Tech-invite3GPPspaceIETFspace
96959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 2573

SNMP Applications

Pages: 72
Obsoletes:  2273
Obsoleted by:  3413
Part 1 of 3 – Pages 1 to 28
None   None   Next

ToP   noToC   RFC2573 - Page 1
Network Working Group                                            D. Levi
Request for Comments: 2573                           SNMP Research, Inc.
Obsoletes: 2273                                                 P. Meyer
Category: Standards Track                   Secure Computing Corporation
                                                              B. Stewart
                                                           Cisco Systems
                                                              April 1999


                           SNMP Applications

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

This memo describes five types of SNMP applications which make use of an SNMP engine as described in [RFC2571]. The types of application described are Command Generators, Command Responders, Notification Originators, Notification Receivers, and Proxy Forwarders. This memo also defines MIB modules for specifying targets of management operations, for notification filtering, and for proxy forwarding.

Table Of Contents

1 Overview ..................................................... 2 1.1 Command Generator Applications ............................. 3 1.2 Command Responder Applications ............................. 3 1.3 Notification Originator Applications ....................... 3 1.4 Notification Receiver Applications ......................... 3 1.5 Proxy Forwarder Applications ............................... 4 2 Management Targets ........................................... 5 3 Elements Of Procedure ........................................ 6 3.1 Command Generator Applications ............................. 6 3.2 Command Responder Applications ............................. 9 3.3 Notification Originator Applications ....................... 14 3.4 Notification Receiver Applications ......................... 17
ToP   noToC   RFC2573 - Page 2
   3.5 Proxy Forwarder Applications ...............................   19
   3.5.1 Request Forwarding .......................................   20
   3.5.1.1 Processing an Incoming Request .........................   20
   3.5.1.2 Processing an Incoming Response ........................   23
   3.5.1.3 Processing an Incoming Internal-Class PDU ..............   24
   3.5.2 Notification Forwarding ..................................   25
   4 The Structure of the MIB Modules .............................   28
   4.1 The Management Target MIB Module ...........................   28
   4.1.1 Tag Lists ................................................   29
   4.1.2 Definitions ..............................................   30
   4.2 The Notification MIB Module ................................   43
   4.2.1 Definitions ..............................................   43
   4.3 The Proxy MIB Module .......................................   55
   4.3.1 Definitions ..............................................   55
   5 Identification of Management Targets in Notification
        Originators ...............................................   61
   6 Notification Filtering .......................................   62
   7 Management Target Translation in Proxy  Forwarder  Applica-
        tions .....................................................   63
   7.1 Management Target Translation for Request Forwarding .......   63
   7.2 Management Target Translation for Notification Forwarding
        ...........................................................   64
   8 Intellectual Property ........................................   65
   9 Acknowledgments ..............................................   66
   10 Security Considerations .....................................   67
   11 References ..................................................   67
   12 Editors' Addresses...........................................   69
   A. Trap Configuration Example ..................................   70
   B. Full Copyright Statement ....................................   72


1. Overview

This document describes five types of SNMP applications: - Applications which initiate SNMP Read-Class, and/or Write-Class requests, called 'command generators.' - Applications which respond to SNMP Read-Class, and/or Write-Class requests, called 'command responders.' - Applications which generate SNMP Notification-Class PDUs, called 'notification originators.' - Applications which receive SNMP Notification-Class PDUs, called 'notification receivers.' - Applications which forward SNMP messages, called 'proxy forwarders.'
ToP   noToC   RFC2573 - Page 3
   Note that there are no restrictions on which types of applications
   may be associated with a particular SNMP engine.  For example, a
   single SNMP engine may, in fact, be associated with both command
   generator and command responder applications.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.1. Command Generator Applications

A command generator application initiates SNMP Read-Class and/or Write-Class requests, as well as processing the response to a request which it generated.

1.2. Command Responder Applications

A command responder application receives SNMP Read-Class and/or Write-Class requests destined for the local system as indicated by the fact that the contextEngineID in the received request is equal to that of the local engine through which the request was received. The command responder application will perform the appropriate protocol operation, using access control, and will generate a response message to be sent to the request's originator.

1.3. Notification Originator Applications

A notification originator application conceptually monitors a system for particular events or conditions, and generates Notification-Class messages based on these events or conditions. A notification originator must have a mechanism for determining where to send messages, and what SNMP version and security parameters to use when sending messages. A mechanism and MIB module for this purpose is provided in this document. Note that Notification-Class PDUs generated by a notification originator may be either Confirmed-Class or Unconfirmed-Class PDU types.

1.4. Notification Receiver Applications

A notification receiver application listens for notification messages, and generates response messages when a message containing a Confirmed-Class PDU is received.
ToP   noToC   RFC2573 - Page 4

1.5. Proxy Forwarder Applications

A proxy forwarder application forwards SNMP messages. Note that implementation of a proxy forwarder application is optional. The sections describing proxy (4.5, 5.3, and 8) may be skipped for implementations that do not include a proxy forwarder application. The term "proxy" has historically been used very loosely, with multiple different meanings. These different meanings include (among others): (1) the forwarding of SNMP requests to other SNMP entities without regard for what managed object types are being accessed; for example, in order to forward an SNMP request from one transport domain to another, or to translate SNMP requests of one version into SNMP requests of another version; (2) the translation of SNMP requests into operations of some non- SNMP management protocol; and (3) support for aggregated managed objects where the value of one managed object instance depends upon the values of multiple other (remote) items of management information. Each of these scenarios can be advantageous; for example, support for aggregation of management information can significantly reduce the bandwidth requirements of large-scale management activities. However, using a single term to cover multiple different scenarios causes confusion. To avoid such confusion, this document uses the term "proxy" with a much more tightly defined meaning. The term "proxy" is used in this document to refer to a proxy forwarder application which forwards either SNMP messages without regard for what managed objects are contained within those messages. This definition is most closely related to the first definition above. Note, however, that in the SNMP architecture [RFC2571], a proxy forwarder is actually an application, and need not be associated with what is traditionally thought of as an SNMP agent. Specifically, the distinction between a traditional SNMP agent and a proxy forwarder application is simple:
ToP   noToC   RFC2573 - Page 5
     -  a proxy forwarder application forwards SNMP messages to other
        SNMP engines according to the context, and irrespective of the
        specific managed object types being accessed, and forwards the
        response to such previously forwarded messages back to the SNMP
        engine from which the original message was received;

     -  in contrast, the command responder application that is part of
        what is traditionally thought of as an SNMP agent, and which
        processes SNMP requests according to the (names of the)
        individual managed object types and instances being accessed, is
        NOT a proxy forwarder application from the perspective of this
        document.

   Thus, when a proxy forwarder application forwards a request or
   notification for a particular contextEngineID / contextName pair, not
   only is the information on how to forward the request specifically
   associated with that context, but the proxy forwarder application has
   no need of a detailed definition of a MIB view (since the proxy
   forwarder application forwards the request irrespective of the
   managed object types).

   In contrast, a command responder application must have the detailed
   definition of the MIB view, and even if it needs to issue requests to
   other entities, via SNMP or otherwise, that need is dependent on the
   individual managed object instances being accessed (i.e., not only on
   the context).

   Note that it is a design goal of a proxy forwarder application to act
   as an intermediary between the endpoints of a transaction.  In
   particular, when forwarding Confirmed Notification-Class messages,
   the associated response is forwarded when it is received from the
   target to which the Notification-Class message was forwarded, rather
   than generating a response immediately when the Notification-Class
   message is received.

2. Management Targets

Some types of applications (notification generators and proxy forwarders in particular) require a mechanism for determining where and how to send generated messages. This document provides a mechanism and MIB module for this purpose. The set of information that describes where and how to send a message is called a ' Management Target', and consists of two kinds of information: - Destination information, consisting of a transport domain and a transport address. This is also termed a transport endpoint.
ToP   noToC   RFC2573 - Page 6
     -  SNMP parameters, consisting of message processing model,
        security model, security level, and security name information.

   The SNMP-TARGET-MIB module described later in this document contains
   one table for each of these types of information.  There can be a
   many-to-many relationship in the MIB between these two types of
   information.  That is, there may be multiple transport endpoints
   associated with a particular set of SNMP parameters, or a particular
   transport endpoint may be associated with several sets of SNMP
   parameters.

3. Elements Of Procedure

The following sections describe the procedures followed by each type of application when generating messages for transmission or when processing received messages. Applications communicate with the Dispatcher using the abstract service interfaces defined in [RFC2571].

3.1. Command Generator Applications

A command generator initiates an SNMP request by calling the Dispatcher using the following abstract service interface: statusInformation = -- sendPduHandle if success -- errorIndication if failure sendPdu( IN transportDomain -- transport domain to be used IN transportAddress -- destination network address IN messageProcessingModel -- typically, SNMP version IN securityModel -- Security Model to use IN securityName -- on behalf of this principal IN securityLevel -- Level of Security requested IN contextEngineID -- data from/at this entity IN contextName -- data from/in this context IN pduVersion -- the version of the PDU IN PDU -- SNMP Protocol Data Unit IN expectResponse -- TRUE or FALSE ) Where: - The transportDomain is that of the destination of the message. - The transportAddress is that of the destination of the message.
ToP   noToC   RFC2573 - Page 7
     -  The messageProcessingModel indicates which Message Processing
        Model the application wishes to use.

     -  The securityModel is the security model that the application
        wishes to use.

     -  The securityName is the security model independent name for the
        principal on whose behalf the application wishes the message is
        to be generated.

     -  The securityLevel is the security level that the application
        wishes to use.

     -  The contextEngineID is provided by the command generator if it
        wishes to explicitly specify the location of the management
        information it is requesting.

     -  The contextName is provided by the command generator if it
        wishes to explicitly specify the local context name for the
        management information it is requesting.

     -  The pduVersion indicates the version of the PDU to be sent.

     -  The PDU is a value constructed by the command generator
        containing the management operation that the command generator
        wishes to perform.

     -  The expectResponse argument indicates that a response is
        expected.

   The result of the sendPdu interface indicates whether the PDU was
   successfully sent.  If it was successfully sent, the returned value
   will be a sendPduHandle.  The command generator should store the
   sendPduHandle so that it can correlate a response to the original
   request.

   The Dispatcher is responsible for delivering the response to a
   particular request to the correct command generator application.  The
   abstract service interface used is:

       processResponsePdu(              -- process Response PDU
         IN   messageProcessingModel    -- typically, SNMP version
         IN   securityModel             -- Security Model in use
         IN   securityName              -- on behalf of this principal
         IN   securityLevel             -- Level of Security
         IN   contextEngineID           -- data from/at this SNMP entity
         IN   contextName               -- data from/in this context
         IN   pduVersion                -- the version of the PDU
ToP   noToC   RFC2573 - Page 8
         IN   PDU                       -- SNMP Protocol Data Unit
         IN   statusInformation         -- success or errorIndication
         IN   sendPduHandle             -- handle from sendPdu
              )

   Where:

     -  The messageProcessingModel is the value from the received
        response.

     -  The securityModel is the value from the received response.

     -  The securityName is the value from the received response.

     -  The securityLevel is the value from the received response.

     -  The contextEngineID is the value from the received response.

     -  The contextName is the value from the received response.

     -  The pduVersion indicates the version of the PDU in the received
        response.

     -  The PDU is the value from the received response.

     -  The statusInformation indicates success or failure in receiving
        the response.

     -  The sendPduHandle is the value returned by the sendPdu call
        which generated the original request to which this is a
        response.

   The procedure when a command generator receives a message is as
   follows:

   (1)  If the received values of messageProcessingModel, securityModel,
        securityName, contextEngineID, contextName, and pduVersion are
        not all equal to the values used in the original request, the
        response is discarded.

   (2)  The operation type, request-id, error-status, error-index, and
        variable-bindings are extracted from the PDU and saved.  If the
        request-id is not equal to the value used in the original
        request, the response is discarded.

   (3)  At this point, it is up to the application to take an
        appropriate action.  The specific action is implementation
        dependent.  If the statusInformation indicates that the request
ToP   noToC   RFC2573 - Page 9
        failed, an appropriate action might be to attempt to transmit
        the request again, or to notify the person operating the
        application that a failure occurred.

3.2. Command Responder Applications

Before a command responder application can process messages, it must first associate itself with an SNMP engine. The abstract service interface used for this purpose is: statusInformation = -- success or errorIndication registerContextEngineID( IN contextEngineID -- take responsibility for this one IN pduType -- the pduType(s) to be registered ) Where: - The statusInformation indicates success or failure of the registration attempt. - The contextEngineID is equal to the snmpEngineID of the SNMP engine with which the command responder is registering. - The pduType indicates a Read-Class and/or Write-Class PDU. Note that if another command responder application is already registered with an SNMP engine, any further attempts to register with the same contextEngineID and pduType will be denied. This implies that separate command responder applications could register separately for the various pdu types. However, in practice this is undesirable, and only a single command responder application should be registered with an SNMP engine at any given time. A command responder application can disassociate with an SNMP engine using the following abstract service interface: unregisterContextEngineID( IN contextEngineID -- give up responsibility for this one IN pduType -- the pduType(s) to be unregistered ) Where: - The contextEngineID is equal to the snmpEngineID of the SNMP engine with which the command responder is cancelling the registration.
ToP   noToC   RFC2573 - Page 10
     -  The pduType indicates a Read-Class and/or Write-Class PDU.

   Once the command responder has registered with the SNMP engine, it
   waits to receive SNMP messages.  The abstract service interface used
   for receiving messages is:

   processPdu(                     -- process Request/Notification PDU
     IN   messageProcessingModel   -- typically, SNMP version
     IN   securityModel            -- Security Model in use
     IN   securityName             -- on behalf of this principal
     IN   securityLevel            -- Level of Security
     IN   contextEngineID          -- data from/at this SNMP entity
     IN   contextName              -- data from/in this context
     IN   pduVersion               -- the version of the PDU
     IN   PDU                      -- SNMP Protocol Data Unit
     IN   maxSizeResponseScopedPDU -- maximum size of the Response PDU
     IN   stateReference           -- reference to state information
          )                        -- needed when sending a response

   Where:

     -  The messageProcessingModel indicates which Message Processing
        Model received and processed the message.

     -  The securityModel is the value from the received message.

     -  The securityName is the value from the received message.

     -  The securityLevel is the value from the received message.

     -  The contextEngineID is the value from the received message.

     -  The contextName is the value from the received message.

     -  The pduVersion indicates the version of the PDU in the received
        message.

     -  The PDU is the value from the received message.

     -  The maxSizeResponseScopedPDU is the maximum allowable size of a
        ScopedPDU containing a Response PDU (based on the maximum
        message size that the originator of the message can accept).

     -  The stateReference is a value which references cached
        information about each received request message.  This value
        must be returned to the Dispatcher in order to generate a
        response.
ToP   noToC   RFC2573 - Page 11
   The procedure when a message is received is as follows.

   (1)  The operation type is determined from the ASN.1 tag value
        associated with the PDU parameter.  The operation type should
        always be one of the types previously registered by the
        application.

   (2)  The request-id is extracted from the PDU and saved.

   (3)  Any PDU type specific parameters are extracted from the PDU and
        saved (for example, if the PDU type is an SNMPv2 GetBulk PDU,
        the non-repeaters and max-repetitions values are extracted).

   (4)  The variable-bindings are extracted from the PDU and saved.

   (5)  The management operation represented by the PDU type is
        performed with respect to the relevant MIB view within the
        context named by the contextName (for an SNMPv2 PDU type, the
        operation is performed according to the procedures set forth in
        [RFC1905]).  The relevant MIB view is determined by the
        securityLevel, securityModel, contextName, securityName, and the
        class of the PDU type.  To determine whether a particular object
        instance is within the relevant MIB view, the following abstract
        service interface is called:

       statusInformation =      -- success or errorIndication
         isAccessAllowed(
         IN   securityModel     -- Security Model in use
         IN   securityName      -- principal who wants to access
         IN   securityLevel     -- Level of Security
         IN   viewType          -- read, write, or notify view
         IN   contextName       -- context containing variableName
         IN   variableName      -- OID for the managed object
              )

   Where:

     -  The securityModel is the value from the received message.

     -  The securityName is the value from the received message.

     -  The securityLevel is the value from the received message.

     -  The viewType indicates whether the PDU type is a Read-Class or
        Write-Class operation.

     -  The contextName is the value from the received message.
ToP   noToC   RFC2573 - Page 12
     -  The variableName is the object instance of the variable for
        which access rights are to be checked.

   Normally, the result of the management operation will be a new PDU
   value, and processing will continue in step (6) below.  However, at
   any time during the processing of the management operation:

     -  If the isAccessAllowed ASI returns a noSuchView, noAccessEntry,
        or noGroupName error, processing of the management operation is
        halted, a PDU value is constructed using the values from the
        originally received PDU, but replacing the error_status with an
        authorizationError code, and error_index value of 0, and control
        is passed to step (6) below.

     -  If the isAccessAllowed ASI returns an otherError, processing of
        the management operation is halted, a different PDU value is
        constructed using the values from the originally received PDU,
        but replacing the error_status with a genError code, and control
        is passed to step (6) below.

     -  If the isAccessAllowed ASI returns a noSuchContext error,
        processing of the management operation is halted, no result PDU
        is generated, the snmpUnknownContexts counter is incremented,
        and control is passed to step (6) below.

     -  If the context named by the contextName parameter is
        unavailable, processing of the management operation is halted,
        no result PDU is generated, the snmpUnavailableContexts counter
        is incremented, and control is passed to step (6) below.

   (6)  The Dispatcher is called to generate a response or report
        message.  The abstract service interface is:

   returnResponsePdu(
     IN   messageProcessingModel   -- typically, SNMP version
     IN   securityModel            -- Security Model in use
     IN   securityName             -- on behalf of this principal
     IN   securityLevel            -- same as on incoming request
     IN   contextEngineID          -- data from/at this SNMP entity
     IN   contextName              -- data from/in this context
     IN   pduVersion               -- the version of the PDU
     IN   PDU                      -- SNMP Protocol Data Unit
     IN   maxSizeResponseScopedPDU -- maximum size of the Response PDU
     IN   stateReference           -- reference to state information
                                   -- as presented with the request
     IN   statusInformation        -- success or errorIndication
          )                        -- error counter OID/value if error
ToP   noToC   RFC2573 - Page 13
   Where:

     -  The messageProcessingModel is the value from the processPdu
        call.

     -  The securityModel is the value from the processPdu call.

     -  The securityName is the value from the processPdu call.

     -  The securityLevel is the value from the processPdu call.

     -  The contextEngineID is the value from the processPdu call.

     -  The contextName is the value from the processPdu call.

     -  The pduVersion indicates the version of the PDU to be returned.
        If no result PDU was generated, the pduVersion is an undefined
        value.

     -  The PDU is the result generated in step (5) above.  If no result
        PDU was generated, the PDU is an undefined value.

     -  The maxSizeResponseScopedPDU is a local value indicating the
        maximum size of a ScopedPDU that the application can accept.

     -  The stateReference is the value from the processPdu call.

     -  The statusInformation either contains an indication that no
        error occurred and that a response should be generated, or
        contains an indication that an error occurred along with the OID
        and counter value of the appropriate error counter object.

   Note that a command responder application should always call the
   returnResponsePdu abstract service interface, even in the event of an
   error such as a resource allocation error.  In the event of such an
   error, the PDU value passed to returnResponsePdu should contain
   appropriate values for errorStatus and errorIndex.

   Note that the text above describes situations where the
   snmpUnknownContexts counter is incremented, and where the
   snmpUnavailableContexts counter is incremented.  The difference
   between these is that the snmpUnknownContexts counter is incremented
   when a request is received for a context which unknown to the SNMP
   entity.  The snmpUnavailableContexts counter is incremented when a
   request is received for a context which is known to the SNMP entity,
   but is currently unavailable.  Determining when a context is
ToP   noToC   RFC2573 - Page 14
   unavailable is implementation specific, and some implementations may
   never encounter this situation, and so may never increment the
   snmpUnavailableContexts counter.

3.3. Notification Originator Applications

A notification originator application generates SNMP messages containing Notification-Class PDUs (for example, SNMPv2-Trap PDUs or Inform PDUs). There is no requirement as to what specific types of Notification-Class PDUs a particular implementation must be capable of generating. Notification originator applications require a mechanism for identifying the management targets to which notifications should be sent. The particular mechanism used is implementation dependent. However, if an implementation makes the configuration of management targets SNMP manageable, it MUST use the SNMP-TARGET-MIB module described in this document. When a notification originator wishes to generate a notification, it must first determine in which context the information to be conveyed in the notification exists, i.e., it must determine the contextEngineID and contextName. It must then determine the set of management targets to which the notification should be sent. The application must also determine, for each management target, what specific PDU type the notification message should contain, and if it is to contain a Confirmed-Class PDU, the number of retries and retransmission algorithm. The mechanism by which a notification originator determines this information is implementation dependent. Once the application has determined this information, the following procedure is performed for each management target: (1) Any appropriate filtering mechanisms are applied to determine whether the notification should be sent to the management target. If such filtering mechanisms determine that the notification should not be sent, processing continues with the next management target. Otherwise, (2) The appropriate set of variable-bindings is retrieved from local MIB instrumentation within the relevant MIB view. The relevant MIB view is determined by the securityLevel, securityModel, contextName, and securityName of the management target. To determine whether a particular object instance is within the relevant MIB view, the isAccessAllowed abstract service interface is used, in the same manner as described in the
ToP   noToC   RFC2573 - Page 15
        preceding section.  If the statusInformation returned by
        isAccessAllowed does not indicate accessAllowed, the
        notification is not sent to the management target.

   (3)  The NOTIFICATION-TYPE OBJECT IDENTIFIER of the notification
        (this is the value of the element of the variable bindings whose
        name is snmpTrapOID.0, i.e., the second variable binding) is
        checked using the isAccessAllowed abstract service interface,
        using the same parameters used in the preceding step.  If the
        statusInformation returned by isAccessAllowed does not indicate
        accessAllowed, the notification is not sent to the management
        target.

   (4)  A PDU is constructed using a locally unique request-id value, a
        PDU type as determined by the implementation, an error-status
        and error-index value of 0, and the variable-bindings supplied
        previously in step (2).

   (5)  If the notification contains an Unconfirmed-Class PDU, the
        Dispatcher is called using the following abstract service
        interface:

       statusInformation =              -- sendPduHandle if success
                                        -- errorIndication if failure
         sendPdu(
         IN   transportDomain           -- transport domain to be used
         IN   transportAddress          -- destination network address
         IN   messageProcessingModel    -- typically, SNMP version
         IN   securityModel             -- Security Model to use
         IN   securityName              -- on behalf of this principal
         IN   securityLevel             -- Level of Security requested
         IN   contextEngineID           -- data from/at this entity
         IN   contextName               -- data from/in this context
         IN   pduVersion                -- the version of the PDU
         IN   PDU                       -- SNMP Protocol Data Unit
         IN   expectResponse            -- TRUE or FALSE
              )

   Where:

     -  The transportDomain is that of the management target.

     -  The transportAddress is that of the management target.

     -  The messageProcessingModel is that of the management target.

     -  The securityModel is that of the management target.
ToP   noToC   RFC2573 - Page 16
     -  The securityName is that of the management target.

     -  The securityLevel is that of the management target.

     -  The contextEngineID is the value originally determined for the
        notification.

     -  The contextName is the value originally determined for the
        notification.

     -  The pduVersion is the version of the PDU to be sent.

     -  The PDU is the value constructed in step (3) above.

     -  The expectResponse argument indicates that no response is
        expected.

   Otherwise,

   (6)  If the notification contains a Confirmed-Class PDU, then:

        a)  The Dispatcher is called using the sendPdu abstract service
            interface as described in step (4) above, except that the
            expectResponse argument indicates that a response is
            expected.

        b)  The application caches information about the management
            target.

        c)  If a response is received within an appropriate time
            interval from the transport endpoint of the management
            target, the notification is considered acknowledged and the
            cached information is deleted.  Otherwise,

        d)  If a response is not received within an appropriate time
            period, or if a report indication is received, information
            about the management target is retrieved from the cache, and
            steps a) through d) are repeated.  The number of times these
            steps are repeated is equal to the previously determined
            retry count.  If this retry count is exceeded, the
            acknowledgement of the notification is considered to have
            failed, and processing of the notification for this
            management target is halted.  Note that some report
            indications might be considered a failure.  Such report
            indications should be interpreted to mean that the
            acknowledgement of the notification has failed.
ToP   noToC   RFC2573 - Page 17
   Responses to Confirmed-Class PDU notifications will be received via
   the processResponsePdu abstract service interface.

   To summarize, the steps that a notification originator follows when
   determining where to send a notification are:

     -  Determine the targets to which the notification should be sent.

     -  Apply any required filtering to the list of targets.

     -  Determine which targets are authorized to receive the
        notification.

3.4. Notification Receiver Applications

Notification receiver applications receive SNMP Notification messages from the Dispatcher. Before any messages can be received, the notification receiver must register with the Dispatcher using the registerContextEngineID abstract service interface. The parameters used are: - The contextEngineID is an undefined 'wildcard' value. Notifications are delivered to a registered notification receiver regardless of the contextEngineID contained in the notification message. - The pduType indicates the type of notifications that the application wishes to receive (for example, SNMPv2-Trap PDUs or Inform PDUs). Once the notification receiver has registered with the Dispatcher, messages are received using the processPdu abstract service interface. Parameters are: - The messageProcessingModel indicates which Message Processing Model received and processed the message. - The securityModel is the value from the received message. - The securityName is the value from the received message. - The securityLevel is the value from the received message. - The contextEngineID is the value from the received message. - The contextName is the value from the received message.
ToP   noToC   RFC2573 - Page 18
     -  The pduVersion indicates the version of the PDU in the received
        message.

     -  The PDU is the value from the received message.

     -  The maxSizeResponseScopedPDU is the maximum allowable size of a
        ScopedPDU containing a Response PDU (based on the maximum
        message size that the originator of the message can accept).

     -  If the message contains an Unconfirmed-Class PDU, the
        stateReference is undefined and unused.  Otherwise, the
        stateReference is a value which references cached information
        about the notification.  This value must be returned to the
        Dispatcher in order to generate a response.

   When an Unconfirmed-Class PDU is delivered to a notification receiver
   application, it first extracts the SNMP operation type, request-id,
   error-status, error-index, and variable-bindings from the PDU.  After
   this, processing depends on the particular implementation.

   When a Confirmed-Class PDU is received, the notification receiver
   application follows the following procedure:

   (1)  The PDU type, request-id, error-status, error-index, and
        variable-bindings are extracted from the PDU.

   (2)  A Response-Class PDU is constructed using the extracted
        request-id and variable-bindings, and with error-status and
        error-index both set to 0.

   (3)  The Dispatcher is called to generate a response message using
        the returnResponsePdu abstract service interface.  Parameters
        are:

     -  The messageProcessingModel is the value from the processPdu
        call.

     -  The securityModel is the value from the processPdu call.

     -  The securityName is the value from the processPdu call.

     -  The securityLevel is the value from the processPdu call.

     -  The contextEngineID is the value from the processPdu call.

     -  The contextName is the value from the processPdu call.

     -  The pduVersion indicates the version of the PDU to be returned.
ToP   noToC   RFC2573 - Page 19
     -  The PDU is the result generated in step (2) above.

     -  The maxSizeResponseScopedPDU is a local value indicating the
        maximum size of a ScopedPDU that the application can accept.

     -  The stateReference is the value from the processPdu call.

     -  The statusInformation indicates that no error occurred and that
        a response should be generated.

3.5. Proxy Forwarder Applications

A proxy forwarder application deals with forwarding SNMP messages. There are four basic types of messages which a proxy forwarder application may need to forward. These are grouped according to the class of PDU type contained in a message. The four basic types of messages are: - Those containing Read-Class or Write-Class PDU types (for example, Get, GetNext, GetBulk, and Set PDU types). These deal with requesting or modifying information located within a particular context. - Those containing Notification-Class PDU types (for example, SNMPv2-Trap and Inform PDU types). These deal with notifications concerning information located within a particular context. - Those containing a Response-Class PDU type. Forwarding of Response PDUs always occurs as a result of receiving a response to a previously forwarded message. - Those containing Internal-Class PDU types (for example, a Report PDU). Forwarding of Internal-Class PDU types always occurs as a result of receiving an Internal-Class PDU in response to a previously forwarded message. For the first type, the proxy forwarder's role is to deliver a request for management information to an SNMP engine which is "closer" or "downstream in the path" to the SNMP engine which has access to that information, and to deliver the response containing the information back to the SNMP engine from which the request was received. The context information in a request is used to determine which SNMP engine has access to the requested information, and this is used to determine where and how to forward the request.
ToP   noToC   RFC2573 - Page 20
   For the second type, the proxy forwarder's role is to determine which
   SNMP engines should receive notifications about management
   information from a particular location.  The context information in a
   notification message determines the location to which the information
   contained in the notification applies.  This is used to determine
   which SNMP engines should receive notification about this
   information.

   For the third type, the proxy forwarder's role is to determine which
   previously forwarded request or notification (if any) the response
   matches, and to forward the response back to the initiator of the
   request or notification.

   For the fourth type, the proxy forwarder's role is to determine which
   previously forwarded request or notification (if any) the Internal-
   Class PDU matches, and to forward the Internal-Class PDU back to the
   initiator of the request or notification.

   When forwarding messages, a proxy forwarder application must perform
   a translation of incoming management target information into outgoing
   management target information.  How this translation is performed is
   implementation specific.  In many cases, this will be driven by a
   preconfigured translation table.  If a proxy forwarder application
   makes the contents of this table SNMP manageable, it MUST use the
   SNMP-PROXY-MIB module defined in this document.

3.5.1. Request Forwarding

There are two phases for request forwarding. First, the incoming request needs to be passed through the proxy application. Then, the resulting response needs to be passed back. These phases are described in the following two sections.
3.5.1.1. Processing an Incoming Request
A proxy forwarder application that wishes to forward request messages must first register with the Dispatcher using the registerContextEngineID abstract service interface. The proxy forwarder must register each contextEngineID for which it wishes to forward messages, as well as for each pduType. Note that as the configuration of a proxy forwarder is changed, the particular contextEngineID values for which it is forwarding may change. The proxy forwarder should call the registerContextEngineID and unregisterContextEngineID abstract service interfaces as needed to reflect its current configuration.
ToP   noToC   RFC2573 - Page 21
   A proxy forwarder application should never attempt to register a
   value of contextEngineID which is equal to the snmpEngineID of the
   SNMP engine to which the proxy forwarder is associated.

   Once the proxy forwarder has registered for the appropriate
   contextEngineID values, it can start processing messages.  The
   following procedure is used:

   (1)  A message is received using the processPdu abstract service
        interface.  The incoming management target information received
        from the processPdu interface is translated into outgoing
        management target information.  Note that this translation may
        vary for different values of contextEngineID and/or contextName.
        The translation should result in a single management target.

   (2)  If appropriate outgoing management target information cannot be
        found, the proxy forwarder increments the snmpProxyDrops counter
        [RFC1907], and then calls the Dispatcher using the
        returnResponsePdu abstract service interface.  Parameters are:

     -  The messageProcessingModel is the value from the processPdu
        call.

     -  The securityModel is the value from the processPdu call.

     -  The securityName is the value from the processPdu call.

     -  The securityLevel is the value from the processPdu call.

     -  The contextEngineID is the value from the processPdu call.

     -  The contextName is the value from the processPdu call.

     -  The pduVersion is the value from the processPdu call.

     -  The PDU is an undefined value.

     -  The maxSizeResponseScopedPDU is a local value indicating the
        maximum size of a ScopedPDU that the application can accept.

     -  The stateReference is the value from the processPdu call.

     -  The statusInformation indicates that an error occurred and
        includes the OID and value of the snmpProxyDrops object.

        Processing of the message stops at this point.  Otherwise,
ToP   noToC   RFC2573 - Page 22
   (3)  A new PDU is constructed.  A unique value of request-id should
        be used in the new PDU (this value will enable a subsequent
        response message to be correlated with this request).  The
        remainder of the new PDU is identical to the received PDU,
        unless the incoming SNMP version and the outgoing SNMP version
        support different PDU versions, in which case the proxy
        forwarder may need to perform a translation on the PDU (A method
        for performing such a translation is described in [COEX].)

   (4)  The proxy forwarder calls the Dispatcher to generate the
        forwarded message, using the sendPdu abstract service interface.
        The parameters are:

     -  The transportDomain is that of the outgoing management target.

     -  The transportAddress is that of the outgoing management target.

     -  The messageProcessingModel is that of the outgoing management
        target.

     -  The securityModel is that of the outgoing management target.

     -  The securityName is that of the outgoing management target.

     -  The securityLevel is that of the outgoing management target.

     -  The contextEngineID is the value originally received.

     -  The contextName is the value originally received.

     -  The pduVersion is the version of the PDU to be sent.

     -  The PDU is the value constructed in step (3) above.

     -  The expectResponse argument indicates that a response is
        expected.  If the sendPdu call is unsuccessful, the proxy
        forwarder performs the steps described in (2) above.  Otherwise:

   (5)  The proxy forwarder caches the following information in order to
        match an incoming response to the forwarded request:

     -  The sendPduHandle returned from the call to sendPdu,

     -  The request-id from the received PDU.

     -  the contextEngineID,

     -  the contextName,
ToP   noToC   RFC2573 - Page 23
     -  the stateReference,

     -  the incoming management target information,

     -  the outgoing management information,

     -  any other information needed to match an incoming response to
        the forwarded request.

        If this information cannot be cached (possibly due to a lack of
        resources), the proxy forwarder performs the steps described in
        (2) above.  Otherwise:

   (6)  Processing of the request stops until a response to the
        forwarded request is received, or until an appropriate time
        interval has expired.  If this time interval expires before a
        response has been received, the cached information about this
        request is removed.

3.5.1.2. Processing an Incoming Response
A proxy forwarder follows the following procedure when an incoming response is received: (1) The incoming response is received using the processResponsePdu interface. The proxy forwarder uses the received parameters to locate an entry in its cache of pending forwarded requests. This is done by matching the received parameters with the cached values of sendPduHandle, contextEngineID, contextName, outgoing management target information, and the request-id contained in the received PDU (the proxy forwarder must extract the request- id for this purpose). If an appropriate cache entry cannot be found, processing of the response is halted. Otherwise: (2) The cache information is extracted, and removed from the cache. (3) A new Response-Class PDU is constructed, using the request-id value from the original forwarded request (as extracted from the cache). All other values are identical to those in the received Response-Class PDU, unless the incoming SNMP version and the outgoing SNMP version support different PDU versions, in which case the proxy forwarder may need to perform a translation on the PDU. (A method for performing such a translation is described in [COEX].) (4) The proxy forwarder calls the Dispatcher using the returnResponsePdu abstract service interface. Parameters are:
ToP   noToC   RFC2573 - Page 24
     -  The messageProcessingModel indicates the Message Processing
        Model by which the original incoming message was processed.

     -  The securityModel is that of the original incoming management
        target extracted from the cache.

     -  The securityName is that of the original incoming management
        target extracted from the cache.

     -  The securityLevel is that of the original incoming management
        target extracted from the cache.

     -  The contextEngineID is the value extracted from the cache.

     -  The contextName is the value extracted from the cache.

     -  The pduVersion indicates the version of the PDU to be returned.

     -  The PDU is the (possibly translated) Response PDU.

     -  The maxSizeResponseScopedPDU is a local value indicating the
        maximum size of a ScopedPDU that the application can accept.

     -  The stateReference is the value extracted from the cache.

     -  The statusInformation indicates that no error occurred and that
        a Response PDU message should be generated.

3.5.1.3. Processing an Incoming Internal-Class PDU
A proxy forwarder follows the following procedure when an incoming Internal-Class PDU is received: (1) The incoming Internal-Class PDU is received using the processResponsePdu interface. The proxy forwarder uses the received parameters to locate an entry in its cache of pending forwarded requests. This is done by matching the received parameters with the cached values of sendPduHandle. If an appropriate cache entry cannot be found, processing of the Internal-Class PDU is halted. Otherwise: (2) The cache information is extracted, and removed from the cache. (3) If the original incoming management target information indicates an SNMP version which does not support Report PDUs, processing of the Internal-Class PDU is halted.
ToP   noToC   RFC2573 - Page 25
   (4)  The proxy forwarder calls the Dispatcher using the
        returnResponsePdu abstract service interface.  Parameters are:

     -  The messageProcessingModel indicates the Message Processing
        Model by which the original incoming message was processed.

     -  The securityModel is that of the original incoming management
        target extracted from the cache.

     -  The securityName is that of the original incoming management
        target extracted from the cache.

     -  The securityLevel is that of the original incoming management
        target extracted from the cache.

     -  The contextEngineID is the value extracted from the cache.

     -  The contextName is the value extracted from the cache.

     -  The pduVersion indicates the version of the PDU to be returned.

     -  The PDU is unused.

     -  The maxSizeResponseScopedPDU is a local value indicating the
        maximum size of a ScopedPDU that the application can accept.

     -  The stateReference is the value extracted from the cache.

     -  The statusInformation contains values specific to the Internal-
        Class PDU type (for example, for a Report PDU, the
        statusInformation contains the contextEngineID, contextName,
        counter OID, and counter value received in the incoming Report
        PDU).

3.5.2. Notification Forwarding

A proxy forwarder receives notifications in the same manner as a notification receiver application, using the processPdu abstract service interface. The following procedure is used when a notification is received: (1) The incoming management target information received from the processPdu interface is translated into outgoing management target information. Note that this translation may vary for different values of contextEngineID and/or contextName. The translation may result in multiple management targets.
ToP   noToC   RFC2573 - Page 26
   (2)  If appropriate outgoing management target information cannot be
        found and the notification was an Unconfirmed-Class PDU,
        processing of the notification is halted.  If appropriate
        outgoing management target information cannot be found and the
        notification was a Confirmed-Class PDU, the proxy forwarder
        increments the snmpProxyDrops object, and calls the Dispatcher
        using the returnResponsePdu abstract service interface.  The
        parameters are:

     -  The messageProcessingModel is the received value.

     -  The securityModel is the received value.

     -  The securityName is the received value.

     -  The securityLevel is the received value.

     -  The contextEngineID is the received value.

     -  The contextName is the received value.

     -  The pduVersion is the received value.

     -  The PDU is an undefined and unused value.

     -  The maxSizeResponseScopedPDU is a local value indicating the
        maximum size of a ScopedPDU that the application can accept.

     -  The stateReference is the received value.

     -  The statusInformation indicates that an error occurred and that
        a Report message should be generated.

   Processing of the message stops at this point.  Otherwise,

   (3)  The proxy forwarder generates a notification using the
        procedures described in the preceding section on Notification
        Originators, with the following exceptions:

     -  The contextEngineID and contextName values from the original
        received notification are used.

     -  The outgoing management targets previously determined are used.

     -  No filtering mechanisms are applied.
ToP   noToC   RFC2573 - Page 27
     -  The variable-bindings from the original received notification
        are used, rather than retrieving variable-bindings from local
        MIB instrumentation.  In particular, no access-control is
        applied to these variable-bindings.

     -  If the original notification contains a Confirmed-Class PDU,
        then any outgoing management targets, for which the outgoing
        SNMP version does not support and PDU types which are both
        Notification-Class and Confirmed-Class PDUs, will not be used
        when generating the forwarded notifications.

     -  If, for any of the outgoing management targets, the incoming
        SNMP version and the outgoing SNMP version support different PDU
        versions, the proxy forwarder may need to perform a translation
        on the PDU.  (A method for performing such a translation is
        described in [COEX].)

   (4)  If the original received notification contains an Unconfirmed-
        Class PDU, processing of the notification is now completed.
        Otherwise, the original received notification must contain a
        Confirmed-Class PDU, and processing continues.

   (5)  If the forwarded notifications included any Confirmed-Class
        PDUs, processing continues when the procedures described in the
        section for Notification Originators determine that either:

     -  None of the generated notifications containing Confirmed-Class
        PDUs have been successfully acknowledged within the longest of
        the time intervals, in which case processing of the original
        notification is halted, or,

     -  At least one of the generated notifications containing
        Confirmed-Class PDUs is successfully acknowledged, in which case
        a response to the original received notification containing an
        Confirmed-Class PDU is generated as described in the following
        steps.

   (6)  A Response-Class PDU is constructed, using the values of
        request-id and variable-bindings from the original received
        Notification-Class PDU, and error-status and error-index values
        of 0.

   (7)  The Dispatcher is called using the returnResponsePdu abstract
        service interface.  Parameters are:

     -  The messageProcessingModel is the originally received value.

     -  The securityModel is the originally received value.
ToP   noToC   RFC2573 - Page 28
     -  The securityName is the originally received value.

     -  The securityLevel is the originally received value.

     -  The contextEngineID is the originally received value.

     -  The contextName is the originally received value.

     -  The pduVersion indicates the version of the PDU constructed in
        step (6) above.

     -  The PDU is the value constructed in step (6) above.

     -  The maxSizeResponseScopedPDU is a local value indicating the
        maximum size of a ScopedPDU that the application can accept.

     -  The stateReference is the originally received value.

     -  The statusInformation indicates that no error occurred and that
        a Response-Class PDU message should be generated.



(page 28 continued on part 2)

Next Section