Internet DRAFT - draft-lebarre-iimc-party
draft-lebarre-iimc-party
INTERNET DRAFT Expires August 27, 1993
ISO/CCITT and Internet Management Coexistence (IIMC):
ISO/CCITT to Internet Management Security
(IIMCSEC)
March 26, 1993
Lee LaBarre (Editor)
The MITRE Corporation
Burlington Road
Bedford, MA 01730
cel@mbunix.mitre.org
Status of this Memo
This document provides information to the network and
systems management community. This document is intended as
a contribution to ongoing work in the area of multi-protocol
management coexistence and interworking. This document is
part of a package; see also [IIMCIMIBTRANS] [IIMCMIB-II]
[IIMCPROXY] and [IIMCOMIBTRANS]. Distribution of this
document is unlimited. Comments should be sent to the
Network Management Forum IIMC working group
(iimc@thumper.bellcore.com).
This document is an Internet Draft. Internet Drafts are
working documents of the Internet Engineering Task Force
(IETF), its Areas, and its Working Groups. Note that other
groups may also distribute working documents as Internet
Drafts.
Internet Drafts are draft documents valid for a maximum of
six months. Internet Drafts may be updated, replaced, or
obsoleted by other documents at any time. It is not
appropriate to use Internet Drafts as reference material or
to cite them other than as a ``working draft'' or ``work in
progress.''
Please check the 1id-abstracts.txt listing contained in the
internet-drafts Shadow Directories on nic.ddn.mil,
nnsc.nsf.net, nic.nordu.net, ftp.nisc.sri.com, munnari.oz.au
to learn the current status of any Internet Draft.
Editor's Note: Readers are warned that this draft is
incomplete as to the security architecture, but fairly
complete as to the Party MIB translation.
LaBarre Expires August 27, 1993 Page i
Draft ISO/CCITT to Internet Management Security 3/26/93
Abstract
This document is intended to facilitate the multi-protocol
management coexistence and interworking for networks that
are managed using the ISO/CCITT Common Management
Information Protocol (CMIP) and networks that are managed
using the Internet Simple Network Management Protocol
(SNMP). This document defines the end-to-end security
architecture, services, and mechanisms for use with
ISO/CCITT-Internet proxies. This document also contains the
ISO/CCITT GDMO definition and registration of the SNMP
Parties MIB, derived from the Internet SNMP Parties MIB
[SNMPv2PARTY] according to the procedures defined in
"Translation of Internet MIBs to ISO/CCITT GDMO MIBs"
[IIMCIMIBTRANS].
Table of Contents
Status of this Memo ......................................i
Abstract .................................................ii
Table of Contents ........................................ii
Revision History .........................................iii
1. Introduction ..........................................1
1.1 Background ...........................................1
1.2 Overview .............................................2
1.3 Scope ................................................4
1.4 Terms and Conventions ................................5
2. Security and Management Requirements ..................5
2.1 Security of Management ...............................5
2.2 Management of Security ...............................5
2.3 Threat Characterization ..............................6
2.3.1 Communications Path Security .......................6
2.3.2 Managed System Security ............................7
3. Security Model, Requirements, and Constraints .........8
3.1 Security Model .......................................8
3.2 Requirements .........................................9
3.3 Constraints on Mapping Security Services .............10
3.4 Consequences of Requirements and Constraints .........11
4. Manager to Internet Proxy Security ....................11
5. Internet Proxy to Internet Agent Security .............12
6. Party MIB .............................................12
6.1 Attribute Types ......................................12
6.2 Object Class Definitions .............................15
6.3 Attribute Definitions ................................21
6.4 The Containment Hierarchy ............................36
6.5 ASN.1 Definitions ....................................38
7. MOCS ..................................................40
8. Acknowledgments .......................................40
References ...............................................41
Revision History
Draft 0 - October 9, 1992
Initial draft of this document (previously entitled
"IIMC: Translation of Internet Party MIB (RFC1353) to
ISO/CCITT GDMO MIB" [IIMCPARTY]).
Draft 1 - March 26, 1993
Current draft of this document (replaces Draft 0).
Major Changes Since Last Revision
1. Changed title to reflect new scope of document.
2. Added security architecture text.
3. Aligned MIB translation with latest SNMPv2 document
[SNMPv2PARTY].
4. Aligned templates with changes as per [IIMCIMIBTRANS].
- Revised OID translation procedure.
- Revised generic notification replaces previous
notifications.
- Updated to reflect SNMPv2 changes.
- Added parsing capability to entry type templates.
- Revised registration of documents and modules.
Action Item Proposals Contained In This Document
#22 Revamp Party MIB (proposed)
Outstanding Issues
1. Lack of standards and implementation agreements for
ISO/CCITT security.
2. Create and delete modifiers in name bindings.
Editor's Note: [All object identifier assignments in this
document will be resolved before final publication of this
document.]
Editor's Note: [This document will change to reflect the
new scope. It is preliminary, and incomplete as to the
security architecture, but fairly complete as to the Party
MIB translation.]
1. Introduction
The past decade has witnessed the development of enterprise
wide networks composed of a multi-vendor environment
containing heterogeneous protocol and hardware suites.
Organizations have become increasingly dependent on these
enterprise networks for their daily operations. This
dependence has focused attention on the need for operation,
administration, maintenance, and provisioning (OAM&P) of the
multi-vendor enterprise network on an end-to-end basis.
1.1 Background
This document is part of a package of ISO/CCITT and Internet
Management Coexistence (IIMC) drafts. Other documents
included in this package are:
[IIMCIMIBTRANS] Translation of Internet MIBs to
ISO/CCITT GDMO MIBs
[IIMCOMIBTRANS] Translation of ISO/CCITT GDMO MIBs to
Internet MIBs
[IIMCMIB-II] Translation of Internet MIB-II to
ISO/CCITT GDMO MIB
[IIMCPROXY] ISO/CCITT to Internet Management Proxy
These documents together comprise a package aimed at
integrating ISO/CCITT-based and Internet-based management
systems. These documents represent coexistence and
interworking efforts underway within the IIMC working group,
chartered under the auspices of the Network Management Forum
Architecture Integration ISO/Internet technical team.
This work was initiated, in part, by NM Forum efforts to
translate RFC 1214 for use with OMNIPoint 1 implementations.
Through this effort, it became obvious that end-to-end
management requires an integrated, unified view of the
managed network, despite differences in management protocol
and information structure. Integrated management can be
facilitated by the development of "proxy" mechanisms which
translate between functionally equivalent service, protocol,
and SMI differences to create this unified view. MIB
translation procedures can be used to support proxy
management, as well as to take advantage of existing MIB
definition and avoid duplication of effort. In this way,
commercial investment in both ISO/CCITT and Internet-based
management technologies can be preserved through deployment
of common methods and tools which support integration.
This overall strategy was outlined in a joint publication
developed by the NM Forum and X/Open entitled "ISO/CCITT and
Internet Management: Coexistence and Interworking Strategy"
[NMFMC92]. The documents included in the IIMC package are
the next level of detailed specifications which implement
several of the methodologies identified in the strategy.
1.2 Overview
The response to the need for OAM&P of enterprise networks
has been the development of network management standards
within various networking communities - most notably the
ISO/CCITT and Internet communities. However, coordination of
standards activities between these two communities has not
occurred. As a result, although they share a nearly common
management model, differences in their management protocols
and structures of management information (SMIs) have
developed due to differing management philosophies.
The ISO/CCITT community has developed the Common Management
Information Protocol (CMIP) [ISO9596-1], and related SMI
documents [ISO10165-1,2,4]. The Internet community has
developed the Simple Network Management Protocol (SNMP)
[RFC1157], and its successor, SNMPv2 [SNMPv2PROT]. The
Internet SMI is defined in [RFC1155] and [SNMPv2SMI].
Although functionally similar, the Internet and ISO/CCITT
protocols and SMIs differ in terms of their complexity and
specific operations.
The focus on the need for end-to-end enterprise management
has indicated the need to integrate the management of
components accessed by ISO/CCITT management, Internet
management and proprietary management mechanisms in a manner
which presents a unified view of the network, despite
protocol and SMI differences. One way to integrate
management is by the development of "proxy" mechanisms which
translate between functionally equivalent services, protocol
and SMI differences to create this unified view.
A body of telecommunications and computer vendors,
represented by organizations such as the Network Management
Forum (NMF), and the U.S. government, as specified in the
Government Network Management Profile (GNMP) have based
their integrated management model on the ISO/CCITT
management model using CMIP and the ISO/CCITT SMI. These
organizations are particularly interested in the development
of proxies for devices that use the Internet management
protocols and SMI. Their interest is primarily due to the
widespread commercial implementation and use of such devices
within their enterprises, especially devices that use the
Internet TCP/IP protocol suite.
The basic model for ISO/CCITT-Internet proxy management is
illustrated in the following diagram.
         Manager                   Proxy                   Agent
+-----------------------+ +---------------------+ +----------------------+
|+---------------------+| |+------+ +----------+| |+-------------------+ |
||     Management      || || GDMO | | Internet || ||      Managed      | |
||    Applications     || || MIB  | |   MIB    || ||     Resources     | |
|+---------------------+| |+------+ +----------+| |+-------------------+ |
|                       | |+-------------------+| |                      |
|                       | ||      Service      || |                      |
|                       | ||     Emulation     || |                      |
|                       | ||    (scoping)      || |                      |
|                       | ||    (filtering)    || |                      |
|                       | ||    (operations)   || |                      |
|+-----------+---------+| |+-------------------+| |+----------+---------+|
|| ISO/CCITT |  GDMO   || || Protocols Mapping || || Internet | Internet||
||  Manager  |  MIB    || ||  CMIS  |...| SNMP || ||  Agent   |   MIB   ||
|+-----------+---------+| |+-------------------+| |+----------+---------+|
|           |           | |   CMIS   |   SNMP   | |           |          |
|     CMIS Services     | | Services |"Services"| |      SNMP "Services" |
+-----------------------+ +---------------------+ +----------------------+
|         CMIP          | |   CMIP   |   SNMP   | |         SNMP         |
+-----------------------+ +---------------------+ +----------------------+
            ^                   ^          ^                 ^
            |                   |          |                 |
            +-------------------+          +-----------------+
                CMIP Messages                  SNMP Messages
The proxy architecture provides emulation of CMIS services
by mapping to the corresponding SNMP message(s) necessary to
carry out the service request. The service emulation allows
management of Internet objects by an ISO/CCITT manager. The
left hand side of the proxy behaves like an ISO/CCITT agent,
communicating with the ISO/CCITT manager using CMIP
protocols. The right hand side of the proxy behaves like
an Internet manager, communicating with the Internet agent
using SNMP protocols.
The proxy relies on the existence of a pair of directly-related
MIB definitions, where the Internet MIB has been translated
into ISO/CCITT GDMO using the procedures specified in
[IIMCIMIBTRANS]. The proxy defined in [IIMCPROXY] uses these
MIB definitions and rules to provide run-time translation of
management information carried in service requests and
responses.
The proxy architecture is designed with a specified
interface between the proxy and the underlying protocol
stacks, and so deals primarily in terms of CMIS services and
SNMP "services". The proxy emulates services such as CMIS
scoping and filtering, processing of CMIS operations, and
forwarding/logging of CMIS notifications by performing a
mapping process which must be tailored for each protocol
(for example, SNMP and SNMPv2 are variants of the same
protocol mapping process).
In addition, [IIMCOMIBTRANS] specifies translation procedures
for converting ISO/CCITT GDMO MIBs into Internet MIBs. MIBs
generated by this translation process cannot be utilized by
the Proxy defined in [IIMCPROXY], although another kind of
Proxy could be defined for this purpose in the future.
Finally, note that MIBs translated by procedures such as
those defined by [IIMCIMIBTRANS] and [IIMCOMIBTRANS] may
also be used without a proxy. For example, a translated MIB
may be used to take advantage of existing MIB definitions
when business needs require deployment in a different
management environment. Translated MIBs may also be used to
provide uniformity when multiple management environments are
supported by a single system (e.g., dual stack managers).
1.3 Scope
One of the IIMC objectives is to provide for the secure
end-to-end management of resources managed using ISO/CCITT and
Internet management services, protocols and SMI. Security and
management by their very nature are entwined such that each
needs the services of the other. Security services are
required to protect management services. Management services
are required to monitor and control security services.
This document defines the security architecture for
end-to-end security between an ISO/CCITT manager and an
Internet agent via proxies such as that defined in
[IIMCPROXY]. The architecture requires that the information
needed to support Internet security mechanisms from an
end-to-end perspective, and to manage them, be translated
into the ISO/CCITT SMI.
This document applies the procedures described in
[IIMCIMIBTRANS] to the translation and registration of the
Internet SNMP Parties MIB defined in [SNMPv2PARTY].
This document assumes that the reader is familiar with the
ISO/CCITT and Internet management security services,
protocols and mechanisms.
This document assumes that the reader is familiar with the
Internet and ISO/CCITT SMIs and terminology as well as the
Internet to SMI translation defined in [IIMCIMIBTRANS].
This document is allocated the following registration
identifier for purposes of referencing material contained
herein.
iimcSEC OBJECT IDENTIFIER ::={iimcManagementDocMan 3}
Editor's Note: [The iimcManagementDocMan will be resolved
before the final publication of this document.]
1.4 Terms and Conventions
Editor's Note: [To Be Provided.]
2. Security and Management Requirements
Security and management are entwined by their very nature such
that each needs the services of the other. Security services
are required to protect management services. Management
services are required to monitor and control security
services. These requirements are briefly presented in this
section.
2.1 Security of Management
Management is most vulnerable to security attacks at the
manager user interface, the communications path over which
management messages are transmitted, and at the managed
system that contains the resources being managed.
Accordingly, management's security requirements are to
overcome these threats by:
- Preventing unauthorized operator access to manager
applications and associated management information
contained in a manager workstation,
- Protecting management information in transit between
managers and agents, and
- Enforcing management policy regarding access to
information within the managed system.
Preventing unauthorized access to manager applications is
beyond the scope of this document, and therefore will not be
discussed. The characterization of the security threats in
relation to the other two vulnerable areas is discussed
more fully in the following sections.
2.2 Management of Security
Security requires management support for three basic
activities:
- monitoring and control of security mechanisms,
- detection of security related events through security
alarm generation, reporting and audit trail analysis, and
- damage assessment and recovery from a security attack.
Security mechanisms and algorithm resources are modeled as
managed objects and the management information is stored in
a secure portion of the management information base. The
same management and security mechanisms used to manage
non-security managed objects may be applied to the management
of security objects.
2.3 Threat Characterization
Security threats for management are the same as for any
distributed application. Security threats can be
characterized as being active or passive. Active threats to
a management system may effect changes to the state or
operation of the managed resource. Examples of active
threats are malicious changes to the routing tables of a
system, or to the objects used to control decisions related
to policies, such as security policies relating to resource
access.
Active threats include:
- masquerade,
- modification and fabrication of messages and stored
data,
- replay and reordering of messages, and
- denial of management services.
Passive threats are those which, if realized, would not
result in any modifications to information contained in the
system, e.g., management information, and where neither the
operation nor the state of the system is changed.
Passive threats include:
- disclosure of message contents and stored data,
- traffic analysis, and
- repudiation.
2.3.1 Communications Path Security
The threats to the communications path used for manager to
agent communications, and applicable security services
include:
- modification and fabrication of management messages
* integrity
- disclosure of management message data
* confidentiality, selective field confidentiality
- replay and reordering of messages
* integrity
- denial of management services
* continuity of operations
- traffic analysis
* confidentiality
Note that the communications path from the manager to an
agent may be direct, or indirect via the management
applications of an intermediate manager or proxy. In the
indirect case, the portion of the message that must be
exposed in the intermediate manager for the purpose of
application layer relaying is subject to unauthorized
disclosure and modification. Such entities must be trusted
not to perform such modifications or to disclose the
contents of the management messages. Selective field
confidentiality services may be required if intermediate
managers or proxies are acting as application layer relays
in the path. Such selective field services allow only the
information in management messages required for application
layer routing to be unprotected while preventing other
fields in the message from disclosure or modification.
2.3.2 Managed System Security
The threats to the managed system include:
- masquerade of a manager application or operator
* peer authentication, data origin authentication
- modification and fabrication of data residing in the
management information base
* access control, data integrity
- disclosure of management data in the managed system
* access control, confidentiality
- repudiation of management requests at the destination
* non-repudiation at destination.
Non-repudiation services may be provided in circumstances
where such accountability is required. While the
non-repudiation service does nothing to protect the network,
it does provide the capability to trace the entities that are
to be blamed for mis-management.
3. Security Model, Requirements, and Constraints
3.1 Security Model
The model for IIMC end-to-end security is illustrated in
Figure 2. The objective is to provide continuity of
security services from the ISO/CCITT Manager through to the
Internet Agent. The end-to-end solution is constrained by
the security services available at the Internet agent and
those available at the ISO/CCITT Manager. The mapping of
security services is provided by the ISO/CCITT-Internet
proxy. The mapping of those services at the proxy will
depend upon the availability of the services and the
compatibility of the mechanisms used to provide the
services.
Figure 2 illustrates the proxy in a separate device from the
manager or the agent. If the proxy function is performed in
the manager, then how the manager's internal security
mechanisms map to Internet security services is beyond the
scope of this document. If ISO management services and
protocol are provided in the managed device, and the proxy
function is still applied, then ISO security services apply
at the managed system. The mapping of ISO security services
that still apply at the internal proxy to Internet agent
interface into equivalent Internet services, e.g.,
authentication and access control, is beyond the scope of
this document.
    ISO/CCITT Manager     ISO/CCITT-Internet Proxy Internet Agent
+-----------------------+ +----------------------+ +-------------+
|                       | |+--------------------+| |             |
|                       | || security service   || |             |
|                       | ||      mapping       || |             |
|                       | |+--------------------+| |             |
|+---------------------+| |+-------+ +----------+| |+-----------+|
||      ISO/CCITT      || ||  ISO  | | Internet || || Internet  ||
||       Manager       || || agent | | manager  || ||  agent    ||
||        role         || || role  | |   role   || ||           ||
|+---------------------+| |+-------+ +----------+| |+-----------+|
|         CMIP          | |   CMIP   |    SNMP   | |    SNMP     |
+-----------------------+ +----------------------+ +-------------+
            ^                   ^          ^              ^
            |                   |          |              |
            +-------------------+          +--------------+
                CMIP Messages               SNMP Messages

 - ISO peer authentication
 - ISO data origin authentication*    - Internet data origin authentication#
 - ISO integrity, confidentiality*    - Internet integrity, confidentiality
 - Internet access control            - Internet access control#
 - ISO access control+

 * OSI application layer standards are in progress. These services may be
   provided by lower layers in some environments, e.g., transport and network
 # SNMPv1 and SNMPv2 have different mechanisms
 + ISO access control may be applied by the proxy to GDMO objects, if
   enforcement is at the proxy.

              Figure 2: IIMC End-to-end Security Model
The security services are not required to be provided at the
same layers in the protocol suites on the two external proxy
interfaces. For example, integrity and confidentiality
services may be applied at the transport or network layer at
the interface to the ISO/CCITT manager, and at the
application layer at the interface to the Internet agent.
Depending on the environment, some security services may not
be required at the proxy's interface to the ISO/CCITT manager.
For example, data origin authentication and confidentiality
services may not be required if the two devices are close
together and physical security is adequate to satisfy the
security policy.
3.2 Requirements
The basic requirements to be met by the architecture for
providing end-to-end security services are support for:
- enforcement of SNMPv1 security services at the agent
(community string).
- enforcement of SNMPv2 security services at the agent
(party based).
- optional enforcement of access control at the proxy on
either SNMPv1 or SNMPv2 agents. Since SNMPv1 does not
support access control, this implies that SNMPv2 party
based access control shall be enforced at the proxy
for both SNMPv1 and SNMPv2 agents.
- optional enforcement of access control at the proxy
using OSI access control mechanisms (ISO 10164-9) to
the ISO/CCITT managed objects derived from Internet
objects for all proxied agents.
- enforcement of access control at the proxy for MIB
objects and attributes defined specifically for the
proxy operation.
- OSI security services between the ISO/CCITT manager
and the proxy.
- mapping of OSI security services into Internet
security services, where possible, and forwarding from
the ISO/CCITT manager of the information required by
Internet security mechanisms.
3.3 Constraints on Mapping Security Services
The major constraint on mapping security services is that
there is no way that all information required for Internet
security services can be derived from parameters provided
with OSI security services. The security mechanisms are
dissimilar enough that mappings do not exist. The result is
that the ISO/CCITT manager must be aware of Internet
security services used by the proxy, and transfer the
information required for those services to operate.
The Internet management SNMPv2 security architecture relies
on the identification of distinct entities, called
"parties", for peers that exchange SNMP messages
[SNMPv2ADMIN]. Multiple parties may exist at the manager
and at the agent.
Each distinct SNMPv2 peer is identified by a "party
identifier", an OID. Associated with the party identifier
are its agent address, and parameters for authentication,
integrity and confidentiality services to be used when
communicating with other parties. Since parties form a peer
relationship, these security service parameters for peer
parties must be compatible.
The peer relationship between SNMPv2 parties is established
via an associated "context", identified by an OID, which
provides a means to identify constraints on valid management
operations and associated resources (MIB objects). The
context also specifies whether the constraints apply to
local resources or to remote resources via a proxy
relationship.
Therefore, SNMPv2 security requires that the peer parties
and their context be identified before an SNMPv2 message
will even be accepted by an agent - even if no security
services are to be invoked. Only then may data
authentication, integrity, confidentiality, and access
control services be invoked.
The problem, from a decoupling perspective, is that there is
no way that party and context information required for
Internet security services can be derived from parameters
provided with OSI security services. The same concepts
simply do not exist. The result is that the ISO/CCITT
manager must be aware of Internet security services used by
the proxy, and transfer the party and context information
required for those services to operate.
Note, however, that the Internet has registered a set of
default parties and contexts that cover a few basic security
policies when communicating directly with SNMPv2 agents.
These include: no authentication and confidentiality with
restricted monitoring privileges; authentication (using MD5)
without confidentiality but with full management privileges,
and authentication (using MD5) with confidentiality using DES
and with full management privileges. If the ISO/CCITT
manager specifies to the Internet agent (or proxy) which of
these default sets of parties and contexts to use, then the
specific parties and contexts need not be known to the
manager.
Editor's Note: [We could provide the capability of
specifying the default community string, parties and
contexts to use when the proxy communicates to agents. This
capability could relieve the ISO/CCITT manager from being
aware of specific community string or party based security
service requirements. The sets could be specified in
attributes of the cmipsnmpProxyagent object. In the absence
of security parameters being provided by the ISO/CCITT
manager, the default parties and context would be in effect.
Of course, agents must be configured to support these sets,
and the manager would be constrained to work within the
limits of these sets.]
3.4 Consequences of Requirements and Constraints
The consequences of the constraint described in 3.3 are:
- the ISO/CCITT-Internet proxy shall use community
string and party/context information provided by the
ISO/CCITT manager to determine security services to be
invoked relative to an Internet agent.
- if access control mechanisms are used by the proxy on
behalf of Internet agents, then the security parameters
that would be required by the agent to enforce access
control shall be maintained by the proxy. This applies
whether Internet or OSI access control mechanisms are
used.
4. Manager to Internet Proxy Security
OSI peer authentication services shall be supported in
accordance with OMNIPoint 1 security specifications. [NMFSEC]
OSI data origin authentication services shall optionally be
supported in accordance with (TBD)
Editor's Note: [To Be Provided.]
Integrity services shall optionally be supported using (TBD).
Editor's Note: [To Be Provided.]
Confidentiality services shall optionally be supported using
(TBD).
Editor's Note: [The use of security services for transport
(TLSP), network (NLSP), or the generic upper layer
security(GULS) [ISO11586-1,2,3,4] to provide these services
might be appropriate.]
OSI access control services shall optionally be supported in
accordance with [ISO10164-9].
Internet security services shall optionally be supported as
follows:
- the following privileged attribute certificate (PAC)
shall be used to convey Internet security parameters:
Editor's Note: [Format is TBD. Contents shall include party
and context, or community string information.]
5. Internet Proxy to Internet Agent Security
All SNMPv1 and SNMPv2 security services shall be supported.
Editor's Note: [Should we have conformance classes?]
6. Party MIB
The IIMC Party MIB is derived from the Internet Party MIB
defined in [SNMPv2PARTY]. Adjustments have been made to the
behavior of some elements in the MIB to accommodate SNMPv1
community string based security.
6.1 Attribute Types
party ATTRIBUTE
WITH ATTRIBUTE SYNTAX
IIMCPartyMIB:ObjectIdentifier;
MATCHES FOR EQUALITY ORDERING;
BEHAVIOUR
partyBehaviour BEHAVIOUR
DEFINED AS
!Denotes a SNMPv2 party identifier. Note that
agents may impose implementation limitations on the
length of OIDs used to identify Parties. As such,
management stations creating new parties should be
aware that using an excessively long OID may result
in the agent refusing to perform the set operation
and instead returning the appropriate error
response, e.g., noCreation.!
tAddress ATTRIBUTE
WITH ATTRIBUTE SYNTAX
IIMCPartyMIB:OctetString;
MATCHES FOR EQUALITY ORDERING;
BEHAVIOUR
tAddressBehaviour BEHAVIOUR
DEFINED AS
!Denotes a transport service address. For
snmpUDPDomain, a TAddress is 6 octets long,
the initial 4 octets containing the IP-address in
network-byte order and the last 2 containing the
UDP port in network-byte order. Consult [5] for
further information on snmpUDPDomain.!
clock ATTRIBUTE
DERIVED FROM {iimcManagementDocMan 1}:UInteger32;
BEHAVIOUR
clockBehaviour BEHAVIOUR
DEFINED AS
!A party's authentication clock - a non-negative
integer which is incremented as specified/allowed
by the party's Authentication Protocol. For
noAuth, a party's authentication clock is
unused and its value is undefined.
For v2md5AuthProtocol, a party's authentication
clock is a relative clock with 1-second
granularity.!
context ATTRIBUTE
WITH ATTRIBUTE SYNTAX
IIMCPartyMIB:ObjectIdentifier;
MATCHES FOR EQUALITY ORDERING;
BEHAVIOUR
contextBehaviour BEHAVIOUR
DEFINED AS
!Denotes a SNMPv2 context identifier. Note that
agents may impose implementation limitations on the
length of OIDs used to identify contexts. As such,
management stations creating new contexts should be
aware that using an excessively long OID may result
in the agent refusing to perform the set operation
and instead returning the appropriate error
response, e.g., noCreation.!
storageType ATTRIBUTE
WITH ATTRIBUTE SYNTAX
IIMCPartyMIB:StorageType;
MATCHES FOR EQUALITY ORDERING;
BEHAVIOUR
storageTypeBehaviour BEHAVIOUR
DEFINED AS
!Describes the memory realization of a conceptual
row. A row which is volatile(2) is lost upon
reboot. A row which is nonVolatile(3) is backed
up by stable storage. A row which is permanent(4)
cannot be changed nor deleted.!
6.2 Object Class Definitions
The Internet SNMP Parties MIB objects [RFC1353] are recast into
OSI GDMO templates as defined in [ISO10165-4], and registered,
using the procedures defined in [IIMCIMIBTRANS].
The object identifier {iimcAutoTrans} is defined in
[IIMCIMIBTRANS].
The templates for the object classes are listed in
alphabetical order.
Editor's Note: [The OID fragment "iimcAutoTrans-partyMIB" will
be resolved when the iimcAutotrans and partyMIB OID are
allocated.]
aclEntry MANAGED OBJECT CLASS
DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2 : 1992" :top;
CHARACTERIZED BY
aclEntryPkg PACKAGE
BEHAVIOUR
aclEntryPkgBehaviour BEHAVIOUR
DEFINED AS
!PARSE
REFERENCE !!This managed object class maps to
aclEntry object in [SNMPv2PARTY].!!;
MULTIPLEINSTANCES
INDEX aclSubject, aclTarget, aclResources;
CREATEDELETEATT aclStatus;
CREATEDELETEVALUE SNMPV2ROWSTATUS;
ENDMULTIPLEINSTANCES
ENDPARSE
The access privileges for a particular requesting
SNMP party in accessing a particular target SNMP
party.!;;
ATTRIBUTES
{iimcManagementDocMan 1}: internetClassId GET,
aclTarget GET,
aclSubject GET,
aclResources GET,
aclPrivileges GET-REPLACE
DEFAULT VALUE IIMCPartyMIB.c-aclPrivileges,
aclStorageType GET-REPLACE
DEFAULT VALUE IIMCPartyMIB.c-aclStorageType,
aclStatus GET-REPLACE;;;
REGISTERED AS { iimcAutoTrans-partyMIB 2 3 1 1 };
aclTable MANAGED OBJECT CLASS
DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2 : 1992" :top;
CHARACTERIZED BY
aclTablePkg PACKAGE
BEHAVIOUR
aclTableBehaviour BEHAVIOUR
DEFINED AS !The access privileges database.!;;
ATTRIBUTES
{iimcManagementDocMan 1}:internetClassId GET;;;
REGISTERED AS { iimcAutoTrans-partyMIB 2 3 1};
contextEntry MANAGED OBJECT CLASS
DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2 : 1992" :top;
CHARACTERIZED BY
contextEntryPkg PACKAGE
BEHAVIOUR
contextEntryPkgBehaviour BEHAVIOUR
DEFINED AS
!PARSE
REFERENCE !!This managed object class maps to
contextEntry object in [SNMPv2PARTY].!!;
MULTIPLEINSTANCES
INDEX contextIdentity;
CREATEDELETEATT contextStatus;
CREATEDELETEVALUE SNMPV2ROWSTATUS;
ENDMULTIPLEINSTANCES
ENDPARSE
Locally held information about a particular
SNMPv2 context.!;;
ATTRIBUTES
{iimcManagementDocMan 1}:internetClassId GET,
contextIdentity GET,
contextIndex GET-REPLACE,
contextLocal GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-contextLocal,
contextViewIndex GET-REPLACE,
contextLocalEntity GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-contextLocalEntity,
contextLocalTime GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-contextLocalTime,
contextProxyDstParty GET-REPLACE,
contextProxySrcParty GET-REPLACE,
contextProxyContext GET-REPLACE,
contextStorageType GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-contextStorageType,
contextStatus GET-REPLACE;;;
REGISTERED AS { iimcAutoTrans-partyMIB 2 2 1 1 };
contextTable MANAGED OBJECT CLASS
DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2 : 1992" :top;
CHARACTERIZED BY
contextTablePkg PACKAGE
BEHAVIOUR
contextTablePkgBehaviour BEHAVIOUR
DEFINED AS
!The SNMPv2 Context database.!;;
ATTRIBUTES
{iimcManagementDocMan 1}: internetClassId
GET;;;
REGISTERED AS { iimcAutoTrans-partyMIB 2 2 1 };
familyEntry MANAGED OBJECT CLASS
DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2 : 1992":top;
CHARACTERIZED BY
familyEntryPkg PACKAGE
BEHAVIOUR
familyEntryPkgBehaviour BEHAVIOUR
DEFINED AS
!PARSE
REFERENCE !!This managed object class maps to
familyEntry object in [SNMPv2PARTY].!!;
MULTIPLEINSTANCES
INDEX familyIndex;
CREATEDELETEATT familyStatus;
CREATEDELETEVALUE SNMPV2ROWSTATUS;
ENDMULTIPLEINSTANCES
ENDPARSE
Information on a particular family of view
subtrees.!;;
ATTRIBUTES
{iimcManagementDocMan 1}: internetClassId GET,
familyIndex GET,
familySubtree GET-REPLACE,
familyMask GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-familyMask,
familyStorageType GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-familyStorageType,
familyStatus GET-REPLACE;;;
REGISTERED AS { iimcAutoTrans-partyMIB 2 4 2 1 };
familyTable MANAGED OBJECT CLASS
DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2 : 1992" :top;
CHARACTERIZED BY
familyTablePkg PACKAGE
BEHAVIOUR
familyTablePkgBehaviour BEHAVIOUR
DEFINED AS
!Locally held information about a family of view
subtrees.!;;
ATTRIBUTES
{iimcManagementDocMan 1}: internetClassId
GET;;;
REGISTERED AS { iimcAutoTrans-partyMIB 2 4 2 };
partyEntry MANAGED OBJECT CLASS
DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2 : 1992":top;
CHARACTERIZED BY
partyEntryPkg PACKAGE
BEHAVIOUR
partyEntryPkgBehaviour BEHAVIOUR
DEFINED AS
!PARSE
REFERENCE !!This managed object class maps to
partyEntry object in [SNMPv2PARTY].!!;
MULTIPLEINSTANCES
INDEX partyIdentity;
CREATEDELETEATT partyStatus;
CREATEDELETEVALUE SNMPV2ROWSTATUS;
ENDMULTIPLEINSTANCES
ENDPARSE
Locally held information about a particular
SNMPv2 party.!;;
ATTRIBUTES
{iimcManagementDocMan 1}: internetClassId GET,
partyIdentity GET-REPLACE,
partyIndex GET,
partyTDomain GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-partyTDomain,
partyTAddress GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-partyTAddress,
partyMaxMessageSize GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-partyMaxMessageSize,
partyLocal GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-partyLocal,
partyAuthProtocol GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-partyAuthProtocol,
partyAuthClock GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-partyAuthClock,
partyAuthPrivate GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-partyAuthPrivate,
partyAuthPublic GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-partyAuthPublic,
partyAuthLifetime GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-partyAuthLifetime,
partyPrivProtocol GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-partyPrivProtocol,
partyPrivPrivate GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-partyPrivPrivate,
partyPrivPublic GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-partyPrivPublic,
partyCloneFrom GET-REPLACE,
partyStorageType GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-partyStorageType,
partyStatus GET-REPLACE;;;
REGISTERED AS { iimcAutoTrans-partyMIB 2 1 1 1 };
partyTable MANAGED OBJECT CLASS
DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2 : 1992" :top;
CHARACTERIZED BY
partyTablePkg PACKAGE
BEHAVIOUR
partyTablePkgBehaviour BEHAVIOUR
DEFINED AS
!The SNMPv2 Party database.!;;
ATTRIBUTES
{iimcManagementDocMan 1}: internetClassId
GET;;;
REGISTERED AS { iimcAutoTrans-partyMIB 2 1 1 };
viewEntry MANAGED OBJECT CLASS
DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2 : 1992" :top;
CHARACTERIZED BY
viewEntryPkg PACKAGE
BEHAVIOUR
viewEntryPkgBehaviour BEHAVIOUR
DEFINED AS
!PARSE
REFERENCE !!This managed object class maps to
viewEntry object in [SNMPv2PARTY].!!;
MULTIPLEINSTANCES
INDEX viewIndex, viewSubtree;
CREATEDELETEATT viewStatus;
CREATEDELETEVALUE SNMPV2ROWSTATUS;
ENDMULTIPLEINSTANCES
ENDPARSE
Information on a particular family of view
subtrees included in or excluded from a
particular SNMPv2 context's MIB view.
Implementations must not restrict the number of
families of view subtrees for a given MIB view,
except as dictated by resource constraints on the
overall number of entries in the viewTable.!;;
ATTRIBUTES
{iimcManagementDocMan 1}: internetClassId GET,
viewIndex GET,
viewSubtree GET,
viewMask GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-viewMask,
viewType GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-viewType,
viewStorageType GET-REPLACE
DEFAULT VALUE
IIMCPartyMIB.c-viewStorageType,
viewStatus GET-REPLACE;;;
REGISTERED AS { iimcAutoTrans-partyMIB 2 4 1 1 };
viewTable MANAGED OBJECT CLASS
DERIVED FROM "Rec. X.721 | ISO/IEC 10165-2 : 1992" :top;
CHARACTERIZED BY
viewTablePkg PACKAGE
BEHAVIOUR
viewTableBehaviour BEHAVIOUR
DEFINED AS
!Locally held information about the MIB views
known to this SNMPv2 entity.
Each SNMPv2 context which is locally accessible
has a single MIB view which is defined by two
collections of view subtrees: the included view
subtrees, and the excluded view subtrees. Every
such subtree, both included and excluded, is
defined in this table.
To determine if a particular object instance is in
a particular MIB view, compare the object
instance's OBJECT IDENTIFIER with each of the MIB
view's entries in this table. If none match, then
the object instance is not in the MIB view. If
one or more match, then the object instance is
included in, or excluded from, the MIB view
according to the value of viewType in the entry
whose value of viewSubtree has the most sub-
identifiers. If multiple entries match and have
the same number of sub-identifiers, then the
lexicographically greatest instance of viewType
determines the inclusion or exclusion.
An object instance's OBJECT IDENTIFIER X matches
an entry in this table when the number of sub-
identifiers in X is at least as many as in the
value of viewSubtree for the entry, and each sub-
identifier in the value of viewSubtree matches its
corresponding sub-identifier in X. Two sub-
identifiers match either if the corresponding bit
of viewMask is zero (the 'wild card' value), or if
they are equal.
Due to this 'wild card' capability, we introduce
the term, a 'family' of view subtrees, to refer to
the set of subtrees defined by a particular
combination of values of viewSubtree and viewMask.
In the case where no 'wild card' is defined in
viewMask, the family of view subtrees reduces to a
single view subtree.!;;
ATTRIBUTES
{iimcManagementDocMan 1}: internetClassId
GET;;;
REGISTERED AS { iimcAutoTrans-partyMIB 2 4 1 };
6.3 Attribute Definitions
The templates for the IIMC Party MIB attributes are listed in
alphabetical order. The object identifier {cmipsnmpProxyIMIB}
is defined in [IIMCIMIBTRANS].
aclPrivileges ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB:AclPrivileges;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
aclPrivilegesBehaviour BEHAVIOUR
DEFINED AS
!The access privileges which govern what
management operations a particular target party
may perform with respect to a particular SNMPv2
context when requested by a particular subject
party. These privileges are specified as a sum of
values, where each value specifies a SNMPv2 PDU
type by which the subject party may request a
permitted operation. The value for a particular
PDU type is computed as 2 raised to the value of
the ASN.1 context-specific tag for the appropriate
SNMPv2 PDU type. The values (for the tags defined
in [5]) are defined in [3] as:
Get : 1
GetNext : 2
Response : 4
Set : 8
unused : 16
GetBulk : 32
Inform : 64
SNMPv2-Trap : 128
The null set is represented by the value zero.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 3 1 1 4};
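The following Python is an added worked example, not part of the
draft or of any IIMC implementation. It puts the aclPrivileges
encoding above together with the MIB view rules given in the
viewTable behaviour in 6.2 (a matching viewEntry needs at least as
many sub-identifiers as viewSubtree, zero bits of viewMask are
wild cards, the longest matching viewSubtree decides, ties go to
the lexicographically greatest instance) and with the link from
aclResources to contextIndex and on to contextViewIndex. Every
table row and OID below is constructed sample data, and the names
AclEntry, ViewEntry, in_view and authorize are this example's own.
One assumption the text does not state: bits past the end of
viewMask are taken as ones (the RFC 1447 convention), so an empty
mask is an exact prefix match.

```python
from __future__ import annotations
from dataclasses import dataclass

OID = tuple[int, ...]

# aclPrivileges: each permitted PDU type contributes 2 ** (its ASN.1 context-specific tag).
PDU_TAG = {"Get": 0, "GetNext": 1, "Response": 2, "Set": 3,
           "GetBulk": 5, "Inform": 6, "SNMPv2-Trap": 7}


def privileges(*pdus: str) -> int:
    """Encode a set of permitted PDU types as an aclPrivileges value."""
    return sum(1 << PDU_TAG[p] for p in pdus)


def permitted_pdus(priv: int) -> set[str]:
    """Decode an aclPrivileges value back into the PDU types it permits."""
    return {name for name, tag in PDU_TAG.items() if priv & (1 << tag)}


@dataclass(frozen=True)
class AclEntry:        # one aclEntry row, indexed by (aclSubject, aclTarget, aclResources)
    subject: int       # partyIndex of the requesting party
    target: int        # partyIndex of the party that performs the operation
    resources: int     # contextIndex of the SNMPv2 context the privileges apply to
    privileges: int    # aclPrivileges


@dataclass(frozen=True)
class ViewEntry:       # one viewEntry row
    index: int         # viewIndex
    subtree: OID       # viewSubtree
    mask: bytes        # viewMask, most significant bit first; a 0 bit is a wild card
    included: bool     # viewType: True = included, False = excluded


def mask_bit(mask: bytes, i: int) -> int:
    """Bit i of viewMask. Assumption (RFC 1447 convention, not stated in the draft):
    bits beyond the end of the mask are 1, so an empty mask is an exact prefix match."""
    if i // 8 >= len(mask):
        return 1
    return (mask[i // 8] >> (7 - i % 8)) & 1


def matches(entry: ViewEntry, x: OID) -> bool:
    """X matches when it has at least as many sub-identifiers as viewSubtree and each
    sub-identifier of viewSubtree is either wild-carded or equal to the one in X."""
    if len(x) < len(entry.subtree):
        return False
    return all(mask_bit(entry.mask, i) == 0 or x[i] == s
               for i, s in enumerate(entry.subtree))


def in_view(view: list[ViewEntry], view_index: int, x: OID) -> bool:
    """Membership of X in MIB view view_index: no match means not in the view; otherwise
    the matching entry with the most sub-identifiers decides, ties going to the
    lexicographically greatest viewSubtree (the greatest instance)."""
    hits = [e for e in view if e.index == view_index and matches(e, x)]
    if not hits:
        return False
    return max(hits, key=lambda e: (len(e.subtree), e.subtree)).included


def authorize(acl: list[AclEntry], contexts: dict[int, int], view: list[ViewEntry],
              subject: int, target: int, context_index: int, pdu: str,
              oids: list[OID]) -> tuple[bool, str]:
    """Access decision for one request: look up the aclEntry for (subject, target,
    context), test the PDU's bit, then require every OID to lie in the MIB view named
    by the context's contextViewIndex. A contextViewIndex of 0 denotes a proxy
    relationship with no local MIB view; this example simply refuses such requests."""
    key = (subject, target, context_index)
    priv = next((e.privileges for e in acl
                 if (e.subject, e.target, e.resources) == key), 0)
    if not priv & (1 << PDU_TAG[pdu]):
        return False, f"{pdu} not permitted by aclPrivileges for {key}"
    view_index = contexts.get(context_index, 0)
    if view_index == 0:
        return False, f"context {context_index} is a proxy context (contextViewIndex 0)"
    for x in oids:
        if not in_view(view, view_index, x):
            return False, f"{'.'.join(map(str, x))} is not in MIB view {view_index}"
    return True, "permitted"


# Constructed sample rows (not taken from the draft).
ACL = [AclEntry(subject=1, target=2, resources=1,
                privileges=privileges("Get", "GetNext", "GetBulk"))]   # read-only: 35
CONTEXTS = {1: 1}                                    # contextIndex 1 -> contextViewIndex 1
VIEW = [
    ViewEntry(1, (1, 3, 6, 1, 2, 1), b"", True),            # include all of mib-2
    ViewEntry(1, (1, 3, 6, 1, 2, 1, 2, 2), b"", False),     # ... but exclude ifTable
    # ... and re-include every column of ifEntry for ifIndex 2: the 0 bit in 0xffa0
    # (bit 9) wild-cards the column sub-identifier, bit 10 pins ifIndex to 2.
    ViewEntry(1, (1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 2), b"\xff\xa0", True),
]
SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)
IF_DESCR_2 = (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 2)
IF_DESCR_3 = (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 3)

if __name__ == "__main__":
    for pdu, oids in [("Get", [SYS_DESCR_0]), ("Set", [SYS_DESCR_0]),
                      ("Get", [IF_DESCR_2]), ("Get", [IF_DESCR_3])]:
        print(pdu, [".".join(map(str, o)) for o in oids],
              authorize(ACL, CONTEXTS, VIEW, 1, 2, 1, pdu, oids))
```

The ifTable rows show why the longest-match rule matters: ifDescr.2
matches the mib-2 include, the ifTable exclude and the wild-carded
ifIndex-2 family, and the family entry wins because it has the most
sub-identifiers, while ifDescr.3 falls to the ifTable exclude.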
aclResources ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.Integer64k;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
aclResourcesBehaviour BEHAVIOUR
DEFINED AS
!The value of an instance of this object
identifies a SNMPv2 context in an access control
policy, and has the same value as the instance of
the contextIndex object for that SNMPv2 context.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 3 1 1 3};
aclStatus ATTRIBUTE
DERIVED FROM {iimcManagementDocMan 1}:rowStatus;
BEHAVIOUR
aclStatusBehaviour BEHAVIOUR
DEFINED AS !The status of this conceptual row in the
aclTable.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 3 1 1 6};
aclStorageType ATTRIBUTE
DERIVED FROM storageType;
BEHAVIOUR
aclStorageTypeBehaviour BEHAVIOUR
DEFINED AS
!The storage type for this conceptual row in the
aclTable.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 3 1 1 5};
aclSubject ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.Integer64k;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
aclSubjectBehaviour BEHAVIOUR
DEFINED AS
!The value of an instance of this object
identifies a SNMPv2 party which is the subject of
an access control policy, and has the same value
as the instance of the partyIndex object for that
SNMPv2 party.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 3 1 1 2};
aclTarget ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.Integer64k;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
aclTargetBehaviour BEHAVIOUR
DEFINED AS
!The value of an instance of this object
identifies a SNMPv2 party which is the target of
an access control policy, and has the same value
as the instance of the partyIndex object for that
party.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 3 1 1 1};
contextIdentity ATTRIBUTE
DERIVED FROM context;
BEHAVIOUR
contextIdentityBehaviour BEHAVIOUR
DEFINED AS
!A context identifier uniquely identifying a
particular SNMPv2 context.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 2 1 1 1};
contextIndex ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.Integer64k;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
contextIndexBehaviour BEHAVIOUR
DEFINED AS
!A unique value for each SNMPv2 context. The
value for each SNMPv2 context must remain constant
at least from one re-initialization of the
entity's network management system to the next
re-initialization.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 2 1 1 2};
contextLocal ATTRIBUTE
DERIVED FROM {iimcManagementDocMan 1}:truthValue;
BEHAVIOUR
contextLocalBehaviour BEHAVIOUR
DEFINED AS
!An indication of whether this context is realized
by this SNMPv2 entity.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 2 1 1 3};
contextViewIndex ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.Integer64k;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
contextViewIndexBehaviour BEHAVIOUR
DEFINED AS
!If the value of an instance of this object is
zero, then this corresponding conceptual row in
the contextTable refers to a SNMPv2 context which
identifies a proxy relationship; the values of the
corresponding instances of the
contextProxyDstParty, contextProxySrcParty, and
contextProxyContext objects provide further
information on the proxy relationship.
Otherwise, if the value of an instance of this
object is greater than zero, then this
corresponding conceptual row in the contextTable
refers to a SNMPv2 context which identifies a MIB
view of a locally accessible entity; the value of
the instance identifies the particular MIB view
which has the same value of viewIndex; and the
value of the corresponding instances of the
contextLocalEntity and contextLocalTime objects
provide further information on the local entity
and its temporal domain.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 2 1 1 4};
contextLocalEntity ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.OctetString;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
contextLocalEntityBehaviour BEHAVIOUR
DEFINED AS
!If the value of the corresponding instance of the
contextViewIndex is greater than zero, then the
value of an instance of this object identifies the
local entity whose management information is in
the SNMPv2 context's MIB view. The empty string
indicates that the MIB view contains the SNMPv2
entity's own local management information;
otherwise, a non-empty string indicates that the
MIB view contains management information of some
other local entity, e.g., 'Repeater1'.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 2 1 1 5};
contextLocalTime ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.ObjectIdentifier;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
contextLocalTimeBehaviour BEHAVIOUR
DEFINED AS
!If the value of the corresponding instance of the
contextViewIndex is greater than zero, then the
value of an instance of this object identifies the
temporal context of the management information in
the MIB view.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 2 1 1 6};
contextProxyDstParty ATTRIBUTE
DERIVED FROM party;
BEHAVIOUR
contextProxyDstPartyBehaviour BEHAVIOUR
DEFINED AS
!If the value of the corresponding instance of the
contextViewIndex is equal to zero, then the value
of an instance of this object identifies a SNMPv2
party which is the proxy destination of a proxy
relationship.
If the value of the corresponding instance of the
contextViewIndex is greater than zero, then the
value of an instance of this object is zero.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 2 1 1 7};
contextProxySrcParty ATTRIBUTE
DERIVED FROM party;
BEHAVIOUR
contextProxySrcPartyBehaviour BEHAVIOUR
DEFINED AS
!If the value of the corresponding instance of the
contextViewIndex is equal to zero, then the value
of an instance of this object identifies a SNMPv2
party which is the proxy source of a proxy
relationship.
Interpretation of an instance of this object
depends upon the value of the transport domain
associated with the SNMPv2 party used as the proxy
destination in this proxy relationship.
If the value of the corresponding instance of the
contextViewIndex is greater than zero, then the
value of an instance of this object is zero.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 2 1 1 8};
contextProxyContext ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.ObjectIdentifier;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
contextProxyContextBehaviour BEHAVIOUR
DEFINED AS
!If the value of the corresponding instance of the
contextViewIndex is equal to zero, then the value
of an instance of this object identifies the
context of a proxy relationship.
Interpretation of an instance of this object
depends upon the value of the transport domain
associated with the SNMPv2 party used as the proxy
destination in this proxy relationship.
If the value of the corresponding instance of the
contextViewIndex is greater than zero, then the
value of an instance of this object is { 0 0 }.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 2 1 1 9};
contextStorageType ATTRIBUTE
DERIVED FROM storageType;
BEHAVIOUR
contextStorageTypeBehaviour BEHAVIOUR
DEFINED AS
!The storage type for this conceptual row in the
contextTable.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 2 1 1 10};
contextStatus ATTRIBUTE
DERIVED FROM {iimcManagementDocMan 1}:rowStatus;
BEHAVIOUR
contextStatusBehaviour BEHAVIOUR
DEFINED AS
!The status of this conceptual row in the
contextTable.
A context is not qualified for activation until
instances of all corresponding columns have the
appropriate value. In particular, if the
context's contextViewIndex is greater than zero,
then the viewStatus column of the associated
conceptual row(s) in the viewTable must have the
value `active'. Until instances of all
corresponding columns are appropriately
configured, the value of the corresponding
instance of the contextStatus column is
`notReady'.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 2 1 1 11};
familyIndex ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.Integer64k;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
familyIndexBehaviour BEHAVIOUR
DEFINED AS
!A unique value for each family of view subtrees.
The value for each family of view subtrees must
remain constant at least from one re-
initialization of the entity's network management
system to the next re-initialization.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 4 2 1 1};
familySubtree ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.ObjectIdentifier;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
familySubtreeBehaviour BEHAVIOUR
DEFINED AS
!An object identifier which, in combination with
the corresponding instance of familyMask, defines a
family of view subtrees.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 4 2 1 2};
familyMask ATTRIBUTE
WITH ATTRIBUTE SYNTAX
IIMCPartyMIB:OctetString16;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
familyMaskBehaviour BEHAVIOUR
DEFINED AS
!The bit mask which, in combination with the
corresponding instance of familySubtree, defines a
family of view subtrees.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 4 2 1 3};
familyStorageType ATTRIBUTE
DERIVED FROM storageType;
BEHAVIOUR
familyStorageTypeBehaviour BEHAVIOUR
DEFINED AS
!The storage type for this conceptual row in the
familyTable.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 4 2 1 4};
familyStatus ATTRIBUTE
DERIVED FROM {iimcManagementDocMan 1}:rowStatus;
BEHAVIOUR
familyStatusBehaviour BEHAVIOUR
DEFINED AS
!The status of this conceptual row in the
familyTable.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 4 2 1 5};
partyAuthClock ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCRFC1353ProxyASN1.Clock;
MATCHES FOR EQUALITY;
BEHAVIOUR
partyAuthClockBehaviour BEHAVIOUR
DEFINED AS
!The authentication clock which represents the
local notion of the current time specific to the
party. This value must not be decremented unless
the party's secret information is changed
simultaneously, at which time the party's nonce
and last-timestamp values must also be reset to
zero, and the new value of the clock,
respectively.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 8};
partyAuthLifetime ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB:PartyLifetime;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
partyAuthLifetimeBehaviour BEHAVIOUR
DEFINED AS
!The lifetime (in units of seconds) which
represents an administrative upper bound on
acceptable delivery delay for protocol messages
generated by the party.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 11};
partyAuthPrivate ATTRIBUTE
WITH ATTRIBUTE SYNTAX
IIMCPartyMIB.OctetString;
MATCHES FOR EQUALITY, SUBSTRINGS;
BEHAVIOUR
partyAuthPrivateBehaviour BEHAVIOUR
DEFINED AS
!If the value of partyAuthProtocol is
{snmpv1CommString} then this attribute contains the
community string to be used with SNMPv1 security.
If the value of partyAuthProtocol is not
{snmpv1CommString} then this attribute contains an
encoding of the party's private authentication
key which may be needed to support the
authentication protocol. Although the value of
this variable may be altered by a management
operation (e.g., a SNMPv2 Set-Request), its value
can never be retrieved by a management operation:
when read, the value of this variable is the zero
length OCTET STRING.
The private authentication key is NOT directly
represented by the value of this variable, but
rather it is represented according to an encoding.
This encoding is the bitwise exclusive-OR of the
old key with the new key, i.e., of the old private
authentication key (prior to the alteration) with
the new private authentication key (after the
alteration). Thus, when processing a received
protocol Set operation, the new private
authentication key is obtained from the value of
this variable as the result of a bitwise
exclusive-OR of the variable's value and the old
private authentication key. In calculating the
exclusive-OR, if the old key is shorter than the
new key, zero-valued padding is appended to the
old key. If no value for the old key exists, a
zero-length OCTET STRING is used in the
calculation.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 9};
partyAuthProtocol ATTRIBUTE
WITH ATTRIBUTE SYNTAX
IIMCPartyMIB.ObjectIdentifier;
MATCHES FOR EQUALITY;
BEHAVIOUR
partyAuthProtocolBehaviour BEHAVIOUR
DEFINED AS
!The authentication protocol by which all messages
generated by the party are authenticated as to
origin and integrity. In this context, the value
{ noAuth } signifies that messages generated by
the party are not authenticated.
The value {snmpv1CommString} indicates that an SNMPv1
community string is to be used. The community string
shall be present in partyAuthPrivate.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 7};
partyAuthPublic ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB:OctetString16;
MATCHES FOR EQUALITY;
BEHAVIOUR
partyAuthPublicBehaviour BEHAVIOUR
DEFINED AS
!A publicly-readable value for the party.
Depending on the party's authentication protocol,
this value may be needed to support the party's
authentication protocol. Alternatively, it may be
used by a manager during the procedure for
altering secret information about a party. (For
example, by altering the value of an instance of
this object in the same SNMP Set-Request used to
update an instance of partyAuthPrivate, a
subsequent Get-Request can determine if the Set-
Request was successful in the event that no
response to the Set-Request is received, see RFC 1352.)
The length of the value is dependent on the
party's authentication protocol. If not used by
the authentication protocol, it is recommended
that agents support values of any length up to and
including the length of the corresponding
partyAuthPrivate object.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 10};
partyCloneFrom ATTRIBUTE
DERIVED FROM party;
BEHAVIOUR
partyCloneFromBehaviour BEHAVIOUR
DEFINED AS
!The identity of a party to clone authentication
and privacy parameters from. When read, the value
{ 0 0 } is returned.
This value can only be written when the associated
instance of partyStatus either does not exist or
has the value `notReady'. When written, the value
identifies a party, the cloning party, whose
status column has the value `active'. The cloning
party is used in two ways.
One, if instances of the following objects do not
exist for the party being created, then they are
created with values identical to those of the
corresponding objects for the cloning party:
partyAuthProtocol
partyAuthPublic
partyAuthLifetime
partyPrivProtocol
partyPrivPublic
Two, instances of the following objects are
updated using the corresponding values of the
cloning party:
partyAuthPrivate
partyPrivPrivate
(e.g., the value of the cloning party's instance
of the partyAuthPrivate object is XOR'd with the
value of the partyAuthPrivate instances of the
party being created.)!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 15};
partyIdentity ATTRIBUTE
DERIVED FROM party;
BEHAVIOUR
partyIdentityBehaviour BEHAVIOUR
DEFINED AS
!A party identifier uniquely identifying a
particular SNMP party.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 1};
partyIndex ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.Integer64k;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
partyIndexBehaviour BEHAVIOUR
DEFINED AS
!A unique value for each SNMPv2 party. The value
for each SNMPv2 party must remain constant at
least from one re-initialization of the entity's
network management system to the next re-
initialization.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 2};
partyLocal ATTRIBUTE
DERIVED FROM {iimcManagementDocMan 1}:truthValue;
BEHAVIOUR
partyLocalBehaviour BEHAVIOUR
DEFINED AS
!An indication of whether this party executes at
this SNMPv2 entity. If this object has a value of
true(1), then the SNMPv2 entity will listen for
SNMPv2 messages on the partyTAddress associated
with this party. If this object has the value
false(2), then the SNMPv2 entity will not listen
for SNMPv2 messages on the partyTAddress
associated with this party.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 6};
partyMaxMessageSize ATTRIBUTE
WITH ATTRIBUTE SYNTAX
IIMCPartyMIB:PartyMaxMessageSize;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
partyMaxMessageSizeBehaviour BEHAVIOUR
DEFINED AS
!The maximum length in octets of a SNMP message
which this party will accept. For parties which
execute at an agent, the agent initializes this
object to the maximum length supported by the
agent, and does not let the object be set to any
larger value. For parties which do not execute at
the agent, the agent must allow the manager to set
this object to any legal value, even if it is
larger than the agent can generate.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 5};
partyPrivProtocol ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.ObjectIdentifier;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
partyPrivProtocolBehaviour BEHAVIOUR
DEFINED AS
!The privacy protocol by which all protocol
messages received by the party are protected from
disclosure. In this context, the value { noPriv }
signifies that messages received by the party are
not protected.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 12};
partyPrivPrivate ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB:OctetString16;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
partyPrivPrivateBehaviour BEHAVIOUR
DEFINED AS
!An encoding of the party's private encryption key
which may be needed to support the privacy
protocol. Although the value of this variable may
be altered by a management operation (e.g., a
SNMPv2 Set-Request), its value can never be
retrieved by a management operation: when read,
the value of this variable is the zero length
OCTET STRING.
The private encryption key is NOT directly
represented by the value of this variable, but
rather it is represented according to an encoding.
This encoding is the bitwise exclusive-OR of the
old key with the new key, i.e., of the old private
encryption key (prior to the alteration) with the
new private encryption key (after the alteration).
Thus, when processing a received protocol Set
operation, the new private encryption key is
obtained from the value of this variable as the
result of a bitwise exclusive-OR of the variable's
value and the old private encryption key. In
calculating the exclusive-OR, if the old key is
shorter than the new key, zero-valued padding is
appended to the old key. If no value for the old
key exists, a zero-length OCTET STRING is used in
the calculation.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 13};
partyPrivPublic ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB:OctetString16;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
partyPrivPublicBehaviour BEHAVIOUR
DEFINED AS
!A publicly-readable value for the party.
Depending on the party's privacy protocol, this
value may be needed to support the party's privacy
protocol. Alternatively, it may be used by a
manager as a part of its procedure for altering
secret information about a party. (For example,
by altering the value of an instance of this
object in the same SNMP Set-Request used to update
an instance of partyPrivPrivate, a subsequent
Get-Request can determine if the Set-Request was
successful in the event that no response to the
Set-Request is received, see RFC 1352.)
The length of the value is dependent on the
party's privacy protocol. If not used by the
privacy protocol, it is recommended that agents
support values of any length up to and including
the length of the corresponding partyPrivPrivate
object.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 14};
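The key-update encoding of partyPrivPrivate and the partyPrivPublic confirmation procedure described above, as an added example that is not part of this draft or of RFC 1352. The PartyRow class, the manager-side helper names and the 16-octet key length are assumptions made for the example; the XOR and zero-padding rules are the ones the behaviour text states.

```python
# Added example (not part of the draft or RFC 1352): the XOR encoding that
# partyPrivPrivate uses for key updates, and the partyPrivPublic check a
# manager can run when the Set-Request response is lost. The PartyRow class
# and the 16-octet key length are assumptions made for this example.
import hmac

KEY_LEN = 16  # OctetString16 bounds both partyPrivPrivate and partyPrivPublic


def xor_with_padding(old_key: bytes, other: bytes) -> bytes:
    """XOR `old_key` with `other`, padding the old key with zero octets
    when it is shorter. A missing old key is the zero-length string, which
    the same padding rule turns into all zeros."""
    if len(old_key) < len(other):
        old_key = old_key + bytes(len(other) - len(old_key))
    return bytes(a ^ b for a, b in zip(old_key, other))


def encode_key_update(old_key: bytes, new_key: bytes) -> bytes:
    """Manager side: the value to write to partyPrivPrivate is old XOR new."""
    return xor_with_padding(old_key, new_key)


class PartyRow:
    """Minimal agent-side model of the two privacy columns of a partyEntry."""

    def __init__(self, priv_private: bytes = b"", priv_public: bytes = b""):
        self._priv_private = priv_private  # never returned by a Get
        self.priv_public = priv_public

    def get(self, name: str) -> bytes:
        if name == "partyPrivPrivate":
            return b""  # when read, the value is the zero-length OCTET STRING
        if name == "partyPrivPublic":
            return self.priv_public
        raise KeyError(name)

    def set(self, varbinds: dict) -> None:
        """Process a Set-Request. Every binding is validated before any is
        applied, so a bad binding leaves both columns untouched."""
        for name, value in varbinds.items():
            if name not in ("partyPrivPrivate", "partyPrivPublic"):
                raise KeyError(name)
            if len(value) > KEY_LEN:
                raise ValueError(f"{name}: OctetString16 allows at most {KEY_LEN} octets")
        for name, value in varbinds.items():
            if name == "partyPrivPrivate":
                # Agent side: new key = received value XOR old key
                self._priv_private = xor_with_padding(self._priv_private, value)
            else:
                self.priv_public = value

    def key_matches(self, candidate: bytes) -> bool:
        """Constant-time comparison for the agent's own privacy layer."""
        return hmac.compare_digest(self._priv_private, candidate)


def rekey(row: PartyRow, old_key: bytes, new_key: bytes, nonce: bytes) -> None:
    """Manager procedure: change the key and write a fresh nonce to
    partyPrivPublic in the same Set-Request."""
    row.set({"partyPrivPrivate": encode_key_update(old_key, new_key),
             "partyPrivPublic": nonce})


def rekey_confirmed(row: PartyRow, nonce: bytes) -> bool:
    """If the Set-Request response was lost, a Get of partyPrivPublic
    returning the nonce shows the whole Set was applied."""
    return row.get("partyPrivPublic") == nonce
```

Because the value on the wire is old XOR new, an observer who does not already hold the old key learns nothing about the new one, and the agent never returns either key on a Get; the nonce in partyPrivPublic is what gives the manager a readable signal that the combined Set took effect.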
partyStatus ATTRIBUTE
DERIVED FROM {iimcManagementDocMan 1}:rowStatus;
BEHAVIOUR
partyStatusBehaviour BEHAVIOUR
DEFINED AS
!The status of this conceptual row in the
partyTable.
A party is not qualified for activation until
instances of all columns of its partyEntry row
have an appropriate value. In particular:
A value must be written to the Party's
partyCloneFrom object.
If the Party's partyAuthProtocol object has the
value md5AuthProtocol,
then the corresponding instance of
partyAuthPrivate must contain a secret of the
appropriate length. Further, at least one
management protocol set operation updating the
value of the party's partyAuthPrivate object
must be successfully processed, before the
partyAuthPrivate column is considered
appropriately configured.
If the Party's partyPrivProtocol object has the
value desPrivProtocol,
then the corresponding instance of
partyPrivPrivate must contain a secret of the
appropriate length. Further, at least one
management protocol set operation updating the
value of the party's partyPrivPrivate object
must be successfully processed, before the
partyPrivPrivate column is considered
appropriately configured.
Until instances of all corresponding columns are
appropriately configured, the value of the
corresponding instance of the partyStatus column is
`notReady'.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 17};
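The partyStatus readiness rules just listed, evaluated for one partyEntry row, as an added example that is not part of this draft. The PartyEntry record, the per-column counters of successful Set operations and the 16-octet secret lengths are assumptions: the draft says only "a secret of the appropriate length" and bounds both secrets at OctetString16. The MD5 protocol is named md5AuthProtocol in the text above and v2md5AuthProtocol in the ASN.1 module; the example uses the latter.

```python
# Added example (not part of the draft): evaluating the partyStatus readiness
# rules for one partyEntry row. The PartyEntry record, the Set counters and
# the 16-octet secret lengths are assumptions made for this example.
from dataclasses import dataclass
from typing import List, Optional

MD5_AUTH = "v2md5AuthProtocol"  # md5AuthProtocol in the text, v2md5AuthProtocol in the ASN.1
DES_PRIV = "desPrivProtocol"
REQUIRED_SECRET_LEN = {MD5_AUTH: 16, DES_PRIV: 16}  # assumed "appropriate" lengths


@dataclass
class PartyEntry:
    party_clone_from: Optional[str] = None  # None: never written
    party_auth_protocol: str = "noAuth"
    party_auth_private: bytes = b""
    auth_private_sets: int = 0              # successful Sets on partyAuthPrivate
    party_priv_protocol: str = "noPriv"
    party_priv_private: bytes = b""
    priv_private_sets: int = 0              # successful Sets on partyPrivPrivate


def readiness_problems(row: PartyEntry) -> List[str]:
    """Every reason the row is still `notReady`; empty when it is qualified."""
    problems = []
    if row.party_clone_from is None:
        problems.append("partyCloneFrom has not been written")
    columns = (
        ("partyAuthPrivate", row.party_auth_protocol,
         row.party_auth_private, row.auth_private_sets),
        ("partyPrivPrivate", row.party_priv_protocol,
         row.party_priv_private, row.priv_private_sets),
    )
    for column, protocol, secret, sets in columns:
        need = REQUIRED_SECRET_LEN.get(protocol)
        if need is None:
            continue  # noAuth / noPriv: the column needs no secret
        if len(secret) != need:
            problems.append(f"{column} must hold a {need}-octet secret for {protocol}")
        if sets == 0:
            problems.append(f"{column} has not yet been updated by a successful Set")
    return problems


def qualified_for_activation(row: PartyEntry) -> bool:
    """False exactly when partyStatus must still read `notReady`."""
    return not readiness_problems(row)
```

The second condition on each secret (at least one successful Set) is what stops a row created from a clone, or populated only with a default, from being activated while its secret is still the empty string.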
partyStorageType ATTRIBUTE
DERIVED FROM storageType;
BEHAVIOUR
partyStorageTypeBehaviour BEHAVIOUR
DEFINED AS
!The storage type for this conceptual row in the
partyTable.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 16};
partyTAddress ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.OctetString;
MATCHES FOR EQUALITY, SUBSTRINGS;
BEHAVIOUR
partyTAddressBehaviour BEHAVIOUR
DEFINED AS
!The transport service address by which the party
receives network management traffic, formatted
according to the corresponding value of
partyTDomain. For rfc1351Domain, partyTAddress is
formatted as a 4-octet IP Address concatenated
with a 2-octet UDP port number.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 4};
partyTDomain ATTRIBUTE
WITH ATTRIBUTE SYNTAX
IIMCPartyMIB.ObjectIdentifier;
MATCHES FOR EQUALITY;
BEHAVIOUR
partyTDomainBehaviour BEHAVIOUR
DEFINED AS
!Indicates the kind of transport service by which
the party receives network management traffic. An
example of a transport domain is 'rfc1351Domain'
(SNMP over UDP).!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1 3};
viewIndex ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.Integer64k;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
viewIndexBehaviour BEHAVIOUR
DEFINED AS
!A unique value for each MIB view. The value for
each MIB view must remain constant at least from
one re-initialization of the entity's network
management system to the next re-initialization.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 4 1 1 1};
viewMask ATTRIBUTE
WITH ATTRIBUTE SYNTAX
IIMCPartyMIB.OctetString16;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
viewMaskBehaviour BEHAVIOUR
DEFINED AS
!The bit mask which, in combination with the
corresponding instance of viewSubtree, defines a
family of view subtrees.
Each bit of this bit mask corresponds to a sub-
identifier of viewSubtree, with the most
significant bit of the i-th octet of this octet
string value (extended if necessary, see below)
corresponding to the (8*i - 7)-th sub-identifier,
and the least significant bit of the i-th octet of
this octet string corresponding to the (8*i)-th
sub-identifier, where i is in the range 1 through 16.
Each bit of this bit mask specifies whether or not
the corresponding sub-identifiers must match when
determining if an OBJECT IDENTIFIER is in this
family of view subtrees; a '1' indicates that an
exact match must occur; a '0' indicates 'wild
card', i.e., any sub-identifier value matches.
Thus, the OBJECT IDENTIFIER X of an object
instance is contained in a family of view subtrees
if the following criteria are met:
for each sub-identifier of the value of
viewSubtree, either:
the i-th bit of viewMask is 0, or
the i-th sub-identifier of X is equal to
the i-th sub-identifier of the value of
viewSubtree.
If the value of this bit mask is M bits long and
there are more than M sub-identifiers in the
corresponding instance of viewSubtree, then the
bit mask is extended with 1's to be the required
length.
Note that when the value of this object is the
zero-length string, this extension rule results in
a mask of all-1's being used (i.e., no 'wild
card'), and the family of view subtrees is the one
view subtree uniquely identified by the
corresponding instance of viewSubtree.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 4 1 1 3};
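The viewSubtree/viewMask matching rule above, applied to dotted OBJECT IDENTIFIERs, as an added example that is not part of this draft. The helper names and the sample viewTable rows are constructed for the example; the bit numbering and the extension of a short mask with 1 bits follow the behaviour text. Since the draft defines no precedence between families of type included and excluded, the example reports every family that contains an OID rather than deciding the final MIB view.

```python
# Added example (not part of the draft): the viewSubtree/viewMask rule
# applied to dotted OIDs. Helper names and sample families are constructed.
from typing import List, Tuple


def parse_oid(text: str) -> List[int]:
    return [int(part) for part in text.strip(".").split(".")]


def mask_bit(mask: bytes, i: int) -> int:
    """Mask bit for the i-th sub-identifier (i starts at 1). The most
    significant bit of octet 1 is sub-identifier 1 and its least significant
    bit is sub-identifier 8; past the end of the mask the draft extends it
    with 1 bits, so a zero-length mask means 'exact match everywhere'."""
    octet, bit = divmod(i - 1, 8)
    if octet >= len(mask):
        return 1
    return (mask[octet] >> (7 - bit)) & 1


def in_family(oid: str, subtree: str, mask: bytes) -> bool:
    """True when `oid` lies in the family of view subtrees (subtree, mask):
    every sub-identifier of `subtree` is either wild-carded (mask bit 0) or
    equal to the same-position sub-identifier of `oid`. An OID shorter than
    the subtree cannot supply those sub-identifiers, so it is not in the family."""
    x, s = parse_oid(oid), parse_oid(subtree)
    if len(x) < len(s):
        return False
    return all(mask_bit(mask, i) == 0 or x[i - 1] == s[i - 1]
               for i in range(1, len(s) + 1))


def matching_families(oid: str,
                      families: List[Tuple[str, bytes, str]]) -> List[Tuple[str, str]]:
    """Which (viewSubtree, viewType) rows of a viewTable contain `oid`.
    `families` holds (viewSubtree, viewMask, viewType) triples."""
    return [(subtree, vtype) for subtree, mask, vtype in families
            if in_family(oid, subtree, mask)]


# Constructed viewTable: all of mib-2 included, and the ifTable row for
# interface 7 excluded with the column sub-identifier (position 10)
# wild-carded. Mask bits 1..9 and 11 are 1, bit 10 is 0: 11111111 10111111.
SAMPLE_VIEW = [
    ("1.3.6.1.2.1", b"", "included"),
    ("1.3.6.1.2.1.2.2.1.1.7", b"\xff\xbf", "excluded"),
]
```

The wild card in the second row is the typical use of viewMask: one family covers every column of one conceptual row (here ifEntry.*.7) without listing each column OID separately.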
viewStatus ATTRIBUTE
DERIVED FROM {iimcManagementDocMan 1}:rowStatus;
BEHAVIOUR
viewStatusBehaviour BEHAVIOUR
DEFINED AS
!The status of this conceptual row in the
viewTable.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 4 1 1 6};
viewStorageType ATTRIBUTE
DERIVED FROM storageType;
BEHAVIOUR
viewStorageTypeBehaviour BEHAVIOUR
DEFINED AS
!The storage type for this conceptual row in the
viewTable.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 4 1 1 5};
viewSubtree ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.ObjectIdentifier;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
viewSubtreeBehaviour BEHAVIOUR
DEFINED AS
!A MIB subtree.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 4 1 1 2};
viewType ATTRIBUTE
WITH ATTRIBUTE SYNTAX IIMCPartyMIB.ViewType;
MATCHES FOR EQUALITY, ORDERING;
BEHAVIOUR
viewTypeBehaviour BEHAVIOUR
DEFINED AS
!The status of a particular family of view
subtrees within the particular SNMPv2 context's
MIB view. The value 'included(1)' indicates that
the corresponding instances of viewSubtree and
viewMask define a family of view subtrees included
in the MIB view. The value 'excluded(2)'
indicates that the corresponding instances of
viewSubtree and viewMask define a family of view
subtrees excluded from the MIB view.!;;
REGISTERED AS {iimcAutoTrans-partyMIB 2 4 1 1 4};
6.4 The Containment Hierarchy
A Naming Tree diagram for IIMC Party MIB managed object
classes is illustrated below. The IIMC Party MIB is
subordinate to the ISO/CCITT system managed object that
represents the Internet agent or proxy.
"Rec. X.721 | ISO/IEC 10165-2 : 1992" : system
|
|
|-- partyTable --- partyEntry
|
|-- contextTable --- contextEntry
|
|-- aclTable --- aclEntry
|
|-- viewTable --- viewEntry
Name Binding templates that define the containment hierarchy
for the IIMC Party MIB managed object classes are listed here
in alphabetical order. The object identifier {iimcAutotrans}
is assigned in [IIMCIMIBTRANS].
Editor's Note: [The OID fragment "iimcAutoTrans-partyMIB" will
be resolved when the iimcAutotrans and partyMIB OID are
allocated.]
aclEntry-aclTableNB NAME BINDING
SUBORDINATE OBJECT CLASS aclEntry
AND SUBCLASSES ;
NAMED BY SUPERIOR OBJECT CLASS aclTable
AND SUBCLASSES;
WITH ATTRIBUTE
{iimcManagementDocMan 1}: internetClassId;
CREATE WITH-AUTOMATIC-INSTANCE-NAMING;
DELETE;
REGISTERED AS { iimcAutoTrans-partyMIB 2 3 1 1};
aclTable-systemNB NAME BINDING
SUBORDINATE OBJECT CLASS aclTable
AND SUBCLASSES ;
NAMED BY SUPERIOR OBJECT CLASS
"Rec. X.721 | ISO/IEC 10165-2 : 1992" :
system
AND SUBCLASSES;
WITH ATTRIBUTE
{iimcManagementDocMan 1}: internetClassId;
CREATE WITH-AUTOMATIC-INSTANCE-NAMING;
DELETE ONLY-IF-NO-CONTAINED-OBJECTS;
REGISTERED AS { iimcAutoTrans-partyMIB 2 3 1};
contextEntry-contextTableNB NAME BINDING
SUBORDINATE OBJECT CLASS contextEntry
AND SUBCLASSES;
NAMED BY SUPERIOR OBJECT CLASS
contextTable
AND SUBCLASSES;
WITH ATTRIBUTE
{iimcManagementDocMan 1}: internetClassId;
CREATE WITH-AUTOMATIC-INSTANCE-NAMING;
DELETE;
REGISTERED AS { iimcAutoTrans-partyMIB 2 2 1 1};
contextTable-systemNB NAME BINDING
SUBORDINATE OBJECT CLASS contextTable
AND SUBCLASSES;
NAMED BY SUPERIOR OBJECT CLASS
"Rec. X.721 | ISO/IEC 10165-2 : 1992" :system
AND SUBCLASSES;
WITH ATTRIBUTE
{iimcManagementDocMan 1}: internetClassId;
CREATE WITH-AUTOMATIC-INSTANCE-NAMING;
DELETE ONLY-IF-NO-CONTAINED-OBJECTS;
REGISTERED AS {iimcAutoTrans-partyMIB 2 2 1};
partyEntry-partyTableNB NAME BINDING
SUBORDINATE OBJECT CLASS partyEntry
AND SUBCLASSES;
NAMED BY SUPERIOR OBJECT CLASS partyTable
AND SUBCLASSES;
WITH ATTRIBUTE
{iimcManagementDocMan 1}: internetClassId;
CREATE WITH-AUTOMATIC-INSTANCE-NAMING;
DELETE;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1 1};
partyTable-systemNB NAME BINDING
SUBORDINATE OBJECT CLASS partyTable
AND SUBCLASSES;
NAMED BY SUPERIOR OBJECT CLASS
"Rec. X.721 | ISO/IEC 10165-2 : 1992" :system
AND SUBCLASSES;
WITH ATTRIBUTE
{iimcManagementDocMan 1}: internetClassId;
CREATE WITH-AUTOMATIC-INSTANCE-NAMING;
DELETE ONLY-IF-NO-CONTAINED-OBJECTS;
REGISTERED AS {iimcAutoTrans-partyMIB 2 1 1};
viewEntry-viewTableNB NAME BINDING
SUBORDINATE OBJECT CLASS viewEntry
AND SUBCLASSES;
NAMED BY SUPERIOR OBJECT CLASS viewTable
AND SUBCLASSES;
WITH ATTRIBUTE
{iimcManagementDocMan 1}: internetClassId;
CREATE WITH-AUTOMATIC-INSTANCE-NAMING;
DELETE;
REGISTERED AS {iimcAutoTrans-partyMIB 2 4 1 1};
viewTable-systemNB NAME BINDING
SUBORDINATE OBJECT CLASS viewTable
AND SUBCLASSES;
NAMED BY SUPERIOR OBJECT CLASS
"Rec. X.721 | ISO/IEC 10165-2 : 1992" :system
AND SUBCLASSES;
WITH ATTRIBUTE
{iimcManagementDocMan 1}: internetClassId;
CREATE WITH-AUTOMATIC-INSTANCE-NAMING;
DELETE ONLY-IF-NO-CONTAINED-OBJECTS;
REGISTERED AS {iimcAutoTrans-partyMIB 2 4 1};
6.5 ASN.1 Definitions
IIMCPartyMIB {iimcManagementModMan 3}
DEFINITIONS IMPLICIT TAGS ::= BEGIN
IMPORTS Integer, OctetString, ObjectIdentifier
FROM IimcCommonDef
iimcAutoTrans, iimcManagementDoc
FROM IimcAssignedOIDs
mib-2, private, internet
FROM RFC1155-SMI;
iimcSEC OBJECT IDENTIFIER ::= {iimcManagementDocMan 3}
partyMIB OBJECT IDENTIFIER ::= { TBD }
Clock ::= INTEGER (0..2147483647)
-- A party's authentication clock - a non-negative integer
-- which is incremented as specified/allowed by the party's
-- Authentication Protocol.
-- For noAuth, a party's authentication clock is unused and
-- its value is undefined.
-- For v2md5AuthProtocol, a party's authentication clock is a
-- relative clock with 1-second granularity.
TAddress ::= OCTET STRING
-- A textual convention denoting a transport service address.
-- For snmpUDPDomain, a TAddress is 6 octets long,
-- the initial 4 octets containing the IP-address in
-- network-byte order and the last 2 containing the
-- UDP port in network-byte order.
Integer64k ::= INTEGER (1..65535)
OctetString16 ::= OCTET STRING (SIZE (0..16))
PartyAuthLifetime ::= INTEGER (0..2147483647)
PartyMaxMessageSize ::= INTEGER (484..65507)
StorageType ::= INTEGER {
other(1), -- eh?
volatile(2), -- e.g., in RAM
nonVolatile(3), -- e.g., in NVRAM
permanent(4) -- e.g., in ROM
}
ViewType ::= INTEGER {
included(1),
excluded(2)
}
AclPrivileges ::= INTEGER (0..31)
-- assigned OIDs
snmpv2 OBJECT IDENTIFIER ::= { TBD }
snmpUDPDomain OBJECT IDENTIFIER ::= {snmpv2 1 1 1}
partyAdmin OBJECT IDENTIFIER ::= { partyMIB 1 }
partyProtocols OBJECT IDENTIFIER ::= { partyAdmin 1 }
noAuth OBJECT IDENTIFIER ::= { partyProtocols 1 }
noPriv OBJECT IDENTIFIER ::= { partyProtocols 2 }
desPrivProtocol OBJECT IDENTIFIER ::= { partyProtocols 3 }
v2md5AuthProtocol OBJECT IDENTIFIER ::= { partyProtocols 4 }
temporalDomains OBJECT IDENTIFIER ::= { partyAdmin 2 }
currentTime OBJECT IDENTIFIER ::= { temporalDomains 1 }
restartTime OBJECT IDENTIFIER ::= { temporalDomains 2 }
cacheTime OBJECT IDENTIFIER ::= { temporalDomains 3 }
initialPartyId OBJECT IDENTIFIER ::= { partyAdmin 3 }
initialContextId OBJECT IDENTIFIER ::= { partyAdmin 4 }
-- Default value constants
c-aclPrivileges INTEGER ::= 35
c-aclStorageType INTEGER ::= 3
c-contextLocal BOOLEAN ::= TRUE
c-contextLocalEntity OCTET STRING ::= ''h
c-contextLocalTime OBJECT IDENTIFIER ::= {currentTime}
c-contextStorageType INTEGER ::= 3
c-familyMask OCTET STRING ::= ''h
c-familyStorageType INTEGER ::= 3
c-partyTDomain OBJECT IDENTIFIER ::= {snmpUDPDomain}
c-partyTAddress OCTET STRING ::= '000000000000'h
c-partyMaxMessageSize INTEGER ::= 484
c-partyLocal BOOLEAN ::= FALSE
c-partyAuthProtocol OBJECT IDENTIFIER ::=
{v2md5AuthProtocol}
c-partyAuthClock INTEGER ::= 0
c-partyAuthPrivate OCTET STRING ::= ''h
c-partyAuthPublic OCTET STRING ::= ''h
c-partyAuthLifetime INTEGER ::= 300
c-partyPrivProtocol OBJECT IDENTIFIER ::= {noPriv}
c-partyPrivPrivate OCTET STRING ::= ''h
c-partyPrivPublic OCTET STRING ::= ''h
c-partyStorageType INTEGER ::= 3
c-viewMask OCTET STRING ::= ''h
c-viewType INTEGER ::= 1
c-viewStorageType INTEGER ::= 3
END
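The 6-octet TAddress layout that the TAddress textual convention above and the partyTAddress attribute of section 6.3 describe for UDP transport, as an added example that is not part of this draft. The helper names and the sample addresses are constructed; the domain names are the two the draft itself uses (snmpUDPDomain in the ASN.1, rfc1351Domain in the attribute text), and the all-zero default is the draft's c-partyTAddress.

```python
# Added example (not part of the draft): packing and unpacking the 6-octet
# TAddress defined for UDP transport. Sample addresses are constructed.
import ipaddress
import struct
from typing import Tuple, Union

UDP_DOMAINS = ("snmpUDPDomain", "rfc1351Domain")  # both names appear in the draft
DEFAULT_TADDRESS = bytes.fromhex("000000000000")  # c-partyTAddress


def encode_udp_taddress(ip: str, port: int) -> bytes:
    """4-octet IPv4 address followed by a 2-octet UDP port, network byte order."""
    if not 0 <= port <= 65535:
        raise ValueError(f"UDP port out of range: {port}")
    return ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)


def decode_taddress(tdomain: str, taddr: bytes) -> Union[Tuple[str, int], bytes]:
    """For the UDP domains return (ip, port). For any other partyTDomain the
    draft defines no layout, so the octets are handed back unchanged."""
    if tdomain not in UDP_DOMAINS:
        return taddr
    if len(taddr) != 6:
        raise ValueError(f"{tdomain} TAddress must be 6 octets, got {len(taddr)}")
    ip = str(ipaddress.IPv4Address(taddr[:4]))
    (port,) = struct.unpack("!H", taddr[4:6])
    return ip, port


def is_reachable_taddress(tdomain: str, taddr: bytes) -> bool:
    """A row still carrying the default all-zero TAddress (0.0.0.0:0) has no
    usable transport address, so the party cannot receive management traffic."""
    if tdomain not in UDP_DOMAINS:
        return len(taddr) > 0
    ip, port = decode_taddress(tdomain, taddr)
    return port != 0 and ip != "0.0.0.0"
```

Rejecting a wrong length instead of silently truncating matters here because partyTAddress is where an agent learns whom it is allowed to talk to; a malformed value should fail the Set rather than configure a party for some unintended address.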
7. MOCS
Editor's Note: [To Be Provided.]
8. Acknowledgments
The following individuals have contributed to this effort.
Bob Aronoff - NIST
Jon Biggar - NetLabs
Mary Brady - NIST
April Chang - NetLabs
Jock Embry - Opening Technologies
Paul Golick - IBM
Pramod Kalyanas - University of Delaware
Lee LaBarre - The MITRE Corporation
David Liu - Northern Telecom, Inc
Owen Newnan - U S West Advanced Technologies
Steve Ng - MPR Teltech
Yasuhiro Ohara - NTT
George Pavlou - UCL
Lisa Phifer - Bellcore
Tom Rutt - AT&T
Mark Smith - Hewlett-Packard
Einar Stefferud - Network Management Associates, Inc.
Dean Voiss - NetLabs
Yoshi Yamashita - NKK Corporation
References
[ISO8824] ISO/IEC IS 8824: Information Technology - Open
System Interconnection - Specification of Abstract Syntax
Notation One (ASN.1), 1990.
[ISO9595] ISO/IEC IS 9595, Information Technology - Open
System Interconnection - Common Management Information
Service Definition, 1991.
[ISO9596-1] ISO/IEC IS 9596-1, Information Technology - Open
Systems Interconnection - Common Management Information
Protocol - Part 1: Specification, 1991.
[ISO10164-9] ISO DIS 10165-9, Information Processing Systems
- Open Systems Interconnection - Structure of Management
Information - Part 9: Objects and Attributes for Access
Control, 1993.
[ISO10165-1] ISO/IEC IS 10165-1: Information Technology -
Open Systems Interconnection - Structure of Management
Information - Part 1: Management Information Model, 1991.
[ISO10165-2] ISO/IEC IS 10165-2: Information Technology -
Open Systems Interconnection - Structure of Management
Information - Part 2: Definition of Management Information,
1992.
[ISO10165-4] ISO/IEC IS 10165-4: Information Technology -
Open Systems Interconnection - Structure of Management
Information - Part 4: Guidelines for the Definition of
Managed Objects, 1991.
[ISO11586-1] ISO/IEC CD 11586-1, Information Technology -
Generic Upper Layers Security - Part 1: Overview, Models and
Notation, November 1992.
[ISO11586-2] ISO/IEC CD 11586-2, Information Technology -
Generic Upper Layers Security - Part 2: Security Exchange
Service Element (SESE) Service Definition, November 1992.
[ISO11586-3] ISO/IEC CD 11586-3, Information Technology -
Generic Upper Layers Security - Part 3: Security Exchange
Service Element (SESE) Protocol Specification, November 1992.
[ISO11586-4] ISO/IEC CD 11586-4, Information Technology -
Generic Upper Layers Security - Part 4: Protecting Transfer
Syntax Specification, November 1992.
[RFC1155] RFC 1155, M. Rose and K. McCloghrie, Structure and
Identification of Management Information for TCP/IP-based
internets, May 1990.
[RFC1157] RFC 1157, J.D. Case, M.S. Fedor, M.L. Schoffstall,
C. Davin, Simple Network Management Protocol (SNMP), May
1990.
[RFC1213] RFC 1213, K. McCloghrie and M. Rose - Editors,
Management Information Base for Network Management of
TCP/IP-based internets: MIB-II, March 1991.
[RFC1214] RFC 1214, L. LaBarre - Editor, OSI Internet
Management: Management Information Base, April 1991.
[SNMPv2COEX] J.D. Case, K. McCloghrie, M.T. Rose,
S.L. Waldbusser, Coexistence between version 1 and version 2
of the Internet Network Management Framework, Internet-Draft,
December 1992.
[SNMPv2PROT] J.D. Case, K. McCloghrie, M.T. Rose,
S.L. Waldbusser, Protocol Operations for version 2 of the
Simple Network Management Protocol (SNMPv2), Internet-Draft,
January 1992.
[SNMPv2SMI] J.D. Case, K. McCloghrie, M.T. Rose,
S.L. Waldbusser, Structure of Management Information for
version 2 of the Simple Network Management Protocol
(SNMPv2), Internet-Draft, December 1992.
[SNMPv2MIB] J.D. Case, K. McCloghrie, M.T. Rose,
S.L. Waldbusser, Management Information Base for version 2 of
the Simple Network Management Protocol (SNMPv2),
Internet-Draft, December 1992.
[SNMPv2TC] J.D. Case, K. McCloghrie, M.T. Rose,
S.L. Waldbusser, Textual Conventions for version 2 of the
Simple Network Management Protocol (SNMPv2), Internet-Draft,
December 1992.
[SNMPv2ADMIN] J.R. Davin, J.M. Galvin, K. McCloghrie,
Administrative Model for version 2 of the Simple Network
Management Protocol (SNMPv2), Internet-Draft, January 1993.
[SNMPv2SEC] J.M. Galvin, K. McCloghrie, J.R. Davin, Security
Protocols for version 2 of the Simple Network Management
Protocol (SNMPv2), Internet-Draft, January 1993.
[SNMPv2TM] J.D. Case, K. McCloghrie, M.T. Rose,
S.L. Waldbusser, Transport Mappings for version 2 of the
Simple Network Management Protocol (SNMPv2), Internet-Draft,
January 1993.
[SNMPv2PARTY] J.D. Case, K. McCloghrie, M.T. Rose,
S.L. Waldbusser, Party MIB for version 2 of the Simple
Network Management Protocol (SNMPv2), Internet-Draft,
January 1993.
[IIMCIMIBTRANS] ISO/CCITT and Internet Management
Coexistence (IIMC): Translation of Internet MIBs to
ISO/CCITT GDMO MIBs, Draft 1, March 26, 1993.
[IIMCMIB-II] ISO/CCITT and Internet Management Coexistence
(IIMC): Translation of Internet MIB-II (RFC1213) to
ISO/CCITT GDMO MIB, Draft 1, March 26, 1993.
[IIMCPROXY] ISO/CCITT and Internet Management Coexistence
(IIMC): ISO/CCITT to Internet Management Proxy, Draft 1,
March 1993 [to be distributed].
[IIMCOMIBTRANS] ISO/CCITT and Internet Management
Coexistence (IIMC): Translation of ISO/CCITT GDMO MIBs to
Internet MIBs, Draft 1, March 26, 1993.
[NMFMC92] NM Forum and X/Open, ISO/CCITT and Internet
Management: Coexistence and Interworking Strategy, October
1992.
[NMFSEC] Network Management Forum: Forum 016, Application
Services: Security of Management, Issue 1.0, August 1992.