4.4.1. Foreign Proxy Configuration
RFC 1445
This section presents an example configuration by which a
SNMPv2 management station may manage network elements that do
not themselves support the SNMPv2. This configuration centers
on a SNMPv2 proxy agent that realizes SNMPv2 management
operations by interacting with a non-SNMPv2 device using a
proprietary protocol.

Table 9 presents information about SNMPv2 parties that is
recorded in the SNMPv2 proxy agent's local database of party
information. Table 10 presents information about proxy
relationships that is recorded in the SNMPv2 proxy agent's
local database of context information. Table 11 presents
information about SNMPv2 parties that is recorded in the
SNMPv2 management station's local database of party
information. Table 12 presents information about the database
of access policy information specified by the local
administration.

Identity          groucho               chico                 harpo
                  (manager)             (proxy agent)         (proxy dst)
Domain            snmpUDPDomain         snmpUDPDomain         acmeMgmtPrtcl
Address           1.2.3.4, 2002         1.2.3.5, 161          0x98765432
Auth Prot         v2md5AuthProtocol     v2md5AuthProtocol     noAuth
Auth Priv Key     "0123456789ABCDEF"    "GHIJKL0123456789"    ""
Auth Pub Key      ""                    ""                    ""
Auth Clock        0                     0                     0
Auth Lifetime     300                   300                   0
Priv Prot         noPriv                noPriv                noPriv
Priv Priv Key     ""                    ""                    ""
Priv Pub Key      ""                    ""                    ""

Table 9: Party Information for Proxy Agent

Context     Proxy Destination    Proxy Source    Proxy Context
ducksoup    harpo                n/a             n/a

Table 10: Proxy Relationships for Proxy Agent

Identity          groucho               chico
                  (manager)             (proxy agent)
Domain            snmpUDPDomain         snmpUDPDomain
Address           1.2.3.4, 2002         1.2.3.5, 161
Auth Prot         v2md5AuthProtocol     v2md5AuthProtocol
Auth Priv Key     "0123456789ABCDEF"    "GHIJKL0123456789"
Auth Pub Key      ""                    ""
Auth Clock        0                     0
Auth Lifetime     300                   300
Priv Prot         noPriv                noPriv
Priv Priv Key     ""                    ""
Priv Pub Key      ""                    ""

Table 11: Party Information for Management Station

Target     Subject    Context     Privileges
chico      groucho    ducksoup    35 (Get, GetNext & GetBulk)
groucho    chico      ducksoup    132 (Response & SNMPv2-Trap)

Table 12: Access Information for Foreign Proxy

As represented in Table 9, the proxy agent party operates at
UDP port 161 at IP address 1.2.3.5 using the party identity
chico; and, the example manager operates at UDP port 2002 at
IP address 1.2.3.4 using the identity groucho. Both groucho
and chico authenticate all messages that they generate by
using the protocol v2md5AuthProtocol and their distinct,
private authentication keys. Although these private
authentication key values ("0123456789ABCDEF" and
"GHIJKL0123456789") are presented here for expository
purposes, knowledge of private keys is not normally afforded
to human beings and is confined to those portions of the
protocol implementation that require it.

The party harpo does not send or receive SNMPv2 protocol
messages; rather, all communication with that party proceeds
via a hypothetical proprietary protocol identified by the
value acmeMgmtPrtcl. Because the party harpo does not
participate in the SNMPv2, many of the attributes recorded for
that party in the local database of party information are
ignored.

Table 10 shows the proxy relationships known to the proxy
agent. In particular, the SNMPv2 context ducksoup refers to a
relationship that is satisfied by the party harpo. (The
transport domain of the proxy destination party determines the
interpretation of the proxy source and proxy context
identities - in this case, use of the acmeMgmtPrtcl indicates
that the proxy source and context identities are ignored.)

In order to interrogate the proprietary device associated with
the party harpo, the management station groucho constructs a
SNMPv2 GetNext request contained within a SnmpMgmtCom value
which references the SNMPv2 context ducksoup, and transmits it
to the party chico operating (see Table 11) at UDP port 161,
and IP address 1.2.3.5. This request is authenticated using
the private authentication key "0123456789ABCDEF".

When that request is received by the party chico, the
originator of the message is verified as being the party
groucho by using local knowledge (see Table 9) of the private
authentication key "0123456789ABCDEF". Because party groucho
is authorized to issue GetNext (as well as Get and GetBulk)
requests with respect to party chico and the SNMPv2 context
ducksoup by the relevant access control policy (Table 12), the
request is accepted. Because the local database of context
information indicates that the SNMPv2 context ducksoup refers
to a proxy relationship, the request is satisfied by its
translation into appropriate operations of the acmeMgmtPrtcl
directed at party harpo. These new operations are transmitted
to the party harpo at the address 0x98765432 in the
acmeMgmtPrtcl domain.

When and if the proprietary protocol exchange between the
proxy agent and the proprietary device concludes, a SNMPv2
Response management operation is constructed by the SNMPv2
party chico to relay the results to party groucho again
referring to the SNMPv2 context ducksoup. This response
communication is authenticated as to origin and integrity
using the authentication protocol v2md5AuthProtocol and
private authentication key "GHIJKL0123456789" specified for
transmissions from party chico. It is then transmitted to the
SNMPv2 party groucho operating at the management station at IP
address 1.2.3.4 and UDP port 2002 (the source address for the
corresponding request).

When this response is received by the party groucho, the
originator of the message is verified as being the party chico
by using local knowledge (see Table 11) of the private
authentication key "GHIJKL0123456789". Because party chico is
authorized to issue Response communications with respect to
party groucho and SNMPv2 context ducksoup by the relevant
access control policy (Table 12), the response is accepted,
and the interrogation of the proprietary device is complete.
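
The acceptance checks walked through above (verify the origin with the sender's key, consult Table 12, then resolve the context through Table 10), as an added Python sketch that is not part of RFC 1445. The "|"-joined message encoding and the names send, receive and digest are assumptions made for illustration, the keyed MD5 here only stands in for the v2md5AuthProtocol digest of the real encoded message, and the clock and lifetime checks are not modelled.

```python
import hashlib
import hmac

# Privilege bits; Table 12's 35 and 132 are sums of these.
PRIV = {"Get": 1, "GetNext": 2, "Response": 4, "Set": 8,
        "GetBulk": 32, "Inform": 64, "SNMPv2-Trap": 128}

# Table 9, reduced to the fields this sketch uses: (domain, auth prot, key).
PARTIES = {
    "groucho": ("snmpUDPDomain", "v2md5AuthProtocol", b"0123456789ABCDEF"),
    "chico": ("snmpUDPDomain", "v2md5AuthProtocol", b"GHIJKL0123456789"),
    "harpo": ("acmeMgmtPrtcl", "noAuth", b""),
}
CONTEXTS = {"ducksoup": "harpo"}  # Table 10: context -> proxy destination
ACL = {("chico", "groucho", "ducksoup"): 35,    # Table 12, keyed by
       ("groucho", "chico", "ducksoup"): 132}   # (target, subject, context)
FIELDS = ("src", "dst", "context", "op", "body")

def digest(key, msg):
    # Assumption: keyed MD5 over a toy "|"-joined encoding, standing in for
    # the v2md5AuthProtocol digest computed over the real encoded message.
    return hashlib.md5(key + "|".join(msg[f] for f in FIELDS).encode()).digest()

def send(src, dst, context, op, body=""):
    """Build a message authenticated with the sending party's private key."""
    msg = dict(zip(FIELDS, (src, dst, context, op, body)))
    msg["digest"] = digest(PARTIES[src][2], msg)
    return msg

def receive(msg):
    """Apply the checks in the order the text gives; return (ok, detail)."""
    party = PARTIES.get(msg["src"])
    if party is None:
        return False, "unknown party"
    _, auth, key = party
    # Constant-time comparison of the recomputed and received digests.
    if auth != "noAuth" and not hmac.compare_digest(digest(key, msg), msg["digest"]):
        return False, "authentication failure"
    granted = ACL.get((msg["dst"], msg["src"], msg["context"]), 0)
    if not granted & PRIV.get(msg["op"], 0):
        return False, "access denied"
    dst = CONTEXTS.get(msg["context"])
    if msg["op"] != "Response" and dst is not None:
        return True, "proxy to %s via %s" % (dst, PARTIES[dst][0])
    return True, "accepted"
```

A Set request from groucho is correctly authenticated but still refused, because 35 does not include the Set bit; a message altered after signing fails the digest check before the access policy is consulted.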
It is especially useful to observe that the local database of
party information recorded at the proxy agent (Table 9) need
be neither static nor configured exclusively by the management
station. For instance, suppose that, in this example, the
acmeMgmtPrtcl was a proprietary, MAC-layer mechanism for
managing stations attached to a local area network. In such
an environment, the SNMPv2 party chico would reside at a
SNMPv2 proxy agent attached to such a LAN and could, by
participating in the LAN protocols, detect the attachment and
disconnection of various stations on the LAN. In this
scenario, the SNMPv2 proxy agent could easily adjust its local
database of party information to support indirect management
of the LAN stations by the SNMPv2 management station. For
each new LAN station detected, the SNMPv2 proxy agent would
add to its local database of party information an entry
analogous to that for party harpo (representing the new LAN
station itself), and also add to its local database of context
information an entry analogous to that for SNMPv2 context
ducksoup (representing a proxy relationship for that new
station in the SNMPv2 domain).

By using the SNMPv2 to interrogate the local database of party
information held by the SNMPv2 proxy agent, a SNMPv2
management station can discover and interact with new stations
as they are attached to the LAN.