Network Working Group                                      S. De Cnodder
Internet-Draft                                                   Alcatel
Expires: January 8, 2006                                      N. Jonnala
                                                                M. Chiba
                                                     Cisco Systems, Inc.
                                                            July 7, 2005

                    Dynamic Authorization Server MIB
                draft-ietf-radext-dynauth-server-mib-01.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 8, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes the RADIUS dynamic authorization server
   (DAS) functions that support the dynamic authorization extensions as
   defined in RFC 3576.

Table of Contents

   1.   Requirements notation
   2.   Introduction
   3.   The Internet-Standard Management Framework
   4.   Terminology
   5.   Overview
   6.   RADIUS Dynamic Authorization Server MIB Definitions
   7.   Security Considerations
   8.   IANA considerations
   9.   Acknowledgements
   10.  References
   10.1 Normative References
   10.2 Informative References
        Authors' Addresses
        Intellectual Property and Copyright Statements

1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   It is becoming increasingly important to support Dynamic
   Authorization extensions on network access server (NAS) devices to
   handle the Disconnect and Change-of-Authorization (CoA) messages
   described in [RFC3576].  As a result, the effective management of
   RADIUS Dynamic Authorization entities is of considerable importance.
   This MIB module complements the managed objects used for managing
   RADIUS authentication and accounting clients as described in
   [RFC2618] and [RFC2620], respectively.

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4.  Terminology

   Dynamic Authorization Server (DAS)

      The component that resides on the NAS and processes the Disconnect
      and CoA requests sent by the Dynamic Authorization Client, as
      described in [RFC3576].

   Dynamic Authorization Client (DAC)

      The component that sends the Disconnect and CoA requests to the
      Dynamic Authorization Server, as described in [RFC3576].  This is
      typically a RADIUS Server, but is not limited to it and may, for
      example, be a Rating Engine used for Prepaid Billing.

   Dynamic Authorization Server Port

      The UDP port on which the Dynamic Authorization Server listens for
      the Disconnect and CoA requests sent by the Dynamic Authorization
      Client.

5.  Overview

   The RADIUS dynamic authorization extensions defined in [RFC3576]
   distinguish between the client function and the server function.  In
   RADIUS dynamic authorization, clients send Disconnect-Requests and
   CoA-Requests, and servers reply with Disconnect-Acks, Disconnect-NAKs,
   CoA-Acks, and CoA-NAKs.  Typically NAS devices implement the DAS
   function, and thus would be expected to implement the RADIUS dynamic
   authorization server MIB, while DACs implement the client function,
   and thus would be expected to implement the RADIUS dynamic
   authorization client MIB.

   However, it is possible for a RADIUS dynamic authorization entity to
   perform both client and server functions.  For example, a RADIUS
   proxy may act as a DAS to one or more DACs, while simultaneously
   acting as a DAC to one or more DASs.  In such situations, it is
   expected that RADIUS entities combining client and server
   functionality will support both the client and server MIBs.

   This memo describes the MIB for dynamic authorization servers and
   relates to the following documents as follows:

   [RFC2618] describes the MIB for a RADIUS authentication client.

   [RFC2619] describes the MIB for a RADIUS authentication server.

   [RFC2620] describes the MIB for a RADIUS accounting client.

   [RFC2621] describes the MIB for a RADIUS accounting server.

   [DYNCLNT] describes the MIB for a RADIUS dynamic authorization
   client.

   A NAS typically implements the MIBs for a RADIUS authentication
   client, a RADIUS accounting client, and a RADIUS dynamic
   authorization server.  However, there is no strict relationship
   between these three MIBs, i.e., one MIB can be implemented without
   implementing the other MIBs.  Similarly, for the other three MIBs
   mentioned above, a typical case would be where the MIBs for a RADIUS
   authentication server, a RADIUS accounting server, and a RADIUS
   dynamic authorization client are implemented by the same device.
   However, these three MIBs can also be implemented independently of
   each other.  A RADIUS proxy might implement any of these six MIBs,
   but can also implement any subset of them.

             +---------------+                      +---------------+
   User 1----|               |  Disconnect-Request  |               |
             |   Dynamic     |      CoA-Request     |   Dynamic     |
   User 2----| Authorization |<---------------------| Authorization |
             |    Server     |--------------------->|    Client     |
   User 3----|    (DAS)      |    Disconnect-Ack    |    (DAC)      |
             |               |    Disconnect-NAK    |               |
             +---------------+   CoA-Ack/CoA-NAK    +---------------+

                 Figure 1: Mapping of clients and servers.

   This MIB module for the dynamic authorization server contains the
   following:

   1.  Two scalar objects

   2.  One Dynamic Authorization Client Table.  This table contains one
       row for each DAC with which the DAS shares a secret.
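   The following is an added example and is not part of the draft: a
   small Python model of how a DAS might maintain the scalar objects and
   the per-client counters that the MIB module in Section 6 defines
   while it processes incoming Disconnect-Request and CoA-Request
   packets.  The packet layout, the Codes 40 (Disconnect-Request) and
   43 (CoA-Request), and the Request Authenticator construction (MD5
   over Code, Identifier, Length, 16 zero octets, the Attributes and
   the shared secret) are those of RFC 3576, Section 2.3.  The
   addresses, shared secret, session identifiers and the policy
   callback are constructed for the demonstration, and the order in
   which a packet is classified (a request is counted as received
   before it is validated, framing is checked before the Authenticator,
   and a retransmission is counted only as a duplicate) is this
   example's own choice, since the draft does not fix it.

```python
# Added example, not code from the draft: a DAS receive path that maintains the
# radiusDynAuthClientTable counters per known DAC plus the two invalid-address scalars.
# Layout, Codes and the Request Authenticator rule follow RFC 3576 Section 2.3;
# addresses, secrets, session ids and the policy callback are constructed for the demo.
import hashlib
import hmac
import struct
from collections import Counter

DISCONNECT_REQUEST, COA_REQUEST, HEADER_LEN = 40, 43, 20
ACCT_SESSION_ID = 44  # RFC 2866 attribute type the demo policy keys on

def request_authenticator(code, identifier, length, attrs, secret):
    # MD5(Code + Identifier + Length + 16 zero octets + Attributes + shared secret)
    return hashlib.md5(struct.pack("!BBH", code, identifier, length) + bytes(16) + attrs + secret).digest()

def build_request(code, identifier, attrs, secret):  # demo traffic with a correct Authenticator
    length = HEADER_LEN + len(attrs)
    auth = request_authenticator(code, identifier, length, attrs, secret)
    return struct.pack("!BBH", code, identifier, length) + auth + attrs

def parse_attributes(attrs):
    # {Type: Value} for a run of TLVs, or None if a Length is < 2 or overruns the run.
    out, pos = {}, 0
    while pos < len(attrs):
        alen = attrs[pos + 1] if pos + 2 <= len(attrs) else 0
        if alen < 2 or pos + alen > len(attrs):
            return None
        out[attrs[pos]] = attrs[pos + 2:pos + alen]
        pos += alen
    return out

class DynAuthServer:
    def __init__(self, clients, policy):
        self.clients = clients  # {source address: shared secret}: the client table
        self.policy = policy    # policy(code, attrs) -> sessions affected; 0 = NAK, None = drop
        self.scalars, self.seen = Counter(), set()
        self.rows = {addr: Counter() for addr in clients}  # one conceptual row per DAC

    def receive(self, source, packet):
        code = packet[0] if packet else None
        kind = {DISCONNECT_REQUEST: "Discon", COA_REQUEST: "CoA"}.get(code)
        if source not in self.clients:
            if kind:  # unknown DAC: only the scalar counters can record it
                self.scalars[f"radiusDynAuthServer{kind}InvalidClientAddresses"] += 1
            return "unknown-address"
        row = self.rows[source]
        if kind is None:
            row["radiusDynAuthServUnknownTypes"] += 1
            return "unknown-type"
        row[f"radiusDynAuthServ{kind}Requests"] += 1
        # Framing first: Length must cover the header and fit the datagram, every TLV inside it.
        length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 4 else 0
        attrs = parse_attributes(packet[HEADER_LEN:length]) if HEADER_LEN <= length <= len(packet) else None
        if attrs is None:
            row[f"radiusDynAuthServMalformed{kind}Requests"] += 1
            return "malformed"
        identifier, auth = packet[1], packet[4:HEADER_LEN]
        expected = request_authenticator(code, identifier, length, packet[HEADER_LEN:length], self.clients[source])
        if not hmac.compare_digest(auth, expected):  # constant-time comparison
            row[f"radiusDynAuthServ{kind}BadAuthenticators"] += 1
            return "bad-authenticator"
        if (source, identifier, auth) in self.seen:  # retransmission of a handled request
            row[f"radiusDynAuthServDup{kind}Requests"] += 1
            return "duplicate"
        self.seen.add((source, identifier, auth))
        affected = self.policy(code, attrs)
        if affected is None:  # silently discarded for a reason other than the above
            row[f"radiusDynAuthServ{kind}PacketsDropped"] += 1
            return "dropped"
        row[f"radiusDynAuthServ{kind}{'Acks' if affected else 'Naks'}"] += 1
        if affected:
            row[f"radiusDynAuthServ{kind}UserSess{'Removed' if kind == 'Discon' else 'Changed'}"] += affected
        return "ack" if affected else "nak"

SECRET = b"constructed-secret"
SESSIONS = {b"sess-1": 1, b"sess-bulk": 3}  # constructed: Acct-Session-Id -> sessions it selects

def sample_policy(code, attrs):
    sid = attrs.get(ACCT_SESSION_ID)
    return None if sid == b"drop-me" else SESSIONS.get(sid, 0)

def tlv(atype, value): return bytes([atype, 2 + len(value)]) + value

def demo():
    # Feeds constructed traffic through one DAS; returns (outcomes, scalars, row of the known DAC).
    dac, stranger = "192.0.2.10", "198.51.100.7"  # RFC 5737 documentation addresses
    das = DynAuthServer({dac: SECRET}, sample_policy)
    good = build_request(DISCONNECT_REQUEST, 1, tlv(ACCT_SESSION_ID, b"sess-1"), SECRET)
    traffic = [
        (dac, good), (dac, good),  # second copy is a retransmission
        (dac, build_request(DISCONNECT_REQUEST, 2, tlv(ACCT_SESSION_ID, b"sess-1"), b"wrong-secret")),
        (dac, build_request(COA_REQUEST, 3, tlv(ACCT_SESSION_ID, b"sess-bulk"), SECRET)),
        (dac, build_request(COA_REQUEST, 4, b"", SECRET)),  # names no session -> NAK
        (dac, build_request(COA_REQUEST, 5, bytes([ACCT_SESSION_ID, 10, 0x41]), SECRET)),  # TLV overruns
        (dac, build_request(99, 6, b"", SECRET)),  # Code the DAS does not know
        (stranger, good),  # source not in the client table
        (dac, build_request(DISCONNECT_REQUEST, 7, tlv(ACCT_SESSION_ID, b"drop-me"), SECRET)),
    ]
    return [das.receive(s, p) for s, p in traffic], dict(das.scalars), dict(das.rows[dac])
```

   Calling demo() pushes nine constructed packets through one DAS and
   returns the per-packet outcome, the scalar counters, and the
   conceptual table row of the known DAC.  The Authenticator is
   compared with hmac.compare_digest so that a wrong value takes the
   same time to reject as a nearly right one, and a packet whose source
   is not in the client table is dropped before any secret is consulted,
   which is why only the two scalar counters can record it.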
6.  RADIUS Dynamic Authorization Server MIB Definitions

   RADIUS-DYNAUTH-SERVER-MIB DEFINITIONS ::= BEGIN

   IMPORTS
          MODULE-IDENTITY, OBJECT-TYPE,
          Counter32, Integer32, mib-2       FROM SNMPv2-SMI
          SnmpAdminString                   FROM SNMP-FRAMEWORK-MIB
          InetAddressType, InetAddress      FROM INET-ADDRESS-MIB
          MODULE-COMPLIANCE, OBJECT-GROUP   FROM SNMPv2-CONF;

   radiusDynAuthServerMIB MODULE-IDENTITY
          LAST-UPDATED "200507020000Z" -- 2 July 2005
          ORGANIZATION "IETF RADEXT Working Group"
          CONTACT-INFO
                 " Stefaan De Cnodder
                   Alcatel
                   Francis Wellesplein 1
                   B-2018 Antwerp
                   Belgium

                   Phone: +32 3 240 85 15
                   EMail: stefaan.de_cnodder@alcatel.be

                   Nagi Reddy Jonnala
                   Cisco Systems, Inc.
                   Divyasree Chambers, B Wing,
                   O'Shaugnessy Road,
                   Bangalore-560027, India.

                   Phone: +91 98456 99445
                   EMail: njonnala@cisco.com

                   Murtaza Chiba
                   Cisco Systems, Inc.
                   170 West Tasman Dr.
                   San Jose CA, 95134

                   Phone: +1 408 525 7198
                   EMail: mchiba@cisco.com "
          DESCRIPTION
                "The MIB module for entities implementing the server
                 side of the Dynamic Authorization extensions Remote
                 Access Dialin User Service (RADIUS) protocol.

                 Copyright (C) The Internet Society (2005).  This initial
                 version of this MIB module was published in RFC yyyy;
                 for full legal notices see the RFC itself.  Supplementary
                 information may be available on
                 http://www.ietf.org/copyrights/ianamib.html."
          -- RFC Ed.: replace yyyy with actual RFC number & remove this note

          REVISION "200507020000Z" -- 2 July 2005
          DESCRIPTION "Initial version as published in RFC yyyy."
          -- RFC Ed.: replace yyyy with actual RFC number & remove this note
          ::= { radiusDynamicAuthorization 1 }

   radiusDynamicAuthorization OBJECT IDENTIFIER ::= { mib-2 xxx }
   -- The value xxx to be assigned by IANA.

   radiusDynAuthServerMIBObjects OBJECT IDENTIFIER ::=
                                 { radiusDynAuthServerMIB 1 }

   radiusDynAuthServer OBJECT IDENTIFIER ::=
                                 { radiusDynAuthServerMIBObjects 1 }

   radiusDynAuthServerDisconInvalidClientAddresses OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of Disconnect messages received from unknown
                 addresses."
          ::= { radiusDynAuthServer 1 }

   radiusDynAuthServerCoAInvalidClientAddresses OBJECT-TYPE
          SYNTAX Counter32
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of CoA messages received from unknown
                 addresses."
          ::= { radiusDynAuthServer 2 }

   radiusDynAuthServerIdentifier OBJECT-TYPE
          SYNTAX SnmpAdminString
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The NAS-Identifier of the RADIUS dynamic authorization
                 server."
          REFERENCE
                "RFC 2865, Section 5.32, NAS-Identifier."
          ::= { radiusDynAuthServer 3 }

   radiusDynAuthClientTable OBJECT-TYPE
          SYNTAX SEQUENCE OF RadiusDynAuthClientEntry
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
                "The (conceptual) table listing the RADIUS dynamic
                 authorization clients with which the server shares a
                 secret."
          ::= { radiusDynAuthServer 4 }

   radiusDynAuthClientEntry OBJECT-TYPE
          SYNTAX RadiusDynAuthClientEntry
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
                "An entry (conceptual row) representing one Dynamic
                 Authorization Client with which the server shares a
                 secret."
          INDEX { radiusDynAuthClientIndex }
          ::= { radiusDynAuthClientTable 1 }

   RadiusDynAuthClientEntry ::= SEQUENCE {
          radiusDynAuthClientIndex                  Integer32,
          radiusDynAuthClientAddressType            InetAddressType,
          radiusDynAuthClientAddress                InetAddress,
          radiusDynAuthServDisconRequests           Counter32,
          radiusDynAuthServDupDisconRequests        Counter32,
          radiusDynAuthServDisconAcks               Counter32,
          radiusDynAuthServDisconNaks               Counter32,
          radiusDynAuthServDisconUserSessRemoved    Counter32,
          radiusDynAuthServMalformedDisconRequests  Counter32,
          radiusDynAuthServDisconBadAuthenticators  Counter32,
          radiusDynAuthServDisconPacketsDropped     Counter32,
          radiusDynAuthServCoARequests              Counter32,
          radiusDynAuthServDupCoARequests           Counter32,
          radiusDynAuthServCoAAcks                  Counter32,
          radiusDynAuthServCoANaks                  Counter32,
          radiusDynAuthServCoAUserSessChanged       Counter32,
          radiusDynAuthServMalformedCoARequests     Counter32,
          radiusDynAuthServCoABadAuthenticators     Counter32,
          radiusDynAuthServCoAPacketsDropped        Counter32,
          radiusDynAuthServUnknownTypes             Counter32
   }

   radiusDynAuthClientIndex OBJECT-TYPE
          SYNTAX Integer32 (1..2147483647)
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
                "A number uniquely identifying each RADIUS dynamic
                 authorization client with which this Dynamic
                 Authorization Server communicates.  This number is
                 allocated by the agent implementing this MIB module,
                 and is unique in this context."
          ::= { radiusDynAuthClientEntry 1 }

   radiusDynAuthClientAddressType OBJECT-TYPE
          SYNTAX InetAddressType
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The type of IP-Address of the RADIUS Dynamic
                 Authorization Client referred to in this table entry."
          ::= { radiusDynAuthClientEntry 2 }

   radiusDynAuthClientAddress OBJECT-TYPE
          SYNTAX InetAddress
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The IP-Address value of the RADIUS Dynamic
                 Authorization Client referred to in this table entry."
          ::= { radiusDynAuthClientEntry 3 }

   radiusDynAuthServDisconRequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-Requests received
                 from this Dynamic Authorization Client."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthClientEntry 4 }

   radiusDynAuthServDupDisconRequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of duplicate RADIUS Disconnect-Request
                 packets received from this Dynamic Authorization
                 Client."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthClientEntry 5 }

   radiusDynAuthServDisconAcks OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-ACK packets
                 sent to this Dynamic Authorization Client."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthClientEntry 6 }

   radiusDynAuthServDisconNaks OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-NAK packets
                 sent to this Dynamic Authorization Client."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthClientEntry 7 }

   radiusDynAuthServDisconUserSessRemoved OBJECT-TYPE
          SYNTAX Counter32
          UNITS "sessions"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of user sessions removed for the
                 Disconnect-Requests received from this
                 Dynamic Authorization Client.  Depending on site
                 specific policies, a single Disconnect request
                 can remove multiple user sessions.  If this
                 Dynamic Authorization Server has no knowledge of
                 the number of user sessions that are affected,
                 it counts a single user session for each such
                 Disconnect-Request."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM)."
          ::= { radiusDynAuthClientEntry 8 }

   radiusDynAuthServMalformedDisconRequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of malformed RADIUS Disconnect-Request
                 packets received from this Dynamic Authorization
                 Client.  Bad authenticators and unknown types are not
                 included as malformed Disconnect-Requests."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                 Section 2.3, Packet Format."
          ::= { radiusDynAuthClientEntry 9 }

   radiusDynAuthServDisconBadAuthenticators OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Disconnect-Request packets
                 received from this Dynamic Authorization Client
                 that contained an invalid Authenticator field."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                 Section 2.3, Packet Format."
          ::= { radiusDynAuthClientEntry 10 }

   radiusDynAuthServDisconPacketsDropped OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of incoming Disconnect-Requests
                 from this Dynamic Authorization Client silently
                 discarded by the server application for some reason
                 other than malformed, bad authenticators or unknown
                 types."
          REFERENCE
                "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                 Section 2.3, Packet Format."
          ::= { radiusDynAuthClientEntry 11 }

   radiusDynAuthServCoARequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of CoA requests received from this
                 Dynamic Authorization Client."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthClientEntry 12 }

   radiusDynAuthServDupCoARequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of duplicate RADIUS CoA-Request
                 packets received from this Dynamic Authorization
                 Client."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthClientEntry 13 }

   radiusDynAuthServCoAAcks OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-ACK packets
                 sent to this Dynamic Authorization Client."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthClientEntry 14 }

   radiusDynAuthServCoANaks OBJECT-TYPE
          SYNTAX Counter32
          UNITS "replies"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-NAK packets
                 sent to this Dynamic Authorization Client."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthClientEntry 15 }

   radiusDynAuthServCoAUserSessChanged OBJECT-TYPE
          SYNTAX Counter32
          UNITS "sessions"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of user sessions whose authorization was
                 changed for the CoA-Requests received from this
                 Dynamic Authorization Client.  Depending on site
                 specific policies, a single CoA request can change
                 multiple user sessions' authorization.  If this
                 Dynamic Authorization Server has no knowledge of
                 the number of user sessions that are affected,
                 it counts a single user session for each such
                 CoA-Request."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA)."
          ::= { radiusDynAuthClientEntry 16 }

   radiusDynAuthServMalformedCoARequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of malformed RADIUS CoA-Request
                 packets received from this Dynamic Authorization
                 Client.  Bad authenticators and unknown types are not
                 included as malformed CoA-Requests."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA), and Section 2.3, Packet Format."
          ::= { radiusDynAuthClientEntry 17 }

   radiusDynAuthServCoABadAuthenticators OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS CoA-Request packets received
                 from this Dynamic Authorization Client that
                 contained an invalid Authenticator field."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA), and Section 2.3, Packet Format."
          ::= { radiusDynAuthClientEntry 18 }

   radiusDynAuthServCoAPacketsDropped OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of incoming CoA packets from this
                 Dynamic Authorization Client silently discarded
                 by the server application for some reason other than
                 malformed, bad authenticators or unknown types."
          REFERENCE
                "RFC 3576, Section 2.2, Change-of-Authorization
                 Messages (CoA), and Section 2.3, Packet Format."
          ::= { radiusDynAuthClientEntry 19 }

   radiusDynAuthServUnknownTypes OBJECT-TYPE
          SYNTAX Counter32
          UNITS "requests"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of incoming packets of unknown types
                 which were received on the Dynamic Authorization port."
          REFERENCE
                "RFC 3576, Section 2.3, Packet Format."
          ::= { radiusDynAuthClientEntry 20 }

   -- conformance information

   radiusDynAuthServerMIBConformance
          OBJECT IDENTIFIER ::= { radiusDynAuthServerMIB 2 }
   radiusDynAuthServerMIBCompliances
          OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 1 }
   radiusDynAuthServerMIBGroups
          OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 2 }

   -- compliance statements

   radiusAuthServerMIBCompliance MODULE-COMPLIANCE
          STATUS current
          DESCRIPTION
                "The compliance statement for entities implementing
                 the RADIUS Dynamic Authorization Server."
          MODULE -- this module
                 MANDATORY-GROUPS { radiusDynAuthServerMIBGroup }
          ::= { radiusDynAuthServerMIBCompliances 1 }

   -- units of conformance

   radiusDynAuthServerMIBGroup OBJECT-GROUP
          OBJECTS { radiusDynAuthServerDisconInvalidClientAddresses,
                    radiusDynAuthServerCoAInvalidClientAddresses,
                    radiusDynAuthServerIdentifier,
                    radiusDynAuthClientAddressType,
                    radiusDynAuthClientAddress,
                    radiusDynAuthServDisconRequests,
                    radiusDynAuthServDupDisconRequests,
                    radiusDynAuthServDisconAcks,
                    radiusDynAuthServDisconNaks,
                    radiusDynAuthServDisconUserSessRemoved,
                    radiusDynAuthServMalformedDisconRequests,
                    radiusDynAuthServDisconBadAuthenticators,
                    radiusDynAuthServDisconPacketsDropped,
                    radiusDynAuthServCoARequests,
                    radiusDynAuthServDupCoARequests,
                    radiusDynAuthServCoAAcks,
                    radiusDynAuthServCoANaks,
                    radiusDynAuthServCoAUserSessChanged,
                    radiusDynAuthServMalformedCoARequests,
                    radiusDynAuthServCoABadAuthenticators,
                    radiusDynAuthServCoAPacketsDropped,
                    radiusDynAuthServUnknownTypes
          }
          STATUS current
          DESCRIPTION
                "The collection of objects providing management of
                 a RADIUS Dynamic Authorization Server."
          ::= { radiusDynAuthServerMIBGroups 1 }

   END

7.  Security Considerations

   There are no management objects defined in this MIB module that have
   a MAX-ACCESS clause of read-write and/or read-create.  So, if this
   MIB module is implemented correctly, then there is no risk that an
   intruder can alter or create any management objects of this MIB
   module via direct SNMP SET operations.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

   radiusDynAuthClientAddress and radiusDynAuthClientAddressType

      These can be used to determine the address of the DAC with which
      the DAS is communicating.  This information could be useful in
      mounting an attack on the DAC.

   radiusDynAuthServerIdentifier

      This can be used to determine the Identifier of the DAS.  This
      information could be useful in impersonating the DAS.

   The other readable objects are not really considered as being
   sensitive or vulnerable.  These objects are:

      radiusDynAuthServerDisconInvalidClientAddresses,
      radiusDynAuthServerCoAInvalidClientAddresses,
      radiusDynAuthServDisconRequests,
      radiusDynAuthServDupDisconRequests,
      radiusDynAuthServDisconAcks,
      radiusDynAuthServDisconNaks,
      radiusDynAuthServDisconUserSessRemoved,
      radiusDynAuthServMalformedDisconRequests,
      radiusDynAuthServDisconBadAuthenticators,
      radiusDynAuthServDisconPacketsDropped,
      radiusDynAuthServCoARequests,
      radiusDynAuthServDupCoARequests,
      radiusDynAuthServCoAAcks,
      radiusDynAuthServCoANaks,
      radiusDynAuthServCoAUserSessChanged,
      radiusDynAuthServMalformedCoARequests,
      radiusDynAuthServCoABadAuthenticators,
      radiusDynAuthServCoAPacketsDropped, and
      radiusDynAuthServUnknownTypes.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is still no control over who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in
   this MIB module.
   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

8.  IANA considerations

   IANA is requested to assign an OID xxx under mib-2.

9.  Acknowledgements

   This document reuses some of the work done in earlier RADIUS MIB
   specifications [RFC2618] and [RFC2620].

   The authors would also like to acknowledge the following people for
   their comments on this document: Anjaneyulu Pata, Dan Romascanu, and
   Bert Wijnen.

10.  References

10.1  Normative References

   [DYNCLNT]  De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
              Authorization Client MIB",
              draft-decnodder-radext-dynauth-client-mib-01.txt, work in
              progress, June 2004.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578,
              April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 3576,
              July 2003.

10.2  Informative References

   [RFC2618]  Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB",
              RFC 2618, June 1999.

   [RFC2619]  Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB",
              RFC 2619, June 1999.

   [RFC2620]  Aboba, B. and G. Zorn, "RADIUS Accounting Client MIB",
              RFC 2620, June 1999.

   [RFC2621]  Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB",
              RFC 2621, June 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Stefaan De Cnodder
   Alcatel
   Francis Wellesplein 1
   B-2018 Antwerp
   Belgium

   Phone: +32 3 240 85 15
   Email: stefaan.de_cnodder@alcatel.be

   Nagi Reddy Jonnala
   Cisco Systems, Inc.
   Divyasree Chambers, B Wing, O'Shaugnessy Road
   Bangalore-560027, India

   Phone: +91 98456 99445
   Email: njonnala@cisco.com

   Murtaza Chiba
   Cisco Systems, Inc.
   170 West Tasman Dr.
   San Jose CA, 95134

   Phone: +1 408 525 7198
   Email: mchiba@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.