idnits 2.17.1

draft-decnodder-radext-dynauth-client-mib-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate. You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1.a on line 19.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 846.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 823.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 830.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 836.

  ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure
     Acknowledgement.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to
     RFC 4748.

  ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate
     instead of verbatim RFC 3978 boilerplate. After 6 May 2005, submission
     of drafts without verbatim RFC 3978 boilerplate is not accepted.

     The following non-3978 patterns matched text found in the document.
     That text should be removed or replaced:

       This document is an Internet-Draft and is subject to all provisions
       of Section 3 of RFC 3667. By submitting this Internet-Draft, each
       author represents that any applicable patent or other IPR claims of
       which he or she is aware have been or will be disclosed, and any of
       which he or she becomes aware will be disclosed, in accordance with
       Section 6 of BCP 79.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you can
     ignore this comment. If not, you may need to add the pre-RFC5378
     disclaimer. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (February 17, 2005) is 7001 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2618' is defined on line 771, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2620' is defined on line 777, but no explicit
     reference was found in the text

  == Outdated reference: A later version (-03) exists of
     draft-decnodder-radext-dynauth-server-mib-01

  -- Possible downref: Normative reference to a draft: ref. 'DYNSERV'

  ** Obsolete normative reference: RFC 3576 (Obsoleted by RFC 5176)

  -- Obsolete informational reference (is this intentional?): RFC 2618
     (Obsoleted by RFC 4668)

  -- Obsolete informational reference (is this intentional?): RFC 2619
     (Obsoleted by RFC 4669)

  -- Obsolete informational reference (is this intentional?): RFC 2620
     (Obsoleted by RFC 4670)

  -- Obsolete informational reference (is this intentional?): RFC 2621
     (Obsoleted by RFC 4671)

     Summary: 6 errors (**), 0 flaws (~~), 6 warnings (==), 12 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1     Network Working Group                                      S. De Cnodder
2     Internet-Draft                                                   Alcatel
3     Expires: August 21, 2005                                      N. Jonnala
4                                                                  Future Soft
5                                                                     M. Chiba
6                                                          Cisco Systems, Inc.
7                                                            February 17, 2005

9                         Dynamic Authorization Client MIB
10               draft-decnodder-radext-dynauth-client-mib-03.txt

12    Status of this Memo

14       This document is an Internet-Draft and is subject to all provisions
15       of Section 3 of RFC 3667. By submitting this Internet-Draft, each
16       author represents that any applicable patent or other IPR claims of
17       which he or she is aware have been or will be disclosed, and any of
18       which he or she become aware will be disclosed, in accordance with
19       RFC 3668.

21       Internet-Drafts are working documents of the Internet Engineering
22       Task Force (IETF), its areas, and its working groups. Note that
23       other groups may also distribute working documents as
24       Internet-Drafts.

26       Internet-Drafts are draft documents valid for a maximum of six months
27       and may be updated, replaced, or obsoleted by other documents at any
28       time. It is inappropriate to use Internet-Drafts as reference
29       material or to cite them other than as "work in progress."

31       The list of current Internet-Drafts can be accessed at
32       http://www.ietf.org/ietf/1id-abstracts.txt.

34       The list of Internet-Draft Shadow Directories can be accessed at
35       http://www.ietf.org/shadow.html.

37       This Internet-Draft will expire on August 21, 2005.

39    Copyright Notice

41       Copyright (C) The Internet Society (2005).

43    Abstract

45       This memo defines a portion of the Management Information Base (MIB)
46       for use with network management protocols in the Internet community.
47       In particular, it describes the RADIUS dynamic authorization client
48       (DAC) functions that support the dynamic authorization extensions as
49       defined in RFC3576.

51    Table of Contents

53       1.  Requirements notation
54       2.  Introduction
55       3.  The Internet-Standard Management Framework
56       4.  Terminology
57       5.  Overview
58       6.  RADIUS Dynamic Authorization Client MIB Definitions
59       7.  Security Considerations
60       8.  IANA considerations
61       9.  Acknowledgements
62       10. References
63       10.1  Normative References
64       10.2  Informative References
65           Authors' Addresses
66           Intellectual Property and Copyright Statements

68    1. Requirements notation

70       The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
71       "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
72       document are to be interpreted as described in [RFC2119].

74    2. Introduction

76       This memo defines a portion of the Management Information Base (MIB)
77       for use with network management protocols in the Internet community.
78       It is becoming increasingly important to support Dynamic
79       Authorization extensions on the network access server (NAS) devices
80       to handle the Disconnect and Change-of-Authorization (CoA) messages
81       as described in [RFC3576]. As a result, the effective management of
82       RADIUS Dynamic Authorization entities is of considerable importance.
83       It complements the managed objects used for managing RADIUS
84       authentication and accounting servers as described in [RFC2619] and
85       [RFC2621], respectively.

87    3. The Internet-Standard Management Framework

89       For a detailed overview of the documents that describe the current
90       Internet-Standard Management Framework, please refer to section 7 of
91       [RFC3410].

93       Managed objects are accessed via a virtual information store, termed
94       the Management Information Base or MIB. MIB objects are generally
95       accessed through the Simple Network Management Protocol (SNMP).
96       Objects in the MIB are defined using the mechanisms defined in the
97       Structure of Management Information (SMI). This memo specifies a MIB
98       module that is compliant to the SMIv2, which is described in STD 58,
99       RFC2578 [RFC2578], STD 58, RFC2579 [RFC2579] and STD 58, RFC2580
100      [RFC2580].

102   4. Terminology

104      Dynamic Authorization Server (DAS)

106      The component that resides on the NAS which processes the Disconnect
107      and CoA requests sent by the Dynamic Authorization Client as
108      described in [RFC3576].

110      Dynamic Authorization Client (DAC)

112      The component which sends the Disconnect and CoA requests to the
113      Dynamic Authorization Server as described in [RFC3576].

115      Dynamic Authorization Server Port

117      The UDP port on which the Dynamic Authorization server listens for
118      the Disconnect and CoA requests sent by the Dynamic Authorization
119      Client.

121   5. Overview

123      The RADIUS dynamic authorization extensions defined in [RFC3576],
124      distinguish between the client function and the server function.
125      [DYNSERV] defines the terms Dynamic Authorization Server (DAS) and
126      Dynamic Authorization Client (DAC), the MIB for the DAS, and the
127      relationship with other MIB modules. This MIB module for the dynamic
128      authorization client contains the following:

130      1. one scalar object

132      2. One Dynamic Authorization Server Table. This table contains one
133         row for each DAS that the DAC shares a secret with.

135   6. RADIUS Dynamic Authorization Client MIB Definitions

137      RADIUS-DYNAUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

139      IMPORTS
140            MODULE-IDENTITY, OBJECT-TYPE,
141            Counter32, Gauge32, Integer32,
142            mib-2, TimeTicks                  FROM SNMPv2-SMI
143            SnmpAdminString                   FROM SNMP-FRAMEWORK-MIB
144            InetAddressType, InetAddress      FROM INET-ADDRESS-MIB
145            MODULE-COMPLIANCE, OBJECT-GROUP   FROM SNMPv2-CONF;

147      radiusDynAuthClientMIB MODULE-IDENTITY
148            LAST-UPDATED "200502070000Z" -- 7 February 2005
149            ORGANIZATION "IETF RADEXT Working Group"
150            CONTACT-INFO
151               " Stefaan De Cnodder
152                 Alcatel
153                 Francis Wellesplein 1
154                 B-2018 Antwerp
155                 Belgium

157                 Phone: +32 3 240 85 15
158                 EMail: stefaan.de_cnodder@alcatel.be

160                 Nagi Reddy Jonnala
161                 Future Soft
162                 480 - 481, Anna Salai
163                 Nandanam, Chennai
164                 India

166                 EMail: nagi_reddy.jonnala@alcatel.be

168                 Murtaza Chiba
169                 Cisco Systems, Inc.
170                 170 West Tasman Dr.
171                 San Jose CA, 95134

173                 Phone: +1 408 525 7198
174                 EMail: mchiba@cisco.com "
175            DESCRIPTION
176               "The MIB module for entities implementing the client
177                side of the Dynamic Authorization extensions Remote
178                Access Dialin User Service (RADIUS) protocol.

180                Copyright (C) The Internet Society (2005). This initial
181                version of this MIB module was published in RFC yyyy;
182                for full legal notices see the RFC itself. Supplementary
183                information may be available on
184                http://www.ietf.org/copyrights/ianamib.html."
185            -- RFC Ed.: replace yyyy with actual RFC number & remove this note

187            REVISION "200502070000Z" -- 7 February 2005
188            DESCRIPTION "Initial version as published in RFC yyyy"
189            -- RFC Ed.: replace yyyy with actual RFC number & remove this note
190            ::= { radiusDynamicAuthorization 2 }

192      radiusDynamicAuthorization OBJECT IDENTIFIER ::= { mib-2 xxx }
193      -- The value xxx to be assigned by IANA.

195      radiusDynAuthClientMIBObjects OBJECT IDENTIFIER ::=
196                                          { radiusDynAuthClientMIB 1 }

198      radiusDynAuthClient OBJECT IDENTIFIER ::=
199                                          { radiusDynAuthClientMIBObjects 1 }

201      radiusDynAuthClientInvalidServerAddresses OBJECT-TYPE
202            SYNTAX      Counter32
203            MAX-ACCESS  read-only
204            STATUS      current
205            DESCRIPTION
206               "The number of RADIUS Dynamic Authorization messages
207                (both Disconnect and CoA) received from unknown
208                addresses."
209            ::= { radiusDynAuthClient 1 }

211      radiusDynAuthServerTable OBJECT-TYPE
212            SYNTAX      SEQUENCE OF RadiusDynAuthServerEntry
213            MAX-ACCESS  not-accessible
214            STATUS      current
215            DESCRIPTION
216               "The (conceptual) table listing the RADIUS Dynamic
217                Authorization servers with which the client shares a
218                secret."
219            ::= { radiusDynAuthClient 2 }

221      radiusDynAuthServerEntry OBJECT-TYPE
222            SYNTAX      RadiusDynAuthServerEntry
223            MAX-ACCESS  not-accessible
224            STATUS      current
225            DESCRIPTION
226               "An entry (conceptual row) representing one Dynamic
227                Authorization Server with which the client shares a
228                secret."
229            INDEX       { radiusDynAuthServerIndex }
230            ::= { radiusDynAuthServerTable 1 }

232      RadiusDynAuthServerEntry ::= SEQUENCE {
233            radiusDynAuthServerIndex                     Integer32,
234            radiusDynAuthServerAddressType               InetAddressType,
235            radiusDynAuthServerAddress                   InetAddress,
236            radiusDynAuthServerClientPortNumber          Integer32,
237            radiusDynAuthServerID                        SnmpAdminString,
238            radiusDynAuthClientRoundTripTime             TimeTicks,
239            radiusDynAuthClientDisconRequests            Counter32,
240            radiusDynAuthClientDisconRetransmissions     Counter32,
241            radiusDynAuthClientDisconAcks                Counter32,
242            radiusDynAuthClientDisconNaks                Counter32,
243            radiusDynAuthClientMalformedDisconResponses  Counter32,
244            radiusDynAuthClientDisconBadAuthenticators   Counter32,
245            radiusDynAuthClientDisconPendingRequests     Gauge32,
246            radiusDynAuthClientDisconTimeouts            Counter32,
247            radiusDynAuthClientDisconPacketsDropped      Counter32,
248            radiusDynAuthClientCoARequests               Counter32,
249            radiusDynAuthClientCoARetransmissions        Counter32,
250            radiusDynAuthClientCoAAcks                   Counter32,
251            radiusDynAuthClientCoANaks                   Counter32,
252            radiusDynAuthClientMalformedCoAResponses     Counter32,
253            radiusDynAuthClientCoABadAuthenticators      Counter32,
254            radiusDynAuthClientCoAPendingRequests        Gauge32,
255            radiusDynAuthClientCoATimeouts               Counter32,
256            radiusDynAuthClientCoAPacketsDropped         Counter32,
257            radiusDynAuthClientUnknownTypes              Counter32
258      }

260      radiusDynAuthServerIndex OBJECT-TYPE
261            SYNTAX      Integer32 (1..2147483647)
262            MAX-ACCESS  not-accessible
263            STATUS      current
264            DESCRIPTION
265               "A number uniquely identifying each RADIUS Dynamic
266                Authorization server with which this Dynamic
267                Authorization client communicates. This number is
268                allocated by the agent implementing this MIB module,
269                and is unique in this context."
270            ::= { radiusDynAuthServerEntry 1 }

272      radiusDynAuthServerAddressType OBJECT-TYPE
273            SYNTAX      InetAddressType
274            MAX-ACCESS  read-only
275            STATUS      current
276            DESCRIPTION
277               "The type of IP-Address of the RADIUS Dynamic
278                Authorization server referred to in this table entry."

280            ::= { radiusDynAuthServerEntry 2 }

282      radiusDynAuthServerAddress OBJECT-TYPE
283            SYNTAX      InetAddress
284            MAX-ACCESS  read-only
285            STATUS      current
286            DESCRIPTION
287               "The IP-Address value of the RADIUS Dynamic
288                Authorization server referred to in this table entry."
289            ::= { radiusDynAuthServerEntry 3 }

291      radiusDynAuthServerClientPortNumber OBJECT-TYPE
292            SYNTAX      Integer32 (0..65535)
293            MAX-ACCESS  read-only
294            STATUS      current
295            DESCRIPTION
296               "The UDP port the RADIUS Dynamic Authorization client is
297                using to send requests to this server."
298            ::= { radiusDynAuthServerEntry 4 }

300      radiusDynAuthServerID OBJECT-TYPE
301            SYNTAX      SnmpAdminString
302            MAX-ACCESS  read-only
303            STATUS      current
304            DESCRIPTION
305               "The NAS-Identifier of the RADIUS Dynamic
306                Authorization server referred to in this table
307                entry."
308            REFERENCE
309               "RFC 2865, Section 5.32, NAS-Identifier."
310            ::= { radiusDynAuthServerEntry 5 }

312      radiusDynAuthClientRoundTripTime OBJECT-TYPE
313            SYNTAX      TimeTicks
314            UNITS       "hundredths of a second"
315            MAX-ACCESS  read-only
316            STATUS      current
317            DESCRIPTION
318               "The time interval (in hundredths of a second) between
319                the most recent Disconnect or CoA request and the
320                reception of the corresponding Disconnect or CoA reply.
321                A value of zero is returned in case no reply has been
322                received yet from this server."
323            ::= { radiusDynAuthServerEntry 6 }

325      radiusDynAuthClientDisconRequests OBJECT-TYPE
326            SYNTAX      Counter32
327            UNITS       "requests"
328            MAX-ACCESS  read-only
329            STATUS      current
330            DESCRIPTION
331               "The number of RADIUS Disconnect-Requests sent
332                to this Dynamic Authorization server."
333            REFERENCE
334               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
335            ::= { radiusDynAuthServerEntry 7 }

337      radiusDynAuthClientDisconRetransmissions OBJECT-TYPE
338            SYNTAX      Counter32
339            UNITS       "retransmissions"
340            MAX-ACCESS  read-only
341            STATUS      current
342            DESCRIPTION
343               "The number of RADIUS Disconnect-request packets
344                retransmitted to this RADIUS Dynamic authorization
345                server."
346            REFERENCE
347               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
348            ::= { radiusDynAuthServerEntry 8 }

350      radiusDynAuthClientDisconAcks OBJECT-TYPE
351            SYNTAX      Counter32
352            UNITS       "replies"
353            MAX-ACCESS  read-only
354            STATUS      current
355            DESCRIPTION
356               "The number of RADIUS Disconnect-ACK packets
357                received from this Dynamic Authorization server."
358            REFERENCE
359               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
360            ::= { radiusDynAuthServerEntry 9 }

362      radiusDynAuthClientDisconNaks OBJECT-TYPE
363            SYNTAX      Counter32
364            UNITS       "replies"
365            MAX-ACCESS  read-only
366            STATUS      current
367            DESCRIPTION
368               "The number of RADIUS Disconnect-NAK packets
369                received from this Dynamic Authorization server."
370            REFERENCE
371               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
372            ::= { radiusDynAuthServerEntry 10 }

374      radiusDynAuthClientMalformedDisconResponses OBJECT-TYPE
375            SYNTAX      Counter32
376            UNITS       "replies"
377            MAX-ACCESS  read-only
378            STATUS      current
379            DESCRIPTION
380               "The number of malformed RADIUS Disconnect-Response
381                packets received from this Dynamic Authorization
382                server. Bad authenticators and unknown types are not
383                included as malformed Disconnect-Responses."
384            REFERENCE
385               "RFC 3576, Section 2.1, Disconnect Messages (DM), and
386                Section 2.3, Packet Format."
387            ::= { radiusDynAuthServerEntry 11 }

389      radiusDynAuthClientDisconBadAuthenticators OBJECT-TYPE
390            SYNTAX      Counter32
391            UNITS       "replies"
392            MAX-ACCESS  read-only
393            STATUS      current
394            DESCRIPTION
395               "The number of RADIUS Disconnect-Response packets
396                which contained invalid Signature attributes
397                received from this Dynamic Authorization server."
398            REFERENCE
399               "RFC 3576, Section 2.1, Disconnect Messages (DM), and
400                Section 2.3, Packet Format."
401            ::= { radiusDynAuthServerEntry 12 }

403      radiusDynAuthClientDisconPendingRequests OBJECT-TYPE
404            SYNTAX      Gauge32
405            UNITS       "requests"
406            MAX-ACCESS  read-only
407            STATUS      current
408            DESCRIPTION
409               "The number of RADIUS Disconnect-request packets
410                destined for this server that have not yet timed out
411                or received a response. This variable is incremented
412                when a Disconnect-Request is sent and decremented
413                due to receipt of a Disconnect-Ack, Disconnect-NAK
414                or a timeout or a retransmission."
415            REFERENCE
416               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
417            ::= { radiusDynAuthServerEntry 13 }

419      radiusDynAuthClientDisconTimeouts OBJECT-TYPE
420            SYNTAX      Counter32
421            UNITS       "timeouts"
422            MAX-ACCESS  read-only
423            STATUS      current
424            DESCRIPTION
425               "The number of Disconnect request timeouts to this
426                server. After a timeout the client may retry to the
427                same server or give up. A retry to the same server is
428                counted as a retransmit as well as a timeout. A send
429                to a different server is counted as a
430                Disconnect-Request as well as a timeout."
431            REFERENCE
432               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
433            ::= { radiusDynAuthServerEntry 14 }

435      radiusDynAuthClientDisconPacketsDropped OBJECT-TYPE
436            SYNTAX      Counter32
437            UNITS       "replies"
438            MAX-ACCESS  read-only
439            STATUS      current
440            DESCRIPTION
441               "The number of incoming Disconnect-Responses
442                from this Dynamic Authorization server silently
443                discarded by the client application for some reason
444                other than malformed, bad authenticators or unknown
445                types."
446            REFERENCE
447               "RFC 3576, Section 2.1, Disconnect Messages (DM), and
448                Section 2.3, Packet Format."
449            ::= { radiusDynAuthServerEntry 15 }

451      radiusDynAuthClientCoARequests OBJECT-TYPE
452            SYNTAX      Counter32
453            UNITS       "requests"
454            MAX-ACCESS  read-only
455            STATUS      current
456            DESCRIPTION
457               "The number of RADIUS CoA-Requests sent to this
458                Dynamic Authorization server."
459            REFERENCE
460               "RFC 3576, Section 2.2, Change-of-Authorization
461                Messages (CoA)."
462            ::= { radiusDynAuthServerEntry 16 }

464      radiusDynAuthClientCoARetransmissions OBJECT-TYPE
465            SYNTAX      Counter32
466            UNITS       "retransmissions"
467            MAX-ACCESS  read-only
468            STATUS      current
469            DESCRIPTION
470               "The number of RADIUS CoA-request packets
471                retransmitted to this RADIUS Dynamic authorization
472                server."
473            REFERENCE
474               "RFC 3576, Section 2.2, Change-of-Authorization
475                Messages (CoA)."
476            ::= { radiusDynAuthServerEntry 17 }

478      radiusDynAuthClientCoAAcks OBJECT-TYPE
479            SYNTAX      Counter32
480            UNITS       "replies"
481            MAX-ACCESS  read-only
482            STATUS      current
483            DESCRIPTION
484               "The number of RADIUS CoA-ACK packets
485                received from this Dynamic Authorization server."
486            REFERENCE
487               "RFC 3576, Section 2.2, Change-of-Authorization
488                Messages (CoA)."
489            ::= { radiusDynAuthServerEntry 18 }

491      radiusDynAuthClientCoANaks OBJECT-TYPE
492            SYNTAX      Counter32
493            UNITS       "replies"
494            MAX-ACCESS  read-only
495            STATUS      current
496            DESCRIPTION
497               "The number of RADIUS CoA-NAK packets
498                received from this Dynamic Authorization server."
499            REFERENCE
500               "RFC 3576, Section 2.2, Change-of-Authorization
501                Messages (CoA)."
502            ::= { radiusDynAuthServerEntry 19 }

504      radiusDynAuthClientMalformedCoAResponses OBJECT-TYPE
505            SYNTAX      Counter32
506            UNITS       "replies"
507            MAX-ACCESS  read-only
508            STATUS      current
509            DESCRIPTION
510               "The number of malformed RADIUS CoA-Response
511                packets received from this Dynamic Authorization
512                server. Bad authenticators and unknown types are
513                not included as malformed CoA-Responses."
514            REFERENCE
515               "RFC 3576, Section 2.2, Change-of-Authorization
516                Messages (CoA), and Section 2.3, Packet Format."
517            ::= { radiusDynAuthServerEntry 20 }

519      radiusDynAuthClientCoABadAuthenticators OBJECT-TYPE
520            SYNTAX      Counter32
521            UNITS       "replies"
522            MAX-ACCESS  read-only
523            STATUS      current
524            DESCRIPTION
525               "The number of RADIUS CoA-Response packets
526                which contained invalid Signature attributes
527                received from this Dynamic Authorization server."
528            REFERENCE
529               "RFC 3576, Section 2.2, Change-of-Authorization
530                Messages (CoA), and Section 2.3, Packet Format."
531            ::= { radiusDynAuthServerEntry 21 }

533      radiusDynAuthClientCoAPendingRequests OBJECT-TYPE
534            SYNTAX      Gauge32
535            UNITS       "requests"
536            MAX-ACCESS  read-only
537            STATUS      current
538            DESCRIPTION
539               "The number of RADIUS CoA-request packets destined for
540                this server that have not yet timed out or received a
541                response. This variable is incremented when a
542                CoA-Request is sent and decremented due to receipt of
543                a CoA-Ack, CoA-NAK or a timeout or a retransmission."
544            REFERENCE
545               "RFC 3576, Section 2.2, Change-of-Authorization
546                Messages (CoA)."
547            ::= { radiusDynAuthServerEntry 22 }

549      radiusDynAuthClientCoATimeouts OBJECT-TYPE
550            SYNTAX      Counter32
551            UNITS       "timeouts"
552            MAX-ACCESS  read-only
553            STATUS      current
554            DESCRIPTION
555               "The number of CoA request timeouts to this server.
556                After a timeout the client may retry to the same
557                server or give up. A retry to the same server is
558                counted as a retransmit as well as a timeout. A send to
559                a different server is counted as a CoA-Request as well
560                as a timeout."
561            REFERENCE
562               "RFC 3576, Section 2.2, Change-of-Authorization
563                Messages (CoA)."
564            ::= { radiusDynAuthServerEntry 23 }

566      radiusDynAuthClientCoAPacketsDropped OBJECT-TYPE
567            SYNTAX      Counter32
568            UNITS       "replies"
569            MAX-ACCESS  read-only
570            STATUS      current
571            DESCRIPTION
572               "The number of incoming CoA-Responses from this Dynamic
573                Authorization server silently discarded by the client
574                application for some reason other than malformed, bad
575                authenticators or unknown types."
576            REFERENCE
577               "RFC 3576, Section 2.2, Change-of-Authorization
578                Messages (CoA), and Section 2.3, Packet Format."
579            ::= { radiusDynAuthServerEntry 24 }

581      radiusDynAuthClientUnknownTypes OBJECT-TYPE
582            SYNTAX      Counter32
583            UNITS       "replies"
584            MAX-ACCESS  read-only
585            STATUS      current
586            DESCRIPTION
587               "The number of incoming packets of unknown types
588                which were received on the Dynamic Authorization port."
589            REFERENCE
590               "RFC 3576, Section 2.3, Packet Format."
591            ::= { radiusDynAuthServerEntry 25 }

593      -- conformance information

595      radiusDynAuthClientMIBConformance
596            OBJECT IDENTIFIER ::= { radiusDynAuthClientMIB 2 }
597      radiusDynAuthClientMIBCompliances
598            OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 1 }
599      radiusDynAuthClientMIBGroups
600            OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 2 }

602      -- compliance statements

604      radiusDynAuthClientMIBCompliance MODULE-COMPLIANCE
605            STATUS      current
606            DESCRIPTION
607               "The compliance statement for entities implementing
608                the RADIUS Dynamic Authorization Client."
609            MODULE -- this module
610            MANDATORY-GROUPS { radiusDynAuthClientMIBGroup }
611            ::= { radiusDynAuthClientMIBCompliances 1 }

613      -- units of conformance
614      radiusDynAuthClientMIBGroup OBJECT-GROUP
615            OBJECTS { radiusDynAuthClientInvalidServerAddresses,
616                      radiusDynAuthServerAddressType,
617                      radiusDynAuthServerAddress,
618                      radiusDynAuthServerClientPortNumber,
619                      radiusDynAuthServerID,
620                      radiusDynAuthClientRoundTripTime,
621                      radiusDynAuthClientDisconRequests,
622                      radiusDynAuthClientDisconRetransmissions,
623                      radiusDynAuthClientDisconAcks,
624                      radiusDynAuthClientDisconNaks,
625                      radiusDynAuthClientMalformedDisconResponses,
626                      radiusDynAuthClientDisconBadAuthenticators,
627                      radiusDynAuthClientDisconPendingRequests,
628                      radiusDynAuthClientDisconTimeouts,
629                      radiusDynAuthClientDisconPacketsDropped,
630                      radiusDynAuthClientCoARequests,
631                      radiusDynAuthClientCoARetransmissions,
632                      radiusDynAuthClientCoAAcks,
633                      radiusDynAuthClientCoANaks,
634                      radiusDynAuthClientMalformedCoAResponses,
635                      radiusDynAuthClientCoABadAuthenticators,
636                      radiusDynAuthClientCoAPendingRequests,
637                      radiusDynAuthClientCoATimeouts,
638                      radiusDynAuthClientCoAPacketsDropped,
639                      radiusDynAuthClientUnknownTypes
640                    }
641            STATUS      current
642            DESCRIPTION
643               "The collection of objects providing management of
644                a RADIUS Dynamic Authorization Client."
645            ::= { radiusDynAuthClientMIBGroups 1 }

647      END

649   7. Security Considerations

651      There are no management objects defined in this MIB module that have
652      a MAX-ACCESS clause of read-write and/or read-create. So, if this
653      MIB module is implemented correctly, then there is no risk that an
654      intruder can alter or create any management objects of this MIB
655      module via direct SNMP SET operations.

657      Some of the readable objects in this MIB module (i.e., objects with a
658      MAX-ACCESS other than not-accessible) may be considered sensitive or
659      vulnerable in some network environments. It is thus important to
660      control even GET and/or NOTIFY access to these objects and possibly
661      to even encrypt the values of these objects when sending them over
662      the network via SNMP. These are the tables and objects and their
663      sensitivity/vulnerability:

665      radiusDynAuthServerAddress and radiusDynAuthServerAddressType

667      These can be used to determine the address of the DAS with which the
668      DAC is communicating. This information could be useful in mounting
669      an attack on the DAS.

671      radiusDynAuthServerID

673      This can be used to determine the Identifier of the DAS. This
674      information could be useful in impersonating the DAS.

676      radiusDynAuthServerClientPortNumber

678      This can be used to determine the port number on which the DAC is
679      sending. This information could be useful in mounting an attack on
680      the DAS.

682      The other readable objects are not really considered as being
683      sensitive or vulnerable. These objects are:

685      radiusDynAuthClientInvalidServerAddresses,
686      radiusDynAuthClientRoundTripTime,
687      radiusDynAuthClientDisconRequests,
688      radiusDynAuthClientDisconRetransmissions,
689      radiusDynAuthClientDisconAcks,
690      radiusDynAuthClientDisconNaks,
691      radiusDynAuthClientMalformedDisconResponses,
692      radiusDynAuthClientDisconBadAuthenticators,
693      radiusDynAuthClientDisconPendingRequests,
694      radiusDynAuthClientDisconTimeouts,
695      radiusDynAuthClientDisconPacketsDropped,
696      radiusDynAuthClientCoARequests,
697      radiusDynAuthClientCoARetransmissions,
698      radiusDynAuthClientCoAAcks,
699      radiusDynAuthClientCoANaks,
700      radiusDynAuthClientMalformedCoAResponses,
701      radiusDynAuthClientCoABadAuthenticators,
702      radiusDynAuthClientCoAPendingRequests,
703      radiusDynAuthClientCoATimeouts,
704      radiusDynAuthClientCoAPacketsDropped, and
705      radiusDynAuthClientUnknownTypes.

707      SNMP versions prior to SNMPv3 did not include adequate security.
708      Even if the network itself is secure (for example by using IPSec),
709      even then, there is no control as to who on the secure network is
710      allowed to access and GET/SET (read/change/create/delete) the objects
711      in this MIB module.

713      It is RECOMMENDED that implementers consider the security features as
714      provided by the SNMPv3 framework (see [RFC3410], section 8),
715      including full support for the SNMPv3 cryptographic mechanisms (for
716      authentication and privacy).

718      Further, deployment of SNMP versions prior to SNMPv3 is NOT
719      RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
720      enable cryptographic security. It is then a customer/operator
721      responsibility to ensure that the SNMP entity giving access to an
722      instance of this MIB module is properly configured to give access to
723      the objects only to those principals (users) that have legitimate
724      rights to indeed GET or SET (change/create/delete) them.

726   8. IANA considerations

728      IANA is requested to assign an OID under mib-2.

730   9. Acknowledgements

732      This document reuses some of the work done in earlier RADIUS MIB
733      specifications [RFC2619] and [RFC2621].

735      The authors would also like to acknowledge the following people for
736      their comments to this document: Anjaneyulu Pata, Dan Romascanu, and
737      Bert Wijnen.

739   10. References

741   10.1 Normative References

743      [DYNSERV]  De Cnodder, S., Jonnala, N. and M. Chiba, "RADIUS Dynamic
744                 Authorization Server MIB",
745                 draft-decnodder-radext-dynauth-server-mib-01.txt, work in
746                 progress, June 2004.

748      [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
749                 Requirement Levels", RFC 2119, March 1997.

751      [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
752                 Rose, M. and S. Waldbusser, "Structure of Management
753                 Information Version 2 (SMIv2)", STD 58, RFC 2578, April
754                 1999.

756      [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
757                 Rose, M. and S. Waldbusser, "Textual Conventions for
758                 SMIv2", STD 58, RFC 2579, April 1999.

760      [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
761                 Rose, M. and S. Waldbusser, "Conformance Statements for
762                 SMIv2", STD 58, RFC 2580, April 1999.

764      [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B.
765                 Aboba, "Dynamic Authorization Extensions to Remote
766                 Authentication Dial In User Service (RADIUS)", RFC 3576,
767                 July 2003.

769   10.2 Informative References

771      [RFC2618]  Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB",
772                 RFC 2618, June 1999.

774      [RFC2619]  Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB",
775                 RFC 2619, June 1999.

777      [RFC2620]  Aboba, B. and G. Zorn, "RADIUS Accounting Client MIB",
778                 RFC 2620, June 1999.

780      [RFC2621]  Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB",
781                 RFC 2621, June 1999.

783      [RFC3410]  Case, J., Mundy, R., Partain, D. and B. Stewart,
784                 "Introduction and Applicability Statements for Internet
785                 Standard Management Framework", RFC 3410, December 2002.

787   Authors' Addresses

789      Stefaan De Cnodder
790      Alcatel
791      Francis Wellesplein 1
792      B-2018 Antwerp
793      Belgium

795      Phone: +32 3 240 85 15
796      Email: stefaan.de_cnodder@alcatel.be

798      Nagi Reddy Jonnala
799      Future Soft
800      480 - 481, Anna Salai
801      Nandanam, Chennai
802      India

804      Email: nagi_reddy.jonnala@alcatel.be

806      Murtaza Chiba
807      Cisco Systems, Inc.
808      170 West Tasman Dr.
809      San Jose CA, 95134

811      Phone: +1 408 525 7198
812      Email: mchiba@cisco.com

814   Intellectual Property Statement

816      The IETF takes no position regarding the validity or scope of any
817      Intellectual Property Rights or other rights that might be claimed to
818      pertain to the implementation or use of the technology described in
819      this document or the extent to which any license under such rights
820      might or might not be available; nor does it represent that it has
821      made any independent effort to identify any such rights. Information
822      on the procedures with respect to rights in RFC documents can be
823      found in BCP 78 and BCP 79.

825      Copies of IPR disclosures made to the IETF Secretariat and any
826      assurances of licenses to be made available, or the result of an
827      attempt made to obtain a general license or permission for the use of
828      such proprietary rights by implementers or users of this
829      specification can be obtained from the IETF on-line IPR repository at
830      http://www.ietf.org/ipr.

832      The IETF invites any interested party to bring to its attention any
833      copyrights, patents or patent applications, or other proprietary
834      rights that may cover technology that may be required to implement
835      this standard. Please address the information to the IETF at
836      ietf-ipr@ietf.org.

838   Disclaimer of Validity

840      This document and the information contained herein are provided on an
841      "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
842      OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
843      ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
844      INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
845      INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
846      WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

848   Copyright Statement

850      Copyright (C) The Internet Society (2005). This document is subject
851      to the rights, licenses and restrictions contained in BCP 78, and
852      except as set forth therein, the authors retain all their rights.

854   Acknowledgment

856      Funding for the RFC Editor function is currently provided by the
857      Internet Society.
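
The two claims in Section 7 (no object is read-write or read-create, and four readable objects are sensitive) can be checked mechanically against the module text. The Python script below is an added example, not part of the draft or of the idnits output: it parses a constructed excerpt of the module, reports any writable object, and resolves the objects Section 7 names as sensitive to sub-identifiers relative to radiusDynAuthClientMIB, whose own OID is still "mib-2 xxx". The function names and the SENSITIVE tuple are this example's own.

```python
import re

# Constructed excerpt of RADIUS-DYNAUTH-CLIENT-MIB, cut down to the clauses the
# audit reads: MAX-ACCESS and the "::= { parent n }" assignment.
MIB_EXCERPT = """
radiusDynAuthClientMIBObjects OBJECT IDENTIFIER ::= { radiusDynAuthClientMIB 1 }
radiusDynAuthClient OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBObjects 1 }
radiusDynAuthClientInvalidServerAddresses OBJECT-TYPE
    MAX-ACCESS read-only
    ::= { radiusDynAuthClient 1 }
radiusDynAuthServerTable OBJECT-TYPE
    MAX-ACCESS not-accessible
    ::= { radiusDynAuthClient 2 }
radiusDynAuthServerEntry OBJECT-TYPE
    MAX-ACCESS not-accessible
    INDEX { radiusDynAuthServerIndex }
    ::= { radiusDynAuthServerTable 1 }
radiusDynAuthServerIndex OBJECT-TYPE
    MAX-ACCESS not-accessible
    ::= { radiusDynAuthServerEntry 1 }
radiusDynAuthServerAddressType OBJECT-TYPE
    MAX-ACCESS read-only
    ::= { radiusDynAuthServerEntry 2 }
radiusDynAuthServerAddress OBJECT-TYPE
    MAX-ACCESS read-only
    ::= { radiusDynAuthServerEntry 3 }
radiusDynAuthServerClientPortNumber OBJECT-TYPE
    MAX-ACCESS read-only
    ::= { radiusDynAuthServerEntry 4 }
radiusDynAuthServerID OBJECT-TYPE
    MAX-ACCESS read-only
    ::= { radiusDynAuthServerEntry 5 }
radiusDynAuthClientDisconBadAuthenticators OBJECT-TYPE
    MAX-ACCESS read-only
    ::= { radiusDynAuthServerEntry 12 }
"""

# Objects Section 7 lists as sensitive.
SENSITIVE = (
    "radiusDynAuthServerAddressType",
    "radiusDynAuthServerAddress",
    "radiusDynAuthServerID",
    "radiusDynAuthServerClientPortNumber",
)
ROOT = "radiusDynAuthClientMIB"  # root OID is unassigned ("mib-2 xxx") in the draft

ASSIGN = r"::=\s*\{\s*(\w+)\s+(\d+)\s*\}"
OID_RE = re.compile(r"(\w+)\s+OBJECT\s+IDENTIFIER\s*" + ASSIGN)
OBJ_RE = re.compile(r"(\w+)\s+OBJECT-TYPE\b(.*?)" + ASSIGN, re.S)
ACCESS_RE = re.compile(r"MAX-ACCESS\s+([\w-]+)")


def parse_module(text):
    """Return {name: (parent, sub_id, max_access or None)} for each OID assignment."""
    text = re.sub(r'"[^"]*"', '""', text)   # drop DESCRIPTION/REFERENCE bodies
    text = re.sub(r"--[^\n]*", "", text)    # drop comments (simplified: to end of line)
    nodes = {}
    for name, parent, sub in OID_RE.findall(text):
        nodes[name] = (parent, int(sub), None)
    for name, body, parent, sub in OBJ_RE.findall(text):
        access = ACCESS_RE.search(body)
        nodes[name] = (parent, int(sub), access.group(1) if access else None)
    return nodes


def relative_oid(name, nodes, root=ROOT):
    """Sub-identifiers of `name` below `root`, resolved through the parent chain."""
    path = []
    while name != root:
        if name not in nodes or len(path) > 64:   # unknown parent or a cycle
            raise KeyError(f"{name} does not resolve to {root}")
        parent, sub, _ = nodes[name]
        path.append(sub)
        name = parent
    return tuple(reversed(path))


def audit(text, sensitive=SENSITIVE):
    """Check the Section 7 claims against the module text."""
    nodes = parse_module(text)
    by_access = lambda kinds: sorted(n for n, (_, _, a) in nodes.items() if a in kinds)
    readable = by_access(("read-only", "accessible-for-notify"))
    return {
        "writable": by_access(("read-write", "read-create")),  # Section 7 expects none
        "readable": readable,
        "missing_sensitive": sorted(set(sensitive) - set(readable)),
        "exclude": {n: relative_oid(n, nodes) for n in sensitive if n in nodes},
    }


if __name__ == "__main__":
    report = audit(MIB_EXCERPT)
    print("writable objects:", report["writable"] or "none")
    for name, path in report["exclude"].items():
        print(f"restrict {ROOT}.{'.'.join(map(str, path))}  ({name})")
```

Run against the full module text instead of the excerpt, the same functions give the complete list of readable columns; the relative paths become usable view subtrees once IANA assigns the value under mib-2.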