Internet Engineering Task Force (IETF)                        K. Narayan
Request for Comments: 6065                           Cisco Systems, Inc.
Category: Standards Track                                      D. Nelson
ISSN: 2070-1721                                    Elbrys Networks, Inc.
                                                         R. Presuhn, Ed.
                                                           December 2010
        

Using Authentication, Authorization, and Accounting Services to Dynamically Provision View-Based Access Control Model User-to-Group Mappings

Abstract

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols. It describes the use of information provided by Authentication, Authorization, and Accounting (AAA) services, such as the Remote Authentication Dial-In User Service (RADIUS), to dynamically update user-to-group mappings in the View-based Access Control Model (VACM).

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6065.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  The Internet-Standard Management Framework . . . . . . . . . .  3
   3.  Conventions  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   4.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
     4.1.  Using AAA services with SNMP . . . . . . . . . . . . . . .  4
     4.2.  Applicability  . . . . . . . . . . . . . . . . . . . . . .  5
   5.  Structure of the MIB Module  . . . . . . . . . . . . . . . . .  6
     5.1.  Textual Conventions  . . . . . . . . . . . . . . . . . . .  6
     5.2.  The Table Structure  . . . . . . . . . . . . . . . . . . .  6
   6.  Relationship to Other MIB Modules  . . . . . . . . . . . . . .  6
     6.1.  Relationship to the VACM MIB . . . . . . . . . . . . . . .  6
     6.2.  MIB modules Required for IMPORTS . . . . . . . . . . . . .  6
     6.3.  Documents Required for REFERENCE Clauses . . . . . . . . .  6
   7.  Elements of Procedure  . . . . . . . . . . . . . . . . . . . .  7
     7.1.  Sequencing Requirements  . . . . . . . . . . . . . . . . .  7
     7.2.  Actions upon Session Establishment Indication  . . . . . .  7
       7.2.1.  Required Information . . . . . . . . . . . . . . . . .  7
       7.2.2.  Creation of Entries in vacmAaaSecurityToGroupTable . .  8
       7.2.3.  Creation of Entries in vacmSecurityToGroupTable  . . .  8
       7.2.4.  Update of vacmGroupName  . . . . . . . . . . . . . . .  9
     7.3.  Actions upon Session Termination Indication  . . . . . . .  9
       7.3.1.  Deletion of Entries from
               vacmAaaSecurityToGroupTable  . . . . . . . . . . . . .  9
       7.3.2.  Deletion of Entries from vacmSecurityToGroupTable  . . 10
   8.  Definitions  . . . . . . . . . . . . . . . . . . . . . . . . . 10
   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 14
     9.1.  Principal Identity Naming  . . . . . . . . . . . . . . . . 14
     9.2.  Management Information Considerations  . . . . . . . . . . 15
   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 16
   11. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 16
   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
     12.1. Normative References . . . . . . . . . . . . . . . . . . . 17
     12.2. Informative References . . . . . . . . . . . . . . . . . . 18
        
1. Introduction

This memo specifies a way to dynamically provision selected View-based Access Control Model (VACM) [RFC3415] Management Information Base (MIB) objects, based on information received from an Authentication, Authorization, and Accounting (AAA) service, such as RADIUS [RFC2865] and [RFC5607]. It reduces the need for security administrators to manually update VACM configurations due to user churn, allowing a centralized AAA service to provide the information associating a given user with the access control policy (known as a "group" in VACM) governing that user's access to management information.

This memo requires no changes to the Abstract Service Interface for the Access Control Subsystem, and requires no changes to the Elements of Procedure for VACM. It provides a MIB module that reflects the information provided by the AAA service, along with elements of procedure for maintaining that information and performing corresponding updates to VACM MIB data.

The reader is expected to be familiar with [RFC3415], [RFC5607], [RFC5608], and their supporting specifications.

2. The Internet-Standard Management Framework

For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410].

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580].

3. Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

4. Overview

4.1. Using AAA services with SNMP

There are two use cases for AAA support of management access via SNMP. These are (a) service authorization and (b) access control authorization. The former is discussed in detail in [RFC5608]. The latter is the subject of this memo.

The use case assumption here is that roles within an organization (which are represented in VACM as groups, which in turn name access control policies) change infrequently, while the users assigned to those roles change much more frequently. This memo describes how the user-to-role (group) mapping can be delegated to the RADIUS server, avoiding the need to re-provision managed devices as users are added, deleted, or assigned new roles in an organization.

This memo assumes that the detailed access control policies are pre-configured in VACM, and does not attempt to address the question of how the policy associated with a given role is put in place.

The only additional information obtained from the AAA service is the mapping of the authenticated user's identifier to a specific role (or "group" in VACM terminology) in the access control policy. Dynamic user authorization for MIB database access control, as defined herein, is limited to mapping the authenticated user to a group, which in turn is mapped to whatever access control policies are already in place in VACM.

The SNMP architecture [RFC3411] maintains strong modularity and separation of concerns, separating user identity (authentication) from user database access rights (authorization). RADIUS, on the other hand, allows for no such separation of authorization from authentication. Consequently, the approach here is to leverage existing RADIUS usage for identifying a principal, documented in [RFC5608], along with the RADIUS Management-Policy-Id Attribute [RFC5607].

A unique identifier is needed for each AAA-authorized "session", corresponding to a communication channel, such as a transport session, for which a principal has been AAA-authenticated and which is authorized to offer SNMP service. How these identifiers are assigned is implementation dependent. When a RADIUS Management-Policy-Id Attribute (or equivalent) is bound to such a session and principal authentication, this binding provides sufficient information to compute dynamic updates to VACM. How this information is communicated within an implementation is implementation dependent; this memo is only concerned with externally observable behavior.

The key concept here is that what we will informally call a "AAA binding" binds:

1. a communications channel

2. an authenticated principal

3. service authorization

4. an access control policy name

Some of the binding is done via other specifications. A transport model, such as the Secure Shell Transport Model [RFC5592], provides a binding between 1 and 2 and 3, providing a securityName. In turn, [RFC5607] provides a binding between (1+2+3) and 4. This document extends that further, to create a binding between (1+2+3+4) and the local (VACM MIB) definition of the named policy, called a group in VACM.

4.2. Applicability

Though this memo was motivated to support the use of specific Transport Models, such as the Secure Shell Transport Model [RFC5592], it MAY be used with other implementation environments satisfying these requirements:

o use an AAA service for sign-on service and data access authorization;

o provide an indication of the start of a session for a particular authenticated principal in a particular role, based on information provided by the AAA service. The principal will be identified using an SNMP securityName [RFC3411]. The role will be identified by the name of the corresponding VACM group.

o provide an indication of the end of the need for being able to make access decisions for a particular authenticated principal, as at the end of a session, whether due to disconnection, termination due to timeout, or any other reason.

Likewise, although this memo specifically refers to RADIUS, it MAY be used with other AAA services satisfying these requirements:

o the service provides information semantically equivalent to the RADIUS Management-Policy-Id Attribute [RFC5607], which corresponds to the name of a VACM group;

o the service provides an authenticated principal identifier (e.g., the RADIUS User-Name Attribute [RFC2865]) that can be transformed to an equivalent principal identifier in the form of a securityName [RFC3411].

5. Structure of the MIB Module

5.1. Textual Conventions

This MIB module makes use of the SnmpAdminString [RFC3411] and SnmpSecurityModel [RFC3411] textual conventions.

5.2. The Table Structure

This MIB module defines a single table, the vacmAaaSecurityToGroupTable. This table is indexed by the integer assigned to each security model, the protocol-independent securityName corresponding to a principal, and the unique identifier of a session.

6. Relationship to Other MIB Modules

This MIB module has a close operational relationship with the SNMP-VIEW-BASED-ACM-MIB (more commonly known as the "VACM MIB") from [RFC3415]. It also relies on IMPORTS from several other modules.

6.1. Relationship to the VACM MIB

Although the MIB module defined here has a close relationship with the VACM MIB's vacmSecurityToGroupTable, it in no way changes the elements of procedure for VACM, nor does it affect any other tables defined in VACM. See the elements of procedure (below) for details of how the contents of the vacmSecurityToGroupTable are affected by this MIB module.

6.2. MIB modules Required for IMPORTS

This MIB module employs definitions from [RFC2578], [RFC2579], and [RFC3411].

6.3. Documents Required for REFERENCE Clauses

This MIB module contains REFERENCE clauses making reference to [RFC2865], [RFC3411], and [RFC5590].

7. Elements of Procedure

The following elements of procedure are formulated in terms of two types of events: an indication of the establishment of a session, and an indication that one has ended. These can result in the creation of entries in the vacmAaaSecurityToGroupTable, which can in turn trigger creation, update, or deletion of entries in the vacmSecurityToGroupTable.

There are various possible implementation-dependent error cases not spelled out here, such as running out of memory. By their nature, recovery in such cases will be implementation dependent. Implementors are advised to consider fail-safe strategies, e.g., prematurely terminating access in preference to erroneously perpetuating access.

7.1. Sequencing Requirements

These procedures assume that a transport model, such as [RFC5592], coordinates session establishment with AAA authentication and authorization. They rely on the receipt by the AAA client of the RADIUS Management-Policy-Id [RFC5607] Attribute (or its equivalent) from the RADIUS Access-Accept message (or equivalent). They also assume that the User-Name [RFC2865] from the RADIUS Access-Request message (or equivalent) corresponds to a securityName [RFC3411].

To ensure correct processing of SNMP PDUs, the handling of the indication of the establishment of a session in accordance with the elements of procedure below MUST be completed before the isAccessAllowed() Abstract Service Interface [RFC3415] is invoked for any SNMP PDUs from that session.

If a session termination indication occurs before all invocations of the isAccessAllowed() Abstract Service Interface [RFC3415] have completed for all SNMP PDUs from that session, those remaining invocations MAY result in denial of access.

7.2. Actions upon Session Establishment Indication

7.2.1. Required Information

Four pieces of information are needed to process the session establishment indication:

o the SnmpSecurityModel [RFC3411] needed as an index into the vacmSecurityToGroupTable;

o the RADIUS User-Name Attribute;

o a session identifier, as a unique, definitive identifier of the session that the AAA authorization is tied to;

o the RADIUS Management-Policy-Id Attribute.

All four of these pieces of information are REQUIRED. In particular, if either the User-Name or Management-Policy-Id is absent, invalid, or a zero-length string, no further processing of the session establishment indication is undertaken.

As noted in Section 4.2, the above text refers specifically to RADIUS attributes. Other AAA services can be substituted, but the requirements imposed on the User-Name and the Management-Policy-Id-Attribute MUST be satisfied using the equivalent fields for those services.

7.2.2. Creation of Entries in vacmAaaSecurityToGroupTable

Whenever an indication arrives that a new session has been established, determine whether a corresponding entry exists in the vacmAaaSecurityToGroupTable. If one does not, create a new row with the columns populated as follows:

o vacmAaaSecurityModel = value of SnmpSecurityModel corresponding to the security model in use;

o vacmAaaSecurityName = RADIUS User-Name Attribute or equivalent, the securityName that will be used in invocations of the isAccessAllowed() Abstract Service Interface [RFC3415];

o vacmAaaSessionID = session identifier, unique across all open sessions of all of this SNMP engine's transport models;

o vacmAaaGroupName = RADIUS Management-Policy-Id Attribute or equivalent.

Otherwise, if the row already exists, update the vacmAaaGroupName with the RADIUS Management-Policy-Id Attribute or equivalent supplied.

7.2.3. Creation of Entries in vacmSecurityToGroupTable

Whenever an entry is created in the vacmAaaSecurityToGroupTable, the vacmSecurityToGroupTable is examined to determine whether a corresponding entry exists there, using the value of vacmAaaSecurityModel for vacmSecurityModel, and the value of vacmAaaSecurityName for vacmSecurityName. If no corresponding entry exists, create one using the vacmAaaGroupName of the newly created entry to fill in vacmGroupName, using a value of "volatile" for the row's StorageType, and a value of "active" for its RowStatus.

7.2.4. Update of vacmGroupName

Whenever the value of an instance of vacmAaaGroupName is updated, if a corresponding entry exists in the vacmSecurityToGroupTable, and that entry's StorageType is "volatile" and its RowStatus is "active", update the value of vacmGroupName with the value from vacmAaaGroupName.

If a corresponding entry already exists in the vacmSecurityToGroupTable, and that row's StorageType is anything other than "volatile", or its RowStatus is anything other than "active", then that instance of vacmGroupName MUST NOT be modified.

The operational assumption here is that if the row's StorageType is "volatile", then this entry was probably dynamically created; an entry created by a security administrator would not normally be given a StorageType of "volatile". If the value being provided by RADIUS (or another AAA service) is the same as what is already there, this is a no-op. If the value is different, the new information is understood as a more recent role (group) assignment for the user, which should supersede the one currently held there. The structure of the vacmSecurityToGroupTable makes it impossible for a (vacmSecurityModel, vacmSecurityName) tuple to map to more than one group.

7.3. Actions upon Session Termination Indication

Whenever a RADIUS (or other AAA) authenticated session ends for any reason, an indication is provided. This indication MUST provide means of determining the SnmpSecurityModel, and an identifier for the transport session tied to the AAA authorization. The manner in which this occurs is implementation dependent.

7.3.1. Deletion of Entries from vacmAaaSecurityToGroupTable

Entries in the vacmAaaSecurityToGroupTable MUST NOT persist across system reboots.

When a session has been terminated, the vacmAaaSecurityToGroupTable is searched for a corresponding entry. A "matching" entry is any entry for which the SnmpSecurityModel and session ID match the information associated with the session termination indication. Any matching entries are deleted. It is possible that no entries will match; this is not an error, and no special processing is required in this case.

7.3.2. Deletion of Entries from vacmSecurityToGroupTable

Whenever the last remaining row bearing a particular (vacmAaaSecurityModel, vacmAaaSecurityName) pair is deleted from the vacmAaaSecurityToGroupTable, the vacmSecurityToGroupTable is examined for a corresponding row. If one exists, and if its StorageType is "volatile" and its RowStatus is "active", that row MUST be deleted as well. The mechanism to accomplish this task is implementation dependent.
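
The elements of procedure of Section 7, worked through as an added example (this code is not part of RFC 6065 nor of any SNMP implementation): an in-memory model of the two tables driven by session establishment and termination indications, using constructed securityNames, session identifiers and group names, and SnmpSecurityModel value 3 (USM, as assigned in RFC 3411).

```python
# Added example, not from RFC 6065: a minimal in-memory model of the Section 7
# elements of procedure.  Tables, indications and sample values are constructed
# for illustration; a real SNMP engine keeps these tables in its own datastore.
from dataclasses import dataclass, field

VOLATILE, ACTIVE = "volatile", "active"


@dataclass
class VacmRow:
    """One row of vacmSecurityToGroupTable (RFC 3415); the index is kept by the caller."""
    group_name: str
    storage_type: str = VOLATILE
    row_status: str = ACTIVE


@dataclass
class Engine:
    # vacmAaaSecurityToGroupTable: (securityModel, securityName, sessionID) -> groupName
    aaa: dict = field(default_factory=dict)
    # vacmSecurityToGroupTable: (securityModel, securityName) -> VacmRow
    vacm: dict = field(default_factory=dict)

    def session_established(self, model, user_name, session_id, policy_id):
        # 7.2.1: all four pieces of information are REQUIRED; an absent or
        # zero-length User-Name / Management-Policy-Id stops processing.
        if model is None or session_id is None or not user_name or not policy_id:
            return False
        key = (model, user_name, session_id)
        if key in self.aaa:
            # 7.2.2, row already exists: update vacmAaaGroupName, which is
            # what triggers the 7.2.4 update rule for vacmGroupName.
            self.aaa[key] = policy_id
            self._update_group(model, user_name, policy_id)
            return True
        # 7.2.2, new row, then 7.2.3: create a volatile/active VACM row only
        # if no (model, name) row exists yet; 7.2.3 creates, it never overwrites.
        self.aaa[key] = policy_id
        self.vacm.setdefault((model, user_name), VacmRow(policy_id))
        return True

    def _update_group(self, model, user_name, policy_id):
        # 7.2.4: only a volatile AND active row (one this procedure created) may
        # be overwritten; rows provisioned by an administrator are never touched.
        row = self.vacm.get((model, user_name))
        if row is not None and row.storage_type == VOLATILE and row.row_status == ACTIVE:
            row.group_name = policy_id

    def session_terminated(self, model, session_id):
        # 7.3.1: delete every AAA row whose (model, sessionID) matches; no match
        # is not an error.  Returns the number of AAA rows removed.
        matching = [k for k in self.aaa if k[0] == model and k[2] == session_id]
        for key in matching:
            del self.aaa[key]
            _, user_name, _ = key
            # 7.3.2: when the last session for this (model, name) pair is gone,
            # drop the VACM row as well, but only if it is volatile and active.
            if not any(k[0] == model and k[1] == user_name for k in self.aaa):
                row = self.vacm.get((model, user_name))
                if row is not None and row.storage_type == VOLATILE and row.row_status == ACTIVE:
                    del self.vacm[(model, user_name)]
        return len(matching)

    def group_for(self, model, user_name):
        # The lookup isAccessAllowed() would make in vacmSecurityToGroupTable.
        row = self.vacm.get((model, user_name))
        return None if row is None else row.group_name


def demo():
    """Walk the procedure with constructed values; model 3 is USM (RFC 3411)."""
    e = Engine()
    # A security administrator pre-provisioned a nonVolatile row for "admin".
    e.vacm[(3, "admin")] = VacmRow("adminGroup", storage_type="nonVolatile")
    # 7.2.1: an empty Management-Policy-Id is rejected; nothing is created.
    rejected = e.session_established(3, "alice", 1001, "")
    # 7.2.2/7.2.3: alice's session is accepted and a volatile row is created.
    e.session_established(3, "alice", 1001, "operators")
    after_first = e.group_for(3, "alice")
    # 7.2.4: a re-authorization of the same session supersedes the group.
    e.session_established(3, "alice", 1001, "auditors")
    after_update = e.group_for(3, "alice")
    # A second session for alice keeps the VACM row alive when the first ends.
    e.session_established(3, "alice", 1002, "auditors")
    e.session_terminated(3, 1001)
    after_one_closed = e.group_for(3, "alice")
    e.session_terminated(3, 1002)
    after_all_closed = e.group_for(3, "alice")
    # The administrator's nonVolatile row survives both AAA events untouched.
    e.session_established(3, "admin", 2001, "operators")
    admin_group = e.group_for(3, "admin")
    e.session_terminated(3, 2001)
    admin_after = e.group_for(3, "admin")
    return dict(rejected=rejected, after_first=after_first,
                after_update=after_update, after_one_closed=after_one_closed,
                after_all_closed=after_all_closed, admin_group=admin_group,
                admin_after=admin_after)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```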

8. Definitions
SNMP-VACM-AAA-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    MODULE-IDENTITY, OBJECT-TYPE, mib-2, Unsigned32
        FROM SNMPv2-SMI
    SnmpAdminString, SnmpSecurityModel
        FROM SNMP-FRAMEWORK-MIB;

vacmAaaMIB MODULE-IDENTITY
    LAST-UPDATED "201012090000Z"    -- 9 December 2010
    ORGANIZATION "ISMS Working Group"
    CONTACT-INFO "WG-email: isms@ietf.org"
    DESCRIPTION "The management and local datastore information
                 definitions for the AAA-Enabled View-based Access
                 Control Model for SNMP.

                 Copyright (c) 2010 IETF Trust and the persons
                 identified as the document authors.  All rights
                 reserved.

                 Redistribution and use in source and binary forms,
                 with or without modification, is permitted pursuant
                 to, and subject to the license terms contained in,
                 the Simplified BSD License set forth in Section 4.c
                 of the IETF Trust's Legal Provisions Relating to
                 IETF Documents
                 (http://trustee.ietf.org/license-info).

                 This version of this MIB module is part of RFC 6065;
                 see the RFC itself for full legal notices."
    REVISION    "201012090000Z"
    DESCRIPTION "Initial version, published as RFC 6065."
    ::= { mib-2 199 }

vacmAaaMIBObjects   OBJECT IDENTIFIER ::= { vacmAaaMIB 1 }
vacmAaaMIBConformance OBJECT IDENTIFIER ::= { vacmAaaMIB 2 }

vacmAaaSecurityToGroupTable OBJECT-TYPE
    SYNTAX       SEQUENCE OF VacmAaaSecurityToGroupEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "This table provides a listing of all currently active
                 sessions for which a mapping of the combination of
                 SnmpSecurityModel and securityName into the name of
                 a VACM group has been provided by an AAA service.
                 The group name (in VACM) in turn identifies an access
                 control policy to be used for the corresponding
                 principals."
    REFERENCE   "RFC 3411, Section 3.2.2, defines securityName."
    ::= { vacmAaaMIBObjects 1 }

vacmAaaSecurityToGroupEntry OBJECT-TYPE
    SYNTAX       VacmAaaSecurityToGroupEntry
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "An entry in this table maps the combination of a
                 SnmpSecurityModel and securityName into the name of
                 a VACM group defining the access control policy that
                 is to govern a particular session.

                 Each entry corresponds to a session.

                 Entries do not persist across reboots.

                 An entry is created whenever an indication occurs
                 that a new session has been established that would
                 not have the same index values as an existing entry.

                 When a session is torn down, disconnected, timed out
                 (e.g., following the RADIUS Session-Timeout Attribute),
                 or otherwise terminated for any reason, the
                 corresponding vacmAaaSecurityToGroupEntry is deleted."
    REFERENCE   "RFC 3411, Section 3.2.2, defines securityName."
    INDEX       {
                  vacmAaaSecurityModel,
                  vacmAaaSecurityName,
                  vacmAaaSessionID
                }
    ::= { vacmAaaSecurityToGroupTable 1 }
        
VacmAaaSecurityToGroupEntry ::= SEQUENCE
    {
        vacmAaaSecurityModel            SnmpSecurityModel,
        vacmAaaSecurityName             SnmpAdminString,
        vacmAaaSessionID                Unsigned32,
        vacmAaaGroupName                SnmpAdminString
    }
        

vacmAaaSecurityModel OBJECT-TYPE
    SYNTAX       SnmpSecurityModel(1..2147483647)
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The security model associated with the AAA binding
                 represented by this entry.

                 This object cannot take the 'any' (0) value."
    ::= { vacmAaaSecurityToGroupEntry 1 }
        
vacmAaaSecurityName OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(1..32))
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "The securityName of the principal associated with the
                 AAA binding represented by this entry.  In RADIUS
                 environments, this corresponds to the User-Name
                 Attribute."
    REFERENCE   "RFC 3411, Section 3.2.2, defines securityName, and
                 RFC 2865, Section 5.1, defines User-Name."
    ::= { vacmAaaSecurityToGroupEntry 2 }
        

vacmAaaSessionID OBJECT-TYPE
    SYNTAX       Unsigned32
    MAX-ACCESS   not-accessible
    STATUS       current
    DESCRIPTION "An implementation-dependent identifier of the session.

                 This value MUST be unique among all currently open
                 sessions of all of this SNMP engine's transport
                 models.  The value has no particular significance
                 other than to distinguish sessions.

                 Implementations in which tmSessionID has a compatible
                 syntax and is unique across all transport models MAY
                 use that value."
    REFERENCE   "The Abstract Service Interface parameter tmSessionID
                 is defined in RFC 5590, Section 5.2.4."
    ::= { vacmAaaSecurityToGroupEntry 3 }
        

vacmAaaGroupName OBJECT-TYPE
    SYNTAX       SnmpAdminString (SIZE(1..32))
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION "The name of the group to which this entry is to
                 belong.  In RADIUS environments, this comes from the
                 RADIUS Management-Policy-Id Attribute.

                 When the appropriate conditions are met,
                 the value of this object is applied to the vacmGroupName
                 in the corresponding vacmSecurityToGroupEntry."
    REFERENCE    "RFC 3415"
    ::= { vacmAaaSecurityToGroupEntry 4 }
        
-- Conformance information ******************************************
        
vacmAaaMIBCompliances
               OBJECT IDENTIFIER ::= {vacmAaaMIBConformance 1}
vacmAaaMIBGroups
               OBJECT IDENTIFIER ::= {vacmAaaMIBConformance 2}
        

-- compliance statements

vacmAaaMIBBasicCompliance MODULE-COMPLIANCE
    STATUS       current
    DESCRIPTION "The compliance statement for SNMP engines implementing
                 the AAA-Enabled View-based Access Control Model for
                 SNMP."
    MODULE -- this module
        MANDATORY-GROUPS { vacmAaaGroup }
    ::= { vacmAaaMIBCompliances 1 }
        

-- units of conformance

vacmAaaGroup OBJECT-GROUP
    OBJECTS {
              vacmAaaGroupName
            }
    STATUS       current
    DESCRIPTION "A collection of objects for supporting the use of AAA
                 services to provide user-to-group mappings for VACM."
    ::= { vacmAaaMIBGroups 1 }
        

END

9. Security Considerations

The algorithms in this memo make heuristic use of the StorageType of entries in the vacmSecurityToGroupTable to distinguish those provisioned by a security administrator (which would presumably not be configured as "volatile") from those dynamically generated. In making this distinction, it assumes that those entries explicitly provisioned by a security administrator and given a non-"volatile" status are not to be dynamically overridden. Furthermore, it assumes that any active entries with "volatile" status can be treated as dynamic, and deleted or updated as needed. Users of this memo need to be aware of this operational assumption, which, while reasonable, is not necessarily universally valid. For example, this situation could also occur if the SNMP security administrator had mistakenly created these non-volatile entries in error.

The design of VACM ensures that if an unknown policy (group name) is used in the vacmSecurityToGroupTable, no access is granted. A consequence of this is that no matter what information is provided by the AAA server, no user can gain SNMP access rights not already granted to some group through the VACM configuration.

9.1. Principal Identity Naming

In order to ensure that the access control policy ultimately applied as a result of the mechanisms described here is indeed the intended policy for a given principal using a particular security model, care needs to be applied in the mapping of the authenticated user (principal) identity to the securityName used to make the access control decision. Broadly speaking, there are two approaches to ensure consistency of identity:

o Entries for the vacmSecurityToGroupTable corresponding to a given security model are created only through the operation of the procedures described in this memo. A consequence of this would be that all such entries would have been created using the RADIUS User-Name (or other AAA-authenticated identity) and RADIUS Management-Policy-Id Attribute (or equivalent).

o Administrative policy allows a matching pre-configured entry to exist in the vacmSecurityToGroupTable, i.e., an entry with the corresponding vacmSecurityModel and with a vacmSecurityName matching the authenticated principal's RADIUS User-Name. In this case, administrative policy also needs to ensure consistency of identity between each authenticated principal's RADIUS User-Name and the administratively configured vacmSecurityName in the vacmSecurityToGroupTable row entries for that particular security model.

In the latter case, inconsistent re-use of the same name for different entities or individuals (principals) can cause the incorrect access control policy to be applied for the authenticated principal, depending on whether the policy that is configured using SNMP or the policy that is applied using the procedures of this memo is the intended policy. This may result in greater or lesser access rights than the administrative policy intended. Inadvertent misidentification in such cases may be undetectable by the SNMP engine or other software elements of the managed entity.
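
The StorageType heuristic from the start of Section 9, the fail-closed behaviour of VACM for unknown group names, and the name-collision case just described, as an added Python model. This is not code from the RFC or from any SNMP implementation: the in-memory table shapes, the function names `apply_aaa_binding`, `end_session` and `resolve_group`, the `audit_log` conflict line, and the rule that a volatile vacmSecurityToGroupTable row is dropped once no session for that principal remains are all assumptions of this example. The USM value 3 for SnmpSecurityModel comes from RFC 3411.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# StorageType labels from SNMPv2-TC (RFC 2579); the heuristic only cares
# whether an entry is 'volatile' or not.
VOLATILE = "volatile"
NON_VOLATILE = "nonVolatile"

# SnmpSecurityModel value for USM (RFC 3411); 0 ('any') is never a valid index.
USM = 3


@dataclass
class GroupEntry:
    """One vacmSecurityToGroupEntry: the group name and its StorageType."""
    group_name: str
    storage_type: str


@dataclass
class Engine:
    """Constructed in-memory stand-in for the two tables an SNMP engine keeps."""
    # vacmSecurityToGroupTable, keyed by (securityModel, securityName).
    vacm_table: Dict[Tuple[int, str], GroupEntry] = field(default_factory=dict)
    # vacmAaaSecurityToGroupTable, keyed by (model, securityName, sessionID).
    aaa_table: Dict[Tuple[int, str, int], str] = field(default_factory=dict)
    # Group names for which a VACM access policy actually exists.
    known_groups: Set[str] = field(default_factory=set)
    audit_log: List[str] = field(default_factory=list)


def apply_aaa_binding(engine: Engine, model: int, user_name: str,
                      session_id: int, policy_id: str) -> str:
    """Record an AAA-provided (User-Name, Management-Policy-Id) binding.

    Non-volatile entries are assumed to be administrator-provisioned and are
    never overridden; volatile ones are treated as dynamic and replaced.
    Returns the group name VACM will use for this principal afterwards.
    The audit-log line on a conflict is an addition of this example: the
    RFC notes the engine cannot detect misidentification of a principal,
    but a policy mismatch against a static row is at least observable.
    """
    if model == 0:
        raise ValueError("vacmAaaSecurityModel cannot take the 'any' (0) value")
    engine.aaa_table[(model, user_name, session_id)] = policy_id
    key = (model, user_name)
    existing = engine.vacm_table.get(key)
    if existing is not None and existing.storage_type != VOLATILE:
        if existing.group_name != policy_id:
            engine.audit_log.append(
                f"static row for {user_name!r}/model {model} keeps group "
                f"{existing.group_name!r}; AAA supplied {policy_id!r}")
        return existing.group_name
    engine.vacm_table[key] = GroupEntry(policy_id, VOLATILE)
    return policy_id


def end_session(engine: Engine, model: int, user_name: str,
                session_id: int) -> None:
    """Session teardown: the vacmAaa row is deleted (as the DESCRIPTION
    clause requires).  Dropping the volatile VACM row once no session for
    that principal remains is an assumption of this example."""
    engine.aaa_table.pop((model, user_name, session_id), None)
    still_active = any(k[:2] == (model, user_name) for k in engine.aaa_table)
    entry = engine.vacm_table.get((model, user_name))
    if entry is not None and entry.storage_type == VOLATILE and not still_active:
        del engine.vacm_table[(model, user_name)]


def resolve_group(engine: Engine, model: int,
                  security_name: str) -> Optional[str]:
    """VACM lookup: a missing row or an unknown group name grants no access."""
    entry = engine.vacm_table.get((model, security_name))
    if entry is None or entry.group_name not in engine.known_groups:
        return None
    return entry.group_name


if __name__ == "__main__":
    eng = Engine(known_groups={"netops-ro", "netops-rw"})
    # Constructed static row: an administrator provisioned 'alice' by hand.
    eng.vacm_table[(USM, "alice")] = GroupEntry("netops-rw", NON_VOLATILE)
    print(apply_aaa_binding(eng, USM, "alice", 1, "netops-ro"))  # netops-rw
    print(apply_aaa_binding(eng, USM, "carol", 2, "no-such-group"))
    print(resolve_group(eng, USM, "carol"))  # None: fail closed
    print(eng.audit_log)
```

The `alice` case is the Section 9.1 collision: the AAA server's Management-Policy-Id is ignored because a non-volatile row already claims that securityName, and whether that is the intended outcome depends entirely on whether the two names really refer to the same principal. The `carol` case shows the property stated at the end of Section 9's opening: a group name with no VACM policy behind it yields no access, whatever the AAA server sent.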

9.2. Management Information Considerations

There are no management objects defined in this MIB module that have a MAX-ACCESS clause of read-write and/or read-create. So, if this MIB module is implemented correctly, then there is no risk that an intruder can alter or create any management objects of this MIB module via direct SNMP SET operations.

Some of the readable objects in this MIB module (including some objects with a MAX-ACCESS of not-accessible, whose values are exposed as a result of access to indexed objects) may be considered sensitive or vulnerable in some network environments. It is thus important to control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. These are the tables and objects and their sensitivity/vulnerability:

o vacmAaaSecurityToGroupTable - the entire table is potentially sensitive, since walking the table will reveal user names, security models in use, session identifiers, and group names;

o vacmAaaSecurityModel - though not-accessible, this is exposed as an index of vacmAaaGroupName;

o vacmAaaSecurityName - though not-accessible, this is exposed as an index of vacmAaaGroupName;

o vacmAaaSessionID - though not-accessible, this is exposed as an index of vacmAaaGroupName;

o vacmAaaGroupName - since this identifies a security policy and associates it with a particular user, this is potentially sensitive.
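
Why the three not-accessible index objects in the list above are exposed anyway, as an added Python example (not code from the RFC): the instance identifier of every vacmAaaGroupName row is built from vacmAaaSecurityModel, vacmAaaSecurityName and vacmAaaSessionID, so anyone who can read that column, or receive a notification carrying it, recovers all three. The column OID below uses vacmAaaMIB = { mib-2 199 } from Section 10; the intermediate arc vacmAaaMIBObjects = { vacmAaaMIB 1 } is taken from the full MIB module, which this excerpt does not reproduce, and should be treated as an assumption here. The function names `instance_oid` and `decode_instance` are constructed for this example.

```python
from typing import Sequence, Tuple

# vacmAaaMIB is { mib-2 199 } (Section 10).  vacmAaaMIBObjects.1 is the
# table, .1 the entry, .4 the vacmAaaGroupName column.  The arc
# vacmAaaMIBObjects = { vacmAaaMIB 1 } is assumed (not shown in this excerpt).
VACM_AAA_GROUP_NAME_COLUMN = (1, 3, 6, 1, 2, 1, 199, 1, 1, 1, 4)


def instance_oid(model: int, security_name: str,
                 session_id: int) -> Tuple[int, ...]:
    """Build the OID of the vacmAaaGroupName instance for one row.

    INDEX encoding rules (RFC 2578, Section 7.7): an integer index is a
    single sub-identifier; a variable-length OCTET STRING index (the
    SnmpAdminString here is not IMPLIED) is its length followed by one
    sub-identifier per octet.
    """
    if not 1 <= model <= 2147483647:
        raise ValueError("vacmAaaSecurityModel cannot take the 'any' (0) value")
    name_octets = security_name.encode("utf-8")
    if not 1 <= len(name_octets) <= 32:
        raise ValueError("vacmAaaSecurityName must be 1..32 octets")
    if not 0 <= session_id <= 4294967295:
        raise ValueError("vacmAaaSessionID must fit in Unsigned32")
    return (VACM_AAA_GROUP_NAME_COLUMN
            + (model, len(name_octets)) + tuple(name_octets) + (session_id,))


def decode_instance(oid: Sequence[int]) -> Tuple[int, str, int]:
    """Recover (securityModel, securityName, sessionID) from an instance OID.

    This is exactly what a manager walking the table, or any party that
    sees the OID on the wire without privacy protection, can do, which is
    why the RFC treats the index objects as sensitive despite not-accessible.
    """
    prefix_len = len(VACM_AAA_GROUP_NAME_COLUMN)
    if tuple(oid[:prefix_len]) != VACM_AAA_GROUP_NAME_COLUMN:
        raise ValueError("not a vacmAaaGroupName instance")
    rest = list(oid[prefix_len:])
    if len(rest) < 3:
        raise ValueError("instance identifier too short")
    model, name_len = rest[0], rest[1]
    if len(rest) != 2 + name_len + 1:
        raise ValueError("instance identifier length does not match index")
    name = bytes(rest[2:2 + name_len]).decode("utf-8")
    session_id = rest[2 + name_len]
    return model, name, session_id


def oid_to_str(oid: Sequence[int]) -> str:
    """Dotted-decimal rendering, as shown by typical SNMP tools."""
    return ".".join(str(sub) for sub in oid)


if __name__ == "__main__":
    # Constructed row: USM (model 3), principal 'alice', session 42.
    oid = instance_oid(3, "alice", 42)
    print(oid_to_str(oid))
    print(decode_instance(oid))
```

Running it prints the instance OID for a constructed row and then the decoded (model, securityName, sessionID) triple, which is the information an operator exposes by granting GET or NOTIFY access to vacmAaaGroupName without authentication and privacy.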

SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example, by using IPsec), there is still no control over who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module.

It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy).

Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.

10. IANA Considerations

The MIB module in this document uses the following IANA-assigned OBJECT IDENTIFIER value recorded in the SMI Numbers registry:

      Descriptor        OBJECT IDENTIFIER value
      ----------        -----------------------
      vacmAaaMIB        { mib-2 199 }
        
11. Contributors

The following participants from the ISMS working group contributed to the development of this document:

o Andrew Donati

o David Harrington

o Jeffrey Hutzelman

o Juergen Schoenwaelder

o Tom Petch

o Wes Hardaker

During the IESG review, additional comments were received from:

o Adrian Farrel

o Amanda Baber

o Dan Romescanu

o David Kessens

o Francis Dupont

o Glenn Keeni

o Jari Arkko

o Joel Jaeggli

o Magnus Nystrom

o Mike Heard

o Robert Story

o Russ Housley

o Sean Turner

o Tim Polk

12. References

12.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.

[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.

[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002.

[RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, December 2002.

[RFC5590] Harrington, D. and J. Schoenwaelder, "Transport Subsystem for the Simple Network Management Protocol (SNMP)", RFC 5590, June 2009.

[RFC5607] Nelson, D. and G. Weber, "Remote Authentication Dial-In User Service (RADIUS) Authorization for Network Access Server (NAS) Management", RFC 5607, July 2009.

[RFC5608] Narayan, K. and D. Nelson, "Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Network Management Protocol (SNMP) Transport Models", RFC 5608, August 2009.

12.2. Informative References

[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002.

[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure Shell Transport Model for the Simple Network Management Protocol (SNMP)", RFC 5592, June 2009.

Authors' Addresses

Kaushik Narayan
Cisco Systems, Inc.
10 West Tasman Drive
San Jose, CA  95134
USA

   Phone: +1 408-526-8168
   EMail: kaushik_narayan@yahoo.com

David Nelson
Elbrys Networks, Inc.
282 Corporate Drive, Unit #1,
Portsmouth, NH  03801
USA

   Phone: +1 603-570-2636
   EMail: d.b.nelson@comcast.net

Randy Presuhn (editor)
San Jose, CA  95120
USA

   EMail: randy_presuhn@mindspring.com