Internet Draft                                              Mark Bakke
                                                         Cisco Systems
Expires April 2006                                        James Muchow
                                                          Qlogic Corp.
                                                          October 2005

       Definitions of Managed Objects for User Identity Authorization

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.html.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in TCP/IP based internets.
   In particular it defines objects for managing user identities and the
   names, addresses, and credentials required to manage access control,
   for use with various protocols.  This draft was motivated by the need
   for the configuration of authorized user identities for the iSCSI
   protocol, but has been extended to be useful for other protocols that
   have similar requirements.  It is important to note that this MIB
   module provides only the set of identities to be used within access
   lists; it is the responsibility of other MIB modules making use of
   this one to tie them to their own access lists or other authorization
   control methods.

Table of Contents

   1.  Introduction
   2.  Specification of Requirements
   3.  The Internet-Standard Management Framework
   4.  Relationship to Other MIB Modules
   5.  Relationship to the USM MIB Module
   6.  Relationship to SNMP Contexts
   7.  Discussion
   7.1.  Authorization MIB Object Model
   7.2.  ipsAuthInstance
   7.3.  ipsAuthIdentity
   7.4.  ipsAuthIdentityName
   7.5.  ipsAuthIdentityAddress
   7.6.  ipsAuthCredential
   7.7.  IP, Fibre Channel, and Other Addresses
   7.8.  Descriptors: Using OIDs in Place of Enumerated Types
   7.9.  Notifications
   8.  MIB Definitions
   9.  Security Considerations
   10.  IANA Considerations
   10.1.  OID Assignment
   10.  Normative References
   11.  Informative References
   Authors' Addresses
   IPR Notice
   Full Copyright Notice

1. Introduction

   This MIB module will be used to configure and/or look at the
   configuration of user identities and their credential information.
   For the purposes of this MIB module, a "user" identity does not need
   to be an actual person; a user can also be a host, an application, a
   cluster of hosts, or any other identifiable entity that can be
   authorized to access a resource.

   Most objects in this MIB module have a MAX-ACCESS of read-create;
   this module is intended to allow configuration of user identities and
   their names, addresses, and credentials.  MIN-ACCESS for all objects
   is read-only for those implementations that configure through other
   means, but require the ability to monitor user identities.

2.
Specification of Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4. Relationship to Other MIB Modules

   The IPS-AUTH-MIB module does not directly address objects within
   other modules.  The identity address objects contain IPv4, IPv6, or
   other address types, and as such may be indirectly related to objects
   within the IPv4 [RFC2011] or IPv6 [RFC2465] MIB modules.

   This MIB module does not provide actual authorization or access
   control lists; it provides a means to identify entities that can be
   included in other authorization lists.  This should generally be done
   in MIB modules that reference identities in this one.  It also does
   not cover login or authentication failure statistics or
   notifications, as these are all fairly application-specific, and are
   not generic enough to include here.

   The user identity objects within this module are typically referenced
   from other modules by a RowPointer within that module.  A module
   containing resources for which it requires a list of authorized user
   identities may create such a list, with a single RowPointer within
   each list element pointing to a user identity within this module.
   This is neither required nor restricted by this MIB module.

5. Relationship to the USM MIB Module

   The User-based Security Model (USM) [RFC3414] also defines the
   concept of a user, defining authentication and privacy protocols and
   their credentials.  The definition of USM includes the
   SNMP-USER-BASED-SM-MIB module which allows configuration of SNMPv3
   user credentials to protect SNMPv3 messages.  Although USM's users
   are not related to the user identities managed by the IPS-AUTH-MIB
   module defined in this document, USM will often be implemented on the
   same system as the IPS-AUTH-MIB module, with the
   SNMP-USER-BASED-SM-MIB module used to manage the security protecting
   SNMPv3 messages, including those which access the IPS-AUTH-MIB
   module.

   The term "user" in this document is distinct from an SNMPv3 user, and
   is intended to include, but is not limited to, users of IP storage
   devices.  A "user" in this document is a collection of user names
   (unique identifiers), user addresses, and credentials that can be
   used together to determine whether an entity should be allowed access
   to a resource.  Each user can have multiple names, addresses, and
   credentials.  As a result, this MIB module is particularly suited to
   managing users of storage resources, which are typically given access
   control lists consisting of potentially multiple identifiers,
   addresses, and credentials.  This MIB module provides for
   authorization lists only, and does not include setting of data
   privacy parameters.
   In contrast, an SNMPv3 user as defined in [RFC3414] has exactly one
   user-name, one authentication protocol, and one privacy protocol,
   along with their associated information and SNMP-specific
   information, such as an engine ID.  These objects are defined to
   support exactly the information needed for SNMPv3 security.

   For the remainder of this document, the term "user" means an
   IPS-AUTH-MIB user identity.

6. Relationship to SNMP Contexts

   Each non-scalar object in the IPS-AUTH-MIB module is indexed first by
   an Instance.  Each instance is a collection of identities that can be
   used to authorize access to a resource.  The use of an instance works
   well with partitionable or hierarchical devices and fits in logically
   with other management schemes.  Instances do not replace SNMP
   contexts; however, they do provide a very simple way to assign a
   collection of identities within a device to one or more SNMP
   contexts, without having to do so for each identity's row.

7. Discussion

   This MIB module structure is intended to allow the configuration of a
   list of user identities, each with a list of names, addresses,
   credentials, and certificates which when combined will distinguish
   that identity.

   The IPS-AUTH-MIB module is structured around two primary "objects",
   the authorization instance, and the identity, which serve as
   containers for the remainder of the objects.  This section contains a
   brief description of the "object" hierarchy and a description of each
   object, followed by a discussion of the actual SNMP table structure
   within the objects.

7.1. Authorization MIB Object Model

   The top-level object in this structure is the authorization instance,
   which "contains" all of the other objects.  The indexing hierarchy of
   this module looks like:

   ipsAuthInstance
   -- A distinct authorization entity within the managed system.
   -- Most implementations will have just one of these.
      ipsAuthIdentity
      -- A user identity, consisting of a set of identity names,
      -- addresses, and credentials reflected in the following
      -- objects:
         ipsAuthIdentityName
         -- A name for a user identity.  A name should be globally
         -- unique, and unchanging over time.  Some protocols may
         -- not require this one.
         ipsAuthIdentityAddress
         -- An address range, typically but not necessarily an
         -- IPv4, IPv6, or Fibre Channel address range, at which
         -- the identity is allowed to reside.
         ipsAuthCredential
         -- A single credential, such as a CHAP username,
         -- which can be used to verify the identity.
            ipsAuthCredChap
            -- CHAP-specific attributes for an ipsAuthCredential
            ipsAuthCredSrp
            -- SRP-specific attributes
            ipsAuthCredKerberos
            -- Kerberos-specific attributes

   Each identity contains the information necessary to identify a
   particular end-point that wishes to access a service, such as iSCSI.

   An identity can contain multiple names, addresses, and credentials.
   Each of these names, addresses, and credentials exists in its own
   row.  If multiple rows of one of these three types are present, they
   are treated in an "OR" fashion; an entity to be authorized need only
   match one of the rows.  If rows of different types are present (e.g.
   a name and an address), these are treated in an "AND" fashion; an
   entity to be authorized must match at least one row from each
   category.  If there are no rows present of a category, this category
   is ignored.

   For example, if an ipsAuthIdentity contains two rows of
   ipsAuthIdentityAddress, one row of ipsAuthCredential, and no rows of
   ipsAuthIdentityName, an entity must match the Credential row and at
   least one of the two Address rows to match the identity.
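   The "OR within a category, AND across categories, empty category
   ignored" rule above, combined with the inclusive start/end address
   ranges of section 7.5, as an added Python evaluator that is not part
   of this draft.  The data classes, the evaluate() helper, the symbolic
   method names (the draft roots the module at { mib-2 xx } with xx
   unassigned, so no numeric OIDs exist) and the sample addresses and
   user names are assumptions made for the example; IPv4 and IPv6
   addresses are compared as InetAddress octets.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence

# IANA address family numbers carried in ipsAuthIdentAddrAttributesTable rows
# (IANA-ADDRESS-FAMILY-NUMBERS-MIB: ipV4 = 1, ipV6 = 2).
AF_IPV4 = 1
AF_IPV6 = 2

# Symbolic stand-ins for the ipsAuthMethodTypes object identities (assumption:
# the draft assigns no absolute OID, so names are used instead of numbers).
METHOD_CHAP = "ipsAuthMethodChap"
METHOD_SRP = "ipsAuthMethodSrp"


@dataclass(frozen=True)
class AddrRange:
    """One ipsAuthIdentAddrAttributesEntry: family plus start/end octets."""
    addr_type: int
    start: bytes
    end: bytes


@dataclass(frozen=True)
class Credential:
    """One ipsAuthCredential row joined with its method-specific user name."""
    auth_method: str
    user_name: str


@dataclass
class Identity:
    """One ipsAuthIdentity with its three attribute categories (table rows)."""
    description: str
    names: List[str] = field(default_factory=list)
    addresses: List[AddrRange] = field(default_factory=list)
    credentials: List[Credential] = field(default_factory=list)


@dataclass(frozen=True)
class Entity:
    """What the resource owner knows about the peer requesting access."""
    addr_type: int
    address: bytes
    name: Optional[str] = None
    credential: Optional[Credential] = None


def inet_octets(text: str):
    """Return (family, InetAddress octets) for an IPv4/IPv6 address string."""
    ip = ipaddress.ip_address(text)
    return (AF_IPV4 if ip.version == 4 else AF_IPV6), ip.packed


def addr_in_range(addr_type: int, address: bytes, rng: AddrRange) -> bool:
    """Inclusive start..end test on raw octets; a single address has start == end.

    Families must agree and the octet strings must be the same length: for
    equal-length big-endian octets, bytes ordering is numeric ordering."""
    if addr_type != rng.addr_type:
        return False
    if not (len(address) == len(rng.start) == len(rng.end)):
        return False
    return rng.start <= address <= rng.end


def category_matches(rows: Sequence, probe, pred: Callable) -> bool:
    """Rows of one category are OR'ed; a category with no rows is ignored."""
    if not rows:
        return True
    return any(pred(row, probe) for row in rows)


def identity_matches(identity: Identity, entity: Entity) -> bool:
    """Categories are AND'ed: one row of each non-empty category must match."""
    return (
        category_matches(identity.names, entity.name, lambda row, n: row == n)
        and category_matches(identity.addresses, entity,
                             lambda row, e: addr_in_range(e.addr_type, e.address, row))
        and category_matches(identity.credentials, entity.credential,
                             lambda row, c: row == c)
    )


def evaluate(identity: Identity, address: str, credential: Optional[Credential],
             name: Optional[str] = None) -> bool:
    """Build an Entity from a textual address and test it against the identity."""
    fam, octets = inet_octets(address)
    return identity_matches(identity, Entity(fam, octets, name, credential))


def build_example_identity() -> Identity:
    """The section 7.1 example: two address rows, one credential, no name rows."""
    lo, hi = inet_octets("192.0.2.10")[1], inet_octets("192.0.2.20")[1]  # constructed
    v6 = inet_octets("2001:db8::5")[1]                                   # constructed
    return Identity("constructed example identity",
                    addresses=[AddrRange(AF_IPV4, lo, hi), AddrRange(AF_IPV6, v6, v6)],
                    credentials=[Credential(METHOD_CHAP, "initiator01")])


if __name__ == "__main__":
    ident = build_example_identity()
    chap = Credential(METHOD_CHAP, "initiator01")
    print(evaluate(ident, "192.0.2.15", chap))        # True: in range, credential matches
    print(evaluate(ident, "192.0.2.21", chap))        # False: outside both address rows
    print(evaluate(ident, "2001:db8::5", chap, "x"))  # True: name category empty, ignored
```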
   Index values such as ipsAuthInstIndex and ipsAuthIdentIndex are
   referenced in multiple tables, and rows can be added and deleted.  An
   implementation should therefore attempt to keep all index values
   persistent across reboots; index values for rows that have been
   deleted must not be reused before a reboot.

7.2. ipsAuthInstance

   The ipsAuthInstanceAttributesTable is the primary table of the
   IPS-AUTH-MIB module.  Every other table entry in this module includes
   the index of an ipsAuthInstanceAttributesEntry as its primary index.
   An authorization instance is basically a managed set of identities.

   Many implementations will include just one authorization instance row
   in this table.  However, there will be cases where multiple rows in
   this table may be used:

   - A large system may be "partitioned" into multiple, distinct virtual
     systems, perhaps sharing the SNMP agent but not their lists of
     identities.  Each virtual system would have its own authorization
     instance.

   - A set of stackable systems, each with their own set of identities,
     may be represented by a common SNMP agent.  Each individual system
     would have its own authorization instance.

   - Multiple protocols, each with their own set of identities, may
     exist within a single system and be represented by a single SNMP
     agent.  In this case, each protocol may have its own authorization
     instance.

   An entry in this table is often referenced by its name
   (ipsAuthInstDescr), which should be displayed to the user by the
   management station.  When an implementation supports only one entry
   in this table, the description may be returned as a zero-length
   string.

7.3. ipsAuthIdentity

   The ipsAuthIdentAttributesTable contains one entry for each
   configured user identity.  The identity contains only a description
   of what the identity is used for; its attributes are all contained in
   other tables, since they can each have multiple values.

   Other MIB modules containing lists of users authorized to access a
   particular resource should generally contain a RowPointer to the
   ipsAuthIdentAttributesEntry which will, if authenticated, be allowed
   access to the resource.

   All other table entries make use of the indices to this table as
   their primary indices.

7.4. ipsAuthIdentityName

   The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names,
   each of which belongs to, and may be used to identify, a particular
   identity in the authIdentity table.

   Implementations making use of the IPS-AUTH-MIB module may identify
   their resources by names, addresses, or both.  A name is typically a
   unique (within the required scope), unchanging identifier for a
   resource.  It will normally meet some or all of the requirements for
   a Uniform Resource Name [RFC1737], although a name in the context of
   this MIB module does not need to be a URN.  Identifiers that
   typically change over time should generally be placed into the
   ipsAuthIdentityAddress table; names that have no uniqueness
   properties should usually be placed into the description attribute
   for the identity.

   An example of an identity name is the iSCSI Name, defined in
   [RFC3720].  Any other MIB module defining names to be used as
   ipsAuthIdentityName objects should specify how its names are unique,
   and the domain within which they are unique.

   If this table contains no entries associated with a particular user
   identity, the implementation does not need to check any name
   parameters when verifying that identity.  If the table contains
   multiple entries associated with a particular user identity, the
   implementation should consider a match with any one of these entries
   to be valid.

7.5.
ipsAuthIdentityAddress

   The ipsAuthIdentAddrAttributesTable contains a list of addresses at
   which the identity may reside.  For example, an identity may be
   allowed access to a resource only from a certain IP address, or only
   if its address is in a certain range or set of ranges.

   Each entry contains a starting and ending address.  If a single
   address is desired in the list, both starting and ending addresses
   must be identical.

   Each entry contains an AddrType attribute.  This attribute contains
   an enumeration registered as an IANA Address Family type [IANA-AF].
   Although many implementations will use IPv4 or IPv6 address types for
   these entries, any IANA-registered type may be used, as long as it
   makes sense to the application.

   Matching any address within any range within the list associated with
   a particular identity is considered to be a valid match.  If no
   entries are present in this list for a given identity, its address is
   automatically assumed to match the identity.

   Netmasks are not supported, since an address range can express the
   same thing with more flexibility.  An application specifying
   addresses using network masks may do so, and convert to and from
   address ranges when reading or writing this MIB module.

7.6. ipsAuthCredential

   The ipsAuthCredentialAttributesTable contains a list of credentials,
   each of which may be used to verify a particular identity.

   Each credential contains an authentication method to be used, such as
   CHAP [RFC1994], SRP [RFC2945], or Kerberos [RFC1510].  This attribute
   contains an object identifier instead of an enumerated type, allowing
   other MIB modules to add their own authentication methods, without
   modifying this MIB module.

   For each entry in this table, there will exist an entry in another
   table containing its attributes.  The table in which to place the
   entry depends on the AuthMethod attribute:

   CHAP      If the AuthMethod is set to the CHAP OID, an entry using
             the same indices as the ipsAuthCredential will exist in
             the ipsAuthCredChap table, which contains the CHAP
             username.

   SRP       If the AuthMethod is set to the SRP OID, an entry using
             the same indices as the ipsAuthCredential will exist in
             the ipsAuthCredSrp table, which contains the SRP username.

   Kerberos  If the AuthMethod is set to the Kerberos OID, an entry
             using the same indices as the ipsAuthCredential will exist
             in the ipsAuthCredKerberos table, which contains the
             Kerberos principal.

   Other     If the AuthMethod is set to any OID not defined in this
             module, an entry using the same indices as the
             ipsAuthCredential entry should be placed in the other
             module that defines whatever attributes are needed for
             that type of credential.

7.7. IP, Fibre Channel, and Other Addresses

   The IP addresses in this MIB module are represented by two
   attributes, one of type AddressFamilyNumbers, and the other of type
   AuthAddress.  Each address can take on any of the types within the
   list of address family numbers; the most likely being IPv4, IPv6, or
   one of the Fibre Channel address types.

   The type AuthAddress is an octet string.  If the address family is
   IPv4 or IPv6, the format is taken from the InetAddress specified in
   [RFC4001].  If the address family is one of the Fibre Channel types,
   the format is identical to the FcNameIdOrZero type defined in
   [RFC4044].

7.8. Descriptors: Using OIDs in Place of Enumerated Types

   Some attributes, particularly the authentication method attribute,
   would normally require an enumerated type.  However, implementations
   will likely need to add new authentication method types of their own,
   without extending this MIB module.
   To make this work, this module defines a set of object identities
   within ipsAuthDescriptors.  Each of these object identities is
   basically an enumerated type.

   Attributes that make use of these object identities have a value
   which is an OID instead of an enumerated type.  These OIDs can either
   indicate the object identities defined in this module, or object
   identities defined elsewhere, such as in an enterprise MIB module.
   Those implementations that add their own authentication methods
   should also define a corresponding object identity for each of these
   methods within their own enterprise MIB module, and return its OID
   whenever one of these attributes is using that method.

7.9. Notifications

   Monitoring of authentication failures and other notification events
   is outside the scope of this MIB module, as they are generally
   application-specific.  No notifications are provided or required.

8. MIB Definitions

   IPS-AUTH-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32,
       mib-2
           FROM SNMPv2-SMI

       TEXTUAL-CONVENTION, RowStatus, AutonomousType, StorageType
           FROM SNMPv2-TC

       MODULE-COMPLIANCE, OBJECT-GROUP
           FROM SNMPv2-CONF

       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB             -- RFC 3411

       AddressFamilyNumbers
           FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB
       ;

   ipsAuthMibModule MODULE-IDENTITY
       LAST-UPDATED "200510180000Z"            -- October 18, 2005
       ORGANIZATION "IETF IPS Working Group"
       CONTACT-INFO
           "
           Mark Bakke
           Postal: Cisco Systems, Inc
                   7900 International Drive, Suite 400
                   Bloomington, MN
                   USA 55425

           E-mail: mbakke@cisco.com

           James Muchow
           Postal: Qlogic Corp.
                   6321 Bury Dr.
                   Eden Prairie, MN
                   USA 55346

           E-Mail: james.muchow@qlogic.com"

       DESCRIPTION
           "The IP Storage Authorization MIB module.
           Copyright (C) The Internet Society (2005).  This version of
           this MIB module is part of RFC yyyy; see the RFC itself for
           full legal notices."
   -- RFC Ed.: replace yyyy with actual RFC number & remove this note
       REVISION "200510180000Z"                -- October 18, 2005
       DESCRIPTION
           "Initial version of the IP Storage Authentication MIB module"

       ::= { mib-2 xx }                        -- xx to be assigned by IANA

   ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthMibModule 0 }
   ipsAuthObjects       OBJECT IDENTIFIER ::= { ipsAuthMibModule 1 }
   ipsAuthConformance   OBJECT IDENTIFIER ::= { ipsAuthMibModule 2 }

   -- Textual Conventions

   IpsAuthAddress ::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
           "IP Storage requires the use of address information
           that uses not only the InetAddress type defined in the
           INET-ADDRESS-MIB, but also Fibre Channel type defined
           in the Fibre Channel Management MIB.  Although these
           address types are recognized in the IANA Address Family
           Numbers MIB, the addressing mechanisms have not been
           merged into a well-known, common type.  This data type,
           the IpsAuthAddress, performs this function for this MIB
           module."
       REFERENCE
           "IANA-ADDRESS-FAMILY-NUMBERS-MIB;
           INET-ADDRESS-MIB (RFC 2851);
           FC-MGMT-MIB (RFC 4044)."
       SYNTAX OCTET STRING (SIZE(0..255))

   --******************************************************************

   ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 }

   ipsAuthMethodTypes OBJECT-IDENTITY
       STATUS current
       DESCRIPTION
           "Registration point for Authentication Method Types."
       REFERENCE "RFC 3720, iSCSI Protocol Specification."
       ::= { ipsAuthDescriptors 1 }

   ipsAuthMethodNone OBJECT-IDENTITY
       STATUS current
       DESCRIPTION
           "The authoritative identifier when no authentication
           method is used."
       REFERENCE "RFC 3720, iSCSI Protocol Specification."
       ::= { ipsAuthMethodTypes 1 }

   ipsAuthMethodSrp OBJECT-IDENTITY
       STATUS current
       DESCRIPTION
           "The authoritative identifier when the authentication
           method is SRP."
       REFERENCE "RFC 3720, iSCSI Protocol Specification."
       ::= { ipsAuthMethodTypes 2 }

   ipsAuthMethodChap OBJECT-IDENTITY
       STATUS current
       DESCRIPTION
           "The authoritative identifier when the authentication
           method is CHAP."
       REFERENCE "RFC 3720, iSCSI Protocol Specification."
       ::= { ipsAuthMethodTypes 3 }

   ipsAuthMethodKerberos OBJECT-IDENTITY
       STATUS current
       DESCRIPTION
           "The authoritative identifier when the authentication
           method is Kerberos."
       REFERENCE "RFC 3720, iSCSI Protocol Specification."
       ::= { ipsAuthMethodTypes 4 }

   --******************************************************************

   ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 }

   -- Instance Attributes Table

   ipsAuthInstanceAttributesTable OBJECT-TYPE
       SYNTAX SEQUENCE OF IpsAuthInstanceAttributesEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "A list of Authorization instances present on the system."
       ::= { ipsAuthInstance 2 }

   ipsAuthInstanceAttributesEntry OBJECT-TYPE
       SYNTAX IpsAuthInstanceAttributesEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "An entry (row) containing management information
           applicable to a particular Authorization instance."
       INDEX { ipsAuthInstIndex }
       ::= { ipsAuthInstanceAttributesTable 1 }

   IpsAuthInstanceAttributesEntry ::= SEQUENCE {
       ipsAuthInstIndex        Unsigned32,
       ipsAuthInstDescr        SnmpAdminString,
       ipsAuthInstStorageType  StorageType
   }

   ipsAuthInstIndex OBJECT-TYPE
       SYNTAX Unsigned32 (1..4294967295)
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "An arbitrary integer used to uniquely identify a
           particular authorization instance.  This index value
           must not be modified or reused by an agent unless
           a reboot has occurred.  An agent should attempt to
           keep this value persistent across reboots."
       ::= { ipsAuthInstanceAttributesEntry 1 }

   ipsAuthInstDescr OBJECT-TYPE
       SYNTAX SnmpAdminString
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
           "A character string, determined by the implementation to
           describe the authorization instance.  When only a single
           instance is present, this object may be set to the
           zero-length string; with multiple authorization
           instances, it must be set to a unique value in an
           implementation-dependent manner to describe the purpose
           of the respective instance.  If this is deployed in a
           master agent with more than one subagent implementing
           this MIB module, the master agent is responsible for
           ensuring that this object is unique across all
           subagents."
       ::= { ipsAuthInstanceAttributesEntry 2 }

   ipsAuthInstStorageType OBJECT-TYPE
       SYNTAX StorageType
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
           "The storage type for all read-write objects within this
           row.  Rows in this table are always created via an
           external process, and may have a storage type of readOnly
           or permanent.  Conceptual rows having the value 'permanent'
           need not allow write access to any columnar objects in
           the row.

           If this object has the value 'volatile', modifications
           to read-write objects in this row are not persistent
           across reboots.  If this object has the value
           'nonVolatile', modifications to objects in this row
           are persistent.

           An implementation may choose to allow this object
           to be set to either 'nonVolatile' or 'volatile',
           allowing the management application to choose this
           behavior."
       DEFVAL { volatile }
       ::= { ipsAuthInstanceAttributesEntry 3 }

   ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 }

   -- User Identity Attributes Table

   ipsAuthIdentAttributesTable OBJECT-TYPE
       SYNTAX SEQUENCE OF IpsAuthIdentAttributesEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "A list of user identities, each belonging to a
           particular ipsAuthInstance."
       ::= { ipsAuthIdentity 1 }

   ipsAuthIdentAttributesEntry OBJECT-TYPE
       SYNTAX IpsAuthIdentAttributesEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "An entry (row) containing management information
           describing a user identity within an authorization
           instance on this node."
       INDEX { ipsAuthInstIndex, ipsAuthIdentIndex }
       ::= { ipsAuthIdentAttributesTable 1 }

   IpsAuthIdentAttributesEntry ::= SEQUENCE {
       ipsAuthIdentIndex        Unsigned32,
       ipsAuthIdentDescription  SnmpAdminString,
       ipsAuthIdentRowStatus    RowStatus,
       ipsAuthIdentStorageType  StorageType
   }

   ipsAuthIdentIndex OBJECT-TYPE
       SYNTAX Unsigned32 (1..4294967295)
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "An arbitrary integer used to uniquely identify a
           particular identity instance within an authorization
           instance present on the node.  This index value
           must not be modified or reused by an agent unless
           a reboot has occurred.  An agent should attempt to
           keep this value persistent across reboots."
       ::= { ipsAuthIdentAttributesEntry 1 }

   ipsAuthIdentDescription OBJECT-TYPE
       SYNTAX SnmpAdminString
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "A character string describing this particular identity."
       ::= { ipsAuthIdentAttributesEntry 2 }

   ipsAuthIdentRowStatus OBJECT-TYPE
       SYNTAX RowStatus
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "This field allows entries to be dynamically added and
           removed from this table via SNMP.  When adding a row to
           this table, all non-Index/RowStatus objects must be set.
           Rows may be discarded using RowStatus."
       ::= { ipsAuthIdentAttributesEntry 3 }

   ipsAuthIdentStorageType OBJECT-TYPE
       SYNTAX StorageType
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "The storage type for all read-create objects in this row.
           Rows in this table that were created through an external
           process may have a storage type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipsAuthIdentAttributesEntry 4 }

   ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 }

   -- User Initiator Name Attributes Table

   ipsAuthIdentNameAttributesTable OBJECT-TYPE
       SYNTAX SEQUENCE OF IpsAuthIdentNameAttributesEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "A list of unique names that can be used to positively
           identify a particular user identity."
       ::= { ipsAuthIdentityName 1 }

   ipsAuthIdentNameAttributesEntry OBJECT-TYPE
       SYNTAX IpsAuthIdentNameAttributesEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "An entry (row) containing management information
           applicable to a unique identity name which can be used
           to identify a user identity within a particular
           authorization instance."
       INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
               ipsAuthIdentNameIndex }
       ::= { ipsAuthIdentNameAttributesTable 1 }

   IpsAuthIdentNameAttributesEntry ::= SEQUENCE {
       ipsAuthIdentNameIndex        Unsigned32,
       ipsAuthIdentName             SnmpAdminString,
       ipsAuthIdentNameRowStatus    RowStatus,
       ipsAuthIdentNameStorageType  StorageType
   }

   ipsAuthIdentNameIndex OBJECT-TYPE
       SYNTAX Unsigned32 (1..4294967295)
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "An arbitrary integer used to uniquely identify a
           particular identity name instance within an
           ipsAuthIdentity within an authorization instance.
           This index value must not be modified or reused by
           an agent unless a reboot has occurred.  An agent
           should attempt to keep this value persistent across
           reboots."
       ::= { ipsAuthIdentNameAttributesEntry 1 }

   ipsAuthIdentName OBJECT-TYPE
       SYNTAX SnmpAdminString
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "A character string which is the unique name of an
           identity that may be used to identify this ipsAuthIdent
           entry."
       ::= { ipsAuthIdentNameAttributesEntry 2 }

   ipsAuthIdentNameRowStatus OBJECT-TYPE
       SYNTAX RowStatus
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "This field allows entries to be dynamically added and
           removed from this table via SNMP.  When adding a row to
           this table, all non-Index/RowStatus objects must be set.
           Rows may be discarded using RowStatus."
       ::= { ipsAuthIdentNameAttributesEntry 3 }

   ipsAuthIdentNameStorageType OBJECT-TYPE
       SYNTAX StorageType
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "The storage type for all read-create objects in this row.
           Rows in this table that were created through an external
           process may have a storage type of readOnly or permanent."
       DEFVAL { nonVolatile }
       ::= { ipsAuthIdentNameAttributesEntry 4 }

   ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 }

   -- User Initiator Address Attributes Table

   ipsAuthIdentAddrAttributesTable OBJECT-TYPE
       SYNTAX SEQUENCE OF IpsAuthIdentAddrAttributesEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "A list of address ranges that are allowed to serve
           as the endpoint addresses of a particular identity.
           An address range includes a starting and ending address
           and an optional netmask, and an address type indicator,
           which can specify whether the address is IPv4, IPv6,
           FC-WWPN, or FC-WWNN."
    ::= { ipsAuthIdentityAddress 1 }

ipsAuthIdentAddrAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentAddrAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to an address range which is used as part
        of the authorization of an identity
        within an authorization instance on this node."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
            ipsAuthIdentAddrIndex }
    ::= { ipsAuthIdentAddrAttributesTable 1 }

IpsAuthIdentAddrAttributesEntry ::= SEQUENCE {
    ipsAuthIdentAddrIndex           Unsigned32,
    ipsAuthIdentAddrType            AddressFamilyNumbers,
    ipsAuthIdentAddrStart           IpsAuthAddress,
    ipsAuthIdentAddrEnd             IpsAuthAddress,
    ipsAuthIdentAddrRowStatus       RowStatus,
    ipsAuthIdentAddrStorageType     StorageType
}

ipsAuthIdentAddrIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular ipsAuthIdentAddress instance within an
        ipsAuthIdentity within an authorization instance
        present on the node.
        This index value must not be modified or reused by
        an agent unless a reboot has occurred.  An agent
        should attempt to keep this value persistent across
        reboots."
    ::= { ipsAuthIdentAddrAttributesEntry 1 }

ipsAuthIdentAddrType OBJECT-TYPE
    SYNTAX        AddressFamilyNumbers
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The type of Address in the ipsAuthIdentAddress
        start, end, and mask fields.  This type is taken
        from the IANA address family types; more types may
        be registered independently of this MIB module."
    ::= { ipsAuthIdentAddrAttributesEntry 2 }

ipsAuthIdentAddrStart OBJECT-TYPE
    SYNTAX        IpsAuthAddress
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The starting address of the allowed address range."
    ::= { ipsAuthIdentAddrAttributesEntry 3 }

ipsAuthIdentAddrEnd OBJECT-TYPE
    SYNTAX        IpsAuthAddress
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The ending address of the allowed address range.
        If the ipsAuthIdentAddrEntry specifies a single
        address, this shall match the ipsAuthIdentAddrStart."
    ::= { ipsAuthIdentAddrAttributesEntry 4 }

ipsAuthIdentAddrRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP.  When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus."
    ::= { ipsAuthIdentAddrAttributesEntry 5 }

ipsAuthIdentAddrStorageType OBJECT-TYPE
    SYNTAX        StorageType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent."
    DEFVAL        { nonVolatile }
    ::= { ipsAuthIdentAddrAttributesEntry 6 }

ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 }

-- Credential Attributes Table

ipsAuthCredentialAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredentialAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of credentials related to user identities
        that are allowed as valid authenticators of the
        particular identity."
    ::= { ipsAuthCredential 1 }

ipsAuthCredentialAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredentialAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which verifies a user
        identity within an authorization instance."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredentialAttributesTable 1 }

IpsAuthCredentialAttributesEntry ::= SEQUENCE {
    ipsAuthCredIndex            Unsigned32,
    ipsAuthCredAuthMethod       AutonomousType,
    ipsAuthCredRowStatus        RowStatus,
    ipsAuthCredStorageType      StorageType
}

ipsAuthCredIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular Credential instance within an instance
        present on the node.
        This index value must not be modified or reused by
        an agent unless a reboot has occurred.  An agent
        should attempt to keep this value persistent across
        reboots."
    ::= { ipsAuthCredentialAttributesEntry 1 }

ipsAuthCredAuthMethod OBJECT-TYPE
    SYNTAX        AutonomousType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This object contains an OBJECT IDENTIFIER
        which identifies the authentication method
        used with this credential.

        Some standardized values for this object are defined
        within the ipsAuthMethods subtree."
    ::= { ipsAuthCredentialAttributesEntry 2 }

ipsAuthCredRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP.  When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus."
    ::= { ipsAuthCredentialAttributesEntry 3 }

ipsAuthCredStorageType OBJECT-TYPE
    SYNTAX        StorageType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent."
    DEFVAL        { nonVolatile }
    ::= { ipsAuthCredentialAttributesEntry 4 }

ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 7 }

-- Credential Chap-Specific Attributes Table

ipsAuthCredChapAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredChapAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of CHAP attributes for credentials that
        use ipsAuthMethodChap as their ipsAuthCredAuthMethod."
    ::= { ipsAuthCredChap 1 }

ipsAuthCredChapAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredChapAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodChap as its ipsAuthCredAuthMethod."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredChapAttributesTable 1 }

IpsAuthCredChapAttributesEntry ::= SEQUENCE {
    ipsAuthCredChapUserName         SnmpAdminString,
    ipsAuthCredChapRowStatus        RowStatus,
    ipsAuthCredChapStorageType      StorageType
}

ipsAuthCredChapUserName OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "A character string containing the CHAP user name for this
        credential."
    REFERENCE
        "W. Simpson, RFC 1994: PPP Challenge Handshake
        Authentication Protocol (CHAP), August 1996"
    ::= { ipsAuthCredChapAttributesEntry 1 }

ipsAuthCredChapRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP.  When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus."
    ::= { ipsAuthCredChapAttributesEntry 2 }

ipsAuthCredChapStorageType OBJECT-TYPE
    SYNTAX        StorageType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent."
    DEFVAL        { nonVolatile }
    ::= { ipsAuthCredChapAttributesEntry 3 }

ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 8 }

-- Credential Srp-Specific Attributes Table

ipsAuthCredSrpAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredSrpAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of SRP attributes for credentials that
        use ipsAuthMethodSrp as their ipsAuthCredAuthMethod."
    ::= { ipsAuthCredSrp 1 }

ipsAuthCredSrpAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredSrpAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodSrp as its ipsAuthCredAuthMethod."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredSrpAttributesTable 1 }

IpsAuthCredSrpAttributesEntry ::= SEQUENCE {
    ipsAuthCredSrpUserName          SnmpAdminString,
    ipsAuthCredSrpRowStatus         RowStatus,
    ipsAuthCredSrpStorageType       StorageType
}

ipsAuthCredSrpUserName OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "A character string containing the SRP user name for this
        credential."
    REFERENCE
        "T. Wu, RFC 2945: The SRP Authentication and Key
        Exchange System, September 2000"
    ::= { ipsAuthCredSrpAttributesEntry 1 }

ipsAuthCredSrpRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP.  When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus."
    ::= { ipsAuthCredSrpAttributesEntry 2 }

ipsAuthCredSrpStorageType OBJECT-TYPE
    SYNTAX        StorageType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent."
    DEFVAL        { nonVolatile }
    ::= { ipsAuthCredSrpAttributesEntry 3 }

ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 9 }

-- Credential Kerberos-Specific Attributes Table

ipsAuthCredKerbAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredKerbAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of Kerberos attributes for credentials that
        use ipsAuthMethodKerberos as their ipsAuthCredAuthMethod."
    ::= { ipsAuthCredKerberos 1 }

ipsAuthCredKerbAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredKerbAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodKerberos as its ipsAuthCredAuthMethod."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredKerbAttributesTable 1 }

IpsAuthCredKerbAttributesEntry ::= SEQUENCE {
    ipsAuthCredKerbPrincipal        SnmpAdminString,
    ipsAuthCredKerbRowStatus        RowStatus,
    ipsAuthCredKerbStorageType      StorageType
}

ipsAuthCredKerbPrincipal OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "A character string containing a Kerberos principal
        for this credential."
    REFERENCE
        "J. Kohl, C. Neuman, RFC 1510: The Kerberos Network
        Authentication Service (V5), September 1993"
    ::= { ipsAuthCredKerbAttributesEntry 1 }

ipsAuthCredKerbRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP.  When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus."
    ::= { ipsAuthCredKerbAttributesEntry 2 }

ipsAuthCredKerbStorageType OBJECT-TYPE
    SYNTAX        StorageType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent."
    DEFVAL        { nonVolatile }
    ::= { ipsAuthCredKerbAttributesEntry 3 }

--******************************************************************
-- Notifications

-- There are no notifications necessary in this MIB module.

--******************************************************************
-- Conformance Statements

ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 1 }
ipsAuthGroups      OBJECT IDENTIFIER ::= { ipsAuthConformance 2 }

ipsAuthInstanceAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthInstDescr,
        ipsAuthInstStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        authorization instances."
    ::= { ipsAuthGroups 1 }

ipsAuthIdentAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentDescription,
        ipsAuthIdentRowStatus,
        ipsAuthIdentStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        user identities within an authorization instance."
    ::= { ipsAuthGroups 2 }

ipsAuthIdentNameAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentName,
        ipsAuthIdentNameRowStatus,
        ipsAuthIdentNameStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        user names within user identities within an authorization
        instance."
    ::= { ipsAuthGroups 3 }

ipsAuthIdentAddrAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentAddrType,
        ipsAuthIdentAddrStart,
        ipsAuthIdentAddrEnd,
        ipsAuthIdentAddrRowStatus,
        ipsAuthIdentAddrStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        address ranges within user identities within an
        authorization instance."
    ::= { ipsAuthGroups 4 }

ipsAuthIdentCredAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredAuthMethod,
        ipsAuthCredRowStatus,
        ipsAuthCredStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        credentials within user identities within an authorization
        instance."
    ::= { ipsAuthGroups 5 }

ipsAuthIdentChapAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredChapUserName,
        ipsAuthCredChapRowStatus,
        ipsAuthCredChapStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        CHAP credentials within user identities within an
        authorization instance."
    ::= { ipsAuthGroups 6 }

ipsAuthIdentSrpAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredSrpUserName,
        ipsAuthCredSrpRowStatus,
        ipsAuthCredSrpStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        SRP credentials within user identities within an
        authorization instance."
    ::= { ipsAuthGroups 7 }

ipsAuthIdentKerberosAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredKerbPrincipal,
        ipsAuthCredKerbRowStatus,
        ipsAuthCredKerbStorageType
    }
    STATUS        current
    DESCRIPTION
        "A collection of objects providing information about
        Kerberos credentials within user identities within an
        authorization instance."
    ::= { ipsAuthGroups 8 }

--******************************************************************

ipsAuthComplianceV1 MODULE-COMPLIANCE
    STATUS        current
    DESCRIPTION
        "Initial version of compliance statement based on
        initial version of this MIB module.

        The Instance and Identity groups are mandatory;
        at least one of the other groups (Name, Address,
        Credential, Certificate) is also mandatory for
        any given implementation."
    MODULE  -- this module
    MANDATORY-GROUPS {
        ipsAuthInstanceAttributesGroup,
        ipsAuthIdentAttributesGroup
    }

    -- Conditionally mandatory groups to be included with
    -- the mandatory groups when necessary.

    GROUP ipsAuthIdentNameAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that make use of unique identity names."

    GROUP ipsAuthIdentAddrAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use addresses to help verify identities."

    GROUP ipsAuthIdentCredAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use credentials to help verify identities."

    GROUP ipsAuthIdentChapAttrGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use CHAP to help verify identities.

        The ipsAuthIdentCredAttributesGroup must be
        implemented if this group is implemented."

    GROUP ipsAuthIdentSrpAttrGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use SRP to help verify identities.

        The ipsAuthIdentCredAttributesGroup must be
        implemented if this group is implemented."

    GROUP ipsAuthIdentKerberosAttrGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use Kerberos to help verify identities.

        The ipsAuthIdentCredAttributesGroup must be
        implemented if this group is implemented."

    OBJECT ipsAuthInstDescr
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthInstStorageType
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentDescription
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentRowStatus
    SYNTAX INTEGER { active(1) }   -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthIdentName
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentNameRowStatus
    SYNTAX INTEGER { active(1) }   -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthIdentAddrType
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentAddrStart
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentAddrEnd
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentAddrRowStatus
    SYNTAX INTEGER { active(1) }   -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredAuthMethod
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredRowStatus
    SYNTAX INTEGER { active(1) }   -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredChapUserName
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredChapRowStatus
    SYNTAX INTEGER { active(1) }   -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredSrpUserName
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."
    OBJECT ipsAuthCredSrpRowStatus
    SYNTAX INTEGER { active(1) }   -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredKerbPrincipal
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredKerbRowStatus
    SYNTAX INTEGER { active(1) }   -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    ::= { ipsAuthCompliances 1 }

END

9. Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are the tables and objects and their
   sensitivity/vulnerability:

   All tables provide the ability to set up which credentials may be
   used to access services on the managed system, to remove
   legitimate credentials (a denial of service), or to remove
   individual credentials to weaken the requirements for access of a
   particular service.  Write access must always be tightly
   controlled.  Note that some types of credentials, such as CHAP or
   SRP, also require passwords or verifiers to be associated with the
   credential.  These are managed outside this MIB module.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.
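   The two rules an agent has to enforce on the tables above are stated
   only in DESCRIPTION clauses: every RowStatus object says that a row
   may not be created unless all non-Index/RowStatus columns are set,
   and ipsAuthIdentAddrEnd says a single-address row carries the same
   value in start and end.  The following is an added worked example
   (written for this page; it is not code from the draft or from any
   product implementing it) that models ipsAuthIdentAddrAttributesTable
   in memory, rejects an incomplete or inconsistent createAndGo, and
   then evaluates an endpoint address against the active rows of one
   identity.  The names AddrRow, create_row, to_octets and
   authorize_endpoint, the sample rows and the use of IANA address
   family numbers 1, 2, 22 and 23 for IPv4, IPv6, FC-WWPN and FC-WWNN
   are assumptions made for this example.

```python
from dataclasses import dataclass
import ipaddress

# IANA address family numbers carried in ipsAuthIdentAddrType for the
# four families the table DESCRIPTION names, and the octet length of
# each (assumption for this example; the TC itself is an OCTET STRING).
AF_IPV4, AF_IPV6, AF_FC_WWPN, AF_FC_WWNN = 1, 2, 22, 23
ADDR_LEN = {AF_IPV4: 4, AF_IPV6: 16, AF_FC_WWPN: 8, AF_FC_WWNN: 8}

ACTIVE = 1  # RowStatus active(1), the only value the compliance statement requires


@dataclass(frozen=True)
class AddrRow:
    """One conceptual row of ipsAuthIdentAddrAttributesTable (hypothetical model)."""
    inst: int          # ipsAuthInstIndex
    ident: int         # ipsAuthIdentIndex
    index: int         # ipsAuthIdentAddrIndex
    addr_type: int     # ipsAuthIdentAddrType
    start: bytes       # ipsAuthIdentAddrStart
    end: bytes         # ipsAuthIdentAddrEnd
    row_status: int = ACTIVE


def to_octets(addr_type, text):
    """Encodes a textual address as the octet string stored in the row."""
    if addr_type in (AF_IPV4, AF_IPV6):
        return ipaddress.ip_address(text).packed
    return bytes.fromhex(text.replace(":", ""))   # 64-bit Fibre Channel name


def create_row(inst, ident, index, columns):
    """Models a createAndGo SET on the table.  The module requires every
    non-index, non-RowStatus column in the same SET, and the agent should
    refuse the row before it becomes active if the values cannot work."""
    required = ("ipsAuthIdentAddrType", "ipsAuthIdentAddrStart", "ipsAuthIdentAddrEnd")
    missing = [c for c in required if c not in columns]
    if missing:
        raise ValueError("inconsistentValue: missing " + ", ".join(missing))
    t, s, e = (columns[c] for c in required)
    n = ADDR_LEN.get(t)
    if n is None:
        raise ValueError("wrongValue: unsupported ipsAuthIdentAddrType %r" % t)
    if len(s) != n or len(e) != n:
        raise ValueError("wrongLength: %d-octet address expected for type %d" % (n, t))
    if s > e:  # bytes compare as unsigned big-endian integers
        raise ValueError("inconsistentValue: start address is above end address")
    return AddrRow(inst, ident, index, t, s, e)


def authorize_endpoint(table, inst, ident, addr_type, text):
    """True if the endpoint lies in an active range row of this identity.
    A single-address row (start == end, as the AddrEnd DESCRIPTION
    requires) matches only that exact address; a row of another address
    family never matches, even if the raw octets happen to coincide."""
    try:
        octets = to_octets(addr_type, text)
    except ValueError:
        return False
    if len(octets) != ADDR_LEN.get(addr_type):
        return False
    for row in table:
        if (row.inst, row.ident, row.row_status) != (inst, ident, ACTIVE):
            continue
        if row.addr_type == addr_type and row.start <= octets <= row.end:
            return True
    return False


# Constructed sample table: identity 1 of instance 1 may connect from
# 192.0.2.16-192.0.2.31, from exactly 2001:db8::1, or from one FC WWPN.
SAMPLE_TABLE = [
    create_row(1, 1, 1, {"ipsAuthIdentAddrType": AF_IPV4,
                         "ipsAuthIdentAddrStart": to_octets(AF_IPV4, "192.0.2.16"),
                         "ipsAuthIdentAddrEnd": to_octets(AF_IPV4, "192.0.2.31")}),
    create_row(1, 1, 2, {"ipsAuthIdentAddrType": AF_IPV6,
                         "ipsAuthIdentAddrStart": to_octets(AF_IPV6, "2001:db8::1"),
                         "ipsAuthIdentAddrEnd": to_octets(AF_IPV6, "2001:db8::1")}),
    create_row(1, 1, 3, {"ipsAuthIdentAddrType": AF_FC_WWPN,
                         "ipsAuthIdentAddrStart": to_octets(AF_FC_WWPN, "21:00:00:e0:8b:01:02:03"),
                         "ipsAuthIdentAddrEnd": to_octets(AF_FC_WWPN, "21:00:00:e0:8b:01:02:03")}),
]

if __name__ == "__main__":
    print(authorize_endpoint(SAMPLE_TABLE, 1, 1, AF_IPV4, "192.0.2.20"))   # True
    print(authorize_endpoint(SAMPLE_TABLE, 1, 1, AF_IPV4, "192.0.2.32"))   # False
    print(authorize_endpoint(SAMPLE_TABLE, 1, 2, AF_IPV4, "192.0.2.20"))   # False: other identity
```

   The comparison works on the raw octet strings, which is why the
   length check against the address family matters: without it an
   IPv4 literal presented under the IPv6 family, or a truncated WWPN,
   could compare "inside" a range it does not belong to.  Rows whose
   RowStatus is anything but active(1) are ignored, which is what makes
   a removed or not-yet-complete row fail closed.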
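   "Write access must always be tightly controlled" and, as the
   remainder of this section argues, read access too.  What that looks
   like on a concrete agent is shown by the following added example of
   a net-snmp snmpd.conf fragment (written for this page, not taken
   from the draft or from any implementation of it).  <IPS-AUTH-MIB-OID>
   is a placeholder for the mib-2 assignment requested in section 10,
   which this draft does not yet have; the user names and passphrases
   are constructed values.

```conf
# Added example, not from the draft: net-snmp snmpd.conf fragment that
# applies this section's Security Considerations to an agent serving
# the module.  <IPS-AUTH-MIB-OID> is a placeholder for the mib-2 OID
# IANA is asked to assign in section 10; names and passphrases are made up.

# Not acceptable for this module: a v1/v2c community string travels in
# cleartext, so anyone on the path can read the credential tables or
# rewrite them.  Leave such lines out entirely.
#   rwcommunity  private
#   rocommunity  public

# SNMPv3 USM users with authentication (SHA) and privacy (AES).
createUser ipsAuthAdmin  SHA "example-auth-passphrase-1"  AES "example-priv-passphrase-1"
createUser ipsAuthAudit  SHA "example-auth-passphrase-2"  AES "example-priv-passphrase-2"

# Write access (SET of RowStatus, identity names, address ranges and
# credential rows) only for the admin principal, only at the authPriv
# security level, and only inside the module's own subtree.
rwuser ipsAuthAdmin priv <IPS-AUTH-MIB-OID>

# Even GET is limited to authPriv, because the readable objects reveal
# which names, addresses and credentials unlock a service.
rouser ipsAuthAudit priv <IPS-AUTH-MIB-OID>
```

   The OID argument to rwuser and rouser restricts each principal's
   view to the subtree named, so a principal allowed to edit this
   module is not thereby allowed to edit anything else the agent
   exposes; the authPriv level ("priv") makes the agent reject requests
   that are merely authenticated but not encrypted.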
   It is thus important to control even GET and/or NOTIFY access to
   these objects and possibly to even encrypt the values of these
   objects when sending them over the network via SNMP.  These are the
   tables and objects and their sensitivity/vulnerability:

   All tables provide the ability to find out which names, addresses,
   and credentials would be required to access services on the
   managed system.  If these credentials are easily spoofed
   (particularly the name or address), read access to this MIB module
   must be tightly controlled.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   even then, there is no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.

   It is RECOMMENDED that implementors consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

   In many implementations, the objects in this MIB module can be read
   and modified via other mechanisms or protocols in addition to this
   MIB module.  For the system to be secure, other mechanisms that can
   read and modify the contents of this MIB module must also address the
   above issues, and handle the threats outlined in [RFC3411], section
   1.4.

10. IANA Considerations

10.1. OID Assignment

   IANA is requested to make a MIB OID assignment under the mib-2
   branch.

11. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578, April
              1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
              for Describing Simple Network Management Protocol (SNMP)
              Management Frameworks", RFC 3411, December 2002.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

   [IANA-AF]  IANA, "IANA Address Family Numbers MIB",
              http://www.iana.org/assignments/ianaaddressfamilynumbers-mib

   [RFC2011]  McCloghrie, K., "SNMPv2 Management Information Base for the
              Internet Protocol using SMIv2", RFC 2011, November 1996.

   [RFC2465]  Haskin, D., and S. Onishi, "Management Information Base for
              IP Version 6: Textual Conventions and General Group",
              RFC 2465, December 1998.

   [RFC1994]  Simpson, W., "PPP Challenge Handshake Authentication
              Protocol (CHAP)", RFC 1994, August 1996.

   [RFC1510]  Kohl, J., and C. Neuman, "The Kerberos Network
              Authentication Service (V5)", RFC 1510, September 1993.

   [RFC2945]  Wu, T., "The SRP Authentication and Key Exchange System",
              RFC 2945, September 2000.

12. Informative References

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B.
              Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC3414]  Blumenthal, U., and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", RFC 3414, December 2002.

   [RFC3720]  Satran, J., Meth, K., Sapuntzakis, C., Chadalapaka, M., and
              E. Zeidner, "Internet Small Computer Systems Interface
              (iSCSI)", RFC 3720, March 2004.

   [RFC1737]  Sollins, K., and L. Masinter, "Functional Requirements for
              Uniform Resource Names", RFC 1737, December 1994.

   [RFC4044]  McCloghrie, K., "Fibre Channel Management MIB", RFC 4044,
              May 2005.

Acknowledgments

   In addition to the authors, several people contributed to the
   development of this MIB module through discussions of authentication,
   authorization, and access within the iSCSI MIB module and security
   teams, including John Hufferd, Marjorie Krueger, Keith McCloghrie,
   Tom McSweeney, Steve Senum, and Josh Tseng.  Thanks also to Bill
   Studenmund (Wasabi Systems) for adding the Kerberos method, and to
   Ayman Ghanem for finding and suggesting changes to several problems
   found in the MIB module.

   Thanks especially to Keith McCloghrie for serving as advisor for this
   MIB module.

Authors' Addresses

   Mark Bakke
   Postal: Cisco Systems, Inc
   7900 International Drive, Suite 400
   Bloomington, MN
   USA 55425

   Email: mbakke@cisco.com

   James Muchow
   Postal: Qlogic Corp.
   6321 Bury Drive
   Eden Prairie, MN
   USA 55346

   Email: james.muchow@qlogic.com

IPR Notice

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Full Copyright Notice

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.