| < draft-ietf-isis-wg-mib-25.txt | draft-ietf-isis-wg-mib-26.txt > | |||
|---|---|---|---|---|
| Internet Engineering Task Force Jeff Parker, Editor | Internet Engineering Task Force Jeff Parker, Editor | |||
| INTERNET DRAFT Axiowave Networks | INTERNET DRAFT Axiowave Networks | |||
| Expiration date: June, 2006 Dec 23, 2005 | Expiration date: June, 2006 Dec 26, 2005 | |||
| Management Information Base for IS-IS | Management Information Base for IS-IS | |||
| <draft-ietf-isis-wg-mib-25.txt> | <draft-ietf-isis-wg-mib-26.txt> | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 7, line 18 ¶ | skipping to change at page 7, line 18 ¶ | |||
| SnmpAdminString | SnmpAdminString | |||
| FROM SNMP-FRAMEWORK-MIB -- RFC2571 | FROM SNMP-FRAMEWORK-MIB -- RFC2571 | |||
| IndexInteger, IndexIntegerNextFree | IndexInteger, IndexIntegerNextFree | |||
| FROM DIFFSERV-MIB -- RFC3289 | FROM DIFFSERV-MIB -- RFC3289 | |||
| InterfaceIndex | InterfaceIndex | |||
| FROM IF-MIB -- RFC2863 | FROM IF-MIB -- RFC2863 | |||
| InetAddressType, InetAddress, InetAddressPrefixLength | InetAddressType, InetAddress, InetAddressPrefixLength | |||
| FROM INET-ADDRESS-MIB; -- RFC3291 | FROM INET-ADDRESS-MIB; -- RFC3291 | |||
| isisMIB MODULE-IDENTITY | isisMIB MODULE-IDENTITY | |||
| LAST-UPDATED "200512231200Z" -- December 23, 2005, noon | LAST-UPDATED "200512261200Z" -- December 26, 2005, noon | |||
| ORGANIZATION "IETF IS-IS for IP Internets Working Group" | ORGANIZATION "IETF IS-IS for IP Internets Working Group" | |||
| CONTACT-INFO | CONTACT-INFO | |||
| "IS-IS for IP Internets working Group | "IS-IS for IP Internets working Group | |||
| http://www.ietf.org/html.charters/isis-charter.html | http://www.ietf.org/html.charters/isis-charter.html | |||
| isis-wg@ietf.org | isis-wg@ietf.org | |||
| Jeff Parker | Jeff Parker | |||
| Department of Computer Science | Department of Computer Science | |||
| Middlebury College, | Middlebury College, | |||
| Middlebury, Vermont 05753 | Middlebury, Vermont 05753 | |||
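Review bot: the IMPORTS comments in this hunk cite superseded documents: "-- RFC2571" for SNMP-FRAMEWORK-MIB was obsoleted by RFC 3411, and "-- RFC3291" for INET-ADDRESS-MIB was obsoleted by RFC 4001. Since LAST-UPDATED is being touched anyway, update both comments so the module points at the current definitions. Also, CONTACT-INFO has "IS-IS for IP Internets working Group" while ORGANIZATION has "Working Group"; capitalise consistently.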
| skipping to change at page 7, line 47 ¶ | skipping to change at page 7, line 47 ¶ | |||
| This document is based on a 1994 IETF draft by Chris | This document is based on a 1994 IETF draft by Chris | |||
| Gunner. This version has been modified to include | Gunner. This version has been modified to include | |||
| current syntax, to exclude portions of the protocol that | current syntax, to exclude portions of the protocol that | |||
| are not relevant to IP, and to add management support for | are not relevant to IP, and to add management support for | |||
| current practice. | current practice. | |||
| Copyright (C) The Internet Society (2005). This version | Copyright (C) The Internet Society (2005). This version | |||
| of this MIB module is part of RFC 0DDD; see the RFC | of this MIB module is part of RFC 0DDD; see the RFC | |||
| itself for full legal notices." | itself for full legal notices." | |||
| REVISION "200512231200Z" -- December 23, 2005, noon | REVISION "200512261200Z" -- December 26, 2005, noon | |||
| DESCRIPTION | DESCRIPTION | |||
| "Initial version, published as RFC 0DDD." | "Initial version, published as RFC 0DDD." | |||
| ::= { mib-2 XXX } | ::= { mib-2 XXX } | |||
| -- RFC Editor - please Replace with proper IANA Value | -- RFC Editor - please Replace with proper IANA Value | |||
| -- Top-level structure of the MIB | -- Top-level structure of the MIB | |||
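Review bot: the RFC Editor comment after "::= { mib-2 XXX }" covers only the IANA value, but this hunk also carries the placeholder "RFC 0DDD" twice, in the copyright paragraph and in the REVISION DESCRIPTION. Add an editor note asking for those to be replaced as well, so they are not missed at publication. The REVISION timestamp matches the new LAST-UPDATED value, which is correct.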
| skipping to change at page 98, line 37 ¶ | skipping to change at page 98, line 37 ¶ | |||
| - Avoid Detection | - Avoid Detection | |||
| - Prevent Updates | - Prevent Updates | |||
| - Hijack LAN | - Hijack LAN | |||
| - Create problems for CLNS networks | - Create problems for CLNS networks | |||
| 7.2.1 Drop an Adjacency | 7.2.1 Drop an Adjacency | |||
| By changing attributes that are used to peer, we can disrupt an | By changing attributes that are used to peer, we can disrupt an | |||
| adjacency and bring a link down. | adjacency and bring a link down. | |||
| isisCirc3WayEnabled OBJECT-TYPE | isisCirc3WayEnabled | |||
| isisCircAdminState OBJECT-TYPE | isisCircAdminState | |||
| isisCircExistState OBJECT-TYPE | isisCircExistState | |||
| isisCircLevelDRHelloTimer OBJECT-TYPE | isisCircLevelDRHelloTimer | |||
| isisCircLevelHelloTimer OBJECT-TYPE | isisCircLevelHelloTimer | |||
| isisCircLevelType OBJECT-TYPE | isisCircLevelType | |||
| isisCircSmallHellos OBJECT-TYPE | isisCircSmallHellos | |||
| 7.2.2 Drop All Adjacencies | 7.2.2 Drop All Adjacencies | |||
| These attributes can be used to break some or all of a router's | These attributes can be used to break some or all of a router's | |||
| adjacencies. In the case of System ID, the adjacency may be | adjacencies. In the case of System ID, the adjacency may be | |||
| restored. However, it will subject the network to additional stress. | restored. However, it will subject the network to additional stress. | |||
| isisSysLevelType OBJECT-TYPE | isisSysLevelType | |||
| isisManAreaAddrExistState OBJECT-TYPE | isisManAreaAddrExistState | |||
| isisSysAdminState OBJECT-TYPE | isisSysAdminState | |||
| isisSysID OBJECT-TYPE | isisSysID | |||
| 7.2.3 Drop Subnetwork | 7.2.3 Drop Subnetwork | |||
| This attribute can be used to stop advertisement of a subnetwork | This attribute can be used to stop advertisement of a subnetwork | |||
| reachable through a single interface. | reachable through a single interface. | |||
| isisCircPassiveCircuit OBJECT-TYPE | isisCircPassiveCircuit | |||
| 7.2.4 Split the Network | 7.2.4 Split the Network | |||
| If the network design depends upon Wide Metrics or TE, we can use | If the network design depends upon Wide Metrics or TE, we can use | |||
| these attributes to prevent traffic from passing through a router. | these attributes to prevent traffic from passing through a router. | |||
| isisSysLevelMetricStyle OBJECT-TYPE | isisSysLevelMetricStyle | |||
| isisSysLevelOrigLSPBuffSize OBJECT-TYPE | isisSysLevelOrigLSPBuffSize | |||
| isisSysLevelSPFConsiders OBJECT-TYPE | isisSysLevelSPFConsiders | |||
| isisSysLevelTEEnabled OBJECT-TYPE | isisSysLevelTEEnabled | |||
| isisSysReceiveLSPBufferSize OBJECT-TYPE | isisSysReceiveLSPBufferSize | |||
| 7.2.5 Intermittent Outages | 7.2.5 Intermittent Outages | |||
| We can use these attributes to subject the network to a series of | We can use these attributes to subject the network to a series of | |||
| topology changes, or otherwise force extensive recomputations of | topology changes, or otherwise force extensive recomputations of | |||
| routes. | routes. | |||
| isisSysLevelMinLSPGenInt OBJECT-TYPE | isisSysLevelMinLSPGenInt | |||
| isisSysLevelSetOverload OBJECT-TYPE | isisSysLevelSetOverload | |||
| isisSysLevelSetOverloadUntil OBJECT-TYPE | isisSysLevelSetOverloadUntil | |||
| isisSysMaxAge OBJECT-TYPE | isisSysMaxAge | |||
| isisSysMaxLSPGenInt OBJECT-TYPE | isisSysMaxLSPGenInt | |||
| isisSysL2toL1Leaking OBJECT-TYPE | isisSysL2toL1Leaking | |||
| isisSysID OBJECT-TYPE | isisSysID | |||
| 7.2.6 Redirect Traffic | 7.2.6 Redirect Traffic | |||
| By changing attributes such as metrics, we can push traffic to | By changing attributes such as metrics, we can push traffic to | |||
| different parts of the network. This may allow an intruder to | different parts of the network. This may allow an intruder to | |||
| observe data traffic from otherwise remote parts of the network. | observe data traffic from otherwise remote parts of the network. | |||
| We may also use these attributes to deny service to parts of the | We may also use these attributes to deny service to parts of the | |||
| network. | network. | |||
| isisSysMaxPathSplits OBJECT-TYPE | isisSysMaxPathSplits | |||
| isisCircLevelMetric OBJECT-TYPE | isisCircLevelMetric | |||
| isisCircLevelWideMetric OBJECT-TYPE | isisCircLevelWideMetric | |||
| isisIPRAAdminState OBJECT-TYPE | isisIPRAAdminState | |||
| isisIPRAExistState OBJECT-TYPE | isisIPRAExistState | |||
| isisIPRAFullMetric OBJECT-TYPE | isisIPRAFullMetric | |||
| isisIPRAMetric OBJECT-TYPE | isisIPRAMetric | |||
| isisIPRAMetricType OBJECT-TYPE | isisIPRAMetricType | |||
| isisIPRANextHop OBJECT-TYPE | isisIPRANextHop | |||
| isisIPRANextHopType OBJECT-TYPE | isisIPRANextHopType | |||
| isisIPRASNPAAddress OBJECT-TYPE | isisIPRASNPAAddress | |||
| isisIPRAType OBJECT-TYPE | isisIPRAType | |||
| isisRedistributeAddrExistState OBJECT-TYPE | isisRedistributeAddrExistState | |||
| isisSummAddrExistState OBJECT-TYPE | isisSummAddrExistState | |||
| isisSummAddrFullMetric OBJECT-TYPE | isisSummAddrFullMetric | |||
| isisSummAddrMetric OBJECT-TYPE | isisSummAddrMetric | |||
| isisSysL2toL1Leaking OBJECT-TYPE | isisSysL2toL1Leaking | |||
| 7.2.7 Delay Convergence | 7.2.7 Delay Convergence | |||
| These attributes can be used to slow convergence by increasing the | These attributes can be used to slow convergence by increasing the | |||
| minimal interval required to update a packet. | minimal interval required to update a packet. | |||
| isisCircLevelCSNPInterval OBJECT-TYPE | isisCircLevelCSNPInterval | |||
| isisCircLevelLSPThrottle OBJECT-TYPE | isisCircLevelLSPThrottle | |||
| isisCircLevelMinLSPRetransInt OBJECT-TYPE | isisCircLevelMinLSPRetransInt | |||
| isisCircLevelPartSNPInterval OBJECT-TYPE | isisCircLevelPartSNPInterval | |||
| isisSysWaitTime OBJECT-TYPE | isisSysWaitTime | |||
| isisCircPassiveCircuit OBJECT-TYPE | isisCircPassiveCircuit | |||
| 7.2.8 Avoid Detection | 7.2.8 Avoid Detection | |||
| By turning off traps, we can prevent a Network Management station | By turning off traps, we can prevent a Network Management station | |||
| from observing problems in the network caused by other aspects of an | from observing problems in the network caused by other aspects of an | |||
| attack. | attack. | |||
| isisSysNotificationEnable OBJECT-TYPE | isisSysNotificationEnable | |||
| 7.2.9 Prevent Updates | 7.2.9 Prevent Updates | |||
| Mesh Groups can be used to prevent the transmission of Link State | Mesh Groups can be used to prevent the transmission of Link State | |||
| PDUs on certain interfaces, delaying or preventing the propagation of | PDUs on certain interfaces, delaying or preventing the propagation of | |||
| updates. | updates. | |||
| isisCircMeshGroup OBJECT-TYPE | isisCircMeshGroup | |||
| isisCircMeshGroupEnabled OBJECT-TYPE | isisCircMeshGroupEnabled | |||
| 7.2.10 Hijack LAN | 7.2.10 Hijack LAN | |||
| If we have compromised a router, we can use this attribute to become | If we have compromised a router, we can use this attribute to become | |||
| the designated router and lie about the topology of a LAN. | the designated router and lie about the topology of a LAN. | |||
| isisCircLevelISPriority OBJECT-TYPE | isisCircLevelISPriority | |||
| 7.2.11 Create problems for CLNS networks | 7.2.11 Create problems for CLNS networks | |||
| This attribute can be used to modify the handling of CLNS traffic. | This attribute can be used to modify the handling of CLNS traffic. | |||
| isisRAAddrPrefix OBJECT-TYPE | isisRAAddrPrefix | |||
| isisRAAdminState OBJECT-TYPE | isisRAAdminState | |||
| isisRAExistState OBJECT-TYPE | isisRAExistState | |||
| isisRAMapType OBJECT-TYPE | isisRAMapType | |||
| isisRAMetric OBJECT-TYPE | isisRAMetric | |||
| isisRAMetricType OBJECT-TYPE | isisRAMetricType | |||
| isisRASNPAAddress OBJECT-TYPE | isisRASNPAAddress | |||
| isisRASNPAMask OBJECT-TYPE | isisRASNPAMask | |||
| isisRASNPAPrefix OBJECT-TYPE | isisRASNPAPrefix | |||
| isisRAType OBJECT-TYPE | isisRAType | |||
| isisSysPollESHelloRate OBJECT-TYPE | isisSysPollESHelloRate | |||
| 7.2.12 Mostly Harmless | 7.2.12 Mostly Harmless | |||
| The following writable attributes do not pose a known security risk. | The following writable attributes do not pose a known security risk. | |||
| isisCircExtDomain OBJECT-TYPE | isisCircExtDomain | |||
| isisCircIfIndex OBJECT-TYPE | isisCircExtendedCircID | |||
| isisCircLevelHelloMultiplier OBJECT-TYPE | isisCircIfIndex | |||
| isisCircType OBJECT-TYPE | isisCircLevelHelloMultiplier | |||
| isisCircType | ||||
| 7.2.13 Recommendations | 7.2.13 Recommendations | |||
| Much of the MIB is used to set or read attributes which are readily | Much of the MIB is used to set or read attributes which are readily | |||
| visible to any intruder who has access to traffic. None of the | visible to any intruder who has access to traffic. None of the | |||
| security attributes are setable or visible through the MIB. Read | security attributes are setable or visible through the MIB. Read | |||
| access to the MIB does not pose additional risks or vulnerabilities. | access to the MIB does not pose additional risks or vulnerabilities. | |||
| If write access is to be provided, it is RECOMMENDED that | If write access is to be provided, it is RECOMMENDED that | |||
| implementers consider the security features as provided by the SNMPv3 | implementers consider the security features as provided by the SNMPv3 | |||
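Review bot: in 7.2.11 the lead sentence reads "This attribute can be used to modify the handling of CLNS traffic" but eleven objects are listed under it; it should read "These attributes", as 7.2.2 and 7.2.7 do. In 7.2.13, "setable" should be "settable". The new 7.2.12 entry isisCircExtendedCircID is added with no change to the surrounding text; now that the lists carry bare object names, confirm each name matches its definition in the module exactly, since readers will search for them. Several objects appear under more than one heading (isisSysID in 7.2.2 and 7.2.5, isisCircPassiveCircuit in 7.2.3 and 7.2.7, isisSysL2toL1Leaking in 7.2.5 and 7.2.6); if that is intentional, a sentence at the start of 7.2 saying an object may fall into several categories would help anyone building an access-control view from these lists.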
| End of changes. 16 change blocks. | ||||
| 70 lines changed or deleted | 71 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||