isms                                                               C. Li
Internet-Draft                                                     Y. Li
Expires: November 27, 2008                           Huawei Technologies
                                                            May 26, 2008


   Simplified View-based Access Control Model (SVACM) for the Simple
                   Network Management Protocol (SNMP)
                         draft-li-isms-svacm-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 27, 2008.

Copyright Notice

   Copyright (C) The Internet Society (2008).

Abstract

   This document introduces a Simplified View-based Access Control Model
   (SVACM) for the Simple Network Management Protocol (SNMP), which is
   intended for access control in SNMP-based management.

   This document describes the procedure of access control in SVACM with
   a Remote Authentication Dial In User Service (RADIUS) server for
   authorization.



Li & Li                 Expires November 27, 2008               [Page 1]


Internet-Draft             SVACM for the SNMP                   May 2008


   This document also includes a Management Information Base (MIB) for
   remotely managing the configuration parameters for SVACM.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Motivation . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.2.  General  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Simplified View-based Access Control Model (SVACM) . . . . . .  4
     2.1.  Elements of SVACM  . . . . . . . . . . . . . . . . . . . .  4
       2.1.1.  Groups . . . . . . . . . . . . . . . . . . . . . . . .  4
       2.1.2.  securityLevel  . . . . . . . . . . . . . . . . . . . .  5
       2.1.3.  MIB Views  . . . . . . . . . . . . . . . . . . . . . .  5
       2.1.4.  Access Policy  . . . . . . . . . . . . . . . . . . . .  6
     2.2.  Elements of Procedure  . . . . . . . . . . . . . . . . . .  6
       2.2.1.  Overview of isAccessAllowed Process  . . . . . . . . .  8
       2.2.2.  Processing the isAccessAllowed Service Request . . . .  8
   3.  RADIUS authorization for SNMP  . . . . . . . . . . . . . . . . 10
   4.  Definitions  . . . . . . . . . . . . . . . . . . . . . . . . . 11
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 20
     5.1.  Recommended Practices  . . . . . . . . . . . . . . . . . . 20
     5.2.  Defining Groups  . . . . . . . . . . . . . . . . . . . . . 20
     5.3.  Conformance  . . . . . . . . . . . . . . . . . . . . . . . 21
     5.4.  Access to the SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB . . . . . 21
   6.  Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
   7.  Normative References . . . . . . . . . . . . . . . . . . . . . 22
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 23
   Intellectual Property and Copyright Statements . . . . . . . . . . 24

1.  Introduction

1.1.  Motivation

   The View-based Access Control Model (VACM) of SNMP [RFC3415] is a
   specific model of the Access Control Subsystem (ACS).  VACM is
   elaborate, comprehensive and flexible, but it is difficult to
   understand and configure, and it is not easy for administrators to
   deploy correctly.  The complexity of VACM and its lack of support for
   RADIUS hinder its adoption.  The Simplified View-based Access Control
   Model (SVACM) makes the Access Control Model more intuitive and
   easier to operate.

1.2.  General

   This document defines another specific model of the ACS, designated
   SVACM, which simplifies VACM.  SVACM inherits the basic design of
   VACM, but simplifies some parameters and confines the granularity of
   a view to the MIB module level.  SVACM is less flexible than VACM, but
   it is simpler and easier to deploy.  SVACM covers the most common
   scenarios, which do not need fine-grained MIB views.  SVACM supports
   RADIUS for the authorization process.  VACM and SVACM exist in
   parallel; SVACM is not a replacement for VACM.  When administrators
   need fine-grained access control, VACM should be adopted.

   This document also describes the procedure of access control in SVACM
   with a RADIUS [RFC2865] server for authorization, using the attribute
   of RADIUS protocol which is defined in [radman] to carry the access
   policies.

   It is important to understand the SNMP architecture and the
   terminology of the architecture to understand where the Access
   Control Model described in this memo fits into the architecture and
   interacts with other subsystems and models within the architecture.
   The reader is expected to have read and understood the description
   and terminology of the SNMP architecture, as defined in [RFC3411].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL","SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Simplified View-based Access Control Model (SVACM)

   VACM determines the access rights of a group, representing zero or
   more securityNames which have the same access rights.  For a
   particular context, identified by contextName, to which a group,
   identified by groupName, has access using a particular securityModel
   and securityLevel, that group's access rights are given by a read-
   view, a write-view and a notify-view.

   VACM defines the vacmContextTable, which lists the locally available
   contexts by contextName.  An SNMP context is a collection of
   management information accessible by an SNMP engine, but in the
   majority of use cases there are no multiple contexts in a single
   agent.  Moreover, administrators often do not understand well what
   the concept of a context represents, so configuring contexts is
   difficult.  To be more practical, SVACM no longer considers the
   context parameter in the access control process.  SVACM addresses
   only the most common situations; if several contexts are required in
   one agent, VACM is still needed.

   SVACM does not use the securityModel parameter as VACM does.
   securityModel is an identifier that uniquely identifies a Security
   Model of the Security Subsystem within the SNMP Management
   Architecture.  In VACM, the securityModel parameter is checked in
   both vacmSecurityToGroupTable and vacmAccessTable.  SVACM removes
   securityModel from these two steps; the reasons are described in the
   following sections.

   SVACM inherits the same basic mechanism of groups and views as VACM,
   but changes some details in them, to be simpler and easier for the
   deployment.

2.1.  Elements of SVACM

2.1.1.  Groups

   In VACM a group is a set of zero or more (securityModel,
   securityName) tuples on whose behalf SNMP management objects can be
   accessed.  SVACM also uses the group mechanism, but it uses the
   securityName as the only index for the mapping to a groupName.  The
   securityModel parameter is no longer a mapping parameter in the group
   mechanism.

   In VACM, a user using different securityModels could be mapped into
   different groups, and different users, each using a different
   securityModel, could be mapped into the same group.  Including
   securityModel in the group mapping therefore makes the meaning of a
   group confusing.  In general, a group is a set of users.  Removing
   the securityModel parameter from vacmSecurityToGroupTable makes the
   concept of a group clear.  Furthermore, a single index in
   vacmSecurityToGroupTable is more straightforward than two indexes.
   The securityModel and securityLevel should indeed be taken into
   account by the access control process.  They may influence the access
   rights of a group via the mapping from the group to views, and
   thereby indirectly influence the access rights of a user.  So SVACM
   does not consider the securityModel parameter in the group mapping
   step.

   In SVACM, a securityName will be mapped into only one group.  Whether
   this mapping occurs in local database of SNMP engine or in an outer
   server depends on the deployment.  In the latter case, the outer
   server such as a RADIUS server will transport the mapped groupName
   information to the SNMP engine.  The procedure of access control in
   SVACM with a RADIUS server is described in Section 3.

2.1.2.  securityLevel

   SVACM uses the same securityLevel parameter as VACM.  SecurityLevel
   identifies the level of security that will be assumed when checking
   for access rights.  Different access rights for members of a group
   can be defined for different levels of security, i.e., noAuthNoPriv,
   authNoPriv, and authPriv.

2.1.3.  MIB Views

   In VACM, a "MIB view" details a specific set of managed object types
   (and optionally, the specific instances of object types).  The
   definition of MIB views in VACM is flexible, but configuring the
   vacmViewTreeFamilyTable is complicated.  To configure each MIB view
   in the whole MIB tree, a network administrator must know the MIB tree
   structure clearly and exactly where a given managed object is
   located.  It is too difficult for network administrators to know all
   these details and to calculate the subtree mask.

   SVACM also uses the definition of a "MIB view" to detail the managed
   object types, but SVACM simplifies MIB Views by eliminating include/
   exclude, subtree masks, and ViewTreeFamilies.

   SVACM defines a "MIB view" at a coarse granularity.  Each MIB module
   is defined as a MIB view.  These MIB views are built into the
   svacmViewTable and do not need to be configured by network
   administrators.  For example, OSPF-MIB is a MIB module which has a
   definite OID, so SVACM defines OSPF-MIB as a MIB view whose viewName
   is OSPF-MIB.  This view definition method omits the steps of
   configuring the subtree OID and subtree mask.  Administrators who
   know only the MIB module name are able to assign each view a type of
   access (read, write or notify).  It improves human readability.
   Moreover, ignoring the subtree mask and removing the exclusion of
   subtrees means that checking whether a variableName is in a specific
   MIB view is much faster than before.

   There SHOULD be a built-in MIB view in the svacmViewTable, which
   represents the whole MIB tree.  Its name could be ALL-MIB or others.

2.1.4.  Access Policy

   In SVACM, the svacmAccessTable uses only the groupName and
   securityLevel as indexes; the securityModel is discarded.  The
   securityModel is just an identifier of a security model, which does
   not indicate the completeness of a protection measure.  For
   instance, the User-based Security Model (USM) [RFC3414] can be used
   with a securityLevel of authNoPriv or authPriv.  The Transport
   Security Model (TSM) [TSM for SNMP] can also be used with a
   securityLevel of authNoPriv or authPriv.  No one can assert that one
   securityModel is more secure than another.  For a given group,
   assigning different access rights for different securityModels with
   the same securityLevel is meaningless.  So the securityLevel is the
   key factor in the access control process, and the securityModel is
   not significant.

   In the vacmAccessTable of VACM, a group's access rights are given by
   a read-view, a write-view and a notify-view.  In SVACM, each view
   includes one MIB-module subtree, and several views can be assigned
   to one type of access (read, write or notify).  So one group can
   access more than one read-view, more than one write-view or more than
   one notify-view, which are configured in the svacmAccessTable.  This
   configuration method of the svacmAccessTable reuses each built-in
   view, so it is more convenient and easier to configure.

   Most MIB module names end in -MIB, so it could be simpler for an
   agent to just list "BGP4, OSPF, MPLS, ..." in the svacmAccessTable
   and svacmViewTable, which also helps within the length limitation of
   SnmpAdminString.

2.2.  Elements of Procedure

   This section describes the procedures followed by an Access Control
   Module that deploys SVACM, when checking access rights as requested
   by an application.  The abstract service primitive is:

   statusInformation =     -- success or errorIndication
      isAccessAllowed(
         securityModel     -- Security Model in use,
                              unused in SVACM.
         securityName      -- principal who wants access
         securityLevel     -- Level of Security
         viewType          -- read, write, or notify view
         contextName       -- context containing variableName,
                              unused in SVACM
         variableName      -- OID for the managed object
         )

   The abstract data elements are:


      statusInformation    - one of the following:
            accessAllowed  - MIB views were found and access is granted.
            notInAllViews  - MIB views were found but access is denied.
                             The variableName is not in any MIB views
                             for the specified viewType (e.g., in the
                             relevant entry of svacmAccessTable).
            noSuchViews    - no MIB view found because no view has been
                             configured for specified viewType (e.g., in
                             the relevant entry in svacmAccessTable).
            noGroupName    - no MIB view found because no entry has been
                             configured in svacmSecurityToGroupTable
                             for the specified securityName.
            noAccessEntry  - no MIB view found because no entry has been
                             configured in svacmAccessTable for the
                             specified groupName (from
                             svacmSecurityToGroupTable).
            otherError     - failure, an undefined error occurred.

2.2.1.  Overview of isAccessAllowed Process

   The following figure shows how the access control decision is made
   by SVACM.  This process does not check the contextName and
   securityModel parameters, which are unused in SVACM.


   +-----------------------------------------------------------+
   |                                                           |
   |  securityName ---> groupName --+                          |
   |                                |                          |
   |  securityLevel ----------------+-> viewNames -+-> yes/no  |
   |                                |              |  decision |
   |  viewType (read/write/notify)--+              |           |
   |                                               |           |
   |  variableName (OID) --------------------------+           |
   |                                                           |
   +-----------------------------------------------------------+

2.2.2.  Processing the isAccessAllowed Service Request

   This section describes the procedure followed by an Access Control
   module that deploys SVACM whenever it receives an isAccessAllowed
   request.

       1) The svacmSecurityToGroupTable is consulted for mapping the
          securityName into a groupName. If the information about this
          securityName is absent from the table, then an
          errorIndication (noGroupName) is returned to the calling
          module, and the processing of the request stops.

       2) The svacmAccessTable is consulted for information about the
          groupName and securityLevel. If information about this
          combination is absent from the table, then an
          errorIndication (noAccessEntry) is returned to the calling
          module, and the processing of the request stops.

       3) a) If the viewType is "read", then the read views are used for
             checking access rights.

          b) If the viewType is "write", then the write views are used
             for checking access rights.

          c) If the viewType is "notify", then the notify views are used
             for checking access rights.

          If the viewType is a zero length string, then an
          errorIndication (noSuchViews) is returned to the calling
          module, and the processing of the request stops.

       4) a) If a view in the read-view (write-view or notify-view)
             list is not built into the svacmViewTable, ignore it and
             go on to match the other views in the list. If none of the
             views configured for the specified viewType is found in
             the svacmViewTable, then an errorIndication (noSuchViews)
             is returned to the calling module, and the processing of
             the request stops.

          b) If the specified variableName (object instance) is not in
             the MIB views then an errorIndication (notInAllViews) is
             returned to the calling module, and the processing of the
             request stops.

          Otherwise,

          c) The specified variableName is in the MIB views. A
             statusInformation of success (accessAllowed) is returned
             to the calling module.
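
   The procedure above, as an added illustration that is not part of the
   draft: the three SVACM tables, their OIDs and the user names are
   constructed sample data; the resolver hook for a RADIUS-supplied
   groupName (Section 3) and the acceptance of a bare module name such as
   "OSPF" for "OSPF-MIB" (Section 2.1.4) are assumptions.  It also carries
   out the MIB-view membership check of Section 2.1.3 as a plain OID
   prefix compare.

```python
"""SVACM isAccessAllowed (Section 2.2.2) as an added illustration.
The three tables below are constructed sample data, not part of the draft."""
from typing import Callable, Dict, Optional, Tuple

OID = Tuple[int, ...]

# Constructed svacmViewTable: one built-in view per MIB module, keyed by
# svacmViewName, with svacmViewSubtree as the value.  The empty tuple is
# the root of the tree, so the ALL-MIB view covers everything.
SVACM_VIEW_TABLE: Dict[str, OID] = {
    "ALL-MIB": (),
    "OSPF-MIB": (1, 3, 6, 1, 2, 1, 14),
    "BGP4-MIB": (1, 3, 6, 1, 2, 1, 15),
}

# Constructed svacmSecurityToGroupTable: securityName -> groupName.
SVACM_SECURITY_TO_GROUP: Dict[str, str] = {
    "operator": "ops-ro",
    "netadmin": "ops-rw",
}

# Constructed svacmAccessTable, indexed by (groupName, securityLevel).
# Each column is a comma-separated list of view names; the empty string
# (the DEFVAL) grants no access.  "OSPF" without the -MIB suffix uses the
# shorthand suggested in Section 2.1.4, and NO-SUCH-MIB is a name that is
# not built in, which step 4a says must be ignored.
SVACM_ACCESS_TABLE: Dict[Tuple[str, str], Dict[str, str]] = {
    ("ops-ro", "authNoPriv"): {"read": "OSPF, BGP4-MIB", "write": "",
                               "notify": "OSPF-MIB"},
    ("ops-rw", "authPriv"): {"read": "ALL-MIB", "write": "OSPF-MIB,NO-SUCH-MIB",
                             "notify": "ALL-MIB"},
}

GroupResolver = Callable[[str], Optional[str]]


def local_group_lookup(security_name: str) -> Optional[str]:
    """Step 1 against the local svacmSecurityToGroupTable.  With RADIUS
    (Section 3) the engine would instead pass a resolver that returns the
    groupName carried in the Management-Policy-Id of the Access-Accept."""
    return SVACM_SECURITY_TO_GROUP.get(security_name)


def resolve_view(view_name: str) -> Optional[OID]:
    """Look up a view by name.  Accepting a bare module name such as "OSPF"
    for "OSPF-MIB" is an assumption based on the suggestion in Section 2.1.4."""
    name = view_name.strip()
    if name in SVACM_VIEW_TABLE:
        return SVACM_VIEW_TABLE[name]
    return SVACM_VIEW_TABLE.get(name + "-MIB")


def in_view(subtree: OID, variable_name: OID) -> bool:
    """A variableName is in a view when the view's subtree OID is a prefix
    of it; with no subtree mask and no exclusions this is a plain compare."""
    return variable_name[:len(subtree)] == subtree


def is_access_allowed(security_name: str, security_level: str, view_type: str,
                      variable_name: OID,
                      group_resolver: GroupResolver = local_group_lookup) -> str:
    """Return the statusInformation of the draft's abstract service primitive.
    securityModel and contextName are unused in SVACM and therefore omitted."""
    # 1) securityName -> groupName
    group_name = group_resolver(security_name)
    if group_name is None:
        return "noGroupName"
    # 2) (groupName, securityLevel) -> access entry.  The procedure looks up
    #    the exact combination; the MIB DESCRIPTION of svacmSecurityLevel
    #    calls the level a minimum, so a deployment may instead select the
    #    highest entry not above the requested level.
    entry = SVACM_ACCESS_TABLE.get((group_name, security_level))
    if entry is None:
        return "noAccessEntry"
    # 3) select the view list for read / write / notify
    if view_type == "":
        return "noSuchViews"
    if view_type not in entry:
        return "otherError"
    # 4a) resolve every listed view, ignoring names that are not built in
    subtrees = [s for s in (resolve_view(n) for n in entry[view_type].split(","))
                if s is not None]
    if not subtrees:
        return "noSuchViews"
    # 4b/4c) the OID must fall under at least one of the selected views
    if any(in_view(s, variable_name) for s in subtrees):
        return "accessAllowed"
    return "notInAllViews"


if __name__ == "__main__":
    # sample query: the OSPF-MIB instance ospfRouterId.0 under mib-2 14
    print(is_access_allowed("operator", "authNoPriv", "read",
                            (1, 3, 6, 1, 2, 1, 14, 1, 1, 0)))
```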

3.  RADIUS authorization for SNMP

   SVACM is easy to integrate with RADIUS.  When an SNMP engine uses a
   RADIUS server to complete the authorization part of access control,
   the SNMP engine takes the role of the NAS from the RADIUS server's
   point of view.  The mapping from securityName to groupName is then
   done by the RADIUS server instead of by the svacmSecurityToGroupTable
   of SVACM in the SNMP engine.

   [radman] defines a RADIUS attribute, Management-Policy-Id, which is
   transported in an Access-Accept message and indicates the name of
   the management access policy for the user.  When SVACM is integrated
   with RADIUS, the Management-Policy-Id attribute indicates the
   groupName to which the user belongs.

4.  Definitions

   SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-COMPLIANCE                  FROM SNMPv2-CONF
       MODULE-IDENTITY, OBJECT-TYPE,
       snmpModules                        FROM SNMPv2-SMI
       RowStatus, StorageType             FROM SNMPv2-TC
       SnmpAdminString                    FROM SNMP-FRAMEWORK-MIB;

   snmpSvacmMIB       MODULE-IDENTITY
       LAST-UPDATED ""
       ORGANIZATION ""
       CONTACT-INFO "
                    "
       DESCRIPTION  "The management information definitions for the
                     Simplified View-based Access Control Model for
                     SNMP.
                    "
       ::= { snmpModules x }

   -- Administrative assignments *************************************

   svacmMIBObjects      OBJECT IDENTIFIER ::= { snmpSvacmMIB 1 }
   svacmMIBConformance  OBJECT IDENTIFIER ::= { snmpSvacmMIB 2 }

   -- Information about Groups ***************************************

   svacmSecurityToGroupTable OBJECT-TYPE
       SYNTAX       SEQUENCE OF SvacmSecurityToGroupEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "This table maps a securityName into a groupName
                    which is used to define an access control policy
                    for a group of principals.
                   "
       ::= { svacmMIBObjects 1 }

   svacmSecurityToGroupEntry OBJECT-TYPE
       SYNTAX       SvacmSecurityToGroupEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "An entry in this table maps a securityName into a
                    groupName.
                   "
       INDEX       {
                     svacmSecurityName
                   }
       ::= { svacmSecurityToGroupTable 1 }

   SvacmSecurityToGroupEntry ::= SEQUENCE
       {
           svacmSecurityName                SnmpAdminString,
           svacmGroupName                   SnmpAdminString,
           svacmSecurityToGroupStorageType  StorageType,
           svacmSecurityToGroupStatus       RowStatus
       }

   svacmSecurityName OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "The securityName for the principal which is
                    mapped by this entry into a groupName.
                   "
       ::= { svacmSecurityToGroupEntry 1 }

   svacmGroupName    OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The name of the group which this entry (the
                    securityName) belongs to.

                    This groupName is used as an index in the
                    svacmAccessTable to select an access control
                    policy. However, a value in this table does not
                    imply that an instance with the value exists in
                    svacmAccessTable.
                   "
       ::= { svacmSecurityToGroupEntry 2 }

   svacmSecurityToGroupStorageType OBJECT-TYPE
       SYNTAX       StorageType
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The storage type for this conceptual row.
                    Conceptual rows having the value 'permanent' need
                    not allow write-access to any columnar objects in
                    the row.
                   "
       DEFVAL      { nonVolatile }
       ::= { svacmSecurityToGroupEntry 3 }

   svacmSecurityToGroupStatus OBJECT-TYPE
       SYNTAX       RowStatus
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The status of this conceptual row.

                    Until instances of all corresponding columns are
                    appropriately configured, the value of the
                    corresponding instance of the
                    svacmSecurityToGroupStatus column is 'notReady'.

                    In particular, a newly created row cannot be made
                    active until a value has been set for
                    svacmGroupName.

                    The RowStatus TC [RFC2579] requires that this
                    DESCRIPTION clause states under which circumstances
                    other objects in this row can be modified:

                    The value of this object has no effect on whether
                    other objects in this conceptual row can be
                    modified.
                   "
       ::= { svacmSecurityToGroupEntry 4 }

   -- Information about Access Rights ********************************

   svacmAccessTable  OBJECT-TYPE
       SYNTAX       SEQUENCE OF SvacmAccessEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "The table of access rights for groups.

                    Each entry is indexed by a groupName and a
                    svacmSecurityLevel. To determine whether access
                    is allowed, one entry from this table needs to
                    be selected and the proper viewNames from that
                    entry must be used for access control checking.
                    "
       ::= { svacmMIBObjects 2 }

   svacmAccessEntry  OBJECT-TYPE
       SYNTAX       SvacmAccessEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "An access right configured in the Local
                    Configuration Datastore (LCD) authorizing access to
                    an SNMP engine.

                    Entries in this table can use an instance value for
                    object svacmGroupName even if no entry in table
                    svacmSecurityToGroupTable has a corresponding
                    value for object svacmGroupName.
                   "
       INDEX       { svacmGroupName,
                     svacmSecurityLevel
                   }
       ::= { svacmAccessTable 1 }

   SvacmAccessEntry ::= SEQUENCE
       {
           svacmSecurityLevel          SnmpAdminString,
           svacmAccessReadViewNames    SnmpAdminString,
           svacmAccessWriteViewNames   SnmpAdminString,
           svacmAccessNotifyViewNames  SnmpAdminString,
           svacmAccessStorageType      StorageType,
           svacmAccessStatus           RowStatus
       }

   svacmSecurityLevel OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(0..32))
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "The minimum level of security required in order to
                    gain the access rights allowed by this conceptual
                    row.  A securityLevel of noAuthNoPriv is less than
                    authNoPriv which in turn is less than authPriv."
       ::= { svacmAccessEntry 1 }

   svacmAccessReadViewNames OBJECT-TYPE
       SYNTAX       SnmpAdminString
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The value of an instance of this object identifies
                    the MIB views of the SNMP engine to which this
                    conceptual row authorizes read access.

                    One SnmpAdminString carries a list of read view
                    names separated by commas.

                    The identified MIB views are those for which the
                    svacmViewName has the same value as one of the names
                    listed in the instance of this object; if the value
                    is the empty string or if there is no active MIB view
                    having any of these values of svacmViewName, then no
                    access is granted.
                   "
       DEFVAL      { ''H }   -- the empty string
       ::= { svacmAccessEntry 2 }

   svacmAccessWriteViewNames OBJECT-TYPE
       SYNTAX       SnmpAdminString
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The value of an instance of this object identifies
                    the MIB views of the SNMP engine to which this
                    conceptual row authorizes write access.

                    One SnmpAdminString carries a list of write view
                    names separated by commas.

                    The identified MIB views are those for which the
                    svacmViewName has the same value as one of the names
                    listed in the instance of this object; if the value
                    is the empty string or if there is no active MIB view
                    having any of these values of svacmViewName, then no
                    access is granted.
                   "
       DEFVAL      { ''H }   -- the empty string
       ::= { svacmAccessEntry 3 }

   svacmAccessNotifyViewNames OBJECT-TYPE
       SYNTAX       SnmpAdminString
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The value of an instance of this object identifies
                    the MIB views of the SNMP engine to which this
                    conceptual row authorizes access for notifications.

                    One SnmpAdminString carries a list of notify view
                    names separated by commas.

                    The identified MIB views are those for which the
                    svacmViewName has the same value as one of the names
                    listed in the instance of this object; if the value
                    is the empty string or if there is no active MIB view
                    having any of these values of svacmViewName, then no
                    access is granted.
                   "
       DEFVAL      { ''H }   -- the empty string
       ::= { svacmAccessEntry 4 }

   svacmAccessStorageType OBJECT-TYPE
       SYNTAX       StorageType
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The storage type for this conceptual row.

                    Conceptual rows having the value 'permanent' need
                    not allow write-access to any columnar objects in
                    the row.
                   "
       DEFVAL      { nonVolatile }
       ::= { svacmAccessEntry 5 }

   svacmAccessStatus OBJECT-TYPE
       SYNTAX       RowStatus
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The status of this conceptual row.

                    The RowStatus TC [RFC2579] requires that this
                    DESCRIPTION clause states under which circumstances
                    other objects in this row can be modified:

                    The value of this object has no effect on whether
                    other objects in this conceptual row can be
                    modified.
                   "
       ::= { svacmAccessEntry 6 }

   -- Information about MIB views ************************************

   -- Support for MIB-module-granularity is compulsory.


   svacmMIBViews     OBJECT IDENTIFIER ::= { svacmMIBObjects 3 }

   svacmViewTable OBJECT-TYPE
       SYNTAX       SEQUENCE OF SvacmViewEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "Locally held information about MIB views. This table
                    is built in by the agent, and cannot be altered or
                    deleted by any administrator.

                    Each MIB view is an included subtree at the
                    granularity of one MIB module with a definite OID
                    value, so a view for each MIB module can be built
                    into this table.

                    To determine whether a particular object instance is
                    in a particular MIB view, compare the object
                    instance's OBJECT IDENTIFIER with the subtree of the
                    MIB view's active entry in this table. If it does
                    not match, then the object instance is not in the
                    MIB view. If it matches, then the object instance is
                    included in the MIB view.

                    If an administrator attempts to create or delete an
                    entry in the svacmViewTable, an error must be
                    returned.
                   "
       ::= { svacmMIBViews 1 }

   svacmViewEntry OBJECT-TYPE
       SYNTAX       SvacmViewEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "Information on a particular view subtree included
                    in a particular SNMP engine's MIB view.

                    If no conceptual rows exist in this table for a
                    given MIB view (viewName), then an errorIndication
                    (noSuchView) is returned.
                   "
       INDEX       {
                     svacmViewName
                   }
       ::= { svacmViewTable 1 }

   SvacmViewEntry ::= SEQUENCE
       {
           svacmViewName         SnmpAdminString,
           svacmViewSubtree      OBJECT IDENTIFIER
       }

   svacmViewName OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION "The human readable name for a MIB-module-granularity
                    view.
                   "
       ::= { svacmViewEntry 1 }

   svacmViewSubtree OBJECT-TYPE
       SYNTAX       OBJECT IDENTIFIER
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION "The MIB subtree that defines a MIB-module-
                    granularity view. For each svacmViewName the subtree
                    OID is fixed and built into the svacmViewTable; it
                    is not configured by administrators.
                   "
       ::= { svacmViewEntry 2 }

   -- Conformance information ****************************************

   svacmMIBCompliances  OBJECT IDENTIFIER ::= { svacmMIBConformance 1 }
   svacmMIBGroups       OBJECT IDENTIFIER ::= { svacmMIBConformance 2 }

   -- Compliance statements ******************************************

   svacmMIBCompliance MODULE-COMPLIANCE
       STATUS       current
       DESCRIPTION "The compliance statement for SNMP engines which
                    deploy the SNMP simplified View-based Access
                    Control Model configuration MIB.
                   "
       MODULE -- this module
           MANDATORY-GROUPS { svacmBasicGroup }

           OBJECT        svacmAccessReadViewNames
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."

           OBJECT        svacmAccessWriteViewNames
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."

           OBJECT        svacmAccessNotifyViewNames
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."

           OBJECT        svacmAccessStorageType
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."

           OBJECT        svacmAccessStatus
           MIN-ACCESS    read-only
           DESCRIPTION  "Create/delete/modify access to the
                         svacmAccessTable is not required.
                        "
       ::= { svacmMIBCompliances 1 }

   -- Units of conformance ***********************************

   svacmBasicGroup OBJECT-GROUP
       OBJECTS {
                 svacmGroupName,
                 svacmSecurityLevel,
                 svacmSecurityToGroupStorageType,
                 svacmSecurityToGroupStatus,
                 svacmAccessReadViewNames,
                 svacmAccessWriteViewNames,
                 svacmAccessNotifyViewNames,
                 svacmAccessStorageType,
                 svacmAccessStatus
               }
       STATUS       current
       DESCRIPTION "A collection of objects providing for remote
                    configuration of an SNMP engine which deploys
                    the SNMP simplified View-based Access Control Model.
                   "
       ::= { svacmMIBGroups 1 }
   END


5.  Security Considerations

5.1.  Recommended Practices

   This document is meant for use in the SNMP architecture.  The
   Simplified View-based Access Control Model described in this document
   checks access rights to management information based on:

       -  groupName, representing a set of zero or more
          securityNames. The securityName is mapped into a group in the
          Simplified View-based Access Control Model.

       -  securityLevel under which access is requested.

       -  operation performed on the management information.

       -  MIB views for read, write or notify access.

   When the Simplified View-based Access Control Model is called to
   check access rights, it is assumed that the calling module has
   already ensured the authentication and privacy aspects specified by
   the securityLevel being passed; that is, the security model in use
   (the User-based Security Model [RFC3414] or the Transport Security
   Model [TSM for SNMP]) has verified the message at that level.  The
   access control model itself performs no authentication.

5.2.  Defining Groups

   The groupNames are used to give access to a group of zero or more
   securityNames.  Within the Simplified View-Based Access Control
   Model, a groupName is considered to exist if that groupName is listed
   in the svacmSecurityToGroupTable.

   By mapping the securityName into a groupName, an SNMP Command
   Generator application can add/delete securityNames to/from a group,
   if proper access is allowed.

   Further, it is important to realize that the grouping of
   securityNames in the svacmSecurityToGroupTable does not take
   securityLevel into account: a securityName maps to the same groupName
   whether or not the message carrying it was authenticated.  It is
   therefore important that the security administrator uses the
   securityLevel index in the svacmAccessTable to separate noAuthNoPriv
   from authPriv and/or authNoPriv access; in particular, rows at
   noAuthNoPriv should not grant write access, since nothing in such a
   message authenticates the securityName it carries.

   The View-based Access Control Model and the Simplified View-based
   Access Control Model exist side by side, and an SNMP engine must
   decide which ACM to use (VACM or SVACM).  The Simplified View-based
   Access Control Model is intended for deployments that do not use the
   context parameter and that are content with coarse-grained MIB views
   at the level of whole MIB modules.  When administrators need
   fine-grained access control, or several contexts in one agent, the
   View-based Access Control Model is still needed.
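
   The access decision sketched in Section 5.1, the securityLevel hazard
   described in this section, and the module-granularity view test from
   the svacmViewTable DESCRIPTION are worked through in the following
   added example.  It is not code from this draft or from Huawei.  The
   table layouts (in particular indexing svacmAccessTable by groupName,
   securityModel and securityLevel), the VACM-style rule of selecting
   the row with the highest securityLevel not above the request's, the
   securityName 'ops-user', the group 'ops' and the two sample views are
   assumptions made for illustration.

```python
"""SVACM access-check model (added example; not code from the draft or
from Huawei).  Assumptions are marked in the comments."""
from dataclasses import dataclass
from typing import Dict, Tuple

# SnmpSecurityLevel values from RFC 3411.
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3
USM = 3  # securityModel number of the User-based Security Model (RFC 3411)

Oid = Tuple[int, ...]

# svacmViewTable: built into the agent, one subtree per MIB module, never
# written by an administrator.  Constructed sample with two modules.
VIEW_TABLE: Dict[str, Oid] = {
    "system":     (1, 3, 6, 1, 2, 1, 1),   # SNMPv2-MIB system group
    "interfaces": (1, 3, 6, 1, 2, 1, 2),   # IF-MIB interfaces subtree
}

# Sample object instances (constructed) used below.
SYS_NAME_0 = (1, 3, 6, 1, 2, 1, 1, 5, 0)            # sysName.0
IF_DESCR_1 = (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 1)      # ifDescr.1


@dataclass(frozen=True)
class AccessRow:
    """One svacmAccessTable row: view names for read/write/notify.
    The empty string is the MIB's DEFVAL and means "no access"."""
    read_view: str = ""
    write_view: str = ""
    notify_view: str = ""


class SvacmEngine:
    def __init__(self) -> None:
        self.views = VIEW_TABLE  # read-only by design
        # svacmSecurityToGroupTable: (securityModel, securityName) -> groupName.
        # securityLevel is deliberately NOT part of this key (Section 5.2).
        self.security_to_group: Dict[Tuple[int, str], str] = {}
        # svacmAccessTable keyed by (groupName, securityModel, securityLevel).
        # Assumption: the index mirrors vacmAccessTable; the draft's INDEX
        # clause for this table is outside this excerpt.
        self.access: Dict[Tuple[str, int, int], AccessRow] = {}

    def in_view(self, view_name: str, oid: Oid) -> bool:
        """Module-granularity test: the instance lies under the view's one
        subtree.  Raises LookupError('noSuchView') if no row has that name."""
        if view_name not in self.views:
            raise LookupError("noSuchView")
        subtree = self.views[view_name]
        return oid[:len(subtree)] == subtree

    def is_access_allowed(self, security_model: int, security_name: str,
                          security_level: int, view_type: str, oid: Oid) -> str:
        """Return a VACM-style statusInformation string."""
        group = self.security_to_group.get((security_model, security_name))
        if group is None:
            return "noGroupName"
        # Assumption borrowed from VACM (RFC 3415): among rows for this group
        # and model, pick the highest securityLevel not above the request's.
        levels = [lvl for (g, m, lvl) in self.access
                  if g == group and m == security_model and lvl <= security_level]
        if not levels:
            return "noAccessEntry"
        row = self.access[(group, security_model, max(levels))]
        view_name = {"read": row.read_view, "write": row.write_view,
                     "notify": row.notify_view}[view_type]
        if view_name == "":
            return "noSuchView"           # empty view name: no access granted
        try:
            return "accessAllowed" if self.in_view(view_name, oid) else "notInView"
        except LookupError:
            return "noSuchView"


def weak_config() -> SvacmEngine:
    """Weak: the group's only row sits at noAuthNoPriv and grants write, so an
    unauthenticated message that merely claims securityName 'ops-user' gets it
    (and, under the VACM matching rule, so does every higher level)."""
    e = SvacmEngine()
    e.security_to_group[(USM, "ops-user")] = "ops"
    e.access[("ops", USM, NO_AUTH_NO_PRIV)] = AccessRow(read_view="system",
                                                        write_view="interfaces")
    return e


def hardened_config() -> SvacmEngine:
    """Hardened: write access is reachable only through the authPriv row;
    the noAuthNoPriv row grants read of the system group and nothing else."""
    e = SvacmEngine()
    e.security_to_group[(USM, "ops-user")] = "ops"
    e.access[("ops", USM, NO_AUTH_NO_PRIV)] = AccessRow(read_view="system")
    e.access[("ops", USM, AUTH_PRIV)] = AccessRow(read_view="system",
                                                  write_view="interfaces")
    return e


if __name__ == "__main__":
    for name, eng in (("weak", weak_config()), ("hardened", hardened_config())):
        for lvl in (NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV):
            print(name, lvl, "write ifDescr.1 ->",
                  eng.is_access_allowed(USM, "ops-user", lvl, "write", IF_DESCR_1))
```

   Running the block shows the difference the securityLevel index makes:
   with the weak configuration a noAuthNoPriv request that simply names
   'ops-user' is granted write access to the interfaces subtree, whereas
   with the hardened configuration the same request, and an authNoPriv
   one, fall back to the noAuthNoPriv row and get noSuchView, and only
   an authPriv request reaches the row that carries a write view.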

5.3.  Conformance

   For an implementation of the Simplified View-based Access Control
   Model to be conformant, it MUST implement the
   SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB according to the
   svacmMIBCompliance.

5.4.  Access to the SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB

   The objects in this MIB control the access to all MIB data that is
   accessible via the SNMP engine and they may be considered sensitive
   in many environments.  It is important to closely control (both read
   and write) access to these MIB objects by using appropriately
   configured Access Control models (for example the Simplified View-
   based Access Control Model as specified in this document).

6.  Notation

   None.

7.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2579]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Textual Conventions for SMIv2", STD 58, RFC 2579,
              April 1999.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000,
              <http://www.ietf.org/rfc/rfc2865.txt?number=2865>.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002, <http://www.ietf.org/rfc/rfc3411.txt>.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002,
              <http://www.ietf.org/rfc/rfc3414.txt>.

   [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415,
              December 2002, <http://www.ietf.org/rfc/rfc3415.txt>.

   [TSM for SNMP]
              Harrington, D., "Transport Security Model for SNMP",
              draft-ietf-isms-transport-security-model-07 (work in
              progress), February 2008, <http://www.ietf.org/
              internet-drafts/
              draft-ietf-isms-transport-security-model-07.txt>.

   [radman]   Nelson, D., "Remote Authentication Dial-In User Service
              (RADIUS) Authorization for Network Access Server (NAS)
              Management", draft-ietf-radext-management-authorization-02
              (work in progress), February 2008, <http://www.ietf.org/
              internet-drafts/
              draft-ietf-radext-management-authorization-02.txt>.

Authors' Addresses

   Chunxiu Li
   Huawei Technologies
   HuaWei Building, No.3 Xinxi Rd.,Shang-Di Information Industry Base
   Beijing  100085
   China

   Phone: +86 010 82836081
   Email: lichunxiu@huawei.com
   URI:   http://www.huawei.com


   Yan Li
   Huawei Technologies
   HuaWei Building, No.3 Xinxi Rd.,Shang-Di Information Industry Base
   Beijing  100085
   China

   Phone: +86 010 82836074
   Email: liyan_77@huawei.com
   URI:   http://www.huawei.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2008).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.
