Network Working Group                                      S. De Cnodder
Internet-Draft                                                   Alcatel
Expires: January 8, 2006                                      N. Jonnala
                                                                M. Chiba
                                                     Cisco Systems, Inc.
                                                            July 7, 2005


                    Dynamic Authorization Client MIB
               draft-ietf-radext-dynauth-client-mib-01.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 8, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes the RADIUS dynamic authorization client
   (DAC) functions that support the dynamic authorization extensions as
   defined in RFC3576.

Table of Contents

   1.  Requirements notation
   2.  Introduction
   3.  The Internet-Standard Management Framework
   4.  Terminology
   5.  Overview
   6.  RADIUS Dynamic Authorization Client MIB Definitions
   7.  Security Considerations
   8.  IANA considerations
   9.  Acknowledgements
   10. References
       10.1  Normative References
       10.2  Informative References
       Authors' Addresses
       Intellectual Property and Copyright Statements

1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   It is becoming increasingly important to support the Dynamic
   Authorization extensions on network access server (NAS) devices, so
   that they can handle the Disconnect and Change-of-Authorization (CoA)
   messages described in [RFC3576].  As a result, the effective
   management of RADIUS Dynamic Authorization entities is of
   considerable importance.  This MIB module complements the managed
   objects used for managing RADIUS authentication and accounting
   servers as described in [RFC2619] and [RFC2621], respectively.

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant with SMIv2, which is described in STD 58,
   RFC2578 [RFC2578], STD 58, RFC2579 [RFC2579] and STD 58, RFC2580
   [RFC2580].

4.  Terminology

   Dynamic Authorization Server (DAS)

      The component that resides on the NAS and processes the Disconnect
      and CoA requests sent by the Dynamic Authorization Client, as
      described in [RFC3576].

   Dynamic Authorization Client (DAC)

      The component that sends the Disconnect and CoA requests to the
      Dynamic Authorization Server, as described in [RFC3576].  This is
      typically a RADIUS Server, but is not limited to it and may, for
      example, be a Rating Engine used for Prepaid Billing.

   Dynamic Authorization Server Port

      The UDP port on which the Dynamic Authorization Server listens for
      the Disconnect and CoA requests sent by the Dynamic Authorization
      Client.

5.  Overview

   The RADIUS dynamic authorization extensions defined in [RFC3576]
   distinguish between the client function and the server function.
   [DYNSERV] defines the terms Dynamic Authorization Server (DAS) and
   Dynamic Authorization Client (DAC), the MIB for the DAS, and the
   relationship with other MIB modules.  This MIB module for the dynamic
   authorization client contains the following:

   1.  One scalar object

   2.  One Dynamic Authorization Server Table.  This table contains one
       row for each DAS that the DAC shares a secret with.

6.  RADIUS Dynamic Authorization Client MIB Definitions

   RADIUS-DYNAUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

   IMPORTS
          MODULE-IDENTITY, OBJECT-TYPE,
          Counter32, Gauge32, Integer32,
          mib-2, TimeTicks                  FROM SNMPv2-SMI
          SnmpAdminString                   FROM SNMP-FRAMEWORK-MIB
          InetAddressType, InetAddress,
          InetPortNumber                    FROM INET-ADDRESS-MIB
          MODULE-COMPLIANCE, OBJECT-GROUP   FROM SNMPv2-CONF;

   radiusDynAuthClientMIB MODULE-IDENTITY
          LAST-UPDATED "200507020000Z" -- 2 July 2005
          ORGANIZATION "IETF RADEXT Working Group"
          CONTACT-INFO
                 " Stefaan De Cnodder
                   Alcatel
                   Francis Wellesplein 1
                   B-2018 Antwerp
                   Belgium

                   Phone: +32 3 240 85 15
                   EMail: stefaan.de_cnodder@alcatel.be

                   Nagi Reddy Jonnala
                   Cisco Systems, Inc.
                   Divyasree Chambers, B Wing,
                   O'Shaugnessy Road,
                   Bangalore-560027, India.

                   Phone: +91 98456 99445
                   EMail: njonnala@cisco.com

                   Murtaza Chiba
                   Cisco Systems, Inc.
                   170 West Tasman Dr.
                   San Jose CA, 95134

                   Phone: +1 408 525 7198
                   EMail: mchiba@cisco.com "
          DESCRIPTION
                "The MIB module for entities implementing the client
                 side of the Dynamic Authorization extensions to the
                 Remote Authentication Dial In User Service (RADIUS)
                 protocol.

                 Copyright (C) The Internet Society (2005).  This initial
                 version of this MIB module was published in RFC yyyy;
                 for full legal notices see the RFC itself.  Supplementary
                 information may be available on
                 http://www.ietf.org/copyrights/ianamib.html."
          -- RFC Ed.: replace yyyy with actual RFC number & remove this note

          REVISION "200507020000Z" -- 2 July 2005
          DESCRIPTION "Initial version as published in RFC yyyy"
          -- RFC Ed.: replace yyyy with actual RFC number & remove this note
          ::= { radiusDynamicAuthorization 2 }

   radiusDynamicAuthorization OBJECT IDENTIFIER ::= { mib-2 xxx }
   -- The value xxx to be assigned by IANA.
   radiusDynAuthClientMIBObjects OBJECT IDENTIFIER ::=
                                       { radiusDynAuthClientMIB 1 }

   radiusDynAuthClient OBJECT IDENTIFIER ::=
                                       { radiusDynAuthClientMIBObjects 1 }

   radiusDynAuthClientDisconInvalidServerAddresses OBJECT-TYPE
         SYNTAX Counter32
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of Disconnect messages received from unknown
                addresses."
         ::= { radiusDynAuthClient 1 }

   radiusDynAuthClientCoAInvalidServerAddresses OBJECT-TYPE
         SYNTAX Counter32
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of CoA messages received from unknown
                addresses."
         ::= { radiusDynAuthClient 2 }

   radiusDynAuthServerTable OBJECT-TYPE
         SYNTAX SEQUENCE OF RadiusDynAuthServerEntry
         MAX-ACCESS not-accessible
         STATUS current
         DESCRIPTION
               "The (conceptual) table listing the RADIUS Dynamic
                Authorization servers with which the client shares a
                secret."
         ::= { radiusDynAuthClient 3 }

   radiusDynAuthServerEntry OBJECT-TYPE
         SYNTAX RadiusDynAuthServerEntry
         MAX-ACCESS not-accessible
         STATUS current
         DESCRIPTION
               "An entry (conceptual row) representing one Dynamic
                Authorization Server with which the client shares a
                secret."
         INDEX { radiusDynAuthServerIndex }
         ::= { radiusDynAuthServerTable 1 }

   RadiusDynAuthServerEntry ::= SEQUENCE {
         radiusDynAuthServerIndex                      Integer32,
         radiusDynAuthServerAddressType                InetAddressType,
         radiusDynAuthServerAddress                    InetAddress,
         radiusDynAuthServerClientPortNumber           InetPortNumber,
         radiusDynAuthServerID                         SnmpAdminString,
         radiusDynAuthClientRoundTripTime              TimeTicks,
         radiusDynAuthClientDisconRequests             Counter32,
         radiusDynAuthClientDisconRetransmissions      Counter32,
         radiusDynAuthClientDisconAcks                 Counter32,
         radiusDynAuthClientDisconNaks                 Counter32,
         radiusDynAuthClientMalformedDisconResponses   Counter32,
         radiusDynAuthClientDisconBadAuthenticators    Counter32,
         radiusDynAuthClientDisconPendingRequests      Gauge32,
         radiusDynAuthClientDisconTimeouts             Counter32,
         radiusDynAuthClientDisconPacketsDropped       Counter32,
         radiusDynAuthClientCoARequests                Counter32,
         radiusDynAuthClientCoARetransmissions         Counter32,
         radiusDynAuthClientCoAAcks                    Counter32,
         radiusDynAuthClientCoANaks                    Counter32,
         radiusDynAuthClientMalformedCoAResponses      Counter32,
         radiusDynAuthClientCoABadAuthenticators       Counter32,
         radiusDynAuthClientCoAPendingRequests         Gauge32,
         radiusDynAuthClientCoATimeouts                Counter32,
         radiusDynAuthClientCoAPacketsDropped          Counter32,
         radiusDynAuthClientUnknownTypes               Counter32
   }

   radiusDynAuthServerIndex OBJECT-TYPE
         SYNTAX Integer32 (1..2147483647)
         MAX-ACCESS not-accessible
         STATUS current
         DESCRIPTION
               "A number uniquely identifying each RADIUS Dynamic
                Authorization server with which this Dynamic
                Authorization client communicates.  This number is
                allocated by the agent implementing this MIB module,
                and is unique in this context."
         ::= { radiusDynAuthServerEntry 1 }

   radiusDynAuthServerAddressType OBJECT-TYPE
         SYNTAX InetAddressType
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The type of IP-Address of the RADIUS Dynamic
                Authorization server referred to in this table entry."
         ::= { radiusDynAuthServerEntry 2 }

   radiusDynAuthServerAddress OBJECT-TYPE
         SYNTAX InetAddress
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The IP-Address value of the RADIUS Dynamic
                Authorization server referred to in this table entry."
         ::= { radiusDynAuthServerEntry 3 }

   radiusDynAuthServerClientPortNumber OBJECT-TYPE
         SYNTAX InetPortNumber
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The UDP destination port that the RADIUS Dynamic
                Authorization client is using to send requests to this
                server."
         ::= { radiusDynAuthServerEntry 4 }

   radiusDynAuthServerID OBJECT-TYPE
         SYNTAX SnmpAdminString
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The NAS-Identifier of the RADIUS Dynamic
                Authorization server referred to in this table
                entry."
         REFERENCE
               "RFC 2865, Section 5.32, NAS-Identifier."
         ::= { radiusDynAuthServerEntry 5 }

   radiusDynAuthClientRoundTripTime OBJECT-TYPE
         SYNTAX TimeTicks
         UNITS "hundredths of a second"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The time interval (in hundredths of a second) between
                the most recent Disconnect or CoA request and the
                reception of the corresponding Disconnect or CoA reply.
                A value of zero is returned in case no reply has been
                received yet from this server."
         ::= { radiusDynAuthServerEntry 6 }

   radiusDynAuthClientDisconRequests OBJECT-TYPE
         SYNTAX Counter32
         UNITS "requests"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of RADIUS Disconnect-Requests sent
                to this Dynamic Authorization server."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthServerEntry 7 }

   radiusDynAuthClientDisconRetransmissions OBJECT-TYPE
         SYNTAX Counter32
         UNITS "retransmissions"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of RADIUS Disconnect-Request packets
                retransmitted to this RADIUS Dynamic Authorization
                server."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthServerEntry 8 }

   radiusDynAuthClientDisconAcks OBJECT-TYPE
         SYNTAX Counter32
         UNITS "replies"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of RADIUS Disconnect-ACK packets
                received from this Dynamic Authorization server."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthServerEntry 9 }

   radiusDynAuthClientDisconNaks OBJECT-TYPE
         SYNTAX Counter32
         UNITS "replies"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of RADIUS Disconnect-NAK packets
                received from this Dynamic Authorization server."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthServerEntry 10 }

   radiusDynAuthClientMalformedDisconResponses OBJECT-TYPE
         SYNTAX Counter32
         UNITS "replies"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of malformed RADIUS Disconnect-Response
                packets received from this Dynamic Authorization
                server.  Bad authenticators and unknown types are not
                included as malformed Disconnect-Responses."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 11 }

   radiusDynAuthClientDisconBadAuthenticators OBJECT-TYPE
         SYNTAX Counter32
         UNITS "replies"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of RADIUS Disconnect-Response packets
                received from this Dynamic Authorization server that
                contained an invalid Authenticator field."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 12 }

   radiusDynAuthClientDisconPendingRequests OBJECT-TYPE
         SYNTAX Gauge32
         UNITS "requests"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of RADIUS Disconnect-Request packets
                destined for this server that have not yet timed out
                or received a response.  This variable is incremented
                when a Disconnect-Request is sent and decremented
                due to receipt of a Disconnect-ACK or Disconnect-NAK,
                a timeout, or a retransmission."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthServerEntry 13 }

   radiusDynAuthClientDisconTimeouts OBJECT-TYPE
         SYNTAX Counter32
         UNITS "timeouts"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of Disconnect request timeouts to this
                server.  After a timeout the client may retry to the
                same server or give up.  A retry to the same server is
                counted as a retransmit as well as a timeout.  A send
                to a different server is counted as a
                Disconnect-Request as well as a timeout."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthServerEntry 14 }

   radiusDynAuthClientDisconPacketsDropped OBJECT-TYPE
         SYNTAX Counter32
         UNITS "replies"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of incoming Disconnect-Responses
                from this Dynamic Authorization server silently
                discarded by the client application for some reason
                other than malformed, bad authenticators or unknown
                types."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 15 }

   radiusDynAuthClientCoARequests OBJECT-TYPE
         SYNTAX Counter32
         UNITS "requests"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of RADIUS CoA-Requests sent to this
                Dynamic Authorization server."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthServerEntry 16 }

   radiusDynAuthClientCoARetransmissions OBJECT-TYPE
         SYNTAX Counter32
         UNITS "retransmissions"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of RADIUS CoA-Request packets
                retransmitted to this RADIUS Dynamic Authorization
                server."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthServerEntry 17 }

   radiusDynAuthClientCoAAcks OBJECT-TYPE
         SYNTAX Counter32
         UNITS "replies"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of RADIUS CoA-ACK packets
                received from this Dynamic Authorization server."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthServerEntry 18 }

   radiusDynAuthClientCoANaks OBJECT-TYPE
         SYNTAX Counter32
         UNITS "replies"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of RADIUS CoA-NAK packets
                received from this Dynamic Authorization server."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthServerEntry 19 }

   radiusDynAuthClientMalformedCoAResponses OBJECT-TYPE
         SYNTAX Counter32
         UNITS "replies"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of malformed RADIUS CoA-Response
                packets received from this Dynamic Authorization
                server.  Bad authenticators and unknown types are
                not included as malformed CoA-Responses."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA), and Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 20 }

   radiusDynAuthClientCoABadAuthenticators OBJECT-TYPE
         SYNTAX Counter32
         UNITS "replies"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of RADIUS CoA-Response packets
                received from this Dynamic Authorization server that
                contained an invalid Authenticator field."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA), and Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 21 }

   radiusDynAuthClientCoAPendingRequests OBJECT-TYPE
         SYNTAX Gauge32
         UNITS "requests"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of RADIUS CoA-Request packets destined for
                this server that have not yet timed out or received a
                response.  This variable is incremented when a
                CoA-Request is sent and decremented due to receipt of
                a CoA-ACK or CoA-NAK, a timeout, or a retransmission."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthServerEntry 22 }

   radiusDynAuthClientCoATimeouts OBJECT-TYPE
         SYNTAX Counter32
         UNITS "timeouts"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of CoA request timeouts to this server.
                After a timeout the client may retry to the same
                server or give up.  A retry to the same server is
                counted as a retransmit as well as a timeout.  A send to
                a different server is counted as a CoA-Request as well
                as a timeout."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthServerEntry 23 }

   radiusDynAuthClientCoAPacketsDropped OBJECT-TYPE
         SYNTAX Counter32
         UNITS "replies"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of incoming CoA-Responses from this Dynamic
                Authorization server silently discarded by the client
                application for some reason other than malformed, bad
                authenticators or unknown types."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA), and Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 24 }

   radiusDynAuthClientUnknownTypes OBJECT-TYPE
         SYNTAX Counter32
         UNITS "replies"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of incoming packets of unknown types
                which were received on the Dynamic Authorization port."
         REFERENCE
               "RFC 3576, Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 25 }

   -- conformance information

   radiusDynAuthClientMIBConformance
         OBJECT IDENTIFIER ::= { radiusDynAuthClientMIB 2 }
   radiusDynAuthClientMIBCompliances
         OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 1 }
   radiusDynAuthClientMIBGroups
         OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 2 }

   -- compliance statements

   radiusDynAuthClientMIBCompliance MODULE-COMPLIANCE
         STATUS current
         DESCRIPTION
               "The compliance statement for entities implementing
                the RADIUS Dynamic Authorization Client."
         MODULE -- this module
         MANDATORY-GROUPS { radiusDynAuthClientMIBGroup }
         ::= { radiusDynAuthClientMIBCompliances 1 }

   -- units of conformance

   radiusDynAuthClientMIBGroup OBJECT-GROUP
         OBJECTS { radiusDynAuthClientDisconInvalidServerAddresses,
                   radiusDynAuthClientCoAInvalidServerAddresses,
                   radiusDynAuthServerAddressType,
                   radiusDynAuthServerAddress,
                   radiusDynAuthServerClientPortNumber,
                   radiusDynAuthServerID,
                   radiusDynAuthClientRoundTripTime,
                   radiusDynAuthClientDisconRequests,
                   radiusDynAuthClientDisconRetransmissions,
                   radiusDynAuthClientDisconAcks,
                   radiusDynAuthClientDisconNaks,
                   radiusDynAuthClientMalformedDisconResponses,
                   radiusDynAuthClientDisconBadAuthenticators,
                   radiusDynAuthClientDisconPendingRequests,
                   radiusDynAuthClientDisconTimeouts,
                   radiusDynAuthClientDisconPacketsDropped,
                   radiusDynAuthClientCoARequests,
                   radiusDynAuthClientCoARetransmissions,
                   radiusDynAuthClientCoAAcks,
                   radiusDynAuthClientCoANaks,
                   radiusDynAuthClientMalformedCoAResponses,
                   radiusDynAuthClientCoABadAuthenticators,
                   radiusDynAuthClientCoAPendingRequests,
                   radiusDynAuthClientCoATimeouts,
                   radiusDynAuthClientCoAPacketsDropped,
                   radiusDynAuthClientUnknownTypes
                 }
         STATUS current
         DESCRIPTION
               "The collection of objects providing management of
                a RADIUS Dynamic Authorization Client."
         ::= { radiusDynAuthClientMIBGroups 1 }

   END

7.  Security Considerations

   There are no management objects defined in this MIB module that have
   a MAX-ACCESS clause of read-write and/or read-create.  So, if this
   MIB module is implemented correctly, then there is no risk that an
   intruder can alter or create any management objects of this MIB
   module via direct SNMP SET operations.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

   radiusDynAuthServerAddress and radiusDynAuthServerAddressType

      These can be used to determine the address of the DAS with which
      the DAC is communicating.  This information could be useful in
      mounting an attack on the DAS.

   radiusDynAuthServerID

      This can be used to determine the Identifier of the DAS.  This
      information could be useful in impersonating the DAS.

   radiusDynAuthServerClientPortNumber

      This can be used to determine the destination port number to which
      the DAC is sending.  This information could be useful in mounting
      an attack on the DAS.

   The other readable objects are not really considered as being
   sensitive or vulnerable.  These objects are:

      radiusDynAuthClientDisconInvalidServerAddresses,
      radiusDynAuthClientCoAInvalidServerAddresses,
      radiusDynAuthClientRoundTripTime,
      radiusDynAuthClientDisconRequests,
      radiusDynAuthClientDisconRetransmissions,
      radiusDynAuthClientDisconAcks,
      radiusDynAuthClientDisconNaks,
      radiusDynAuthClientMalformedDisconResponses,
      radiusDynAuthClientDisconBadAuthenticators,
      radiusDynAuthClientDisconPendingRequests,
      radiusDynAuthClientDisconTimeouts,
      radiusDynAuthClientDisconPacketsDropped,
      radiusDynAuthClientCoARequests,
      radiusDynAuthClientCoARetransmissions,
      radiusDynAuthClientCoAAcks,
      radiusDynAuthClientCoANaks,
      radiusDynAuthClientMalformedCoAResponses,
      radiusDynAuthClientCoABadAuthenticators,
      radiusDynAuthClientCoAPendingRequests,
      radiusDynAuthClientCoATimeouts,
      radiusDynAuthClientCoAPacketsDropped, and
      radiusDynAuthClientUnknownTypes.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example, by using IPSec),
   there is still no control as to who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

8.  IANA considerations

   IANA is requested to assign an OID under mib-2.

9.  Acknowledgements

   This document reuses some of the work done in earlier RADIUS MIB
   specifications [RFC2619] and [RFC2621].

   The authors would also like to acknowledge the following people for
   their comments on this document: Anjaneyulu Pata, Dan Romascanu, and
   Bert Wijnen.

10.  References

10.1  Normative References

   [DYNSERV]  De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
              Authorization Server MIB",
              draft-decnodder-radext-dynauth-server-mib-01.txt, work in
              progress, June 2004.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578,
              April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 3576,
              July 2003.

10.2  Informative References

   [RFC2618]  Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB",
              RFC 2618, June 1999.

   [RFC2619]  Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB",
              RFC 2619, June 1999.

   [RFC2620]  Aboba, B. and G. Zorn, "RADIUS Accounting Client MIB",
              RFC 2620, June 1999.

   [RFC2621]  Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB",
              RFC 2621, June 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Stefaan De Cnodder
   Alcatel
   Francis Wellesplein 1
   B-2018 Antwerp
   Belgium

   Phone: +32 3 240 85 15
   Email: stefaan.de_cnodder@alcatel.be


   Nagi Reddy Jonnala
   Cisco Systems, Inc.
   Divyasree Chambers, B Wing, O'Shaugnessy Road
   Bangalore-560027, India

   Phone: +91 98456 99445
   Email: njonnala@cisco.com


   Murtaza Chiba
   Cisco Systems, Inc.
   170 West Tasman Dr.
   San Jose CA, 95134

   Phone: +1 408 525 7198
   Email: mchiba@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.
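As an added example that is not part of this draft or of any implementation it describes: a Python model of the Disconnect-side counters in radiusDynAuthServerEntry (the CoA objects mirror them) and of the radiusDynAuthClientDisconInvalidServerAddresses scalar, driven by the counting rules given in the DESCRIPTION clauses of Section 6, so that an agent implementer can see how one request, one timeout with retry or failover, and each kind of bad reply move the counters. The packet header and the Response Authenticator rule (MD5 over Code, Identifier, Length, Request Authenticator, Attributes and shared secret) come from RFC 3576 section 2.3. The order in which an incoming packet is tested, the treatment of a retransmitted packet as outstanding again, the dropping of replies with no matching Identifier, and all class, attribute and address values are assumptions of this example.

```python
import hashlib
import os
import struct
from dataclasses import dataclass

DISCONNECT_ACK, DISCONNECT_NAK = 41, 42   # RFC 3576 packet codes
HEADER = struct.Struct("!BBH16s")         # Code, Identifier, Length, Authenticator


@dataclass
class ServerRow:
    """One radiusDynAuthServerEntry, Disconnect-side objects only (assumed names)."""
    address: str
    secret: bytes
    disconRequests: int = 0
    disconRetransmissions: int = 0
    disconAcks: int = 0
    disconNaks: int = 0
    malformedDisconResponses: int = 0
    disconBadAuthenticators: int = 0
    disconPendingRequests: int = 0      # Gauge32; all others are Counter32
    disconTimeouts: int = 0
    disconPacketsDropped: int = 0
    unknownTypes: int = 0


class DynAuthClientAgent:
    def __init__(self, servers):
        # radiusDynAuthServerIndex is allocated by the agent; here simply 1..n
        self.table = {i: ServerRow(a, s) for i, (a, s) in enumerate(servers, 1)}
        self.by_addr = {row.address: i for i, row in self.table.items()}
        self.disconInvalidServerAddresses = 0   # scalar, lives outside the table
        self.outstanding = {}                   # (index, identifier) -> Request Authenticator

    def send_disconnect(self, idx, ident):
        """A new Disconnect-Request counts as a request and becomes pending."""
        row = self.table[idx]
        row.disconRequests += 1
        row.disconPendingRequests += 1
        self.outstanding[(idx, ident)] = os.urandom(16)
        return self.outstanding[(idx, ident)]

    def timeout(self, idx, ident, retry_idx=None):
        """Timeouts rule: retry to the same server = retransmission + timeout;
        send to another server = new Disconnect-Request + timeout; else give up."""
        row = self.table[idx]
        row.disconTimeouts += 1
        row.disconPendingRequests -= 1
        if retry_idx is None:
            self.outstanding.pop((idx, ident))
            return None
        if retry_idx == idx:
            # Assumption: the retransmitted packet is outstanding again
            row.disconRetransmissions += 1
            row.disconPendingRequests += 1
            return self.outstanding[(idx, ident)]
        self.outstanding.pop((idx, ident))
        return self.send_disconnect(retry_idx, ident)

    def receive(self, src_addr, packet):
        """Classify one incoming packet; the test order (source, length, code,
        matching request, Response Authenticator, ACK/NAK) is an assumption."""
        idx = self.by_addr.get(src_addr)
        if idx is None:
            self.disconInvalidServerAddresses += 1
            return "invalid-server-address"
        row = self.table[idx]
        hdr = HEADER.unpack_from(packet) if len(packet) >= HEADER.size else None
        if hdr is None or hdr[2] != len(packet):
            row.malformedDisconResponses += 1
            return "malformed"
        code, ident, _, auth = hdr
        if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
            row.unknownTypes += 1
            return "unknown-type"
        req_auth = self.outstanding.get((idx, ident))
        if req_auth is None:
            row.disconPacketsDropped += 1
            return "dropped"
        # RFC 3576 2.3: ResponseAuth = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
        expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + row.secret).digest()
        if auth != expected:
            row.disconBadAuthenticators += 1
            return "bad-authenticator"
        del self.outstanding[(idx, ident)]
        row.disconPendingRequests -= 1
        if code == DISCONNECT_ACK:
            row.disconAcks += 1
            return "ack"
        row.disconNaks += 1
        return "nak"


def build_response(code, ident, req_auth, secret, attrs=b""):
    """Constructed DAS reply carrying a valid Response Authenticator."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs
```

Feeding the model a reply signed with the wrong secret leaves the request pending, which is exactly the state the radiusDynAuthClientDisconBadAuthenticators and radiusDynAuthClientDisconPendingRequests objects let an operator observe together.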