4.4.2. Native Proxy Configuration
RFC 1445
This section presents an example configuration that supports
SNMPv2 native proxy operations: indirect interaction between
a SNMPv2 agent and a management station that is mediated by a
second SNMPv2 (proxy) agent.
This example configuration is similar to that presented in the
discussion of SNMPv2 foreign proxy above. In this example,
however, the party associated with the identity harpo receives
messages via SNMPv2 and, accordingly, interacts with the
SNMPv2 proxy agent chico using authenticated SNMPv2
communications.
Table 13 presents information about SNMPv2 parties that is
recorded in the SNMPv2 proxy agent's local database of party
information. Table 14 presents information about proxy
relationships that is recorded in the SNMPv2 proxy agent's
local database of context information. Table 11 presents
information about SNMPv2 parties that is recorded in the
SNMPv2 management station's local database of party
information. Table 15 presents information about the database
of access policy information specified by the local
administration.

    Identity          groucho               chico
                      (manager)             (proxy agent)
    Domain            snmpUDPDomain         snmpUDPDomain
    Address           1.2.3.4, 2002         1.2.3.5, 161
    Auth Prot         v2md5AuthProtocol     v2md5AuthProtocol
    Auth Priv Key     "0123456789ABCDEF"    "GHIJKL0123456789"
    Auth Pub Key      ""                    ""
    Auth Clock        0                     0
    Auth Lifetime     300                   300
    Priv Prot         noPriv                noPriv
    Priv Priv Key     ""                    ""
    Priv Pub Key      ""                    ""

    Identity          harpo                 zeppo
                      (proxy dst)           (proxy src)
    Domain            snmpUDPDomain         snmpUDPDomain
    Address           1.2.3.6, 161          1.2.3.5, 161
    Auth Prot         v2md5AuthProtocol     v2md5AuthProtocol
    Auth Priv Key     "MNOPQR0123456789"    "STUVWX0123456789"
    Auth Pub Key      ""                    ""
    Auth Clock        0                     0
    Auth Lifetime     300                   300
    Priv Prot         noPriv                noPriv
    Priv Priv Key     ""                    ""
    Priv Pub Key      ""                    ""

    Table 13: Party Information for Proxy Agent

    Context      Proxy Destination    Proxy Source    Proxy Context
    ducksoup     harpo                zeppo           bigstore
    bigstore     groucho              chico           ducksoup

    Table 14: Proxy Relationships for Proxy Agent

    Target     Subject    Context     Privileges
    chico      groucho    ducksoup     35 (Get, GetNext & GetBulk)
    groucho    chico      ducksoup    132 (Response & SNMPv2-Trap)
    harpo      zeppo      bigstore     35 (Get, GetNext & GetBulk)
    zeppo      harpo      bigstore    132 (Response & SNMPv2-Trap)

    Table 15: Access Information for Native Proxy

As represented in Table 13, the proxy agent party operates at
UDP port 161 at IP address 1.2.3.5 using the party identity
chico; the example manager operates at UDP port 2002 at IP
address 1.2.3.4 using the identity groucho; the proxy source
party operates at UDP port 161 at IP address 1.2.3.5 using the
party identity zeppo; and, the proxy destination party
operates at UDP port 161 at IP address 1.2.3.6 using the party
identity harpo. Messages generated by all four SNMPv2 parties
are authenticated as to origin and integrity by using the
authentication protocol v2md5AuthProtocol and distinct,
private authentication keys. Although these private
authentication key values ("0123456789ABCDEF",
"GHIJKL0123456789", "MNOPQR0123456789", and
"STUVWX0123456789") are presented here for expository
purposes, knowledge of private keys is not normally afforded
to human beings and is confined to those portions of the
protocol implementation that require it.
Table 14 shows the proxy relationships known to the proxy
agent. In particular, the SNMPv2 context ducksoup refers to a
relationship that is satisfied when the SNMPv2 party zeppo
communicates with the SNMPv2 party harpo and references the
SNMPv2 context bigstore.
In order to interrogate the proxied device associated with the
party harpo, the management station groucho constructs a
SNMPv2 GetNext request contained within a SnmpMgmtCom value
which references the SNMPv2 context ducksoup, and transmits it
to the party chico operating (see Table 11) at UDP port 161
and IP address 1.2.3.5. This request is authenticated using
the private authentication key "0123456789ABCDEF".
When that request is received by the party chico, the
originator of the message is verified as being the party
groucho by using local knowledge (see Table 13) of the private
authentication key "0123456789ABCDEF". Because party groucho
is authorized to issue GetNext (as well as Get and GetBulk)
requests with respect to party chico and the SNMPv2 context
ducksoup by the relevant access control policy (Table 15), the
request is accepted. Because the local database of context
information indicates that the SNMPv2 context ducksoup refers
to a proxy relationship, the request is satisfied by its
translation into a corresponding SNMPv2 GetNext request
directed from party zeppo to party harpo referencing SNMPv2
context bigstore. This new communication is authenticated
using the private authentication key "STUVWX0123456789" and
transmitted to party harpo at the IP address 1.2.3.6.
When this new request is received by the party harpo, the
originator of the message is verified as being the party zeppo
by using local knowledge of the private authentication key
"STUVWX0123456789". Because party zeppo is authorized to
issue GetNext (as well as Get and GetBulk) requests with
respect to party harpo and the SNMPv2 context bigstore by the
relevant access control policy (Table 15), the request is
accepted. A SNMPv2 Response message representing the results
of the query is then generated by party harpo to party zeppo
referencing SNMPv2 context bigstore. This response
communication is authenticated as to origin and integrity
using the private authentication key "MNOPQR0123456789" and
transmitted to party zeppo at IP address 1.2.3.5 (the source
address for the corresponding request).
When this response is received by party zeppo, the originator
of the message is verified as being the party harpo by using
local knowledge (see Table 13) of the private authentication
key "MNOPQR0123456789". Because party harpo is authorized to
issue Response communications with respect to party zeppo and
SNMPv2 context bigstore by the relevant access control policy
(Table 15), the response is accepted, and is used to construct
a response to the original GetNext request, indicating a
SNMPv2 context of ducksoup. This response, from party chico
to party groucho, is authenticated as to origin and integrity
using the private authentication key "GHIJKL0123456789" and is
transmitted to the party groucho at IP address 1.2.3.4 (the
source address for the original request).
When this response is received by the party groucho, the
originator of the message is verified as being the party chico
by using local knowledge (see Table 13) of the private
authentication key "GHIJKL0123456789". Because party chico is
authorized to issue Response communications with respect to
party groucho and SNMPv2 context ducksoup by the relevant
access control policy (Table 15), the response is accepted,
and the interrogation is complete.
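
The exchange walked through above can be traced with Tables 13, 14 and 15 loaded as lookup tables. The following Python sketch is an added illustration, not part of the RFC text: the function names are hypothetical, the per-operation bit values are the RFC's privilege encoding (consistent with the totals 35 and 132 in Table 15), and message digests are not computed; each hop only records which party's key authenticates it.

```python
# Added illustration (not RFC text): Tables 13-15 as lookups, then the four hops.
GET, GETNEXT, RESPONSE, SET, GETBULK, INFORM, TRAP = 1, 2, 4, 8, 32, 64, 128

# Table 13: expository private authentication key of each party.
KEYS = {"groucho": "0123456789ABCDEF", "chico": "GHIJKL0123456789",
        "harpo": "MNOPQR0123456789", "zeppo": "STUVWX0123456789"}

# Table 14: context -> (proxy destination, proxy source, proxy context).
PROXY = {"ducksoup": ("harpo", "zeppo", "bigstore"),
         "bigstore": ("groucho", "chico", "ducksoup")}

# Table 15: (target, subject, context) -> privilege bitmask.
ACL = {
    ("chico", "groucho", "ducksoup"): GET | GETNEXT | GETBULK,  # 35
    ("groucho", "chico", "ducksoup"): RESPONSE | TRAP,          # 132
    ("harpo", "zeppo", "bigstore"): GET | GETNEXT | GETBULK,    # 35
    ("zeppo", "harpo", "bigstore"): RESPONSE | TRAP,            # 132
}

def authorized(subject, target, context, op):
    """True if Table 15 lets `subject` send `op` to `target` in `context`."""
    return bool(ACL.get((target, subject, context), 0) & op)

def hop(trace, src, dst, context, op):
    """Record one message, or refuse it when the access policy denies it."""
    if not authorized(src, dst, context, op):
        raise PermissionError(f"{src} -> {dst} op {op} in {context!r} denied")
    # The sender's private key authenticates the message to the receiver.
    trace.append((src, dst, context, op, KEYS[src]))

def proxied_request(manager, agent, context, op=GETNEXT):
    """Return the four authenticated messages of one native-proxy exchange."""
    trace = []
    hop(trace, manager, agent, context, op)        # groucho -> chico
    if context not in PROXY:
        raise LookupError(f"{context!r} is not a proxy context")
    dst, src, inner = PROXY[context]
    hop(trace, src, dst, inner, op)                # zeppo -> harpo
    hop(trace, dst, src, inner, RESPONSE)          # harpo -> zeppo
    hop(trace, agent, manager, context, RESPONSE)  # chico -> groucho
    return trace

if __name__ == "__main__":
    for message in proxied_request("groucho", "chico", "ducksoup"):
        print(message)
```

A Set request, or a request from groucho that names the context bigstore directly, is refused at the first hop because Table 15 has no matching grant.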