Internet Draft                                               Mark Bakke
                                                             Jim Muchow
Expires August 2002                                       Cisco Systems
                                                          February 2002

       Definitions of Managed Objects for User Identity Authentication

1.  Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

1.1.  Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

2.  Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in TCP/IP based internets.
   In particular it defines objects for managing user identities and the
   names, addresses, and credentials required to authenticate them, for
   use with various protocols.  This draft was motivated by the need for
   the configuration of authenticated user identities for the iSCSI
   protocol [ISCSI], but has been extended to be useful for other
   protocols that have similar requirements.  It is important to note
   that this MIB provides only the set of identities and the means to
   authenticate them; it is the responsibility of other MIBs making use
   of this one to tie them to authorization lists.

3.  Acknowledgments

   In addition to the authors, several people contributed to the
   development of this MIB through discussions of authentication,
   authorization, and access within the iSCSI MIB and security teams,
   including John Hufferd, Marjorie Krueger, Keith McCloghrie, Tom
   McSweeney, Steve Senum, and Josh Tseng.

   Thanks especially to Keith McCloghrie for serving as advisor for this
   MIB.

4.  The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2571 [RFC2571].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management.  The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      STD 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC
      1215 [RFC1215].  The second version, called SMIv2, is described
      in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and
      STD 58, RFC 2580 [RFC2580].

   o  Message protocols for transferring management information.  The
      first version of the SNMP message protocol is called SNMPv1 and
      described in STD 15, RFC 1157 [RFC1157].  A second version of
      the SNMP message protocol, which is not an Internet standards
      track protocol, is called SNMPv2c and described in RFC 1901
      [RFC1901] and RFC 1906 [RFC1906].  The third version of the
      message protocol is called SNMPv3 and described in RFC 1906
      [RFC1906], RFC 2572 [RFC2572] and RFC 2574 [RFC2574].

   o  Protocol operations for accessing management information.  The
      first set of protocol operations and associated PDU formats is
      described in STD 15, RFC 1157 [RFC1157].  A second set of
      protocol operations and associated PDU formats is described in
      RFC 1905 [RFC1905].

   o  A set of fundamental applications described in RFC 2573
      [RFC2573] and the view-based access control mechanism described
      in RFC 2575 [RFC2575].

   A more detailed introduction to the current SNMP Management Framework
   can be found in RFC 2570 [RFC2570].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2.  A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations.  The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64).  Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process.  However, this loss of machine
   readable information is not considered to change the semantics of the
   MIB.

   This MIB will be used to configure and/or look at the configuration
   of user identities and their authentication information.  For the
   purposes of this MIB, a "user" identity does not need to be an actual
   person; a user can also be a host, an application, a cluster of
   hosts, or any other identifiable entity that can be authenticated and
   granted access to a resource.
   Most objects in this MIB have a MAX-ACCESS of read-create; the MIB is
   intended to allow configuration of user identities and their names,
   addresses, and credentials.  MIN-ACCESS for all objects is read-only
   for those implementations that configure through other means, but
   require the ability to monitor user identities.

5.  Relationship to Other MIBs

   The identity authentication MIB does not directly address objects
   within other MIBs.  The identity address objects contain IPv4, IPv6,
   or other address types, and as such may be indirectly related to
   objects within the IPv4 MIB [RFC1213, RFC2011] or IPv6 [RFC2465] MIB.

   This MIB does not cover authorization.  This should generally be done
   in MIBs that reference identities in this one.  It also does not
   cover login or authentication failure statistics or notifications, as
   these are all fairly application-specific, and not generic enough to
   include here.

   The user identity objects within this MIB are typically referenced
   from other MIBs by a RowPointer within that MIB.  A MIB containing
   resources for which it requires a list of authorized user identities
   may create such a list, with a single RowPointer within each list
   element pointing to a user identity within this MIB.  This is neither
   required nor restricted by this MIB.

6.  Discussion

   This MIB structure is intended to allow the configuration of a list
   of user identities, each with a list of names, addresses,
   credentials, and certificates which when combined will authenticate
   that identity.

   The authentication MIB is structured around two primary "objects",
   the authentication instance, and the identity, which serve as
   containers for the remainder of the objects.  This section contains a
   brief description of the "object" hierarchy and a description of each
   object, followed by a discussion of the actual SNMP table structure
   within the objects.

6.1.  Identity Authentication MIB Object Model

   The top-level object in this structure is the authentication
   instance, which "contains" all of the other objects.  The indexing
   hierarchy of this MIB looks like:

   ipsAuthInstance
     -- A distinct authentication entity within the managed system.
     -- Most implementations will have just one of these.
     ipsAuthCertificate
       -- A public key certificate, which can be pointed to by
       -- an ipsAuthIdentity.
     ipsAuthIdentity
       -- A user identity, consisting of a set of identity names,
       -- addresses, and credentials reflected in the following
       -- objects, as well as a RowPointer to an ipsAuthCertificate.
       ipsAuthIdentityName
         -- A name for a user identity.  A name should be globally
         -- unique, and unchanging over time.  Some protocols may
         -- not require this one.
       ipsAuthIdentityAddress
         -- An address range, typically but not necessarily an
         -- IPv4 or IPv6 address range, at which the identity is
         -- allowed to reside.
       ipsAuthCredential
         -- A single credential, such as a CHAP username/password,
         -- which can authenticate the identity.
         ipsAuthCredChap
           -- CHAP-specific attributes for an ipsAuthCredential
         ipsAuthCredSrp
           -- SRP-specific attributes
         ipsAuthCredSpkm
           -- SPKM-specific attributes
         ipsAuthCredKerberos
           -- Kerberos-specific attributes

   An identity can contain multiple names, addresses, and credentials.

   Work - Add some examples here.

   Work - need examples showing how this can work on a client and a
   server, for mutual authentication.

6.2.  ipsAuthInstance

   The ipsAuthInstanceAttributesTable is the primary table of the
   authentication MIB.  Every other table entry in this MIB includes the
   index of an ipsAuthInstanceAttributesEntry as its primary index.  An
   authentication instance is basically a managed set of identities.
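   The following is an added example, not part of this draft, that
   models one authentication instance's identities as the hierarchy in
   Section 6.1 describes and applies the matching rules that Sections
   6.5 to 6.7 give: an empty name or address list is not checked, any
   one matching name or address range is valid, and the AuthMethod OID
   selects the credential table.  The method OIDs are derived from the
   arcs in Section 7 (experimental 99999 placeholder); the CHAP check
   follows RFC 1994 with MD5; the identities, addresses and secrets are
   constructed for the example.

```python
"""Model of the IPS-AUTH-MIB hierarchy (6.1) and matching rules (6.5-6.7).
Added example; not code from the draft."""
from dataclasses import dataclass, field
from hashlib import md5
from hmac import compare_digest
from typing import Callable, Dict, List, Optional

# Method descriptor OIDs from the Section 7 arcs: experimental = 1.3.6.1.3,
# ipsAuthModule = { experimental 99999 }, ipsAuthObjects 1,
# ipsAuthDescriptors 1, ipsAuthMethodTypes 1, then Srp 2 / Chap 3.
IPS_AUTH_METHOD_TYPES = "1.3.6.1.3.99999.1.1.1"
IPS_AUTH_METHOD_SRP = IPS_AUTH_METHOD_TYPES + ".2"
IPS_AUTH_METHOD_CHAP = IPS_AUTH_METHOD_TYPES + ".3"

# InetAddressType values from INET-ADDRESS-MIB: ipv4(1), ipv6(2).
IPV4, IPV6 = 1, 2


@dataclass
class AddrRange:
    """One ipsAuthIdentAddrAttributesEntry: type plus inclusive start/end."""
    addr_type: int
    start: bytes   # InetAddress octets
    end: bytes

    def contains(self, addr_type: int, addr: bytes) -> bool:
        # Type and octet length must agree; equal-length byte strings compare
        # in big-endian numeric order, so start <= addr <= end is the range test.
        if addr_type != self.addr_type or len(addr) != len(self.start):
            return False
        return self.start <= addr <= self.end


@dataclass
class Credential:
    """One ipsAuthCredentialAttributesEntry plus its method-specific row."""
    method_oid: str
    attrs: dict    # e.g. the ipsAuthCredChap username and password


@dataclass
class Identity:
    """ipsAuthIdentAttributesEntry with its name, address and credential rows."""
    description: str
    names: List[str] = field(default_factory=list)
    addresses: List[AddrRange] = field(default_factory=list)
    credentials: List[Credential] = field(default_factory=list)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || challenge)."""
    return md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def verify_chap(cred: Credential, presented: dict) -> bool:
    """Check a presented CHAP exchange against the expected username/password."""
    if presented.get("username") != cred.attrs["username"]:
        return False
    expected = chap_response(presented["id"], cred.attrs["password"],
                             presented["challenge"])
    return compare_digest(expected, presented["response"])


# AuthMethod OID -> verifier for the table that OID selects (Section 6.7).
# Methods without a registered verifier (SRP, Kerberos, SPKM, enterprise OIDs
# defined in other MIBs) fail closed here.
VERIFIERS: Dict[str, Callable[[Credential, dict], bool]] = {
    IPS_AUTH_METHOD_CHAP: verify_chap,
}


def authenticate(identities: Dict[int, Identity], name: Optional[str],
                 addr_type: int, addr: bytes, method_oid: str,
                 presented: dict) -> Optional[int]:
    """Return the ipsAuthIdentIndex the peer authenticates as, or None."""
    for index, ident in identities.items():
        if ident.names and name not in ident.names:          # 6.5: any name
            continue
        if ident.addresses and not any(                      # 6.6: any range
                r.contains(addr_type, addr) for r in ident.addresses):
            continue
        for cred in ident.credentials:                       # 6.7: by method
            verifier = VERIFIERS.get(cred.method_oid)
            if cred.method_oid == method_oid and verifier and \
                    verifier(cred, presented):
                return index
    return None


# Constructed sample instance: identity 1 is pinned to an IPv4 range, identity 2
# has no address rows and so is not address-checked (6.6).
SECRET1, SECRET2 = b"constructed-secret-1", b"constructed-secret-2"
SAMPLE_IDENTITIES = {
    1: Identity("constructed initiator",
                names=["iqn.2002-02.com.example:initiator1"],
                addresses=[AddrRange(IPV4, bytes([192, 0, 2, 10]),
                                     bytes([192, 0, 2, 20]))],
                credentials=[Credential(IPS_AUTH_METHOD_CHAP,
                                        {"username": "init1", "password": SECRET1})]),
    2: Identity("constructed roaming host",
                names=["iqn.2002-02.com.example:roaming"],
                credentials=[Credential(IPS_AUTH_METHOD_CHAP,
                                        {"username": "roam", "password": SECRET2})]),
}


def sample_login(name: str, addr: bytes, username: str, secret: bytes,
                 method_oid: str = IPS_AUTH_METHOD_CHAP) -> Optional[int]:
    """Drive authenticate() with a constructed CHAP exchange from the peer."""
    chap_id, challenge = 7, b"constructed-challenge"
    presented = {"username": username, "id": chap_id, "challenge": challenge,
                 "response": chap_response(chap_id, secret, challenge)}
    return authenticate(SAMPLE_IDENTITIES, name, IPV4, addr, method_oid, presented)
```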
   Many implementations will include just one authentication instance
   row in this table.  However, there will be cases where multiple rows
   in this table may be used:

   - A large system may be "partitioned" into multiple, distinct virtual
     systems, perhaps sharing the SNMP agent but not their lists of
     identities.  Each virtual system would have its own authentication
     instance.

   - A set of stackable systems, each with their own set of identities,
     may be managed by a common SNMP agent.  Each individual system
     would have its own authentication instance.

   - Multiple protocols, each with their own set of identities, may
     exist within a single system and be managed by a single SNMP agent.
     In this case, each protocol may have its own authentication
     instance.

6.3.  ipsAuthCertificate

   The ipsAuthCertAttributesTable contains a list of certificates which
   can be used to authenticate user identities within the
   ipsAuthIdentAttributesTable.  Rather than copying each certificate
   for each of its uses within the identities, the certificates are
   instead kept in their own list, and may be pointed to by individual
   identities.  This avoids duplication of certificates that may be used
   by more than one identity, as well as providing a way to keep track
   of certificates that are not currently in use by any given identity.

   The attribute ipsAuthCert contains the binary certificate, in X.509
   format [X.509].

   WORK - Need to say which attribute matches the identifier.

   WORK - some other references that may be helpful (remove if not):

      RFC2538 - Storing Certificates in the Domain Name System

      RFC2693 - SPKI Certificate Theory

      RFC2797 - Certificate Management Messages over CMS

   If the implementation making use of this MIB does not require the use
   of public key certificates, this table will be empty.

6.4.  ipsAuthIdentity

   The ipsAuthIdentAttributesTable contains one entry for each
   configured user identity.  The identity contains only a description
   of what the identity is used for; its attributes are all contained in
   other tables, since they can have multiple values.

   Other MIBs containing lists of users authorized to access a
   particular resource should generally contain a RowPointer to the
   ipsAuthIdentAttributesEntry which will, if authenticated, be allowed
   access.

   All other table entries make use of the indices to this table as
   their primary indices.

6.5.  ipsAuthIdentityName

   The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names,
   each of which belongs to, and may be used to identify, a particular
   identity in the authIdentity table.

   Implementations making use of the authentication MIB may identify
   their resources by names, addresses, or both.  A name is typically a
   unique (within the required scope), unchanging identifier for a
   resource.  It will normally meet some or all of the requirements for a
   Uniform Resource Name [RFC1737], although a name in the context of
   this MIB does not need to be a URN.  Identifiers that typically
   change over time should generally be placed into the
   ipsAuthIdentityAddress table; names that have no uniqueness
   properties should usually be placed into the description attribute
   for the identity.

   An example of an identity name is the iSCSI Name, defined in [ISCSI].

   If this table contains no entries associated with a particular user
   identity, the implementation does not need to check any name
   parameters when authenticating that identity.  If the table contains
   multiple entries associated with a particular user identity, the
   implementation should consider a match with any one of these entries
   to be valid.

6.6.  ipsAuthIdentityAddress

   The ipsAuthIdentAddrAttributesTable contains a list of addresses at
   which the identity may be authenticated.  For example, an identity
   may be allowed access to a resource only from a certain IP address,
   or only if its address is in a certain range or set of ranges.

   Each entry contains a starting and ending address.  If a single
   address is desired in the list, both starting and ending addresses
   should be identical.

   Each entry contains an AddrType attribute.  This attribute contains
   an enumeration registered as an IANA Address Family type [IANA-AF].
   Although many implementations will use IPv4 or IPv6 address types for
   these entries, any IANA-registered type may be used, as long as it
   makes sense to the application.

   Matching any address within any range within the list associated with
   a particular identity is considered to be a valid match.  If no
   entries are present in this list for a given identity, its address is
   not checked during authentication.

   WORK: Is it better to make ending == starting for a single address,
   or should the attribute simply not be returned?

   WORK: Is there any point to having a netmask if we have a range?

6.7.  ipsAuthCredential

   The ipsAuthCredentialAttributesTable contains a list of credentials,
   each of which may authenticate a particular identity.

   Each credential contains an authentication method to be used, such as
   CHAP [RFC1994], SRP [RFC2945], Kerberos [RFC1510], or SPKM [RFC2025].
   This attribute contains an object identifier instead of an enumerated
   type, allowing other MIBs to add their own authentication methods,
   without modifying this MIB.

   For each entry in this table, there will exist an entry in another
   table containing its attributes.
   The table in which to place the entry depends on the AuthMethod
   attribute:

   CHAP      If the AuthMethod is set to the CHAP OID, an entry using the
             same indices as the ipsAuthCredential will exist in the
             ipsAuthCredChap table, which contains the CHAP username and
             password expected.

   SRP       If the AuthMethod is set to the SRP OID, an entry using the
             same indices as the ipsAuthCredential will exist in the
             ipsAuthCredSrp table, which contains the SRP username,
             password verifier, and salt.

   SPKM      If the AuthMethod is set to the SPKM OID, an entry using the
             same indices as the ipsAuthCredential will exist in the
             ipsAuthCredSpkm table, which contains the indices of the
             authCertificate entries that are expected.

   Kerberos  If the AuthMethod is set to the Kerberos OID, an entry using
             the same indices as the ipsAuthCredential will exist in the
             ipsAuthCredKerberos table.  Contents are TBD.

   Other     If the AuthMethod is set to any OID not defined in this MIB,
             an entry using the same indices as the ipsAuthCredential
             entry should be placed in the other MIB that defines whatever
             attributes are needed for that type of credential.

6.8.  IP and Other Addresses

   WORK: Re-write based on address family types.

   The IP addresses in this MIB are represented by two attributes, one
   of type InetAddressType, and the other of type InetAddress.  These
   are taken from [IPV6MIB], which is an update to [RFC2851] specifying
   how to support addresses that may be either IPv4 or IPv6.

6.9.  Descriptors: Using OIDs in Place of Enumerated Types

   Some attributes, particularly the authentication method attribute,
   would normally require an enumerated type.  However, implementations
   will likely need to add new authentication method types of their own,
   without extending this MIB.  To make this work, the MIB defines a set
   of object identities within ipsAuthDescriptors.  Each of these object
   identities is basically an enumerated type.

   Attributes that make use of these object identities have a value
   which is an OID instead of an enumerated type.  These OIDs can either
   indicate the object identities defined in this MIB, or object
   identities defined elsewhere, such as in an enterprise MIB.  Those
   implementations that add their own authentication methods should also
   define a corresponding object identity for each of these methods
   within their own enterprise MIB, and return its OID whenever one of
   these attributes is using that method.

6.10.  Notifications

   Monitoring of authentication failures and other notification events
   are outside the scope of this MIB, as they are generally
   application-specific.  No notifications are provided or required.

7.  MIB Definitions

IPS-AUTH-MIB DEFINITIONS ::= BEGIN
-- 2/21-2002 Initial version

-- still some work to do (editor search for "Work")

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, NOTIFICATION-TYPE,
    Unsigned32,
    experimental
        FROM SNMPv2-SMI

    TEXTUAL-CONVENTION, RowStatus,
    AutonomousType
        FROM SNMPv2-TC

    MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
        FROM SNMPv2-CONF

    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB   -- RFC 2571

    -- These are from draft-ietf-ops-rfc2851-update-06.txt
    -- You will have to work out the details with your own
    -- compiler, because they are so new.
    InetAddressType, InetAddress
        FROM INET-ADDRESS-MIB
    ;

ipsAuthModule MODULE-IDENTITY
    LAST-UPDATED "200202210000Z"
    ORGANIZATION "IETF IPS Working Group"
    CONTACT-INFO
        "
        Mark Bakke
        Postal: Cisco Systems, Inc
        6450 Wedgwood Road, Suite 130
        Maple Grove, MN
        USA 55311

        Tel: +1 763-398-1000
        Fax: +1 763-398-1001

        E-mail: mbakke@cisco.com"
    DESCRIPTION
        "The IP Storage Authorization MIB module."
    REVISION "200202210000Z" -- February 21, 2002
    DESCRIPTION
        "Initial revision published as RFC xxxx."

    --::= { mib-2 xx } -- to be assigned by IANA.
    ::= { experimental 99999 } -- in case you want to COMPILE

ipsAuthObjects        OBJECT IDENTIFIER ::= { ipsAuthModule 1 }
ipsAuthNotifications  OBJECT IDENTIFIER ::= { ipsAuthModule 2 }
ipsAuthConformance    OBJECT IDENTIFIER ::= { ipsAuthModule 3 }

-- Textual Conventions

------------------------------------------------------------------------

ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 }

ipsAuthMethodTypes OBJECT IDENTIFIER ::= { ipsAuthDescriptors 1 }

ipsAuthMethodNone OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "The authoritative identifier when no authentication
        method is used."
    REFERENCE "iSCSI Protocol Specification."
    ::= { ipsAuthMethodTypes 1 }

ipsAuthMethodSrp OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is SRP."
    REFERENCE "iSCSI Protocol Specification."
    ::= { ipsAuthMethodTypes 2 }

ipsAuthMethodChap OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is CHAP."
    REFERENCE "iSCSI Protocol Specification."
    ::= { ipsAuthMethodTypes 3 }

ipsAuthMethodKrb5 OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is KRB-5."
    REFERENCE "iSCSI Protocol Specification."
    ::= { ipsAuthMethodTypes 4 }

ipsAuthMethodSpkm1 OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is SPKM-1."
    REFERENCE "iSCSI Protocol Specification."
    ::= { ipsAuthMethodTypes 5 }

ipsAuthMethodSpkm2 OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is SPKM-2."
    REFERENCE "iSCSI Protocol Specification."
    ::= { ipsAuthMethodTypes 6 }

----------------------------------------------------------------------

ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 }

-- Instance Attributes Table

ipsAuthInstanceAttributesTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpsAuthInstanceAttributesEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A list of iSCSI instances present on the system."
    ::= { ipsAuthInstance 2 }

ipsAuthInstanceAttributesEntry OBJECT-TYPE
    SYNTAX IpsAuthInstanceAttributesEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry (row) containing management information applicable
        to a particular iSCSI instance."
    INDEX { ipsAuthInstIndex }
    ::= { ipsAuthInstanceAttributesTable 1 }

IpsAuthInstanceAttributesEntry ::= SEQUENCE {
    ipsAuthInstIndex    Unsigned32,
    ipsAuthInstDescr    SnmpAdminString
}

ipsAuthInstIndex OBJECT-TYPE
    SYNTAX Unsigned32 (1..4294967295)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a particular
        authentication instance."
    ::= { ipsAuthInstanceAttributesEntry 1 }

ipsAuthInstDescr OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "An octet string, determined by the implementation to describe
        the authentication instance.  When only a single instance is
        present, this object may be set to the zero-length string; with
        multiple authentication instances, it may be used in an
        implementation-dependent manner to describe the purpose of the
        respective instance."
    ::= { ipsAuthInstanceAttributesEntry 2 }

ipsAuthCertificate OBJECT IDENTIFIER ::= { ipsAuthObjects 3 }

-- Authorized Certificate Attributes Table

ipsAuthCertAttributesTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpsAuthCertAttributesEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A list of certificates that may be used to authenticate
        user identities."
    ::= { ipsAuthCertificate 1 }

ipsAuthCertAttributesEntry OBJECT-TYPE
    SYNTAX IpsAuthCertAttributesEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a certificate which may be used to authenticate
        a user identity within an authentication instance."
    INDEX { ipsAuthInstIndex, ipsAuthCertIndex }
    ::= { ipsAuthCertAttributesTable 1 }

IpsAuthCertAttributesEntry ::= SEQUENCE {
    ipsAuthCertIndex        Unsigned32,
    ipsAuthCertDescription  SnmpAdminString,
    ipsAuthCertIdentity     OCTET STRING,
    ipsAuthCert             OCTET STRING,
    ipsAuthCertRowStatus    RowStatus
}

ipsAuthCertIndex OBJECT-TYPE
    SYNTAX Unsigned32 (1..4294967295)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a particular
        certificate instance within an authentication instance present
        on the node."
    ::= { ipsAuthCertAttributesEntry 1 }

ipsAuthCertDescription OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "An octet string describing this certificate."
    ::= { ipsAuthCertAttributesEntry 2 }

ipsAuthCertIdentity OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "An octet string, which is either a copy of the XXX attribute
        from the certificate, or an empty string.  If this attribute
        is not empty, it MUST match value of the XXX attribute from
        the certificate."
    ::= { ipsAuthCertAttributesEntry 3 }

ipsAuthCert OBJECT-TYPE
    SYNTAX OCTET STRING
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The certificate, encoded in X.509 format."
    ::= { ipsAuthCertAttributesEntry 4 }

ipsAuthCertRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCertAttributesEntry 5 }

ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 4 }

-- iSCSI User Identity Attributes Table

ipsAuthIdentAttributesTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpsAuthIdentAttributesEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A list of user identities, each belonging to a particular
        ipsAuthInstance."
    ::= { ipsAuthIdentity 1 }

ipsAuthIdentAttributesEntry OBJECT-TYPE
    SYNTAX IpsAuthIdentAttributesEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry (row) containing management information
        describing a user identity
        within an authentication instance on this node."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex }
    ::= { ipsAuthIdentAttributesTable 1 }

IpsAuthIdentAttributesEntry ::= SEQUENCE {
    ipsAuthIdentIndex        Unsigned32,
    ipsAuthIdentDescription  SnmpAdminString,
    ipsAuthIdentRowStatus    RowStatus
}

ipsAuthIdentIndex OBJECT-TYPE
    SYNTAX Unsigned32 (1..4294967295)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a particular
        identity instance within an authentication instance present
        on the node."
    ::= { ipsAuthIdentAttributesEntry 1 }

ipsAuthIdentDescription OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "An octet string describing this particular identity."
680 ::= { ipsAuthIdentAttributesEntry 2 } 682 ipsAuthIdentRowStatus OBJECT-TYPE 683 SYNTAX RowStatus 684 MAX-ACCESS read-create 685 STATUS current 686 DESCRIPTION 687 "This field allows entries to be dynamically added and 688 removed from this table via SNMP." 689 ::= { ipsAuthIdentAttributesEntry 3 } 691 ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 5 } 693 -- iSCSI User Initiator Name Attributes Table 695 ipsAuthIdentNameAttributesTable OBJECT-TYPE 696 SYNTAX SEQUENCE OF IpsAuthIdentNameAttributesEntry 697 MAX-ACCESS not-accessible 698 STATUS current 699 DESCRIPTION 700 "A list of unique names that can be used to positively 701 identify a particular user identity." 702 ::= { ipsAuthIdentityName 1 } 704 ipsAuthIdentNameAttributesEntry OBJECT-TYPE 705 SYNTAX IpsAuthIdentNameAttributesEntry 706 MAX-ACCESS not-accessible 707 STATUS current 708 DESCRIPTION 709 "An entry (row) containing management information 710 applicable to a unique identity name which can be used 711 to uniquely identify a user identity within a particular 712 authentication instance." 713 INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthIdentNameIndex } 714 ::= { ipsAuthIdentNameAttributesTable 1 } 716 IpsAuthIdentNameAttributesEntry ::= SEQUENCE { 717 ipsAuthIdentNameIndex Unsigned32, 718 ipsAuthIdentName SnmpAdminString, 719 ipsAuthIdentNameRowStatus RowStatus 720 } 721 ipsAuthIdentNameIndex OBJECT-TYPE 722 SYNTAX Unsigned32 (1..4294967295) 723 MAX-ACCESS not-accessible 724 STATUS current 725 DESCRIPTION 726 "An arbitrary integer used to uniquely identify a particular 727 identity name instance within an ipsAuthIdentity within an 728 authentication instance." 729 ::= { ipsAuthIdentNameAttributesEntry 1 } 731 ipsAuthIdentName OBJECT-TYPE 732 SYNTAX SnmpAdminString 733 MAX-ACCESS read-create 734 STATUS current 735 DESCRIPTION 736 "A character string which is the unique name of an 737 identity that may be used to identify this 738 ipsAuthIdent entry." 
    ::= { ipsAuthIdentNameAttributesEntry 2 }

ipsAuthIdentNameRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthIdentNameAttributesEntry 3 }

ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 6 }

-- iSCSI User Initiator Address Attributes Table

-- Work: Add the FC stuff here and IANA Address family

ipsAuthIdentAddrAttributesTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsAuthIdentAddrAttributesEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A list of address ranges that are allowed to serve
        as the endpoint addresses of a particular identity.
        An address range consists of a starting address, an
        ending address, an optional netmask, and an address
        type indicator specifying whether the addresses are
        IPv4, IPv6, FC-WWPN, or FC-WWNN."
    ::= { ipsAuthIdentityAddress 1 }

ipsAuthIdentAddrAttributesEntry OBJECT-TYPE
    SYNTAX      IpsAuthIdentAddrAttributesEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to an address range which is used as part
        of the authentication of an identity within an
        authentication instance on this node."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthIdentAddrIndex }
    ::= { ipsAuthIdentAddrAttributesTable 1 }

IpsAuthIdentAddrAttributesEntry ::= SEQUENCE {
    ipsAuthIdentAddrIndex      Unsigned32,
    ipsAuthIdentAddrType       InetAddressType,
    ipsAuthIdentAddrStart      InetAddress,
    ipsAuthIdentAddrEnd        InetAddress,
    ipsAuthIdentAddrMask       InetAddress,
    ipsAuthIdentAddrRowStatus  RowStatus
}

ipsAuthIdentAddrIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a particular
        ipsAuthIdentAddress instance within an ipsAuthIdentity within
        an authentication instance present on the node."
    ::= { ipsAuthIdentAddrAttributesEntry 1 }

ipsAuthIdentAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The type of address in the ipsAuthIdentAddrStart,
        ipsAuthIdentAddrEnd and ipsAuthIdentAddrMask objects.  This
        type is taken from the IANA address family types; more types
        may be registered independently of this MIB."
    ::= { ipsAuthIdentAddrAttributesEntry 2 }

ipsAuthIdentAddrStart OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The starting address of the allowed address range."
    ::= { ipsAuthIdentAddrAttributesEntry 3 }

ipsAuthIdentAddrEnd OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The ending address of the allowed address range.  If the
        ipsAuthIdentAddrAttributesEntry specifies a single address,
        this shall match ipsAuthIdentAddrStart."
    ::= { ipsAuthIdentAddrAttributesEntry 4 }

-- Work: Need to think through whether we need a mask.

ipsAuthIdentAddrMask OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The address mask.
        -- NEED TO SPECIFY EXACTLY HOW USED W/RANGE"
    ::= { ipsAuthIdentAddrAttributesEntry 5 }

ipsAuthIdentAddrRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthIdentAddrAttributesEntry 6 }

ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 7 }

-- Identity Credential Attributes Table

ipsAuthCredentialAttributesTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsAuthCredentialAttributesEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A list of credentials related to user identities
        that are allowed as valid authenticators of the
        particular identity."
    ::= { ipsAuthCredential 1 }

ipsAuthCredentialAttributesEntry OBJECT-TYPE
    SYNTAX      IpsAuthCredentialAttributesEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which authenticates a user
        identity within an authentication instance."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredentialAttributesTable 1 }

IpsAuthCredentialAttributesEntry ::= SEQUENCE {
    ipsAuthCredIndex       Unsigned32,
    ipsAuthCredAuthMethod  AutonomousType,
    ipsAuthCredUserName    SnmpAdminString,
    ipsAuthCredRowStatus   RowStatus
}

ipsAuthCredIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a particular
        credential instance within an ipsAuthIdentity within an
        authentication instance present on the node."
    ::= { ipsAuthCredentialAttributesEntry 1 }

ipsAuthCredAuthMethod OBJECT-TYPE
    SYNTAX      AutonomousType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object contains an OBJECT IDENTIFIER
        which identifies the authentication method
        used with this credential.

        Some standardized values for this object are defined
        within the ipsAuthMethods subtree."
    ::= { ipsAuthCredentialAttributesEntry 2 }

ipsAuthCredUserName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "An octet string containing the user name for this credential,
        if it is applicable to the ipsAuthCredAuthMethod."
    ::= { ipsAuthCredentialAttributesEntry 3 }

ipsAuthCredRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredentialAttributesEntry 4 }

ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 8 }

-- Credential CHAP-Specific Attributes Table

ipsAuthCredChapAttributesTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsAuthCredChapAttributesEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A list of CHAP attributes for credentials that
        have their ipsAuthCredAuthMethod == ipsAuthMethodChap."
    ::= { ipsAuthCredChap 1 }

ipsAuthCredChapAttributesEntry OBJECT-TYPE
    SYNTAX      IpsAuthCredChapAttributesEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which has the ipsAuthCredAuthMethod
        set to the OID of ipsAuthMethodChap."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredChapAttributesTable 1 }

IpsAuthCredChapAttributesEntry ::= SEQUENCE {
    ipsAuthCredChapUserName   SnmpAdminString,
    ipsAuthCredChapPassword   SnmpAdminString,
    ipsAuthCredChapRowStatus  RowStatus
}

ipsAuthCredChapUserName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "An octet string containing the CHAP user name for this
        credential."
    ::= { ipsAuthCredChapAttributesEntry 1 }

ipsAuthCredChapPassword OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "An octet string containing the password for this
        credential.  If written, it changes the password for
        the credential.  If read, it returns a zero-length
        string."
    ::= { ipsAuthCredChapAttributesEntry 2 }

ipsAuthCredChapRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredChapAttributesEntry 3 }

ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 9 }

-- Credential SRP-Specific Attributes Table

ipsAuthCredSrpAttributesTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsAuthCredSrpAttributesEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A list of SRP-specific attributes for credentials that
        have their ipsAuthCredAuthMethod == ipsAuthMethodSrp."
    ::= { ipsAuthCredSrp 1 }

ipsAuthCredSrpAttributesEntry OBJECT-TYPE
    SYNTAX      IpsAuthCredSrpAttributesEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which has the ipsAuthCredAuthMethod
        set to the OID of ipsAuthMethodSrp."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredSrpAttributesTable 1 }

IpsAuthCredSrpAttributesEntry ::= SEQUENCE {
    ipsAuthCredSrpUserName          SnmpAdminString,
    ipsAuthCredSrpPasswordVerifier  SnmpAdminString,
    ipsAuthCredSrpSalt              SnmpAdminString,
    ipsAuthCredSrpRowStatus         RowStatus
}

ipsAuthCredSrpUserName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "An octet string containing the SRP user name for this
        credential."
    ::= { ipsAuthCredSrpAttributesEntry 1 }

ipsAuthCredSrpPasswordVerifier OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "An octet string containing the SRP password verifier
        for this credential."
    ::= { ipsAuthCredSrpAttributesEntry 2 }

-- Work: what is the size of Salt?  Should it be an integer?

ipsAuthCredSrpSalt OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "An octet string containing the salt value related to
        this credential."
    ::= { ipsAuthCredSrpAttributesEntry 3 }

ipsAuthCredSrpRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredSrpAttributesEntry 4 }

ipsAuthCredSpkm OBJECT IDENTIFIER ::= { ipsAuthObjects 10 }

-- Credential SPKM-Specific Attributes Table

ipsAuthCredSpkmAttributesTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsAuthCredSpkmAttributesEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A list of SPKM-specific attributes for credentials that
        have their ipsAuthCredAuthMethod == ipsAuthMethodSpkm."
    ::= { ipsAuthCredSpkm 1 }

ipsAuthCredSpkmAttributesEntry OBJECT-TYPE
    SYNTAX      IpsAuthCredSpkmAttributesEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which has the ipsAuthCredAuthMethod
        set to the OID of ipsAuthMethodSpkm."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredSpkmAttributesTable 1 }

-- Work: Do we need to split out the cert identity here, or in
-- the certificate object?

IpsAuthCredSpkmAttributesEntry ::= SEQUENCE {
    ipsAuthCredSpkmPeerIdentity  OCTET STRING,
    ipsAuthCredSpkmPeerCert      Unsigned32,
    ipsAuthCredSpkmMyCert        Unsigned32,
    ipsAuthCredSpkmRowStatus     RowStatus
}

-- Work: Should this go here, or with the cert, or both?

ipsAuthCredSpkmPeerIdentity OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The identity to be authenticated by the public
        key certificate.  If ipsAuthCredSpkmPeerCert is not
        zero, this identity must match the XXXXXXX attribute
        within the certificate referenced by ipsAuthCredSpkmPeerCert."
    ::= { ipsAuthCredSpkmAttributesEntry 1 }

ipsAuthCredSpkmPeerCert OBJECT-TYPE
    SYNTAX      Unsigned32 (0..4294967295)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The index of the ipsAuthCertAttributesEntry that contains
        the certificate expected from the peer when this credential
        is authenticated, or zero if this attribute is not used."
    ::= { ipsAuthCredSpkmAttributesEntry 2 }

-- Work: I'm not sure that the following belongs here, yet.
ipsAuthCredSpkmMyCert OBJECT-TYPE
    SYNTAX      Unsigned32 (0..4294967295)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The index of the ipsAuthCertAttributesEntry that contains
        the certificate that will be provided to the other
        system when this credential is authenticated,
        or zero if this attribute is not used."
    ::= { ipsAuthCredSpkmAttributesEntry 3 }

ipsAuthCredSpkmRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredSpkmAttributesEntry 4 }

ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 11 }

-- Credential Kerberos-Specific Attributes Table

ipsAuthCredKerbAttributesTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsAuthCredKerbAttributesEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A list of Kerberos-specific attributes for credentials that
        have their ipsAuthCredAuthMethod == ipsAuthMethodKerberos."
    ::= { ipsAuthCredKerberos 1 }

ipsAuthCredKerbAttributesEntry OBJECT-TYPE
    SYNTAX      IpsAuthCredKerbAttributesEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which has the ipsAuthCredAuthMethod
        set to the OID of ipsAuthMethodKerberos."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredKerbAttributesTable 1 }

IpsAuthCredKerbAttributesEntry ::= SEQUENCE {
    ipsAuthCredKerbAttribute  SnmpAdminString,
    ipsAuthCredKerbRowStatus  RowStatus
}

-- Work: The following is a placeholder attribute, since I
-- haven't figured out what to configure for Kerberos.
ipsAuthCredKerbAttribute OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "An octet string containing a Kerberos attribute
        for this credential."
    ::= { ipsAuthCredKerbAttributesEntry 1 }

ipsAuthCredKerbRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredKerbAttributesEntry 2 }

------------------------------------------------------------------------
-- Notifications

-- There are no notifications necessary in this MIB.

------------------------------------------------------------------------
-- Conformance Statements

ipsAuthGroups OBJECT IDENTIFIER ::= { ipsAuthConformance 1 }

ipsAuthInstanceAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthInstDescr
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing information about
        authentication instances."
    ::= { ipsAuthGroups 1 }

ipsAuthIdentCertAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCertDescription,
        ipsAuthCert,
        ipsAuthCertIdentity,
        ipsAuthCertRowStatus
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing information about
        certificates within an authentication instance."
    ::= { ipsAuthGroups 2 }

ipsAuthIdentAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentDescription,
        ipsAuthIdentRowStatus
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing information about
        user identities within an authentication instance."
    ::= { ipsAuthGroups 3 }

ipsAuthIdentNameAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentName,
        ipsAuthIdentNameRowStatus
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing information about
        user names within user identities within an authentication
        instance."
    ::= { ipsAuthGroups 4 }

ipsAuthIdentAddrAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentAddrType,
        ipsAuthIdentAddrStart,
        ipsAuthIdentAddrEnd,
        ipsAuthIdentAddrMask,
        ipsAuthIdentAddrRowStatus
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing information about
        address ranges within user identities within an authentication
        instance."
    ::= { ipsAuthGroups 5 }

ipsAuthIdentCredAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredAuthMethod,
        ipsAuthCredUserName,
        ipsAuthCredRowStatus
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing information about
        credentials within user identities within an authentication
        instance."
    ::= { ipsAuthGroups 6 }

ipsAuthIdentChapAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredChapUserName,
        ipsAuthCredChapPassword,
        ipsAuthCredChapRowStatus
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing information about CHAP
        credentials within user identities within an authentication
        instance."
    ::= { ipsAuthGroups 7 }

ipsAuthIdentSrpAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredSrpUserName,
        ipsAuthCredSrpPasswordVerifier,
        ipsAuthCredSrpSalt,
        ipsAuthCredSrpRowStatus
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing information about SRP
        credentials within user identities within an authentication
        instance."
    ::= { ipsAuthGroups 8 }

ipsAuthIdentSpkmAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredSpkmPeerIdentity,
        ipsAuthCredSpkmPeerCert,
        ipsAuthCredSpkmMyCert,
        ipsAuthCredSpkmRowStatus
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing information about SPKM
        credentials within user identities within an authentication
        instance."
    ::= { ipsAuthGroups 9 }

ipsAuthIdentKerberosAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredKerbAttribute,
        ipsAuthCredKerbRowStatus
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing information about Kerberos
        credentials within user identities within an authentication
        instance."
    ::= { ipsAuthGroups 10 }

-- Work: need to add the rest of the groups

------------------------------------------------------------------------

ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 2 }

ipsAuthComplianceV1 MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "Initial version of compliance statement based on
        initial version of MIB.

        The Instance and Identity groups are mandatory;
        at least one of the other groups (Name, Address,
        Credential, Certificate) is also mandatory for
        any given implementation."
    MODULE -- this module
    MANDATORY-GROUPS {
        ipsAuthInstanceAttributesGroup,
        ipsAuthIdentAttributesGroup
    }

    -- Conditionally mandatory groups to be included with
    -- the mandatory groups when necessary.

    GROUP ipsAuthIdentNameAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that make use of unique identity names."

    GROUP ipsAuthIdentAddrAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use addresses to help authenticate identities."
    GROUP ipsAuthIdentCredAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use credentials to help authenticate identities."

    GROUP ipsAuthIdentCertAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that make use of public key certificates."

    ::= { ipsAuthCompliances 1 }

END

8. Security Considerations

   WORK: Need some text about all the bad things that can happen when
   someone gains write access to this MIB.

   WORK: Considerations for read only.

   Write access to this MIB amounts to administrative control over
   iSCSI authentication on the node: a principal who can create rows in
   the identity, name, address and credential tables, or write
   ipsAuthCredChapPassword, can admit an initiator of their choosing or
   change the secret an existing identity authenticates with.  Read
   access is not harmless either: ipsAuthCredChapPassword returns a
   zero-length string when read, but ipsAuthCredSrpPasswordVerifier and
   ipsAuthCredSrpSalt are readable, and a verifier together with its
   salt is enough to test candidate passwords offline.

   SNMPv1 by itself is not a secure environment.  Even if the network
   itself is secure (for example, by using IPsec), there is still no
   control over who on the secure network is allowed to access and
   GET/SET (read/change/create/delete) the objects in this MIB.

   It is recommended that implementers consider the security features
   provided by the SNMPv3 framework.  Specifically, the use of the
   User-based Security Model, RFC 2574 [RFC2574], and the View-based
   Access Control Model, RFC 2575 [RFC2575], is recommended.

   It is then a customer/user responsibility to ensure that the SNMP
   entity giving access to an instance of this MIB is properly
   configured to give access to the objects only to those principals
   (users) that have legitimate rights to GET or SET
   (change/create/delete) them.

9. References

   [RFC2571] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
             for Describing SNMP Management Frameworks", RFC 2571, April
             1999.

   [RFC1155] Rose, M., and K. McCloghrie, "Structure and Identification
             of Management Information for TCP/IP-based Internets", STD
             16, RFC 1155, May 1990.

   [RFC1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions", STD
             16, RFC 1212, March 1991.

   [RFC1215] Rose, M., "A Convention for Defining Traps for use with the
             SNMP", RFC 1215, March 1991.
   [RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
             Rose, M., and S. Waldbusser, "Structure of Management
             Information Version 2 (SMIv2)", STD 58, RFC 2578, April
             1999.

   [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
             Rose, M., and S. Waldbusser, "Textual Conventions for
             SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
             Rose, M., and S. Waldbusser, "Conformance Statements for
             SMIv2", STD 58, RFC 2580, April 1999.

   [RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
             Network Management Protocol", STD 15, RFC 1157, May 1990.

   [RFC1901] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
             "Introduction to Community-based SNMPv2", RFC 1901, January
             1996.

   [RFC1906] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
             "Transport Mappings for Version 2 of the Simple Network
             Management Protocol (SNMPv2)", RFC 1906, January 1996.

   [RFC2572] Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
             "Message Processing and Dispatching for the Simple Network
             Management Protocol (SNMP)", RFC 2572, April 1999.

   [RFC2574] Blumenthal, U., and B. Wijnen, "User-based Security Model
             (USM) for version 3 of the Simple Network Management
             Protocol (SNMPv3)", RFC 2574, April 1999.

   [RFC1905] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
             "Protocol Operations for Version 2 of the Simple Network
             Management Protocol (SNMPv2)", RFC 1905, January 1996.

   [RFC2573] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications",
             RFC 2573, April 1999.

   [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
             Access Control Model (VACM) for the Simple Network
             Management Protocol (SNMP)", RFC 2575, April 1999.

   [RFC2570] Case, J., Mundy, R., Partain, D., and B. Stewart,
             "Introduction to Version 3 of the Internet-standard Network
             Management Framework", RFC 2570, April 1999.

   [RFC2012] McCloghrie, K., "SNMPv2 Management Information Base for the
             Transmission Control Protocol using SMIv2", RFC 2012,
             November 1996.

   [RFC2851] Daniele, M., et al., "Textual Conventions for Internet
             Network Addresses", RFC 2851, June 2000.

   [IPV6MIB] Daniele, M., et al., "Textual Conventions for Internet
             Network Addresses", draft-ietf-ops-rfc2851-update-06.txt,
             February 2001.

   [IANA-AF] IANA, "WORK: something about assigned enum types for address
             families", http://www.iana.org/something.

   [RFC1213] McCloghrie, K., and M. Rose, "Management Information Base
             for Network Management of TCP/IP-based internets: MIB-II",
             RFC 1213, March 1991.

   [RFC2011] McCloghrie, K., "SNMPv2 Management Information Base for the
             Internet Protocol using SMIv2", RFC 2011, November 1996.

   [RFC1994] Simpson, W., "PPP Challenge Handshake Authentication
             Protocol (CHAP)", RFC 1994, August 1996.

   [RFC1510] Kohl, J., and C. Neuman, "The Kerberos Network
             Authentication Service (V5)", RFC 1510, September 1993.

   [RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism (SPKM)",
             RFC 2025, October 1996.

   [RFC2945] Wu, T., "The SRP Authentication and Key Exchange System",
             RFC 2945, September 2000.

   [RFC2465] Haskin, D., and S. Onishi, "Management Information Base for
             IP Version 6: Textual Conventions and General Group", RFC
             2465, December 1998.

   [ISCSI]   Satran, J., et al., "iSCSI", draft-ietf-ips-iSCSI-10,
             February 2002.

   [RFC1737] Sollins, K., and L. Masinter, "Functional Requirements for
             Uniform Resource Names", RFC 1737, December 1994.

   [X.509]   ITU-T Recommendation X.509 (1997 E), "Information Technology
             - Open Systems Interconnection - The Directory:
             Authentication Framework", June 1997.

10. Authors' Addresses

   Mark Bakke
   Postal: Cisco Systems, Inc
           6450 Wedgwood Road, Suite 130
           Maple Grove, MN
           USA 55311

   Tel:    +1 763-398-1000
   Fax:    +1 763-398-1001

   E-mail: mbakke@cisco.com

   Jim Muchow
   Postal: Cisco Systems, Inc
           6450 Wedgwood Road, Suite 130
           Maple Grove, MN
           USA 55311

   Tel:    +1 763-398-1000
   Fax:    +1 763-398-1001

   E-mail: jmuchow@cisco.com
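The following Python is an added example written for this edit; it is not part of the draft or of any iSCSI implementation. It shows how a target could evaluate the rows of ipsAuthIdentAddrAttributesTable against the address a session arrives from, decoding ipsAuthIdentAddrStart, ipsAuthIdentAddrEnd and ipsAuthIdentAddrMask according to ipsAuthIdentAddrType (the InetAddressType values ipv4(1) and ipv6(2) from RFC 2851, which the MIB imports). The sample rows are constructed for the example. Because the draft leaves the mask's relationship to the range unspecified, the example treats a non-empty mask as a prefix mask applied to the start address; that is an assumption, flagged in the code. Malformed rows (an address whose length does not fit its type, or an end below the start) fail closed rather than matching.

```python
"""Added example (not part of the draft): evaluating rows of
ipsAuthIdentAddrAttributesTable against a connecting peer's address."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

# InetAddressType values from the RFC 2851 textual convention.
IPV4 = 1
IPV6 = 2

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class AddrRow:
    """One conceptual row of ipsAuthIdentAddrAttributesTable.

    start/end/mask hold the InetAddress octet strings as an agent would
    store them (4 octets for ipv4, 16 for ipv6).  An empty mask means the
    row is a plain start..end range.
    """
    index: int          # ipsAuthIdentAddrIndex
    addr_type: int      # ipsAuthIdentAddrType
    start: bytes        # ipsAuthIdentAddrStart
    end: bytes          # ipsAuthIdentAddrEnd
    mask: bytes = b""   # ipsAuthIdentAddrMask


def decode_inet_address(addr_type: int, octets: bytes) -> IPAddr:
    """Decode an InetAddress according to its InetAddressType.  A length
    that does not fit the declared type is rejected, never guessed at."""
    if addr_type == IPV4 and len(octets) == 4:
        return ipaddress.IPv4Address(octets)
    if addr_type == IPV6 and len(octets) == 16:
        return ipaddress.IPv6Address(octets)
    raise ValueError(f"{len(octets)}-octet address does not match type {addr_type}")


def pack(text: str) -> Tuple[int, bytes]:
    """Textual address -> (InetAddressType, InetAddress octets)."""
    ip = ipaddress.ip_address(text)
    return (IPV4 if ip.version == 4 else IPV6), ip.packed


def row_matches(row: AddrRow, peer_type: int, peer_octets: bytes) -> bool:
    """True if the peer falls inside this row.  Type mismatch, bad lengths,
    and a range whose end precedes its start all fail closed."""
    if row.addr_type != peer_type:
        return False
    try:
        peer = decode_inet_address(peer_type, peer_octets)
        start = decode_inet_address(row.addr_type, row.start)
        end = decode_inet_address(row.addr_type, row.end)
    except ValueError:
        return False
    if row.mask:
        # ASSUMPTION: the draft does not say how the mask relates to the
        # range; here a non-empty mask is a prefix mask applied to Start.
        try:
            mask = int(decode_inet_address(row.addr_type, row.mask))
        except ValueError:
            return False
        return (int(peer) & mask) == (int(start) & mask)
    if end < start:
        return False
    # A single-address row has end == start, as the draft requires.
    return start <= peer <= end


def matching_rows(rows: List[AddrRow], peer_type: int, peer_octets: bytes) -> List[int]:
    """Indexes of every row that admits the peer; an empty list means the
    peer is not an allowed endpoint address for this identity."""
    return [r.index for r in rows if row_matches(r, peer_type, peer_octets)]


def sample_rows() -> List[AddrRow]:
    """Constructed rows for one identity (example data, not real config)."""
    o = lambda text: pack(text)[1]
    return [
        AddrRow(1, IPV4, o("10.0.0.10"), o("10.0.0.20")),                        # range
        AddrRow(2, IPV6, o("2001:db8::1"), o("2001:db8::1")),                    # single address
        AddrRow(3, IPV4, o("192.168.1.0"), o("192.168.1.0"), o("255.255.255.0")),  # masked
        AddrRow(4, IPV4, o("10.9.9.9"), o("10.9.9.1")),                          # malformed: end < start
    ]
```

A peer that arrives with an IPv4 address is never matched by an ipv6 row even if the octets happen to compare equal numerically, because the type is checked before the value; the same check stops a 4-octet value stored under an ipv6 row from being silently widened.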
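The following Python is an added example, not code from the draft or from RFC 2945. It shows what the two SRP objects in the MIB hold and how a target uses them: ipsAuthCredSrpSalt and ipsAuthCredSrpPasswordVerifier are the (s, v) pair of RFC 2945, derived once from the user name and password, after which the target never needs the password itself. The exchange follows RFC 2945 (B = v + g^b, u taken from the first 32 bits of SHA-1(B), and the abort conditions on A, B and u). Assumptions made for the example: the 1024-bit group is the one from RFC 5054 Appendix A, transcribed here and to be checked against the RFC before reuse; the session key is reduced with plain SHA-1 rather than SHA_Interleave for brevity; and the 16-octet salt and the initiator name are choices for the example, since the draft leaves the salt size open.

```python
"""Added example (not part of the draft): the RFC 2945 material behind
ipsAuthCredSrpSalt / ipsAuthCredSrpPasswordVerifier, and the exchange a
target can run holding only those two values."""
import hashlib
import secrets
from typing import Optional, Tuple

# 1024-bit group from RFC 5054, Appendix A, transcribed for this example;
# verify against the RFC before reusing it.  g = 2 for this group.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3", 16)
g = 2


def _h(*parts: bytes) -> bytes:
    """SHA-1, the hash RFC 2945 specifies."""
    return hashlib.sha1(b"".join(parts)).digest()


def _i2b(n: int) -> bytes:
    """Big-endian encoding without leading zero octets."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def _x(username: str, password: str, salt: bytes) -> int:
    """RFC 2945 private key: x = SHA1(s | SHA1(I | ":" | P))."""
    return int.from_bytes(_h(salt, _h(f"{username}:{password}".encode())), "big")


def make_verifier(username: str, password: str,
                  salt: Optional[bytes] = None) -> Tuple[bytes, int]:
    """Produce the (salt, verifier) pair stored in ipsAuthCredSrpSalt and
    ipsAuthCredSrpPasswordVerifier: v = g^x mod N.  A 16-octet random salt
    is an example choice; the draft leaves the size open."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, pow(g, _x(username, password, salt), N)


def run_exchange(username: str, password: str, salt: bytes, v: int) -> Tuple[int, int]:
    """One RFC 2945 exchange.  The initiator side knows `password`; the
    target side knows only (salt, v).  Returns (initiator_key, target_key),
    which agree only when the password matches the stored verifier."""
    # Initiator: ephemeral a, public A = g^a.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Target MUST abort if A mod N == 0; otherwise B = v + g^b (SRP-3, no k factor).
    if A % N == 0:
        raise ValueError("target aborts: A mod N == 0")
    b = secrets.randbelow(N - 2) + 1
    B = (v + pow(g, b, N)) % N
    # Initiator MUST abort if B mod N == 0.
    if B % N == 0:
        raise ValueError("initiator aborts: B mod N == 0")
    # u is the first 32 bits of SHA1(B); the target SHOULD abort on u == 0.
    u = int.from_bytes(_h(_i2b(B))[:4], "big")
    if u == 0:
        raise ValueError("target aborts: u == 0")
    # Initiator: S = (B - g^x)^(a + u*x); it needs the password to recompute x.
    x = _x(username, password, salt)
    s_init = pow((B - pow(g, x, N)) % N, a + u * x, N)
    # Target: S = (A * v^u)^b; the stored verifier stands in for the password.
    s_tgt = pow((A * pow(v, u, N)) % N, b, N)
    # RFC 2945 derives K with SHA_Interleave; plain SHA-1 is used here for brevity.
    return (int.from_bytes(_h(_i2b(s_init)), "big"),
            int.from_bytes(_h(_i2b(s_tgt)), "big"))
```

Because v is a deterministic function of the password and a salt that is stored beside it, anyone who can read both objects can run make_verifier over a word list and compare; read access to ipsAuthCredSrpAttributesTable therefore deserves the same VACM restrictions as write access.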