RFC 2273
SNMPv3 Applications
4.2. The Notification MIB Module The SNMP-NOTIFICATION-MIB module contains objects for the remote configuration of the parameters used by an SNMP entity for the generation of notifications. It consists of three tables and conformance/compliance statements. The first table, the snmpNotifyTable, contains entries which select which entries in the snmpTargetAddrTable should be used for generating notifications, and the type of notifications to be generated. The second table sparsely augments the snmpTargetAddrTable with an object which is used to associate a set of filters with a particular management target. The third table defines filters which are used to limit the number of notifications which are generated using particular management targets.
4.2.1. Definitions SNMP-NOTIFICATION-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, snmpModules FROM SNMPv2-SMI RowStatus, StorageType FROM SNMPv2-TC SnmpAdminString FROM SNMP-FRAMEWORK-MIB SnmpTagValue, snmpTargetParamsName FROM SNMP-TARGET-MIB MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; snmpNotificationMIB MODULE-IDENTITY LAST-UPDATED "9711210000Z" ORGANIZATION "IETF SNMPv3 Working Group" CONTACT-INFO "WG-email: snmpv3@tis.com Subscribe: majordomo@tis.com In message body: subscribe snmpv3 Chair: Russ Mundy Trusted Information Systems Postal: 3060 Washington Rd Glenwood MD 21738 USA Email: mundy@tis.com Phone: +1-301-854-6889 Co-editor: David B. Levi SNMP Research, Inc. Postal: 3001 Kimberlin Heights Road Knoxville, TN 37920-9716 E-mail: levi@snmp.com Phone: +1 423 573 1434
Co-editor: Paul Meyer
Secure Computing Corporation
Postal: 2675 Long Lake Road
Roseville, MN 55113
E-mail: paul_meyer@securecomputing.com
Phone: +1 612 628 1592
Co-editor: Bob Stewart
Cisco Systems, Inc.
Postal: 170 West Tasman Drive
San Jose, CA 95134-1706
E-mail: bstewart@cisco.com
Phone: +1 603 654 6923"
DESCRIPTION
"This MIB module defines MIB objects which provide
mechanisms to remotely configure the parameters
used by an SNMP entity for the generation of
notifications."
REVISION "9707140000Z"
DESCRIPTION
"The initial revision."
::= { snmpModules 13 }
snmpNotifyObjects OBJECT IDENTIFIER ::=
{ snmpNotificationMIB 1 }
snmpNotifyConformance OBJECT IDENTIFIER ::=
{ snmpNotificationMIB 3 }
--
--
-- The snmpNotifyObjects group
--
--
snmpNotifyTable OBJECT-TYPE
SYNTAX SEQUENCE OF SnmpNotifyEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table is used to select management targets which should
receive notifications, as well as the type of notification
which should be sent to each selected management target."
::= { snmpNotifyObjects 1 }
snmpNotifyEntry OBJECT-TYPE
SYNTAX SnmpNotifyEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in this table selects a set of management targets
which should receive notifications, as well as the type of
notification which should be sent to each selected
management target.
Entries in the snmpNotifyTable are created and
deleted using the snmpNotifyRowStatus object."
INDEX { IMPLIED snmpNotifyName }
::= { snmpNotifyTable 1 }
SnmpNotifyEntry ::= SEQUENCE {
snmpNotifyName SnmpAdminString,
snmpNotifyTag SnmpTagValue,
snmpNotifyType INTEGER,
snmpNotifyStorageType StorageType,
snmpNotifyRowStatus RowStatus
}
snmpNotifyName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The locally arbitrary, but unique identifier associated
with this snmpNotifyEntry."
::= { snmpNotifyEntry 1 }
snmpNotifyTag OBJECT-TYPE
SYNTAX SnmpTagValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object contains a single tag value which is used
to select entries in the snmpTargetAddrTable. Any entry
in the snmpTargetAddrTable which contains a tag value
which is equal to the value of an instance of this
object is selected. If this object contains a value
of zero length, no entries are selected."
::= { snmpNotifyEntry 2 }
snmpNotifyType OBJECT-TYPE
SYNTAX INTEGER {
trap(1),
inform(2)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object determines the type of notification to
be generated for entries in the snmpTargetAddrTable
selected by the corresponding instance of
snmpNotifyTag.
If the value of this object is trap(1), then any
messages generated for selected rows will contain
SNMPv2-Trap PDUs.
If the value of this object is inform(2), then any
messages generated for selected rows will contain
Inform PDUs.
Note that if an SNMP entity only supports
generation of traps (and not informs), then this
object may be read-only."
DEFVAL { trap }
::= { snmpNotifyEntry 3 }
snmpNotifyStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this conceptual row."
::= { snmpNotifyEntry 4 }
snmpNotifyRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this conceptual row.
To create a row in this table, a manager must
set this object to either createAndGo(4) or
createAndWait(5).
Until instances of all corresponding columns are
appropriately configured, the value of the
corresponding instance of the snmpNotifyRowStatus
column is 'notReady'.
In particular, a newly created row cannot be made
active until the corresponding snmpNotifyTag has
been set."
::= { snmpNotifyEntry 5 }
snmpNotifyFilterProfileTable OBJECT-TYPE
SYNTAX SEQUENCE OF SnmpNotifyFilterProfileEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table is used to associate a notification filter
profile with a particular set of target parameters."
::= { snmpNotifyObjects 2 }
snmpNotifyFilterProfileEntry OBJECT-TYPE
SYNTAX SnmpNotifyFilterProfileEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in this table indicates the name of the filter
profile to be used when generating notifications using
the corresponding entry in the snmpTargetParamsTable.
Entries in the snmpNotifyFilterProfileTable are created
and deleted using the snmpNotifyFilterProfileRowStatus
object."
INDEX { IMPLIED snmpTargetParamsName }
::= { snmpNotifyFilterProfileTable 1 }
SnmpNotifyFilterProfileEntry ::= SEQUENCE {
snmpNotifyFilterProfileName SnmpAdminString,
snmpNotifyFilterProfileStorType StorageType,
snmpNotifyFilterProfileRowStatus RowStatus
}
snmpNotifyFilterProfileName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The name of the filter profile to be used when generating
notifications using the corresponding entry in the
snmpTargetAddrTable."
::= { snmpNotifyFilterProfileEntry 1 }
snmpNotifyFilterProfileStorType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type of this conceptual row."
::= { snmpNotifyFilterProfileEntry 2 }
snmpNotifyFilterProfileRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this conceptual row.
To create a row in this table, a manager must
set this object to either createAndGo(4) or
createAndWait(5)."
::= { snmpNotifyFilterProfileEntry 3 }
snmpNotifyFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF SnmpNotifyFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table of filter profiles. Filter profiles are used
to determine whether particular management targets should
receive particular notifications.
When a notification is generated, it must be compared
with the filters associated with each management target
which is configured to receive notifications. If the
notification is matched by a filter, it is not sent to
the management target with which the filter is
associated."
::= { snmpNotifyObjects 3 }
snmpNotifyFilterEntry OBJECT-TYPE
SYNTAX SnmpNotifyFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An element of a filter profile.
Entries in the snmpNotifyFilterTable are created and
deleted using the snmpNotifyFilterRowStatus object."
INDEX { snmpNotifyFilterProfileName,
IMPLIED snmpNotifyFilterSubtree }
::= { snmpNotifyFilterTable 1 }
SnmpNotifyFilterEntry ::= SEQUENCE {
snmpNotifyFilterSubtree OBJECT IDENTIFIER,
snmpNotifyFilterMask OCTET STRING,
snmpNotifyFilterType INTEGER,
snmpNotifyFilterStorageType StorageType,
snmpNotifyFilterRowStatus RowStatus
}
snmpNotifyFilterSubtree OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The MIB subtree which, when combined with the corresponding
instance of snmpNotifyFilterMask, defines a family of
subtrees which are included in or excluded from the
filter profile."
::= { snmpNotifyFilterEntry 1 }
snmpNotifyFilterMask OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..16))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The bit mask which, in combination with the corresponding
instance of snmpNotifyFilterSubtree, defines a family of
subtrees which are included in or excluded from the
filter profile.
Each bit of this bit mask corresponds to a
sub-identifier of snmpNotifyFilterSubtree, with the
most significant bit of the i-th octet of this octet
string value (extended if necessary, see below)
corresponding to the (8*i - 7)-th sub-identifier, and
the least significant bit of the i-th octet of this
octet string corresponding to the (8*i)-th
sub-identifier, where i is in the range 1 through 16.
Each bit of this bit mask specifies whether or not
the corresponding sub-identifiers must match when
determining if an OBJECT IDENTIFIER matches this
family of filter subtrees; a '1' indicates that an
exact match must occur; a '0' indicates 'wild card',
i.e., any sub-identifier value matches.
Thus, the OBJECT IDENTIFIER X of an object instance
is contained in a family of filter subtrees if, for
each sub-identifier of the value of
snmpNotifyFilterSubtree, either:
the i-th bit of snmpNotifyFilterMask is 0, or
the i-th sub-identifier of X is equal to the i-th
sub-identifier of the value of
snmpNotifyFilterSubtree.
If the value of this bit mask is M bits long and
there are more than M sub-identifiers in the
corresponding instance of snmpNotifyFilterSubtree,
then the bit mask is extended with 1's to be the
required length.
Note that when the value of this object is the
zero-length string, this extension rule results in
a mask of all-1's being used (i.e., no 'wild card'),
and the family of filter subtrees is the one
subtree uniquely identified by the corresponding
instance of snmpNotifyFilterSubtree."
DEFVAL { ''H }
::= { snmpNotifyFilterEntry 2 }
snmpNotifyFilterType OBJECT-TYPE
SYNTAX INTEGER {
included(1),
excluded(2)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object indicates whether the family of filter subtrees
defined by this entry are included in or excluded from a
filter."
DEFVAL { included }
::= { snmpNotifyFilterEntry 3 }
snmpNotifyFilterStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type of this conceptual row."
::= { snmpNotifyFilterEntry 4 }
snmpNotifyFilterRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this conceptual row.
To create a row in this table, a manager must
set this object to either createAndGo(4) or
createAndWait(5)."
::= { snmpNotifyFilterEntry 5 }
--
--
-- Conformance information
--
--
snmpNotifyCompliances OBJECT IDENTIFIER ::=
{ snmpNotifyConformance 1 }
snmpNotifyGroups OBJECT IDENTIFIER ::=
{ snmpNotifyConformance 2 }
--
--
-- Compliance statements
--
--
snmpNotifyBasicCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for minimal SNMP entities which
implement only SNMP Traps and read-create operations on
only the snmpTargetAddrTable."
MODULE SNMP-TARGET-MIB
MANDATORY-GROUPS { snmpTargetBasicGroup }
OBJECT snmpTargetParamsMPModel
MIN-ACCESS read-only
DESCRIPTION
"Create/delete/modify access is not required."
OBJECT snmpTargetParamsSecurityModel
MIN-ACCESS read-only
DESCRIPTION
"Create/delete/modify access is not required."
OBJECT snmpTargetParamsSecurityName
MIN-ACCESS read-only
DESCRIPTION
"Create/delete/modify access is not required."
OBJECT snmpTargetParamsSecurityLevel
MIN-ACCESS read-only
DESCRIPTION
"Create/delete/modify access is not required."
OBJECT snmpTargetParamsStorageType
SYNTAX INTEGER {
readOnly(5)
}
MIN-ACCESS read-only
DESCRIPTION
"Create/delete/modify access is not required.
Support of the values other(1), volatile(2),
nonVolatile(3), and permanent(4) is not required."
OBJECT snmpTargetParamsRowStatus
SYNTAX INTEGER {
active(1)
}
MIN-ACCESS read-only
DESCRIPTION
"Create/delete/modify access to the
snmpTargetParamsTable is not required.
Support of the values notInService(2), notReady(3),
createAndGo(4), createAndWait(5), and destroy(6) is
not required."
MODULE -- This Module
MANDATORY-GROUPS { snmpNotifyGroup }
OBJECT snmpNotifyTag
MIN-ACCESS read-only
DESCRIPTION
"Create/delete/modify access is not required."
OBJECT snmpNotifyType
SYNTAX INTEGER {
trap(1)
}
MIN-ACCESS read-only
DESCRIPTION
"Create/delete/modify access is not required.
Support of the value notify(2) is not required."
OBJECT snmpNotifyStorageType
SYNTAX INTEGER {
readOnly(5)
}
MIN-ACCESS read-only
DESCRIPTION
"Create/delete/modify access is not required.
Support of the values other(1), volatile(2),
nonVolatile(3), and permanent(4) is not required."
OBJECT snmpNotifyRowStatus
SYNTAX INTEGER {
active(1)
}
MIN-ACCESS read-only
DESCRIPTION
"Create/delete/modify access to the
snmpNotifyTable is not required.
Support of the values notInService(2), notReady(3),
createAndGo(4), createAndWait(5), and destroy(6) is
not required."
::= { snmpNotifyCompliances 1 }
snmpNotifyBasicFiltersCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities which implement
SNMP Traps with filtering, and read-create operations on
all related tables."
MODULE SNMP-TARGET-MIB
MANDATORY-GROUPS { snmpTargetBasicGroup }
MODULE -- This Module
MANDATORY-GROUPS { snmpNotifyGroup,
snmpNotifyFilterGroup }
::= { snmpNotifyCompliances 2 }
snmpNotifyFullCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities which either
implement only SNMP Informs, or both SNMP Traps and SNMP
Informs, plus filtering and read-create operations on
all related tables."
MODULE SNMP-TARGET-MIB
MANDATORY-GROUPS { snmpTargetBasicGroup,
snmpTargetResponseGroup }
MODULE -- This Module
MANDATORY-GROUPS { snmpNotifyGroup,
snmpNotifyFilterGroup }
::= { snmpNotifyCompliances 3 }
snmpNotifyGroup OBJECT-GROUP
OBJECTS {
snmpNotifyTag,
snmpNotifyType,
snmpNotifyStorageType,
snmpNotifyRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects for selecting which management
targets are used for generating notifications, and the
type of notification to be generated for each selected
management target."
::= { snmpNotifyGroups 1 }
snmpNotifyFilterGroup OBJECT-GROUP
OBJECTS {
snmpNotifyFilterProfileName,
snmpNotifyFilterProfileStorType,
snmpNotifyFilterProfileRowStatus,
snmpNotifyFilterMask,
snmpNotifyFilterType,
snmpNotifyFilterStorageType,
snmpNotifyFilterRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects providing remote configuration
of notification filters."
::= { snmpNotifyGroups 2 }
END
4.3. The Proxy MIB Module
The SNMP-PROXY-MIB module, which defines MIB objects that provide
mechanisms to remotely configure the parameters used by an SNMP
entity for proxy forwarding operations, contains a single table.
This table, snmpProxyTable, is used to define translations between
management targets for use when forwarding messages.
4.3.1. Definitions
SNMP-PROXY-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY,
OBJECT-TYPE,
snmpModules
FROM SNMPv2-SMI
RowStatus,
StorageType
FROM SNMPv2-TC
SnmpEngineID,
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB
SnmpTagValue,
FROM SNMP-TARGET-MIB
MODULE-COMPLIANCE,
OBJECT-GROUP
FROM SNMPv2-CONF;
snmpProxyMIB MODULE-IDENTITY
LAST-UPDATED "9711210000Z"
ORGANIZATION "IETF SNMPv3 Working Group"
CONTACT-INFO
"WG-email: snmpv3@tis.com
Subscribe: majordomo@tis.com
In message body: subscribe snmpv3
Chair: Russ Mundy
Trusted Information Systems
Postal: 3060 Washington Rd
Glenwood MD 21738
USA
Email: mundy@tis.com
Phone: +1-301-854-6889
Co-editor: David B. Levi
SNMP Research, Inc.
Postal: 3001 Kimberlin Heights Road
Knoxville, TN 37920-9716
E-mail: levi@snmp.com
Phone: +1 423 573 1434
Co-editor: Paul Meyer
Secure Computing Corporation
Postal: 2675 Long Lake Road
Roseville, MN 55113
E-mail: paul_meyer@securecomputing.com
Phone: +1 612 628 1592
Co-editor: Bob Stewart
Cisco Systems, Inc.
Postal: 170 West Tasman Drive
San Jose, CA 95134-1706
E-mail: bstewart@cisco.com
Phone: +1 603 654 6923"
DESCRIPTION
"This MIB module defines MIB objects which provide
mechanisms to remotely configure the parameters
used by a proxy forwarding application."
REVISION "9707140000Z"
DESCRIPTION
"The initial revision."
::= { snmpModules 14 }
snmpProxyObjects OBJECT IDENTIFIER ::= { snmpProxyMIB 1 }
snmpProxyConformance OBJECT IDENTIFIER ::= { snmpProxyMIB 3 }
--
--
-- The snmpProxyObjects group
--
--
snmpProxyTable OBJECT-TYPE
SYNTAX SEQUENCE OF SnmpProxyEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table of translation parameters used by proxy forwarder
applications for forwarding SNMP messages."
::= { snmpProxyObjects 2 }
snmpProxyEntry OBJECT-TYPE
SYNTAX SnmpProxyEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A set of translation parameters used by a proxy forwarder
application for forwarding SNMP messages.
Entries in the snmpProxyTable are created and deleted
using the snmpProxyRowStatus object."
INDEX { IMPLIED snmpProxyName }
::= { snmpProxyTable 1 }
SnmpProxyEntry ::= SEQUENCE {
snmpProxyName SnmpAdminString,
snmpProxyType INTEGER,
snmpProxyContextEngineID SnmpEngineID,
snmpProxyContextName SnmpAdminString,
snmpProxyTargetParamsIn SnmpAdminString,
snmpProxySingleTargetOut SnmpAdminString,
snmpProxyMultipleTargetOut SnmpTagValue,
snmpProxyStorageType StorageType,
snmpProxyRowStatus RowStatus
}
snmpProxyName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The locally arbitrary, but unique identifier associated
with this snmpProxyEntry."
::= { snmpProxyEntry 1 }
snmpProxyType OBJECT-TYPE
SYNTAX INTEGER {
read(1),
write(2),
trap(3),
inform(4)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The type of message that may be forwarded using
the translation parameters defined by this entry."
::= { snmpProxyEntry 2 }
snmpProxyContextEngineID OBJECT-TYPE
SYNTAX SnmpEngineID
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The contextEngineID contained in messages that
may be forwarded using the translation parameters
defined by this entry."
::= { snmpProxyEntry 3 }
snmpProxyContextName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The contextName contained in messages that may be
forwarded using the translation parameters defined
by this entry.
This object is optional, and if not supported, the
contextName contained in a message is ignored when
selecting an entry in the snmpProxyTable."
::= { snmpProxyEntry 4 }
snmpProxyTargetParamsIn OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object selects an entry in the snmpTargetParamsTable.
The selected entry is used to determine which row of the
snmpProxyTable to use for forwarding received messages."
::= { snmpProxyEntry 5 }
snmpProxySingleTargetOut OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object selects a management target defined in the
snmpTargetAddrTable (in the SNMP-TARGET-MIB). The
selected target is defined by an entry in the
snmpTargetAddrTable whose index value (snmpTargetAddrName)
is equal to this object.
This object is only used when selection of a single
target is required (i.e. when forwarding an incoming
read or write request)."
::= { snmpProxyEntry 6 }
snmpProxyMultipleTargetOut OBJECT-TYPE
SYNTAX SnmpTagValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object selects a set of management targets defined
in the snmpTargetAddrTable (in the SNMP-TARGET-MIB).
This object is only used when selection of multiple
targets is required (i.e. when forwarding an incoming
notification)."
::= { snmpProxyEntry 7 }
snmpProxyStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type of this conceptual row."
::= { snmpProxyEntry 8 }
snmpProxyRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this conceptual row.
To create a row in this table, a manager must
set this object to either createAndGo(4) or
createAndWait(5).
The following objects may not be modified while the
value of this object is active(1):
- snmpProxyType
- snmpProxyContextEngineID
- snmpProxyContextName
- snmpProxyTargetParamsIn
- snmpProxySingleTargetOut
- snmpProxyMultipleTargetOut"
::= { snmpProxyEntry 9 }
--
--
-- Conformance information
--
--
snmpProxyCompliances OBJECT IDENTIFIER ::=
{ snmpProxyConformance 1 }
snmpProxyGroups OBJECT IDENTIFIER ::=
{ snmpProxyConformance 2 }
--
--
-- Compliance statements
--
--
snmpProxyCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities which include
a proxy forwarding application."
MODULE SNMP-TARGET-MIB
MANDATORY-GROUPS { snmpTargetBasicGroup,
snmpTargetResponseGroup }
MODULE -- This Module
MANDATORY-GROUPS { snmpProxyGroup }
::= { snmpProxyCompliances 1 }
snmpProxyGroup OBJECT-GROUP
OBJECTS {
snmpProxyType,
snmpProxyContextEngineID,
snmpProxyContextName,
snmpProxyTargetParamsIn,
snmpProxySingleTargetOut,
snmpProxyMultipleTargetOut,
snmpProxyStorageType,
snmpProxyRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects providing remote configuration of
management target translation parameters for use by
proxy forwarder applications."
::= { snmpProxyGroups 3 }
END
5. Identification of Management Targets in Notification Originators
This section describes the mechanisms used by a notification
originator application when using the MIB module described in this
document to determine the set of management targets to be used when
generating a notification.
A notification originator uses the snmpNotifyTable to find the
management targets to be used for generating notifications. Each
active entry in this table identifies zero or more entries in the
snmpTargetAddrTable. Any entry in the snmpTargetAddrTable whose
snmpTargetAddrTagList object contains a tag value which is equal to a
value of snmpNotifyTag is selected by the snmpNotifyEntry which
contains that instance of snmpNotifyTag. Note that a particular
snmpTargetAddrEntry may be selected by multiple entries in the
snmpNotifyTable, resulting in multiple notifications being generated
using that snmpTargetAddrEntry.
Each snmpTargetAddrEntry contains a pointer to the snmpTargetParamsTable (snmpTargetAddrParams). This pointer selects a set of SNMP parameters to be used for generating notifications. If the selected entry in the snmpTargetParamsTable does not exist, the management target is not used to generate notifications. The decision as to whether a notification should contain an SNMPv2- Trap or Inform PDU is determined by the value of the snmpNotifyType object. If the value of this object is trap(1), the notification should contain an SNMPv2-Trap PDU. If the value of this object is inform(2), then the notification should contain an Inform PDU, and the timeout time and number of retries for the Inform are the value of snmpTargetAddrTimeout and snmpTargetAddrRetryCount. Note that the exception to these rules is when the snmpTargetParamsMPModel object indicates SNMPv1. In this case, the notification is sent as a Trap if the value of snmpNotifyTargetType is either trap(1) or inform(2). 6. Notification Filtering This section describes the mechanisms used by a notification originator application when using the MIB module described in this document to filter generation of notifications. A notification originator uses the snmpNotifyFilterTable to filter notifications. A notification filter profile may be associated with a particular entry in the snmpTargetParamsTable. The associated filter profile is identified by an entry in the snmpNotifyFilterProfileTable whose index is equal to the index of the entry in the snmpTargetParamsTable. If no such entry exists in the snmpNotifyFilterProfileTable, no filtering is performed for that management target. If such an entry does exist, the value of snmpNotifyFilterProfileName of the entry is compared with the corresponding portion of the index of all active entries in the snmpNotifyFilterTable. All such entries for which this comparison results in an exact match are used for filtering a notification generated using the associated snmpTargetParamsEntry. If no such entries exist, no filtering is performed, and a notification may be sent to the management target. Otherwise, if matching entries do exist, a notification may be sent if the NOTIFICATION-TYPE OBJECT IDENTIFIER of the notification (this is the value of the element of the variable bindings whose name is snmpTrapOID.0, i.e., the second variable binding), and all of the object instances to be included in the variable-bindings of the notification, are not specifically excluded by the matching entries.
Each set of snmpNotifyFilterTable entries is divided into two collections of filter subtrees: the included filter subtrees, and the excluded filter subtrees. The snmpNotifyFilterType object defines the collection to which each matching entry belongs. To determine whether a particular notification name or object instance is excluded by the set of matching entries, compare the notification name's or object instance's OBJECT IDENTIFIER with each of the matching entries. If none match, then the notification name or object instance is considered excluded, and the notification should not be sent to this management target. If one or more match, then the notification name or object instance is included or excluded, according to the value of snmpNotifyFilterType in the entry whose value of snmpNotifyFilterSubtree has the most sub-identifiers. If multiple entries match and have the same number of sub- identifiers, then the lexicographically greatest instance of snmpNotifyFilterType among those which match determines the inclusion or exclusion. A notification name's or object instance's OBJECT IDENTIFIER X matches an entry in the snmpNotifyFilterTable when the number of sub-identifiers in X is at least as many as in the value of snmpNotifyFilterSubtree for the entry, and each sub-identifier in the value of snmpNotifyFilterSubtree matches its corresponding sub- identifier in X. Two sub-identifiers match either if the corresponding bit of snmpNotifyFilterMask is zero (the 'wild card' value), or if the two sub-identifiers are equal. 7. Management Target Translation in Proxy Forwarder Applications This section describes the mechanisms used by a proxy forwarder application when using the MIB module described in this document to translate incoming management target information into outgoing management target information for the purpose of forwarding messages. There are actually two mechanisms a proxy forwarder may use, one for forwarding request messages, and one for forwarding notification messages. 7.1. Management Target Translation for Request Forwarding When forwarding request messages, the proxy forwarder will select a single entry in the snmpProxyTable. To select this entry, it will perform the following comparisons: - The snmpProxyType must be read(1) if the request is a Get, GetNext, or GetBulk request. The snmpProxyType must be write(2) if the request is a Set request.
- The contextEngineId must equal the snmpProxyContextEngineID
object.
- If the snmpProxyContextName object is supported, it must equal
the contextName.
- The snmpProxyTargetParamsIn object identifies an entry in the
snmpTargetParamsTable. The messageProcessingModel,
securityLevel, security model, and securityName must match the
values of snmpTargetParamsMPModel,
snmpTargetParamsSecurityModel, snmpTargetParamsSecurityName,
and snmpTargetParamsSecurityLevel of the identified entry in
the snmpTargetParamsTable.
There may be multiple entries in the snmpProxyTable for which these
comparisons succeed. The entry whose snmpProxyName has the
lexicographically smallest value and for which the comparisons
succeed will be selected by the proxy forwarder.
The outgoing management target information is identified by the value
of the snmpProxySingleTargetOut object of the selected entry. This
object identifies an entry in the snmpTargetAddrTable. The
identified entry in the snmpTargetAddrTable also contains a reference
to the snmpTargetParamsTable (snmpTargetAddrParams). If either the
identified entry in the snmpTargetAddrTable does not exist, or the
identified entry in the snmpTargetParamsTable does not exist, then
this snmpProxyEntry does not identify valid forwarding information,
and the proxy forwarder should attempt to identify another row.
If there is no entry in the snmpProxyTable for which all of the
conditions above may be met, then there is no appropriate forwarding
information, and the proxy forwarder should take appropriate actions.
Otherwise, The snmpTargetAddrTDomain, snmpTargetAddrTAddress,
snmpTargetAddrTimeout, and snmpTargetRetryCount of the identified
snmpTargetAddrEntry, and the snmpTargetParamsMPModel,
snmpTargetParamsSecurityModel, snmpTargetParamsSecurityName, and
snmpTargetParamsSecurityLevel of the identified snmpTargetParamsEntry
are used as the destination management target.
7.2. Management Target Translation for Notification Forwarding
When forwarding notification messages, the proxy forwarder will
select multiple entries in the snmpProxyTable. To select these
entries, it will perform the following comparisons:
- The snmpProxyType must be trap(3) if the notification is a
Trap. The snmpProxyType must be inform(4) if the request is
an Inform.
- The contextEngineId must equal the snmpProxyContextEngineID
object.
- If the snmpProxyContextName object is supported, it must equal
the contextName.
- The snmpProxyTargetParamsIn object identifies an entry in the
snmpTargetParamsTable. The messageProcessingModel,
securityLevel, security model, and securityName must match the
values of snmpTargetParamsMPModel,
snmpTargetParamsSecurityModel, snmpTargetParamsSecurityName,
and snmpTargetParamsSecurityLevel of the identified entry in
the snmpTargetParamsTable.
All entries for which these conditions are met are selected. The
snmpProxyMultipleTargetOut object of each such entry is used to
select a set of entries in the snmpTargetAddrTable. Any
snmpTargetAddrEntry whose snmpTargetAddrTagList object contains a tag
value equal to the value of snmpProxyMultipleTargetOut, and whose
snmpTargetAddrParams object references an existing entry in the
snmpTargetParamsTable, is selected as a destination for the forwarded
notification.
8. Intellectual Property
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
9. Acknowledgments This document is the result of the efforts of the SNMPv3 Working Group. Some special thanks are in order to the following SNMPv3 WG members: Dave Battle (SNMP Research, Inc.) Uri Blumenthal (IBM T.J. Watson Research Center) Jeff Case (SNMP Research, Inc.) John Curran (BBN) T. Max Devlin (Hi-TECH Connections) John Flick (Hewlett Packard) David Harrington (Cabletron Systems Inc.) N.C. Hien (IBM T.J. Watson Research Center) Dave Levi (SNMP Research, Inc.) Louis A Mamakos (UUNET Technologies Inc.) Paul Meyer (Secure Computing Corporation) Keith McCloghrie (Cisco Systems) Russ Mundy (Trusted Information Systems, Inc.) Bob Natale (ACE*COMM Corporation) Mike O'Dell (UUNET Technologies Inc.) Dave Perkins (DeskTalk) Peter Polkinghorne (Brunel University) Randy Presuhn (BMC Software, Inc.) David Reid (SNMP Research, Inc.) Shawn Routhier (Epilogue) Juergen Schoenwaelder (TU Braunschweig) Bob Stewart (Cisco Systems) Bert Wijnen (IBM T.J. Watson Research Center) The document is based on recommendations of the IETF Security and Administrative Framework Evolution for SNMP Advisory Team. Members of that Advisory Team were: David Harrington (Cabletron Systems Inc.) Jeff Johnson (Cisco Systems) David Levi (SNMP Research Inc.) John Linn (Openvision) Russ Mundy (Trusted Information Systems) chair Shawn Routhier (Epilogue) Glenn Waters (Nortel) Bert Wijnen (IBM T. J. Watson Research Center) As recommended by the Advisory Team and the SNMPv3 Working Group Charter, the design incorporates as much as practical from previous RFCs and drafts. As a result, special thanks are due to the authors of previous designs known as SNMPv2u and SNMPv2*:
Jeff Case (SNMP Research, Inc.)
David Harrington (Cabletron Systems Inc.)
David Levi (SNMP Research, Inc.)
Keith McCloghrie (Cisco Systems)
Brian O'Keefe (Hewlett Packard)
Marshall T. Rose (Dover Beach Consulting)
Jon Saperia (BGS Systems Inc.)
Steve Waldbusser (International Network Services)
Glenn W. Waters (Bell-Northern Research Ltd.)
10. Security Considerations
The SNMP applications described in this document typically have
direct access to MIB instrumentation. Thus, it is very important
that these applications be strict in their application of access
control as described in this document.
In addition, there may be some types of notification generator
applications which, rather than accessing MIB instrumentation using
access control, will obtain MIB information through other means (such
as from a command line). The implementors and users of such
applications must be responsible for not divulging MIB information
that normally would be inaccessible due to access control.
11. References
[RFC1157]
Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple Network
Management Protocol", RFC 1157, May 1990.
[RFC1213]
McCloghrie, K. and M. Rose, Editors, "Management Information Base
for Network Management of TCP/IP-based internets: MIB-II", STD 17,
RFC 1213, March 1991.
[RFC1902]
Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Structure of
Management Information for Version 2 of the Simple Network
Management Protocol (SNMPv2)", RFC 1902, January 1996.
[RFC1903]
Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Textual
Conventions for Version 2 of the Simple Network Management Protocol
(SNMPv2)", RFC 1903, January 1996.
[RFC1905] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, January 1996. [RFC1907] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1907, January 1996. [RFC1908] SNMPv2 Working Group, Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Coexistence between Version 1 and Version 2 of the Internet-standard Network Management Framework", RFC 1908, January 1996. [RFC2271] Harrington, D., and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2271, January 1998. [RFC2272] Case, J., Harrington, D., and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2272, January 1998. [RFC2275] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model for the Simple Network Management Protocol (SNMP)", RFC 2275, January 1998.
12. Editors' Addresses David B. Levi SNMP Research, Inc. 3001 Kimberlin Heights Road Knoxville, TN 37920-9716 U.S.A. Phone: +1 423 573 1434 EMail: levi@snmp.com Paul Meyer Secure Computing Corporation 2675 Long Lake Road Roseville, MN 55113 U.S.A. Phone: +1 612 628 1592 EMail: paul_meyer@securecomputing.com Bob Stewart Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 U.S.A. Phone: +1 603 654 6923 EMail: bstewart@cisco.com
APPENDIX A - Trap Configuration Example This section describes an example configuration for a Notification Generator application which implements the snmpNotifyBasicCompliance level. The example configuration specifies that the Notification Generator should send notifications to 3 separate managers, using authentication and no privacy for the first 2 managers, and using both authentication and privacy for the third manager. The configuration consists of three rows in the snmpTargetAddrTable, and two rows in the snmpTargetTable. snmpTargetAddrName SnmpAdminString, snmpTargetAddrTDomain TDomain, snmpTargetAddrTAddress TAddress, snmpTargetAddrTimeout TimeInterval, snmpTargetAddrRetryCount Integer32, snmpTargetAddrTagList SnmpAdminString, snmpTargetAddrParams SnmpAdminString, snmpTargetAddrStorageType StorageType, snmpTargetAddrRowStatus RowStatus * snmpTargetAddrName = "addr1" snmpTargetAddrTDomain = snmpUDPDomain snmpTargetAddrTAddress = 128.1.2.3:162 snmpTargetAddrTagList = "group1" snmpTargetAddrParams = "AuthNoPriv joe" snmpTargetAddrStorageType = readOnly(5) snmpTargetAddrRowStatus = active(1) * snmpTargetAddrName = "addr2" snmpTargetAddrTDomain = snmpUDPDomain snmpTargetAddrTAddress = 128.2.4.6:162 snmpTargetAddrTagList = "group1" snmpTargetAddrParams = "AuthNoPriv-joe" snmpTargetAddrStorageType = readOnly(5) snmpTargetAddrRowStatus = active(1) * snmpTargetAddrName = "addr3" snmpTargetAddrTDomain = snmpUDPDomain snmpTargetAddrTAddress = 128.1.2.3:162 snmpTargetAddrTagList = "group2" snmpTargetAddrParams = "AuthPriv-bob" snmpTargetAddrStorageType = readOnly(5) snmpTargetAddrRowStatus = active(1) * snmpTargetParamsName = "AuthNoPriv-joe" snmpTargetParamsMPModel = 3
snmpTargetParamsSecurityModel = 3 (USM)
snmpTargetParamsSecurityName = "joe"
snmpTargetParamsSecurityLevel = authNoPriv(2)
snmpTargetParamsStorageType = readOnly(5)
snmpTargetParamsRowStatus = active(1)
* snmpTargetParamsName = "AuthPriv-bob"
snmpTargetParamsMPModel = 3
snmpTargetParamsSecurityModel = 3 (USM)
snmpTargetParamsSecurityName = "bob"
snmpTargetParamsSecurityLevel = authPriv(3)
snmpTargetParamsStorageType = readOnly(5)
snmpTargetParamsRowStatus = active(1)
* snmpNotifyName = "group1"
snmpNotifyTag = "group1"
snmpNotifyType = trap(1)
snmpNotifyStorageType = readOnly(5)
snmpNotifyRowStatus = active(1)
* snmpNotifyName = "group2"
snmpNotifyTag = "group2"
snmpNotifyType = trap(1)
snmpNotifyStorageType = readOnly(5)
snmpNotifyRowStatus = active(1)
These entries define two groups of management targets. The first
group contains two management targets:
first target second target
------------ -------------
messageProcessingModel SNMPv3 SNMPv3
securityModel 3 (USM) 3 (USM)
securityName "joe" "joe"
securityLevel authNoPriv(2) authNoPriv(2)
transportDomain snmpUDPDomain snmpUDPDomain
transportAddress 128.1.2.3:162 128.2.4.6:162
And the second group contains a single management target:
messageProcessingModel SNMPv3
securityLevel authPriv(3)
securityModel 3 (USM)
securityName "bob"
transportDomain snmpUDPDomain
transportAddress 128.1.5.9:162
B. Full Copyright Statement Copyright (C) The Internet Society (1998). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.