an SNMP entity when processing SNMP retrieval or modification request messages from an SNMP entity. For example a Command Responder application applies Access Control when processing requests that it received from a Command Generator application. These requests include these types of operations: GetRequest, GetNextRequest, GetBulkRequest, and SetRequest operations.
Access Control also occurs in an SNMP entity when an SNMP notification message is generated (by a Notification Originator application). These notification messages include these types of operations: InformRequest and SNMPv2-Trap operations.
The View-based Access Control Model defines a set of services that an application (such as a Command Responder or a Notification Originator application) can use for checking access rights. It is the responsibility of the application to make the proper service calls for access checking.
1.3. Local Configuration Datastore

To implement the model described in this document, an SNMP entity needs to retain information about access rights and policies. This information is part of the SNMP engine's Local Configuration Datastore (LCD). See [RFC2261] for the definition of LCD.
In order to allow an SNMP entity's LCD to be remotely configured, portions of the LCD need to be accessible as managed objects. A MIB module, the View-based Access Control Model Configuration MIB, which defines these managed object types is included in this document.
2. Elements of the Model

This section contains definitions to realize the access control service provided by the View-based Access Control Model.
2.1. Groups

A group is a set of zero or more <securityModel, securityName> tuples on whose behalf SNMP management objects can be accessed. A group defines the access rights afforded to all securityNames which belong to that group. The combination of a securityModel and a securityName maps to at most one group. A group is identified by a groupName.
The Access Control module assumes that the securityName has already been authenticated as needed and provides no further authentication of its own.
The View-based Access Control Model uses the securityModel and the securityName as inputs to the Access Control module when called to check for access rights. It determines the groupName as a function of securityModel and securityName.
2.2. securityLevel

Different access rights for members of a group can be defined for different levels of security, i.e., noAuthNoPriv, authNoPriv, and authPriv. The securityLevel identifies the level of security that will be assumed when checking for access rights. See the SNMP Architecture document [RFC2261] for a definition of securityLevel.
The View-based Access Control Model requires that the securityLevel is passed as input to the Access Control module when called to check for access rights.
2.3. Contexts

An SNMP context is a collection of management information accessible by an SNMP entity. An item of management information may exist in more than one context. An SNMP entity potentially has access to many contexts. Details about the naming of management information can be found in the SNMP Architecture document [RFC2261].
The View-based Access Control Model defines a vacmContextTable that lists the locally available contexts by contextName.
2.4. MIB Views and View Families

For security reasons, it is often valuable to be able to restrict the access rights of some groups to only a subset of the management information in the management domain. To provide this capability, access to a context is via a "MIB view" which details a specific set of managed object types (and optionally, the specific instances of object types) within that context. For example, for a given context, there will typically always be one MIB view which provides access to all management information in that context, and often there will be other MIB views each of which contains some subset of the information. So, the access allowed for a group can be restricted in the desired manner by specifying its rights in terms of the particular (subset) MIB view it can access within each appropriate context.
Since managed object types (and their instances) are identified via the tree-like naming structure of ISO's OBJECT IDENTIFIERs [ISO-ASN.1, RFC1902], it is convenient to define a MIB view as the combination of a set of "view subtrees", where each view subtree is a subtree within the managed object naming tree. Thus, a simple MIB view (e.g., all managed objects within the Internet Network Management Framework) can be defined as a single view subtree, while more complicated MIB views (e.g., all information relevant to a particular network interface) can be represented by the union of multiple view subtrees.
While any set of managed objects can be described by the union of some number of view subtrees, situations can arise that would require a very large number of view subtrees. This could happen, for example, when specifying all columns in one conceptual row of a MIB table because they would appear in separate subtrees, one per column, each with a very similar format. Because the formats are similar, the required set of subtrees can easily be aggregated into one structure. This structure is named a family of view subtrees after the set of subtrees that it conceptually represents. A family of view subtrees can either be included or excluded from a MIB view.
2.4.1. View Subtree

A view subtree is the set of all MIB object instances which have a common ASN.1 OBJECT IDENTIFIER prefix to their names. A view subtree is identified by the OBJECT IDENTIFIER value which is the longest OBJECT IDENTIFIER prefix common to all (potential) MIB object instances in that subtree.
2.4.2. ViewTreeFamily

A family of view subtrees is a pairing of an OBJECT IDENTIFIER value (called the family name) together with a bit string value (called the family mask). The family mask indicates which sub-identifiers of the associated family name are significant to the family's definition.
For each possible managed object instance, that instance belongs to a particular ViewTreeFamily if both of the following conditions are true:
- the OBJECT IDENTIFIER name of the managed object instance contains at least as many sub-identifiers as does the family name, and
- each sub-identifier in the OBJECT IDENTIFIER name of the managed object instance matches the corresponding sub-identifier of the family name whenever the corresponding bit of the associated family mask is non-zero.
When the configured value of the family mask is all ones, the view subtree family is identical to the single view subtree identified by the family name.
When the configured value of the family mask is shorter than required to perform the above test, its value is implicitly extended with ones. Consequently, a view subtree family having a family mask of zero length always corresponds to a single view subtree.
2.5. Access Policy

The View-based Access Control Model determines the access rights of a group, representing zero or more securityNames which have the same access rights. For a particular context, identified by contextName, to which a group, identified by groupName, has access using a particular securityModel and securityLevel, that group's access rights are given by a read-view, a write-view and a notify-view.
The read-view represents the set of object instances authorized for the group when reading objects. Reading objects occurs when processing a retrieval (for example a GetRequest, GetNextRequest, GetBulkRequest) operation.
The write-view represents the set of object instances authorized for the group when writing objects. Writing objects occurs when processing a write (for example a Set) operation.
The notify-view represents the set of object instances authorized for the group when sending objects in a notification, such as when sending a notification (for example an Inform or SNMPv2-Trap).
3. Elements of Procedure

This section describes the procedures followed by an Access Control module that implements the View-based Access Control Model when checking access rights as requested by an application (for example a Command Responder or a Notification Originator application). The abstract service primitive is:
   statusInformation =             -- success or errorIndication
     isAccessAllowed(
       securityModel               -- Security Model in use
       securityName                -- principal who wants access
       securityLevel               -- Level of Security
       viewType                    -- read, write, or notify view
       contextName                 -- context containing variableName
       variableName                -- OID for the managed object
       )
The abstract data elements are:
   statusInformation - one of the following:
      accessAllowed  - a MIB view was found and access is granted.
      notInView      - a MIB view was found but access is denied.
                       The variableName is not in the configured MIB
                       view for the specified viewType (e.g., in the
                       relevant entry in the vacmAccessTable).
      noSuchView     - no MIB view found because no view has been
                       configured for specified viewType (e.g., in the
                       relevant entry in the vacmAccessTable).
      noSuchContext  - no MIB view found because of no entry in the
                       vacmContextTable for specified contextName.
      noGroupName    - no MIB view found because no entry has been
                       configured in the vacmSecurityToGroupTable for
                       the specified combination of securityModel and
                       securityName.
      noAccessEntry  - no MIB view found because no entry has been
                       configured in the vacmAccessTable for the
                       specified combination of contextName, groupName
                       (from vacmSecurityToGroupTable), securityModel
                       and securityLevel.
      otherError     - failure, an undefined error occurred.
   securityModel     - Security Model under which access is requested.
   securityName      - the principal on whose behalf access is requested.
   securityLevel     - Level of Security under which access is requested.
   viewType          - view to be checked (read, write or notify).
   contextName       - context in which access is requested.
   variableName      - object instance to which access is requested.
3.1. Overview of isAccessAllowed Process

The following picture shows how the decision for access control is made by the View-based Access Control Model.
+------------------------------------------------------------------------+
|        +-> securityModel -+                                            |
|        |       (a)        |                                            |
| who ---+                  +-> groupName ----+                          |
| (1)    |                  |      (x)        |                          |
|        +-> securityName --+                 |                          |
|                (b)                          |                          |
|                                             |                          |
| where --> contextName ----------------------+                          |
| (2)           (e)                           |                          |
|                                             |                          |
|        +-> securityModel -------------------+                          |
|        |       (a)                          |                          |
| how ---+                                    +-> viewName -+            |
| (3)    |                                    |     (y)     |            |
|        +-> securityLevel -------------------+             |            |
|                (c)                          |             +-> yes/no   |
|                                             |             |  decision  |
| why ---> viewType (read/write/notify) ------+             |    (z)     |
| (4)         (d)                                           |            |
|                                                           |            |
| what --> object-type ------+                              |            |
| (5)          (m)           |                              |            |
|                            +-> variableName (OID) --------+            |
|                            |        (f)                                |
| which -> object-instance --+                                           |
| (6)          (n)                                                       |
+------------------------------------------------------------------------+
How the decision for isAccessAllowed is made.
1) Inputs to the isAccessAllowed service are:
   (a) securityModel  -- Security Model in use
   (b) securityName   -- principal who wants to access
   (c) securityLevel  -- Level of Security
   (d) viewType       -- read, write, or notify view
   (e) contextName    -- context containing variableName
   (f) variableName   -- OID for the managed object
                      -- this is made up of:
                            - object-type (m)
                            - object-instance (n)
2) The partial "who" (1), represented by the securityModel (a) and the securityName (b), are used as the indices (a,b) into the vacmSecurityToGroupTable to find a single entry that produces a group, represented by groupName (x).
3) The "where" (2), represented by the contextName (e), the "who", represented by the groupName (x) from the previous step, and the "how" (3), represented by securityModel (a) and securityLevel (c), are used as indices (e,x,a,c) into the vacmAccessTable to find a single entry that contains three MIB views.
4) The "why" (4), represented by the viewType (d), is used to select the proper MIB view, represented by a viewName (y), from the vacmAccessEntry selected in the previous step. This viewName (y) is an index into the vacmViewTreeFamilyTable and selects the set of entries that define the variableNames which are included in or excluded from the MIB view identified by the viewName (y).
5) The "what" (5) type of management data and "which" (6) particular instance, represented by the variableName (f), is then checked to be in the MIB view or not, e.g., the yes/no decision (z).
3.2. Processing the isAccessAllowed Service Request

This section describes the procedure followed by an Access Control module that implements the View-based Access Control Model whenever it receives an isAccessAllowed request.
1) The vacmContextTable is consulted for information about the SNMP context identified by the contextName. If information about this SNMP context is absent from the table, then an errorIndication (noSuchContext) is returned to the calling module.
2) The vacmSecurityToGroupTable is consulted for mapping the securityModel and securityName to a groupName. If the information about this combination is absent from the table, then an errorIndication (noGroupName) is returned to the calling module.
3) The vacmAccessTable is consulted for information about the groupName, contextName, securityModel and securityLevel. If information about this combination is absent from the table, then an errorIndication (noAccessEntry) is returned to the calling module.
4) a) If the viewType is "read", then the read view is used for checking access rights.
b) If the viewType is "write", then the write view is used for checking access rights.
c) If the viewType is "notify", then the notify view is used for checking access rights.
If the view to be used is the empty view (zero length viewName) then an errorIndication (noSuchView) is returned to the calling module.
5) a) If there is no view configured for the specified viewType, then an errorIndication (noSuchView) is returned to the calling module.
b) If the specified variableName (object instance) is not in the MIB view (see DESCRIPTION clause for vacmViewTreeFamilyTable in section 4), then an errorIndication (notInView) is returned to the calling module.
Otherwise,
c) The specified variableName is in the MIB view. A statusInformation of success (accessAllowed) is returned to the calling module.
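The procedure above, the ViewTreeFamily membership test of section 2.4.2 and the table walk of section 3.1 are brought together below in a worked example in Python. This is an added illustration, not code from the RFC or from any SNMP implementation. It assumes: the LCD tables as plain dictionaries holding constructed sample data (the groups, views and OIDs are made up for the example); the SnmpSecurityModel value 3 for USM and the SnmpSecurityLevel values 2 (authNoPriv) and 3 (authPriv) as defined in SNMP-FRAMEWORK-MIB; an exact-key lookup in the access table, which leaves out the context-prefix, 'any' securityModel and minimum-securityLevel matching that the full vacmAccessTable definition adds (section 4, not reproduced on this page); and, for overlapping included and excluded families, the rule from the RFC's vacmViewTreeFamilyTable DESCRIPTION (the matching family with the most sub-identifiers decides, ties going to the lexicographically greatest family name), which this page also does not reproduce.

```python
"""Worked VACM example (added illustration, not code from the RFC)."""
from typing import Dict, Iterable, List, Tuple

OID = Tuple[int, ...]
# A MIB view: (familyName, familyMask, included) entries, one per
# vacmViewTreeFamilyTable row that shares the same viewName.
View = List[Tuple[OID, Tuple[int, ...], bool]]


def in_family(instance: OID, family: OID, mask: Iterable[int] = ()) -> bool:
    """Section 2.4.2: does the instance belong to the view subtree family?

    The instance must have at least as many sub-identifiers as the family
    name, and every sub-identifier whose mask bit is 1 must match. A mask
    shorter than the family name is implicitly extended with ones, so the
    empty mask makes the family identical to the single view subtree.
    """
    if len(instance) < len(family):
        return False
    bits = list(mask)[:len(family)]
    bits += [1] * (len(family) - len(bits))      # implicit extension with ones
    return all(bit == 0 or inst == fam
               for inst, fam, bit in zip(instance, family, bits))


def in_view(instance: OID, view: View) -> bool:
    """Is the instance in the MIB view? (rule for overlaps: see lead-in)"""
    matches = [e for e in view if in_family(instance, e[0], e[1])]
    if not matches:
        return False
    _name, _mask, included = max(matches, key=lambda e: (len(e[0]), e[0]))
    return included


def is_access_allowed(lcd: Dict, security_model: int, security_name: str,
                      security_level: int, view_type: str,
                      context_name: str, variable_name: OID) -> str:
    """Section 3.2 procedure; returns the statusInformation value.

    Assumption: exact-key lookup in the access table (the full
    vacmAccessTable adds prefix/'any'/minimum-level matching).
    """
    if context_name not in lcd["contexts"]:                   # step 1
        return "noSuchContext"
    group = lcd["security_to_group"].get((security_model, security_name))
    if group is None:                                         # step 2
        return "noGroupName"
    entry = lcd["access"].get((group, context_name, security_model, security_level))
    if entry is None:                                         # step 3
        return "noAccessEntry"
    view_name = entry[view_type]                              # step 4
    if view_name == "":                                       # the empty view
        return "noSuchView"
    view = lcd["views"].get(view_name)
    if view is None:                                          # step 5a
        return "noSuchView"
    if not in_view(variable_name, view):                      # step 5b
        return "notInView"
    return "accessAllowed"                                    # step 5c


# Constructed sample LCD for the example (not from the RFC).
USM = 3                                   # SnmpSecurityModel: usm(3)
AUTH_NO_PRIV, AUTH_PRIV = 2, 3            # SnmpSecurityLevel (noAuthNoPriv is 1)
SYSTEM = (1, 3, 6, 1, 2, 1, 1)            # mib-2.system
IF_ENTRY = (1, 3, 6, 1, 2, 1, 2, 2, 1)    # ifTable.ifEntry
ALL_ONES = ()                             # empty mask == single view subtree
# ifEntry.<any column>.3: mask bit 0 on the column sub-identifier, so one
# family covers every column of conceptual row 3 (the section 2.4 case).
IF_ROW3 = (IF_ENTRY + (0, 3), (1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1), True)

SAMPLE_LCD = {
    "contexts": {""},                                  # vacmContextTable
    "security_to_group": {                             # vacmSecurityToGroupTable
        (USM, "monitor"): "readers",
        (USM, "netops"): "operators",
    },
    "access": {                 # vacmAccessTable: (group, context, model, level)
        ("readers", "", USM, AUTH_NO_PRIV):
            {"read": "sysView", "write": "", "notify": "trapView"},
        ("operators", "", USM, AUTH_PRIV):
            {"read": "fullView", "write": "ifRow3View", "notify": "fullView"},
    },
    "views": {                                         # vacmViewTreeFamilyTable
        "sysView": [(SYSTEM, ALL_ONES, True)],
        "fullView": [((1, 3, 6, 1), ALL_ONES, True), (IF_ENTRY, ALL_ONES, False)],
        "ifRow3View": [IF_ROW3],
        # "trapView" is named by the readers' entry but never configured
    },
}

if __name__ == "__main__":
    for name, level, vtype, oid in [
        ("monitor", AUTH_NO_PRIV, "read", SYSTEM + (1, 0)),      # sysDescr.0
        ("monitor", AUTH_NO_PRIV, "write", SYSTEM + (1, 0)),
        ("netops", AUTH_PRIV, "write", IF_ENTRY + (7, 3)),       # ifAdminStatus.3
        ("netops", AUTH_PRIV, "write", IF_ENTRY + (7, 4)),       # ifAdminStatus.4
    ]:
        print(name, vtype, ".".join(map(str, oid)),
              is_access_allowed(SAMPLE_LCD, USM, name, level, vtype, "", oid))
```

The point to take from running it is that the error indications are distinct and arise at different steps: a write-view left empty in the access entry (the readers' group) is reported as noSuchView in step 4, a view that is named but never configured (trapView) is also noSuchView but in step 5a, while an instance outside a configured view (an ifEntry row other than 3 for the operators' write-view, or the excluded ifEntry subtree in fullView) is notInView. An application that logs these separately can tell a policy gap from a policy denial.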
4. Definitions

SNMP-VIEW-BASED-ACM-MIB DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-COMPLIANCE, OBJECT-GROUP       FROM SNMPv2-CONF
    MODULE-IDENTITY, OBJECT-TYPE,
    snmpModules                           FROM SNMPv2-SMI
    TestAndIncr, RowStatus, StorageType   FROM SNMPv2-TC
    SnmpAdminString, SnmpSecurityLevel,
    SnmpSecurityModel                     FROM SNMP-FRAMEWORK-MIB;
snmpVacmMIB       MODULE-IDENTITY
    LAST-UPDATED "9711200000Z"            -- 20 Nov 1997, midnight
    ORGANIZATION "SNMPv3 Working Group"
    CONTACT-INFO "WG-email:   snmpv3@tis.com
                  Subscribe:  majordomo@tis.com
                              In message body:  subscribe snmpv3

                  Chair:      Russ Mundy
                              Trusted Information Systems
                  postal:     3060 Washington Rd
                              Glenwood MD 21738
                              USA
                  email:      mundy@tis.com
                  phone:      +1-301-854-6889

                  Co-editor:  Bert Wijnen
                              IBM T.J. Watson Research
                  postal:     Schagen 33
                              3461 GL Linschoten
                              Netherlands
                  email:      wijnen@vnet.ibm.com
                  phone:      +31-348-432-794

                  Co-editor:  Randy Presuhn
                              BMC Software, Inc
                  postal:     1190 Saratoga Avenue, Suite 130
                              San Jose, CA 95129-3433
                              USA
                  email:      rpresuhn@bmc.com
                  phone:      +1-408-556-0720

                  Co-editor:  Keith McCloghrie
                              Cisco Systems, Inc.
                  postal:     170 West Tasman Drive
                              San Jose, CA  95134-1706
                              USA
                  email:      kzm@cisco.com
                  phone:      +1-408-526-5260
                 "
    DESCRIPTION  "The management information definitions for the
                  View-based Access Control Model for SNMP.
                 "
    ::= { snmpModules 5 }
-- Administrative assignments ****************************************
vacmMIBObjects      OBJECT IDENTIFIER ::= { snmpVacmMIB 1 }
vacmMIBConformance  OBJECT IDENTIFIER ::= { snmpVacmMIB 2 }
-- Information about Local Contexts **********************************
vacmContextTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF VacmContextEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The table of locally available contexts.

                 This table provides information to SNMP Command
                 Generator applications so that they can properly
                 configure the vacmAccessTable to control access to
                 all contexts at the SNMP entity.

                 This table may change dynamically if the SNMP entity
                 allows that contexts are added/deleted dynamically
                 (for instance when its configuration changes). Such
                 changes would happen only if the management
                 instrumentation at that SNMP entity recognizes more
                 (or fewer) contexts.

                 The presence of entries in this table and of entries
                 in the vacmAccessTable are independent. That is, a
                 context identified by an entry in this table is not
                 necessarily referenced by any entries in the
                 vacmAccessTable; and the context(s) referenced by an
                 entry in the vacmAccessTable does not necessarily
                 currently exist and thus need not be identified by an
                 entry in this table.

                 This table must be made accessible via the default
                 context so that Command Responder applications have
                 a standard way of retrieving the information.

                 This table is read-only. It cannot be configured via
                 SNMP.
                "
    ::= { vacmMIBObjects 1 }
vacmContextEntry OBJECT-TYPE
    SYNTAX       VacmContextEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "Information about a particular context."
    INDEX       {
                  vacmContextName
                }
    ::= { vacmContextTable 1 }

VacmContextEntry ::= SEQUENCE
    {
        vacmContextName SnmpAdminString
    }
vacmContextName  OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(0..32))
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION "A human readable name identifying a particular
                 context at a particular SNMP entity.

                 The empty contextName (zero length) represents the
                 default context.
                "
    ::= { vacmContextEntry 1 }
-- Information about Groups ******************************************
vacmSecurityToGroupTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF VacmSecurityToGroupEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "This table maps a combination of securityModel and
                 securityName into a groupName which is used to define
                 an access control policy for a group of principals.
                "
    ::= { vacmMIBObjects 2 }

vacmSecurityToGroupEntry OBJECT-TYPE
    SYNTAX       VacmSecurityToGroupEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "An entry in this table maps the combination of a
                 securityModel and securityName into a groupName.
                "
    INDEX       {
                  vacmSecurityModel,
                  vacmSecurityName
                }
    ::= { vacmSecurityToGroupTable 1 }

VacmSecurityToGroupEntry ::= SEQUENCE
    {
        vacmSecurityModel               SnmpSecurityModel,
        vacmSecurityName                SnmpAdminString,
        vacmGroupName                   SnmpAdminString,
        vacmSecurityToGroupStorageType  StorageType,
        vacmSecurityToGroupStatus       RowStatus
    }
vacmSecurityModel OBJECT-TYPE
    SYNTAX       SnmpSecurityModel(1..2147483647)
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The Security Model, by which the vacmSecurityName
                 referenced by this entry is provided.

                 Note, this object may not take the 'any' (0) value.
                "
    ::= { vacmSecurityToGroupEntry 1 }
vacmSecurityName OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(1..32))
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The securityName for the principal, represented in a
                 Security Model independent format, which is mapped by
                 this entry to a groupName.

                 The securityName for a principal represented in a
                 Security Model independent format.
                "
    ::= { vacmSecurityToGroupEntry 2 }
vacmGroupName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "The name of the group to which this entry (e.g., the combination of securityModel and securityName) belongs.
vacmGroupName对象类型语法SnmpAdminString(大小(1..32))MAX-ACCESS read create STATUS current DESCRIPTION“此项所属组的名称(例如securityModel和securityName的组合)。
This groupName is used as index into the vacmAccessTable to select an access control policy. " ::= { vacmSecurityToGroupEntry 3 }
This groupName is used as index into the vacmAccessTable to select an access control policy. " ::= { vacmSecurityToGroupEntry 3 }
vacmSecurityToGroupStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this conceptual row. Conceptual rows having the value 'permanent' need not allow write-access to any columnar objects in the row. " DEFVAL { nonVolatile } ::= { vacmSecurityToGroupEntry 4 }
vacmSecurityToGroupStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this conceptual row. Conceptual rows having the value 'permanent' need not allow write-access to any columnar objects in the row. " DEFVAL { nonVolatile } ::= { vacmSecurityToGroupEntry 4 }
vacmSecurityToGroupStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create
vacmSecurityToGroupStatus对象类型语法RowStatus MAX-ACCESS read create
STATUS current DESCRIPTION "The status of this conceptual row.
STATUS current DESCRIPTION“此概念行的状态。
The RowStatus TC [RFC1903] requires that this DESCRIPTION clause states under which circumstances other objects in this row can be modified:
RowStatus TC[RFC1903]要求此描述子句说明在何种情况下可以修改此行中的其他对象:
The value of this object has no effect on whether other objects in this conceptual row can be modified. " ::= { vacmSecurityToGroupEntry 5 }
The value of this object has no effect on whether other objects in this conceptual row can be modified. " ::= { vacmSecurityToGroupEntry 5 }
-- Information about Access Rights ***********************************
vacmAccessTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF VacmAccessEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The table of access rights for groups.

                 Each entry is indexed by a contextPrefix, a groupName,
                 a securityModel and a securityLevel.  To determine
                 whether access is allowed, one entry from this table
                 needs to be selected and the proper viewName from that
                 entry must be used for access control checking.

                 To select the proper entry, follow these steps:

                 1) the set of possible matches is formed by the
                    intersection of the following sets of entries:

                      the set of entries with identical vacmGroupName
                      the union of these two sets:
                        - the set with identical vacmAccessContextPrefix
                        - the set of entries with vacmAccessContextMatch
                          value of 'prefix' and matching
                          vacmAccessContextPrefix
                      intersected with the union of these two sets:
                        - the set of entries with identical
                          vacmSecurityModel
                        - the set of entries with vacmSecurityModel
                          value of 'any'
                      intersected with the set of entries with
                      vacmAccessSecurityLevel value less than or equal
                      to the requested securityLevel

                 2) if this set has only one member, we're done;
                    otherwise, it comes down to deciding how to weight
                    the preferences between ContextPrefixes,
                    SecurityModels, and SecurityLevels as follows:
                    a) if the subset of entries with identical
                       securityModels is not empty, discard the rest.
                    b) if the subset of entries with identical
                       vacmAccessContextPrefix is not empty,
                       discard the rest.
                    c) discard all entries with ContextPrefixes shorter
                       than the longest one remaining in the set.
                    d) select the entry with the highest securityLevel.

                 Please note that for securityLevel noAuthNoPriv, all
                 groups are really equivalent since the assumption that
                 the securityName has been authenticated does not hold.
                "
    ::= { vacmMIBObjects 4 }
vacmAccessEntry OBJECT-TYPE
    SYNTAX       VacmAccessEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "An access right configured in the Local Configuration
                 Datastore (LCD) authorizing access to an SNMP context.
                "
    INDEX       { vacmGroupName,
                  vacmAccessContextPrefix,
                  vacmAccessSecurityModel,
                  vacmAccessSecurityLevel
                }
    ::= { vacmAccessTable 1 }

VacmAccessEntry ::= SEQUENCE
    {
        vacmAccessContextPrefix    SnmpAdminString,
        vacmAccessSecurityModel    SnmpSecurityModel,
        vacmAccessSecurityLevel    SnmpSecurityLevel,
        vacmAccessContextMatch     INTEGER,
        vacmAccessReadViewName     SnmpAdminString,
        vacmAccessWriteViewName    SnmpAdminString,
        vacmAccessNotifyViewName   SnmpAdminString,
        vacmAccessStorageType      StorageType,
        vacmAccessStatus           RowStatus
    }

vacmAccessContextPrefix OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(0..32))
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "In order to gain the access rights allowed by this
                 conceptual row, a contextName must match exactly
                 (if the value of vacmAccessContextMatch is 'exact')
                 or partially (if the value of vacmAccessContextMatch
                 is 'prefix') to the value of the instance of this
                 object.
                "
    ::= { vacmAccessEntry 1 }

vacmAccessSecurityModel OBJECT-TYPE
    SYNTAX       SnmpSecurityModel
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "In order to gain the access rights allowed by this
                 conceptual row, this securityModel must be in use.
                "
    ::= { vacmAccessEntry 2 }

vacmAccessSecurityLevel OBJECT-TYPE
    SYNTAX       SnmpSecurityLevel
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The minimum level of security required in order to
                 gain the access rights allowed by this conceptual
                 row.  A securityLevel of noAuthNoPriv is less than
                 authNoPriv which in turn is less than authPriv.

                 If multiple entries are equally indexed except for
                 this vacmAccessSecurityLevel index, then the entry
                 which has the highest value for
                 vacmAccessSecurityLevel wins.
                "
    ::= { vacmAccessEntry 3 }
vacmAccessContextMatch OBJECT-TYPE
    SYNTAX       INTEGER
                { exact (1),  -- exact match of prefix and contextName
                  prefix (2)  -- Only match to the prefix
                }
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "If the value of this object is exact(1), then all
                 rows where the contextName exactly matches
                 vacmAccessContextPrefix are selected.

                 If the value of this object is prefix(2), then all
                 rows where the contextName whose starting octets
                 exactly match vacmAccessContextPrefix are selected.
                 This allows for a simple form of wildcarding.

                 See also the example in the DESCRIPTION clause of
                 the vacmAccessTable above.
                "
    ::= { vacmAccessEntry 4 }
vacmAccessReadViewName OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(0..32))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes read access.

                 The identified MIB view is that one for which the
                 vacmViewTreeFamilyViewName has the same value as the
                 instance of this object; if the value is the empty
                 string or if there is no active MIB view having this
                 value of vacmViewTreeFamilyViewName, then no access
                 is granted.
                "
    DEFVAL      { ''H }   -- the empty string
    ::= { vacmAccessEntry 5 }

vacmAccessWriteViewName OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(0..32))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes write access.

                 The identified MIB view is that one for which the
                 vacmViewTreeFamilyViewName has the same value as the
                 instance of this object; if the value is the empty
                 string or if there is no active MIB view having this
                 value of vacmViewTreeFamilyViewName, then no access
                 is granted.
                "
    DEFVAL      { ''H }   -- the empty string
    ::= { vacmAccessEntry 6 }

vacmAccessNotifyViewName OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(0..32))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The value of an instance of this object identifies
                 the MIB view of the SNMP context to which this
                 conceptual row authorizes access for notifications.

                 The identified MIB view is that one for which the
                 vacmViewTreeFamilyViewName has the same value as the
                 instance of this object; if the value is the empty
                 string or if there is no active MIB view having this
                 value of vacmViewTreeFamilyViewName, then no access
                 is granted.
                "
    DEFVAL      { ''H }   -- the empty string
    ::= { vacmAccessEntry 7 }
vacmAccessStorageType OBJECT-TYPE
    SYNTAX       StorageType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The storage type for this conceptual row.

                 Conceptual rows having the value 'permanent' need not
                 allow write-access to any columnar objects in the row.
                "
    DEFVAL      { nonVolatile }
    ::= { vacmAccessEntry 8 }

vacmAccessStatus OBJECT-TYPE
    SYNTAX       RowStatus
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The status of this conceptual row.

                 The RowStatus TC [RFC1903] requires that this
                 DESCRIPTION clause states under which circumstances
                 other objects in this row can be modified:

                 The value of this object has no effect on whether
                 other objects in this conceptual row can be modified.
                "
    ::= { vacmAccessEntry 9 }
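The entry selection procedure from the vacmAccessTable DESCRIPTION clause above (step 1 and steps 2a through 2d), modelled in Python as an added example; this is not text or code from the RFC or from any SNMP implementation. The group name "operators", the view names, the context names and the five rows are constructed sample data; the numeric securityLevel and securityModel values follow the SnmpSecurityLevel and SnmpSecurityModel textual conventions of the SNMP-FRAMEWORK-MIB.

```python
from dataclasses import dataclass
from typing import List, Optional

# SnmpSecurityLevel values: ordered noAuthNoPriv < authNoPriv < authPriv
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3
# SnmpSecurityModel values: 0 is reserved for 'any', 3 is the User-based Security Model
ANY_MODEL, USM = 0, 3


@dataclass(frozen=True)
class AccessEntry:
    """One conceptual row of vacmAccessTable."""
    group_name: str           # vacmGroupName (index)
    context_prefix: str       # vacmAccessContextPrefix (index)
    security_model: int       # vacmAccessSecurityModel (index), 0 = 'any'
    security_level: int       # vacmAccessSecurityLevel (index), the minimum level
    context_match: str        # vacmAccessContextMatch: 'exact' or 'prefix'
    read_view: str = ""       # vacmAccessReadViewName, '' grants no access
    write_view: str = ""      # vacmAccessWriteViewName
    notify_view: str = ""     # vacmAccessNotifyViewName
    active: bool = True       # vacmAccessStatus == active


def _context_matches(entry: AccessEntry, context_name: str) -> bool:
    """Step 1 context test: an identical prefix always qualifies; a row with
    vacmAccessContextMatch 'prefix' also qualifies on a leading match."""
    if entry.context_prefix == context_name:
        return True
    return entry.context_match == "prefix" and context_name.startswith(entry.context_prefix)


def select_access_entry(table: List[AccessEntry], group_name: str, context_name: str,
                        security_model: int, security_level: int) -> Optional[AccessEntry]:
    """Pick the one vacmAccessTable row that governs a request."""
    # Step 1: intersection of the candidate sets
    cands = [e for e in table
             if e.active
             and e.group_name == group_name
             and _context_matches(e, context_name)
             and e.security_model in (security_model, ANY_MODEL)
             and e.security_level <= security_level]
    if not cands:
        return None
    if len(cands) == 1:
        return cands[0]
    # Step 2a: rows naming this exact securityModel beat 'any' rows
    exact_model = [e for e in cands if e.security_model == security_model]
    if exact_model:
        cands = exact_model
    # Step 2b: rows whose prefix equals the contextName beat partial matches
    exact_ctx = [e for e in cands if e.context_prefix == context_name]
    if exact_ctx:
        cands = exact_ctx
    # Step 2c: keep only the longest remaining prefixes
    longest = max(len(e.context_prefix) for e in cands)
    cands = [e for e in cands if len(e.context_prefix) == longest]
    # Step 2d: highest securityLevel wins; after 2a-2c the survivors differ
    # only in that index column, so the choice is unique
    return max(cands, key=lambda e: e.security_level)


def view_name_for(table: List[AccessEntry], group_name: str, context_name: str,
                  security_model: int, security_level: int, view_type: str) -> str:
    """Return the MIB view a read/write/notify request must be checked
    against, or '' when no row is selected or the row grants no view."""
    entry = select_access_entry(table, group_name, context_name, security_model, security_level)
    if entry is None:
        return ""
    return {"read": entry.read_view, "write": entry.write_view, "notify": entry.notify_view}[view_type]


# Constructed sample rows for one group "operators" (not from the RFC):
# row 1 is the noAuthNoPriv fallback for any model; rows 2 and 3 are USM rows
# that differ only in securityLevel; rows 4 and 5 scope access by context name.
SAMPLE_ACCESS_TABLE = [
    AccessEntry("operators", "", ANY_MODEL, NO_AUTH_NO_PRIV, "prefix", read_view="publicView"),
    AccessEntry("operators", "", USM, AUTH_NO_PRIV, "prefix", read_view="allView"),
    AccessEntry("operators", "", USM, AUTH_PRIV, "prefix", read_view="allView", write_view="configView"),
    AccessEntry("operators", "vlan", USM, AUTH_NO_PRIV, "prefix", read_view="vlanView"),
    AccessEntry("operators", "vlan10", USM, AUTH_NO_PRIV, "exact", read_view="vlan10View"),
]

if __name__ == "__main__":
    for ctx, level in (("", AUTH_PRIV), ("", NO_AUTH_NO_PRIV), ("vlan10", AUTH_NO_PRIV), ("vlan20", AUTH_NO_PRIV)):
        print(ctx or "<default>", level, view_name_for(SAMPLE_ACCESS_TABLE, "operators", ctx, USM, level, "read"))
```

Note that an unauthenticated (noAuthNoPriv) request never reaches the USM rows, so it falls back to the 'any' row and receives only publicView, which is the behaviour the table's closing remark about noAuthNoPriv describes.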
-- Information about MIB views ***************************************

-- Support for instance-level granularity is optional.
--
-- In some implementations, instance-level access control
-- granularity may come at a high performance cost.  Managers
-- should avoid requesting such configurations unnecessarily.

vacmMIBViews     OBJECT IDENTIFIER ::= { vacmMIBObjects 5 }
vacmViewSpinLock OBJECT-TYPE
    SYNTAX       TestAndIncr
    MAX-ACCESS   read-write
    STATUS       current
    DESCRIPTION "An advisory lock used to allow cooperating SNMP
                 Command Generator applications to coordinate their
                 use of the Set operation in creating or modifying
                 views.

                 When creating a new view or altering an existing
                 view, it is important to understand the potential
                 interactions with other uses of the view.  The
                 vacmViewSpinLock should be retrieved.  The name of
                 the view to be created should be determined to be
                 unique by the SNMP Command Generator application by
                 consulting the vacmViewTreeFamilyTable.  Finally,
                 the named view may be created (Set), including the
                 advisory lock.  If another SNMP Command Generator
                 application has altered the views in the meantime,
                 then the spin lock's value will have changed, and
                 so this creation will fail because it will specify
                 the wrong value for the spin lock.

                 Since this is an advisory lock, the use of this lock
                 is not enforced.
                "
    ::= { vacmMIBViews 1 }
vacmViewTreeFamilyTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF VacmViewTreeFamilyEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "Locally held information about families of subtrees
                 within MIB views.

                 Each MIB view is defined by two sets of view subtrees:
                   - the included view subtrees, and
                   - the excluded view subtrees.
                 Every such view subtree, both the included and the
                 excluded ones, is defined in this table.

                 To determine if a particular object instance is in
                 a particular MIB view, compare the object instance's
                 OBJECT IDENTIFIER with each of the MIB view's active
                 entries in this table.  If none match, then the
                 object instance is not in the MIB view.  If one or
                 more match, then the object instance is included in,
                 or excluded from, the MIB view according to the
                 value of vacmViewTreeFamilyType in the entry whose
                 value of vacmViewTreeFamilySubtree has the most
                 sub-identifiers.  If multiple entries match and have
                 the same number of sub-identifiers, then the
                 lexicographically greatest instance of
                 vacmViewTreeFamilyType determines the inclusion or
                 exclusion.

                 An object instance's OBJECT IDENTIFIER X matches an
                 active entry in this table when the number of
                 sub-identifiers in X is at least as many as in the
                 value of vacmViewTreeFamilySubtree for the entry,
                 and each sub-identifier in the value of
                 vacmViewTreeFamilySubtree matches its corresponding
                 sub-identifier in X.  Two sub-identifiers match
                 either if the corresponding bit of the value of
                 vacmViewTreeFamilyMask for the entry is zero (the
                 'wild card' value), or if they are equal.

                 A 'family' of subtrees is the set of subtrees defined
                 by a particular combination of values of
                 vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask.
                 In the case where no 'wild card' is defined in the
                 vacmViewTreeFamilyMask, the family of subtrees reduces
                 to a single subtree.

                 When creating or changing MIB views, an SNMP Command
                 Generator application should utilize the
                 vacmViewSpinLock to try to avoid collisions.  See
                 DESCRIPTION clause of vacmViewSpinLock.

                 When creating MIB views, it is strongly advised that
                 first the 'excluded' vacmViewTreeFamilyEntries are
                 created and then the 'included' entries.

                 When deleting MIB views, it is strongly advised that
                 first the 'included' vacmViewTreeFamilyEntries are
                 deleted and then the 'excluded' entries.

                 If a create for an entry for instance-level access
                 control is received and the implementation does not
                 support instance-level granularity, then an
                 inconsistentName error must be returned.
                "
    ::= { vacmMIBViews 2 }
vacmViewTreeFamilyEntry OBJECT-TYPE
    SYNTAX       VacmViewTreeFamilyEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "Information on a particular family of view subtrees
                 included in or excluded from a particular SNMP
                 context's MIB view.

                 Implementations must not restrict the number of
                 families of view subtrees for a given MIB view,
                 except as dictated by resource constraints on the
                 overall number of entries in the
                 vacmViewTreeFamilyTable.

                 If no conceptual rows exist in this table for a given
                 MIB view (viewName), that view may be thought of as
                 consisting of the empty set of view subtrees.
                "
    INDEX       { vacmViewTreeFamilyViewName,
                  vacmViewTreeFamilySubtree
                }
    ::= { vacmViewTreeFamilyTable 1 }

VacmViewTreeFamilyEntry ::= SEQUENCE
    {
        vacmViewTreeFamilyViewName     SnmpAdminString,
        vacmViewTreeFamilySubtree      OBJECT IDENTIFIER,
        vacmViewTreeFamilyMask         OCTET STRING,
        vacmViewTreeFamilyType         INTEGER,
        vacmViewTreeFamilyStorageType  StorageType,
        vacmViewTreeFamilyStatus       RowStatus
    }

vacmViewTreeFamilyViewName OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(1..32))
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The human readable name for a family of view subtrees.
                "
    ::= { vacmViewTreeFamilyEntry 1 }

vacmViewTreeFamilySubtree OBJECT-TYPE
    SYNTAX       OBJECT IDENTIFIER
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The MIB subtree which when combined with the
                 corresponding instance of vacmViewTreeFamilyMask
                 defines a family of view subtrees.
                "
    ::= { vacmViewTreeFamilyEntry 2 }
vacmViewTreeFamilyMask OBJECT-TYPE
    SYNTAX       OCTET STRING (SIZE (0..16))
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The bit mask which, in combination with the
                 corresponding instance of vacmViewTreeFamilySubtree,
                 defines a family of view subtrees.

                 Each bit of this bit mask corresponds to a
                 sub-identifier of vacmViewTreeFamilySubtree, with the
                 most significant bit of the i-th octet of this octet
                 string value (extended if necessary, see below)
                 corresponding to the (8*i - 7)-th sub-identifier, and
                 the least significant bit of the i-th octet of this
                 octet string corresponding to the (8*i)-th
                 sub-identifier, where i is in the range 1 through 16.

                 Each bit of this bit mask specifies whether or not
                 the corresponding sub-identifiers must match when
                 determining if an OBJECT IDENTIFIER is in this
                 family of view subtrees; a '1' indicates that an
                 exact match must occur; a '0' indicates 'wild card',
                 i.e., any sub-identifier value matches.

                 Thus, the OBJECT IDENTIFIER X of an object instance
                 is contained in a family of view subtrees if, for
                 each sub-identifier of the value of
                 vacmViewTreeFamilySubtree, either:

                   the i-th bit of vacmViewTreeFamilyMask is 0, or

                   the i-th sub-identifier of X is equal to the i-th
                   sub-identifier of the value of
                   vacmViewTreeFamilySubtree.

                 If the value of this bit mask is M bits long and
                 there are more than M sub-identifiers in the
                 corresponding instance of vacmViewTreeFamilySubtree,
                 then the bit mask is extended with 1's to be the
                 required length.

                 Note that when the value of this object is the
                 zero-length string, this extension rule results in
                 a mask of all-1's being used (i.e., no 'wild card'),
                 and the family of view subtrees is the one view
                 subtree uniquely identified by the corresponding
                 instance of vacmViewTreeFamilySubtree.

                 Note that masks of length greater than zero length
                 do not need to be supported.  In this case this
                 object is made read-only.
                "
    DEFVAL      { ''H }
    ::= { vacmViewTreeFamilyEntry 3 }
vacmViewTreeFamilyType OBJECT-TYPE
    SYNTAX       INTEGER  { included(1), excluded(2) }
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "Indicates whether the corresponding instances of
                 vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask
                 define a family of view subtrees which is included in
                 or excluded from the MIB view.
                "
    DEFVAL      { included }
    ::= { vacmViewTreeFamilyEntry 4 }

vacmViewTreeFamilyStorageType OBJECT-TYPE
    SYNTAX       StorageType
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The storage type for this conceptual row.

                 Conceptual rows having the value 'permanent' need not
                 allow write-access to any columnar objects in the row.
                "
    DEFVAL      { nonVolatile }
    ::= { vacmViewTreeFamilyEntry 5 }

vacmViewTreeFamilyStatus OBJECT-TYPE
    SYNTAX       RowStatus
    MAX-ACCESS   read-create
    STATUS       current
    DESCRIPTION "The status of this conceptual row.

                 The RowStatus TC [RFC1903] requires that this
                 DESCRIPTION clause states under which circumstances
                 other objects in this row can be modified:

                 The value of this object has no effect on whether
                 other objects in this conceptual row can be modified.
                "
    ::= { vacmViewTreeFamilyEntry 6 }
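The matching and precedence rules from the vacmViewTreeFamilyTable and vacmViewTreeFamilyMask DESCRIPTION clauses above (mask bit layout, extension with 1's, longest subtree wins, lexicographic tie-break), modelled in Python as an added example; this is not text or code from the RFC or from any SNMP implementation. The view name "ifView", its four rows, the masks and the OIDs looked up are constructed sample data (the OIDs are instances under the standard interfaces group).

```python
from dataclasses import dataclass
from typing import List, Tuple

OID = Tuple[int, ...]


@dataclass(frozen=True)
class ViewTreeFamilyEntry:
    """One conceptual row of vacmViewTreeFamilyTable."""
    view_name: str           # vacmViewTreeFamilyViewName (index)
    subtree: OID             # vacmViewTreeFamilySubtree (index)
    mask: bytes = b""        # vacmViewTreeFamilyMask; '' extends to all 1's
    included: bool = True    # vacmViewTreeFamilyType: included(1) / excluded(2)
    active: bool = True      # vacmViewTreeFamilyStatus == active


def mask_bit(mask: bytes, i: int) -> int:
    """Mask bit for the i-th (1-based) sub-identifier.
    The MSB of octet 1 is sub-identifier 1 and its LSB sub-identifier 8;
    positions beyond the mask's length are extended with 1's."""
    octet, bit = divmod(i - 1, 8)
    if octet >= len(mask):
        return 1
    return (mask[octet] >> (7 - bit)) & 1


def in_family(oid: OID, entry: ViewTreeFamilyEntry) -> bool:
    """X matches a family when it has at least as many sub-identifiers as the
    subtree and each subtree sub-identifier is wild (bit 0) or equal."""
    if len(oid) < len(entry.subtree):
        return False
    return all(mask_bit(entry.mask, i) == 0 or oid[i - 1] == sub
               for i, sub in enumerate(entry.subtree, start=1))


def oid_in_view(oid: OID, view_name: str, table: List[ViewTreeFamilyEntry]) -> bool:
    """Apply the precedence rule: the matching row with the most sub-identifiers
    decides; among equal lengths the lexicographically greatest row instance
    decides, which for one view name means the greater subtree sub-identifiers."""
    matches = [e for e in table if e.active and e.view_name == view_name and in_family(oid, e)]
    if not matches:
        return False
    decisive = max(matches, key=lambda e: (len(e.subtree), e.subtree))
    return decisive.included


# Constructed sample view "ifView" (not from the RFC). ifEntry is
# 1.3.6.1.2.1.2.2.1; sub-identifier 10 is the column, 11 the ifIndex.
#  row 1: include the whole interfaces group
#  row 2: exclude the ifPhysAddress column (ifEntry.6)
#  row 3: include every column of the ifIndex 3 row; mask 0xFF 0xA0 is
#         1111 1111 1 0 1, so sub-identifier 10 (the column) is wild
#  row 4: exclude ifPhysAddress for every ifIndex; mask 0xFF 0xC0 is
#         1111 1111 1 1 0, so sub-identifier 11 (the ifIndex) is wild
IF_ENTRY = (1, 3, 6, 1, 2, 1, 2, 2, 1)
IF_VIEW = [
    ViewTreeFamilyEntry("ifView", (1, 3, 6, 1, 2, 1, 2)),
    ViewTreeFamilyEntry("ifView", IF_ENTRY + (6,), included=False),
    ViewTreeFamilyEntry("ifView", IF_ENTRY + (0, 3), mask=b"\xff\xa0"),
    ViewTreeFamilyEntry("ifView", IF_ENTRY + (6, 0), mask=b"\xff\xc0", included=False),
]

if __name__ == "__main__":
    for name, oid in (("ifDescr.1", IF_ENTRY + (2, 1)), ("ifPhysAddress.1", IF_ENTRY + (6, 1)),
                      ("ifInOctets.3", IF_ENTRY + (10, 3)), ("ifPhysAddress.3", IF_ENTRY + (6, 3))):
        print(name, oid_in_view(oid, "ifView", IF_VIEW))
```

For ifPhysAddress.3 rows 3 and 4 both match with eleven sub-identifiers, and row 4 wins only because its subtree sorts lexicographically after row 3's; this is the tie-break an operator has to keep in mind when an instance-level include and a column-level exclude overlap.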
-- Conformance information *******************************************

vacmMIBCompliances  OBJECT IDENTIFIER ::= { vacmMIBConformance 1 }
vacmMIBGroups       OBJECT IDENTIFIER ::= { vacmMIBConformance 2 }

-- Compliance statements *********************************************
vacmMIBCompliance MODULE-COMPLIANCE
    STATUS       current
    DESCRIPTION "The compliance statement for SNMP engines which
                 implement the SNMP View-based Access Control Model
                 configuration MIB.
                "
    MODULE    -- this module
        MANDATORY-GROUPS { vacmBasicGroup }

        OBJECT        vacmAccessContextMatch
        MIN-ACCESS    read-only
        DESCRIPTION  "Write access is not required."

        OBJECT        vacmAccessReadViewName
        MIN-ACCESS    read-only
        DESCRIPTION  "Write access is not required."

        OBJECT        vacmAccessWriteViewName
        MIN-ACCESS    read-only
        DESCRIPTION  "Write access is not required."

        OBJECT        vacmAccessNotifyViewName
        MIN-ACCESS    read-only
        DESCRIPTION  "Write access is not required."

        OBJECT        vacmAccessStorageType
        MIN-ACCESS    read-only
        DESCRIPTION  "Write access is not required."

        OBJECT        vacmAccessStatus
        MIN-ACCESS    read-only
        DESCRIPTION  "Create/delete/modify access to the
                      vacmAccessTable is not required.
                     "

        OBJECT        vacmViewTreeFamilyMask
        WRITE-SYNTAX  OCTET STRING (SIZE (0))
        MIN-ACCESS    read-only
        DESCRIPTION  "Support for configuration via SNMP of subtree
                      families using wild-cards is not required.
                     "

        OBJECT        vacmViewTreeFamilyType
        MIN-ACCESS    read-only
        DESCRIPTION  "Write access is not required."

        OBJECT        vacmViewTreeFamilyStorageType
        MIN-ACCESS    read-only
        DESCRIPTION  "Write access is not required."

        OBJECT        vacmViewTreeFamilyStatus
        MIN-ACCESS    read-only
        DESCRIPTION  "Create/delete/modify access to the
                      vacmViewTreeFamilyTable is not required.
                     "
    ::= { vacmMIBCompliances 1 }
-- Units of conformance **********************************************

vacmBasicGroup OBJECT-GROUP
    OBJECTS {
              vacmContextName,
              vacmGroupName,
              vacmSecurityToGroupStorageType,
              vacmSecurityToGroupStatus,
              vacmAccessContextMatch,
              vacmAccessReadViewName,
              vacmAccessWriteViewName,
              vacmAccessNotifyViewName,
              vacmAccessStorageType,
              vacmAccessStatus,
              vacmViewSpinLock,
              vacmViewTreeFamilyMask,
              vacmViewTreeFamilyType,
              vacmViewTreeFamilyStorageType,
              vacmViewTreeFamilyStatus
            }
    STATUS       current
    DESCRIPTION "A collection of objects providing for remote
                 configuration of an SNMP engine which implements
                 the SNMP View-based Access Control Model.
                "
    ::= { vacmMIBGroups 1 }

END
The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.
Acknowledgements

This document is the result of the efforts of the SNMPv3 Working Group. Some special thanks are in order to the following SNMPv3 WG members:

       Dave Battle (SNMP Research, Inc.)
       Uri Blumenthal (IBM T.J. Watson Research Center)
       Jeff Case (SNMP Research, Inc.)
       John Curran (BBN)
       T. Max Devlin (Hi-TECH Connections)
       John Flick (Hewlett Packard)
       David Harrington (Cabletron Systems Inc.)
       N.C. Hien (IBM T.J. Watson Research Center)
       Dave Levi (SNMP Research, Inc.)
       Louis A Mamakos (UUNET Technologies Inc.)
       Paul Meyer (Secure Computing Corporation)
       Keith McCloghrie (Cisco Systems)
       Russ Mundy (Trusted Information Systems, Inc.)
       Bob Natale (ACE*COMM Corporation)
       Mike O'Dell (UUNET Technologies Inc.)
       Dave Perkins (DeskTalk)
       Peter Polkinghorne (Brunel University)
       Randy Presuhn (BMC Software, Inc.)
       David Reid (SNMP Research, Inc.)
       Shawn Routhier (Epilogue)
       Juergen Schoenwaelder (TU Braunschweig)
       Bob Stewart (Cisco Systems)
       Bert Wijnen (IBM T.J. Watson Research Center)

The document is based on recommendations of the IETF Security and Administrative Framework Evolution for SNMP Advisory Team. Members of that Advisory Team were:

       David Harrington (Cabletron Systems Inc.)
       Jeff Johnson (Cisco Systems)
       David Levi (SNMP Research Inc.)
       John Linn (Openvision)
       Russ Mundy (Trusted Information Systems) chair
       Shawn Routhier (Epilogue)
       Glenn Waters (Nortel)
       Bert Wijnen (IBM T. J. Watson Research Center)

As recommended by the Advisory Team and the SNMPv3 Working Group Charter, the design incorporates as much as practical from previous RFCs and drafts. As a result, special thanks are due to the authors of previous designs known as SNMPv2u and SNMPv2*:

       Jeff Case (SNMP Research, Inc.)
       David Harrington (Cabletron Systems Inc.)
       David Levi (SNMP Research, Inc.)
       Keith McCloghrie (Cisco Systems)
       Brian O'Keefe (Hewlett Packard)
       Marshall T. Rose (Dover Beach Consulting)
       Jon Saperia (BGS Systems Inc.)
       Steve Waldbusser (International Network Services)
       Glenn W. Waters (Bell-Northern Research Ltd.)
5. Security Considerations

5.1. Recommended Practices

This document is meant for use in the SNMP architecture. The View-based Access Control Model described in this document checks access rights to management information based on:

       - contextName, representing a set of management information at
         the managed system where the Access Control module is running.

       - groupName, representing a set of zero or more securityNames.
         The combination of a securityModel and a securityName is
         mapped into a group in the View-based Access Control Model.

       - securityModel under which access is requested.

       - securityLevel under which access is requested.

       - operation performed on the management information.

       - MIB views for read, write or notify access.

When the View-based Access Control module is called for checking access rights, it is assumed that the calling module has ensured the authentication and privacy aspects as specified by the securityLevel that is being passed.

When creating entries in or deleting entries from the vacmViewTreeFamilyTable it is important to do so in the sequence recommended in the DESCRIPTION clause of the vacmViewTreeFamilyTable definition. Otherwise unwanted access may be granted while the entries in the table are being changed.
5.2. Defining Groups

The groupNames are used to give access to a group of zero or more securityNames. Within the View-based Access Control Model, a groupName is considered to exist if that groupName is listed in the vacmSecurityToGroupTable.

By mapping the combination of a securityModel and securityName into a groupName, an SNMP Command Generator application can add/delete securityNames to/from a group, if proper access is allowed.

Further it is important to realize that the grouping of <securityModel, securityName> tuples in the vacmSecurityToGroupTable does not take securityLevel into account. It is therefore important that the security administrator uses the securityLevel index in the vacmAccessTable to separate noAuthNoPriv from authPriv and/or authNoPriv access.
5.3. Conformance

For an implementation of the View-based Access Control Model to be conformant, it MUST implement the SNMP-VIEW-BASED-ACM-MIB. It also SHOULD implement the initial configuration, described in appendix A.
6. References

[RFC1902] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1902, January 1996.

[RFC1903] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1903, January 1996.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2261] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for describing SNMP Management Frameworks", RFC 2261, January 1998.

[RFC2262] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2262, January 1998.

[RFC2264] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2264, January 1998.

[ISO-ASN.1] Information processing systems - Open Systems Interconnection - Specification of Abstract Syntax Notation One (ASN.1), International Organization for Standardization. International Standard 8824, (December, 1987).
7. Editors' Addresses

       Bert Wijnen
       IBM T. J. Watson Research
       Schagen 33
       3461 GL Linschoten
       Netherlands

       EMail: wijnen@vnet.ibm.com
       Phone: +31-348-432-794

       Randy Presuhn
       BMC Software, Inc.
       1190 Saratoga Avenue, Suite 130
       San Jose, CA 95129-3433
       USA

       EMail: rpresuhn@bmc.com
       Phone: +1-408-556-0720

       Keith McCloghrie
       Cisco Systems, Inc.
       170 West Tasman Drive
       San Jose, CA 95134-1706
       USA

       EMail: kzm@cisco.com
       Phone: +1-408-526-5260
APPENDIX A - Installation
During installation, an authoritative SNMP engine which supports this View-based Access Control Model SHOULD be configured with several initial parameters. These include for the View-based Access Control Model:

1) A security configuration

The choice of security configuration determines if initial configuration is implemented and if so how. One of three possible choices is selected:

       - initial-minimum-security-configuration
       - initial-semi-security-configuration
       - initial-no-access-configuration

In the case of an initial-no-access-configuration, there is no initial configuration, and so the following steps are irrelevant.

2) A default context

One entry in the vacmContextTable with a contextName of "" (the empty string), representing the default context. Note that this table gets created automatically if a default context exists.
                                    no privacy support   privacy support
                                    ------------------   ---------------
       vacmContextName              ""                   ""
3) An initial group

One entry in the vacmSecurityToGroupTable to allow access to group "initial".

                                    no privacy support   privacy support
                                    ------------------   ---------------
       vacmSecurityModel            3 (USM)              3 (USM)
       vacmSecurityName             "initial"            "initial"
       vacmGroupName                "initial"            "initial"
       vacmSecurityToGroupStorageType
                                    anyValidStorageType  anyValidStorageType
       vacmSecurityToGroupStatus    active               active
4) Initial access rights

Three entries in the vacmAccessTable as follows:

       - read-notify access for securityModel USM, securityLevel
         "noAuthNoPriv" on behalf of securityNames that belong to the
         group "initial" to the <restricted> MIB view in the default
         context with contextName "".

       - read-write-notify access for securityModel USM, securityLevel
         "authNoPriv" on behalf of securityNames that belong to the
         group "initial" to the <internet> MIB view in the default
         context with contextName "".

       - if privacy is supported, read-write-notify access for
         securityModel USM, securityLevel "authPriv" on behalf of
         securityNames that belong to the group "initial" to the
         <internet> MIB view in the default context with contextName "".

That translates into the following entries in the vacmAccessTable. Those columns marked with (index) are index-only objects and are not really present in this table.
- One entry to be used for unauthenticated access (noAuthNoPriv):

                                    no privacy support   privacy support
                                    ------------------   ---------------
       vacmAccessContextPrefix      ""                   ""
       vacmGroupName (index)        "initial"            "initial"
       vacmSecurityModel (index)    3 (USM)              3 (USM)
       vacmAccessSecurityLevel      noAuthNoPriv         noAuthNoPriv
       vacmAccessReadViewName       "restricted"         "restricted"
       vacmAccessWriteViewName      ""                   ""
       vacmAccessNotifyViewName     "restricted"         "restricted"
       vacmAccessStorageType        anyValidStorageType  anyValidStorageType
       vacmAccessStatus             active               active
- One entry to be used for authenticated access but without privacy (authNoPriv):

                                    no privacy support   privacy support
                                    ------------------   ---------------
       vacmAccessContextPrefix      ""                   ""
       vacmGroupName (index)        "initial"            "initial"
       vacmSecurityModel (index)    3 (USM)              3 (USM)
       vacmAccessSecurityLevel      authNoPriv           authNoPriv
       vacmAccessReadViewName       "internet"           "internet"
       vacmAccessWriteViewName      "internet"           "internet"
       vacmAccessNotifyViewName     "internet"           "internet"
       vacmAccessStorageType        anyValidStorageType  anyValidStorageType
       vacmAccessStatus             active               active
- One entry to be used for authenticated access with privacy (authPriv). This entry exists only when privacy is supported, so the "no privacy support" column is empty:

                                    no privacy support   privacy support
                                    ------------------   ---------------
       vacmAccessContextPrefix                           ""
       vacmGroupName (index)                             "initial"
       vacmSecurityModel (index)                         3 (USM)
       vacmAccessSecurityLevel                           authPriv
       vacmAccessReadViewName                            "internet"
       vacmAccessWriteViewName                           "internet"
       vacmAccessNotifyViewName                          "internet"
       vacmAccessStorageType                             anyValidStorageType
       vacmAccessStatus                                  active
5) Two MIB views, of which the second one depends on the security configuration.

       - One view, the <internet> view, for authenticated access:

         - the <internet> MIB view is the following subtree:
               "internet"  (subtree 1.3.6.1)

       - A second view, the <restricted> view, for unauthenticated
         access. This view is configured according to the selected
         security configuration:

         - For the initial-no-access-configuration there is no default
           initial configuration, so no MIB views are prescribed.

         - For the initial-semi-security-configuration:

           the <restricted> MIB view is the union of these subtrees:
               (a) "system"        (subtree 1.3.6.1.2.1.1)      [RFC1907]
               (b) "snmp"          (subtree 1.3.6.1.2.1.11)     [RFC1907]
               (c) "snmpEngine"    (subtree 1.3.6.1.6.3.7.2.1)  [RFC2261]
               (d) "snmpMPDStats"  (subtree 1.3.6.1.6.3.8.2.1)  [RFC2262]
               (e) "usmStats"      (subtree 1.3.6.1.6.3.9.2.1)  [RFC2264]

         - For the initial-minimum-security-configuration:

           the <restricted> MIB view is the following subtree:
               "internet"  (subtree 1.3.6.1)
This translates into the following "internet" entry in the vacmViewTreeFamilyTable:

                                    minimum-secure       semi-secure
                                    --------------       -----------
       vacmViewTreeFamilyViewName   "internet"           "internet"
       vacmViewTreeFamilySubtree    1.3.6.1              1.3.6.1
       vacmViewTreeFamilyMask       ""                   ""
       vacmViewTreeFamilyType       1 (included)         1 (included)
       vacmViewTreeFamilyStorageType
                                    anyValidStorageType  anyValidStorageType
       vacmViewTreeFamilyStatus     active               active
In addition it translates into the following "restricted" entries in the vacmViewTreeFamilyTable (the minimum-secure configuration needs one entry, the semi-secure configuration one entry per subtree):

                                    minimum-secure       semi-secure
                                    --------------       -----------
       vacmViewTreeFamilyViewName   "restricted"         "restricted"
       vacmViewTreeFamilySubtree    1.3.6.1              1.3.6.1.2.1.1
       vacmViewTreeFamilyMask       ""                   ""
       vacmViewTreeFamilyType       1 (included)         1 (included)
       vacmViewTreeFamilyStorageType
                                    anyValidStorageType  anyValidStorageType
       vacmViewTreeFamilyStatus     active               active

       vacmViewTreeFamilyViewName                        "restricted"
       vacmViewTreeFamilySubtree                         1.3.6.1.2.1.11
       vacmViewTreeFamilyMask                            ""
       vacmViewTreeFamilyType                            1 (included)
       vacmViewTreeFamilyStorageType                     anyValidStorageType
       vacmViewTreeFamilyStatus                          active

       vacmViewTreeFamilyViewName                        "restricted"
       vacmViewTreeFamilySubtree                         1.3.6.1.6.3.7.2.1
       vacmViewTreeFamilyMask                            ""
       vacmViewTreeFamilyType                            1 (included)
       vacmViewTreeFamilyStorageType                     anyValidStorageType
       vacmViewTreeFamilyStatus                          active

       vacmViewTreeFamilyViewName                        "restricted"
       vacmViewTreeFamilySubtree                         1.3.6.1.6.3.8.2.1
       vacmViewTreeFamilyMask                            ""
       vacmViewTreeFamilyType                            1 (included)
       vacmViewTreeFamilyStorageType                     anyValidStorageType
       vacmViewTreeFamilyStatus                          active

       vacmViewTreeFamilyViewName                        "restricted"
       vacmViewTreeFamilySubtree                         1.3.6.1.6.3.9.2.1
       vacmViewTreeFamilyMask                            ""
       vacmViewTreeFamilyType                            1 (included)
       vacmViewTreeFamilyStorageType                     anyValidStorageType
       vacmViewTreeFamilyStatus                          active
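The decision these tables feed, as an added example that is not code from RFC 2265 or from any SNMP implementation: a Python model of the isAccessAllowed procedure of section 3, loaded with the Appendix A initial configuration for the initial-semi-security-configuration. It also exercises the two points raised in the Security Considerations: a noAuthNoPriv request on behalf of "initial" can only ever select the noAuthNoPriv row of vacmAccessTable, because vacmAccessSecurityLevel is the minimum level a row accepts and the highest applicable row is chosen (the selection rule from the vacmAccessTable DESCRIPTION in section 4), and adding an "included" parent subtree to a view before its "excluded" child leaves the child reachable until the second row exists. The view "if3" with its mask, the subtree 1.3.6.1.4.1.99 and the helper names are constructed for this example; the status strings are those of section 3, and the securityLevel and securityModel numbers are the SnmpSecurityLevel and vacmSecurityModel values.

```python
# Added example (not from RFC 2265): a model of the VACM isAccessAllowed
# decision, loaded with the Appendix A initial configuration for the
# initial-semi-security-configuration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Oid = Tuple[int, ...]
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3   # SnmpSecurityLevel values
ANY_MODEL, USM = 0, 3                                # vacmSecurityModel values


def oid(dotted: str) -> Oid:
    return tuple(int(x) for x in dotted.split("."))


@dataclass
class ViewEntry:               # one vacmViewTreeFamilyTable row
    view: str
    subtree: Oid
    mask: bytes = b""          # "" means every sub-identifier must match
    included: bool = True      # vacmViewTreeFamilyType included(1) / excluded(2)


@dataclass
class AccessEntry:             # one vacmAccessTable row (exact context match)
    group: str
    context_prefix: str
    model: int
    level: int                 # vacmAccessSecurityLevel: minimum level accepted
    read: str
    write: str
    notify: str


def mask_bit(mask: bytes, i: int) -> int:
    # bit i of vacmViewTreeFamilyMask, most significant bit first;
    # bits beyond the end of the mask are treated as 1
    byte, bit = divmod(i, 8)
    return 1 if byte >= len(mask) else (mask[byte] >> (7 - bit)) & 1


def entry_matches(e: ViewEntry, o: Oid) -> bool:
    # a 0 mask bit makes that sub-identifier of the subtree a wildcard
    if len(o) < len(e.subtree):
        return False
    return all(mask_bit(e.mask, i) == 0 or e.subtree[i] == o[i]
               for i in range(len(e.subtree)))


def in_view(views: List[ViewEntry], name: str, o: Oid) -> bool:
    # of the matching rows, the longest subtree wins (ties: the
    # lexicographically greater subtree); the winner's type decides
    best: Optional[ViewEntry] = None
    for e in views:
        if e.view == name and entry_matches(e, o):
            if best is None or (len(e.subtree), e.subtree) > (len(best.subtree), best.subtree):
                best = e
    return best is not None and best.included


def select_access(rows: List[AccessEntry], group: str, context: str,
                  model: int, level: int) -> Optional[AccessEntry]:
    # a row applies if its level is at or below the requested level;
    # prefer a row for this securityModel over "any", then the highest level
    cands = [a for a in rows if a.group == group and a.context_prefix == context
             and a.model in (ANY_MODEL, model) and a.level <= level]
    return max(cands, key=lambda a: (a.model != ANY_MODEL, a.level)) if cands else None


@dataclass
class Vacm:
    contexts: Set[str]                      # vacmContextTable
    groups: Dict[Tuple[int, str], str]      # vacmSecurityToGroupTable
    access: List[AccessEntry]
    views: List[ViewEntry]

    def is_access_allowed(self, model: int, name: str, level: int,
                          view_type: str, context: str, variable: Oid) -> str:
        # status values are those of the isAccessAllowed procedure in section 3
        if context not in self.contexts:
            return "noSuchContext"
        group = self.groups.get((model, name))
        if group is None:
            return "noGroupName"
        row = select_access(self.access, group, context, model, level)
        if row is None:
            return "noAccessEntry"
        view_name = getattr(row, view_type)      # "read", "write" or "notify"
        if view_name == "":
            return "noSuchView"
        return "accessAllowed" if in_view(self.views, view_name, variable) else "notInView"


def appendix_a_semi_secure() -> Vacm:
    # the Appendix A tables for the initial-semi-security-configuration
    restricted = ["1.3.6.1.2.1.1", "1.3.6.1.2.1.11", "1.3.6.1.6.3.7.2.1",
                  "1.3.6.1.6.3.8.2.1", "1.3.6.1.6.3.9.2.1"]
    return Vacm(
        contexts={""},
        groups={(USM, "initial"): "initial"},
        access=[AccessEntry("initial", "", USM, NO_AUTH_NO_PRIV, "restricted", "", "restricted"),
                AccessEntry("initial", "", USM, AUTH_NO_PRIV, "internet", "internet", "internet"),
                AccessEntry("initial", "", USM, AUTH_PRIV, "internet", "internet", "internet")],
        views=[ViewEntry("internet", oid("1.3.6.1"))]
              + [ViewEntry("restricted", oid(s)) for s in restricted],
    )


def membership_after_each_step(steps: List[ViewEntry], name: str, o: Oid) -> List[bool]:
    # whether o is in the view after each row is added, in the given order
    table: List[ViewEntry] = []
    seen: List[bool] = []
    for e in steps:
        table.append(e)
        seen.append(in_view(table, name, o))
    return seen
```

With this configuration, a noAuthNoPriv read of sysDescr.0 (1.3.6.1.2.1.1.1.0) returns accessAllowed while the same read of ifNumber.0 (1.3.6.1.2.1.2.1.0) returns notInView, and a noAuthNoPriv write returns noSuchView because the write view name of that row is the empty string; an authNoPriv or authPriv request reaches the "internet" view. The constructed "if3" view shows the mask: subtree 1.3.6.1.2.1.2.2.1.1.3 with mask ff:a0 wildcards the tenth sub-identifier (the column) and pins the eleventh (the instance), so every column of the ifTable row with index 3 is in the view and no other row is. Adding an included 1.3.6.1 row before the excluded 1.3.6.1.4.1.99 row yields membership [True, False] for a variable under the excluded subtree, the window the Security Considerations warns about; adding the excluded row first yields [False, False].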
B. Full Copyright Statement
Copyright (C) The Internet Society (1997). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.