View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
RFC 3415
| Document | Type |
RFC - Internet Standard
(December 2002; Errata)
Obsoletes RFC 2575
|
|
|---|---|---|---|
| Last updated | 2015-10-14 | ||
| Stream | IETF | ||
| Formats | plain text pdf htmlized with errata bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 3415 (Internet Standard) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Randy Bush | ||
| IESG note |
Approved Responsible: RFC Editor |
||
| Send notices to | (None) | ||
Network Working Group B. Wijnen
Request for Comments: 3415 Lucent Technologies
STD: 62 R. Presuhn
Obsoletes: 2575 BMC Software, Inc.
Category: Standards Track K. McCloghrie
Cisco Systems, Inc.
December 2002
View-based Access Control Model (VACM) for the
Simple Network Management Protocol (SNMP)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This document describes the View-based Access Control Model (VACM)
for use in the Simple Network Management Protocol (SNMP)
architecture. It defines the Elements of Procedure for controlling
access to management information. This document also includes a
Management Information Base (MIB) for remotely managing the
configuration parameters for the View-based Access Control Model.
This document obsoletes RFC 2575.
Wijnen, et al. Standards Track [Page 1]
RFC 3415 VACM for the SNMP December 2002
Table of Contents
1. Introduction ................................................. 2
1.2. Access Control ............................................. 3
1.3. Local Configuration Datastore .............................. 3
2. Elements of the Model ........................................ 4
2.1. Groups ..................................................... 4
2.2. securityLevel .............................................. 4
2.3. Contexts ................................................... 4
2.4. MIB Views and View Families ................................ 5
2.4.1. View Subtree ............................................. 5
2.4.2. ViewTreeFamily ........................................... 6
2.5. Access Policy .............................................. 6
3. Elements of Procedure ........................................ 7
3.1. Overview of isAccessAllowed Process ....................... 8
3.2. Processing the isAccessAllowed Service Request ............. 9
4. Definitions .................................................. 11
5. Intellectual Property ........................................ 28
6. Acknowledgements ............................................. 28
7. Security Considerations ...................................... 30
7.1. Recommended Practices ...................................... 30
7.2. Defining Groups ............................................ 30
7.3. Conformance ................................................ 31
7.4. Access to the SNMP-VIEW-BASED-ACM-MIB ...................... 31
8. References ................................................... 31
A. Installation ................................................. 33
B. Change Log ................................................... 36
Editors' Addresses ............................................... 38
Full Copyright Statement ......................................... 39
1. Introduction
The Architecture for describing Internet Management Frameworks
[RFC3411] describes that an SNMP engine is composed of:
1) a Dispatcher
2) a Message Processing Subsystem,
3) a Security Subsystem, and
4) an Access Control Subsystem.
Applications make use of the services of these subsystems.
It is important to understand the SNMP architecture and its
terminology to understand where the View-based Access Control Model
described in this document fits into the architecture and interacts
with other subsystems within the architecture. The reader is
expected to have read and understood the description and terminology
of the SNMP architecture, as defined in [RFC3411].
Wijnen, et al. Standards Track [Page 2]
RFC 3415 VACM for the SNMP December 2002
The Access Control Subsystem of an SNMP engine has the responsibility
for checking whether a specific type of access (read, write, notify)
to a particular object (instance) is allowed.
It is the purpose of this document to define a specific model of the
Access Control Subsystem, designated the View-based Access Control
Model. Note that this is not necessarily the only Access Control
Show full document text