RADIUS Working Group                                           Glen Zorn
INTERNET-DRAFT                                                 Microsoft
Category: Informational                                    Bernard Aboba
                                                               Microsoft
                                                         2 February 1999

                      RADIUS Accounting Server MIB

1. Status of this Memo

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts. Internet-Drafts
are draft documents valid for a maximum of six months and may be updated,
replaced, or obsoleted by other documents at any time. It is inappropriate
to use Internet-Drafts as reference material or to cite them other than as
"work in progress."

To view the list of Internet-Draft Shadow Directories, see
http://www.ietf.org/shadow.html.

The distribution of this memo is unlimited. It is filed as , and expires
August 1, 1999. Please send comments to the authors.

2. Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

3. Abstract

This memo defines a set of extensions which instrument RADIUS accounting
server functions. These extensions represent a portion of the Management
Information Base (MIB) for use with network management protocols in the
Internet community. Using these extensions, IP-based management stations
can manage RADIUS accounting servers.

4. Introduction

This memo defines a portion of the Management Information Base (MIB) for
use with network management protocols in the Internet community. In
particular, it describes managed objects used for managing RADIUS
accounting servers.

RADIUS accounting servers are today widely deployed by dialup Internet
Service Providers in order to provide accounting services. As a result,
the effective management of RADIUS accounting servers is of considerable
importance.

5. The SNMP Management Framework

The SNMP Management Framework presently consists of five major
components:

   o  An overall architecture, described in RFC 2271 [1].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management. The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      RFC 1155 [2], RFC 1212 [3] and RFC 1215 [4]. The second version,
      called SMIv2, is described in RFC 1902 [5], RFC 1903 [6] and
      RFC 1904 [7].

   o  Message protocols for transferring management information. The
      first version of the SNMP message protocol is called SNMPv1 and
      described in RFC 1157 [8]. A second version of the SNMP message
      protocol, which is not an Internet standards track protocol, is
      called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10].
      The third version of the message protocol is called SNMPv3 and
      described in RFC 1906 [10], RFC 2272 [11] and RFC 2274 [12].

   o  Protocol operations for accessing management information. The
      first set of protocol operations and associated PDU formats is
      described in RFC 1157 [8]. A second set of protocol operations
      and associated PDU formats is described in RFC 1905 [13].

   o  A set of fundamental applications described in RFC 2273 [14] and
      the view-based access control mechanism described in RFC 2275
      [15].

Managed objects are accessed via a virtual information store, termed the
Management Information Base or MIB. Objects in the MIB are defined using
the mechanisms defined in the SMI.

This memo specifies a MIB module that is compliant to the SMIv2. A MIB
conforming to the SMIv1 can be produced through the appropriate
translations.
The resulting translated MIB must be semantically equivalent, except
where objects or events are omitted because no translation is possible
(use of Counter64). Some machine readable information in SMIv2 will be
converted into textual descriptions in SMIv1 during the translation
process. However, this loss of machine readable information is not
considered to change the semantics of the MIB.

6. Overview

The RADIUS accounting protocol, described in [16], distinguishes between
the client function and the server function. In RADIUS accounting,
clients send Accounting-Requests, and servers reply with
Accounting-Responses. Typically NAS devices implement the client
function, and thus would be expected to implement the RADIUS accounting
client MIB, while RADIUS accounting servers implement the server
function, and thus would be expected to implement the RADIUS accounting
server MIB.

However, it is possible for a RADIUS accounting entity to perform both
client and server functions. For example, a RADIUS proxy may act as a
server to one or more RADIUS accounting clients, while simultaneously
acting as an accounting client to one or more accounting servers. In
such situations, it is expected that RADIUS entities combining client
and server functionality will support both the client and server MIBs.

6.1. Selected objects

This MIB module contains thirteen scalars as well as a single table:

   (1) the RADIUS Accounting Client Table contains one row for each
       RADIUS accounting client that the server shares a secret with.

Each entry in the RADIUS Accounting Client Table includes eleven columns
presenting a view of the RADIUS accounting server's activity with respect
to that client.

7. Definitions

RADIUS-ACC-SERVER-MIB DEFINITIONS ::= BEGIN

IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
       Counter32, Integer32,
       IpAddress, TimeTicks, mib-2       FROM SNMPv2-SMI
       SnmpAdminString                   FROM SNMP-FRAMEWORK-MIB
       MODULE-COMPLIANCE, OBJECT-GROUP   FROM SNMPv2-CONF;

radiusAccServMIB MODULE-IDENTITY
       LAST-UPDATED "9901290000Z"  -- 29 Jan 1999
       ORGANIZATION "IETF RADIUS Working Group."
       CONTACT-INFO
              " Bernard Aboba
                Microsoft
                One Microsoft Way
                Redmond, WA  98052
                US

                Phone: +1 425 936 6605
                EMail: bernarda@microsoft.com"
       DESCRIPTION
             "The MIB module for entities implementing the server
              side of the Remote Authentication Dial In User Service
              (RADIUS) accounting protocol."
       REVISION "9901290000Z"  -- 29 Jan 1999
       DESCRIPTION "Initial version as published in RFC xxxx"
                   -- RFC xxxx to be assigned by IANA
       ::= { radiusAccounting 1 }

radiusMIB OBJECT-IDENTITY
       STATUS  current
       DESCRIPTION
             "The OID assigned to RADIUS MIB work by the IANA."
       ::= { mib-2 xxx }  -- To be assigned by IANA

radiusAccounting  OBJECT IDENTIFIER ::= { radiusMIB 2 }

radiusAccServMIBObjects  OBJECT IDENTIFIER ::= { radiusAccServMIB 1 }

radiusAccServ  OBJECT IDENTIFIER ::= { radiusAccServMIBObjects 1 }

radiusAccServIdent OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The implementation identification string for the
              RADIUS accounting server software in use on the
              system, for example: `FNS-2.1'"
       ::= { radiusAccServ 1 }

radiusAccServUpTime OBJECT-TYPE
       SYNTAX      TimeTicks
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "If the server has a persistent state (e.g., a process),
              this value will be the time elapsed (in hundredths of a
              second) since the server process was started.
              For software without persistent state, this value will
              be zero."
       ::= { radiusAccServ 2 }

radiusAccServResetTime OBJECT-TYPE
       SYNTAX      TimeTicks
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "If the server has a persistent state (e.g., a process)
              and supports a `reset' operation (e.g., can be told to
              re-read configuration files), this value will be the
              time elapsed (in hundredths of a second) since the
              server was `reset.'  For software that does not
              have persistence or does not support a `reset' operation,
              this value will be zero."
       ::= { radiusAccServ 3 }

radiusAccServConfigReset OBJECT-TYPE
       SYNTAX      INTEGER { other(1),
                             reset(2),
                             initializing(3),
                             running(4) }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
             "Status/action object to reinitialize any persistent
              server state.  When set to reset(2), any persistent
              server state (such as a process) is reinitialized as if
              the server had just been started.  This value will
              never be returned by a read operation.  When read, one of
              the following values will be returned:
                  other(1) - server in some unknown state;
                  initializing(3) - server (re)initializing;
                  running(4) - server currently running."
       ::= { radiusAccServ 4 }

-- New Stats proposed by Dale E. Reed Jr (daler@iea.com)

radiusAccServTotalRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of packets received on the
              accounting port."
       ::= { radiusAccServ 5 }

radiusAccServTotalInvalidRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Accounting-Request packets
              received from unknown addresses."
       ::= { radiusAccServ 6 }

radiusAccServTotalDupRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of duplicate RADIUS Accounting-Request
              packets received."
       ::= { radiusAccServ 7 }

radiusAccServTotalResponses OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Accounting-Response packets sent."
       ::= { radiusAccServ 8 }

radiusAccServTotalMalformedRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of malformed RADIUS Accounting-Request
              packets received.  Bad authenticators or unknown
              types are not included as malformed Accounting-Requests."
       ::= { radiusAccServ 9 }

radiusAccServTotalBadAuthenticators OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Accounting-Request packets
              which contained invalid authenticators."
       ::= { radiusAccServ 10 }

radiusAccServTotalPacketsDropped OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of incoming packets silently discarded
              for a reason other than malformed, bad authenticators,
              or unknown types."
       ::= { radiusAccServ 11 }

radiusAccServTotalNoRecords OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Accounting-Request packets
              which were received and responded to but not
              recorded."
       ::= { radiusAccServ 12 }

radiusAccServTotalUnknownTypes OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS packets of unknown type which
              were received."
       ::= { radiusAccServ 13 }

-- End of new

radiusAccClientTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF RadiusAccClientEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
             "The (conceptual) table listing the RADIUS accounting
              clients with which the server shares a secret."
       ::= { radiusAccServ 14 }

radiusAccClientEntry OBJECT-TYPE
       SYNTAX      RadiusAccClientEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
             "An entry (conceptual row) representing a RADIUS
              accounting client with which the server shares a secret."
       INDEX       { radiusAccClientIndex }
       ::= { radiusAccClientTable 1 }

RadiusAccClientEntry ::= SEQUENCE {
       radiusAccClientIndex                   Integer32,
       radiusAccClientAddress                 IpAddress,
       radiusAccClientID                      SnmpAdminString,
       radiusAccServPacketsDropped            Counter32,
       radiusAccServRequests                  Counter32,
       radiusAccServDupRequests               Counter32,
       radiusAccServResponses                 Counter32,
       radiusAccServBadAuthenticators         Counter32,
       radiusAccServMalformedRequests         Counter32,
       radiusAccServNoRecords                 Counter32,
       radiusAccServUnknownTypes              Counter32
}

radiusAccClientIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
             "A number uniquely identifying each RADIUS accounting
              client with which this server communicates."
       ::= { radiusAccClientEntry 1 }

radiusAccClientAddress OBJECT-TYPE
       SYNTAX      IpAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The NAS-IP-Address of the RADIUS accounting client
              referred to in this table entry."
       ::= { radiusAccClientEntry 2 }

radiusAccClientID OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The NAS-Identifier of the RADIUS accounting client
              referred to in this table entry.  This is not necessarily
              the same as sysName in MIB II."
       ::= { radiusAccClientEntry 3 }

-- Server Counters
--
-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
-- UnknownTypes - PacketsDropped - Responses = Pending
--
-- Requests - DupRequests - BadAuthenticators - MalformedRequests -
-- UnknownTypes - PacketsDropped - NoRecords = entries logged

radiusAccServPacketsDropped OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of incoming packets received
              from this client and silently discarded
              for a reason other than malformed, bad
              authenticators, or unknown types."
       ::= { radiusAccClientEntry 4 }

radiusAccServRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of packets received from this
              client on the accounting port."
       ::= { radiusAccClientEntry 5 }

radiusAccServDupRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of duplicate RADIUS Accounting-Request
              packets received from this client."
       ::= { radiusAccClientEntry 6 }

radiusAccServResponses OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Accounting-Response packets
              sent to this client."
       ::= { radiusAccClientEntry 7 }

radiusAccServBadAuthenticators OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Accounting-Request packets
              which contained invalid authenticators received
              from this client."
       ::= { radiusAccClientEntry 8 }

radiusAccServMalformedRequests OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of malformed RADIUS Accounting-Request
              packets which were received from this client.
              Bad authenticators and unknown types
              are not included as malformed Accounting-Requests."
       ::= { radiusAccClientEntry 9 }

radiusAccServNoRecords OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS Accounting-Request packets
              which were received and responded to but not
              recorded."
       ::= { radiusAccClientEntry 10 }

radiusAccServUnknownTypes OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
             "The number of RADIUS packets of unknown type which
              were received from this client."
       ::= { radiusAccClientEntry 11 }

-- conformance information

radiusAccServMIBConformance
       OBJECT IDENTIFIER ::= { radiusAccServMIB 2 }
radiusAccServMIBCompliances
       OBJECT IDENTIFIER ::= { radiusAccServMIBConformance 1 }
radiusAccServMIBGroups
       OBJECT IDENTIFIER ::= { radiusAccServMIBConformance 2 }

-- compliance statements

radiusAccServMIBCompliance MODULE-COMPLIANCE
       STATUS  current
       DESCRIPTION
             "The compliance statement for accounting servers
              implementing the RADIUS Accounting Server MIB."
       MODULE  -- this module
       MANDATORY-GROUPS { radiusAccServMIBGroup }

       OBJECT        radiusAccServConfigReset
       WRITE-SYNTAX  INTEGER { reset(2) }
       DESCRIPTION  "The only SETable value is 'reset' (2)."
       ::= { radiusAccServMIBCompliances 1 }

-- units of conformance

radiusAccServMIBGroup OBJECT-GROUP
       OBJECTS { radiusAccServIdent,
                 radiusAccServUpTime,
                 radiusAccServResetTime,
                 radiusAccServConfigReset,
                 radiusAccServTotalRequests,
                 radiusAccServTotalInvalidRequests,
                 radiusAccServTotalDupRequests,
                 radiusAccServTotalResponses,
                 radiusAccServTotalMalformedRequests,
                 radiusAccServTotalBadAuthenticators,
                 radiusAccServTotalPacketsDropped,
                 radiusAccServTotalNoRecords,
                 radiusAccServTotalUnknownTypes,
                 radiusAccClientAddress,
                 radiusAccClientID,
                 radiusAccServPacketsDropped,
                 radiusAccServRequests,
                 radiusAccServDupRequests,
                 radiusAccServResponses,
                 radiusAccServBadAuthenticators,
                 radiusAccServMalformedRequests,
                 radiusAccServNoRecords,
                 radiusAccServUnknownTypes
               }
       STATUS  current
       DESCRIPTION
             "The collection of objects providing management of
              a RADIUS Accounting Server."
       ::= { radiusAccServMIBGroups 1 }

END

8. References

[1]  Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for
     Describing SNMP Management Frameworks", RFC 2271, Cabletron
     Systems, Inc., BMC Software, Inc., IBM T. J. Watson Research,
     January 1998.

[2]  Rose, M., and K. McCloghrie, "Structure and Identification of
     Management Information for TCP/IP-based Internets", RFC 1155,
     Performance Systems International, Hughes LAN Systems, May 1990.

[3]  Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212,
     Performance Systems International, Hughes LAN Systems, March 1991.

[4]  Rose, M., "A Convention for Defining Traps for use with the SNMP",
     RFC 1215, Performance Systems International, March 1991.

[5]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure
     of Management Information for Version 2 of the Simple Network
     Management Protocol (SNMPv2)", RFC 1902, SNMP Research, Inc., Cisco
     Systems, Inc., Dover Beach Consulting, Inc., International Network
     Services, January 1996.

[6]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual
     Conventions for Version 2 of the Simple Network Management Protocol
     (SNMPv2)", RFC 1903, SNMP Research, Inc., Cisco Systems, Inc.,
     Dover Beach Consulting, Inc., International Network Services,
     January 1996.

[7]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Conformance
     Statements for Version 2 of the Simple Network Management Protocol
     (SNMPv2)", RFC 1904, SNMP Research, Inc., Cisco Systems, Inc.,
     Dover Beach Consulting, Inc., International Network Services,
     January 1996.

[8]  Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network
     Management Protocol", RFC 1157, SNMP Research, Performance Systems
     International, Performance Systems International, MIT Laboratory
     for Computer Science, May 1990.

[9]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
     "Introduction to Community-based SNMPv2", RFC 1901, SNMP Research,
     Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc.,
     International Network Services, January 1996.

[10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport
     Mappings for Version 2 of the Simple Network Management Protocol
     (SNMPv2)", RFC 1906, SNMP Research, Inc., Cisco Systems, Inc.,
     Dover Beach Consulting, Inc., International Network Services,
     January 1996.

[11] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message
     Processing and Dispatching for the Simple Network Management
     Protocol (SNMP)", RFC 2272, SNMP Research, Inc., Cabletron Systems,
     Inc., BMC Software, Inc., IBM T. J. Watson Research, January 1998.

[12] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for
     version 3 of the Simple Network Management Protocol (SNMPv3)", RFC
     2274, IBM T. J. Watson Research, January 1998.

[13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol
     Operations for Version 2 of the Simple Network Management Protocol
     (SNMPv2)", RFC 1905, SNMP Research, Inc., Cisco Systems, Inc.,
     Dover Beach Consulting, Inc., International Network Services,
     January 1996.

[14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC
     2273, SNMP Research, Inc., Secure Computing Corporation, Cisco
     Systems, January 1998.

[15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access
     Control Model (VACM) for the Simple Network Management Protocol
     (SNMP)", RFC 2275, IBM T. J. Watson Research, BMC Software, Inc.,
     Cisco Systems, Inc., January 1998.

[16] Rigney, C., "RADIUS Accounting", RFC 2139, April 1997.

9. Security considerations

There is one management object defined in this MIB,
radiusAccServConfigReset, that has a MAX-ACCESS clause of read-write.
Such objects may be considered sensitive or vulnerable in some network
environments: a SET of reset(2) reinitializes the accounting server as if
it had just been started, so an unauthorized SET is a denial of service
against accounting. Support for SET operations in a non-secure
environment without proper protection can therefore have a negative
effect on network operations.

There are a number of managed objects in this MIB that may contain
sensitive information. These are:

   radiusAccClientAddress
      This can be used to determine the address of the RADIUS
      accounting client with which the server is communicating.
      This information could be useful in impersonating the client.
      Together with the per-client counters it also reveals which NAS
      devices share a secret with this server and how busy each one is.

   radiusAccClientID
      This can be used to determine the client ID for the accounting
      client with which the server is communicating. This
      information could be useful in impersonating the client.
It is thus important to control even GET access to these objects and
possibly to even encrypt the values of these objects when sending them
over the network via SNMP. Not all versions of SNMP provide features
for such a secure environment.

SNMPv1 by itself is not a secure environment. Even if the network itself
is secure (for example by using IPsec), there is no control as to who on
the secure network is allowed to access and GET/SET
(read/change/create/delete) the objects in this MIB.

It is recommended that implementers consider the security features
provided by the SNMPv3 framework. Specifically, the use of the User-based
Security Model RFC 2274 [12] and the View-based Access Control Model
RFC 2275 [15] is recommended. Using these security features,
customers/users can give access to the objects only to those principals
(users) that have legitimate rights to GET or SET (change/create/delete)
them.

The counters are also where shared-secret problems show up:
radiusAccServTotalInvalidRequests counts Accounting-Requests from
addresses for which no secret is configured, and
radiusAccServBadAuthenticators counts requests from a known client whose
Request Authenticator did not verify against the shared secret, which
indicates either a misconfigured secret or packets that did not come
from that client.

10. Acknowledgments

Thanks to Narendra Gidwani of Microsoft, Allan C. Rubens of MERIT, Carl
Rigney of Livingston and Peter Heitman of American Internet Corporation
for useful discussions of this problem space.

11. Authors' Addresses

Bernard Aboba
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Phone: 425-936-6605
EMail: bernarda@microsoft.com

Glen Zorn
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Phone: 425-703-1559
EMail: glennz@microsoft.com

12. Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it or
assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are included
on all such copies and derivative works. However, this document itself
may not be modified in any way, such as by removing the copyright notice
or references to the Internet Society or other Internet organizations,
except as needed for the purpose of developing Internet standards in
which case the procedures for copyrights defined in the Internet
Standards process must be followed, or as required to translate it into
languages other than English. The limited permissions granted above are
perpetual and will not be revoked by the Internet Society or its
successors or assigns. This document and the information contained
herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."

13. Expiration Date

This memo is filed as , and
expires August 1, 1999.
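Appended worked example (added by the editor after the draft text; it is not code from the draft, from the RADIUS working group, or from any RADIUS implementation): a toy accounting server that keeps the counters defined in section 7 and checks the two identities stated in the "Server Counters" comment of section 7 (Requests less the error counters and Responses gives pending requests; the same terms with NoRecords in place of Responses gives entries logged). Request and Response Authenticator handling follows RFC 2139 section 3, so a wrong shared secret is what drives the BadAuthenticators counters. The client address 10.0.0.1, the secrets, the `record` flag (standing in for whatever causes a server to answer without logging) and all sample packets are constructed for this example; retransmissions are counted as duplicates and not re-answered, which is the simplest behaviour consistent with the identities.

```python
# Added example, not code from the draft: a toy RADIUS accounting server that
# keeps the RADIUS-ACC-SERVER-MIB counters and checks the "Server Counters"
# identities.  Authenticators follow RFC 2139 section 3; the client table,
# secrets, record flag and packets below are constructed for this example.
import hashlib
import struct
from collections import Counter

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length

def attr(kind, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", kind, 2 + len(value)) + value

def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    head = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(head + bytes(16) + attrs + secret).digest()

def build_request(ident, attrs, secret, code=ACCOUNTING_REQUEST):
    auth = request_authenticator(code, ident, attrs, secret)
    return HEADER.pack(code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(resp, request_auth, secret):
    """Client-side check: MD5(Code + Identifier + Length + RequestAuth + attrs + secret)."""
    head, resp_auth, attrs = resp[:4], resp[4:20], resp[20:]
    return resp_auth == hashlib.md5(head + request_auth + attrs + secret).digest()

def pending(c):
    """Requests - DupRequests - BadAuthenticators - MalformedRequests - UnknownTypes
    - PacketsDropped - Responses.  InvalidRequests is non-zero only on the totals."""
    return (c["Requests"] - c["InvalidRequests"] - c["DupRequests"]
            - c["BadAuthenticators"] - c["MalformedRequests"]
            - c["UnknownTypes"] - c["PacketsDropped"] - c["Responses"])

def logged(c):
    """Same terms with NoRecords in place of Responses: entries actually recorded."""
    return pending(c) + c["Responses"] - c["NoRecords"]

class AccountingServer:
    def __init__(self, clients):
        self.clients = clients                               # {NAS-IP-Address: secret}
        self.total = Counter()                               # radiusAccServTotal* scalars
        self.per_client = {ip: Counter() for ip in clients}  # radiusAccClientEntry rows
        self.seen = set()                                    # (ip, Identifier, Request Authenticator)
        self.records = []

    def _count(self, client, name):
        self.total[name] += 1
        if client is not None:
            client[name] += 1

    def receive(self, src_ip, packet, record=True):
        """Classify one datagram the way the MIB counters do; return the reply or None."""
        secret, client = self.clients.get(src_ip), self.per_client.get(src_ip)
        self._count(client, "Requests")                      # every packet on the accounting port
        if secret is None:                                   # source not in radiusAccClientTable
            return self._count(None, "InvalidRequests")
        if len(packet) < 20 or HEADER.unpack(packet[:4])[2] != len(packet):
            return self._count(client, "MalformedRequests")
        code, ident, _ = HEADER.unpack(packet[:4])
        auth, attrs = packet[4:20], packet[20:]
        if code != ACCOUNTING_REQUEST:
            return self._count(client, "UnknownTypes")
        if auth != request_authenticator(code, ident, attrs, secret):
            return self._count(client, "BadAuthenticators")  # wrong secret or forged packet
        key = (src_ip, ident, auth)
        if key in self.seen:                                 # retransmission; not re-answered here
            return self._count(client, "DupRequests")
        self.seen.add(key)
        if record:
            self.records.append((src_ip, ident, attrs))
        else:                                                # answered but not written to the log
            self._count(client, "NoRecords")
        self._count(client, "Responses")
        head = HEADER.pack(ACCOUNTING_RESPONSE, ident, 20)
        return head + hashlib.md5(head + auth + secret).digest()

def demo():
    """Drive the server with constructed traffic and return it for inspection."""
    nas, secret = "10.0.0.1", b"nas1-secret"
    srv = AccountingServer({nas: secret})
    start = attr(40, struct.pack("!I", 1)) + attr(1, b"alice")  # Acct-Status-Type=Start, User-Name
    good = build_request(1, start, secret)
    reply = srv.receive(nas, good)
    assert reply is not None and verify_response(reply, good[4:20], secret)
    srv.receive(nas, good)                                        # retransmission -> DupRequests
    srv.receive(nas, build_request(2, start, b"wrong-secret"))    # secret mismatch -> BadAuthenticators
    srv.receive(nas, good[:10])                                   # truncated -> MalformedRequests
    srv.receive(nas, build_request(3, start, secret, code=1))     # Access-Request code -> UnknownTypes
    stop = attr(40, struct.pack("!I", 2))
    srv.receive(nas, build_request(4, stop, secret), record=False)  # answered, not logged -> NoRecords
    srv.receive("192.0.2.99", good)                               # no secret for source -> InvalidRequests
    return srv
```

After `demo()` the per-client row for 10.0.0.1 shows Requests 6, DupRequests 1, BadAuthenticators 1, MalformedRequests 1, UnknownTypes 1, Responses 2 and NoRecords 1, so `pending()` is 0 and `logged()` is 1, matching the single record kept; the server-wide totals add the one InvalidRequests packet from 192.0.2.99 and satisfy the same identities. A monitoring script that polls the real MIB can apply `pending()` and `logged()` to the polled values in exactly the same way, and a steadily rising BadAuthenticators column for one client is the signature of a secret mismatch or forged traffic from that address.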