Management Information Base for Virtual Machines Controlled by a Hypervisor
draft-ietf-opsawg-vmm-mib-01
The information below is for an old version of the document.
| Field | Value |
|---|---|
| Document | This is an older version of an Internet-Draft that was ultimately published as RFC 7666. |
| Authors | Hirochika Asai, Michael MacFaden, Jürgen Schönwälder, Keiichi Shima, Tina Tsou (Ting ZOU) |
| Last updated | 2014-07-04 |
| Replaces | draft-asai-vmm-mib |
| RFC stream | Internet Engineering Task Force (IETF) |
| Reviews | GENART Telechat review (of -03) by Paul Kyzivat: Ready w/nits; GENART Last Call review (of -02) by Paul Kyzivat: Ready w/issues |
| Additional resources | Mailing list discussion |
| WG state | WG Document |
| Document shepherd | (None) |
| IESG state | Became RFC 7666 (Proposed Standard) |
| Consensus boilerplate | Unknown |
| Telechat date | (None) |
| Responsible AD | (None) |
| Send notices to | (None) |
draft-ietf-opsawg-vmm-mib-01
Transport Layer Security                                  D. Harkins, Ed.
Internet-Draft                                              HP Enterprise
Intended status: Informational                            August 28, 2017
Expires: March 1, 2018

      Secure Password Ciphersuites for Transport Layer Security (TLS)
                      draft-harkins-tls-dragonfly-02

Abstract

This memo defines several new ciphersuites for the Transport Layer Security (TLS) protocol to support certificate-less, secure authentication using only a simple, low-entropy, password. The exchange is called TLS-PWD. The ciphersuites are all based on an authentication and key exchange protocol, named "dragonfly", that is resistant to off-line dictionary attack.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on March 1, 2018.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Harkins Expires March 1, 2018 [Page 1]

Internet-Draft TLS Password August 2017

Table of Contents

   1. Background
      1.1. The Case for Certificate-less Authentication
      1.2. Resistance to Dictionary Attack
   2. Keyword Definitions
   3. Introduction
      3.1. Notation
      3.2. Discrete Logarithm Cryptography
         3.2.1. Elliptic Curve Cryptography
         3.2.2. Finite Field Cryptography
      3.3. Instantiating the Random Function
      3.4. Passwords
      3.5. Assumptions
   4. Specification of the TLS-PWD Handshake
      4.1. Protecting the Username
         4.1.1. Construction of a Protected Username
         4.1.2. Recovery of a Protected Username
      4.2. Fixing the Password Element
         4.2.1. Computing an ECC Password Element
         4.2.2. Computing an FFC Password Element
      4.3. Changes to Handshake Message Contents
         4.3.1. Client Hello Changes
         4.3.2. Server Key Exchange Changes
            4.3.2.1. Generation of ServerKeyExchange
            4.3.2.2. Processing of ServerKeyExchange
         4.3.3. Client Key Exchange Changes
            4.3.3.1. Generation of Client Key Exchange
            4.3.3.2. Processing of Client Key Exchange
      4.4. Computing the Premaster Secret
   5. Ciphersuite Definition
   6. Acknowledgements
   7. IANA Considerations
   8. Security Considerations
   9. Human Rights Considerations
   10. Implementation Considerations
   11. References
      11.1. Normative References
      11.2. Informative References
   Appendix A. Example Exchange
   Author's Address

1. Background

1.1. The Case for Certificate-less Authentication

TLS usually uses public key certificates for authentication [RFC5246]. This is problematic in some cases:

   o  Frequently, TLS [RFC5246] is used in devices owned, operated, and provisioned by people who lack competency to properly use certificates and merely want to establish a secure connection using a more natural credential like a simple password. The proliferation of deployments that use a self-signed server certificate in TLS [RFC5246] followed by a basic password exchange over the unauthenticated channel underscores this case.

   o  The alternatives to TLS-PWD for employing certificate-less TLS authentication-- using pre-shared keys in an exchange that is susceptible to dictionary attack, or using an SRP exchange that requires users to, a priori, be fixed to a specific finite field cryptography group for all subsequent connections-- are not acceptable for modern applications that require both security and cryptographic agility.

   o  A password is a more natural credential than a certificate (from early childhood people learn the semantics of a shared secret), so a password-based TLS ciphersuite can be used to protect an HTTP-based certificate enrollment scheme like EST [RFC7030] to parlay a simple password into a certificate for subsequent use with any certificate-based authentication protocol. This addresses a significant "chicken-and-egg" dilemma found with certificate-only use of [RFC5246].

   o  Some PIN-code readers will transfer the entered PIN to a smart card in clear text. Assuming a hostile environment, this is a bad practice. A password-based TLS ciphersuite can enable the establishment of an authenticated connection between reader and card based on the PIN.

1.2. Resistance to Dictionary Attack

It is a common misconception that a protocol that authenticates with a shared and secret credential is resistant to dictionary attack if the credential is assumed to be an N-bit uniformly random secret, where N is sufficiently large. The concept of resistance to dictionary attack really has nothing to do with whether that secret can be found in a standard collection of a language's defined words (i.e. a dictionary). It has to do with how an adversary gains an advantage in attacking the protocol.

For a protocol to be resistant to dictionary attack any advantage an adversary can gain must be a function of the amount of interactions she makes with an honest protocol participant and not a function of the amount of computation she uses. This means that the adversary will not be able to obtain any information about the password except whether a single guess from a single protocol run which she took part in is correct or incorrect.

It is assumed that the attacker has access to a pool of data from which the secret was drawn-- it could be all numbers between 1 and 2^N, it could be all defined words in a dictionary. The key is that the attacker cannot do an attack and then go off-line and enumerate through the pool trying potential secrets (computation) to see if one is correct. She must do an active attack for each secret she wishes to try (interaction) and the only information she can glean from that attack is whether the secret used with that particular attack is correct or not.

2. Keyword Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

3. Introduction

3.1. Notation

The following notation is used in this memo:

   password
      a secret, and potentially low-entropy, word, phrase, code or key used as a credential for authentication. The password is shared between the TLS client and TLS server.

   y = H(x)
      a binary string of arbitrary length, x, is given to a function H which produces a fixed-length output, y.

   a | b
      denotes concatenation of string a with string b.

   [a]b
      indicates a string consisting of the single bit "a" repeated "b" times.

   x mod y
      indicates the remainder of division of x by y. The result will be between 0 and y.

   len(x)
      indicates the length in bits of the string x.

   lgr(a,b)
      takes "a" and a prime, b, and returns the Legendre symbol (a/b).

   LSB(x)
      returns the least-significant bit of the bitstring "x".

   G.x
      indicates the x-coordinate of a point, G, on an elliptic curve.

3.2. Discrete Logarithm Cryptography

The ciphersuites defined in this memo use discrete logarithm cryptography (see [SP800-56A]) to produce an authenticated and shared secret value that is an element in a group defined by a set of domain parameters. The domain parameters can be based on either Finite Field Cryptography (FFC) or Elliptic Curve Cryptography (ECC).

Elements in a group, either an FFC or ECC group, are indicated using upper-case while scalar values are indicated using lower-case.

3.2.1. Elliptic Curve Cryptography

The authenticated key exchange defined in this memo uses fundamental algorithms of elliptic curves defined over GF(p) as described in [RFC6090]. Ciphersuites defined in this memo SHALL only use ECC curves based on the Weierstrass equation y^2 = x^3 + a*x + b.

Domain parameters for the ECC groups used by this memo are:

   o  A prime, p, determining a prime field GF(p). The cryptographic group will be a subgroup of the full elliptic curve group which consists of points on an elliptic curve-- elements from GF(p) that satisfy the curve's equation-- together with the "point at infinity" that serves as the identity element.

   o  Elements a and b from GF(p) that define the curve's equation. The point (x,y) in GF(p) x GF(p) is on the elliptic curve if and only if (y^2 - x^3 - a*x - b) mod p equals zero (0).

   o  A point, G, on the elliptic curve, which serves as a generator for the ECC group. G is chosen such that its order, with respect to elliptic curve addition, is a sufficiently large prime.

Internet-Draft Virtual Machine Monitoring MIB July 2014

                     vmUUID,
                     vmOperState
                   }
       STATUS      current
       DESCRIPTION
           "This notification is generated when a virtual machine
            has crashed.  The previous state of the virtual machine
            is indicated by the included value of vmOperState."
       ::= { vmNotifications 9 }

   vmBlocked NOTIFICATION-TYPE
       OBJECTS     { vmName, vmUUID, vmOperState }
       STATUS      current
       DESCRIPTION
           "This notification is generated when the operational
            state of a virtual machine has been changed to
            blocked(5).  The previous state of the virtual machine
            is indicated by the included value of vmOperState."
       ::= { vmNotifications 10 }

   vmDeleted NOTIFICATION-TYPE
       OBJECTS     { vmName, vmUUID, vmOperState, vmPersistent }
       STATUS      current
       DESCRIPTION
           "This notification is generated when a virtual machine
            has been deleted.  The prior state of the virtual
            machine is indicated by the included value of
            vmOperState."
       ::= { vmNotifications 11 }

Asai, et al. Expires January 5, 2015 [Page 39]

   vmBulkRunning NOTIFICATION-TYPE
       OBJECTS     { vmAffectedVMs }
       STATUS      current
       DESCRIPTION
           "This notification is generated when the operational
            state of one or more virtual machines has been changed
            to running(4) from any prior state other than
            running(4).  Management stations are encouraged to
            subsequently poll the subset of virtual machines of
            interest for vmOperState."
       ::= { vmNotifications 12 }

   vmBulkShuttingdown NOTIFICATION-TYPE
       OBJECTS     { vmAffectedVMs }
       STATUS      current
       DESCRIPTION
           "This notification is generated when the operational
            state of one or more virtual machines has been changed
            to shuttingdown(11) from a state other than
            shuttingdown(11).  Management stations are encouraged
            to subsequently poll the subset of virtual machines of
            interest for vmOperState."
       ::= { vmNotifications 13 }

   vmBulkShutdown NOTIFICATION-TYPE
       OBJECTS     { vmAffectedVMs }
       STATUS      current
       DESCRIPTION
           "This notification is generated when the operational
            state of one or more virtual machines has been changed
            to shutdown(12) from a state other than shutdown(12).
            Management stations are encouraged to subsequently poll
            the subset of virtual machines of interest for
            vmOperState."
       ::= { vmNotifications 14 }

   vmBulkPaused NOTIFICATION-TYPE
       OBJECTS     { vmAffectedVMs }
       STATUS      current
       DESCRIPTION
           "This notification is generated when the operational
            state of one or more virtual machines has been changed
            to paused(9) from a state other than paused(9).
            Management stations are encouraged to subsequently poll
            the subset of virtual machines of interest for
            vmOperState."
       ::= { vmNotifications 15 }

   vmBulkSuspending NOTIFICATION-TYPE
       OBJECTS     { vmAffectedVMs }
       STATUS      current
       DESCRIPTION
           "This notification is generated when the operational
            state of one or more virtual machines has been changed
            to suspending(6) from a state other than suspending(6).
            Management stations are encouraged to subsequently poll
            the subset of virtual machines of interest for
            vmOperState."
       ::= { vmNotifications 16 }

   vmBulkSuspended NOTIFICATION-TYPE
       OBJECTS     { vmAffectedVMs }
       STATUS      current
       DESCRIPTION
           "This notification is generated when the operational
            state of one or more virtual machines has been changed
            to suspended(7) from a state other than suspended(7).
            Management stations are encouraged to subsequently poll
            the subset of virtual machines of interest for
            vmOperState."
       ::= { vmNotifications 17 }

   vmBulkResuming NOTIFICATION-TYPE
       OBJECTS     { vmAffectedVMs }
       STATUS      current
       DESCRIPTION
           "This notification is generated when the operational
            state of one or more virtual machines has been changed
            to resuming(8) from a state other than resuming(8).
            Management stations are encouraged to subsequently poll
            the subset of virtual machines of interest for
            vmOperState."
       ::= { vmNotifications 18 }

   vmBulkMigrating NOTIFICATION-TYPE
       OBJECTS     { vmAffectedVMs }
       STATUS      current
       DESCRIPTION
           "This notification is generated when the operational
            state of one or more virtual machines has been changed
            to migrating(10) from a state other than migrating(10).
            Management stations are encouraged to subsequently poll
            the subset of virtual machines of interest for
            vmOperState."
       ::= { vmNotifications 19 }

   vmBulkCrashed NOTIFICATION-TYPE
       OBJECTS     { vmAffectedVMs }
       STATUS      current
       DESCRIPTION
           "This notification is generated when one or more virtual
            machines have crashed.  Management stations are
            encouraged to subsequently poll the subset of virtual
            machines of interest for vmOperState."
       ::= { vmNotifications 20 }

   vmBulkBlocked NOTIFICATION-TYPE
       OBJECTS     { vmAffectedVMs }
       STATUS      current
       DESCRIPTION
           "This notification is generated when the operational
            state of one or more virtual machines has been changed
            to blocked(5) from a state other than blocked(5).
            Management stations are encouraged to subsequently poll
            the subset of virtual machines of interest for
            vmOperState."
       ::= { vmNotifications 21 }

   vmBulkDeleted NOTIFICATION-TYPE
       OBJECTS     { vmAffectedVMs }
       STATUS      current
       DESCRIPTION
           "This notification is generated when one or more virtual
            machines have been deleted.  Management stations are
            encouraged to subsequently poll the subset of virtual
            machines of interest for vmOperState."
       ::= { vmNotifications 22 }

   -- Compliance definitions:

   vmCompliances OBJECT IDENTIFIER ::= { vmConformance 1 }
   vmGroups      OBJECT IDENTIFIER ::= { vmConformance 2 }

   vmFullCompliances MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "Compliance statement for implementations supporting
            read/write access, according to the object definitions."
       MODULE  -- this module
       MANDATORY-GROUPS {
           vmHypervisorGroup,
           vmVirtualMachineGroup,
           vmCpuGroup,
           vmCpuAffinityGroup,
           vmStorageGroup,
           vmNetworkGroup
       }
       GROUP vmPerVMNotificationOptionalGroup
       DESCRIPTION
           "Support for per-VM notifications is optional.  If not
            implemented then vmPerVMNotificationsEnabled must report
            false(2)."
       GROUP vmBulkNotificationsVariablesGroup
       DESCRIPTION
           "Necessary only if vmPerVMNotificationOptionalGroup is
            implemented."
       GROUP vmBulkNotificationOptionalGroup
       DESCRIPTION
           "Support for bulk notifications is optional.  If not
            implemented then vmBulkNotificationsEnabled must report
            false(2)."
       ::= { vmCompliances 1 }

   vmReadOnlyCompliances MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "Compliance statement for implementations supporting
            only read-only access."
       MODULE  -- this module
       MANDATORY-GROUPS {
           vmHypervisorGroup,
           vmVirtualMachineGroup,
           vmCpuGroup,
           vmCpuAffinityGroup,
           vmStorageGroup,
           vmNetworkGroup
       }
       OBJECT vmPerVMNotificationsEnabled
       MIN-ACCESS  read-only
       DESCRIPTION
           "Write access is not required."
       OBJECT vmBulkNotificationsEnabled
       MIN-ACCESS  read-only
       DESCRIPTION
           "Write access is not required."
       ::= { vmCompliances 2 }

   vmHypervisorGroup OBJECT-GROUP
       OBJECTS {
           vmHvSoftware,
           vmHvVersion,
           vmHvObjectID,
           vmHvUpTime,
           vmNumber,
           vmTableLastChange,
           vmPerVMNotificationsEnabled,
           vmBulkNotificationsEnabled
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing insight into the
            hypervisor itself."
       ::= { vmGroups 1 }

   vmVirtualMachineGroup OBJECT-GROUP
       OBJECTS {
           -- vmIndex
           vmName,
           vmUUID,
           vmOSType,
           vmAdminState,
           vmOperState,
           vmAutoStart,
           vmPersistent,
           vmCurCpuNumber,
           vmMinCpuNumber,
           vmMaxCpuNumber,
           vmMemUnit,
           vmCurMem,
           vmMinMem,
           vmMaxMem,
           vmUpTime,
           vmCpuTime
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing insight into the
            virtual machines controlled by a hypervisor."
       ::= { vmGroups 2 }

   vmCpuGroup OBJECT-GROUP
       OBJECTS {
           -- vmCpuIndex,
           vmCpuCoreTime
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing insight into the
            virtual machines controlled by a hypervisor."
       ::= { vmGroups 3 }

   vmCpuAffinityGroup OBJECT-GROUP
       OBJECTS {
           -- vmCpuPhysIndex,
           vmCpuAffinity
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing insight into the
            virtual machines controlled by a hypervisor."
       ::= { vmGroups 4 }

   vmStorageGroup OBJECT-GROUP
       OBJECTS {
           -- vmStorageVmIndex,
           -- vmStorageIndex,
           vmStorageParent,
           vmStorageSourceType,
           vmStorageSourceTypeString,
           vmStorageResourceID,
           vmStorageAccess,
           vmStorageMediaType,
           vmStorageMediaTypeString,
           vmStorageSizeUnit,
           vmStorageDefinedSize,
           vmStorageAllocatedSize,
           vmStorageReadIOs,
           vmStorageWriteIOs
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing insight into the
            virtual storage devices controlled by a hypervisor."
       ::= { vmGroups 5 }

   vmNetworkGroup OBJECT-GROUP
       OBJECTS {
           -- vmNetworkIndex,
           vmNetworkIfIndex,
           vmNetworkParent,
           vmNetworkModel,
           vmNetworkPhysAddress
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing insight into the
            virtual network interfaces controlled by a hypervisor."
       ::= { vmGroups 6 }

   vmPerVMNotificationOptionalGroup NOTIFICATION-GROUP
       NOTIFICATIONS {
           vmRunning,
           vmShuttingdown,
           vmShutdown,
           vmPaused,
           vmSuspending,
           vmSuspended,
           vmResuming,
           vmMigrating,
           vmCrashed,
           vmBlocked,
           vmDeleted
       }
       STATUS      current
       DESCRIPTION
           "A collection of notifications for per-VM notification
            of changes to virtual machine state (vmOperState) as
            reported by a hypervisor."
       ::= { vmGroups 7 }

   vmBulkNotificationsVariablesGroup OBJECT-GROUP
       OBJECTS     { vmAffectedVMs }
       STATUS      current
       DESCRIPTION
           "The variables used in vmBulkNotificationOptionalGroup."
       ::= { vmGroups 8 }

   vmBulkNotificationOptionalGroup NOTIFICATION-GROUP
       NOTIFICATIONS {
           vmBulkRunning,
           vmBulkShuttingdown,
           vmBulkShutdown,
           vmBulkPaused,
           vmBulkSuspending,
           vmBulkSuspended,
           vmBulkResuming,
           vmBulkMigrating,
           vmBulkCrashed,
           vmBulkBlocked,
           vmBulkDeleted
       }
       STATUS      current
       DESCRIPTION
           "A collection of notifications for bulk notification of
            changes to virtual machine state (vmOperState) as
            reported by a given hypervisor."
       ::= { vmGroups 9 }

   END

7. IANA Considerations

The MIB module in this document uses the following IANA-assigned OBJECT IDENTIFIER values recorded in the SMI Numbers registry:

   Descriptor        OBJECT IDENTIFIER value
   ----------        -----------------------
   vmMIB             { mib-2 TBD }

8. Security Considerations

There are two objects defined in this MIB, vmPerVMNotificationsEnabled and vmBulkNotificationsEnabled, that have a MAX-ACCESS clause of read-write. Such objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection can have a negative effect on the management system. It is recommended that attention be given to these objects in scenarios that DO NOT use SNMPv3 strong security, i.e. authentication and encryption. When SNMPv3 strong security is not used, these objects should have access of read-only, not read-write.

There are a number of managed objects in this MIB that may contain sensitive information. The objects vmHvSoftware and vmHvVersion list information about the hypervisor's software and version. Some may wish not to disclose to others which software they are running.
Further, an inventory of the running software and versions may be helpful to an attacker who hopes to exploit software bugs in certain applications. Moreover, the objects in the vmTable, vmCpuTable, vmCpuAffinityTable, vmStorageTable and vmNetworkTable list information about the virtual machines and their virtual resource allocation. Some may wish not to disclose to others how many and what virtual machines they are operating. It is thus important to control even GET access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP.

Not all versions of SNMP provide features for such a secure environment. SNMPv1 by itself is not a secure environment. Even if the network itself is secure (for example by using IPsec), there is still no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB.

It is recommended that implementers consider the security features provided by the SNMPv3 framework. Specifically, the use of the User-based Security Model [RFC3414] and the View-based Access Control Model [RFC3415] is recommended. It is then a customer/user responsibility to ensure that the SNMP entity giving access to an instance of this MIB is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.

9. Acknowledgements

The authors would like to thank Joe Marcus Clarke, Randy Presuhn, David Black, Joel Jaeggli, Tom Petch, Andy Bierman, and C. M. Heard for providing helpful comments during the development of this specification.

Juergen Schoenwaelder was partly funded by Flamingo, a Network of Excellence project (ICT-318488) supported by the European Commission under its Seventh Framework Programme.
10. References

10.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.

   [RFC2790]  Waldbusser, S. and P. Grillo, "Host Resources MIB", RFC 2790, March 2000.

   [RFC2863]  McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB", RFC 2863, June 2000.

   [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network Management Protocol (SNMP) Applications", STD 62, RFC 3413, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3418, December 2002.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, July 2005.

   [RFC6933]  Bierman, A., Romascanu, D., Quittek, J., and M. Chandramouli, "Entity MIB (Version 4)", RFC 6933, May 2013.

10.2. Informative References

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002.

   [IEEE8021-BRIDGE-MIB]  IEEE, "IEEE8021-BRIDGE-MIB", <http://www.ieee802.org/1/files/public/MIBs/IEEE8021-BRIDGE-MIB-200810150000Z.txt>.

   [IEEE8021-Q-BRIDGE-MIB]  IEEE, "IEEE8021-BRIDGE-MIB", <http://www.ieee802.org/1/files/public/MIBs/IEEE8021-Q-BRIDGE-MIB-200810150000Z.txt>.

Appendix A. State Transition Table

   +--------------+----------------------------------+------------------+-----------------------------------+
   | State        | Change to vmAdminState at the    | Next state       | Notification                      |
   |              | hypervisor or (Event)            |                  |                                   |
   +--------------+----------------------------------+------------------+-----------------------------------+
   | suspended    | running                          | resuming         | vmResuming, vmBulkResuming        |
   | suspending   | (suspend operation completed)    | suspended        | vmSuspended, vmBulkSuspended      |
   | running      | suspended                        | suspending       | vmSuspending, vmBulkSuspending    |
   | running      | shutdown                         | shuttingdown     | vmShuttingdown,                   |
   |              |                                  |                  | vmBulkShuttingdown                |
   | running      | destroy                          | shutdown         | vmShutdown, vmBulkShutdown        |
   | running      | (migration to other hypervisor   | migrating        | vmMigrating, vmBulkMigrating      |
   |              | initiated)                       |                  |                                   |
   | resuming     | (resume operation completed)     | running          | vmRunning, vmBulkRunning          |
   | paused       | running                          | running          | vmRunning, vmBulkRunning          |
   | shuttingdown | (shutdown operation completed)   | shutdown         | vmShutdown, vmBulkShutdown        |
   | shutdown     | running                          | running          | vmRunning, vmBulkRunning          |
   | shutdown     | (if this state entry is created  | migrating        | vmMigrating, vmBulkMigrating      |
   |              | by a migration operation (*))    |                  |                                   |
   | shutdown     | (deletion operation completed)   | (no state)       | vmDeleted, vmBulkDeleted          |
   | migrating    | (migration from other hypervisor | running          | vmRunning, vmBulkRunning          |
   |              | completed)                       |                  |                                   |
   | migrating    | (migration to other hypervisor   | shutdown         | vmShutdown, vmBulkShutdown        |
   |              | completed)                       |                  |                                   |
   | preparing    | (preparation completed)          | shutdown         | vmShutdown, vmBulkShutdown        |
   | blocked      | (blocking operation completed)   | (previous state) | -                                 |
   | crashed      | -                                | -                | -                                 |
   | (any)        | (blocking operation initiated)   | blocked          | vmBlocked, vmBulkBlocked          |
   | (any)        | (crashed)                        | crashed          | vmCrashed, vmBulkCrashed          |
   | (no state)   | (preparation initiated)          | preparing        | -                                 |
   | (no state)   | (migrate from other hypervisor   | shutdown (*)     | vmShutdown, vmBulkShutdown        |
   |              | initiated)                       |                  |                                   |
   +--------------+----------------------------------+------------------+-----------------------------------+

   State transition table for vmOperState

Authors' Addresses

   Hirochika Asai
   The University of Tokyo
   7-3-1 Hongo
   Bunkyo-ku, Tokyo 113-8656
   JP
   Phone: +81 3 5841 6748
   Email: panda@hongo.wide.ad.jp

   Michael MacFaden
   VMware Inc.
   Email: mrm@vmware.com

   Juergen Schoenwaelder
   Jacobs University
   Campus Ring 1
   Bremen 28759
   Germany
   Email: j.schoenwaelder@jacobs-university.de

   Keiichi Shima
   IIJ Innovation Institute Inc.
   3-13 Kanda-Nishikicho
   Chiyoda-ku, Tokyo 101-0054
   JP
   Email: keiichi@iijlab.net

   Tina Tsou
   Huawei Technologies (USA)
   2330 Central Expressway
   Santa Clara, CA 95050
   USA
   Email: tina.tsou.zouting@huawei.com

   Yuji Sekiya
   The University of Tokyo
   2-11-16 Yayoi
   Bunkyo-ku, Tokyo 113-8658
   JP
   Email: sekiya@wide.ad.jp

   Cathy Zhou
   Huawei Technologies
   Bantian, Longgang District
   Shenzhen 518129
   P.R. China
   Email: cathyzhou@huawei.com

   Hiroshi Esaki
   The University of Tokyo
   7-3-1 Hongo
   Bunkyo-ku, Tokyo 113-8656
   JP
   Phone: +81 3 5841 6748
   Email: hiroshi@wide.ad.jp
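The vmOperState state transition table in Appendix A, turned into a checker a management station can run over successive polls of vmTable, so that a received per-VM notification, or a change seen when polling after a bulk notification, can be matched against the transitions the MIB defines. This is an added example, not code from the draft or from any implementation of it; it assumes the vmOperState numbers quoted in the notification definitions, takes preparing(3) and crashed(13) from the RFC 7666 enumeration because this excerpt names those states without numbering them, treats a VM missing from vmTable as the table's "(no state)", and the poll rounds are constructed sample data.

```python
"""Check observed vmOperState transitions against the Appendix A table.
Added example, not part of the draft: a management station can use it to
verify that a per-VM notification it received, or a transition it sees when
polling vmTable after a bulk notification, is one the MIB actually defines."""

# vmOperState codes quoted in the notification definitions; preparing(3) and
# crashed(13) are ASSUMED from the RFC 7666 enumeration (not numbered here).
OPER_STATE = {
    3: "preparing", 4: "running", 5: "blocked", 6: "suspending",
    7: "suspended", 8: "resuming", 9: "paused", 10: "migrating",
    11: "shuttingdown", 12: "shutdown", 13: "crashed",
}
NO_STATE = None  # the table's "(no state)": the VM is absent from vmTable

# (previous, next) -> per-VM notification, "" where the table lists none.
# The bulk variant is always "vmBulk" plus the same suffix.
TRANSITIONS = {
    ("suspended", "resuming"): "vmResuming",
    ("suspending", "suspended"): "vmSuspended",
    ("running", "suspending"): "vmSuspending",
    ("running", "shuttingdown"): "vmShuttingdown",
    ("running", "shutdown"): "vmShutdown",      # destroy
    ("running", "migrating"): "vmMigrating",    # migration out initiated
    ("resuming", "running"): "vmRunning",
    ("paused", "running"): "vmRunning",
    ("shuttingdown", "shutdown"): "vmShutdown",
    ("shutdown", "running"): "vmRunning",
    ("shutdown", "migrating"): "vmMigrating",   # entry created by migration (*)
    ("shutdown", NO_STATE): "vmDeleted",
    ("migrating", "running"): "vmRunning",      # migration in completed
    ("migrating", "shutdown"): "vmShutdown",    # migration out completed
    ("preparing", "shutdown"): "vmShutdown",
    (NO_STATE, "preparing"): "",
    (NO_STATE, "shutdown"): "vmShutdown",       # migration in initiated (*)
}
FROM_ANY = {"blocked": "vmBlocked", "crashed": "vmCrashed"}  # "(any)" rows


def expected_notifications(prev, new, before_block=None):
    """Return (per-VM, bulk) notification names for prev -> new, or raise
    ValueError if the table defines no such transition.  before_block is the
    state held before blocking; leaving blocked restores it silently."""
    if prev == "blocked":
        if new != before_block:
            raise ValueError(f"blocked -> {new}, table expects {before_block}")
        return "", ""
    if prev is not NO_STATE and new in FROM_ANY:
        name = FROM_ANY[new]
    elif (prev, new) in TRANSITIONS:
        name = TRANSITIONS[(prev, new)]
    else:
        raise ValueError(f"transition {prev} -> {new} is not in the table")
    return (name, "vmBulk" + name[2:]) if name else ("", "")


def audit_polls(rounds):
    """Replay successive polls of vmTable ({vmIndex: vmOperState code}); the
    first poll is the baseline.  Returns (events, anomalies): events are
    (round, vmIndex, perVmNotification, bulkNotification) the agent should
    have sent, anomalies are (round, vmIndex, reason) for undefined moves."""
    def state_name(code):
        return NO_STATE if code is None else OPER_STATE.get(code, f"code({code})")

    known = {idx: state_name(code) for idx, code in rounds[0].items()}
    before_block, events, anomalies = {}, [], []
    for n, snapshot in enumerate(rounds[1:], start=1):
        for idx in sorted(set(known) | set(snapshot)):
            prev, new = known.get(idx, NO_STATE), state_name(snapshot.get(idx))
            if prev == new:
                continue
            try:
                per_vm, bulk = expected_notifications(prev, new, before_block.get(idx))
            except ValueError as exc:
                anomalies.append((n, idx, str(exc)))
            else:
                if per_vm:
                    events.append((n, idx, per_vm, bulk))
            if new == "blocked":
                before_block[idx] = prev
            if new is NO_STATE:
                known.pop(idx, None)
            else:
                known[idx] = new
    return events, anomalies


# Constructed sample: three VMs polled six times (vmIndex -> vmOperState code).
SAMPLE_ROUNDS = [
    {1: 12, 2: 4},          # baseline: vm1 shutdown, vm2 running
    {1: 4, 2: 4},           # vm1 started
    {1: 4, 2: 11},          # vm2 shutting down
    {1: 5, 2: 12},          # vm1 blocked, vm2 shut down
    {1: 4, 2: 12, 3: 3},    # vm1 unblocked, vm3 being prepared
    {1: 7, 3: 12},          # vm1 suspended without suspending seen; vm2 gone
]
```

A poll-only observer can miss a transient state (running seen directly as suspended, with suspending in between), so an undefined transition is a prompt to look at the agent and the polling interval rather than proof of a faulty hypervisor.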