Internet Draft                                                Mark Bakke
                                                              Jim Muchow
Expires December 2002                                      Cisco Systems

                                                               June 2002

    Definitions of Managed Objects for User Identity Authentication

1.  Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

1.1.  Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

2.  Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in TCP/IP based internets.
   In particular it defines objects for managing user identities and the
   names, addresses, and credentials required to authenticate them, for
   use with various protocols.
   This draft was motivated by the need for the configuration of
   authenticated user identities for the iSCSI protocol [ISCSI], but
   has been extended to be useful for other protocols that have similar
   requirements.  It is important to note that this MIB provides only
   the set of identities and the means to authenticate them; it is the
   responsibility of other MIBs making use of this one to tie them to
   authorization lists.

3.  Acknowledgments

   In addition to the authors, several people contributed to the
   development of this MIB through discussions of authentication,
   authorization, and access within the iSCSI MIB and security teams,
   including John Hufferd, Marjorie Krueger, Keith McCloghrie, Tom
   McSweeney, Steve Senum, and Josh Tseng.

   Thanks especially to Keith McCloghrie for serving as advisor for this
   MIB.

4.  The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2571 [RFC2571].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management.  The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      STD 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC
      1215 [RFC1215].  The second version, called SMIv2, is described
      in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and
      STD 58, RFC 2580 [RFC2580].

   o  Message protocols for transferring management information.  The
      first version of the SNMP message protocol is called SNMPv1 and
      described in STD 15, RFC 1157 [RFC1157].  A second version of
      the SNMP message protocol, which is not an Internet standards
      track protocol, is called SNMPv2c and described in RFC 1901
      [RFC1901] and RFC 1906 [RFC1906].  The third version of the
      message protocol is called SNMPv3 and described in RFC 1906
      [RFC1906], RFC 2572 [RFC2572] and RFC 2574 [RFC2574].

   o  Protocol operations for accessing management information.  The
      first set of protocol operations and associated PDU formats is
      described in STD 15, RFC 1157 [RFC1157].  A second set of
      protocol operations and associated PDU formats is described in
      RFC 1905 [RFC1905].

   o  A set of fundamental applications described in RFC 2573
      [RFC2573] and the view-based access control mechanism described
      in RFC 2575 [RFC2575].

   A more detailed introduction to the current SNMP Management Framework
   can be found in RFC 2570 [RFC2570].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2.  A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations.  The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64).  Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process.  However, this loss of machine
   readable information is not considered to change the semantics of the
   MIB.

   This MIB will be used to configure and/or look at the configuration
   of user identities and their authentication information.  For the
   purposes of this MIB, a "user" identity does not need to be an actual
   person; a user can also be a host, an application, a cluster of
   hosts, or any other identifiable entity that can be authenticated and
   granted access to a resource.

   Most objects in this MIB have a MAX-ACCESS of read-create; the MIB is
   intended to allow configuration of user identities and their names,
   addresses, and credentials.
   MIN-ACCESS for all objects is read-only for those implementations
   that configure through other means, but require the ability to
   monitor user identities.

4.1.  Revision History

   The following modifications were made from draft-00 to draft-01:

   - The Kerberos and SPKM (public key certificate) authentication
     methods were removed.

   - Added the capability to include Fibre Channel addresses.

5.  Relationship to Other MIBs

   The identity authentication MIB does not directly address objects
   within other MIBs.  The identity address objects contain IPv4, IPv6,
   or other address types, and as such may be indirectly related to
   objects within the IPv4 MIB [RFC1213, RFC2011] or IPv6 [RFC2465] MIB.

   This MIB does not cover authorization.  This should generally be done
   in MIBs that reference identities in this one.  It also does not
   cover login or authentication failure statistics or notifications, as
   these are all fairly application-specific, and not generic enough to
   include here.

   The user identity objects within this MIB are typically referenced
   from other MIBs by a RowPointer within that MIB.  A MIB containing
   resources for which it requires a list of authorized user identities
   may create such a list, with a single RowPointer within each list
   element pointing to a user identity within this MIB.  This is neither
   required nor restricted by this MIB.

6.  Discussion

   This MIB structure is intended to allow the configuration of a list
   of user identities, each with a list of names, addresses,
   credentials, and certificates which when combined will authenticate
   that identity.

   The authentication MIB is structured around two primary "objects",
   the authentication instance, and the identity, which serve as
   containers for the remainder of the objects.
   This section contains a brief description of the "object" hierarchy
   and a description of each object, followed by a discussion of the
   actual SNMP table structure within the objects.

6.1.  Authentication MIB Object Model

   The top-level object in this structure is the authentication
   instance, which "contains" all of the other objects.  The indexing
   hierarchy of this MIB looks like:

   ipsAuthInstance
      -- A distinct authentication entity within the managed system.
      -- Most implementations will have just one of these.
      ipsAuthIdentity
         -- A user identity, consisting of a set of identity names,
         -- addresses, and credentials reflected in the following
         -- objects, as well as a RowPointer to an ipsAuthCertificate.
         ipsAuthIdentityName
            -- A name for a user identity.  A name should be globally
            -- unique, and unchanging over time.  Some protocols may
            -- not require this one.
         ipsAuthIdentityAddress
            -- An address range, typically but not necessarily an
            -- IPv4, IPv6, or Fibre Channel address range, at which
            -- the identity is allowed to reside.
         ipsAuthCredential
            -- A single credential, such as a CHAP username/password,
            -- which can authenticate the identity.
            ipsAuthCredChap
               -- CHAP-specific attributes for an ipsAuthCredential
            ipsAuthCredSrp
               -- SRP-specific attributes

   Each identity contains the information necessary to authenticate a
   particular end-point that wishes to access a service, such as iSCSI.

   An identity can contain multiple names, addresses, and credentials.

   Work - Add some examples here.

   Work - need examples showing how this can work on a client and a
   server, for mutual authentication.

6.2.  ipsAuthInstance

   The ipsAuthInstanceAttributesTable is the primary table of the
   authentication MIB.  Every other table entry in this MIB includes the
   index of an ipsAuthInstanceAttributesEntry as its primary index.
   An authentication instance is basically a managed set of identities.

   Many implementations will include just one authentication instance
   row in this table.  However, there will be cases where multiple rows
   in this table may be used:

   - A large system may be "partitioned" into multiple, distinct virtual
     systems, perhaps sharing the SNMP agent but not their lists of
     identities.  Each virtual system would have its own authentication
     instance.

   - A set of stackable systems, each with their own set of identities,
     may be managed by a common SNMP agent.  Each individual system
     would have its own authentication instance.

   - Multiple protocols, each with their own set of identities, may
     exist within a single system and be managed by a single SNMP agent.
     In this case, each protocol may have its own authentication
     instance.

6.3.  ipsAuthIdentity

   The ipsAuthIdentAttributesTable contains one entry for each
   configured user identity.  The identity contains only a description
   of what the identity is used for; its attributes are all contained in
   other tables, since they can have multiple values.

   Other MIBs containing lists of users authorized to access a
   particular resource should generally contain a RowPointer to the
   ipsAuthIdentAttributesEntry which will, if authenticated, be allowed
   access.

   All other table entries make use of the indices to this table as
   their primary indices.

6.4.  ipsAuthIdentityName

   The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names,
   each of which belongs to, and may be used to identify, a particular
   identity in the authIdentity table.

   Implementations making use of the authentication MIB may identify
   their resources by names, addresses, or both.  A name is typically a
   unique (within the required scope), unchanging identifier for a
   resource.
   It will normally meet some or all of the requirements for a
   Uniform Resource Name [RFC1737], although a name in the context of
   this MIB does not need to be a URN.  Identifiers that typically
   change over time should generally be placed into the
   ipsAuthIdentityAddress table; names that have no uniqueness
   properties should usually be placed into the description attribute
   for the identity.

   An example of an identity name is the iSCSI Name, defined in [ISCSI].

   If this table contains no entries associated with a particular user
   identity, the implementation does not need to check any name
   parameters when authenticating that identity.  If the table contains
   multiple entries associated with a particular user identity, the
   implementation should consider a match with any one of these entries
   to be valid.

6.5.  ipsAuthIdentityAddress

   The ipsAuthIdentAddrAttributesTable contains a list of addresses at
   which the identity may be authenticated.  For example, an identity
   may be allowed access to a resource only from a certain IP address,
   or only if its address is in a certain range or set of ranges.

   Each entry contains a starting and ending address.  If a single
   address is desired in the list, both starting and ending addresses
   must be identical.

   Each entry contains an AddrType attribute.  This attribute contains
   an enumeration registered as an IANA Address Family type [IANA-AF].
   Although many implementations will use IPv4 or IPv6 address types for
   these entries, any IANA-registered type may be used, as long as it
   makes sense to the application.

   Matching any address within any range within the list associated with
   a particular identity is considered to be a valid match.  If no
   entries are present in this list for a given identity, its address is
   not checked during authentication.
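
   The matching rules of sections 6.4 and 6.5, as an added Python
   example that is not part of the draft: a match against any one name
   row or any one address range is valid, and an empty table leaves
   that factor unchecked, which the audit helper reports.  The class
   and function names are hypothetical, names are compared as exact
   strings (an assumption), and credentials are not modeled.

```python
import ipaddress
from dataclasses import dataclass, field

# IANA Address Family Numbers used here: 1 = IPv4, 2 = IPv6.
AF_IPV4, AF_IPV6 = 1, 2
ADDR_LEN = {AF_IPV4: 4, AF_IPV6: 16}


@dataclass(frozen=True)
class AddrRange:
    """One address row: AddrType plus inclusive start and end octet strings."""
    addr_type: int
    start: bytes
    end: bytes

    def __post_init__(self):
        expected = ADDR_LEN.get(self.addr_type, len(self.start))
        if len(self.start) != expected or len(self.end) != expected:
            raise ValueError("address length does not fit the address type")
        if self.start > self.end:
            raise ValueError("range start is above range end")

    def contains(self, addr_type, addr):
        # Equal-length big-endian octet strings compare in numeric order.
        return (addr_type == self.addr_type
                and len(addr) == len(self.start)
                and self.start <= addr <= self.end)


def single(ip):
    """A single address: start and end are identical (section 6.5)."""
    a = ipaddress.ip_address(ip)
    return AddrRange(AF_IPV4 if a.version == 4 else AF_IPV6, a.packed, a.packed)


def cidr_to_range(cidr):
    """Convert a prefix to the start/end form, the only form a row stores."""
    net = ipaddress.ip_network(cidr)  # rejects prefixes with host bits set
    return AddrRange(AF_IPV4 if net.version == 4 else AF_IPV6,
                     net.network_address.packed, net.broadcast_address.packed)


@dataclass
class Identity:
    """One identity with its name rows and address rows (hypothetical model)."""
    description: str
    names: list = field(default_factory=list)
    ranges: list = field(default_factory=list)


def check_identity(identity, peer_name, peer_ip):
    """Apply the section 6.4 and 6.5 rules to one login attempt.

    Returns (name_result, addr_result); each is 'match', 'mismatch' or
    'unchecked'.  'unchecked' means the table has no rows for the identity.
    """
    if not identity.names:
        name_result = "unchecked"
    else:
        name_result = "match" if peer_name in identity.names else "mismatch"

    if not identity.ranges:
        addr_result = "unchecked"
    else:
        a = ipaddress.ip_address(peer_ip)
        af = AF_IPV4 if a.version == 4 else AF_IPV6
        hit = any(r.contains(af, a.packed) for r in identity.ranges)
        addr_result = "match" if hit else "mismatch"
    return name_result, addr_result


def passes(identity, peer_name, peer_ip):
    """True when no configured factor mismatches (credentials not modeled)."""
    return "mismatch" not in check_identity(identity, peer_name, peer_ip)


def unconstrained(identities):
    """Audit helper: identities for which a factor is never checked."""
    report = []
    for ident in identities:
        missing = [factor for factor, rows in
                   (("name", ident.names), ("address", ident.ranges)) if not rows]
        if missing:
            report.append((ident.description, missing))
    return report


# Constructed sample rows (documentation address ranges, made-up iSCSI names).
DB_HOST = Identity(
    "database host",
    names=["iqn.2002-06.com.example:db1", "iqn.2002-06.com.example:db1-alt"],
    ranges=[cidr_to_range("192.0.2.0/28"), single("198.51.100.7")],
)
BACKUP = Identity("backup agent", names=["iqn.2002-06.com.example:bk1"])

if __name__ == "__main__":
    print(check_identity(DB_HOST, "iqn.2002-06.com.example:db1", "192.0.2.16"))
    print(unconstrained([DB_HOST, BACKUP]))
```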

   Netmasks are not supported, since an address range can express the
   same thing with more flexibility.  An application specifying
   addresses using network masks may do so, and convert to and from
   address ranges when reading or writing this MIB.

6.6.  ipsAuthCredential

   The ipsAuthCredentialAttributesTable contains a list of credentials,
   each of which may authenticate a particular identity.

   Each credential contains an authentication method to be used, such as
   CHAP [RFC1994], or SRP [RFC2945].  This attribute contains an object
   identifier instead of an enumerated type, allowing other MIBs to add
   their own authentication methods, without modifying this MIB.

   For each entry in this table, there will exist an entry in another
   table containing its attributes.  The table in which to place the
   entry depends on the AuthMethod attribute:

   CHAP    If the AuthMethod is set to the CHAP OID, an entry using the
           same indices as the ipsAuthCredential will exist in the
           ipsAuthCredChap table, which contains the CHAP username and
           password expected.

   SRP     If the AuthMethod is set to the SRP OID, an entry using the
           same indices as the ipsAuthCredential will exist in the
           ipsAuthCredSrp table, which contains the SRP username,
           password verifier, and salt.

   Other   If the AuthMethod is set to any OID not defined in this MIB,
           an entry using the same indices as the ipsAuthCredential
           entry should be placed in the other MIB that defines whatever
           attributes are needed for that type of credential.

6.7.  IP, Fibre Channel, and Other Addresses

   The IP addresses in this MIB are represented by two attributes, one
   of type AddressFamilyNumbers, and the other of type AuthAddress.
   Each address can take on any of the types within the list of address
   family numbers; the most likely being IPv4, IPv6, or one of the Fibre
   Channel address types.

   The type AuthAddress is an octet string.
   If the address family is IPv4 or IPv6, the format is taken from the
   InetAddress specified in [RFC3291].  If the address family is one of
   the Fibre Channel types, the format is identical to the
   FcNameIdOrZero type defined in [FCMGMT].

6.8.  Descriptors: Using OIDs in Place of Enumerated Types

   Some attributes, particularly the authentication method attribute,
   would normally require an enumerated type.  However, implementations
   will likely need to add new authentication method types of their own,
   without extending this MIB.  To make this work, the MIB defines a set
   of object identities within ipsAuthDescriptors.  Each of these object
   identities is basically an enumerated type.

   Attributes that make use of these object identities have a value
   which is an OID instead of an enumerated type.  These OIDs can either
   indicate the object identities defined in this MIB, or object
   identities defined elsewhere, such as in an enterprise MIB.  Those
   implementations that add their own authentication methods should also
   define a corresponding object identity for each of these methods
   within their own enterprise MIB, and return its OID whenever one of
   these attributes is using that method.

6.9.  Notifications

   Monitoring of authentication failures and other notification events
   is outside the scope of this MIB, as they are generally
   application-specific.  No notifications are provided or required.

7.  MIB Definitions

IPS-AUTH-MIB DEFINITIONS ::= BEGIN

    IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32,
    experimental
    FROM SNMPv2-SMI

    TEXTUAL-CONVENTION,
    RowStatus,
    AutonomousType
    FROM SNMPv2-TC

    MODULE-COMPLIANCE,
    OBJECT-GROUP
    FROM SNMPv2-CONF

    SnmpAdminString
    FROM SNMP-FRAMEWORK-MIB -- RFC 2571

    AddressFamilyNumbers
    FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB
    ;

ipsAuthModule MODULE-IDENTITY
    LAST-UPDATED  "200206260000Z"
    ORGANIZATION  "IETF IPS Working Group"
    CONTACT-INFO
        "
        Mark Bakke
        Postal: Cisco Systems, Inc
        6450 Wedgwood Road, Suite 130
        Maple Grove, MN
        USA 55311

        Tel: +1 763-398-1000
        Fax: +1 763-398-1001

        E-mail: mbakke@cisco.com"

    DESCRIPTION
        "The IP Storage Authorization MIB module."

    REVISION "200206260000Z" -- June 26, 2002
    DESCRIPTION
        "Initial revision published as RFC xxxx."

--::= { mib-2 xx }
-- in case you want to COMPILE
::= { experimental 99999 }

ipsAuthObjects       OBJECT IDENTIFIER ::= { ipsAuthModule 1 }
ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthModule 2 }
ipsAuthConformance   OBJECT IDENTIFIER ::= { ipsAuthModule 3 }

-- Textual Conventions

IpsAuthAddress ::= TEXTUAL-CONVENTION
    STATUS        current
    DESCRIPTION
        "IP Storage requires the use of address information
        that uses not only the InetAddress type defined in the
        INET-ADDRESS-MIB, but also Fibre Channel type defined
        in the Fibre Channel Management MIB.  Although these
        address types are recognized in the IANA Address Family
        Numbers MIB, the addressing mechanisms have not been
        merged into a well-known, common type.  This data type,
        the IpsAuthAddress, performs this function for this MIB."
    REFERENCE
        "IANA-ADDRESS-FAMILY-NUMBERS-MIB;
        INET-ADDRESS-MIB (RFC 2851);
        Fibre Channel Management MIB (presently defined in
        draft-ietf-ips-fcmgmt-mib-01.txt)."
    SYNTAX        OCTET STRING (SIZE(0..255))

------------------------------------------------------------------------

ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 }

ipsAuthMethodTypes OBJECT IDENTIFIER ::= { ipsAuthDescriptors 1 }

ipsAuthMethodNone OBJECT-IDENTITY
    STATUS        current
    DESCRIPTION
        "The authoritative identifier when no authentication
        method is used."
    REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 1 }

ipsAuthMethodSrp OBJECT-IDENTITY
    STATUS        current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is SRP."
    REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 2 }

ipsAuthMethodChap OBJECT-IDENTITY
    STATUS        current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is CHAP."
    REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 3 }

----------------------------------------------------------------------

ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 }

-- Instance Attributes Table

ipsAuthInstanceAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthInstanceAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of iSCSI instances present on the system."
::= { ipsAuthInstance 2 }

ipsAuthInstanceAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthInstanceAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information applicable
        to a particular iSCSI instance."
    INDEX { ipsAuthInstIndex }
::= { ipsAuthInstanceAttributesTable 1 }

IpsAuthInstanceAttributesEntry ::= SEQUENCE {
    ipsAuthInstIndex               Unsigned32,
    ipsAuthInstDescr               SnmpAdminString
}

ipsAuthInstIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a particular
        authentication instance."
::= { ipsAuthInstanceAttributesEntry 1 }

ipsAuthInstDescr OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-write
    STATUS        current
    DESCRIPTION
        "An octet string, determined by the implementation to
        describe the authentication instance.  When only a single
        instance is present, this object may be set to the
        zero-length string; with multiple authentication instances,
        it may be used in an implementation-dependent manner to
        describe the purpose of the respective instance."
::= { ipsAuthInstanceAttributesEntry 2 }

ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 }

-- iSCSI User Identity Attributes Table

ipsAuthIdentAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of user identities, each belonging to a particular
        ipsAuthInstance."
::= { ipsAuthIdentity 1 }

ipsAuthIdentAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        describing a user identity
        within an authentication instance on this node."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex }
::= { ipsAuthIdentAttributesTable 1 }

IpsAuthIdentAttributesEntry ::= SEQUENCE {
    ipsAuthIdentIndex              Unsigned32,
    ipsAuthIdentDescription        SnmpAdminString,
    ipsAuthIdentRowStatus          RowStatus
}

ipsAuthIdentIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a particular
        identity instance within an authentication instance present
        on the node."
::= { ipsAuthIdentAttributesEntry 1 }

ipsAuthIdentDescription OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "An octet string describing this particular identity."
::= { ipsAuthIdentAttributesEntry 2 }

ipsAuthIdentRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
::= { ipsAuthIdentAttributesEntry 3 }

ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 }

-- iSCSI User Initiator Name Attributes Table

ipsAuthIdentNameAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentNameAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of unique names that can be used to positively
        identify a particular user identity."
::= { ipsAuthIdentityName 1 }

ipsAuthIdentNameAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentNameAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a unique identity name which can be used
        to uniquely identify a user identity within a particular
        authentication instance."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
            ipsAuthIdentNameIndex }
::= { ipsAuthIdentNameAttributesTable 1 }

IpsAuthIdentNameAttributesEntry ::= SEQUENCE {
    ipsAuthIdentNameIndex          Unsigned32,
    ipsAuthIdentName               SnmpAdminString,
    ipsAuthIdentNameRowStatus      RowStatus
}

ipsAuthIdentNameIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a particular
        identity name instance within an ipsAuthIdentity within an
        authentication instance."
::= { ipsAuthIdentNameAttributesEntry 1 }

ipsAuthIdentName OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "A character string which is the unique name of an
        identity that may be used to identify this
        ipsAuthIdent entry."
::= { ipsAuthIdentNameAttributesEntry 2 }

ipsAuthIdentNameRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
::= { ipsAuthIdentNameAttributesEntry 3 }

ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 }

-- iSCSI User Initiator Address Attributes Table

ipsAuthIdentAddrAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentAddrAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of address ranges that are allowed to serve
        as the endpoint addresses of a particular identity.
        An address range includes a starting and ending address
        and an optional netmask, and an address type indicator,
        which can specify whether the address is IPv4, IPv6,
        FC-WWPN, or FC-WWNN."
::= { ipsAuthIdentityAddress 1 }

ipsAuthIdentAddrAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentAddrAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to an address range which is used as part
        of the authentication of an identity
        within an authentication instance on this node."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
            ipsAuthIdentAddrIndex }
::= { ipsAuthIdentAddrAttributesTable 1 }

IpsAuthIdentAddrAttributesEntry ::= SEQUENCE {
    ipsAuthIdentAddrIndex          Unsigned32,
    ipsAuthIdentAddrType           AddressFamilyNumbers,
    ipsAuthIdentAddrStart          IpsAuthAddress,
    ipsAuthIdentAddrEnd            IpsAuthAddress,
    ipsAuthIdentAddrRowStatus      RowStatus
}

ipsAuthIdentAddrIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a particular
        ipsAuthIdentAddress instance within an ipsAuthIdentity within
        an authentication instance present on the node."
::= { ipsAuthIdentAddrAttributesEntry 1 }

ipsAuthIdentAddrType OBJECT-TYPE
    SYNTAX        AddressFamilyNumbers
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The type of Address in the ipsAuthIdentAddress start, end,
        and mask fields.  This type is taken from the IANA address
        family types; more types may be registered independently
        of this MIB."
::= { ipsAuthIdentAddrAttributesEntry 2 }

ipsAuthIdentAddrStart OBJECT-TYPE
    SYNTAX        IpsAuthAddress
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The starting address of the allowed address range."
::= { ipsAuthIdentAddrAttributesEntry 3 }

ipsAuthIdentAddrEnd OBJECT-TYPE
    SYNTAX        IpsAuthAddress
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The ending address of the allowed address range.
        If the ipsAuthIdentAddrEntry specifies a single address,
        this shall match the ipsAuthIdentAddrStart."
::= { ipsAuthIdentAddrAttributesEntry 4 }

ipsAuthIdentAddrRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
::= { ipsAuthIdentAddrAttributesEntry 5 }

ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 }

-- Identity Credential Attributes Table

ipsAuthCredentialAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredentialAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of credentials related to user identities
        that are allowed as valid authenticators of the
        particular identity."
::= { ipsAuthCredential 1 }

ipsAuthCredentialAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredentialAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which authenticates a user
        identity within an authentication instance."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredentialAttributesTable 1 }

IpsAuthCredentialAttributesEntry ::= SEQUENCE {
    ipsAuthCredIndex               Unsigned32,
    ipsAuthCredAuthMethod          AutonomousType,
    ipsAuthCredRowStatus           RowStatus
}

ipsAuthCredIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a particular
        iSCSI Credential instance within an iSCSI instance present
        on the node."
763      ::= { ipsAuthCredentialAttributesEntry 1 }

765  ipsAuthCredAuthMethod OBJECT-TYPE
766      SYNTAX AutonomousType
767      MAX-ACCESS read-create
768      STATUS current
769      DESCRIPTION
770          "This object contains an OBJECT IDENTIFIER
771          which identifies the authentication method
772          used with this credential.

774          Some standardized values for this object are defined
775          within the ipsAuthMethods subtree."
776      ::= { ipsAuthCredentialAttributesEntry 2 }

778  ipsAuthCredRowStatus OBJECT-TYPE
779      SYNTAX RowStatus
780      MAX-ACCESS read-create
781      STATUS current
782      DESCRIPTION
783          "This field allows entries to be dynamically added and
784          removed from this table via SNMP."
785      ::= { ipsAuthCredentialAttributesEntry 3 }

787  ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 7 }

789  -- Credential Chap-Specific Attributes Table
790  ipsAuthCredChapAttributesTable OBJECT-TYPE
791      SYNTAX SEQUENCE OF IpsAuthCredChapAttributesEntry
792      MAX-ACCESS not-accessible
793      STATUS current
794      DESCRIPTION
795          "A list of CHAP attributes for credentials that
796          have their ipsAuthCredAuthMethod == ipsAuthMethodChap."
797      ::= { ipsAuthCredChap 1 }

799  ipsAuthCredChapAttributesEntry OBJECT-TYPE
800      SYNTAX IpsAuthCredChapAttributesEntry
801      MAX-ACCESS not-accessible
802      STATUS current
803      DESCRIPTION
804          "An entry (row) containing management information
805          applicable to a credential which has the ipsAuthCredAuthMethod
806          set to the OID of ipsAuthMethodChap."
807      INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
808      ::= { ipsAuthCredChapAttributesTable 1 }

810  IpsAuthCredChapAttributesEntry ::= SEQUENCE {
811      ipsAuthCredChapUserName SnmpAdminString,
812      ipsAuthCredChapPassword SnmpAdminString,
813      ipsAuthCredChapRowStatus RowStatus
814  }

816  ipsAuthCredChapUserName OBJECT-TYPE
817      SYNTAX SnmpAdminString
818      MAX-ACCESS read-create
819      STATUS current
820      DESCRIPTION
821          "An octet string containing the CHAP user name for this
822          credential."
823      ::= { ipsAuthCredChapAttributesEntry 1 }

825  ipsAuthCredChapPassword OBJECT-TYPE
826      SYNTAX SnmpAdminString
827      MAX-ACCESS read-create
828      STATUS current
829      DESCRIPTION
830          "An octet string containing the password for this
831          credential. If written, it changes the password for
832          the credential. If read, it returns a zero-length
833          string."
834      ::= { ipsAuthCredChapAttributesEntry 2 }

836  ipsAuthCredChapRowStatus OBJECT-TYPE
837      SYNTAX RowStatus
838      MAX-ACCESS read-create
839      STATUS current
840      DESCRIPTION
841          "This field allows entries to be dynamically added and
842          removed from this table via SNMP."
843      ::= { ipsAuthCredChapAttributesEntry 3 }

845  ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 8 }

847  -- Credential Srp-Specific Attributes Table

849  ipsAuthCredSrpAttributesTable OBJECT-TYPE
850      SYNTAX SEQUENCE OF IpsAuthCredSrpAttributesEntry
851      MAX-ACCESS not-accessible
852      STATUS current
853      DESCRIPTION
854          "A list of SRP-specific attributes for credentials that
855          have their ipsAuthCredAuthMethod == ipsAuthMethodSrp."
856      ::= { ipsAuthCredSrp 1 }

858  ipsAuthCredSrpAttributesEntry OBJECT-TYPE
859      SYNTAX IpsAuthCredSrpAttributesEntry
860      MAX-ACCESS not-accessible
861      STATUS current
862      DESCRIPTION
863          "An entry (row) containing management information
864          applicable to a credential which has the ipsAuthCredAuthMethod
865          set to the OID of ipsAuthMethodSrp."
866      INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
867      ::= { ipsAuthCredSrpAttributesTable 1 }

869  IpsAuthCredSrpAttributesEntry ::= SEQUENCE {
870      ipsAuthCredSrpUserName SnmpAdminString,
871      ipsAuthCredSrpPassword SnmpAdminString,
872      ipsAuthCredSrpRowStatus RowStatus
873  }

875  ipsAuthCredSrpUserName OBJECT-TYPE
876      SYNTAX SnmpAdminString
877      MAX-ACCESS read-create
878      STATUS current
879      DESCRIPTION
880          "An octet string containing the CHAP user name for this
881          credential."
882      ::= { ipsAuthCredSrpAttributesEntry 1 }

884  ipsAuthCredSrpPassword OBJECT-TYPE
885      SYNTAX SnmpAdminString
886      MAX-ACCESS read-create
887      STATUS current
888      DESCRIPTION
889          "An octet string containing the password for this
890          credential. If written, it changes the password for
891          the credential. If read, it returns a zero-length
892          string."
893      ::= { ipsAuthCredSrpAttributesEntry 2 }

895  ipsAuthCredSrpRowStatus OBJECT-TYPE
896      SYNTAX RowStatus
897      MAX-ACCESS read-create
898      STATUS current
899      DESCRIPTION
900          "This field allows entries to be dynamically added and
901          removed from this table via SNMP."
902      ::= { ipsAuthCredSrpAttributesEntry 3 }

904  ------------------------------------------------------------------------
905  -- Notifications

907  -- There are no notifications necessary in this MIB.

909  ------------------------------------------------------------------------

911  -- Conformance Statements

913  ipsAuthGroups OBJECT IDENTIFIER ::= { ipsAuthConformance 1 }

915  ipsAuthInstanceAttributesGroup OBJECT-GROUP
916      OBJECTS {
917          ipsAuthInstDescr
918      }
919      STATUS current
920      DESCRIPTION
921          "A collection of objects providing information about
922          authentication instances."
923      ::= { ipsAuthGroups 1 }

925  ipsAuthIdentAttributesGroup OBJECT-GROUP
926      OBJECTS {
927          ipsAuthIdentDescription,
928          ipsAuthIdentRowStatus
929      }
930      STATUS current
931      DESCRIPTION
932          "A collection of objects providing information about

934          user identities within an authentication instance."
935      ::= { ipsAuthGroups 2 }

937  ipsAuthIdentNameAttributesGroup OBJECT-GROUP
938      OBJECTS {
939          ipsAuthIdentName,
940          ipsAuthIdentNameRowStatus
941      }
942      STATUS current
943      DESCRIPTION
944          "A collection of objects providing information about
945          user names within user identities within an authentication
946          instance."
947      ::= { ipsAuthGroups 3 }

949  ipsAuthIdentAddrAttributesGroup OBJECT-GROUP
950      OBJECTS {
951          ipsAuthIdentAddrType,
952          ipsAuthIdentAddrStart,
953          ipsAuthIdentAddrEnd,
954          ipsAuthIdentAddrRowStatus
955      }
956      STATUS current
957      DESCRIPTION
958          "A collection of objects providing information about
959          address ranges within user identities within an authentication
960          instance."
961      ::= { ipsAuthGroups 4 }

963  ipsAuthIdentCredAttributesGroup OBJECT-GROUP
964      OBJECTS {
965          ipsAuthCredAuthMethod,
966          ipsAuthCredRowStatus
967      }
968      STATUS current
969      DESCRIPTION
970          "A collection of objects providing information about
971          credentials within user identities within an authentication
972          instance."
973      ::= { ipsAuthGroups 5 }

975  ipsAuthIdentChapAttrGroup OBJECT-GROUP
976      OBJECTS {
977          ipsAuthCredChapUserName,
978          ipsAuthCredChapPassword,
979          ipsAuthCredChapRowStatus
980      }
981      STATUS current
982      DESCRIPTION
983          "A collection of objects providing information about CHAP
984          credentials within user identities within an authentication
985          instance."
986      ::= { ipsAuthGroups 6 }

988  ipsAuthIdentSrpAttrGroup OBJECT-GROUP
989      OBJECTS {
990          ipsAuthCredSrpUserName,
991          ipsAuthCredSrpPassword,
992          ipsAuthCredSrpRowStatus
993      }
994      STATUS current
995      DESCRIPTION
996          "A collection of objects providing information about SRP
997          credentials within user identities within an authentication
998          instance."
999      ::= { ipsAuthGroups 7 }

1001  ------------------------------------------------------------------------

1003  ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 2 }

1005  ipsAuthComplianceV1 MODULE-COMPLIANCE
1006      STATUS current
1007      DESCRIPTION
1008          "Initial version of compliance statement based on
1009          initial version of MIB.

1011          The Instance and Identity groups are mandatory;
1012          at least one of the other groups (Name, Address,
1013          Credential, Certificate) is also mandatory for
1014          any given implementation."
1015      MODULE -- this module
1016      MANDATORY-GROUPS {
1017          ipsAuthInstanceAttributesGroup,
1018          ipsAuthIdentAttributesGroup
1019      }

1021      -- Conditionally mandatory groups to be included with
1022      -- the mandatory groups when necessary.

1024      GROUP ipsAuthIdentNameAttributesGroup
1025      DESCRIPTION
1026          "This group is mandatory for all implementations
1027          that make use of unique identity names."

1029      GROUP ipsAuthIdentAddrAttributesGroup
1030      DESCRIPTION
1031          "This group is mandatory for all implementations
1032          that use addresses to help authenticate identities."

1034      GROUP ipsAuthIdentCredAttributesGroup
1035      DESCRIPTION
1036          "This group is mandatory for all implementations
1037          that use credentials to help authenticate identities."

1039      ::= { ipsAuthCompliances 1 }

1041  END

1043  8. Security Considerations

1045     SNMPv1 by itself is not a secure environment. Even if the network
1046     itself is secure (for example by using IPSec), even then, there is no
1047     control as to who on the secure network is allowed to access and
1048     GET/SET (read/change/create/delete) the objects in this MIB.

1050     It is recommended that the implementers consider the security
1051     features as provided by the SNMPv3 framework. Specifically, the use
1052     of the User-based Security Model RFC 2574 [RFC2574] and the View-
1053     based Access Control Model RFC 2575 [RFC2575] is recommended.

1055     It is then a customer/user responsibility to ensure that the SNMP
1056     entity giving access to an instance of this MIB, is properly
1057     configured to give access to the objects only to those principals
1058     (users) that have legitimate rights to indeed GET or SET
1059     (change/create/delete) them.

1061     Read access to this MIB provides the ability to find out which names,
1062     addresses, and credentials would be required to access services on
1063     the managed system. If these credentials are easily spoofed
1064     (particularly the name or address), read access to the MIB must be
1065     tightly controlled.

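Added example (not part of the draft): one way an implementation could evaluate the rows of ipsAuthIdentAddrAttributesTable against a connecting peer's address, ignoring rows that are inactive or malformed. It assumes IpsAuthAddress values are network-order octets and uses the IANA address family values ipV4(1) and ipV6(2) and the RowStatus values of RFC 2579; AddrRow, row_problem, peer_allowed and the sample rows are hypothetical names and constructed data.

```python
import ipaddress
from dataclasses import dataclass

AF_IPV4, AF_IPV6 = 1, 2                 # IANA AddressFamilyNumbers: ipV4(1), ipV6(2)
ROW_ACTIVE, ROW_NOT_IN_SERVICE = 1, 2   # RowStatus values from RFC 2579
_ADDR_LEN = {AF_IPV4: 4, AF_IPV6: 16}

@dataclass(frozen=True)
class AddrRow:
    """One ipsAuthIdentAddrAttributesEntry; the class name is hypothetical."""
    addr_type: int    # ipsAuthIdentAddrType
    start: bytes      # ipsAuthIdentAddrStart (assumed network-order octets)
    end: bytes        # ipsAuthIdentAddrEnd
    row_status: int   # ipsAuthIdentAddrRowStatus

def row_problem(row):
    """Return why a row must be ignored, or None if it is usable."""
    want = _ADDR_LEN.get(row.addr_type)
    if want is None:
        return "unsupported address family"
    if len(row.start) != want or len(row.end) != want:
        return "address length does not match family"
    if row.start > row.end:   # equal-length big-endian octets order numerically
        return "start is above end"
    return None

def peer_allowed(rows, peer):
    """True only if peer lies inside an active, well-formed range."""
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:
        return False          # unparsable peer address: fail closed
    family = AF_IPV4 if ip.version == 4 else AF_IPV6
    for row in rows:
        if row.row_status != ROW_ACTIVE or row_problem(row) is not None:
            continue
        if row.addr_type == family and row.start <= ip.packed <= row.end:
            return True
    return False

def _pk(text):
    return ipaddress.ip_address(text).packed

# Constructed sample rows (documentation address space, not from the draft).
SAMPLE_ROWS = [
    AddrRow(AF_IPV4, _pk("192.0.2.10"), _pk("192.0.2.20"), ROW_ACTIVE),
    AddrRow(AF_IPV4, _pk("198.51.100.7"), _pk("198.51.100.7"), ROW_ACTIVE),  # single address
    AddrRow(AF_IPV4, _pk("203.0.113.9"), _pk("203.0.113.1"), ROW_ACTIVE),    # inverted range
    AddrRow(AF_IPV6, _pk("2001:db8::1"), _pk("2001:db8::ff"), ROW_NOT_IN_SERVICE),
]

if __name__ == "__main__":
    for peer in ("192.0.2.15", "198.51.100.8", "203.0.113.5", "2001:db8::5"):
        print(peer, peer_allowed(SAMPLE_ROWS, peer))
```

An empty row list matches nothing here; whether an identity with no address rows should be treated as unrestricted is a policy decision this sketch does not make.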
1067     Write access to the MIB provides the ability to set up which
1068     credentials may be used to access services on the managed system, to
1069     remove legitimate credentials (a denial of service), or to remove
1070     individual credentials to weaken the requirements for access of a
1071     particular service. Write access must always be tightly controlled.

1073  9. Normative References

1075     [ISCSI] Satran, J., et. al., "iSCSI", draft-ietf-ips-iSCSI-13, June
1076             2002.

1078     [RFC2571] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
1079             for Describing SNMP Management Frameworks", RFC 2571, April
1080             1999.

1082     [RFC1155] Rose, M., and K. McCloghrie, "Structure and Identification
1083             of Management Information for TCP/IP-based Internets", STD
1084             16, RFC 1155, May 1990.

1086     [RFC1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions", STD
1087             16, RFC 1212, March 1991.

1089     [RFC1215] M. Rose, "A Convention for Defining Traps for use with the
1090             SNMP", RFC 1215, March 1991.

1092     [RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
1093             Rose, M., and S. Waldbusser, "Structure of Management
1094             Information Version 2 (SMIv2)", STD 58, RFC 2578, April
1095             1999.

1097     [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
1098             Rose, M., and S. Waldbusser, "Textual Conventions for
1099             SMIv2", STD 58, RFC 2579, April 1999.

1101     [RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
1102             Rose, M., and S. Waldbusser, "Conformance Statements for
1103             SMIv2", STD 58, RFC 2580, April 1999.

1105     [RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
1106             Network Management Protocol", STD 15, RFC 1157, May 1990.

1108     [RFC1901] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
1109             "Introduction to Community-based SNMPv2", RFC 1901, January
1110             1996.

1112     [RFC1906] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
1113             "Transport Mappings for Version 2 of the Simple Network
1114             Management Protocol (SNMPv2)", RFC 1906, January 1996.

1116     [RFC2572] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message
1117             Processing and Dispatching for the Simple Network Management
1118             Protocol (SNMP)", RFC 2572, April 1999.

1120     [RFC2574] Blumenthal, U., and B. Wijnen, "User-based Security Model
1121             (USM) for version 3 of the Simple Network Management
1122             Protocol (SNMPv3)", RFC 2574, April 1999.

1124     [RFC1905] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
1125             "Protocol Operations for Version 2 of the Simple Network
1126             Management Protocol (SNMPv2)", RFC 1905, January 1996.

1128     [RFC2573] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications",
1129             RFC 2573, April 1999.

1131     [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
1132             Access Control Model (VACM) for the Simple Network
1133             Management Protocol (SNMP)", RFC 2575, April 1999.

1135     [RFC2570] Case, J., Mundy, R., Partain, D., and B. Stewart,
1136             "Introduction to Version 3 of the Internet-standard Network
1137             Management Framework", RFC 2570, April 1999.

1139     [RFC2012] McCloghrie, K., "SNMPv2 Management Information Base for the
1140             Transmission Control Protocol using SMIv2", RFC 2012,
1141             November 1996.

1143     [RFC3291] Daniele, M., et. al., "Textual Conventions for Internet
1144             Network Addresses", draft-ietf-ops-rfc2851-update-06.txt,
1145             February 2001

1147     [IANA-AF] IANA, "IANA Address Family Numbers MIB",
1148             http://www.iana.org/assignments/ianaaddressfamilynumbers-mib

1150     [RFC1213] K. McCloghrie, M.T. Rose, "Management Information Base for
1151             Network Management of TCP/IP-based internets:MIB-II", March
1152             1991.

1154     [RFC2011] K. McCloghrie, "SNMPv2 Management Information Base for the
1155             Internet Protocol using SMIv2", November 1996.

1157     [RFC2465] D. Haskin, S. Onishi, "Management Information Base for IP
1158             Version 6: Textual Conventions and General Group", December
1159             1998.

1161     [X.509] ITU-T Recommendation X.509 (1997 E), "Information Technology
1162             - Open Systems Interconnection - The Directory:
1163             Authentication Framework", June 1997.

1165     [FCMGMT] K. McCloghrie, "Fibre Channel Management MIB", draft-ietf-
1166             ips-fcmgmt-mib-01, February 2002.

1168  10. Informative References

1170     [RFC1737] K. Sollins, L. Masinter, "Functional Requirements for
1171             Uniform Resource Names", December 1994.

1173     [RFC1994] W. Simpson, "PPP Challenge Handshake Authentication Protocol
1174             (CHAP)", August 1996.

1176     [RFC2945] T. Wu, "The SRP Authentication and Key Exchange System",
1177             September 2000.

1179  11. Authors' Addresses

1181     Mark Bakke
1182     Postal: Cisco Systems, Inc
1183     6450 Wedgwood Road, Suite 130
1184     Maple Grove, MN
1185     USA 55311

1187     Tel: +1 763-398-1000
1188     Fax: +1 763-398-1001

1190     E-mail: mbakke@cisco.com

1192     Jim Muchow
1193     Postal: Cisco Systems, Inc
1194     6450 Wedgwood Road, Suite 130
1195     Maple Grove, MN
1196     USA 55311

1198     Tel: +1 763-398-1000
1199     Fax: +1 763-398-1001

1201     E-mail: jmuchow@cisco.com