telemetry-snmp 0.1.0
- checksums.yaml +7 -0
- data/.github/workflows/rspec.yml +44 -0
- data/.github/workflows/rubocop.yml +28 -0
- data/.github/workflows/sourcehawk-scan.yml +20 -0
- data/.gitignore +14 -0
- data/.rspec +4 -0
- data/.rubocop.yml +26 -0
- data/CHANGELOG.md +4 -0
- data/CODE_OF_CONDUCT.md +75 -0
- data/CONTRIBUTING.md +54 -0
- data/Gemfile +10 -0
- data/INDIVIDUAL_CONTRIBUTOR_LICENSE.md +30 -0
- data/LICENSE +201 -0
- data/NOTICE.txt +9 -0
- data/README.md +54 -0
- data/attribution.txt +1 -0
- data/config.ru +15 -0
- data/exe/snmp_collector +55 -0
- data/lib/telemetry/snmp.rb +23 -0
- data/lib/telemetry/snmp/api.rb +55 -0
- data/lib/telemetry/snmp/auth.rb +54 -0
- data/lib/telemetry/snmp/auth/defaults.rb +41 -0
- data/lib/telemetry/snmp/client.rb +104 -0
- data/lib/telemetry/snmp/controllers/device_creds.rb +105 -0
- data/lib/telemetry/snmp/controllers/devices.rb +94 -0
- data/lib/telemetry/snmp/controllers/oid_groups.rb +71 -0
- data/lib/telemetry/snmp/controllers/oids.rb +80 -0
- data/lib/telemetry/snmp/controllers/users.rb +81 -0
- data/lib/telemetry/snmp/controllers/walks.rb +89 -0
- data/lib/telemetry/snmp/data.rb +69 -0
- data/lib/telemetry/snmp/data/default_opts.rb +73 -0
- data/lib/telemetry/snmp/data/migrations/001_device_creds.rb +19 -0
- data/lib/telemetry/snmp/data/migrations/002_create_devices_table.rb +31 -0
- data/lib/telemetry/snmp/data/migrations/003_create_oids_tables.rb +16 -0
- data/lib/telemetry/snmp/data/migrations/004_create_oid_groups.rb +15 -0
- data/lib/telemetry/snmp/data/migrations/005_create_oids_oid_groups.rb +17 -0
- data/lib/telemetry/snmp/data/migrations/006_device_to_oid_group.rb +15 -0
- data/lib/telemetry/snmp/data/migrations/007_create_users.rb +20 -0
- data/lib/telemetry/snmp/data/migrations/008_create_walks_table.rb +14 -0
- data/lib/telemetry/snmp/data/migrations/009_create_tag_name_column.rb +7 -0
- data/lib/telemetry/snmp/data/migrations/010_create_user_audit_table.rb +18 -0
- data/lib/telemetry/snmp/data/models/device.rb +11 -0
- data/lib/telemetry/snmp/data/models/device_cred.rb +11 -0
- data/lib/telemetry/snmp/data/models/oid.rb +10 -0
- data/lib/telemetry/snmp/data/models/oid_group.rb +10 -0
- data/lib/telemetry/snmp/data/models/oid_oid_groups.rb +10 -0
- data/lib/telemetry/snmp/data/models/oid_walk.rb +10 -0
- data/lib/telemetry/snmp/data/models/user.rb +10 -0
- data/lib/telemetry/snmp/data/models/user_audit_log.rb +19 -0
- data/lib/telemetry/snmp/mibs/AGENTX-MIB.txt +527 -0
- data/lib/telemetry/snmp/mibs/AIRPORT-BASESTATION-3-MIB.txt +461 -0
- data/lib/telemetry/snmp/mibs/BRIDGE-MIB.txt +1472 -0
- data/lib/telemetry/snmp/mibs/DISMAN-EVENT-MIB.txt +1882 -0
- data/lib/telemetry/snmp/mibs/DISMAN-SCHEDULE-MIB.txt +699 -0
- data/lib/telemetry/snmp/mibs/DISMAN-SCRIPT-MIB.txt +1764 -0
- data/lib/telemetry/snmp/mibs/EtherLike-MIB.txt +1862 -0
- data/lib/telemetry/snmp/mibs/HCNUM-TC.txt +118 -0
- data/lib/telemetry/snmp/mibs/HOST-RESOURCES-MIB.txt +1540 -0
- data/lib/telemetry/snmp/mibs/HOST-RESOURCES-TYPES.txt +389 -0
- data/lib/telemetry/snmp/mibs/IANA-ADDRESS-FAMILY-NUMBERS-MIB.txt +123 -0
- data/lib/telemetry/snmp/mibs/IANA-LANGUAGE-MIB.txt +123 -0
- data/lib/telemetry/snmp/mibs/IANA-RTPROTO-MIB.txt +91 -0
- data/lib/telemetry/snmp/mibs/IANAifType-MIB.txt +619 -0
- data/lib/telemetry/snmp/mibs/IF-INVERTED-STACK-MIB.txt +149 -0
- data/lib/telemetry/snmp/mibs/IF-MIB.txt +1814 -0
- data/lib/telemetry/snmp/mibs/INET-ADDRESS-MIB.txt +402 -0
- data/lib/telemetry/snmp/mibs/IP-FORWARD-MIB.txt +1277 -0
- data/lib/telemetry/snmp/mibs/IP-MIB.txt +4993 -0
- data/lib/telemetry/snmp/mibs/IPV6-FLOW-LABEL-MIB.txt +58 -0
- data/lib/telemetry/snmp/mibs/IPV6-ICMP-MIB.txt +529 -0
- data/lib/telemetry/snmp/mibs/IPV6-MIB.txt +1443 -0
- data/lib/telemetry/snmp/mibs/IPV6-TC.txt +67 -0
- data/lib/telemetry/snmp/mibs/IPV6-TCP-MIB.txt +211 -0
- data/lib/telemetry/snmp/mibs/IPV6-UDP-MIB.txt +141 -0
- data/lib/telemetry/snmp/mibs/NET-SNMP-AGENT-MIB.txt +554 -0
- data/lib/telemetry/snmp/mibs/NET-SNMP-EXAMPLES-MIB.txt +285 -0
- data/lib/telemetry/snmp/mibs/NET-SNMP-EXTEND-MIB.txt +325 -0
- data/lib/telemetry/snmp/mibs/NET-SNMP-MIB.txt +67 -0
- data/lib/telemetry/snmp/mibs/NET-SNMP-PASS-MIB.txt +124 -0
- data/lib/telemetry/snmp/mibs/NET-SNMP-TC.txt +128 -0
- data/lib/telemetry/snmp/mibs/NET-SNMP-VACM-MIB.txt +154 -0
- data/lib/telemetry/snmp/mibs/NOTIFICATION-LOG-MIB.txt +753 -0
- data/lib/telemetry/snmp/mibs/PAN-COMMON-MIB.md5 +1 -0
- data/lib/telemetry/snmp/mibs/PAN-COMMON-MIB.my +2293 -0
- data/lib/telemetry/snmp/mibs/PAN-ENTITY-EXT-MIB.md5 +1 -0
- data/lib/telemetry/snmp/mibs/PAN-ENTITY-EXT-MIB.my +293 -0
- data/lib/telemetry/snmp/mibs/PAN-GLOBAL-REG-MIB.md5 +1 -0
- data/lib/telemetry/snmp/mibs/PAN-GLOBAL-REG-MIB.my +84 -0
- data/lib/telemetry/snmp/mibs/PAN-GLOBAL-TC-MIB.md5 +1 -0
- data/lib/telemetry/snmp/mibs/PAN-GLOBAL-TC-MIB.my +68 -0
- data/lib/telemetry/snmp/mibs/PAN-LC-MIB.md5 +1 -0
- data/lib/telemetry/snmp/mibs/PAN-LC-MIB.my +204 -0
- data/lib/telemetry/snmp/mibs/PAN-PRODUCT-MIB.md5 +1 -0
- data/lib/telemetry/snmp/mibs/PAN-PRODUCT-MIB.my +305 -0
- data/lib/telemetry/snmp/mibs/PAN-TRAPS.md5 +1 -0
- data/lib/telemetry/snmp/mibs/PAN-TRAPS.my +7809 -0
- data/lib/telemetry/snmp/mibs/RFC-1215.txt +38 -0
- data/lib/telemetry/snmp/mibs/RFC1155-SMI.txt +119 -0
- data/lib/telemetry/snmp/mibs/RFC1213-MIB.txt +2613 -0
- data/lib/telemetry/snmp/mibs/RMON-MIB.txt +3980 -0
- data/lib/telemetry/snmp/mibs/SCTP-MIB.txt +1342 -0
- data/lib/telemetry/snmp/mibs/SMUX-MIB.txt +160 -0
- data/lib/telemetry/snmp/mibs/SNMP-COMMUNITY-MIB.txt +429 -0
- data/lib/telemetry/snmp/mibs/SNMP-FRAMEWORK-MIB.txt +526 -0
- data/lib/telemetry/snmp/mibs/SNMP-MPD-MIB.txt +145 -0
- data/lib/telemetry/snmp/mibs/SNMP-NOTIFICATION-MIB.txt +589 -0
- data/lib/telemetry/snmp/mibs/SNMP-PROXY-MIB.txt +294 -0
- data/lib/telemetry/snmp/mibs/SNMP-TARGET-MIB.txt +660 -0
- data/lib/telemetry/snmp/mibs/SNMP-USER-BASED-SM-MIB.txt +912 -0
- data/lib/telemetry/snmp/mibs/SNMP-USM-AES-MIB.txt +62 -0
- data/lib/telemetry/snmp/mibs/SNMP-USM-DH-OBJECTS-MIB.txt +532 -0
- data/lib/telemetry/snmp/mibs/SNMP-VIEW-BASED-ACM-MIB.txt +830 -0
- data/lib/telemetry/snmp/mibs/SNMPv2-CONF.txt +322 -0
- data/lib/telemetry/snmp/mibs/SNMPv2-MIB.txt +854 -0
- data/lib/telemetry/snmp/mibs/SNMPv2-SMI.txt +344 -0
- data/lib/telemetry/snmp/mibs/SNMPv2-TC.txt +772 -0
- data/lib/telemetry/snmp/mibs/SNMPv2-TM.txt +176 -0
- data/lib/telemetry/snmp/mibs/TCP-MIB.txt +785 -0
- data/lib/telemetry/snmp/mibs/TRANSPORT-ADDRESS-MIB.txt +421 -0
- data/lib/telemetry/snmp/mibs/TUNNEL-MIB.txt +738 -0
- data/lib/telemetry/snmp/mibs/UCD-DEMO-MIB.txt +74 -0
- data/lib/telemetry/snmp/mibs/UCD-DISKIO-MIB.txt +171 -0
- data/lib/telemetry/snmp/mibs/UCD-DLMOD-MIB.txt +124 -0
- data/lib/telemetry/snmp/mibs/UCD-IPFWACC-MIB.txt +327 -0
- data/lib/telemetry/snmp/mibs/UCD-SNMP-MIB.txt +1712 -0
- data/lib/telemetry/snmp/mibs/UDP-MIB.txt +549 -0
- data/lib/telemetry/snmp/publisher.rb +130 -0
- data/lib/telemetry/snmp/version.rb +7 -0
- data/sourcehawk.yml +4 -0
- data/telemetry-snmp.gemspec +48 -0
- metadata +456 -0
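--- a/data/lib/telemetry/snmp/mibs/SNMP-USM-AES-MIB.txt
+++ b/data/lib/telemetry/snmp/mibs/SNMP-USM-AES-MIB.txt
@@ -0,0 +1,62 @@
+SNMP-USM-AES-MIB DEFINITIONS ::= BEGIN
+IMPORTS
+MODULE-IDENTITY, OBJECT-IDENTITY,
+snmpModules FROM SNMPv2-SMI -- [RFC2578]
+snmpPrivProtocols FROM SNMP-FRAMEWORK-MIB; -- [RFC3411]
+
+snmpUsmAesMIB MODULE-IDENTITY
+LAST-UPDATED "200406140000Z"
+ORGANIZATION "IETF"
+CONTACT-INFO "Uri Blumenthal
+Lucent Technologies / Bell Labs
+67 Whippany Rd.
+14D-318
+Whippany, NJ 07981, USA
+973-386-2163
+uri@bell-labs.com
+
+Fabio Maino
+Andiamo Systems, Inc.
+375 East Tasman Drive
+San Jose, CA 95134, USA
+408-853-7530
+fmaino@andiamo.com
+
+Keith McCloghrie
+Cisco Systems, Inc.
+170 West Tasman Drive
+San Jose, CA 95134-1706, USA
+
+408-526-5260
+kzm@cisco.com"
+DESCRIPTION "Definitions of Object Identities needed for
+the use of AES by SNMP's User-based Security
+Model.
+
+Copyright (C) The Internet Society (2004).
+
+This version of this MIB module is part of RFC 3826;
+see the RFC itself for full legal notices.
+Supplementary information may be available on
+http://www.ietf.org/copyrights/ianamib.html."
+
+REVISION "200406140000Z"
+DESCRIPTION "Initial version, published as RFC3826"
+::= { snmpModules 20 }
+
+usmAesCfb128Protocol OBJECT-IDENTITY
+STATUS current
+DESCRIPTION "The CFB128-AES-128 Privacy Protocol."
+REFERENCE "- Specification for the ADVANCED ENCRYPTION
+STANDARD. Federal Information Processing
+Standard (FIPS) Publication 197.
+(November 2001).
+
+- Dworkin, M., NIST Recommendation for Block
+Cipher Modes of Operation, Methods and
+Techniques. NIST Special Publication 800-38A
+(December 2001).
+"
+::= { snmpPrivProtocols 4 }
+
+END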
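--- a/data/lib/telemetry/snmp/mibs/SNMP-USM-DH-OBJECTS-MIB.txt
+++ b/data/lib/telemetry/snmp/mibs/SNMP-USM-DH-OBJECTS-MIB.txt
@@ -0,0 +1,532 @@
+SNMP-USM-DH-OBJECTS-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+MODULE-IDENTITY, OBJECT-TYPE,
+-- OBJECT-IDENTITY,
+experimental, Integer32
+FROM SNMPv2-SMI
+TEXTUAL-CONVENTION
+FROM SNMPv2-TC
+MODULE-COMPLIANCE, OBJECT-GROUP
+FROM SNMPv2-CONF
+usmUserEntry
+FROM SNMP-USER-BASED-SM-MIB
+SnmpAdminString
+FROM SNMP-FRAMEWORK-MIB;
+
+snmpUsmDHObjectsMIB MODULE-IDENTITY
+LAST-UPDATED "200003060000Z" -- 6 March 2000, Midnight
+ORGANIZATION "Excite@Home"
+CONTACT-INFO "Author: Mike StJohns
+Postal: Excite@Home
+450 Broadway
+Redwood City, CA 94063
+Email: stjohns@corp.home.net
+Phone: +1-650-556-5368"
+DESCRIPTION
+"The management information definitions for providing forward
+secrecy for key changes for the usmUserTable, and for providing a
+method for 'kickstarting' access to the agent via a Diffie-Helman
+key agreement."
+
+REVISION "200003060000Z"
+DESCRIPTION
+"Initial version published as RFC 2786."
+::= { experimental 101 } -- IANA DHKEY-CHANGE 101
+
+-- Administrative assignments
+
+usmDHKeyObjects OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 1 }
+usmDHKeyConformance OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 2 }
+
+-- Textual conventions
+
+DHKeyChange ::= TEXTUAL-CONVENTION
+STATUS current
+DESCRIPTION
+"Upon initialization, or upon creation of a row containing an
+object of this type, and after any successful SET of this value, a
+GET of this value returns 'y' where y = g^xa MOD p, and where g is
+the base from usmDHParameters, p is the prime from
+usmDHParameters, and xa is a new random integer selected by the
+agent in the interval 2^(l-1) <= xa < 2^l < p-1. 'l' is the
+optional privateValueLength from usmDHParameters in bits. If 'l'
+is omitted, then xa (and xr below) is selected in the interval 0
+<= xa < p-1. y is expressed as an OCTET STRING 'PV' of length 'k'
+which satisfies
+
+k
+y = SUM 2^(8(k-i)) PV'i
+i=1
+
+where PV1,...,PVk are the octets of PV from first to last, and
+where PV1 <> 0.
+
+A successful SET consists of the value 'y' expressed as an OCTET
+STRING as above concatenated with the value 'z'(expressed as an
+OCTET STRING in the same manner as y) where z = g^xr MOD p, where
+g, p and l are as above, and where xr is a new random integer
+selected by the manager in the interval 2^(l-1) <= xr < 2^l <
+p-1. A SET to an object of this type will fail with the error
+wrongValue if the current 'y' does not match the 'y' portion of
+the value of the varbind for the object. (E.g. GET yout, SET
+concat(yin, z), yout <> yin).
+
+Note that the private values xa and xr are never transmitted from
+manager to device or vice versa, only the values y and z.
+Obviously, these values must be retained until a successful SET on
+the associated object.
+
+The shared secret 'sk' is calculated at the agent as sk = z^xa MOD
+p, and at the manager as sk = y^xr MOD p.
+
+Each object definition of this type MUST describe how to map from
+the shared secret 'sk' to the operational key value used by the
+protocols and operations related to the object. In general, if n
+bits of key are required, the author suggests using the n
+right-most bits of the shared secret as the operational key value."
+REFERENCE
+"-- Diffie-Hellman Key-Agreement Standard, PKCS #3;
+RSA Laboratories, November 1993"
+SYNTAX OCTET STRING
+
+-- Diffie Hellman public values
+
+usmDHPublicObjects OBJECT IDENTIFIER ::= { usmDHKeyObjects 1 }
+
+usmDHParameters OBJECT-TYPE
+SYNTAX OCTET STRING
+MAX-ACCESS read-write
+STATUS current
+DESCRIPTION
+"The public Diffie-Hellman parameters for doing a Diffie-Hellman
+key agreement for this device. This is encoded as an ASN.1
+DHParameter per PKCS #3, section 9. E.g.
+
+DHParameter ::= SEQUENCE {
+prime INTEGER, -- p
+base INTEGER, -- g
+privateValueLength INTEGER OPTIONAL }
+
+Implementors are encouraged to use either the values from
+Oakley Group 1 or the values of from Oakley Group 2 as specified
+in RFC-2409, The Internet Key Exchange, Section 6.1, 6.2 as the
+default for this object. Other values may be used, but the
+security properties of those values MUST be well understood and
+MUST meet the requirements of PKCS #3 for the selection of
+Diffie-Hellman primes.
+
+In addition, any time usmDHParameters changes, all values of
+type DHKeyChange will change and new random numbers MUST be
+generated by the agent for each DHKeyChange object."
+REFERENCE
+"-- Diffie-Hellman Key-Agreement Standard, PKCS #3,
+RSA Laboratories, November 1993
+-- The Internet Key Exchange, RFC 2409, November 1998,
+Sec 6.1, 6.2"
+::= { usmDHPublicObjects 1 }
+
+usmDHUserKeyTable OBJECT-TYPE
+SYNTAX SEQUENCE OF UsmDHUserKeyEntry
+MAX-ACCESS not-accessible
+STATUS current
+DESCRIPTION
+"This table augments and extends the usmUserTable and provides
+4 objects which exactly mirror the objects in that table with the
+textual convention of 'KeyChange'. This extension allows key
+changes to be done in a manner where the knowledge of the current
+secret plus knowledge of the key change data exchanges (e.g. via
+wiretapping) will not reveal the new key."
+::= { usmDHPublicObjects 2 }
+
+usmDHUserKeyEntry OBJECT-TYPE
+SYNTAX UsmDHUserKeyEntry
+MAX-ACCESS not-accessible
+STATUS current
+DESCRIPTION
+"A row of DHKeyChange objects which augment or replace the
+functionality of the KeyChange objects in the base table row."
+AUGMENTS { usmUserEntry }
+::= {usmDHUserKeyTable 1 }
+
+UsmDHUserKeyEntry ::= SEQUENCE {
+usmDHUserAuthKeyChange DHKeyChange,
+usmDHUserOwnAuthKeyChange DHKeyChange,
+usmDHUserPrivKeyChange DHKeyChange,
+usmDHUserOwnPrivKeyChange DHKeyChange
+}
+
+usmDHUserAuthKeyChange OBJECT-TYPE
+SYNTAX DHKeyChange
+MAX-ACCESS read-create
+STATUS current
+DESCRIPTION
+"The object used to change any given user's Authentication Key
+using a Diffie-Hellman key exchange.
+
+The right-most n bits of the shared secret 'sk', where 'n' is the
+number of bits required for the protocol defined by
+usmUserAuthProtocol, are installed as the operational
+authentication key for this row after a successful SET."
+::= { usmDHUserKeyEntry 1 }
+
+usmDHUserOwnAuthKeyChange OBJECT-TYPE
+SYNTAX DHKeyChange
+MAX-ACCESS read-create
+STATUS current
+DESCRIPTION
+"The object used to change the agents own Authentication Key
+using a Diffie-Hellman key exchange.
+
+The right-most n bits of the shared secret 'sk', where 'n' is the
+number of bits required for the protocol defined by
+usmUserAuthProtocol, are installed as the operational
+authentication key for this row after a successful SET."
+::= { usmDHUserKeyEntry 2 }
+
+usmDHUserPrivKeyChange OBJECT-TYPE
+SYNTAX DHKeyChange
+MAX-ACCESS read-create
+STATUS current
+DESCRIPTION
+"The object used to change any given user's Privacy Key using
+a Diffie-Hellman key exchange.
+
+The right-most n bits of the shared secret 'sk', where 'n' is the
+number of bits required for the protocol defined by
+usmUserPrivProtocol, are installed as the operational privacy key
+for this row after a successful SET."
+::= { usmDHUserKeyEntry 3 }
+
+usmDHUserOwnPrivKeyChange OBJECT-TYPE
+SYNTAX DHKeyChange
+MAX-ACCESS read-create
+STATUS current
+DESCRIPTION
+"The object used to change the agent's own Privacy Key using a
+Diffie-Hellman key exchange.
+
+The right-most n bits of the shared secret 'sk', where 'n' is the
+number of bits required for the protocol defined by
+usmUserPrivProtocol, are installed as the operational privacy key
+for this row after a successful SET."
+::= { usmDHUserKeyEntry 4 }
+
+usmDHKickstartGroup OBJECT IDENTIFIER ::= { usmDHKeyObjects 2 }
+
+usmDHKickstartTable OBJECT-TYPE
+SYNTAX SEQUENCE OF UsmDHKickstartEntry
+MAX-ACCESS not-accessible
+STATUS current
+DESCRIPTION
+"A table of mappings between zero or more Diffie-Helman key
+agreement values and entries in the usmUserTable. Entries in this
+table are created by providing the associated device with a
+Diffie-Helman public value and a usmUserName/usmUserSecurityName
+pair during initialization. How these values are provided is
+outside the scope of this MIB, but could be provided manually, or
+through a configuration file. Valid public value/name pairs
+result in the creation of a row in this table as well as the
+creation of an associated row (with keys derived as indicated) in
+the usmUserTable. The actual access the related usmSecurityName
+has is dependent on the entries in the VACM tables. In general,
+an implementor will specify one or more standard security names
+and will provide entries in the VACM tables granting various
+levels of access to those names. The actual content of the VACM
+
+table is beyond the scope of this MIB.
+
+Note: This table is expected to be readable without authentication
+using the usmUserSecurityName 'dhKickstart'. See the conformance
+statements for details."
+::= { usmDHKickstartGroup 1 }
+
+usmDHKickstartEntry OBJECT-TYPE
+SYNTAX UsmDHKickstartEntry
+MAX-ACCESS not-accessible
+STATUS current
+DESCRIPTION
+"An entry in the usmDHKickstartTable. The agent SHOULD either
+delete this entry or mark it as inactive upon a successful SET of
+any of the KeyChange-typed objects in the usmUserEntry or upon a
+successful SET of any of the DHKeyChange-typed objects in the
+usmDhKeyChangeEntry where the related usmSecurityName (e.g. row of
+usmUserTable or row of ushDhKeyChangeTable) equals this entry's
+usmDhKickstartSecurityName. In otherwords, once you've changed
+one or more of the keys for a row in usmUserTable with a
+particular security name, the row in this table with that same
+security name is no longer useful or meaningful."
+INDEX { usmDHKickstartIndex }
+::= {usmDHKickstartTable 1 }
+
+UsmDHKickstartEntry ::= SEQUENCE {
+usmDHKickstartIndex Integer32,
+usmDHKickstartMyPublic OCTET STRING,
+usmDHKickstartMgrPublic OCTET STRING,
+usmDHKickstartSecurityName SnmpAdminString
+}
+
+usmDHKickstartIndex OBJECT-TYPE
+SYNTAX Integer32 (1..2147483647)
+MAX-ACCESS not-accessible
+STATUS current
+DESCRIPTION
+"Index value for this row."
+::= { usmDHKickstartEntry 1 }
+
+usmDHKickstartMyPublic OBJECT-TYPE
+SYNTAX OCTET STRING
+MAX-ACCESS read-only
+STATUS current
+DESCRIPTION
+"The agent's Diffie-Hellman public value for this row. At
+
+initialization, the agent generates a random number and derives
+its public value from that number. This public value is published
+here. This public value 'y' equals g^r MOD p where g is the from
+the set of Diffie-Hellman parameters, p is the prime from those
+parameters, and r is a random integer selected by the agent in the
+interval 2^(l-1) <= r < p-1 < 2^l. If l is unspecified, then r is
+a random integer selected in the interval 0 <= r < p-1
+
+The public value is expressed as an OCTET STRING 'PV' of length
+'k' which satisfies
+
+k
+y = SUM 2^(8(k-i)) PV'i
+i = 1
+
+where PV1,...,PVk are the octets of PV from first to last, and
+where PV1 != 0.
+
+The following DH parameters (Oakley group #2, RFC 2409, sec 6.1,
+6.2) are used for this object:
+
+g = 2
+p = FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
+29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
+EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
+E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
+EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
+FFFFFFFF FFFFFFFF
+l=1024
+"
+REFERENCE
+"-- Diffie-Hellman Key-Agreement Standard, PKCS#3v1.4;
+RSA Laboratories, November 1993
+-- The Internet Key Exchange, RFC2409;
+Harkins, D., Carrel, D.; November 1998"
+::= { usmDHKickstartEntry 2 }
+
+usmDHKickstartMgrPublic OBJECT-TYPE
+SYNTAX OCTET STRING
+MAX-ACCESS read-only
+STATUS current
+DESCRIPTION
+"The manager's Diffie-Hellman public value for this row. Note
+that this value is not set via the SNMP agent, but may be set via
+some out of band method, such as the device's configuration file.
+
+The manager calculates this value in the same manner and using the
+same parameter set as the agent does. E.g. it selects a random
+number 'r', calculates y = g^r mod p and provides 'y' as the
+public number expressed as an OCTET STRING. See
+usmDHKickstartMyPublic for details.
+
+When this object is set with a valid value during initialization,
+a row is created in the usmUserTable with the following values:
+
+usmUserEngineID localEngineID
+usmUserName [value of usmDHKickstartSecurityName]
+usmUserSecurityName [value of usmDHKickstartSecurityName]
+usmUserCloneFrom ZeroDotZero
+usmUserAuthProtocol usmHMACMD5AuthProtocol
+usmUserAuthKeyChange -- derived from set value
+usmUserOwnAuthKeyChange -- derived from set value
+usmUserPrivProtocol usmDESPrivProtocol
+usmUserPrivKeyChange -- derived from set value
+usmUserOwnPrivKeyChange -- derived from set value
+usmUserPublic ''
+usmUserStorageType permanent
+usmUserStatus active
+
+A shared secret 'sk' is calculated at the agent as sk =
+mgrPublic^r mod p where r is the agents random number and p is the
+DH prime from the common parameters. The underlying privacy key
+for this row is derived from sk by applying the key derivation
+function PBKDF2 defined in PKCS#5v2.0 with a salt of 0xd1310ba6,
+and iterationCount of 500, a keyLength of 16 (for
+usmDESPrivProtocol), and a prf (pseudo random function) of
+'id-hmacWithSHA1'. The underlying authentication key for this row
+is derived from sk by applying the key derivation function PBKDF2
+with a salt of 0x98dfb5ac , an interation count of 500, a
+keyLength of 16 (for usmHMAC5AuthProtocol), and a prf of
+'id-hmacWithSHA1'. Note: The salts are the first two words in the
+ks0 [key schedule 0] of the BLOWFISH cipher from 'Applied
+Cryptography' by Bruce Schnier - they could be any relatively
+random string of bits.
+
+The manager can use its knowledge of its own random number and the
+agent's public value to kickstart its access to the agent in a
+secure manner. Note that the security of this approach is
+directly related to the strength of the authorization security of
+the out of band provisioning of the managers public value
+(e.g. the configuration file), but is not dependent at all on the
+strength of the confidentiality of the out of band provisioning
+data."
+REFERENCE
+"-- Password-Based Cryptography Standard, PKCS#5v2.0;
+RSA Laboratories, March 1999
+-- Applied Cryptography, 2nd Ed.; B. Schneier,
+Counterpane Systems; John Wiley & Sons, 1996"
+::= { usmDHKickstartEntry 3 }
+
+usmDHKickstartSecurityName OBJECT-TYPE
+SYNTAX SnmpAdminString
+MAX-ACCESS read-only
+STATUS current
+DESCRIPTION
+"The usmUserName and usmUserSecurityName in the usmUserTable
+associated with this row. This is provided in the same manner and
+at the same time as the usmDHKickstartMgrPublic value -
+e.g. possibly manually, or via the device's configuration file."
+::= { usmDHKickstartEntry 4 }
+
+-- Conformance Information
+
+usmDHKeyMIBCompliances OBJECT IDENTIFIER ::= { usmDHKeyConformance 1 }
+usmDHKeyMIBGroups OBJECT IDENTIFIER ::= { usmDHKeyConformance 2 }
+
+-- Compliance statements
+
+usmDHKeyMIBCompliance MODULE-COMPLIANCE
+STATUS current
+DESCRIPTION
+"The compliance statement for this module."
+MODULE
+GROUP usmDHKeyMIBBasicGroup
+DESCRIPTION
+"This group MAY be implemented by any agent which
+implements the usmUserTable and which wishes to provide the
+ability to change user and agent authentication and privacy
+keys via Diffie-Hellman key exchanges."
+
+GROUP usmDHKeyParamGroup
+DESCRIPTION
+"This group MUST be implemented by any agent which
+implements a MIB containing the DHKeyChange Textual
+Convention defined in this module."
+
+GROUP usmDHKeyKickstartGroup
+DESCRIPTION
+"This group MAY be implemented by any agent which
+implements the usmUserTable and which wishes the ability to
+populate the USM table based on out-of-band provided DH
+ignition values.
+
+Any agent implementing this group is expected to provide
+preinstalled entries in the vacm tables as follows:
+
+In the usmUserTable: This entry allows access to the
+system and dhKickstart groups
+
+usmUserEngineID localEngineID
+usmUserName 'dhKickstart'
+usmUserSecurityName 'dhKickstart'
+usmUserCloneFrom ZeroDotZero
+usmUserAuthProtocol none
+usmUserAuthKeyChange ''
+usmUserOwnAuthKeyChange ''
+usmUserPrivProtocol none
+usmUserPrivKeyChange ''
+usmUserOwnPrivKeyChange ''
+usmUserPublic ''
+usmUserStorageType permanent
+usmUserStatus active
+
+In the vacmSecurityToGroupTable: This maps the initial
+user into the accessible objects.
+
+vacmSecurityModel 3 (USM)
+vacmSecurityName 'dhKickstart'
+vacmGroupName 'dhKickstart'
+vacmSecurityToGroupStorageType permanent
+vacmSecurityToGroupStatus active
+
+In the vacmAccessTable: Group name to view name translation.
+
+vacmGroupName 'dhKickstart'
+vacmAccessContextPrefix ''
+vacmAccessSecurityModel 3 (USM)
+vacmAccessSecurityLevel noAuthNoPriv
+vacmAccessContextMatch exact
+vacmAccessReadViewName 'dhKickRestricted'
+vacmAccessWriteViewName ''
+vacmAccessNotifyViewName 'dhKickRestricted'
+vacmAccessStorageType permanent
+vacmAccessStatus active
+
+In the vacmViewTreeFamilyTable: Two entries to allow the
+initial entry to access the system and kickstart groups.
+
+vacmViewTreeFamilyViewName 'dhKickRestricted'
+vacmViewTreeFamilySubtree 1.3.6.1.2.1.1 (system)
+vacmViewTreeFamilyMask ''
+
+vacmViewTreeFamilyType 1
+vacmViewTreeFamilyStorageType permanent
+vacmViewTreeFamilyStatus active
+
+vacmViewTreeFamilyViewName 'dhKickRestricted'
+vacmViewTreeFamilySubtree (usmDHKickstartTable OID)
+vacmViewTreeFamilyMask ''
+vacmViewTreeFamilyType 1
+vacmViewTreeFamilyStorageType permanent
+vacmViewTreeFamilyStatus active
+"
+
+OBJECT usmDHParameters
+MIN-ACCESS read-only
+DESCRIPTION
+"It is compliant to implement this object as read-only for
+any device."
+::= { usmDHKeyMIBCompliances 1 }
+
+-- Units of Compliance
+
+usmDHKeyMIBBasicGroup OBJECT-GROUP
+OBJECTS {
+usmDHUserAuthKeyChange,
+usmDHUserOwnAuthKeyChange,
+usmDHUserPrivKeyChange,
+usmDHUserOwnPrivKeyChange
+}
+STATUS current
+DESCRIPTION
+""
+::= { usmDHKeyMIBGroups 1 }
+
+usmDHKeyParamGroup OBJECT-GROUP
+OBJECTS {
+usmDHParameters
+}
+STATUS current
+DESCRIPTION
+"The mandatory object for all MIBs which use the DHKeyChange
+textual convention."
+::= { usmDHKeyMIBGroups 2 }
+
+usmDHKeyKickstartGroup OBJECT-GROUP
+OBJECTS {
+usmDHKickstartMyPublic,
+usmDHKickstartMgrPublic,
+usmDHKickstartSecurityName
+}
+STATUS current
+DESCRIPTION
+"The objects used for kickstarting one or more SNMPv3 USM
+associations via a configuration file or other out of band,
+non-confidential access."
+::= { usmDHKeyMIBGroups 3 }
+
+END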