Network Working Group                                      S. De Cnodder
Internet-Draft                                                   Alcatel
Expires: November 19, 2005                                    N. Jonnala
                                                                 Consult
                                                                M. Chiba
                                                     Cisco Systems, Inc.
                                                            May 18, 2005

                   Dynamic Authorization Server MIB
              draft-ietf-radext-dynauth-server-mib-00.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 19, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes the RADIUS dynamic authorization server
   (DAS) functions that support the dynamic authorization extensions as
   defined in RFC 3576.

Table of Contents

   1.  Requirements notation
   2.  Introduction
   3.  The Internet-Standard Management Framework
   4.  Terminology
   5.  Overview
   6.  RADIUS Dynamic Authorization Server MIB Definitions
   7.  Security Considerations
   8.  IANA considerations
   9.  Acknowledgements
   10. References
       10.1  Normative References
       10.2  Informative References
       Authors' Addresses
       Intellectual Property and Copyright Statements

1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   It is becoming increasingly important to support Dynamic
   Authorization extensions on the network access server (NAS) devices
   to handle the Disconnect and Change-of-Authorization (CoA) messages
   as described in [RFC3576].  As a result, the effective management of
   RADIUS Dynamic Authorization entities is of considerable importance.
   It complements the managed objects used for managing RADIUS
   authentication and accounting clients as described in [RFC2618] and
   [RFC2620], respectively.

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).
   This memo specifies a MIB module that is compliant to the SMIv2,
   which is described in STD 58, RFC2578 [RFC2578], STD 58, RFC2579
   [RFC2579] and STD 58, RFC2580 [RFC2580].

4.  Terminology

   Dynamic Authorization Server (DAS)

      The component that resides on the NAS which processes the
      Disconnect and CoA requests sent by the Dynamic Authorization
      Client as described in [RFC3576].

   Dynamic Authorization Client (DAC)

      The component which sends the Disconnect and CoA requests to the
      Dynamic Authorization Server as described in [RFC3576].

   Dynamic Authorization Server Port

      The UDP port on which the Dynamic Authorization server listens for
      the Disconnect and CoA requests sent by the Dynamic Authorization
      Client.

5.  Overview

   The RADIUS dynamic authorization extensions defined in [RFC3576]
   distinguish between the client function and the server function.  In
   RADIUS dynamic authorization, clients send Disconnect-Requests and
   CoA-Requests, and servers reply with Disconnect-Acks, CoA-Acks, and
   CoA-NAKs.  Typically NAS devices implement the DAS function, and thus
   would be expected to implement the RADIUS dynamic authorization
   server MIB, while DACs implement the client function, and thus would
   be expected to implement the RADIUS dynamic authorization client MIB.

   However, it is possible for a RADIUS dynamic authorization entity to
   perform both client and server functions.  For example, a RADIUS
   proxy may act as a DAS to one or more DACs, while simultaneously
   acting as a DAC to one or more DASs.  In such situations, it is
   expected that RADIUS entities combining client and server
   functionality will support both the client and server MIBs.

   This memo describes the MIB for dynamic authorization servers and
   relates to the following documents as follows:

   [RFC2618] describes the MIB for a RADIUS authentication client.
   [RFC2619] describes the MIB for a RADIUS authentication server.

   [RFC2620] describes the MIB for a RADIUS accounting client.

   [RFC2621] describes the MIB for a RADIUS accounting server.

   [DYNCLNT] describes the MIB for a RADIUS dynamic authorization
   client.

   A NAS typically implements the MIBs for a RADIUS authentication
   client, a RADIUS accounting client, and a RADIUS dynamic
   authorization server.  However, there is no strict relationship
   between these three MIBs, i.e. one MIB can be implemented without
   implementing the other MIBs.  Similarly, for the other 3 MIBs
   mentioned above, a typical case would be where the MIBs for a RADIUS
   authentication server, a RADIUS accounting server, and a RADIUS
   dynamic authorization client are implemented by the same device.
   However, these 3 MIBs can also be implemented independently of each
   other.  A RADIUS proxy might implement any of these 6 MIBs, but can
   also implement any subset of these MIBs.

             +---------------+                      +---------------+
   User 1----|               |  Disconnect-Request  |               |
             |    Dynamic    |      CoA-Request     |    Dynamic    |
   User 2----| Authorization |<---------------------| Authorization |
             |    Server     |--------------------->|    Client     |
   User 3----|     (DAS)     |    Disconnect-Ack    |     (DAC)     |
             |               |    Disconnect-NAK    |               |
             +---------------+    CoA-Ack/CoA-NAK   +---------------+

                  Figure 1: Mapping of clients and servers.

   This MIB module for the dynamic authorization server contains the
   following:

   1.  Two scalar objects

   2.  One Dynamic Authorization Client Table.  This table contains one
       row for each DAC that the DAS shares a secret with.
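   As an added illustration (example code, not part of the draft or of any NAS implementation), the following Python classifier shows how a DAS agent could sort each datagram arriving on the dynamic authorization port into the counters this MIB defines: the radiusDynAuthServerInvalidClientAddresses scalar for unknown sources, and per-DAC table columns for unknown types, malformed requests, bad authenticators, duplicates and accepted requests.  The packet codes and the Request Authenticator rule are those of RFC 3576 Section 2.3; the client table, shared secrets and sample packets are constructed, and the duplicate cache keyed on Identifier and Authenticator is a simplification of the real short-window duplicate detection.

```python
# Added example (not from the draft): a DAS-side classifier feeding the counters
# of RADIUS-DYNAUTH-SERVER-MIB. Packet codes and the Request Authenticator rule
# come from RFC 3576 Section 2.3; client table and sample packets are constructed.
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43          # RFC 3576 packet codes
HEADER = struct.Struct("!BBH16s")                 # Code, Identifier, Length, Authenticator
KINDS = {DISCONNECT_REQUEST: "Discon", COA_REQUEST: "CoA"}
SUFFIXES = ("Requests", "DupRequests", "MalformedRequests", "BadAuthenticators")


def counter_name(kind, suffix):
    """Map (message kind, counter) to the client-table column name, e.g.
    ("Discon", "MalformedRequests") -> radiusDynAuthServMalformedDisconRequests."""
    if suffix == "MalformedRequests":
        return f"radiusDynAuthServMalformed{kind}Requests"
    if suffix == "DupRequests":
        return f"radiusDynAuthServDup{kind}Requests"
    return f"radiusDynAuthServ{kind}{suffix}"


def parse_attributes(body):
    """Split the attribute area into (type, value) pairs; None if any TLV is malformed."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            return None
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return None
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return attrs


def request_authenticator(code, ident, length, attrs_bytes, secret):
    """RFC 3576 Section 2.3: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    zeroed = HEADER.pack(code, ident, length, b"\x00" * 16)
    return hashlib.md5(zeroed + attrs_bytes + secret).digest()


def build_request(code, ident, attrs, secret):
    """Assemble a request the way a DAC would; used here only to construct sample input."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    length = HEADER.size + len(body)
    auth = request_authenticator(code, ident, length, body, secret)
    return HEADER.pack(code, ident, length, auth) + body


class DynAuthServerStats:
    """The MIB's scalar counter plus one radiusDynAuthClientEntry row per known DAC."""

    def __init__(self, clients):
        # clients: {source address: shared secret}, one table row per DAC (constructed).
        self.secrets = dict(clients)
        self.radiusDynAuthServerInvalidClientAddresses = 0
        self.rows = {addr: dict.fromkeys(
            [counter_name(k, s) for k in KINDS.values() for s in SUFFIXES]
            + ["radiusDynAuthServUnknownTypes"], 0) for addr in clients}
        # Duplicate detection keyed on (Identifier, Authenticator); a real agent
        # would age these entries out, which is omitted here for brevity.
        self.seen = {addr: set() for addr in clients}

    def ingest(self, src, packet):
        """Classify one datagram, bump the matching counters and return the verdict."""
        if src not in self.secrets:
            self.radiusDynAuthServerInvalidClientAddresses += 1
            return "invalid-client-address"
        row = self.rows[src]
        if not packet or packet[0] not in KINDS:
            row["radiusDynAuthServUnknownTypes"] += 1
            return "unknown-type"
        kind = KINDS[packet[0]]
        row[counter_name(kind, "Requests")] += 1   # every request of this kind is counted
        if len(packet) < HEADER.size:
            row[counter_name(kind, "MalformedRequests")] += 1
            return "malformed"
        code, ident, length, auth = HEADER.unpack_from(packet)
        attrs_bytes = packet[HEADER.size:length]   # octets beyond Length are padding
        if not HEADER.size <= length <= len(packet) or parse_attributes(attrs_bytes) is None:
            row[counter_name(kind, "MalformedRequests")] += 1
            return "malformed"
        expected = request_authenticator(code, ident, length, attrs_bytes, self.secrets[src])
        if not hmac.compare_digest(expected, auth):
            row[counter_name(kind, "BadAuthenticators")] += 1
            return "bad-authenticator"
        if (ident, auth) in self.seen[src]:
            row[counter_name(kind, "DupRequests")] += 1
            return "duplicate"
        self.seen[src].add((ident, auth))
        return "accepted"


if __name__ == "__main__":
    stats = DynAuthServerStats({"192.0.2.10": b"example-secret"})
    pkt = build_request(DISCONNECT_REQUEST, 7, [(44, b"sess-0001")], b"example-secret")
    for label, datagram in [("good", pkt), ("replay", pkt), ("truncated", pkt[:-3])]:
        print(label, "->", stats.ingest("192.0.2.10", datagram))   # accepted, duplicate, malformed
    print(stats.rows["192.0.2.10"])
```

   Attribute type 44 in the sample is Acct-Session-Id; a real DAS would go on to match it against its session table before answering with an ACK or NAK, which is outside what this classifier shows.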
6.  RADIUS Dynamic Authorization Server MIB Definitions

RADIUS-DYNAUTH-SERVER-MIB DEFINITIONS ::= BEGIN

IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE,
       Counter32, Integer32, mib-2              FROM SNMPv2-SMI
       SnmpAdminString                          FROM SNMP-FRAMEWORK-MIB
       InetAddressType, InetAddress             FROM INET-ADDRESS-MIB
       MODULE-COMPLIANCE, OBJECT-GROUP          FROM SNMPv2-CONF;

radiusDynAuthServerMIB MODULE-IDENTITY
       LAST-UPDATED "200505160000Z" -- 16 May 2005
       ORGANIZATION "IETF RADEXT Working Group"
       CONTACT-INFO
              " Stefaan De Cnodder
                Alcatel
                Francis Wellesplein 1
                B-2018 Antwerp
                Belgium

                Phone: +32 3 240 85 15
                EMail: stefaan.de_cnodder@alcatel.be

                Nagi Reddy Jonnala
                Consult
                4-486, Nutakki
                AP, India, PIN: 522303

                Phone: +91 8645 275314
                EMail: nagireddyj@yahoo.com

                Murtaza Chiba
                Cisco Systems, Inc.
                170 West Tasman Dr.
                San Jose CA, 95134

                Phone: +1 408 525 7198
                EMail: mchiba@cisco.com "
       DESCRIPTION
             "The MIB module for entities implementing the server
              side of the Dynamic Authorization extensions to the
              Remote Authentication Dial In User Service (RADIUS)
              protocol.

              Copyright (C) The Internet Society (2005).  This initial
              version of this MIB module was published in RFC yyyy;
              for full legal notices see the RFC itself.  Supplementary
              information may be available on
              http://www.ietf.org/copyrights/ianamib.html."
       -- RFC Ed.: replace yyyy with actual RFC number & remove this note

       REVISION "200505160000Z" -- 16 May 2005
       DESCRIPTION "Initial version as published in RFC yyyy."
       -- RFC Ed.: replace yyyy with actual RFC number & remove this note
       ::= { radiusDynamicAuthorization 1 }

radiusDynamicAuthorization OBJECT IDENTIFIER ::= { mib-2 xxx }
-- The value xxx to be assigned by IANA.
radiusDynAuthServerMIBObjects OBJECT IDENTIFIER ::=
                                  { radiusDynAuthServerMIB 1 }

radiusDynAuthServer OBJECT IDENTIFIER ::=
                                  { radiusDynAuthServerMIBObjects 1 }

radiusDynAuthServerInvalidClientAddresses OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS dynamic authorization messages
             (both Disconnect and CoA) received from unknown
             addresses."
      ::= { radiusDynAuthServer 1 }

radiusDynAuthServerIdentifier OBJECT-TYPE
      SYNTAX SnmpAdminString
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The NAS-Identifier of the RADIUS dynamic authorization
             server."
      REFERENCE
            "RFC 2865, Section 5.32, NAS-Identifier."
      ::= { radiusDynAuthServer 2 }

radiusDynAuthClientTable OBJECT-TYPE
      SYNTAX SEQUENCE OF RadiusDynAuthClientEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
            "The (conceptual) table listing the RADIUS dynamic
             authorization clients with which the server shares a
             secret."
      ::= { radiusDynAuthServer 3 }

radiusDynAuthClientEntry OBJECT-TYPE
      SYNTAX RadiusDynAuthClientEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
            "An entry (conceptual row) representing one Dynamic
             Authorization Client with which the server shares a
             secret."
      INDEX { radiusDynAuthClientIndex }
      ::= { radiusDynAuthClientTable 1 }

RadiusDynAuthClientEntry ::= SEQUENCE {
      radiusDynAuthClientIndex                     Integer32,
      radiusDynAuthClientAddressType               InetAddressType,
      radiusDynAuthClientAddress                   InetAddress,
      radiusDynAuthServDisconRequests              Counter32,
      radiusDynAuthServDupDisconRequests           Counter32,
      radiusDynAuthServDisconAcks                  Counter32,
      radiusDynAuthServDisconNaks                  Counter32,
      radiusDynAuthServDisconUserSessRemoved       Counter32,
      radiusDynAuthServMalformedDisconRequests     Counter32,
      radiusDynAuthServDisconBadAuthenticators     Counter32,
      radiusDynAuthServDisconPacketsDropped        Counter32,
      radiusDynAuthServCoARequests                 Counter32,
      radiusDynAuthServDupCoARequests              Counter32,
      radiusDynAuthServCoAAcks                     Counter32,
      radiusDynAuthServCoANaks                     Counter32,
      radiusDynAuthServCoAUserSessChanged          Counter32,
      radiusDynAuthServMalformedCoARequests        Counter32,
      radiusDynAuthServCoABadAuthenticators        Counter32,
      radiusDynAuthServCoAPacketsDropped           Counter32,
      radiusDynAuthServUnknownTypes                Counter32
}

radiusDynAuthClientIndex OBJECT-TYPE
      SYNTAX Integer32 (1..2147483647)
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
            "A number uniquely identifying each RADIUS dynamic
             authorization client with which this Dynamic
             Authorization Server communicates.  This number is
             allocated by the agent implementing this MIB module,
             and is unique in this context."
      ::= { radiusDynAuthClientEntry 1 }

radiusDynAuthClientAddressType OBJECT-TYPE
      SYNTAX InetAddressType
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The type of IP-Address of the RADIUS Dynamic
             Authorization Client referred to in this table entry."
      ::= { radiusDynAuthClientEntry 2 }

radiusDynAuthClientAddress OBJECT-TYPE
      SYNTAX InetAddress
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The IP-Address value of the RADIUS Dynamic
             Authorization Client referred to in this table entry."
      ::= { radiusDynAuthClientEntry 3 }

radiusDynAuthServDisconRequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Disconnect-Requests received
             from this Dynamic Authorization Client."
      REFERENCE
            "RFC 3576, Section 2.1, Disconnect Messages (DM)."
      ::= { radiusDynAuthClientEntry 4 }

radiusDynAuthServDupDisconRequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of duplicate RADIUS Disconnect-Request
             packets received from this Dynamic Authorization
             Client."
      REFERENCE
            "RFC 3576, Section 2.1, Disconnect Messages (DM)."
      ::= { radiusDynAuthClientEntry 5 }

radiusDynAuthServDisconAcks OBJECT-TYPE
      SYNTAX Counter32
      UNITS "replies"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Disconnect-ACK packets
             sent to this Dynamic Authorization Client."
      REFERENCE
            "RFC 3576, Section 2.1, Disconnect Messages (DM)."
      ::= { radiusDynAuthClientEntry 6 }

radiusDynAuthServDisconNaks OBJECT-TYPE
      SYNTAX Counter32
      UNITS "replies"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Disconnect-NAK packets
             sent to this Dynamic Authorization Client."
      REFERENCE
            "RFC 3576, Section 2.1, Disconnect Messages (DM)."
      ::= { radiusDynAuthClientEntry 7 }

radiusDynAuthServDisconUserSessRemoved OBJECT-TYPE
      SYNTAX Counter32
      UNITS "sessions"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of user sessions removed for the
             Disconnect-Requests received from this
             Dynamic Authorization Client.  Depending on site
             specific policies, a single Disconnect request
             can remove multiple user sessions.  In the case this
             Dynamic Authorization Server has no knowledge of
             the number of user sessions that are affected, then
             it counts a single user session for each such
             Disconnect-Request."
      REFERENCE
            "RFC 3576, Section 2.1, Disconnect Messages (DM)."
      ::= { radiusDynAuthClientEntry 8 }

radiusDynAuthServMalformedDisconRequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of malformed RADIUS Disconnect-Request
             packets received from this Dynamic Authorization
             Client.  Bad authenticators and unknown types are not
             included as malformed Disconnect-Requests."
      REFERENCE
            "RFC 3576, Section 2.1, Disconnect Messages (DM), and
             Section 2.3, Packet Format."
      ::= { radiusDynAuthClientEntry 9 }

radiusDynAuthServDisconBadAuthenticators OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Disconnect-Request packets
             which contained invalid Signature attributes
             received from this Dynamic Authorization Client."
      REFERENCE
            "RFC 3576, Section 2.1, Disconnect Messages (DM), and
             Section 2.3, Packet Format."
      ::= { radiusDynAuthClientEntry 10 }

radiusDynAuthServDisconPacketsDropped OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of incoming Disconnect-Requests
             from this Dynamic Authorization Client silently
             discarded by the server application for some reason
             other than malformed, bad authenticators or unknown
             types."
      REFERENCE
            "RFC 3576, Section 2.1, Disconnect Messages (DM), and
             Section 2.3, Packet Format."
      ::= { radiusDynAuthClientEntry 11 }

radiusDynAuthServCoARequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of CoA requests received from this
             Dynamic Authorization Client."
      REFERENCE
            "RFC 3576, Section 2.2, Change-of-Authorization
             Messages (CoA)."
      ::= { radiusDynAuthClientEntry 12 }

radiusDynAuthServDupCoARequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of duplicate RADIUS CoA-Request
             packets received from this Dynamic Authorization
             Client."
      REFERENCE
            "RFC 3576, Section 2.2, Change-of-Authorization
             Messages (CoA)."
      ::= { radiusDynAuthClientEntry 13 }

radiusDynAuthServCoAAcks OBJECT-TYPE
      SYNTAX Counter32
      UNITS "replies"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS CoA-ACK packets
             sent to this Dynamic Authorization Client."
      REFERENCE
            "RFC 3576, Section 2.2, Change-of-Authorization
             Messages (CoA)."
      ::= { radiusDynAuthClientEntry 14 }

radiusDynAuthServCoANaks OBJECT-TYPE
      SYNTAX Counter32
      UNITS "replies"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS CoA-NAK packets
             sent to this Dynamic Authorization Client."
      REFERENCE
            "RFC 3576, Section 2.2, Change-of-Authorization
             Messages (CoA)."
      ::= { radiusDynAuthClientEntry 15 }

radiusDynAuthServCoAUserSessChanged OBJECT-TYPE
      SYNTAX Counter32
      UNITS "sessions"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of user sessions whose authorization was
             changed for the CoA-Requests received from this
             Dynamic Authorization Client.  Depending on site
             specific policies, a single CoA request can change
             the authorization of multiple user sessions.  In the
             case this Dynamic Authorization Server has no knowledge
             of the number of user sessions that are affected, then
             it counts a single user session for each such
             CoA-Request."
      REFERENCE
            "RFC 3576, Section 2.2, Change-of-Authorization
             Messages (CoA)."
      ::= { radiusDynAuthClientEntry 16 }

radiusDynAuthServMalformedCoARequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of malformed RADIUS CoA-Request
             packets received from this Dynamic Authorization
             Client.  Bad authenticators and unknown types are not
             included as malformed CoA-Requests."
      REFERENCE
            "RFC 3576, Section 2.2, Change-of-Authorization
             Messages (CoA), and Section 2.3, Packet Format."
      ::= { radiusDynAuthClientEntry 17 }

radiusDynAuthServCoABadAuthenticators OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS CoA-Request packets which
             contained invalid Signature attributes received
             from this Dynamic Authorization Client."
      REFERENCE
            "RFC 3576, Section 2.2, Change-of-Authorization
             Messages (CoA), and Section 2.3, Packet Format."
      ::= { radiusDynAuthClientEntry 18 }

radiusDynAuthServCoAPacketsDropped OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of incoming CoA packets from this
             Dynamic Authorization Client silently discarded
             by the server application for some reason other than
             malformed, bad authenticators or unknown types."
      REFERENCE
            "RFC 3576, Section 2.2, Change-of-Authorization
             Messages (CoA), and Section 2.3, Packet Format."
      ::= { radiusDynAuthClientEntry 19 }

radiusDynAuthServUnknownTypes OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of incoming packets of unknown types
             which were received on the Dynamic Authorization port."
      REFERENCE
            "RFC 3576, Section 2.3, Packet Format."
      ::= { radiusDynAuthClientEntry 20 }

-- conformance information

radiusDynAuthServerMIBConformance
      OBJECT IDENTIFIER ::= { radiusDynAuthServerMIB 2 }
radiusDynAuthServerMIBCompliances
      OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 1 }
radiusDynAuthServerMIBGroups
      OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 2 }

-- compliance statements

radiusAuthServerMIBCompliance MODULE-COMPLIANCE
      STATUS current
      DESCRIPTION
            "The compliance statement for entities implementing
             the RADIUS Dynamic Authorization Server."
      MODULE -- this module
      MANDATORY-GROUPS { radiusDynAuthServerMIBGroup }
      ::= { radiusDynAuthServerMIBCompliances 1 }

-- units of conformance

radiusDynAuthServerMIBGroup OBJECT-GROUP
      OBJECTS { radiusDynAuthServerInvalidClientAddresses,
                radiusDynAuthServerIdentifier,
                radiusDynAuthClientAddressType,
                radiusDynAuthClientAddress,
                radiusDynAuthServDisconRequests,
                radiusDynAuthServDupDisconRequests,
                radiusDynAuthServDisconAcks,
                radiusDynAuthServDisconNaks,
                radiusDynAuthServDisconUserSessRemoved,
                radiusDynAuthServMalformedDisconRequests,
                radiusDynAuthServDisconBadAuthenticators,
                radiusDynAuthServDisconPacketsDropped,
                radiusDynAuthServCoARequests,
                radiusDynAuthServDupCoARequests,
                radiusDynAuthServCoAAcks,
                radiusDynAuthServCoANaks,
                radiusDynAuthServCoAUserSessChanged,
                radiusDynAuthServMalformedCoARequests,
                radiusDynAuthServCoABadAuthenticators,
                radiusDynAuthServCoAPacketsDropped,
                radiusDynAuthServUnknownTypes
              }
      STATUS current
      DESCRIPTION
            "The collection of objects providing management of
             a RADIUS Dynamic Authorization Server."
      ::= { radiusDynAuthServerMIBGroups 1 }

END

7.  Security Considerations

   There are no management objects defined in this MIB module that have
   a MAX-ACCESS clause of read-write and/or read-create.  So, if this
   MIB module is implemented correctly, then there is no risk that an
   intruder can alter or create any management objects of this MIB
   module via direct SNMP SET operations.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.
   These are the tables and objects and their sensitivity/vulnerability:

   radiusDynAuthClientAddress and radiusDynAuthClientAddressType

      These can be used to determine the address of the DAC with which
      the DAS is communicating.  This information could be useful in
      mounting an attack on the DAC.

   radiusDynAuthServerIdentifier

      This can be used to determine the Identifier of the DAS.  This
      information could be useful in impersonating the DAS.

   The other readable objects are not really considered as being
   sensitive or vulnerable.  These objects are:

      radiusDynAuthServerInvalidClientAddresses,
      radiusDynAuthServDisconRequests,
      radiusDynAuthServDupDisconRequests,
      radiusDynAuthServDisconAcks,
      radiusDynAuthServDisconNaks,
      radiusDynAuthServDisconUserSessRemoved,
      radiusDynAuthServMalformedDisconRequests,
      radiusDynAuthServDisconBadAuthenticators,
      radiusDynAuthServDisconPacketsDropped,
      radiusDynAuthServCoARequests,
      radiusDynAuthServDupCoARequests,
      radiusDynAuthServCoAAcks,
      radiusDynAuthServCoANaks,
      radiusDynAuthServCoAUserSessChanged,
      radiusDynAuthServMalformedCoARequests,
      radiusDynAuthServCoABadAuthenticators,
      radiusDynAuthServCoAPacketsDropped, and
      radiusDynAuthServUnknownTypes.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPSec),
   even then, there is no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.
   Instead, it is RECOMMENDED to deploy SNMPv3 and to enable
   cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

8.  IANA considerations

   IANA is requested to assign an OID xxx under mib-2.

9.  Acknowledgements

   This document reuses some of the work done in earlier RADIUS MIB
   specifications [RFC2618] and [RFC2620].

   The authors would also like to acknowledge the following people for
   their comments on this document: Anjaneyulu Pata, Dan Romascanu, and
   Bert Wijnen.

10.  References

10.1  Normative References

   [DYNCLNT]  De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
              Authorization Client MIB",
              draft-decnodder-radext-dynauth-client-mib-01.txt, work in
              progress, June 2004.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578,
              April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 3576,
              July 2003.

10.2  Informative References

   [RFC2618]  Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB",
              RFC 2618, June 1999.

   [RFC2619]  Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB",
              RFC 2619, June 1999.

   [RFC2620]  Aboba, B. and G. Zorn, "RADIUS Accounting Client MIB",
              RFC 2620, June 1999.

   [RFC2621]  Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB",
              RFC 2621, June 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Stefaan De Cnodder
   Alcatel
   Francis Wellesplein 1
   B-2018 Antwerp
   Belgium

   Phone: +32 3 240 85 15
   Email: stefaan.de_cnodder@alcatel.be

   Nagi Reddy Jonnala
   Consult
   4-486, Nutakki
   AP, India, PIN: 522303

   Phone: +91 8645 275314
   Email: nagireddyj@yahoo.com

   Murtaza Chiba
   Cisco Systems, Inc.
   170 West Tasman Dr.
   San Jose CA, 95134

   Phone: +1 408 525 7198
   Email: mchiba@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.
   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.