Internet Draft                                               Mark Bakke
draft-ietf-ips-auth-mib-05.txt                             Cisco Systems
Expires June 2004                                             Jim Muchow
                                                           December 2003


        Definitions of Managed Objects for User Identity Authorization


Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.html.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.
Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in TCP/IP based internets.
   In particular it defines objects for managing user identities and the
   names, addresses, and credentials required to manage access control,
   for use with various protocols.  This draft was motivated by the need
   for the configuration of authorized user identities for the iSCSI
   protocol, but has been extended to be useful for other protocols that
   have similar requirements.  It is important to note that this MIB
   provides only the set of identities to be used within access lists;
   it is the responsibility of other MIBs making use of this one to tie
   them to their own access lists or other authorization control
   methods.

Acknowledgments

   In addition to the authors, several people contributed to the
   development of this MIB through discussions of authentication,
   authorization, and access within the iSCSI MIB and security teams,
   including John Hufferd, Marjorie Krueger, Keith McCloghrie, Tom
   McSweeney, Steve Senum, and Josh Tseng.  Thanks also to Bill
   Studenmund (Wasabi Systems) for adding the Kerberos method, and to
   Ayman Ghanem for finding and suggesting changes to several problems
   found in the MIB.

   Thanks especially to Keith McCloghrie for serving as advisor for this
   MIB.

Table of Contents

   1. Introduction
   2. The Internet-Standard Management Framework
   3. Relationship to Other MIBs
   4. Discussion
   4.1. Authorization MIB Object Model
   4.2. ipsAuthInstance
   4.3. ipsAuthIdentity
   4.4. ipsAuthIdentityName
   4.5. ipsAuthIdentityAddress
   4.6. ipsAuthCredential
   4.7. IP, Fibre Channel, and Other Addresses
   4.8. Descriptors: Using OIDs in Place of Enumerated Types
   4.9. Notifications
   5. MIB Definitions
   6. Security Considerations
   7. Normative References
   8. Informative References
   9. Authors' Addresses
   10. IPR Notice
   11. Full Copyright Notice

1. Introduction

   This MIB will be used to configure and/or look at the configuration
   of user identities and their credential information.  For the
   purposes of this MIB, a "user" identity does not need to be an actual
   person; a user can also be a host, an application, a cluster of
   hosts, or any other identifiable entity that can be authorized to
   access a resource.

   Most objects in this MIB have a MAX-ACCESS of read-create; the MIB is
   intended to allow configuration of user identities and their names,
   addresses, and credentials.  MIN-ACCESS for all objects is read-only
   for those implementations that configure through other means, but
   require the ability to monitor user identities.

2. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3. Relationship to Other MIBs

   The identity authorization MIB does not directly address objects
   within other MIBs.  The identity address objects contain IPv4, IPv6,
   or other address types, and as such may be indirectly related to
   objects within the IPv4 MIB [RFC1213] [RFC2011] or the IPv6 MIB
   [RFC2465].

   This MIB does not provide actual authorization or access control
   lists; it provides a means to identify entities that can be included
   in other authorization lists.  This should generally be done in MIBs
   that reference identities in this one.  It also does not cover login
   or authentication failure statistics or notifications, as these are
   all fairly application-specific, and are not generic enough to
   include here.

   The user identity objects within this MIB are typically referenced
   from other MIBs by a RowPointer within that MIB.  A MIB containing
   resources for which it requires a list of authorized user identities
   may create such a list, with a single RowPointer within each list
   element pointing to a user identity within this MIB.  This is neither
   required nor restricted by this MIB.

4. Discussion

   This MIB structure is intended to allow the configuration of a list
   of user identities, each with a list of names, addresses,
   credentials, and certificates which when combined will distinguish
   that identity.

   The authorization MIB is structured around two primary "objects", the
   authorization instance, and the identity, which serve as containers
   for the remainder of the objects.
   This section contains a brief description of the "object" hierarchy
   and a description of each object, followed by a discussion of the
   actual SNMP table structure within the objects.

4.1. Authorization MIB Object Model

   The top-level object in this structure is the authorization instance,
   which "contains" all of the other objects.  The indexing hierarchy of
   this MIB looks like:

   ipsAuthInstance
     -- A distinct authorization entity within the managed system.
     -- Most implementations will have just one of these.
     ipsAuthIdentity
       -- A user identity, consisting of a set of identity names,
       -- addresses, and credentials reflected in the following
       -- objects:
       ipsAuthIdentityName
         -- A name for a user identity.  A name should be globally
         -- unique, and unchanging over time.  Some protocols may
         -- not require this one.
       ipsAuthIdentityAddress
         -- An address range, typically but not necessarily an
         -- IPv4, IPv6, or Fibre Channel address range, at which
         -- the identity is allowed to reside.
       ipsAuthCredential
         -- A single credential, such as a CHAP username,
         -- which can be used to verify the identity.
         ipsAuthCredChap
           -- CHAP-specific attributes for an ipsAuthCredential
         ipsAuthCredSrp
           -- SRP-specific attributes
         ipsAuthCredKerberos
           -- Kerberos-specific attributes

   Each identity contains the information necessary to identify a
   particular end-point that wishes to access a service, such as iSCSI.

   An identity can contain multiple names, addresses, and credentials.

4.2. ipsAuthInstance

   The ipsAuthInstanceAttributesTable is the primary table of the
   authorization MIB.  Every other table entry in this MIB includes the
   index of an ipsAuthInstanceAttributesEntry as its primary index.  An
   authorization instance is basically a managed set of identities.

   Many implementations will include just one authorization instance row
   in this table.
   However, there will be cases where multiple rows in this table may be
   used:

   - A large system may be "partitioned" into multiple, distinct virtual
     systems, perhaps sharing the SNMP agent but not their lists of
     identities.  Each virtual system would have its own authorization
     instance.

   - A set of stackable systems, each with their own set of identities,
     may be represented by a common SNMP agent.  Each individual system
     would have its own authorization instance.

   - Multiple protocols, each with their own set of identities, may
     exist within a single system and be represented by a single SNMP
     agent.  In this case, each protocol may have its own authorization
     instance.

4.3. ipsAuthIdentity

   The ipsAuthIdentAttributesTable contains one entry for each
   configured user identity.  The identity contains only a description
   of what the identity is used for; its attributes are all contained in
   other tables, since they can each have multiple values.

   Other MIBs containing lists of users authorized to access a
   particular resource should generally contain a RowPointer to the
   ipsAuthIdentAttributesEntry which will, if authenticated, be allowed
   access to the resource.

   All other table entries make use of the indices to this table as
   their primary indices.

4.4. ipsAuthIdentityName

   The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names,
   each of which belongs to, and may be used to identify, a particular
   identity in the ipsAuthIdentAttributesTable.

   Implementations making use of the authorization MIB may identify
   their resources by names, addresses, or both.  A name is typically a
   unique (within the required scope), unchanging identifier for a
   resource.  It will normally meet some or all of the requirements for a
   Uniform Resource Name [RFC1737], although a name in the context of
   this MIB does not need to be a URN.
   Identifiers that typically change over time should generally be
   placed into the ipsAuthIdentityAddress table; names that have no
   uniqueness properties should usually be placed into the description
   attribute for the identity.

   An example of an identity name is the iSCSI Name, defined in [ISCSI].

   If this table contains no entries associated with a particular user
   identity, the implementation does not need to check any name
   parameters when verifying that identity.  If the table contains
   multiple entries associated with a particular user identity, the
   implementation should consider a match with any one of these entries
   to be valid.

4.5. ipsAuthIdentityAddress

   The ipsAuthIdentAddrAttributesTable contains a list of addresses at
   which the identity may reside.  For example, an identity may be
   allowed access to a resource only from a certain IP address, or only
   if its address is in a certain range or set of ranges.

   Each entry contains a starting and ending address.  If a single
   address is desired in the list, both starting and ending addresses
   must be identical.

   Each entry contains an AddrType attribute.  This attribute contains
   an enumeration registered as an IANA Address Family type [IANA-AF].
   Although many implementations will use IPv4 or IPv6 address types for
   these entries, any IANA-registered type may be used, as long as it
   makes sense to the application.

   Matching any address within any range within the list associated with
   a particular identity is considered to be a valid match.  If no
   entries are present in this list for a given identity, its address is
   automatically assumed to match the identity.  An identity with no
   address entries is therefore accepted from any address; an address
   restriction has to be configured explicitly.

   Netmasks are not supported, since an address range can express the
   same thing with more flexibility.  An application specifying
   addresses using network masks may do so, and convert to and from
   address ranges when reading or writing this MIB.

4.6. ipsAuthCredential

   The ipsAuthCredentialAttributesTable contains a list of credentials,
   each of which may be used to verify a particular identity.

   Each credential contains an authentication method to be used, such as
   CHAP [RFC1994], SRP [RFC2945], or Kerberos [RFC1510].  This attribute
   contains an object identifier instead of an enumerated type, allowing
   other MIBs to add their own authentication methods, without modifying
   this MIB.

   For each entry in this table, there will exist an entry in another
   table containing its attributes.  The table in which to place the
   entry depends on the AuthMethod attribute:

   CHAP      If the AuthMethod is set to the CHAP OID, an entry using the
             same indices as the ipsAuthCredential will exist in the
             ipsAuthCredChap table, which contains the CHAP username.

   SRP       If the AuthMethod is set to the SRP OID, an entry using the
             same indices as the ipsAuthCredential will exist in the
             ipsAuthCredSrp table, which contains the SRP username.

   Kerberos  If the AuthMethod is set to the Kerberos OID, an entry using
             the same indices as the ipsAuthCredential will exist in the
             ipsAuthCredKerberos table, which contains the Kerberos
             principal.

   Other     If the AuthMethod is set to any OID not defined in this MIB,
             an entry using the same indices as the ipsAuthCredential
             entry should be placed in the other MIB that defines
             whatever attributes are needed for that type of credential.

4.7. IP, Fibre Channel, and Other Addresses

   The IP addresses in this MIB are represented by two attributes, one
   of type AddressFamilyNumbers, and the other of type IpsAuthAddress.
   Each address can take on any of the types within the list of address
   family numbers; the most likely being IPv4, IPv6, or one of the Fibre
   Channel address types.

   The type IpsAuthAddress is an octet string.
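   The matching rules of sections 4.4 and 4.5 and the method-selection
   rule of sections 4.6 and 4.8, carried through in Python as an added
   example; this is not code from the draft or from any iSCSI
   implementation, and every type and function name in it is the
   example's own.  It assumes the draft's compile-time placeholder arc
   { experimental 99999 } for the ipsAuthMethodTypes descriptor OIDs,
   IPv4 and IPv6 addresses stored in ipsAuthIdentAddrStart/End as
   InetAddress octet strings (the encoding section 4.7 goes on to
   specify), and a constructed identity whose iSCSI name and addresses
   are invented here.  Note that, like the MIB, it carries no CHAP or
   SRP secrets; only the method OID is needed to find the row that holds
   the user name.

```python
"""Identity matching (sections 4.4, 4.5) and credential-method dispatch
(sections 4.6, 4.8) of the IPS-AUTH-MIB draft.  Added example, not code
from the draft; the identity, name and addresses below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

AF_IPV4, AF_IPV6 = 1, 2  # IANA Address Family Numbers (ipsAuthIdentAddrType)

# ipsAuthMethodTypes under the draft's placeholder arc { experimental 99999 },
# 1.3.6.1.3.99999.1.1.1 (assumption: the arc assigned at publication differs).
IPS_AUTH_METHOD_TYPES: Tuple[int, ...] = (1, 3, 6, 1, 3, 99999, 1, 1, 1)
METHOD_NONE = IPS_AUTH_METHOD_TYPES + (1,)
METHOD_SRP = IPS_AUTH_METHOD_TYPES + (2,)
METHOD_CHAP = IPS_AUTH_METHOD_TYPES + (3,)
METHOD_KERBEROS = IPS_AUTH_METHOD_TYPES + (4,)

# Section 4.6: method OID -> table holding the credential's specific row.
METHOD_TABLE = {METHOD_CHAP: "ipsAuthCredChap", METHOD_SRP: "ipsAuthCredSrp",
                METHOD_KERBEROS: "ipsAuthCredKerberos"}


@dataclass
class AddrRange:
    """One ipsAuthIdentAddrAttributesEntry row."""
    addr_type: int  # ipsAuthIdentAddrType
    start: bytes    # ipsAuthIdentAddrStart: InetAddress octets for IPv4/IPv6
    end: bytes      # ipsAuthIdentAddrEnd, equal to start for a single address


@dataclass
class Identity:
    """One ipsAuthIdentAttributesEntry row plus its dependent rows."""
    description: str
    names: List[str] = field(default_factory=list)       # ipsAuthIdentName rows
    addresses: List[AddrRange] = field(default_factory=list)
    methods: List[Tuple[int, ...]] = field(default_factory=list)  # ipsAuthCredAuthMethod


def cidr_to_range(cidr: str) -> AddrRange:
    """Section 4.5: there is no netmask object, so a prefix is stored as a
    start/end range."""
    net = ipaddress.ip_network(cidr, strict=True)
    af = AF_IPV4 if net.version == 4 else AF_IPV6
    return AddrRange(af, net.network_address.packed, net.broadcast_address.packed)


def range_to_cidrs(r: AddrRange) -> List[str]:
    """Reverse conversion on read; an unaligned range needs several prefixes."""
    first, last = ipaddress.ip_address(r.start), ipaddress.ip_address(r.end)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def name_matches(identity: Identity, name: Optional[str]) -> bool:
    """Section 4.4: no name rows means the name is not checked; otherwise any
    one row matching is sufficient."""
    return not identity.names or name in identity.names


def address_matches(identity: Identity, addr_type: int, addr: bytes) -> bool:
    """Section 4.5: no address rows means any address matches; otherwise the
    address must lie in a range of the same family.  InetAddress octets are
    big-endian, so comparing equal-length byte strings compares numerically."""
    if not identity.addresses:
        return True
    for r in identity.addresses:
        if r.addr_type != addr_type or not (len(r.start) == len(addr) == len(r.end)):
            continue  # a range of another family or width can never match
        if r.start <= addr <= r.end:
            return True
    return False


def identity_accepts(identity: Identity, name: Optional[str],
                     addr_type: int, addr: bytes) -> bool:
    """The identity fits the presented endpoint only when both checks pass."""
    return name_matches(identity, name) and address_matches(identity, addr_type, addr)


def credential_table(method: Tuple[int, ...]) -> str:
    """Sections 4.6 and 4.8: the AutonomousType OID selects the table with the
    method-specific row; an OID outside ipsAuthMethodTypes names a method, and
    a table, defined in some other (e.g. enterprise) MIB."""
    if method == METHOD_NONE:
        return "none"
    if method in METHOD_TABLE:
        return METHOD_TABLE[method]
    if method[:len(IPS_AUTH_METHOD_TYPES)] == IPS_AUTH_METHOD_TYPES:
        raise ValueError("undefined ipsAuthMethodTypes descriptor %s" % (method,))
    return "other-mib"


def sample_identity() -> Identity:
    """Constructed sample: an iSCSI name, an IPv4 prefix stored as a range, an
    explicit IPv6 range and a CHAP credential (all values invented)."""
    ident = Identity(description="backup host")
    ident.names.append("iqn.2003-12.com.example:host-backup01")
    ident.addresses.append(cidr_to_range("192.0.2.0/28"))
    ident.addresses.append(AddrRange(AF_IPV6, ipaddress.ip_address("2001:db8::10").packed,
                                     ipaddress.ip_address("2001:db8::1f").packed))
    ident.methods.append(METHOD_CHAP)
    return ident
```

   With sample_identity(), identity_accepts() answers True for the
   sample name at 192.0.2.5 and False at 192.0.2.16 (outside the /28),
   for any other name, or for a 16-octet address presented with the
   IPv4 family number; an Identity with no name and no address rows
   accepts everything, which is the section 4.5 behaviour an operator
   must keep in mind.  credential_table() returns "ipsAuthCredChap" for
   the sample credential and "other-mib" for an OID under an enterprise
   arc.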
   If the address family is IPv4 or IPv6, the format is taken from the
   InetAddress specified in [RFC3291].  If the address family is one of
   the Fibre Channel types, the format is identical to the FcNameIdOrZero
   type defined in [FCMGMT].

4.8. Descriptors: Using OIDs in Place of Enumerated Types

   Some attributes, particularly the authentication method attribute,
   would normally require an enumerated type.  However, implementations
   will likely need to add new authentication method types of their own,
   without extending this MIB.  To make this work, the MIB defines a set
   of object identities within ipsAuthDescriptors.  Each of these object
   identities is basically an enumerated type.

   Attributes that make use of these object identities have a value
   which is an OID instead of an enumerated type.  These OIDs can either
   indicate the object identities defined in this MIB, or object
   identities defined elsewhere, such as in an enterprise MIB.  Those
   implementations that add their own authentication methods should also
   define a corresponding object identity for each of these methods
   within their own enterprise MIB, and return its OID whenever one of
   these attributes is using that method.

4.9. Notifications

   Monitoring of authentication failures and other notification events
   is outside the scope of this MIB, as they are generally
   application-specific.  No notifications are provided or required.

5. MIB Definitions

   IPS-AUTH-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32,
       experimental
           FROM SNMPv2-SMI

       TEXTUAL-CONVENTION, RowStatus, AutonomousType
           FROM SNMPv2-TC

       MODULE-COMPLIANCE, OBJECT-GROUP
           FROM SNMPv2-CONF

       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB  -- RFC 2571

       AddressFamilyNumbers
           FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB
       ;

   ipsAuthModule MODULE-IDENTITY
       LAST-UPDATED  "200312090000Z"  -- December 9, 2003
       ORGANIZATION  "IETF IPS Working Group"
       CONTACT-INFO
           "
           Mark Bakke
           Postal: Cisco Systems, Inc
           6450 Wedgwood Road, Suite 130
           Maple Grove, MN
           USA 55311

           Tel: +1 763-398-1000
           Fax: +1 763-398-1001

           E-mail: mbakke@cisco.com

           Jim Muchow
           E-mail: jamesdmuchow@yahoo.com"

       DESCRIPTION
           "The IP Storage Authorization MIB module."
       REVISION  "200312090000Z"  -- December 9, 2003
       DESCRIPTION
           "Initial revision published as RFC xxxx."

   --::= { mib-2 xx }
   -- in case you want to COMPILE
   ::= { experimental 99999 }

   ipsAuthObjects       OBJECT IDENTIFIER ::= { ipsAuthModule 1 }
   ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthModule 2 }
   ipsAuthConformance   OBJECT IDENTIFIER ::= { ipsAuthModule 3 }

   -- Textual Conventions

   IpsAuthAddress ::= TEXTUAL-CONVENTION
       STATUS        current
       DESCRIPTION
           "IP Storage requires the use of address information
           that uses not only the InetAddress type defined in the
           INET-ADDRESS-MIB, but also the Fibre Channel type defined
           in the Fibre Channel Management MIB.  Although these
           address types are recognized in the IANA Address Family
           Numbers MIB, the addressing mechanisms have not been
           merged into a well-known, common type.  This data type,
           the IpsAuthAddress, performs this function for this MIB."
       REFERENCE
           "IANA-ADDRESS-FAMILY-NUMBERS-MIB;
           INET-ADDRESS-MIB (RFC 3291);
           Fibre Channel Management MIB (presently defined in
           draft-ietf-ips-fcmgmt-mib-01.txt)."
       SYNTAX        OCTET STRING (SIZE(0..255))

   ------------------------------------------------------------------------

   ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 }

   ipsAuthMethodTypes OBJECT IDENTIFIER ::= { ipsAuthDescriptors 1 }

   ipsAuthMethodNone OBJECT-IDENTITY
       STATUS        current
       DESCRIPTION
           "The authoritative identifier when no authentication
           method is used."
       REFERENCE     "iSCSI Protocol Specification."
   ::= { ipsAuthMethodTypes 1 }

   ipsAuthMethodSrp OBJECT-IDENTITY
       STATUS        current
       DESCRIPTION
           "The authoritative identifier when the authentication
           method is SRP."
       REFERENCE     "iSCSI Protocol Specification."
   ::= { ipsAuthMethodTypes 2 }

   ipsAuthMethodChap OBJECT-IDENTITY
       STATUS        current
       DESCRIPTION
           "The authoritative identifier when the authentication
           method is CHAP."
       REFERENCE     "iSCSI Protocol Specification."
   ::= { ipsAuthMethodTypes 3 }

   ipsAuthMethodKerberos OBJECT-IDENTITY
       STATUS        current
       DESCRIPTION
           "The authoritative identifier when the authentication
           method is Kerberos."
       REFERENCE     "iSCSI Protocol Specification."
   ::= { ipsAuthMethodTypes 4 }

   ----------------------------------------------------------------------

   ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 }

   -- Instance Attributes Table

   ipsAuthInstanceAttributesTable OBJECT-TYPE
       SYNTAX        SEQUENCE OF IpsAuthInstanceAttributesEntry
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
           "A list of Authorization instances present on the system."
   ::= { ipsAuthInstance 2 }

   ipsAuthInstanceAttributesEntry OBJECT-TYPE
       SYNTAX        IpsAuthInstanceAttributesEntry
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
           "An entry (row) containing management information
           applicable to a particular Authorization instance."
       INDEX { ipsAuthInstIndex }
   ::= { ipsAuthInstanceAttributesTable 1 }

   IpsAuthInstanceAttributesEntry ::= SEQUENCE {
       ipsAuthInstIndex           Unsigned32,
       ipsAuthInstDescr           SnmpAdminString
   }

   ipsAuthInstIndex OBJECT-TYPE
       SYNTAX        Unsigned32 (1..4294967295)
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
           "An arbitrary integer used to uniquely identify a
           particular authorization instance."
   ::= { ipsAuthInstanceAttributesEntry 1 }

   ipsAuthInstDescr OBJECT-TYPE
       SYNTAX        SnmpAdminString
       MAX-ACCESS    read-write
       STATUS        current
       DESCRIPTION
           "An octet string, determined by the implementation to
           describe the authorization instance.  When only a single
           instance is present, this object may be set to the
           zero-length string; with multiple authorization
           instances, it may be used in an implementation-dependent
           manner to describe the purpose of the respective instance."
   ::= { ipsAuthInstanceAttributesEntry 2 }

   ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 }

   -- User Identity Attributes Table

   ipsAuthIdentAttributesTable OBJECT-TYPE
       SYNTAX        SEQUENCE OF IpsAuthIdentAttributesEntry
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
           "A list of user identities, each belonging to a
           particular ipsAuthInstance."
   ::= { ipsAuthIdentity 1 }

   ipsAuthIdentAttributesEntry OBJECT-TYPE
       SYNTAX        IpsAuthIdentAttributesEntry
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
           "An entry (row) containing management information
           describing a user identity within an authorization
           instance on this node."
       INDEX { ipsAuthInstIndex, ipsAuthIdentIndex }
   ::= { ipsAuthIdentAttributesTable 1 }

   IpsAuthIdentAttributesEntry ::= SEQUENCE {
       ipsAuthIdentIndex          Unsigned32,
       ipsAuthIdentDescription    SnmpAdminString,
       ipsAuthIdentRowStatus      RowStatus
   }

   ipsAuthIdentIndex OBJECT-TYPE
       SYNTAX        Unsigned32 (1..4294967295)
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
           "An arbitrary integer used to uniquely identify a
           particular identity instance within an authorization
           instance present on the node."
   ::= { ipsAuthIdentAttributesEntry 1 }

   ipsAuthIdentDescription OBJECT-TYPE
       SYNTAX        SnmpAdminString
       MAX-ACCESS    read-create
       STATUS        current
       DESCRIPTION
           "An octet string describing this particular identity."
   ::= { ipsAuthIdentAttributesEntry 2 }

   ipsAuthIdentRowStatus OBJECT-TYPE
       SYNTAX        RowStatus
       MAX-ACCESS    read-create
       STATUS        current
       DESCRIPTION
           "This field allows entries to be dynamically added and
           removed from this table via SNMP."
   ::= { ipsAuthIdentAttributesEntry 3 }

   ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 }

   -- User Initiator Name Attributes Table

   ipsAuthIdentNameAttributesTable OBJECT-TYPE
       SYNTAX        SEQUENCE OF IpsAuthIdentNameAttributesEntry
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
           "A list of unique names that can be used to positively
           identify a particular user identity."
   ::= { ipsAuthIdentityName 1 }

   ipsAuthIdentNameAttributesEntry OBJECT-TYPE
       SYNTAX        IpsAuthIdentNameAttributesEntry
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
           "An entry (row) containing management information
           applicable to a unique identity name which can be used
           to identify a user identity within a particular
           authorization instance."
       INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
               ipsAuthIdentNameIndex }
   ::= { ipsAuthIdentNameAttributesTable 1 }

   IpsAuthIdentNameAttributesEntry ::= SEQUENCE {
       ipsAuthIdentNameIndex      Unsigned32,
       ipsAuthIdentName           SnmpAdminString,
       ipsAuthIdentNameRowStatus  RowStatus
   }

   ipsAuthIdentNameIndex OBJECT-TYPE
       SYNTAX        Unsigned32 (1..4294967295)
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
           "An arbitrary integer used to uniquely identify a
           particular identity name instance within an
           ipsAuthIdentity within an authorization instance."
   ::= { ipsAuthIdentNameAttributesEntry 1 }

   ipsAuthIdentName OBJECT-TYPE
       SYNTAX        SnmpAdminString
       MAX-ACCESS    read-create
       STATUS        current
       DESCRIPTION
           "A character string which is the unique name of an
           identity that may be used to identify this ipsAuthIdent
           entry."
   ::= { ipsAuthIdentNameAttributesEntry 2 }

   ipsAuthIdentNameRowStatus OBJECT-TYPE
       SYNTAX        RowStatus
       MAX-ACCESS    read-create
       STATUS        current
       DESCRIPTION
           "This field allows entries to be dynamically added and
           removed from this table via SNMP."
   ::= { ipsAuthIdentNameAttributesEntry 3 }

   ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 }

   -- User Initiator Address Attributes Table

   ipsAuthIdentAddrAttributesTable OBJECT-TYPE
       SYNTAX        SEQUENCE OF IpsAuthIdentAddrAttributesEntry
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
           "A list of address ranges that are allowed to serve
           as the endpoint addresses of a particular identity.
           An address range includes a starting and ending address
           and an address type indicator, which can specify whether
           the address is IPv4, IPv6, FC-WWPN, or FC-WWNN."
   ::= { ipsAuthIdentityAddress 1 }

   ipsAuthIdentAddrAttributesEntry OBJECT-TYPE
       SYNTAX        IpsAuthIdentAddrAttributesEntry
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
           "An entry (row) containing management information
           applicable to an address range which is used as part
           of the authorization of an identity
           within an authorization instance on this node."
       INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
               ipsAuthIdentAddrIndex }
   ::= { ipsAuthIdentAddrAttributesTable 1 }

   IpsAuthIdentAddrAttributesEntry ::= SEQUENCE {
       ipsAuthIdentAddrIndex      Unsigned32,
       ipsAuthIdentAddrType       AddressFamilyNumbers,
       ipsAuthIdentAddrStart      IpsAuthAddress,
       ipsAuthIdentAddrEnd        IpsAuthAddress,
       ipsAuthIdentAddrRowStatus  RowStatus
   }

   ipsAuthIdentAddrIndex OBJECT-TYPE
       SYNTAX        Unsigned32 (1..4294967295)
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
           "An arbitrary integer used to uniquely identify a
           particular ipsAuthIdentAddress instance within an
           ipsAuthIdentity within an authorization instance
           present on the node."
   ::= { ipsAuthIdentAddrAttributesEntry 1 }

   ipsAuthIdentAddrType OBJECT-TYPE
       SYNTAX        AddressFamilyNumbers
       MAX-ACCESS    read-create
       STATUS        current
       DESCRIPTION
           "The type of address in the ipsAuthIdentAddrStart
           and ipsAuthIdentAddrEnd fields.  This type is taken
           from the IANA address family types; more types may
           be registered independently of this MIB."
   ::= { ipsAuthIdentAddrAttributesEntry 2 }

   ipsAuthIdentAddrStart OBJECT-TYPE
       SYNTAX        IpsAuthAddress
       MAX-ACCESS    read-create
       STATUS        current
       DESCRIPTION
           "The starting address of the allowed address range."
   ::= { ipsAuthIdentAddrAttributesEntry 3 }

   ipsAuthIdentAddrEnd OBJECT-TYPE
       SYNTAX        IpsAuthAddress
       MAX-ACCESS    read-create
       STATUS        current
       DESCRIPTION
           "The ending address of the allowed address range.
           If the ipsAuthIdentAddrAttributesEntry specifies a single
           address, this shall match the ipsAuthIdentAddrStart."
   ::= { ipsAuthIdentAddrAttributesEntry 4 }

   ipsAuthIdentAddrRowStatus OBJECT-TYPE
       SYNTAX        RowStatus
       MAX-ACCESS    read-create
       STATUS        current
       DESCRIPTION
           "This field allows entries to be dynamically added and
           removed from this table via SNMP."
   ::= { ipsAuthIdentAddrAttributesEntry 5 }

   ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 }

   -- Credential Attributes Table

   ipsAuthCredentialAttributesTable OBJECT-TYPE
       SYNTAX        SEQUENCE OF IpsAuthCredentialAttributesEntry
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
           "A list of credentials related to user identities
           that are allowed as valid authenticators of the
           particular identity."
   ::= { ipsAuthCredential 1 }

   ipsAuthCredentialAttributesEntry OBJECT-TYPE
       SYNTAX        IpsAuthCredentialAttributesEntry
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
           "An entry (row) containing management information
           applicable to a credential which verifies a user
           identity within an authorization instance."
       INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
   ::= { ipsAuthCredentialAttributesTable 1 }

   IpsAuthCredentialAttributesEntry ::= SEQUENCE {
       ipsAuthCredIndex           Unsigned32,
       ipsAuthCredAuthMethod      AutonomousType,
       ipsAuthCredRowStatus       RowStatus
   }

   ipsAuthCredIndex OBJECT-TYPE
       SYNTAX        Unsigned32 (1..4294967295)
       MAX-ACCESS    not-accessible
       STATUS        current
       DESCRIPTION
           "An arbitrary integer used to uniquely identify a
           particular Credential instance within an ipsAuthIdentity
           within an authorization instance present on the node."
    ::= { ipsAuthCredentialAttributesEntry 1 }

ipsAuthCredAuthMethod OBJECT-TYPE
    SYNTAX         AutonomousType
    MAX-ACCESS     read-create
    STATUS         current
    DESCRIPTION
        "This object contains an OBJECT IDENTIFIER
        which identifies the authentication method
        used with this credential.

        Some standardized values for this object are defined
        within the ipsAuthMethods subtree."
    ::= { ipsAuthCredentialAttributesEntry 2 }

ipsAuthCredRowStatus OBJECT-TYPE
    SYNTAX         RowStatus
    MAX-ACCESS     read-create
    STATUS         current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredentialAttributesEntry 3 }

ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 7 }

-- Credential Chap-Specific Attributes Table

ipsAuthCredChapAttributesTable OBJECT-TYPE
    SYNTAX         SEQUENCE OF IpsAuthCredChapAttributesEntry
    MAX-ACCESS     not-accessible
    STATUS         current
    DESCRIPTION
        "A list of CHAP attributes for credentials that
        use ipsAuthMethodChap as their ipsAuthCredAuthMethod."
    ::= { ipsAuthCredChap 1 }

ipsAuthCredChapAttributesEntry OBJECT-TYPE
    SYNTAX         IpsAuthCredChapAttributesEntry
    MAX-ACCESS     not-accessible
    STATUS         current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodChap as its ipsAuthCredAuthMethod."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredChapAttributesTable 1 }

IpsAuthCredChapAttributesEntry ::= SEQUENCE {
    ipsAuthCredChapUserName     SnmpAdminString,
    ipsAuthCredChapRowStatus    RowStatus
}

ipsAuthCredChapUserName OBJECT-TYPE
    SYNTAX         SnmpAdminString
    MAX-ACCESS     read-create
    STATUS         current
    DESCRIPTION
        "An octet string containing the CHAP user name for this
        credential."
    ::= { ipsAuthCredChapAttributesEntry 1 }

-- ipsAuthCredChapPassword (2) deleted

ipsAuthCredChapRowStatus OBJECT-TYPE
    SYNTAX         RowStatus
    MAX-ACCESS     read-create
    STATUS         current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredChapAttributesEntry 3 }

ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 8 }

-- Credential Srp-Specific Attributes Table

ipsAuthCredSrpAttributesTable OBJECT-TYPE
    SYNTAX         SEQUENCE OF IpsAuthCredSrpAttributesEntry
    MAX-ACCESS     not-accessible
    STATUS         current
    DESCRIPTION
        "A list of SRP attributes for credentials that
        use ipsAuthMethodSrp as their ipsAuthCredAuthMethod."
    ::= { ipsAuthCredSrp 1 }

ipsAuthCredSrpAttributesEntry OBJECT-TYPE
    SYNTAX         IpsAuthCredSrpAttributesEntry
    MAX-ACCESS     not-accessible
    STATUS         current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodSrp as its ipsAuthCredAuthMethod."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredSrpAttributesTable 1 }

IpsAuthCredSrpAttributesEntry ::= SEQUENCE {
    ipsAuthCredSrpUserName     SnmpAdminString,
    ipsAuthCredSrpRowStatus    RowStatus
}

ipsAuthCredSrpUserName OBJECT-TYPE
    SYNTAX         SnmpAdminString
    MAX-ACCESS     read-create
    STATUS         current
    DESCRIPTION
        "An octet string containing the SRP user name for this
        credential."
    ::= { ipsAuthCredSrpAttributesEntry 1 }

-- ipsAuthCredSrpPassword (2) deleted

ipsAuthCredSrpRowStatus OBJECT-TYPE
    SYNTAX         RowStatus
    MAX-ACCESS     read-create
    STATUS         current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredSrpAttributesEntry 3 }

ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 9 }

-- Credential Kerberos-Specific Attributes Table

ipsAuthCredKerbAttributesTable OBJECT-TYPE
    SYNTAX         SEQUENCE OF IpsAuthCredKerbAttributesEntry
    MAX-ACCESS     not-accessible
    STATUS         current
    DESCRIPTION
        "A list of Kerberos attributes for credentials that
        use ipsAuthMethodKerberos as their ipsAuthCredAuthMethod."
    ::= { ipsAuthCredKerberos 1 }

ipsAuthCredKerbAttributesEntry OBJECT-TYPE
    SYNTAX         IpsAuthCredKerbAttributesEntry
    MAX-ACCESS     not-accessible
    STATUS         current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodKerberos as its ipsAuthCredAuthMethod."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredKerbAttributesTable 1 }

IpsAuthCredKerbAttributesEntry ::= SEQUENCE {
    ipsAuthCredKerbPrincipal    SnmpAdminString,
    ipsAuthCredKerbRowStatus    RowStatus
}

ipsAuthCredKerbPrincipal OBJECT-TYPE
    SYNTAX         SnmpAdminString
    MAX-ACCESS     read-create
    STATUS         current
    DESCRIPTION
        "An octet string containing a Kerberos principal
        for this credential."
    ::= { ipsAuthCredKerbAttributesEntry 1 }

ipsAuthCredKerbRowStatus OBJECT-TYPE
    SYNTAX         RowStatus
    MAX-ACCESS     read-create
    STATUS         current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredKerbAttributesEntry 2 }

------------------------------------------------------------------------
-- Notifications

-- There are no notifications necessary in this MIB.
------------------------------------------------------------------------

-- Conformance Statements

ipsAuthGroups OBJECT IDENTIFIER ::= { ipsAuthConformance 1 }

ipsAuthInstanceAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthInstDescr
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        authorization instances."
    ::= { ipsAuthGroups 1 }

ipsAuthIdentAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentDescription,
        ipsAuthIdentRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        user identities within an authorization instance."
    ::= { ipsAuthGroups 2 }

ipsAuthIdentNameAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentName,
        ipsAuthIdentNameRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        user names within user identities within an authorization
        instance."
    ::= { ipsAuthGroups 3 }

ipsAuthIdentAddrAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentAddrType,
        ipsAuthIdentAddrStart,
        ipsAuthIdentAddrEnd,
        ipsAuthIdentAddrRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        address ranges within user identities within an
        authorization instance."
    ::= { ipsAuthGroups 4 }

ipsAuthIdentCredAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredAuthMethod,
        ipsAuthCredRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        credentials within user identities within an authorization
        instance."
    ::= { ipsAuthGroups 5 }

ipsAuthIdentChapAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredChapUserName,
        ipsAuthCredChapRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        CHAP credentials within user identities within an
        authorization instance."
    ::= { ipsAuthGroups 6 }

ipsAuthIdentSrpAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredSrpUserName,
        ipsAuthCredSrpRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        SRP credentials within user identities within an
        authorization instance."
    ::= { ipsAuthGroups 7 }

ipsAuthIdentKerberosAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredKerbPrincipal,
        ipsAuthCredKerbRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        Kerberos credentials within user identities within an
        authorization instance."
    ::= { ipsAuthGroups 8 }

------------------------------------------------------------------------

ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 2 }

ipsAuthComplianceV1 MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Initial version of compliance statement based on
        initial version of MIB.

        The Instance and Identity groups are mandatory;
        at least one of the other groups (Name, Address,
        Credential, Certificate) is also mandatory for
        any given implementation."
    MODULE -- this module
    MANDATORY-GROUPS {
        ipsAuthInstanceAttributesGroup,
        ipsAuthIdentAttributesGroup
    }

    -- Conditionally mandatory groups to be included with
    -- the mandatory groups when necessary.

    GROUP ipsAuthIdentNameAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that make use of unique identity names."
    GROUP ipsAuthIdentAddrAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use addresses to help verify identities."

    GROUP ipsAuthIdentCredAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use credentials to help verify identities."

    GROUP ipsAuthIdentChapAttrGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use CHAP to help verify identities.

        The ipsAuthIdentCredAttributesGroup must be
        implemented if this group is implemented."

    GROUP ipsAuthIdentSrpAttrGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use SRP to help verify identities.

        The ipsAuthIdentCredAttributesGroup must be
        implemented if this group is implemented."

    GROUP ipsAuthIdentKerberosAttrGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use Kerberos to help verify identities.

        The ipsAuthIdentCredAttributesGroup must be
        implemented if this group is implemented."

    OBJECT ipsAuthInstDescr
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentDescription
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthIdentName
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."
    OBJECT ipsAuthIdentNameRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthIdentAddrType
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentAddrStart
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentAddrEnd
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentAddrRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredAuthMethod
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredChapUserName
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredChapRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredSrpUserName
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."
    OBJECT ipsAuthCredSrpRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredKerbPrincipal
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredKerbRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    ::= { ipsAuthCompliances 1 }

END

6. Security Considerations

There are a number of management objects defined in this MIB module
with a MAX-ACCESS clause of read-write and/or read-create. Such
objects may be considered sensitive or vulnerable in some network
environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on
network operations. These are the tables and objects and their
sensitivity/vulnerability:

All tables provide the ability to set up which credentials may be
used to access services on the managed system, to remove
legitimate credentials (a denial of service), or to remove
individual credentials to weaken the requirements for access of a
particular service. Write access must always be tightly
controlled. Note that some types of credentials, such as CHAP or
SRP, also require passwords or verifiers to be associated with the
credential. These are managed outside this MIB.

Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments.
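The address-range table defined in the module above, and the effect a row removal has on it, worked through as an added Python example (mine, not code from the draft or from any implementation of it). It assumes that IpsAuthAddress carries the raw big-endian address bytes, uses the IANA Address Family Numbers ipv4(1) and ipv6(2) for ipsAuthIdentAddrType, and treats only rows whose ipsAuthIdentAddrRowStatus is active(1) as authorizing anything; the Python names and the sample rows are constructed for the example:

```python
import ipaddress
from dataclasses import dataclass

# IANA Address Family Numbers used in ipsAuthIdentAddrType (the module's
# AddressFamilyNumbers textual convention); only these two are modelled here.
AF_IPV4 = 1
AF_IPV6 = 2
ADDR_LEN = {AF_IPV4: 4, AF_IPV6: 16}

# RowStatus enumeration value active(1): only active rows take part in authorization.
ROWSTATUS_ACTIVE = 1


@dataclass(frozen=True)
class AddrRow:
    """One conceptual row of ipsAuthIdentAddrAttributesTable.

    The first three fields form the INDEX of the row; the rest are its columns.
    IpsAuthAddress is modelled as raw big-endian address bytes (an assumption of
    this example, not something the table definition states).
    """
    inst_index: int      # ipsAuthInstIndex
    ident_index: int     # ipsAuthIdentIndex
    addr_index: int      # ipsAuthIdentAddrIndex
    addr_type: int       # ipsAuthIdentAddrType
    addr_start: bytes    # ipsAuthIdentAddrStart
    addr_end: bytes      # ipsAuthIdentAddrEnd
    row_status: int      # ipsAuthIdentAddrRowStatus


def row_is_wellformed(row: AddrRow) -> bool:
    """Reject rows an agent should neither accept at SET time nor consult at lookup:
    unknown family, an address length that does not fit the family, or an inverted
    range.  With equal-length big-endian addresses, bytes comparison is numeric."""
    length = ADDR_LEN.get(row.addr_type)
    if length is None:
        return False
    if len(row.addr_start) != length or len(row.addr_end) != length:
        return False
    return row.addr_start <= row.addr_end


def row_matches(row: AddrRow, family: int, addr: bytes) -> bool:
    """True when an active, well-formed row of the same family covers addr.  A
    single-address row has ipsAuthIdentAddrEnd equal to ipsAuthIdentAddrStart, so
    the inclusive comparison covers it without a special case."""
    if row.row_status != ROWSTATUS_ACTIVE or not row_is_wellformed(row):
        return False
    if row.addr_type != family:
        return False
    return row.addr_start <= addr <= row.addr_end


def authorized_identities(rows, addr_text: str):
    """Set of (ipsAuthInstIndex, ipsAuthIdentIndex) pairs whose address ranges
    admit the peer address given in text form."""
    ip = ipaddress.ip_address(addr_text)
    family = AF_IPV4 if ip.version == 4 else AF_IPV6
    return {(r.inst_index, r.ident_index) for r in rows if row_matches(r, family, ip.packed)}


def identities_without_active_range(rows):
    """Identities present in the table that no longer have any usable active row.
    Removing or deactivating an identity's last row is the denial of service the
    Security Considerations describe; an operator audit after a SET can flag it."""
    seen = {(r.inst_index, r.ident_index) for r in rows}
    usable = {(r.inst_index, r.ident_index) for r in rows
              if r.row_status == ROWSTATUS_ACTIVE and row_is_wellformed(r)}
    return seen - usable


def _packed(text: str) -> bytes:
    return ipaddress.ip_address(text).packed


# Constructed sample rows (not taken from the draft).
SAMPLE_ROWS = [
    # identity 1 in instance 1: one single IPv4 address and one single IPv6 address
    AddrRow(1, 1, 1, AF_IPV4, _packed("10.0.0.7"), _packed("10.0.0.7"), ROWSTATUS_ACTIVE),
    AddrRow(1, 1, 2, AF_IPV6, _packed("2001:db8::1"), _packed("2001:db8::1"), ROWSTATUS_ACTIVE),
    # identity 2: an IPv4 range
    AddrRow(1, 2, 1, AF_IPV4, _packed("192.0.2.10"), _packed("192.0.2.20"), ROWSTATUS_ACTIVE),
    # identity 3: its only row is notInService(2), so it currently authorizes nothing
    AddrRow(1, 3, 1, AF_IPV4, _packed("198.51.100.0"), _packed("198.51.100.255"), 2),
    # identity 4: inverted range (end < start); a conforming agent should reject the SET
    AddrRow(1, 4, 1, AF_IPV4, _packed("203.0.113.50"), _packed("203.0.113.10"), ROWSTATUS_ACTIVE),
]

if __name__ == "__main__":
    for peer in ("10.0.0.7", "10.0.0.8", "192.0.2.15", "2001:db8::1", "198.51.100.5"):
        print(peer, sorted(authorized_identities(SAMPLE_ROWS, peer)))
    print("identities with no usable range:", sorted(identities_without_active_range(SAMPLE_ROWS)))
```

The comparison is inclusive on both ends, which is what lets the single-address case fall out of the general range check, and an inverted range or an address whose length does not fit its family is rejected outright rather than silently matching nothing. identities_without_active_range is the check an operator can run after any SET against this table: an identity that has lost its last active row has, in effect, been locked out.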
It is thus important to
control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over
the network via SNMP. These are the tables and objects and their
sensitivity/vulnerability:

All tables provide the ability to find out which names, addresses,
and credentials would be required to access services on the
managed system. If these credentials are easily spoofed
(particularly the name or address), read access to the MIB must be
tightly controlled.

SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec),
there is still no control as to who on the secure network is
allowed to access and GET/SET (read/change/create/delete) the objects
in this MIB module.

It is RECOMMENDED that implementors consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).

Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.

7. Normative References

[RFC2578] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. Rose, and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[RFC2579] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. Rose, and S.
Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.

[RFC2580] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. Rose, and S. Waldbusser, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.

[RFC3291] M. Daniele, et al., "Textual Conventions for Internet Network Addresses", RFC 3291, May 2002.

[IANA-AF] IANA, "IANA Address Family Numbers MIB", http://www.iana.org/assignments/ianaaddressfamilynumbers-mib

[RFC1213] K. McCloghrie, M. Rose, "Management Information Base for Network Management of TCP/IP-based internets: MIB-II", RFC 1213, March 1991.

[RFC2011] K. McCloghrie, "SNMPv2 Management Information Base for the Internet Protocol using SMIv2", RFC 2011, November 1996.

[RFC2465] D. Haskin, S. Onishi, "Management Information Base for IP Version 6: Textual Conventions and General Group", RFC 2465, December 1998.

8. Informative References

[RFC3410] J. Case, R. Mundy, D. Partain, and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002.

[ISCSI] Satran, J., et al., "iSCSI", Work in Progress, draft-ietf-ips-iscsi-20, January 2003.

[RFC1737] K. Sollins, L. Masinter, "Functional Requirements for Uniform Resource Names", RFC 1737, December 1994.

[RFC1994] W. Simpson, "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996.

[RFC1510] J. Kohl, C. Neuman, "The Kerberos Network Authentication Service (V5)", RFC 1510, September 1993.

[RFC2945] T. Wu, "The SRP Authentication and Key Exchange System", RFC 2945, September 2000.

[FCMGMT] K. McCloghrie, "Fibre Channel Management MIB", Work in Progress, draft-ietf-ips-fcmgmt-mib-03, October 2002.

9.
Authors' Addresses

Mark Bakke
Postal: Cisco Systems, Inc
        6450 Wedgwood Road, Suite 130
        Maple Grove, MN
        USA 55311

Tel: +1 763-398-1000
Fax: +1 763-398-1001

E-mail: mbakke@cisco.com

Jim Muchow

E-mail: jamesdmuchow@yahoo.com

10. IPR Notice

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances
of licenses to be made available, or the result of an attempt made
to obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification
can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.

11. Full Copyright Notice

Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.