idnits 2.17.1

draft-ietf-radext-rfc2620bis-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate. You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 842.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 819.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 826.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 832.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (October 18, 2005) is 6765 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC 4001' is mentioned on line 112, but not defined

  == Unused Reference: 'RFC3418' is defined on line 778, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2574 (Obsoleted by RFC 3414)

  ** Obsolete normative reference: RFC 2575 (Obsoleted by RFC 3415)

  ** Downref: Normative reference to an Informational RFC: RFC 3410

  -- Obsolete informational reference (is this intentional?): RFC 2620
     (Obsoleted by RFC 4670)

     Summary: 6 errors (**), 0 flaws (~~), 5 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    Network Working Group                                          D. Nelson
3    Internet-Draft                                        Enterasys Networks
4    Obsoletes: RFC 2620 (if approved)                       October 18, 2005
5    Expires: April 21, 2006

7                         RADIUS Acct Client MIB (IPv6)
8                      draft-ietf-radext-rfc2620bis-01.txt

10   Status of this Memo

12      By submitting this Internet-Draft, each author represents that any
13      applicable patent or other IPR claims of which he or she is aware
14      have been or will be disclosed, and any of which he or she becomes
15      aware will be disclosed, in accordance with Section 6 of BCP 79.

17      Internet-Drafts are working documents of the Internet Engineering
18      Task Force (IETF), its areas, and its working groups. Note that
19      other groups may also distribute working documents as Internet-
20      Drafts.

22      Internet-Drafts are draft documents valid for a maximum of six months
23      and may be updated, replaced, or obsoleted by other documents at any
24      time. It is inappropriate to use Internet-Drafts as reference
25      material or to cite them other than as "work in progress."

27      The list of current Internet-Drafts can be accessed at
28      http://www.ietf.org/ietf/1id-abstracts.txt.

30      The list of Internet-Draft Shadow Directories can be accessed at
31      http://www.ietf.org/shadow.html.

33      This Internet-Draft will expire on April 21, 2006.

35   Copyright Notice

37      Copyright (C) The Internet Society (2005).

39   Abstract

41      This memo obsoletes RFC 2620 by deprecating the MIB table containing
42      IPv4-only address formats and defining a new table to add support for
43      version neutral IP address formats. The remaining MIB objects from
44      RFC 2620 are carried forward into this document.

46   Table of Contents

48      1.  Terminology
49      2.  Introduction
50      3.  The Internet-Standard Management Framework
51      4.  Scope of Changes
52      5.  Structure of the MIB Module
53      6.  Deprecated Objects
54      7.  Definitions
55      8.  IANA Considerations
56      9.  Security Considerations
57      10. References
58        10.1.  Normative References
59        10.2.  Informative References
60      Appendix A.  Acknowledgments
61      Author's Address
62      Intellectual Property and Copyright Statements

64   1. Terminology

66      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
67      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
68      document are to be interpreted as described in RFC 2119 [RFC2119].

70      This document uses terminology from RFC 2866 [RFC2866].

72   2. Introduction

74      This memo defines a portion of the Management Information Base (MIB)
75      for use with network management protocols in the Internet community.
76      The objects defined within this memo relate to the Remote
77      Authentication Dial-In User Service (RADIUS) Accounting Client as
78      defined in RFC 2866 [RFC2866].

80   3. The Internet-Standard Management Framework

82      For a detailed overview of the documents that describe the current
83      Internet-Standard Management Framework, please refer to section 7 of
84      RFC 3410 [RFC3410].

86      Managed objects are accessed via a virtual information store, termed
87      the Management Information Base or MIB. MIB objects are generally
88      accessed through the Simple Network Management Protocol (SNMP).
89      Objects in the MIB are defined using the mechanisms defined in the
90      Structure of Management Information (SMI). This memo specifies a MIB
91      module that is compliant to the SMIv2, which is described in STD 58,
92      RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
93      [RFC2580].

95   4. Scope of Changes

97      This document obsoletes RFC 2620 [RFC2620], RADIUS Authentication
98      Client MIB, by deprecating the radiusAuthServerTable table and adding
99      a new table, radiusAuthServerExtTable, containing
100     radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and
101     radiusAuthClientServerInetPortNumber. The purpose of these added MIB
102     objects is to support version neutral IP addressing formats. The
103     existing table containing radiusAuthServerAddress and
104     radiusAuthClientServerPortNumber is deprecated. The remaining MIB
105     objects from RFC 2620 are carried forward into this document.

107     RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
108     IPv6 addresses, contains the following recommendation.

110     'In particular, when revising a MIB module that contains IPv4
111     specific tables, it is suggested to define new tables using the
112     textual conventions defined in this memo [RFC 4001] that support all
113     versions of IP. The status of the new tables SHOULD be "current",
114     whereas the status of the old IP version specific tables SHOULD be
115     changed to "deprecated". The other approach, of having multiple
116     similar tables for different IP versions, is strongly discouraged.'

118  5. Structure of the MIB Module

120     The RADIUS accounting protocol, described in RFC 2866 [RFC2866],
121     distinguishes between the client function and the server function.
122     In RADIUS accounting, clients send Accounting-Requests, and servers
123     reply with Accounting-Responses. Typically NAS devices implement the
124     client function, and thus would be expected to implement the RADIUS
125     accounting client MIB, while RADIUS accounting servers implement the
126     server function, and thus would be expected to implement the RADIUS
127     accounting server MIB.

129     However, it is possible for a RADIUS accounting entity to perform
130     both client and server functions. For example, a RADIUS proxy may
131     act as a server to one or more RADIUS accounting clients, while
132     simultaneously acting as an accounting client to one or more
133     accounting servers. In such situations, it is expected that RADIUS
134     entities combining client and server functionality will support both
135     the client and server MIBs.

137     This MIB module contains two scalars as well as a single table, the
138     RADIUS Accounting Server Table, which contains one row for each
139     RADIUS server with which the client shares a secret. Each entry in
140     the RADIUS Accounting Server Table includes fifteen columns
141     presenting a view of the activity of the RADIUS client.

143  6. Deprecated Objects

145     The deprecated table in this MIB is carried forward from RFC 2620
146     [RFC2620]. There are two conditions under which it MAY be desirable
147     for managed entities to continue to support the deprecated table:

149     1.  The managed entity only supports IPv4 address formats.
150     2.  The managed entity supports both IPv4 and IPv6 address formats,
151         and the deprecated table is supported for backwards compatibility
152         with older management stations. This option SHOULD only be used
153         when the IP addresses in the new table are in IPv4 format and can
154         accurately be represented in both the new table and the
155         deprecated table.

157     Managed entities SHOULD NOT instantiate the deprecated table
158     containing IPv4-only address objects when the RADIUS server address
159     represented in the table row is not an IPv4 address. Managed
160     entities SHOULD NOT return inaccurate values of IP address or SNMP
161     object access errors for IPv4-only address objects in otherwise
162     populated tables.

164  7. Definitions

166     RADIUS-ACCT-CLIENT-MIB DEFINITIONS ::= BEGIN

168     IMPORTS
169            MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
170            Counter32, Integer32, Gauge32,
171            IpAddress, TimeTicks, mib-2      FROM SNMPv2-SMI
172            SnmpAdminString                  FROM SNMP-FRAMEWORK-MIB
173            InetAddressType, InetAddress,
174            InetPortNumber                   FROM INET-ADDRESS-MIB
175            MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

177     radiusAccClientMIB MODULE-IDENTITY
178            LAST-UPDATED "200510170000Z" -- 17 Oct 2005
179            ORGANIZATION "IETF RADIUS Extensions Working Group."
180            CONTACT-INFO
181                   " Bernard Aboba
182                     Microsoft
183                     One Microsoft Way
184                     Redmond, WA 98052
185                     US
186                     Phone: +1 425 936 6605
187                     EMail: bernarda@microsoft.com"
188            DESCRIPTION
189                  "The MIB module for entities implementing the client
190                   side of the Remote Authentication Dial-In User Service
191                   (RADIUS) accounting protocol."
192            REVISION "200510170000Z" -- 17 Oct 2005
193            DESCRIPTION "Revised version as published in RFC xxxx.
194                   This version obsoletes that of RFC 2620 by deprecating the
195                   MIB table containing IPv4-only address formats and defining a
196                   new table to add support for version neutral IP address
197                   formats. The remaining MIB objects from RFC 2620 are carried
198                   forward into this version."
199            REVISION "9906110000Z" -- 11 Jun 1999
200            DESCRIPTION "Initial version as published in RFC 2620"

202     -- RFC Editor: replace xxxx with actual RFC number at the time of
203     -- publication, and remove this note.

205            ::= { radiusAccounting 2 }

207     radiusMIB OBJECT-IDENTITY
208            STATUS current
209            DESCRIPTION
210                  "The OID assigned to RADIUS MIB work by the IANA."
211            ::= { mib-2 67 }

213     radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2}

215     radiusAccClientMIBObjects OBJECT IDENTIFIER
216            ::= { radiusAccClientMIB 1 }

218     radiusAccClient OBJECT IDENTIFIER
219            ::= { radiusAccClientMIBObjects 1 }

221     radiusAccClientInvalidServerAddresses OBJECT-TYPE
222            SYNTAX Counter32
223            MAX-ACCESS read-only
224            STATUS current
225            DESCRIPTION
226                  "The number of RADIUS Accounting-Response packets
227                   received from unknown addresses."
228            ::= { radiusAccClient 1 }

230     radiusAccClientIdentifier OBJECT-TYPE
231            SYNTAX SnmpAdminString
232            MAX-ACCESS read-only
233            STATUS current
234            DESCRIPTION
235                  "The NAS-Identifier of the RADIUS accounting client.
236                   This is not necessarily the same as sysName in MIB
237                   II."
238            ::= { radiusAccClient 2 }

240     radiusAccServerTable OBJECT-TYPE
241            SYNTAX SEQUENCE OF RadiusAccServerEntry
242            MAX-ACCESS not-accessible
243            STATUS deprecated
244            DESCRIPTION
245                  "The (conceptual) table listing the RADIUS accounting
246                   servers with which the client shares a secret."
247            ::= { radiusAccClient 3 }

249     radiusAccServerEntry OBJECT-TYPE
250            SYNTAX RadiusAccServerEntry
251            MAX-ACCESS not-accessible
252            STATUS deprecated
253            DESCRIPTION
254                  "An entry (conceptual row) representing a RADIUS
255                   accounting server with which the client shares a
256                   secret."
257            INDEX { radiusAccServerIndex }
258            ::= { radiusAccServerTable 1 }

260     RadiusAccServerEntry ::= SEQUENCE {
261            radiusAccServerIndex                Integer32,
262            radiusAccServerAddress              IpAddress,
263            radiusAccClientServerPortNumber     Integer32,
264            radiusAccClientRoundTripTime        TimeTicks,
265            radiusAccClientRequests             Counter32,
266            radiusAccClientRetransmissions      Counter32,
267            radiusAccClientResponses            Counter32,
268            radiusAccClientMalformedResponses   Counter32,
269            radiusAccClientBadAuthenticators    Counter32,
270            radiusAccClientPendingRequests      Gauge32,
271            radiusAccClientTimeouts             Counter32,
272            radiusAccClientUnknownTypes         Counter32,
273            radiusAccClientPacketsDropped       Counter32
274     }

276     radiusAccServerIndex OBJECT-TYPE
277            SYNTAX Integer32 (1..2147483647)
278            MAX-ACCESS not-accessible
279            STATUS deprecated
280            DESCRIPTION
281                  "A number uniquely identifying each RADIUS
282                   Accounting server with which this client
283                   communicates."
284            ::= { radiusAccServerEntry 1 }

286     radiusAccServerAddress OBJECT-TYPE
287            SYNTAX IpAddress
288            MAX-ACCESS read-only
289            STATUS deprecated
290            DESCRIPTION
291                  "The IP address of the RADIUS accounting server
292                   referred to in this table entry."
293            ::= { radiusAccServerEntry 2 }

295     radiusAccClientServerPortNumber OBJECT-TYPE
296            SYNTAX Integer32 (0..65535)
297            MAX-ACCESS read-only
298            STATUS deprecated
299            DESCRIPTION
300                  "The UDP port the client is using to send requests to
301                   this server."
302            ::= { radiusAccServerEntry 3 }

304     radiusAccClientRoundTripTime OBJECT-TYPE
305            SYNTAX TimeTicks
306            MAX-ACCESS read-only
307            STATUS deprecated
308            DESCRIPTION
309                  "The time interval between the most recent
310                   Accounting-Response and the Accounting-Request that
311                   matched it from this RADIUS accounting server."
312            ::= { radiusAccServerEntry 4 }

314     -- Request/Response statistics
315     --
316     -- Requests = Responses + PendingRequests + ClientTimeouts
317     --
318     -- Responses - MalformedResponses - BadAuthenticators -
319     -- UnknownTypes - PacketsDropped = Successfully received

321     radiusAccClientRequests OBJECT-TYPE
322            SYNTAX Counter32
323            MAX-ACCESS read-only
324            STATUS deprecated
325            DESCRIPTION
326                  "The number of RADIUS Accounting-Request packets
327                   sent. This does not include retransmissions."
328            ::= { radiusAccServerEntry 5 }

330     radiusAccClientRetransmissions OBJECT-TYPE
331            SYNTAX Counter32
332            MAX-ACCESS read-only
333            STATUS deprecated
334            DESCRIPTION
335                  "The number of RADIUS Accounting-Request packets
336                   retransmitted to this RADIUS accounting server.
337                   Retransmissions include retries where the
338                   Identifier and Acct-Delay have been updated, as
339                   well as those in which they remain the same."
340            ::= { radiusAccServerEntry 6 }

342     radiusAccClientResponses OBJECT-TYPE
343            SYNTAX Counter32
344            MAX-ACCESS read-only
345            STATUS deprecated
346            DESCRIPTION
347                  "The number of RADIUS packets received on the
348                   accounting port from this server."
349            ::= { radiusAccServerEntry 7 }

351     radiusAccClientMalformedResponses OBJECT-TYPE
352            SYNTAX Counter32
353            MAX-ACCESS read-only
354            STATUS deprecated
355            DESCRIPTION
356                  "The number of malformed RADIUS Accounting-Response
357                   packets received from this server. Malformed packets
358                   include packets with an invalid length. Bad
359                   authenticators and unknown types are not included as
360                   malformed accounting responses."
361            ::= { radiusAccServerEntry 8 }

363     radiusAccClientBadAuthenticators OBJECT-TYPE
364            SYNTAX Counter32
365            MAX-ACCESS read-only
366            STATUS deprecated
367            DESCRIPTION
368                  "The number of RADIUS Accounting-Response
369                   packets which contained invalid authenticators
370                   received from this server."
371            ::= { radiusAccServerEntry 9 }

373     radiusAccClientPendingRequests OBJECT-TYPE
374            SYNTAX Gauge32
375            MAX-ACCESS read-only
376            STATUS deprecated
377            DESCRIPTION
378                  "The number of RADIUS Accounting-Request packets
379                   sent to this server that have not yet timed out or
380                   received a response. This variable is incremented
381                   when an Accounting-Request is sent and decremented
382                   due to receipt of an Accounting-Response, a timeout
383                   or a retransmission."
384            ::= { radiusAccServerEntry 10 }

386     radiusAccClientTimeouts OBJECT-TYPE
387            SYNTAX Counter32
388            MAX-ACCESS read-only
389            STATUS deprecated
390            DESCRIPTION
391                  "The number of accounting timeouts to this server.
392                   After a timeout the client may retry to the same
393                   server, send to a different server, or give up.
394                   A retry to the same server is counted as a
395                   retransmit as well as a timeout. A send to a different
396                   server is counted as an Accounting-Request as well as
397                   a timeout."
398            ::= { radiusAccServerEntry 11 }

400     radiusAccClientUnknownTypes OBJECT-TYPE
401            SYNTAX Counter32
402            MAX-ACCESS read-only
403            STATUS deprecated
404            DESCRIPTION
405                  "The number of RADIUS packets of unknown type which
406                   were received from this server on the accounting port."
407            ::= { radiusAccServerEntry 12 }

409     radiusAccClientPacketsDropped OBJECT-TYPE
410            SYNTAX Counter32
411            MAX-ACCESS read-only
412            STATUS deprecated
413            DESCRIPTION
414                  "The number of RADIUS packets which were received from
415                   this server on the accounting port and dropped for some
416                   other reason."
417            ::= { radiusAccServerEntry 13 }

419     -- New MIB objects added in this revision

421     radiusAccServerExtTable OBJECT-TYPE
422            SYNTAX SEQUENCE OF RadiusAccServerExtEntry
423            MAX-ACCESS not-accessible
424            STATUS current
425            DESCRIPTION
426                  "The (conceptual) table listing the RADIUS accounting
427                   servers with which the client shares a secret."
428            ::= { radiusAccClient 4 }

430     radiusAccServerExtEntry OBJECT-TYPE
431            SYNTAX RadiusAccServerExtEntry
432            MAX-ACCESS not-accessible
433            STATUS current
434            DESCRIPTION
435                  "An entry (conceptual row) representing a RADIUS
436                   accounting server with which the client shares a
437                   secret."
438            INDEX { radiusAccServerExtIndex }
439            ::= { radiusAccServerExtTable 1 }

441     RadiusAccServerExtEntry ::= SEQUENCE {
442            radiusAccServerExtIndex                 Integer32,
443            radiusAccServerInetAddressType          InetAddressType,
444            radiusAccServerInetAddress              InetAddress,
445            radiusAccClientServerInetPortNumber     InetPortNumber,
446            radiusAccClientExtRoundTripTime         TimeTicks,
447            radiusAccClientExtRequests              Counter32,
448            radiusAccClientExtRetransmissions       Counter32,
449            radiusAccClientExtResponses             Counter32,
450            radiusAccClientExtMalformedResponses    Counter32,
451            radiusAccClientExtBadAuthenticators     Counter32,
452            radiusAccClientExtPendingRequests       Gauge32,
453            radiusAccClientExtTimeouts              Counter32,
454            radiusAccClientExtUnknownTypes          Counter32,
455            radiusAccClientExtPacketsDropped        Counter32
456     }

458     radiusAccServerExtIndex OBJECT-TYPE
459            SYNTAX Integer32 (1..2147483647)
460            MAX-ACCESS not-accessible
461            STATUS current
462            DESCRIPTION
463                  "A number uniquely identifying each RADIUS
464                   Accounting server with which this client
465                   communicates."
466            ::= { radiusAccServerExtEntry 1 }

468     radiusAccServerInetAddressType OBJECT-TYPE
469            SYNTAX InetAddressType
470            MAX-ACCESS read-only
471            STATUS current
472            DESCRIPTION
473                  "The type of address format used for the
474                   radiusAccServerInetAddress object."
475            ::= { radiusAccServerExtEntry 2 }

477     radiusAccServerInetAddress OBJECT-TYPE
478            SYNTAX InetAddress
479            MAX-ACCESS read-only
480            STATUS current
481            DESCRIPTION
482                  "The IP address of the RADIUS accounting
483                   server referred to in this table entry, using
484                   the version neutral IP address format."
485            ::= { radiusAccServerExtEntry 3 }

487     radiusAccClientServerInetPortNumber OBJECT-TYPE
488            SYNTAX InetPortNumber
489            MAX-ACCESS read-only
490            STATUS current
491            DESCRIPTION
492                  "The UDP port the client is using to send requests
493                   to this accounting server."
494            ::= { radiusAccServerExtEntry 4 }

496     radiusAccClientExtRoundTripTime OBJECT-TYPE
497            SYNTAX TimeTicks
498            MAX-ACCESS read-only
499            STATUS current
500            DESCRIPTION
501                  "The time interval between the most recent
502                   Accounting-Response and the Accounting-Request that
503                   matched it from this RADIUS accounting server."
504            ::= { radiusAccServerExtEntry 5 }

506     -- Request/Response statistics
507     --
508     -- Requests = Responses + PendingRequests + ClientTimeouts
509     --
510     -- Responses - MalformedResponses - BadAuthenticators -
511     -- UnknownTypes - PacketsDropped = Successfully received

513     radiusAccClientExtRequests OBJECT-TYPE
514            SYNTAX Counter32
515            MAX-ACCESS read-only
516            STATUS current
517            DESCRIPTION
518                  "The number of RADIUS Accounting-Request packets
519                   sent. This does not include retransmissions."
520            ::= { radiusAccServerExtEntry 6 }

522     radiusAccClientExtRetransmissions OBJECT-TYPE
523            SYNTAX Counter32
524            MAX-ACCESS read-only
525            STATUS current
526            DESCRIPTION
527                  "The number of RADIUS Accounting-Request packets
528                   retransmitted to this RADIUS accounting server.
529                   Retransmissions include retries where the
530                   Identifier and Acct-Delay have been updated, as
531                   well as those in which they remain the same."
532            ::= { radiusAccServerExtEntry 7 }

534     radiusAccClientExtResponses OBJECT-TYPE
535            SYNTAX Counter32
536            MAX-ACCESS read-only
537            STATUS current
538            DESCRIPTION
539                  "The number of RADIUS packets received on the
540                   accounting port from this server."
541            ::= { radiusAccServerExtEntry 8 }

543     radiusAccClientExtMalformedResponses OBJECT-TYPE
544            SYNTAX Counter32
545            MAX-ACCESS read-only
546            STATUS current
547            DESCRIPTION
548                  "The number of malformed RADIUS Accounting-Response
549                   packets received from this server. Malformed packets
550                   include packets with an invalid length. Bad
551                   authenticators and unknown types are not included as
552                   malformed accounting responses."
553            ::= { radiusAccServerExtEntry 9 }

555     radiusAccClientExtBadAuthenticators OBJECT-TYPE
556            SYNTAX Counter32
557            MAX-ACCESS read-only
558            STATUS current
559            DESCRIPTION
560                  "The number of RADIUS Accounting-Response
561                   packets which contained invalid authenticators
562                   received from this server."
563            ::= { radiusAccServerExtEntry 10 }

565     radiusAccClientExtPendingRequests OBJECT-TYPE
566            SYNTAX Gauge32
567            MAX-ACCESS read-only
568            STATUS current
569            DESCRIPTION
570                  "The number of RADIUS Accounting-Request packets
571                   sent to this server that have not yet timed out or
572                   received a response. This variable is incremented
573                   when an Accounting-Request is sent and decremented
574                   due to receipt of an Accounting-Response, a timeout
575                   or a retransmission."
576            ::= { radiusAccServerExtEntry 11 }

578     radiusAccClientExtTimeouts OBJECT-TYPE
579            SYNTAX Counter32
580            MAX-ACCESS read-only
581            STATUS current
582            DESCRIPTION
583                  "The number of accounting timeouts to this server.
584                   After a timeout the client may retry to the same
585                   server, send to a different server, or give up.
586                   A retry to the same server is counted as a
587                   retransmit as well as a timeout. A send to a different
588                   server is counted as an Accounting-Request as well as
589                   a timeout."
590            ::= { radiusAccServerExtEntry 12 }

592     radiusAccClientExtUnknownTypes OBJECT-TYPE
593            SYNTAX Counter32
594            MAX-ACCESS read-only
595            STATUS current
596            DESCRIPTION
597                  "The number of RADIUS packets of unknown type which
598                   were received from this server on the accounting port."
599            ::= { radiusAccServerExtEntry 13 }

601     radiusAccClientExtPacketsDropped OBJECT-TYPE
602            SYNTAX Counter32
603            MAX-ACCESS read-only
604            STATUS current
605            DESCRIPTION
606                  "The number of RADIUS packets which were received from
607                   this server on the accounting port and dropped for some
608                   other reason."
609            ::= { radiusAccServerExtEntry 14 }

611     -- conformance information

613     radiusAccClientMIBConformance OBJECT IDENTIFIER
614            ::= { radiusAccClientMIB 2 }

616     radiusAccClientMIBCompliances OBJECT IDENTIFIER
617            ::= { radiusAccClientMIBConformance 1 }

619     radiusAccClientMIBGroups OBJECT IDENTIFIER
620            ::= { radiusAccClientMIBConformance 2 }

622     -- units of conformance

624     radiusAccClientMIBCompliance MODULE-COMPLIANCE
625            STATUS deprecated
626            DESCRIPTION
627                  "The compliance statement for accounting clients
628                   implementing the RADIUS Accounting Client MIB."
629            MODULE -- this module
630                   MANDATORY-GROUPS { radiusAccClientMIBGroup }

632            ::= { radiusAccClientMIBCompliances 1 }

634     radiusAccClientExtMIBCompliance MODULE-COMPLIANCE
635            STATUS current
636            DESCRIPTION
637                  "The compliance statement for accounting clients
638                   implementing the RADIUS Accounting Client MIB."
639            MODULE -- this module
640                   MANDATORY-GROUPS { radiusAccClientExtMIBGroup }

642            ::= { radiusAccClientMIBCompliances 2 }

644     -- units of conformance

646     radiusAccClientMIBGroup OBJECT-GROUP
647            OBJECTS { radiusAccClientIdentifier,
648                      radiusAccClientInvalidServerAddresses,
649                      radiusAccServerAddress,
650                      radiusAccClientServerPortNumber,
651                      radiusAccClientRoundTripTime,
652                      radiusAccClientRequests,
653                      radiusAccClientRetransmissions,
654                      radiusAccClientResponses,
655                      radiusAccClientMalformedResponses,
656                      radiusAccClientBadAuthenticators,
657                      radiusAccClientPendingRequests,
658                      radiusAccClientTimeouts,
659                      radiusAccClientUnknownTypes,
660                      radiusAccClientPacketsDropped
661                   }
662            STATUS deprecated
663            DESCRIPTION
664                  "The basic collection of objects providing management of
665                   RADIUS Accounting Clients."
666            ::= { radiusAccClientMIBGroups 1 }

668     radiusAccClientExtMIBGroup OBJECT-GROUP
669            OBJECTS { radiusAccClientIdentifier,
670                      radiusAccClientInvalidServerAddresses,
671                      radiusAccServerInetAddressType,
672                      radiusAccServerInetAddress,
673                      radiusAccClientServerInetPortNumber,
674                      radiusAccClientExtRoundTripTime,
675                      radiusAccClientExtRequests,
676                      radiusAccClientExtRetransmissions,
677                      radiusAccClientExtResponses,
678                      radiusAccClientExtMalformedResponses,
679                      radiusAccClientExtBadAuthenticators,
680                      radiusAccClientExtPendingRequests,
681                      radiusAccClientExtTimeouts,
682                      radiusAccClientExtUnknownTypes,
683                      radiusAccClientExtPacketsDropped
684                   }
685            STATUS current
686            DESCRIPTION
687                  "The basic collection of objects providing management of
688                   RADIUS Accounting Clients."
689            ::= { radiusAccClientMIBGroups 2 }

691     END

693  8. IANA Considerations

695     This document requires no new IANA assignments.

697  9. Security Considerations

699     There are no management objects defined in this MIB that have a MAX-
700     ACCESS clause of read-write and/or read-create. So, if this MIB is
701     implemented correctly, then there is no risk that an intruder can
702     alter or create any management objects of this MIB via direct SNMP
703     SET operations.

705     There are a number of managed objects in this MIB that may contain
706     sensitive information. These are:

708     radiusAcctServerIPAddress  This can be used to determine the address
709        of the RADIUS accounting server with which the client is
710        communicating. This information could be useful in mounting an
711        attack on the accounting server.

713     radiusAcctServerInetAddress  This can be used to determine the address
714        of the RADIUS accounting server with which the client is
715        communicating. This information could be useful in mounting an
716        attack on the accounting server.

718     radiusAcctClientServerPortNumber  This can be used to determine the
719        port number on which the RADIUS accounting client is sending.
720        This information could be useful in impersonating the client in
721        order to send data to the accounting server.

723     radiusAcctClientServerInetPortNumber  This can be used to determine
724        the port number on which the RADIUS accounting client is sending.
725        This information could be useful in impersonating the client in
726        order to send data to the accounting server.

728     It is thus important to control even GET access to these objects and
729     possibly to even encrypt the values of these objects when sending them
730     over the network via SNMP. Not all versions of SNMP provide features
731     for such a secure environment.

733     SNMP versions prior to SNMPv3 do not provide a secure environment.
734     Even if the network itself is secure (for example by using IPSec),
735     there is no control as to who on the secure network is allowed to
736     access and GET/SET (read/change/create/delete) the objects in this
737     MIB.

739     It is recommended that the implementers consider the security
740     features as provided by the SNMPv3 framework. Specifically, the use
741     of the User-based Security Model [RFC2574] and the View-based Access
742     Control Model [RFC2575] is recommended. Using these security
743     features, customer/users can give access to the objects only to those
744     principals (users) that have legitimate rights to GET or SET (change/
745     create/delete) them.

747  10. References

749  10.1. Normative References

751     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
752                Requirement Levels", BCP 14, RFC 2119, March 1997.

754     [RFC2574]  Blumenthal, U. and B. Wijnen, "User-based Security Model
755                (USM) for version 3 of the Simple Network Management
756                Protocol (SNMPv3)", RFC 2574, April 1999.

758     [RFC2575]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
759                Access Control Model (VACM) for the Simple Network
760                Management Protocol (SNMP)", RFC 2575, April 1999.

762     [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
763                Schoenwaelder, Ed., "Structure of Management Information
764                Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

766     [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
767                Schoenwaelder, Ed., "Textual Conventions for SMIv2",
768                STD 58, RFC 2579, April 1999.

770     [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
771                "Conformance Statements for SMIv2", STD 58, RFC 2580,
772                April 1999.

774     [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
775                "Introduction and Applicability Statements for Internet-
776                Standard Management Framework", RFC 3410, December 2002.

778     [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
779                Simple Network Management Protocol (SNMP)", STD 62,
780                RFC 3418, December 2002.

782     [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
783                Schoenwaelder, "Textual Conventions for Internet Network
784                Addresses", RFC 4001, February 2005.

786  10.2. Informative References

788     [RFC2620]  Aboba, B. and G. Zorn, "RADIUS Accounting Client MIB",
789                RFC 2620, June 1999.

791     [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

793  Appendix A. Acknowledgments

795     The Authors of the original MIB are Bernard Aboba and Glen Zorn.

797     Many thanks to all reviewers, especially to Dave Harrington, Dan
798     Romascanu, C.M. Heard, Bruno Pape and Greg Weber.

800  Author's Address

802     David B. Nelson
803     Enterasys Networks
804     50 Minuteman Road
805     Andover, MA 01810
806     USA

808     Email: dnelson@enterasys.com

810  Intellectual Property Statement

812     The IETF takes no position regarding the validity or scope of any
813     Intellectual Property Rights or other rights that might be claimed to
814     pertain to the implementation or use of the technology described in
815     this document or the extent to which any license under such rights
816     might or might not be available; nor does it represent that it has
817     made any independent effort to identify any such rights. Information
818     on the procedures with respect to rights in RFC documents can be
819     found in BCP 78 and BCP 79.

821     Copies of IPR disclosures made to the IETF Secretariat and any
822     assurances of licenses to be made available, or the result of an
823     attempt made to obtain a general license or permission for the use of
824     such proprietary rights by implementers or users of this
825     specification can be obtained from the IETF on-line IPR repository at
826     http://www.ietf.org/ipr.

828     The IETF invites any interested party to bring to its attention any
829     copyrights, patents or patent applications, or other proprietary
830     rights that may cover technology that may be required to implement
831     this standard. Please address the information to the IETF at
832     ietf-ipr@ietf.org.

834  Disclaimer of Validity

836     This document and the information contained herein are provided on an
837     "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
838     OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
839     ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
840     INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
841     INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
842     WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

844  Copyright Statement

846     Copyright (C) The Internet Society (2005). This document is subject
847     to the rights, licenses and restrictions contained in BCP 78, and
848     except as set forth therein, the authors retain all their rights.

850  Acknowledgment

852     Funding for the RFC Editor function is currently provided by the
853     Internet Society.
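
Added example (not part of the draft or of any RADIUS implementation): a monitoring-side reading of the radiusAccServerExtTable counters from Section 7, applying the "Successfully received" identity from the MIB comments to the difference between two polls, with Counter32 wrap handling and InetAddress decoding per InetAddressType. The varbind lists, server address, port and the choice to flag any non-zero rejection counter are constructed assumptions; the OIDs follow the assignments in the module.

```python
import ipaddress

COUNTER32_MOD = 2 ** 32
# OIDs follow the assignments in the MIB: radiusAccClient = mib-2.67.2.2.1.1
INVALID_ADDRS = "1.3.6.1.2.1.67.2.2.1.1.1.0"  # radiusAccClientInvalidServerAddresses.0
EXT_ENTRY = "1.3.6.1.2.1.67.2.2.1.1.4.1"      # radiusAccServerExtEntry
# Column numbers under radiusAccServerExtEntry (5, RoundTripTime, is not used here).
COLUMNS = {2: "addr_type", 3: "addr", 4: "port", 6: "requests",
           7: "retransmissions", 8: "responses", 9: "malformed",
           10: "bad_authenticators", 11: "pending", 12: "timeouts",
           13: "unknown_types", 14: "dropped"}
COUNTERS = ("requests", "retransmissions", "responses", "malformed",
            "bad_authenticators", "timeouts", "unknown_types", "dropped")
REJECTED = ("malformed", "bad_authenticators", "unknown_types", "dropped")


def decode_inet_address(addr_type, octets):
    """Render an InetAddress value according to its InetAddressType (RFC 4001)."""
    if addr_type == 1 and len(octets) == 4:       # ipv4(1)
        return str(ipaddress.IPv4Address(octets))
    if addr_type == 2 and len(octets) == 16:      # ipv6(2)
        return str(ipaddress.IPv6Address(octets))
    if addr_type == 16:                           # dns(16)
        return octets.decode("ascii", errors="replace")
    # unknown(0), zoned types, or a length that contradicts the type:
    # show the raw octets instead of guessing.
    return "type%d:%s" % (addr_type, octets.hex())


def rows_from_varbinds(varbinds):
    """Group (oid, value) pairs from a table walk into {index: {column: value}}."""
    rows, prefix = {}, EXT_ENTRY + "."
    for oid, value in varbinds:
        if not oid.startswith(prefix):
            continue
        parts = oid[len(prefix):].split(".")
        if len(parts) == 2 and int(parts[0]) in COLUMNS:
            rows.setdefault(int(parts[1]), {})[COLUMNS[int(parts[0])]] = value
    return rows


def counter_delta(old, new):
    """Counter32 difference that stays correct across one wrap at 2**32."""
    return (new - old) % COUNTER32_MOD


def assess_row(prev, cur):
    """Apply the MIB's 'Successfully received' identity to one polling interval."""
    d = {name: counter_delta(prev[name], cur[name]) for name in COUNTERS}
    server = decode_inet_address(cur["addr_type"], cur["addr"])
    return {
        "server": "%s port %d" % (server, cur["port"]),
        "successful": d["responses"] - sum(d[name] for name in REJECTED),
        "timeouts": d["timeouts"],
        # Assumption of this example: any non-zero rejection counter is worth
        # a look; bad authenticators mean a response failed verification.
        "findings": sorted(name for name in REJECTED if d[name]),
    }


def assess_poll(prev_vb, cur_vb):
    """Compare two polls: the scalar plus every row present in both."""
    prev_rows, cur_rows = rows_from_varbinds(prev_vb), rows_from_varbinds(cur_vb)
    report = {"invalid_server_addresses":
              counter_delta(dict(prev_vb)[INVALID_ADDRS], dict(cur_vb)[INVALID_ADDRS]),
              "servers": {}}
    for index, cur in cur_rows.items():
        if index in prev_rows:   # a row that appeared mid-interval has no baseline
            report["servers"][index] = assess_row(prev_rows[index], cur)
    return report


def make_walk(index, addr_type, addr, port, counters, invalid):
    """Build constructed varbinds shaped like a walk of the scalar and Ext table."""
    values = dict(counters, addr_type=addr_type, addr=addr, port=port)
    walk = [(INVALID_ADDRS, invalid)]
    for column, name in COLUMNS.items():
        walk.append(("%s.%d.%d" % (EXT_ENTRY, column, index), values[name]))
    return walk


# Constructed sample data: one IPv6 server (documentation prefix), two polls,
# with the Responses counter wrapping past 2**32 between them.
SERVER = ipaddress.IPv6Address("2001:db8::10").packed
POLL_1 = make_walk(1, 2, SERVER, 1813, dict(
    requests=1000, retransmissions=4, responses=4294967290, malformed=0,
    bad_authenticators=2, pending=3, timeouts=10, unknown_types=0, dropped=1),
    invalid=0)
POLL_2 = make_walk(1, 2, SERVER, 1813, dict(
    requests=1100, retransmissions=9, responses=84, malformed=1,
    bad_authenticators=7, pending=5, timeouts=20, unknown_types=0, dropped=1),
    invalid=3)

if __name__ == "__main__":
    print(assess_poll(POLL_1, POLL_2))
```

Collecting these values over SNMPv3 with USM and a VACM view restricted to this subtree matches the access recommendation in Section 9.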