Network Working Group                                      S. De Cnodder
Internet-Draft                                                   Alcatel
Expires: August 21, 2005                                      N. Jonnala
                                                             Future Soft
                                                                M. Chiba
                                                     Cisco Systems, Inc.
                                                       February 17, 2005

                 RADIUS Dynamic Authorization Server MIB
            draft-decnodder-radext-dynauth-server-mib-03.txt

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she becomes aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.
   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 21, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes the RADIUS dynamic authorization server
   (DAS) functions that support the dynamic authorization extensions as
   defined in RFC 3576.

Table of Contents

   1.    Requirements notation
   2.    Introduction
   3.    The Internet-Standard Management Framework
   4.    Terminology
   5.    Overview
   6.    RADIUS Dynamic Authorization Server MIB Definitions
   7.    Security Considerations
   8.    IANA considerations
   9.    Acknowledgements
   10.   References
   10.1  Normative References
   10.2  Informative References
         Authors' Addresses
         Intellectual Property and Copyright Statements

1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   It is becoming increasingly important to support Dynamic
   Authorization extensions on network access server (NAS) devices to
   handle the Disconnect and Change-of-Authorization (CoA) messages
   described in [RFC3576].  As a result, the effective management of
   RADIUS Dynamic Authorization entities is of considerable importance.
   This MIB complements the managed objects used for managing RADIUS
   authentication and accounting clients as described in [RFC2618] and
   [RFC2620], respectively.

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC2578 [RFC2578], STD 58, RFC2579 [RFC2579] and STD 58, RFC2580
   [RFC2580].

4.  Terminology

   Dynamic Authorization Server (DAS)

      The component that resides on the NAS and processes the
      Disconnect and CoA requests sent by the Dynamic Authorization
      Client, as described in [RFC3576].

   Dynamic Authorization Client (DAC)

      The component that sends the Disconnect and CoA requests to the
      Dynamic Authorization Server, as described in [RFC3576].

   Dynamic Authorization Server Port

      The UDP port on which the Dynamic Authorization Server listens for
      the Disconnect and CoA requests sent by the Dynamic Authorization
      Client.

5.  Overview

   The RADIUS dynamic authorization extensions defined in [RFC3576]
   distinguish between the client function and the server function.
   In RADIUS dynamic authorization, clients send Disconnect-Requests and
   CoA-Requests, and servers reply with Disconnect-Acks, Disconnect-NAKs,
   CoA-Acks, and CoA-NAKs.  Typically, NAS devices implement the DAS
   function, and thus would be expected to implement the RADIUS dynamic
   authorization server MIB, while DACs implement the client function,
   and thus would be expected to implement the RADIUS dynamic
   authorization client MIB.

   However, it is possible for a RADIUS dynamic authorization entity to
   perform both client and server functions.  For example, a RADIUS
   proxy may act as a DAS to one or more DACs, while simultaneously
   acting as a DAC to one or more DASs.  In such situations, it is
   expected that RADIUS entities combining client and server
   functionality will support both the client and server MIBs.

   This memo describes the MIB for dynamic authorization servers and
   relates to the following documents as follows:

   [RFC2618] describes the MIB for a RADIUS authentication client.

   [RFC2619] describes the MIB for a RADIUS authentication server.

   [RFC2620] describes the MIB for a RADIUS accounting client.

   [RFC2621] describes the MIB for a RADIUS accounting server.

   [DYNCLNT] describes the MIB for a RADIUS dynamic authorization
   client.

   A NAS typically implements the MIBs for a RADIUS authentication
   client, a RADIUS accounting client, and a RADIUS dynamic
   authorization server.  However, there is no strict relationship
   between these three MIBs, i.e., one MIB can be implemented without
   implementing the other MIBs.  Similarly, for the other three MIBs
   mentioned above, a typical case would be where the MIBs for a RADIUS
   authentication server, a RADIUS accounting server, and a RADIUS
   dynamic authorization client are implemented by the same device.
   However, these three MIBs can also be implemented independently of
   each other.
   A RADIUS proxy might implement any of these six MIBs, but can also
   implement any subset of them.

              +---------------+                      +---------------+
    User 1----|               |  Disconnect-Request  |               |
              |    Dynamic    |      CoA-Request     |    Dynamic    |
    User 2----| Authorization |<---------------------| Authorization |
              |    Server     |--------------------->|    Client     |
    User 3----|     (DAS)     |    Disconnect-Ack    |     (DAC)     |
              |               |    Disconnect-NAK    |               |
              +---------------+    CoA-Ack/CoA-NAK   +---------------+

                  Figure 1: Mapping of clients and servers.

   This MIB module for the dynamic authorization server contains the
   following:

   1.  Two scalar objects.

   2.  One Dynamic Authorization Client Table.  This table contains one
       row for each DAC that the DAS shares a secret with.

6.  RADIUS Dynamic Authorization Server MIB Definitions

   RADIUS-DYNAUTH-SERVER-MIB DEFINITIONS ::= BEGIN

   IMPORTS
          MODULE-IDENTITY, OBJECT-TYPE,
          Counter32, Integer32, mib-2         FROM SNMPv2-SMI
          SnmpAdminString                     FROM SNMP-FRAMEWORK-MIB
          InetAddressType, InetAddress        FROM INET-ADDRESS-MIB
          MODULE-COMPLIANCE, OBJECT-GROUP     FROM SNMPv2-CONF;

   radiusDynAuthServerMIB MODULE-IDENTITY
          LAST-UPDATED "200502070000Z" -- 7 February 2005
          ORGANIZATION "IETF RADEXT Working Group"
          CONTACT-INFO
                " Stefaan De Cnodder
                  Alcatel
                  Francis Wellesplein 1
                  B-2018 Antwerp
                  Belgium

                  Phone: +32 3 240 85 15
                  EMail: stefaan.de_cnodder@alcatel.be

                  Nagi Reddy Jonnala
                  Future Soft
                  480 - 481, Anna Salai
                  Nandanam, Chennai
                  India

                  EMail: nagi_reddy.jonnala@alcatel.be

                  Murtaza Chiba
                  Cisco Systems, Inc.
                  170 West Tasman Dr.
                  San Jose CA, 95134

                  Phone: +1 408 525 7198
                  EMail: mchiba@cisco.com "
          DESCRIPTION
                "The MIB module for entities implementing the server
                 side of the Dynamic Authorization extensions to the
                 Remote Authentication Dial In User Service (RADIUS)
                 protocol.

                 Copyright (C) The Internet Society (2005).
                 This initial version of this MIB module was published
                 in RFC yyyy; for full legal notices see the RFC itself.
                 Supplementary information may be available on
                 http://www.ietf.org/copyrights/ianamib.html."
          -- RFC Ed.: replace yyyy with actual RFC number & remove this note

          REVISION "200502070000Z" -- 7 February 2005
          DESCRIPTION "Initial version as published in RFC yyyy."
          -- RFC Ed.: replace yyyy with actual RFC number & remove this note
          ::= { radiusDynamicAuthorization 1 }

   radiusDynamicAuthorization OBJECT IDENTIFIER ::= { mib-2 xxx }
   -- The value xxx to be assigned by IANA.

   radiusDynAuthServerMIBObjects OBJECT IDENTIFIER ::=
                                          { radiusDynAuthServerMIB 1 }

   radiusDynAuthServer OBJECT IDENTIFIER ::=
                                   { radiusDynAuthServerMIBObjects 1 }

   radiusDynAuthServerInvalidClientAddresses OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS dynamic authorization messages
                 (both Disconnect and CoA) received from unknown
                 addresses."
          ::= { radiusDynAuthServer 1 }

   radiusDynAuthServerIdentifier OBJECT-TYPE
          SYNTAX SnmpAdminString
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The NAS-Identifier of the RADIUS dynamic authorization
                 server."
          REFERENCE
                "RFC 2865, Section 5.32, NAS-Identifier."
          ::= { radiusDynAuthServer 2 }

   radiusDynAuthClientTable OBJECT-TYPE
          SYNTAX SEQUENCE OF RadiusDynAuthClientEntry
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
                "The (conceptual) table listing the RADIUS dynamic
                 authorization clients with which the server shares a
                 secret."
          ::= { radiusDynAuthServer 3 }

   radiusDynAuthClientEntry OBJECT-TYPE
          SYNTAX RadiusDynAuthClientEntry
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
                "An entry (conceptual row) representing one Dynamic
                 Authorization Client with which the server shares a
                 secret."
          INDEX { radiusDynAuthClientIndex }
          ::= { radiusDynAuthClientTable 1 }

   RadiusDynAuthClientEntry ::= SEQUENCE {
          radiusDynAuthClientIndex                  Integer32,
          radiusDynAuthClientAddressType            InetAddressType,
          radiusDynAuthClientAddress                InetAddress,
          radiusDynAuthServDisconRequests           Counter32,
          radiusDynAuthServDupDisconRequests        Counter32,
          radiusDynAuthServDisconAcks               Counter32,
          radiusDynAuthServDisconNaks               Counter32,
          radiusDynAuthServDisconUserSessRemoved    Counter32,
          radiusDynAuthServMalformedDisconRequests  Counter32,
          radiusDynAuthServDisconBadAuthenticators  Counter32,
          radiusDynAuthServDisconPacketsDropped     Counter32,
          radiusDynAuthServCoARequests              Counter32,
          radiusDynAuthServDupCoARequests           Counter32,
          radiusDynAuthServCoAAcks                  Counter32,
          radiusDynAuthServCoANaks                  Counter32,
          radiusDynAuthServCoAUserSessChanged       Counter32,
          radiusDynAuthServMalformedCoARequests     Counter32,
          radiusDynAuthServCoABadAuthenticators     Counter32,
          radiusDynAuthServCoAPacketsDropped        Counter32,
          radiusDynAuthServUnknownTypes             Counter32
   }

   radiusDynAuthClientIndex OBJECT-TYPE
          SYNTAX Integer32 (1..2147483647)
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
                "A number uniquely identifying each RADIUS dynamic
                 authorization client with which this Dynamic
                 Authorization Server communicates.  This number is
                 allocated by the agent implementing this MIB module,
                 and is unique in this context."
          ::= { radiusDynAuthClientEntry 1 }

   radiusDynAuthClientAddressType OBJECT-TYPE
          SYNTAX InetAddressType
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The type of IP-Address of the RADIUS Dynamic
                 Authorization Client referred to in this table entry."
          ::= { radiusDynAuthClientEntry 2 }

   radiusDynAuthClientAddress OBJECT-TYPE
          SYNTAX InetAddress
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The IP-Address value of the RADIUS Dynamic
                 Authorization Client referred to in this table entry."
          ::= { radiusDynAuthClientEntry 3 }

   radiusDynAuthServDisconRequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-Requests received
                 from this Dynamic Authorization Client."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthClientEntry 4 }

   radiusDynAuthServDupDisconRequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of duplicate RADIUS Disconnect-Request
                 packets received from this Dynamic Authorization
                 Client."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthClientEntry 5 }

   radiusDynAuthServDisconAcks OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-ACK packets
                 sent to this Dynamic Authorization Client."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthClientEntry 6 }

   radiusDynAuthServDisconNaks OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-NAK packets
                 sent to this Dynamic Authorization Client."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthClientEntry 7 }

   radiusDynAuthServDisconUserSessRemoved OBJECT-TYPE
          SYNTAX Counter32
          UNITS "sessions"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of user sessions removed for the
                 Disconnect-Requests received from this
                 Dynamic Authorization Client.  Depending on site
                 specific policies, a single Disconnect request
                 can remove multiple user sessions."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthClientEntry 8 }

   radiusDynAuthServMalformedDisconRequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of malformed RADIUS Disconnect-Request
                 packets received from this Dynamic Authorization
                 Client.  Bad authenticators and unknown types are not
                 included as malformed Disconnect-Requests."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                 Section 2.3, Packet Format."
          ::= { radiusDynAuthClientEntry 9 }

   radiusDynAuthServDisconBadAuthenticators OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-Request packets
                 which contained invalid Signature attributes
                 received from this Dynamic Authorization Client."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                 Section 2.3, Packet Format."
          ::= { radiusDynAuthClientEntry 10 }

   radiusDynAuthServDisconPacketsDropped OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of incoming Disconnect-Requests
                 from this Dynamic Authorization Client silently
                 discarded by the server application for some reason
                 other than malformed, bad authenticators or unknown
                 types."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                 Section 2.3, Packet Format."
          ::= { radiusDynAuthClientEntry 11 }

   radiusDynAuthServCoARequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of CoA requests received from this
                 Dynamic Authorization Client."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthClientEntry 12 }

   radiusDynAuthServDupCoARequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of duplicate RADIUS CoA-Request
                 packets received from this Dynamic Authorization
                 Client."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthClientEntry 13 }

   radiusDynAuthServCoAAcks OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-ACK packets
                 sent to this Dynamic Authorization Client."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthClientEntry 14 }

   radiusDynAuthServCoANaks OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-NAK packets
                 sent to this Dynamic Authorization Client."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthClientEntry 15 }

   radiusDynAuthServCoAUserSessChanged OBJECT-TYPE
          SYNTAX Counter32
          UNITS "sessions"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of user sessions whose authorization was
                 changed for the CoA-Requests received from this
                 Dynamic Authorization Client.  Depending on site
                 specific policies, a single CoA request can change
                 the authorization of multiple user sessions."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthClientEntry 16 }

   radiusDynAuthServMalformedCoARequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of malformed RADIUS CoA-Request
                 packets received from this Dynamic Authorization
                 Client.  Bad authenticators and unknown types are not
                 included as malformed CoA-Requests."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA), and Section 2.3, Packet Format."
          ::= { radiusDynAuthClientEntry 17 }

   radiusDynAuthServCoABadAuthenticators OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-Request packets which
                 contained invalid Signature attributes received
                 from this Dynamic Authorization Client."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA), and Section 2.3, Packet Format."
          ::= { radiusDynAuthClientEntry 18 }

   radiusDynAuthServCoAPacketsDropped OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of incoming CoA packets from this
                 Dynamic Authorization Client silently discarded
                 by the server application for some reason other than
                 malformed, bad authenticators or unknown types."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA), and Section 2.3, Packet Format."
          ::= { radiusDynAuthClientEntry 19 }

   radiusDynAuthServUnknownTypes OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of incoming packets of unknown types
                 which were received on the Dynamic Authorization port."
          REFERENCE
                "RFC 3576, Section 2.3, Packet Format."
          ::= { radiusDynAuthClientEntry 20 }

   -- conformance information

   radiusDynAuthServerMIBConformance
          OBJECT IDENTIFIER ::= { radiusDynAuthServerMIB 2 }
   radiusDynAuthServerMIBCompliances
          OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 1 }
   radiusDynAuthServerMIBGroups
          OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 2 }

   -- compliance statements

   radiusAuthServerMIBCompliance MODULE-COMPLIANCE
          STATUS current
          DESCRIPTION
                "The compliance statement for entities implementing
                 the RADIUS Dynamic Authorization Server."
          MODULE -- this module
                 MANDATORY-GROUPS { radiusDynAuthServerMIBGroup }
          ::= { radiusDynAuthServerMIBCompliances 1 }

   -- units of conformance

   radiusDynAuthServerMIBGroup OBJECT-GROUP
          OBJECTS { radiusDynAuthServerInvalidClientAddresses,
                    radiusDynAuthServerIdentifier,
                    radiusDynAuthClientAddressType,
                    radiusDynAuthClientAddress,
                    radiusDynAuthServDisconRequests,
                    radiusDynAuthServDupDisconRequests,
                    radiusDynAuthServDisconAcks,
                    radiusDynAuthServDisconNaks,
                    radiusDynAuthServDisconUserSessRemoved,
                    radiusDynAuthServMalformedDisconRequests,
                    radiusDynAuthServDisconBadAuthenticators,
                    radiusDynAuthServDisconPacketsDropped,
                    radiusDynAuthServCoARequests,
                    radiusDynAuthServDupCoARequests,
                    radiusDynAuthServCoAAcks,
                    radiusDynAuthServCoANaks,
                    radiusDynAuthServCoAUserSessChanged,
                    radiusDynAuthServMalformedCoARequests,
                    radiusDynAuthServCoABadAuthenticators,
                    radiusDynAuthServCoAPacketsDropped,
                    radiusDynAuthServUnknownTypes
                  }
          STATUS current
          DESCRIPTION
                "The collection of objects providing management of
                 a RADIUS Dynamic Authorization Server."
          ::= { radiusDynAuthServerMIBGroups 1 }

   END

7.  Security Considerations

   There are no management objects defined in this MIB module that have
   a MAX-ACCESS clause of read-write and/or read-create.
   So, if this MIB module is implemented correctly, then there is no
   risk that an intruder can alter or create any management objects of
   this MIB module via direct SNMP SET operations.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

   radiusDynAuthClientAddress and radiusDynAuthClientAddressType

      These can be used to determine the address of the DAC with which
      the DAS is communicating.  This information could be useful in
      mounting an attack on the DAC.

   radiusDynAuthServerIdentifier

      This can be used to determine the Identifier of the DAS.  This
      information could be useful in impersonating the DAS.

   The other readable objects are not really considered as being
   sensitive or vulnerable.  These objects are:

      radiusDynAuthServerInvalidClientAddresses,
      radiusDynAuthServDisconRequests,
      radiusDynAuthServDupDisconRequests,
      radiusDynAuthServDisconAcks,
      radiusDynAuthServDisconNaks,
      radiusDynAuthServDisconUserSessRemoved,
      radiusDynAuthServMalformedDisconRequests,
      radiusDynAuthServDisconBadAuthenticators,
      radiusDynAuthServDisconPacketsDropped,
      radiusDynAuthServCoARequests,
      radiusDynAuthServDupCoARequests,
      radiusDynAuthServCoAAcks,
      radiusDynAuthServCoANaks,
      radiusDynAuthServCoAUserSessChanged,
      radiusDynAuthServMalformedCoARequests,
      radiusDynAuthServCoABadAuthenticators,
      radiusDynAuthServCoAPacketsDropped, and
      radiusDynAuthServUnknownTypes.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is still no control as to who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in
   this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

8.  IANA considerations

   IANA is requested to assign an OID xxx under mib-2.

9.  Acknowledgements

   This document reuses some of the work done in earlier RADIUS MIB
   specifications [RFC2618] and [RFC2620].

   The authors would also like to acknowledge the following people for
   their comments on this document: Anjaneyulu Pata, Dan Romascanu, and
   Bert Wijnen.

10.  References

10.1  Normative References

   [DYNCLNT]  De Cnodder, S., Jonnala, N. and M. Chiba, "RADIUS Dynamic
              Authorization Client MIB",
              draft-decnodder-radext-dynauth-client-mib-01.txt, work in
              progress, June 2004.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M. and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578, April
              1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M. and S.
              Waldbusser, "Textual Conventions for SMIv2", STD 58,
              RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M. and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 3576,
              July 2003.

10.2  Informative References

   [RFC2618]  Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB",
              RFC 2618, June 1999.

   [RFC2619]  Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB",
              RFC 2619, June 1999.

   [RFC2620]  Aboba, B. and G. Zorn, "RADIUS Accounting Client MIB",
              RFC 2620, June 1999.

   [RFC2621]  Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB",
              RFC 2621, June 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D. and B. Stewart,
              "Introduction and Applicability Statements for Internet
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Stefaan De Cnodder
   Alcatel
   Francis Wellesplein 1
   B-2018 Antwerp
   Belgium

   Phone: +32 3 240 85 15
   Email: stefaan.de_cnodder@alcatel.be

   Nagi Reddy Jonnala
   Future Soft
   480 - 481, Anna Salai
   Nandanam, Chennai
   India

   Email: nagi_reddy.jonnala@alcatel.be

   Murtaza Chiba
   Cisco Systems, Inc.
   170 West Tasman Dr.
   San Jose CA, 95134

   Phone: +1 408 525 7198
   Email: mchiba@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.
   Information on the procedures with respect to rights in RFC documents
   can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.
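The DAS receive path that the counters of Sections 5 through 7 instrument, as an added example that is not the draft's own code: it checks the source against the client table, rejects malformed packets, verifies the RFC 3576 Request Authenticator, detects DAC retransmissions, and increments the MIB objects by name before answering with a reply carrying a Response Authenticator. The DAC address, shared secret and session store are constructed, and using Acct-Session-Id and Filter-Id to select and alter a session is an assumption of this example.

```python
import hashlib
import struct
from collections import Counter

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42     # RFC 3576 Codes
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
KINDS = {DISCONNECT_REQUEST: ("Discon", DISCONNECT_ACK, DISCONNECT_NAK),
         COA_REQUEST: ("CoA", COA_ACK, COA_NAK)}
FILTER_ID, ACCT_SESSION_ID = 11, 44   # attribute Types assumed here to select/alter a session
HEADER_LEN = 20                       # Code(1) Identifier(1) Length(2) Authenticator(16)

def header(code, ident, attrs):
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
def pack_attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value

def parse_attrs(attrs):
    """TLV walk: {Type: value} (first occurrence wins), or None if malformed."""
    out, pos = {}, 0
    while pos < len(attrs):
        alen = attrs[pos + 1] if len(attrs) - pos >= 2 else 0
        if alen < 2 or pos + alen > len(attrs):       # no Length, Length < 2, or overrun
            return None
        out.setdefault(attrs[pos], attrs[pos + 2:pos + alen])
        pos += alen
    return out

def request_authenticator(hdr, attrs, secret):
    """RFC 3576 Section 2.3: MD5(Code+ID+Length+16 zero octets+attrs+secret)."""
    return hashlib.md5(hdr + bytes(16) + attrs + secret).digest()

def build_request(code, ident, attrs, secret):   # what the DAC sends
    hdr = header(code, ident, attrs)
    return hdr + request_authenticator(hdr, attrs, secret) + attrs

def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+attrs+secret)."""
    hdr = header(code, ident, attrs)
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

class DynAuthServer:   # scalars: the two scalar objects; per_client: a Counter per DAC entry
    def __init__(self, clients, sessions):
        self.clients = clients            # DAC address -> shared secret (client table)
        self.sessions = sessions          # Acct-Session-Id -> session state
        self.scalars = Counter()
        self.per_client = {addr: Counter() for addr in clients}
        self.replied = {}                 # (addr, Identifier) -> (req auth, response)

    def receive(self, src, packet):
        """Handle one datagram; return the response bytes, or None if dropped."""
        secret = self.clients.get(src)
        if secret is None:                # no shared secret with this source
            self.scalars["radiusDynAuthServerInvalidClientAddresses"] += 1
            return None
        c, code = self.per_client[src], (packet[0] if packet else None)
        if code not in KINDS:
            c["radiusDynAuthServUnknownTypes"] += 1
            return None
        kind, ack, nak = KINDS[code]
        c["radiusDynAuthServ%sRequests" % kind] += 1     # every request received
        length = int.from_bytes(packet[2:4], "big")
        parsed = parse_attrs(packet[20:length]) if HEADER_LEN <= length <= len(packet) else None
        if parsed is None:
            c["radiusDynAuthServMalformed%sRequests" % kind] += 1
            return None
        ident, req_auth, attrs = packet[1], packet[4:20], packet[20:length]
        if req_auth != request_authenticator(packet[:4], attrs, secret):
            c["radiusDynAuthServ%sBadAuthenticators" % kind] += 1   # wrong secret / forged
            return None
        if self.replied.get((src, ident), (None,))[0] == req_auth:  # DAC retransmission
            c["radiusDynAuthServDup%sRequests" % kind] += 1
            return self.replied[(src, ident)][1]         # resend, do not re-apply
        sid = parsed.get(ACCT_SESSION_ID)
        session, reply = self.sessions.get(sid), ack
        if session is None:
            reply = nak                                  # session context not found
        elif code == DISCONNECT_REQUEST:
            del self.sessions[sid]
            c["radiusDynAuthServDisconUserSessRemoved"] += 1
        else:
            session["filter_id"] = parsed.get(FILTER_ID)
            c["radiusDynAuthServCoAUserSessChanged"] += 1
        response = build_response(reply, ident, req_auth, b"", secret)
        self.replied[(src, ident)] = (req_auth, response)
        return response

def demo():
    """Constructed exchange (assumed DAC address, secret and sessions)."""
    secret, dac = b"constructed-secret", "192.0.2.10"
    das = DynAuthServer({dac: secret}, {b"s-1": {"user": "alice"}, b"s-2": {"user": "bob"}})
    disc = build_request(DISCONNECT_REQUEST, 7, pack_attr(ACCT_SESSION_ID, b"s-1"), secret)
    first, again = das.receive(dac, disc), das.receive(dac, disc)   # valid, then retransmitted
    coa = build_request(COA_REQUEST, 8, pack_attr(ACCT_SESSION_ID, b"s-2")
                        + pack_attr(FILTER_ID, b"guest"), secret)
    coa_reply = das.receive(dac, coa)
    das.receive(dac, build_request(COA_REQUEST, 9, pack_attr(ACCT_SESSION_ID, b"s-2"), b"wrong"))
    das.receive(dac, header(DISCONNECT_REQUEST, 10, b"\x2c\x01") + bytes(16) + b"\x2c\x01")  # Length 1
    das.receive(dac, bytes([99, 11, 0, 20]) + bytes(16))                                   # unknown Code
    das.receive("198.51.100.5", disc)                                   # not in the client table
    return das, first, again, coa_reply
```

Every received request is counted in the Requests object and then classified, so a duplicate or malformed packet raises two counters, which is how the per-client objects of Section 6 are meant to be read together.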