Network Working Group                                        M. St. Johns
Request for Comments: 2786                                    Excite@Home
Category: Experimental                                         March 2000
        
Network Working Group                                        M. St. Johns
Request for Comments: 2786                                    Excite@Home
Category: Experimental                                         March 2000
        

Diffie-Helman USM Key Management Information Base and Textual Convention

Diffie-Helman USM密钥管理信息库和文本约定

Status of this Memo

本备忘录的状况

This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.

这份备忘录为互联网社区定义了一个实验性协议。它没有规定任何类型的互联网标准。要求进行讨论并提出改进建议。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2000). All Rights Reserved.

版权所有(C)互联网协会(2000年)。版权所有。

IESG Note

IESG注释

This document specifies an experimental MIB. Readers, implementers and users of this MIB should be aware that in the future the IETF may charter an IETF Working Group to develop a standards track MIB to address the same problem space that this MIB addresses. It is quite possible that an incompatible standards track MIB may result from that effort.

本文档指定了一个实验性MIB。本MIB的读者、实施者和用户应意识到,未来IETF可能会组建一个IETF工作组,以开发一个标准跟踪MIB,以解决该MIB所解决的相同问题空间。这很可能导致不兼容的标准跟踪MIB。

Abstract

摘要

This memo defines an experimental portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it defines a textual convention for doing Diffie-Helman key agreement key exchanges and a set of objects which extend the usmUserTable to permit the use of a DH key exchange in addition to the key change method described in [12]. In otherwords, this MIB adds the possibility of forward secrecy to the USM model. It also defines a set of objects that can be used to kick start security on an SNMPv3 agent when the out of band path is authenticated, but not necessarily private or confidential.

本备忘录定义了管理信息库(MIB)的实验部分,用于互联网社区中的网络管理协议。特别是,它定义了用于进行Diffie-Helman密钥协议密钥交换的文本约定和一组对象,这些对象扩展了usmUserTable,除了[12]中描述的密钥更改方法外,还允许使用DH密钥交换。换句话说,这个MIB为USM模型增加了前向保密的可能性。它还定义了一组对象,当带外路径经过身份验证时,这些对象可用于启动SNMPv3代理上的安全性,但不一定是私有或机密的。

The KeyChange textual convention described in [12] permits secure key changes, but has the property that if a third-party has knowledge of the original key (e.g. if the agent was manufactured with a standard default key) and could capture all SNMP exchanges, the third-party would know the new key. The Diffie-Helman key change described here

[12]中描述的KeyChange文本约定允许安全密钥更改,但其属性是,如果第三方知道原始密钥(例如,如果代理使用标准默认密钥制造),并且可以捕获所有SNMP交换,则第三方将知道新密钥。这里描述的Diffie-Helman密钥更改

limits knowledge of the new key to the agent and the manager making the change. In otherwords, this process adds forward secrecy to the key change process.

限制代理和进行更改的经理对新密钥的了解。换句话说,这个过程为密钥更改过程增加了前向保密性。

The recommendation in [12] is that the usmUserTable be populated out of band - e.g. not via SNMP. If the number of agents to be configured is small, this can be done via a console port and manually. If the number of agents is large, as is the case for a cable modem system, the manual approach doesn't scale well. The combination of the two mechanisms specified here - the DH key change mechanism, and the DH key ignition mechanism - allows managable use of SNMPv3 USM in a system of millions of devices.

[12]中的建议是usmUserTable应在带外填充-例如,不通过SNMP填充。如果要配置的代理数量较少,则可以通过控制台端口手动完成。如果代理的数量很大,如有线调制解调器系统,则手动方法不能很好地扩展。此处指定的两种机制(DH钥匙更换机制和DH钥匙点火机制)的组合允许在数百万设备的系统中管理SNMPv3 USM。

This memo specifies a MIB module in a manner that is compliant to the SNMP SMIv2[5][6][7]. The set of objects is consistent with the SNMP framework and existing SNMP standards and is intended for use with the SNMPv3 User Security Model MIB and other security related MIBs.

此备忘录以符合SNMP SMIv2[5][6][7]的方式指定MIB模块。该对象集与SNMP框架和现有SNMP标准一致,并用于SNMPv3用户安全模型MIB和其他安全相关MIB。

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [16].

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[16]中所述进行解释。

This memo is a private submission by the author, but is applicable to the SNMPv3 working group within the Internet Engineering Task Force. Comments are solicited and should be addressed to the the author.

本备忘录由作者私人提交,但适用于互联网工程任务组内的SNMPv3工作组。征求意见,并应提交给作者。

Table of Contents

目录

   1 The SNMP Management Framework .................................   2
   1.1 Structure of the MIB ........................................   3
   2 Theory of Operation ...........................................   4
   2.1 Diffie-Helman Key Changes ...................................   4
   2.2 Diffie-Helman Key Ignition ..................................   4
   3 Definitions ...................................................   6
   4 References ....................................................  17
   5 Security Considerations .......................................  18
   6 Intellectual Property .........................................  19
   7 Author's Address ..............................................  19
   8 Full Copyright Statement ......................................  20
        
   1 The SNMP Management Framework .................................   2
   1.1 Structure of the MIB ........................................   3
   2 Theory of Operation ...........................................   4
   2.1 Diffie-Helman Key Changes ...................................   4
   2.2 Diffie-Helman Key Ignition ..................................   4
   3 Definitions ...................................................   6
   4 References ....................................................  17
   5 Security Considerations .......................................  18
   6 Intellectual Property .........................................  19
   7 Author's Address ..............................................  19
   8 Full Copyright Statement ......................................  20
        

1. The SNMP Management Framework The SNMP Management Framework presently consists of five major components:

1. SNMP管理框架SNMP管理框架目前由五个主要组件组成:

o An overall architecture, described in RFC 2271 [1].

o RFC 2271[1]中描述的总体架构。

o Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in STD

o 为管理目的描述和命名对象和事件的机制。这种管理信息结构(SMI)的第一个版本称为SMIv1,在STD中进行了描述

16, RFC 1155 [2], STD 16, RFC 1212 [3] and RFC 1215 [4]. The second version, called SMIv2, is described in STD 58, RFC 2578 [5], STD 58, RFC 2579 [6] and STD 58, RFC 2580 [7].

16,RFC 1155[2],STD 16,RFC 1212[3]和RFC 1215[4]。第二个版本称为SMIv2,在STD 58、RFC 2578[5]、STD 58、RFC 2579[6]和STD 58、RFC 2580[7]中进行了描述。

o Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in STD 15, RFC 1157 [8]. A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [10], RFC 2272 [11] and RFC 2274 [12].

o 用于传输管理信息的消息协议。SNMP消息协议的第一个版本称为SNMPv1,在STD 15、RFC 1157[8]中进行了描述。SNMP消息协议的第二个版本不是互联网标准跟踪协议,称为SNMPv2c,在RFC 1901[9]和RFC 1906[10]中进行了描述。消息协议的第三个版本称为SNMPv3,在RFC 1906[10]、RFC 2272[11]和RFC 2274[12]中进行了描述。

o Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in STD 15, RFC 1157 [8]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [13].

o 访问管理信息的协议操作。STD 15、RFC 1157[8]中描述了第一组协议操作和相关PDU格式。RFC 1905[13]中描述了第二组协议操作和相关PDU格式。

o A set of fundamental applications described in RFC 2273 [14] and the view-based access control mechanism described in RFC 2275 [15].

o RFC 2273[14]中描述的一组基本应用程序和RFC 2275[15]中描述的基于视图的访问控制机制。

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the mechanisms defined in the SMI.

托管对象通过虚拟信息存储(称为管理信息库或MIB)进行访问。MIB中的对象是使用SMI中定义的机制定义的。

This memo specifies a MIB module that is compliant to the SMIv2. A MIB conforming to the SMIv1 can be produced through the appropriate translations. The resulting translated MIB must be semantically equivalent, except where objects or events are omitted because no translation is possible (use of Counter64). Some machine readable information in SMIv2 will be converted into textual descriptions in SMIv1 during the translation process. However, this loss of machine readable information is not considered to change the semantics of the MIB.

此备忘录指定了符合SMIv2的MIB模块。通过适当的翻译,可以生成符合SMIv1的MIB。生成的已翻译MIB必须在语义上等效,除非由于无法翻译而省略了对象或事件(使用计数器64)。在翻译过程中,SMIv2中的一些机器可读信息将转换为SMIv1中的文本描述。但是,这种机器可读信息的丢失不被认为会改变MIB的语义。

1.1. Structure of the MIB
1.1. MIB的结构

This MIB is structured into three groups and a single textual convention:

此MIB分为三个组和一个文本约定:

o The DHKeyChange textual convention defines the process for changing a secret key value via a Diffie-Helman key exchange.

o DHKeyChange文本约定定义了通过Diffie-Helman密钥交换更改密钥值的过程。

o The usmDHPublicObjects group contains a single object which describes the public Diffie-Helman parameters required by any instance of a DHKeyChange typed object.

o USMDHPPublicObjects组包含一个对象,该对象描述DHKeyChange类型对象的任何实例所需的公共Diffie-Helman参数。

o The usmDHUserKeyTable augments and extends the usmUserTable defined in the SNMPv3 User-based Security Model MIB [12] by providing objects which permit the updating of the Authentication and Privacy keys for a row in this table through the use of a Diffie-Helman key exchange.

o usmDHUserKeyTable通过提供允许通过使用Diffie-Helman密钥交换更新该表中某一行的身份验证和隐私密钥的对象,扩充和扩展了SNMPv3基于用户的安全模型MIB[12]中定义的usmUserTable。

o The usmDHKickstartTable provides a mechanism for a management station to be able to agree upon a set of authentication and confidentiality keys and their associated row in the usmUserTable.

o usmDHKickstartTable为管理站提供了一种机制,使其能够在usmUserTable中商定一组身份验证和机密密钥及其相关行。

2. Theory of Operation
2. 操作理论
2.1. Diffie-Helman Key Changes
2.1. 迪菲·赫尔曼的关键变化

Upon row creation (in the usmUserTable), or object change (either of the object in the usmDHUserKeyTable or its associated value in the usmUserTable), the agent generates a random number. From this random number, the agent uses the DH parameters and transforms to derive a DH public value which is then published to the associated MIB object. The management station reads one or more of the objects in the usmDHUserKeyTable to get the agent's DH public values.

在创建行(在usmUserTable中)或对象更改(在usmDHUserKeyTable中的对象或在usmUserTable中的关联值)时,代理将生成一个随机数。根据该随机数,代理使用DH参数和转换来导出DH公共值,然后将该值发布到关联的MIB对象。管理站读取usmDHUserKeyTable中的一个或多个对象,以获取代理的DH公共值。

The management station generates a random number, derives a DH public value from that random number (as described in the DHKeyChange Textual Convention), and does an SNMP SET against the object in the usmDHUserKeyTable. The set consists of the concatenation of the agent's derived DH public value and the manager's derived DH public value (to ensure the DHKeyChange object hasn't otherwise changed in the meantime).

管理站生成一个随机数,从该随机数中导出DH公共值(如DHKeyChange文本约定中所述),并针对usmDHUserKeyTable中的对象进行SNMP设置。该集合由代理的派生DH公共值和管理器的派生DH公共值的串联组成(以确保DHKeyChange对象在此期间没有发生其他更改)。

Upon successful completion of the set, the underlying key (authentication or confidentiality) for the associated object in the usmUserTable is changed to a key derived from the DH shared secret. Both the agent and the management station are able to calculate this value based on their knowledge of their own random number and the other's DH public number.

成功完成集合后,usmUserTable中关联对象的基础密钥(身份验证或机密性)将更改为从DH共享密钥派生的密钥。代理和管理站都能够根据他们自己的随机数和另一方的DH公共数的知识计算该值。

2.2. Diffie-Helman Key Ignition
2.2. Diffie-Helman钥匙点火开关

[12] recommends that the usmUserTable be populated out of band, for example - manually. This works reasonably well if there are a small number of agents, or if all the agents are using the same key material, and if the device is physically accessible for that action. It does not scale very well to the case of possibly millions of devices located in thousands of locations in hundreds of markets in

[12] 建议在带外填充usmUserTable,例如手动填充。如果存在少量代理,或者如果所有代理都使用相同的密钥材料,并且设备可以物理访问以执行该操作,则此功能相当有效。它无法很好地扩展到全球数百个市场的数千个地点,可能有数百万台设备

multiple countries. In other words, it doesn't work well with a cable modem system, and may not work all that well with other large-scale consumer broadband IP offerings.

多个国家。换句话说,它不能很好地与有线调制解调器系统配合使用,也不能很好地与其他大型消费宽带IP产品配合使用。

The methods described in the objects under the usmDHKickstartGroup can be used to populate the usmUserTable in the circumstances where you may be able to provide at least limited integrity for the provisioning process, but you can't guarantee confidentiality. In addition, as a side effect of using the DH exchange, the operational USM keys for each agent will differ from the operational USM keys for every other device in the system, ensuring that compromise of one device does not compromise the system as a whole.

在您可以为资源调配过程提供至少有限的完整性,但无法保证机密性的情况下,可以使用usmDHKickstartGroup下的对象中描述的方法填充usmUserTable。此外,作为使用DH exchange的一个副作用,每个代理的操作USM密钥将不同于系统中每个其他设备的操作USM密钥,以确保一个设备的危害不会危害整个系统。

The vendor who implements these objects is expected to provide one or more usmSecurityNames which map to a set of accesses defined in the VACM [15] tables. For example, the vendor may provide a 'root' user who has access to the entire device for read-write, and 'operator' user who has access to the network specific monitoring objects and can also reset the device, and a 'customer' user who has access to a subset of the monitoring objects which can be used to help the customer debug the device in conjunction with customer service questions.

实现这些对象的供应商应提供一个或多个USMSecurityName,这些名称映射到VACM[15]表中定义的一组访问。例如,供应商可以提供一个“root”用户,该用户可以访问整个设备进行读写,以及一个“operator”用户,该用户可以访问特定于网络的监控对象,还可以重置设备,以及“客户”用户,其具有对监控对象子集的访问权,该监控对象可用于结合客户服务问题帮助客户调试设备。

To use, the system manager (the organization or individual who own the group of devices) generates one or more random numbers - R. The manager derives the DH Public Numbers R' from these random numbers, associates the public numbers with a security name, and configures the agent with this association. The configuration would be done either manually (in the case of a small number of devices), or via some sort of distributed configuration file. The actual mechanism is outside the scope of this document. The agent in turn generates a random number for each name/number pair, and publishes the DH Public Number derived from its random number in the usmDHKickstartTable along with the manager's public number and provided security name.

要使用,系统管理员(拥有设备组的组织或个人)生成一个或多个随机数-R。管理员从这些随机数中导出DH公用数R',将公用数与安全名称关联,并使用此关联配置代理。配置可以手动完成(对于少量设备),也可以通过某种分布式配置文件完成。实际机制不在本文件范围内。代理依次为每个名称/数字对生成一个随机数,并在usmDHKickstartTable中发布从其随机数派生的DH公用号以及管理者的公用号和提供的安全名称。

Once the agent is initialized, an SNMP Manager can read the contents of the usmDHKickstartTable using the security name of 'dhKickstart' with no authentication. The manager looks for one or more entries in this table where it knows the random number used to derive the usmDHKickstartMgrPublic number. Given the manager's knowledge of the private random number, and the usmDHKickstartMyPublic number, the manager can calculate the DH shared secret. From that shared secret, it can derive the operational authentication and confidentiality keys for the usmUserTable row which has the matching security name. Given the keys and the security name, the manager can then use normal USM mechanisms to access the remainder of the agent's MIB space.

代理初始化后,SNMP管理器可以使用安全名称“dhKickstart”读取usmDHKickstartTable的内容,而无需进行身份验证。管理器在此表中查找一个或多个条目,其中它知道用于派生usmDHKickstartMgrPublic编号的随机数。考虑到管理者对私有随机数和usmDHKickstartMyPublic数的了解,管理者可以计算DH共享秘密。从该共享机密中,它可以为具有匹配安全名称的usmUserTable行派生操作身份验证和机密密钥。给定密钥和安全名称,管理器就可以使用普通的USM机制访问代理的MIB空间的其余部分。

3. Definitions
3. 定义
SNMP-USM-DH-OBJECTS-MIB DEFINITIONS ::= BEGIN
        
SNMP-USM-DH-OBJECTS-MIB DEFINITIONS ::= BEGIN
        

IMPORTS MODULE-IDENTITY, OBJECT-TYPE, -- OBJECT-IDENTITY, experimental, Integer32 FROM SNMPv2-SMI TEXTUAL-CONVENTION FROM SNMPv2-TC MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF usmUserEntry FROM SNMP-USER-BASED-SM-MIB SnmpAdminString FROM SNMP-FRAMEWORK-MIB;

从SNMPv2 SMI文本约定从SNMPv2 TC MODULE-COMPLIANCE从SNMPv2 CONF usmUserEntry从SNMP-USER-BASED-SM-MIB SnmpAdminString从SNMP-FRAMEWORK-MIB导入模块标识、对象类型、-对象标识、实验、整数32;

snmpUsmDHObjectsMIB MODULE-IDENTITY LAST-UPDATED "200003060000Z" -- 6 March 2000, Midnight ORGANIZATION "Excite@Home" CONTACT-INFO "Author: Mike StJohns Postal: Excite@Home 450 Broadway Redwood City, CA 94063 Email: stjohns@corp.home.net Phone: +1-650-556-5368"

snmpUsmDHObjectsMIB模块标识最后更新的“2000036000Z”-2000年3月6日,午夜组织”Excite@Home“联系人信息”作者:Mike StJohns Postal:Excite@Home加利福尼亚州百老汇红木城450号94063电子邮件:stjohns@corp.home.net电话:+1-650-556-5368“

DESCRIPTION "The management information definitions for providing forward secrecy for key changes for the usmUserTable, and for providing a method for 'kickstarting' access to the agent via a Diffie-Helman key agreement."

说明“管理信息定义,用于为usmUserTable的关键更改提供前向保密,并通过Diffie-Helman密钥协议提供“启动”代理访问的方法。”

REVISION "200003060000Z" DESCRIPTION "Initial version published as RFC 2786."

修订版“2000036000Z”说明“初始版本发布为RFC 2786。”

    ::= { experimental 101 }  -- IANA DHKEY-CHANGE 101
        
    ::= { experimental 101 }  -- IANA DHKEY-CHANGE 101
        

-- Administrative assignments

--行政任务

usmDHKeyObjects OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 1 }
usmDHKeyConformance OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 2 }
        
usmDHKeyObjects OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 1 }
usmDHKeyConformance OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 2 }
        

-- Textual conventions

--文本约定

DHKeyChange ::=         TEXTUAL-CONVENTION
    STATUS              current
    DESCRIPTION
        "Upon initialization, or upon creation of a row containing an
    object of this type, and after any successful SET of this value, a
    GET of this value returns 'y' where y = g^xa MOD p, and where g is
    the base from usmDHParameters, p is the prime from
    usmDHParameters, and xa is a new random integer selected by the
    agent in the interval 2^(l-1) <= xa < 2^l < p-1.  'l' is the
    optional privateValueLength from usmDHParameters in bits.  If 'l'
    is omitted, then xa (and xr below) is selected in the interval 0
    <= xa < p-1.  y is expressed as an OCTET STRING 'PV' of length 'k'
    which satisfies
        
DHKeyChange ::=         TEXTUAL-CONVENTION
    STATUS              current
    DESCRIPTION
        "Upon initialization, or upon creation of a row containing an
    object of this type, and after any successful SET of this value, a
    GET of this value returns 'y' where y = g^xa MOD p, and where g is
    the base from usmDHParameters, p is the prime from
    usmDHParameters, and xa is a new random integer selected by the
    agent in the interval 2^(l-1) <= xa < 2^l < p-1.  'l' is the
    optional privateValueLength from usmDHParameters in bits.  If 'l'
    is omitted, then xa (and xr below) is selected in the interval 0
    <= xa < p-1.  y is expressed as an OCTET STRING 'PV' of length 'k'
    which satisfies
        

k y = SUM 2^(8(k-i)) PV'i i=1

ky=SUM 2^(8(k-i))PV'i=1

where PV1,...,PVk are the octets of PV from first to last, and where PV1 <> 0.

其中PV1,…,PVk是从第一个到最后一个的PV的八位字节,其中PV1<>0。

A successful SET consists of the value 'y' expressed as an OCTET STRING as above concatenated with the value 'z'(expressed as an OCTET STRING in the same manner as y) where z = g^xr MOD p, where g, p and l are as above, and where xr is a new random integer selected by the manager in the interval 2^(l-1) <= xr < 2^l < p-1. A SET to an object of this type will fail with the error wrongValue if the current 'y' does not match the 'y' portion of the value of the varbind for the object. (E.g. GET yout, SET concat(yin, z), yout <> yin).

一个成功的集合由值“y”组成,表示为八位字符串,如上所述,与值“z”(表示为八位字符串,方式与y相同),其中z=g^xr MOD p,其中g、p和l如上所述,其中xr是管理器在间隔2^(l-1)<=xr<2^l<p-1中选择的新随机整数。如果当前的“y”与对象的varbind值的“y”部分不匹配,则对此类型的对象的设置将失败,并返回错误值。(例如,获取yout,设置concat(yin,z),yout<>yin)。

Note that the private values xa and xr are never transmitted from manager to device or vice versa, only the values y and z. Obviously, these values must be retained until a successful SET on the associated object.

请注意,专用值xa和xr从未从管理器传输到设备,反之亦然,只有值y和z。显然,必须保留这些值,直到在关联对象上成功设置为止。

The shared secret 'sk' is calculated at the agent as sk = z^xa MOD p, and at the manager as sk = y^xr MOD p.

共享密钥“sk”在代理处计算为sk=z^xa MOD p,在管理器处计算为sk=y^xr MOD p。

Each object definition of this type MUST describe how to map from the shared secret 'sk' to the operational key value used by the protocols and operations related to the object. In general, if n bits of key are required, the author suggests using the n right-most bits of the shared secret as the operational key value." REFERENCE "-- Diffie-Hellman Key-Agreement Standard, PKCS #3; RSA Laboratories, November 1993" SYNTAX OCTET STRING

此类型的每个对象定义必须描述如何从共享密钥“sk”映射到与对象相关的协议和操作所使用的操作密钥值。一般来说,如果需要n位密钥,作者建议使用共享密钥最右边的n位作为操作密钥值。“参考”--Diffie-Hellman密钥协议标准,PKCS#3;RSA实验室,1993年11月“语法八位字节字符串

-- Diffie Hellman public values

--迪菲·赫尔曼公共价值观

usmDHPublicObjects      OBJECT IDENTIFIER ::= { usmDHKeyObjects 1 }
        
usmDHPublicObjects      OBJECT IDENTIFIER ::= { usmDHKeyObjects 1 }
        

usmDHParameters OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-write STATUS current DESCRIPTION "The public Diffie-Hellman parameters for doing a Diffie-Hellman key agreement for this device. This is encoded as an ASN.1 DHParameter per PKCS #3, section 9. E.g.

USMDHPParameters对象类型语法八位字符串MAX-ACCESS读写状态当前描述“用于为此设备执行Diffie-Hellman密钥协议的公共Diffie-Hellman参数。根据PKCS#3第9节,该参数被编码为ASN.1 DHParameter。例如:。

        DHParameter ::= SEQUENCE {
           prime   INTEGER,   -- p
           base    INTEGER,   -- g
           privateValueLength  INTEGER OPTIONAL }
        
        DHParameter ::= SEQUENCE {
           prime   INTEGER,   -- p
           base    INTEGER,   -- g
           privateValueLength  INTEGER OPTIONAL }
        

Implementors are encouraged to use either the values from Oakley Group 1 or the values of from Oakley Group 2 as specified in RFC-2409, The Internet Key Exchange, Section 6.1, 6.2 as the default for this object. Other values may be used, but the security properties of those values MUST be well understood and MUST meet the requirements of PKCS #3 for the selection of Diffie-Hellman primes.

鼓励实施者使用RFC-2409《互联网密钥交换》第6.1、6.2节中规定的来自Oakley组1的值或来自Oakley组2的值作为此对象的默认值。可以使用其他值,但必须充分了解这些值的安全属性,并且必须满足PKCS#3中选择Diffie-Hellman素数的要求。

        In addition, any time usmDHParameters changes, all values of
    type DHKeyChange will change and new random numbers MUST be
    generated by the agent for each DHKeyChange object."
    REFERENCE
        "-- Diffie-Hellman Key-Agreement Standard, PKCS #3,
            RSA Laboratories, November 1993
         -- The Internet Key Exchange, RFC 2409, November 1998,
            Sec 6.1, 6.2"
    ::= { usmDHPublicObjects 1 }
        
        In addition, any time usmDHParameters changes, all values of
    type DHKeyChange will change and new random numbers MUST be
    generated by the agent for each DHKeyChange object."
    REFERENCE
        "-- Diffie-Hellman Key-Agreement Standard, PKCS #3,
            RSA Laboratories, November 1993
         -- The Internet Key Exchange, RFC 2409, November 1998,
            Sec 6.1, 6.2"
    ::= { usmDHPublicObjects 1 }
        

usmDHUserKeyTable OBJECT-TYPE SYNTAX SEQUENCE OF UsmDHUserKeyEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table augments and extends the usmUserTable and provides 4 objects which exactly mirror the objects in that table with the textual convention of 'KeyChange'. This extension allows key changes to be done in a manner where the knowledge of the current secret plus knowledge of the key change data exchanges (e.g. via wiretapping) will not reveal the new key."

UsmDHUserKeyEntry MAX-ACCESS的usmDHUserKeyTable对象类型语法序列不可访问状态当前描述“此表扩充和扩展了usmUserTable,并提供了4个对象,这些对象使用“KeyChange”文本约定精确镜像该表中的对象。此扩展允许以一种方式进行密钥更改,即了解当前机密加上了解密钥更改数据交换(例如通过窃听)不会泄露新密钥。”

    ::= { usmDHPublicObjects 2 }
        
    ::= { usmDHPublicObjects 2 }
        
usmDHUserKeyEntry OBJECT-TYPE
    SYNTAX  UsmDHUserKeyEntry
    MAX-ACCESS not-accessible
    STATUS  current
    DESCRIPTION
        "A row of DHKeyChange objects which augment or replace the
    functionality of the KeyChange objects in the base table row."
    AUGMENTS { usmUserEntry }
    ::= {usmDHUserKeyTable 1 }
        
usmDHUserKeyEntry OBJECT-TYPE
    SYNTAX  UsmDHUserKeyEntry
    MAX-ACCESS not-accessible
    STATUS  current
    DESCRIPTION
        "A row of DHKeyChange objects which augment or replace the
    functionality of the KeyChange objects in the base table row."
    AUGMENTS { usmUserEntry }
    ::= {usmDHUserKeyTable 1 }
        
UsmDHUserKeyEntry ::= SEQUENCE {
        usmDHUserAuthKeyChange          DHKeyChange,
    usmDHUserOwnAuthKeyChange   DHKeyChange,
        usmDHUserPrivKeyChange          DHKeyChange,
        usmDHUserOwnPrivKeyChange       DHKeyChange
        }
        
UsmDHUserKeyEntry ::= SEQUENCE {
        usmDHUserAuthKeyChange          DHKeyChange,
    usmDHUserOwnAuthKeyChange   DHKeyChange,
        usmDHUserPrivKeyChange          DHKeyChange,
        usmDHUserOwnPrivKeyChange       DHKeyChange
        }
        

usmDHUserAuthKeyChange OBJECT-TYPE SYNTAX DHKeyChange MAX-ACCESS read-create STATUS current DESCRIPTION "The object used to change any given user's Authentication Key using a Diffie-Hellman key exchange.

usmDHUserAuthKeyChange对象类型语法DHKeyChange MAX-ACCESS read create STATUS current DESCRIPTION“用于使用Diffie-Hellman密钥交换更改任何给定用户的身份验证密钥的对象。

    The right-most n bits of the shared secret 'sk', where 'n' is the
    number of bits required for the protocol defined by
    usmUserAuthProtocol, are installed as the operational
    authentication key for this row after a successful SET."
    ::= { usmDHUserKeyEntry 1 }
        
    The right-most n bits of the shared secret 'sk', where 'n' is the
    number of bits required for the protocol defined by
    usmUserAuthProtocol, are installed as the operational
    authentication key for this row after a successful SET."
    ::= { usmDHUserKeyEntry 1 }
        

usmDHUserOwnAuthKeyChange OBJECT-TYPE SYNTAX DHKeyChange MAX-ACCESS read-create STATUS current DESCRIPTION "The object used to change the agents own Authentication Key using a Diffie-Hellman key exchange.

usmDHUserOwnAuthKeyChange对象类型语法DHKeyChange MAX-ACCESS read create STATUS current DESCRIPTION“用于使用Diffie-Hellman密钥交换更改代理自己的身份验证密钥的对象。

    The right-most n bits of the shared secret 'sk', where 'n' is the
    number of bits required for the protocol defined by
    usmUserAuthProtocol, are installed as the operational
    authentication key for this row after a successful SET."
    ::= { usmDHUserKeyEntry 2 }
        
    The right-most n bits of the shared secret 'sk', where 'n' is the
    number of bits required for the protocol defined by
    usmUserAuthProtocol, are installed as the operational
    authentication key for this row after a successful SET."
    ::= { usmDHUserKeyEntry 2 }
        

usmDHUserPrivKeyChange OBJECT-TYPE

usmDHUserPrivKeyChange对象类型

SYNTAX DHKeyChange MAX-ACCESS read-create STATUS current DESCRIPTION "The object used to change any given user's Privacy Key using a Diffie-Hellman key exchange.

语法DHKeyChange MAX-ACCESS read create STATUS current DESCRIPTION“用于使用Diffie-Hellman密钥交换更改任何给定用户的隐私密钥的对象。

    The right-most n bits of the shared secret 'sk', where 'n' is the
    number of bits required for the protocol defined by
    usmUserPrivProtocol, are installed as the operational privacy key
    for this row after a successful SET."
    ::= { usmDHUserKeyEntry 3 }
        
    The right-most n bits of the shared secret 'sk', where 'n' is the
    number of bits required for the protocol defined by
    usmUserPrivProtocol, are installed as the operational privacy key
    for this row after a successful SET."
    ::= { usmDHUserKeyEntry 3 }
        

usmDHUserOwnPrivKeyChange OBJECT-TYPE SYNTAX DHKeyChange MAX-ACCESS read-create STATUS current DESCRIPTION "The object used to change the agent's own Privacy Key using a Diffie-Hellman key exchange.

usmDHUserOwnPrivKeyChange对象类型语法DHKeyChange MAX-ACCESS read create STATUS current DESCRIPTION“用于使用Diffie-Hellman密钥交换更改代理自己的隐私密钥的对象。

    The right-most n bits of the shared secret 'sk', where 'n' is the
    number of bits required for the protocol defined by
    usmUserPrivProtocol, are installed as the operational privacy key
    for this row after a successful SET."
    ::= { usmDHUserKeyEntry 4 }
        
    The right-most n bits of the shared secret 'sk', where 'n' is the
    number of bits required for the protocol defined by
    usmUserPrivProtocol, are installed as the operational privacy key
    for this row after a successful SET."
    ::= { usmDHUserKeyEntry 4 }
        
usmDHKickstartGroup OBJECT IDENTIFIER ::= { usmDHKeyObjects 2 }
        
usmDHKickstartGroup OBJECT IDENTIFIER ::= { usmDHKeyObjects 2 }
        

usmDHKickstartTable OBJECT-TYPE SYNTAX SEQUENCE OF UsmDHKickstartEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of mappings between zero or more Diffie-Helman key agreement values and entries in the usmUserTable. Entries in this table are created by providing the associated device with a Diffie-Helman public value and a usmUserName/usmUserSecurityName pair during initialization. How these values are provided is outside the scope of this MIB, but could be provided manually, or through a configuration file. Valid public value/name pairs result in the creation of a row in this table as well as the creation of an associated row (with keys derived as indicated) in the usmUserTable. The actual access the related usmSecurityName has is dependent on the entries in the VACM tables. In general, an implementor will specify one or more standard security names and will provide entries in the VACM tables granting various levels of access to those names. The actual content of the VACM

UsmDHKickstartEntry MAX-ACCESS的usmDHKickstartTable对象类型语法序列不可访问状态当前说明“零个或多个Diffie Helman密钥协议值与usmUserTable中的条目之间的映射表。此表中的条目是通过在初始化期间向关联设备提供Diffie Helman公共值和usmUserName/USMusersSecurityName对来创建的。如何提供这些值超出了此MIB的范围,但可以手动提供,也可以通过配置文件提供。有效的公共值/名称对会导致在此表中创建一行,以及在usmUserTable中创建一个关联行(按指示派生键)。相关usmSecurityName的实际访问权限取决于VACM表中的条目。通常,实现者将指定一个或多个标准安全名称,并在VACM表中提供条目,授予对这些名称的不同级别的访问权限。VACM的实际内容

table is beyond the scope of this MIB.

表超出了此MIB的范围。

    Note: This table is expected to be readable without authentication
    using the usmUserSecurityName 'dhKickstart'.  See the conformance
    statements for details."
    ::= { usmDHKickstartGroup 1 }
        
    Note: This table is expected to be readable without authentication
    using the usmUserSecurityName 'dhKickstart'.  See the conformance
    statements for details."
    ::= { usmDHKickstartGroup 1 }
        

usmDHKickstartEntry OBJECT-TYPE SYNTAX UsmDHKickstartEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION

usmDHKickstartEntry对象类型语法usmDHKickstartEntry MAX-ACCESS不可访问状态当前说明

"An entry in the usmDHKickstartTable. The agent SHOULD either delete this entry or mark it as inactive upon a successful SET of any of the KeyChange-typed objects in the usmUserEntry or upon a successful SET of any of the DHKeyChange-typed objects in the usmDhKeyChangeEntry where the related usmSecurityName (e.g. row of usmUserTable or row of ushDhKeyChangeTable) equals this entry's usmDhKickstartSecurityName. In otherwords, once you've changed one or more of the keys for a row in usmUserTable with a particular security name, the row in this table with that same security name is no longer useful or meaningful."

“usmDHKickstartTable中的一个条目。在USMuseEntry中成功设置了任何KeyChange类型的对象后,或者在usmDhKeyChangeEntry中成功设置了任何DHKeyChange类型的对象(其中相关的USMSSecurityName(例如,usmUserTable的行或ushDhKeyChangeTable的行)等于此条目的usmDhKickstartSecurityName。换句话说,一旦您更改了usmUserTable中具有特定安全名称的行的一个或多个键,此表中具有相同安全名称的行将不再有用或有意义。”

    INDEX   { usmDHKickstartIndex }
    ::= {usmDHKickstartTable 1 }
        
    INDEX   { usmDHKickstartIndex }
    ::= {usmDHKickstartTable 1 }
        
UsmDHKickstartEntry ::= SEQUENCE  {
        usmDHKickstartIndex     Integer32,
        usmDHKickstartMyPublic  OCTET STRING,
        usmDHKickstartMgrPublic OCTET STRING,
        usmDHKickstartSecurityName      SnmpAdminString
        }
        
UsmDHKickstartEntry ::= SEQUENCE  {
        usmDHKickstartIndex     Integer32,
        usmDHKickstartMyPublic  OCTET STRING,
        usmDHKickstartMgrPublic OCTET STRING,
        usmDHKickstartSecurityName      SnmpAdminString
        }
        
usmDHKickstartIndex OBJECT-TYPE
    SYNTAX      Integer32  (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Index value for this row."
    ::= { usmDHKickstartEntry 1 }
        
usmDHKickstartIndex OBJECT-TYPE
    SYNTAX      Integer32  (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Index value for this row."
    ::= { usmDHKickstartEntry 1 }
        

usmDHKickstartMyPublic OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "The agent's Diffie-Hellman public value for this row. At

usmDHKickstartMyPublic对象类型语法八位组字符串MAX-ACCESS只读状态当前描述“此行的代理的Diffie Hellman公共值。位于

    initialization, the agent generates a random number and derives
    its public value from that number.  This public value is published
    here.  This public value 'y' equals g^r MOD p where g is the from
    the set of Diffie-Hellman parameters, p is the prime from those
    parameters, and r is a random integer selected by the agent in the
    interval 2^(l-1) <= r < p-1 < 2^l.  If l is unspecified, then r is
    a random integer selected in the interval 0 <= r < p-1
        
    initialization, the agent generates a random number and derives
    its public value from that number.  This public value is published
    here.  This public value 'y' equals g^r MOD p where g is the from
    the set of Diffie-Hellman parameters, p is the prime from those
    parameters, and r is a random integer selected by the agent in the
    interval 2^(l-1) <= r < p-1 < 2^l.  If l is unspecified, then r is
    a random integer selected in the interval 0 <= r < p-1
        

The public value is expressed as an OCTET STRING 'PV' of length 'k' which satisfies

公共值表示为长度为“k”的八位字节字符串“PV”,满足

k y = SUM 2^(8(k-i)) PV'i i = 1

ky=SUM 2^(8(k-i))PV'i=1

where PV1,...,PVk are the octets of PV from first to last, and where PV1 != 0.

其中PV1,…,PVk是从第一个到最后一个的PV的八位字节,其中PV1!=0

The following DH parameters (Oakley group #2, RFC 2409, sec 6.1, 6.2) are used for this object:

以下DH参数(Oakley group#2,RFC 2409,第6.1、6.2节)用于该对象:

    g = 2
    p = FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
        29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
        EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
        E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
        EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
        FFFFFFFF FFFFFFFF
    l=1024
    "
    REFERENCE
        "-- Diffie-Hellman Key-Agreement Standard, PKCS#3v1.4;
            RSA Laboratories, November 1993
         -- The Internet Key Exchange, RFC2409;
            Harkins, D., Carrel, D.; November 1998"
    ::= { usmDHKickstartEntry 2 }
        
    g = 2
    p = FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
        29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
        EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
        E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
        EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
        FFFFFFFF FFFFFFFF
    l=1024
    "
    REFERENCE
        "-- Diffie-Hellman Key-Agreement Standard, PKCS#3v1.4;
            RSA Laboratories, November 1993
         -- The Internet Key Exchange, RFC2409;
            Harkins, D., Carrel, D.; November 1998"
    ::= { usmDHKickstartEntry 2 }
        

usmDHKickstartMgrPublic OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION

usmDHKickstartMgrPublic对象类型语法八位字符串MAX-ACCESS只读状态当前说明

"The manager's Diffie-Hellman public value for this row. Note that this value is not set via the SNMP agent, but may be set via some out of band method, such as the device's configuration file.

“管理器此行的Diffie-Hellman公共值。请注意,此值不是通过SNMP代理设置的,而是可以通过某些带外方法设置的,例如设备的配置文件。”。

The manager calculates this value in the same manner and using the same parameter set as the agent does. E.g. it selects a random number 'r', calculates y = g^r mod p and provides 'y' as the public number expressed as an OCTET STRING. See usmDHKickstartMyPublic for details.

管理器以与代理相同的方式和使用相同的参数集计算此值。例如,它选择一个随机数“r”,计算y=g^r mod p,并提供“y”作为表示为八位字节字符串的公共数。有关详细信息,请参阅usmDHKickstartMyPublic。

When this object is set with a valid value during initialization, a row is created in the usmUserTable with the following values:

如果在初始化期间使用有效值设置此对象,则会在usmUserTable中创建一行,其中包含以下值:

usmUserEngineID localEngineID usmUserName [value of usmDHKickstartSecurityName] usmUserSecurityName [value of usmDHKickstartSecurityName] usmUserCloneFrom ZeroDotZero usmUserAuthProtocol usmHMACMD5AuthProtocol usmUserAuthKeyChange -- derived from set value usmUserOwnAuthKeyChange -- derived from set value usmUserPrivProtocol usmDESPrivProtocol usmUserPrivKeyChange -- derived from set value usmUserOwnPrivKeyChange -- derived from set value usmUserPublic '' usmUserStorageType permanent usmUserStatus active

usmUserEngineID localEngineID usmUserName[usmDHKickstartSecurityName的值]usmUserSecurityName[usmDHKickstartSecurityName的值]USMUSERCONE从零点零usmUserAuthProtocol usmHMACMD5AuthProtocol usmUserAuthKeyChange从设定值USMUSEROWNAUTKEYCHANGE从设定值usmUserPrivProtocol usmDESPrivProtocol usmUserPrivKeyChange从设定值USMUSERROWNPRIVKEYCHANGE从设定值usmUserPublic“”usmUserStorageType派生永久性usmUserStatus激活

A shared secret 'sk' is calculated at the agent as sk = mgrPublic^r mod p where r is the agents random number and p is the DH prime from the common parameters. The underlying privacy key for this row is derived from sk by applying the key derivation function PBKDF2 defined in PKCS#5v2.0 with a salt of 0xd1310ba6, and iterationCount of 500, a keyLength of 16 (for usmDESPrivProtocol), and a prf (pseudo random function) of 'id-hmacWithSHA1'. The underlying authentication key for this row is derived from sk by applying the key derivation function PBKDF2 with a salt of 0x98dfb5ac , an interation count of 500, a keyLength of 16 (for usmHMAC5AuthProtocol), and a prf of 'id-hmacWithSHA1'. Note: The salts are the first two words in the ks0 [key schedule 0] of the BLOWFISH cipher from 'Applied Cryptography' by Bruce Schnier - they could be any relatively random string of bits.

共享秘密“sk”在代理处计算为sk=mgrPublic^r mod p,其中r是代理随机数,p是公共参数的DH素数。通过应用PKCS#5v2.0中定义的密钥派生函数PBKDF2,salt为0xd1310ba6,迭代计数为500,密钥长度为16(对于usmDESPrivProtocol),prf(伪随机函数)为“id-hmacWithSHA1”,从sk派生出此行的底层隐私密钥。此行的基础身份验证密钥是通过应用密钥派生函数PBKDF2从sk派生的,其salt为0x98dfb5ac,交互计数为500,密钥长度为16(对于usmHMAC5AuthProtocol),prf为“id-hmacWithSHA1”。注:SALT是Bruce Schnier的“应用加密”中的BLOWFISH密码ks0[密钥表0]中的前两个字-它们可以是任何相对随机的比特串。

The manager can use its knowledge of its own random number and the agent's public value to kickstart its access to the agent in a secure manner. Note that the security of this approach is directly related to the strength of the authorization security of the out of band provisioning of the managers public value (e.g. the configuration file), but is not dependent at all on the strength of the confidentiality of the out of band provisioning data." REFERENCE

管理者可以利用其对自身随机数和代理的公共价值的了解,以安全的方式启动对代理的访问。请注意,此方法的安全性与Manager公共值(例如,配置文件)带外资源调配的授权安全强度直接相关,但完全不依赖于带外资源调配数据的保密性。”参考

        "-- Password-Based Cryptography Standard, PKCS#5v2.0;
            RSA Laboratories, March 1999
         -- Applied Cryptography, 2nd Ed.; B. Schneier,
            Counterpane Systems; John Wiley & Sons, 1996"
    ::= { usmDHKickstartEntry 3 }
        
        "-- Password-Based Cryptography Standard, PKCS#5v2.0;
            RSA Laboratories, March 1999
         -- Applied Cryptography, 2nd Ed.; B. Schneier,
            Counterpane Systems; John Wiley & Sons, 1996"
    ::= { usmDHKickstartEntry 3 }
        
usmDHKickstartSecurityName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The usmUserName and usmUserSecurityName in the usmUserTable
    associated with this row.  This is provided in the same manner and
    at the same time as the usmDHKickstartMgrPublic value -
    e.g. possibly manually, or via the device's configuration file."
    ::= { usmDHKickstartEntry 4 }
        
usmDHKickstartSecurityName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The usmUserName and usmUserSecurityName in the usmUserTable
    associated with this row.  This is provided in the same manner and
    at the same time as the usmDHKickstartMgrPublic value -
    e.g. possibly manually, or via the device's configuration file."
    ::= { usmDHKickstartEntry 4 }
        

-- Conformance Information

--一致性信息

usmDHKeyMIBCompliances  OBJECT IDENTIFIER ::= { usmDHKeyConformance 1 }
usmDHKeyMIBGroups       OBJECT IDENTIFIER ::= { usmDHKeyConformance 2 }
        
usmDHKeyMIBCompliances  OBJECT IDENTIFIER ::= { usmDHKeyConformance 1 }
usmDHKeyMIBGroups       OBJECT IDENTIFIER ::= { usmDHKeyConformance 2 }
        

-- Compliance statements

--合规声明

usmDHKeyMIBCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for this module." MODULE GROUP usmDHKeyMIBBasicGroup DESCRIPTION "This group MAY be implemented by any agent which implements the usmUserTable and which wishes to provide the ability to change user and agent authentication and privacy keys via Diffie-Hellman key exchanges."

USMDHKEYMIB符合性模块-符合性状态当前说明“此模块的符合性声明”。模块组USMDHKEYMIB基本组说明“此组可由实现usmUserTable并希望通过Diffie-Hellman密钥交换提供更改用户和代理身份验证和隐私密钥的能力的任何代理实现。”

GROUP usmDHKeyParamGroup DESCRIPTION "This group MUST be implemented by any agent which implements a MIB containing the DHKeyChange Textual Convention defined in this module."

GROUP usmDHKeyParamGroup DESCRIPTION“此组必须由实现包含此模块中定义的DHKeyChange文本约定的MIB的任何代理实现。”

GROUP usmDHKeyKickstartGroup DESCRIPTION "This group MAY be implemented by any agent which implements the usmUserTable and which wishes the ability to populate the USM table based on out-of-band provided DH ignition values.

组usmDHKeyKickstartGroup DESCRIPTION“此组可由实现usmUserTable的任何代理实现,并且希望能够基于带外提供的DH点火值填充USM表。

Any agent implementing this group is expected to provide preinstalled entries in the vacm tables as follows:

实现此组的任何代理都应在vacm表中提供预安装的条目,如下所示:

In the usmUserTable: This entry allows access to the system and dhKickstart groups

在usmUserTable中:此条目允许访问系统和dhKickstart组

usmUserEngineID localEngineID usmUserName 'dhKickstart' usmUserSecurityName 'dhKickstart' usmUserCloneFrom ZeroDotZero usmUserAuthProtocol none usmUserAuthKeyChange '' usmUserOwnAuthKeyChange '' usmUserPrivProtocol none usmUserPrivKeyChange '' usmUserOwnPrivKeyChange '' usmUserPublic '' usmUserStorageType permanent usmUserStatus active

usmUserEngineID localEngineID usmUserName“dhKickstart”usmUserSecurityName“dhKickstart”UsmuserClone from zero usmUserAuthProtocol无usmUserAuthKeyChange“”UsmuserRowNauthKeyChange“”usmUserPrivKeyChange“”usmUserPublic“”usmUserStorageType永久UsurStatus激活

In the vacmSecurityToGroupTable: This maps the initial user into the accessible objects.

在vacmSecurityToGroupTable中:将初始用户映射到可访问对象。

vacmSecurityModel 3 (USM) vacmSecurityName 'dhKickstart' vacmGroupName 'dhKickstart' vacmSecurityToGroupStorageType permanent vacmSecurityToGroupStatus active

vacmSecurityModel 3(USM)vacmSecurityName“dhKickstart”vacmGroupName“dhKickstart”VacMsecurityToGroup存储类型永久VacMsecurityToGroup状态激活

In the vacmAccessTable: Group name to view name translation.

在vacmAccessTable中:组名以查看名称转换。

vacmGroupName 'dhKickstart' vacmAccessContextPrefix '' vacmAccessSecurityModel 3 (USM) vacmAccessSecurityLevel noAuthNoPriv vacmAccessContextMatch exact vacmAccessReadViewName 'dhKickRestricted' vacmAccessWriteViewName '' vacmAccessNotifyViewName 'dhKickRestricted' vacmAccessStorageType permanent vacmAccessStatus active

vacmGroupName“dhKickstart”vacmAccessContextPrefix“vacmAccessSecurityModel 3(USM)vacmAccessSecurityLevel noAuthNoPriv vacmAccessContextMatch精确vacmAccessReadViewName“dhKickRestricted”vacmAccessWriteViewName“vacmAccessNotifyViewName”dhKickRestricted“vacmAccessStorageType永久vacmAccessStatus活动

In the vacmViewTreeFamilyTable: Two entries to allow the initial entry to access the system and kickstart groups.

在vacmViewTreeFamilyTable中:两个条目,允许初始条目访问系统和kickstart组。

vacmViewTreeFamilyViewName 'dhKickRestricted' vacmViewTreeFamilySubtree 1.3.6.1.2.1.1 (system) vacmViewTreeFamilyMask ''

vacmViewTreeFamilyViewName“dhKickRestricted”VacMViewtreeFamily子树1.3.6.1.2.1.1(系统)vacmViewTreeFamilyMask“

vacmViewTreeFamilyType 1 vacmViewTreeFamilyStorageType permanent vacmViewTreeFamilyStatus active

vacmViewTreeFamilyType 1 vacmViewTreeFamilyStorageType永久性vacmViewTreeFamilyStatus激活

vacmViewTreeFamilyViewName 'dhKickRestricted' vacmViewTreeFamilySubtree (usmDHKickstartTable OID) vacmViewTreeFamilyMask '' vacmViewTreeFamilyType 1 vacmViewTreeFamilyStorageType permanent vacmViewTreeFamilyStatus active "

vacmViewTreeFamilyViewName“dhKickRestricted”vacmViewTreeFamilySubtree(USMDHKICKStartable OID)vacmViewTreeFamilyMask“vacmViewTreeFamilyType 1 vacmViewTreeFamilyStorageType永久vacmViewTreeFamilyStatus激活”

OBJECT usmDHParameters MIN-ACCESS read-only DESCRIPTION "It is compliant to implement this object as read-only for any device."

对象usmDHParameters MIN-ACCESS只读说明“将此对象实现为任何设备的只读是符合要求的。”

    ::= { usmDHKeyMIBCompliances 1 }
        
    ::= { usmDHKeyMIBCompliances 1 }
        

-- Units of Compliance

--遵守单位

usmDHKeyMIBBasicGroup OBJECT-GROUP
    OBJECTS     {
                  usmDHUserAuthKeyChange,
                  usmDHUserOwnAuthKeyChange,
                  usmDHUserPrivKeyChange,
                  usmDHUserOwnPrivKeyChange
                }
    STATUS      current
    DESCRIPTION
        ""
    ::= { usmDHKeyMIBGroups 1 }
        
usmDHKeyMIBBasicGroup OBJECT-GROUP
    OBJECTS     {
                  usmDHUserAuthKeyChange,
                  usmDHUserOwnAuthKeyChange,
                  usmDHUserPrivKeyChange,
                  usmDHUserOwnPrivKeyChange
                }
    STATUS      current
    DESCRIPTION
        ""
    ::= { usmDHKeyMIBGroups 1 }
        
usmDHKeyParamGroup OBJECT-GROUP
    OBJECTS     {
                  usmDHParameters
                }
    STATUS      current
    DESCRIPTION
        "The mandatory object for all MIBs which use the DHKeyChange
    textual convention."
    ::= { usmDHKeyMIBGroups 2 }
        
usmDHKeyParamGroup OBJECT-GROUP
    OBJECTS     {
                  usmDHParameters
                }
    STATUS      current
    DESCRIPTION
        "The mandatory object for all MIBs which use the DHKeyChange
    textual convention."
    ::= { usmDHKeyMIBGroups 2 }
        

usmDHKeyKickstartGroup OBJECT-GROUP OBJECTS { usmDHKickstartMyPublic, usmDHKickstartMgrPublic,

usmDHKeyKickstartGroup对象组对象{usmDHKickstartMyPublic,usmDHKickstartMgrPublic,

                  usmDHKickstartSecurityName
                }
    STATUS      current
    DESCRIPTION
        "The objects used for kickstarting one or more SNMPv3 USM
    associations via a configuration file or other out of band,
    non-confidential access."
    ::= { usmDHKeyMIBGroups 3 }
        
                  usmDHKickstartSecurityName
                }
    STATUS      current
    DESCRIPTION
        "The objects used for kickstarting one or more SNMPv3 USM
    associations via a configuration file or other out of band,
    non-confidential access."
    ::= { usmDHKeyMIBGroups 3 }
        

END

终止

4. References
4. 工具书类

[1] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2571, April 1999.

[1] Harrington,D.,Presohn,R.和B.Wijnen,“描述SNMP管理框架的体系结构”,RFC 2571,1999年4月。

[2] Rose, M. and K. McCloghrie, "Structure and Identification of Management Information for TCP/IP-based Internets", STD 16, RFC 1155, May 1990.

[2] Rose,M.和K.McCloghrie,“基于TCP/IP的互联网管理信息的结构和识别”,STD 16,RFC 1155,1990年5月。

[3] Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16, RFC 1212, March 1991.

[3] Rose,M.和K.McCloghrie,“简明MIB定义”,STD 16,RFC 1212,1991年3月。

[4] Rose, M., "A Convention for Defining Traps for use with the SNMP", RFC 1215, March 1991.

[4] Rose,M.“定义用于SNMP的陷阱的约定”,RFC1215,1991年3月。

[5] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[5] McCloghrie,K.,Perkins,D.,Schoenwaeld,J.,Case,J.,Rose,M.和S.Waldbusser,“管理信息的结构版本2(SMIv2)”,STD 58,RFC 2578,1999年4月。

[6] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.

[6] McCloghrie,K.,Perkins,D.,Schoenwaeld,J.,Case,J.,Rose,M.和S.Waldbusser,“SMIv2的文本约定”,STD 58,RFC 2579,1999年4月。

[7] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.

[7] McCloghrie,K.,Perkins,D.,Schoenwaeld,J.,Case,J.,Rose,M.和S.Waldbusser,“SMIv2的一致性声明”,STD 58,RFC 25801999年4月。

[8] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple Network Management Protocol", STD 15, RFC 1157, May 1990.

[8] Case,J.,Fedor,M.,Schoffstall,M.和J.Davin,“简单网络管理协议”,STD 15,RFC 1157,1990年5月。

[9] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, January 1996.

[9] Case,J.,McCloghrie,K.,Rose,M.和S.Waldbusser,“基于社区的SNMPv2简介”,RFC 19011996年1月。

[10] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, January 1996.

[10] Case,J.,McCloghrie,K.,Rose,M.和S.Waldbusser,“简单网络管理协议(SNMPv2)版本2的传输映射”,RFC 1906,1996年1月。

[11] Case, J., Harrington D., Presuhn R. and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2572, April 1999.

[11] Case,J.,Harrington D.,Presohn R.和B.Wijnen,“简单网络管理协议(SNMP)的消息处理和调度”,RFC 2572,1999年4月。

[12] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2574, April 1999.

[12] Blumenthal,U.和B.Wijnen,“简单网络管理协议(SNMPv3)第3版的基于用户的安全模型(USM)”,RFC 2574,1999年4月。

[13] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, January 1996.

[13] Case,J.,McCloghrie,K.,Rose,M.和S.Waldbusser,“简单网络管理协议(SNMPv2)版本2的协议操作”,RFC 1905,1996年1月。

[14] Levi, D., Meyer, P. and B. Stewart, "SNMPv3 Applications", RFC 2573, April 1999.

[14] Levi,D.,Meyer,P.和B.Stewart,“SNMPv3应用”,RFC2573,1999年4月。

[15] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 2575, April 1999.

[15] Wijnen,B.,Presuhn,R.和K.McCloghrie,“用于简单网络管理协议(SNMP)的基于视图的访问控制模型(VACM)”,RFC2575,1999年4月。

[16] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[16] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[17] "Diffie-Hellman Key-Agreement Standard, Version 1.4", PKCS #3, RSA Laboratories, November 1993.

[17] “Diffie-Hellman密钥协议标准,1.4版”,PKCS#3,RSA实验室,1993年11月。

[18] Harkins, D. and D. Carrel, "The Internet Key Exchange", RFC 2409, November 1988.

[18] Harkins,D.和D.Carrel,“互联网密钥交换”,RFC 2409,1988年11月。

[19] Eastlake, D., Crocker, S. and J. Schiller, "Randomness Recommendations for Security", RFC 1750, December 1994.

[19] Eastlake,D.,Crocker,S.和J.Schiller,“安全性的随机性建议”,RFC 1750,1994年12月。

5. Security Considerations
5. 安全考虑

Objects in the usmDHUserKeyTable should be considered to have the same security sensitivity as the objects of the KeyChange type in usmUserTable and should be afforded the same level of protection. Specifically, the VACM should not grant more or less access to these objects than it grants to the usmUserTable KeyChange object.

应将usmDHUserKeyTable中的对象视为具有与usmUserTable中KeyChange类型的对象相同的安全敏感性,并应提供相同级别的保护。具体而言,VACM不应授予对这些对象的访问权限,而应授予对usmUserTable KeyChange对象的访问权限。

The improper selection of parameters for use with Diffie-Hellman key changes may adversely affect the security of the agent. Please see the body of the MIB for specific recommendations or requirements on the selection of the DH parameters.

选择用于Diffie-Hellman密钥更改的参数不当可能会对代理的安全性产生不利影响。有关DH参数选择的具体建议或要求,请参见MIB正文。

An unauthenticated DH exchange is subject to "man-in-the-middle" attacks. The use of the DH exchange in any specific environment should balance risk versus threat.

未经验证的DH exchange受到“中间人”攻击。在任何特定环境中使用DH exchange都应平衡风险与威胁。

Good security from a DH exchange requires a good source of random numbers. If your application cannot provide a reasonable source of randomness, do not use a DH exchange. For more information, see "Randomness Recommendations for Security" [19].

DH交换的良好安全性需要一个良好的随机数源。如果您的应用程序无法提供合理的随机性来源,请不要使用DH交换。有关更多信息,请参阅“安全性随机性建议”[19]。

6. Intellectual Property
6. 知识产权

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何努力来确定任何此类权利。有关IETF在标准跟踪和标准相关文件中权利的程序信息,请参见BCP-11。可从IETF秘书处获得可供发布的权利声明副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果。

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涉及实施本标准所需技术的专有权利。请将信息发送给IETF执行董事。

7. Author's Address
7. 作者地址

Michael C. StJohns Excite@Home 450 Broadway Redwood City, CA 94063 USA

迈克尔·C·斯特约翰斯Excite@Home美国加利福尼亚州百老汇红木城450号,邮编94063

   Phone: +1-650-556-5368
   EMail: stjohns@corp.home.net
        
   Phone: +1-650-556-5368
   EMail: stjohns@corp.home.net
        
9. Full Copyright Statement
9. 完整版权声明

Copyright (C) The Internet Society (2000). All Rights Reserved.

版权所有(C)互联网协会(2000年)。版权所有。

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。