This is a summary of information regarding objects below the snmpUsmDHObjectsMIB MIB object, which is defined within the SNMP-USM-DH-OBJECTS-MIB MIB document as .1.3.6.1.3.101.
Name | Type | Access | Description |
---|---|---|---|
1
usmUserEngineID |
OCTETSTR
Legal Lengths: 5 .. 32 SnmpEngineID | NoAccess |
Note: this object is based on the SnmpEngineID TEXTUAL-CONVENTION. An SNMP engine's administratively-unique identifier. In a simple agent, this value is always that agent's own snmpEngineID value. The value can also take the value of the snmpEngineID of a remote SNMP engine with which this user can communicate. |
2
usmUserName |
OCTETSTR
Legal Lengths: 1 .. 32 SnmpAdminString | NoAccess |
Note: this object is based on the SnmpAdminString TEXTUAL-CONVENTION. A human readable string representing the name of the user. This is the (User-based Security) Model dependent security ID. |
Name | Type | Access | Description |
---|---|---|---|
1
usmDHUserAuthKeyChange |
OCTETSTR
DHKeyChange | Create |
Note: this object is based on the DHKeyChange TEXTUAL-CONVENTION. The object used to change any given user's Authentication Key using a Diffie-Hellman key exchange. The right-most n bits of the shared secret 'sk', where 'n' is the number of bits required for the protocol defined by usmUserAuthProtocol, are installed as the operational authentication key for this row after a successful SET. |
2
usmDHUserOwnAuthKeyChange |
OCTETSTR
DHKeyChange | Create |
Note: this object is based on the DHKeyChange TEXTUAL-CONVENTION. The object used to change the agents own Authentication Key using a Diffie-Hellman key exchange. The right-most n bits of the shared secret 'sk', where 'n' is the number of bits required for the protocol defined by usmUserAuthProtocol, are installed as the operational authentication key for this row after a successful SET. |
3
usmDHUserPrivKeyChange |
OCTETSTR
DHKeyChange | Create |
Note: this object is based on the DHKeyChange TEXTUAL-CONVENTION. The object used to change any given user's Privacy Key using a Diffie-Hellman key exchange. The right-most n bits of the shared secret 'sk', where 'n' is the number of bits required for the protocol defined by usmUserPrivProtocol, are installed as the operational privacy key for this row after a successful SET. |
4
usmDHUserOwnPrivKeyChange |
OCTETSTR
DHKeyChange | Create |
Note: this object is based on the DHKeyChange TEXTUAL-CONVENTION. The object used to change the agent's own Privacy Key using a Diffie-Hellman key exchange. The right-most n bits of the shared secret 'sk', where 'n' is the number of bits required for the protocol defined by usmUserPrivProtocol, are installed as the operational privacy key for this row after a successful SET. |
Name | Type | Access | Description |
---|---|---|---|
1
usmDHKickstartIndex |
INTEGER32
Legal values: 1 .. 2147483647 | NoAccess |
Index value for this row. |
Name | Type | Access | Description |
---|---|---|---|
2
usmDHKickstartMyPublic | OCTETSTR | ReadOnly |
The agent's Diffie-Hellman public value for this row. At initialization, the agent generates a random number and derives its public value from that number. This public value is published here. This public value 'y' equals g^r MOD p where g is the from the set of Diffie-Hellman parameters, p is the prime from those parameters, and r is a random integer selected by the agent in the interval 2^(l-1) <= r < p-1 < 2^l. If l is unspecified, then r is a random integer selected in the interval 0 <= r < p-1 The public value is expressed as an OCTET STRING 'PV' of length 'k' which satisfies k y = SUM 2^(8(k-i)) PV'i i = 1 where PV1,...,PVk are the octets of PV from first to last, and where PV1 != 0. The following DH parameters (Oakley group #2, RFC 2409, sec 6.1, 6.2) are used for this object: g = 2 p = FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF l=1024 Also see Reference:
|
3
usmDHKickstartMgrPublic | OCTETSTR | ReadOnly |
The manager's Diffie-Hellman public value for this row. Note that this value is not set via the SNMP agent, but may be set via some out of band method, such as the device's configuration file. The manager calculates this value in the same manner and using the same parameter set as the agent does. E.g. it selects a random number 'r', calculates y = g^r mod p and provides 'y' as the public number expressed as an OCTET STRING. See usmDHKickstartMyPublic for details. When this object is set with a valid value during initialization, a row is created in the usmUserTable with the following values: usmUserEngineID localEngineID usmUserName [value of usmDHKickstartSecurityName] usmUserSecurityName [value of usmDHKickstartSecurityName] usmUserCloneFrom ZeroDotZero usmUserAuthProtocol usmHMACMD5AuthProtocol usmUserAuthKeyChange -- derived from set value usmUserOwnAuthKeyChange -- derived from set value usmUserPrivProtocol usmDESPrivProtocol usmUserPrivKeyChange -- derived from set value usmUserOwnPrivKeyChange -- derived from set value usmUserPublic '' usmUserStorageType permanent usmUserStatus active A shared secret 'sk' is calculated at the agent as sk = mgrPublic^r mod p where r is the agents random number and p is the DH prime from the common parameters. The underlying privacy key for this row is derived from sk by applying the key derivation function PBKDF2 defined in PKCS#5v2.0 with a salt of 0xd1310ba6, and iterationCount of 500, a keyLength of 16 (for usmDESPrivProtocol), and a prf (pseudo random function) of 'id-hmacWithSHA1'. The underlying authentication key for this row is derived from sk by applying the key derivation function PBKDF2 with a salt of 0x98dfb5ac , an interation count of 500, a keyLength of 16 (for usmHMAC5AuthProtocol), and a prf of 'id-hmacWithSHA1'. Note: The salts are the first two words in the ks0 [key schedule 0] of the BLOWFISH cipher from 'Applied Cryptography' by Bruce Schnier - they could be any relatively random string of bits. The manager can use its knowledge of its own random number and the agent's public value to kickstart its access to the agent in a secure manner. Note that the security of this approach is directly related to the strength of the authorization security of the out of band provisioning of the managers public value (e.g. the configuration file), but is not dependent at all on the strength of the confidentiality of the out of band provisioning data. Also see Reference:
|
4
usmDHKickstartSecurityName |
OCTETSTR
Legal Lengths: 0 .. 255 SnmpAdminString | ReadOnly |
Note: this object is based on the SnmpAdminString TEXTUAL-CONVENTION. The usmUserName and usmUserSecurityName in the usmUserTable associated with this row. This is provided in the same manner and at the same time as the usmDHKickstartMgrPublic value - e.g. possibly manually, or via the device's configuration file. |
SCALAR OBJECTS
TABLE OBJECTS |
These TEXTUAL-CONVENTIONS are used in other parts of the document above. They are SNMP's way of defining a datatype that is used repeatedly by other MIB objects. Any implementation implementing objects that use one of these definitions must follow its DESCRIPTION clause as well as the DESCRIPTION clause of the object itself.
Name | Type | Description |
---|---|---|
DHKeyChange | OCTETSTR | Upon initialization, or upon creation of a row containing an object of this type, and after any successful SET of this value, a GET of this value returns 'y' where y = g^xa MOD p, and where g is the base from usmDHParameters, p is the prime from usmDHParameters, and xa is a new random integer selected by the agent in the interval 2^(l-1) <= xa < 2^l < p-1. 'l' is the optional privateValueLength from usmDHParameters in bits. If 'l' is omitted, then xa (and xr below) is selected in the interval 0 <= xa < p-1. y is expressed as an OCTET STRING 'PV' of length 'k' which satisfies k y = SUM 2^(8(k-i)) PV'i i=1 where PV1,...,PVk are the octets of PV from first to last, and where PV1 <> 0. A successful SET consists of the value 'y' expressed as an OCTET STRING as above concatenated with the value 'z'(expressed as an OCTET STRING in the same manner as y) where z = g^xr MOD p, where g, p and l are as above, and where xr is a new random integer selected by the manager in the interval 2^(l-1) <= xr < 2^l < p-1. A SET to an object of this type will fail with the error wrongValue if the current 'y' does not match the 'y' portion of the value of the varbind for the object. (E.g. GET yout, SET concat(yin, z), yout <> yin). Note that the private values xa and xr are never transmitted from manager to device or vice versa, only the values y and z. Obviously, these values must be retained until a successful SET on the associated object. The shared secret 'sk' is calculated at the agent as sk = z^xa MOD p, and at the manager as sk = y^xr MOD p. Each object definition of this type MUST describe how to map from the shared secret 'sk' to the operational key value used by the protocols and operations related to the object. In general, if n bits of key are required, the author suggests using the n right-most bits of the shared secret as the operational key value. |
SnmpEngineID | OCTETSTR | An SNMP engine's administratively-unique identifier. Objects of this type are for identification, not for addressing, even though it is possible that an address may have been used in the generation of a specific value. The value for this object may not be all zeros or all 'ff'H or the empty (zero length) string. The initial value for this object may be configured via an operator console entry or via an algorithmic function. In the latter case, the following example algorithm is recommended. In cases where there are multiple engines on the same system, the use of this algorithm is NOT appropriate, as it would result in all of those engines ending up with the same ID value. 1) The very first bit is used to indicate how the rest of the data is composed. 0 - as defined by enterprise using former methods that existed before SNMPv3. See item 2 below. 1 - as defined by this architecture, see item 3 below. Note that this allows existing uses of the engineID (also known as AgentID [RFC1910]) to co-exist with any new uses. 2) The snmpEngineID has a length of 12 octets. The first four octets are set to the binary equivalent of the agent's SNMP management private enterprise number as assigned by the Internet Assigned Numbers Authority (IANA). For example, if Acme Networks has been assigned { enterprises 696 }, the first four octets would be assigned '000002b8'H. The remaining eight octets are determined via one or more enterprise-specific methods. Such methods must be designed so as to maximize the possibility that the value of this object will be unique in the agent's administrative domain. For example, it may be the IP address of the SNMP entity, or the MAC address of one of the interfaces, with each address suitably padded with random octets. If multiple methods are defined, then it is recommended that the first octet indicate the method being used and the remaining octets be a function of the method. 3) The length of the octet string varies. The first four octets are set to the binary equivalent of the agent's SNMP management private enterprise number as assigned by the Internet Assigned Numbers Authority (IANA). For example, if Acme Networks has been assigned { enterprises 696 }, the first four octets would be assigned '000002b8'H. The very first bit is set to 1. For example, the above value for Acme Networks now changes to be '800002b8'H. The fifth octet indicates how the rest (6th and following octets) are formatted. The values for the fifth octet are: 0 - reserved, unused. 1 - IPv4 address (4 octets) lowest non-special IP address 2 - IPv6 address (16 octets) lowest non-special IP address 3 - MAC address (6 octets) lowest IEEE MAC address, canonical order 4 - Text, administratively a |
SnmpAdminString | OCTETSTR | An octet string containing administrative information, preferably in human-readable form. To facilitate internationalization, this information is represented using the ISO/IEC IS 10646-1 character set, encoded as an octet string using the UTF-8 transformation format described in [RFC2279]. Since additional code points are added by amendments to the 10646 standard from time to time, implementations must be prepared to encounter any code point from 0x00000000 to 0x7fffffff. Byte sequences that do not correspond to the valid UTF-8 encoding of a code point or are outside this range are prohibited. The use of control codes should be avoided. When it is necessary to represent a newline, the control code sequence CR LF should be used. The use of leading or trailing white space should be avoided. For code points not directly supported by user interface hardware or software, an alternative means of entry and display, such as hexadecimal, may be provided. For information encoded in 7-bit US-ASCII, the UTF-8 encoding is identical to the US-ASCII encoding. UTF-8 may require multiple bytes to represent a single character / code point; thus the length of this object in octets may be different from the number of characters encoded. Similarly, size constraints refer to the number of encoded octets, not the number of characters represented by an encoding. Note that when this TC is used for an object that is used or envisioned to be used as an index, then a SIZE restriction MUST be specified so that the number of sub-identifiers for any object instance does not exceed the limit of 128, as defined by [RFC3416]. Note that the size of an SnmpAdminString object is measured in octets, not characters. |
Tree view generated by running: snmptranslate -Tp SNMP-USM-DH-OBJECTS-MIB::snmpUsmDHObjectsMIB
+--snmpUsmDHObjectsMIB(101) | +--usmDHKeyObjects(1) | | | +--usmDHPublicObjects(1) | | | | | +-- -RW- String usmDHParameters(1) | | | | | +--usmDHUserKeyTable(2) | | | | | +--usmDHUserKeyEntry(1) | | | | | +-- CR-- String usmDHUserAuthKeyChange(1) | | | Textual Convention: DHKeyChange | | +-- CR-- String usmDHUserOwnAuthKeyChange(2) | | | Textual Convention: DHKeyChange | | +-- CR-- String usmDHUserPrivKeyChange(3) | | | Textual Convention: DHKeyChange | | +-- CR-- String usmDHUserOwnPrivKeyChange(4) | | Textual Convention: DHKeyChange | | | +--usmDHKickstartGroup(2) | | | +--usmDHKickstartTable(1) | | | +--usmDHKickstartEntry(1) | | Index: usmDHKickstartIndex | | | +-- ---- Integer32 usmDHKickstartIndex(1) | | Range: 1..2147483647 | +-- -R-- String usmDHKickstartMyPublic(2) | +-- -R-- String usmDHKickstartMgrPublic(3) | +-- -R-- String usmDHKickstartSecurityName(4) | Textual Convention: SnmpAdminString | Size: 0..255 | +--usmDHKeyConformance(2) | +--usmDHKeyMIBCompliances(1) | | | +--usmDHKeyMIBCompliance(1) | +--usmDHKeyMIBGroups(2) | +--usmDHKeyMIBBasicGroup(1) +--usmDHKeyParamGroup(2) +--usmDHKeyKickstartGroup(3)
Last modified: Wednesday, 01-Aug-2018 04:41:28 UTC
For questions regarding web content and site functionality, please write to the net-snmp-users mail list.