View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
RFC 2275
| | | |
|---|---|---|
| Document | Type | RFC - Proposed Standard (January 1998; No errata) |
| | | Obsoleted by RFC 2575 |
| | | Obsoletes RFC 2265 |
| | Last updated | 2013-03-02 |
| | Stream | Legacy |
| Stream | Legacy state | (None) |
| | Consensus Boilerplate | Unknown |
| | RFC Editor Note | (None) |
| IESG | IESG state | RFC 2275 (Proposed Standard) |
| | Responsible AD | (None) |
| | Send notices to | (None) |
Network Working Group                                         B. Wijnen
Request for Comments: 2275                    IBM T. J. Watson Research
Obsoletes: 2265                                              R. Presuhn
Category: Standards Track                            BMC Software, Inc.
                                                          K. McCloghrie
                                                    Cisco Systems, Inc.
                                                           January 1998

             View-based Access Control Model (VACM) for the
               Simple Network Management Protocol (SNMP)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements. Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998). All Rights Reserved.

IANA Note

   Due to a clerical error in the assignment of the snmpModules in this
   memo, this RFC provides the corrected number assignment for this
   protocol. This memo obsoletes RFC 2265.

Abstract

   This document describes the View-based Access Control Model for use
   in the SNMP architecture [RFC2271]. It defines the Elements of
   Procedure for controlling access to management information. This
   document also includes a MIB for remotely managing the configuration
   parameters for the View-based Access Control Model.

Table of Contents

   1. Introduction
   1.2. Access Control
   1.3. Local Configuration Datastore
   2. Elements of the Model
   2.1. Groups
   2.2. securityLevel
   2.3. Contexts
   2.4. MIB Views and View Families
   2.4.1. View Subtree

Wijnen, et. al.             Standards Track                    [Page 1]
RFC 2275                    VACM for SNMPv3                January 1998

   2.4.2. ViewTreeFamily
   2.5. Access Policy
   3. Elements of Procedure
   3.1. Overview of isAccessAllowed Process
   3.2. Processing the isAccessAllowed Service Request
   4. Definitions
   5. Intellectual Property
   6. Acknowledgements
   7. Security Considerations
   7.1. Recommended Practices
   7.2. Defining Groups
   7.3. Conformance
   8. References
   9. Editors' Addresses
   A.1. Installation Parameters
   B. Full Copyright Statement

1. Introduction

   The Architecture for describing Internet Management Frameworks
   [RFC2271] describes that an SNMP engine is composed of:

      1) a Dispatcher
      2) a Message Processing Subsystem,
      3) a Security Subsystem, and
      4) an Access Control Subsystem.

   Applications make use of the services of these subsystems.

   It is important to understand the SNMP architecture and its
   terminology to understand where the View-based Access Control Model
   described in this document fits into the architecture and interacts
   with other subsystems within the architecture. The reader is
   expected to have read and understood the description and terminology
   of the SNMP architecture, as defined in [RFC2271].

   The Access Control Subsystem of an SNMP engine has the
   responsibility for checking whether a specific type of access (read,
   write, notify) to a particular object (instance) is allowed.

   It is the purpose of this document to define a specific model of the
   Access Control Subsystem, designated the View-based Access Control
   Model. Note that this is not necessarily the only Access Control
   Model.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2. Access Control

   Access Control occurs (either implicitly or explicitly) in an SNMP