[Search] [txt|pdf|bibtex] [Tracker] [Email] [Nits]

Versions: 00 01                                                         
isms                                                               C. Li
Internet-Draft                                                     Y. Li
Expires: November 27, 2008                           Huawei Technologies
                                                            May 26, 2008


   Simplified View-based Access Control Model (SVACM) for the Simple
                   Network Management Protocol (SNMP)
                         draft-li-isms-svacm-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 27, 2008.

Copyright Notice

   Copyright (C) The Internet Society (2008).

Abstract

   This document introduces a Simplified View-based Access Control Model
   (SVACM) for the Simple Network Management Protocol (SNMP), which is
   useful for the access control application of SNMP protocol.

   This document describes the procedure of access control in SVACM with
   Remote Authentication Dial In User Service (RADIUS) server for
   authorization.



Li & Li                 Expires November 27, 2008               [Page 1]


Internet-Draft             SVACM for the SNMP                   May 2008


   This document also includes a Management Information Base (MIB) for
   remotely managing the configuration parameters for SVACM.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Motivation . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.2.  General  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Simplified View-based Access Control Model (SVACM) . . . . . .  4
     2.1.  Elements of SVACM  . . . . . . . . . . . . . . . . . . . .  4
       2.1.1.  Groups . . . . . . . . . . . . . . . . . . . . . . . .  4
       2.1.2.  securityLevel  . . . . . . . . . . . . . . . . . . . .  5
       2.1.3.  MIB Views  . . . . . . . . . . . . . . . . . . . . . .  5
       2.1.4.  Access Policy  . . . . . . . . . . . . . . . . . . . .  6
     2.2.  Elements of Procedure  . . . . . . . . . . . . . . . . . .  6
       2.2.1.  Overview of isAccessAllowed Process  . . . . . . . . .  8
       2.2.2.  Processing the isAccessAllowed Service Request . . . .  8
   3.  RADIUS authorization for SNMP  . . . . . . . . . . . . . . . . 10
   4.  Definitions  . . . . . . . . . . . . . . . . . . . . . . . . . 11
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 20
     5.1.  Recommended Practices  . . . . . . . . . . . . . . . . . . 20
     5.2.  Defining Groups  . . . . . . . . . . . . . . . . . . . . . 20
     5.3.  Conformance  . . . . . . . . . . . . . . . . . . . . . . . 21
     5.4.  Access to the SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB . . . . . 21
   6.  Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
   7.  Normative References . . . . . . . . . . . . . . . . . . . . . 22
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 23
   Intellectual Property and Copyright Statements . . . . . . . . . . 24






















Li & Li                 Expires November 27, 2008               [Page 2]


Internet-Draft             SVACM for the SNMP                   May 2008


1.  Introduction

1.1.  Motivation

   View-based Access Control Model (VACM) of SNMP [RFC3415] is a
   specific model of the Access Control Subsystem (ACS).  VACM is
   elaborate, comprehensive and agile, but it is difficult to understand
   and configure, and it is not easy for administrators to deploy
   correctly.  The complexity of VACM and lack of support for RADIUS
   impact its adoption.  Simplified View-based Access Control Model
   (SVACM) makes the Access Control Model more intuitive and operable.

1.2.  General

   This document defines another specific model of ACS, designated
   SVACM, which simplifies VACM.  SVACM inherits the basic thinking of
   VACM, but simplifies some parameters, and confines the granularity of
   a view to MIB module level.  SVACM is less flexible than VACM, but is
   simpler and easier to deploy.  SVACM covers most common scenarios
   which do not need fine granularity of MIB views.  SVACM supports
   RADIUS for the process of authorization.  There is a parallel
   relationship between VACM and SVACM.  SVACM is not a replacement of
   VACM.  When administrators need the fine granularity of access
   control, the VACM should be adopted.

   This document also describes the procedure of access control in SVACM
   with a RADIUS [RFC2865] server for authorization, using the attribute
   of RADIUS protocol which is defined in [radman] to carry the access
   policies.

   It is important to understand the SNMP architecture and the
   terminology of the architecture to understand where the Access
   Control Model described in this memo fits into the architecture and
   interacts with other subsystems and models within the architecture.
   The reader is expected to have read and understood the description
   and terminology of the SNMP architecture, as defined in [RFC3411].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL","SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].











Li & Li                 Expires November 27, 2008               [Page 3]


Internet-Draft             SVACM for the SNMP                   May 2008


2.  Simplified View-based Access Control Model (SVACM)

   VACM determines the access rights of a group, representing zero or
   more securityNames which have the same access rights.  For a
   particular context, identified by contextName, to which a group,
   identified by groupName, has access using a particular securityModel
   and securityLevel, that group's access rights are given by a read-
   view, a write-view and a notify-view.

   VACM defines the vacmContextTable that lists the locally available
   contexts by contextName.  A SNMP context is a collection of
   management information accessible by a SNMP engine, but in a majority
   of use cases, there is not multiple contexts in a single agent.
   Moreover, administrators do not understand well what the concept of
   context represents, so the configuration of context is difficult.  To
   be more practical, SVACM does not consider the context parameter any
   more in access control process.  SVACM just considers most common
   situations, if several contexts are required in one agent, VACM is
   still needed.

   SVACM does not use the securityModel parameter like VACM.
   SecurityModel is an identifier that uniquely identifies a Security
   Model of the Security Subsystem within this SNMP Management
   Architecture.  In VACM the parameter securityModel is checked in
   vacmSecurityToGroupTable and vacmAccessTable.  SVACM removes the
   securityModel from these two steps, the reasons are described in the
   following sections.

   SVACM inherits the same basic mechanism of groups and views as VACM,
   but changes some details in them, to be simpler and easier for the
   deployment.

2.1.  Elements of SVACM

2.1.1.  Groups

   In VACM a group is a set of zero or more (securityModel,
   securityName) tuples on whose behalf SNMP management objects can be
   accessed.  SVACM also uses the group mechanism, but it uses the
   securityName as an only index for the mapping of groupName.  The
   parameter securityModel is not a mapping parameter any more in the
   group mechanism.

   In VACM, a user using different securityModel could be mapped into
   different groups, and different users using different securityModel
   respectively could be mapped into the same group.  Thus introducing
   securityModel in group mapping method makes people confused about the
   meaning of a group.  In general, a group is a set of users.  Removing



Li & Li                 Expires November 27, 2008               [Page 4]


Internet-Draft             SVACM for the SNMP                   May 2008


   securityModel parameter from vacmSecurityToGroupTable would make the
   concept of group clear.  Furthermore, one index in
   vacmSecurityToGroupTable is more straightforward than two indexes.
   The securityModel and securityLevel should indeed be taken into
   account by access control process.  They may influence access rights
   of a group via the mapping from group into views, thereby it
   indirectly influence access rights of a user.  So SVACM does not
   consider securityModel parameter in the group mapping step.

   In SVACM, a securityName will be mapped into only one group.  Whether
   this mapping occurs in local database of SNMP engine or in an outer
   server depends on the deployment.  In the latter case, the outer
   server such as a RADIUS server will transport the mapped groupName
   information to the SNMP engine.  The procedure of access control in
   SVACM with a RADIUS server is described in Section 3.

2.1.2.  securityLevel

   SVACM uses the same securityLevel parameter as VACM.  SecurityLevel
   identifies the level of security that will be assumed when checking
   for access rights.  Different access rights for members of a group
   can be defined for different levels of security, i.e., noAuthNoPriv,
   authNoPriv, and authPriv.

2.1.3.  MIB Views

   In VACM, a "MIB view" details a specific set of managed object types
   (and optionally, the specific instances of object types).  The
   definition of MIB views in VACM is agile, but configuring the
   vacmViewTreeFamilyTable is complicated.  To configure each MIB view
   in the whole MIB tree, a network administrator must know clearly
   about the MIB tree structure and exactly where a certain managed
   object locates.  It is too difficult for network administrators to
   know all these details and to calculate the subtree mask.

   SVACM also uses the definition of a "MIB view" to detail the managed
   object types, but SVACM simplifies MIB Views by eliminating include/
   exclude, subtree masks, and ViewTreeFamilies.

   SVACM defines a "MIB view" in a coarse granularity.  Each MIB module
   is defined as a MIB view.  These MIB views are built in the
   svacmViewTable and do not need to be configured by network
   administrators.  For example, OSPF-MIB is a MIB module which has a
   definite OID, SVACM defines OSPF-MIB as a MIB view whose viewname is
   OSPF-MIB.  This view definition method omits the steps of configuring
   the subtree OID and subtree mask.  Administrators who know only the
   MIB-module name are able to distribute each view the types of access
   (read, write or notify).  It improves human readability.  Moreover,



Li & Li                 Expires November 27, 2008               [Page 5]


Internet-Draft             SVACM for the SNMP                   May 2008


   ignoring subtree mask and remove of excluding a subtree would result
   in that the examination of whether a variableName is in specific MIB
   views is much faster than before.

   There SHOULD be a built-in MIB view in the svacmViewTable, which
   represents the whole MIB tree.  Its name could be ALL-MIB or others.

2.1.4.  Access Policy

   In SVACM, the svacmAccessTable makes use of only the groupname and
   securityLevel as indexes, the securityModel is discarded.  The
   securityModel is just an identifier of a security model, which does
   not indicate the completeness of a protection measure.  For
   instances, the User-based Security Model(USM) [RFC3414] could be with
   securityLevel of authNoPriv or authPriv.  The Transport Security
   Model (TSM) [TSM for SNMP] could also be with securityLevel of
   authNoPriv or authPriv.  No one can assert that a securityModel is
   more secure than another one.  For a given group, assigning different
   access control rights for different securityModels with the same
   securityLevel is meaningless.  So the securityLevel is the key factor
   in the access control process, the securityModel is not significant.

   In vacmAccessTable of VACM, the group's access rights are given by a
   read-view, a write-view or a notify-view.  In SVACM, each view
   includes a MIB-module subtree.  Several views are distributed with
   one type of access (read, write or notify).  So one group could
   access more than one read-view, more than one write-view or more than
   one notify-view, which are configured in svacmAccessTable.  This
   configuration method of svacmAccessTable reuses each built-in view.
   So it is more convenient and easy to configure.

   Most MIB module names end in -MIB, so it could be simpler for an
   agent to just list "BGP4, OSPF, MPLS, ..." in svacmAccessTable and
   svacmViewTable, and it is useful in the length limitation of
   SnmpAdminString.

2.2.  Elements of Procedure

   This section describes the procedures followed by an Access Control
   Module that deploys SVACM, when checking access rights as requested
   by an application.  The abstract service primitive is:










Li & Li                 Expires November 27, 2008               [Page 6]


Internet-Draft             SVACM for the SNMP                   May 2008


   statusInformation =     -- success or errorIndication
      isAccessAllowed(
         securityModel     -- Security Model in use,
                              unused in SVACM.
         securityName      -- principal who wants access
         securityLevel     -- Level of Security
         viewType          -- read, write, or notify view
         contextName       -- context containing variableName,
                              unused in SVACM
         variableName      -- OID for the managed object
         )

   The abstract data elements are:


      statusInformation    - one of the following:
            accessAllowed  - MIB views were found and access is granted.
            notInAllViews  - MIB views were found but access is denied.
                             The variableName is not in any MIB views
                             for the specified viewType (e.g.,in the
                             relevant entry of svacmAccessTable).
            noSuchViews    - no MIB view found because no view has been
                             configured for specified viewType (e.g., in
                             the relevant entry in svacmAccessTable).
            noGroupName    - no MIB view found because no entry has been
                             configured in svacmSecurityToGroupTable
                             for the specified securityName.
            noAccessEntry  - no MIB view found because no entry has been
                             configured in svacmAccessTable for the
                             specified groupName (from
                             svacmSecurityToGroupTable).
            otherError     - failure, an undefined error occurred.



















Li & Li                 Expires November 27, 2008               [Page 7]


Internet-Draft             SVACM for the SNMP                   May 2008


2.2.1.  Overview of isAccessAllowed Process

   The following picture shows how the decision for access control is
   made by SVACM.  This process will not check the parameters
   contextName and securityModel which are unused in SVACM.


   +-----------------------------------------------------------+
   |                                                           |
   |  securityName ---> groupName --+                          |
   |                                |                          |
   |  securityLevel ----------------+-> viewNames -+-> yes/no  |
   |                                |              |  decision |
   |  viewType (read/write/notify)--+              |           |
   |                                               |           |
   |  variableName (OID) --------------------------+           |
   |                                                           |
   +-----------------------------------------------------------+

2.2.2.  Processing the isAccessAllowed Service Request

   This section describes the procedure followed by an Access Control
   module that deploys SVACM whenever it receives an isAccessAllowed
   request.



























Li & Li                 Expires November 27, 2008               [Page 8]


Internet-Draft             SVACM for the SNMP                   May 2008


       1) The svacmSecurityToGroupTable is consulted for mapping the
          securityName into a groupName. If the information about this
          securityName is absent from the table, then an
          errorIndication (noGroupName) is returned to the calling
          module, and the processing of the request stops.

       2) The svacmAccessTable is consulted for information about the
          groupName and securityLevel. If information about this
          combination is absent from the table, then an
          errorIndication (noAccessEntry) is returned to the calling
          module, and the processing of the request stops.

       3) a) If the viewType is "read", then the read views are used for
             checking access rights.

          b) If the viewType is "write", then the write views are used
             for checking access rights.

          c) If the viewType is "notify", then the notify views are used
             for checking access rights.

          If the viewtype is a zero length string, then an
          errorIndication (noSuchViews) is returned to the calling
          module, and the processing of the request stops.

       4) a) If one view in the read-view (write-view or notify-view)
             list is not built in the svacmViewTable, ignore this result
             and go on match other views in the list. If none view
             configured for the specified viewType is found in
             svacmViewTable, then an errorIndication (noSuchViews) is
             returned to the calling module, and the processing of the
             request stops.

          b) If the specified variableName (object instance) is not in
             the MIB views then an errorIndication (notInAllViews) is
             returned to the calling module, and the processing of the
             request stops.

          Otherwise,

          c) The specified variableName is in the MIB views. A
             statusInformation of success (accessAllowed) is returned
             to the calling module.








Li & Li                 Expires November 27, 2008               [Page 9]


Internet-Draft             SVACM for the SNMP                   May 2008


3.  RADIUS authorization for SNMP

   SVACM is easy to be integrated with RADIUS.  When a SNMP engine using
   a RADIUS server to complete the authorization of access control, the
   SNMP engine takes the role of NAS according to the RADIUS server.
   The mapping from securityName into groupName is done by the RADIUS
   server, instead of svacmSecurityToGroupTable of SVACM in the SNMP
   engine.

   [radman] defines a RADIUS attribute Management-Policy-Id which is
   transported in an Access-Accept message, and it indicates the name of
   the management access policy for users.  When SVACM is integrated
   with RADIUS, the Management-Policy-Id attribute indicates the
   groupName which a user belongs to.





































Li & Li                 Expires November 27, 2008              [Page 10]


Internet-Draft             SVACM for the SNMP                   May 2008


4.  Definitions

   SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-COMPLIANCE                  FROM SNMPv2-CONF
       MODULE-IDENTITY, OBJECT-TYPE,
       snmpModules                        FROM SNMPv2-SMI
       RowStatus, StorageType             FROM SNMPv2-TC
       SnmpAdminString                    FROM SNMP-FRAMEWORK-MIB;

   snmpSvacmMIB       MODULE-IDENTITY
       LAST-UPDATED ""
       ORGANIZATION ""
       CONTACT-INFO "
                    "
       DESCRIPTION  "The management information definitions for the
                     Simplified View-based Access Control Model for
                     SNMP.
                    "
       ::= { snmpModules x }

   -- Administrative assignments *************************************

   svacmMIBObjects      OBJECT IDENTIFIER ::= { snmpSvacmMIB 1 }
   svacmMIBConformance  OBJECT IDENTIFIER ::= { snmpSvacmMIB 2 }

   -- Information about Groups ***************************************

   svacmSecurityToGroupTable OBJECT-TYPE
       SYNTAX       SEQUENCE OF SvacmSecurityToGroupEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "This table maps a securityName into a groupName
                    which is used to define an access control policy
                    for a group of principals.
                   "
       ::= { svacmMIBObjects 1 }

   svacmSecurityToGroupEntry OBJECT-TYPE
       SYNTAX       SvacmSecurityToGroupEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "An entry in this table maps a securityName into a
                    groupName.
                   "
       INDEX       {
                     svacmSecurityName



Li & Li                 Expires November 27, 2008              [Page 11]


Internet-Draft             SVACM for the SNMP                   May 2008


                   }
       ::= { svacmSecurityToGroupTable 1 }

   SvacmSecurityToGroupEntry ::= SEQUENCE
       {
           svacmSecurityName                SnmpAdminString,
           svacmGroupName                   SnmpAdminString,
           svacmSecurityToGroupStorageType  StorageType,
           svacmSecurityToGroupStatus       RowStatus
       }

   svacmSecurityName OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "The securityName for the principal which is
                    mapped by this entry into a groupName.
                   "
       ::= { svacmSecurityToGroupEntry 1 }

   svacmGroupName    OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The name of the group which this entry (the
                    securityName) belongs to.

                    This groupName is used as an index in the
                    svacmAccessTable to select an access control
                    policy. However, a value in this table does not
                    imply that an instance with the value exists in
                    svacmAccesTable.
                   "
       ::= { svacmSecurityToGroupEntry 2 }

   svacmSecurityToGroupStorageType OBJECT-TYPE
       SYNTAX       StorageType
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The storage type for this conceptual row.
                    Conceptual rows having the value 'permanent' need
                    not allow write-access to any columnar objects in
                    the row.
                   "
       DEFVAL      { nonVolatile }
       ::= { svacmSecurityToGroupEntry 3 }

   svacmSecurityToGroupStatus OBJECT-TYPE



Li & Li                 Expires November 27, 2008              [Page 12]


Internet-Draft             SVACM for the SNMP                   May 2008


       SYNTAX       RowStatus
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The status of this conceptual row.

                    Until instances of all corresponding columns are
                    appropriately configured, the value of the
                    corresponding instance of the
                    svacmSecurityToGroupStatus column is 'notReady'.

                    In particular, a newly created row cannot be made
                    active until a value has been set for
                    svacmGroupName.

                    The RowStatus TC [RFC2579] requires that this
                    DESCRIPTION clause states under which circumstances
                    other objects in this row can be modified:

                    The value of this object has no effect on whether
                    other objects in this conceptual row can be
                    modified.
                   "
       ::= { svacmSecurityToGroupEntry 4 }

   -- Information about Access Rights ********************************

   svacmAccessTable  OBJECT-TYPE
       SYNTAX       SEQUENCE OF SvacmAccessEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "The table of access rights for groups.

                    Each entry is indexed by a groupName and a
                    svacmSecurityLevel. To determine whether access
                    is allowed, one entry from this table needs to
                    be selected and the proper viewNames from that
                    entry must be used for access control checking.
                    "
       ::= { svacmMIBObjects 2 }

   svacmAccessEntry  OBJECT-TYPE
       SYNTAX       SvacmAccessEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "An access right configured in Local Configuration
                   Datastore(LCD) authorizing access to an SNMP engine.

                    Entries in this table can use an instance value for



Li & Li                 Expires November 27, 2008              [Page 13]


Internet-Draft             SVACM for the SNMP                   May 2008


                    object svacmGroupName even if no entry in table
                    svacmAccessSecurityToGroupTable has a corresponding
                    value for object svacmGroupName.
                   "
       INDEX       { svacmGroupName,
                     svacmSecurityLevel
                   }
       ::= { svacmAccessTable 1 }

   SvacmAccessEntry ::= SEQUENCE
       {
           svacmSecurityLevel          SnmpAdminString,
           svacmAccessReadViewNames    SnmpAdminString,
           svacmAccessWriteViewNames   SnmpAdminString,
           svacmAccessNotifyViewNames  SnmpAdminString,
           svacmAccessStorageType      StorageType,
           svacmAccessStatus           RowStatus
       }

   svacmSecurityLevel OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(0..32))
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "The minimum level of security required in order to
                    gain the access rights allowed by this conceptual
                    row.  A securityLevel of noAuthNoPriv is less than
                    authNoPriv which in turn is less than authPriv."
       ::= { svacmAccessEntry 1 }

   svacmAccessReadViewNames OBJECT-TYPE
       SYNTAX       SnmpAdminString
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The value of an instance of this object identifies
                    the MIB views of the SNMP engine to which this
                    conceptual row authorizes read access.

                    One SnmpAdminString carries a list of Read view
                    names separated by comma.

                    The identified MIB views are that ones for which the
                    svacmViewName has the same value as the instance of
                    this object; if the value is the empty string or if
                    there is no active MIB view having this value of
                    svacmViewName, then no access is granted.
                   "
       DEFVAL      { ''H }   -- the empty string
       ::= { svacmAccessEntry 2 }



Li & Li                 Expires November 27, 2008              [Page 14]


Internet-Draft             SVACM for the SNMP                   May 2008


   svacmAccessWriteViewNames OBJECT-TYPE
       SYNTAX       SnmpAdminString
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The value of an instance of this object identifies
                    the MIB view of the SNMP engine to which this
                    conceptual row authorizes write access.

                    One SnmpAdminString carries a list of Write view
                    names separated by comma.

                    The identified MIB views are that ones for which the
                    svacmViewName has the same value as the instance of
                    this object; if the value is the empty string or if
                    there is no active MIB view having this value of
                    svacmViewName, then no access is granted.
                   "
       DEFVAL      { ''H }   -- the empty string
       ::= { svacmAccessEntry 3 }

   svacmAccessNotifyViewNames OBJECT-TYPE
       SYNTAX       SnmpAdminString
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The value of an instance of this object identifies
                    the MIB view of the SNMP engine to which this
                    conceptual row authorizes access for notifications.

                    One SnmpAdminString carries a list of Notify view
                    names separated by comma.

                    The identified MIB views are that ones for which the
                    svacmViewName has the same value as the instance of
                    this object; if the value is the empty string or if
                    there is no active MIB view having this value of
                    svacmViewName, then no access is granted.
                   "
       DEFVAL      { ''H }   -- the empty string
       ::= { svacmAccessEntry 4 }

   svacmAccessStorageType OBJECT-TYPE
       SYNTAX       StorageType
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The storage type for this conceptual row.

                    Conceptual rows having the value 'permanent' need
                    not allow write-access to any columnar objects in



Li & Li                 Expires November 27, 2008              [Page 15]


Internet-Draft             SVACM for the SNMP                   May 2008


                    the row.
                   "
       DEFVAL      { nonVolatile }
       ::= { svacmAccessEntry 5 }

   svacmAccessStatus OBJECT-TYPE
       SYNTAX       RowStatus
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The status of this conceptual row.

                    The RowStatus TC [RFC2579] requires that this
                    DESCRIPTION clause states under which circumstances
                    other objects in this row can be modified:

                    The value of this object has no effect on whether
                    other objects in this conceptual row can be
                    modified.
                   "
       ::= { svacmAccessEntry 6 }

   -- Information about MIB views ************************************

   -- Support for MIB-module-granularity is compulsory.


   svacmMIBViews     OBJECT IDENTIFIER ::= { svacmMIBObjects 3 }

   svacmViewTable OBJECT-TYPE
       SYNTAX       SEQUENCE OF SvacmViewEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "Locally held information about MIB views. This table
                    is built in by the agent, and can not be altered or
                    deleted by any administrator.

                    Each MIB view is a included subtree in the unit of
                    MIB module with definite OID value. So the
                    definition of each view based on each MIB module
                    could be built in this table.

                    To determine whether a particular object instance is
                    in a particular MIB view, compare the object
                    instance's OBJECT IDENTIFIER with the MIB view's
                    active entry in this table. If none match, then the
                    object instance is not in the MIB view. If one
                    matches, then the object instance is included in.




Li & Li                 Expires November 27, 2008              [Page 16]


Internet-Draft             SVACM for the SNMP                   May 2008


                    If a administrator want to create/delete an entry in
                    the svacmViewTable, then an operation error must be
                    returned.
                   "
       ::= { svacmMIBViews 1 }

   svacmViewEntry OBJECT-TYPE
       SYNTAX       SvacmViewEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "Information on a particular view subtree included
                    in a particular SNMP engine's MIB view.

                    If no conceptual rows exist in this table for a
                    given MIB view (viewName), then an errorIndication
                    (noSuchView) is returned.
                   "
       INDEX       {
                     svacmViewName
                   }
       ::= { svacmViewTable 1 }

   SvacmViewEntry ::= SEQUENCE
       {
           svacmViewName         SnmpAdminString,
           svacmViewSubtree      OBJECT IDENTIFIER
       }

   svacmViewName OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION "The human readable name for a MIB-module-granularity
                    view.
                   "
       ::= { svacmViewEntry 1 }

   svacmViewSubtree OBJECT-TYPE
       SYNTAX       OBJECT IDENTIFIER
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION "The MIB subtree which defines a MIB-module-
                    granularity view. Corresponding to each
                    svacmViewName, its OID value is definite and built
                    in svacmViewTable. It does not need to be configured
                    by administrators.
                   "
       ::= { svacmViewEntry 2 }



Li & Li                 Expires November 27, 2008              [Page 17]


Internet-Draft             SVACM for the SNMP                   May 2008


   -- Conformance information ****************************************

   svacmMIBCompliances  OBJECT IDENTIFIER ::= { svacmMIBConformance 1 }
   svacmMIBGroups       OBJECT IDENTIFIER ::= { svacmMIBConformance 2 }

   -- Compliance statements ******************************************

   svacmMIBCompliance MODULE-COMPLIANCE
       STATUS       current
       DESCRIPTION "The compliance statement for SNMP engines which
                    deploy the SNMP simplified View-based Access
                    Control Model configuration MIB.
                   "
       MODULE -- this module
           MANDATORY-GROUPS { svacmBasicGroup }

           OBJECT        svacmAccessReadViewNames
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."

           OBJECT        svacmAccessWriteViewNames
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."

           OBJECT        svacmAccessNotifyViewNames
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."

           OBJECT        svacmAccessStorageType
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."

           OBJECT        svacmAccessStatus
           MIN-ACCESS    read-only
           DESCRIPTION  "Create/delete/modify access to the
                         svacmAccessTable is not required.
                        "
       ::= { svacmMIBCompliances 1 }

   -- Units of conformance ***********************************

   svacmBasicGroup OBJECT-GROUP
       OBJECTS {
                 svacmGroupName,
                 svacmSecurityLevel,
                 svacmSecurityToGroupStorageType,
                 svacmSecurityToGroupStatus,
                 svacmAccessReadViewNames,



Li & Li                 Expires November 27, 2008              [Page 18]


Internet-Draft             SVACM for the SNMP                   May 2008


                 svacmAccessWriteViewNames,
                 svacmAccessNotifyViewNames,
                 svacmAccessStorageType,
                 svacmAccessStatus
               }
       STATUS       current
       DESCRIPTION "A collection of objects providing for remote
                    configuration of an SNMP engine which deploys
                    the SNMP simplified View-based Access Control Model.
                   "
       ::= { svacmMIBGroups 1 }
   END







































Li & Li                 Expires November 27, 2008              [Page 19]


Internet-Draft             SVACM for the SNMP                   May 2008


5.  Security Considerations

5.1.  Recommended Practices

   This document is meant for use in the SNMP architecture.  The
   Simplified View-based Access Control Model described in this document
   checks access rights to management information based on:

       -  groupName, representing a set of zero or more
          securityNames. The securityName is mapped into a group in the
          Simplified View-based Access Control Model.

       -  securityLevel under which access is requested.

       -  operation performed on the management information.

       -  MIB views for read, write or notify access.

   When the User-based Security Module or transport security model is
   called for checking access rights, it is assumed that the calling
   module has ensured the authentication and privacy aspects as
   specified by the securityLevel that is being passed.

5.2.  Defining Groups

   The groupNames are used to give access to a group of zero or more
   securityNames.  Within the Simplified View-Based Access Control
   Model, a groupName is considered to exist if that groupName is listed
   in the svacmSecurityToGroupTable.

   By mapping the securityName into a groupName, an SNMP Command
   Generator application can add/delete securityNames to/from a group,
   if proper access is allowed.

   Further it is important to realize that the grouping of securityName
   in the svacmSecurityToGroupTable does not take securityLevel into
   account.  It is therefore important that the security administrator
   uses the securityLevel index in the svacmAccessTable to separate
   noAuthNoPriv from authPriv and/or authNoPriv access.

   There is a parallel relationship between the View-based Access
   Control Model and the Simplified View-based Access Control Model.  An
   application need to decide which ACM should be used (VACM or SVACM).
   The Simplified View-based Access Control Model is used in scenarios
   which do not consider the context parameter and with coarse
   granularity of MIB views in MIB module level.  When administrators
   need the fine granularity of access control, or several contexts in
   one agent, the View-based Access Control Model is still needed.



Li & Li                 Expires November 27, 2008              [Page 20]


Internet-Draft             SVACM for the SNMP                   May 2008


5.3.  Conformance

   For an implementation of the View-based Access Control Model to be
   conformant, it MUST implement the SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB
   according to the svacmMIBCompliance.

5.4.  Access to the SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB

   The objects in this MIB control the access to all MIB data that is
   accessible via the SNMP engine and they may be considered sensitive
   in many environments.  It is important to closely control (both read
   and write) access to these MIB objects by using appropriately
   configured Access Control models (for example the Simplified View-
   based Access Control Model as specified in this document).





































Li & Li                 Expires November 27, 2008              [Page 21]


Internet-Draft             SVACM for the SNMP                   May 2008


6.  Notation

   None.

7.  Normative References

   [RFC2119]  Bradner, s., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., "Remote Authentication Dial In User Service
              (RADIUS)", rfc 2865, June 2000,
              <http://www.ietf.org/rfc/rfc2865.txt?number=2865>.

   [RFC3411]  Harrington, D., "An Architecture for Describing Simple
              Network Management Protocol (SNMP) Management Frameworks",
              rfc 3411, std 62, December 2002,
              <http://www.ietf.org/rfc/rfc3411.txt>.

   [RFC3414]  Blumenthal, U., "User-based Security Model (USM) for
              version 3 of the Simple Network Management Protocol
              (SNMPv3)", February 2008,
              <http://www.ietf.org/rfc/rfc3414.txt>.

   [RFC3415]  Wijnen, B., "View-based Access Control Model (VACM) for
              the Simple Network Management Protocol (SNMP)", rfc 3415,
              December 2002, <http://www.ietf.org/rfc/rfc3415.txt>.

   [TSM for SNMP]
              Harrington, D., "Transport Security Model for SNMP
              draft-ietf-isms-transport-security-model-07",
              February 2008, <http://www.ietf.org/internet-drafts/
              draft-ietf-isms-transport-security-model-07.txt>.

   [radman]   Nelson, D., "Remote Authentication Dial-In User Service
              (RADIUS) Authorization for Network Access Server (NAS)
              Management", February 2008, <http://www.ietf.org/
              internet-drafts/
              draft-ietf-radext-management-authorization-02.txt>.













Li & Li                 Expires November 27, 2008              [Page 22]


Internet-Draft             SVACM for the SNMP                   May 2008


Authors' Addresses

   Chunxiu Li
   Huawei Technologies
   HuaWei Building, No.3 Xinxi Rd.,Shang-Di Information Industry Base
   Beijing  100085
   China

   Phone: +86 010 82836081
   Email: lichunxiu@huawei.com
   URI:   http://www.huawei.com


   Yan Li
   Huawei Technologies
   HuaWei Building, No.3 Xinxi Rd.,Shang-Di Information Industry Base
   Beijing  100085
   China

   Phone: +86 010 82836074
   Email: liyan_77@huawei.com
   URI:   http://www.huawei.com





























Li & Li                 Expires November 27, 2008              [Page 23]


Internet-Draft             SVACM for the SNMP                   May 2008


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2008).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Li & Li                 Expires November 27, 2008              [Page 24]