Appendix A - Installation

A.1. Installation Parameters

During installation, an authoritative SNMP engine which supports this View-based Access Control Model SHOULD be configured with several initial parameters. These include for the View-based Access Control Model:

  1. A security configuration

    The choice of security configuration determines if initial configuration is implemented and if so how. One of three possible choices is selected:

    • initial-minimum-security-configuration
    • initial-semi-security-configuration
    • initial-no-access-configuration

    In the case of an initial-no-access-configuration, there is no initial configuration, and so the following steps are irrelevant.

  2. A default context

    One entry in the vacmContextTable with a contextName of "" (the empty string), representing the default context. Note that this table gets created automatically if a default context exists.

    vacmContextName ""

  3. An initial group

    One entry in the vacmSecurityToGroupTable to allow access to group "initial".

    vacmSecurityModel                 3 (USM)
    vacmSecurityName                  "initial"
    vacmGroupName                     "initial"
    vacmSecurityToGroupStorageType    anyValidStorageType
    vacmSecurityToGroupStatus         active

  4. Initial access rights

    Three entries in the vacmAccessTable as follows:

    • read-notify access for securityModel USM, securityLevel "noAuthNoPriv" on behalf of securityNames that belong to the group "initial" to the <restricted> MIB view in the default context with contextName "".

    • read-write-notify access for securityModel USM, securityLevel "authNoPriv" on behalf of securityNames that belong to the group "initial" to the <internet> MIB view in the default context with contextName "".

    • if privacy is supported, read-write-notify access for securityModel USM, securityLevel "authPriv" on behalf of securityNames that belong to the group "initial" to the <internet> MIB view in the default context with contextName "".

    That translates into the following entries in the vacmAccessTable.

    • One entry to be used for unauthenticated access (noAuthNoPriv):

      vacmGroupName                   "initial"
      vacmAccessContextPrefix         ""
      vacmAccessSecurityModel         3 (USM)
      vacmAccessSecurityLevel         noAuthNoPriv
      vacmAccessContextMatch          exact
      vacmAccessReadViewName          "restricted"
      vacmAccessWriteViewName         ""
      vacmAccessNotifyViewName        "restricted"
      vacmAccessStorageType           anyValidStorageType
      vacmAccessStatus                active

    • One entry to be used for authenticated access (authNoPriv) with optional privacy (authPriv):

      vacmGroupName                   "initial"
      vacmAccessContextPrefix         ""
      vacmAccessSecurityModel         3 (USM)
      vacmAccessSecurityLevel         authNoPriv
      vacmAccessContextMatch          exact
      vacmAccessReadViewName          "internet"
      vacmAccessWriteViewName         "internet"
      vacmAccessNotifyViewName        "internet"
      vacmAccessStorageType           anyValidStorageType
      vacmAccessStatus                active

  5. Two MIB views, of which the second one depends on the security configuration.

    • One view, the <internet> view, for authenticated access:

      • the <internet> MIB view is the following subtree: "internet" (subtree 1.3.6.1)

    • A second view, the <restricted> view, for unauthenticated access. This view is configured according to the selected security configuration:

      • For the initial-no-access-configuration there is no default initial configuration, so no MIB views are prescribed.

      • For the initial-semi-secure-configuration, the <restricted> MIB view is the union of these subtrees:

        (a) "system" (subtree 1.3.6.1.2.1.1) [RFC3918]
        (b) "snmp" (subtree 1.3.6.1.2.1.11) [RFC3918]
        (c) "snmpEngine" (subtree 1.3.6.1.6.3.10.2.1) [RFC3411]
        (d) "snmpMPDStats" (subtree 1.3.6.1.6.3.11.2.1) [RFC3412]
        (e) "usmStats" (subtree 1.3.6.1.6.3.15.1.1) [RFC3414]

      • For the initial-minimum-secure-configuration, the <restricted> MIB view is the following subtree: "internet" (subtree 1.3.6.1)

This translates into the following "internet" entry in the vacmViewTreeFamilyTable:

                                  minimum-secure        semi-secure
                                  ----------------      ---------------
vacmViewTreeFamilyViewName        "internet"            "internet"
vacmViewTreeFamilySubtree         1.3.6.1               1.3.6.1
vacmViewTreeFamilyMask            ""                    ""
vacmViewTreeFamilyType            1 (included)          1 (included)
vacmViewTreeFamilyStorageType     anyValidStorageType   anyValidStorageType
vacmViewTreeFamilyStatus          active                active

In addition it translates into the following "restricted" entries in the vacmViewTreeFamilyTable:

                                  minimum-secure        semi-secure
                                  ----------------      ---------------
vacmViewTreeFamilyViewName        "restricted"          "restricted"
vacmViewTreeFamilySubtree         1.3.6.1               1.3.6.1.2.1.1
vacmViewTreeFamilyMask            ""                    ""
vacmViewTreeFamilyType            1 (included)          1 (included)
vacmViewTreeFamilyStorageType     anyValidStorageType   anyValidStorageType
vacmViewTreeFamilyStatus          active                active

vacmViewTreeFamilyViewName                              "restricted"
vacmViewTreeFamilySubtree                               1.3.6.1.2.1.11
vacmViewTreeFamilyMask                                  ""
vacmViewTreeFamilyType                                  1 (included)
vacmViewTreeFamilyStorageType                           anyValidStorageType
vacmViewTreeFamilyStatus                                active

vacmViewTreeFamilyViewName                              "restricted"
vacmViewTreeFamilySubtree                               1.3.6.1.6.3.10.2.1
vacmViewTreeFamilyMask                                  ""
vacmViewTreeFamilyType                                  1 (included)
vacmViewTreeFamilyStorageType                           anyValidStorageType
vacmViewTreeFamilyStatus                                active

vacmViewTreeFamilyViewName                              "restricted"
vacmViewTreeFamilySubtree                               1.3.6.1.6.3.11.2.1
vacmViewTreeFamilyMask                                  ""
vacmViewTreeFamilyType                                  1 (included)
vacmViewTreeFamilyStorageType                           anyValidStorageType
vacmViewTreeFamilyStatus                                active

vacmViewTreeFamilyViewName                              "restricted"
vacmViewTreeFamilySubtree                               1.3.6.1.6.3.15.1.1
vacmViewTreeFamilyMask                                  ""
vacmViewTreeFamilyType                                  1 (included)
vacmViewTreeFamilyStorageType                           anyValidStorageType
vacmViewTreeFamilyStatus                                active
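The following is an added worked example, not text or code from the RFC: it loads the initial VACM tables from steps 2 through 5 above for each of the three security configurations and answers the access question an authoritative engine has to answer for every request ("may this securityName, at this securityLevel, read/write/notify this object in this context?"). The function names (vacm_initial_config, view_includes, is_access_allowed), the dataclasses and the numeric constants for the security levels are this example's own choices; the table rows are the ones listed in the appendix. The lookup follows the VACM rules in general terms (access entry chosen among those whose securityLevel does not exceed the request's, view entry chosen by longest matching subtree), so it also shows why an authPriv request is served by the authNoPriv access entry in this configuration, and why semi-secure unauthenticated access stops at the five restricted subtrees.

```python
from dataclasses import dataclass

# SnmpSecurityLevel values as numbered in RFC 3411, and the USM securityModel number
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3
USM = 3


def oid(dotted):
    """'1.3.6.1' -> (1, 3, 6, 1); the empty string -> ()."""
    return tuple(int(x) for x in dotted.split(".")) if dotted else ()


@dataclass(frozen=True)
class ViewEntry:            # one vacmViewTreeFamilyTable row
    view_name: str
    subtree: tuple
    mask: tuple = ()        # "" mask: every sub-identifier of the subtree must match
    included: bool = True   # vacmViewTreeFamilyType 1 (included) / 2 (excluded)


@dataclass(frozen=True)
class AccessEntry:          # one vacmAccessTable row; contextMatch is always "exact" here
    group: str
    context_prefix: str
    security_model: int
    security_level: int
    read_view: str
    write_view: str
    notify_view: str


def vacm_initial_config(security_configuration):
    """Build (vacmSecurityToGroupTable, vacmAccessTable, vacmViewTreeFamilyTable)
    for one of the three initial configurations named in A.1."""
    if security_configuration == "initial-no-access-configuration":
        return {}, [], []                               # nothing is pre-configured
    group_table = {(USM, "initial"): "initial"}         # step 3: the "initial" group
    access_table = [                                    # step 4: the two access entries
        AccessEntry("initial", "", USM, NO_AUTH_NO_PRIV, "restricted", "", "restricted"),
        AccessEntry("initial", "", USM, AUTH_NO_PRIV, "internet", "internet", "internet"),
    ]
    views = [ViewEntry("internet", oid("1.3.6.1"))]    # step 5: the <internet> view
    if security_configuration == "initial-minimum-security-configuration":
        views.append(ViewEntry("restricted", oid("1.3.6.1")))
    elif security_configuration == "initial-semi-security-configuration":
        for subtree in ("1.3.6.1.2.1.1", "1.3.6.1.2.1.11", "1.3.6.1.6.3.10.2.1",
                        "1.3.6.1.6.3.11.2.1", "1.3.6.1.6.3.15.1.1"):
            views.append(ViewEntry("restricted", oid(subtree)))
    else:
        raise ValueError("unknown security configuration: " + security_configuration)
    return group_table, access_table, views


def _subtree_matches(entry, target):
    """Does the target OID lie under entry.subtree, honouring the family mask?"""
    if len(entry.subtree) > len(target):
        return False
    for i, sub in enumerate(entry.subtree):
        bit = entry.mask[i] if i < len(entry.mask) else 1   # missing mask bits count as 1
        if bit and sub != target[i]:
            return False
    return True


def view_includes(views, view_name, target):
    """Is target in the named MIB view?  Among matching family entries the one with
    the longest subtree wins (ties: greatest mask); an empty view name grants nothing."""
    if not view_name:
        return False
    matches = [v for v in views if v.view_name == view_name and _subtree_matches(v, target)]
    if not matches:
        return False
    best = max(matches, key=lambda v: (len(v.subtree), v.mask))
    return best.included


def is_access_allowed(cfg, security_model, security_name, security_level,
                      view_type, context_name, target):
    """view_type is 'read', 'write' or 'notify'; target is an OID tuple from oid()."""
    group_table, access_table, views = cfg
    group = group_table.get((security_model, security_name))
    if group is None:
        return False                                    # noSuchGroupName
    candidates = [a for a in access_table
                  if a.group == group and a.context_prefix == context_name
                  and a.security_model == security_model
                  and a.security_level <= security_level]
    if not candidates:
        return False                                    # noAccessEntry
    entry = max(candidates, key=lambda a: a.security_level)   # strongest applicable entry
    view_name = {"read": entry.read_view, "write": entry.write_view,
                 "notify": entry.notify_view}[view_type]
    return view_includes(views, view_name, target)


if __name__ == "__main__":
    semi = vacm_initial_config("initial-semi-security-configuration")
    print(is_access_allowed(semi, USM, "initial", NO_AUTH_NO_PRIV, "read", "",
                            oid("1.3.6.1.2.1.1.1.0")))        # sysDescr.0: True
    print(is_access_allowed(semi, USM, "initial", NO_AUTH_NO_PRIV, "write", "",
                            oid("1.3.6.1.2.1.1.4.0")))        # sysContact.0: False
```

Two observations fall out of running it. Under the semi-secure configuration an unauthenticated request can read sysDescr but not the usmUser objects (1.3.6.1.6.3.15.1.2, which sit beside, not under, usmStats), and cannot write anything because vacmAccessWriteViewName is "" in the noAuthNoPriv entry; under the minimum-secure configuration the same unauthenticated request reads the whole internet subtree, which is the trade-off the two configurations exist to let an operator choose.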