Diffstat (limited to 'mibs/SNMP-TLS-TM-MIB.txt')
-rw-r--r--mibs/SNMP-TLS-TM-MIB.txt1065
1 files changed, 1065 insertions, 0 deletions
diff --git a/mibs/SNMP-TLS-TM-MIB.txt b/mibs/SNMP-TLS-TM-MIB.txt
new file mode 100644
index 0000000..848dff1
--- /dev/null
+++ b/mibs/SNMP-TLS-TM-MIB.txt
@@ -0,0 +1,1065 @@
+SNMP-TLS-TM-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE,
+ OBJECT-IDENTITY, mib-2, snmpDomains,
+ Counter32, Unsigned32, Gauge32, NOTIFICATION-TYPE
+ FROM SNMPv2-SMI -- RFC 2578 or any update thereof
+ TEXTUAL-CONVENTION, TimeStamp, RowStatus, StorageType,
+ AutonomousType
+ FROM SNMPv2-TC -- RFC 2579 or any update thereof
+ MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
+ FROM SNMPv2-CONF -- RFC 2580 or any update thereof
+ SnmpAdminString
+ FROM SNMP-FRAMEWORK-MIB -- RFC 3411 or any update thereof
+ snmpTargetParamsName, snmpTargetAddrName
+ FROM SNMP-TARGET-MIB -- RFC 3413 or any update thereof
+ ;
+
+snmpTlstmMIB MODULE-IDENTITY
+ LAST-UPDATED "201107190000Z"
+
+ ORGANIZATION "ISMS Working Group"
+ CONTACT-INFO "WG-EMail: isms@lists.ietf.org
+ Subscribe: isms-request@lists.ietf.org
+
+ Chairs:
+ Juergen Schoenwaelder
+ Jacobs University Bremen
+ Campus Ring 1
+ 28725 Bremen
+ Germany
+ +49 421 200-3587
+ j.schoenwaelder@jacobs-university.de
+
+ Russ Mundy
+ SPARTA, Inc.
+ 7110 Samuel Morse Drive
+ Columbia, MD 21046
+ USA
+
+ Editor:
+ Wes Hardaker
+ SPARTA, Inc.
+ P.O. Box 382
+ Davis, CA 95617
+ USA
+ ietf@hardakers.net
+ "
+ DESCRIPTION "
+ The TLS Transport Model MIB
+
+ Copyright (c) 2010-2011 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD License
+ set forth in Section 4.c of the IETF Trust's Legal Provisions
+ Relating to IETF Documents
+ (http://trustee.ietf.org/license-info)."
+
+ REVISION "201107190000Z"
+ DESCRIPTION "This version of this MIB module is part of
+ RFC 6353; see the RFC itself for full legal
+ notices. The only change was to introduce
+ new wording to reflect require changes for
+ IDNA addresses in the SnmpTLSAddress TC."
+
+ REVISION "201005070000Z"
+ DESCRIPTION "This version of this MIB module is part of
+ RFC 5953; see the RFC itself for full legal
+ notices."
+ ::= { mib-2 198 }
+
+-- ************************************************
+-- subtrees of the SNMP-TLS-TM-MIB
+-- ************************************************
+
+snmpTlstmNotifications OBJECT IDENTIFIER ::= { snmpTlstmMIB 0 }
+snmpTlstmIdentities OBJECT IDENTIFIER ::= { snmpTlstmMIB 1 }
+snmpTlstmObjects OBJECT IDENTIFIER ::= { snmpTlstmMIB 2 }
+snmpTlstmConformance OBJECT IDENTIFIER ::= { snmpTlstmMIB 3 }
+
+-- ************************************************
+-- snmpTlstmObjects - Objects
+-- ************************************************
+
+snmpTLSTCPDomain OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The SNMP over TLS via TCP transport domain. The
+ corresponding transport address is of type SnmpTLSAddress.
+
+ The securityName prefix to be associated with the
+ snmpTLSTCPDomain is 'tls'. This prefix may be used by
+ security models or other components to identify which secure
+ transport infrastructure authenticated a securityName."
+ REFERENCE
+ "RFC 2579: Textual Conventions for SMIv2"
+ ::= { snmpDomains 8 }
+
+snmpDTLSUDPDomain OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The SNMP over DTLS via UDP transport domain. The
+ corresponding transport address is of type SnmpTLSAddress.
+
+ The securityName prefix to be associated with the
+ snmpDTLSUDPDomain is 'dtls'. This prefix may be used by
+ security models or other components to identify which secure
+ transport infrastructure authenticated a securityName."
+ REFERENCE
+ "RFC 2579: Textual Conventions for SMIv2"
+ ::= { snmpDomains 9 }
+
+SnmpTLSAddress ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "1a"
+ STATUS current
+ DESCRIPTION
+ "Represents an IPv4 address, an IPv6 address, or a
+ US-ASCII-encoded hostname and port number.
+
+ An IPv4 address must be in dotted decimal format followed by a
+ colon ':' (US-ASCII character 0x3A) and a decimal port number
+ in US-ASCII.
+
+ An IPv6 address must be a colon-separated format (as described
+ in RFC 5952), surrounded by square brackets ('[', US-ASCII
+ character 0x5B, and ']', US-ASCII character 0x5D), followed by
+ a colon ':' (US-ASCII character 0x3A) and a decimal port number
+ in US-ASCII.
+
+ A hostname is always in US-ASCII (as per RFC 1123);
+ internationalized hostnames are encoded as A-labels as specified
+ in RFC 5890. The hostname is followed by a
+ colon ':' (US-ASCII character 0x3A) and a decimal port number
+ in US-ASCII. The name SHOULD be fully qualified whenever
+ possible.
+
+ Values of this textual convention may not be directly usable
+ as transport-layer addressing information, and may require
+ run-time resolution. As such, applications that write them
+ must be prepared for handling errors if such values are not
+ supported, or cannot be resolved (if resolution occurs at the
+ time of the management operation).
+
+ The DESCRIPTION clause of TransportAddress objects that may
+ have SnmpTLSAddress values must fully describe how (and
+ when) such names are to be resolved to IP addresses and vice
+ versa.
+
+ This textual convention SHOULD NOT be used directly in object
+ definitions since it restricts addresses to a specific
+ format. However, if it is used, it MAY be used either on its
+ own or in conjunction with TransportAddressType or
+ TransportDomain as a pair.
+
+ When this textual convention is used as a syntax of an index
+ object, there may be issues with the limit of 128
+ sub-identifiers specified in SMIv2 (STD 58). It is RECOMMENDED
+ that all MIB documents using this textual convention make
+ explicit any limitations on index component lengths that
+ management software must observe. This may be done either by
+
+ including SIZE constraints on the index components or by
+ specifying applicable constraints in the conceptual row
+ DESCRIPTION clause or in the surrounding documentation."
+ REFERENCE
+ "RFC 1123: Requirements for Internet Hosts - Application and
+ Support
+ RFC 5890: Internationalized Domain Names for Applications (IDNA):
+ Definitions and Document Framework
+ RFC 5952: A Recommendation for IPv6 Address Text Representation
+ "
+ SYNTAX OCTET STRING (SIZE (1..255))
+
+SnmpTLSFingerprint ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "1x:1x"
+ STATUS current
+ DESCRIPTION
+ "A fingerprint value that can be used to uniquely reference
+ other data of potentially arbitrary length.
+
+ An SnmpTLSFingerprint value is composed of a 1-octet hashing
+ algorithm identifier followed by the fingerprint value. The
+ octet value encoded is taken from the IANA TLS HashAlgorithm
+ Registry (RFC 5246). The remaining octets are filled using the
+ results of the hashing algorithm.
+
+ This TEXTUAL-CONVENTION allows for a zero-length (blank)
+ SnmpTLSFingerprint value for use in tables where the
+ fingerprint value may be optional. MIB definitions or
+ implementations may refuse to accept a zero-length value as
+ appropriate."
+ REFERENCE "RFC 5246: The Transport Layer
+ Security (TLS) Protocol Version 1.2
+ http://www.iana.org/assignments/tls-parameters/
+ "
+ SYNTAX OCTET STRING (SIZE (0..255))
+
+-- Identities for use in the snmpTlstmCertToTSNTable
+
+snmpTlstmCertToTSNMIdentities OBJECT IDENTIFIER
+ ::= { snmpTlstmIdentities 1 }
+
+snmpTlstmCertSpecified OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "Directly specifies the tmSecurityName to be used for
+ this certificate. The value of the tmSecurityName
+ to use is specified in the snmpTlstmCertToTSNData
+ column. The snmpTlstmCertToTSNData column must
+ contain a non-zero length SnmpAdminString compliant
+
+ value or the mapping described in this row must be
+ considered a failure."
+ ::= { snmpTlstmCertToTSNMIdentities 1 }
+
+snmpTlstmCertSANRFC822Name OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "Maps a subjectAltName's rfc822Name to a
+ tmSecurityName. The local part of the rfc822Name is
+ passed unaltered but the host-part of the name must
+ be passed in lowercase. This mapping results in a
+ 1:1 correspondence between equivalent subjectAltName
+ rfc822Name values and tmSecurityName values except
+ that the host-part of the name MUST be passed in
+ lowercase.
+
+ Example rfc822Name Field: FooBar@Example.COM
+ is mapped to tmSecurityName: FooBar@example.com."
+ ::= { snmpTlstmCertToTSNMIdentities 2 }
+
+snmpTlstmCertSANDNSName OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "Maps a subjectAltName's dNSName to a
+ tmSecurityName after first converting it to all
+ lowercase (RFC 5280 does not specify converting to
+ lowercase so this involves an extra step). This
+ mapping results in a 1:1 correspondence between
+ subjectAltName dNSName values and the tmSecurityName
+ values."
+ REFERENCE "RFC 5280 - Internet X.509 Public Key Infrastructure
+ Certificate and Certificate Revocation
+ List (CRL) Profile."
+ ::= { snmpTlstmCertToTSNMIdentities 3 }
+
+snmpTlstmCertSANIpAddress OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "Maps a subjectAltName's iPAddress to a
+ tmSecurityName by transforming the binary encoded
+ address as follows:
+
+ 1) for IPv4, the value is converted into a
+ decimal-dotted quad address (e.g., '192.0.2.1').
+
+ 2) for IPv6 addresses, the value is converted into a
+ 32-character all lowercase hexadecimal string
+ without any colon separators.
+
+ This mapping results in a 1:1 correspondence between
+ subjectAltName iPAddress values and the
+ tmSecurityName values.
+
+ The resulting length of an encoded IPv6 address is
+ the maximum length supported by the View-Based
+ Access Control Model (VACM). Using both the
+ Transport Security Model's support for transport
+ prefixes (see the SNMP-TSM-MIB's
+ snmpTsmConfigurationUsePrefix object for details)
+ will result in securityName lengths that exceed what
+ VACM can handle."
+ ::= { snmpTlstmCertToTSNMIdentities 4 }
+
+snmpTlstmCertSANAny OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "Maps any of the following fields using the
+ corresponding mapping algorithms:
+
+ |------------+----------------------------|
+ | Type | Algorithm |
+ |------------+----------------------------|
+ | rfc822Name | snmpTlstmCertSANRFC822Name |
+ | dNSName | snmpTlstmCertSANDNSName |
+ | iPAddress | snmpTlstmCertSANIpAddress |
+ |------------+----------------------------|
+
+ The first matching subjectAltName value found in the
+ certificate of the above types MUST be used when
+ deriving the tmSecurityName. The mapping algorithm
+ specified in the 'Algorithm' column MUST be used to
+ derive the tmSecurityName.
+
+ This mapping results in a 1:1 correspondence between
+ subjectAltName values and tmSecurityName values. The
+ three sub-mapping algorithms produced by this
+ combined algorithm cannot produce conflicting
+ results between themselves."
+ ::= { snmpTlstmCertToTSNMIdentities 5 }
+
+snmpTlstmCertCommonName OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION "Maps a certificate's CommonName to a tmSecurityName
+ after converting it to a UTF-8 encoding. The usage
+ of CommonNames is deprecated and users are
+ encouraged to use subjectAltName mapping methods
+ instead. This mapping results in a 1:1
+
+ correspondence between certificate CommonName values
+ and tmSecurityName values."
+ ::= { snmpTlstmCertToTSNMIdentities 6 }
+
+-- The snmpTlstmSession Group
+
+snmpTlstmSession OBJECT IDENTIFIER ::= { snmpTlstmObjects 1 }
+
+snmpTlstmSessionOpens OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times an openSession() request has been executed
+ as a (D)TLS client, regardless of whether it succeeded or
+ failed."
+ ::= { snmpTlstmSession 1 }
+
+snmpTlstmSessionClientCloses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times a closeSession() request has been
+ executed as a (D)TLS client, regardless of whether it
+ succeeded or failed."
+ ::= { snmpTlstmSession 2 }
+
+snmpTlstmSessionOpenErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times an openSession() request failed to open a
+ session as a (D)TLS client, for any reason."
+ ::= { snmpTlstmSession 3 }
+
+snmpTlstmSessionAccepts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times a (D)TLS server has accepted a new
+ connection from a client and has received at least one SNMP
+ message through it."
+ ::= { snmpTlstmSession 4 }
+
+snmpTlstmSessionServerCloses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times a closeSession() request has been
+ executed as a (D)TLS server, regardless of whether it
+ succeeded or failed."
+ ::= { snmpTlstmSession 5 }
+
+snmpTlstmSessionNoSessions OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times an outgoing message was dropped because
+ the session associated with the passed tmStateReference was no
+ longer (or was never) available."
+ ::= { snmpTlstmSession 6 }
+
+snmpTlstmSessionInvalidClientCertificates OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times an incoming session was not established
+ on a (D)TLS server because the presented client certificate
+ was invalid. Reasons for invalidation include, but are not
+ limited to, cryptographic validation failures or lack of a
+ suitable mapping row in the snmpTlstmCertToTSNTable."
+ ::= { snmpTlstmSession 7 }
+
+snmpTlstmSessionUnknownServerCertificate OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times an outgoing session was not established
+ on a (D)TLS client because the server certificate presented
+ by an SNMP over (D)TLS server was invalid because no
+ configured fingerprint or Certification Authority (CA) was
+ acceptable to validate it.
+ This may result because there was no entry in the
+ snmpTlstmAddrTable or because no path could be found to a
+ known CA."
+ ::= { snmpTlstmSession 8 }
+
+snmpTlstmSessionInvalidServerCertificates OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times an outgoing session was not established
+ on a (D)TLS client because the server certificate presented
+ by an SNMP over (D)TLS server could not be validated even if
+ the fingerprint or expected validation path was known. That
+ is, a cryptographic validation error occurred during
+ certificate validation processing.
+
+ Reasons for invalidation include, but are not
+ limited to, cryptographic validation failures."
+ ::= { snmpTlstmSession 9 }
+
+snmpTlstmSessionInvalidCaches OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of outgoing messages dropped because the
+ tmStateReference referred to an invalid cache."
+ ::= { snmpTlstmSession 10 }
+
+-- Configuration Objects
+
+snmpTlstmConfig OBJECT IDENTIFIER ::= { snmpTlstmObjects 2 }
+
+-- Certificate mapping
+
+snmpTlstmCertificateMapping OBJECT IDENTIFIER ::= { snmpTlstmConfig 1 }
+
+snmpTlstmCertToTSNCount OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A count of the number of entries in the
+ snmpTlstmCertToTSNTable."
+ ::= { snmpTlstmCertificateMapping 1 }
+
+snmpTlstmCertToTSNTableLastChanged OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime.0 when the snmpTlstmCertToTSNTable was
+ last modified through any means, or 0 if it has not been
+ modified since the command responder was started."
+ ::= { snmpTlstmCertificateMapping 2 }
+
+snmpTlstmCertToTSNTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SnmpTlstmCertToTSNEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table is used by a (D)TLS server to map the (D)TLS
+ client's presented X.509 certificate to a tmSecurityName.
+
+ On an incoming (D)TLS/SNMP connection, the client's presented
+ certificate must either be validated based on an established
+ trust anchor, or it must directly match a fingerprint in this
+ table. This table does not provide any mechanisms for
+ configuring the trust anchors; the transfer of any needed
+ trusted certificates for path validation is expected to occur
+ through an out-of-band transfer.
+
+ Once the certificate has been found acceptable (either by path
+ validation or directly matching a fingerprint in this table),
+ this table is consulted to determine the appropriate
+ tmSecurityName to identify with the remote connection. This
+ is done by considering each active row from this table in
+ prioritized order according to its snmpTlstmCertToTSNID value.
+ Each row's snmpTlstmCertToTSNFingerprint value determines
+ whether the row is a match for the incoming connection:
+
+ 1) If the row's snmpTlstmCertToTSNFingerprint value
+ identifies the presented certificate, then consider the
+ row as a successful match.
+
+ 2) If the row's snmpTlstmCertToTSNFingerprint value
+ identifies a locally held copy of a trusted CA
+ certificate and that CA certificate was used to
+ validate the path to the presented certificate, then
+ consider the row as a successful match.
+
+ Once a matching row has been found, the
+ snmpTlstmCertToTSNMapType value can be used to determine how
+ the tmSecurityName to associate with the session should be
+ determined. See the snmpTlstmCertToTSNMapType column's
+ DESCRIPTION for details on determining the tmSecurityName
+ value. If it is impossible to determine a tmSecurityName from
+ the row's data combined with the data presented in the
+
+ certificate, then additional rows MUST be searched looking for
+ another potential match. If a resulting tmSecurityName mapped
+ from a given row is not compatible with the needed
+ requirements of a tmSecurityName (e.g., VACM imposes a
+ 32-octet-maximum length and the certificate derived
+ securityName could be longer), then it must be considered an
+ invalid match and additional rows MUST be searched looking for
+ another potential match.
+
+ If no matching and valid row can be found, the connection MUST
+ be closed and SNMP messages MUST NOT be accepted over it.
+
+ Missing values of snmpTlstmCertToTSNID are acceptable and
+ implementations should continue to the next highest numbered
+ row. It is recommended that administrators skip index values
+ to leave room for the insertion of future rows (for example,
+ use values of 10 and 20 when creating initial rows).
+
+ Users are encouraged to make use of certificates with
+ subjectAltName fields that can be used as tmSecurityNames so
+ that a single root CA certificate can allow all child
+ certificate's subjectAltName to map directly to a
+ tmSecurityName via a 1:1 transformation. However, this table
+ is flexible to allow for situations where existing deployed
+ certificate infrastructures do not provide adequate
+ subjectAltName values for use as tmSecurityNames.
+ Certificates may also be mapped to tmSecurityNames using the
+ CommonName portion of the Subject field. However, the usage
+ of the CommonName field is deprecated and thus this usage is
+ NOT RECOMMENDED. Direct mapping from each individual
+ certificate fingerprint to a tmSecurityName is also possible
+ but requires one entry in the table per tmSecurityName and
+ requires more management operations to completely configure a
+ device."
+ ::= { snmpTlstmCertificateMapping 3 }
+
+snmpTlstmCertToTSNEntry OBJECT-TYPE
+ SYNTAX SnmpTlstmCertToTSNEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A row in the snmpTlstmCertToTSNTable that specifies a mapping
+ for an incoming (D)TLS certificate to a tmSecurityName to use
+ for a connection."
+ INDEX { snmpTlstmCertToTSNID }
+ ::= { snmpTlstmCertToTSNTable 1 }
+
+SnmpTlstmCertToTSNEntry ::= SEQUENCE {
+ snmpTlstmCertToTSNID Unsigned32,
+ snmpTlstmCertToTSNFingerprint SnmpTLSFingerprint,
+ snmpTlstmCertToTSNMapType AutonomousType,
+ snmpTlstmCertToTSNData OCTET STRING,
+ snmpTlstmCertToTSNStorageType StorageType,
+ snmpTlstmCertToTSNRowStatus RowStatus
+}
+
+snmpTlstmCertToTSNID OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A unique, prioritized index for the given entry. Lower
+ numbers indicate a higher priority."
+ ::= { snmpTlstmCertToTSNEntry 1 }
+
+snmpTlstmCertToTSNFingerprint OBJECT-TYPE
+ SYNTAX SnmpTLSFingerprint (SIZE(1..255))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A cryptographic hash of an X.509 certificate. The results of
+ a successful matching fingerprint to either the trusted CA in
+ the certificate validation path or to the certificate itself
+ is dictated by the snmpTlstmCertToTSNMapType column."
+ ::= { snmpTlstmCertToTSNEntry 2 }
+
+snmpTlstmCertToTSNMapType OBJECT-TYPE
+ SYNTAX AutonomousType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Specifies the mapping type for deriving a tmSecurityName from
+ a certificate. Details for mapping of a particular type SHALL
+ be specified in the DESCRIPTION clause of the OBJECT-IDENTITY
+ that describes the mapping. If a mapping succeeds it will
+ return a tmSecurityName for use by the TLSTM model and
+ processing stops.
+
+ If the resulting mapped value is not compatible with the
+ needed requirements of a tmSecurityName (e.g., VACM imposes a
+ 32-octet-maximum length and the certificate derived
+ securityName could be longer), then future rows MUST be
+ searched for additional snmpTlstmCertToTSNFingerprint matches
+ to look for a mapping that succeeds.
+
+ Suitable values for assigning to this object that are defined
+ within the SNMP-TLS-TM-MIB can be found in the
+ snmpTlstmCertToTSNMIdentities portion of the MIB tree."
+ DEFVAL { snmpTlstmCertSpecified }
+ ::= { snmpTlstmCertToTSNEntry 3 }
+
+snmpTlstmCertToTSNData OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE(0..1024))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Auxiliary data used as optional configuration information for
+ a given mapping specified by the snmpTlstmCertToTSNMapType
+ column. Only some mapping systems will make use of this
+ column. The value in this column MUST be ignored for any
+ mapping type that does not require data present in this
+ column."
+ DEFVAL { "" }
+ ::= { snmpTlstmCertToTSNEntry 4 }
+
+snmpTlstmCertToTSNStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this conceptual row. Conceptual rows
+ having the value 'permanent' need not allow write-access to
+ any columnar objects in the row."
+ DEFVAL { nonVolatile }
+ ::= { snmpTlstmCertToTSNEntry 5 }
+
+snmpTlstmCertToTSNRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this conceptual row. This object may be used
+ to create or remove rows from this table.
+
+ To create a row in this table, an administrator must set this
+ object to either createAndGo(4) or createAndWait(5).
+
+ Until instances of all corresponding columns are appropriately
+ configured, the value of the corresponding instance of the
+ snmpTlstmParamsRowStatus column is notReady(3).
+
+ In particular, a newly created row cannot be made active until
+ the corresponding snmpTlstmCertToTSNFingerprint,
+ snmpTlstmCertToTSNMapType, and snmpTlstmCertToTSNData columns
+ have been set.
+
+ The following objects may not be modified while the
+ value of this object is active(1):
+ - snmpTlstmCertToTSNFingerprint
+ - snmpTlstmCertToTSNMapType
+ - snmpTlstmCertToTSNData
+ An attempt to set these objects while the value of
+ snmpTlstmParamsRowStatus is active(1) will result in
+ an inconsistentValue error."
+ ::= { snmpTlstmCertToTSNEntry 6 }
+
+-- Maps tmSecurityNames to certificates for use by the SNMP-TARGET-MIB
+
+snmpTlstmParamsCount OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A count of the number of entries in the snmpTlstmParamsTable."
+ ::= { snmpTlstmCertificateMapping 4 }
+
+snmpTlstmParamsTableLastChanged OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime.0 when the snmpTlstmParamsTable
+ was last modified through any means, or 0 if it has not been
+ modified since the command responder was started."
+ ::= { snmpTlstmCertificateMapping 5 }
+
+snmpTlstmParamsTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SnmpTlstmParamsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table is used by a (D)TLS client when a (D)TLS
+ connection is being set up using an entry in the
+ SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's
+ snmpTargetParamsTable with a fingerprint of a certificate to
+ use when establishing such a (D)TLS connection."
+ ::= { snmpTlstmCertificateMapping 6 }
+
+snmpTlstmParamsEntry OBJECT-TYPE
+ SYNTAX SnmpTlstmParamsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A conceptual row containing a fingerprint hash of a locally
+ held certificate for a given snmpTargetParamsEntry. The
+ values in this row should be ignored if the connection that
+ needs to be established, as indicated by the SNMP-TARGET-MIB
+ infrastructure, is not a certificate and (D)TLS based
+ connection. The connection SHOULD NOT be established if the
+ certificate fingerprint stored in this entry does not point to
+ a valid locally held certificate or if it points to an
+ unusable certificate (such as might happen when the
+ certificate's expiration date has been reached)."
+ INDEX { IMPLIED snmpTargetParamsName }
+ ::= { snmpTlstmParamsTable 1 }
+
+SnmpTlstmParamsEntry ::= SEQUENCE {
+ snmpTlstmParamsClientFingerprint SnmpTLSFingerprint,
+ snmpTlstmParamsStorageType StorageType,
+ snmpTlstmParamsRowStatus RowStatus
+}
+
+snmpTlstmParamsClientFingerprint OBJECT-TYPE
+ SYNTAX SnmpTLSFingerprint
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object stores the hash of the public portion of a
+ locally held X.509 certificate. The X.509 certificate, its
+ public key, and the corresponding private key will be used
+ when initiating a (D)TLS connection as a (D)TLS client."
+ ::= { snmpTlstmParamsEntry 1 }
+
+snmpTlstmParamsStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this conceptual row. Conceptual rows
+ having the value 'permanent' need not allow write-access to
+ any columnar objects in the row."
+ DEFVAL { nonVolatile }
+ ::= { snmpTlstmParamsEntry 2 }
+
+snmpTlstmParamsRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this conceptual row. This object may be used
+ to create or remove rows from this table.
+
+ To create a row in this table, an administrator must set this
+ object to either createAndGo(4) or createAndWait(5).
+
+ Until instances of all corresponding columns are appropriately
+ configured, the value of the corresponding instance of the
+ snmpTlstmParamsRowStatus column is notReady(3).
+
+ In particular, a newly created row cannot be made active until
+ the corresponding snmpTlstmParamsClientFingerprint column has
+ been set.
+
+ The snmpTlstmParamsClientFingerprint object may not be modified
+ while the value of this object is active(1).
+
+ An attempt to set these objects while the value of
+ snmpTlstmParamsRowStatus is active(1) will result in
+ an inconsistentValue error."
+ ::= { snmpTlstmParamsEntry 3 }
+
+snmpTlstmAddrCount OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A count of the number of entries in the snmpTlstmAddrTable."
+ ::= { snmpTlstmCertificateMapping 7 }
+
+snmpTlstmAddrTableLastChanged OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime.0 when the snmpTlstmAddrTable
+ was last modified through any means, or 0 if it has not been
+ modified since the command responder was started."
+ ::= { snmpTlstmCertificateMapping 8 }
+
+snmpTlstmAddrTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SnmpTlstmAddrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table is used by a (D)TLS client when a (D)TLS
+ connection is being set up using an entry in the
+ SNMP-TARGET-MIB. It extends the SNMP-TARGET-MIB's
+
+ snmpTargetAddrTable so that the client can verify that the
+ correct server has been reached. This verification can use
+ either a certificate fingerprint, or an identity
+ authenticated via certification path validation.
+
+ If there is an active row in this table corresponding to the
+ entry in the SNMP-TARGET-MIB that was used to establish the
+ connection, and the row's snmpTlstmAddrServerFingerprint
+ column has non-empty value, then the server's presented
+ certificate is compared with the
+ snmpTlstmAddrServerFingerprint value (and the
+ snmpTlstmAddrServerIdentity column is ignored). If the
+ fingerprint matches, the verification has succeeded. If the
+ fingerprint does not match, then the connection MUST be
+ closed.
+
+ If the server's presented certificate has passed
+ certification path validation [RFC5280] to a configured
+ trust anchor, and an active row exists with a zero-length
+ snmpTlstmAddrServerFingerprint value, then the
+ snmpTlstmAddrServerIdentity column contains the expected
+ host name. This expected host name is then compared against
+ the server's certificate as follows:
+
+ - Implementations MUST support matching the expected host
+ name against a dNSName in the subjectAltName extension
+ field and MAY support checking the name against the
+ CommonName portion of the subject distinguished name.
+
+ - The '*' (ASCII 0x2a) wildcard character is allowed in the
+ dNSName of the subjectAltName extension (and in common
+ name, if used to store the host name), but only as the
+ left-most (least significant) DNS label in that value.
+ This wildcard matches any left-most DNS label in the
+ server name. That is, the subject *.example.com matches
+ the server names a.example.com and b.example.com, but does
+ not match example.com or a.b.example.com. Implementations
+ MUST support wildcards in certificates as specified above,
+ but MAY provide a configuration option to disable them.
+
+ - If the locally configured name is an internationalized
+ domain name, conforming implementations MUST convert it to
+ the ASCII Compatible Encoding (ACE) format for performing
+ comparisons, as specified in Section 7 of [RFC5280].
+
+ If the expected host name fails these conditions then the
+ connection MUST be closed.
+
+ If there is no row in this table corresponding to the entry
+ in the SNMP-TARGET-MIB and the server can be authorized by
+ another, implementation-dependent means, then the connection
+ MAY still proceed."
+ ::= { snmpTlstmCertificateMapping 9 }
+
+snmpTlstmAddrEntry OBJECT-TYPE
+ SYNTAX SnmpTlstmAddrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A conceptual row containing a copy of a certificate's
+ fingerprint for a given snmpTargetAddrEntry. The values in
+ this row should be ignored if the connection that needs to be
+ established, as indicated by the SNMP-TARGET-MIB
+ infrastructure, is not a (D)TLS based connection. If an
+ snmpTlstmAddrEntry exists for a given snmpTargetAddrEntry, then
+ the presented server certificate MUST match or the connection
+ MUST NOT be established. If a row in this table does not
+ exist to match an snmpTargetAddrEntry row, then the connection
+ SHOULD still proceed if some other certificate validation path
+ algorithm (e.g., RFC 5280) can be used."
+ INDEX { IMPLIED snmpTargetAddrName }
+ ::= { snmpTlstmAddrTable 1 }
+
+SnmpTlstmAddrEntry ::= SEQUENCE {
+ snmpTlstmAddrServerFingerprint SnmpTLSFingerprint,
+ snmpTlstmAddrServerIdentity SnmpAdminString,
+ snmpTlstmAddrStorageType StorageType,
+ snmpTlstmAddrRowStatus RowStatus
+}
+
+snmpTlstmAddrServerFingerprint OBJECT-TYPE
+ SYNTAX SnmpTLSFingerprint
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A cryptographic hash of a public X.509 certificate. This
+ object should store the hash of the public X.509 certificate
+ that the remote server should present during the (D)TLS
+ connection setup. The fingerprint of the presented
+ certificate and this hash value MUST match exactly or the
+ connection MUST NOT be established."
+ DEFVAL { "" }
+ ::= { snmpTlstmAddrEntry 1 }
+
+snmpTlstmAddrServerIdentity OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The reference identity to check against the identity
+ presented by the remote system."
+ DEFVAL { "" }
+ ::= { snmpTlstmAddrEntry 2 }
+
+snmpTlstmAddrStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this conceptual row. Conceptual rows
+ having the value 'permanent' need not allow write-access to
+ any columnar objects in the row."
+ DEFVAL { nonVolatile }
+ ::= { snmpTlstmAddrEntry 3 }
+
+snmpTlstmAddrRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this conceptual row. This object may be used
+ to create or remove rows from this table.
+
+ To create a row in this table, an administrator must set this
+ object to either createAndGo(4) or createAndWait(5).
+
+ Until instances of all corresponding columns are
+ appropriately configured, the value of the
+ corresponding instance of the snmpTlstmAddrRowStatus
+ column is notReady(3).
+
+ In particular, a newly created row cannot be made active until
+ the corresponding snmpTlstmAddrServerFingerprint column has been
+ set.
+
+ Rows MUST NOT be active if the snmpTlstmAddrServerFingerprint
+ column is blank and the snmpTlstmAddrServerIdentity is set to
+ '*' since this would insecurely accept any presented
+ certificate.
+
+ The snmpTlstmAddrServerFingerprint object may not be modified
+ while the value of this object is active(1).
+
+ An attempt to set these objects while the value of
+ snmpTlstmAddrRowStatus is active(1) will result in
+ an inconsistentValue error."
+ ::= { snmpTlstmAddrEntry 4 }
+
+-- ************************************************
+-- snmpTlstmNotifications - Notifications Information
+-- ************************************************
+
+snmpTlstmServerCertificateUnknown NOTIFICATION-TYPE
+ OBJECTS { snmpTlstmSessionUnknownServerCertificate }
+ STATUS current
+ DESCRIPTION
+ "Notification that the server certificate presented by an SNMP
+ over (D)TLS server was invalid because no configured
+ fingerprint or CA was acceptable to validate it. This may be
+ because there was no entry in the snmpTlstmAddrTable or
+ because no path could be found to known Certification
+ Authority.
+
+ To avoid notification loops, this notification MUST NOT be
+ sent to servers that themselves have triggered the
+ notification."
+ ::= { snmpTlstmNotifications 1 }
+
+snmpTlstmServerInvalidCertificate NOTIFICATION-TYPE
+ OBJECTS { snmpTlstmAddrServerFingerprint,
+ snmpTlstmSessionInvalidServerCertificates}
+ STATUS current
+ DESCRIPTION
+ "Notification that the server certificate presented by an SNMP
+ over (D)TLS server could not be validated even if the
+ fingerprint or expected validation path was known. That is, a
+ cryptographic validation error occurred during certificate
+ validation processing.
+
+ To avoid notification loops, this notification MUST NOT be
+ sent to servers that themselves have triggered the
+ notification."
+ ::= { snmpTlstmNotifications 2 }
+
+-- ************************************************
+-- snmpTlstmCompliances - Conformance Information
+-- ************************************************
+
+snmpTlstmCompliances OBJECT IDENTIFIER ::= { snmpTlstmConformance 1 }
+
+snmpTlstmGroups OBJECT IDENTIFIER ::= { snmpTlstmConformance 2 }
+
+-- ************************************************
+-- Compliance statements
+-- ************************************************
+
+snmpTlstmCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for SNMP engines that support the
+ SNMP-TLS-TM-MIB"
+ MODULE
+ MANDATORY-GROUPS { snmpTlstmStatsGroup,
+ snmpTlstmIncomingGroup,
+ snmpTlstmOutgoingGroup,
+ snmpTlstmNotificationGroup }
+ ::= { snmpTlstmCompliances 1 }
+
+-- ************************************************
+-- Units of conformance
+-- ************************************************
+snmpTlstmStatsGroup OBJECT-GROUP
+ OBJECTS {
+ snmpTlstmSessionOpens,
+ snmpTlstmSessionClientCloses,
+ snmpTlstmSessionOpenErrors,
+ snmpTlstmSessionAccepts,
+ snmpTlstmSessionServerCloses,
+ snmpTlstmSessionNoSessions,
+ snmpTlstmSessionInvalidClientCertificates,
+ snmpTlstmSessionUnknownServerCertificate,
+ snmpTlstmSessionInvalidServerCertificates,
+ snmpTlstmSessionInvalidCaches
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects for maintaining
+ statistical information of an SNMP engine that
+ implements the SNMP TLS Transport Model."
+ ::= { snmpTlstmGroups 1 }
+
+snmpTlstmIncomingGroup OBJECT-GROUP
+ OBJECTS {
+ snmpTlstmCertToTSNCount,
+ snmpTlstmCertToTSNTableLastChanged,
+ snmpTlstmCertToTSNFingerprint,
+ snmpTlstmCertToTSNMapType,
+ snmpTlstmCertToTSNData,
+ snmpTlstmCertToTSNStorageType,
+ snmpTlstmCertToTSNRowStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects for maintaining
+ incoming connection certificate mappings to
+ tmSecurityNames of an SNMP engine that implements the
+ SNMP TLS Transport Model."
+ ::= { snmpTlstmGroups 2 }
+
+snmpTlstmOutgoingGroup OBJECT-GROUP
+ OBJECTS {
+ snmpTlstmParamsCount,
+ snmpTlstmParamsTableLastChanged,
+ snmpTlstmParamsClientFingerprint,
+ snmpTlstmParamsStorageType,
+ snmpTlstmParamsRowStatus,
+ snmpTlstmAddrCount,
+ snmpTlstmAddrTableLastChanged,
+ snmpTlstmAddrServerFingerprint,
+ snmpTlstmAddrServerIdentity,
+ snmpTlstmAddrStorageType,
+ snmpTlstmAddrRowStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects for maintaining
+ outgoing connection certificates to use when opening
+ connections as a result of SNMP-TARGET-MIB settings."
+ ::= { snmpTlstmGroups 3 }
+
+snmpTlstmNotificationGroup NOTIFICATION-GROUP
+ NOTIFICATIONS {
+ snmpTlstmServerCertificateUnknown,
+ snmpTlstmServerInvalidCertificate
+ }
+ STATUS current
+ DESCRIPTION
+ "Notifications"
+ ::= { snmpTlstmGroups 4 }
+
+END