Internet Draft
Access Control Model for version 3 of the
Simple Network Management Protocol (SNMPv3)
18 June 1997
Bert Wijnen
IBM T. J. Watson Research
wijnen@vnet.ibm.com
Randy Presuhn
BMC Software, Inc.
rpresuhn@bmc.com
Keith McCloghrie
Cisco Systems, Inc.
kzm@cisco.com
<draft-ietf-snmpv3-acm-00.txt>
Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference
material or to cite them other than as ``work in progress.''
To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet- Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
Abstract
This document describes the Access Control Model (ACM) for SNMP
version 3 for use in the SNMP architecture [SNMP-ARCH]. This
document defines the Elements of Procedure for applying access
control to management information. This document also includes
a MIB for remotely monitoring/managing the configuration parameters
for this ACM.
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 1]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
0.1 Issues
- Where do we do the miId to groupName mapping
- Should we use UTF-8 for human readable names like
contextName, viewName, groupName etc.
We now use a SnmpAdminString TC which still needs to be defined.
- acknowledgements needs expansion
- Do we want to mandate a standard out-of-the-box configuration.
- How do we return a proper indication of the error-counter
to be used in a possible reportPDU.
- Do we keep the statistics (error counters) here or in MPC
0.2 Change Log
[version 3.1] - This is the June 18 version.
- remove old (resolved) issues
- list new issues
- corrections/additions by myself (bert)
- corrections based on dbh comments
- removed change log of before 1st interim meeting.
[version 3.0] - this is the first ACM doc (June 12 version).
- Modifications as agreed at 1st Interim Meeting
- Make Access Control Module a separate document
- Use viewName as index instead of an integer
- add notify_view
- use SnmpAdminString
- Other Modification
- use miId and secModel
- add groupTable
- add/rename Stats counters
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 2]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
1. Introduction
The Architecture for describing Internet Management Frameworks
is composed of multiple subsystems:
1) a message processing and control subsystem,
2) a security subsystem,
3) an access control subsystem, and
4) orangelets.
It is important to understand the SNMP architecture and the
terminology of the architecture to understand where the model
described in this document fits into the architecture and interacts
with other subsystems within the architecture. The reader is
expected to have read and understood the description of the SNMP
architecture, as defined in [SNMP-ARCH].
The Access Control subsystem of an SNMP engine provides services
to orangelets so that these orangelets can check if access to an
object is allowed or not.
An Access Control model has the responsibility for checking if
a specific type of access (read, write, notify) to a particular
object (instance) is allowed.
It is the purpose of this document to define a specific model of
the Access Control subsystem, designated the SNMP version 3 Access
Control model.
1.2 Access Control
Access Control occurs (either implicit or explicit) in an SNMP
engine acting in an agent role when processing SNMP request
messages from an SNMP engine acting in a manager role. These
request messages include these types of operations: GetRequest,
GetNextRequest, GetBulkRequest, and SetRequest operations.
Access Control also occurs in an SNMP engine when an SNMP
notification message is generated. These notification messages
include these types of operations: InformRequest and SNMPv2-trap
operations.
Access Control via the Access Control module only occurs if the
orangelet that processes or generates the operation explicitly
calls upon the access control service for checking of access
rights. So it is the responsibility of an orangelet to make
the proper calls for access checking.
1.3 Local Configuration Datastore
To implement the model described in this document, each SNMP
engine needs to retain its own set of information about access
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 3]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
rights and policies, and the like. This set of information is
called the SNMP engine's Local Configuration Datastore (LCD)
because it is locally-stored information.
In order to allow an SNMP engine's LCD to be remotely configured,
portions of the LCD need to be accessible as managed objects.
A MIB module, the SNMPv3 Access Control Model Configuration MIB,
which defines these managed object types is included in this
document.
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 4]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
2. Elements of the Model
This section contains definitions to realize the access control
applied by this Access Control Model.
2.1 Groups
A groupName identifies a group (set) of zero or more
securityIdentities on whose behalf SNMP management objects can be
accessed. The Access Control module assumes the securityIdentity
has already been authenticated as needed and provides no
authentication by itself.
This SNMPv3 Access Control model requires the securityModel and the
securityIdentity to be passed as input to the Access Control module
when a request is made to check for access rights.
2.2 Level of Security (LoS)
Different access rights can be defined for different Levels of
Security. The LoS identifies the Level of Security that will be
assumed when checking for access rights.
This Access Control Model requires the LoS to be passed as input
to the Access Control module when a request is made to check access
rights.
2.3 Contexts
An SNMP context is a collection of management information
accessible by an SNMP agent. An item of management information
may exist in more than one context. An SNMP agent potentially
has access to many contexts.
2.4 Access Policy
This Access Control model determines the access rights of groups
(representing zero, one or more securityIdentities
which have the same access rights). For a particular context
(contextName) to which a group (groupName) has access using
a particular Level of Security (LoS), that group's access rights
are given by a read-view, a write-view and a notify-view.
The read-view is the set of object instances authorized
for the group when reading objects. Reading objects occurs
when processing a retrieval (Get, GetNext, GetBulk) operation.
The write-view is the set of object instances authorized for
the group when writing objects. Writing objects occurs when
processing a Set operation.
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 5]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
The notify-view is the set of object instances authorized for
the group when sending objects in a notification. Such occurs
when sending a notification (Inform or Trap).
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 6]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
3. Elements of Procedure
This section describes the procedures followed by the Access Control
module that implements this Access Control Model when checking access
rights as requested by an orangelet.
The abstract service interface into the access control service is:
Boolean is_access_allowed ( secModel, miId, LoS,
viewType, contextName,
variableName
)
Where:
Boolean - FALSE if no access is allowed.
TRUE if access is allowed.
secModel - security model to which the miId belongs.
miId - security model independent ID (securityIdentity).
LoS - Level of Security
viewType - view to be checked (read, write or notify).
contextName - context in which the variable_name is accessed.
variableName - variable that is accessed.
3.1 Processing the is_access_allowed service request
This section describes the procedure followed by the Access Control
module whenever it receives a request to check if access is allowed.
(1) The LCD (snmpV3AcContextTable) is consulted for information about
the SNMP context identified by the contextName. If information
about this SNMP context is absent from the LCD, then the
snmpV3AcStatsUnknownContexts counter is incremented, and FALSE
is returned to the caller.
(2) The LCD (snmpV3AcGroupTable) is consulted for information about
the security model (secModel) and securityIdentity (miId). If
information about this combination is absent from the LCD, then
the snmpV3AcStatsNoGroups counter is incremented, and FALSE is
returned to the caller.
(3) The LCD (snmpV3AcTable) is consulted for information about
the contextName, groupName and LoS. If information about this
combination is absent from the LCD, then the snmpV3AcStatsNoViews
counter is incremented, and FALSE is returned to the caller.
(4) If the SNMPv2 viewType is the read, then the read-view is used
for checking if the variableName is accessible.
If access is allowed, then TRUE is returned to the caller.
Otherwise the snmpV3AcStatsUnauthorizedAccesses counter is
incremented and FALSE is returned to the caller.
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 7]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
(5) If the SNMPv2 viewType is the write, then the write-view is used
for checking if the variableName is accessible.
If access is allowed, then TRUE is returned to the caller.
Otherwise the snmpV3AcStatsUnauthorizedAccesses counter is
incremented and FALSE is returned to the caller.
(6) If the SNMPv2 viewType is the notify, then the notify-view is
used for checking if the variableName is accessible.
If access is allowed, then TRUE is returned to the caller.
Otherwise the snmpV3AcStatsUnauthorizedAccesses counter is
incremented and FALSE is returned to the caller.
Editor's note:
We decided that a boolean would be returned. Maybe it is better
to return a status_code which can have one of these values:
otherError
accessAllowed
unknownContext
noGroup
noView
accessNotAllowed
Then the caller can generate the appropriate reportPDU (or tell the
MPC to generate the appropriate reportPDU).
End Editor's note
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 8]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
4. Definitions
SNMPV3-AC-MIB DEFINITIONS ::= BEGIN
IMPORTS
Counter32, Unsigned32, BITS,
MODULE-IDENTITY, OBJECT-TYPE, snmpModules FROM SNMPv2-SMI
TEXTUAL-CONVENTION, TestAndIncr,
RowStatus, StorageType, FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
SnmpAdminString,
SnmpLoS,
SnmpSecurityModel FROM SNMPv3-MIB;
snmpV3AcMIB MODULE-IDENTITY
LAST-UPDATED "9706180000Z" -- 18 June 1997, midnight
ORGANIZATION "SNMPv3 Working Group"
CONTACT-INFO "WG-email: snmpv3@tis.com
Subscribe: majordomo@tis.com
In msg body: subscribe snmpv3
Chair: Russ Mundy
Trusted Information Systems
postal: 3060 Washington Rd
Glenwood MD 21738
email: mundy@tis.com
phone: 301-854-6889
Co-editor: Bert Wijnen
IBM T.J. Watson Research
postal: Schagen 33
3461 GL Linschoten
Netherlands
email: wijnen@vnet.ibm.com
phone: +31-348-412-498
Co-editor: Randy Presuhn
BMC Software, Inc
postal: 1190 Saratoga Avenue, Suite 130
San Jose, CA 95129-3433
USA
email: rpresuhn@bmc.com
phone: +1-408-556-0720
Co-editor: Keith McCloghrie
Cisco Systems, Inc.
postal: 170 West Tasman Drive
San Jose, CA 95134-1706
USA
email: kzm@cisco.com
phone: +1-408-526-5260
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 9]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
"
DESCRIPTION "The management information definitions for the
SNMPv3 Access Control Model.
"
::= { snmpModules 99 }
-- Administrative assignments ****************************************
snmpV3AcMIBObjects OBJECT IDENTIFIER ::= { snmpV3AcMIB 1 }
snmpV3AcMIBConformance OBJECT IDENTIFIER ::= { snmpV3AcMIB 2 }
-- Statistics for Access Control Checking ****************************
snmpV3AcStats OBJECT IDENTIFIER ::= { snmpV3AcMIBObjects 1 }
snmpV3AcStatsUnknownContexts OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION "The total number of packets received by the SNMP
engine which were dropped because they referenced a
context that was not known to the engine.
"
::= { snmpV3AcStats 1 }
snmpV3AcStatsNoGroups OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION "The total number of packets received by the SNMP
engine which were dropped because the security model
independent ID (securityIdentity, miId) did not map
a group in the snmpV3AcGroupTable.
"
::= { snmpV3AcStats 2 }
snmpV3AcStatsNoViews OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION "The total number of packets received by the SNMP
engine which were dropped because the combination
of contextName, groupName and LoS does not have
an entry in the snmpV3AcTable at all.
"
::= { snmpV3AcStats 3 }
snmpV3AcStatsUnauthorizedAccesses OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 10]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
STATUS current
DESCRIPTION "The total number of packets received by the SNMP
engine which were dropped because the type of access
requested is invalid or not authorized.
"
::= { snmpV3AcStats 4 }
-- Information about Mapping of miId into a group ********************
-- Editor's question:
-- I have included the mapping table for the miId into a
-- groupName into this MIB. I think that keeps the acces
-- control nicely grouped together. Comments?
-- End Editor's question.
snmpV3AcGroupTable OBJECT-TYPE
SYNTAX SEQUENCE OF SnmpV3AcGroupEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "The table that maps the Security Model Independent ID
into a groupName which defines an acces control
policy for a group of security identities.
"
::= { snmpV3AcMIBObjects 2 }
snmpV3AcGroupEntry OBJECT-TYPE
SYNTAX SnmpV3AcGroupEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "An entry in this table maps a miId into a groupName."
INDEX { snmpV3AcSecModel,
snmpV3AcMiId
}
::= { snmpV3AcGroupTable 1 }
SnmpV3AcGroupEntry ::= SEQUENCE
{
snmpV3AcSecModel SnmpV3SecurityModel,
snmpV3AcMiId SnmpV3AdminString,
snmpV3AcGroupName SnmpV3AdminString,
snmpV3AcGroupStorageType StorageType,
snmpV3AcGroupStatus RowStatus
}
snmpV3AcSecModel OBJECT-TYPE
SYNTAX SnmpV3SecurityModel
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "The security model, which is the first index in this
table.
"
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 11]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
::= { snmpV3AcGroupEntry 1 }
snmpV3AcMiId OBJECT-TYPE
SYNTAX SnmpV3AdminString
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "The Security Model Independent ID (miId) for a
particular security identity. It is used as a second
index in this table.
"
::= { snmpV3AcGroupEntry 2 }
snmpV3AcGroupName OBJECT-TYPE
SYNTAX SnmpV3AdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The groupName to which this miId belongs. This
groupName represents a access control policy and is
used as an index in the snmpV3AcTable.
"
::= { snmpV3AcGroupEntry 3 }
snmpV3AcGroupStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The storage type for this conceptual row.
Conceptual rows having the value 'permanent'
need not allow write-access to any columnar
objects in the row.
"
DEFVAL { nonVolatile }
::= { snmpV3AcGroupEntry 6 }
snmpV3AcGroupStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The status of this conceptual row.
For those columnar objects which permit write-access,
their value in an existing conceptual row can be
changed irrespective of the value of
snmpV3AcGroupStatus for that row.
"
::= { snmpV3AcGroupEntry 7 }
-- Information about Local Contexts **********************************
snmpV3AcContextTable OBJECT-TYPE
SYNTAX SEQUENCE OF SnmpV3AcContextEntry
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 12]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "The table of locally available contexts. If a context
is listed in this table that does not mean that
access to this context has been defined in the
snmpV3AcTable. It just means that the context exists
and that MIB objects may exist in this context.
This table must be made accessible via the default
context.
This table is read-only meaning that SNMP engines
in a manager role cannot configure contexts.
Instead the table is meant to provide input to SNMP
engines in a manager role such that they can
properly configure the snmpV3AcTable to control
access to all contexts in an SNMP engine operating
in an agent role.
"
::= { snmpV3AcMIBObjects 3 }
snmpV3AcContextEntry OBJECT-TYPE
SYNTAX SnmpV3AcContextEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "Information about a particular context."
INDEX { snmpV3AcContextName }
::= { snmpV3AcContextTable 1 }
SnmpV3AcContextEntry ::= SEQUENCE
{
snmpV3AcContextName SnmpV3AdminString
}
snmpV3AcContextName OBJECT-TYPE
SYNTAX SnmpV3AdminString (SIZE(0..32))
MAX-ACCESS read-only
STATUS current
DESCRIPTION "A textual name uniquely identifying a particular
context on a particular agent.
"
::= { snmpV3AcContextEntry 1 }
-- Information about Access Rights ***********************************
snmpV3AcTable OBJECT-TYPE
SYNTAX SEQUENCE OF SnmpV3AcEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "The table of group access rights configured in the
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 13]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
local configuration datastore (LCD).
Each entry is indexed by a contextName, a GroupName
and a Level of Security (LoS). When checking if access
is allowed, then one entry from this table needs to
be selected and the proper viewName from that entry
must be used for access control checking.
To select the proper entry, first a match must be
found for the contextName. The procedure for this
process depends on the value of snmpV3AcContextMatch:
- exact
In this case, the snmpV3AcContextName represents
an exact contextName, and so the name must match
exactly.
- prefix
In this case, the snmpV3AcContextName represents
a prefix of a contextName, so that (a limited from
of) wildcarding is possible. The value of
snmpV3AcContextName must match with the first part
of the contextName to which access is requested.
For example, if we use a prefix contextName
'repeater', then both contexts named 'repeater1'
and 'repeater2' are accessible.
In case multiple entries match, then the entry with
the longest snmpV3AcContextName wins.
The second match to make is for the groupName. Here
an exact match must be found.
The 3rd match to make is for the LoS. Here an exact
match must be found.
"
-- Editors Question to Keith:
-- I have removed snmpV3AcContextName from the AcTable.... I was
-- thinking that it has the same semantics as snmpV3AcContextName
-- in the SnmpV3AcContextTable above. But now that we also allow
-- for wildcarding here, now I am not so sure that the semantics
-- are indeed the same. Should I define a snmpV2AcContextPrefix
-- instead?
-- End Editors Question
::= { snmpV3AcMIBObjects 4 }
snmpV3AcEntry OBJECT-TYPE
SYNTAX SnmpV3AcEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "An access right configured in the local configuration
datastore (LCD) authorizing access to an SNMP context.
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 14]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
"
INDEX { snmpV3AcContextName,
snmpV3AcGroupName,
snmpV3AcLoS
}
::= { snmpV3AcTable 1 }
SnmpV3AcEntry ::= SEQUENCE
{
snmpV3AcLoS SnmpV3LoS,
snmpV3AcContextMatch INTEGER,
snmpV3AcReadViewName SnmpV3AdminString,
snmpV3AcWriteViewName SnmpV3AdminString,
snmpV3AcNotifyViewName SnmpV3AdminString,
snmpV3AcStorageType StorageType,
snmpV3AcStatus RowStatus
}
snmpV3AcLoS OBJECT-TYPE
SYNTAX SnmpV3LoS
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "The minimum level of security required in order to
gain the access rights allowed by this conceptual
row.
"
::= { snmpV3AcEntry 1 }
snmpV3AcContextMatch OBJECT-TYPE
SYNTAX INTEGER
{ exact (0), -- exact match of context Name
prefix (1) -- Only match to this prefix
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION "If exact is set, then the contextName of the
index part snmpV3AcContextName of this entry in this
table represents a full contextName.
If prefix is set, then the contextName of the
index part snmpV3AcContextName of this entry in this
table represents a partial contextName which acts
as a prefix so that a simple form of wildcarding
is possible.
"
::= { snmpV3AcEntry 2 }
snmpV3AcReadViewName OBJECT-TYPE
SYNTAX SnmpV3AdminString
MAX-ACCESS read-create
STATUS current
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 15]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
DESCRIPTION "The value of an instance of this object identifies
the MIB view of the SNMP context to which this
conceptual row authorizes read access.
The identified MIB view is that for which
snmpV3AcViewName has the same value as the instance
of this object; if the value is the empty string or
if there is no active MIB view having this value of
snmpV3AcViewName, then no access is granted.
Otherwise, this object is ignored and can take any
value at the Access Control module's discretion,
e.g., the empty string.
"
DEFVAL { ''H } -- the empty string
::= { snmpV3AcEntry 3 }
snmpV3AcWriteViewName OBJECT-TYPE
SYNTAX SnmpV3AdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The value of an instance of this object identifies
the MIB view of the SNMP context to which this
conceptual row authorizes write access.
The identified MIB view is that for which
snmpV3AcViewName has the same value as the instance
of this object; if the value is the empty string or
if there is no active MIB view having this value of
snmpV3AcViewName, then no access is granted.
Otherwise, this object is ignored and can take any
value at the Access Control module's discretion,
e.g., the empty string.
"
DEFVAL { ''H } -- the empty string
::= { snmpV3AcEntry 4 }
snmpV3AcNotifyViewName OBJECT-TYPE
SYNTAX SnmpV3AdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The value of an instance of this object identifies
the MIB view of the SNMP context to which this
conceptual row authorizes access for notifications.
The identified MIB view is that for which
snmpV3AcViewName has the same value as the instance
of this object; if the value is the empty string or
if there is no active MIB view having this value of
snmpV3AcViewName, then no access is granted.
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 16]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
Otherwise, this object is ignored and can take any
value at the Access Control module's discretion,
e.g., the empty string.
"
DEFVAL { ''H } -- the empty string
::= { snmpV3AcEntry 5 }
snmpV3AcStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The storage type for this conceptual row.
Conceptual rows having the value 'permanent'
need not allow write-access to any columnar
objects in the row.
"
DEFVAL { nonVolatile }
::= { snmpV3AcEntry 6 }
snmpV3AcStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The status of this conceptual row.
For those columnar objects which permit write-access,
their value in an existing conceptual row can be
changed irrespective of the value of snmpV3AcStatus
for that row.
"
::= { snmpV3AcEntry 7 }
-- Information about MIB views ***************************************
-- Support for views having instance-level granularity is optional
snmpV3AcViewTable OBJECT-TYPE
SYNTAX SEQUENCE OF SnmpV3AcViewEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "The table of locally defined MIB views.
When an SNMP engine in the manager role wants to
create a new MIB view, then it must first create
an entry in the snmpV3AcViewTable, using a
non-existing index-value for snmpV3AcViewName.
If the creation of such an entry is successful,
the SNMP engine in the manager role can then start
creating entries in the snmpV3AcSubtreeFamiliyTable.
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 17]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
When deleting MIB views, it is strongly advised that
first the related snmpV3AcSubtreeFamilityEntries are
deleted from the snmpV3AcSubtreeFamiliyTable and that
only upon completion of that deletion process the
snmpV3AcViewEntry is deleted from the
snmpV3AcViewTable.
Furthermore, a manager should take great care to
delete all the 'included' family entries before
deleting any of the 'excluded' ones.
Following these procedures there should be no
collisions when multiple managers try to update
the MIB views at an SNMP engine in an agent role.
If managers do not follow these procedures then it is
agent-implementation dependent as to what the result
of possible collisions will be.
"
::= { snmpV3AcMIBObjects 5 }
snmpV3AcViewEntry OBJECT-TYPE
SYNTAX SnmpV3AcViewEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "Information on a particular local MIB view."
INDEX { snmpV3AcViewName }
::= { snmpV3AcViewTable 1 }
SnmpV3AcViewEntry ::= SEQUENCE
{
snmpV3AcViewName SnmpV3AdminString,
snmpV3AcViewStorageType StorageType,
snmpV3AcViewStatus RowStatus
}
snmpV3AcViewName OBJECT-TYPE
SYNTAX SnmpV3AdminString (SIZE(1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "An unique viewName that uniquely identifies a MIB
viewEntry in this table.
"
::= { snmpV3AcViewEntry 1 }
snmpV3AcViewStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The storage type for this conceptual row.
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 18]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
Conceptual rows having the value 'permanent' need
not allow write-access to any columnar objects in
the row.
"
DEFVAL { nonVolatile }
::= { snmpV3AcViewEntry 2 }
snmpV3AcViewStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The status of this conceptual row.
For those columnar objects which permit write-access,
their value in an existing conceptual row can be
changed irrespective of the value of
snmpV3AcViewStatus for that row.
"
::= { snmpV3AcViewEntry 3 }
-- Subtree families of MIB views *************************************
snmpV3AcSubtreeFamilyTable OBJECT-TYPE
SYNTAX SEQUENCE OF SnmpV3AcSubtreeFamilyEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "Locally held information about families of subtrees
within MIB views.
Each MIB view is defined by two collections of view
subtrees: the included view subtrees, and the
excluded view subtrees.
Every such subtree, both included and excluded,
is defined in this table.
To determine if a particular object instance is in
a particular MIB view, compare the object instance's
OBJECT IDENTIFIER with each of the MIB view's active
entries in this table. If none match, then the
object instance is not in the MIB view. If one or
more match, then the object instance is included in,
or excluded from, the MIB view according to the
value of snmpV3AcSubtreeFamilyType in the entry
whose value of snmpV3AcSubtreeFamilySubtree has the
most sub-identifiers. If multiple entries match
and have the same number of sub-identifiers, then
the lexicographically greatest instance of
snmpV3AcSubtreeFamilyType determines the inclusion
or exclusion.
An object instance's OBJECT IDENTIFIER X matches an
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 19]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
active entry in this table when the number of
sub-identifiers in X is at least as many as in the
value of snmpV3AcSubtreeFamilySubtree for the entry,
and each sub-identifier in the value of
snmpV3AcSubtreeFamilySubtree matches its
corresponding sub-identifier in X.
Two sub-identifiers match either if the
corresponding bit of snmpV3AcSubtreeFamilyMask is
zero (the 'wild card' value), or if they are equal.
A 'family' of view subtrees is the set of subtrees
defined by a particular combination of values of
snmpV3AcSubtreeFamilySubtree and
snmpV3AcSubtreeFamilyMask.
In the case where no 'wild card' is defined in
snmpV3AcSubtreeFamilyMask, the family of view
subtrees reduces to a single view subtree.
When an SNMP engine in the manager role wants to
create a new MIB view, then it should first create
an entry in the snmpV3AcViewTable, using a
non-existing index-value for snmpV3AcViewName.
If the creation of such an entry is successful,
the SNMP engine in the manager role can then start
creating entries in the snmpV3AcSubtreeFamiliyTable.
When deleting MIB views, it is strongly advised that
first the related snmpV3AcSubtreeFamilityEntries are
deleted from the snmpV3AcSubtreeFamiliyTable and that
only upon completion of that deletion process the
snmpV3AcViewEntry is deleted from the
snmpV3AcViewTable.
Following these procedures there should be no
collisions when multiple managers try to update
the MIB views at an SNMP engine in an agent role.
"
::= { snmpV3AcMIBObjects 6 }
snmpV3AcSubtreeFamilyEntry OBJECT-TYPE
SYNTAX SnmpV3AcSubtreeFamilyEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "Information on a particular family of view subtrees
included in or excluded from a particular SNMP
context's MIB view. The MIB view must exist
(i.e., be represented by a conceptual row in the
snmpV3AcViewTable) before any subtree families can
be defined for it.
Implementations must not restrict the number of
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 20]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
families of view subtrees for a given MIB view,
except as dictated by resource constraints on the
overall number of entries in the
snmpV3AcSubtreeFamilyTable.
The value of snmpV3AcViewName in this INDEX clause
of this table identifies the MIB view in which this
subtree family exists.
A MIB view for which there are no conceptual rows
in this table is the empty set of view subtrees.
"
INDEX { snmpV3AcViewName,
IMPLIED snmpV3AcSubtreeFamilySubtree
}
::= { snmpV3AcSubtreeFamilyTable 1 }
SnmpV3AcSubtreeFamilyEntry ::= SEQUENCE
{
snmpV3AcSubtreeFamilySubtree OBJECT IDENTIFIER,
snmpV3AcSubtreeFamilyMask OCTET STRING,
snmpV3AcSubtreeFamilyType INTEGER,
snmpV3AcSubtreeFamilyStorageType StorageType,
snmpV3AcSubtreeFamilyStatus RowStatus
}
snmpV3AcSubtreeFamilySubtree OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION "The MIB subtree which when combined with the
corresponding instance of snmpV3AcSubtreeFamilyMask
defines a family of view subtrees.
"
::= { snmpV3AcSubtreeFamilyEntry 1 }
snmpV3AcSubtreeFamilyMask OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..16))
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The bit mask which,
in combination with the corresponding instance of
snmpV3AcSubtreeFamilySubtree, defines a family of
view subtrees.
Each bit of this bit mask corresponds to a
sub-identifier of snmpV3AcSubtreeFamilySubtree,
with the most significant bit of the i-th octet
of this octet string value (extended if necessary,
see below) corresponding to the (8*i - 7)-th
sub-identifier, and the least significant bit of
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 21]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
the i-th octet of this octet string corresponding
to the (8*i)-th sub-identifier, where i is in the
range 1 through 16.
Each bit of this bit mask specifies whether or not
the corresponding sub-identifiers must match when
determining if an OBJECT IDENTIFIER is in this
family of view subtrees; a '1' indicates that an
exact match must occur; a '0' indicates 'wild card',
i.e., any sub-identifier value matches.
Thus, the OBJECT IDENTIFIER X of an object instance
is contained in a family of view subtrees if, for
each sub-identifier of the value of
snmpV3AcSubtreeFamilySubtree, either:
the i-th bit of snmpV3AcSubtreeFamilyMask is 0, or
the i-th sub-identifier of X is equal to the
i-th sub-identifier of the value of
snmpV3AcSubtreeFamilySubtree.
If the value of this bit mask is M bits long
and there are more than M sub-identifiers in
the corresponding instance of
snmpV3AcSubtreeFamilySubtree, then the bit mask
is extended with 1's to be the required length.
Note that when the value of this object is the
zero-length string, this extension rule results in
a mask of all-1's being used (i.e., no 'wild card'),
and the family of view subtrees is the one view
subtree uniquely identified by the corresponding
instance of snmpV3AcSubtreeFamilySubtree.
"
DEFVAL { ''H }
::= { snmpV3AcSubtreeFamilyEntry 2 }
snmpV3AcSubtreeFamilyType OBJECT-TYPE
SYNTAX INTEGER { included(1), excluded(2) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The indication of whether the corresponding instances
of snmpV3AcSubtreeFamilySubtree and
snmpV3AcSubtreeFamilyMask define a family of view
subtrees which is included in or excluded from the
MIB view.
"
DEFVAL { included }
::= { snmpV3AcSubtreeFamilyEntry 3 }
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 22]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
snmpV3AcSubtreeFamilyStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The storage type for this conceptual row.
Conceptual rows having the value 'permanent' need
not allow write-access to any columnar objects in
the row.
An SNMP engine in the manager role is advised to
use the same value for this row as the value used
in the corresponding row in the snmpV3AcViewTable.
"
DEFVAL { nonVolatile }
::= { snmpV3AcSubtreeFamilyEntry 4 }
snmpV3AcSubtreeFamilyStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION "The status of this conceptual row.
For those columnar objects which permit write-access,
their value in an existing conceptual row can be
changed irrespective of the value of
snmpV3AcSubtreeFamilyStatus for that row.
An SNMP engine in the manager role is advised to
use the same value for this row as the value used
in the corresponding row in the snmpV3AcViewTable.
"
::= { snmpV3AcSubtreeFamilyEntry 5 }
-- Conformance information *******************************************
snmpV3AcMIBCompliances
OBJECT IDENTIFIER ::= { snmpV3AcMIBConformance 1 }
snmpV3AcMIBGroups
OBJECT IDENTIFIER ::= { snmpV3AcMIBConformance 2 }
-- Compliance statements *********************************************
snmpV3AcMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION "The compliance statement for SNMP engines which
implement the SNMPv3 ACM configuration MIB.
"
MODULE -- this module
MANDATORY-GROUPS { snmpV3AcBasicGroup }
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 23]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
OBJECT snmpV3AcContextMatch
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT snmpV3AcReadViewName
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT snmpV3AcWriteViewName
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT snmpV3AcNotifyViewName
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT snmpV3AcStorageType
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT snmpV3AcStatus
MIN-ACCESS read-only
DESCRIPTION "Create access to the snmpV3AcViewTable
is not required.
"
OBJECT snmpV3AcViewStorageType
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT snmpV3AcViewStatus
MIN-ACCESS read-only
DESCRIPTION "Create access to the snmpV3AcViewTable
is not required.
"
OBJECT snmpV3AcSubtreeFamilyMask
WRITE-SYNTAX OCTET STRING (SIZE (0))
MIN-ACCESS read-only
DESCRIPTION "Support for configuration via SNMP of
subtree families defined using wild-cards
is not required.
"
OBJECT snmpV3AcSubtreeFamilyType
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
OBJECT snmpV3AcSubtreeFamilyStorageType
MIN-ACCESS read-only
DESCRIPTION "Write access is not required."
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 24]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
OBJECT snmpV3AcSubtreeFamilyStatus
MIN-ACCESS read-only
DESCRIPTION "Create access to the snmpV3AcSubtreeFamilyTable
is not required.
"
::= { snmpV3AcMIBCompliances 1 }
-- Units of conformance **********************************************
snmpV3AcBasicGroup OBJECT-GROUP
OBJECTS { snmpV3AcStatsUnknownContexts,
snmpV3AcStatsNoGroups,
snmpV3AcStatsNoViews,
snmpV3AcStatsUnauthorizedAccesses, -- length 33
snmpV3AcGroupName,
snmpV3AcGroupStorageType,
snmpV3AcGroupStatus,
snmpV3AcContextName,
snmpV3AcReadViewName,
snmpV3AcWriteViewName,
snmpV3AcNotifyViewName,
snmpV3AcStorageType,
snmpV3AcStatus,
snmpV3AcViewStorageType,
snmpV3AcViewStatus,
snmpV3AcSubtreeFamilyMask,
snmpV3AcSubtreeFamilyType,
snmpV3AcSubtreeFamilyStorageType, -- length 32
snmpV3AcSubtreeFamilyStatus
}
STATUS current
DESCRIPTION "A collection of objects providing for remote
configuration of an SNMP engine which implements
the SNMPv3 Access Control Model (ACM).
"
::= { snmpV3AcMIBGroups 1 }
END
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 25]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
5. Security Considerations
5.1 Recommended Practices
This document is meant for use in the SNMP architecture. The
Access Control Model (ACM) described in this document controls
access rights to management information based on:
- contextName, representing a set of management information at the
managed system where the Access Control module is running.
- groupName, representing a group or set of zero, one or more
securityIdentities. These securityIdentities are mapped into
one or more groups in the SNMPv3 Access Control subsystem.
- Level of Security (LoS) used for the transmission of an SNMP
message.
When the Access Control module (ACM) is called for checking access
rights, it is assumed that the calling module has ensured the
authentication and privacy aspects as specified by the Level of
Security (LoS) that is being passed.
5.2 Defining Groups
GroupNames are used to give access to a group of zero, one or more
securityIdentities. Within the ACM, a groupName is considered to
exist if that groupName is used (as an index) in a row in the
snmpV3AcTable.
By mapping a securityIdentity into a group, a Management System can
add/delete securityIdentities to/from a group.
5.3 Conformance
Conformance rules are described in the SNMP architecture document
[SNMP-ARCH].
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 26]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
6. Editor's Addresses
Co-editor: Bert Wijnen
IBM T. J. Watson Research
postal: Schagen 33
3461 GL Linschoten
Netherlands
email: wijnen@vnet.ibm.com
phone: +31-348-432-794
Co-editor: Randy Presuhn
BMC Software, Inc
postal: 1190 Saratoga Avenue, Suite 130
San Jose, CA 95129-3433
USA
email: rpresuhn@bmc.com
phone: +1-408-556-0720
Co-editor: Keith McCloghrie
Cisco Systems, Inc.
postal: 170 West Tasman Drive
San Jose, CA 95134-1706
USA
email: kzm@cisco.com
phone: +1-408-526-5260
7. Acknowledgements
This document describes the work of the SNMP Security and
Administrative Framework Evolution team, comprised of
David Harrington (Cabletron Systems Inc.)
Jeff Johnson (Cisco)
David Levi (SNMP Research Inc.)
John Linn (Openvision)
Russ Mundy (Trusted Information Systems) chair
Shawn Routhier (Epilogue)
Glenn Waters (Nortel)
Bert Wijnen (IBM T. J. Watson Research)
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 27]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
8. References
[RFC1902] The SNMPv2 Working Group, Case, J., McCloghrie, K.,
Rose, M., and S., Waldbusser, "Structure of Management
Information for Version 2 of the Simple Network Management
Protocol (SNMPv2)", RFC 1905, January 1996.
[RFC1905] The SNMPv2 Working Group, Case, J., McCloghrie, K.,
Rose, M., and S., Waldbusser, "Protocol Operations for
Version 2 of the Simple Network Management Protocol (SNMPv2)",
RFC 1905, January 1996.
[RFC1906] The SNMPv2 Working Group, Case, J., McCloghrie, K.,
Rose, M., and S. Waldbusser, "Transport Mappings for
Version 2 of the Simple Network Management Protocol (SNMPv2)",
RFC 1906, January 1996.
[RFC1907] The SNMPv2 Working Group, Case, J., McCloghrie, K.,
Rose, M., and S. Waldbusser, "Management Information Base for
Version 2 of the Simple Network Management Protocol (SNMPv2)",
RFC 1907, January 1996.
[RFC1908] The SNMPv2 Working Group, Case, J., McCloghrie, K.,
Rose, M., and S. Waldbusser, "Coexistence between Version 1
and Version 2 of the Internet-standard Network Management
Framework", RFC 1908, January 1996.
[SNMP-ARCH] The SNMPv3 Working Group, Harrington, D., Wijnen, B.,
"An Architecture for describing Internet Management Frameworks",
draft-ietf-snmpv3-next-gen-arch-02.txt, June 1997.
[SNMPv3-ACM] The SNMPv3 Working Group, Wijnen, B., Harrington, D.,
"Access Control Model for Version 3 of the Simple Network
Management Protocol (SNMPv3)", draft-ietf-snmpv3-acm-00.txt,
June 1997.
[SNMPv3-MPC] The SNMPv3 Working Group, Wijnen, B., Harrington, D.,
"Message Processing and Control Model for version 3 of the Simple
Network Management Protocol (SNMPv3)",
draft-ietf-snmpv3-mpc-00.txt,
March 1997.
[SNMPv3-USEC] The SNMPv3 Working Group, Blumenthal, U., Wijnen, B.,
"The User-Based Security Model for Version 3 of the Simple
Network Management Protocol (SNMPv3)",
draft-ietf-snmpv3-usec-01.txt, June 1997.
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 28]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
APPENDIX A - Installation
A.1. Installation Parameters
During installation, an SNMPv3 engine acting in an authoritative role
is configured with several parameters. These include for the Access
Control module:
(1) A security posture
The choice of security posture determines the extent of the view
configured for unauthenticated access. One of three possible
choices is selected:
minimum-secure,
semi-secure, or
very-secure.
(2) A default context
One entry in the snmpV3AcContextTable with a contextName of
"" (the empty string, representing the default context.
Editor's note:
If we do keep the groupTable, then we also need an entry in
the groupTable for group public. It should have a miId of
"public" for USEC that maps into groupName "public"
End Editor's note.
(3) Three entries in the snmpV3AcTable as follows:
- One entry to be used for unauthenticated access:
no privacy support privacy support
------------------ ---------------
snmpV3AcContextName "" ""
snmpV3AcGroupName "public" "public"
snmpV3AcLoS noAuth/noPriv noAuth/noPriv
snmpV3AcReadViewName "restricted" "restricted"
snmpV3AcWriteViewName "" ""
snmpV3AcNotifyViewName "restricted" "restricted"
snmpV3AcStorageType permanent permanent
snmpV3AcStatus active active
- One entry to be used for authenticated access but without
privacy:
no privacy support privacy support
------------------ ---------------
snmpV3AcContextName "" ""
snmpV3AcGroupName "public" "public"
snmpV3AcLoS Auth/noPriv Auth/noPriv
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 29]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
snmpV3AcReadViewName "all" "all"
snmpV3AcWriteViewName "all" "all"
snmpV3AcNotifyViewName "all" "all"
snmpV3AcStorageType permanent permanent
snmpV3AcStatus active active
- One entry to be used for authenticated access with privacy:
no privacy support privacy support
------------------ ---------------
snmpV3AcContextName ""
snmpV3AcGroupName "public"
snmpV3AcLoS Auth/Priv
snmpV3AcReadViewName "all"
snmpV3AcWriteViewName "all"
snmpV3AcNotifyViewName "all"
snmpV3AcStorageType permanent
snmpV3AcStatus active
(4) Two views depending on the security posture.
- One view (the view) for authenticated access:
- the MIB view is the following subtree:
"internet" [RFC1902]
Editor's note:
I picked this up from the RFC1910.
I have experience myself that MIBs were defined outside the
internet subtree, so maybe this should just be
"iso"
End Editor's note.
- A second view (the view) for unauthenticated
access. This view is configured according to the selected
security posture:
- For the "very-secure" posture:
the MIB view is the union of these subtrees:
"snmp" [RFC1907]
"snmpEngine" [SNMPv3-USEC]
"snmpV3Stats" [SNMPv3-MPC]
"snmpV3AcStats" [SNMPv3-ACM]
- For the "semi-secure" posture:
the MIB view is the union of these subtrees:
"snmp" [RFC1907]
"snmpEngine" [SNMPv3-USEC]
"snmpV3Stats" [SNMPv3-MPC]
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 30]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
"snmpV3AcStats" [SNMPv3-ACM]
"system" [RFC1907]
- For the "minimum-secure" posture:
the MIB view is the following subtree.
"internet" [RFC1902]
- Access rights to allow:
- read-notify access for LoS "noAuth" on behalf of security
entities that belong to the group "public" to the
MIB view in the context with contextName "".
- read-write-notify access for LoS "auth" on behalf of security
entities that belong to the group "public" to the
MIB view in the context with contextName "".
- if privacy is supported,
read-write-notify access for LoS "auth" on behalf of security
entities that belong to the group "public" to the
MIB view in the context with contextName "".
-- Editor's note:
If we find it useful (I do) then I will also work out
the entries in the viewTable and viewSubtreeFamilyTable
so that we have the above views defined.
-- End Editor's note
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 31]
�
Draft Access Control Model (ACM) for SNMPv3 June 1997
Table of Contents
0.1 Issues 2
0.2 Change Log 2
1. Introduction 3
1.2 Access Control 3
1.3 Local Configuration Datastore 3
2. Elements of the Model 5
2.1 Groups 5
2.2 Level of Security (LoS) 5
2.3 Contexts 5
2.4 Access Policy 5
3. Elements of Procedure 7
3.1 Processing the is_access_allowed service request 7
4. Definitions 9
5. Security Considerations 26
5.1 Recommended Practices 26
5.2 Defining Groups 26
5.3 Conformance 26
6. Editor's Addresses 27
7. Acknowledgements 27
8. References 28
A.1. Installation Parameters 29
Wijnen/Presuhn/McCloghrie Expires December 1997 [Page 32]