Network Working Group                                      S. De Cnodder
Internet-Draft                                                   Alcatel
Expires: November 19, 2005                                    N. Jonnala
                                                                 Consult
                                                                M. Chiba
                                                     Cisco Systems, Inc.
                                                            May 18, 2005


                    Dynamic Authorization Client MIB
               draft-ietf-radext-dynauth-client-mib-00.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 19, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes the RADIUS dynamic authorization client
   (DAC) functions that support the dynamic authorization extensions as
   defined in RFC3576.

Table of Contents

   1.  Requirements notation
   2.  Introduction
   3.  The Internet-Standard Management Framework
   4.  Terminology
   5.  Overview
   6.  RADIUS Dynamic Authorization Client MIB Definitions
   7.  Security Considerations
   8.  IANA considerations
   9.  Acknowledgements
   10. References
       10.1  Normative References
       10.2  Informative References
       Authors' Addresses
       Intellectual Property and Copyright Statements

1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   It is becoming increasingly important to support Dynamic
   Authorization extensions on network access server (NAS) devices to
   handle the Disconnect and Change-of-Authorization (CoA) messages
   described in [RFC3576].  As a result, the effective management of
   RADIUS Dynamic Authorization entities is of considerable importance.
   This MIB module complements the managed objects used for managing
   RADIUS authentication and accounting servers as described in
   [RFC2619] and [RFC2621], respectively.

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC2578 [RFC2578], STD 58, RFC2579 [RFC2579] and STD 58, RFC2580
   [RFC2580].

4.  Terminology

   Dynamic Authorization Server (DAS)

      The component that resides on the NAS which processes the
      Disconnect and CoA requests sent by the Dynamic Authorization
      Client as described in [RFC3576].

   Dynamic Authorization Client (DAC)

      The component which sends the Disconnect and CoA requests to the
      Dynamic Authorization Server as described in [RFC3576].

   Dynamic Authorization Server Port

      The UDP port on which the Dynamic Authorization Server listens for
      the Disconnect and CoA requests sent by the Dynamic Authorization
      Client.

5.  Overview

   The RADIUS dynamic authorization extensions defined in [RFC3576]
   distinguish between the client function and the server function.
   [DYNSERV] defines the terms Dynamic Authorization Server (DAS) and
   Dynamic Authorization Client (DAC), the MIB for the DAS, and the
   relationship with other MIB modules.  This MIB module for the dynamic
   authorization client contains the following:

   1.  One scalar object.

   2.  One Dynamic Authorization Server Table.  This table contains one
       row for each DAS that the DAC shares a secret with.

6.  RADIUS Dynamic Authorization Client MIB Definitions

   RADIUS-DYNAUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

   IMPORTS
          MODULE-IDENTITY, OBJECT-TYPE,
          Counter32, Gauge32, Integer32,
          mib-2, TimeTicks                FROM SNMPv2-SMI
          SnmpAdminString                 FROM SNMP-FRAMEWORK-MIB
          InetAddressType, InetAddress,
          InetPortNumber                  FROM INET-ADDRESS-MIB
          MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF;

   radiusDynAuthClientMIB MODULE-IDENTITY
          LAST-UPDATED "200505160000Z" -- 16 May 2005
          ORGANIZATION "IETF RADEXT Working Group"
          CONTACT-INFO
                 " Stefaan De Cnodder
                   Alcatel
                   Francis Wellesplein 1
                   B-2018 Antwerp
                   Belgium

                   Phone: +32 3 240 85 15
                   EMail: stefaan.de_cnodder@alcatel.be

                   Nagi Reddy Jonnala
                   Consult
                   4-486, Nutakki
                   AP, India, PIN: 522303

                   Phone: +91 8645 275314
                   EMail: nagireddyj@yahoo.com

                   Murtaza Chiba
                   Cisco Systems, Inc.
                   170 West Tasman Dr.
                   San Jose CA, 95134

                   Phone: +1 408 525 7198
                   EMail: mchiba@cisco.com "
          DESCRIPTION
                "The MIB module for entities implementing the client
                 side of the Dynamic Authorization extensions to the
                 Remote Authentication Dial In User Service (RADIUS)
                 protocol.

                 Copyright (C) The Internet Society (2005).  This initial
                 version of this MIB module was published in RFC yyyy;
                 for full legal notices see the RFC itself.  Supplementary
                 information may be available on
                 http://www.ietf.org/copyrights/ianamib.html."
          -- RFC Ed.: replace yyyy with actual RFC number & remove this note

          REVISION "200505160000Z" -- 16 May 2005
          DESCRIPTION "Initial version as published in RFC yyyy"
          -- RFC Ed.: replace yyyy with actual RFC number & remove this note
          ::= { radiusDynamicAuthorization 2 }

   radiusDynamicAuthorization OBJECT IDENTIFIER ::= { mib-2 xxx }
   -- The value xxx to be assigned by IANA.

   radiusDynAuthClientMIBObjects OBJECT IDENTIFIER ::=
                                        { radiusDynAuthClientMIB 1 }

   radiusDynAuthClient OBJECT IDENTIFIER ::=
                                        { radiusDynAuthClientMIBObjects 1 }

   radiusDynAuthClientInvalidServerAddresses OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Dynamic Authorization messages
                 (both Disconnect and CoA) received from unknown
                 addresses."
          ::= { radiusDynAuthClient 1 }

   radiusDynAuthServerTable OBJECT-TYPE
          SYNTAX SEQUENCE OF RadiusDynAuthServerEntry
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
                "The (conceptual) table listing the RADIUS Dynamic
                 Authorization servers with which the client shares a
                 secret."
          ::= { radiusDynAuthClient 2 }

   radiusDynAuthServerEntry OBJECT-TYPE
          SYNTAX RadiusDynAuthServerEntry
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
                "An entry (conceptual row) representing one Dynamic
                 Authorization Server with which the client shares a
                 secret."
          INDEX { radiusDynAuthServerIndex }
          ::= { radiusDynAuthServerTable 1 }

   RadiusDynAuthServerEntry ::= SEQUENCE {
          radiusDynAuthServerIndex                     Integer32,
          radiusDynAuthServerAddressType               InetAddressType,
          radiusDynAuthServerAddress                   InetAddress,
          radiusDynAuthServerClientPortNumber          InetPortNumber,
          radiusDynAuthServerID                        SnmpAdminString,
          radiusDynAuthClientRoundTripTime             TimeTicks,
          radiusDynAuthClientDisconRequests            Counter32,
          radiusDynAuthClientDisconRetransmissions     Counter32,
          radiusDynAuthClientDisconAcks                Counter32,
          radiusDynAuthClientDisconNaks                Counter32,
          radiusDynAuthClientMalformedDisconResponses  Counter32,
          radiusDynAuthClientDisconBadAuthenticators   Counter32,
          radiusDynAuthClientDisconPendingRequests     Gauge32,
          radiusDynAuthClientDisconTimeouts            Counter32,
          radiusDynAuthClientDisconPacketsDropped      Counter32,
          radiusDynAuthClientCoARequests               Counter32,
          radiusDynAuthClientCoARetransmissions        Counter32,
          radiusDynAuthClientCoAAcks                   Counter32,
          radiusDynAuthClientCoANaks                   Counter32,
          radiusDynAuthClientMalformedCoAResponses     Counter32,
          radiusDynAuthClientCoABadAuthenticators      Counter32,
          radiusDynAuthClientCoAPendingRequests        Gauge32,
          radiusDynAuthClientCoATimeouts               Counter32,
          radiusDynAuthClientCoAPacketsDropped         Counter32,
          radiusDynAuthClientUnknownTypes              Counter32
   }

   radiusDynAuthServerIndex OBJECT-TYPE
          SYNTAX Integer32 (1..2147483647)
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
                "A number uniquely identifying each RADIUS Dynamic
                 Authorization server with which this Dynamic
                 Authorization client communicates.  This number is
                 allocated by the agent implementing this MIB module,
                 and is unique in this context."
          ::= { radiusDynAuthServerEntry 1 }

   radiusDynAuthServerAddressType OBJECT-TYPE
          SYNTAX InetAddressType
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The type of IP-Address of the RADIUS Dynamic
                 Authorization server referred to in this table entry."
          ::= { radiusDynAuthServerEntry 2 }

   radiusDynAuthServerAddress OBJECT-TYPE
          SYNTAX InetAddress
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The IP-Address value of the RADIUS Dynamic
                 Authorization server referred to in this table entry."
          ::= { radiusDynAuthServerEntry 3 }

   radiusDynAuthServerClientPortNumber OBJECT-TYPE
          SYNTAX InetPortNumber
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The UDP port the RADIUS Dynamic Authorization client is
                 using to send requests to this server."
          ::= { radiusDynAuthServerEntry 4 }

   radiusDynAuthServerID OBJECT-TYPE
          SYNTAX SnmpAdminString
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The NAS-Identifier of the RADIUS Dynamic
                 Authorization server referred to in this table
                 entry."
          REFERENCE
                "RFC 2865, Section 5.32, NAS-Identifier."
          ::= { radiusDynAuthServerEntry 5 }

   radiusDynAuthClientRoundTripTime OBJECT-TYPE
          SYNTAX TimeTicks
          UNITS "hundredths of a second"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The time interval (in hundredths of a second) between
                 the most recent Disconnect or CoA request and the
                 reception of the corresponding Disconnect or CoA reply.
                 A value of zero is returned in case no reply has been
                 received yet from this server."
          ::= { radiusDynAuthServerEntry 6 }

   radiusDynAuthClientDisconRequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-Requests sent
                 to this Dynamic Authorization server."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthServerEntry 7 }

   radiusDynAuthClientDisconRetransmissions OBJECT-TYPE
          SYNTAX Counter32
          UNITS "retransmissions"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-request packets
                 retransmitted to this RADIUS Dynamic Authorization
                 server."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthServerEntry 8 }

   radiusDynAuthClientDisconAcks OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-ACK packets
                 received from this Dynamic Authorization server."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthServerEntry 9 }

   radiusDynAuthClientDisconNaks OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-NAK packets
                 received from this Dynamic Authorization server."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthServerEntry 10 }

   radiusDynAuthClientMalformedDisconResponses OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of malformed RADIUS Disconnect-Response
                 packets received from this Dynamic Authorization
                 server.  Bad authenticators and unknown types are not
                 included as malformed Disconnect-Responses."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                 Section 2.3, Packet Format."
          ::= { radiusDynAuthServerEntry 11 }

   radiusDynAuthClientDisconBadAuthenticators OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-Response packets
                 which contained invalid Signature attributes
                 received from this Dynamic Authorization server."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                 Section 2.3, Packet Format."
          ::= { radiusDynAuthServerEntry 12 }

   radiusDynAuthClientDisconPendingRequests OBJECT-TYPE
          SYNTAX Gauge32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-request packets
                 destined for this server that have not yet timed out
                 or received a response.  This variable is incremented
                 when a Disconnect-Request is sent and decremented
                 due to receipt of a Disconnect-Ack, Disconnect-NAK
                 or a timeout or a retransmission."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthServerEntry 13 }

   radiusDynAuthClientDisconTimeouts OBJECT-TYPE
          SYNTAX Counter32
          UNITS "timeouts"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of Disconnect request timeouts to this
                 server.  After a timeout the client may retry to the
                 same server or give up.  A retry to the same server is
                 counted as a retransmit as well as a timeout.  A send
                 to a different server is counted as a
                 Disconnect-Request as well as a timeout."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthServerEntry 14 }

   radiusDynAuthClientDisconPacketsDropped OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of incoming Disconnect-Responses
                 from this Dynamic Authorization server silently
                 discarded by the client application for some reason
                 other than malformed, bad authenticators or unknown
                 types."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                 Section 2.3, Packet Format."
          ::= { radiusDynAuthServerEntry 15 }

   radiusDynAuthClientCoARequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-Requests sent to this
                 Dynamic Authorization server."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthServerEntry 16 }

   radiusDynAuthClientCoARetransmissions OBJECT-TYPE
          SYNTAX Counter32
          UNITS "retransmissions"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-request packets
                 retransmitted to this RADIUS Dynamic Authorization
                 server."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthServerEntry 17 }

   radiusDynAuthClientCoAAcks OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-ACK packets
                 received from this Dynamic Authorization server."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthServerEntry 18 }

   radiusDynAuthClientCoANaks OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-NAK packets
                 received from this Dynamic Authorization server."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthServerEntry 19 }

   radiusDynAuthClientMalformedCoAResponses OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of malformed RADIUS CoA-Response
                 packets received from this Dynamic Authorization
                 server.  Bad authenticators and unknown types are
                 not included as malformed CoA-Responses."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA), and Section 2.3, Packet Format."
          ::= { radiusDynAuthServerEntry 20 }

   radiusDynAuthClientCoABadAuthenticators OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-Response packets
                 which contained invalid Signature attributes
                 received from this Dynamic Authorization server."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA), and Section 2.3, Packet Format."
          ::= { radiusDynAuthServerEntry 21 }

   radiusDynAuthClientCoAPendingRequests OBJECT-TYPE
          SYNTAX Gauge32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-request packets destined for
                 this server that have not yet timed out or received a
                 response.  This variable is incremented when a
                 CoA-Request is sent and decremented due to receipt of
                 a CoA-Ack, CoA-NAK or a timeout or a retransmission."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthServerEntry 22 }

   radiusDynAuthClientCoATimeouts OBJECT-TYPE
          SYNTAX Counter32
          UNITS "timeouts"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of CoA request timeouts to this server.
                 After a timeout the client may retry to the same
                 server or give up.  A retry to the same server is
                 counted as a retransmit as well as a timeout.  A send to
                 a different server is counted as a CoA-Request as well
                 as a timeout."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthServerEntry 23 }

   radiusDynAuthClientCoAPacketsDropped OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of incoming CoA-Responses from this Dynamic
                 Authorization server silently discarded by the client
                 application for some reason other than malformed, bad
                 authenticators or unknown types."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA), and Section 2.3, Packet Format."
          ::= { radiusDynAuthServerEntry 24 }

   radiusDynAuthClientUnknownTypes OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of incoming packets of unknown types
                 which were received on the Dynamic Authorization port."
          REFERENCE
                "RFC 3576, Section 2.3, Packet Format."
          ::= { radiusDynAuthServerEntry 25 }

   -- conformance information

   radiusDynAuthClientMIBConformance
          OBJECT IDENTIFIER ::= { radiusDynAuthClientMIB 2 }
   radiusDynAuthClientMIBCompliances
          OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 1 }
   radiusDynAuthClientMIBGroups
          OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 2 }

   -- compliance statements

   radiusDynAuthClientMIBCompliance MODULE-COMPLIANCE
          STATUS current
          DESCRIPTION
                "The compliance statement for entities implementing
                 the RADIUS Dynamic Authorization Client."
          MODULE -- this module
                 MANDATORY-GROUPS { radiusDynAuthClientMIBGroup }
          ::= { radiusDynAuthClientMIBCompliances 1 }

   -- units of conformance

   radiusDynAuthClientMIBGroup OBJECT-GROUP
          OBJECTS { radiusDynAuthClientInvalidServerAddresses,
                    radiusDynAuthServerAddressType,
                    radiusDynAuthServerAddress,
                    radiusDynAuthServerClientPortNumber,
                    radiusDynAuthServerID,
                    radiusDynAuthClientRoundTripTime,
                    radiusDynAuthClientDisconRequests,
                    radiusDynAuthClientDisconRetransmissions,
                    radiusDynAuthClientDisconAcks,
                    radiusDynAuthClientDisconNaks,
                    radiusDynAuthClientMalformedDisconResponses,
                    radiusDynAuthClientDisconBadAuthenticators,
                    radiusDynAuthClientDisconPendingRequests,
                    radiusDynAuthClientDisconTimeouts,
                    radiusDynAuthClientDisconPacketsDropped,
                    radiusDynAuthClientCoARequests,
                    radiusDynAuthClientCoARetransmissions,
                    radiusDynAuthClientCoAAcks,
                    radiusDynAuthClientCoANaks,
                    radiusDynAuthClientMalformedCoAResponses,
                    radiusDynAuthClientCoABadAuthenticators,
                    radiusDynAuthClientCoAPendingRequests,
                    radiusDynAuthClientCoATimeouts,
                    radiusDynAuthClientCoAPacketsDropped,
                    radiusDynAuthClientUnknownTypes
                  }
          STATUS current
          DESCRIPTION
                "The collection of objects providing management of
                 a RADIUS Dynamic Authorization Client."
          ::= { radiusDynAuthClientMIBGroups 1 }

   END

7.  Security Considerations

   There are no management objects defined in this MIB module that have
   a MAX-ACCESS clause of read-write and/or read-create.  So, if this
   MIB module is implemented correctly, then there is no risk that an
   intruder can alter or create any management objects of this MIB
   module via direct SNMP SET operations.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.
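   Before the per-object sensitivity list, an added example (Python,
   not code from the draft or from any DAC implementation) of how a DAC
   would drive the counters of the module above.  The packet codes are
   the RFC 3576 values and the authenticator rule is the RADIUS Response
   Authenticator, MD5(Code+ID+Length+RequestAuth+Attributes+Secret); the
   DasEntry class, its event methods, the check ordering (unknown type,
   then framing, then matching request, then authenticator) and the
   reading that a retry is a timeout (pending--) followed by a resend
   (pending++) are this example's own assumptions.  Counter names drop
   the common radiusDynAuthClient prefix.

```python
"""Per-server DAC statistics modelled on RADIUS-DYNAUTH-CLIENT-MIB.

Added illustration, not code from the draft.  Packet codes are the
RFC 3576 values; the Response Authenticator rule is the RADIUS one,
MD5(Code+ID+Length+RequestAuth+Attributes+Secret).  The class, its
event methods and the ordering of the checks are assumptions.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

DISCONNECT_ACK, DISCONNECT_NAK, COA_ACK, COA_NAK = 41, 42, 44, 45
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)
# Which half of the table row a response code belongs to.
FAMILY_OF_RESPONSE = {DISCONNECT_ACK: "Discon", DISCONNECT_NAK: "Discon",
                      COA_ACK: "CoA", COA_NAK: "CoA"}
# MIB objects with the radiusDynAuthClient prefix dropped.
COUNTER_NAMES = [f + s for f in ("Discon", "CoA") for s in (
    "Requests", "Retransmissions", "Acks", "Naks", "BadAuthenticators",
    "PendingRequests", "Timeouts", "PacketsDropped")] + [
    "MalformedDisconResponses", "MalformedCoAResponses", "UnknownTypes"]


def build_response(code, identifier, request_auth, secret, attributes=b""):
    """Encode an ACK/NAK carrying a correct Response Authenticator."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + auth + attributes


@dataclass
class DasEntry:
    """One conceptual row of radiusDynAuthServerTable, counters only."""
    secret: bytes
    counters: dict = field(default_factory=lambda: dict.fromkeys(COUNTER_NAMES, 0))
    outstanding: dict = field(default_factory=dict)  # identifier -> (family, request auth)

    def _bump(self, name):
        self.counters[name] += 1
        return name

    def send_request(self, family, identifier, request_auth, retransmit=False):
        """A fresh send counts as a Request, a retry as a Retransmission;
        either way the request becomes outstanding (pending gauge++)."""
        self._bump(family + ("Retransmissions" if retransmit else "Requests"))
        self.counters[family + "PendingRequests"] += 1
        self.outstanding[identifier] = (family, request_auth)

    def timeout(self, identifier):
        """Timeouts++ and pending--; a retry afterwards is send_request()
        with retransmit=True, so it counts as retransmit and as timeout."""
        family, _ = self.outstanding.pop(identifier)
        self.counters[family + "PendingRequests"] -= 1
        return self._bump(family + "Timeouts")

    def receive(self, packet: bytes) -> str:
        """Classify one packet from this server into exactly one counter
        and return the name of the counter that was bumped."""
        family = FAMILY_OF_RESPONSE.get(packet[0]) if packet else None
        if family is None:
            return self._bump("UnknownTypes")
        if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
            return self._bump("Malformed" + family + "Responses")
        identifier = packet[1]
        if self.outstanding.get(identifier, (None,))[0] != family:
            # nothing outstanding under this identifier: silently discarded
            return self._bump(family + "PacketsDropped")
        request_auth = self.outstanding[identifier][1]
        expected = hashlib.md5(packet[:4] + request_auth
                               + packet[HEADER_LEN:] + self.secret).digest()
        if not hmac.compare_digest(packet[4:HEADER_LEN], expected):
            return self._bump(family + "BadAuthenticators")
        del self.outstanding[identifier]
        self.counters[family + "PendingRequests"] -= 1
        is_ack = packet[0] in (DISCONNECT_ACK, COA_ACK)
        return self._bump(family + ("Acks" if is_ack else "Naks"))


def example_session():
    """Constructed exchange: a Disconnect that times out once and is
    retransmitted, a CoA answered first with a forged authenticator and
    then with a genuine NAK, plus stray packets of several kinds."""
    das = DasEntry(secret=b"constructed-shared-secret")
    rq1, rq2 = bytes(range(16)), bytes(16)      # constructed Request Authenticators
    das.send_request("Discon", 1, rq1)
    das.timeout(1)
    das.send_request("Discon", 1, rq1, retransmit=True)
    das.receive(build_response(DISCONNECT_ACK, 1, rq1, das.secret))
    das.send_request("CoA", 2, rq2)
    das.receive(build_response(COA_ACK, 2, rq2, b"wrong-secret"))       # bad authenticator
    das.receive(b"\x63\x02\x00\x14" + bytes(16))                        # code 99: unknown type
    das.receive(build_response(DISCONNECT_ACK, 7, rq2, das.secret))     # no request 7: dropped
    das.receive(build_response(COA_NAK, 2, rq2, das.secret)[:10])       # truncated: malformed
    das.receive(build_response(COA_NAK, 2, rq2, das.secret))            # genuine NAK
    return das.counters


if __name__ == "__main__":
    for name, value in example_session().items():
        if value:
            print(f"{name:28} {value}")
```

   The order of the checks matters for the counters: a truncated packet
   is counted as malformed before any authenticator check is attempted,
   a reply whose identifier matches no outstanding request is dropped
   without a secret ever being used, and only a reply that passes the
   authenticator check moves the pending gauge.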
   It is thus important to control even GET and/or NOTIFY access to
   these objects and possibly to even encrypt the values of these
   objects when sending them over the network via SNMP.  These are the
   tables and objects and their sensitivity/vulnerability:

   radiusDynAuthServerAddress and radiusDynAuthServerAddressType

      These can be used to determine the address of the DAS with which
      the DAC is communicating.  This information could be useful in
      mounting an attack on the DAS.

   radiusDynAuthServerID

      This can be used to determine the Identifier of the DAS.  This
      information could be useful in impersonating the DAS.

   radiusDynAuthServerClientPortNumber

      This can be used to determine the port number on which the DAC is
      sending.  This information could be useful in mounting an attack
      on the DAS.

   The other readable objects are not really considered as being
   sensitive or vulnerable.  These objects are:

      radiusDynAuthClientInvalidServerAddresses,
      radiusDynAuthClientRoundTripTime,
      radiusDynAuthClientDisconRequests,
      radiusDynAuthClientDisconRetransmissions,
      radiusDynAuthClientDisconAcks,
      radiusDynAuthClientDisconNaks,
      radiusDynAuthClientMalformedDisconResponses,
      radiusDynAuthClientDisconBadAuthenticators,
      radiusDynAuthClientDisconPendingRequests,
      radiusDynAuthClientDisconTimeouts,
      radiusDynAuthClientDisconPacketsDropped,
      radiusDynAuthClientCoARequests,
      radiusDynAuthClientCoARetransmissions,
      radiusDynAuthClientCoAAcks,
      radiusDynAuthClientCoANaks,
      radiusDynAuthClientMalformedCoAResponses,
      radiusDynAuthClientCoABadAuthenticators,
      radiusDynAuthClientCoAPendingRequests,
      radiusDynAuthClientCoATimeouts,
      radiusDynAuthClientCoAPacketsDropped, and
      radiusDynAuthClientUnknownTypes.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is still no control as to who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

8.  IANA considerations

   IANA is requested to assign an OID under mib-2.

9.  Acknowledgements

   This document reuses some of the work done in earlier RADIUS MIB
   specifications [RFC2619] and [RFC2621].

   The authors would also like to acknowledge the following people for
   their comments on this document: Anjaneyulu Pata, Dan Romascanu, and
   Bert Wijnen.

10.  References

10.1  Normative References

   [DYNSERV]  De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
              Authorization Server MIB",
              draft-decnodder-radext-dynauth-server-mib-01.txt, work in
              progress, June 2004.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578,
              April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 3576,
              July 2003.

10.2  Informative References

   [RFC2618]  Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB",
              RFC 2618, June 1999.

   [RFC2619]  Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB",
              RFC 2619, June 1999.

   [RFC2620]  Aboba, B. and G. Zorn, "RADIUS Accounting Client MIB",
              RFC 2620, June 1999.

   [RFC2621]  Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB",
              RFC 2621, June 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Stefaan De Cnodder
   Alcatel
   Francis Wellesplein 1
   B-2018 Antwerp
   Belgium

   Phone: +32 3 240 85 15
   Email: stefaan.de_cnodder@alcatel.be

   Nagi Reddy Jonnala
   Consult
   4-486, Nutakki
   AP, India, PIN: 522303

   Phone: +91 8645 275314
   Email: nagireddyj@yahoo.com

   Murtaza Chiba
   Cisco Systems, Inc.
   170 West Tasman Dr.
   San Jose CA, 95134

   Phone: +1 408 525 7198
   Email: mchiba@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.
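   Appendix-style added example, not part of the draft: the Security
   Considerations classify most of the per-server counters as not
   sensitive, and their value to an operator is precisely that they can
   be polled over SNMPv3 and compared between polls.  The Python below
   takes two constructed snapshots of radiusDynAuthServerTable (names
   with the radiusDynAuthClient prefix dropped) plus the scalar
   radiusDynAuthClientInvalidServerAddresses, handles Counter32 wrap,
   and turns rising BadAuthenticators, timeout ratios, UnknownTypes and
   InvalidServerAddresses into findings.  The thresholds and the wording
   of the findings are this example's own choices.

```python
"""Delta checks over polled RADIUS-DYNAUTH-CLIENT-MIB counters.

Added illustration, not part of the draft.  The two "polls" are
constructed rows of radiusDynAuthServerTable (radiusDynAuthClient
prefix dropped) plus the scalar InvalidServerAddresses; thresholds
are assumptions, not values from the draft.
"""
COUNTER32_MOD = 2 ** 32


def counter_delta(prev, cur):
    """Increase between two Counter32 readings, tolerating one wrap."""
    return (cur - prev) % COUNTER32_MOD


def assess_server(prev, cur, timeout_ratio=0.5):
    """Findings for one table row polled twice: (object, delta, meaning)."""
    findings = []
    for fam in ("Discon", "CoA"):
        bad = counter_delta(prev[fam + "BadAuthenticators"],
                            cur[fam + "BadAuthenticators"])
        if bad:
            findings.append((fam + "BadAuthenticators", bad,
                             "replies failed the authenticator check: shared-secret "
                             "mismatch on one side, or replies not from the DAS"))
        sent = (counter_delta(prev[fam + "Requests"], cur[fam + "Requests"])
                + counter_delta(prev[fam + "Retransmissions"],
                                cur[fam + "Retransmissions"]))
        timeouts = counter_delta(prev[fam + "Timeouts"], cur[fam + "Timeouts"])
        if sent and timeouts / sent >= timeout_ratio:
            findings.append((fam + "Timeouts", timeouts,
                             f"{timeouts} of {sent} sends timed out: "
                             "DAS down, filtered or overloaded"))
    unknown = counter_delta(prev["UnknownTypes"], cur["UnknownTypes"])
    if unknown:
        findings.append(("UnknownTypes", unknown,
                         "packets of unknown type arrived on the DAC port"))
    return findings


def assess_client(prev_invalid, cur_invalid):
    """The scalar: Disconnect/CoA messages from addresses that are no DAS."""
    d = counter_delta(prev_invalid, cur_invalid)
    return [("InvalidServerAddresses", d,
             "messages from unknown addresses: misconfigured peer "
             "or an unexpected sender reaching the DAC port")] if d else []


def row(**values):
    """Constructed table row with every counter zero unless overridden."""
    base = {f + s: 0 for f in ("Discon", "CoA")
            for s in ("Requests", "Retransmissions", "Timeouts", "BadAuthenticators")}
    base["UnknownTypes"] = 0
    base.update(values)
    return base


def example_report():
    """Two constructed polls, keyed by radiusDynAuthServerIndex.  Server 2's
    DisconBadAuthenticators wraps around between the polls."""
    poll1 = {1: row(DisconRequests=100),
             2: row(DisconBadAuthenticators=4294967290, CoARequests=10)}
    poll2 = {1: row(DisconRequests=120, DisconRetransmissions=10, DisconTimeouts=15),
             2: row(DisconBadAuthenticators=3, CoARequests=12, UnknownTypes=2)}
    invalid_before, invalid_after = 5, 7   # constructed scalar readings
    return {"servers": {i: assess_server(poll1[i], poll2[i]) for i in poll1},
            "client": assess_client(invalid_before, invalid_after)}


if __name__ == "__main__":
    report = example_report()
    for index, findings in report["servers"].items():
        for obj, delta, meaning in findings:
            print(f"server {index}: {obj} +{delta}: {meaning}")
    for obj, delta, meaning in report["client"]:
        print(f"client: {obj} +{delta}: {meaning}")
```

   Reading the counters this way keeps the monitoring on the DAC side
   of the trust boundary: nothing here needs the shared secret or the
   server address objects the draft marks as sensitive, so the poller
   can be given a read-only SNMPv3 view limited to the counter columns.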