Internet Draft                                              Mark Bakke
                                                            Jim Muchow
Expires September 2003                                   Cisco Systems
                                                            March 2003

Definitions of Managed Objects for User Identity Authentication

Status of this Memo

This document is an Internet-Draft and is subject to all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.html.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

Copyright Notice

Copyright (C) The Internet Society (2003).
All Rights Reserved.

Abstract

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP based internets. In particular it defines objects for managing user identities and the names, addresses, and credentials required to authenticate them, for use with various protocols. This draft was motivated by the need for the configuration of authenticated user identities for the iSCSI protocol, but has been extended to be useful for other protocols that have similar requirements. It is important to note that this MIB provides only the set of identities and the means to authenticate them; it is the responsibility of other MIBs making use of this one to tie them to authorization lists.

Acknowledgments

In addition to the authors, several people contributed to the development of this MIB through discussions of authentication, authorization, and access within the iSCSI MIB and security teams, including John Hufferd, Marjorie Krueger, Keith McCloghrie, Tom McSweeney, Steve Senum, and Josh Tseng. Thanks also to Bill Studenmund (Wasabi Systems) for adding the Kerberos method, and to Ayman Ghanem for finding and suggesting changes to several problems found in the MIB.

Thanks especially to Keith McCloghrie for serving as advisor for this MIB.

Table of Contents

1. Introduction
2. The Internet-Standard Management Framework
3. Relationship to Other MIBs
4. Discussion
4.1. Authentication MIB Object Model
4.2. ipsAuthInstance
4.3. ipsAuthIdentity
4.4. ipsAuthIdentityName
4.5. ipsAuthIdentityAddress
4.6. ipsAuthCredential
4.7. IP, Fibre Channel, and Other Addresses
4.8. Descriptors: Using OIDs in Place of Enumerated Types
4.9. Notifications
5. MIB Definitions
6. Security Considerations
7. Normative References
8. Informative References
9. Authors' Addresses
10. IPR Notice
11. Full Copyright Notice

1. Introduction

This MIB will be used to configure and/or look at the configuration of user identities and their authentication information. For the purposes of this MIB, a "user" identity does not need to be an actual person; a user can also be a host, an application, a cluster of hosts, or any other identifiable entity that can be authenticated and granted access to a resource.

Most objects in this MIB have a MAX-ACCESS of read-create; the MIB is intended to allow configuration of user identities and their names, addresses, and credentials. MIN-ACCESS for all objects is read-only for those implementations that configure through other means, but require the ability to monitor user identities.

2. The Internet-Standard Management Framework

For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410].

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580].

3. Relationship to Other MIBs

The identity authentication MIB does not directly address objects within other MIBs. The identity address objects contain IPv4, IPv6, or other address types, and as such may be indirectly related to objects within the IPv4 MIB [RFC1213] [RFC2011] or IPv6 [RFC2465] MIB.

This MIB does not cover authorization. This should generally be done in MIBs that reference identities in this one. It also does not cover login or authentication failure statistics or notifications, as these are all fairly application-specific, and not generic enough to include here.

The user identity objects within this MIB are typically referenced from other MIBs by a RowPointer within that MIB. A MIB containing resources for which it requires a list of authorized user identities may create such a list, with a single RowPointer within each list element pointing to a user identity within this MIB. This is neither required nor restricted by this MIB.

4. Discussion

This MIB structure is intended to allow the configuration of a list of user identities, each with a list of names, addresses, credentials, and certificates which when combined will authenticate that identity.

The authentication MIB is structured around two primary "objects", the authentication instance, and the identity, which serve as containers for the remainder of the objects. This section contains a brief description of the "object" hierarchy and a description of each object, followed by a discussion of the actual SNMP table structure within the objects.

4.1. Authentication MIB Object Model

The top-level object in this structure is the authentication instance, which "contains" all of the other objects. The indexing hierarchy of this MIB looks like:

ipsAuthInstance
    -- A distinct authentication entity within the managed system.
    -- Most implementations will have just one of these.
    ipsAuthIdentity
        -- A user identity, consisting of a set of identity names,
        -- addresses, and credentials reflected in the following
        -- objects, as well as a RowPointer to an ipsAuthCertificate.
        ipsAuthIdentityName
            -- A name for a user identity. A name should be globally
            -- unique, and unchanging over time. Some protocols may
            -- not require this one.
        ipsAuthIdentityAddress
            -- An address range, typically but not necessarily an
            -- IPv4, IPv6, or Fibre Channel address range, at which
            -- the identity is allowed to reside.
        ipsAuthCredential
            -- A single credential, such as a CHAP username/password,
            -- which can authenticate the identity.
            ipsAuthCredChap
                -- CHAP-specific attributes for an ipsAuthCredential
            ipsAuthCredSrp
                -- SRP-specific attributes
            ipsAuthCredKerberos
                -- Kerberos-specific attributes

Each identity contains the information necessary to authenticate a particular end-point that wishes to access a service, such as iSCSI.

An identity can contain multiple names, addresses, and credentials.

4.2. ipsAuthInstance

The ipsAuthInstanceAttributesTable is the primary table of the authentication MIB. Every other table entry in this MIB includes the index of an ipsAuthInstanceAttributesEntry as its primary index. An authentication instance is basically a managed set of identities.

Many implementations will include just one authentication instance row in this table. However, there will be cases where multiple rows in this table may be used:

- A large system may be "partitioned" into multiple, distinct virtual systems, perhaps sharing the SNMP agent but not their lists of identities. Each virtual system would have its own authentication instance.

- A set of stackable systems, each with their own set of identities, may be managed by a common SNMP agent. Each individual system would have its own authentication instance.

- Multiple protocols, each with their own set of identities, may exist within a single system and be managed by a single SNMP agent. In this case, each protocol may have its own authentication instance.

4.3. ipsAuthIdentity

The ipsAuthIdentAttributesTable contains one entry for each configured user identity. The identity contains only a description of what the identity is used for; its attributes are all contained in other tables, since they can have multiple values.

Other MIBs containing lists of users authorized to access a particular resource should generally contain a RowPointer to the ipsAuthIdentAttributesEntry which will, if authenticated, be allowed access.

All other table entries make use of the indices to this table as their primary indices.

4.4. ipsAuthIdentityName

The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names, each of which belongs to, and may be used to identify, a particular identity in the authIdentity table.

Implementations making use of the authentication MIB may identify their resources by names, addresses, or both. A name is typically a unique (within the required scope), unchanging identifier for a resource. It will normally meet some or all of the requirements for a Uniform Resource Name [RFC1737], although a name in the context of this MIB does not need to be a URN.
Identifiers that typically change over time should generally be placed into the ipsAuthIdentityAddress table; names that have no uniqueness properties should usually be placed into the description attribute for the identity.

An example of an identity name is the iSCSI Name, defined in [ISCSI].

If this table contains no entries associated with a particular user identity, the implementation does not need to check any name parameters when authenticating that identity. If the table contains multiple entries associated with a particular user identity, the implementation should consider a match with any one of these entries to be valid.

4.5. ipsAuthIdentityAddress

The ipsAuthIdentAddrAttributesTable contains a list of addresses at which the identity may be authenticated. For example, an identity may be allowed access to a resource only from a certain IP address, or only if its address is in a certain range or set of ranges.

Each entry contains a starting and ending address. If a single address is desired in the list, both starting and ending addresses must be identical.

Each entry contains an AddrType attribute. This attribute contains an enumeration registered as an IANA Address Family type [IANA-AF]. Although many implementations will use IPv4 or IPv6 address types for these entries, any IANA-registered type may be used, as long as it makes sense to the application.

Matching any address within any range within the list associated with a particular identity is considered to be a valid match. If no entries are present in this list for a given identity, its address is not checked during authentication.

Netmasks are not supported, since an address range can express the same thing with more flexibility. An application specifying addresses using network masks may do so, and convert to and from address ranges when reading or writing this MIB.
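The matching rules of sections 4.4 and 4.5 (no rows means the attribute is not checked; otherwise any one matching row suffices; netmasks are expressed as start/end ranges) are easy to get subtly wrong, so the following added example, which is not part of the draft and not the authors' code, shows them as an agent-side check over rows modelled on the ipsAuthIdentName and ipsAuthIdentAddr tables. The address-family values (1, 2, 22, 23) are taken from the IANA registry the MIB imports; the octet-string encodings (4- or 16-octet InetAddress, 8-octet World Wide Name), the dataclasses, the function names and the sample identity are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# IANA Address Family Numbers as used by ipsAuthIdentAddrType:
# ipv4 = 1, ipv6 = 2, fibreChannelWWPN = 22, fibreChannelWWNN = 23.
AF_IPV4, AF_IPV6, AF_FC_WWPN, AF_FC_WWNN = 1, 2, 22, 23


@dataclass
class AddrRange:
    """One ipsAuthIdentAddrAttributesEntry row: family plus start/end octets."""
    addr_type: int
    start: bytes
    end: bytes


@dataclass
class Identity:
    """One ipsAuthIdentAttributesEntry with its dependent name/address rows."""
    description: str
    names: list = field(default_factory=list)      # ipsAuthIdentName values
    addresses: list = field(default_factory=list)  # AddrRange rows


def encode_address(addr_type, text):
    """Encode a textual address as an IpsAuthAddress octet string.
    Assumed encodings: InetAddress (4 or 16 octets) for IPv4/IPv6 and an
    8-octet WWN for the Fibre Channel families."""
    if addr_type in (AF_IPV4, AF_IPV6):
        packed = ipaddress.ip_address(text).packed
        if len(packed) != (4 if addr_type == AF_IPV4 else 16):
            raise ValueError("address does not match the given address family")
        return packed
    if addr_type in (AF_FC_WWPN, AF_FC_WWNN):
        raw = bytes.fromhex(text.replace(":", ""))
        if len(raw) != 8:
            raise ValueError("Fibre Channel WWN must be 8 octets")
        return raw
    raise ValueError("unsupported address family %d" % addr_type)


def cidr_to_range(cidr):
    """The MIB carries start/end pairs, not netmasks: turn a CIDR prefix
    into one AddrRange row before writing it (section 4.5)."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr_type = AF_IPV4 if net.version == 4 else AF_IPV6
    return AddrRange(addr_type, net[0].packed, net[-1].packed)


def range_to_cidr(rng):
    """Inverse conversion when reading the MIB; None when the start/end
    pair is not exactly one prefix."""
    if rng.addr_type not in (AF_IPV4, AF_IPV6):
        return None
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(rng.start), ipaddress.ip_address(rng.end)))
    return str(nets[0]) if len(nets) == 1 else None


def name_permitted(identity, name):
    """Section 4.4: no name rows -> names are not checked; otherwise any
    one matching row is sufficient."""
    if not identity.names:
        return True
    return name in identity.names


def address_permitted(identity, addr_type, addr):
    """Section 4.5: no address rows -> address is not checked; otherwise the
    address must lie inside at least one range of the same family.  Equal-
    length octet strings compare like unsigned big-endian integers, so the
    bytes comparison is a numeric range test."""
    if not identity.addresses:
        return True
    return any(
        r.addr_type == addr_type
        and len(r.start) == len(addr) == len(r.end)
        and r.start <= addr <= r.end
        for r in identity.addresses
    )


def endpoint_permitted(identity, name, addr_type, addr):
    """Combined name and address check for one identity."""
    return name_permitted(identity, name) and address_permitted(identity, addr_type, addr)


# Constructed sample identity (not from the draft): one iSCSI-style name,
# one /24 from the documentation range, and one single-host entry whose
# start and end are identical as section 4.5 requires.
SAMPLE = Identity(
    description="constructed example host",
    names=["iqn.2003-03.com.example:host1"],
    addresses=[
        cidr_to_range("192.0.2.0/24"),
        AddrRange(AF_IPV4, encode_address(AF_IPV4, "198.51.100.7"),
                  encode_address(AF_IPV4, "198.51.100.7")),
    ],
)

if __name__ == "__main__":
    print(endpoint_permitted(SAMPLE, "iqn.2003-03.com.example:host1",
                             AF_IPV4, encode_address(AF_IPV4, "192.0.2.200")))
```

The family check comes before the byte comparison on purpose: an IPv6 address can never satisfy an IPv4 range row even if its octets happen to sort inside it, and an identity with no address rows is accepted from anywhere, which is exactly the "not checked" behaviour the text describes and worth remembering when auditing a configuration.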
4.6. ipsAuthCredential

The ipsAuthCredentialAttributesTable contains a list of credentials, each of which may authenticate a particular identity.

Each credential contains an authentication method to be used, such as CHAP [RFC1994], SRP [RFC2945], or Kerberos [RFC1510]. This attribute contains an object identifier instead of an enumerated type, allowing other MIBs to add their own authentication methods, without modifying this MIB.

For each entry in this table, there will exist an entry in another table containing its attributes. The table in which to place the entry depends on the AuthMethod attribute:

CHAP      If the AuthMethod is set to the CHAP OID, an entry using the same indices as the ipsAuthCredential will exist in the ipsAuthCredChap table, which contains the CHAP username.

SRP       If the AuthMethod is set to the SRP OID, an entry using the same indices as the ipsAuthCredential will exist in the ipsAuthCredSrp table, which contains the SRP username.

Kerberos  If the AuthMethod is set to the Kerberos OID, an entry using the same indices as the ipsAuthCredential will exist in the ipsAuthCredKerberos table, which contains the Kerberos principal.

Other     If the AuthMethod is set to any OID not defined in this MIB, an entry using the same indices as the ipsAuthCredential entry should be placed in the other MIB that defines whatever attributes are needed for that type of credential.

4.7. IP, Fibre Channel, and Other Addresses

The IP addresses in this MIB are represented by two attributes, one of type AddressFamilyNumbers, and the other of type AuthAddress. Each address can take on any of the types within the list of address family numbers; the most likely being IPv4, IPv6, or one of the Fibre Channel address types.

The type AuthAddress is an octet string.
If the address family is IPv4 or IPv6, the format is taken from the InetAddress specified in [RFC3291]. If the address family is one of the Fibre Channel types, the format is identical to the FcNameIdOrZero type defined in [FCMGMT].

4.8. Descriptors: Using OIDs in Place of Enumerated Types

Some attributes, particularly the authentication method attribute, would normally require an enumerated type. However, implementations will likely need to add new authentication method types of their own, without extending this MIB. To make this work, the MIB defines a set of object identities within ipsAuthDescriptors. Each of these object identities is basically an enumerated type.

Attributes that make use of these object identities have a value which is an OID instead of an enumerated type. These OIDs can either indicate the object identities defined in this MIB, or object identities defined elsewhere, such as in an enterprise MIB. Those implementations that add their own authentication methods should also define a corresponding object identity for each of these methods within their own enterprise MIB, and return its OID whenever one of these attributes is using that method.

4.9. Notifications

Monitoring of authentication failures and other notification events is outside the scope of this MIB, as they are generally application-specific. No notifications are provided or required.

5. MIB Definitions

IPS-AUTH-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32,
    experimental
        FROM SNMPv2-SMI

    TEXTUAL-CONVENTION, RowStatus, AutonomousType
        FROM SNMPv2-TC

    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF

    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB    -- RFC 2571

    AddressFamilyNumbers
        FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB
    ;

ipsAuthModule MODULE-IDENTITY
    LAST-UPDATED "200211010000Z"    -- November 1, 2002
    ORGANIZATION "IETF IPS Working Group"
    CONTACT-INFO
        "
        Mark Bakke
        Postal: Cisco Systems, Inc
        6450 Wedgwood Road, Suite 130
        Maple Grove, MN
        USA 55311

        Tel: +1 763-398-1000
        Fax: +1 763-398-1001

        E-mail: mbakke@cisco.com

        Jim Muchow
        Postal: Cisco Systems, Inc
        6450 Wedgwood Road, Suite 130
        Maple Grove, MN
        USA 55311

        Tel: +1 763-398-1000
        Fax: +1 763-398-1001
        E-mail: jmuchow@cisco.com"

    DESCRIPTION
        "The IP Storage Authentication MIB module."
    REVISION "200211010000Z"    -- November 1, 2002
    DESCRIPTION
        "Initial revision published as RFC xxxx."

    --::= { mib-2 xx }
    -- in case you want to COMPILE
    ::= { experimental 99999 }

ipsAuthObjects       OBJECT IDENTIFIER ::= { ipsAuthModule 1 }
ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthModule 2 }
ipsAuthConformance   OBJECT IDENTIFIER ::= { ipsAuthModule 3 }

-- Textual Conventions

IpsAuthAddress ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "IP Storage requires the use of address information
        that uses not only the InetAddress type defined in the
        INET-ADDRESS-MIB, but also the Fibre Channel type defined
        in the Fibre Channel Management MIB. Although these
        address types are recognized in the IANA Address Family
        Numbers MIB, the addressing mechanisms have not been
        merged into a well-known, common type. This data type,
        the IpsAuthAddress, performs this function for this MIB."
426 REFERENCE 427 "IANA-ADDRESS-FAMILY-NUMBERS-MIB; 428 INET-ADDRESS-MIB (RFC 2851); 429 Fibre Channel Management MIB (presently defined in 430 draft-ietf-ips-fcmgmt-mib-01.txt)." 431 SYNTAX OCTET STRING (SIZE(0..255)) 433 ------------------------------------------------------------------------ 435 ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 } 437 ipsAuthMethodTypes OBJECT IDENTIFIER ::= { ipsAuthDescriptors 1 } 439 ipsAuthMethodNone OBJECT-IDENTITY 440 STATUS current 441 DESCRIPTION 442 "The authoritative identifier when no authentication 443 method is used." 444 REFERENCE "iSCSI Protocol Specification." 446 ::= { ipsAuthMethodTypes 1 } 448 ipsAuthMethodSrp OBJECT-IDENTITY 449 STATUS current 450 DESCRIPTION 451 "The authoritative identifier when the authentication 452 method is SRP." 453 REFERENCE "iSCSI Protocol Specification." 454 ::= { ipsAuthMethodTypes 2 } 456 ipsAuthMethodChap OBJECT-IDENTITY 457 STATUS current 458 DESCRIPTION 459 "The authoritative identifier when the authentication 460 method is CHAP." 461 REFERENCE "iSCSI Protocol Specification." 462 ::= { ipsAuthMethodTypes 3 } 464 ipsAuthMethodKerberos OBJECT-IDENTITY 465 STATUS current 466 DESCRIPTION 467 "The authoritative identifier when the authentication 468 method is Kerberos." 469 REFERENCE "iSCSI Protocol Specification." 470 ::= { ipsAuthMethodTypes 4 } 472 ---------------------------------------------------------------------- 474 ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 } 476 -- Instance Attributes Table 478 ipsAuthInstanceAttributesTable OBJECT-TYPE 479 SYNTAX SEQUENCE OF IpsAuthInstanceAttributesEntry 480 MAX-ACCESS not-accessible 481 STATUS current 482 DESCRIPTION 483 "A list of Authentication instances present on the system." 
484 ::= { ipsAuthInstance 2 } 486 ipsAuthInstanceAttributesEntry OBJECT-TYPE 487 SYNTAX IpsAuthInstanceAttributesEntry 488 MAX-ACCESS not-accessible 489 STATUS current 490 DESCRIPTION 491 "An entry (row) containing management information 492 applicable to a particular Authentication instance." 493 INDEX { ipsAuthInstIndex } 495 ::= { ipsAuthInstanceAttributesTable 1 } 497 IpsAuthInstanceAttributesEntry ::= SEQUENCE { 498 ipsAuthInstIndex Unsigned32, 499 ipsAuthInstDescr SnmpAdminString 500 } 502 ipsAuthInstIndex OBJECT-TYPE 503 SYNTAX Unsigned32 (1..4294967295) 504 MAX-ACCESS not-accessible 505 STATUS current 506 DESCRIPTION 507 "An arbitrary integer used to uniquely identify a 508 particular authentication instance." 509 ::= { ipsAuthInstanceAttributesEntry 1 } 511 ipsAuthInstDescr OBJECT-TYPE 512 SYNTAX SnmpAdminString 513 MAX-ACCESS read-write 514 STATUS current 515 DESCRIPTION 516 "An octet string, determined by the implementation to 517 describe the authentication instance. When only a single 518 instance is present, this object may be set to the 519 zero-length string; with multiple authentication 520 instances, it may be used in an implementation-dependent 521 manner to describe the purpose of the respective instance." 522 ::= { ipsAuthInstanceAttributesEntry 2 } 524 ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 } 526 -- User Identity Attributes Table 528 ipsAuthIdentAttributesTable OBJECT-TYPE 529 SYNTAX SEQUENCE OF IpsAuthIdentAttributesEntry 530 MAX-ACCESS not-accessible 531 STATUS current 532 DESCRIPTION 533 "A list of user identities, each belonging to a 534 particular ipsAuthInstance." 535 ::= { ipsAuthIdentity 1 } 537 ipsAuthIdentAttributesEntry OBJECT-TYPE 538 SYNTAX IpsAuthIdentAttributesEntry 539 MAX-ACCESS not-accessible 540 STATUS current 541 DESCRIPTION 542 "An entry (row) containing management information 543 describing a user identity within an authentication 544 instance on this node." 
545 INDEX { ipsAuthInstIndex, ipsAuthIdentIndex } 546 ::= { ipsAuthIdentAttributesTable 1 } 548 IpsAuthIdentAttributesEntry ::= SEQUENCE { 549 ipsAuthIdentIndex Unsigned32, 550 ipsAuthIdentDescription SnmpAdminString, 551 ipsAuthIdentRowStatus RowStatus 552 } 554 ipsAuthIdentIndex OBJECT-TYPE 555 SYNTAX Unsigned32 (1..4294967295) 556 MAX-ACCESS not-accessible 557 STATUS current 558 DESCRIPTION 559 "An arbitrary integer used to uniquely identify a 560 particular identity instance within an authentication 561 instance present on the node." 562 ::= { ipsAuthIdentAttributesEntry 1 } 564 ipsAuthIdentDescription OBJECT-TYPE 565 SYNTAX SnmpAdminString 566 MAX-ACCESS read-create 567 STATUS current 568 DESCRIPTION 569 "An octet string describing this particular identity." 570 ::= { ipsAuthIdentAttributesEntry 2 } 572 ipsAuthIdentRowStatus OBJECT-TYPE 573 SYNTAX RowStatus 574 MAX-ACCESS read-create 575 STATUS current 576 DESCRIPTION 577 "This field allows entries to be dynamically added and 578 removed from this table via SNMP." 579 ::= { ipsAuthIdentAttributesEntry 3 } 581 ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 } 583 -- User Initiator Name Attributes Table 585 ipsAuthIdentNameAttributesTable OBJECT-TYPE 586 SYNTAX SEQUENCE OF IpsAuthIdentNameAttributesEntry 587 MAX-ACCESS not-accessible 588 STATUS current 589 DESCRIPTION 590 "A list of unique names that can be used to positively 591 identify a particular user identity." 592 ::= { ipsAuthIdentityName 1 } 594 ipsAuthIdentNameAttributesEntry OBJECT-TYPE 595 SYNTAX IpsAuthIdentNameAttributesEntry 596 MAX-ACCESS not-accessible 597 STATUS current 598 DESCRIPTION 599 "An entry (row) containing management information 600 applicable to a unique identity name which can be used 601 to identify a user identity within a particular 602 authentication instance." 
603 INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, 604 ipsAuthIdentNameIndex } 605 ::= { ipsAuthIdentNameAttributesTable 1 } 607 IpsAuthIdentNameAttributesEntry ::= SEQUENCE { 608 ipsAuthIdentNameIndex Unsigned32, 609 ipsAuthIdentName SnmpAdminString, 610 ipsAuthIdentNameRowStatus RowStatus 611 } 613 ipsAuthIdentNameIndex OBJECT-TYPE 614 SYNTAX Unsigned32 (1..4294967295) 615 MAX-ACCESS not-accessible 616 STATUS current 617 DESCRIPTION 618 "An arbitrary integer used to uniquely identify a 619 particular identity name instance within an 620 ipsAuthIdentity within an authentication instance." 621 ::= { ipsAuthIdentNameAttributesEntry 1 } 623 ipsAuthIdentName OBJECT-TYPE 624 SYNTAX SnmpAdminString 625 MAX-ACCESS read-create 626 STATUS current 627 DESCRIPTION 628 "A character string which is the unique name of an 629 identity that may be used to identify this ipsAuthIdent 630 entry." 631 ::= { ipsAuthIdentNameAttributesEntry 2 } 633 ipsAuthIdentNameRowStatus OBJECT-TYPE 634 SYNTAX RowStatus 635 MAX-ACCESS read-create 636 STATUS current 637 DESCRIPTION 638 "This field allows entries to be dynamically added and 639 removed from this table via SNMP." 640 ::= { ipsAuthIdentNameAttributesEntry 3 } 642 ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 } 644 -- User Initiator Address Attributes Table 646 ipsAuthIdentAddrAttributesTable OBJECT-TYPE 647 SYNTAX SEQUENCE OF IpsAuthIdentAddrAttributesEntry 648 MAX-ACCESS not-accessible 649 STATUS current 650 DESCRIPTION 651 "A list of address ranges that are allowed to serve 652 as the endpoint addresses of a particular identity. 653 An address range includes a starting and ending address 654 and an optional netmask, and an address type indicator, 655 which can specify whether the address is IPv4, IPv6, 656 FC-WWPN, or FC-WWNN." 
657 ::= { ipsAuthIdentityAddress 1 } 659 ipsAuthIdentAddrAttributesEntry OBJECT-TYPE 660 SYNTAX IpsAuthIdentAddrAttributesEntry 661 MAX-ACCESS not-accessible 662 STATUS current 663 DESCRIPTION 664 "An entry (row) containing management information 665 applicable to an address range which is used as part 666 of the authentication of an identity 667 within an authentication instance on this node." 668 INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, 669 ipsAuthIdentAddrIndex } 670 ::= { ipsAuthIdentAddrAttributesTable 1 } 672 IpsAuthIdentAddrAttributesEntry ::= SEQUENCE { 673 ipsAuthIdentAddrIndex Unsigned32, 674 ipsAuthIdentAddrType AddressFamilyNumbers, 675 ipsAuthIdentAddrStart IpsAuthAddress, 676 ipsAuthIdentAddrEnd IpsAuthAddress, 677 ipsAuthIdentAddrRowStatus RowStatus 678 } 680 ipsAuthIdentAddrIndex OBJECT-TYPE 681 SYNTAX Unsigned32 (1..4294967295) 682 MAX-ACCESS not-accessible 683 STATUS current 684 DESCRIPTION 685 "An arbitrary integer used to uniquely identify a 686 particular ipsAuthIdentAddress instance within an 687 ipsAuthIdentity within an authentication instance 688 present on the node." 689 ::= { ipsAuthIdentAddrAttributesEntry 1 } 691 ipsAuthIdentAddrType OBJECT-TYPE 692 SYNTAX AddressFamilyNumbers 693 MAX-ACCESS read-create 694 STATUS current 695 DESCRIPTION 696 "The type of Address in the ipsAuthIdentAddress 697 start, end, and mask fields. This type is taken 698 from the IANA address family types; more types may 699 be registered independently of this MIB." 700 ::= { ipsAuthIdentAddrAttributesEntry 2 } 702 ipsAuthIdentAddrStart OBJECT-TYPE 703 SYNTAX IpsAuthAddress 704 MAX-ACCESS read-create 705 STATUS current 706 DESCRIPTION 707 "The starting address of the allowed address range." 708 ::= { ipsAuthIdentAddrAttributesEntry 3 } 710 ipsAuthIdentAddrEnd OBJECT-TYPE 711 SYNTAX IpsAuthAddress 712 MAX-ACCESS read-create 713 STATUS current 714 DESCRIPTION 715 "The ending address of the allowed address range. 
716 If the ipsAuthIdentAddrEntry specifies a single 717 address, this shall match the ipsAuthIdentAddrStart." 718 ::= { ipsAuthIdentAddrAttributesEntry 4 } 720 ipsAuthIdentAddrRowStatus OBJECT-TYPE 721 SYNTAX RowStatus 722 MAX-ACCESS read-create 723 STATUS current 724 DESCRIPTION 725 "This field allows entries to be dynamically added and 726 removed from this table via SNMP." 727 ::= { ipsAuthIdentAddrAttributesEntry 5 } 729 ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 } 731 -- Credential Attributes Table 733 ipsAuthCredentialAttributesTable OBJECT-TYPE 734 SYNTAX SEQUENCE OF IpsAuthCredentialAttributesEntry 735 MAX-ACCESS not-accessible 736 STATUS current 737 DESCRIPTION 738 "A list of credentials related to user identities 739 that are allowed as valid authenticators of the 740 particular identity." 741 ::= { ipsAuthCredential 1 } 743 ipsAuthCredentialAttributesEntry OBJECT-TYPE 744 SYNTAX IpsAuthCredentialAttributesEntry 745 MAX-ACCESS not-accessible 746 STATUS current 747 DESCRIPTION 748 "An entry (row) containing management information 749 applicable to a credential which authenticates a user 750 identity within an authentication instance." 751 INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex } 752 ::= { ipsAuthCredentialAttributesTable 1 } 754 IpsAuthCredentialAttributesEntry ::= SEQUENCE { 755 ipsAuthCredIndex Unsigned32, 756 ipsAuthCredAuthMethod AutonomousType, 757 ipsAuthCredRowStatus RowStatus 758 } 760 ipsAuthCredIndex OBJECT-TYPE 761 SYNTAX Unsigned32 (1..4294967295) 762 MAX-ACCESS not-accessible 763 STATUS current 764 DESCRIPTION 765 "An arbitrary integer used to uniquely identify a 766 particular Credential instance within an instance 767 present on the node." 
    ::= { ipsAuthCredentialAttributesEntry 1 }

ipsAuthCredAuthMethod OBJECT-TYPE
    SYNTAX          AutonomousType
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This object contains an OBJECT IDENTIFIER
        which identifies the authentication method
        used with this credential.

        Some standardized values for this object are defined
        within the ipsAuthMethods subtree."
    ::= { ipsAuthCredentialAttributesEntry 2 }

ipsAuthCredRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredentialAttributesEntry 3 }

ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 7 }

-- Credential Chap-Specific Attributes Table

ipsAuthCredChapAttributesTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF IpsAuthCredChapAttributesEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A list of CHAP attributes for credentials that
        use ipsAuthMethodChap as their ipsAuthCredAuthMethod."
    ::= { ipsAuthCredChap 1 }

ipsAuthCredChapAttributesEntry OBJECT-TYPE
    SYNTAX          IpsAuthCredChapAttributesEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodChap as its ipsAuthCredAuthMethod."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredChapAttributesTable 1 }

IpsAuthCredChapAttributesEntry ::= SEQUENCE {
    ipsAuthCredChapUserName     SnmpAdminString,
    ipsAuthCredChapPassword     SnmpAdminString,
    ipsAuthCredChapRowStatus    RowStatus
}

ipsAuthCredChapUserName OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "An octet string containing the CHAP user name for this
        credential."
    ::= { ipsAuthCredChapAttributesEntry 1 }

ipsAuthCredChapPassword OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "An octet string containing the password for this
        credential. If written, it changes the password for
        the credential. If read, it returns a zero-length
        string."
    ::= { ipsAuthCredChapAttributesEntry 2 }

ipsAuthCredChapRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredChapAttributesEntry 3 }

ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 8 }

-- Credential Srp-Specific Attributes Table

ipsAuthCredSrpAttributesTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF IpsAuthCredSrpAttributesEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A list of SRP attributes for credentials that
        use ipsAuthMethodSrp as their ipsAuthCredAuthMethod."
    ::= { ipsAuthCredSrp 1 }

ipsAuthCredSrpAttributesEntry OBJECT-TYPE
    SYNTAX          IpsAuthCredSrpAttributesEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodSrp as its ipsAuthCredAuthMethod."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredSrpAttributesTable 1 }

IpsAuthCredSrpAttributesEntry ::= SEQUENCE {
    ipsAuthCredSrpUserName      SnmpAdminString,
    ipsAuthCredSrpPassword      SnmpAdminString,
    ipsAuthCredSrpRowStatus     RowStatus
}

ipsAuthCredSrpUserName OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "An octet string containing the SRP user name for this
        credential."
    ::= { ipsAuthCredSrpAttributesEntry 1 }

ipsAuthCredSrpPassword OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "An octet string containing the password for this
        credential. If written, it changes the password for
        the credential. If read, it returns a zero-length
        string."
    ::= { ipsAuthCredSrpAttributesEntry 2 }

ipsAuthCredSrpRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredSrpAttributesEntry 3 }

ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 9 }

-- Credential Kerberos-Specific Attributes Table

ipsAuthCredKerbAttributesTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF IpsAuthCredKerbAttributesEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A list of Kerberos attributes for credentials that
        use ipsAuthMethodKerberos as their ipsAuthCredAuthMethod."
    ::= { ipsAuthCredKerberos 1 }

ipsAuthCredKerbAttributesEntry OBJECT-TYPE
    SYNTAX          IpsAuthCredKerbAttributesEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodKerberos as its ipsAuthCredAuthMethod."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredKerbAttributesTable 1 }

IpsAuthCredKerbAttributesEntry ::= SEQUENCE {
    ipsAuthCredKerbPrincipal    SnmpAdminString,
    ipsAuthCredKerbRowStatus    RowStatus
}

ipsAuthCredKerbPrincipal OBJECT-TYPE
    SYNTAX          SnmpAdminString
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "An octet string containing a Kerberos principal
        for this credential."
    ::= { ipsAuthCredKerbAttributesEntry 1 }

ipsAuthCredKerbRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredKerbAttributesEntry 2 }

------------------------------------------------------------------------
-- Notifications

-- There are no notifications necessary in this MIB.

------------------------------------------------------------------------
-- Conformance Statements

ipsAuthGroups OBJECT IDENTIFIER ::= { ipsAuthConformance 1 }

ipsAuthInstanceAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthInstDescr
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        authentication instances."
    ::= { ipsAuthGroups 1 }

ipsAuthIdentAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentDescription,
        ipsAuthIdentRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        user identities within an authentication instance."
    ::= { ipsAuthGroups 2 }

ipsAuthIdentNameAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentName,
        ipsAuthIdentNameRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        user names within user identities within an authentication
        instance."
    ::= { ipsAuthGroups 3 }

ipsAuthIdentAddrAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentAddrType,
        ipsAuthIdentAddrStart,
        ipsAuthIdentAddrEnd,
        ipsAuthIdentAddrRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        address ranges within user identities within an
        authentication instance."
    ::= { ipsAuthGroups 4 }

ipsAuthIdentCredAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredAuthMethod,
        ipsAuthCredRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        credentials within user identities within an authentication
        instance."
    ::= { ipsAuthGroups 5 }

ipsAuthIdentChapAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredChapUserName,
        ipsAuthCredChapPassword,
        ipsAuthCredChapRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        CHAP credentials within user identities within an
        authentication instance."
    ::= { ipsAuthGroups 6 }

ipsAuthIdentSrpAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredSrpUserName,
        ipsAuthCredSrpPassword,
        ipsAuthCredSrpRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        SRP credentials within user identities within an
        authentication instance."
    ::= { ipsAuthGroups 7 }

ipsAuthIdentKerberosAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredKerbPrincipal,
        ipsAuthCredKerbRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        Kerberos credentials within user identities within an
        authentication instance."
    ::= { ipsAuthGroups 8 }

------------------------------------------------------------------------

ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 2 }

ipsAuthComplianceV1 MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Initial version of compliance statement based on
        initial version of MIB.

        The Instance and Identity groups are mandatory;
        at least one of the other groups (Name, Address,
        Credential) is also mandatory for any given
        implementation. The CHAP, SRP and Kerberos groups
        are conditionally mandatory and each requires the
        Credential group."
    MODULE -- this module
    MANDATORY-GROUPS {
        ipsAuthInstanceAttributesGroup,
        ipsAuthIdentAttributesGroup
    }

    -- Conditionally mandatory groups to be included with
    -- the mandatory groups when necessary.

    GROUP ipsAuthIdentNameAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that make use of unique identity names."

    GROUP ipsAuthIdentAddrAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use addresses to help authenticate identities."

    GROUP ipsAuthIdentCredAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use credentials to help authenticate identities."

    GROUP ipsAuthIdentChapAttrGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use CHAP to help authenticate identities.

        The ipsAuthIdentCredAttributesGroup must be
        implemented if this group is implemented."

    GROUP ipsAuthIdentSrpAttrGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use SRP to help authenticate identities.

        The ipsAuthIdentCredAttributesGroup must be
        implemented if this group is implemented."

    GROUP ipsAuthIdentKerberosAttrGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use Kerberos to help authenticate identities.

        The ipsAuthIdentCredAttributesGroup must be
        implemented if this group is implemented."

    OBJECT ipsAuthInstDescr
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentDescription
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."
    OBJECT ipsAuthIdentRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthIdentName
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentNameRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthIdentAddrType
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentAddrStart
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentAddrEnd
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentAddrRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredAuthMethod
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredChapUserName
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."
    OBJECT ipsAuthCredChapPassword
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredChapRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredSrpUserName
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredSrpPassword
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredSrpRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredKerbPrincipal
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredKerbRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    ::= { ipsAuthCompliances 1 }

END

6. Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create. Such
   objects may be considered sensitive or vulnerable in some network
   environments. The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.
   These are the tables and objects and their sensitivity/vulnerability:

      All tables provide the ability to set up which credentials may be
      used to access services on the managed system, to remove
      legitimate credentials (a denial of service), or to remove
      individual credentials to weaken the requirements for access of a
      particular service. In addition, write access may be used to
      change CHAP or SRP passwords to a known value. Write access must
      always be tightly controlled.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments. It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP. These are the tables and objects and their
   sensitivity/vulnerability:

      All tables provide the ability to find out which names, addresses,
      and credentials would be required to access services on the
      managed system. If these credentials are easily spoofed
      (particularly the name or address), read access to the MIB must be
      tightly controlled. Note that ipsAuthCredChapPassword and
      ipsAuthCredSrpPassword return a zero-length string when read, so a
      GET exposes user names, Kerberos principals and address ranges but
      not the passwords themselves; the passwords are exposed only to
      overwriting via SET.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   It is RECOMMENDED that implementors consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.
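   The write-access and read-access risks listed above can be checked
   against a copy of the tables pulled from an agent. The audit below is
   an added example, not code from this draft or from any implementation
   of it. It models each table as a dict keyed by the MIB's own index
   tuples (ipsAuthInstIndex, ipsAuthIdentIndex, ...), uses constructed
   sample rows in place of a real SNMP walk, and assumes the IANA
   AddressFamilyNumbers values ipV4 = 1 and ipV6 = 2 and RowStatus
   active = 1. It flags identities that would be accepted on a name or
   address range alone (the spoofable case), CHAP or SRP password
   objects that come back non-empty on GET (an agent must return a
   zero-length string), and it implements the inclusive start..end range
   test the address table describes, including the single-address row
   where ipsAuthIdentAddrEnd equals ipsAuthIdentAddrStart.

```python
"""Offline audit of IPS-AUTH-MIB table rows for the Section 6 risks.

Added example, not code from the draft. Table rows are dicts keyed by the
MIB's index tuples; the sample rows at the bottom are constructed and stand
in for an SNMP walk. AddressFamilyNumbers: ipV4 = 1, ipV6 = 2 (IANA);
RowStatus active = 1. Both are assumptions of this example.
"""
import ipaddress

IPV4, IPV6 = 1, 2   # IANA AddressFamilyNumbers ipV4(1), ipV6(2)
ACTIVE = 1          # RowStatus active(1)


def decode_address(addr_type, octets):
    """Turn an IpsAuthAddress octet string into an ipaddress object."""
    if addr_type == IPV4 and len(octets) == 4:
        return ipaddress.IPv4Address(bytes(octets))
    if addr_type == IPV6 and len(octets) == 16:
        return ipaddress.IPv6Address(bytes(octets))
    raise ValueError(f"unsupported family {addr_type} with {len(octets)} octets")


def address_allowed(addr_row, candidate):
    """Inclusive test of candidate against ipsAuthIdentAddrStart..End.

    A single-address row has End == Start, which the inclusive test covers.
    Addresses of a different family than the row never match.
    """
    family = addr_row["ipsAuthIdentAddrType"]
    start = decode_address(family, addr_row["ipsAuthIdentAddrStart"])
    end = decode_address(family, addr_row["ipsAuthIdentAddrEnd"])
    if end < start:
        raise ValueError("ipsAuthIdentAddrEnd precedes ipsAuthIdentAddrStart")
    cand = ipaddress.ip_address(candidate)
    return cand.version == start.version and start <= cand <= end


def audit(identities, addr_rows, cred_rows, chap_rows, srp_rows):
    """Return (identity_index, finding) pairs for the Section 6 risks.

    Only rows whose RowStatus is active(1) are in effect; others are ignored.
    """
    def active(table, status_name):
        return {k: r for k, r in table.items() if r[status_name] == ACTIVE}

    addrs = active(addr_rows, "ipsAuthIdentAddrRowStatus")
    creds = active(cred_rows, "ipsAuthCredRowStatus")
    findings = []
    for ident in identities:                       # ident = (inst, identIdx)
        my_creds = [k for k in creds if k[:2] == ident]
        my_addrs = [k for k in addrs if k[:2] == ident]
        if not my_creds:
            basis = "address range" if my_addrs else "name"
            findings.append((ident, f"identity accepted on {basis} alone, "
                                    "no credential; spoofable"))
        for k in my_creds:
            for table, pw_field, method in (
                    (chap_rows, "ipsAuthCredChapPassword", "CHAP"),
                    (srp_rows, "ipsAuthCredSrpPassword", "SRP")):
                if table.get(k, {}).get(pw_field, b"") != b"":
                    findings.append((ident, f"{method} password came back "
                                            "non-empty on GET; the agent must "
                                            "return a zero-length string"))
    return findings


# Constructed sample: authentication instance 1 with identities 1..3.
IDENTITIES = {(1, 1): "backup-host", (1, 2): "lab-initiator", (1, 3): "retired"}
ADDR_ROWS = {
    (1, 1, 1): {"ipsAuthIdentAddrType": IPV4,                 # 10.0.1.10-10.0.1.20
                "ipsAuthIdentAddrStart": b"\x0a\x00\x01\x0a",
                "ipsAuthIdentAddrEnd": b"\x0a\x00\x01\x14",
                "ipsAuthIdentAddrRowStatus": ACTIVE},
    (1, 2, 1): {"ipsAuthIdentAddrType": IPV4,                 # single address
                "ipsAuthIdentAddrStart": b"\xc0\xa8\x00\x05",
                "ipsAuthIdentAddrEnd": b"\xc0\xa8\x00\x05",
                "ipsAuthIdentAddrRowStatus": ACTIVE},
}
CRED_ROWS = {
    (1, 1, 1): {"ipsAuthCredAuthMethod": "ipsAuthMethodChap",
                "ipsAuthCredRowStatus": ACTIVE},
    (1, 3, 1): {"ipsAuthCredAuthMethod": "ipsAuthMethodSrp",
                "ipsAuthCredRowStatus": 2},                   # notInService(2)
}
CHAP_ROWS = {(1, 1, 1): {"ipsAuthCredChapUserName": b"backup",
                         "ipsAuthCredChapPassword": b"s3cret",   # leaked on GET
                         "ipsAuthCredChapRowStatus": ACTIVE}}
SRP_ROWS = {}

if __name__ == "__main__":
    for ident, text in audit(IDENTITIES, ADDR_ROWS, CRED_ROWS, CHAP_ROWS, SRP_ROWS):
        print(ident, IDENTITIES[ident], "-", text)
    print(address_allowed(ADDR_ROWS[(1, 1, 1)], "10.0.1.15"))
```

   Run against the constructed rows, the audit reports one finding per
   identity: the CHAP row that returns its password on read, the
   identity authenticated by address range only, and the identity whose
   only credential row is notInService and therefore not in effect.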
   Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security. It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

7. Normative References

   [RFC2578]  K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M.
              Rose, and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578, April
              1999.

   [RFC2579]  K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M.
              Rose, and S. Waldbusser, "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M.
              Rose, and S. Waldbusser, "Conformance Statements for SMIv2",
              STD 58, RFC 2580, April 1999.

   [RFC3291]  M. Daniele, et al., "Textual Conventions for Internet
              Network Addresses", RFC 3291, May 2002.

   [IANA-AF]  IANA, "IANA Address Family Numbers MIB",
              http://www.iana.org/assignments/ianaaddressfamilynumbers-mib

   [RFC1213]  K. McCloghrie, M. Rose, "Management Information Base for
              Network Management of TCP/IP-based internets: MIB-II",
              RFC 1213, March 1991.

   [RFC2011]  K. McCloghrie, "SNMPv2 Management Information Base for the
              Internet Protocol using SMIv2", RFC 2011, November 1996.

   [RFC2465]  D. Haskin, S. Onishi, "Management Information Base for IP
              Version 6: Textual Conventions and General Group",
              RFC 2465, December 1998.

8. Informative References

   [RFC3410]  J. Case, R. Mundy, D. Partain, and B. Stewart, "Introduction
              and Applicability Statements for Internet-Standard
              Management Framework", RFC 3410, December 2002.

   [ISCSI]    Satran, J., et al., "iSCSI", Work in Progress, draft-ietf-
              ips-iscsi-20, January 2003.

   [RFC1737]  K. Sollins, L.
              Masinter, "Functional Requirements for
              Uniform Resource Names", RFC 1737, December 1994.

   [RFC1994]  W. Simpson, "PPP Challenge Handshake Authentication Protocol
              (CHAP)", RFC 1994, August 1996.

   [RFC1510]  J. Kohl, C. Neuman, "The Kerberos Network Authentication
              Service (V5)", RFC 1510, September 1993.

   [RFC2945]  T. Wu, "The SRP Authentication and Key Exchange System",
              RFC 2945, September 2000.

   [FCMGMT]   K. McCloghrie, "Fibre Channel Management MIB", Work in
              Progress, draft-ietf-ips-fcmgmt-mib-03, October 2002.

9. Authors' Addresses

   Mark Bakke
   Postal: Cisco Systems, Inc
           6450 Wedgwood Road, Suite 130
           Maple Grove, MN
           USA 55311

   Tel: +1 763-398-1000
   Fax: +1 763-398-1001

   E-mail: mbakke@cisco.com

   Jim Muchow
   Postal: Cisco Systems, Inc
           6450 Wedgwood Road, Suite 130
           Maple Grove, MN
           USA 55311

   Tel: +1 763-398-1000
   Fax: +1 763-398-1001

   E-mail: jamesdmuchow@yahoo.com

10. IPR Notice

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances
   of licenses to be made available, or the result of an attempt made
   to obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification
   can be obtained from the IETF Secretariat.
   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

11. Full Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.