Internet Engineering Task Force (IETF)                       W. Hardaker
Request for Comments: 5953                                  SPARTA, Inc.
Category: Standards Track                                    August 2010
ISSN: 2070-1721
Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)
Abstract
This document describes a Transport Model for the Simple Network Management Protocol (SNMP) that uses either the Transport Layer Security (TLS) protocol or the Datagram Transport Layer Security (DTLS) protocol. The TLS and DTLS protocols provide authentication and privacy services for SNMP applications. This document describes how the TLS Transport Model (TLSTM) implements the needed features of an SNMP Transport Subsystem to make this protection possible in an interoperable way.
This Transport Model is designed to meet the security and operational needs of network administrators. It supports the sending of SNMP messages over TLS/TCP and DTLS/UDP. The TLS mode can make use of TCP's improved support for larger packet sizes and the DTLS mode provides potentially superior operation in environments where a connectionless (e.g., UDP) transport is preferred. Both TLS and DTLS integrate well into existing public keying infrastructures.
This document also defines a portion of the Management Information Base (MIB) for use with network management protocols. In particular, it defines objects for managing the TLS Transport Model for SNMP.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5953.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
Table of Contents
   1. Introduction ....................................................4
      1.1. Conventions ................................................7
   2. The Transport Layer Security Protocol ...........................8
   3. How the TLSTM Fits into the Transport Subsystem .................8
      3.1. Security Capabilities of this Model .......................10
           3.1.1. Threats ............................................10
           3.1.2. Message Protection .................................11
           3.1.3. (D)TLS Connections .................................12
      3.2. Security Parameter Passing ................................13
      3.3. Notifications and Proxy ...................................13
   4. Elements of the Model ..........................................14
      4.1. X.509 Certificates ........................................14
           4.1.1. Provisioning for the Certificate ...................14
      4.2. (D)TLS Usage ..............................................16
      4.3. SNMP Services .............................................17
           4.3.1. SNMP Services for an Outgoing Message ..............17
           4.3.2. SNMP Services for an Incoming Message ..............18
      4.4. Cached Information and References .........................19
           4.4.1. TLS Transport Model Cached Information .............19
                  4.4.1.1. tmSecurityName ............................19
                  4.4.1.2. tmSessionID ...............................20
                  4.4.1.3. Session State .............................20
   5. Elements of Procedure ..........................................20
      5.1. Procedures for an Incoming Message ........................20
           5.1.1. DTLS over UDP Processing for Incoming Messages .....21
           5.1.2. Transport Processing for Incoming SNMP Messages ....22
      5.2. Procedures for an Outgoing SNMP Message ...................24
      5.3. Establishing or Accepting a Session .......................25
           5.3.1. Establishing a Session as a Client .................25
           5.3.2. Accepting a Session as a Server ....................27
      5.4. Closing a Session .........................................28
   6. MIB Module Overview ............................................29
      6.1. Structure of the MIB Module ...............................29
      6.2. Textual Conventions .......................................29
      6.3. Statistical Counters ......................................29
      6.4. Configuration Tables ......................................29
           6.4.1. Notifications ......................................30
      6.5. Relationship to Other MIB Modules .........................30
           6.5.1. MIB Modules Required for IMPORTS ...................30
   7. MIB Module Definition ..........................................30
   8. Operational Considerations .....................................53
      8.1. Sessions ..................................................53
      8.2. Notification Receiver Credential Selection ................54
      8.3. contextEngineID Discovery .................................54
      8.4. Transport Considerations ..................................55
   9. Security Considerations ........................................55
      9.1. Certificates, Authentication, and Authorization ...........55
      9.2. (D)TLS Security Considerations ............................56
           9.2.1. TLS Version Requirements ...........................56
           9.2.2. Perfect Forward Secrecy ............................56
      9.3. Use with SNMPv1/SNMPv2c Messages ..........................56
      9.4. MIB Module Security .......................................57
   10. IANA Considerations ...........................................58
   11. Acknowledgements ..............................................59
   12. References ....................................................60
      12.1. Normative References .....................................60
      12.2. Informative References ...................................61
   Appendix A. Target and Notification Configuration Example ........63
      A.1. Configuring a Notification Originator .....................63
      A.2. Configuring TLSTM to Utilize a Simple Derivation of
           tmSecurityName ............................................64
      A.3. Configuring TLSTM to Utilize Table-Driven Certificate
           Mapping ...................................................64
1. Introduction

It is important to understand the modular SNMPv3 architecture as defined by [RFC3411] and enhanced by the Transport Subsystem [RFC5590]. It is also important to understand the terminology of the SNMPv3 architecture in order to understand where the Transport Model described in this document fits into the architecture and how it interacts with the other architecture subsystems. For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to Section 7 of [RFC3410].
This document describes a Transport Model that makes use of the Transport Layer Security (TLS) [RFC5246] and the Datagram Transport Layer Security (DTLS) Protocol [RFC4347], within a Transport Subsystem [RFC5590]. DTLS is the datagram variant of the Transport Layer Security (TLS) protocol [RFC5246]. The Transport Model in this document is referred to as the Transport Layer Security Transport Model (TLSTM). TLS and DTLS take advantage of the X.509 public keying infrastructure [RFC5280]. While (D)TLS supports multiple authentication mechanisms, this document only discusses X.509 certificate-based authentication. Although other forms of authentication are possible, they are outside the scope of this specification. This transport model is designed to meet the security and operational needs of network administrators, operating in both environments where a connectionless (e.g., UDP) transport is preferred and in environments where large quantities of data need to be sent (e.g., over a TCP-based stream). Both TLS and DTLS integrate well into existing public keying infrastructures. This document supports sending of SNMP messages over TLS/TCP and DTLS/UDP.
This document also defines a portion of the Management Information Base (MIB) for use with network management protocols. In particular, it defines objects for managing the TLS Transport Model for SNMP.
Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58: [RFC2578], [RFC2579], and [RFC2580].
The diagram shown below gives a conceptual overview of two SNMP entities communicating using the TLS Transport Model (shown as "TLSTM"). One entity contains a command responder and notification originator application, and the other a command generator and notification receiver application. It should be understood that this particular mix of application types is an example only and other combinations are equally valid.
Note: this diagram shows the Transport Security Model (TSM) being used as the security model that is defined in [RFC5591].
[Figure: Two SNMP entities communicating across the Network. Each entity contains a (D)TLS Client and a (D)TLS Server, a Transport Subsystem holding the TLS TM and its Cache, a Dispatcher, a Message Processing Subsystem (v3MP), and a Security Subsystem (TSM). The left entity hosts the COMMAND RESPONDER and NOTIFICATION ORIGINATOR applications; the right entity hosts the COMMAND GENERATOR and NOTIFICATION RECEIVER applications. Commands and Notifications flow between the entities through the Network.]
1.1. Conventions

For consistency with SNMP-related specifications, this document favors terminology as defined in STD 62, rather than favoring terminology that is consistent with non-SNMP specifications. This is consistent with the IESG decision to not require the SNMPv3 terminology be modified to match the usage of other non-SNMP specifications when SNMPv3 was advanced to a Full Standard.
"Authentication" in this document typically refers to the English meaning of "serving to prove the authenticity of" the message, not data source authentication or peer identity authentication.
The terms "manager" and "agent" are not used in this document because, in the [RFC3411] architecture, all SNMP entities have the capability of acting as manager, agent, or both depending on the SNMP application types supported in the implementation. Where distinction is required, the application names of command generator, command responder, notification originator, notification receiver, and proxy forwarder are used. See "SNMP Applications" [RFC3413] for further information.
Large portions of this document simultaneously refer to both TLS and DTLS when discussing TLSTM components that function equally with either protocol. "(D)TLS" is used in these places to indicate that the statement applies to either or both protocols as appropriate. When a distinction between the protocols is needed, they are referred to independently through the use of "TLS" or "DTLS". The Transport Model, however, is named "TLS Transport Model" and refers not to the TLS or DTLS protocol but to the specification in this document, which includes support for both TLS and DTLS.
Throughout this document, the terms "client" and "server" are used to refer to the two ends of the (D)TLS transport connection. The client actively opens the (D)TLS connection, and the server passively listens for the incoming (D)TLS connection. An SNMP entity may act as a (D)TLS client or server or both, depending on the SNMP applications supported.
The User-Based Security Model (USM) [RFC3414] is a mandatory-to-implement Security Model in STD 62. While (D)TLS and USM frequently refer to a user, the terminology preferred in RFC 3411 and in this memo is "principal". A principal is the "who" on whose behalf services are provided or processing takes place. A principal can be, among other things, an individual acting in a particular role; a set of individuals, with each acting in a particular role; an application or a set of applications, or a combination of these within an administrative domain.
Throughout this document, the term "session" is used to refer to a secure association between two TLS Transport Models that permits the transmission of one or more SNMP messages within the lifetime of the session. The (D)TLS protocols also have an internal notion of a session and although these two concepts of a session are related, when the term "session" is used this document is referring to the TLSTM's specific session and not directly to the (D)TLS protocol's session.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
2. The Transport Layer Security Protocol

(D)TLS provides authentication, data message integrity, and privacy at the transport layer (see [RFC4347]).
3. How the TLSTM Fits into the Transport Subsystem

The primary goals of the TLS Transport Model are to provide privacy, peer identity authentication, and data integrity between two communicating SNMP entities. The TLS and DTLS protocols provide a secure transport upon which the TLSTM is based. Please refer to [RFC5246] and [RFC4347] for complete descriptions of the protocols.
A transport model is a component of the Transport Subsystem. The TLS Transport Model thus fits between the underlying (D)TLS transport layer and the Message Dispatcher [RFC3411] component of the SNMP engine.
The TLS Transport Model will establish a session between itself and the TLS Transport Model of another SNMP engine. The sending transport model passes unencrypted and unauthenticated messages from the Dispatcher to (D)TLS to be encrypted and authenticated, and the receiving transport model accepts decrypted and authenticated/integrity-checked incoming messages from (D)TLS and passes them to the Dispatcher.
After a TLS Transport Model session is established, SNMP messages can conceptually be sent through the session from one SNMP Message Dispatcher to another SNMP Message Dispatcher. If multiple SNMP messages need to be passed between two SNMP applications, they MAY be passed through the same session. A TLSTM implementation engine MAY choose to close the session to conserve resources.
The TLS Transport Model of an SNMP engine will perform the translation between (D)TLS-specific security parameters and SNMP-specific, model-independent parameters.
The diagram below depicts where the TLS Transport Model (shown as "(D)TLS TM") fits into the architecture described in RFC 3411 and the Transport Subsystem:
[Figure: The RFC 3411 architecture with the Transport Subsystem. The Transport Subsystem holds the UDP TM, SSH TM, (D)TLS TM, and other transport models, with an attached Cache. The Dispatcher (Transport Dispatch, Message Dispatch, PDU Dispatch) connects to the Message Processing Subsystem (v1MP, v2cMP, v3MP, otherMP) and to the Security Subsystem (USM, Transport Security Model, Other Model(s)). Below the Dispatcher sit the COMMAND RESPONDER, ACCESS CONTROL, NOTIFICATION ORIGINATOR, and PROXY FORWARDER applications and the MIB instrumentation, all within the SNMP entity.]
3.1. Security Capabilities of this Model

3.1.1. Threats

The TLS Transport Model provides protection against the threats identified by the RFC 3411 architecture [RFC3411]:
1. Modification of Information - The modification threat is the danger that an unauthorized entity may alter in-transit SNMP messages generated on behalf of an authorized principal in such a way as to effect unauthorized management operations, including falsifying the value of an object.
(D)TLS provides verification that the content of each received message has not been modified during its transmission through the network, data has not been altered or destroyed in an unauthorized manner, and data sequences have not been altered to an extent greater than can occur non-maliciously.
2. Masquerade - The masquerade threat is the danger that management operations unauthorized for a given principal may be attempted by assuming the identity of another principal that has the appropriate authorizations.
The TLSTM verifies the identity of the (D)TLS server through the use of the (D)TLS protocol and X.509 certificates. A TLS Transport Model implementation MUST support the authentication of both the server and the client.
3. Message stream modification - The re-ordering, delay, or replay of messages can and does occur through the natural operation of many connectionless transport services. The message stream modification threat is the danger that messages may be maliciously re-ordered, delayed or replayed to an extent that is greater than can occur through the natural operation of connectionless transport services, in order to effect unauthorized management operations.
(D)TLS provides replay protection with a Message Authentication Code (MAC) that includes a sequence number. Since UDP provides no sequencing ability, DTLS uses a sliding window protocol with the sequence number used for replay protection (see [RFC4347]).
4. Disclosure - The disclosure threat is the danger of eavesdropping on the exchanges between SNMP engines.
(D)TLS provides protection against the disclosure of information to unauthorized recipients or eavesdroppers by allowing for encryption of all traffic between SNMP engines. A TLS Transport Model implementation MUST support message encryption to protect sensitive data from eavesdropping attacks.
5. Denial of Service - The RFC 3411 architecture [RFC3411] states that denial-of-service (DoS) attacks need not be addressed by an SNMP security protocol. However, connectionless transports (like DTLS over UDP) are susceptible to a variety of DoS attacks because they are more vulnerable to spoofed IP addresses. See Section 4.2 for details on how the cookie mechanism is used. Note, however, that this mechanism does not provide any defense against DoS attacks mounted from valid IP addresses.
See Section 9 for more detail on the security considerations associated with the TLSTM and these security threats.
The RFC 3411 architecture recognizes three levels of security:
o without authentication and without privacy (noAuthNoPriv)
o with authentication but without privacy (authNoPriv)
o with authentication and with privacy (authPriv)
The TLS Transport Model determines from (D)TLS the identity of the authenticated principal, the transport type and the transport address associated with an incoming message. The TLS Transport Model provides the identity and destination type and address to (D)TLS for outgoing messages.
When an application requests a session for a message, it also requests a security level for that session. The TLS Transport Model MUST ensure that the (D)TLS connection provides security at least as high as the requested level of security. How the security level is translated into the algorithms used to provide data integrity and privacy is implementation dependent. However, the NULL integrity and encryption algorithms MUST NOT be used to fulfill security level requests for authentication or privacy. Implementations MAY choose to force (D)TLS to only allow cipher_suites that provide both authentication and privacy to guarantee this assertion.
If a suitable interface between the TLS Transport Model and the (D)TLS Handshake Protocol is implemented to allow the selection of security-level-dependent algorithms (for example, a security level to cipher_suites mapping table), then different security levels may be utilized by the application.
The authentication, integrity, and privacy algorithms used by the (D)TLS Protocols may vary over time as the science of cryptography continues to evolve and the development of (D)TLS continues over time. Implementers are encouraged to plan for changes in operator trust of particular algorithms. Implementations SHOULD offer configuration settings for mapping algorithms to SNMPv3 security levels.
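The security-level handling just described, as an added example that is not code from RFC 5953 or any TLSTM implementation: a configurable cipher-suite-to-security-level mapping and the "at least as high as requested" check. The classification rules, the override table and the suite names used in the comments are local assumptions; the RFC leaves the level-to-algorithm mapping implementation dependent.

```python
# Added example (not code from RFC 5953): mapping (D)TLS cipher suites to the
# three RFC 3411 security levels and enforcing "at least as high as requested".
# Suite names follow the IANA TLS registry convention
# (TLS_<keyexchange>_WITH_<cipher>_<mac>). The classification rules and the
# operator override table below are a constructed local policy.
from typing import Dict, Iterable, List, Optional

# Ordered weakest to strongest, so the list index serves as a comparable rank.
LEVELS = ["noAuthNoPriv", "authNoPriv", "authPriv"]


def classify_suite(suite: str, overrides: Optional[Dict[str, str]] = None) -> str:
    """Return the highest security level this cipher suite can satisfy.

    NULL integrity, a NULL key exchange, or an anonymous key exchange (no
    certificate-based peer authentication) can satisfy only noAuthNoPriv;
    NULL encryption with real integrity gives authNoPriv; anything else gives
    authPriv. An operator override (e.g. a suite the operator no longer
    trusts) always wins over the derived value.
    """
    name = suite.upper()
    if overrides:
        forced = {k.upper(): v for k, v in overrides.items()}.get(name)
        if forced is not None:
            if forced not in LEVELS:
                raise ValueError(f"unknown security level in override: {forced}")
            return forced
    key_exchange, sep, bulk = name[4:].partition("_WITH_")
    if not name.startswith("TLS_") or not sep:
        raise ValueError(f"not a TLS 1.2-style cipher suite name: {suite}")
    # "AES_128_CBC_SHA" -> ("AES_128_CBC", "SHA"); "NULL_NULL" -> ("NULL", "NULL")
    cipher, _, mac = bulk.rpartition("_")
    if mac == "NULL" or key_exchange == "NULL" or "ANON" in key_exchange:
        return "noAuthNoPriv"
    if cipher == "NULL":
        return "authNoPriv"
    return "authPriv"


def satisfies(requested_level: str, suite: str,
              overrides: Optional[Dict[str, str]] = None) -> bool:
    """True if the suite provides security at least as high as requested."""
    if requested_level not in LEVELS:
        raise ValueError(f"unknown security level: {requested_level}")
    provided = classify_suite(suite, overrides)
    return LEVELS.index(provided) >= LEVELS.index(requested_level)


def permitted_suites(requested_level: str, offered: Iterable[str],
                     overrides: Optional[Dict[str, str]] = None) -> List[str]:
    """Filter an offered suite list down to those acceptable for the level.

    Restricting the (D)TLS handshake to this list is one way to guarantee
    that NULL algorithms never fulfil an authNoPriv or authPriv request.
    """
    return [s for s in offered if satisfies(requested_level, s, overrides)]
```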
(D)TLS connections are opened by the TLS Transport Model during the elements of procedure for an outgoing SNMP message. Since the sender of a message initiates the creation of a (D)TLS connection if needed, the (D)TLS connection will already exist for an incoming message.
Implementations MAY choose to instantiate (D)TLS connections in anticipation of outgoing messages. This approach might be useful to ensure that a (D)TLS connection to a given target can be established before it becomes important to send a message over the (D)TLS connection. Of course, there is no guarantee that a pre-established session will still be valid when needed.
DTLS connections, when used over UDP, are uniquely identified within the TLS Transport Model by the combination of transportDomain, transportAddress, tmSecurityName, and requestedSecurityLevel associated with each session. Each unique combination of these parameters MUST have a locally chosen unique tlstmSessionID for each active session. For further information, see Section 5. TLS over TCP sessions, on the other hand, do not require a unique pairing of address and port attributes since their lower-layer protocols (TCP) already provide adequate session framing. But they must still provide a unique tlstmSessionID for referencing the session.
The tlstmSessionID MUST NOT change during the entire duration of the session from the TLSTM's perspective, and MUST uniquely identify a single session. As an implementation hint: note that the (D)TLS internal SessionID does not meet these requirements, since it can change over the life of the connection as seen by the TLSTM (for example, during renegotiation), and does not necessarily uniquely identify a TLSTM session (there can be multiple TLSTM sessions sharing the same (D)TLS internal SessionID).
For the (D)TLS server side, (D)TLS-specific security parameters (i.e., cipher_suites, X.509 certificate fields, IP addresses, and ports) are translated by the TLS Transport Model into security parameters for the TLS Transport Model and security model (e.g., tmSecurityLevel, tmSecurityName, transportDomain, transportAddress). The transport-related and (D)TLS-security-related information, including the authenticated identity, is stored in a cache referenced by tmStateReference.
For the (D)TLS client side, the TLS Transport Model takes input provided by the Dispatcher in the sendMessage() Abstract Service Interface (ASI) and input from the tmStateReference cache. The (D)TLS Transport Model converts that information into suitable security parameters for (D)TLS and establishes sessions as needed.
The elements of procedure in Section 5 discuss these concepts in much greater detail.
(D)TLS connections may be initiated by (D)TLS clients on behalf of SNMP applications that initiate communications, such as command generators, notification originators, and proxy forwarders. Command generators are frequently operated by a human, but notification originators and proxy forwarders are usually unmanned automated processes. The targets to whom notifications and proxied requests should be sent is typically determined and configured by a network administrator.
The SNMP-TARGET-MIB module [RFC3413] contains objects for defining management targets, including transportDomain, transportAddress, securityName, securityModel, and securityLevel parameters, for notification originator, proxy forwarder, and SNMP-controllable command generator applications. Transport domains and transport addresses are configured in the snmpTargetAddrTable, and the securityModel, securityName, and securityLevel parameters are configured in the snmpTargetParamsTable. This document defines a MIB module that extends the SNMP-TARGET-MIB's snmpTargetParamsTable to specify a (D)TLS client-side certificate to use for the connection.
When configuring a (D)TLS target, the snmpTargetAddrTDomain and snmpTargetAddrTAddress parameters in snmpTargetAddrTable SHOULD be set to the snmpTLSTCPDomain or snmpDTLSUDPDomain object and an appropriate snmpTLSAddress value. When used with the SNMPv3 message processing model, the snmpTargetParamsMPModel column of the snmpTargetParamsTable SHOULD be set to a value of 3. The snmpTargetParamsSecurityName SHOULD be set to an appropriate securityName value and the snmpTlstmParamsClientFingerprint parameter of the snmpTlstmParamsTable SHOULD be set to a value that refers to a locally held certificate (and the corresponding private key) to be used. Other parameters, for example, cryptographic configuration such as which cipher_suites to use, must come from configuration mechanisms not defined in this document.
The securityName defined in the snmpTargetParamsSecurityName column will be used by the access control model to authorize any notifications that need to be sent.
This section contains definitions required to realize the (D)TLS Transport Model defined by this document.
(D)TLS can make use of X.509 certificates for authentication of both sides of the transport. This section discusses the use of X.509 certificates in the TLSTM.
While (D)TLS supports multiple authentication mechanisms, this document only discusses X.509-certificate-based authentication; other forms of authentication are outside the scope of this specification. TLSTM implementations are REQUIRED to support X.509 certificates.
Authentication using (D)TLS will require that SNMP entities have certificates, either signed by trusted Certification Authorities (CAs), or self signed. Furthermore, SNMP entities will most commonly need to be provisioned with root certificates that represent the list of trusted CAs that an SNMP entity can use for certificate verification. SNMP entities SHOULD also be provisioned with an X.509 certificate revocation mechanism which can be used to verify that a certificate has not been revoked. Trusted public keys from either CA certificates and/or self-signed certificates MUST be installed into the server through a trusted out-of-band mechanism and their authenticity MUST be verified before access is granted.
Having received a certificate from a connecting TLSTM client, the authenticated tmSecurityName of the principal is derived using the snmpTlstmCertToTSNTable. This table allows mapping of incoming connections to tmSecurityNames through defined transformations. The transformations defined in the SNMP-TLS-TM-MIB include:
o Mapping a certificate's subjectAltName or CommonName components to a tmSecurityName, or
o Mapping a certificate's fingerprint value to a directly specified tmSecurityName
As an implementation hint: implementations may choose to discard any connections for which no potential snmpTlstmCertToTSNTable mapping exists before performing certificate verification to avoid expending computational resources associated with certificate verification.
Deployments SHOULD map the "subjectAltName" component of X.509 certificates to the TLSTM specific tmSecurityNames. The authenticated identity can be obtained by the TLS Transport Model by extracting the subjectAltName(s) from the peer's certificate. The receiving application will then have an appropriate tmSecurityName for use by other SNMPv3 components like an access control model.
An example of this type of mapping setup can be found in Appendix A.
This tmSecurityName may be later translated from a TLSTM-specific tmSecurityName to an SNMP engine securityName by the security model. A security model, like the TSM security model [RFC5591], may perform an identity mapping or a more complex mapping to derive the securityName from the tmSecurityName offered by the TLS Transport Model.
The standard View-Based Access Control Model (VACM) constrains securityNames to be 32 octets or less in length. A TLSTM-generated tmSecurityName, possibly in combination with a messaging or security model that increases the length of the securityName, might cause the securityName length to exceed 32 octets. For example, a 32-octet tmSecurityName derived from an IPv6 address, paired with a TSM prefix, will generate a 36-octet securityName. Such a securityName will not be able to be used with standard VACM or TARGET MIB modules. Operators should be careful to select algorithms and subjectAltNames to avoid this situation.
A pictorial view of the complete transformation process (using the TSM security model for the example) is shown below:
   +-------------+      +-------+                     +-----+
   | Certificate |      |       |                     |     |
   |    Path     |      | TLSTM |    tmSecurityName   |     |
   | Validation  | ---> |       | ------------------->|     |
   +-------------+      +-------+                     +-----+
                                                          |
                                                          | securityName
                                                          V
                                                    +-------------+
                                                    | application |
                                                    +-------------+
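The certificate-to-tmSecurityName transformation described above, as an added example that is not code from RFC 5953 or any TLSTM implementation. It assumes certificates modelled as plain dicts (constructed) rather than parsed X.509 objects, hex SHA-256 fingerprints over the DER bytes, locally chosen map-type names standing in for the MIB's own values, a "try the next row when a row yields no name" rule, and a TSM prefix of "tls"; it also applies the VACM 32-octet limit and the pre-verification hint from the same passage.

```python
# Added example (not code from RFC 5953): deriving a tmSecurityName from a
# peer certificate using rows shaped like snmpTlstmCertToTSNTable, then
# checking the VACM 32-octet limit after TSM prefixing.
# Assumptions: certificates are dicts (constructed), fingerprints are hex
# SHA-256 over DER bytes, map-type names are local stand-ins for the MIB's
# values, a row that matches but yields no name is skipped, TSM prefix "tls".
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

VACM_MAX_OCTETS = 32
SAN_ANY_ORDER = ("rfc822", "dns", "ip")   # preference order for "san-any" (local choice)


def fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


@dataclass(frozen=True)
class CertToTSNRow:
    fingerprint: str   # of the peer certificate, or of a CA in its validated path
    map_type: str      # "specified" | "common-name" | "san-any" | "san-rfc822" | "san-dns" | "san-ip"
    data: str = ""     # the tmSecurityName itself; used only by "specified"


def _name_from_row(row: CertToTSNRow, peer: dict) -> Optional[str]:
    """Apply one row's transformation to the peer certificate fields."""
    san = peer.get("san", [])                 # list of (type, value) tuples
    if row.map_type == "specified":
        return row.data or None
    if row.map_type == "common-name":
        return peer.get("common_name")
    wanted = SAN_ANY_ORDER if row.map_type == "san-any" else (row.map_type[4:],)
    for san_type in wanted:
        for kind, value in san:
            if kind == san_type:
                return value
    return None


def has_potential_mapping(presented_fps: Iterable[str],
                          table: Iterable[CertToTSNRow]) -> bool:
    """The implementation hint: before expensive path validation, drop a
    connection whose presented certificates are referenced by no row."""
    fps = set(presented_fps)
    return any(row.fingerprint in fps for row in table)


def derive_tm_security_name(peer: dict, validated_ca_fps: Set[str],
                            table: List[CertToTSNRow]) -> Optional[str]:
    """Walk the table in index order; the first row whose fingerprint matches
    the peer or a validated CA and which yields a non-empty name wins.
    None means no mapping exists, so the connection must be refused."""
    candidates = {fingerprint(peer["der"])} | set(validated_ca_fps)
    for row in table:
        if row.fingerprint not in candidates:
            continue
        name = _name_from_row(row, peer)
        if name:
            return name
    return None


def fits_vacm(security_name: str) -> bool:
    """VACM (and the TARGET MIB) constrain securityName to 32 octets."""
    return len(security_name.encode("utf-8")) <= VACM_MAX_OCTETS


def tsm_security_name(tm_security_name: str, prefix: str = "tls") -> str:
    """TSM with prefixing enabled yields "<prefix>:<tmSecurityName>"
    (prefix value assumed here)."""
    return f"{prefix}:{tm_security_name}"
```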
(D)TLS MUST negotiate a cipher_suite that uses X.509 certificates for authentication, and MUST authenticate both the client and the server. The mandatory-to-implement cipher_suite is specified in the TLS specification [RFC5246].
TLSTM verifies the certificates when the connection is opened (see Section 5.3). For this reason, TLS renegotiation with different certificates MUST NOT be done. That is, implementations MUST either disable renegotiation completely (RECOMMENDED), or they MUST present the same certificate during renegotiation (and MUST verify that the other end presented the same certificate).
For DTLS over UDP, each SNMP message MUST be placed in a single UDP datagram; it MAY be split to multiple DTLS records. In other words, if a single datagram contains multiple DTLS application_data records, they are concatenated when received. The TLSTM implementation SHOULD return an error if the SNMP message does not fit in the UDP datagram, and thus cannot be sent.
For DTLS over UDP, the DTLS server implementation MUST support DTLS cookies ([RFC4347] already requires that clients support DTLS cookies). Implementations are not required to perform the cookie exchange for every DTLS handshake; however, enabling it by default is RECOMMENDED.
For DTLS, replay protection MUST be used.
This section describes the services provided by the TLS Transport Model with their inputs and outputs. The services are between the Transport Model and the Dispatcher.
The services are described as primitives of an abstract service interface (ASI) and the inputs and outputs are described as abstract data elements as they are passed in these abstract service primitives.
The Dispatcher passes the information to the TLS Transport Model using the ASI defined in the Transport Subsystem:
   statusInformation =
   sendMessage(
   IN   destTransportDomain      -- transport domain to be used
   IN   destTransportAddress     -- transport address to be used
   IN   outgoingMessage          -- the message to send
   IN   outgoingMessageLength    -- its length
   IN   tmStateReference         -- reference to transport state
   )
The abstract data elements returned from or passed as parameters into the abstract service primitives are as follows:
statusInformation: An indication of whether the sending of the message was successful. If not, it is an indication of the problem.
destTransportDomain: The transport domain for the associated destTransportAddress. The Transport Model uses this parameter to determine the transport type of the associated destTransportAddress. This document specifies the snmpTLSTCPDomain and the snmpDTLSUDPDomain transport domains.
destTransportAddress: The transport address of the destination TLS Transport Model in a format specified by the SnmpTLSAddress TEXTUAL-CONVENTION.
outgoingMessage: The outgoing message to send to (D)TLS for encapsulation and transmission.
outgoingMessageLength: The length of the outgoingMessage.
tmStateReference: A reference used to pass model-specific and mechanism-specific parameters between the Transport Subsystem and transport-aware Security Models.
The TLS Transport Model processes the received message from the network using the (D)TLS service and then passes it to the Dispatcher using the following ASI:
   statusInformation =
   receiveMessage(
   IN   transportDomain          -- origin transport domain
   IN   transportAddress         -- origin transport address
   IN   incomingMessage          -- the message received
   IN   incomingMessageLength    -- its length
   IN   tmStateReference         -- reference to transport state
   )
The abstract data elements returned from or passed as parameters into the abstract service primitives are as follows:
statusInformation: An indication of whether the passing of the message was successful. If not, it is an indication of the problem.
transportDomain: The transport domain for the associated transportAddress. This document specifies the snmpTLSTCPDomain and the snmpDTLSUDPDomain transport domains.
transportAddress: The transport address of the source of the received message in a format specified by the SnmpTLSAddress TEXTUAL-CONVENTION.
incomingMessage: The whole SNMP message after being processed by (D)TLS.
incomingMessageLength: The length of the incomingMessage.
tmStateReference: A reference used to pass model-specific and mechanism-specific parameters between the Transport Subsystem and transport-aware Security Models.
When performing SNMP processing, there are two levels of state information that may need to be retained: the immediate state linking a request-response pair, and potentially longer-term state relating to transport and security. "Transport Subsystem for the Simple Network Management Protocol (SNMP)" [RFC5590] defines general requirements for caches and references.
The TLS Transport Model has specific responsibilities regarding the cached information. See the Elements of Procedure in Section 5 for detailed processing instructions on the use of the tmStateReference fields by the TLS Transport Model.
The tmSecurityName MUST be a human-readable name (in snmpAdminString format) representing the identity that has been set according to the procedures in Section 5. The tmSecurityName MUST be constant for all traffic passing through a single TLSTM session. Messages MUST NOT be sent through an existing (D)TLS connection that was established using a different tmSecurityName.
On the (D)TLS server side of a connection, the tmSecurityName is derived using the procedures described in Section 5.3.2 and the SNMP-TLS-TM-MIB's snmpTlstmCertToTSNTable DESCRIPTION clause.
On the (D)TLS client side of a connection, the tmSecurityName is presented to the TLS Transport Model by the security model through the tmStateReference. This tmSecurityName is typically a copy of or is derived from the securityName that was passed by the application (possibly because of configuration specified in the SNMP-TARGET-MIB). The Security Model likely derived the tmSecurityName from the securityName presented to the Security Model by the application (possibly because of configuration specified in the SNMP-TARGET-MIB).
Transport-Model-aware security models derive tmSecurityName from a securityName, possibly configured in MIB modules for notifications and access controls. Transport Models SHOULD use predictable tmSecurityNames so operators will know what to use when configuring MIB modules that use securityNames derived from tmSecurityNames. The TLSTM generates predictable tmSecurityNames based on the configuration found in the SNMP-TLS-TM-MIB's snmpTlstmCertToTSNTable and relies on the network operators to have configured this table appropriately.
The tmSessionID MUST be recorded per message at the time of receipt. When tmSameSecurity is set, the recorded tmSessionID can be used to determine whether the (D)TLS connection available for sending a corresponding outgoing message is the same (D)TLS connection as was used when receiving the incoming message (e.g., a response to a request).
The per-session state that is referenced by tmStateReference may be saved across multiple messages in a Local Configuration Datastore. Additional session/connection state information might also be stored in a Local Configuration Datastore.
Abstract service interfaces have been defined by [RFC3411] and further augmented by [RFC5590] to describe the conceptual data flows between the various subsystems within an SNMP entity. The TLSTM uses some of these conceptual data flows when communicating between subsystems.
To simplify the elements of procedure, the release of state information is not always explicitly specified. As a general rule, if state information is available when a message gets discarded, the message-state information should also be released. If state information is available when a session is closed, the session state information should also be released. Sensitive information, like cryptographic keys, should be overwritten appropriately prior to being released.
An error indication in statusInformation will typically include the Object Identifier (OID) and value for an incremented error counter. This may be accompanied by the requested securityLevel and the tmStateReference. Per-message context information is not accessible to Transport Models, so for the returned counter OID and value, contextEngine would be set to the local value of snmpEngineID and contextName to the default context for error counters.
This section describes the procedures followed by the (D)TLS Transport Model when it receives a (D)TLS protected packet. The required functionality is broken into two different sections.
Section 5.1.1 describes the processing required for de-multiplexing multiple DTLS connections, which is specifically needed for DTLS over UDP sessions. It is assumed that TLS protocol implementations already provide appropriate message demultiplexing.
Section 5.1.2 describes the transport processing required once the (D)TLS processing has been completed. This will be needed for all (D)TLS-based connections.
Demultiplexing of incoming packets into separate DTLS sessions MUST be implemented. For connection-oriented transport protocols, such as TCP, the transport protocol takes care of demultiplexing incoming packets to the right connection. For DTLS over UDP, this demultiplexing will either need to be done within the DTLS implementation, if supported, or by the TLSTM implementation.
Like TCP, DTLS over UDP uses the four-tuple <source IP, destination IP, source port, destination port> for identifying the connection (and relevant DTLS connection state). This means that when establishing a new session, implementations MUST use a different UDP source port number for each active connection to a remote destination IP-address/port-number combination to ensure the remote entity can disambiguate between multiple connections.
If demultiplexing received UDP datagrams to DTLS connection state is done by the TLSTM implementation (instead of the DTLS implementation), the steps below describe one possible method to accomplish this.
The important output results from the steps in this process are the remote transport address, incomingMessage, incomingMessageLength, and the tlstmSessionID.
1) The TLS Transport Model examines the raw UDP message, in an implementation-dependent manner.
2) The TLS Transport Model queries the Local Configuration Datastore (LCD) (see [RFC3411] Section 3.4.2) using the transport parameters (source and destination IP addresses and ports) to determine if a session already exists.
2a) If a matching entry in the LCD does not exist, then the UDP packet is passed to the DTLS implementation for processing. If the DTLS implementation decides to continue with the connection and allocate state for it, it returns a new DTLS connection handle (an implementation dependent detail). In this case, TLSTM selects a new tlstmSessionId, and caches this and the DTLS connection handle as a new entry in the LCD (indexed by the transport parameters). If the DTLS implementation returns an error or does not allocate connection state (which can happen with the stateless cookie exchange), processing stops.
2b) If a session does exist in the LCD, then its DTLS connection handle (an implementation dependent detail) and its tlstmSessionId are extracted from the LCD. The UDP packet and the connection handle are passed to the DTLS implementation. If the DTLS implementation returns success but does not return an incomingMessage and an incomingMessageLength, then processing stops (this is the case when the UDP datagram contained DTLS handshake messages, for example). If the DTLS implementation returns an error, then processing stops.
3) Retrieve the incomingMessage and an incomingMessageLength from DTLS. These results and the tlstmSessionID are used below in Section 5.1.2 to complete the processing of the incoming message.
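The demultiplexing procedure in steps 1 to 3 above, written out as an added example (not code from RFC 5953 or from any TLSTM implementation). FakeDtls is a constructed stand-in for a DTLS library and its accept/process methods are hypothetical; the LCD is a dictionary keyed by the UDP four-tuple, so two clients behind the same IP address are kept apart by their source ports, as the text requires.

```python
"""Added example (not from RFC 5953): TLSTM-side demultiplexing of UDP
datagrams into DTLS sessions, following steps 1-3 of the procedure above."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import itertools

# LCD key: the UDP four-tuple that identifies one DTLS connection.
FourTuple = Tuple[str, str, int, int]  # (src IP, dst IP, src port, dst port)


@dataclass
class LcdEntry:
    tlstm_session_id: int
    dtls_handle: int          # implementation-dependent connection handle


@dataclass
class DemuxResult:
    """The outputs named in the text: remote address, message, session id."""
    remote_address: Tuple[str, int]
    incoming_message: bytes
    tlstm_session_id: int


class FakeDtls:
    """Constructed stand-in for a DTLS implementation (hypothetical API).

    b'CLIENT_HELLO' alone is answered statelessly (cookie exchange), so no
    state is allocated; b'CLIENT_HELLO+cookie' allocates a connection;
    datagrams starting with b'HANDSHAKE' carry no application data; any
    other datagram on an established connection is returned as the
    decrypted SNMP message.
    """

    def __init__(self) -> None:
        self._handles = itertools.count(100)

    def accept(self, datagram: bytes) -> Optional[int]:
        if datagram == b"CLIENT_HELLO":
            return None                      # stateless cookie exchange
        if datagram.startswith(b"CLIENT_HELLO"):
            return next(self._handles)       # cookie verified: allocate state
        raise ValueError("not a DTLS ClientHello")

    def process(self, handle: int, datagram: bytes) -> Optional[bytes]:
        if datagram.startswith(b"HANDSHAKE"):
            return None                      # handshake only: no message
        return datagram                      # stands in for record decryption


class DtlsDemux:
    def __init__(self, dtls: FakeDtls) -> None:
        self.dtls = dtls
        self.lcd: Dict[FourTuple, LcdEntry] = {}
        self._session_ids = itertools.count(1)
        self.session_accepts = 0             # snmpTlstmSessionAccepts

    def demux(self, four_tuple: FourTuple,
              datagram: bytes) -> Optional[DemuxResult]:
        """Return the step 3 results, or None wherever the text says
        'processing stops'."""
        src_ip, _dst_ip, src_port, _dst_port = four_tuple
        entry = self.lcd.get(four_tuple)                     # step 2
        if entry is None:                                    # step 2a
            try:
                handle = self.dtls.accept(datagram)
            except ValueError:
                return None                                  # DTLS error
            if handle is None:
                return None                                  # no state yet
            entry = LcdEntry(next(self._session_ids), handle)
            self.lcd[four_tuple] = entry
            # Counted here at session creation (an implementation choice).
            self.session_accepts += 1
            return None         # a ClientHello never carries an SNMP message
        message = self.dtls.process(entry.dtls_handle, datagram)   # step 2b
        if message is None:
            return None
        return DemuxResult((src_ip, src_port), message,          # step 3
                           entry.tlstm_session_id)
```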
The procedures in this section describe how the TLS Transport Model should process messages that have already been properly extracted from the (D)TLS stream. Note that care must be taken when processing messages originating from either TLS or DTLS to ensure they're complete and single. For example, multiple SNMP messages can be passed through a single DTLS message and partial SNMP messages may be received from a TLS stream. These steps describe the processing of a singular SNMP message after it has been delivered from the (D)TLS stream.
1) Determine the tlstmSessionID for the incoming message. The tlstmSessionID MUST be a unique session identifier for this (D)TLS connection. The contents and format of this identifier are implementation dependent as long as it is unique to the session. A session identifier MUST NOT be reused until all references to it are no longer in use. The tmSessionID is equal to the tlstmSessionID discussed in Section 5.1.1. tmSessionID refers to the session identifier when stored in the tmStateReference and tlstmSessionID refers to the session identifier when stored in the LCD. They MUST always be equal when processing a given session's traffic.
If this is the first message received through this session, and the session does not have an assigned tlstmSessionID yet, then the snmpTlstmSessionAccepts counter is incremented and a tlstmSessionID for the session is created. This will only happen on the server side of a connection because a client would have already assigned a tlstmSessionID during the openSession() invocation. Implementations may have performed the procedures described in Section 5.3.2 prior to this point or they may perform them now, but the procedures described in Section 5.3.2 MUST be performed before continuing beyond this point.
2) Create a tmStateReference cache for the subsequent reference and assign the following values within it:

   tmTransportDomain  = snmpTLSTCPDomain or snmpDTLSUDPDomain as appropriate.

   tmTransportAddress = The address from which the message originated.

   tmSecurityLevel    = The derived tmSecurityLevel for the session, as discussed in Sections 3.1.2 and 5.3.

   tmSecurityName     = The derived tmSecurityName for the session as discussed in Section 5.3. This value MUST be constant during the lifetime of the session.

   tmSessionID        = The tlstmSessionID described in step 1 above.
3) The incomingMessage and incomingMessageLength are assigned values from the (D)TLS processing.
4) The TLS Transport Model passes the transportDomain, transportAddress, incomingMessage, and incomingMessageLength to the Dispatcher using the receiveMessage ASI:
   statusInformation = receiveMessage(
       IN transportDomain        -- snmpTLSTCPDomain or snmpDTLSUDPDomain,
       IN transportAddress       -- address for the received message
       IN incomingMessage        -- the whole SNMP message from (D)TLS
       IN incomingMessageLength  -- the length of the SNMP message
       IN tmStateReference       -- transport info
   )
The Dispatcher sends a message to the TLS Transport Model using the following ASI:
   statusInformation = sendMessage(
       IN destTransportDomain    -- transport domain to be used
       IN destTransportAddress   -- transport address to be used
       IN outgoingMessage        -- the message to send
       IN outgoingMessageLength  -- its length
       IN tmStateReference       -- transport info
   )
This section describes the procedure followed by the TLS Transport Model whenever it is requested through this ASI to send a message.
1) If tmStateReference does not refer to a cache containing values for tmTransportDomain, tmTransportAddress, tmSecurityName, tmRequestedSecurityLevel, and tmSameSecurity, then increment the snmpTlstmSessionInvalidCaches counter, discard the message, and return the error indication in the statusInformation. Processing of this message stops.
2) Extract the tmSessionID, tmTransportDomain, tmTransportAddress, tmSecurityName, tmRequestedSecurityLevel, and tmSameSecurity values from the tmStateReference. Note: the tmSessionID value may be undefined if no session exists yet over which the message can be sent.
3) If tmSameSecurity is true and tmSessionID is either undefined or refers to a session that is no longer open, then increment the snmpTlstmSessionNoSessions counter, discard the message, and return the error indication in the statusInformation. Processing of this message stops.
4) If tmSameSecurity is false and tmSessionID refers to a session that is no longer available, then an implementation SHOULD open a new session, using the openSession() ASI (described in greater detail in step 5b). Instead of opening a new session an implementation MAY return a snmpTlstmSessionNoSessions error to the calling module and stop the processing of the message.
5) If tmSessionID is undefined, then use tmTransportDomain, tmTransportAddress, tmSecurityName, and tmRequestedSecurityLevel to see if there is a corresponding entry in the LCD suitable to send the message over.
5a) If there is a corresponding LCD entry, then this session will be used to send the message.
5b) If there is no corresponding LCD entry, then open a session using the openSession() ASI (discussed further in Section 5.3.1). Implementations MAY wish to offer message buffering to prevent redundant openSession() calls for the same cache entry. If an error is returned from openSession(), then discard the message, discard the tmStateReference, increment the snmpTlstmSessionOpenErrors, return an error indication to the calling module, and stop the processing of the message.
6) Using either the session indicated by the tmSessionID (if there was one) or the session resulting from a previous step (4 or 5), pass the outgoingMessage to (D)TLS for encapsulation and transmission.
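The sendMessage procedure in steps 1 to 6 above as an added example (not code from RFC 5953 or from any TLSTM implementation), including the three counters the steps name and the tmSameSecurity check that stops a reply from being sent over a different session than the request arrived on. The Session class, the LCD dictionary and the make_opener() stand-in for openSession() are constructed for this example; the LCD "suitable entry" rule of step 5 is taken here to mean same domain, address and tmSecurityName with at least the requested security level.

```python
"""Added example (not from RFC 5953): the TLSTM sendMessage procedure."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import itertools

LEVELS = ("noAuthNoPriv", "authNoPriv", "authPriv")


class TlstmError(Exception):
    """Error indication returned to the Dispatcher in statusInformation."""


@dataclass
class Session:
    tlstm_session_id: int
    domain: str             # snmpTLSTCPDomain or snmpDTLSUDPDomain
    address: str
    security_name: str      # tmSecurityName derived for the session
    security_level: str     # actual tmSecurityLevel of the (D)TLS connection
    is_open: bool = True
    sent: List[bytes] = field(default_factory=list)   # stands in for (D)TLS


def make_opener(fail_address: str) -> Callable[..., Session]:
    """Constructed stand-in for openSession(): sessions come up authPriv,
    and opening a session to fail_address fails."""
    ids = itertools.count(1)

    def opener(domain: str, address: str, name: str, level: str) -> Session:
        if address == fail_address:
            raise TlstmError("(D)TLS handshake failed")
        return Session(next(ids), domain, address, name, "authPriv")
    return opener


class TlstmSender:
    REQUIRED = ("tmTransportDomain", "tmTransportAddress", "tmSecurityName",
                "tmRequestedSecurityLevel", "tmSameSecurity")

    def __init__(self, open_session: Callable[..., Session]) -> None:
        self._open_session = open_session
        self.lcd: Dict[int, Session] = {}          # tlstmSessionID -> session
        self.counters = {"snmpTlstmSessionInvalidCaches": 0,
                         "snmpTlstmSessionNoSessions": 0,
                         "snmpTlstmSessionOpenErrors": 0}

    def _lookup(self, domain: str, address: str, name: str,
                level: str) -> Optional[Session]:
        """Step 5a: an open LCD entry to the same endpoint and principal
        that provides at least the requested security level."""
        for s in self.lcd.values():
            if (s.is_open
                    and (s.domain, s.address, s.security_name)
                    == (domain, address, name)
                    and LEVELS.index(s.security_level) >= LEVELS.index(level)):
                return s
        return None

    def _open(self, ref: dict, domain: str, address: str, name: str,
              level: str) -> Session:
        """Steps 4 / 5b: openSession(); on failure count, discard, report."""
        try:
            s = self._open_session(domain, address, name, level)
        except TlstmError:
            self.counters["snmpTlstmSessionOpenErrors"] += 1
            ref.clear()                            # discard tmStateReference
            raise
        self.lcd[s.tlstm_session_id] = s
        ref["tmSessionID"] = s.tlstm_session_id    # openSession OUT parameter
        return s

    def send_message(self, outgoing: bytes, ref: dict) -> int:
        """Return the tlstmSessionID the message was handed to (D)TLS on."""
        if any(k not in ref for k in self.REQUIRED):              # step 1
            self.counters["snmpTlstmSessionInvalidCaches"] += 1
            raise TlstmError("tmStateReference cache incomplete")
        sid = ref.get("tmSessionID")                              # step 2
        domain, address = ref["tmTransportDomain"], ref["tmTransportAddress"]
        name, level = ref["tmSecurityName"], ref["tmRequestedSecurityLevel"]
        session = self.lcd.get(sid) if sid is not None else None
        if session is not None and not session.is_open:
            session = None
        if ref["tmSameSecurity"] and session is None:             # step 3
            self.counters["snmpTlstmSessionNoSessions"] += 1
            raise TlstmError("tmSameSecurity set but session unavailable")
        if session is None and sid is not None:                   # step 4
            session = self._open(ref, domain, address, name, level)
        elif session is None:                                     # step 5
            session = self._lookup(domain, address, name, level)  # 5a
            if session is None:                                   # 5b
                session = self._open(ref, domain, address, name, level)
        session.sent.append(outgoing)                             # step 6
        return session.tlstm_session_id


def send_or_error(tx: TlstmSender, outgoing: bytes, ref: dict) -> Optional[int]:
    """tlstmSessionID on success, None when an error indication is returned."""
    try:
        return tx.send_message(outgoing, ref)
    except TlstmError:
        return None
```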
Establishing a (D)TLS connection as either a client or a server requires slightly different processing. The following two sections describe the necessary processing steps.
The TLS Transport Model provides the following primitive for use by a client to establish a new (D)TLS connection:
   statusInformation =          -- errorIndication or success
   openSession(
       IN tmStateReference      -- transport information to be used
       OUT tmStateReference     -- transport information to be used
       IN maxMessageSize        -- of the sending SNMP entity
   )
The following describes the procedure to follow when establishing an SNMP over a (D)TLS connection between SNMP engines for exchanging SNMP messages. This process is followed by any SNMP client's engine when establishing a session for subsequent use.
This procedure MAY be done automatically for an SNMP application that initiates a transaction, such as a command generator, a notification originator, or a proxy forwarder.
1) The snmpTlstmSessionOpens counter is incremented.
2) The client selects the appropriate certificate and cipher_suites for the key agreement based on the tmSecurityName and the tmRequestedSecurityLevel for the session. For sessions being established as a result of an SNMP-TARGET-MIB based operation, the certificate will potentially have been identified via the snmpTlstmParamsTable mapping and the cipher_suites will have to be taken from a system-wide or implementation-specific configuration. If no row in the snmpTlstmParamsTable exists, then implementations MAY choose to establish the connection using a default client certificate available to the application. Otherwise, the certificate and appropriate cipher_suites will need to be passed to the openSession() ASI as supplemental information or configured through an implementation-dependent mechanism. It is also implementation-dependent and possibly policy-dependent how tmRequestedSecurityLevel will be used to influence the security capabilities provided by the (D)TLS connection. However this is done, the security capabilities provided by (D)TLS MUST be at least as high as the level of security indicated by the tmRequestedSecurityLevel parameter. The actual security level of the session is reported in the tmStateReference cache as tmSecurityLevel. For (D)TLS to provide strong authentication, each principal acting as a command generator SHOULD have its own certificate.
3) Using the destTransportDomain and destTransportAddress values, the client will initiate the (D)TLS handshake protocol to establish session keys for message integrity and encryption.
If the attempt to establish a session is unsuccessful, then snmpTlstmSessionOpenErrors is incremented, an error indication is returned, and processing stops. If the session failed to open because the presented server certificate was unknown or invalid, then the snmpTlstmSessionUnknownServerCertificate or snmpTlstmSessionInvalidServerCertificates MUST be incremented and an snmpTlstmServerCertificateUnknown or snmpTlstmServerInvalidCertificate notification SHOULD be sent as appropriate. Reasons for server certificate invalidation include, but are not limited to, cryptographic validation failures and an unexpected presented certificate identity.
4) The (D)TLS client MUST then verify that the (D)TLS server's presented certificate is the expected certificate. The (D)TLS client MUST NOT transmit SNMP messages until the server certificate has been authenticated, the client certificate has been transmitted and the TLS connection has been fully established.
If the connection is being established from a configuration based on SNMP-TARGET-MIB configuration, then the snmpTlstmAddrTable DESCRIPTION clause describes how the verification is done (using either a certificate fingerprint, or an identity authenticated via certification path validation).
If the connection is being established for reasons other than configuration found in the SNMP-TARGET-MIB, then configuration and procedures outside the scope of this document should be followed. Configuration mechanisms SHOULD be similar in nature to those defined in the snmpTlstmAddrTable to ensure consistency across management configuration systems. For example, a command-line tool for generating SNMP GETs might support specifying either the server's certificate fingerprint or the expected host name as a command-line argument.
5) (D)TLS provides assurance that the authenticated identity has been signed by a trusted configured Certification Authority. If verification of the server's certificate fails in any way (for example, because of failures in cryptographic verification or because the presented identity did not match the expected named entity), then the session establishment MUST fail and the snmpTlstmSessionInvalidServerCertificates object is incremented. If the session cannot be opened for any reason at all, including cryptographic verification failures and snmpTlstmCertToTSNTable lookup failures, then the snmpTlstmSessionOpenErrors counter is incremented and processing stops.
6) The TLSTM-specific session identifier (tlstmSessionID) is set in the tmSessionID of the tmStateReference passed to the TLS Transport Model to indicate that the session has been established successfully and to point to a specific (D)TLS connection for future use. The tlstmSessionID is also stored in the LCD for later lookup during processing of incoming messages (Section 5.1.2).
A (D)TLS server should accept new session connections from any client for which it is able to verify the client's credentials. This is done by authenticating the client's presented certificate through a certificate path validation process (e.g., [RFC5280]) or through certificate fingerprint verification using fingerprints configured in the snmpTlstmCertToTSNTable. Afterward, the server will determine the identity of the remote entity using the following procedures.
The (D)TLS server identifies the authenticated identity from the (D)TLS client's principal certificate using configuration information from the snmpTlstmCertToTSNTable mapping table. The (D)TLS server MUST request and expect a certificate from the client and MUST NOT accept SNMP messages over the (D)TLS connection until the client has sent a certificate and it has been authenticated. The resulting derived tmSecurityName is recorded in the tmStateReference cache as tmSecurityName. The details of the lookup process are fully described in the DESCRIPTION clause of the snmpTlstmCertToTSNTable MIB object. If any verification fails in any way (for example, because of failures in cryptographic verification or because of the lack of an appropriate row in the snmpTlstmCertToTSNTable), then the session establishment MUST fail, and the snmpTlstmSessionInvalidClientCertificates object is incremented. If the session cannot be opened for any reason at all, including cryptographic verification failures, then the snmpTlstmSessionOpenErrors counter is incremented and processing stops.
Servers that wish to support multiple principals at a particular port SHOULD make use of a (D)TLS extension that allows server-side principal selection like the Server Name Indication extension defined in Section 3.1 of [RFC4366]. Supporting this will allow, for example, sending notifications to a specific principal at a given TCP or UDP port.
The TLS Transport Model provides the following primitive to close a session:
   statusInformation = closeSession(
       IN tmSessionID           -- session ID of the session to be closed
   )
The following describes the procedure to follow to close a session between a client and server. This process is followed by any SNMP engine closing the corresponding SNMP session.
1) Increment either the snmpTlstmSessionClientCloses or the snmpTlstmSessionServerCloses counter as appropriate.
2) Look up the session using the tmSessionID.
3) If there is no open session associated with the tmSessionID, then closeSession processing is completed.
4) Have (D)TLS close the specified connection. This MUST include sending a close_notify TLS Alert to inform the other side that session cleanup may be performed.
This MIB module provides management of the TLS Transport Model. It defines needed textual conventions, statistical counters, notifications, and configuration infrastructure necessary for session establishment. Example usage of the configuration tables can be found in Appendix A.
Objects in this MIB module are arranged into subtrees. Each subtree is organized as a set of related objects. The overall structure and assignment of objects to their subtrees, and the intended purpose of each subtree, is shown below.
Generic and Common Textual Conventions used in this module can be found summarized at http://www.ops.ietf.org/mib-common-tcs.html.
This module defines the following new Textual Conventions:
o A new TransportAddress format for describing (D)TLS connection addressing requirements.
o A certificate fingerprint allowing MIB module objects to generically refer to a stored X.509 certificate using a cryptographic hash as a reference pointer.
The SNMP-TLS-TM-MIB defines counters that provide network management stations with information about session usage and potential errors that a device may be experiencing.
The SNMP-TLS-TM-MIB defines configuration tables that an administrator can use for configuring a device for sending and receiving SNMP messages over (D)TLS. In particular, there are MIB tables that extend the SNMP-TARGET-MIB for configuring (D)TLS certificate usage and a MIB table for mapping incoming (D)TLS client certificates to SNMPv3 tmSecurityNames.
The SNMP-TLS-TM-MIB defines notifications to alert management stations when a (D)TLS connection fails because a server's presented certificate did not meet an expected value (snmpTlstmServerCertificateUnknown) or because cryptographic validation failed (snmpTlstmServerInvalidCertificate).
Some management objects defined in other MIB modules are applicable to an entity implementing the TLS Transport Model. In particular, it is assumed that an entity implementing the SNMP-TLS-TM-MIB will implement the SNMPv2-MIB [RFC3418], the SNMP-FRAMEWORK-MIB [RFC3411], the SNMP-TARGET-MIB [RFC3413], the SNMP-NOTIFICATION-MIB [RFC3413], and the SNMP-VIEW-BASED-ACM-MIB [RFC3415].
The SNMP-TLS-TM-MIB module contained in this document is for managing TLS Transport Model information.
The SNMP-TLS-TM-MIB module imports items from SNMPv2-SMI [RFC2578], SNMPv2-TC [RFC2579], SNMP-FRAMEWORK-MIB [RFC3411], SNMP-TARGET-MIB [RFC3413], and SNMPv2-CONF [RFC2580].
SNMP-TLS-TM-MIB DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
    mib-2, snmpDomains, Counter32, Unsigned32, Gauge32, NOTIFICATION-TYPE
        FROM SNMPv2-SMI                 -- RFC 2578 or any update thereof
    TEXTUAL-CONVENTION, TimeStamp, RowStatus, StorageType, AutonomousType
        FROM SNMPv2-TC                  -- RFC 2579 or any update thereof
    MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
        FROM SNMPv2-CONF                -- RFC 2580 or any update thereof
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB         -- RFC 3411 or any update thereof
    snmpTargetParamsName, snmpTargetAddrName
        FROM SNMP-TARGET-MIB            -- RFC 3413 or any update thereof
    ;
snmpTlstmMIB MODULE-IDENTITY
    LAST-UPDATED "201005070000Z"
    ORGANIZATION "ISMS Working Group"
    CONTACT-INFO
        "WG-EMail:   isms@lists.ietf.org
         Subscribe:  isms-request@lists.ietf.org

         Chairs:
           Juergen Schoenwaelder
           Jacobs University Bremen
           Campus Ring 1
           28725 Bremen
           Germany
           +49 421 200-3587
           j.schoenwaelder@jacobs-university.de

           Russ Mundy
           SPARTA, Inc.
           7110 Samuel Morse Drive
           Columbia, MD 21046
           USA

         Editor:
           Wes Hardaker
           SPARTA, Inc.
           P.O. Box 382
           Davis, CA 95617
           USA
           ietf@hardakers.net
        "
    DESCRIPTION
        "The TLS Transport Model MIB

         Copyright (c) 2010 IETF Trust and the persons identified as
         the document authors.  All rights reserved.

         Redistribution and use in source and binary forms, with or
         without modification, is permitted pursuant to, and subject
         to the license terms contained in, the Simplified BSD License
         set forth in Section 4.c of the IETF Trust's Legal Provisions
         Relating to IETF Documents
         (http://trustee.ietf.org/license-info)."

    REVISION     "201005070000Z"
    DESCRIPTION  "This version of this MIB module is part of RFC 5953;
                  see the RFC itself for full legal notices."

    ::= { mib-2 198 }
-- ************************************************
-- subtrees of the SNMP-TLS-TM-MIB
-- ************************************************

snmpTlstmNotifications OBJECT IDENTIFIER ::= { snmpTlstmMIB 0 }
snmpTlstmIdentities    OBJECT IDENTIFIER ::= { snmpTlstmMIB 1 }
snmpTlstmObjects       OBJECT IDENTIFIER ::= { snmpTlstmMIB 2 }
snmpTlstmConformance   OBJECT IDENTIFIER ::= { snmpTlstmMIB 3 }

-- ************************************************
-- snmpTlstmObjects - Objects
-- ************************************************
snmpTLSTCPDomain OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "The SNMP over TLS via TCP transport domain.  The corresponding
         transport address is of type SnmpTLSAddress.

         The securityName prefix to be associated with the
         snmpTLSTCPDomain is 'tls'.  This prefix may be used by security
         models or other components to identify which secure transport
         infrastructure authenticated a securityName."
    REFERENCE
        "RFC 2579: Textual Conventions for SMIv2"
    ::= { snmpDomains 8 }
snmpDTLSUDPDomain OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
        "The SNMP over DTLS via UDP transport domain.  The corresponding
         transport address is of type SnmpTLSAddress.

         The securityName prefix to be associated with the
         snmpDTLSUDPDomain is 'dtls'.  This prefix may be used by
         security models or other components to identify which secure
         transport infrastructure authenticated a securityName."
    REFERENCE
        "RFC 2579: Textual Conventions for SMIv2"
    ::= { snmpDomains 9 }
SnmpTLSAddress ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "1a"
    STATUS       current
    DESCRIPTION
        "Represents an IPv4 address, an IPv6 address, or a
         US-ASCII-encoded hostname and port number.

         An IPv4 address must be in dotted decimal format followed by a
         colon ':' (US-ASCII character 0x3A) and a decimal port number
         in US-ASCII.

         An IPv6 address must be a colon-separated format (as described
         in RFC 5952), surrounded by square brackets ('[', US-ASCII
         character 0x5B, and ']', US-ASCII character 0x5D), followed by
         a colon ':' (US-ASCII character 0x3A) and a decimal port number
         in US-ASCII.

         A hostname is always in US-ASCII (as per [RFC1033]);
         internationalized hostnames are encoded in US-ASCII as domain
         names after transformation via the ToASCII operation specified
         in [RFC3490].  The ToASCII operation MUST be performed with the
         UseSTD3ASCIIRules flag set.  The hostname is followed by a
         colon ':' (US-ASCII character 0x3A) and a decimal port number
         in US-ASCII.  The name SHOULD be fully qualified whenever
         possible.

         Values of this textual convention may not be directly usable as
         transport-layer addressing information, and may require
         run-time resolution.  As such, applications that write them
         must be prepared for handling errors if such values are not
         supported, or cannot be resolved (if resolution occurs at the
         time of the management operation).

         The DESCRIPTION clause of TransportAddress objects that may
         have SnmpTLSAddress values must fully describe how (and when)
         such names are to be resolved to IP addresses and vice versa.

         This textual convention SHOULD NOT be used directly in object
         definitions since it restricts addresses to a specific format.
         However, if it is used, it MAY be used either on its own or in
         conjunction with TransportAddressType or TransportDomain as a
         pair.

         When this textual convention is used as a syntax of an index
         object, there may be issues with the limit of 128
         sub-identifiers specified in SMIv2 (STD 58).  It is RECOMMENDED
         that all MIB documents using this textual convention make
         explicit any limitations on index component lengths that
         management software must observe.  This may be done either by
         including SIZE constraints on the index components or by
         specifying applicable constraints in the conceptual row
         DESCRIPTION clause or in the surrounding documentation."
    REFERENCE
        "RFC 1033: DOMAIN ADMINISTRATORS OPERATIONS GUIDE
         RFC 3490: Internationalizing Domain Names in Applications
         RFC 5952: A Recommendation for IPv6 Address Text
                   Representation
        "
    SYNTAX OCTET STRING (SIZE (1..255))
SnmpTLSFingerprint ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "1x:1x"
    STATUS current
    DESCRIPTION
        "A fingerprint value that can be used to uniquely reference other data of potentially arbitrary length.

        An SnmpTLSFingerprint value is composed of a 1-octet hashing algorithm identifier followed by the fingerprint value. The octet value encoded is taken from the IANA TLS HashAlgorithm Registry (RFC 5246). The remaining octets are filled using the results of the hashing algorithm.

        This TEXTUAL-CONVENTION allows for a zero-length (blank) SnmpTLSFingerprint value for use in tables where the fingerprint value may be optional. MIB definitions or implementations may refuse to accept a zero-length value as appropriate."
    REFERENCE
        "RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2
         http://www.iana.org/assignments/tls-parameters/"
    SYNTAX OCTET STRING (SIZE (0..255))
-- Identities for use in the snmpTlstmCertToTSNTable

snmpTlstmCertToTSNMIdentities OBJECT IDENTIFIER ::= { snmpTlstmIdentities 1 }
snmpTlstmCertSpecified OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "Directly specifies the tmSecurityName to be used for this certificate. The value of the tmSecurityName to use is specified in the snmpTlstmCertToTSNData column. The snmpTlstmCertToTSNData column must contain a non-zero length SnmpAdminString compliant value or the mapping described in this row must be considered a failure."
    ::= { snmpTlstmCertToTSNMIdentities 1 }
snmpTlstmCertSANRFC822Name OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "Maps a subjectAltName's rfc822Name to a tmSecurityName. The local part of the rfc822Name is passed unaltered but the host-part of the name must be passed in lowercase. This mapping results in a 1:1 correspondence between equivalent subjectAltName rfc822Name values and tmSecurityName values except that the host-part of the name MUST be passed in lowercase.

        Example rfc822Name Field: FooBar@Example.COM is mapped to tmSecurityName: FooBar@example.com."
    ::= { snmpTlstmCertToTSNMIdentities 2 }
snmpTlstmCertSANDNSName OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "Maps a subjectAltName's dNSName to a tmSecurityName after first converting it to all lowercase (RFC 5280 does not specify converting to lowercase so this involves an extra step). This mapping results in a 1:1 correspondence between subjectAltName dNSName values and the tmSecurityName values."
    REFERENCE
        "RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile."
    ::= { snmpTlstmCertToTSNMIdentities 3 }
snmpTlstmCertSANIpAddress OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "Maps a subjectAltName's iPAddress to a tmSecurityName by transforming the binary encoded address as follows:

        1) for IPv4, the value is converted into a decimal-dotted quad address (e.g., '192.0.2.1').

        2) for IPv6 addresses, the value is converted into a 32-character all lowercase hexadecimal string without any colon separators.

        This mapping results in a 1:1 correspondence between subjectAltName iPAddress values and the tmSecurityName values.

        The resulting length of an encoded IPv6 address is the maximum length supported by the View-Based Access Control Model (VACM). Using both the Transport Security Model's support for transport prefixes (see the SNMP-TSM-MIB's snmpTsmConfigurationUsePrefix object for details) will result in securityName lengths that exceed what VACM can handle."
    ::= { snmpTlstmCertToTSNMIdentities 4 }
snmpTlstmCertSANAny OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "Maps any of the following fields using the corresponding mapping algorithms:

        |------------+----------------------------|
        | Type       | Algorithm                  |
        |------------+----------------------------|
        | rfc822Name | snmpTlstmCertSANRFC822Name |
        | dNSName    | snmpTlstmCertSANDNSName    |
        | iPAddress  | snmpTlstmCertSANIpAddress  |
        |------------+----------------------------|

        The first matching subjectAltName value found in the certificate of the above types MUST be used when deriving the tmSecurityName. The mapping algorithm specified in the 'Algorithm' column MUST be used to derive the tmSecurityName.

        This mapping results in a 1:1 correspondence between subjectAltName values and tmSecurityName values. The three sub-mapping algorithms produced by this combined algorithm cannot produce conflicting results between themselves."
    ::= { snmpTlstmCertToTSNMIdentities 5 }
snmpTlstmCertCommonName OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "Maps a certificate's CommonName to a tmSecurityName after converting it to a UTF-8 encoding. The usage of CommonNames is deprecated and users are encouraged to use subjectAltName mapping methods instead. This mapping results in a 1:1 correspondence between certificate CommonName values and tmSecurityName values."
    ::= { snmpTlstmCertToTSNMIdentities 6 }
-- The snmpTlstmSession Group

snmpTlstmSession OBJECT IDENTIFIER ::= { snmpTlstmObjects 1 }
snmpTlstmSessionOpens OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times an openSession() request has been executed as a (D)TLS client, regardless of whether it succeeded or failed."
    ::= { snmpTlstmSession 1 }

snmpTlstmSessionClientCloses OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times a closeSession() request has been executed as an (D)TLS client, regardless of whether it succeeded or failed."
    ::= { snmpTlstmSession 2 }

snmpTlstmSessionOpenErrors OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times an openSession() request failed to open a session as a (D)TLS client, for any reason."
    ::= { snmpTlstmSession 3 }

snmpTlstmSessionAccepts OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times a (D)TLS server has accepted a new connection from a client and has received at least one SNMP message through it."
    ::= { snmpTlstmSession 4 }

snmpTlstmSessionServerCloses OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times a closeSession() request has been executed as an (D)TLS server, regardless of whether it succeeded or failed."
    ::= { snmpTlstmSession 5 }

snmpTlstmSessionNoSessions OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times an outgoing message was dropped because the session associated with the passed tmStateReference was no longer (or was never) available."
    ::= { snmpTlstmSession 6 }

snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times an incoming session was not established on an (D)TLS server because the presented client certificate was invalid. Reasons for invalidation include, but are not limited to, cryptographic validation failures or lack of a suitable mapping row in the snmpTlstmCertToTSNTable."
    ::= { snmpTlstmSession 7 }

snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times an outgoing session was not established on an (D)TLS client because the server certificate presented by an SNMP over (D)TLS server was invalid because no configured fingerprint or Certification Authority (CA) was acceptable to validate it. This may result because there was no entry in the snmpTlstmAddrTable or because no path could be found to a known CA."
    ::= { snmpTlstmSession 8 }

snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of times an outgoing session was not established on an (D)TLS client because the server certificate presented by an SNMP over (D)TLS server could not be validated even if the fingerprint or expected validation path was known. That is, a cryptographic validation error occurred during certificate validation processing.

        Reasons for invalidation include, but are not limited to, cryptographic validation failures."
    ::= { snmpTlstmSession 9 }

snmpTlstmSessionInvalidCaches OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of outgoing messages dropped because the tmStateReference referred to an invalid cache."
    ::= { snmpTlstmSession 10 }
-- Configuration Objects

snmpTlstmConfig OBJECT IDENTIFIER ::= { snmpTlstmObjects 2 }

-- Certificate mapping

snmpTlstmCertificateMapping OBJECT IDENTIFIER ::= { snmpTlstmConfig 1 }

snmpTlstmCertToTSNCount OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "A count of the number of entries in the snmpTlstmCertToTSNTable."
    ::= { snmpTlstmCertificateMapping 1 }

snmpTlstmCertToTSNTableLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of sysUpTime.0 when the snmpTlstmCertToTSNTable was last modified through any means, or 0 if it has not been modified since the command responder was started."
    ::= { snmpTlstmCertificateMapping 2 }
snmpTlstmCertToTSNTable OBJECT-TYPE
    SYNTAX SEQUENCE OF SnmpTlstmCertToTSNEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This table is used by a (D)TLS server to map the (D)TLS client's presented X.509 certificate to a tmSecurityName.

        On an incoming (D)TLS/SNMP connection, the client's presented certificate must either be validated based on an established trust anchor, or it must directly match a fingerprint in this table. This table does not provide any mechanisms for configuring the trust anchors; the transfer of any needed trusted certificates for path validation is expected to occur through an out-of-band transfer.

        Once the certificate has been found acceptable (either by path validation or directly matching a fingerprint in this table), this table is consulted to determine the appropriate tmSecurityName to identify with the remote connection. This is done by considering each active row from this table in prioritized order according to its snmpTlstmCertToTSNID value. Each row's snmpTlstmCertToTSNFingerprint value determines whether the row is a match for the incoming connection:

        1) If the row's snmpTlstmCertToTSNFingerprint value identifies the presented certificate, then consider the row as a successful match.

        2) If the row's snmpTlstmCertToTSNFingerprint value identifies a locally held copy of a trusted CA certificate and that CA certificate was used to validate the path to the presented certificate, then consider the row as a successful match.

        Once a matching row has been found, the snmpTlstmCertToTSNMapType value can be used to determine how the tmSecurityName to associate with the session should be determined. See the snmpTlstmCertToTSNMapType column's DESCRIPTION for details on determining the tmSecurityName value. If it is impossible to determine a tmSecurityName from the row's data combined with the data presented in the certificate, then additional rows MUST be searched looking for another potential match. If a resulting tmSecurityName mapped from a given row is not compatible with the needed requirements of a tmSecurityName (e.g., VACM imposes a 32-octet-maximum length and the certificate derived securityName could be longer), then it must be considered an invalid match and additional rows MUST be searched looking for another potential match.

        If no matching and valid row can be found, the connection MUST be closed and SNMP messages MUST NOT be accepted over it.

        Missing values of snmpTlstmCertToTSNID are acceptable and implementations should continue to the next highest numbered row. It is recommended that administrators skip index values to leave room for the insertion of future rows (for example, use values of 10 and 20 when creating initial rows).

        Users are encouraged to make use of certificates with subjectAltName fields that can be used as tmSecurityNames so that a single root CA certificate can allow all child certificate's subjectAltName to map directly to a tmSecurityName via a 1:1 transformation. However, this table is flexible to allow for situations where existing deployed certificate infrastructures do not provide adequate subjectAltName values for use as tmSecurityNames. Certificates may also be mapped to tmSecurityNames using the CommonName portion of the Subject field. However, the usage of the CommonName field is deprecated and thus this usage is NOT RECOMMENDED. Direct mapping from each individual certificate fingerprint to a tmSecurityName is also possible but requires one entry in the table per tmSecurityName and requires more management operations to completely configure a device."
    ::= { snmpTlstmCertificateMapping 3 }
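As an added example that is not part of RFC 5953 or of any TLSTM implementation, the following Python models the SnmpTLSFingerprint encoding and the snmpTlstmCertToTSNTable lookup described above: rows are walked in snmpTlstmCertToTSNID order, a row matches when its fingerprint identifies either the presented certificate or the trusted CA that validated its path, the row's map type is applied (including the subjectAltName transforms from the OBJECT-IDENTITY clauses), and an empty or over-length (VACM 32-octet) result sends the search on to the next row. The Cert and Row classes and all certificate bytes are constructed stand-ins; real DER parsing and path validation are assumed to happen before this lookup.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TLS HashAlgorithm registry values (RFC 5246): the first octet of an
# SnmpTLSFingerprint names the hash, the remaining octets are its output.
HASH_ALG: Dict[str, int] = {"md5": 1, "sha1": 2, "sha224": 3,
                            "sha256": 4, "sha384": 5, "sha512": 6}
HASH_ALG_NAME = {v: k for k, v in HASH_ALG.items()}

VACM_MAX_SECURITY_NAME = 32  # octets; a longer mapped name is an invalid match


def tls_fingerprint(cert_der: bytes, alg: str = "sha256") -> bytes:
    """Encode an SnmpTLSFingerprint: algorithm id octet + digest of the DER."""
    return bytes([HASH_ALG[alg]]) + hashlib.new(alg, cert_der).digest()


def fingerprint_matches(fp: bytes, cert_der: bytes) -> bool:
    """Recompute the digest using the algorithm named by the leading octet."""
    if len(fp) < 2 or fp[0] not in HASH_ALG_NAME:
        return False  # zero-length or unknown-algorithm fingerprints never match
    return hashlib.new(HASH_ALG_NAME[fp[0]], cert_der).digest() == fp[1:]


@dataclass
class Cert:                              # constructed stand-in for a parsed X.509 cert
    der: bytes                           # bytes the fingerprint is computed over
    sans: List[Tuple[str, object]]       # (SAN type, value) in certificate order
    common_name: Optional[str] = None


@dataclass
class Row:                               # one snmpTlstmCertToTSNEntry
    id: int                              # snmpTlstmCertToTSNID; lower = higher priority
    fingerprint: bytes                   # snmpTlstmCertToTSNFingerprint
    map_type: str                        # snmpTlstmCertToTSNMapType identity name
    data: bytes = b""                    # snmpTlstmCertToTSNData
    active: bool = True                  # RowStatus active(1)


# subjectAltName -> tmSecurityName transforms from the OBJECT-IDENTITY clauses
def map_rfc822(name: str) -> str:
    local, _, host = name.rpartition("@")
    return f"{local}@{host.lower()}"    # local part unaltered, host part lowercased


def map_dns(name: str) -> str:
    return name.lower()


def map_ip(packed: bytes) -> str:
    if len(packed) == 4:
        return str(ipaddress.IPv4Address(packed))  # decimal-dotted quad
    return packed.hex()                  # 32 lowercase hex chars, no colons


SAN_MAP = {"rfc822Name": map_rfc822, "dNSName": map_dns, "iPAddress": map_ip}


def first_san(cert: Cert, types) -> Optional[str]:
    """First SAN of an allowed type, in certificate order (snmpTlstmCertSANAny)."""
    for san_type, value in cert.sans:
        if san_type in types:
            return SAN_MAP[san_type](value)
    return None


def derive_name(row: Row, cert: Cert) -> Optional[str]:
    """Apply the row's map type; None means this row cannot yield a name."""
    t = row.map_type
    if t == "snmpTlstmCertSpecified":
        return row.data.decode("utf-8") if row.data else None
    if t == "snmpTlstmCertSANRFC822Name":
        return first_san(cert, {"rfc822Name"})
    if t == "snmpTlstmCertSANDNSName":
        return first_san(cert, {"dNSName"})
    if t == "snmpTlstmCertSANIpAddress":
        return first_san(cert, {"iPAddress"})
    if t == "snmpTlstmCertSANAny":
        return first_san(cert, set(SAN_MAP))
    if t == "snmpTlstmCertCommonName":
        return cert.common_name          # deprecated mapping, NOT RECOMMENDED
    return None


def resolve_tm_security_name(rows: List[Row], cert: Cert,
                             path_ca_der: Optional[bytes] = None) -> Optional[str]:
    """Table walk for an already-acceptable certificate. path_ca_der is the DER
    of the trusted CA that validated the presented certificate's path, or None
    when acceptance rests on a direct fingerprint match only. Returns None when
    no matching, valid row exists; the connection MUST then be closed."""
    for row in sorted(rows, key=lambda r: r.id):
        if not row.active:
            continue
        direct = fingerprint_matches(row.fingerprint, cert.der)
        via_ca = path_ca_der is not None and fingerprint_matches(row.fingerprint, path_ca_der)
        if not (direct or via_ca):
            continue
        name = derive_name(row, cert)
        if name is None:
            continue                     # row cannot produce a name: keep searching
        if len(name.encode("utf-8")) > VACM_MAX_SECURITY_NAME:
            continue                     # too long for VACM: invalid match, keep searching
        return name
    return None
```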
snmpTlstmCertToTSNEntry OBJECT-TYPE
    SYNTAX SnmpTlstmCertToTSNEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A row in the snmpTlstmCertToTSNTable that specifies a mapping for an incoming (D)TLS certificate to a tmSecurityName to use for a connection."
    INDEX { snmpTlstmCertToTSNID }
    ::= { snmpTlstmCertToTSNTable 1 }

SnmpTlstmCertToTSNEntry ::= SEQUENCE {
    snmpTlstmCertToTSNID            Unsigned32,
    snmpTlstmCertToTSNFingerprint   SnmpTLSFingerprint,
    snmpTlstmCertToTSNMapType       AutonomousType,
    snmpTlstmCertToTSNData          OCTET STRING,
    snmpTlstmCertToTSNStorageType   StorageType,
    snmpTlstmCertToTSNRowStatus     RowStatus
}

snmpTlstmCertToTSNID OBJECT-TYPE
    SYNTAX Unsigned32 (1..4294967295)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A unique, prioritized index for the given entry. Lower numbers indicate a higher priority."
    ::= { snmpTlstmCertToTSNEntry 1 }

snmpTlstmCertToTSNFingerprint OBJECT-TYPE
    SYNTAX SnmpTLSFingerprint (SIZE(1..255))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "A cryptographic hash of a X.509 certificate. The results of a successful matching fingerprint to either the trusted CA in the certificate validation path or to the certificate itself is dictated by the snmpTlstmCertToTSNMapType column."
    ::= { snmpTlstmCertToTSNEntry 2 }

snmpTlstmCertToTSNMapType OBJECT-TYPE
    SYNTAX AutonomousType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Specifies the mapping type for deriving a tmSecurityName from a certificate. Details for mapping of a particular type SHALL be specified in the DESCRIPTION clause of the OBJECT-IDENTITY that describes the mapping. If a mapping succeeds it will return a tmSecurityName for use by the TLSTM model and processing stops.

        If the resulting mapped value is not compatible with the needed requirements of a tmSecurityName (e.g., VACM imposes a 32-octet-maximum length and the certificate derived securityName could be longer), then future rows MUST be searched for additional snmpTlstmCertToTSNFingerprint matches to look for a mapping that succeeds.

        Suitable values for assigning to this object that are defined within the SNMP-TLS-TM-MIB can be found in the snmpTlstmCertToTSNMIdentities portion of the MIB tree."
    DEFVAL { snmpTlstmCertSpecified }
    ::= { snmpTlstmCertToTSNEntry 3 }

snmpTlstmCertToTSNData OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..1024))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Auxiliary data used as optional configuration information for a given mapping specified by the snmpTlstmCertToTSNMapType column. Only some mapping systems will make use of this column. The value in this column MUST be ignored for any mapping type that does not require data present in this column."
    DEFVAL { "" }
    ::= { snmpTlstmCertToTSNEntry 4 }

snmpTlstmCertToTSNStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for this conceptual row. Conceptual rows having the value 'permanent' need not allow write-access to any columnar objects in the row."
    DEFVAL { nonVolatile }
    ::= { snmpTlstmCertToTSNEntry 5 }

snmpTlstmCertToTSNRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The status of this conceptual row. This object may be used to create or remove rows from this table.

        To create a row in this table, an administrator must set this object to either createAndGo(4) or createAndWait(5).

        Until instances of all corresponding columns are appropriately configured, the value of the corresponding instance of the snmpTlstmParamsRowStatus column is notReady(3).

        In particular, a newly created row cannot be made active until the corresponding snmpTlstmCertToTSNFingerprint, snmpTlstmCertToTSNMapType, and snmpTlstmCertToTSNData columns have been set.

        The following objects may not be modified while the value of this object is active(1):
            - snmpTlstmCertToTSNFingerprint
            - snmpTlstmCertToTSNMapType
            - snmpTlstmCertToTSNData

        An attempt to set these objects while the value of snmpTlstmParamsRowStatus is active(1) will result in an inconsistentValue error."
    ::= { snmpTlstmCertToTSNEntry 6 }
-- Maps tmSecurityNames to certificates for use by the SNMP-TARGET-MIB

snmpTlstmParamsCount OBJECT-TYPE
    SYNTAX Gauge32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "A count of the number of entries in the snmpTlstmParamsTable."
    ::= { snmpTlstmCertificateMapping 4 }

snmpTlstmParamsTableLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of sysUpTime.0 when the snmpTlstmParamsTable was last modified through any means, or 0 if it has not been modified since the command responder was started."
    ::= { snmpTlstmCertificateMapping 5 }

snmpTlstmParamsTable OBJECT-TYPE
    SYNTAX SEQUENCE OF SnmpTlstmParamsEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This table is used by a (D)TLS client when a (D)TLS connection is being set up using an entry in the SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's snmpTargetParamsTable with a fingerprint of a certificate to use when establishing such a (D)TLS connection."
    ::= { snmpTlstmCertificateMapping 6 }

snmpTlstmParamsEntry OBJECT-TYPE
    SYNTAX SnmpTlstmParamsEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A conceptual row containing a fingerprint hash of a locally held certificate for a given snmpTargetParamsEntry. The values in this row should be ignored if the connection that needs to be established, as indicated by the SNMP-TARGET-MIB infrastructure, is not a certificate and (D)TLS based connection. The connection SHOULD NOT be established if the certificate fingerprint stored in this entry does not point to a valid locally held certificate or if it points to an unusable certificate (such as might happen when the certificate's expiration date has been reached)."
    INDEX { IMPLIED snmpTargetParamsName }
    ::= { snmpTlstmParamsTable 1 }

SnmpTlstmParamsEntry ::= SEQUENCE {
    snmpTlstmParamsClientFingerprint   SnmpTLSFingerprint,
    snmpTlstmParamsStorageType         StorageType,
    snmpTlstmParamsRowStatus           RowStatus
}

snmpTlstmParamsClientFingerprint OBJECT-TYPE
    SYNTAX SnmpTLSFingerprint
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object stores the hash of the public portion of a locally held X.509 certificate. The X.509 certificate, its public key, and the corresponding private key will be used when initiating a (D)TLS connection as a (D)TLS client."
    ::= { snmpTlstmParamsEntry 1 }

snmpTlstmParamsStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for this conceptual row. Conceptual rows having the value 'permanent' need not allow write-access to any columnar objects in the row."
    DEFVAL { nonVolatile }
    ::= { snmpTlstmParamsEntry 2 }
snmpTlstmParamsStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this conceptual row. Conceptual rows having the value 'permanent' need not allow write-access to any columnar objects in the row." DEFVAL { nonVolatile } ::= { snmpTlstmParamsEntry 2 }
    snmpTlstmParamsRowStatus OBJECT-TYPE
        SYNTAX      RowStatus
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The status of this conceptual row.  This object may be used
             to create or remove rows from this table.

             To create a row in this table, an administrator must set
             this object to either createAndGo(4) or createAndWait(5).

             Until instances of all corresponding columns are
             appropriately configured, the value of the corresponding
             instance of the snmpTlstmParamsRowStatus column is
             notReady(3).

             In particular, a newly created row cannot be made active
             until the corresponding snmpTlstmParamsClientFingerprint
             column has been set.

             The snmpTlstmParamsClientFingerprint object may not be
             modified while the value of this object is active(1).

             An attempt to set these objects while the value of
             snmpTlstmParamsRowStatus is active(1) will result in an
             inconsistentValue error."
        ::= { snmpTlstmParamsEntry 3 }
    snmpTlstmAddrCount OBJECT-TYPE
        SYNTAX      Gauge32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A count of the number of entries in the snmpTlstmAddrTable."
        ::= { snmpTlstmCertificateMapping 7 }

    snmpTlstmAddrTableLastChanged OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The value of sysUpTime.0 when the snmpTlstmAddrTable
             was last modified through any means, or 0 if it has not
             been modified since the command responder was started."
        ::= { snmpTlstmCertificateMapping 8 }

    snmpTlstmAddrTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF SnmpTlstmAddrEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "This table is used by a (D)TLS client when a (D)TLS
             connection is being set up using an entry in the
             SNMP-TARGET-MIB.  It extends the SNMP-TARGET-MIB's
             snmpTargetAddrTable so that the client can verify that the
             correct server has been reached.  This verification can use
             either a certificate fingerprint, or an identity
             authenticated via certification path validation.

             If there is an active row in this table corresponding to the
             entry in the SNMP-TARGET-MIB that was used to establish the
             connection, and the row's snmpTlstmAddrServerFingerprint
             column has non-empty value, then the server's presented
             certificate is compared with the
             snmpTlstmAddrServerFingerprint value (and the
             snmpTlstmAddrServerIdentity column is ignored).  If the
             fingerprint matches, the verification has succeeded.  If the
             fingerprint does not match, then the connection MUST be
             closed.

             If the server's presented certificate has passed
             certification path validation [RFC5280] to a configured
             trust anchor, and an active row exists with a zero-length
             snmpTlstmAddrServerFingerprint value, then the
             snmpTlstmAddrServerIdentity column contains the expected
             host name.  This expected host name is then compared against
             the server's certificate as follows:

             - Implementations MUST support matching the expected host
               name against a dNSName in the subjectAltName extension
               field and MAY support checking the name against the
               CommonName portion of the subject distinguished name.

             - The '*' (ASCII 0x2a) wildcard character is allowed in the
               dNSName of the subjectAltName extension (and in common
               name, if used to store the host name), but only as the
               left-most (least significant) DNS label in that value.
               This wildcard matches any left-most DNS label in the
               server name.  That is, the subject *.example.com matches
               the server names a.example.com and b.example.com, but does
               not match example.com or a.b.example.com.  Implementations
               MUST support wildcards in certificates as specified above,
               but MAY provide a configuration option to disable them.

             - If the locally configured name is an internationalized
               domain name, conforming implementations MUST convert it to
               the ASCII Compatible Encoding (ACE) format for performing
               comparisons, as specified in Section 7 of [RFC5280].

             If the expected host name fails these conditions then the
             connection MUST be closed.

             If there is no row in this table corresponding to the entry
             in the SNMP-TARGET-MIB and the server can be authorized by
             another, implementation-dependent means, then the connection
             MAY still proceed."
        ::= { snmpTlstmCertificateMapping 9 }
    snmpTlstmAddrEntry OBJECT-TYPE
        SYNTAX      SnmpTlstmAddrEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A conceptual row containing a copy of a certificate's
             fingerprint for a given snmpTargetAddrEntry.  The values in
             this row should be ignored if the connection that needs to
             be established, as indicated by the SNMP-TARGET-MIB
             infrastructure, is not a (D)TLS based connection.  If an
             snmpTlstmAddrEntry exists for a given snmpTargetAddrEntry,
             then the presented server certificate MUST match or the
             connection MUST NOT be established.  If a row in this table
             does not exist to match an snmpTargetAddrEntry row, then the
             connection SHOULD still proceed if some other certificate
             validation path algorithm (e.g., RFC 5280) can be used."
        INDEX   { IMPLIED snmpTargetAddrName }
        ::= { snmpTlstmAddrTable 1 }

    SnmpTlstmAddrEntry ::= SEQUENCE {
        snmpTlstmAddrServerFingerprint  SnmpTLSFingerprint,
        snmpTlstmAddrServerIdentity     SnmpAdminString,
        snmpTlstmAddrStorageType        StorageType,
        snmpTlstmAddrRowStatus          RowStatus
    }

    snmpTlstmAddrServerFingerprint OBJECT-TYPE
        SYNTAX      SnmpTLSFingerprint
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "A cryptographic hash of a public X.509 certificate.  This
             object should store the hash of the public X.509 certificate
             that the remote server should present during the (D)TLS
             connection setup.  The fingerprint of the presented
             certificate and this hash value MUST match exactly or the
             connection MUST NOT be established."
        DEFVAL      { "" }
        ::= { snmpTlstmAddrEntry 1 }

    snmpTlstmAddrServerIdentity OBJECT-TYPE
        SYNTAX      SnmpAdminString
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The reference identity to check against the identity
             presented by the remote system."
        DEFVAL      { "" }
        ::= { snmpTlstmAddrEntry 2 }

    snmpTlstmAddrStorageType OBJECT-TYPE
        SYNTAX      StorageType
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The storage type for this conceptual row.  Conceptual rows
             having the value 'permanent' need not allow write-access to
             any columnar objects in the row."
        DEFVAL      { nonVolatile }
        ::= { snmpTlstmAddrEntry 3 }
    snmpTlstmAddrRowStatus OBJECT-TYPE
        SYNTAX      RowStatus
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The status of this conceptual row.  This object may be used
             to create or remove rows from this table.

             To create a row in this table, an administrator must set
             this object to either createAndGo(4) or createAndWait(5).

             Until instances of all corresponding columns are
             appropriately configured, the value of the corresponding
             instance of the snmpTlstmAddrRowStatus column is
             notReady(3).

             In particular, a newly created row cannot be made active
             until the corresponding snmpTlstmAddrServerFingerprint
             column has been set.

             Rows MUST NOT be active if the snmpTlstmAddrServerFingerprint
             column is blank and the snmpTlstmAddrServerIdentity is set
             to '*' since this would insecurely accept any presented
             certificate.

             The snmpTlstmAddrServerFingerprint object may not be
             modified while the value of this object is active(1).

             An attempt to set these objects while the value of
             snmpTlstmAddrRowStatus is active(1) will result in an
             inconsistentValue error."
        ::= { snmpTlstmAddrEntry 4 }
    -- ************************************************
    -- snmpTlstmNotifications - Notifications Information
    -- ************************************************

    snmpTlstmServerCertificateUnknown NOTIFICATION-TYPE
        OBJECTS { snmpTlstmSessionUnknownServerCertificate }
        STATUS  current
        DESCRIPTION
            "Notification that the server certificate presented by an
             SNMP over (D)TLS server was invalid because no configured
             fingerprint or CA was acceptable to validate it.  This may
             be because there was no entry in the snmpTlstmAddrTable or
             because no path could be found to a known Certification
             Authority.

             To avoid notification loops, this notification MUST NOT be
             sent to servers that themselves have triggered the
             notification."
        ::= { snmpTlstmNotifications 1 }

    snmpTlstmServerInvalidCertificate NOTIFICATION-TYPE
        OBJECTS { snmpTlstmAddrServerFingerprint,
                  snmpTlstmSessionInvalidServerCertificates }
        STATUS  current
        DESCRIPTION
            "Notification that the server certificate presented by an
             SNMP over (D)TLS server could not be validated even if the
             fingerprint or expected validation path was known.  That is,
             a cryptographic validation error occurred during certificate
             validation processing.

             To avoid notification loops, this notification MUST NOT be
             sent to servers that themselves have triggered the
             notification."
        ::= { snmpTlstmNotifications 2 }
    -- ************************************************
    -- snmpTlstmCompliances - Conformance Information
    -- ************************************************

    snmpTlstmCompliances OBJECT IDENTIFIER ::= { snmpTlstmConformance 1 }

    snmpTlstmGroups OBJECT IDENTIFIER ::= { snmpTlstmConformance 2 }

    -- ************************************************
    -- Compliance statements
    -- ************************************************

    snmpTlstmCompliance MODULE-COMPLIANCE
        STATUS      current
        DESCRIPTION
            "The compliance statement for SNMP engines that support the
             SNMP-TLS-TM-MIB"
        MODULE
            MANDATORY-GROUPS { snmpTlstmStatsGroup,
                               snmpTlstmIncomingGroup,
                               snmpTlstmOutgoingGroup,
                               snmpTlstmNotificationGroup }
        ::= { snmpTlstmCompliances 1 }
    -- ************************************************
    -- Units of conformance
    -- ************************************************

    snmpTlstmStatsGroup OBJECT-GROUP
        OBJECTS {
            snmpTlstmSessionOpens,
            snmpTlstmSessionClientCloses,
            snmpTlstmSessionOpenErrors,
            snmpTlstmSessionAccepts,
            snmpTlstmSessionServerCloses,
            snmpTlstmSessionNoSessions,
            snmpTlstmSessionInvalidClientCertificates,
            snmpTlstmSessionUnknownServerCertificate,
            snmpTlstmSessionInvalidServerCertificates,
            snmpTlstmSessionInvalidCaches
        }
        STATUS      current
        DESCRIPTION
            "A collection of objects for maintaining statistical
             information of an SNMP engine that implements the SNMP TLS
             Transport Model."
        ::= { snmpTlstmGroups 1 }

    snmpTlstmIncomingGroup OBJECT-GROUP
        OBJECTS {
            snmpTlstmCertToTSNCount,
            snmpTlstmCertToTSNTableLastChanged,
            snmpTlstmCertToTSNFingerprint,
            snmpTlstmCertToTSNMapType,
            snmpTlstmCertToTSNData,
            snmpTlstmCertToTSNStorageType,
            snmpTlstmCertToTSNRowStatus
        }
        STATUS      current
        DESCRIPTION
            "A collection of objects for maintaining incoming connection
             certificate mappings to tmSecurityNames of an SNMP engine
             that implements the SNMP TLS Transport Model."
        ::= { snmpTlstmGroups 2 }

    snmpTlstmOutgoingGroup OBJECT-GROUP
        OBJECTS {
            snmpTlstmParamsCount,
            snmpTlstmParamsTableLastChanged,
            snmpTlstmParamsClientFingerprint,
            snmpTlstmParamsStorageType,
            snmpTlstmParamsRowStatus,
            snmpTlstmAddrCount,
            snmpTlstmAddrTableLastChanged,
            snmpTlstmAddrServerFingerprint,
            snmpTlstmAddrServerIdentity,
            snmpTlstmAddrStorageType,
            snmpTlstmAddrRowStatus
        }
        STATUS      current
        DESCRIPTION
            "A collection of objects for maintaining outgoing connection
             certificates to use when opening connections as a result of
             SNMP-TARGET-MIB settings."
        ::= { snmpTlstmGroups 3 }

    snmpTlstmNotificationGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
            snmpTlstmServerCertificateUnknown,
            snmpTlstmServerInvalidCertificate
        }
        STATUS      current
        DESCRIPTION
            "Notifications"
        ::= { snmpTlstmGroups 4 }
    END
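The snmpTlstmAddrTable DESCRIPTION above spells out how a (D)TLS client verifies the server it reached (fingerprint first, otherwise certification path validation plus reference-identity matching under the left-most-label wildcard and ACE rules), and snmpTlstmAddrRowStatus forbids the blank-fingerprint/'*' combination. The Python below is an added example of that decision procedure, not code from RFC 5953 or from any SNMP implementation; AddrRow and PresentedCert are constructed stand-ins for the MIB row and for what a TLS library reports about the peer, and the RFC 5280 path-validation result is assumed to have been computed elsewhere.

```python
"""Outgoing-connection server verification following the snmpTlstmAddrTable
and snmpTlstmAddrRowStatus DESCRIPTION clauses.  Added example; AddrRow and
PresentedCert are constructed stand-ins, not an SNMP implementation's types."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# SnmpTLSFingerprint layout: first octet is the TLS HashAlgorithm registry id
# (RFC 5246 Section 7.4.1.4.1), remaining octets are the hash of the DER cert.
HASH_ALGS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}


@dataclass
class AddrRow:
    """One snmpTlstmAddrEntry (constructed stand-in for the MIB row)."""
    server_fingerprint: bytes = b""   # snmpTlstmAddrServerFingerprint, DEFVAL ""
    server_identity: str = ""         # snmpTlstmAddrServerIdentity, DEFVAL ""
    active: bool = True               # snmpTlstmAddrRowStatus == active(1)


@dataclass
class PresentedCert:
    """What the (D)TLS layer reports about the server certificate (assumed)."""
    der: bytes
    dns_names: List[str] = field(default_factory=list)  # subjectAltName dNSName
    common_name: Optional[str] = None                   # subject CN
    path_valid: bool = False   # RFC 5280 path validation to a configured trust anchor


def row_may_be_active(row: AddrRow) -> bool:
    """snmpTlstmAddrRowStatus rule: a blank fingerprint together with the
    identity '*' would accept any certificate and MUST NOT be active."""
    return not (row.server_fingerprint == b"" and row.server_identity == "*")


def fingerprint_matches(fp: bytes, der: bytes) -> bool:
    """Exact match of the presented certificate against an SnmpTLSFingerprint."""
    if len(fp) < 2 or fp[0] not in HASH_ALGS:
        return False
    digest = hashlib.new(HASH_ALGS[fp[0]], der).digest()
    return hmac.compare_digest(digest, fp[1:])


def to_ace(name: str) -> str:
    """RFC 5280 Section 7: compare an internationalized name in its ACE form."""
    return name.encode("idna").decode("ascii").lower()


def dns_name_matches(cert_name: str, reference: str, allow_wildcards: bool = True) -> bool:
    """Match one certificate name against the reference identity.  '*' is
    accepted only as the whole left-most label and matches exactly one label."""
    c_labels = cert_name.lower().split(".")
    r_labels = reference.lower().split(".")
    if len(c_labels) != len(r_labels):
        return False   # *.example.com matches neither example.com nor a.b.example.com
    if any("*" in label for label in c_labels[1:]):
        return False   # a wildcard anywhere but the left-most label is rejected
    if c_labels[0] == "*":
        return allow_wildcards and r_labels[0] != "" and c_labels[1:] == r_labels[1:]
    return c_labels == r_labels


def verify_server(row: Optional[AddrRow], cert: PresentedCert,
                  allow_cn: bool = False, allow_wildcards: bool = True) -> str:
    """Return 'accept', 'close', or 'no-row'.  'no-row' means the connection MAY
    proceed only if some other, implementation-dependent authorization applies.
    An inactive row is treated like a missing one here (a simplification)."""
    if row is None or not row.active:
        return "no-row"
    if not row_may_be_active(row):
        return "close"                        # misconfigured row: never trust it
    if row.server_fingerprint != b"":         # fingerprint mode; identity column ignored
        return "accept" if fingerprint_matches(row.server_fingerprint, cert.der) else "close"
    if not cert.path_valid:                   # identity mode needs a valid certification path
        return "close"
    names = list(cert.dns_names)
    if allow_cn and cert.common_name:         # checking the CN is only a MAY
        names.append(cert.common_name)
    reference = to_ace(row.server_identity)
    if any(dns_name_matches(n, reference, allow_wildcards) for n in names):
        return "accept"
    return "close"


# Constructed sample data: a fake DER blob and a sha256 SnmpTLSFingerprint of it.
SAMPLE_DER = b"constructed-stand-in-for-a-DER-encoded-certificate"
SAMPLE_FP = bytes([4]) + hashlib.sha256(SAMPLE_DER).digest()
```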
This section discusses various operational aspects of deploying TLSTM.
A session is discussed throughout this document as meaning a security association between two TLSTM instances. State information for the sessions is maintained in each TLSTM implementation, and this information is created and destroyed as sessions are opened and closed. A "broken" session (one side up and one side down) can result if one side of a session is brought down abruptly (e.g., reboot, power outage). Whenever possible, implementations SHOULD provide graceful session termination through the use of TLS disconnect messages. Implementations SHOULD also have a system in place for detecting "broken" sessions through the use of heartbeats [HEARTBEAT] or other detection mechanisms.
Implementations SHOULD limit the lifetime of established sessions depending on the algorithms used for generation of the master session secret, the privacy and integrity algorithms used to protect messages, the environment of the session, the amount of data transferred, and the sensitivity of the data.
When an SNMP engine needs to establish an outgoing session for notifications, the snmpTargetParamsTable includes an entry for the snmpTargetParamsSecurityName of the target. Servers that wish to support multiple principals at a particular port SHOULD make use of the Server Name Indication extension defined in Section 3.1 of [RFC4366]. Without the Server Name Indication the receiving SNMP engine (server) will not know which (D)TLS certificate to offer to the client so that the tmSecurityName identity-authentication will be successful.
Another solution is to maintain a one-to-one mapping between certificates and incoming ports for notification receivers. This can be handled at the notification originator by configuring the snmpTargetAddrTable (snmpTargetAddrTDomain and snmpTargetAddrTAddress) and requiring the receiving SNMP engine to monitor multiple incoming static ports based on which principals are capable of receiving notifications.
Implementations MAY also choose to designate a single Notification Receiver Principal to receive all incoming notifications, or select an implementation-specific method of selecting a server certificate to present to clients.
SNMPv3 requires that an application know the identifier (snmpEngineID) of the remote SNMP protocol engine in order to retrieve or manipulate objects maintained on the remote SNMP entity.
[RFC5343] introduces a well-known localEngineID and a discovery mechanism that can be used to learn the snmpEngineID of a remote SNMP protocol engine. Implementations are RECOMMENDED to support and use the contextEngineID discovery mechanism defined in [RFC5343].
This document defines how SNMP messages can be transmitted over the TLS- and DTLS-based protocols. Each of these protocols is additionally based on other transports (TCP and UDP). These two base protocols also have operational considerations that must be taken into account when selecting a (D)TLS-based protocol to use, such as its performance in degraded or limited networks. It is beyond the scope of this document to summarize the characteristics of these transport mechanisms. Please refer to the base protocol documents for details on messaging considerations with respect to MTU size, fragmentation, performance in lossy networks, etc.
This document describes a transport model that permits SNMP to utilize (D)TLS security services. The security threats and how the (D)TLS transport model mitigates these threats are covered in detail throughout this document. Security considerations for DTLS are covered in [RFC4347] and security considerations for TLS are described in Section 11 and Appendices D, E, and F of TLS 1.2 [RFC5246]. When run over a connectionless transport such as UDP, DTLS is more vulnerable to denial-of-service attacks from spoofed IP addresses; see Section 4.2 for details on how the cookie exchange is used to address this issue.
Implementations are responsible for providing a security certificate installation and configuration mechanism. Implementations SHOULD support certificate revocation lists.
(D)TLS provides for authentication of the identity of both the (D)TLS server and the (D)TLS client. Access to MIB objects for the authenticated principal MUST be enforced by an access control subsystem (e.g., the VACM).
Authentication of the command generator principal's identity is important for use with the SNMP access control subsystem to ensure that only authorized principals have access to potentially sensitive data. The authenticated identity of the command generator principal's certificate is mapped to an SNMP model-independent securityName for use with SNMP access control.
The (D)TLS handshake only provides assurance that the certificate of the authenticated identity has been signed by a configured accepted Certification Authority. (D)TLS has no way to further authorize or reject access based on the authenticated identity. An Access Control Model (such as the VACM) provides access control and authorization of a command generator's requests to a command responder and a notification receiver's authorization to receive Notifications from a notification originator. However, to avoid man-in-the-middle attacks, both ends of the (D)TLS-based connection MUST check the certificate presented by the other side against what was expected. For example, command generators must check that the command responder presented and authenticated itself with an X.509 certificate that was expected. Not doing so would allow an impostor, at a minimum, to present false data, receive sensitive information, and/or provide a false belief that configuration was actually received and acted upon. Authenticating and verifying the identity of the (D)TLS server and the (D)TLS client for all operations ensures the authenticity of the SNMP engine that provides MIB data.
The instructions found in the DESCRIPTION clause of the snmpTlstmCertToTSNTable object must be followed exactly. It is also important that the rows of the table be searched in prioritized order starting with the row containing the lowest numbered snmpTlstmCertToTSNID value.
This section discusses security considerations specific to the usage of (D)TLS.
Implementations of TLS typically support multiple versions of the Transport Layer Security protocol as well as the older Secure Sockets Layer (SSL) protocol. Because of known security vulnerabilities, TLSTM clients and servers MUST NOT request, offer, or use SSL 2.0. See Appendix E.2 of [RFC5246] for further details.
The use of Perfect Forward Secrecy is RECOMMENDED and can be provided by (D)TLS with appropriately selected cipher_suites, as discussed in Appendix F of [RFC5246].
The SNMPv1 and SNMPv2c message processing described in [RFC3584] (BCP 74) always selects the SNMPv1 or SNMPv2c Security Models, respectively. Both of these and the User-based Security Model typically used with SNMPv3 derive the securityName and securityLevel from the SNMP message received, even when the message was received over a secure transport. Access control decisions are therefore made based on the contents of the SNMP message, rather than using the authenticated identity and securityLevel provided by the TLS Transport Model. It is RECOMMENDED that only SNMPv3 messages using the Transport Security Model (TSM) or another secure-transport aware security model be sent over the TLSTM transport.
Using a non-transport-aware Security Model with a secure Transport Model is NOT RECOMMENDED. See [RFC5590] Section 7.1 for additional details on the coexistence of security-aware transports and non-transport-aware security models.
There are a number of management objects defined in this MIB module with a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations. These are the tables and objects and their sensitivity/vulnerability:

o The snmpTlstmParamsTable can be used to change the outgoing X.509 certificate used to establish a (D)TLS connection. Modifications to objects in this table need to be adequately authenticated, since modifications to values in this table will have profound impacts on the security of outbound connections from the device. Since knowledge of authorization rules and certificate usage mechanisms may be considered sensitive, protection from disclosure of the SNMP traffic via encryption is also highly recommended.

o The snmpTlstmAddrTable can be used to change the expectations of the certificates presented by a remote (D)TLS server. Modifications to objects in this table need to be adequately authenticated, since modifications to values in this table will have profound impacts on the security of outbound connections from the device. Since knowledge of authorization rules and certificate usage mechanisms may be considered sensitive, protection from disclosure of the SNMP traffic via encryption is also highly recommended.

o The snmpTlstmCertToTSNTable is used to specify the mapping of incoming X.509 certificates to tmSecurityNames, which eventually get mapped to a SNMPv3 securityName. Modifications to objects in this table need to be adequately authenticated, since modifications to values in this table will have profound impacts on the security of incoming connections to the device. Since knowledge of authorization rules and certificate usage mechanisms may be considered sensitive, protection from disclosure of the SNMP traffic via encryption is also highly recommended. When this table contains a significant number of rows, it may affect system performance when accepting new (D)TLS connections.
Some of the readable objects in this MIB module (i.e., objects with a MAX-ACCESS other than not-accessible) may be considered sensitive or vulnerable in some network environments. It is thus important to control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. These are the tables and objects and their sensitivity/vulnerability:
o This MIB contains a collection of counters that monitor the (D)TLS connections being established with a device. Since knowledge of connection and certificate usage mechanisms may be considered sensitive, protection from disclosure of the SNMP traffic via encryption is highly recommended.
SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example, by using IPsec), even then, there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module.
It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], Section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.
IANA has assigned:

1. Two TCP/UDP port numbers from the "Registered Ports" range of the Port Numbers registry, with the following keywords:

   Keyword        Decimal     Description      References
   -------        -------     -----------      ----------
   snmptls        10161/tcp   SNMP-TLS         [RFC5953]
   snmpdtls       10161/udp   SNMP-DTLS        [RFC5953]
   snmptls-trap   10162/tcp   SNMP-Trap-TLS    [RFC5953]
   snmpdtls-trap  10162/udp   SNMP-Trap-DTLS   [RFC5953]

   These are the default ports for receipt of SNMP command messages (snmptls and snmpdtls) and SNMP notification messages (snmptls-trap and snmpdtls-trap) over a TLS Transport Model as defined in this document.

2. An SMI number (8) under snmpDomains for the snmpTLSTCPDomain object identifier

3. An SMI number (9) under snmpDomains for the snmpDTLSUDPDomain object identifier

4. An SMI number (198) under mib-2, for the MIB module in this document

5. "tls" as the corresponding prefix for the snmpTLSTCPDomain in the SNMP Transport Domains registry

6. "dtls" as the corresponding prefix for the snmpDTLSUDPDomain in the SNMP Transport Domains registry
This document closely follows and copies the Secure Shell Transport Model for SNMP documented by David Harrington and Joseph Salowey in [RFC5592].
This document was reviewed by the following people who helped provide useful comments (in alphabetical order): Andy Donati, Pasi Eronen, David Harrington, Jeffrey Hutzelman, Alan Luchuk, Michael Peck, Tom Petch, Randy Presuhn, Ray Purvis, Peter Saint-Andre, Joseph Salowey, Juergen Schoenwaelder, Dave Shield, and Robert Story.
This work was supported in part by the United States Department of Defense. Large portions of this document are based on work by General Dynamics C4 Systems and the following individuals: Brian Baril, Kim Bryant, Dana Deluca, Dan Hanson, Tim Huemiller, John Holzhauer, Colin Hoogeboom, Dave Kornbau, Chris Knaian, Dan Knaul, Charles Limoges, Steve Moccaldi, Gerardo Orlando, and Brandon Yip.
[RFC1033] Lottor, M., "Domain administrators operations guide", RFC 1033, November 1987.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.

[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.

[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002.

[RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network Management Protocol (SNMP) Applications", STD 62, RFC 3413, December 2002.

[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

[RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, December 2002.

[RFC3418] Presuhn, R., "Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3418, December 2002.

[RFC3490] Faltstrom, P., Hoffman, P., and A. Costello, "Internationalizing Domain Names in Applications (IDNA)", RFC 3490, March 2003.

[RFC3584] Frye, R., Levi, D., Routhier, S., and B. Wijnen, "Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework", BCP 74, RFC 3584, August 2003.

[RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security", RFC 4347, April 2006.

[RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and T. Wright, "Transport Layer Security (TLS) Extensions", RFC 4366, April 2006.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.

[RFC5590] Harrington, D. and J. Schoenwaelder, "Transport Subsystem for the Simple Network Management Protocol (SNMP)", RFC 5590, June 2009.

[RFC5591] Harrington, D. and W. Hardaker, "Transport Security Model for the Simple Network Management Protocol (SNMP)", RFC 5591, June 2009.

[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 Address Text Representation", RFC 5952, August 2010.

[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002.

[RFC5343] Schoenwaelder, J., "Simple Network Management Protocol (SNMP) Context EngineID Discovery", RFC 5343, September 2008.

[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure Shell Transport Model for the Simple Network Management Protocol (SNMP)", RFC 5592, June 2009.

[HEARTBEAT] Seggelmann, R., Tuexen, M., and M. Williams, "Transport Layer Security and Datagram Transport Layer Security Heartbeat Extension", Work in Progress, February 2010.
The following sections describe example configuration for the SNMP-TLS-TM-MIB, the SNMP-TARGET-MIB, the NOTIFICATION-MIB, and the SNMP-VIEW-BASED-ACM-MIB.

The following row adds the "Joe Cool" user to the "administrators" group:

   vacmSecurityModel = 4 (TSM)
   vacmSecurityName = "Joe Cool"
   vacmGroupName = "administrators"
   vacmSecurityToGroupStorageType = 3 (nonVolatile)
   vacmSecurityToGroupStatus = 4 (createAndGo)

The following row configures the snmpTlstmAddrTable to use certificate path validation and to require the remote notification receiver to present a certificate for the "server.example.org" identity:

   snmpTargetAddrName = "toNRAddr"
   snmpTlstmAddrServerFingerprint = ""
   snmpTlstmAddrServerIdentity = "server.example.org"
   snmpTlstmAddrStorageType = 3 (nonVolatile)
   snmpTlstmAddrRowStatus = 4 (createAndGo)

The following row configures the snmpTargetAddrTable to send notifications using TLS/TCP to the snmptls-trap port at 192.0.2.1:

   snmpTargetAddrName = "toNRAddr"
   snmpTargetAddrTDomain = snmpTLSTCPDomain
   snmpTargetAddrTAddress = "192.0.2.1:10162"
   snmpTargetAddrTimeout = 1500
   snmpTargetAddrRetryCount = 3
   snmpTargetAddrTagList = "toNRTag"
   snmpTargetAddrParams = "toNR" (MUST match below)
   snmpTargetAddrStorageType = 3 (nonVolatile)
   snmpTargetAddrRowStatus = 4 (createAndGo)

The following row configures the snmpTargetParamsTable to send the notifications to "Joe Cool", using authPriv SNMPv3 notifications through the TransportSecurityModel [RFC5591]:

   snmpTargetParamsName = "toNR" (must match above)
   snmpTargetParamsMPModel = 3 (SNMPv3)
   snmpTargetParamsSecurityModel = 4 (TransportSecurityModel)
   snmpTargetParamsSecurityName = "Joe Cool"
   snmpTargetParamsSecurityLevel = 3 (authPriv)
   snmpTargetParamsStorageType = 3 (nonVolatile)
   snmpTargetParamsRowStatus = 4 (createAndGo)

The following row configures the snmpTlstmCertToTSNTable to map a validated client certificate, referenced by the client's public X.509 hash fingerprint, to a tmSecurityName using the subjectAltName component of the certificate:

   snmpTlstmCertToTSNID = 1 (chosen by ordering preference)
   snmpTlstmCertToTSNFingerprint = HASH (appropriate fingerprint)
   snmpTlstmCertToTSNMapType = snmpTlstmCertSANAny
   snmpTlstmCertToTSNData = "" (not used)
   snmpTlstmCertToTSNStorageType = 3 (nonVolatile)
   snmpTlstmCertToTSNRowStatus = 4 (createAndGo)

This type of configuration should only be used when the naming conventions of the (possibly multiple) Certification Authorities are well understood, so that two different principals cannot inadvertently be identified by the same derived tmSecurityName.

The following row configures the snmpTlstmCertToTSNTable to map a validated client certificate, referenced by the client's public X.509 hash fingerprint, to the directly specified tmSecurityName of "Joe Cool":

   snmpTlstmCertToTSNID = 2 (chosen by ordering preference)
   snmpTlstmCertToTSNFingerprint = HASH (appropriate fingerprint)
   snmpTlstmCertToTSNMapType = snmpTlstmCertSpecified
   snmpTlstmCertToTSNSecurityName = "Joe Cool"
   snmpTlstmCertToTSNStorageType = 3 (nonVolatile)
   snmpTlstmCertToTSNRowStatus = 4 (createAndGo)
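The two certificate checks that the Appendix A rows configure, as an added worked example (this is not code from RFC 5953 or from any SNMP implementation). It models the outgoing snmpTlstmAddrTable check (fingerprint pin, or path validation plus the snmpTlstmAddrServerIdentity match) and the incoming snmpTlstmCertToTSNTable lookup that yields the tmSecurityName which TSM (securityModel 4) hands to VACM, and it shows the collision the caveat above warns about, where two certificates derive the same SAN-based name. Certificates are constructed stand-in records, not real X.509; the fingerprint layout follows the SnmpTLSFingerprint textual convention (hash-algorithm octet from the TLS HashAlgorithm registry, then the digest). Matching only the leaf certificate's fingerprint, the SAN preference order (rfc822Name before dNSName), and the identity fallback to the subject CN are assumed simplifications.

```python
"""Added example: the two (D)TLS certificate checks behind the Appendix A rows,
on constructed stand-in certificates (not RFC 5953 or implementation code)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hash algorithm identifiers from the TLS HashAlgorithm registry
# (RFC 5246, Section 7.4.1.4.1). An SnmpTLSFingerprint is one such octet
# followed by the digest of the DER-encoded certificate.
HASH_ALG = {1: "md5", 2: "sha1", 4: "sha256"}


@dataclass
class Cert:
    """Constructed stand-in for an X.509 certificate (not real DER)."""
    der: bytes
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)
    san_rfc822: List[str] = field(default_factory=list)
    path_valid: bool = True   # outcome of RFC 5280 path validation, assumed given


def fingerprint(cert: Cert, alg: int = 4) -> bytes:
    """SnmpTLSFingerprint: algorithm octet + digest of the certificate bytes."""
    return bytes([alg]) + hashlib.new(HASH_ALG[alg], cert.der).digest()


def _matches(fp: bytes, cert: Cert) -> bool:
    """True when fp is a well-formed fingerprint of cert (unknown algorithm => no match)."""
    return bool(fp) and fp[0] in HASH_ALG and fingerprint(cert, fp[0]) == fp


@dataclass
class AddrRow:
    """One snmpTlstmAddrTable row (only the two objects that matter here)."""
    server_fingerprint: bytes   # empty => rely on path validation + identity
    server_identity: str        # expected name; empty => no identity check


def server_cert_acceptable(row: AddrRow, cert: Cert) -> bool:
    """Outgoing check. Assumed simplification: a configured fingerprint pins the
    certificate outright; otherwise the chain must validate and the identity must
    match a SAN dNSName or, failing that, the subject CN."""
    if row.server_fingerprint:
        return _matches(row.server_fingerprint, cert)
    if not cert.path_valid:
        return False
    if not row.server_identity:
        return True
    return row.server_identity in cert.san_dns or row.server_identity == cert.subject_cn


@dataclass
class CertToTSNRow:
    """One snmpTlstmCertToTSNTable row."""
    tsn_id: int        # snmpTlstmCertToTSNID: rows are tried in this order
    fp: bytes          # snmpTlstmCertToTSNFingerprint
    map_type: str      # "snmpTlstmCertSANAny" or "snmpTlstmCertSpecified"
    data: str = ""     # the tmSecurityName when map_type is snmpTlstmCertSpecified


def map_to_tmsecurityname(rows: List[CertToTSNRow], cert: Cert) -> Optional[str]:
    """Incoming check: the first row (by ID) whose fingerprint matches the client
    certificate decides the name. None means no tmSecurityName could be derived."""
    for row in sorted(rows, key=lambda r: r.tsn_id):
        if not _matches(row.fp, cert):
            continue
        if row.map_type == "snmpTlstmCertSpecified":
            return row.data
        if row.map_type == "snmpTlstmCertSANAny":
            names = cert.san_rfc822 + cert.san_dns   # assumed preference order
            if names:
                return names[0]
            # Matching row but no usable SAN: fall through to later rows.
    return None


def derived_name_collisions(rows: List[CertToTSNRow], certs: List[Cert]) -> Dict[str, int]:
    """The Appendix A caveat: tmSecurityNames that more than one distinct
    certificate would map to, with the number of certificates per name."""
    seen: Dict[str, Set[bytes]] = {}
    for cert in certs:
        name = map_to_tmsecurityname(rows, cert)
        if name is not None:
            seen.setdefault(name, set()).add(cert.der)
    return {name: len(ders) for name, ders in seen.items() if len(ders) > 1}


# Constructed sample data mirroring the Appendix A rows.
JOE_SAN = Cert(b"constructed DER: joe-san", "Joe Cool", san_rfc822=["joe@example.org"])
JOE_PINNED = Cert(b"constructed DER: joe-pinned", "Joe Cool")
NOTIFICATION_RECEIVER = Cert(b"constructed DER: nr", "server.example.org",
                             san_dns=["server.example.org"])
CERT_TO_TSN_ROWS = [
    CertToTSNRow(1, fingerprint(JOE_SAN), "snmpTlstmCertSANAny"),
    CertToTSNRow(2, fingerprint(JOE_PINNED), "snmpTlstmCertSpecified", "Joe Cool"),
]
# The "toNRAddr" row: empty fingerprint, so path validation plus identity check.
TO_NR_ADDR = AddrRow(server_fingerprint=b"", server_identity="server.example.org")

if __name__ == "__main__":
    print(map_to_tmsecurityname(CERT_TO_TSN_ROWS, JOE_SAN))
    print(map_to_tmsecurityname(CERT_TO_TSN_ROWS, JOE_PINNED))
    print(server_cert_acceptable(TO_NR_ADDR, NOTIFICATION_RECEIVER))
```

The ordering by snmpTlstmCertToTSNID matters: because the row with ID 1 is consulted first, a fingerprint that appears in both a SANAny row and a Specified row resolves to the SAN-derived name, which is why the caveat asks for the CA naming conventions to be understood before a SANAny row is deployed.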
Author's Address

Wes Hardaker
SPARTA, Inc.
P.O. Box 382
Davis, CA 95617
USA

Phone: +1 530 792 1913
EMail: ietf@hardakers.net