[Search] [txt|pdf|bibtex] [Tracker] [WG] [Email] [Nits]

Versions: 00 01 02 03 04 rfc2263                                        
Internet-Draft            SNMPv3 Applications                  July 1997


                          SNMPv3 Applications

                             July 18, 1997

                    <draft-ietf-snmpv3-appl-00.txt>

                             David B. Levi
                          SNMP Research, Inc.
                             levi@snmp.com

                               Paul Meyer
                      Secure Computing Corporation
                     paul_meyer@securecomputing.com

                              Bob Stewart
                             Cisco Systems
                           bstewart@cisco.com





Status of this Memo

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ds.internic.net (US East Coast), nic.nordu.net
   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
   Rim).












Expires January 1998                                      [Page 1]


Internet-Draft            SNMPv3 Applications                  July 1997


1.  Abstract

   This memo describes the various types of SNMP applications which make
   use of an SNMP engine as described in [SNMPV3-ARCH].  There are five
   types of application described herein:

       -  Applications which initiate SNMP Get, GetNext, GetBulk, and/or
          Set requests, called 'command generators'.

       -  Applications which respond to SNMP Get, GetNext, GetBulk,
          and/or Set requests, called 'command responders'.

       -  Applications which generate notifications, called
          'notification originators'.

       -  Applications which receive notifications, called 'notification
          receivers'.

       -  Applications which forward SNMP Get, GetNext, GetBulk, and/or
          Set requests or notifications, called 'proxy forwarders'.

   This memo also defines MIBs for specifying targets of management
   operations, for notification filtering, and for proxy forwarding.




























Expires January 1998                                      [Page 2]


Internet-Draft            SNMPv3 Applications                  July 1997


2.  Overview

   Traditionally there are two types of applications in SNMP, managers
   and agents.  However, it is useful to further divide these types of
   applications in order to define an overall architecture for SNMP.
   This document describes the five types of SNMP applications:


       -  Applications which initiate SNMP Get, GetNext, GetBulk, and/or
          Set requests, called 'command generators'.

       -  Applications which respond to SNMP Get, GetNext, GetBulk,
          and/or Set requests, called 'command responders'.

       -  Applications which generate notifications, called
          'notification originators'.

       -  Applications which receive notifications, called 'notification
          receivers'.

       -  Applications which forward SNMP Get, GetNext, GetBulk, and/or
          Set requests or notifications, called 'proxy forwarder'.

   Note that an agent, in the traditional meaning, can be thought of as
   a combination of a command responder application, a notification
   generator application, and the SNMP engine associated with these
   applications.  Likewise, a manager, in the traditional meaning, can
   be thought of as a combination of a command generator application, a
   notification receiver application, and the SNMP engine associated
   with these applications.  However, there are no restrictions on the
   types of applications that may be associated with a particular SNMP
   engine.  For example, a single SNMP engine may in fact be associated
   with both command generator and command responder applications.


2.1.  Command Generators

   A command generator application initiates SNMP Get, GetNext, GetBulk,
   and/or Set requests, as well as processing the response to a request
   which it generated.


2.2.  Command Responders

   A command responder application receives SNMP Get, GetNext, GetBulk,
   and/or Set requests for which the contextEngineID is equal to that of
   the local engine through which the request was received.  The command





Expires January 1998                                      [Page 3]


Internet-Draft            SNMPv3 Applications                  July 1997


   responder will perform the appropriate protocol operation, using
   access control, and will generate a response message to be sent to
   the request's originator.


2.3.  Notification Originators

   A notification originator conceptually monitors a system for
   particular events or conditions, and generates Trap and/or Inform
   messages based on these events or conditions.  A notification
   originator must have a mechanism for determining where to send
   messages, and what SNMP information to use when sending messages.  A
   mechanism and MIB for this purpose is provided in this document.


2.4.  Notification Receivers

   A notification receiver application listens for notification
   messages, and generates response messages when a message containing
   an Inform PDU is received.


2.5.  Proxy Forwarder

   A proxy forwarder application forwards SNMP messages.  Note that
   implementation of a proxy forwarder application is optional.  The
   sections describing proxy (4.5, 5.3, and 8) may be skipped for
   implementations that do not include a proxy forwarder application.

   The term "proxy" has historically been used very loosely, with
   multiple different meanings.  These different meanings include (among
   others):

(1)  the forwarding of SNMP requests to other SNMP agents without regard
     for what managed object types are being accessed; for example, in
     order to forward an SNMP request from one transport domain to
     another, or to translate SNMP requests of one version into SNMP
     requests of another version;

(2)  the translation of SNMP requests into operations of some non-SNMP
     management protocol; and

(3)  support for aggregated managed objects where the value of one
     managed object instance depends upon the values of multiple other
     (remote) items of management information.

   Each of these scenarios can be advantageous; for example, support for





Expires January 1998                                      [Page 4]


Internet-Draft            SNMPv3 Applications                  July 1997


   aggregation of management information can significantly reduce the
   bandwidth requirements of large-scale management activities.
   However, using a single term to cover multiple different scenarios
   causes confusion.

   To avoid such confusion, this document uses the term "proxy" with a
   much more tightly defined meaning.  The term "proxy" is used in this
   document to refer to a proxy forwarder application which forwards
   either SNMP requests or notifications without regard for what managed
   objects are contained within requests or notifications.  This
   definition is most closely related to the first definition above.
   Note however that in the SNMPv3 architecture, a proxy forwarder is
   actually an application, and need not actually be an SNMP agent.

   Specifically, the distinction between a regular SNMP agent and a
   "proxy forwarder application" is simple:

       -  a proxy forwarder application forwards requests and/or
          notifications on to other SNMP engines according to the
          context, and irrespective of the specific managed object types
          being accessed, and forwards the response to such previously
          forwarded messages back to the SNMP engine from which the
          original message was received;

       -  in contrast, the command responder application that is part of
          an SNMP agent processes SNMP requests according to the (names
          of the) individual managed object types and instances being
          accessed, is NOT a proxy forwarder application from the
          perspective of this document.

   Thus, when a proxy forwarder application forwards a request or
   notification for a particular context, not only is the information on
   how to forward the request specifically associated with that context,
   but the proxy forwarder application has no need of a detailed
   definition of a MIB view (since the proxy forwarder application
   forwards the request irrespective of the managed object types).

   In contrast, an SNMP agent must have the detailed definition of the
   MIB view, and even if it needs to issue requests to other agents,
   that need is dependent on the individual managed object instances
   being accessed (i.e., not only on the context).


3.  Management Targets

   Some types of applications (in particular notification generators and
   proxy forwarders) require a mechanism for determining where and how





Expires January 1998                                      [Page 5]


Internet-Draft            SNMPv3 Applications                  July 1997


   to send generated messages.  This document provides a mechanism and
   MIB for this purpose.  The set of information that describes where
   and how to send a message is called a 'Management Target', and
   consists of two kinds of information:

       -  Destination information, consisting of a transport domain and
          a transport address.  This is also termed a transport
          endpoint.

       -  SNMP information, consisting of message processing model,
          security model, level of security, and security name
          information.

   There can be a many-to-many relationship between these two types of
   information.  That is, there may be multiple transport endpoints
   associated with a particular set of SNMP information, or a particular
   transport endpoint may be associated with several sets of SNMP
   information.

   A management target is defined as the combination of a single set of
   SNMP information and a single transport endpoint.  Management targets
   are grouped according to their SNMP information.  That is, each
   distinct set of SNMP information may be associated with multiple
   transport endpoints.  The set of management targets which are defined
   by a distinct set of SNMP information are considered to be members of
   the same management target group.  For example, the following
   contains two management target groups, each of which contains three
   management targets:

      (version=snmpv3, secmodel=usm, secname=joe, udp=128.1.2.3:162)
      (version=snmpv3, secmodel=usm, secname=joe, udp=128.1.3.5:162)
      (version=snmpv3, secmodel=usm, secname=joe, udp=128.1.4.7:162)
      (version=snmpv3, secmodel=usm, secname=martha, udp=128.1.2.3:162)
      (version=snmpv3, secmodel=usm, secname=martha, udp=128.1.3.5:162)
      (version=snmpv3, secmodel=usm, secname=martha, udp=128.1.4.7:162)

   An application will generally make use of some subset of the entire
   set of management targets which are configured.


4.  Elements Of Procedure

   The following sections describe the procedures followed by each type
   of application when generating messages for transmission or when
   processing received messages.  Applications communicate with the
   Message Processing Subsystem using the abstract service interfaces
   defined in [SNMPV3-ARCH].





Expires January 1998                                      [Page 6]


Internet-Draft            SNMPv3 Applications                  July 1997


4.1.  Command Generators

   A command generator initiates an SNMP request by calling the Message
   Processing Subsystem using the following abstract service interface:

                sendPdu (
                    transportDomain
                    transportAddress
                    messageProcessingModel
                    securityModel
                    securityName
                    LoS
                    contextEngineID
                    contextName
                    PDU
                    expectResponse
                )

   Where:

       -  The transportDomain is that of the destination of the message.

       -  The transportAddress is the destination of the message.

       -  The messageProcessingModel indicates which Message Processing
          Subsystem the application wishes to use.

       -  The securityModel is the security model that the application
          wishes to use.

       -  The securityName is whatever the security model wishes to use.

       -  The LoS is the security level that the application wishes to
          use.

       -  The contextEngineID is provided by the command generator if it
          wishes to explicitly specify the location of the management
          information it is requesting.  The command generator may omit
          this parameter, in which case the Message Processing Subsystem
          should use the engineID of the SNMP engine to which the
          request is to be sent.

       -  The contextName is provided by the command generator if it
          wishes to explicitly specify the location of the management
          information it is requesting.  The command generator may omit
          this parameter, in which case the default context is used.





Expires January 1998                                      [Page 7]


Internet-Draft            SNMPv3 Applications                  July 1997


       -  The PDU is the value constructed in the previous step.

       -  The expectResponse argument indicates that a response is
          expected.

   The Message Processing Subsystem is responsible for delivering the
   response to a particular request to the correct command generator
   application.  The abstract service interface used is:

           processResponsePdu (
               contextEngineID
               contextName
               PDU
               LoS
               statusInformation
           )

   Where:

       -  The contextEngineID is the value from the received response.

       -  The contextName is the value from the received response.

       -  The PDU is the value from the received response.

       -  The LoS is the value from the received response.

       -  The statusInformation indicates success or failure in
          receiving the response.

   The procedure when a command generator receives a response is as
   follows:

(1)  The SNMPv2 operation type is determined from the ASN.1 tag value
     associated with the PDU parameter.  The operation type should
     always be a Response (the Message Processing Subsystem should never
     call a command generator application using the processResponsePdu
     interface for any other type of message).

(2)  The request-id, error-status, error-index, and variable-bindings
     are extracted from the PDU and saved.

(3)  At this point, it is up to the application as to how to continue
     processing the PDU.







Expires January 1998                                      [Page 8]


Internet-Draft            SNMPv3 Applications                  July 1997


4.2.  Command Responders

   Before a command responder application can process messages, it must
   first associate itself with an SNMP engine.  The abstract service
   interface used for this purpose is:

           statusInformation =
           registerContextEngineID (
               contextEngineID
               pduType
           )

   Where:

       -  The statusInformation indications success or failure of the
          registration attempt.

       -  The contextEngineID is equal to the snmpEngineID of the SNMP
          engine with which the command responder is registering.

       -  The pduType indicates a Get, GetNext, GetBulk, or Set pdu.

   Note that if another command responder application is already
   registered with an SNMP engine, any further attempts to register with
   the same contextEngineID and pduType will be ignored.  This implies
   that separate command responder applications could register
   separately for the various pdu types.  However, in practice this is
   undesirable, and only a single command responder application should
   be registered with an SNMP engine at any given time.

   A command responder application can disassociate with an SNMP engine
   using the following abstract service interface:

           unregisterContextEngineID (
               contextEngineID
               pduType
           )

   Where:

       -  The contextEngineID is equal to the snmpEngineID of the SNMP
          engine with which the command responder is cancelling the
          registration.

       -  The pduType indicates a Get, GetNext, GetBulk, or Set pdu.

   Once the command responder has registered with the SNMP engine, it





Expires January 1998                                      [Page 9]


Internet-Draft            SNMPv3 Applications                  July 1997


   waits to receive SNMP messages.  The abstract service interface used
   for receiving messages is:

           processPdu (
               contextEngineID
               contextName
               PDU
               maxSizeResponseScopedPDU
               securityModel
               securityName
               LoS
               stateReference
           )

   Where:

       -  The contextEngineID is the value from the received message.

       -  The contextName is the value from the received message.

       -  The PDU is the value from the received message.

       -  The maxSizeResponseScopedPDU is the value from the received
          message.

       -  The securityModel is the value from the received message.

       -  The securityName is the value from the received message.

       -  The LoS is the value from the received message.

       -  The stateReference is a value assigned by the Message
          Processing Subsystem.  This subsystem caches information about
          each received request message.  The stateReference is a
          reference to this cached information.  This value must be
          returned to the Message Processing Subsystem in order to
          generate a response.

   The procedure when a message is received is as follows.

(1)  The SNMPv2 operation type is determined from the ASN.1 tag value
     associated with the PDU parameter.  The operation type should
     always be a Get, GetNext, GetBulk, or Set (the Message Processing
     Subsystem should never call a command responder application using
     the processPdu interface for any other type of PDU).






Expires January 1998                                     [Page 10]


Internet-Draft            SNMPv3 Applications                  July 1997


(2)  The request-id is extracted from the PDU and saved.

(3)  If the SNMPv2 operation type is GetBulk, the non-repeaters and
     max-repetitions values are extracted from the PDU and saved.

(4)  The variable-bindings are extracted from the PDU and saved.

(5)  The management operation represented by the SNMPv2 operation type
     is performed with respect to the relevant MIB view within the
     context named by the contextName, according to the procedures set
     forth in [RFC1905].  The relevant MIB view is determined by the
     LoS, securityModel, contextName, securityName, and SNMPv2 operation
     type.  To determine whether a particular object instance is within
     the relevant MIB view, the following abstract service interface is
     called:

                  statusInformation =
                  isAccessAllowed (
                      securityModel
                      securityName
                      LoS
                      viewType
                      contextName
                      variableName
                  )

     Where:

       -  The securityModel is the value from the received message.

       -  The securityName is the value from the received message.

       -  The LoS is the value from the received message.

       -  The viewType indicates whether the pdu type is a read or write
          operation.

       -  The contextName is the value from the received message.

       -  The variableName is the object instance of the variable for
          which access rights are to be checked.

     Normally, the result of the management operation will be a new PDU
     value, and processing will continue in the next step.  However,
     there are two conditions under which a new PDU value will not be
     generated:





Expires January 1998                                     [Page 11]


Internet-Draft            SNMPv3 Applications                  July 1997


       -  If at any time during the processing of the management
          operation, the context named by the contextName parameter is
          unavailable, processing of the management operation is halted,
          no result PDU is generated, the snmpUnavailableContexts
          counter is incremented, and control is passed to the next
          step.

       -  The isAccessAllowed abstract service interface is conceptually
          called for each object in the variable-bindings (and possibly
          multiple times for a single variable-bindings in the case of a
          GetNext or GetBulk PDU).  At any point, if the returned
          statusInformation indicates an error, result indicates an
          error, processing of the management operation is halted, no
          result PDU is generated, the snmpUnavailableViews counter is
          incremented, and control is passed to the next step.

(6)  The Message Processing Subsystem is called to generate a response
     or report message.  The abstract service interface is:

                  returnResponsePdu (
                      contextEngineID
                      contextName
                      PDU
                      maxSizeResponseScopedPDU
                      securityModel
                      securityName
                      LoS
                      stateReference
                      statusInformation
                  )

     Where:

       -  The contextEngineID is the value from the processPdu call.

       -  The contextName is the value from the processPdu call.

       -  The PDU is the result generated in the previous step.  If no
          result PDU was generated, the PDU is an undefined value.

       -  The maxSizeResponseScopedPDU is a local value indicating the
          maximum size of a ScopedPDU that the application can accept.

       -  The securityModel is the value from the processPdu call.

       -  The securityName is the value from the processPdu call.





Expires January 1998                                     [Page 12]


Internet-Draft            SNMPv3 Applications                  July 1997


       -  The LoS is the value from the processPdu call.

       -  The stateReference is the value from the processPdu call.

       -  The statusInformation either contains an indication that no
          error occured and that a response should be generated, or
          contains an indication that an error occured along with the
          OID and counter value needed to generate a Report PDU.  In the
          latter case, the OID and counter value are that of the counter
          that was incremented in the previous step
          (snmpUnavailableContexts or snmpUnavailableViews).

   Note that a command responder application should always call the
   returnResponsePdu abstract service interface, even in the event of an
   error such as a resource allocation error.  In the event of such an
   error, the PDU value passed to returnResponsePdu should contain
   appropriate values for errorStatus and errorIndex.


































Expires January 1998                                     [Page 13]


Internet-Draft            SNMPv3 Applications                  July 1997


4.3.  Notification Originators

   A notification originator application generates SNMP notification
   messages.  A notification message can contain either an SNMPv2-Trap
   PDU or an Inform PDU.  However, a particular implementation is not
   required to be capable of generating both types of messages.

   Notification originator applications require a mechanism for
   identifying the management targets to which notifications should be
   sent.  The particular mechanism used is implementation dependent,
   however, if an implementation makes the configuration of management
   targets SNMP manageable, it MUST use the management target MIB
   described in this document.

   When a notification originator wishes to generate a notification, it
   must first determine the contextEngineID and contextName of the
   location where the information to be conveyed in the notification
   exists.  It must then determine the set of management targets to
   which the notification should be sent, and the grouping of these
   management targets.  The application must also determine, for each
   group of management targets, whether the notification message should
   contain an SNMPv2-Trap PDU or Inform PDU, and if it is to contain an
   Inform PDU, the number of retries and retransmission algorithm.

   The mechanism by which a notification originator determines this
   information is implementation dependent.  Once the application has
   determined this information, the following procedure is performed for
   each group of management targets:

(1)  Any appropriate filtering mechanisms are applied to determine
     whether the notification should be sent to the management targets
     in this group.  If such filtering mechanisms determine that the
     notification should not be sent, processing continues with the next
     group of management targets.  Otherwise,

(2)  The appropriate set of variable-bindings is retrieved from local
     MIB instrumentation within the relevant MIB view.  The relevant MIB
     view is determined by the LoS, securityModel, contextName, and
     securityName of the management target.  To determine whether a
     particular object instance is within the relevant MIB view, the
     isAccessAllowed abstract service interface is used, in the same
     manner as described in the preceeding section.  If the
     statusInformation returned by isAccessAllowed does not indicate
     accessAllowed, the notification is not sent to any of the
     management targets within this group.






Expires January 1998                                     [Page 14]


Internet-Draft            SNMPv3 Applications                  July 1997


(3)  A PDU is constructed using a locally unique request-id value, an
     operation type of Trap or Inform, an error-status and error-index
     value of 0, and the variable-bindings found in the previous step.

(4)  If the notification should be contain an SNMPv2-Trap PDU for this
     group, then for each management target in the group, the Message
     Processing Subsystem is called using the following abstract service
     interface:

                  sendPdu (
                      transportDomain
                      transportAddress
                      messageProcessingModel
                      securityModel
                      securityName
                      LoS
                      contextEngineID
                      contextName
                      PDU
                      expectResponse
                  )

     Where:

       -  The transportDomain is that of the management target.

       -  The transportAddress is that of the management target.

       -  The messageProcessingModel is that of the management target.

       -  The securityModel is that of the management target.

       -  The securityName is that of the management target.

       -  The LoS is that of the management target.

       -  The contextEngineID is the value originally determined for the
          notification.

       -  The contextName is the value originally determined for the
          notification.

       -  The PDU is the value constructed in the previous step.

       -  The expectResponse argument indicates that no response is
          expected.





Expires January 1998                                     [Page 15]


Internet-Draft            SNMPv3 Applications                  July 1997


     Otherwise,

(5)  If the notification should contain an Inform PDU for this group,
     then:

      a)  For each management target in the group, the Message
          Processing Subsystem is called using the sendPdu abstract
          service interface as described in the previous step, except
          that the expectResponse arguments indicates that a response is
          expected.

      b)   The application caches information about the management
          target group.

      c)  If a response is received within an appropriate time interval
          from any one transport endpoint within the group, the
          notification is considered acknowledged for this group, the
          cached information is deleted, and any further responses to
          this Inform are ignored.  Otherwise,

      d)  If a response is not received within an appropriate time
          period, information about the management target group is
          retrieved from the cache, and steps a) through d) are
          repeated.  The number of times these steps are repeated is as
          previously determined.  If this retry count is exceeded, the
          acknowledgement of the notification is considered to have
          failed, and processing of the notification for this group of
          management targets is halted.

   Responses to Inform PDU notifications will be received via the
   processResponsePDU abstract service interface.




















Expires January 1998                                     [Page 16]


Internet-Draft            SNMPv3 Applications                  July 1997


4.4.  Notification Receivers

   Notification receiver applications receive SNMP Notification messages
   from the Message Processing Subsystem.  Before any messages can be
   received, the notification receiver must register with the Message
   Processing Subsystem using the registerContextEngineID abstract
   service interface.  The parameters used are:

       -  The contextEngineID is an undefined 'wildcard' value.
          Notifications are delivered to a registered notification
          receiver regardless of the contextEngineID contains in the
          notification message.

       -  The pduType indicates either SNMPv2-Trap PDUs or Inform PDUs,
          or both.

   Once the notification receiver has registered with the Message
   Processing Subsystem, messages are received using the processPdu
   abstract service interface.  Parameters are:

       -  The contextEngineID is the value from the received message.

       -  The contextName is the value from the received message.

       -  The PDU is the value from the received message.

       -  The maxSizeResponseScopedPDU is the value from the received
          message.

       -  The securityModel is the value from the received message.

       -  The securityName is the value from the received message.

       -  The LoS is the value from the received message.

       -  If the message contains an SNMPv2-Trap PDU, the stateReference
          is undefined and unused.  Otherwise, the stateReference is a
          value assigned by the Message Processing Subsystem which
          references cached information about the notification.  This
          value must be returned to the Message Processing Subsystem in
          order to generate a response.

   When an SNMPv2-Trap PDU is delivered to a notification receiver
   application, it first extracts the SNMP operation type, request-id,
   error-status, error-index, and variable-bindings from the PDU.  After
   this, processing depends on the particular implementation.





Expires January 1998                                     [Page 17]


Internet-Draft            SNMPv3 Applications                  July 1997


   When an Inform PDU is received, the notification receiver application
   follows the following procedure:

(1)  The SNMPv2 operation type, request-id, error-status, error-index,
     and variable-bindings are extracted from the PDU.

(2)  A Response PDU is constructed using the extracted request-id and
     variable-bindings, and with error-status and error-index both set
     to 0.

(3)  The Message Processing Subsystem is called to generate a response
     message using the returnResponsePdu abstract service interface.
     Parameters are:

       -  The contextEngineID is the value from the processPdu call.

       -  The contextName is the value from the processPdu call.

       -  The PDU is the result generated in the previous step.

       -  The maxSizeResponseScopedPDU is a local value indicating the
          maximum size of a ScopedPDU that the application can accept.

       -  The securityModel is the value from the processPdu call.

       -  The securityName is the value from the processPdu call.

       -  The LoS is the value from the processPdu call.

       -  The stateReference is the value from the processPdu call.

       -  The statusInformation indicates that no error occured and that
          a response should be generated.

   Note that there may be multiple notification receiver applications
   associated with a particular SNMP engine.  Despite this, only a
   single response should be generated when an Inform PDU is received.
   The mechanism to ensure this is implementation specific.  One
   strategy to accomplish this is to simply let the Message Processing
   Subsystem delete the stateReference when the first response is
   generated.  Subsequent attempts to send the response will fail
   because the stateReference no longer exists within the Message
   Processing Subsystem.








Expires January 1998                                     [Page 18]


Internet-Draft            SNMPv3 Applications                  July 1997


4.5.  Proxy Forwarders

   A proxy forwarder application deals with forwarding messages which
   contain Get, GetNext, GetBulk, Set, SNMPv2-Trap, and Inform PDUs.  Of
   these PDU types, the first four (Get, GetNext, GetBulk, Set) deal
   with requesting or modifying information located within a particular
   context, and the last two (Trap, Inform) deal with notifications
   concerning information located within a particular context.  A proxy
   forwarder application treats these two situations slightly different.

   In the first situation, the proxy forwarder's role is ultimately to
   deliver a request for management information to the SNMP engine which
   has access to that information, and to deliver the response
   containing the information back to the SNMP engine which initiated
   the request.  The context information in a request is used to
   determine which SNMP engine has access to the requested information,
   and this is used to determine where and how to forward the request.

   In the second situation, the proxy forwarder's role is to determine
   which SNMP engines should receive notification about management
   information from a particular location.  The context information in a
   notification message determines the location to which the information
   contained in the notification applies.  This is used to determine
   which SNMP engines should receive notification about this
   information.

   When forwarding messages, a proxy forwarder application must perform
   a translation of incoming management target information into outgoing
   management target information.  How this translation is performed is
   implementation specific.  In many cases, this will be driven by a
   preconfigured translation table.  If a proxy forwarder application
   makes the contents of this table SNMP manageable, it MUST use the MIB
   defined in this document.


4.5.1.  Request Forwarding

   There are two phases for request forwarding, processing an incoming
   request, and processing and incoming response.  These are described
   in the following two sections.


4.5.1.1.  Processing an Incoming Request

   A proxy forwarder application that wishes to forward request messages
   must first register with the Message Processing Subsystem using the
   registerContextEngineID abstract service interface.  The proxy





Expires January 1998                                     [Page 19]


Internet-Draft            SNMPv3 Applications                  July 1997


   forwarder must register each contextEngineID for which it wishes to
   forward messages, as well as for each pduType.  Note that as the
   configuration of a proxy forwarder is changed, the particular
   contextEngineID values for which it is forwarding may change.  The
   proxy forwarder should call the registerContextEngineID and
   unregisterContextEngineID abstract service interfaces as needed to
   reflect its current configuration.

   A proxy forwarder application should never attempt to register a
   value of contextEngineID which is equal to the snmpEngineID of the
   SNMP engine to which the proxy forwarder is associated.

   Once the proxy forwarder has registered for the appropriate
   contextEngineId values, it can start processing messages.  The
   following procedure is used:

(1)  A message is received using the processPdu abstract service
     interface.  The incoming management target information received
     from the processPdu interface is translated into outgoing
     management target information.  Note that this translation may vary
     for different values of contextEngineID and/or contextName.  The
     translation should result in a single management target.

(2)  If appropriate outgoing management target information cannot be
     found, the proxy forwarder increments the snmpProxyDrops counter
     [RFC1907], and then calls the Message Processing Subsystem using
     the returnResponsePdu abstract service interface.  Parameters are:

       -  The contextEngineID is the value from the processPdu call.

       -  The contextName is the value from the processPdu call.

       -  The PDU is an undefined value.

       -  The maxSizeResponseScopedPDU is a local value indicating the
          maximum size of a ScopedPDU that the application can accept.

       -  The securityModel is the value from the processPdu call.

       -  The securityName is the value from the processPdu call.

       -  The LoS is the value from the processPdu call.

       -  The stateReference is the value from the processPdu call.

       -  The statusInformation indicates that an error occured and that
          an snmpProxyDrops Report message should be generated.





Expires January 1998                                     [Page 20]


Internet-Draft            SNMPv3 Applications                  July 1997


     Processing of the message stops at this point.  Otherwise,

(3)  A new PDU is constructed.  A unique value of request-id should be
     used in the new PDU (this value will enable a subsequent response
     message to be correlated with this request).  The remainder of the
     new PDU is identical to the received PDU, unless the incoming SNMP
     version is SNMPv1 and the outgoing SNMP version is SNMPv2 or
     SNMPv3, or vice-versa, in which case the proxy forwarder must apply
     the translation rules as documented in [RFC1908].

(4)  The proxy forwarder calls the Message Processing Subsystem to
     generate the forwarded message, using the sendPdu abstract service
     interface.  The parameters are:

       -  The transportDomain is that of the outgoing management target.

       -  The transportAddress is that of the outgoing management
          target.

       -  The messageProcessingModel is that of the outgoing management
          target.

       -  The securityModel is that of the outgoing management target.

       -  The securityName is that of the outgoing management target.

       -  The LoS is that of the outgoing management target.

       -  The contextEngineID is the value originally received.

       -  The contextName is the value originally received.

       -  The PDU is the value constructed in the previous step.

       -  The expectResponse argument indicates that a response is
          expected.  If the sendPdu call is unsuccessful, the proxy
          forwarder performs the steps described in (2) above.
          Otherwise:

(5)  The proxy forwarder caches the contextEngineId, contextName,
     stateReference, incoming management target information, outgoing
     management information, and any other information needed to match
     an incoming response to the forwarded request.  If this information
     cannot be cached (possibly due to a lack of resources), the proxy
     forwarder performs the steps described in (2) above.  Otherwise:






Expires January 1998                                     [Page 21]


Internet-Draft            SNMPv3 Applications                  July 1997


(6)  Processing of the request stops until a response to the forwarded
     request is received, or until an appropriate time interval has
     expired.  If this time interval expires before a response has been
     received, the cached information about this request is removed, and
     the proxy forwarder performs the steps described in (2) above using
     the cached information.


4.5.1.2.  Processing an Incoming Response

   A proxy forwarder follows the following procedure when an incoming
   response is received:

(1)  The incoming response is received using the processPdu interface.
     The proxy forwarder uses the received parameters to locate an entry
     in its cache of pending forwarded requests.  This is done by
     matching the received parameters with the cached values of
     contextEngineID, contextName, outgoing management target
     information, and the request-id contained in the received PDU (the
     proxy forwarder must extract the request-id for this purpose).  If
     an appropriate cache entry cannot be found, processing of the
     response is halted.  Otherwise:

(2)  The cache information is extracted, and removed from the cache.

(3)  If the incoming SNMP version is SNMPv1 and the outgoing SNMP
     version is SNMPv2 or SNMPv3, or vice-versa, the proxy forwarder
     must apply the translation rules documented in [RFC1908].

(4)  The proxy forwarder calls the Message Processing Subsystem using
     the returnResponsePdu abstract service interface.  Parameters are:

       -  The contextEngineID is the value extracted from the cache.

       -  The contextName is the value extracted from the cache.

       -  The PDU is the (possibly translated) Response PDU.

       -  The maxSizeResponseScopedPDU is a local value indicating the
          maximum size of a ScopedPDU that the application can accept.

       -  The securityModel is that of the original incoming management
          target extracted from the cache.

       -  The securityName is that of the original incoming management
          target extracted from the cache.





Expires January 1998                                     [Page 22]


Internet-Draft            SNMPv3 Applications                  July 1997


       -  The LoS is that of the original incoming management target
          extracted from the cache.

       -  The stateReference is the value extracted from the cache.

       -  The statusInformation indicates that no error occured and that
          a Response message should be generated.


4.5.2.  Notification Forwarding

   A proxy forwarder receives notifications in the same manner as a
   notification receiver application, using the processPdu abstract
   service interface.  The following procedure is used when a
   notification is received:

(1)  The incoming management target information received from the
     processPdu interface is translated into outgoing management target
     information.  Note that this translation may vary for different
     values of contextEngineId and/or contextName.  The translation may
     result in one or more management target groups, each of which may
     contain multiple management targets.

(2)  If appropriate outgoing management target information cannot be
     found and the notification was a Trap, processing of the
     notification is halted.  If appropriate outgoing management target
     information cannot be found and the notification was an Inform, the
     proxy forwarder increments the snmpProxyDrops object, and calls the
     Message Processing Subsystem using the returnResponsePdu abstract
     service interface.  The parameters are:

       -  The contextEngineID is the received value.

       -  The contextName is the received value.

       -  The PDU is an undefined and unused value.

       -  The maxSizeResponseScopedPDU is a local value indicating the
          maximum size of a ScopedPDU that the application can accept.

       -  The securityModel is the received value.

       -  The securityName is the received value.

       -  The LoS is the received value.






Expires January 1998                                     [Page 23]


Internet-Draft            SNMPv3 Applications                  July 1997


       -  The stateReference is the received value.

       -  The statusInformation indicates that an error occured and that
          a Report message should be generated.

     Processing of the message stops at this point.  Otherwise,

(3)  The proxy forwarder generates a notification using the procedures
     described in the preceeding section on Notification Originators,
     with the following exceptions:

       -  The contextEngineID and contextName values from the original
          received notification are used.

       -  The outgoing management targets previously determined are
          used.

       -  No filtering mechanisms are applied.

       -  The variable-bindings from the original received notification
          are used, rather than retrieving variable-bindings from local
          MIB instrumentation.  In particular, no access-control is
          applied to these variable-bindings.

       -  If for any of the outgoing management targets, the incoming
          SNMP version is SNMPv1 and the outgoing SNMP version is SNMPv2
          or SNMPv3, the proxy forwarder must apply the translation
          rules as documented in [RFC1908].

       -  If for any of the outgoing management targets, the incoming
          SNMP version is SNMPv2 or SNMPv3, and the outgoing SNMP
          version is SNMPv1, this outgoing management target is not used
          when generating the forwarded notifications.

(4)  If the original received notification contains an SNMPv2-Trap PDU,
     processing of the notification is now completed.  Otherwise, the
     original received notification must contain an Inform PDU, and
     processing continues.

(5)  If the forwarded notifications included any Inform PDUs, processing
     continues when the procedures described in the section for
     Notification Originators determine that either:

       -  None of the generated notifications containing Inform PDUs
          have been successfully acknowledged within the longest of the
          time intervals, in which case processing of the original
          notification is halted and an snmpProxyDrops Report PDU is





Expires January 1998                                     [Page 24]


Internet-Draft            SNMPv3 Applications                  July 1997


          generated, or,

       -  At least one of the generated notifications containing Inform
          PDUs is successfully acknowledged, in which case a response to
          the original received notification containing an Inform PDU is
          generated as described in the following steps.

(6)  A Response pdu is constructed, using the values of request-id and
     variable-bindings from the original received Inform PDU, and
     error-status and error-index values of 0.

(7)  The Message Processing Subsystem is called using the
     returnResponsePdu abstract service interface.  Parameters are:

       -  The contextEngineID is the originally received value.

       -  The contextName is the originally received value.

       -  The PDU is the value constructed in the previous step.

       -  The maxSizeResponseScopedPDU is a local value indicating the
          maximum size of a ScopedPDU that the application can accept.

       -  The securityModel is the originally received value.

       -  The securityName is the originally received value.

       -  The LoS is the originally received value.

       -  The stateReference is the originally received value.

       -  The statusInformation indicates that no error occured and that
          a Response message should be generated.


















Expires January 1998                                     [Page 25]


Internet-Draft            SNMPv3 Applications                  July 1997


5.  The Structure of the MIBs

   There are three separate MIBs described in this document, the
   management target MIB, the notification MIB, and the proxy MIB.  The
   following sections describe the structure of these three MIBs.


5.1.  The Management Target MIB

   This MIB contains objects for defining management targets.  It
   consists of one scalar, two tables, and conformance/compliance
   statements.

   The scalar, snmpTargetAddressSpinLock, is used by managers when
   creating new rows in the snmpTargetAddrTable.

   The first table, the snmpTargetAddrTable, contains information about
   transport domains/addresses.  The table is indexed by an
   SnmpAdminString type object and an integer type object.  This allows
   domains/addresses to be organized into groups.

   The second table, the snmpTargetTable, contains information about
   SNMP version and security information to be used when sending
   messages to a particular group of transport domains/addresses.


5.1.1.  Definitions

   SNMPV3-TARGET-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY,
       OBJECT-TYPE,
       OBJECT-IDENTITY,
       Integer32
           FROM SNMPv2-SMI

       TDomain,
       TAddress,
       TruthValue,
       TimeInterval,
       RowStatus,
       StorageType
           FROM SNMPv2-TC

       SnmpSecurityModel,
       SnmpLoS,





Expires January 1998                                     [Page 26]


Internet-Draft            SNMPv3 Applications                  July 1997


       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB

       MODULE-COMPLIANCE,
       OBJECT-GROUP
           FROM SNMPv2-CONF;

   snmpTargetMIB MODULE-IDENTITY
       LAST-UPDATED "9707140000Z"
       ORGANIZATION "IETF SNMPv3 Working Group"
       CONTACT-INFO
           "David B. Levi
            SNMP Research, Inc.
            3001 Kimberlin Heights Road
            Knoxville, TN 37920-9716
            Tel: +1 423 573 1434
            E-mail: levi@snmp.com

            Paul Meyer
            Secure Computing Corporation
            2675 Long Lake Road
            Roseville, MN 55113
            Tel: +1 612 628 1592
            E-mail: paul_meyer@securecomputing.com

            Bob Stewart
            Cisco Systems
            ????
            ????
            Tel: +1 603 654 6923
            E-mail: bstewart@cisco.com"
       DESCRIPTION
           "This MIB module defines a MIB which provides mechanisms to
            remotely configure the parameters used by an SNMPv3 entity
            for the generation of notifications."
       REVISION        "9707140000Z"
       DESCRIPTION
           "The initial revision."
       ::= { snmpModules 11 }        -- TBD

   snmpTargetObjects       OBJECT IDENTIFIER ::= { snmpTargetMIB 1 }
   snmpTargetConformance   OBJECT IDENTIFIER ::= { snmpTargetMIB 2 }

   -- ------------------------------------------------------------------
   --
   -- The snmpTargetObjects group
   --





Expires January 1998                                     [Page 27]


Internet-Draft            SNMPv3 Applications                  July 1997


   -- ------------------------------------------------------------------

   snmpTargetAddressSpinLock OBJECT-TYPE
       SYNTAX      TestAndIncr
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object is used to facilitate creation of rows in the
            snmpTargetAddrTable.  There are two situations where an
            SNMP entity may wish to create a new row, when a new group
            of addresses must be created, and when an address must be
            added to an existing group.

            When an SNMP entity wishes to create a new group of
            addresses, it should follow the following procedure:
                a) Retrieve the value of this object.
                b) Retrieve all existing index values of
                   snmpTargetAddrName (this can be accomplished
                   by retrieving all instances of any columnar
                   object in the snmpTargetAddrTable).
                c) Retrieve the value of this object.  If the value is
                   not equal to the last retrieved value, go back to
                   step b).
                d) Select a new unique index value for
                   snmpTargetAddrName, and an arbitrary value for
                   snmpTargetAddrSubIndex.  Attempt a set request
                   containing these varbinds:
                       - The last retrieved value of this object.
                       - An instance of the snmpTargetAddrRowStatus
                         object whose indices are equal to the selected
                         index values of snmpTargetAddrName and
                         snmpTargetAddrSubIndex.
                       - Additional varbinds for initializing other
                         columnar objects in the row.
                   If this set fails, the SNMP entity may return to
                   step a) and try again.

            When an SNMP entity wishes to create a new address within
            an existing group of addresses, it should follow the
            following procedure:
                a) Retrieve all existing values of
                   snmpTargetAddrSubIndex corresponding to the desired
                   index value of snmpTargetAddrName.  (this can be
                   accomplished by retrieving all instances of any
                   columnar object in the snmpTargetAddrTable whose
                   index begins with the desired index value of
                   snmpTargetAddrName).





Expires January 1998                                     [Page 28]


Internet-Draft            SNMPv3 Applications                  July 1997


                b) Select a new value for snmpTargetAddrSubIndex.
                   Attempt a set request containing these varbinds:
                       - An instance of the snmpTargetAddrRowStatus
                         object whose indices are equal to the desired
                         index value of snmpTargetAddrName and the
                         selected index value of snmpTargetAddrSubIndex.
                       - Additional varbinds for initializing other
                         columnar objects in the row.
                   If this set fails, the SNMP entity may return to
                   step a) and try again."
       ::= { snmpTargetObjects 1 }

   snmpTargetAddrTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SnmpV3TargetAddrEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpTargetObjects 2 }

   snmpTargetAddrEntry OBJECT-TYPE
       SYNTAX      SnmpV3TargetAddrEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           ""
       INDEX { snmpTargetAddrName, snmpTargetAddrSubIndex }
       ::= { snmpTargetAddrTable 1 }

   SnmpV3TargetAddrEntry ::= SEQUENCE {
       snmpTargetAddrSubIndex            Integer32,
       snmpTargetAddrTDomain             TDomain,
       snmpTargetAddrTAddress            TAddress,
       snmpTargetAddrTimeout             TimeInterval,
       snmpTargetAddrStorageType         StorageType,
       snmpTargetAddrRowStatus           RowStatus
   }

   snmpTargetAddrSubIndex OBJECT-TYPE
       SYNTAX      Integer32  (1..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The locally arbitrary, but unique identifier associated
            an snmpTargetAddrEntry within a group of entries in the
            snmpTargetAddrTable."
       ::= { snmpTargetAddrEntry 1 }





Expires January 1998                                     [Page 29]


Internet-Draft            SNMPv3 Applications                  July 1997


   snmpTargetAddrTDomain OBJECT-TYPE
       SYNTAX      TDomain
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object indicates the transport type of the address
            contained in the snmpTargetAddrTAddress object."
       ::= { snmpTargetAddrEntry 2 }

   snmpTargetAddrTAddress OBJECT-TYPE
       SYNTAX      TAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object contains a transport address.  The format of
            this address depends on the value of the
            snmpTargetAddrTDomain object."
       ::= { snmpTargetAddrEntry 3 }

   snmpTargetAddrTimeout OBJECT-TYPE
       SYNTAX      TimeInterval
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object should reflect the expected round trip time
            for communicating with the transport address defined by
            this row.  When a message is sent to this address, and
            a response (if one is expected) is not received within
            this time period, an implementation may assume that the
            response will not be delivered.

            Note that the time interval that an application waits
            for a response may actually be derived from the value
            of this object.  The method for deriving the actual time
            interval is implementation dependent.  One such method
            is to derive the expected round trip time based on a
            particular retransmission algorithm and on the number
            of timeouts which have occured.  The type of message may
            also be considered when deriving expected round trip
            times for retransmissions.  For example, if a message is
            being sent with an LoS that indicates both
            authentication and privacy, the derived value may be
            increased to compensate for extra processing time spent
            during authentication and encryption processing."
       DEFVAL { 1500 }
       ::= { snmpTargetAddrEntry 4 }





Expires January 1998                                     [Page 30]


Internet-Draft            SNMPv3 Applications                  July 1997


   snmpTargetAddrStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpTargetAddrEntry 5 }

   snmpTargetAddrRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpTargetAddrEntry 6 }

   snmpTargetTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SnmpV3TargetEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpTargetObjects 3 }

   snmpTargetEntry OBJECT-TYPE
       SYNTAX      SnmpV3TargetEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           ""
       INDEX { snmpTargetName }
       ::= { snmpTargetTable 1 }

   SnmpV3TargetEntry ::= SEQUENCE {
       snmpTargetName                   SnmpAdminString,
       snmpTargetAddrName               SnmpAdminString,
       snmpTargetMessageProcessingModel INTEGER,
       snmpTargetSecurityModel          SnmpSecurityModel,
       snmpTargetSecurityName           SnmpAdminString,
       snmpTargetLoS                    SnmpLoS,
       snmpTargetRetryCount             Integer32,
       snmpTargetStorageType            StorageType,
       snmpTargetRowStatus              RowStatus
   }

   snmpTargetName OBJECT-TYPE
       SYNTAX      SnmpAdminString





Expires January 1998                                     [Page 31]


Internet-Draft            SNMPv3 Applications                  July 1997


       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The locally arbitrary, but unique identifier associated
            with this snmpTargetEntry."
       ::= { snmpTargetEntry 1 }

   snmpTargetAddrName OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The group of addresses to which management operations will
            be sent when using this set of security parameters."
       ::= { snmpTargetEntry 2 }

   snmpTargetMessageProcessingModel OBJECT-TYPE
       SYNTAX      INTEGER (SIZE(0..64))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpTargetEntry 3 }

   snmpTargetSecurityModel OBJECT-TYPE
       SYNTAX      SnmpSecurityModel
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpTargetEntry 4 }

   snmpTargetSecurityName OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpTargetEntry 5 }

   snmpTargetLoS OBJECT-TYPE
       SYNTAX      SnmpLoS
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpTargetEntry 6 }





Expires January 1998                                     [Page 32]


Internet-Draft            SNMPv3 Applications                  July 1997


   snmpTargetRetryCount OBJECT-TYPE
       SYNTAX      Integer32 (0..2147483647)
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies a default number of retries to be
            attempted when a response is not received for a generated
            message.  The number of retries is an indication of how
            important delivery of a particular message is considered.
            An application may provide its own retry count, in which
            case the value of this object is ignored."
       ::= { snmpTargetEntry 7 }

   snmpTargetStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpTargetEntry 8 }

   snmpTargetRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpTargetEntry 9 }

   snmpTargetDefaultRetryAlgorithm OBJECT-TYPE
       SYNTAX      INTEGER {
                       constant(1),
                       linearBackOff(2),
                       exponentialBackOff(3),
                       randomBackOff(4)
                   }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object specifies a default algorithm to be used
            when adjusting timeout times when retransmitting a
            request whose response was not received in a timely
            manner.  An application may provide its own
            retransmission algorithm, in which case the value of
            this object is ignored.

   Can we really predict all the algorithms that people might want to use?





Expires January 1998                                     [Page 33]


Internet-Draft            SNMPv3 Applications                  July 1997


   There are alternatives to making this be an enumerated integer.

   One alternative is to make it be a set of 6 parameters for a quadratic
   equation which would be used to recalculate retry intervals, i.e.,:
     interval(n) = ((A1 / A2) * interval(n-1) * interval(n-1)) +
                   ((B1 / B2) * interval(n-1)) +
                   (C1 / C2)
   The advantage to this is that a manager can define a wide range of
   algorithms, and the agent does not need to support a specific set
   of algorithms.

   Another alternative is to identify retransmission algorithms by OID rather
   than by integer.  The advantage to using OIDs is that we can define
   additional algorithms later.  If we do this, we can either make this object
   be an OID, or we can have a table that maps the OIDs to integers, and have
   the value of this object point at one of the entries in the mapping table.
   The advantage to a mapping table is that it allows a manager to discover
   what algorithms an agent supports.
           "
       ::= { snmpTargetObjects 4 }

   -- ------------------------------------------------------------------
   --
   -- Conformance information
   --
   -- ------------------------------------------------------------------

   snmpTargetCompliances OBJECT IDENTIFIER ::=
                                           { snmpTargetConformance 1 }
   snmpTargetGroups      OBJECT IDENTIFIER ::=
                                           { snmpTargetConformance 2 }

   -- ------------------------------------------------------------------
   --
   -- Compliance statements
   --
   -- ------------------------------------------------------------------

   snmpTargetBasicCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities which require
            remote configuration of management targets."
       MODULE      -- this module
       MANDATORY-GROUPS { snmpTargetBasicGroup }
       ::= { snmpTargetCompliances 1 }





Expires January 1998                                     [Page 34]


Internet-Draft            SNMPv3 Applications                  July 1997


   snmpTargetFullCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities which require
            remote configuration of management targets."
       MODULE      -- this module
       MANDATORY-GROUPS { snmpTargetBasicGroup }
       ::= { snmpTargetCompliances 2 }

   snmpTargetReadCreateCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities which require
            remote configuration of management targets."
       MODULE      -- this module
       MANDATORY-GROUPS { snmpTargetBasicGroup }
       ::= { snmpTargetCompliances 3 }

   snmpTargetBasicGroup OBJECT-GROUP
       OBJECTS {
           snmpTargetAddressSpinLock,
           snmpTargetAddrTDomain,
           snmpTargetAddrTAddress,
           snmpTargetAddrStorageType,
           snmpTargetAddrRowStatus,
           snmpTargetAddrName,
           snmpTargetMessageProcessingModel,
           snmpTargetSecurityModel,
           snmpTargetSecurityName,
           snmpTargetLoS,
           snmpTargetStorageType,
           snmpTargetRowStatus
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing basic remote
            configuration of management targets."
       ::= { snmpTargetGroups 1 }

   snmpTargetResponseGroup OBJECT-GROUP
       OBJECTS {
           snmpTargetAddrTimeout,
           snmpTargetRetryCount,
           snmpTargetDefaultRetryAlgorithm
       }
       STATUS      current
       DESCRIPTION





Expires January 1998                                     [Page 35]


Internet-Draft            SNMPv3 Applications                  July 1997


           "A collection of objects providing remote configuration
            of management targets for applications which generate
            Get, GetNext, GetBulk, Set, or Inform requests."
       ::= { snmpTargetGroups 2 }

   END













































Expires January 1998                                     [Page 36]


Internet-Draft            SNMPv3 Applications                  July 1997


5.2.  The Notification MIB

   This MIB contains three tables.  The first table, the
   snmpNotifyTargetTable, simply augments the snmpTargetTable with a
   single object which is used to determine whether a particular
   management target should be used for generating notifications, and
   the type of notification to be generated.  The second table sparsely
   augments the snmpNotifyTargetTable with a single object.  This object
   is used to associate a set of filters with a particular management
   target.  The third table defines filters which are used to limit the
   number of notifications which are generated using particular
   management targets.


5.2.1.  Definitions

   SNMPV3-NOTIFICATION-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY,
       OBJECT-TYPE,
       OBJECT-IDENTITY,
       Integer32
           FROM SNMPv2-SMI

       TDomain,
       TAddress,
       TruthValue,
       TimeInterval,
       RowStatus,
       StorageType
           FROM SNMPv2-TC

       SnmpSecurityModel,
       SnmpLoS,
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB

       snmpTargetEntry,
       snmpTargetName
           FROM SNMPV3-TARGET-MIB

       MODULE-COMPLIANCE,
       OBJECT-GROUP
           FROM SNMPv2-CONF;

   snmpNotificationMIB MODULE-IDENTITY





Expires January 1998                                     [Page 37]


Internet-Draft            SNMPv3 Applications                  July 1997


       LAST-UPDATED "9707140000Z"
       ORGANIZATION "IETF SNMPv3 Working Group"
       CONTACT-INFO
           "David B. Levi
            SNMP Research, Inc.
            3001 Kimberlin Heights Road
            Knoxville, TN 37920-9716
            Tel: +1 423 573 1434
            E-mail: levi@snmp.com

            Paul Meyer
            Secure Computing Corporation
            2675 Long Lake Road
            Roseville, MN 55113
            Tel: +1 612 628 1592
            E-mail: paul_meyer@securecomputing.com

            Bob Stewart
            Cisco Systems
            ????
            ????
            Tel: +1 603 654 6923
            E-mail: bstewart@cisco.com"
       DESCRIPTION
           "This MIB module defines a MIB which provides mechanisms
            to remotely configure management targets used by an
            SNMPv3 entity."
       REVISION    "9707140000Z"
       DESCRIPTION
           "The initial revision."
       ::= { snmpModules 12 }      -- TBD

   snmpNotifyObjects       OBJECT IDENTIFIER ::=
                                             { snmpNotificationMIB 1 }
   snmpNotifyConformance   OBJECT IDENTIFIER ::=
                                             { snmpNotificationMIB 2 }

   -- ------------------------------------------------------------------
   --
   -- The snmpNotifyObjects group
   --
   -- ------------------------------------------------------------------

   snmpNotifyTargetTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SnmpV3NotifyTargetEntry
       MAX-ACCESS  not-accessible
       STATUS      current





Expires January 1998                                     [Page 38]


Internet-Draft            SNMPv3 Applications                  July 1997


       DESCRIPTION
           "This table is used to select management targets which should
            receive notifications, as well as the type of notification
            which should be sent to each selected management target."
       ::= { snmpNotifyObjects 1 }

   snmpNotifyTargetEntry OBJECT-TYPE
       SYNTAX      SnmpV3NotifyTargetEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           ""
       AUGMENTS { snmpTargetEntry }
       ::= { snmpNotifyTargetTable 1 }

   SnmpV3NotifyTargetEntry ::= SEQUENCE {
       snmpNotifyTargetType     INTEGER
   }

   snmpNotifyTargetType OBJECT-TYPE
       SYNTAX      INTEGER {
                       trap(1),
                       inform(2),
                       nothing(3)
                   }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object determines whether a particular entry in
            the snmpTargetTable should be used for generating
            notifications, and the type of notification to be
            generated.  If the value of this object is trap(1),
            then the entry will be used to generate messages
            containing SNMPv2-Trap PDUs.  If the value is
            inform(2), then the entry will be used to generate
            messages containing Inform PDUs.  If the value is
            nothing(3), then the entry is not used to generate
            notifications.

            Note that the default value for this object is
            nothing(3).  This ensures that if an entry is created
            for a purpose other than notification generation,
            whoever creates the row need not do anything special
            to prevent the use of the entry when generating
            notifications.

            Also note that if an SNMP entity only supports





Expires January 1998                                     [Page 39]


Internet-Draft            SNMPv3 Applications                  July 1997


            generation of traps (and not informs), then this
            object need not be supported, and its value is
            assumed to be trap(1)."
       DEFVAL { nothing }
       ::= { snmpNotifyTargetEntry 1 }

   snmpNotifyFilterProfileTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SnmpV3NotifyFilterProfileEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table is used to select management targets which
            should receive notifications, as well as the type of
            notification which should be sent to each selected
            management target."
       ::= { snmpNotifyObjects 2 }

   snmpNotifyFilterProfileEntry OBJECT-TYPE
       SYNTAX      SnmpV3NotifyFilterProfileEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           ""
       INDEX { snmpTargetName }
       ::= { snmpNotifyFilterProfileTable 1 }

   SnmpV3NotifyFilterProfileEntry ::= SEQUENCE {
       snmpNotifyFilterProfileName    SnmpAdminString
   }

   snmpNotifyFilterProfileName OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpNotifyFilterProfileEntry 1 }

   snmpNotifyFilterTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SnmpV3NotifyFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table is used to select management targets which
            should receive notifications."
       ::= { snmpNotifyObjects 3 }





Expires January 1998                                     [Page 40]


Internet-Draft            SNMPv3 Applications                  July 1997


   snmpNotifyFilterEntry OBJECT-TYPE
       SYNTAX      SnmpV3NotifyFilterEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           ""
       INDEX {         snmpNotifyFilterProfileName,
               IMPLIED snmpNotifyFilterSubtree }
       ::= { snmpNotifyFilterTable 1 }

   SnmpV3NotifyFilterEntry ::= SEQUENCE {
       snmpNotifyFilterSubtree           OBJECT IDENTIFIER,
       snmpNotifyFilterMask              OCTET STRING,
       snmpNotifyFilterType              INTEGER,
       snmpNotifyFilterStorageType       StorageType,
       snmpNotifyFilterRowStatus         RowStatus
   }

   snmpNotifyFilterSubtree OBJECT-TYPE
       SYNTAX      OBJECT IDENTIFIER
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpNotifyFilterEntry 1 }

   snmpNotifyFilterMask OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE(0..16))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpNotifyFilterEntry 2 }

   snmpNotifyFilterType OBJECT-TYPE
       SYNTAX      INTEGER {
                       included(1),
                       excluded(2)
                   }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpNotifyFilterEntry 3 }

   snmpNotifyFilterStorageType OBJECT-TYPE
       SYNTAX      StorageType





Expires January 1998                                     [Page 41]


Internet-Draft            SNMPv3 Applications                  July 1997


       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpNotifyFilterEntry 4 }

   snmpNotifyFilterRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpNotifyFilterEntry 5 }

   -- ------------------------------------------------------------------
   --
   -- Conformance information
   --
   -- ------------------------------------------------------------------

   snmpNotifyCompliances OBJECT IDENTIFIER ::=
                                           { snmpNotifyConformance 1 }
   snmpNotifyGroups      OBJECT IDENTIFIER ::=
                                           { snmpNotifyConformance 2 }

   -- ------------------------------------------------------------------
   --
   -- Compliance statements
   --
   -- ------------------------------------------------------------------

   snmpNotifyMinimalCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for minimal SNMP entities which
            implement only SNMP Traps and read-create operations on
            only the snmpTargetAddrTable."
       MODULE SNMPV3-TARGET-MIB
           MANDATORY-GROUPS { snmpTargetBasicGroup }

           OBJECT snmpTargetAddrName
           MIN-ACCESS    read-only
           DESCRIPTION
               "Read-write and read-create access are not required."

           OBJECT snmpTargetMessageProcessingModel
           MIN-ACCESS    read-only





Expires January 1998                                     [Page 42]


Internet-Draft            SNMPv3 Applications                  July 1997


           DESCRIPTION
               "Read-write and read-create access are not required."

           OBJECT snmpTargetSecurityModel
           MIN-ACCESS    read-only
           DESCRIPTION
               "Read-write and read-create access are not required."

           OBJECT snmpTargetSecurityName
           MIN-ACCESS    read-only
           DESCRIPTION
               "Read-write and read-create access are not required."

           OBJECT snmpTargetLoS
           MIN-ACCESS    read-only
           DESCRIPTION
               "Read-write and read-create access are not required."

           OBJECT snmpTargetStorageType
           SYNTAX INTEGER {
               readOnly(5)
           }
           MIN-ACCESS    read-only
           DESCRIPTION
               "Read-write and read-create access are not required.
                Support of the values other(1), volatile(2),
                nonVolatile(3), and permanent(4) is not required."

           OBJECT snmpTargetRowStatus
           SYNTAX INTEGER {
               active(1)
           }
           MIN-ACCESS    read-only
           DESCRIPTION
               "Read-write and read-create access are not required.
                Support of the values notInService(2), notReady(3),
                createAndGo(4), createAndWait(5), and destroy(6) is
                not required."

       ::= { snmpNotifyCompliances 1 }

   snmpNotifyBasicCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities which implement
            SNMP Traps with filtering, and read-create operations on
            all related tables."





Expires January 1998                                     [Page 43]


Internet-Draft            SNMPv3 Applications                  July 1997


       MODULE SNMPV3-TARGET-MIB
           MANDATORY-GROUPS { snmpTargetBasicGroup }
       MODULE -- This Module
           MANDATORY-GROUPS { snmpNotifyFilterGroup }
       ::= { snmpNotifyCompliances 2 }

   snmpNotifyCompleteCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities which either
            implement only SNMP Informs, or both SNMP Traps and SNMP
            Informs, plus filtering and read-create operations on
            all related tables."
       MODULE SNMPV3-TARGET-MIB
           MANDATORY-GROUPS { snmpTargetBasicGroup,
                              snmpTargetResponseGroup }
       MODULE -- This Module
           MANDATORY-GROUPS { snmpNotifyTypeGroup,
                              snmpNotifyFilterGroup }
       ::= { snmpNotifyCompliances 3 }

   snmpNotifyTypeGroup OBJECT-GROUP
       OBJECTS {
           snmpNotifyTargetType
       }
       STATUS      current
       DESCRIPTION
           "An object for selecting which management targets are used
            for generating notifications, and the type of notification
            to be generated for each selected management target."
       ::= { snmpNotifyGroups 1 }

   snmpNotifyFilterGroup OBJECT-GROUP
       OBJECTS {
           snmpNotifyFilterProfileName,
           snmpNotifyFilterMask,
           snmpNotifyFilterType,
           snmpNotifyFilterStorageType,
           snmpNotifyFilterRowStatus
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing remote configuration of
            management targets, including row creation in the
            snmpTargetTable."
       ::= { snmpNotifyGroups 3 }





Expires January 1998                                     [Page 44]


Internet-Draft            SNMPv3 Applications                  July 1997


   END


















































Expires January 1998                                     [Page 45]


Internet-Draft            SNMPv3 Applications                  July 1997


5.3.  The Proxy MIB

   The MIB contains a single scalar and a single table.  The scalar
   object, snmpProxyNextIndex, is used by managers when creating new
   entries in the table.  The table, snmpProxyTable, is used to define
   translations between management targets for use when forwarding
   messages.


5.3.1.  Definitions

   SNMPV3-PROXY-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY,
       OBJECT-TYPE,
       OBJECT-IDENTITY,
       Integer32
           FROM SNMPv2-SMI

       TDomain,
       TAddress,
       TruthValue,
       TimeInterval,
       RowStatus,
       StorageType
           FROM SNMPv2-TC

       SnmpEngineID,
       SnmpSecurityModel,
       SnmpLoS,
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB

       MODULE-COMPLIANCE,
       OBJECT-GROUP
           FROM SNMPv2-CONF;

   snmpProxyMIB MODULE-IDENTITY
       LAST-UPDATED "9706140000Z"
       ORGANIZATION "IETF SNMPv3 Working Group"
       CONTACT-INFO
           "David B. Levi
            SNMP Research, Inc.
            3001 Kimberlin Heights Road
            Knoxville, TN 37920-9716
            Tel: +1 423 573 1434





Expires January 1998                                     [Page 46]


Internet-Draft            SNMPv3 Applications                  July 1997


            E-mail: levi@snmp.com

            Paul Meyer
            Secure Computing Corporation
            2675 Long Lake Road
            Roseville, MN 55113
            Tel: +1 612 628 1592
            E-mail: paul_meyer@securecomputing.com

            Bob Stewart
            Cisco Systems
            ????
            ????
            Tel: +1 603 654 6923
            E-mail: bstewart@cisco.com"
       DESCRIPTION
           "This MIB module defines a MIB which provides mechanisms to
            remotely configure the parameters used by an SNMPv3 entity
            for the generation of notifications."
       REVISION    "9707140000Z"
       DESCRIPTION
           "The initial revision."
       ::= { snmpModules 13 }      -- TBD

   snmpProxyObjects        OBJECT IDENTIFIER ::= { snmpProxyMIB 1 }
   snmpProxyConformance    OBJECT IDENTIFIER ::= { snmpProxyMIB 2 }

   -- ------------------------------------------------------------------
   --
   -- The snmpProxyObjects group
   --
   -- ------------------------------------------------------------------

   snmpProxyNextIndex OBJECT-TYPE
       SYNTAX      Integer32  (1..2147483647)
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "This object is used to facilitate creation of rows in the
            snmpProxyTable.  Its value when read is equal to an unused
            value of snmpProxyIndex.  When a manager wishes to create
            a row in the snmpProxyTable, it should first retrieve the
            value of this object, and then set the instance of
            snmpProxyRowStatus whose snmpProxyIndex value is
            equal to the retrieved value to either createAndWait or
            createAndGo."
       ::= { snmpProxyObjects 1 }





Expires January 1998                                     [Page 47]


Internet-Draft            SNMPv3 Applications                  July 1997


   snmpProxyTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SnmpV3ProxyEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpProxyObjects 2 }

   snmpProxyEntry OBJECT-TYPE
       SYNTAX      SnmpV3ProxyEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           ""
       INDEX { snmpProxyIndex }
       ::= { snmpProxyTable 1 }

   SnmpV3ProxyEntry ::= SEQUENCE {
       snmpProxyIndex              Integer32,
       snmpProxyType               INTEGER,
       snmpProxyContextEngineID    SnmpEngineID,
       snmpProxyContextName        SnmpAdminString,
       snmpProxyTargetIn           Integer32,
       snmpProxyTargetOut          Integer32,
       snmpProxyStorageType        StorageType,
       snmpProxyRowStatus          RowStatus
   }

   snmpProxyIndex OBJECT-TYPE
       SYNTAX      Integer32  (1..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The locally arbitrary, but unique identifier associated
            with this snmpProxyEntry."
       ::= { snmpProxyEntry 1 }

   snmpProxyType OBJECT-TYPE
       SYNTAX      INTEGER {
                       read(1),
                       write(2),
                       trap(3),
                       inform(4)
                   }
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION





Expires January 1998                                     [Page 48]


Internet-Draft            SNMPv3 Applications                  July 1997


           ""
       ::= { snmpProxyEntry 2 }

   snmpProxyContextEngineID OBJECT-TYPE
       SYNTAX      SnmpEngineID
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpProxyEntry 3 }

   snmpProxyContextName OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpProxyEntry 4 }

   snmpProxyTargetIn OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object selects a set of management targets defined
            in the snmpTargetTable (in the SNMPV3-TARGET-MIB)."
       ::= { snmpProxyEntry 5 }

   snmpProxyTargetOut OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object selects a management target defined in the
            snmpTargetTable (in the SNMPV3-TARGET-MIB).  Only the
            first transport address/domain as selected by the
            snmpTargetAddrName object is identified by
            snmpProxyTargetOut (i.e. the lexicographically smallest
            instance in the snmpTargetAddrTable whose
            snmpTargetAddrName is equal to the snmpTargetAddrName
            object is used for proxy forwarding)."
       ::= { snmpProxyEntry 6 }

   snmpProxyStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current





Expires January 1998                                     [Page 49]


Internet-Draft            SNMPv3 Applications                  July 1997


       DESCRIPTION
           ""
       ::= { snmpProxyEntry 7 }

   snmpProxyRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           ""
       ::= { snmpProxyEntry 8 }

   -- ------------------------------------------------------------------
   --
   -- Conformance information
   --
   -- ------------------------------------------------------------------

   snmpProxyCompliances OBJECT IDENTIFIER ::=
                                            { snmpProxyConformance 1 }
   snmpProxyGroups      OBJECT IDENTIFIER ::=
                                            { snmpProxyConformance 2 }

   -- ------------------------------------------------------------------
   --
   -- Compliance statements
   --
   -- ------------------------------------------------------------------

   snmpProxyCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities which include
            a proxy forwarding application."
       MODULE SNMPV3-TARGET-MIB
           MANDATORY-GROUPS { snmpTargetBasicGroup,
                              snmpTargetResponseGroup }
       MODULE -- This Module
           MANDATORY-GROUPS { snmpProxyGroup }
       ::= { snmpProxyCompliances 1 }

   snmpProxyGroup OBJECT-GROUP
       OBJECTS {
           snmpProxyNextIndex,
           snmpProxyType,
           snmpProxyContextEngineID,
           snmpProxyContextName,





Expires January 1998                                     [Page 50]


Internet-Draft            SNMPv3 Applications                  July 1997


           snmpProxyTargetIn,
           snmpProxyTargetOut,
           snmpProxyStorageType,
           snmpProxyRowStatus
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing remote configuration of
            management targets, including row creation in the
            snmpTargetTable."
       ::= { snmpProxyGroups 3 }

   END






































Expires January 1998                                     [Page 51]


Internet-Draft            SNMPv3 Applications                  July 1997


6.  Identification of Management Targets in Notification Originators

   This section describes the mechanisms used by a notification
   originator application when using the MIB described in this document
   to determine the set of management targets to be used when generating
   a notification.

   A notification originator uses the snmpTargetTable to find the groups
   of management targets to be used for generating notifications.  Each
   active entry in this table, for which the corresponding value of
   snmpNotifyTargetType is trap(1) or inform(2), identifies a group of
   management targets to be used for notification generation.  Note that
   if an SNMP Entity's only use of the snmpTargetTable is for generation
   of messages containing SNMPv2-Trap PDUs, the snmpNotifyTargetType
   object is not required to be implemented.  In this case, the value of
   snmpNotifyTargetType is always assumed to be trap(1).

   Each such entry contains a pointer to the snmpTargetAddrTable
   (snmpTargetAddrName).  This pointer identifies zero or more transport
   endpoints, defined in the snmpTargetAddrTable.  If there are zero
   transport endpoints identified, the group of management targets is
   empty, and should be ignored.  Otherwise, each transport endpoint,
   paired with the SNMP information from the snmpTargetTable, identifies
   a single management target within the group.

   The decision as to whether a notification should contain an SNMPv2-
   Trap or Inform PDU is determined by the value of the
   snmpNotifyTargetType object.  If the value of this object is trap(1),
   the notification should contain an SNMPv2-Trap PDU.  If the value of
   this object is inform(2), then the notification should contain an
   Inform PDU, and the number of retries for the Inform is the value of
   snmpTargetRetryCount.  Note that the exception to these rules is when
   the snmpTargetMessageProcessingModel object indicates SNMPv1.  In
   this case, the notification is sent as a Trap if the value of
   snmpNotifyTargetType is either trap(1) or inform(2).
















Expires January 1998                                     [Page 52]


Internet-Draft            SNMPv3 Applications                  July 1997


7.  Notification Filtering

   This section describes the mechanisms used by a notification
   originator application when using the MIB described in this document
   to filter generation of notifications.

   A notification originator uses the snmpNotifyFilterTable to filter
   notifications.  When generating notifications for a group of
   management targets, all active entries in the snmpNotifyFilterTable,
   for which the value of the snmpNotifyFilterProfileName index is equal
   to the value of the snmpNotifyFilterProfileName object of the
   management target group, are used for filtering the notification.  If
   no such entries exist, no filtering is performed, and the
   notification may be sent to all management targets in the group.

   Otherwise, if matching entries do exist, the notification may be sent
   if the NOTIFICATION-TYPE OBJECT IDENTIFIER of the notification (this
   is the value of the element of the variable bindings whose name is
   snmpTrapOID.0, i.e. the second variable binding), and all of the
   object instances to be included in the variable-bindings of the
   notification, are not specifically excluded by the matching entries.

   Each set of snmpNotifyFilterTable entries is divided into two
   collections of filter subtrees:  the included filter subtrees, and
   the excluded filter subtrees.  The snmpNotifyFilterType object
   defines the collection to which each matching entry belongs.

   To determine whether a particular object instance is excluded by the
   set of matching entries, compare the object instance's OBJECT
   IDENTIFIER with each of the matching entries.  If none match, then
   the object instance is considered excluded, and the notification
   should not be sent to this group of management targets.  If one or
   more match, then the object instance is included or excluded,
   according to the value of snmpNotifyFilterType in the entry whose
   value of snmpNotifyFilterSubtree has the most sub-identifiers.  If
   multiple entries match and have the same number of sub-identifiers,
   then the lexicographically greatest instance of snmpNotifyFilterType
   among those which match determines the inclusion or exclusion.

   An object instance's OBJECT IDENTIFIER X matches an entry in the
   snmpNotifyFilterTable when the number of sub-identifiers in X is at
   least as many as in the value of snmpNotifyFilterSubtree for the
   entry, and each sub-identifier in the value of
   snmpNotifyFilterSubtree matches its corresponding sub-identifier in
   X.  Two sub-identifiers match either if the corresponding bit of
   snmpNotifyFilterMask is zero (the 'wild card' value), or if the two
   sub-identifiers are equal.





Expires January 1998                                     [Page 53]


Internet-Draft            SNMPv3 Applications                  July 1997


8.  Management Target Translation in Proxy Forwarder Applications

   This section describes the mechanisms used by a proxy forwarder
   application when using the MIB described in this document to
   translate incoming management target information into outgoing
   management target information for the purpose of forwarding messages.
   There are actually two mechanisms a proxy forwarder may use, one for
   forwarding request messages, and one for forwarding notification
   messages.


8.1.  Management Target Translation for Request Forwarding

   When forwarding request messages, the proxy forwarder will select a
   single entry in the snmpProxyTable.  To select this entry, it will
   perform the following comparisons:

       -  The snmpProxyType must be read(1) if the request is a Get,
          GetNext, or GetBulk request.  The snmpProxyType must be
          write(2) if the request is a Set request.

       -  The contextEngineId and contextName must equal the
          snmpProxyContextEngineID and snmpProxyContextName objects.

       -  The snmpProxyTargetIn object identifies an entry in the
          snmpTargetTable.  The snmp version, LoS, security model, and
          securityName must match the values of
          snmpTargetMessageProcessingModel, snmpTargetSecurityModel,
          snmpTargetSecurityName, and snmpTargetLoS of the identified
          entry in the snmpTargetTable.

       -  The identified entry in the snmpTargetTable contains a pointer
          to the snmpTargetAddrTable.  This pointer refers to zero or
          more entries in the snmpTargetAddrTable.  If there are no such
          entries, this comparison need not succeed.  If there is at
          least one such entry, the transport domain and address from
          which the request was received must match the
          snmpTargetAddrTDomain and snmpTargetAddrTAddress values of at
          least one of these entries.

   There may be multiple entries in the snmpProxyTable for which these
   comparisons succeed.  The entry whose snmpProxyIndex has the smallest
   value and for which the comparisons succeed will be selected by the
   proxy forwarder.

   The outgoing management information is identified by the value of the
   snmpProxyTargetOut object of the selected entry.  This object





Expires January 1998                                     [Page 54]


Internet-Draft            SNMPv3 Applications                  July 1997


   identifies an entry in the snmpTargetTable.  The
   snmpTargetMessageProcessingModel, snmpTargetSecurityModel,
   snmpTargetSecurityName, and snmpTargetLoS of this entry are used as
   one part of the management target.  The other part of the management
   target is a transport endpoint, which is identified by the value of
   the snmpTargetAddrName member of the snmpTargetTable entry.  This
   value may identify zero or more entries in the snmpTargetAddrTable.
   If there are no entries identified, the selected snmpProxyTable entry
   is invalid, and the proxy forwarder should look for another
   snmpProxyTable entry to use.  Otherwise, the snmpTargetAddrTable
   entry with the smallest value of snmpTargetAddrSubIndex is used as
   the transport endpoint.


8.2.  Management Target Translation for Notification Forwarding

   When forwarding notification messages, the proxy forwarder will
   select multiple entries in the snmpProxyTable.  To select these
   entries, it will perform the following comparisons:

       -  The snmpProxyType must be trap(3) if the notification is a
          Trap.  The snmpProxyType must be inform(4) if the request is
          an Inform.

       -  The contextEngineId and contextName must equal the
          snmpProxyContextEngineID and snmpProxyContextName objects.

       -  The snmpProxyTargetIn object identifies an entry in the
          snmpTargetTable.  The snmp version, LoS, security model, and
          securityName must match the values of
          snmpTargetMessageProcessingModel, snmpTargetSecurityModel,
          snmpTargetSecurityName, and snmpTargetLoS of the identified
          entry in the snmpTargetTable.

       -  The identified entry in the snmpTargetTable contains a pointer
          to the snmpTargetAddrTable.  This pointer refers to zero or
          more entries in the snmpTargetAddrTable.  If there are no such
          entries, this comparison need not succeed.  If there is at
          least one such entry, the transport domain and address from
          which the request was received must match the
          snmpTargetAddrTDomain and snmpTargetAddrTAddress values of at
          least one of these entries.

   All entries for which these comparisons succeed are selected.  The
   set of outgoing management targets to be used for generating
   forwarded notifications is identified by the value of the
   snmpProxyTargetOut object of all selected entries.  These values





Expires January 1998                                     [Page 55]


Internet-Draft            SNMPv3 Applications                  July 1997


   identify entries in the snmpTargetTable.  All such entries are used
   for generating forwarded notifications.  The snmpTargetNotification
   object is ignored when generating forwarded notifications in a proxy
   forwarder application.















































Expires January 1998                                     [Page 56]


Internet-Draft            SNMPv3 Applications                  July 1997


9.  Security Considerations

   Should have some discussion about notification generation
   applications which provide variable bindings when generating a
   notification, rather than omitting them and letting the engine get
   them from the LPM.  Applications that do this should be careful not
   to disclose anything that they shouldn't.



10.  Acknowledgments

   This document was produced by the IETF SNMPv3 working group.






































Expires January 1998                                     [Page 57]


Internet-Draft            SNMPv3 Applications                  July 1997


11.  References

[RFC1157]
     Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network
     Management Protocol", RFC 1157, SNMP Research, Performance Systems
     International, Performance Systems International, MIT Laboratory
     for Computer Science, May 1990.

[RFC1213]
     McCloghrie, K., and M. Rose, Editors, "Management Information Base
     for Network Management of TCP/IP-based internets: MIB-II", STD 17,
     RFC 1213, Hughes LAN Systems, Performance Systems International,
     March 1991.

[RFC1902]
     SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
     Waldbusser, "Structure of Management Information for Version 2 of
     the Simple Network Management Protocol (SNMPv2)", RFC1902, SNMP
     Research,Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc.,
     International Network Services, January 1996.

[RFC1903]
     SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
     Waldbusser, "Textual Conventions for Version 2 of the Simple
     Network Management Protocol (SNMPv2)", RFC1903, SNMP Research,Inc.,
     Cisco Systems, Inc., Dover Beach Consulting, Inc., International
     Network Services, January 1996.

[RFC1905]
     SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
     Waldbusser, "Protocol Operations for Version 2 of the Simple
     Network Management Protocol (SNMPv2)", RFC1905, SNMP Research,Inc.,
     Cisco Systems, Inc., Dover Beach Consulting, Inc., International
     Network Services, January 1996.

[RFC1907]
     SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
     Waldbusser, "Management Information Base for Version 2 of the
     Simple Network Management Protocol (SNMPv2)", RFC1905, SNMP
     Research,Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc.,
     International Network Services, January 1996.

[RFC1908]
     SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S.
     Waldbusser, "Coexistence between Version 1 and Version 2 of the
     Internet-standard Network Management Framework", RFC1905, SNMP
     Research,Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc.,





Expires January 1998                                     [Page 58]


Internet-Draft            SNMPv3 Applications                  July 1997


     International Network Services, January 1996.

[SNMPV3-ARCH]
     SNMPv3 Working Group, Harrington, D., Wijnen, B., "An Architecture
     for Describing Internet Management Frameworks", draft-ietf-snmpv3-
     next-gen-arch-02.txt, June 1997.

[SNMPV3-MPC]
     SNMPv3 Working Group, Case, J., Harrington, D., Wijnen, B.,
     "Message Processing and Control Model for version 3 of the Simple
     Network Management Protocol (SNMPv3)", draft-ietf-snmpv3-next-gen-
     arch-02.txt, June 1997.

[SNMPV3-ACM]
     SNMPv3 Working Group, Wijnen, B., Presuhn, R., McClogrie, K.,
     "Access Control Model for version 3 of the Simple Network
     Management Protocol (SNMPv3)", draft-ietf-snmpv3-next-gen-arch-
     02.txt, June 1997.



12.  Author's Address

     David B. Levi
     SNMP Research, Inc.
     3001 Kimberlin Heights Road
     Knoxville, TN 37920-9716
     U.S.A.
     Phone: +1 423 573 1434
     EMail: levi@snmp.com

     Paul Meyer
     Secure Computing Corporation
     2675 Long Lake Road
     Roseville, MN 55113
     U.S.A.
     Phone: +1 612 628 1592
     EMail: paul_meyer@securecomputing.com

     Bob Stewart
     Cisco Systems
     ????
     ????
     U.S.A.
     Phone: +1 603 654 6923
     EMail: bstewart@cisco.com





Expires January 1998                                     [Page 59]


Internet-Draft            SNMPv3 Applications                  July 1997


   APPENDIX A - Trap Configuration Example

   This section describes an example configuration for a Notification
   Generator application which implements the
   snmpNotifyMinimalCompliance level.  The example configuration
   specifies that the Notification Generator should send notifications
   to 3 separate managers, using authentication and no privacy for the
   first 2 managers, and using both authentication and privacy for the
   third manager.

   The configuration consists of three rows in the snmpTargetAddrTable,
   and two rows in the snmpTargetTable.

        * snmpTargetAddrName        = "AuthNoPrivTargetAddresses"
        * snmpTargetAddrSubIndex    = 1
          snmpTargetAddrTDomain     = snmpUDPDomain
          snmpTargetAddrTAddress    = 128.1.2.3:162
          snmpTargetAddrStorageType = readOnly(5)
          snmpTargetAddrRowStatus   = active(1)

        * snmpTargetAddrName        = "AuthNoPrivTargetAddresses"
        * snmpTargetAddrSubIndex    = 2
          snmpTargetAddrTDomain     = snmpUDPDomain
          snmpTargetAddrTAddress    = 128.2.4.6:162
          snmpTargetAddrStorageType = readOnly(5)
          snmpTargetAddrRowStatus   = active(1)

        * snmpTargetAddrName        = "AuthPrivTargetAddresses"
        * snmpTargetAddrSubIndex    = 1
          snmpTargetAddrTDomain     = snmpUDPDomain
          snmpTargetAddrTAddress    = 128.1.5.9:162
          snmpTargetAddrStorageType = readOnly(5)
          snmpTargetAddrRowStatus   = active(1)

        * snmpTargetName                   = "AuthNoPrivTarget"
          snmpTargetAddrName               = "AuthNoPrivTargetAddresses"
          snmpTargetMessageProcessingModel = 3
          snmpTargetSecurityModel          = 3 (USM)
          snmpTargetSecurityName           = "joe"
          snmpTargetLoS                    = auth(2)
          snmpTargetStorageType            = readOnly(5)
          snmpTargetRowStatus              = active(1)

        * snmpTargetName                   = "AuthPrivTarget"
          snmpTargetAddrName               = "AuthPrivTargetAddresses"
          snmpTargetMessageProcessingModel = 3
          snmpTargetSecurityModel          = 3 (USM)





Expires January 1998                                     [Page 60]


Internet-Draft            SNMPv3 Applications                  July 1997


          snmpTargetSecurityName           = "bob"
          snmpTargetLoS                    = priv(3)
          snmpTargetStorageType            = readOnly(5)
          snmpTargetRowStatus              = active(1)

   These entries define two separate management target groups.  The
   first group contains two management targets:

                          first target      second target
                          ------------      -------------
            snmpVersion   SNMPv3            SNMPv3
          securityModel   3 (USM)           3 (USM)
           securityName   "joe"             "joe"
                    LoS   auth(2)           auth(2)
        transportDomain   snmpUDPDomain     snmpUDPDomain
       transportAddress   128.1.2.3:162     128.2.4.6:162

   And the second group contains a single management target:

            snmpVersion   SNMPv3
                    LoS   priv(3)
          securityModel   3 (USM)
           securityName   "bob"
        transportDomain   snmpUDPDomain
       transportAddress   128.1.5.9:162


























Expires January 1998                                     [Page 61]


Internet-Draft            SNMPv3 Applications                  July 1997


   Table of Contents


   1 Abstract .....................................................    2
   2 Overview .....................................................    3
   2.1 Command Generators .........................................    3
   2.2 Command Responders .........................................    3
   2.3 Notification Originators ...................................    4
   2.4 Notification Receivers .....................................    4
   2.5 Proxy Forwarder ............................................    4
   3 Management Targets ...........................................    5
   4 Elements Of Procedure ........................................    6
   4.1 Command Generators .........................................    7
   4.2 Command Responders .........................................    9
   4.3 Notification Originators ...................................   14
   4.4 Notification Receivers .....................................   17
   4.5 Proxy Forwarders ...........................................   19
   4.5.1 Request Forwarding .......................................   19
   4.5.1.1 Processing an Incoming Request .........................   19
   4.5.1.2 Processing an Incoming Response ........................   22
   4.5.2 Notification Forwarding ..................................   23
   5 The Structure of the MIBs ....................................   26
   5.1 The Management Target MIB ..................................   26
   5.1.1 Definitions ..............................................   26
   5.2 The Notification MIB .......................................   37
   5.2.1 Definitions ..............................................   37
   5.3 The Proxy MIB ..............................................   46
   5.3.1 Definitions ..............................................   46
   6 Identification of Management Targets in Notification Origi-
        nators ....................................................   52
   7 Notification Filtering .......................................   53
   8 Management Target Translation in Proxy  Forwarder  Applica-
        tions .....................................................   54
   8.1 Management Target Translation for Request Forwarding .......   54
   8.2 Management Target Translation for Notification Forwarding
        ...........................................................   55
   9 Security Considerations ......................................   57
   10 Acknowledgments .............................................   57
   11 References ..................................................   58
   12 Author's Address ............................................   59
   Appendix A Trap Configuration Example ..........................   60










Expires January 1998                                     [Page 62]