idnits 2.17.1

draft-ietf-ips-auth-mib-02.txt:

  ** The Abstract section seems to be numbered

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document is more than 15 pages and seems to lack a Table of Contents.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Introduction section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The abstract seems to contain references ([ISCSI]), which it shouldn't.
     Please replace those with straight textual mentions of the documents in
     question.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (September 2002) is 7866 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2012' is defined on line 1252, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2571 (Obsoleted by RFC 3411)

  ** Downref: Normative reference to an Informational RFC: RFC 1215

  ** Downref: Normative reference to an Historic RFC: RFC 1157

  ** Obsolete normative reference: RFC 3291 (Obsoleted by RFC 4001)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'IANA-AF'

  ** Obsolete normative reference: RFC 2011 (Obsoleted by RFC 4293)

  ** Obsolete normative reference: RFC 2465 (Obsoleted by RFC 4293, RFC 8096)

  -- Obsolete informational reference (is this intentional?): RFC 1906
     (Obsoleted by RFC 3417)

  -- Obsolete informational reference (is this intentional?): RFC 2572
     (Obsoleted by RFC 3412)

  -- Obsolete informational reference (is this intentional?): RFC 2574
     (Obsoleted by RFC 3414)

  -- Obsolete informational reference (is this intentional?): RFC 1905
     (Obsoleted by RFC 3416)

  -- Obsolete informational reference (is this intentional?): RFC 2573
     (Obsoleted by RFC 3413)

  -- Obsolete informational reference (is this intentional?): RFC 2575
     (Obsoleted by RFC 3415)

  -- Obsolete informational reference (is this intentional?): RFC 2570
     (Obsoleted by RFC 3410)

  -- Obsolete informational reference (is this intentional?): RFC 2012
     (Obsoleted by RFC 4022)

  -- No information found for draft-ietf-ips-iSCSI - is the name correct?
  -- Obsolete informational reference (is this intentional?): RFC 1510
     (Obsoleted by RFC 4120, RFC 6649)

  == Outdated reference: A later version (-06) exists of
     draft-ietf-ips-fcmgmt-mib-01

     Summary: 13 errors (**), 0 flaws (~~), 4 warnings (==), 13 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Internet Draft                                                Mark Bakke
                                                              Jim Muchow
Expires March 2003                                         Cisco Systems

                                                          September 2002

     Definitions of Managed Objects for User Identity Authentication

1. Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

1.1. Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

2. Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in TCP/IP based internets.
   In particular it defines objects for managing user identities and the
   names, addresses, and credentials required to authenticate them, for
   use with various protocols.
   This draft was motivated by the need for the configuration of
   authenticated user identities for the iSCSI protocol [ISCSI], but
   has been extended to be useful for other protocols that have similar
   requirements.  It is important to note that this MIB provides only
   the set of identities and the means to authenticate them; it is the
   responsibility of other MIBs making use of this one to tie them to
   authorization lists.

3. Acknowledgments

   In addition to the authors, several people contributed to the
   development of this MIB through discussions of authentication,
   authorization, and access within the iSCSI MIB and security teams,
   including John Hufferd, Marjorie Krueger, Keith McCloghrie, Tom
   McSweeney, Steve Senum, and Josh Tseng.  Thanks also to Bill
   Studenmund (Wasabi Systems) for adding the Kerberos method.

   Thanks especially to Keith McCloghrie for serving as advisor for this
   MIB.

4. The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2571 [RFC2571].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management.  The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      STD 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC
      1215 [RFC1215].  The second version, called SMIv2, is described
      in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and
      STD 58, RFC 2580 [RFC2580].

   o  Message protocols for transferring management information.  The
      first version of the SNMP message protocol is called SNMPv1 and
      described in STD 15, RFC 1157 [RFC1157].  A second version of
      the SNMP message protocol, which is not an Internet standards
      track protocol, is called SNMPv2c and described in RFC 1901
      [RFC1901] and RFC 1906 [RFC1906].
      The third version of the message protocol is called SNMPv3 and
      described in RFC 1906 [RFC1906], RFC 2572 [RFC2572] and RFC 2574
      [RFC2574].

   o  Protocol operations for accessing management information.  The
      first set of protocol operations and associated PDU formats is
      described in STD 15, RFC 1157 [RFC1157].  A second set of
      protocol operations and associated PDU formats is described in
      RFC 1905 [RFC1905].

   o  A set of fundamental applications described in RFC 2573
      [RFC2573] and the view-based access control mechanism described
      in RFC 2575 [RFC2575].

   A more detailed introduction to the current SNMP Management Framework
   can be found in RFC 2570 [RFC2570].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2.  A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations.  The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64).  Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process.  However, this loss of machine
   readable information is not considered to change the semantics of the
   MIB.

   This MIB will be used to configure and/or look at the configuration
   of user identities and their authentication information.  For the
   purposes of this MIB, a "user" identity does not need to be an actual
   person; a user can also be a host, an application, a cluster of
   hosts, or any other identifiable entity that can be authenticated and
   granted access to a resource.

   Most objects in this MIB have a MAX-ACCESS of read-create; the MIB is
   intended to allow configuration of user identities and their names,
   addresses, and credentials.  MIN-ACCESS for all objects is read-only
   for those implementations that configure through other means, but
   require the ability to monitor user identities.

5. Relationship to Other MIBs

   The identity authentication MIB does not directly address objects
   within other MIBs.  The identity address objects contain IPv4, IPv6,
   or other address types, and as such may be indirectly related to
   objects within the IPv4 MIB [RFC1213, RFC2011] or IPv6 [RFC2465] MIB.

   This MIB does not cover authorization.  This should generally be done
   in MIBs that reference identities in this one.  It also does not
   cover login or authentication failure statistics or notifications, as
   these are all fairly application-specific, and not generic enough to
   include here.

   The user identity objects within this MIB are typically referenced
   from other MIBs by a RowPointer within that MIB.  A MIB containing
   resources for which it requires a list of authorized user identities
   may create such a list, with a single RowPointer within each list
   element pointing to a user identity within this MIB.  This is neither
   required nor restricted by this MIB.

6. Discussion

   This MIB structure is intended to allow the configuration of a list
   of user identities, each with a list of names, addresses,
   credentials, and certificates which when combined will authenticate
   that identity.

   The authentication MIB is structured around two primary "objects",
   the authentication instance, and the identity, which serve as
   containers for the remainder of the objects.  This section contains a
   brief description of the "object" hierarchy and a description of each
   object, followed by a discussion of the actual SNMP table structure
   within the objects.

6.1. Authentication MIB Object Model

   The top-level object in this structure is the authentication
   instance, which "contains" all of the other objects.  The indexing
   hierarchy of this MIB looks like:

   ipsAuthInstance
      -- A distinct authentication entity within the managed system.
      -- Most implementations will have just one of these.
      ipsAuthIdentity
         -- A user identity, consisting of a set of identity names,
         -- addresses, and credentials reflected in the following
         -- objects, as well as a RowPointer to an ipsAuthCertificate.
         ipsAuthIdentityName
            -- A name for a user identity.  A name should be globally
            -- unique, and unchanging over time.  Some protocols may
            -- not require this one.
         ipsAuthIdentityAddress
            -- An address range, typically but not necessarily an
            -- IPv4, IPv6, or Fibre Channel address range, at which
            -- the identity is allowed to reside.
         ipsAuthCredential
            -- A single credential, such as a CHAP username/password,
            -- which can authenticate the identity.
            ipsAuthCredChap
               -- CHAP-specific attributes for an ipsAuthCredential
            ipsAuthCredSrp
               -- SRP-specific attributes
            ipsAuthCredKerberos
               -- Kerberos-specific attributes

   Each identity contains the information necessary to authenticate a
   particular end-point that wishes to access a service, such as iSCSI.

   An identity can contain multiple names, addresses, and credentials.

6.2. ipsAuthInstance

   The ipsAuthInstanceAttributesTable is the primary table of the
   authentication MIB.  Every other table entry in this MIB includes the
   index of an ipsAuthInstanceAttributesEntry as its primary index.  An
   authentication instance is basically a managed set of identities.

   Many implementations will include just one authentication instance
   row in this table.
   However, there will be cases where multiple rows in this table may
   be used:

   -  A large system may be "partitioned" into multiple, distinct virtual
      systems, perhaps sharing the SNMP agent but not their lists of
      identities.  Each virtual system would have its own authentication
      instance.

   -  A set of stackable systems, each with their own set of identities,
      may be managed by a common SNMP agent.  Each individual system
      would have its own authentication instance.

   -  Multiple protocols, each with their own set of identities, may
      exist within a single system and be managed by a single SNMP agent.
      In this case, each protocol may have its own authentication
      instance.

6.3. ipsAuthIdentity

   The ipsAuthIdentAttributesTable contains one entry for each
   configured user identity.  The identity contains only a description
   of what the identity is used for; its attributes are all contained in
   other tables, since they can have multiple values.

   Other MIBs containing lists of users authorized to access a
   particular resource should generally contain a RowPointer to the
   ipsAuthIdentAttributesEntry which will, if authenticated, be allowed
   access.

   All other table entries make use of the indices to this table as
   their primary indices.

6.4. ipsAuthIdentityName

   The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names,
   each of which belong to, and may be used to identify, a particular
   identity in the authIdentity table.

   Implementations making use of the authentication MIB may identify
   their resources by names, addresses, or both.  A name is typically a
   unique (within the required scope), unchanging identifier for a
   resource.  It will normally meet some or all of the requirements for a
   Uniform Resource Name [RFC1737], although a name in the context of
   this MIB does not need to be a URN.
   Identifiers that typically change over time should generally be
   placed into the ipsAuthIdentityAddress table; names that have no
   uniqueness properties should usually be placed into the description
   attribute for the identity.

   An example of an identity name is the iSCSI Name, defined in [ISCSI].

   If this table contains no entries associated with a particular user
   identity, the implementation does not need to check any name
   parameters when authenticating that identity.  If the table contains
   multiple entries associated with a particular user identity, the
   implementation should consider a match with any one of these entries
   to be valid.

6.5. ipsAuthIdentityAddress

   The ipsAuthIdentAddrAttributesTable contains a list of addresses at
   which the identity may be authenticated.  For example, an identity
   may be allowed access to a resource only from a certain IP address,
   or only if its address is in a certain range or set of ranges.

   Each entry contains a starting and ending address.  If a single
   address is desired in the list, both starting and ending addresses
   must be identical.

   Each entry contains an AddrType attribute.  This attribute contains
   an enumeration registered as an IANA Address Family type [IANA-AF].
   Although many implementations will use IPv4 or IPv6 address types for
   these entries, any IANA-registered type may be used, as long as it
   makes sense to the application.

   Matching any address within any range within the list associated with
   a particular identity is considered to be a valid match.  If no
   entries are present in this list for a given identity, its address is
   not checked during authentication.

   Netmasks are not supported, since an address range can express the
   same thing with more flexibility.  An application specifying
   addresses using network masks may do so, and convert to and from
   address ranges when reading or writing this MIB.

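   The matching rules of sections 6.4 and 6.5, worked through as an
   added example (not part of the draft or of any implementation of it).
   The class and function names and the sample identities are
   hypothetical; the sketch assumes IPv4/IPv6 addresses stored as 4- or
   16-octet strings and shows that an identity with empty name or
   address tables skips the corresponding check.

```python
"""Name and address-range matching as described in sections 6.4 and 6.5.

Added illustration; class and function names are hypothetical, not MIB objects.
"""
import ipaddress
from dataclasses import dataclass, field

# IANA Address Family Numbers used by ipsAuthIdentAddrType.
AF_IPV4 = 1
AF_IPV6 = 2


def packed(text):
    """Return an IP address as the octet string the MIB stores (4 or 16 bytes)."""
    return ipaddress.ip_address(text).packed


@dataclass(frozen=True)
class AddrRange:
    """One row of the address table: type, starting and ending address."""
    addr_type: int
    start: bytes
    end: bytes

    def contains(self, addr_type, addr):
        # A different address family, or a different length, never matches.
        if addr_type != self.addr_type:
            return False
        if not (len(addr) == len(self.start) == len(self.end)):
            return False
        # Equal-length big-endian octet strings compare in numeric order.
        return self.start <= addr <= self.end


@dataclass
class Identity:
    description: str
    names: list = field(default_factory=list)     # identity name rows
    ranges: list = field(default_factory=list)    # address range rows


def name_ok(identity, presented_name):
    """Section 6.4: no rows means no name check; otherwise any row may match."""
    if not identity.names:
        return True
    return presented_name in identity.names


def address_ok(identity, addr_type, addr):
    """Section 6.5: no rows means no address check; otherwise any range may match."""
    if not identity.ranges:
        return True
    return any(r.contains(addr_type, addr) for r in identity.ranges)


def unchecked_attributes(identity):
    """Audit helper: list the checks this identity skips because a table is empty."""
    skipped = []
    if not identity.names:
        skipped.append("name")
    if not identity.ranges:
        skipped.append("address")
    return skipped


def netmask_to_range(cidr):
    """Convert network/prefix notation to the start/end pair the MIB stores."""
    net = ipaddress.ip_network(cidr, strict=False)
    family = AF_IPV4 if net.version == 4 else AF_IPV6
    return AddrRange(family, net.network_address.packed, net.broadcast_address.packed)


def range_to_netmasks(rng):
    """Convert a stored IP range back to the minimal list of network/prefix blocks."""
    classes = {AF_IPV4: ipaddress.IPv4Address, AF_IPV6: ipaddress.IPv6Address}
    if rng.addr_type not in classes:
        raise ValueError("netmasks only apply to IPv4 and IPv6 ranges")
    cls = classes[rng.addr_type]
    blocks = ipaddress.summarize_address_range(cls(rng.start), cls(rng.end))
    return [str(b) for b in blocks]


# Constructed sample identity: one iSCSI-style name, one /28 and one single address.
BACKUP_HOST = Identity(
    description="backup host (constructed sample)",
    names=["iqn.2002-09.com.example:backup"],
    ranges=[
        netmask_to_range("192.0.2.0/28"),
        AddrRange(AF_IPV4, packed("198.51.100.7"), packed("198.51.100.7")),
    ],
)
# Constructed sample identity with empty name and address tables.
UNRESTRICTED = Identity(description="no name or address rows (constructed sample)")

if __name__ == "__main__":
    for text in ("192.0.2.15", "192.0.2.16", "198.51.100.7", "2001:db8::1"):
        fam = AF_IPV6 if ":" in text else AF_IPV4
        print(text, address_ok(BACKUP_HOST, fam, packed(text)))
    print("skipped checks:", unchecked_attributes(UNRESTRICTED))
    odd = AddrRange(AF_IPV4, packed("192.0.2.1"), packed("192.0.2.6"))
    print("as netmasks:", range_to_netmasks(odd))
```

   A range that is not aligned to a prefix boundary, such as the last
   one printed, needs several netmask entries but only one row here.
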
6.6. ipsAuthCredential

   The ipsAuthCredentialAttributesTable contains a list of credentials,
   each of which may authenticate a particular identity.

   Each credential contains an authentication method to be used, such as
   CHAP [RFC1994], SRP [RFC2945], or Kerberos [RFC1510].  This attribute
   contains an object identifier instead of an enumerated type, allowing
   other MIBs to add their own authentication methods, without modifying
   this MIB.

   For each entry in this table, there will exist an entry in another
   table containing its attributes.  The table in which to place the
   entry depends on the AuthMethod attribute:

   CHAP      If the AuthMethod is set to the CHAP OID, an entry using the
             same indices as the ipsAuthCredential will exist in the
             ipsAuthCredChap table, which contains the CHAP username.

   SRP       If the AuthMethod is set to the SRP OID, an entry using the
             same indices as the ipsAuthCredential will exist in the
             ipsAuthCredSrp table, which contains the SRP username.

   Kerberos  If the AuthMethod is set to the Kerberos OID, an entry using
             the same indices as the ipsAuthCredential will exist in the
             ipsAuthCredKerberos table, which contains the Kerberos
             principal.

   Other     If the AuthMethod is set to any OID not defined in this MIB,
             an entry using the same indices as the ipsAuthCredential
             entry should be placed in the other MIB that defines whatever
             attributes are needed for that type of credential.

6.7. IP, Fibre Channel, and Other Addresses

   The IP addresses in this MIB are represented by two attributes, one
   of type AddressFamilyNumbers, and the other of type AuthAddress.
   Each address can take on any of the types within the list of address
   family numbers; the most likely being IPv4, IPv6, or one of the Fibre
   Channel address types.

   The type AuthAddress is an octet string.
   If the address family is IPv4 or IPv6, the format is taken from the
   InetAddress specified in [RFC3291].  If the address family is one of
   the Fibre Channel types, the format is identical to the
   FcNameIdOrZero type defined in [FCMGMT].

6.8. Descriptors: Using OIDs in Place of Enumerated Types

   Some attributes, particularly the authentication method attribute,
   would normally require an enumerated type.  However, implementations
   will likely need to add new authentication method types of their own,
   without extending this MIB.  To make this work, the MIB defines a set
   of object identities within ipsAuthDescriptors.  Each of these object
   identities is basically an enumerated type.

   Attributes that make use of these object identities have a value
   which is an OID instead of an enumerated type.  These OIDs can either
   indicate the object identities defined in this MIB, or object
   identities defined elsewhere, such as in an enterprise MIB.  Those
   implementations that add their own authentication methods should also
   define a corresponding object identity for each of these methods
   within their own enterprise MIB, and return its OID whenever one of
   these attributes is using that method.

6.9. Notifications

   Monitoring of authentication failures and other notification events
   are outside the scope of this MIB, as they are generally application-
   specific.  No notifications are provided or required.

7. MIB Definitions

IPS-AUTH-MIB DEFINITIONS  ::= BEGIN

    IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32,
    experimental
    FROM SNMPv2-SMI

    TEXTUAL-CONVENTION, RowStatus, AutonomousType
    FROM SNMPv2-TC

    MODULE-COMPLIANCE, OBJECT-GROUP
    FROM SNMPv2-CONF

    SnmpAdminString
    FROM SNMP-FRAMEWORK-MIB -- RFC 2571

    AddressFamilyNumbers
    FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB
    ;

ipsAuthModule MODULE-IDENTITY
    LAST-UPDATED  "200209250000Z" -- September 25, 2002
    ORGANIZATION  "IETF IPS Working Group"
    CONTACT-INFO
    "
    Mark Bakke
    Postal: Cisco Systems, Inc
    6450 Wedgwood Road, Suite 130
    Maple Grove, MN
    USA 55311

    Tel: +1 763-398-1000
    Fax: +1 763-398-1001

    E-mail: mbakke@cisco.com

    Jim Muchow
    Postal: Cisco Systems, Inc
    6450 Wedgwood Road, Suite 130
    Maple Grove, MN
    USA 55311

    Tel: +1 763-398-1000
    Fax: +1 763-398-1001
    E-mail: jmuchow@cisco.com"

    DESCRIPTION
        "The IP Storage Authentication MIB module."
    REVISION "200209250000Z" -- September 25, 2002
    DESCRIPTION
        "Initial revision published as RFC xxxx."

--::= { mib-2 xx }
-- in case you want to COMPILE
::= { experimental 99999 }

ipsAuthObjects       OBJECT IDENTIFIER ::= { ipsAuthModule 1 }
ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthModule 2 }
ipsAuthConformance   OBJECT IDENTIFIER ::= { ipsAuthModule 3 }

-- Textual Conventions

IpsAuthAddress ::= TEXTUAL-CONVENTION
    STATUS        current
    DESCRIPTION
        "IP Storage requires the use of address information
        that uses not only the InetAddress type defined in the
        INET-ADDRESS-MIB, but also Fibre Channel type defined
        in the Fibre Channel Management MIB.  Although these
        address types are recognized in the IANA Address Family
        Numbers MIB, the addressing mechanisms have not been
        merged into a well-known, common type.  This data type,
        the IpsAuthAddress, performs this function for this MIB."
    REFERENCE
        "IANA-ADDRESS-FAMILY-NUMBERS-MIB;
         INET-ADDRESS-MIB (RFC 2851);
         Fibre Channel Management MIB (presently defined in
         draft-ietf-ips-fcmgmt-mib-01.txt)."
    SYNTAX        OCTET STRING (SIZE(0..255))

------------------------------------------------------------------------

ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 }

ipsAuthMethodTypes OBJECT IDENTIFIER ::= { ipsAuthDescriptors 1 }

ipsAuthMethodNone OBJECT-IDENTITY
    STATUS        current
    DESCRIPTION
        "The authoritative identifier when no authentication
        method is used."
    REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 1 }

ipsAuthMethodSrp OBJECT-IDENTITY
    STATUS        current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is SRP."
    REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 2 }

ipsAuthMethodChap OBJECT-IDENTITY
    STATUS        current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is CHAP."
    REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 3 }

ipsAuthMethodKerberos OBJECT-IDENTITY
    STATUS        current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is Kerberos."
    REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 4 }

----------------------------------------------------------------------

ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 }

-- Instance Attributes Table

ipsAuthInstanceAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthInstanceAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of Authentication instances present on the system."
::= { ipsAuthInstance 2 }

ipsAuthInstanceAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthInstanceAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a particular Authentication instance."
    INDEX { ipsAuthInstIndex }
::= { ipsAuthInstanceAttributesTable 1 }

IpsAuthInstanceAttributesEntry ::= SEQUENCE {
    ipsAuthInstIndex               Unsigned32,
    ipsAuthInstDescr               SnmpAdminString
}

ipsAuthInstIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular authentication instance."
::= { ipsAuthInstanceAttributesEntry 1 }

ipsAuthInstDescr OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-write
    STATUS        current
    DESCRIPTION
        "An octet string, determined by the implementation to
        describe the authentication instance.  When only a single
        instance is present, this object may be set to the
        zero-length string; with multiple authentication
        instances, it may be used in an implementation-dependent
        manner to describe the purpose of the respective instance."
::= { ipsAuthInstanceAttributesEntry 2 }

ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 }

-- iSCSI User Identity Attributes Table

ipsAuthIdentAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of user identities, each belonging to a
        particular ipsAuthInstance."
::= { ipsAuthIdentity 1 }

ipsAuthIdentAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        describing a user identity within an authentication
        instance on this node."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex }
::= { ipsAuthIdentAttributesTable 1 }

IpsAuthIdentAttributesEntry ::= SEQUENCE {
    ipsAuthIdentIndex              Unsigned32,
    ipsAuthIdentDescription        SnmpAdminString,
    ipsAuthIdentRowStatus          RowStatus
}

ipsAuthIdentIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular identity instance within an authentication
        instance present on the node."
::= { ipsAuthIdentAttributesEntry 1 }

ipsAuthIdentDescription OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "An octet string describing this particular identity."
::= { ipsAuthIdentAttributesEntry 2 }

ipsAuthIdentRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
::= { ipsAuthIdentAttributesEntry 3 }

ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 }

-- iSCSI User Initiator Name Attributes Table

ipsAuthIdentNameAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentNameAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of unique names that can be used to positively
        identify a particular user identity."
::= { ipsAuthIdentityName 1 }

ipsAuthIdentNameAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentNameAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a unique identity name which can be used
        to identify a user identity within a particular
        authentication instance."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
            ipsAuthIdentNameIndex }
::= { ipsAuthIdentNameAttributesTable 1 }

IpsAuthIdentNameAttributesEntry ::= SEQUENCE {
    ipsAuthIdentNameIndex          Unsigned32,
    ipsAuthIdentName               SnmpAdminString,
    ipsAuthIdentNameRowStatus      RowStatus
}

ipsAuthIdentNameIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular identity name instance within an
        ipsAuthIdentity within an authentication instance."
::= { ipsAuthIdentNameAttributesEntry 1 }

ipsAuthIdentName OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "A character string which is the unique name of an
        identity that may be used to identify this ipsAuthIdent
        entry."
::= { ipsAuthIdentNameAttributesEntry 2 }

ipsAuthIdentNameRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
::= { ipsAuthIdentNameAttributesEntry 3 }

ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 }

-- iSCSI User Initiator Address Attributes Table

ipsAuthIdentAddrAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentAddrAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of address ranges that are allowed to serve
        as the endpoint addresses of a particular identity.
        An address range includes a starting and ending address
        and an optional netmask, and an address type indicator,
        which can specify whether the address is IPv4, IPv6,
        FC-WWPN, or FC-WWNN."
::= { ipsAuthIdentityAddress 1 }

ipsAuthIdentAddrAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentAddrAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to an address range which is used as part
        of the authentication of an identity
        within an authentication instance on this node."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
            ipsAuthIdentAddrIndex }
::= { ipsAuthIdentAddrAttributesTable 1 }

IpsAuthIdentAddrAttributesEntry ::= SEQUENCE {
    ipsAuthIdentAddrIndex          Unsigned32,
    ipsAuthIdentAddrType           AddressFamilyNumbers,
    ipsAuthIdentAddrStart          IpsAuthAddress,
    ipsAuthIdentAddrEnd            IpsAuthAddress,
    ipsAuthIdentAddrRowStatus      RowStatus
}

ipsAuthIdentAddrIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular ipsAuthIdentAddress instance within an
        ipsAuthIdentity within an authentication instance
        present on the node."
::= { ipsAuthIdentAddrAttributesEntry 1 }

ipsAuthIdentAddrType OBJECT-TYPE
    SYNTAX        AddressFamilyNumbers
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The type of Address in the ipsAuthIdentAddress
        start, end, and mask fields.  This type is taken
        from the IANA address family types; more types may
        be registered independently of this MIB."
::= { ipsAuthIdentAddrAttributesEntry 2 }

ipsAuthIdentAddrStart OBJECT-TYPE
    SYNTAX        IpsAuthAddress
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The starting address of the allowed address range."
::= { ipsAuthIdentAddrAttributesEntry 3 }

ipsAuthIdentAddrEnd OBJECT-TYPE
    SYNTAX        IpsAuthAddress
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The ending address of the allowed address range.
        If the ipsAuthIdentAddrEntry specifies a single
        address, this shall match the ipsAuthIdentAddrStart."
::= { ipsAuthIdentAddrAttributesEntry 4 }

ipsAuthIdentAddrRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
::= { ipsAuthIdentAddrAttributesEntry 5 }

ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 }

-- Identity Credential Attributes Table

ipsAuthCredentialAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredentialAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of credentials related to user identities
        that are allowed as valid authenticators of the
        particular identity."
::= { ipsAuthCredential 1 }

ipsAuthCredentialAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredentialAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which authenticates a user
        identity within an authentication instance."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredentialAttributesTable 1 }

IpsAuthCredentialAttributesEntry ::= SEQUENCE {
    ipsAuthCredIndex               Unsigned32,
    ipsAuthCredAuthMethod          AutonomousType,
    ipsAuthCredRowStatus           RowStatus
}

ipsAuthCredIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular iSCSI Credential instance within an
        iSCSI instance present on the node."
 777      ::= { ipsAuthCredentialAttributesEntry 1 }

 779  ipsAuthCredAuthMethod OBJECT-TYPE
 780      SYNTAX        AutonomousType
 781      MAX-ACCESS    read-create
 782      STATUS        current
 783      DESCRIPTION
 784          "This object contains an OBJECT IDENTIFIER
 785          which identifies the authentication method
 786          used with this credential.

 788          Some standardized values for this object are defined
 789          within the ipsAuthMethods subtree."
 790      ::= { ipsAuthCredentialAttributesEntry 2 }
 791  ipsAuthCredRowStatus OBJECT-TYPE
 792      SYNTAX        RowStatus
 793      MAX-ACCESS    read-create
 794      STATUS        current
 795      DESCRIPTION
 796          "This field allows entries to be dynamically added and
 797          removed from this table via SNMP."
 798      ::= { ipsAuthCredentialAttributesEntry 3 }

 800  ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 7 }

 802  -- Credential Chap-Specific Attributes Table

 804  ipsAuthCredChapAttributesTable OBJECT-TYPE
 805      SYNTAX        SEQUENCE OF IpsAuthCredChapAttributesEntry
 806      MAX-ACCESS    not-accessible
 807      STATUS        current
 808      DESCRIPTION
 809          "A list of CHAP attributes for credentials that
 810          use ipsAuthMethodChap as their ipsAuthCredAuthMethod."
 811      ::= { ipsAuthCredChap 1 }

 813  ipsAuthCredChapAttributesEntry OBJECT-TYPE
 814      SYNTAX        IpsAuthCredChapAttributesEntry
 815      MAX-ACCESS    not-accessible
 816      STATUS        current
 817      DESCRIPTION
 818          "An entry (row) containing management information
 819          applicable to a credential which uses
 820          ipsAuthMethodChap as its ipsAuthCredAuthMethod."
 821      INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
 822      ::= { ipsAuthCredChapAttributesTable 1 }

 824  IpsAuthCredChapAttributesEntry ::= SEQUENCE {
 825      ipsAuthCredChapUserName       SnmpAdminString,
 826      ipsAuthCredChapPassword       SnmpAdminString,
 827      ipsAuthCredChapRowStatus      RowStatus
 828  }

 830  ipsAuthCredChapUserName OBJECT-TYPE
 831      SYNTAX        SnmpAdminString
 832      MAX-ACCESS    read-create
 833      STATUS        current
 834      DESCRIPTION
 835          "An octet string containing the CHAP user name for this
 836          credential."
 837      ::= { ipsAuthCredChapAttributesEntry 1 }
 838  ipsAuthCredChapPassword OBJECT-TYPE
 839      SYNTAX        SnmpAdminString
 840      MAX-ACCESS    read-create
 841      STATUS        current
 842      DESCRIPTION
 843          "An octet string containing the password for this
 844          credential. If written, it changes the password for
 845          the credential. If read, it returns a zero-length
 846          string."
 847      ::= { ipsAuthCredChapAttributesEntry 2 }

 849  ipsAuthCredChapRowStatus OBJECT-TYPE
 850      SYNTAX        RowStatus
 851      MAX-ACCESS    read-create
 852      STATUS        current
 853      DESCRIPTION
 854          "This field allows entries to be dynamically added and
 855          removed from this table via SNMP."
 856      ::= { ipsAuthCredChapAttributesEntry 3 }

 858  ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 8 }

 860  -- Credential Srp-Specific Attributes Table

 862  ipsAuthCredSrpAttributesTable OBJECT-TYPE
 863      SYNTAX        SEQUENCE OF IpsAuthCredSrpAttributesEntry
 864      MAX-ACCESS    not-accessible
 865      STATUS        current
 866      DESCRIPTION
 867          "A list of SRP attributes for credentials that
 868          use ipsAuthMethodSrp as their ipsAuthCredAuthMethod."
 869      ::= { ipsAuthCredSrp 1 }

 871  ipsAuthCredSrpAttributesEntry OBJECT-TYPE
 872      SYNTAX        IpsAuthCredSrpAttributesEntry
 873      MAX-ACCESS    not-accessible
 874      STATUS        current
 875      DESCRIPTION
 876          "An entry (row) containing management information
 877          applicable to a credential which uses
 878          ipsAuthMethodSrp as its ipsAuthCredAuthMethod."
 879      INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
 880      ::= { ipsAuthCredSrpAttributesTable 1 }

 882  IpsAuthCredSrpAttributesEntry ::= SEQUENCE {
 883      ipsAuthCredSrpUserName        SnmpAdminString,
 884      ipsAuthCredSrpPassword        SnmpAdminString,
 885      ipsAuthCredSrpRowStatus       RowStatus
 886  }

 888  ipsAuthCredSrpUserName OBJECT-TYPE
 889      SYNTAX        SnmpAdminString
 890      MAX-ACCESS    read-create
 891      STATUS        current
 892      DESCRIPTION
 893          "An octet string containing the SRP user name for this
 894          credential."
 895      ::= { ipsAuthCredSrpAttributesEntry 1 }

 897  ipsAuthCredSrpPassword OBJECT-TYPE
 898      SYNTAX        SnmpAdminString
 899      MAX-ACCESS    read-create
 900      STATUS        current
 901      DESCRIPTION
 902          "An octet string containing the password for this
 903          credential. If written, it changes the password for
 904          the credential. If read, it returns a zero-length
 905          string."
 906      ::= { ipsAuthCredSrpAttributesEntry 2 }

 908  ipsAuthCredSrpRowStatus OBJECT-TYPE
 909      SYNTAX        RowStatus
 910      MAX-ACCESS    read-create
 911      STATUS        current
 912      DESCRIPTION
 913          "This field allows entries to be dynamically added and
 914          removed from this table via SNMP."
 915      ::= { ipsAuthCredSrpAttributesEntry 3 }

 917  ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 9 }

 919  -- Credential Kerberos-Specific Attributes Table

 921  ipsAuthCredKerbAttributesTable OBJECT-TYPE
 922      SYNTAX        SEQUENCE OF IpsAuthCredKerbAttributesEntry
 923      MAX-ACCESS    not-accessible
 924      STATUS        current
 925      DESCRIPTION
 926          "A list of Kerberos attributes for credentials that
 927          use ipsAuthMethodKerberos as their ipsAuthCredAuthMethod."
 928      ::= { ipsAuthCredKerberos 1 }

 930  ipsAuthCredKerbAttributesEntry OBJECT-TYPE
 931      SYNTAX        IpsAuthCredKerbAttributesEntry
 932      MAX-ACCESS    not-accessible
 933      STATUS        current
 934      DESCRIPTION
 935          "An entry (row) containing management information
 936          applicable to a credential which uses
 937          ipsAuthMethodKerberos as its ipsAuthCredAuthMethod."
 938      INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
 939      ::= { ipsAuthCredKerbAttributesTable 1 }

 941  IpsAuthCredKerbAttributesEntry ::= SEQUENCE {
 942      ipsAuthCredKerbPrincipal      SnmpAdminString,
 943      ipsAuthCredKerbRowStatus      RowStatus
 944  }

 946  ipsAuthCredKerbPrincipal OBJECT-TYPE
 947      SYNTAX        SnmpAdminString
 948      MAX-ACCESS    read-create
 949      STATUS        current
 950      DESCRIPTION
 951          "An octet string containing a Kerberos principal
 952          for this credential."
 953      ::= { ipsAuthCredKerbAttributesEntry 1 }

 955  ipsAuthCredKerbRowStatus OBJECT-TYPE
 956      SYNTAX        RowStatus
 957      MAX-ACCESS    read-create
 958      STATUS        current
 959      DESCRIPTION
 960          "This field allows entries to be dynamically added and
 961          removed from this table via SNMP."
 962      ::= { ipsAuthCredKerbAttributesEntry 2 }

 964  ------------------------------------------------------------------------
 965  -- Notifications

 967  -- There are no notifications necessary in this MIB.

 969  ------------------------------------------------------------------------

 971  -- Conformance Statements

 973  ipsAuthGroups OBJECT IDENTIFIER ::= { ipsAuthConformance 1 }

 975  ipsAuthInstanceAttributesGroup OBJECT-GROUP
 976      OBJECTS {
 977          ipsAuthInstDescr
 978      }
 979      STATUS current
 980      DESCRIPTION
 981          "A collection of objects providing information about
 982          authentication instances."
 983      ::= { ipsAuthGroups 1 }

 985  ipsAuthIdentAttributesGroup OBJECT-GROUP
 986      OBJECTS {
 987          ipsAuthIdentDescription,
 988          ipsAuthIdentRowStatus
 989      }
 990      STATUS current
 991      DESCRIPTION
 992          "A collection of objects providing information about
 993          user identities within an authentication instance."
 994      ::= { ipsAuthGroups 2 }

 996  ipsAuthIdentNameAttributesGroup OBJECT-GROUP
 997      OBJECTS {
 998          ipsAuthIdentName,
 999          ipsAuthIdentNameRowStatus
1000      }
1001      STATUS current
1002      DESCRIPTION
1003          "A collection of objects providing information about
1004          user names within user identities within an authentication
1005          instance."
1006      ::= { ipsAuthGroups 3 }

1008  ipsAuthIdentAddrAttributesGroup OBJECT-GROUP
1009      OBJECTS {
1010          ipsAuthIdentAddrType,
1011          ipsAuthIdentAddrStart,
1012          ipsAuthIdentAddrEnd,
1013          ipsAuthIdentAddrRowStatus
1014      }
1015      STATUS current
1016      DESCRIPTION
1017          "A collection of objects providing information about
1018          address ranges within user identities within an
1019          authentication instance."
1020      ::= { ipsAuthGroups 4 }

1022  ipsAuthIdentCredAttributesGroup OBJECT-GROUP
1023      OBJECTS {
1024          ipsAuthCredAuthMethod,
1025          ipsAuthCredRowStatus
1026      }
1027      STATUS current
1028      DESCRIPTION
1029          "A collection of objects providing information about
1030          credentials within user identities within an authentication
1031          instance."
1032      ::= { ipsAuthGroups 5 }

1034  ipsAuthIdentChapAttrGroup OBJECT-GROUP
1035      OBJECTS {
1036          ipsAuthCredChapUserName,
1037          ipsAuthCredChapPassword,
1038          ipsAuthCredChapRowStatus
1039      }
1040      STATUS current
1041      DESCRIPTION
1042          "A collection of objects providing information about
1043          CHAP credentials within user identities within an
1044          authentication instance."
1045      ::= { ipsAuthGroups 6 }

1047  ipsAuthIdentSrpAttrGroup OBJECT-GROUP
1048      OBJECTS {
1049          ipsAuthCredSrpUserName,
1050          ipsAuthCredSrpPassword,
1051          ipsAuthCredSrpRowStatus
1052      }
1053      STATUS current
1054      DESCRIPTION
1055          "A collection of objects providing information about
1056          SRP credentials within user identities within an
1057          authentication instance."
1058      ::= { ipsAuthGroups 7 }

1060  ipsAuthIdentKerberosAttrGroup OBJECT-GROUP
1061      OBJECTS {
1062          ipsAuthCredKerbPrincipal,
1063          ipsAuthCredKerbRowStatus
1064      }
1065      STATUS current
1066      DESCRIPTION
1067          "A collection of objects providing information about
1068          Kerberos credentials within user identities within an
1069          authentication instance."
1070      ::= { ipsAuthGroups 8 }

1072  ------------------------------------------------------------------------

1074  ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 2 }

1076  ipsAuthComplianceV1 MODULE-COMPLIANCE
1077      STATUS current
1078      DESCRIPTION
1079          "Initial version of compliance statement based on
1080          initial version of MIB.

1082          The Instance and Identity groups are mandatory;
1083          at least one of the other groups (Name, Address,
1084          Credential, Certificate) is also mandatory for
1085          any given implementation."
1086      MODULE -- this module
1087      MANDATORY-GROUPS {
1088          ipsAuthInstanceAttributesGroup,
1089          ipsAuthIdentAttributesGroup
1090      }

1092      -- Conditionally mandatory groups to be included with
1093      -- the mandatory groups when necessary.

1095      GROUP ipsAuthIdentNameAttributesGroup
1096      DESCRIPTION
1097          "This group is mandatory for all implementations
1098          that make use of unique identity names."

1100      GROUP ipsAuthIdentAddrAttributesGroup
1101      DESCRIPTION
1102          "This group is mandatory for all implementations
1103          that use addresses to help authenticate identities."

1105      GROUP ipsAuthIdentCredAttributesGroup
1106      DESCRIPTION
1107          "This group is mandatory for all implementations
1108          that use credentials to help authenticate identities."

1110      GROUP ipsAuthIdentChapAttrGroup
1111      DESCRIPTION
1112          "This group is mandatory for all implementations
1113          that use CHAP to help authenticate identities.

1115          The ipsAuthIdentCredAttributesGroup must be
1116          implemented if this group is implemented."

1118      GROUP ipsAuthIdentSrpAttrGroup
1119      DESCRIPTION
1120          "This group is mandatory for all implementations
1121          that use SRP to help authenticate identities.

1123          The ipsAuthIdentCredAttributesGroup must be
1124          implemented if this group is implemented."

1126      GROUP ipsAuthIdentKerberosAttrGroup
1127      DESCRIPTION
1128          "This group is mandatory for all implementations
1129          that use Kerberos to help authenticate identities.

1131          The ipsAuthIdentCredAttributesGroup must be
1132          implemented if this group is implemented."

1134      ::= { ipsAuthCompliances 1 }

1136  END

1138  8. Security Considerations

1140  SNMPv1 by itself is not a secure environment. Even if the network
1141  itself is secure (for example, by using IPsec), there is no
1142  control as to who on the secure network is allowed to access and
1143  GET/SET (read/change/create/delete) the objects in this MIB.

1145  It is recommended that the implementers consider the security
1146  features as provided by the SNMPv3 framework. Specifically, the use
1147  of the User-based Security Model RFC 2574 [RFC2574] and the View-
1148  based Access Control Model RFC 2575 [RFC2575] is recommended.

1150  It is then a customer/user responsibility to ensure that the SNMP
1151  entity giving access to an instance of this MIB is properly
1152  configured to give access to the objects only to those principals
1153  (users) that have legitimate rights to indeed GET or SET
1154  (change/create/delete) them.

1156  Read access to this MIB provides the ability to find out which names,
1157  addresses, and credentials would be required to access services on
1158  the managed system. If these credentials are easily spoofed
1159  (particularly the name or address), read access to the MIB must be
1160  tightly controlled.

1162  Write access to the MIB provides the ability to set up which
1163  credentials may be used to access services on the managed system, to
1164  remove legitimate credentials (a denial of service), or to remove
1165  individual credentials to weaken the requirements for access of a
1166  particular service. In addition, write access may be used to change
1167  CHAP or SRP passwords to a known value. Write access must always be
1168  tightly controlled.

1170  9. Normative References

1172  [RFC2571] D. Harrington, R. Presuhn, and B. Wijnen, "An Architecture
1173            for Describing SNMP Management Frameworks", RFC 2571, April
1174            1999.

1176  [RFC1155] M. Rose and K. McCloghrie, "Structure and Identification of
1177            Management Information for TCP/IP-based Internets", STD 16,
1178            RFC 1155, May 1990.

1180  [RFC1212] M. Rose and K. McCloghrie, "Concise MIB Definitions", STD
1181            16, RFC 1212, March 1991.

1183  [RFC2578] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M.
1184            Rose, and S. Waldbusser, "Structure of Management
1185            Information Version 2 (SMIv2)", STD 58, RFC 2578, April
1186            1999.

1188  [RFC1215] M. Rose, "A Convention for Defining Traps for use with the
1189            SNMP", RFC 1215, March 1991.

1191  [RFC2579] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M.
1192            Rose, and S. Waldbusser, "Textual Conventions for SMIv2",
1193            STD 58, RFC 2579, April 1999.

1195  [RFC2580] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M.
1196            Rose, and S. Waldbusser, "Conformance Statements for SMIv2",
1197            STD 58, RFC 2580, April 1999.

1199  [RFC1157] J. Case, M. Fedor, M. Schoffstall, and J. Davin, "Simple
1200            Network Management Protocol", STD 15, RFC 1157, May 1990.

1202  [RFC3291] M. Daniele, et al., "Textual Conventions for Internet
1203            Network Addresses", RFC 3291, May 2002.

1205  [IANA-AF] IANA, "IANA Address Family Numbers MIB",
1206            http://www.iana.org/assignments/ianaaddressfamilynumbers-mib

1208  [RFC1213] K. McCloghrie, M. Rose, "Management Information Base for
1209            Network Management of TCP/IP-based internets: MIB-II", March
1210            1991.

1212  [RFC2011] K. McCloghrie, "SNMPv2 Management Information Base for the
1213            Internet Protocol using SMIv2", November 1996.

1215  [RFC2465] D. Haskin, S. Onishi, "Management Information Base for IP
1216            Version 6: Textual Conventions and General Group", December
1217            1998.

1219  10. Informative References

1221  [RFC1901] J. Case, K. McCloghrie, M. Rose, and S. Waldbusser,
1222            "Introduction to Community-based SNMPv2", RFC 1901, January
1223            1996.

1225  [RFC1906] J. Case, K. McCloghrie, M. Rose, and S. Waldbusser,
1226            "Transport Mappings for Version 2 of the Simple Network
1227            Management Protocol (SNMPv2)", RFC 1906, January 1996.

1229  [RFC2572] J. Case, D. Harrington, R. Presuhn, and B. Wijnen, "Message
1230            Processing and Dispatching for the Simple Network Management
1231            Protocol (SNMP)", RFC 2572, April 1999.

1233  [RFC2574] U. Blumenthal, and B. Wijnen, "User-based Security Model
1234            (USM) for version 3 of the Simple Network Management
1235            Protocol (SNMPv3)", RFC 2574, April 1999.

1237  [RFC1905] J. Case, K. McCloghrie, M. Rose, and S. Waldbusser,
1238            "Protocol Operations for Version 2 of the Simple Network
1239            Management Protocol (SNMPv2)", RFC 1905, January 1996.

1241  [RFC2573] D. Levi, P. Meyer, and B. Stewart, "SNMPv3 Applications",
1242            RFC 2573, April 1999.

1244  [RFC2575] B. Wijnen, R. Presuhn, and K. McCloghrie, "View-based Access
1245            Control Model (VACM) for the Simple Network Management
1246            Protocol (SNMP)", RFC 2575, April 1999.

1248  [RFC2570] J. Case, R. Mundy, D. Partain, and B. Stewart, "Introduction
1249            to Version 3 of the Internet-standard Network Management
1250            Framework", RFC 2570, April 1999.

1252  [RFC2012] K. McCloghrie, "SNMPv2 Management Information Base for the
1253            Transmission Control Protocol using SMIv2", RFC 2012,
1254            November 1996.

1256  [ISCSI]   Satran, J., et al., "iSCSI", draft-ietf-ips-iSCSI-17,
1257            September 2002.

1259  [RFC1737] K. Sollins, L. Masinter, "Functional Requirements for
1260            Uniform Resource Names", December 1994.

1262  [RFC1994] W. Simpson, "PPP Challenge Handshake Authentication Protocol
1263            (CHAP)", August 1996.

1265  [RFC1510] J. Kohl, C. Neuman, "The Kerberos Network Authentication
1266            Service (V5)", September 1993.

1268  [RFC2945] T. Wu, "The SRP Authentication and Key Exchange System",
1269            September 2000.

1271  [FCMGMT]  K. McCloghrie, "Fibre Channel Management MIB", draft-ietf-
1272            ips-fcmgmt-mib-01, February 2002.

1274  [X.509]   ITU-T Recommendation X.509 (1997 E), "Information Technology
1275            - Open Systems Interconnection - The Directory:
1276            Authentication Framework", June 1997.

1278  11. Authors' Addresses

1280  Mark Bakke
1281  Postal: Cisco Systems, Inc
1282  6450 Wedgwood Road, Suite 130
1283  Maple Grove, MN
1284  USA 55311

1286  Tel: +1 763-398-1000
1287  Fax: +1 763-398-1001

1289  E-mail: mbakke@cisco.com

1291  Jim Muchow
1292  Postal: Cisco Systems, Inc
1293  6450 Wedgwood Road, Suite 130
1294  Maple Grove, MN
1295  USA 55311

1297  Tel: +1 763-398-1000
1298  Fax: +1 763-398-1001

1300  E-mail: jmuchow@cisco.com
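
Added example (not part of the draft): the Security Considerations recommend the View-based Access Control Model [RFC2575] to limit who may GET or SET these objects, and the code below applies the VACM view-family matching rule to OIDs built from the credential tables defined in this MIB. IPS_AUTH_OBJECTS is a constructed placeholder for the ipsAuthObjects root, and the two views and all helper names are assumptions made for illustration.

```python
# Added example: VACM view-family matching (RFC 2575 rule) over OIDs built
# from the table definitions in this MIB. Not part of the draft.
from typing import NamedTuple, Sequence, Tuple

Oid = Tuple[int, ...]

# Constructed placeholder for the ipsAuthObjects root; substitute the real OID.
IPS_AUTH_OBJECTS: Oid = (1, 3, 6, 1, 3, 9999, 1)

# Sub-identifiers below the root are taken from the MIB text.
CHAP_ENTRY = IPS_AUTH_OBJECTS + (7, 1, 1)   # ipsAuthCredChapAttributesEntry
SRP_ENTRY = IPS_AUTH_OBJECTS + (8, 1, 1)    # ipsAuthCredSrpAttributesEntry
KERB_ENTRY = IPS_AUTH_OBJECTS + (9, 1, 1)   # ipsAuthCredKerbAttributesEntry
CHAP_PASSWORD = CHAP_ENTRY + (2,)           # ipsAuthCredChapPassword
SRP_PASSWORD = SRP_ENTRY + (2,)             # ipsAuthCredSrpPassword


class Family(NamedTuple):
    """One view-tree family: a subtree, a mask and included/excluded."""
    subtree: Oid
    included: bool
    mask: Sequence[int] = ()  # per sub-identifier: 1 = exact match, 0 = wildcard


def family_matches(fam: Family, oid: Oid) -> bool:
    """An OID belongs to a family if it is at least as long as the subtree and
    agrees with it at every position the mask marks as significant."""
    if len(oid) < len(fam.subtree):
        return False
    for i, sub_id in enumerate(fam.subtree):
        significant = fam.mask[i] if i < len(fam.mask) else 1  # short mask: 1s
        if significant and oid[i] != sub_id:
            return False
    return True


def in_view(view: Sequence[Family], oid: Oid) -> bool:
    """The matching family with the longest subtree decides (ties go to the
    lexicographically greater subtree); an OID that matches none is excluded."""
    hits = [fam for fam in view if family_matches(fam, oid)]
    if not hits:
        return False
    return max(hits, key=lambda fam: (len(fam.subtree), fam.subtree)).included


def instance(column: Oid, inst: int, ident: int, cred: int) -> Oid:
    """Instance OID: column, then the three INDEX values in MIB order."""
    return column + (inst, ident, cred)


# Hypothetical operator write view: credential rows may be managed, but the
# CHAP and SRP password columns cannot be SET.
OPERATOR_WRITE_VIEW = [
    Family(IPS_AUTH_OBJECTS, True),
    Family(CHAP_PASSWORD, False),
    Family(SRP_PASSWORD, False),
]

# Hypothetical per-instance view: every column of the CHAP table, but only rows
# with ipsAuthInstIndex = 1. The column sub-identifier is wildcarded (mask 0).
INSTANCE_1_CHAP_VIEW = [
    Family(CHAP_ENTRY + (0, 1), True, mask=[1] * len(CHAP_ENTRY) + [0, 1]),
]
```

Because an OID that matches no family is excluded, a view that never names the ipsAuth subtree gives no access to it; the excluded password families matter only once a broader subtree has been included.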