Internet Draft                                            Mark Bakke
                                                          Cisco Systems
Expires August 2006                                       James Muchow
                                                          Qlogic Corp.
                                                          February 2006

                  Definitions of Managed Objects for
                IP Storage User Identity Authorization

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.html.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in TCP/IP based internets.
   In particular it defines objects for managing user identities and the
   names, addresses, and credentials required to manage access control,
   for use with various protocols.  This draft was motivated by the need
   for the configuration of authorized user identities for the iSCSI
   protocol, but has been extended to be useful for other protocols that
   have similar requirements.  It is important to note that this MIB
   module provides only the set of identities to be used within access
   lists; it is the responsibility of other MIB modules making use of
   this one to tie them to their own access lists or other authorization
   control methods.

Table of Contents

   1. Introduction
   2. Specification of Requirements
   3. The Internet-Standard Management Framework
   4. Relationship to Other MIB Modules
   5. Relationship to the USM MIB Module
   6. Relationship to SNMP Contexts
   7. Discussion
   7.1. Authorization MIB Object Model
   7.2. ipsAuthInstance
   7.3. ipsAuthIdentity
   7.4. ipsAuthIdentityName
   7.5. ipsAuthIdentityAddress
   7.6. ipsAuthCredential
   7.7. IP, Fibre Channel, and Other Addresses
   7.8. Descriptors: Using OIDs in Place of Enumerated Types
   7.9. Notifications
   8. MIB Definitions
   9. Security Considerations
   10. IANA Considerations
   10.1. OID Assignment
   11. Normative References
   12. Informative References
   Acknowledgments
   Authors' Addresses
   IPR Notice
   Full Copyright Notice

1. Introduction

   This MIB module will be used to configure and/or look at the
   configuration of user identities and their credential information.
   For the purposes of this MIB module, a "user" identity does not need
   to be an actual person; a user can also be a host, an application, a
   cluster of hosts, or any other identifiable entity that can be
   authorized to access a resource.

   Most objects in this MIB module have a MAX-ACCESS of read-create;
   this module is intended to allow configuration of user identities and
   their names, addresses, and credentials.  MIN-ACCESS for all objects
   is read-only for those implementations that configure through other
   means, but require the ability to monitor user identities.

2. Specification of Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4. Relationship to Other MIB Modules

   The IPS-AUTH-MIB module does not directly address objects within
   other modules.  The identity address objects contain IPv4, IPv6, or
   other address types, and as such may be indirectly related to objects
   within the IP [RFC2011bis] MIB module.

   This MIB module does not provide actual authorization or access
   control lists; it provides a means to identify entities that can be
   included in other authorization lists.  This should generally be done
   in MIB modules that reference identities in this one.  It also does
   not cover login or authentication failure statistics or
   notifications, as these are all fairly application-specific, and are
   not generic enough to include here.

   The user identity objects within this module are typically referenced
   from other modules by a RowPointer within that module.  A module
   containing resources for which it requires a list of authorized user
   identities may create such a list, with a single RowPointer within
   each list element pointing to a user identity within this module.

   This is neither required nor restricted by this MIB module.

5. Relationship to the USM MIB Module

   The User-based Security Model (USM) [RFC3414] also defines the
   concept of a user, defining authentication and privacy protocols and
   their credentials.  The definition of USM includes the SNMP-USER-
   BASED-SM-MIB module which allows configuration of SNMPv3 user
   credentials to protect SNMPv3 messages.  Although USM's users are not
   related to the user identities managed by the IPS-AUTH-MIB module
   defined in this document, USM will often be implemented on the same
   system as the IPS-AUTH-MIB module, with the SNMP-USER-BASED-SM-MIB
   module used to manage the security protecting SNMPv3 messages,
   including those which access the IPS-AUTH-MIB module.

   The term "user" in this document is distinct from an SNMPv3 user, and
   is intended to include, but is not limited to, users of IP storage
   devices.  A "user" in this document is a collection of user names
   (unique identifiers), user addresses, and credentials that can be
   used together to determine whether an entity should be allowed access
   to a resource.  Each user can have multiple names, addresses, and
   credentials.  As a result, this MIB module is particularly suited to
   managing users of storage resources, which are typically given access
   control lists consisting of potentially multiple identifiers,
   addresses, and credentials.  This MIB module provides for
   authorization lists only, and does not include setting of data
   privacy parameters.

   In contrast, an SNMPv3 user as defined in [RFC3414] has exactly one
   user-name, one authentication protocol, and one privacy protocol,
   along with their associated information and SNMP-specific
   information, such as an engine ID.  These objects are defined to
   support exactly the information needed for SNMPv3 security.

   For the remainder of this document, the term "user" means an IPS-
   AUTH-MIB user identity.

6. Relationship to SNMP Contexts

   Each non-scalar object in the IPS-AUTH-MIB module is indexed first by
   an Instance.  Each instance is a collection of identities that can be
   used to authorize access to a resource.  The use of an instance works
   well with partitionable or hierarchical devices and fits in logically
   with other management schemes.  Instances do not replace SNMP
   contexts; however, they do provide a very simple way to assign a
   collection of identities within a device to one or more SNMP
   contexts, without having to do so for each identity's row.

7. Discussion

   This MIB module structure is intended to allow the configuration of a
   list of user identities, each with a list of names, addresses,
   credentials, and certificates which when combined will distinguish
   that identity.

   The IPS-AUTH-MIB module is structured around two primary "objects",
   the authorization instance, and the identity, which serve as
   containers for the remainder of the objects.  This section contains a
   brief description of the "object" hierarchy and a description of each
   object, followed by a discussion of the actual SNMP table structure
   within the objects.

7.1. Authorization MIB Object Model

   The top-level object in this structure is the authorization instance,
   which "contains" all of the other objects.  The indexing hierarchy of
   this module looks like:

   ipsAuthInstance
     -- A distinct authorization entity within the managed system.
     -- Most implementations will have just one of these.
     ipsAuthIdentity
       -- A user identity, consisting of a set of identity names,
       -- addresses, and credentials reflected in the following
       -- objects:
       ipsAuthIdentityName
         -- A name for a user identity.  A name should be globally
         -- unique, and unchanging over time.  Some protocols may
         -- not require this one.
       ipsAuthIdentityAddress
         -- An address range, typically but not necessarily an
         -- IPv4, IPv6, or Fibre Channel address range, at which
         -- the identity is allowed to reside.
       ipsAuthCredential
         -- A single credential, such as a CHAP username,
         -- which can be used to verify the identity.
         ipsAuthCredChap
           -- CHAP-specific attributes for an ipsAuthCredential
         ipsAuthCredSrp
           -- SRP-specific attributes
         ipsAuthCredKerberos
           -- Kerberos-specific attributes

   Each identity contains the information necessary to identify a
   particular end-point that wishes to access a service, such as iSCSI.

   An identity can contain multiple names, addresses, and credentials.
   Each of these names, addresses, and credentials exists in its own
   row.  If multiple rows of one of these three types are present, they
   are treated in an "OR" fashion; an entity to be authorized need only
   match one of the rows.  If rows of different types are present (e.g.
   a name and an address), these are treated in an "AND" fashion; an
   entity to be authorized must match at least one row from each
   category.  If there are no rows present of a category, this category
   is ignored.

   For example, if an ipsAuthIdentity contains two rows of
   ipsAuthIdentityAddress, one row of ipsAuthCredential, and no rows of
   ipsAuthIdentityName, an entity must match the Credential row and at
   least one of the two Address rows to match the identity.
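   The OR-within-a-category, AND-across-categories rule above is the
   part of this module that an agent or a management application most
   often has to get right.  The following is an added example, not code
   from the draft or from any IPS-AUTH-MIB implementation: it evaluates
   that rule over identity rows built the way sections 7.5 and 7.7
   describe (address rows as inclusive start/end ranges of
   IpsAuthAddress octets, keyed by an IANA AddressFamilyNumbers value,
   with netmask-style prefixes converted to ranges).  The row and
   identity classes, the function names, and the sample identity with
   documentation-prefix addresses are all constructed for this example.
   It goes one step beyond the draft in one place, noted in the code:
   an identity with no rows in any category is refused rather than
   matched, since such a row would otherwise authorize every entity.

```python
# Added example, not from the draft: evaluates the matching rule of section 7.1
# (rows of one category are OR'ed, categories are AND'ed, empty categories are
# ignored) over identity rows built from netmask-style prefixes as 7.5 allows.
# The class and function names here are assumptions for this example only.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# IANA Address Family Numbers values used by the draft for the AddrType column.
AF_IPV4 = 1
AF_IPV6 = 2


@dataclass(frozen=True)
class AddressRow:
    """One ipsAuthIdentityAddress row: AddrType plus start/end IpsAuthAddress octets."""
    addr_type: int
    start: bytes
    end: bytes


@dataclass
class Identity:
    """One ipsAuthIdentity with its name, address and credential rows."""
    description: str
    names: List[str] = field(default_factory=list)
    addresses: List[AddressRow] = field(default_factory=list)
    credentials: List[Tuple[str, str]] = field(default_factory=list)  # (method, user)


def cidr_to_row(prefix: str) -> AddressRow:
    """Convert a netmask-style prefix into the start/end range form the MIB uses
    (7.5: netmasks are not supported, a range expresses the same thing)."""
    net = ipaddress.ip_network(prefix, strict=True)
    family = AF_IPV4 if net.version == 4 else AF_IPV6
    # InetAddressIPv4 / InetAddressIPv6 octet formats: 4 and 16 bytes, network order.
    return AddressRow(family, net.network_address.packed, net.broadcast_address.packed)


def presented_address(text: str) -> Tuple[int, bytes]:
    """Encode the address an entity connects from as (AddrType, IpsAuthAddress octets)."""
    ip = ipaddress.ip_address(text)
    return (AF_IPV4 if ip.version == 4 else AF_IPV6, ip.packed)


def address_in_row(addr_type: int, packed: bytes, row: AddressRow) -> bool:
    """True if the presented address lies within the row's inclusive range."""
    if addr_type != row.addr_type:
        return False
    width = {AF_IPV4: 4, AF_IPV6: 16}.get(addr_type)
    # Fixed-width octet strings compare lexicographically in numeric order; a row
    # of the wrong length is malformed and never matches (fail closed).
    if width is None or not (len(packed) == len(row.start) == len(row.end) == width):
        return False
    return row.start <= packed <= row.end


def matches(identity: Identity, name: Optional[str] = None,
            addr: Optional[Tuple[int, bytes]] = None,
            credential: Optional[Tuple[str, str]] = None) -> bool:
    """Apply 7.1: OR within a category, AND across the non-empty categories."""
    checks = []
    if identity.names:
        checks.append(name in identity.names)
    if identity.addresses:
        checks.append(addr is not None and
                      any(address_in_row(addr[0], addr[1], r) for r in identity.addresses))
    if identity.credentials:
        checks.append(credential in identity.credentials)
    # Beyond the draft's text: an identity with no rows at all would match every
    # entity, so this example refuses it instead of treating it as a wildcard.
    return bool(checks) and all(checks)


def example() -> dict:
    """Constructed sample mirroring the draft's own example: two address rows,
    one credential row, no name rows (addresses are documentation prefixes)."""
    host = Identity(
        description="constructed: backup host",
        addresses=[cidr_to_row("192.0.2.0/24"), cidr_to_row("2001:db8:1::/64")],
        credentials=[("CHAP", "backup-initiator")],
    )
    chap = ("CHAP", "backup-initiator")
    return {
        "v4_in_range_and_cred": matches(host, addr=presented_address("192.0.2.40"), credential=chap),
        "v6_in_range_and_cred": matches(host, addr=presented_address("2001:db8:1::9"), credential=chap),
        "addr_out_of_range": matches(host, addr=presented_address("192.0.3.1"), credential=chap),
        "wrong_credential": matches(host, addr=presented_address("192.0.2.40"),
                                    credential=("CHAP", "other")),
        "no_credential": matches(host, addr=presented_address("192.0.2.40")),
        "empty_identity_denied": matches(Identity("constructed: empty"), name="anything"),
    }
```

   Because the range endpoints are stored as fixed-width octet strings,
   the comparison in address_in_row is a plain byte comparison; the
   length check is what keeps a truncated or over-long IpsAuthAddress
   value from being silently treated as a match.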
   Index values such as ipsAuthInstIndex and ipsAuthIdentIndex are
   referenced in multiple tables, and rows can be added and deleted.  An
   implementation should therefore attempt to keep all index values
   persistent across reboots; index values for rows that have been
   deleted must not be reused before a reboot.

7.2. ipsAuthInstance

   The ipsAuthInstanceAttributesTable is the primary table of the IPS-
   AUTH-MIB module.  Every other table entry in this module includes the
   index of an ipsAuthInstanceAttributesEntry as its primary index.  An
   authorization instance is basically a managed set of identities.

   Many implementations will include just one authorization instance row
   in this table.  However, there will be cases where multiple rows in
   this table may be used:

   - A large system may be "partitioned" into multiple, distinct virtual
     systems, perhaps sharing the SNMP agent but not their lists of
     identities.  Each virtual system would have its own authorization
     instance.

   - A set of stackable systems, each with their own set of identities,
     may be represented by a common SNMP agent.  Each individual system
     would have its own authorization instance.

   - Multiple protocols, each with their own set of identities, may
     exist within a single system and be represented by a single SNMP
     agent.  In this case, each protocol may have its own authorization
     instance.

   An entry in this table is often referenced by its name
   (ipsAuthInstDescr), which should be displayed to the user by the
   management station.  When an implementation supports only one entry
   in this table, the description may be returned as a zero-length
   string.

7.3. ipsAuthIdentity

   The ipsAuthIdentAttributesTable contains one entry for each
   configured user identity.  The identity contains only a description
   of what the identity is used for; its attributes are all contained in
   other tables, since they can each have multiple values.

   Other MIB modules containing lists of users authorized to access a
   particular resource should generally contain a RowPointer to the
   ipsAuthIdentAttributesEntry which will, if authenticated, be allowed
   access to the resource.

   All other table entries make use of the indices to this table as
   their primary indices.

7.4. ipsAuthIdentityName

   The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names,
   each of which belongs to, and may be used to identify, a particular
   identity in the authIdentity table.

   Implementations making use of the IPS-AUTH-MIB module may identify
   their resources by names, addresses, or both.  A name is typically a
   unique (within the required scope), unchanging identifier for a
   resource.  It will normally meet some or all of the requirements for a
   Uniform Resource Name [RFC1737], although a name in the context of
   this MIB module does not need to be a URN.  Identifiers that
   typically change over time should generally be placed into the
   ipsAuthIdentityAddress table; names that have no uniqueness
   properties should usually be placed into the description attribute
   for the identity.

   An example of an identity name is the iSCSI Name, defined in
   [RFC3720].  Any other MIB module defining names to be used as
   ipsAuthIdentityName objects should specify how its names are unique,
   and the domain within which they are unique.

   If this table contains no entries associated with a particular user
   identity, the implementation does not need to check any name
   parameters when verifying that identity.  If the table contains
   multiple entries associated with a particular user identity, the
   implementation should consider a match with any one of these entries
   to be valid.

7.5. ipsAuthIdentityAddress

   The ipsAuthIdentAddrAttributesTable contains a list of addresses at
   which the identity may reside.  For example, an identity may be
   allowed access to a resource only from a certain IP address, or only
   if its address is in a certain range or set of ranges.

   Each entry contains a starting and ending address.  If a single
   address is desired in the list, both starting and ending addresses
   must be identical.

   Each entry contains an AddrType attribute.  This attribute contains
   an enumeration registered as an IANA Address Family type [IANA-AF].
   Although many implementations will use IPv4 or IPv6 address types for
   these entries, any IANA-registered type may be used, as long as it
   makes sense to the application.

   Matching any address within any range within the list associated with
   a particular identity is considered to be a valid match.  If no
   entries are present in this list for a given identity, its address is
   automatically assumed to match the identity.

   Netmasks are not supported, since an address range can express the
   same thing with more flexibility.  An application specifying
   addresses using network masks may do so, and convert to and from
   address ranges when reading or writing this MIB module.

7.6. ipsAuthCredential

   The ipsAuthCredentialAttributesTable contains a list of credentials,
   each of which may be used to verify a particular identity.

   Each credential contains an authentication method to be used, such as
   CHAP [RFC1994], SRP [RFC2945], or Kerberos [RFC1510].  This attribute
   contains an object identifier instead of an enumerated type, allowing
   other MIB modules to add their own authentication methods, without
   modifying this MIB module.

   For each entry in this table, there will exist an entry in another
   table containing its attributes.  The table in which to place the
   entry depends on the AuthMethod attribute:

   CHAP      If the AuthMethod is set to the CHAP OID, an entry using the
             same indices as the ipsAuthCredential will exist in the
             ipsAuthCredChap table, which contains the CHAP username.

   SRP       If the AuthMethod is set to the SRP OID, an entry using the
             same indices as the ipsAuthCredential will exist in the
             ipsAuthCredSrp table, which contains the SRP username.

   Kerberos  If the AuthMethod is set to the Kerberos OID, an entry using
             the same indices as the ipsAuthCredential will exist in the
             ipsAuthCredKerberos table, which contains the Kerberos
             principal.

   Other     If the AuthMethod is set to any OID not defined in this
             module, an entry using the same indices as the
             ipsAuthCredential entry should be placed in the other module
             that defines whatever attributes are needed for that type of
             credential.

7.7. IP, Fibre Channel, and Other Addresses

   The IP addresses in this MIB module are represented by two
   attributes, one of type AddressFamilyNumbers, and the other of type
   AuthAddress.  Each address can take on any of the types within the
   list of address family numbers; the most likely being IPv4, IPv6, or
   one of the Fibre Channel address types.

   The type AuthAddress is an octet string.  If the address family is
   IPv4 or IPv6, the format is taken from the InetAddress specified in
   [RFC4001].  If the address family is one of the Fibre Channel types,
   the format is identical to the FcNameIdOrZero type defined in
   [RFC4044].

7.8. Descriptors: Using OIDs in Place of Enumerated Types

   Some attributes, particularly the authentication method attribute,
   would normally require an enumerated type.  However, implementations
   will likely need to add new authentication method types of their own,
   without extending this MIB module.
To make this work, this module 414 defines a set of object identities within ipsAuthDescriptors. Each 415 of these object identities is basically an enumerated type. 417 Attributes that make use of these object identities have a value 418 which is an OID instead of an enumerated type. These OIDs can either 419 indicate the object identities defined in this module, or object 420 identities defined elsewhere, such as in an enterprise MIB module. 421 Those implementations that add their own authentication methods 422 should also define a corresponding object identity for each of these 423 methods within their own enterprise MIB module, and return its OID 424 whenever one of these attributes is using that method. 426 7.9. Notifications 428 Monitoring of authentication failures and other notification events 429 are outside the scope of this MIB module, as they are generally 430 application-specific. No notifications are provided or required. 432 8. MIB Definitions 434 IPS-AUTH-MIB DEFINITIONS ::= BEGIN 436 IMPORTS 437 MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32, 438 mib-2 439 FROM SNMPv2-SMI 441 TEXTUAL-CONVENTION, RowStatus, AutonomousType, StorageType 442 FROM SNMPv2-TC 444 MODULE-COMPLIANCE, OBJECT-GROUP 445 FROM SNMPv2-CONF 447 SnmpAdminString 448 FROM SNMP-FRAMEWORK-MIB -- RFC 3411 450 AddressFamilyNumbers 451 FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB 452 ; 454 ipsAuthMibModule MODULE-IDENTITY 455 LAST-UPDATED "200602240000Z" -- February 24, 2006 456 ORGANIZATION "IETF IPS Working Group" 457 CONTACT-INFO 458 " 459 Mark Bakke 460 Postal: Cisco Systems, Inc 461 7900 International Drive, Suite 400 462 Bloomington, MN 463 USA 55425 465 E-mail: mbakke@cisco.com 467 James Muchow 468 Postal: Qlogic Corp. 469 6321 Bury Dr. 470 Eden Prairie, MN 471 USA 55346 473 E-Mail: james.muchow@qlogic.com" 475 DESCRIPTION 476 "The IP Storage Authorization MIB module. 477 Copyright (C) The Internet Society (2006). 
This version of 478 this MIB module is part of RFC yyyy; see the RFC itself for 479 full legal notices." 480 -- RFC Ed.: replace yyyy with actual RFC number & remove this note 481 REVISION "200602240000Z" -- February 24, 2006 482 DESCRIPTION 483 "Initial version of the IP Storage Authentication MIB module, 484 published as RFC yyyy" -- RFC Ed.: fill in yyyy 486 ::= { mib-2 xx } -- xx to be assigned by IANA 488 ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthMibModule 0 } 489 ipsAuthObjects OBJECT IDENTIFIER ::= { ipsAuthMibModule 1 } 490 ipsAuthConformance OBJECT IDENTIFIER ::= { ipsAuthMibModule 2 } 492 -- Textual Conventions 494 IpsAuthAddress ::= TEXTUAL-CONVENTION 495 STATUS current 496 DESCRIPTION 497 "IP Storage requires the use of address information 498 that uses not only the InetAddress type defined in the 499 INET-ADDRESS-MIB, but also Fibre Channel type defined 500 in the Fibre Channel Management MIB. Although these 501 address types are recognized in the IANA Address Family 502 Numbers MIB, the addressing mechanisms have not been 503 merged into a well-known, common type. This data type, 504 the IpsAuthAddress, performs the merging for this MIB 505 module. 507 The formats of objects of this type are determined by 508 a corresponding object with syntax AddressFamilyNumbers 509 and thus, every object defined using this TC must 510 identify the object with syntax AddressFamilyNumbers 511 which specifies its type. 513 The syntax and semantics of this object depends on the 514 identified AddressFamilyNumbers object as follows: 516 AddressFamilyNumbers this object 517 ==================== =========== 518 ipV4(1) restricted to the same syntax and 519 semantics as the InetAddressIPv4 TC. 521 ipV6(2) restricted to the same syntax and 522 semantics as the InetAddressIPv6 TC. 524 fibreChannelWWPN (22) 525 & fibreChannelWWNN(23) restricted to the same syntax and 526 semantics as the FcNameIdOrZero TC. 
528 Using types other than the above should not be used unless 529 the corresponding format of the IpsAuthAddress object is 530 further specified (e.g., in a future revision of this TC)." 531 REFERENCE 532 "IANA-ADDRESS-FAMILY-NUMBERS-MIB; 533 INET-ADDRESS-MIB (RFC 4001); 534 FC-MGMT-MIB (RFC 4044)." 535 SYNTAX OCTET STRING (SIZE(0..255)) 537 --****************************************************************** 539 ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 } 541 ipsAuthMethodTypes OBJECT-IDENTITY 542 STATUS current 543 DESCRIPTION 544 "Registration point for Authentication Method Types." 545 REFERENCE "RFC 3720, iSCSI Protocol Specification." 546 ::= { ipsAuthDescriptors 1 } 548 ipsAuthMethodNone OBJECT-IDENTITY 549 STATUS current 550 DESCRIPTION 551 "The authoritative identifier when no authentication 552 method is used." 553 REFERENCE "RFC 3720, iSCSI Protocol Specification." 554 ::= { ipsAuthMethodTypes 1 } 556 ipsAuthMethodSrp OBJECT-IDENTITY 557 STATUS current 558 DESCRIPTION 559 "The authoritative identifier when the authentication 560 method is SRP." 561 REFERENCE "RFC 3720, iSCSI Protocol Specification." 562 ::= { ipsAuthMethodTypes 2 } 564 ipsAuthMethodChap OBJECT-IDENTITY 565 STATUS current 566 DESCRIPTION 567 "The authoritative identifier when the authentication 568 method is CHAP." 569 REFERENCE "RFC 3720, iSCSI Protocol Specification." 570 ::= { ipsAuthMethodTypes 3 } 572 ipsAuthMethodKerberos OBJECT-IDENTITY 573 STATUS current 574 DESCRIPTION 575 "The authoritative identifier when the authentication 576 method is Kerberos." 577 REFERENCE "RFC 3720, iSCSI Protocol Specification." 
578 ::= { ipsAuthMethodTypes 4 } 580 --****************************************************************** 582 ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 } 584 -- Instance Attributes Table 586 ipsAuthInstanceAttributesTable OBJECT-TYPE 587 SYNTAX SEQUENCE OF IpsAuthInstanceAttributesEntry 588 MAX-ACCESS not-accessible 589 STATUS current 590 DESCRIPTION 591 "A list of Authorization instances present on the system." 592 ::= { ipsAuthInstance 2 } 594 ipsAuthInstanceAttributesEntry OBJECT-TYPE 595 SYNTAX IpsAuthInstanceAttributesEntry 596 MAX-ACCESS not-accessible 597 STATUS current 598 DESCRIPTION 599 "An entry (row) containing management information 600 applicable to a particular Authorization instance." 601 INDEX { ipsAuthInstIndex } 602 ::= { ipsAuthInstanceAttributesTable 1 } 604 IpsAuthInstanceAttributesEntry ::= SEQUENCE { 605 ipsAuthInstIndex Unsigned32, 606 ipsAuthInstDescr SnmpAdminString, 607 ipsAuthInstStorageType StorageType 608 } 610 ipsAuthInstIndex OBJECT-TYPE 611 SYNTAX Unsigned32 (1..4294967295) 612 MAX-ACCESS not-accessible 613 STATUS current 614 DESCRIPTION 615 "An arbitrary integer used to uniquely identify a 616 particular authorization instance. This index value 617 must not be modified or reused by an agent unless 618 a reboot has occurred. An agent should attempt to 619 keep this value persistent across reboots." 620 ::= { ipsAuthInstanceAttributesEntry 1 } 621 ipsAuthInstDescr OBJECT-TYPE 622 SYNTAX SnmpAdminString 623 MAX-ACCESS read-write 624 STATUS current 625 DESCRIPTION 626 "A character string, determined by the implementation to 627 describe the authorization instance. When only a single 628 instance is present, this object may be set to the 629 zero-length string; with multiple authorization 630 instances, it must be set to a unique value in an 631 implementation-dependent manner to describe the purpose 632 of the respective instance. 
If this is deployed in a 633 master agent with more than one subagent implementing 634 this MIB module, the master agent is responsible for 635 ensuring that this object is unique across all 636 subagents." 637 ::= { ipsAuthInstanceAttributesEntry 2 } 639 ipsAuthInstStorageType OBJECT-TYPE 640 SYNTAX StorageType 641 MAX-ACCESS read-write 642 STATUS current 643 DESCRIPTION 644 "The storage type for all read-write objects within this 645 row. Rows in this table are always created via an 646 external process, and may have a storage type of readOnly 647 or permanent. Conceptual rows having the value 'permanent' 648 need not allow write access to any columnar objects in 649 the row. 651 If this object has the value 'volatile', modifications 652 to read-write objects in this row are not persistent 653 across reboots. If this object has the value 654 'nonVolatile', modifications to objects in this row 655 are persistent. 657 An implementation may choose to allow this object 658 to be set to either 'nonVolatile' or 'volatile', 659 allowing the management application to choose this 660 behavior." 661 DEFVAL { volatile } 662 ::= { ipsAuthInstanceAttributesEntry 3 } 664 ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 } 666 -- User Identity Attributes Table 668 ipsAuthIdentAttributesTable OBJECT-TYPE 669 SYNTAX SEQUENCE OF IpsAuthIdentAttributesEntry 670 MAX-ACCESS not-accessible 671 STATUS current 672 DESCRIPTION 673 "A list of user identities, each belonging to a 674 particular ipsAuthInstance." 675 ::= { ipsAuthIdentity 1 } 677 ipsAuthIdentAttributesEntry OBJECT-TYPE 678 SYNTAX IpsAuthIdentAttributesEntry 679 MAX-ACCESS not-accessible 680 STATUS current 681 DESCRIPTION 682 "An entry (row) containing management information 683 describing a user identity within an authorization 684 instance on this node." 
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex }
::= { ipsAuthIdentAttributesTable 1 }

IpsAuthIdentAttributesEntry ::= SEQUENCE {
    ipsAuthIdentIndex          Unsigned32,
    ipsAuthIdentDescription    SnmpAdminString,
    ipsAuthIdentRowStatus      RowStatus,
    ipsAuthIdentStorageType    StorageType
}

ipsAuthIdentIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular identity instance within an authorization
        instance present on the node.  This index value
        must not be modified or reused by an agent unless
        a reboot has occurred.  An agent should attempt to
        keep this value persistent across reboots."
::= { ipsAuthIdentAttributesEntry 1 }

ipsAuthIdentDescription OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "A character string describing this particular identity."
::= { ipsAuthIdentAttributesEntry 2 }

ipsAuthIdentRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP.  When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus.  The value of
        ipsAuthIdentDescription may be set while
        ipsAuthIdentRowStatus is 'active'."
::= { ipsAuthIdentAttributesEntry 3 }

ipsAuthIdentStorageType OBJECT-TYPE
    SYNTAX        StorageType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent.
        Conceptual rows having the value 'permanent' need not
        allow write access to any columnar objects in the row."
    DEFVAL { nonVolatile }
::= { ipsAuthIdentAttributesEntry 4 }

ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 }

-- User Initiator Name Attributes Table

ipsAuthIdentNameAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentNameAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of unique names that can be used to positively
        identify a particular user identity."
::= { ipsAuthIdentityName 1 }

ipsAuthIdentNameAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentNameAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a unique identity name which can be used
        to identify a user identity within a particular
        authorization instance."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
            ipsAuthIdentNameIndex }
::= { ipsAuthIdentNameAttributesTable 1 }

IpsAuthIdentNameAttributesEntry ::= SEQUENCE {
    ipsAuthIdentNameIndex          Unsigned32,
    ipsAuthIdentName               SnmpAdminString,
    ipsAuthIdentNameRowStatus      RowStatus,
    ipsAuthIdentNameStorageType    StorageType
}

ipsAuthIdentNameIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular identity name instance within an
        ipsAuthIdentity within an authorization instance.
        This index value must not be modified or reused by
        an agent unless a reboot has occurred.  An agent
        should attempt to keep this value persistent across
        reboots."
::= { ipsAuthIdentNameAttributesEntry 1 }

ipsAuthIdentName OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "A character string which is the unique name of an
        identity that may be used to identify this ipsAuthIdent
        entry."
::= { ipsAuthIdentNameAttributesEntry 2 }

ipsAuthIdentNameRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP.  When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus.  The value of
        ipsAuthIdentName may be set when this value is 'active'."
::= { ipsAuthIdentNameAttributesEntry 3 }

ipsAuthIdentNameStorageType OBJECT-TYPE
    SYNTAX        StorageType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent.
        Conceptual rows having the value 'permanent' need not
        allow write access to any columnar objects in the row."
    DEFVAL { nonVolatile }
::= { ipsAuthIdentNameAttributesEntry 4 }

ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 }

-- User Initiator Address Attributes Table

ipsAuthIdentAddrAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentAddrAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of address ranges that are allowed to serve
        as the endpoint addresses of a particular identity.
        An address range includes a starting and ending address
        and an optional netmask, and an address type indicator,
        which can specify whether the address is IPv4, IPv6,
        FC-WWPN, or FC-WWNN."
::= { ipsAuthIdentityAddress 1 }

ipsAuthIdentAddrAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentAddrAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to an address range which is used as part
        of the authorization of an identity
        within an authorization instance on this node."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
            ipsAuthIdentAddrIndex }
::= { ipsAuthIdentAddrAttributesTable 1 }

IpsAuthIdentAddrAttributesEntry ::= SEQUENCE {
    ipsAuthIdentAddrIndex          Unsigned32,
    ipsAuthIdentAddrType           AddressFamilyNumbers,
    ipsAuthIdentAddrStart          IpsAuthAddress,
    ipsAuthIdentAddrEnd            IpsAuthAddress,
    ipsAuthIdentAddrRowStatus      RowStatus,
    ipsAuthIdentAddrStorageType    StorageType
}

ipsAuthIdentAddrIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular ipsAuthIdentAddress instance within an
        ipsAuthIdentity within an authorization instance
        present on the node.
        This index value must not be modified or reused by
        an agent unless a reboot has occurred.  An agent
        should attempt to keep this value persistent across
        reboots."
::= { ipsAuthIdentAddrAttributesEntry 1 }

ipsAuthIdentAddrType OBJECT-TYPE
    SYNTAX        AddressFamilyNumbers
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The address types used in the ipsAuthIdentAddrStart
        and ipsAuthIdentAddrEnd objects.  This type is taken
        from the IANA address family types."
::= { ipsAuthIdentAddrAttributesEntry 2 }

ipsAuthIdentAddrStart OBJECT-TYPE
    SYNTAX        IpsAuthAddress
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The starting address of the allowed address range.
        The format of this object is determined by
        ipsAuthIdentAddrType."
::= { ipsAuthIdentAddrAttributesEntry 3 }

ipsAuthIdentAddrEnd OBJECT-TYPE
    SYNTAX        IpsAuthAddress
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The ending address of the allowed address range.
        If the ipsAuthIdentAddrAttributesEntry specifies a single
        address, this shall match the ipsAuthIdentAddrStart.
        The format of this object is determined by
        ipsAuthIdentAddrType."
::= { ipsAuthIdentAddrAttributesEntry 4 }

ipsAuthIdentAddrRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP.  When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus.  The values of
        ipsAuthIdentAddrStart and ipsAuthIdentAddrEnd may be set
        when this value is 'active'.  The value of
        ipsAuthIdentAddrType may not be set when this value is
        'active'."
::= { ipsAuthIdentAddrAttributesEntry 5 }

ipsAuthIdentAddrStorageType OBJECT-TYPE
    SYNTAX        StorageType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent.
        Conceptual rows having the value 'permanent' need not
        allow write access to any columnar objects in the row."
    DEFVAL { nonVolatile }
::= { ipsAuthIdentAddrAttributesEntry 6 }

ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 }

-- Credential Attributes Table

ipsAuthCredentialAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredentialAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of credentials related to user identities
        that are allowed as valid authenticators of the
        particular identity."
::= { ipsAuthCredential 1 }

ipsAuthCredentialAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredentialAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which verifies a user
        identity within an authorization instance.

        To provide complete information in this MIB for a credential,
        the management station must not only create the row in this
        table but must also create a row in another table, where the
        other table is determined by the value of ipsAuthCredAuthMethod,
        e.g., if ipsAuthCredAuthMethod has the value ipsAuthMethodChap,
        a row must be created in the ipsAuthCredChapAttributesTable."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredentialAttributesTable 1 }

IpsAuthCredentialAttributesEntry ::= SEQUENCE {
    ipsAuthCredIndex          Unsigned32,
    ipsAuthCredAuthMethod     AutonomousType,
    ipsAuthCredRowStatus      RowStatus,
    ipsAuthCredStorageType    StorageType
}

ipsAuthCredIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular Credential instance within an instance
        present on the node.
        This index value must not be modified or reused by
        an agent unless a reboot has occurred.  An agent
        should attempt to keep this value persistent across
        reboots."
::= { ipsAuthCredentialAttributesEntry 1 }

ipsAuthCredAuthMethod OBJECT-TYPE
    SYNTAX        AutonomousType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This object contains an OBJECT IDENTIFIER
        which identifies the authentication method
        used with this credential.

        When a row is created in this table, a corresponding
        row must be created by the management station
        in a corresponding table specified by this value.
        When a row is deleted from this table, the corresponding
        row must be automatically deleted by the agent in
        the corresponding table specified by this value.

        If the value of this object is ipsAuthMethodNone, no
        corresponding rows are created or deleted from other
        tables.

        Some standardized values for this object are defined
        within the ipsAuthMethodTypes subtree."
::= { ipsAuthCredentialAttributesEntry 2 }

ipsAuthCredRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP.  When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus.  The value of
        ipsAuthCredAuthMethod must not be changed while this row
        is 'active'."
::= { ipsAuthCredentialAttributesEntry 3 }

ipsAuthCredStorageType OBJECT-TYPE
    SYNTAX        StorageType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent.
        Conceptual rows having the value 'permanent' need not
        allow write access to any columnar objects in the row."
    DEFVAL { nonVolatile }
::= { ipsAuthCredentialAttributesEntry 4 }

ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 7 }

-- Credential Chap-Specific Attributes Table

ipsAuthCredChapAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredChapAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of CHAP attributes for credentials that
        use ipsAuthMethodChap as their ipsAuthCredAuthMethod.

        A row in this table can only exist when an instance of
        the ipsAuthCredAuthMethod object exists (or is created
        simultaneously) having the same instance identifiers
        and a value of 'ipsAuthMethodChap'."
::= { ipsAuthCredChap 1 }

ipsAuthCredChapAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredChapAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodChap as its ipsAuthCredAuthMethod.

        When a row is created in ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthMethodChap, the
        management station must create a corresponding row
        in this table.

        When a row is deleted from ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthMethodChap, the
        agent must delete the corresponding row (if any) in
        this table."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredChapAttributesTable 1 }

IpsAuthCredChapAttributesEntry ::= SEQUENCE {
    ipsAuthCredChapUserName       SnmpAdminString,
    ipsAuthCredChapRowStatus      RowStatus,
    ipsAuthCredChapStorageType    StorageType
}

ipsAuthCredChapUserName OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "A character string containing the CHAP user name for this
        credential."
    REFERENCE
        "W. Simpson, RFC 1994: PPP Challenge Handshake
        Authentication Protocol (CHAP), August 1996"
::= { ipsAuthCredChapAttributesEntry 1 }

ipsAuthCredChapRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP.  When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus.  The value of
        ipsAuthCredChapUserName may be changed while this row
        is 'active'."
::= { ipsAuthCredChapAttributesEntry 2 }

ipsAuthCredChapStorageType OBJECT-TYPE
    SYNTAX        StorageType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent.
        Conceptual rows having the value 'permanent' need not
        allow write access to any columnar objects in the row."
    DEFVAL { nonVolatile }
::= { ipsAuthCredChapAttributesEntry 3 }

ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 8 }

-- Credential Srp-Specific Attributes Table

ipsAuthCredSrpAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredSrpAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of SRP attributes for credentials that
        use ipsAuthMethodSrp as their ipsAuthCredAuthMethod.

        A row in this table can only exist when an instance of
        the ipsAuthCredAuthMethod object exists (or is created
        simultaneously) having the same instance identifiers
        and a value of 'ipsAuthMethodSrp'."
::= { ipsAuthCredSrp 1 }

ipsAuthCredSrpAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredSrpAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodSrp as its ipsAuthCredAuthMethod.

        When a row is created in ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthMethodSrp, the
        management station must create a corresponding row
        in this table.

        When a row is deleted from ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthMethodSrp, the
        agent must delete the corresponding row (if any) in
        this table."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredSrpAttributesTable 1 }

IpsAuthCredSrpAttributesEntry ::= SEQUENCE {
    ipsAuthCredSrpUserName       SnmpAdminString,
    ipsAuthCredSrpRowStatus      RowStatus,
    ipsAuthCredSrpStorageType    StorageType
}

ipsAuthCredSrpUserName OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "A character string containing the SRP user name for this
        credential."
    REFERENCE
        "T. Wu, RFC 2945: The SRP Authentication and Key
        Exchange System, September 2000"
::= { ipsAuthCredSrpAttributesEntry 1 }

ipsAuthCredSrpRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP.  When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus.  The value of
        ipsAuthCredSrpUserName may be changed while the status
        of this row is 'active'."
::= { ipsAuthCredSrpAttributesEntry 2 }

ipsAuthCredSrpStorageType OBJECT-TYPE
    SYNTAX        StorageType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent.
        Conceptual rows having the value 'permanent' need not
        allow write access to any columnar objects in the row."
    DEFVAL { nonVolatile }
::= { ipsAuthCredSrpAttributesEntry 3 }

ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 9 }

-- Credential Kerberos-Specific Attributes Table

ipsAuthCredKerbAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredKerbAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of Kerberos attributes for credentials that
        use ipsAuthMethodKerberos as their ipsAuthCredAuthMethod.

        A row in this table can only exist when an instance of
        the ipsAuthCredAuthMethod object exists (or is created
        simultaneously) having the same instance identifiers
        and a value of 'ipsAuthMethodKerberos'."
::= { ipsAuthCredKerberos 1 }

ipsAuthCredKerbAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredKerbAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodKerberos as its ipsAuthCredAuthMethod.

        When a row is created in ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthMethodKerberos, the
        management station must create a corresponding row
        in this table.

        When a row is deleted from ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthMethodKerberos, the
        agent must delete the corresponding row (if any) in
        this table."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredKerbAttributesTable 1 }

IpsAuthCredKerbAttributesEntry ::= SEQUENCE {
    ipsAuthCredKerbPrincipal      SnmpAdminString,
    ipsAuthCredKerbRowStatus      RowStatus,
    ipsAuthCredKerbStorageType    StorageType
}

ipsAuthCredKerbPrincipal OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "A character string containing a Kerberos principal
        for this credential."
    REFERENCE
        "J. Kohl, C. Neuman, RFC 1510: The Kerberos Network
        Authentication Service (V5), September 1993"
::= { ipsAuthCredKerbAttributesEntry 1 }

ipsAuthCredKerbRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP.  When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus.  The value of
        ipsAuthCredKerbPrincipal may be changed while this row
        is 'active'."
::= { ipsAuthCredKerbAttributesEntry 2 }

ipsAuthCredKerbStorageType OBJECT-TYPE
    SYNTAX        StorageType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent.
        Conceptual rows having the value 'permanent' need not
        allow write access to any columnar objects in the row."
    DEFVAL { nonVolatile }
::= { ipsAuthCredKerbAttributesEntry 3 }

--******************************************************************
-- Notifications

-- There are no notifications necessary in this MIB module.

--******************************************************************

-- Conformance Statements

ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 1 }
ipsAuthGroups      OBJECT IDENTIFIER ::= { ipsAuthConformance 2 }

ipsAuthInstanceAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthInstDescr,
        ipsAuthInstStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        authorization instances."
::= { ipsAuthGroups 1 }

ipsAuthIdentAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentDescription,
        ipsAuthIdentRowStatus,
        ipsAuthIdentStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        user identities within an authorization instance."
::= { ipsAuthGroups 2 }

ipsAuthIdentNameAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentName,
        ipsAuthIdentNameRowStatus,
        ipsAuthIdentNameStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        user names within user identities within an authorization
        instance."
::= { ipsAuthGroups 3 }

ipsAuthIdentAddrAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentAddrType,
        ipsAuthIdentAddrStart,
        ipsAuthIdentAddrEnd,
        ipsAuthIdentAddrRowStatus,
        ipsAuthIdentAddrStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        address ranges within user identities within an
        authorization instance."
::= { ipsAuthGroups 4 }

ipsAuthIdentCredAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredAuthMethod,
        ipsAuthCredRowStatus,
        ipsAuthCredStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        credentials within user identities within an authorization
        instance."
::= { ipsAuthGroups 5 }

ipsAuthIdentChapAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredChapUserName,
        ipsAuthCredChapRowStatus,
        ipsAuthCredChapStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        CHAP credentials within user identities within an
        authorization instance."
::= { ipsAuthGroups 6 }

ipsAuthIdentSrpAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredSrpUserName,
        ipsAuthCredSrpRowStatus,
        ipsAuthCredSrpStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        SRP credentials within user identities within an
        authorization instance."
::= { ipsAuthGroups 7 }

ipsAuthIdentKerberosAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredKerbPrincipal,
        ipsAuthCredKerbRowStatus,
        ipsAuthCredKerbStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        Kerberos credentials within user identities within an
        authorization instance."
::= { ipsAuthGroups 8 }

--******************************************************************

ipsAuthComplianceV1 MODULE-COMPLIANCE
    STATUS        current
    DESCRIPTION
        "Initial version of compliance statement based on
        initial version of this MIB module.

        The Instance and Identity groups are mandatory;
        at least one of the other groups (Name, Address,
        Credential, Certificate) is also mandatory for
        any given implementation."
    MODULE -- this module
    MANDATORY-GROUPS {
        ipsAuthInstanceAttributesGroup,
        ipsAuthIdentAttributesGroup
    }

    -- Conditionally mandatory groups to be included with
    -- the mandatory groups when necessary.

    GROUP ipsAuthIdentNameAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that make use of unique identity names."

    GROUP ipsAuthIdentAddrAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use addresses to help verify identities."

    GROUP ipsAuthIdentCredAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use credentials to help verify identities."
    GROUP ipsAuthIdentChapAttrGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use CHAP to help verify identities.

        The ipsAuthIdentCredAttributesGroup must be
        implemented if this group is implemented."

    GROUP ipsAuthIdentSrpAttrGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use SRP to help verify identities.

        The ipsAuthIdentCredAttributesGroup must be
        implemented if this group is implemented."

    GROUP ipsAuthIdentKerberosAttrGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use Kerberos to help verify identities.

        The ipsAuthIdentCredAttributesGroup must be
        implemented if this group is implemented."

    OBJECT ipsAuthInstDescr
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthInstStorageType
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentDescription
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentRowStatus
    SYNTAX        INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthIdentName
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentNameRowStatus
    SYNTAX        INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthIdentAddrType
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentAddrStart
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentAddrEnd
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentAddrRowStatus
    SYNTAX        INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredAuthMethod
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredRowStatus
    SYNTAX        INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredChapUserName
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredChapRowStatus
    SYNTAX        INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredSrpUserName
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredSrpRowStatus
    SYNTAX        INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredKerbPrincipal
    MIN-ACCESS    read-only
    DESCRIPTION
        "Write access is not required."
   OBJECT ipsAuthCredKerbRowStatus
   SYNTAX INTEGER { active(1) } -- subset of RowStatus
   MIN-ACCESS read-only
   DESCRIPTION
       "Write access is not required, and only one of the
       six enumerated values for the RowStatus textual
       convention need be supported, specifically:
       active(1)."

   ::= { ipsAuthCompliances 1 }

END

9. Security Considerations

9.1. MIB Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create. Such
   objects may be considered sensitive or vulnerable in some network
   environments. The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations. These are the tables and objects and their
   sensitivity/vulnerability:

   o  in the ipsAuthInstanceAttributesTable:

      -  ipsAuthInstDescr could be modified to camouflage the existence
         of a rogue authorization instance;

   o  in the ipsAuthIdentAttributesTable:

      -  ipsAuthIdentDescription could be modified to camouflage the
         existence of a rogue identity;

      -  ipsAuthIdentRowStatus could be modified to add or delete a rogue
         identity;

      -  ipsAuthIdentStorageType could be modified to make temporary rows
         permanent, or permanent rows temporary;

   o  in the ipsAuthIdentNameAttributesTable:

      -  ipsAuthIdentName could be modified to change the name of an
         existing identity;

      -  ipsAuthIdentNameRowStatus could be modified to add or delete a
         name of an existing identity;

      -  ipsAuthIdentNameStorageType could be modified to make temporary
         rows permanent, or permanent rows temporary;

   o  in the ipsAuthIdentAddrAttributesTable:

      -  ipsAuthIdentAddrType could be modified to change the type of
         address checking performed;

      -  ipsAuthIdentAddrStart could be modified to change the start of
         the allowed range;

      -  ipsAuthIdentAddrEnd could be modified to change the end of the
         allowed range;

      -  ipsAuthIdentAddrRowStatus could be modified to add or delete the
         checking of an address range;

      -  ipsAuthIdentAddrStorageType could be modified to make temporary
         rows permanent, or permanent rows temporary;

   o  in the ipsAuthCredentialAttributesTable:

      -  ipsAuthCredAuthMethod could be modified to change the type of
         authentication to be used;

      -  ipsAuthCredRowStatus could be modified to add or delete checking
         of credentials;

      -  ipsAuthCredStorageType could be modified to make temporary rows
         permanent, or permanent rows temporary;

   o  in the ipsAuthCredChapAttributesTable:

      -  ipsAuthCredChapUserName could be modified to change the CHAP
         user name for a credential;

      -  ipsAuthCredChapRowStatus could be modified to add or delete CHAP
         attributes for credentials;

      -  ipsAuthCredChapStorageType could be modified to make temporary
         rows permanent, or permanent rows temporary;

   o  in the ipsAuthCredSrpAttributesTable:

      -  ipsAuthCredSrpUserName could be modified to change the SRP user
         name for a credential;

      -  ipsAuthCredSrpRowStatus could be modified to add or delete SRP
         attributes for credentials;

      -  ipsAuthCredSrpStorageType could be modified to make temporary
         rows permanent, or permanent rows temporary;

   o  in the ipsAuthCredKerbAttributesTable:

      -  ipsAuthCredKerbPrincipal could be modified to change the
         Kerberos principal for a credential;

      -  ipsAuthCredKerbRowStatus could be modified to add or delete
         Kerberos attributes for credentials;

      -  ipsAuthCredKerbStorageType could be modified to make temporary
         rows permanent, or permanent rows temporary.

   Note that removal of legitimate credentials can result in denial of
   service, or can weaken the requirements for access to a particular
   service. Note also that some types of credentials, such as CHAP or
   SRP, require passwords or verifiers to be associated with the
   credential. These are managed outside this MIB module.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments. It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP. These are the tables and objects and their
   sensitivity/vulnerability:

   o  All tables (specifically: ipsAuthInstanceAttributesTable,
      ipsAuthIdentAttributesTable, ipsAuthIdentNameAttributesTable,
      ipsAuthIdentAddrAttributesTable, ipsAuthCredentialAttributesTable,
      ipsAuthCredChapAttributesTable, ipsAuthCredSrpAttributesTable and
      ipsAuthCredKerbAttributesTable) provide the ability to find out
      which names, addresses, and credentials would be required to
      access services on the managed system. If these credentials are
      easily spoofed (particularly the name or address), read access to
      this MIB module must be tightly controlled. When used with
      pointers from another MIB module to rows in the
      ipsAuthIdentAttributesTable, this MIB module provides information
      about which entities are authorized to connect to which.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is still no control as to who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in
   this MIB module.
   It is RECOMMENDED that implementors consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security. It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

   In many implementations, the objects in this MIB module can be read
   and modified via other mechanisms or protocols in addition to this
   MIB module. For the system to be secure, other mechanisms that can
   read and modify the contents of this MIB module must also address the
   above issues, and handle the threats outlined in [RFC3411], section
   1.4.

   Given the sensitivity of information contained in this MIB module, it
   is strongly recommended that encryption (SNMPv3 with a securityLevel
   of authPriv [RFC3411]) be used for all access to objects in this MIB
   module.

9.2. Other Security Considerations

   An identity consists of a set of names (e.g., an iSCSI Initiator
   Name), addresses (e.g., an IP address or Fibre Channel WWN), and
   credentials (e.g., a CHAP user name).

   To match an identity, one must match:

   o  One of the IdentNames belonging to the IdentIndex, unless there
      are no IdentNames for the IdentIndex, and

   o  One of the IdentAddrs belonging to the IdentIndex, unless there
      are no IdentAddrs for the IdentIndex, and

   o  One of the IdentCreds belonging to the IdentIndex, unless there
      are no Creds for the IdentIndex.
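   The matching rule above, as an added example that is not part of the
   draft: a small Python model of one identity row with its IdentNames,
   IdentAddrs and IdentCreds lists, applying the rule that every
   non-empty list must match and an empty list matches any identifier of
   its type. It also goes beyond the list to exercise the update-ordering
   concerns discussed later in this section (replacing a lone credential,
   and re-pointing an address range with two separate single-object SETs
   versus one combined update), reporting whether a constructed probe
   offer would be authorized in the interim state. The class and function
   names, the "ipv4"/"ipv6" type strings, and the sample names, addresses
   and credentials are assumptions of this example, not objects defined by
   the MIB module.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AddrRange:
    """One IdentAddr row: IdentAddrType, IdentAddrStart, IdentAddrEnd (assumed model)."""
    addr_type: str  # "ipv4" or "ipv6" in this example
    start: str
    end: str

    def contains(self, addr_type: str, addr: str) -> bool:
        if addr_type != self.addr_type:
            return False
        a = ipaddress.ip_address(addr)
        # An inverted row (start > end) matches nothing.
        return ipaddress.ip_address(self.start) <= a <= ipaddress.ip_address(self.end)


@dataclass(frozen=True)
class Credential:
    """One IdentCred row plus its method-specific user name / principal (assumed model)."""
    method: str  # e.g. "chap", "srp", "kerberos"
    user: str


@dataclass
class Identity:
    """One identity (IdentIndex) with its IdentNames, IdentAddrs and IdentCreds."""
    names: set = field(default_factory=set)
    addrs: dict = field(default_factory=dict)  # IdentAddrIndex -> AddrRange
    creds: set = field(default_factory=set)

    def matches(self, name: str, addr_type: str, addr: str, cred: Credential) -> bool:
        """Section 9.2 rule: each non-empty list must contain the offered value;
        an empty list places no constraint on that identifier type."""
        if self.names and name not in self.names:
            return False
        if self.addrs and not any(r.contains(addr_type, addr) for r in self.addrs.values()):
            return False
        if self.creds and cred not in self.creds:
            return False
        return True


# Constructed probe: an offer that none of the identities below should authorize.
PROBE = ("iqn.2006-02.example:other", "ipv4", "192.0.2.20", Credential("chap", "nobody"))


def credential_rotation_window(add_first: bool) -> bool:
    """Replace the only IdentCred of an identity using add-then-delete or
    delete-then-add, and report whether the probe matched at any step."""
    old, new = Credential("chap", "initiator-a"), Credential("chap", "initiator-a-2")
    ident = Identity(creds={old})
    if add_first:
        ident.creds.add(new)
        exposed = ident.matches(*PROBE)   # still constrained by {old, new}
        ident.creds.discard(old)
    else:
        ident.creds.discard(old)
        exposed = ident.matches(*PROBE)   # empty list: any credential matches
        ident.creds.add(new)
    return exposed or ident.matches(*PROBE)


def range_update_window(current: AddrRange, new_start: str, new_end: str,
                        end_first: bool) -> bool:
    """Re-point an IdentAddr row with two single-object SETs and report whether
    the interim row accepts an address that neither the old nor the new row does."""
    if end_first:
        interim = AddrRange(current.addr_type, current.start, new_end)
    else:
        interim = AddrRange(current.addr_type, new_start, current.end)
    target = AddrRange(current.addr_type, new_start, new_end)
    ptype, paddr = PROBE[1], PROBE[2]
    return (interim.contains(ptype, paddr)
            and not current.contains(ptype, paddr)
            and not target.contains(ptype, paddr))


def atomic_range_update(ident: Identity, idx: int, new_start: str, new_end: str) -> bool:
    """Both objects in one SET request: no half-updated row is ever observable.
    Returns whether the probe matches afterwards."""
    old = ident.addrs[idx]
    ident.addrs[idx] = AddrRange(old.addr_type, new_start, new_end)
    return ident.matches(*PROBE)


if __name__ == "__main__":
    single = AddrRange("ipv4", "192.0.2.5", "192.0.2.5")
    print("delete-then-add exposes:", credential_rotation_window(add_first=False))
    print("add-then-delete exposes:", credential_rotation_window(add_first=True))
    print("end-first 5->34 widens:", range_update_window(single, "192.0.2.34", "192.0.2.34", True))
```

   The probe is deliberately chosen to fall inside 192.0.2.5 .. 192.0.2.34
   but outside both single-address rows, so range_update_window returns
   True exactly when the interim row is the widened range described in
   this section.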
   Note that if any of the above lists are empty for a given IdentIndex,
   any identifier of that type is considered to match the identity. The
   non-empty lists will still be checked. For example, if the IdentAddrs
   list is empty for the IdentIndex, but there are entries in
   IdentNames and IdentCreds, any address will be considered a match, as
   long as the offered name and credential match one of the IdentNames
   and IdentCreds respectively.

   This leaves a possible security window while adding and removing
   entries from one of these lists. For example, an identity could
   consist of no IdentNames, no IdentAddrs, and exactly one IdentCred.
   If that IdentCred were to be updated, several methods could be used:

   o  The UserName or Principal could simply be written in the
      appropriate table, if the credential's type remained the same
      (recommended).

   o  The new credential could be added, then the old deleted
      (recommended).

   o  The new credential could be added, and the old deleted in the same
      SNMP request (recommended, but do the add first).

   o  The old credential could be deleted, then the new added (Don't
      Use!).

   Of the above methods, the last leaves a window in which the list is
   empty, possibly allowing unconstrained access to the resource making
   use of this MIB. This method should never be used for Names, Addrs,
   or Creds.

   The third method, adding and deleting within the same request,
   should be used with care. It is recommended that within the request,
   the add be done first. Otherwise, an implementation may attempt to
   perform these operations in order, potentially leaving a window.

   The first two methods are recommended.

   Care must also be taken when updating the IdentAddrs for an identity.
   Each IdentAddr specifies a range of addresses that match the
   identity, and has an address type, starting address, and ending
   address. Modifying these one at a time can open a temporary window
   where a larger range of addresses is allowed. For example, a single
   address is specified using IdentAddrType = ipv4, IdentAddrStart =
   IdentAddrEnd = 192.0.2.5. We want to update this to specify the
   single address 192.0.2.34. If the end address is updated first, we
   temporarily allow the range 192.0.2.5 .. 192.0.2.34, which is not
   what we want. Similarly, if we change from 192.0.2.34 back to
   192.0.2.5, and we update IdentAddrStart first, we end up with the
   range again. To handle this, an application must either:

   o  update both IdentAddrStart and IdentAddrEnd in the same SNMP set
      request, or

   o  add the new IdentAddrStart and IdentAddrEnd with a new
      IdentAddrIndex, then delete the old one, using the methods shown
      before.

   Since the value of IdentAddrType specifies the formats of
   IdentAddrStart and IdentAddrEnd, modification of IdentAddrType is not
   allowed for an existing row.

10. IANA Considerations

10.1. OID Assignment

   IANA is requested to make a MIB OID assignment under the mib-2
   branch.

11. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578, April
              1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.
   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
              for Describing Simple Network Management Protocol (SNMP)
              Management Frameworks", RFC 3411, December 2002.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

   [IANA-AF]  IANA, "IANA Address Family Numbers MIB",
              http://www.iana.org/assignments/ianaaddressfamilynumbers-mib

   [RFC2011bis]
              Routhier, S., "Management Information Base for the Internet
              Protocol (IP)", draft-ietf-ipv6-rfc2011-update-10.txt, May
              2004.

   [RFC1994]  Simpson, W., "PPP Challenge Handshake Authentication
              Protocol (CHAP)", RFC 1994, August 1996.

   [RFC1510]  Kohl, J., and C. Neuman, "The Kerberos Network
              Authentication Service (V5)", RFC 1510, September 1993.

   [RFC2945]  Wu, T., "The SRP Authentication and Key Exchange System",
              RFC 2945, September 2000.

12. Informative References

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC3414]  Blumenthal, U., and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", RFC 3414, December 2002.

   [RFC3720]  Satran, J., Meth, K., Sapuntzakis, C., Chadalapaka, M., and
              E. Zeidner, "Internet Small Computer Systems Interface
              (iSCSI)", RFC 3720, March 2004.

   [RFC1737]  Sollins, K., and L. Masinter, "Functional Requirements for
              Uniform Resource Names", RFC 1737, December 1994.

   [RFC4044]  McCloghrie, K., "Fibre Channel Management MIB", RFC 4044,
              May 2005.
Acknowledgments

   In addition to the authors, several people contributed to the
   development of this MIB module through discussions of authentication,
   authorization, and access within the iSCSI MIB module and security
   teams, including John Hufferd, Marjorie Krueger, Keith McCloghrie,
   Tom McSweeney, Steve Senum, and Josh Tseng. Thanks also to Bill
   Studenmund (Wasabi Systems) for adding the Kerberos method, and to
   Ayman Ghanem for finding and suggesting changes to several problems
   found in the MIB module.

   Thanks especially to Keith McCloghrie for serving as advisor for this
   MIB module.

Authors' Addresses

   Mark Bakke
   Postal: Cisco Systems, Inc
           7900 International Drive, Suite 400
           Bloomington, MN
           USA 55425

   Email:  mbakke@cisco.com

   James Muchow
   Postal: Qlogic Corp.
           6321 Bury Drive
           Eden Prairie, MN
           USA 55346

   Email:  james.muchow@qlogic.com

IPR Notice

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights. Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.

Full Copyright Notice

   Copyright (C) The Internet Society (2006). This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.