Internet Draft                                              Mark Bakke
                                                         Cisco Systems
Expires July 2005                                         James Muchow
                                                          Qlogic Corp.
                                                          January 2005

      Definitions of Managed Objects for User Identity Authorization

Status of this Memo

   By submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, or will be disclosed, and any of which I become aware will be disclosed, in accordance with RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.html.
   The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (2005). All Rights Reserved.

Abstract

   This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP based internets. In particular it defines objects for managing user identities and the names, addresses, and credentials required to manage access control, for use with various protocols. This draft was motivated by the need for the configuration of authorized user identities for the iSCSI protocol, but has been extended to be useful for other protocols that have similar requirements. It is important to note that this MIB module provides only the set of identities to be used within access lists; it is the responsibility of other MIB modules making use of this one to tie them to their own access lists or other authorization control methods.

Acknowledgments

   In addition to the authors, several people contributed to the development of this MIB module through discussions of authentication, authorization, and access within the iSCSI MIB module and security teams, including John Hufferd, Marjorie Krueger, Keith McCloghrie, Tom McSweeney, Steve Senum, and Josh Tseng. Thanks also to Bill Studenmund (Wasabi Systems) for adding the Kerberos method, and to Ayman Ghanem for finding and suggesting changes to several problems found in the MIB module.

   Thanks especially to Keith McCloghrie for serving as advisor for this MIB module.

Table of Contents

   1. Introduction
   2. The Internet-Standard Management Framework
   3. Relationship to Other MIB Modules
   4. Discussion
      4.1. Authorization MIB Object Model
      4.2. ipsAuthInstance
      4.3. ipsAuthIdentity
      4.4. ipsAuthIdentityName
      4.5. ipsAuthIdentityAddress
      4.6. ipsAuthCredential
      4.7. IP, Fibre Channel, and Other Addresses
      4.8. Descriptors: Using OIDs in Place of Enumerated Types
      4.9. Notifications
   5. MIB Definitions
   6. Security Considerations
   7. IANA Considerations
      7.1. OID Assignment
   8. Normative References
   9. Informative References
   10. Authors' Addresses
   11. IPR Notice
   12. Full Copyright Notice

1. Introduction

   This MIB module will be used to configure and/or look at the configuration of user identities and their credential information. For the purposes of this MIB module, a "user" identity does not need to be an actual person; a user can also be a host, an application, a cluster of hosts, or any other identifiable entity that can be authorized to access a resource.

   Most objects in this MIB module have a MAX-ACCESS of read-create; this module is intended to allow configuration of user identities and their names, addresses, and credentials. MIN-ACCESS for all objects is read-only for those implementations that configure through other means, but require the ability to monitor user identities.

2. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580].

3. Relationship to Other MIB Modules

   The identity authorization MIB module does not directly address objects within other modules. The identity address objects contain IPv4, IPv6, or other address types, and as such may be indirectly related to objects within the IPv4 [RFC1213] [RFC2011] or IPv6 [RFC2465] MIB modules.

   This MIB module does not provide actual authorization or access control lists; it provides a means to identify entities that can be included in other authorization lists. This should generally be done in MIB modules that reference identities in this one. It also does not cover login or authentication failure statistics or notifications, as these are all fairly application-specific, and are not generic enough to include here.

   The user identity objects within this module are typically referenced from other modules by a RowPointer within that module. A module containing resources for which it requires a list of authorized user identities may create such a list, with a single RowPointer within each list element pointing to a user identity within this module. This is neither required nor restricted by this MIB module.

4. Discussion

   This MIB module structure is intended to allow the configuration of a list of user identities, each with a list of names, addresses, credentials, and certificates which when combined will distinguish that identity.

   The authorization MIB module is structured around two primary "objects", the authorization instance, and the identity, which serve as containers for the remainder of the objects. This section contains a brief description of the "object" hierarchy and a description of each object, followed by a discussion of the actual SNMP table structure within the objects.

4.1. Authorization MIB Object Model

   The top-level object in this structure is the authorization instance, which "contains" all of the other objects. The indexing hierarchy of this module looks like:

   ipsAuthInstance
     -- A distinct authorization entity within the managed system.
     -- Most implementations will have just one of these.
     ipsAuthIdentity
       -- A user identity, consisting of a set of identity names,
       -- addresses, and credentials reflected in the following
       -- objects:
       ipsAuthIdentityName
         -- A name for a user identity. A name should be globally
         -- unique, and unchanging over time. Some protocols may
         -- not require this one.
       ipsAuthIdentityAddress
         -- An address range, typically but not necessarily an
         -- IPv4, IPv6, or Fibre Channel address range, at which
         -- the identity is allowed to reside.
       ipsAuthCredential
         -- A single credential, such as a CHAP username,
         -- which can be used to verify the identity.
         ipsAuthCredChap
           -- CHAP-specific attributes for an ipsAuthCredential
         ipsAuthCredSrp
           -- SRP-specific attributes
         ipsAuthCredKerberos
           -- Kerberos-specific attributes

   Each identity contains the information necessary to identify a particular end-point that wishes to access a service, such as iSCSI.
   An identity can contain multiple names, addresses, and credentials.

4.2. ipsAuthInstance

   The ipsAuthInstanceAttributesTable is the primary table of the authorization MIB module. Every other table entry in this module includes the index of an ipsAuthInstanceAttributesEntry as its primary index. An authorization instance is basically a managed set of identities.

   Many implementations will include just one authorization instance row in this table. However, there will be cases where multiple rows in this table may be used:

   - A large system may be "partitioned" into multiple, distinct virtual systems, perhaps sharing the SNMP agent but not their lists of identities. Each virtual system would have its own authorization instance.

   - A set of stackable systems, each with their own set of identities, may be represented by a common SNMP agent. Each individual system would have its own authorization instance.

   - Multiple protocols, each with their own set of identities, may exist within a single system and be represented by a single SNMP agent. In this case, each protocol may have its own authorization instance.

   An entry in this table is typically referenced by its name (ipsAuthInstDescr), which should be displayed to the user by the management station. When an implementation supports only one entry in this table, the description may be returned as a zero-length string.

   An end user will generally use name and description fields in identifying rows within this and other tables. Therefore, persistence of index values across reboots is not required in this MIB module. However, index values for rows that have been deleted must not be reused before a reboot.

4.3. ipsAuthIdentity

   The ipsAuthIdentAttributesTable contains one entry for each configured user identity.
   The identity contains only a description of what the identity is used for; its attributes are all contained in other tables, since they can each have multiple values.

   Other MIB modules containing lists of users authorized to access a particular resource should generally contain a RowPointer to the ipsAuthIdentAttributesEntry which will, if authenticated, be allowed access to the resource.

   All other table entries make use of the indices to this table as their primary indices.

4.4. ipsAuthIdentityName

   The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names, each of which belongs to, and may be used to identify, a particular identity in the authIdentity table.

   Implementations making use of the authorization MIB module may identify their resources by names, addresses, or both. A name is typically a unique (within the required scope), unchanging identifier for a resource. It will normally meet some or all of the requirements for a Uniform Resource Name [RFC1737], although a name in the context of this MIB module does not need to be a URN. Identifiers that typically change over time should generally be placed into the ipsAuthIdentityAddress table; names that have no uniqueness properties should usually be placed into the description attribute for the identity.

   An example of an identity name is the iSCSI Name, defined in [RFC3720].

   If this table contains no entries associated with a particular user identity, the implementation does not need to check any name parameters when verifying that identity. If the table contains multiple entries associated with a particular user identity, the implementation should consider a match with any one of these entries to be valid.

4.5. ipsAuthIdentityAddress

   The ipsAuthIdentAddrAttributesTable contains a list of addresses at which the identity may reside.
   For example, an identity may be allowed access to a resource only from a certain IP address, or only if its address is in a certain range or set of ranges.

   Each entry contains a starting and ending address. If a single address is desired in the list, both starting and ending addresses must be identical.

   Each entry contains an AddrType attribute. This attribute contains an enumeration registered as an IANA Address Family type [IANA-AF]. Although many implementations will use IPv4 or IPv6 address types for these entries, any IANA-registered type may be used, as long as it makes sense to the application.

   Matching any address within any range within the list associated with a particular identity is considered to be a valid match. If no entries are present in this list for a given identity, its address is automatically assumed to match the identity.

   Netmasks are not supported, since an address range can express the same thing with more flexibility. An application specifying addresses using network masks may do so, and convert to and from address ranges when reading or writing this MIB module.

4.6. ipsAuthCredential

   The ipsAuthCredentialAttributesTable contains a list of credentials, each of which may be used to verify a particular identity.

   Each credential contains an authentication method to be used, such as CHAP [RFC1994], SRP [RFC2945], or Kerberos [RFC1510]. This attribute contains an object identifier instead of an enumerated type, allowing other MIB modules to add their own authentication methods, without modifying this MIB module.

   For each entry in this table, there will exist an entry in another table containing its attributes.
   The table in which to place the entry depends on the AuthMethod attribute:

   CHAP      If the AuthMethod is set to the CHAP OID, an entry using the same indices as the ipsAuthCredential will exist in the ipsAuthCredChap table, which contains the CHAP username.

   SRP       If the AuthMethod is set to the SRP OID, an entry using the same indices as the ipsAuthCredential will exist in the ipsAuthCredSrp table, which contains the SRP username.

   Kerberos  If the AuthMethod is set to the Kerberos OID, an entry using the same indices as the ipsAuthCredential will exist in the ipsAuthCredKerberos table, which contains the Kerberos principal.

   Other     If the AuthMethod is set to any OID not defined in this module, an entry using the same indices as the ipsAuthCredential entry should be placed in the other module that defines whatever attributes are needed for that type of credential.

4.7. IP, Fibre Channel, and Other Addresses

   The IP addresses in this MIB module are represented by two attributes, one of type AddressFamilyNumbers, and the other of type AuthAddress. Each address can take on any of the types within the list of address family numbers; the most likely being IPv4, IPv6, or one of the Fibre Channel address types.

   The type AuthAddress is an octet string. If the address family is IPv4 or IPv6, the format is taken from the InetAddress specified in [RFC3291]. If the address family is one of the Fibre Channel types, the format is identical to the FcNameIdOrZero type defined in [FCMGMT].

4.8. Descriptors: Using OIDs in Place of Enumerated Types

   Some attributes, particularly the authentication method attribute, would normally require an enumerated type. However, implementations will likely need to add new authentication method types of their own, without extending this MIB module.
   To make this work, this module defines a set of object identities within ipsAuthDescriptors. Each of these object identities is basically an enumerated type.

   Attributes that make use of these object identities have a value which is an OID instead of an enumerated type. These OIDs can either indicate the object identities defined in this module, or object identities defined elsewhere, such as in an enterprise MIB module. Those implementations that add their own authentication methods should also define a corresponding object identity for each of these methods within their own enterprise MIB module, and return its OID whenever one of these attributes is using that method.

4.9. Notifications

   Monitoring of authentication failures and other notification events is outside the scope of this MIB module, as they are generally application-specific. No notifications are provided or required.

5. MIB Definitions

IPS-AUTH-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32,
    experimental
        FROM SNMPv2-SMI

    TEXTUAL-CONVENTION, RowStatus, AutonomousType, StorageType
        FROM SNMPv2-TC

    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF

    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB          -- RFC 2571

    AddressFamilyNumbers
        FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB
    ;

ipsAuthModule MODULE-IDENTITY
    LAST-UPDATED "200501250000Z"   -- January 25, 2005
    ORGANIZATION "IETF IPS Working Group"
    CONTACT-INFO
        "
        Mark Bakke
        Postal: Cisco Systems, Inc
        7900 International Drive, Suite 400
        Bloomington, MN
        USA 55425

        E-mail: mbakke@cisco.com

        James Muchow
        Postal: Qlogic Corp.
        6321 Bury Dr.
        Eden Prairie, MN
        USA 55346

        E-Mail: james.muchow@qlogic.com"

    DESCRIPTION
        "The IP Storage Authorization MIB module.
        Copyright (C) The Internet Society (2005).
        This version of this MIB module is part of RFC yyyy; see the RFC itself for
        full legal notices."
        -- RFC Ed.: replace yyyy with actual RFC number & remove this note
    REVISION "200501250000Z"   -- January 25, 2005
    DESCRIPTION
        "Initial version of the IP Storage Authentication MIB module"

    ::= { mib-2 xx }
    -- in case you want to COMPILE
    --::= { experimental 99999 }

ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthModule 0 }
ipsAuthObjects       OBJECT IDENTIFIER ::= { ipsAuthModule 1 }
ipsAuthConformance   OBJECT IDENTIFIER ::= { ipsAuthModule 2 }

-- Textual Conventions

IpsAuthAddress ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
        "IP Storage requires the use of address information
        that uses not only the InetAddress type defined in the
        INET-ADDRESS-MIB, but also Fibre Channel type defined
        in the Fibre Channel Management MIB. Although these
        address types are recognized in the IANA Address Family
        Numbers MIB, the addressing mechanisms have not been
        merged into a well-known, common type. This data type,
        the IpsAuthAddress, performs this function for this MIB
        module."
    REFERENCE
        "IANA-ADDRESS-FAMILY-NUMBERS-MIB;
        INET-ADDRESS-MIB (RFC 2851);
        Fibre Channel Management MIB (presently defined in
        draft-ietf-ips-fcmgmt-mib-01.txt)."
    SYNTAX OCTET STRING (SIZE(0..255))

------------------------------------------------------------------------

ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 }

ipsAuthMethodTypes OBJECT IDENTIFIER ::= { ipsAuthDescriptors 1 }

ipsAuthMethodNone OBJECT-IDENTITY
    STATUS        current
    DESCRIPTION
        "The authoritative identifier when no authentication
        method is used."
    REFERENCE "iSCSI Protocol Specification."
    ::= { ipsAuthMethodTypes 1 }

ipsAuthMethodSrp OBJECT-IDENTITY
    STATUS        current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is SRP."
    REFERENCE "iSCSI Protocol Specification."
    ::= { ipsAuthMethodTypes 2 }

ipsAuthMethodChap OBJECT-IDENTITY
    STATUS        current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is CHAP."
    REFERENCE "iSCSI Protocol Specification."
    ::= { ipsAuthMethodTypes 3 }

ipsAuthMethodKerberos OBJECT-IDENTITY
    STATUS        current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is Kerberos."
    REFERENCE "iSCSI Protocol Specification."
    ::= { ipsAuthMethodTypes 4 }

----------------------------------------------------------------------

ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 }

-- Instance Attributes Table

ipsAuthInstanceAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthInstanceAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of Authorization instances present on the system."
    ::= { ipsAuthInstance 2 }

ipsAuthInstanceAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthInstanceAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a particular Authorization instance."
    INDEX { ipsAuthInstIndex }

    ::= { ipsAuthInstanceAttributesTable 1 }

IpsAuthInstanceAttributesEntry ::= SEQUENCE {
    ipsAuthInstIndex         Unsigned32,
    ipsAuthInstDescr         SnmpAdminString
}

ipsAuthInstIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular authorization instance. This value does
        not need to be preserved across reboots, and must
        not be reused for a new row before a reboot."
    ::= { ipsAuthInstanceAttributesEntry 1 }

ipsAuthInstDescr OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-write
    STATUS        current
    DESCRIPTION
        "An octet string, determined by the implementation to
        describe the authorization instance. When only a single
        instance is present, this object may be set to the
        zero-length string; with multiple authorization
        instances, it may be set in an implementation-dependent
        manner to describe the purpose of the respective instance."
    ::= { ipsAuthInstanceAttributesEntry 2 }

ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 }

-- User Identity Attributes Table

ipsAuthIdentAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of user identities, each belonging to a
        particular ipsAuthInstance."
    ::= { ipsAuthIdentity 1 }

ipsAuthIdentAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        describing a user identity within an authorization
        instance on this node."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex }
    ::= { ipsAuthIdentAttributesTable 1 }

IpsAuthIdentAttributesEntry ::= SEQUENCE {
    ipsAuthIdentIndex          Unsigned32,
    ipsAuthIdentDescription    SnmpAdminString,
    ipsAuthIdentRowStatus      RowStatus,
    ipsAuthIdentStorageType    StorageType
}

ipsAuthIdentIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular identity instance within an authorization
        instance present on the node. This value does not
        need to be preserved across reboots, and must not
        be used for a new row before a reboot."
    ::= { ipsAuthIdentAttributesEntry 1 }

ipsAuthIdentDescription OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "An octet string describing this particular identity."
    ::= { ipsAuthIdentAttributesEntry 2 }

ipsAuthIdentRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP. When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus."
    ::= { ipsAuthIdentAttributesEntry 3 }

ipsAuthIdentStorageType OBJECT-TYPE
    SYNTAX        StorageType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The storage type for this row. Rows in this table that were
        created through an external process may have a storage type of
        readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipsAuthIdentAttributesEntry 4 }

ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 }

-- User Initiator Name Attributes Table

ipsAuthIdentNameAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentNameAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of unique names that can be used to positively
        identify a particular user identity."
    ::= { ipsAuthIdentityName 1 }

ipsAuthIdentNameAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentNameAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a unique identity name which can be used
        to identify a user identity within a particular
        authorization instance."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
            ipsAuthIdentNameIndex }
    ::= { ipsAuthIdentNameAttributesTable 1 }

IpsAuthIdentNameAttributesEntry ::= SEQUENCE {
    ipsAuthIdentNameIndex          Unsigned32,
    ipsAuthIdentName               SnmpAdminString,
    ipsAuthIdentNameRowStatus      RowStatus,
    ipsAuthIdentNameStorageType    StorageType
}

ipsAuthIdentNameIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular identity name instance within an
        ipsAuthIdentity within an authorization instance. This
        value does not need to be preserved across reboots,
        and must not be used for a new row before a reboot."
    ::= { ipsAuthIdentNameAttributesEntry 1 }

ipsAuthIdentName OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "A character string which is the unique name of an
        identity that may be used to identify this ipsAuthIdent
        entry."
    ::= { ipsAuthIdentNameAttributesEntry 2 }

ipsAuthIdentNameRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP. When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus."
    ::= { ipsAuthIdentNameAttributesEntry 3 }

ipsAuthIdentNameStorageType OBJECT-TYPE
    SYNTAX        StorageType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The storage type for this row. Rows in this table that were
        created through an external process may have a storage type of
        readOnly or permanent."
        DEFVAL        { nonVolatile }
        ::= { ipsAuthIdentNameAttributesEntry 4 }

    ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 }

    -- User Initiator Address Attributes Table

    ipsAuthIdentAddrAttributesTable OBJECT-TYPE
        SYNTAX        SEQUENCE OF IpsAuthIdentAddrAttributesEntry
        MAX-ACCESS    not-accessible
        STATUS        current
        DESCRIPTION
            "A list of address ranges that are allowed to serve
            as the endpoint addresses of a particular identity.

            An address range includes a starting and ending address
            and an optional netmask, and an address type indicator,
            which can specify whether the address is IPv4, IPv6,
            FC-WWPN, or FC-WWNN."
        ::= { ipsAuthIdentityAddress 1 }

    ipsAuthIdentAddrAttributesEntry OBJECT-TYPE
        SYNTAX        IpsAuthIdentAddrAttributesEntry
        MAX-ACCESS    not-accessible
        STATUS        current
        DESCRIPTION
            "An entry (row) containing management information
            applicable to an address range which is used as part
            of the authorization of an identity
            within an authorization instance on this node."
        INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
                ipsAuthIdentAddrIndex }
        ::= { ipsAuthIdentAddrAttributesTable 1 }

    IpsAuthIdentAddrAttributesEntry ::= SEQUENCE {
        ipsAuthIdentAddrIndex          Unsigned32,
        ipsAuthIdentAddrType           AddressFamilyNumbers,
        ipsAuthIdentAddrStart          IpsAuthAddress,
        ipsAuthIdentAddrEnd            IpsAuthAddress,
        ipsAuthIdentAddrRowStatus      RowStatus,
        ipsAuthIdentAddrStorageType    StorageType
    }

    ipsAuthIdentAddrIndex OBJECT-TYPE
        SYNTAX        Unsigned32 (1..4294967295)
        MAX-ACCESS    not-accessible
        STATUS        current
        DESCRIPTION
            "An arbitrary integer used to uniquely identify a
            particular ipsAuthIdentAddress instance within an
            ipsAuthIdentity within an authorization instance
            present on the node.  This value does not need to
            be preserved across reboots, and must not be used
            for a new row before a reboot."
        ::= { ipsAuthIdentAddrAttributesEntry 1 }

    ipsAuthIdentAddrType OBJECT-TYPE
        SYNTAX        AddressFamilyNumbers
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "The type of Address in the ipsAuthIdentAddress
            start, end, and mask fields.  This type is taken
            from the IANA address family types; more types may
            be registered independently of this MIB module."
        ::= { ipsAuthIdentAddrAttributesEntry 2 }

    ipsAuthIdentAddrStart OBJECT-TYPE
        SYNTAX        IpsAuthAddress
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "The starting address of the allowed address range."
        ::= { ipsAuthIdentAddrAttributesEntry 3 }

    ipsAuthIdentAddrEnd OBJECT-TYPE
        SYNTAX        IpsAuthAddress
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "The ending address of the allowed address range.
            If the ipsAuthIdentAddrEntry specifies a single
            address, this shall match the ipsAuthIdentAddrStart."
        ::= { ipsAuthIdentAddrAttributesEntry 4 }

    ipsAuthIdentAddrRowStatus OBJECT-TYPE
        SYNTAX        RowStatus
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "This field allows entries to be dynamically added and
            removed from this table via SNMP.  When adding a row to
            this table, all non-Index/RowStatus objects must be set.
            Rows may be discarded using RowStatus."
        ::= { ipsAuthIdentAddrAttributesEntry 5 }

    ipsAuthIdentAddrStorageType OBJECT-TYPE
        SYNTAX        StorageType
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "The storage type for this row.  Rows in this table that were
            created through an external process may have a storage type of
            readOnly or permanent."
        DEFVAL        { nonVolatile }
        ::= { ipsAuthIdentAddrAttributesEntry 6 }

    ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 }

    -- Credential Attributes Table

    ipsAuthCredentialAttributesTable OBJECT-TYPE
        SYNTAX        SEQUENCE OF IpsAuthCredentialAttributesEntry
        MAX-ACCESS    not-accessible
        STATUS        current
        DESCRIPTION
            "A list of credentials related to user identities
            that are allowed as valid authenticators of the
            particular identity."
        ::= { ipsAuthCredential 1 }

    ipsAuthCredentialAttributesEntry OBJECT-TYPE
        SYNTAX        IpsAuthCredentialAttributesEntry
        MAX-ACCESS    not-accessible
        STATUS        current
        DESCRIPTION
            "An entry (row) containing management information
            applicable to a credential which verifies a user
            identity within an authorization instance."
        INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
        ::= { ipsAuthCredentialAttributesTable 1 }

    IpsAuthCredentialAttributesEntry ::= SEQUENCE {
        ipsAuthCredIndex          Unsigned32,
        ipsAuthCredAuthMethod     AutonomousType,
        ipsAuthCredRowStatus      RowStatus,
        ipsAuthCredStorageType    StorageType
    }

    ipsAuthCredIndex OBJECT-TYPE
        SYNTAX        Unsigned32 (1..4294967295)
        MAX-ACCESS    not-accessible
        STATUS        current
        DESCRIPTION
            "An arbitrary integer used to uniquely identify a
            particular Credential instance within an instance
            present on the node.  This value does not need to
            be preserved across reboots, and must not be used
            for a new row before a reboot."
        ::= { ipsAuthCredentialAttributesEntry 1 }

    ipsAuthCredAuthMethod OBJECT-TYPE
        SYNTAX        AutonomousType
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "This object contains an OBJECT IDENTIFIER
            which identifies the authentication method
            used with this credential.

            Some standardized values for this object are defined
            within the ipsAuthMethods subtree."
        ::= { ipsAuthCredentialAttributesEntry 2 }

    ipsAuthCredRowStatus OBJECT-TYPE
        SYNTAX        RowStatus
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "This field allows entries to be dynamically added and
            removed from this table via SNMP.  When adding a row to
            this table, all non-Index/RowStatus objects must be set.
            Rows may be discarded using RowStatus."
        ::= { ipsAuthCredentialAttributesEntry 3 }

    ipsAuthCredStorageType OBJECT-TYPE
        SYNTAX        StorageType
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "The storage type for this row.  Rows in this table that were
            created through an external process may have a storage type of
            readOnly or permanent."
        DEFVAL        { nonVolatile }
        ::= { ipsAuthCredentialAttributesEntry 4 }

    ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 7 }

    -- Credential Chap-Specific Attributes Table

    ipsAuthCredChapAttributesTable OBJECT-TYPE
        SYNTAX        SEQUENCE OF IpsAuthCredChapAttributesEntry
        MAX-ACCESS    not-accessible
        STATUS        current
        DESCRIPTION
            "A list of CHAP attributes for credentials that
            use ipsAuthMethodChap as their ipsAuthCredAuthMethod."
        ::= { ipsAuthCredChap 1 }

    ipsAuthCredChapAttributesEntry OBJECT-TYPE
        SYNTAX        IpsAuthCredChapAttributesEntry
        MAX-ACCESS    not-accessible
        STATUS        current
        DESCRIPTION
            "An entry (row) containing management information
            applicable to a credential which uses
            ipsAuthMethodChap as its ipsAuthCredAuthMethod."
        INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
        ::= { ipsAuthCredChapAttributesTable 1 }

    IpsAuthCredChapAttributesEntry ::= SEQUENCE {
        ipsAuthCredChapUserName       SnmpAdminString,
        ipsAuthCredChapRowStatus      RowStatus,
        ipsAuthCredChapStorageType    StorageType
    }

    ipsAuthCredChapUserName OBJECT-TYPE
        SYNTAX        SnmpAdminString
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "An octet string containing the CHAP user name for this
            credential."
        REFERENCE
            "W. Simpson, RFC 1994: PPP Challenge Handshake
            Authentication Protocol (CHAP), August 1996"
        ::= { ipsAuthCredChapAttributesEntry 1 }

    -- ipsAuthCredChapPassword (2) deleted

    ipsAuthCredChapRowStatus OBJECT-TYPE
        SYNTAX        RowStatus
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "This field allows entries to be dynamically added and
            removed from this table via SNMP.  When adding a row to
            this table, all non-Index/RowStatus objects must be set.
            Rows may be discarded using RowStatus."
        ::= { ipsAuthCredChapAttributesEntry 3 }

    ipsAuthCredChapStorageType OBJECT-TYPE
        SYNTAX        StorageType
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "The storage type for this row.  Rows in this table that were
            created through an external process may have a storage type of
            readOnly or permanent."
        DEFVAL        { nonVolatile }
        ::= { ipsAuthCredChapAttributesEntry 4 }

    ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 8 }

    -- Credential Srp-Specific Attributes Table

    ipsAuthCredSrpAttributesTable OBJECT-TYPE
        SYNTAX        SEQUENCE OF IpsAuthCredSrpAttributesEntry
        MAX-ACCESS    not-accessible
        STATUS        current
        DESCRIPTION
            "A list of SRP attributes for credentials that
            use ipsAuthMethodSrp as their ipsAuthCredAuthMethod."
        ::= { ipsAuthCredSrp 1 }

    ipsAuthCredSrpAttributesEntry OBJECT-TYPE
        SYNTAX        IpsAuthCredSrpAttributesEntry
        MAX-ACCESS    not-accessible
        STATUS        current
        DESCRIPTION
            "An entry (row) containing management information
            applicable to a credential which uses
            ipsAuthMethodSrp as its ipsAuthCredAuthMethod."
        INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
        ::= { ipsAuthCredSrpAttributesTable 1 }

    IpsAuthCredSrpAttributesEntry ::= SEQUENCE {
        ipsAuthCredSrpUserName       SnmpAdminString,
        ipsAuthCredSrpRowStatus      RowStatus,
        ipsAuthCredSrpStorageType    StorageType
    }

    ipsAuthCredSrpUserName OBJECT-TYPE
        SYNTAX        SnmpAdminString
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "An octet string containing the SRP user name for this
            credential."
        REFERENCE
            "T. Wu, RFC 2945: The SRP Authentication and Key
            Exchange System, September 2000"
        ::= { ipsAuthCredSrpAttributesEntry 1 }

    -- ipsAuthCredSrpPassword (2) deleted

    ipsAuthCredSrpRowStatus OBJECT-TYPE
        SYNTAX        RowStatus
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "This field allows entries to be dynamically added and
            removed from this table via SNMP.  When adding a row to
            this table, all non-Index/RowStatus objects must be set.
            Rows may be discarded using RowStatus."
        ::= { ipsAuthCredSrpAttributesEntry 3 }

    ipsAuthCredSrpStorageType OBJECT-TYPE
        SYNTAX        StorageType
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "The storage type for this row.  Rows in this table that were
            created through an external process may have a storage type of
            readOnly or permanent."
        DEFVAL        { nonVolatile }
        ::= { ipsAuthCredSrpAttributesEntry 4 }

    ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 9 }

    -- Credential Kerberos-Specific Attributes Table

    ipsAuthCredKerbAttributesTable OBJECT-TYPE
        SYNTAX        SEQUENCE OF IpsAuthCredKerbAttributesEntry
        MAX-ACCESS    not-accessible
        STATUS        current
        DESCRIPTION
            "A list of Kerberos attributes for credentials that
            use ipsAuthMethodKerberos as their ipsAuthCredAuthMethod."
        ::= { ipsAuthCredKerberos 1 }

    ipsAuthCredKerbAttributesEntry OBJECT-TYPE
        SYNTAX        IpsAuthCredKerbAttributesEntry
        MAX-ACCESS    not-accessible
        STATUS        current
        DESCRIPTION
            "An entry (row) containing management information
            applicable to a credential which uses
            ipsAuthMethodKerberos as its ipsAuthCredAuthMethod."
        INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
        ::= { ipsAuthCredKerbAttributesTable 1 }

    IpsAuthCredKerbAttributesEntry ::= SEQUENCE {
        ipsAuthCredKerbPrincipal      SnmpAdminString,
        ipsAuthCredKerbRowStatus      RowStatus,
        ipsAuthCredKerbStorageType    StorageType
    }

    ipsAuthCredKerbPrincipal OBJECT-TYPE
        SYNTAX        SnmpAdminString
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "An octet string containing a Kerberos principal
            for this credential."
        REFERENCE
            "J. Kohl, C. Neuman, RFC 1510: The Kerberos Network
            Authentication Service (V5), September 1993"
        ::= { ipsAuthCredKerbAttributesEntry 1 }

    ipsAuthCredKerbRowStatus OBJECT-TYPE
        SYNTAX        RowStatus
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "This field allows entries to be dynamically added and
            removed from this table via SNMP.  When adding a row to
            this table, all non-Index/RowStatus objects must be set.
            Rows may be discarded using RowStatus."
        ::= { ipsAuthCredKerbAttributesEntry 2 }

    ipsAuthCredKerbStorageType OBJECT-TYPE
        SYNTAX        StorageType
        MAX-ACCESS    read-create
        STATUS        current
        DESCRIPTION
            "The storage type for this row.  Rows in this table that were
            created through an external process may have a storage type of
            readOnly or permanent."
        DEFVAL        { nonVolatile }
        ::= { ipsAuthCredKerbAttributesEntry 3 }

    ------------------------------------------------------------------------
    -- Notifications

    -- There are no notifications necessary in this MIB module.

    ------------------------------------------------------------------------
    -- Conformance Statements

    ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 1 }
    ipsAuthGroups      OBJECT IDENTIFIER ::= { ipsAuthConformance 2 }

    ipsAuthInstanceAttributesGroup OBJECT-GROUP
        OBJECTS {
            ipsAuthInstDescr
        }
        STATUS        current
        DESCRIPTION
            "A collection of objects providing information about
            authorization instances."
        ::= { ipsAuthGroups 1 }

    ipsAuthIdentAttributesGroup OBJECT-GROUP
        OBJECTS {
            ipsAuthIdentDescription,
            ipsAuthIdentRowStatus,
            ipsAuthIdentStorageType
        }
        STATUS        current
        DESCRIPTION
            "A collection of objects providing information about
            user identities within an authorization instance."
        ::= { ipsAuthGroups 2 }

    ipsAuthIdentNameAttributesGroup OBJECT-GROUP
        OBJECTS {
            ipsAuthIdentName,
            ipsAuthIdentNameRowStatus,
            ipsAuthIdentNameStorageType
        }
        STATUS        current
        DESCRIPTION
            "A collection of objects providing information about
            user names within user identities within an authorization
            instance."
        ::= { ipsAuthGroups 3 }

    ipsAuthIdentAddrAttributesGroup OBJECT-GROUP
        OBJECTS {
            ipsAuthIdentAddrType,
            ipsAuthIdentAddrStart,
            ipsAuthIdentAddrEnd,
            ipsAuthIdentAddrRowStatus,
            ipsAuthIdentAddrStorageType
        }
        STATUS        current
        DESCRIPTION
            "A collection of objects providing information about
            address ranges within user identities within an
            authorization instance."
        ::= { ipsAuthGroups 4 }

    ipsAuthIdentCredAttributesGroup OBJECT-GROUP
        OBJECTS {
            ipsAuthCredAuthMethod,
            ipsAuthCredRowStatus,
            ipsAuthCredStorageType
        }
        STATUS        current
        DESCRIPTION
            "A collection of objects providing information about
            credentials within user identities within an authorization
            instance."
        ::= { ipsAuthGroups 5 }

    ipsAuthIdentChapAttrGroup OBJECT-GROUP
        OBJECTS {
            ipsAuthCredChapUserName,
            ipsAuthCredChapRowStatus,
            ipsAuthCredChapStorageType
        }
        STATUS        current
        DESCRIPTION
            "A collection of objects providing information about
            CHAP credentials within user identities within an
            authorization instance."
        ::= { ipsAuthGroups 6 }

    ipsAuthIdentSrpAttrGroup OBJECT-GROUP
        OBJECTS {
            ipsAuthCredSrpUserName,
            ipsAuthCredSrpRowStatus,
            ipsAuthCredSrpStorageType
        }
        STATUS        current
        DESCRIPTION
            "A collection of objects providing information about
            SRP credentials within user identities within an
            authorization instance."
        ::= { ipsAuthGroups 7 }

    ipsAuthIdentKerberosAttrGroup OBJECT-GROUP
        OBJECTS {
            ipsAuthCredKerbPrincipal,
            ipsAuthCredKerbRowStatus,
            ipsAuthCredKerbStorageType
        }
        STATUS        current
        DESCRIPTION
            "A collection of objects providing information about
            Kerberos credentials within user identities within an
            authorization instance."
        ::= { ipsAuthGroups 8 }
    ------------------------------------------------------------------------

    ipsAuthComplianceV1 MODULE-COMPLIANCE
        STATUS        current
        DESCRIPTION
            "Initial version of compliance statement based on
            initial version of this MIB module.

            The Instance and Identity groups are mandatory;
            at least one of the other groups (Name, Address,
            Credential, Certificate) is also mandatory for
            any given implementation."
        MODULE  -- this module
        MANDATORY-GROUPS {
            ipsAuthInstanceAttributesGroup,
            ipsAuthIdentAttributesGroup
        }

        -- Conditionally mandatory groups to be included with
        -- the mandatory groups when necessary.

        GROUP ipsAuthIdentNameAttributesGroup
        DESCRIPTION
            "This group is mandatory for all implementations
            that make use of unique identity names."

        GROUP ipsAuthIdentAddrAttributesGroup
        DESCRIPTION
            "This group is mandatory for all implementations
            that use addresses to help verify identities."

        GROUP ipsAuthIdentCredAttributesGroup
        DESCRIPTION
            "This group is mandatory for all implementations
            that use credentials to help verify identities."

        GROUP ipsAuthIdentChapAttrGroup
        DESCRIPTION
            "This group is mandatory for all implementations
            that use CHAP to help verify identities.

            The ipsAuthIdentCredAttributesGroup must be
            implemented if this group is implemented."

        GROUP ipsAuthIdentSrpAttrGroup
        DESCRIPTION
            "This group is mandatory for all implementations
            that use SRP to help verify identities.

            The ipsAuthIdentCredAttributesGroup must be
            implemented if this group is implemented."

        GROUP ipsAuthIdentKerberosAttrGroup
        DESCRIPTION
            "This group is mandatory for all implementations
            that use Kerberos to help verify identities.

            The ipsAuthIdentCredAttributesGroup must be
            implemented if this group is implemented."
        OBJECT ipsAuthInstDescr
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT ipsAuthIdentDescription
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT ipsAuthIdentRowStatus
        SYNTAX        INTEGER { active(1) }  -- subset of RowStatus
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required, and only one of the
            six enumerated values for the RowStatus textual
            convention need be supported, specifically:
            active(1)."

        OBJECT ipsAuthIdentName
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT ipsAuthIdentNameRowStatus
        SYNTAX        INTEGER { active(1) }  -- subset of RowStatus
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required, and only one of the
            six enumerated values for the RowStatus textual
            convention need be supported, specifically:
            active(1)."

        OBJECT ipsAuthIdentAddrType
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT ipsAuthIdentAddrStart
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT ipsAuthIdentAddrEnd
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT ipsAuthIdentAddrRowStatus
        SYNTAX        INTEGER { active(1) }  -- subset of RowStatus
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required, and only one of the
            six enumerated values for the RowStatus textual
            convention need be supported, specifically:
            active(1)."

        OBJECT ipsAuthCredAuthMethod
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required."
        OBJECT ipsAuthCredRowStatus
        SYNTAX        INTEGER { active(1) }  -- subset of RowStatus
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required, and only one of the
            six enumerated values for the RowStatus textual
            convention need be supported, specifically:
            active(1)."

        OBJECT ipsAuthCredChapUserName
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT ipsAuthCredChapRowStatus
        SYNTAX        INTEGER { active(1) }  -- subset of RowStatus
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required, and only one of the
            six enumerated values for the RowStatus textual
            convention need be supported, specifically:
            active(1)."

        OBJECT ipsAuthCredSrpUserName
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT ipsAuthCredSrpRowStatus
        SYNTAX        INTEGER { active(1) }  -- subset of RowStatus
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required, and only one of the
            six enumerated values for the RowStatus textual
            convention need be supported, specifically:
            active(1)."

        OBJECT ipsAuthCredKerbPrincipal
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required."

        OBJECT ipsAuthCredKerbRowStatus
        SYNTAX        INTEGER { active(1) }  -- subset of RowStatus
        MIN-ACCESS    read-only
        DESCRIPTION
            "Write access is not required, and only one of the
            six enumerated values for the RowStatus textual
            convention need be supported, specifically:
            active(1)."

        ::= { ipsAuthCompliances 1 }

END

6.  Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.
   The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are the tables and objects and their
   sensitivity/vulnerability:

      All tables provide the ability to set up which credentials may be
      used to access services on the managed system, to remove
      legitimate credentials (a denial of service), or to remove
      individual credentials to weaken the requirements for access of a
      particular service.  Write access must always be tightly
      controlled.  Note that some types of credentials, such as CHAP or
      SRP, also require passwords or verifiers to be associated with the
      credential.  These are managed outside this MIB module.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

      All tables provide the ability to find out which names, addresses,
      and credentials would be required to access services on the
      managed system.  If these credentials are easily spoofed
      (particularly the name or address), read access to this MIB module
      must be tightly controlled.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is still no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.
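   The address-range table defined above and the spoofing concern raised in
   this section, as an added example that is not code from the draft: a
   Python model of ipsAuthIdentAddrAttributesTable rows that decides which
   identities' ranges cover a given endpoint address (rejecting malformed
   or inverted rows, and honouring the single-address rule end == start),
   plus an audit that lists identities anchored only by name or address
   rows with no row in ipsAuthCredentialAttributesTable.  It assumes that
   IpsAuthAddress values (the textual convention is defined outside this
   excerpt) are octet strings sized by address family, and it uses
   constructed sample rows.

```python
"""Added example (not part of the draft): evaluate ipsAuthIdentAddrAttributesTable
rows against an endpoint address and flag identities with no credential row.

Assumptions: IpsAuthAddress values are octet strings whose length follows the
address family (4 octets IPv4, 16 octets IPv6, 8 octets FC WWPN/WWNN); rows are
keyed by the table INDEX (ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthIdentAddrIndex).
"""
from dataclasses import dataclass
import ipaddress

# ipsAuthIdentAddrType values, from the IANA AddressFamilyNumbers registry.
IPV4, IPV6, FC_WWPN, FC_WWNN = 1, 2, 22, 23
ADDR_OCTETS = {IPV4: 4, IPV6: 16, FC_WWPN: 8, FC_WWNN: 8}


@dataclass(frozen=True)
class AddrRow:
    """One row of ipsAuthIdentAddrAttributesTable (RowStatus/StorageType omitted)."""
    inst: int        # ipsAuthInstIndex
    ident: int       # ipsAuthIdentIndex
    index: int       # ipsAuthIdentAddrIndex
    addr_type: int   # ipsAuthIdentAddrType
    start: bytes     # ipsAuthIdentAddrStart
    end: bytes       # ipsAuthIdentAddrEnd


def row_is_valid(row: AddrRow) -> bool:
    """A usable row has start/end octet strings sized for its address family
    and a non-inverted range; a single address is expressed as end == start."""
    octets = ADDR_OCTETS.get(row.addr_type)
    if octets is None or len(row.start) != octets or len(row.end) != octets:
        return False
    # Equal-length bytes compare lexicographically, i.e. as big-endian integers.
    return row.start <= row.end


def row_matches(row: AddrRow, addr_type: int, addr: bytes) -> bool:
    """True when addr (of family addr_type) falls inside the row's range."""
    if not row_is_valid(row) or row.addr_type != addr_type:
        return False
    if len(addr) != len(row.start):
        return False
    return row.start <= addr <= row.end


def identities_allowing(rows, inst: int, addr_type: int, addr: bytes) -> list:
    """Identity indices within authorization instance inst whose address rows
    cover addr.  Malformed or inverted rows never grant access."""
    return sorted({r.ident for r in rows
                   if r.inst == inst and row_matches(r, addr_type, addr)})


def identities_without_credentials(addr_rows, name_keys, cred_keys) -> list:
    """(inst, ident) pairs that have a name or address row but no row in
    ipsAuthCredentialAttributesTable: identities verified only by name or
    address, which the Security Considerations call easily spoofed."""
    anchored = {(r.inst, r.ident) for r in addr_rows} | set(name_keys)
    return sorted(anchored - set(cred_keys))


def ip_octets(text: str) -> bytes:
    """Packed big-endian form of a textual IPv4/IPv6 address."""
    return ipaddress.ip_address(text).packed


# Constructed sample rows for authorization instance 1.
ROWS = [
    AddrRow(1, 10, 1, IPV4, ip_octets("10.0.0.1"), ip_octets("10.0.0.1")),      # single address
    AddrRow(1, 10, 2, IPV4, ip_octets("10.0.1.0"), ip_octets("10.0.1.255")),    # a /24 range
    AddrRow(1, 20, 1, IPV6, ip_octets("2001:db8::"), ip_octets("2001:db8::ffff")),
    AddrRow(1, 30, 1, IPV4, ip_octets("192.0.2.9"), ip_octets("192.0.2.1")),    # inverted range
    AddrRow(1, 30, 2, IPV4, b"\x0a\x00", b"\x0a\x00"),                          # 2 octets, not 4
]
# Constructed (inst, ident) keys taken from the name and credential tables.
NAME_KEYS = {(1, 20), (1, 30)}
CRED_KEYS = {(1, 10), (1, 20)}

if __name__ == "__main__":
    print(identities_allowing(ROWS, 1, IPV4, ip_octets("10.0.1.77")))    # [10]
    print(identities_allowing(ROWS, 1, IPV4, ip_octets("192.0.2.5")))    # []
    print(identities_without_credentials(ROWS, NAME_KEYS, CRED_KEYS))    # [(1, 30)]
```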
   It is RECOMMENDED that implementors consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

7.  IANA Considerations

7.1.  OID Assignment

   IANA is requested to make a MIB OID assignment under the mib-2
   branch.

8.  Normative References

   [RFC2578]  K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M.
              Rose, and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578, April
              1999.

   [RFC2579]  K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M.
              Rose, and S. Waldbusser, "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M.
              Rose, and S. Waldbusser, "Conformance Statements for SMIv2",
              STD 58, RFC 2580, April 1999.

   [RFC3291]  M. Daniele, et al., "Textual Conventions for Internet
              Network Addresses", RFC 3291, May 2002.

   [IANA-AF]  IANA, "IANA Address Family Numbers MIB",
              http://www.iana.org/assignments/ianaaddressfamilynumbers-mib

   [RFC1213]  K. McCloghrie, M. Rose, "Management Information Base for
              Network Management of TCP/IP-based internets: MIB-II",
              RFC 1213, March 1991.

   [RFC2011]  K. McCloghrie, "SNMPv2 Management Information Base for the
              Internet Protocol using SMIv2", RFC 2011, November 1996.

   [RFC2465]  D. Haskin, S.
              Onishi, "Management Information Base for IP
              Version 6: Textual Conventions and General Group",
              RFC 2465, December 1998.

   [RFC1994]  W. Simpson, "PPP Challenge Handshake Authentication Protocol
              (CHAP)", RFC 1994, August 1996.

   [RFC1510]  J. Kohl, C. Neuman, "The Kerberos Network Authentication
              Service (V5)", RFC 1510, September 1993.

   [RFC2945]  T. Wu, "The SRP Authentication and Key Exchange System",
              RFC 2945, September 2000.

9.  Informative References

   [RFC3410]  J. Case, R. Mundy, D. Partain, and B. Stewart, "Introduction
              and Applicability Statements for Internet-Standard
              Management Framework", RFC 3410, December 2002.

   [RFC3720]  Satran, J., et al., "Internet Small Computer Systems
              Interface (iSCSI)", RFC 3720, April 2004.

   [RFC1737]  K. Sollins, L. Masinter, "Functional Requirements for
              Uniform Resource Names", RFC 1737, December 1994.

   [FCMGMT]   K. McCloghrie, "Fibre Channel Management MIB", Work in
              Progress, draft-ietf-ips-fcmgmt-mib-06, December 2004.

10.  Authors' Addresses

   Mark Bakke
   Postal: Cisco Systems, Inc
           7900 International Drive, Suite 400
           Bloomington, MN
           USA 55425

   Email: mbakke@cisco.com

   James Muchow
   Postal: Qlogic Corp.
           6321 Bury Drive
           Eden Prairie, MN
           USA 55346

   Email: james.muchow@qlogic.com

11.  IPR Notice

   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   or will be disclosed, and any of which I become aware will be
   disclosed, in accordance with RFC 3668.
   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

12.  Full Copyright Notice

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.
   However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.