isms                                                              C. Li
Internet-Draft                                                    Y. Li
Intended status: Informational                      Huawei Technologies
Expires: May 5, 2009                                           Nov. 2008


    Simplified View-based Access Control Model (SVACM) for the Simple
                   Network Management Protocol (SNMP)
                       draft-li-isms-svacm-01.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on May 5, 2009.

Abstract

   This document introduces a Simplified View-based Access Control Model
   (SVACM) for the Simple Network Management Protocol (SNMP), intended
   for access control of SNMP management operations.  It describes the
   access control procedure of SVACM when a Remote Authentication Dial
   In User Service (RADIUS) server is used for authorization.  It also
   includes a Management Information Base (MIB) for remotely managing
   the configuration parameters of SVACM.

Li & Li                   Expires May 5, 2009                   [Page 1]

Internet-Draft               SVACM for the SNMP                Nov. 2008

Table of Contents

   1.  Introduction
     1.1.  Motivation
     1.2.  General
   2.  Simplified View-based Access Control Model (SVACM)
     2.1.  Elements of SVACM
       2.1.1.  Groups
       2.1.2.  securityLevel
       2.1.3.  MIB Views
       2.1.4.  Access Policy
     2.2.  Elements of Procedure
       2.2.1.  Overview of isAccessAllowed Process
       2.2.2.  Processing the isAccessAllowed Service Request
   3.  RADIUS authorization for SNMP
   4.  Definitions
   5.  Security Considerations
     5.1.  Recommended Practices
     5.2.  Defining Groups
     5.3.  Conformance
     5.4.  Access to the SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB
   6.  IANA Considerations
   7.  Notation
   8.  Normative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

1.1.  Motivation

   The View-based Access Control Model (VACM) of SNMP [RFC3415] is a
   specific model of the Access Control Subsystem (ACS).  VACM is
   elaborate, comprehensive and flexible, but it is difficult to
   understand and configure, and it is not easy for administrators to
   deploy correctly.  The complexity of VACM and its lack of support
   for RADIUS impact its adoption.  The Simplified View-based Access
   Control Model (SVACM) makes the Access Control Model more intuitive
   and easier to operate.

1.2.  General

   This document defines another specific model of the ACS, designated
   SVACM, which simplifies VACM.  SVACM inherits the basic approach of
   VACM, but simplifies some parameters and confines the granularity of
   a view to the MIB module level.  SVACM is less flexible than VACM,
   but is simpler and easier to deploy.  SVACM covers the most common
   scenarios, which do not need fine-grained MIB views.  SVACM supports
   RADIUS for the authorization process.

   VACM and SVACM exist in parallel.  SVACM is not a replacement for
   VACM.  When administrators need fine-grained access control, VACM
   should be adopted.

   This document also describes the procedure of access control in SVACM
   with a RADIUS [RFC2865] server for authorization, using the RADIUS
   attribute defined in [radman] to carry the access policies.

   It is important to understand the SNMP architecture and its
   terminology in order to understand where the Access Control Model
   described in this memo fits into the architecture and how it
   interacts with the other subsystems and models within it.  The reader
   is expected to have read and understood the description and
   terminology of the SNMP architecture, as defined in [RFC3411].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Simplified View-based Access Control Model (SVACM)

   VACM determines the access rights of a group, representing zero or
   more securityNames which have the same access rights.  For a
   particular context, identified by contextName, to which a group,
   identified by groupName, has access using a particular securityModel
   and securityLevel, that group's access rights are given by a read-
   view, a write-view and a notify-view.
   VACM defines the vacmContextTable, which lists the locally available
   contexts by contextName.  An SNMP context is a collection of
   management information accessible by an SNMP engine, but in the
   majority of use cases a single agent does not have multiple contexts.
   Moreover, administrators often do not understand well what the
   concept of a context represents, so configuring contexts is
   difficult.  To be more practical, SVACM no longer considers the
   context parameter in the access control process.  SVACM addresses
   only the most common situations; if several contexts are required in
   one agent, VACM is still needed.

   SVACM does not use the securityModel parameter as VACM does.
   SecurityModel is an identifier that uniquely identifies a Security
   Model of the Security Subsystem within the SNMP Management
   Architecture.  In VACM the securityModel parameter is checked in the
   vacmSecurityToGroupTable and in the vacmAccessTable.  SVACM removes
   the securityModel from these two steps; the reasons are described in
   the following sections.

   SVACM inherits the same basic mechanism of groups and views as VACM,
   but changes some details to make deployment simpler and easier.

2.1.  Elements of SVACM

2.1.1.  Groups

   In VACM a group is a set of zero or more (securityModel,
   securityName) tuples on whose behalf SNMP management objects can be
   accessed.  SVACM also uses the group mechanism, but it uses the
   securityName as the only index for the mapping to a groupName.  The
   securityModel parameter is no longer a mapping parameter in the group
   mechanism.

   In VACM, a user using different securityModels could be mapped into
   different groups, and different users using different securityModels
   could be mapped into the same group.  Introducing securityModel into
   the group mapping therefore makes the meaning of a group confusing.
   In general, a group is a set of users.  Removing the securityModel
   parameter from the vacmSecurityToGroupTable makes the concept of a
   group clear.  Furthermore, one index in the security-to-group table
   is more straightforward than two.

   The securityModel and securityLevel should indeed be taken into
   account by the access control process.  They may influence the access
   rights of a group via the mapping from group into views, and thereby
   indirectly influence the access rights of a user.  So SVACM does not
   consider the securityModel parameter in the group mapping step.

   In SVACM, a securityName is mapped into only one group.  Whether this
   mapping occurs in the local database of the SNMP engine or in an
   external server depends on the deployment.  In the latter case, the
   external server, such as a RADIUS server, transports the mapped
   groupName to the SNMP engine.  The procedure of access control in
   SVACM with a RADIUS server is described in Section 3.

2.1.2.  securityLevel

   SVACM uses the same securityLevel parameter as VACM.  SecurityLevel
   identifies the level of security that will be assumed when checking
   for access rights.  Different access rights for members of a group
   can be defined for different levels of security, i.e., noAuthNoPriv,
   authNoPriv, and authPriv.

2.1.3.  MIB Views

   In VACM, a "MIB view" details a specific set of managed object types
   (and optionally, the specific instances of object types).  The
   definition of MIB views in VACM is flexible, but configuring the
   vacmViewTreeFamilyTable is complicated.  To configure each MIB view
   in the whole MIB tree, a network administrator must know the MIB tree
   structure clearly and exactly where a certain managed object is
   located.  It is too difficult for network administrators to know all
   these details and to calculate the subtree mask.

   SVACM also uses the definition of a "MIB view" to detail the managed
   object types, but SVACM simplifies MIB views by eliminating include/
   exclude, subtree masks, and ViewTreeFamilies.  SVACM defines a "MIB
   view" at a coarse granularity.  Each MIB module is defined as a MIB
   view.  These MIB views are built into the svacmViewTable and do not
   need to be configured by network administrators.  For example,
   OSPF-MIB is a MIB module which has a definite OID; SVACM defines
   OSPF-MIB as a MIB view whose viewName is OSPF-MIB.  This view
   definition method omits the steps of configuring the subtree OID and
   the subtree mask.  Administrators who know only the MIB module name
   are able to assign each view the types of access (read, write or
   notify).  It improves human readability.  Moreover, ignoring the
   subtree mask and removing subtree exclusion make the check of whether
   a variableName is in a specific MIB view much faster than before.

   There SHOULD be a built-in MIB view in the svacmViewTable which
   represents the whole MIB tree.  Its name could be ALL-MIB or another
   name.

2.1.4.  Access Policy

   In SVACM, the svacmAccessTable uses only the groupName and
   securityLevel as indexes; the securityModel is discarded.  The
   securityModel is just an identifier of a security model, which does
   not by itself indicate how complete a protection measure is.  For
   instance, the User-based Security Model (USM) [RFC3414] could be used
   with a securityLevel of authNoPriv or authPriv.  The Transport
   Security Model (TSM) [TSM for SNMP] could also be used with a
   securityLevel of authNoPriv or authPriv.  No one can assert that one
   securityModel is more secure than another.  For a given group,
   assigning different access control rights to different
   securityModels with the same securityLevel is meaningless.  So the
   securityLevel is the key factor in the access control process; the
   securityModel is not significant.

   In the vacmAccessTable of VACM, the group's access rights are given
   by a read-view, a write-view or a notify-view.  In SVACM, each view
   includes one MIB-module subtree.  Several views are assigned to one
   type of access (read, write or notify).
   So one group could access more than one read-view, more than one
   write-view or more than one notify-view, as configured in the
   svacmAccessTable.  This configuration method of the svacmAccessTable
   reuses each built-in view, so it is more convenient and easier to
   configure.

   Most MIB module names end in -MIB, so it could be simpler for an
   agent to just list "BGP4, OSPF, MPLS, ..." in the svacmAccessTable
   and the svacmViewTable; this also helps with the length limitation
   of SnmpAdminString.

2.2.  Elements of Procedure

   This section describes the procedures followed by an Access Control
   Module that deploys SVACM when checking access rights as requested by
   an application.  The abstract service primitive is:

   statusInformation =          -- success or errorIndication
     isAccessAllowed(
     securityModel              -- Security Model in use, unused in SVACM
     securityName               -- principal who wants access
     securityLevel              -- Level of Security
     viewType                   -- read, write, or notify view
     contextName                -- context containing variableName,
                                --   unused in SVACM
     variableName               -- OID for the managed object
     )

   The abstract data elements are:

   statusInformation - one of the following:

      accessAllowed - MIB views were found and access is granted.

      notInAllViews - MIB views were found but access is denied.  The
                      variableName is not in any MIB view for the
                      specified viewType (e.g., in the relevant entry
                      of the svacmAccessTable).

      noSuchViews   - no MIB view found because no view has been
                      configured for the specified viewType (e.g., in
                      the relevant entry of the svacmAccessTable).

      noGroupName   - no MIB view found because no entry has been
                      configured in the svacmSecurityToGroupTable for
                      the specified securityName.

      noAccessEntry - no MIB view found because no entry has been
                      configured in the svacmAccessTable for the
                      specified groupName (from the
                      svacmSecurityToGroupTable).

      otherError    - failure, an undefined error occurred.

2.2.1.  Overview of isAccessAllowed Process

   The following picture shows how the access control decision is made
   by SVACM.  This process does not check the parameters contextName
   and securityModel, which are unused in SVACM.

   +-----------------------------------------------------------+
   |                                                           |
   |  securityName ---> groupName --+                          |
   |                                |                          |
   |  securityLevel ----------------+-> viewNames -+-> yes/no  |
   |                                |              |  decision |
   |  viewType (read/write/notify)--+              |           |
   |                                               |           |
   |  variableName (OID) --------------------------+           |
   |                                                           |
   +-----------------------------------------------------------+

2.2.2.  Processing the isAccessAllowed Service Request

   This section describes the procedure followed by an Access Control
   module that deploys SVACM whenever it receives an isAccessAllowed
   request.

   1) The svacmSecurityToGroupTable is consulted for mapping the
      securityName into a groupName.  If the information about this
      securityName is absent from the table, then an errorIndication
      (noGroupName) is returned to the calling module, and the
      processing of the request stops.

   2) The svacmAccessTable is consulted for information about the
      groupName and securityLevel.  If information about this
      combination is absent from the table, then an errorIndication
      (noAccessEntry) is returned to the calling module, and the
      processing of the request stops.

   3) a) If the viewType is "read", then the read views are used for
         checking access rights.

      b) If the viewType is "write", then the write views are used for
         checking access rights.

      c) If the viewType is "notify", then the notify views are used
         for checking access rights.

      If the viewType is a zero-length string, then an errorIndication
      (noSuchViews) is returned to the calling module, and the
      processing of the request stops.

   4) a) If one view in the read-view (write-view or notify-view) list
         is not built into the svacmViewTable, ignore it and go on to
         match the other views in the list.
         If no view configured for the specified viewType is found in
         the svacmViewTable, then an errorIndication (noSuchViews) is
         returned to the calling module, and the processing of the
         request stops.

      b) If the specified variableName (object instance) is not in the
         MIB views, then an errorIndication (notInAllViews) is returned
         to the calling module, and the processing of the request
         stops.  Otherwise,

      c) the specified variableName is in the MIB views.  A
         statusInformation of success (accessAllowed) is returned to
         the calling module.

3.  RADIUS authorization for SNMP

   SVACM is easy to integrate with RADIUS.  When an SNMP engine uses a
   RADIUS server to complete the authorization step of access control,
   the SNMP engine takes the role of NAS with respect to the RADIUS
   server.  The mapping from securityName into groupName is done by the
   RADIUS server, instead of by the svacmSecurityToGroupTable of SVACM
   in the SNMP engine.

   [radman] defines a RADIUS attribute Management-Policy-Id which is
   transported in an Access-Accept message and indicates the name of
   the management access policy for the user.  When SVACM is integrated
   with RADIUS, the Management-Policy-Id attribute indicates the
   groupName to which a user belongs.

   [draft-ietf-isms-radius-usage] also provides hint attributes in the
   Access-Request messages.  When attempting to use RADIUS to provide
   SNMP service, it is important to use the hint attributes to signal to
   the RADIUS server the type of service being requested over the
   transport session.  It is also important for the NAS to know that the
   RADIUS server is authorizing the use of SNMP service by the user.  So
   the process of RADIUS authorization for SNMP is detailed as follows.

   RADIUS clients, within the agent, initiate a transaction by sending a
   RADIUS Access-Request message to the RADIUS server.  The RADIUS
   server authenticates the client user according to the identity and
   credentials of the user.  Then the RADIUS server indicates a
   successful authentication by returning an Access-Accept message, or
   an unsuccessful authentication by returning an Access-Reject message.
   The Access-Request message and the Access-Accept message both utilize
   the Service-Type Attribute with a value of Framed-Management, the
   RADIUS Framed-Management-Protocol Attribute with a value of SNMP, and
   the Management-Transport-Protection Attribute with a value of
   Integrity-Confidentiality-Protection.  The Access-Accept message will
   also include the Management-Policy-Id attribute to indicate which
   groupName the user should be related to.

   The mapping from user to user group is done in the back-end
   authentication database of the RADIUS server, which contains
   credentials of many classes of users.  The methods of authenticating
   the user in the RADIUS server are implementation specific.

   If the agent receives a Management-Policy-Id attribute with an
   unknown groupName, or the policy rules are incorrectly formatted, the
   agent MUST treat the packet as if it had been an Access-Reject.

   In SVACM, the information about access rights and policies is part of
   the SNMP engine's Local Configuration Datastore (LCD) in the agent.
   When the agent gets the Access-Accept message, during the general
   processing of the message, the data object access control
   authorization in SNMP is handled by the Access Control Subsystem
   (ACS).  If the Access Control Model is SVACM, the next steps are to
   check the vacmContextTable, the svacmAccessTable and the
   svacmViewTable, and to check whether the variableName is in the
   specified MIB views.
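   Worked example, added here and not part of the draft: the
   isAccessAllowed decision of Section 2.2.2 (steps 1 to 4, including the
   step-4a rule that view names not built into the svacmViewTable are
   skipped, and the OID-prefix membership test of the MIB-module views of
   Section 2.1.3), together with the Section 3 handling of a RADIUS
   Access-Accept whose Management-Policy-Id supplies the groupName.  All
   table rows, principals, group names and attribute sets are
   constructed; the unknown-groupName rejection follows the draft's MUST,
   while treating a missing or non-SNMP Service-Type or
   Framed-Management-Protocol as a reject is this example's reading of
   the NAS requirement, not a rule the draft states.

```python
"""SVACM isAccessAllowed (Section 2.2.2) with a local or RADIUS-supplied
securityName -> groupName mapping (Section 3).

Added example, not code from draft-li-isms-svacm-01.  All rows below are
constructed sample data; the OSPF-MIB and BGP4-MIB roots are the
registered mib-2 assignments (mib-2.14 and mib-2.15).
"""
from typing import Dict, Mapping, Optional, Tuple

OID = Tuple[int, ...]
VIEW_TYPES = ("read", "write", "notify")


def parse_oid(text: str) -> OID:
    """'1.3.6.1.2.1.14.1.1.0' -> (1, 3, 6, 1, 2, 1, 14, 1, 1, 0)."""
    return tuple(int(part) for part in text.strip(".").split("."))


# svacmViewTable: built into the agent, one subtree per MIB module.
# ALL-MIB is the whole-tree view the draft recommends; rooting it at
# internet (1.3.6.1) is a constructed choice.
VIEW_TABLE: Dict[str, OID] = {
    "ALL-MIB": parse_oid("1.3.6.1"),
    "OSPF-MIB": parse_oid("1.3.6.1.2.1.14"),
    "BGP4-MIB": parse_oid("1.3.6.1.2.1.15"),
}

# svacmSecurityToGroupTable (constructed).
SECURITY_TO_GROUP: Dict[str, str] = {"alice": "ops", "bob": "readonly"}

# svacmAccessTable (constructed): (groupName, securityLevel) -> the
# comma-separated svacmAccess{Read,Write,Notify}ViewNames strings.
# "" means no view configured; "OSFP-MIB" is a deliberate misspelling
# that exercises step 4a.
ACCESS_TABLE: Dict[Tuple[str, str], Dict[str, str]] = {
    ("ops", "authPriv"): {"read": "OSPF-MIB,BGP4-MIB",
                          "write": "OSPF-MIB", "notify": "ALL-MIB"},
    ("ops", "authNoPriv"): {"read": "OSPF-MIB,BGP4-MIB",
                            "write": "", "notify": ""},
    ("readonly", "authNoPriv"): {"read": "OSPF-MIB,OSFP-MIB",
                                 "write": "", "notify": ""},
    ("readonly", "authPriv"): {"read": "OSFP-MIB", "write": "", "notify": ""},
}


def is_access_allowed(security_name: str, security_level: str,
                      view_type: str, variable_name: str,
                      security_to_group: Mapping[str, str] = SECURITY_TO_GROUP,
                      access_table: Mapping[Tuple[str, str], Mapping[str, str]] = ACCESS_TABLE,
                      view_table: Mapping[str, OID] = VIEW_TABLE) -> str:
    """Return the statusInformation of Section 2.2.  securityModel and
    contextName are not parameters because SVACM ignores them."""
    group = security_to_group.get(security_name)          # step 1
    if group is None:
        return "noGroupName"
    entry = access_table.get((group, security_level))     # step 2: exact row
    if entry is None:
        return "noAccessEntry"
    if view_type not in VIEW_TYPES:                       # step 3
        return "otherError"                               # example's choice
    names = [n.strip() for n in entry.get(view_type, "").split(",") if n.strip()]
    if not names:
        return "noSuchViews"
    # step 4a: unknown view names are skipped; none known -> noSuchViews
    subtrees = [view_table[n] for n in names if n in view_table]
    if not subtrees:
        return "noSuchViews"
    # step 4b/4c: the instance is in a module view when the view's
    # svacmViewSubtree is a prefix of the instance OID
    oid = parse_oid(variable_name)
    return "accessAllowed" if any(oid[:len(s)] == s for s in subtrees) else "notInAllViews"


def group_from_access_accept(attrs: Mapping[str, str],
                             access_table: Mapping[Tuple[str, str], Mapping[str, str]] = ACCESS_TABLE
                             ) -> Optional[str]:
    """groupName carried in Management-Policy-Id, or None when the agent
    must treat the packet as an Access-Reject (unknown groupName per the
    draft; non-SNMP service attributes per this example)."""
    if attrs.get("Service-Type") != "Framed-Management":
        return None
    if attrs.get("Framed-Management-Protocol") != "SNMP":
        return None
    group = attrs.get("Management-Policy-Id")
    known_groups = {g for (g, _level) in access_table}
    return group if group in known_groups else None


def radius_authorized_access(security_name: str, attrs: Mapping[str, str],
                             security_level: str, view_type: str,
                             variable_name: str) -> str:
    """RADIUS-backed variant: the Access-Accept, not the local table,
    supplies the securityName -> groupName mapping."""
    group = group_from_access_accept(attrs)
    if group is None:
        return "noGroupName"   # rejected: the user has no usable group
    return is_access_allowed(security_name, security_level, view_type,
                             variable_name, security_to_group={security_name: group})


if __name__ == "__main__":
    accept = {"Service-Type": "Framed-Management", "Framed-Management-Protocol": "SNMP",
              "Management-Transport-Protection": "Integrity-Confidentiality-Protection",
              "Management-Policy-Id": "ops"}
    print(is_access_allowed("alice", "authPriv", "read", "1.3.6.1.2.1.14.1.1.0"))
    print(radius_authorized_access("alice", accept, "authPriv", "write", "1.3.6.1.2.1.15.3.1.1"))
```

   The view test is a plain OID-prefix comparison against one
   svacmViewSubtree per view, which is what makes it cheaper than VACM's
   masked family match; a module that registers objects under more than
   one root (IF-MIB has both the interfaces and ifMIB subtrees) cannot be
   expressed as a single such view.  Both the unknown-group and the
   unknown-view cases fail closed, returning an errorIndication rather
   than granting access.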
4.  Definitions

   SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-COMPLIANCE, OBJECT-GROUP        FROM SNMPv2-CONF
       MODULE-IDENTITY, OBJECT-TYPE,
       snmpModules                            FROM SNMPv2-SMI
       RowStatus, StorageType                 FROM SNMPv2-TC
       SnmpAdminString                        FROM SNMP-FRAMEWORK-MIB;

   snmpSvacmMIB MODULE-IDENTITY
       LAST-UPDATED ""
       ORGANIZATION ""
       CONTACT-INFO " "
       DESCRIPTION  "The management information definitions for the
                     Simplified View-based Access Control Model for
                     SNMP.
                    "
       ::= { snmpModules x }

   -- Administrative assignments ***************************************

   svacmMIBObjects      OBJECT IDENTIFIER ::= { snmpSvacmMIB 1 }
   svacmMIBConformance  OBJECT IDENTIFIER ::= { snmpSvacmMIB 2 }

   -- Information about Groups *****************************************

   svacmSecurityToGroupTable OBJECT-TYPE
       SYNTAX       SEQUENCE OF SvacmSecurityToGroupEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "This table maps a securityName into a groupName
                    which is used to define an access control policy
                    for a group of principals.
                   "
       ::= { svacmMIBObjects 1 }

   svacmSecurityToGroupEntry OBJECT-TYPE
       SYNTAX       SvacmSecurityToGroupEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "An entry in this table maps a securityName into a
                    groupName.
                   "
       INDEX       { svacmSecurityName }
       ::= { svacmSecurityToGroupTable 1 }

   SvacmSecurityToGroupEntry ::= SEQUENCE
       {
           svacmSecurityName                 SnmpAdminString,
           svacmGroupName                    SnmpAdminString,
           svacmSecurityToGroupStorageType   StorageType,
           svacmSecurityToGroupStatus        RowStatus
       }

   svacmSecurityName OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "The securityName for the principal which is mapped
                    by this entry into a groupName.
                   "
       ::= { svacmSecurityToGroupEntry 1 }

   svacmGroupName OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The name of the group to which this entry (the
                    securityName) belongs.
                    This groupName is used as an index in the
                    svacmAccessTable to select an access control
                    policy.  However, a value in this table does not
                    imply that an instance with the value exists in
                    the svacmAccessTable.
                   "
       ::= { svacmSecurityToGroupEntry 2 }

   svacmSecurityToGroupStorageType OBJECT-TYPE
       SYNTAX       StorageType
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The storage type for this conceptual row.
                    Conceptual rows having the value 'permanent' need
                    not allow write-access to any columnar objects in
                    the row.
                   "
       DEFVAL      { nonVolatile }
       ::= { svacmSecurityToGroupEntry 3 }

   svacmSecurityToGroupStatus OBJECT-TYPE
       SYNTAX       RowStatus
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The status of this conceptual row.

                    Until instances of all corresponding columns are
                    appropriately configured, the value of the
                    corresponding instance of the
                    svacmSecurityToGroupStatus column is 'notReady'.

                    In particular, a newly created row cannot be made
                    active until a value has been set for
                    svacmGroupName.

                    The RowStatus TC [RFC2579] requires that this
                    DESCRIPTION clause states under which circumstances
                    other objects in this row can be modified:

                    The value of this object has no effect on whether
                    other objects in this conceptual row can be
                    modified.
                   "
       ::= { svacmSecurityToGroupEntry 4 }

   -- Information about Access Rights **********************************

   svacmAccessTable OBJECT-TYPE
       SYNTAX       SEQUENCE OF SvacmAccessEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "The table of access rights for groups.

                    Each entry is indexed by a groupName and a
                    svacmSecurityLevel.

                    To determine whether access is allowed, one entry
                    from this table needs to be selected and the proper
                    viewNames from that entry must be used for access
                    control checking.
                   "
       ::= { svacmMIBObjects 2 }

   svacmAccessEntry OBJECT-TYPE
       SYNTAX       SvacmAccessEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "An access right configured in the Local
                    Configuration Datastore (LCD) authorizing access to
                    an SNMP engine.

                    Entries in this table can use an instance value for
                    object svacmGroupName even if no entry in table
                    svacmSecurityToGroupTable has a corresponding value
                    for object svacmGroupName.
                   "
       INDEX       { svacmGroupName, svacmSecurityLevel }
       ::= { svacmAccessTable 1 }

   SvacmAccessEntry ::= SEQUENCE
       {
           svacmSecurityLevel            SnmpAdminString,
           svacmAccessReadViewNames      SnmpAdminString,
           svacmAccessWriteViewNames     SnmpAdminString,
           svacmAccessNotifyViewNames    SnmpAdminString,
           svacmAccessStorageType        StorageType,
           svacmAccessStatus             RowStatus
       }

   svacmSecurityLevel OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(0..32))
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "The minimum level of security required in order to
                    gain the access rights allowed by this conceptual
                    row.  A securityLevel of noAuthNoPriv is less than
                    authNoPriv which in turn is less than authPriv.
                   "
       ::= { svacmAccessEntry 1 }

   svacmAccessReadViewNames OBJECT-TYPE
       SYNTAX       SnmpAdminString
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The value of an instance of this object identifies
                    the MIB views of the SNMP engine to which this
                    conceptual row authorizes read access.  One
                    SnmpAdminString carries a list of read view names
                    separated by commas.

                    The identified MIB views are those for which the
                    svacmViewName has the same value as the instance of
                    this object; if the value is the empty string or if
                    there is no active MIB view having this value of
                    svacmViewName, then no access is granted.
                   "
       DEFVAL      { ''H }    -- the empty string
       ::= { svacmAccessEntry 2 }

   svacmAccessWriteViewNames OBJECT-TYPE
       SYNTAX       SnmpAdminString
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The value of an instance of this object identifies
                    the MIB views of the SNMP engine to which this
                    conceptual row authorizes write access.  One
                    SnmpAdminString carries a list of write view names
                    separated by commas.

                    The identified MIB views are those for which the
                    svacmViewName has the same value as the instance of
                    this object; if the value is the empty string or if
                    there is no active MIB view having this value of
                    svacmViewName, then no access is granted.
                   "
       DEFVAL      { ''H }    -- the empty string
       ::= { svacmAccessEntry 3 }

   svacmAccessNotifyViewNames OBJECT-TYPE
       SYNTAX       SnmpAdminString
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The value of an instance of this object identifies
                    the MIB views of the SNMP engine to which this
                    conceptual row authorizes access for notifications.
                    One SnmpAdminString carries a list of notify view
                    names separated by commas.

                    The identified MIB views are those for which the
                    svacmViewName has the same value as the instance of
                    this object; if the value is the empty string or if
                    there is no active MIB view having this value of
                    svacmViewName, then no access is granted.
                   "
       DEFVAL      { ''H }    -- the empty string
       ::= { svacmAccessEntry 4 }

   svacmAccessStorageType OBJECT-TYPE
       SYNTAX       StorageType
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The storage type for this conceptual row.
                    Conceptual rows having the value 'permanent' need
                    not allow write-access to any columnar objects in
                    the row.
                   "
       DEFVAL      { nonVolatile }
       ::= { svacmAccessEntry 5 }

   svacmAccessStatus OBJECT-TYPE
       SYNTAX       RowStatus
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION "The status of this conceptual row.
                    The RowStatus TC [RFC2579] requires that this
                    DESCRIPTION clause states under which circumstances
                    other objects in this row can be modified:

                    The value of this object has no effect on whether
                    other objects in this conceptual row can be
                    modified.
                   "
       ::= { svacmAccessEntry 6 }

   -- Information about MIB views **************************************

   -- Support for MIB-module-granularity is compulsory.

   svacmMIBViews OBJECT IDENTIFIER ::= { svacmMIBObjects 3 }

   svacmViewTable OBJECT-TYPE
       SYNTAX       SEQUENCE OF SvacmViewEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "Locally held information about MIB views.

                    This table is built in by the agent, and cannot be
                    altered or deleted by any administrator.  Each MIB
                    view is an included subtree in the unit of a MIB
                    module with a definite OID value, so the definition
                    of each view based on each MIB module can be built
                    into this table.

                    To determine whether a particular object instance
                    is in a particular MIB view, compare the object
                    instance's OBJECT IDENTIFIER with the MIB view's
                    active entry in this table.  If none match, then
                    the object instance is not in the MIB view.  If one
                    matches, then the object instance is included.

                    If an administrator wants to create/delete an entry
                    in the svacmViewTable, then an operation error must
                    be returned.
                   "
       ::= { svacmMIBViews 1 }

   svacmViewEntry OBJECT-TYPE
       SYNTAX       SvacmViewEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION "Information on a particular view subtree included
                    in a particular SNMP engine's MIB view.

                    If no conceptual rows exist in this table for a
                    given MIB view (viewName), then an errorIndication
                    (noSuchView) is returned.
                   "
       INDEX       { svacmViewName }
       ::= { svacmViewTable 1 }

   SvacmViewEntry ::= SEQUENCE
       {
           svacmViewName       SnmpAdminString,
           svacmViewSubtree    OBJECT IDENTIFIER
       }

   svacmViewName OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION "The human readable name for a MIB-module-
                    granularity view.
                   "
       ::= { svacmViewEntry 1 }

   svacmViewSubtree OBJECT-TYPE
       SYNTAX       OBJECT IDENTIFIER
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION "The MIB subtree which defines a MIB-module-
                    granularity view.  Corresponding to each
                    svacmViewName, its OID value is definite and built
                    into the svacmViewTable.  It does not need to be
                    configured by administrators.
                   "
       ::= { svacmViewEntry 2 }

   -- Conformance information ******************************************

   svacmMIBCompliances OBJECT IDENTIFIER ::= { svacmMIBConformance 1 }
   svacmMIBGroups      OBJECT IDENTIFIER ::= { svacmMIBConformance 2 }

   -- Compliance statements ********************************************

   svacmMIBCompliance MODULE-COMPLIANCE
       STATUS       current
       DESCRIPTION "The compliance statement for SNMP engines which
                    deploy the SNMP Simplified View-based Access
                    Control Model configuration MIB.
                   "
       MODULE -- this module
           MANDATORY-GROUPS { svacmBasicGroup }

           OBJECT        svacmAccessReadViewNames
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."

           OBJECT        svacmAccessWriteViewNames
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."

           OBJECT        svacmAccessNotifyViewNames
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."

           OBJECT        svacmAccessStorageType
           MIN-ACCESS    read-only
           DESCRIPTION  "Write access is not required."

           OBJECT        svacmAccessStatus
           MIN-ACCESS    read-only
           DESCRIPTION  "Create/delete/modify access to the
                         svacmAccessTable is not required.
                        "
       ::= { svacmMIBCompliances 1 }

   -- Units of conformance *********************************************

   svacmBasicGroup OBJECT-GROUP
       OBJECTS {
                 svacmGroupName,
                 svacmSecurityLevel,
                 svacmSecurityToGroupStorageType,
                 svacmSecurityToGroupStatus,
                 svacmAccessReadViewNames,
                 svacmAccessWriteViewNames,
                 svacmAccessNotifyViewNames,
                 svacmAccessStorageType,
                 svacmAccessStatus
               }
       STATUS       current
       DESCRIPTION "A collection of objects providing for remote
                    configuration of an SNMP engine which deploys the
                    SNMP Simplified View-based Access Control Model.
                   "
       ::= { svacmMIBGroups 1 }

   END

5.  Security Considerations

5.1.  Recommended Practices

   This document is meant for use in the SNMP architecture.  The
   Simplified View-based Access Control Model described in this document
   checks access rights to management information based on:

   -  groupName, representing a set of zero or more securityNames.  The
      securityName is mapped into a group in the Simplified View-based
      Access Control Model.

   -  securityLevel under which access is requested.

   -  operation performed on the management information.

   -  MIB views for read, write or notify access.

   When the User-based Security Model or the Transport Security Model is
   in use and access rights are checked, it is assumed that the calling
   module has ensured the authentication and privacy aspects as
   specified by the securityLevel that is being passed.

5.2.  Defining Groups

   The groupNames are used to give access to a group of zero or more
   securityNames.  Within the Simplified View-based Access Control
   Model, a groupName is considered to exist if that groupName is listed
   in the svacmSecurityToGroupTable.

   By mapping the securityName into a groupName, an SNMP Command
   Generator application can add/delete securityNames to/from a group,
   if proper access is allowed.

   Further, it is important to realize that the grouping of
   securityNames in the svacmSecurityToGroupTable does not take
   securityLevel into account.
   It is therefore important that the security administrator uses the
   securityLevel index in the svacmAccessTable to separate noAuthNoPriv
   from authPriv and/or authNoPriv access.

   There is a parallel relationship between the View-based Access
   Control Model and the Simplified View-based Access Control Model.  An
   application needs to decide which ACM should be used (VACM or SVACM).
   The Simplified View-based Access Control Model is used in scenarios
   which do not consider the context parameter and which need only
   coarse-grained MIB views at MIB-module level.  When administrators
   need fine-grained access control, or several contexts in one agent,
   the View-based Access Control Model is still needed.

5.3.  Conformance

   For an implementation of the Simplified View-based Access Control
   Model to be conformant, it MUST implement the
   SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB according to the
   svacmMIBCompliance.

5.4.  Access to the SNMP-SIMPLIFIED-VIEW-BASED-ACM-MIB

   The objects in this MIB control the access to all MIB data that is
   accessible via the SNMP engine, and they may be considered sensitive
   in many environments.  It is important to closely control (both read
   and write) access to these MIB objects by using appropriately
   configured Access Control Models (for example the Simplified View-
   based Access Control Model as specified in this document).

6.  IANA Considerations

   None.

7.  Notation

   None.

8.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2579]  McCloghrie, K., "Textual Conventions for SMIv2",
              February 2008.

   [RFC2865]  Rigney, C., "Remote Authentication Dial In User Service
              (RADIUS)", RFC 2865, June 2000.

   [RFC3411]  Harrington, D., "An Architecture for Describing Simple
              Network Management Protocol (SNMP) Management
              Frameworks", RFC 3411, STD 62, December 2002.
   [RFC3414]  Blumenthal, U., "User-based Security Model (USM) for
              version 3 of the Simple Network Management Protocol
              (SNMPv3)", February 2008.

   [RFC3415]  Wijnen, B., "View-based Access Control Model (VACM) for
              the Simple Network Management Protocol (SNMP)", RFC 3415,
              December 2002.

   [TSM for SNMP]
              Harrington, D., "Transport Security Model for SNMP",
              draft-ietf-isms-transport-security-model-07,
              February 2008.

   [draft-ietf-isms-radius-usage]
              Narayan, K., "Remote Authentication Dial-In User Service
              (RADIUS) Usage for Simple Network Management Protocol
              (SNMP) Transport Models", June 2008.

   [radman]   Nelson, D., "Remote Authentication Dial-In User Service
              (RADIUS) Authorization for Network Access Server (NAS)
              Management", February 2008.

Authors' Addresses

   Chunxiu Li
   Huawei Technologies
   HuaWei Building, No.3 Xinxi Rd., Shang-Di Information Industry Base
   Beijing  100085
   China

   Phone: +86 010 82836081
   Email: lichunxiu@huawei.com
   URI:   http://www.huawei.com


   Yan Li
   Huawei Technologies
   HuaWei Building, No.3 Xinxi Rd., Shang-Di Information Industry Base
   Beijing  100085
   China

   Phone: +86 010 82836074
   Email: liyan_77@huawei.com
   URI:   http://www.huawei.com

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.
   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.