snmpconf Protocol Action: 'Policy Based Management MIB' to Proposed Standard
The IESG has approved the following document:
- 'Policy Based Management MIB'
<draft-ietf-snmpconf-pm-15.txt> as a Proposed Standard
This document is the product of the Configuration Management with SNMP Working
Group.
The IESG contact persons are Bert Wijnen and David Kessens.
Technical Summary
This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in TCP/IP-based internets.
In particular, this MIB defines objects that enable policy-based
monitoring and management of SNMP infrastructures as well as a
scripting language and a script execution environment.
Working Group Summary
The Working Group took a long time to discuss this document. There
was also discussion about the fact that this document combines both
a MIB module and a Scripting language specification, and some WG
members proposed to split the document in two. However, in the end
there was rough consensus to go forward with the combined
specification and the WG supports this document as a standards track
document.
Protocol Quality
The document has been reviewed for the IESG by Bert Wijnen.
Patrik Faltstrom has reviewed the document for UTF-8 and for
internationalization aspects.
David Harrington did extensive review of revisions 9, 10 and 11 at
the request of the Area Director back in mid 2002.
RFC-Editor note:
pls add the following text to the end of sect 13 "Security Considerations",
so that is on page 126:
This MIB allows the delegation of access rights so that a user
("Joe") can instruct a Policy MIB agent to execute remote operations
on his behalf that are authorized by keys stored by "Joe" into the
usmUserTable. Care needs to be taken to ensure that unauthorized users
are unable to configure their policies to use Joe's keys. While
there are theoretically many ways to configure SNMP security, users
are advised to follow the most straightforward way outlined below to
minimize complexity and the resulting opportunity for errors.
Assume that Joe has credentials that give him authority to manage
agents A, B, and C, as well as the Policy MIB agent "P". Joe will
store credentials for Joe@A, Joe@B, Joe@C in the usmUserTable of
the Policy MIB agent. Then the following VACM configuration will
be used:

VACM securityToGroupTable
  A single entry mapping user Joe@P to group JoesGroup

VACM accessTable
  A single entry mapping group JoesGroup to write view JoesView

VACM viewTreeFamilyTable
  ViewName    Subtree                             Type
  JoesView    points to Joe@A in usmUserTable     included
  JoesView    points to Joe@B in usmUserTable     included
  JoesView    points to Joe@C in usmUserTable     included

In the preceding examples, the notation Joe@A represents the entry
indexed by usmUserEngineID and usmUserName, where the SnmpEngineID
is that of system A and the usmUserName is "Joe".
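
The following is an added example, not part of the announcement or the draft: it builds the three JoesView rows as vacmViewTreeFamilyTable subtree/mask pairs and checks which usmUserTable instances fall inside the view. It assumes "points to Joe@A" means a family that wildcards only the column sub-identifier of that one row; the engine IDs are constructed placeholders and the function names are hypothetical.

```python
# Added example (not from the draft): vacmViewTreeFamilyTable rows for JoesView.
USM_USER_ENTRY = (1, 3, 6, 1, 6, 3, 15, 1, 2, 2, 1)  # usmUserEntry, RFC 3414

def view_family(engine_id: bytes, user_name: str):
    """Subtree and mask selecting every column of exactly one usmUserTable row."""
    name = user_name.encode("utf-8")
    # Both index objects are variable-length, so each is encoded length-prefixed.
    index = (len(engine_id), *engine_id, len(name), *name)
    subtree = USM_USER_ENTRY + (0,) + index      # 0 = placeholder for the column
    bits = [1] * len(subtree)
    bits[len(USM_USER_ENTRY)] = 0                # wildcard only the column sub-id
    bits += [1] * (-len(bits) % 8)               # pad the last octet with 1s
    mask = bytes(
        sum(bit << (7 - k) for k, bit in enumerate(bits[i:i + 8]))
        for i in range(0, len(bits), 8)
    )
    return subtree, mask

def in_family(oid, subtree, mask) -> bool:
    """RFC 3415 family match: mask bit 1 = exact match, 0 = wildcard."""
    if len(oid) < len(subtree):
        return False
    for i, sub in enumerate(subtree):
        octet = mask[i // 8] if i // 8 < len(mask) else 0xFF  # missing bits are 1
        if (octet >> (7 - i % 8)) & 1 and oid[i] != sub:
            return False
    return True

def in_view(oid, families) -> bool:
    # Every JoesView row is "included", so any matching family grants access.
    return any(in_family(oid, s, m) for s, m in families)

def column_instance(column: int, engine_id: bytes, user_name: str):
    """OID of one column instance in a usmUserTable row."""
    subtree, _ = view_family(engine_id, user_name)
    return USM_USER_ENTRY + (column,) + subtree[len(USM_USER_ENTRY) + 1:]

# Constructed engine IDs for agents A, B and C (placeholders, not real values).
ENGINE = {x: b"\x80\x00\x00\x00\x04agent" + x.encode() for x in "ABC"}
JOES_VIEW = [view_family(ENGINE[x], "Joe") for x in "ABC"]

if __name__ == "__main__":
    for subtree, mask in JOES_VIEW:
        print(".".join(map(str, subtree)), mask.hex())
```

Because the user name index is length-prefixed, a row for "Joel" on agent A does not match the "Joe" family, and any row not listed (another user, or Joe on a fourth agent) stays outside the write view.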