idnits 2.17.1 draft-ietf-radius-auth-clientmib-02.txt
RADIUS Working Group                                       Bernard Aboba
INTERNET-DRAFT                                                 Microsoft
Category: Standards Track                                      Glen Zorn
                                                               Microsoft
                                                        11 November 1998

                   RADIUS Authentication Client MIB

1. Status of this Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
   ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

   The distribution of this memo is unlimited.  It is filed as , and
   expires May 1, 1999.  Please send comments to the authors.

2. Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

3. Abstract

   This memo defines a set of extensions which instrument RADIUS
   authentication client functions.  These extensions represent a
   portion of the Management Information Base (MIB) for use with network
   management protocols in the Internet community.  Using these
   extensions IP-based management stations can manage RADIUS
   authentication clients.

4. Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes managed objects used for managing RADIUS
   authentication clients.
   Today a wide range of network devices, including routers and NASes,
   act as RADIUS authentication clients in order to provide
   authentication and authorization services.  As a result, the
   effective management of RADIUS authentication clients is of
   considerable importance.

5. The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2271 [1].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management.  The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in RFC
      1155 [2], RFC 1212 [3] and RFC 1215 [4].  The second version,
      called SMIv2, is described in RFC 1902 [5], RFC 1903 [6] and RFC
      1904 [7].

   o  Message protocols for transferring management information.  The
      first version of the SNMP message protocol is called SNMPv1 and
      described in RFC 1157 [8].  A second version of the SNMP message
      protocol, which is not an Internet standards track protocol, is
      called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10].
      The third version of the message protocol is called SNMPv3 and
      described in RFC 1906 [10], RFC 2272 [11] and RFC 2274 [12].

   o  Protocol operations for accessing management information.  The
      first set of protocol operations and associated PDU formats is
      described in RFC 1157 [8].  A second set of protocol operations
      and associated PDU formats is described in RFC 1905 [13].

   o  A set of fundamental applications described in RFC 2273 [14] and
      the view-based access control mechanism described in RFC 2275
      [15].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2.
   A MIB conforming to the SMIv1 can be produced through the appropriate
   translations.  The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64).  Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process.  However, this loss of machine
   readable information is not considered to change the semantics of the
   MIB.

6. Overview

   The RADIUS authentication protocol, described in [16], distinguishes
   between the client function and the server function.  In RADIUS
   authentication, clients send Access-Requests, and servers reply with
   Access-Accepts, Access-Rejects, and Access-Challenges.  Typically NAS
   devices implement the client function, and thus would be expected to
   implement the RADIUS authentication client MIB, while RADIUS
   authentication servers implement the server function, and thus would
   be expected to implement the RADIUS authentication server MIB.

   However, it is possible for a RADIUS authentication entity to perform
   both client and server functions.  For example, a RADIUS proxy may
   act as a server to one or more RADIUS authentication clients, while
   simultaneously acting as an authentication client to one or more
   authentication servers.  In such situations, it is expected that
   RADIUS entities combining client and server functionality will
   support both the client and server MIBs.

6.1. Selected objects

   This MIB module contains two scalars as well as a single table:

   (1)  the RADIUS Authentication Server Table contains one row for each
        RADIUS authentication server that the client shares a secret
        with.

   Each entry in the RADIUS Authentication Server Table includes fifteen
   columns presenting a view of the activity of the RADIUS
   authentication client.

7. Definitions

RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE,
       OBJECT-IDENTITY, experimental,
       Counter32, Integer32, Gauge32,
       IpAddress, TimeTicks             FROM SNMPv2-SMI
       DisplayString                    FROM SNMPv2-TC
       MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

radius OBJECT-IDENTITY
      STATUS  current
      DESCRIPTION
            "The OID assigned to RADIUS MIB work by the IANA."
      ::= { experimental 79 }

radiusAuthentication  OBJECT IDENTIFIER ::= {radius 1}

radiusAuthClientMIB MODULE-IDENTITY
       LAST-UPDATED "9811161659Z"
       ORGANIZATION "IETF RADIUS Working Group."
       CONTACT-INFO
              " Bernard Aboba
                Microsoft
                One Microsoft Way
                Redmond, WA  98052
                US

                Phone: +1 425 936 6605
                EMail: bernarda@microsoft.com"
       DESCRIPTION
           "The MIB module for entities implementing the client side of
            the Remote Access Dialin User Service (RADIUS) authentication
            protocol."
       ::= { radiusAuthentication 2 }

radiusAuthClientMIBObjects OBJECT IDENTIFIER ::= { radiusAuthClientMIB 1 }

radiusAuthClient  OBJECT IDENTIFIER ::= { radiusAuthClientMIBObjects 1 }

radiusAuthClientInvalidServerAddresses OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The total number of RADIUS Access-Response packets
             received from unknown addresses since client start-up."
      ::= { radiusAuthClient 1 }

radiusAuthClientIdentifier OBJECT-TYPE
      SYNTAX DisplayString
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The NAS-Identifier of the RADIUS authentication client.
             This is not necessarily the same as sysName in MIB II."
      ::= { radiusAuthClient 2 }

radiusAuthServerTable OBJECT-TYPE
      SYNTAX     SEQUENCE OF RadiusAuthServerEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
            "The (conceptual) table listing the RADIUS authentication
             servers with which the client shares a secret."
      ::= { radiusAuthClient 3 }

radiusAuthServerEntry OBJECT-TYPE
      SYNTAX     RadiusAuthServerEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
            "An entry (conceptual row) representing a RADIUS
             authentication server with which the client shares a secret."
      INDEX      { radiusAuthServerIndex }
      ::= { radiusAuthServerTable 1 }

RadiusAuthServerEntry ::= SEQUENCE {
      radiusAuthServerIndex                     Integer32,
      radiusAuthServerAddress                   IpAddress,
      radiusAuthClientServerPortNumber          Integer32,
      radiusAuthClientRoundTripTime             TimeTicks,
      radiusAuthClientAccessRequests            Counter32,
      radiusAuthClientAccessRetransmissions     Counter32,
      radiusAuthClientAccessAccepts             Counter32,
      radiusAuthClientAccessRejects             Counter32,
      radiusAuthClientAccessChallenges          Counter32,
      radiusAuthClientMalformedAccessResponses  Counter32,
      radiusAuthClientBadAuthenticators         Counter32,
      radiusAuthClientPendingRequests           Gauge32,
      radiusAuthClientTimeouts                  Counter32,
      radiusAuthClientUnknownTypes              Counter32,
      radiusAuthClientPacketsDropped            Counter32
}

radiusAuthServerIndex OBJECT-TYPE
      SYNTAX     Integer32 (0..MAX)
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
            "A number uniquely identifying each RADIUS
             Authentication server with which this client
             communicates."
      ::= { radiusAuthServerEntry 1 }

radiusAuthServerAddress OBJECT-TYPE
      SYNTAX     IpAddress
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
            "The IP address of the RADIUS authentication server
             referred to in this table entry."
      ::= { radiusAuthServerEntry 2 }

radiusAuthClientServerPortNumber OBJECT-TYPE
      SYNTAX     Integer32
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
            "The UDP port the client is using to send requests to
             this server."
      ::= { radiusAuthServerEntry 3 }

radiusAuthClientRoundTripTime OBJECT-TYPE
      SYNTAX     TimeTicks
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
            "The time interval between the most recent
             Access-Reply/Access-Challenge and the Access-Request that
             matched it from this RADIUS authentication server."
      ::= { radiusAuthServerEntry 4 }

-- Request/Response statistics
--
-- TotalIncomingPackets = Accepts + Rejects + Challenges + UnknownTypes
--
-- TotalIncomingPackets - MalformedResponses - BadAuthenticators -
-- UnknownTypes - PacketsDropped = Successfully received
--
-- AccessRequests + PendingRequests + ClientTimeouts = Successfully Received
--
--

radiusAuthClientAccessRequests OBJECT-TYPE
      SYNTAX     Counter32
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
            "The total number of RADIUS Access-Request packets sent
             to this server since client start-up.  This does not
             include retransmissions."
      ::= { radiusAuthServerEntry 5 }

radiusAuthClientAccessRetransmissions OBJECT-TYPE
      SYNTAX     Counter32
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
            "The total number of RADIUS Access-Request packets
             retransmitted to this RADIUS authentication server
             since client start-up."
      ::= { radiusAuthServerEntry 6 }

radiusAuthClientAccessAccepts OBJECT-TYPE
      SYNTAX     Counter32
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
            "The total number of RADIUS Access-Accept packets
             (valid or invalid) received from this server
             since client start-up."
      ::= { radiusAuthServerEntry 7 }

radiusAuthClientAccessRejects OBJECT-TYPE
      SYNTAX     Counter32
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
            "The total number of RADIUS Access-Reject packets
             (valid or invalid) received from this server
             since client start-up."
      ::= { radiusAuthServerEntry 8 }

radiusAuthClientAccessChallenges OBJECT-TYPE
      SYNTAX     Counter32
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
            "The total number of RADIUS Access-Challenge packets
             (valid or invalid) received from this server since
             client start-up."
      ::= { radiusAuthServerEntry 9 }

-- "Access-Response" includes an Access-Accept, Access-Challenge
-- or Access-Reject

radiusAuthClientMalformedAccessResponses OBJECT-TYPE
      SYNTAX     Counter32
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
            "The total number of malformed RADIUS Access-Response
             packets received from this server since client
             start-up.  Malformed packets include packets with
             an invalid length.  Bad authenticators or
             Signature attributes or unknown types are not
             included as malformed access responses."
      ::= { radiusAuthServerEntry 10 }

radiusAuthClientBadAuthenticators OBJECT-TYPE
      SYNTAX     Counter32
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
            "The total number of RADIUS Access-Response packets
             containing invalid authenticators or Signature
             attributes received from this server since client
             start-up."
      ::= { radiusAuthServerEntry 11 }

radiusAuthClientPendingRequests OBJECT-TYPE
      SYNTAX     Gauge32
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
            "The total number of RADIUS Access-Request packets
             destined for this server that have not yet timed out
             or received a response.  This variable is incremented
             when an Access-Request is sent and decremented due to
             receipt of an Access-Accept, Access-Reject or
             Access-Challenge, a timeout or retransmission."
      ::= { radiusAuthServerEntry 12 }

radiusAuthClientTimeouts OBJECT-TYPE
      SYNTAX     Counter32
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
            "The total number of authentication timeouts to this server
             since client startup.
             After a timeout the client may
             retry to the same server, send to a different server, or
             give up.  A retry to the same server is counted as a
             retransmit as well as a timeout.  A send to a different
             server is counted as a Request as well as a timeout."
      ::= { radiusAuthServerEntry 13 }

radiusAuthClientUnknownTypes OBJECT-TYPE
      SYNTAX     Counter32
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
            "The total number of RADIUS packets of unknown type which
             were received from this server on the authentication port
             since client start-up."
      ::= { radiusAuthServerEntry 14 }

radiusAuthClientPacketsDropped OBJECT-TYPE
      SYNTAX     Counter32
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
            "The total number of RADIUS packets which were
             received from this server on the authentication port
             and dropped for some other reason since client
             start-up."
      ::= { radiusAuthServerEntry 15 }

-- conformance information

radiusAuthClientMIBConformance
      OBJECT IDENTIFIER ::= { radiusAuthClientMIB 2 }
radiusAuthClientMIBCompliances
      OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 1 }
radiusAuthClientMIBGroups
      OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 2 }

-- compliance statements

radiusAuthClientMIBCompliance MODULE-COMPLIANCE
      STATUS  current
      DESCRIPTION
            "The compliance statement for authentication clients
             implementing the RADIUS Authentication Client MIB."
      MODULE -- this module
             MANDATORY-GROUPS { radiusAuthClientMIBGroup }

      ::= { radiusAuthClientMIBCompliances 1 }

-- units of conformance

radiusAuthClientMIBGroup OBJECT-GROUP
      OBJECTS { radiusAuthClientIdentifier,
                radiusAuthClientInvalidServerAddresses,
                radiusAuthServerAddress,
                radiusAuthClientServerPortNumber,
                radiusAuthClientRoundTripTime,
                radiusAuthClientAccessRequests,
                radiusAuthClientAccessRetransmissions,
                radiusAuthClientAccessAccepts,
                radiusAuthClientAccessRejects,
                radiusAuthClientAccessChallenges,
                radiusAuthClientMalformedAccessResponses,
                radiusAuthClientBadAuthenticators,
                radiusAuthClientPendingRequests,
                radiusAuthClientTimeouts,
                radiusAuthClientUnknownTypes,
                radiusAuthClientPacketsDropped
              }
      STATUS  current
      DESCRIPTION
            "The basic collection of objects providing management of
             RADIUS Authentication Clients."
      ::= { radiusAuthClientMIBGroups 1 }

END

8. References

   [1]  Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for
        Describing SNMP Management Frameworks", RFC 2271, Cabletron
        Systems, Inc., BMC Software, Inc., IBM T. J. Watson Research,
        January 1998.

   [2]  Rose, M., and K. McCloghrie, "Structure and Identification of
        Management Information for TCP/IP-based Internets", RFC 1155,
        Performance Systems International, Hughes LAN Systems, May 1990.

   [3]  Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212,
        Performance Systems International, Hughes LAN Systems, March
        1991.

   [4]  Rose, M., "A Convention for Defining Traps for use with the SNMP",
        RFC 1215, Performance Systems International, March 1991.

   [5]  Case, J., McCloghrie, K., Rose, M., and S.
        Waldbusser, "Structure of Management Information for Version 2
        of the Simple Network Management Protocol (SNMPv2)", RFC 1902,
        SNMP Research, Inc., Cisco Systems, Inc., Dover Beach
        Consulting, Inc., International Network Services, January 1996.

   [6]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual
        Conventions for Version 2 of the Simple Network Management
        Protocol (SNMPv2)", RFC 1903, SNMP Research, Inc., Cisco
        Systems, Inc., Dover Beach Consulting, Inc., International
        Network Services, January 1996.

   [7]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
        "Conformance Statements for Version 2 of the Simple Network
        Management Protocol (SNMPv2)", RFC 1904, SNMP Research, Inc.,
        Cisco Systems, Inc., Dover Beach Consulting, Inc., International
        Network Services, January 1996.

   [8]  Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
        Network Management Protocol", RFC 1157, SNMP Research,
        Performance Systems International, Performance Systems
        International, MIT Laboratory for Computer Science, May 1990.

   [9]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
        "Introduction to Community-based SNMPv2", RFC 1901, SNMP
        Research, Inc., Cisco Systems, Inc., Dover Beach Consulting,
        Inc., International Network Services, January 1996.

   [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport
        Mappings for Version 2 of the Simple Network Management Protocol
        (SNMPv2)", RFC 1906, SNMP Research, Inc., Cisco Systems, Inc.,
        Dover Beach Consulting, Inc., International Network Services,
        January 1996.

   [11] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message
        Processing and Dispatching for the Simple Network Management
        Protocol (SNMP)", RFC 2272, SNMP Research, Inc., Cabletron
        Systems, Inc., BMC Software, Inc., IBM T. J. Watson Research,
        January 1998.

   [12] Blumenthal, U., and B.
        Wijnen, "User-based Security Model (USM) for version 3 of the
        Simple Network Management Protocol (SNMPv3)", RFC 2274, IBM T. J.
        Watson Research, January 1998.

   [13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol
        Operations for Version 2 of the Simple Network Management
        Protocol (SNMPv2)", RFC 1905, SNMP Research, Inc., Cisco
        Systems, Inc., Dover Beach Consulting, Inc., International
        Network Services, January 1996.

   [14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC
        2273, SNMP Research, Inc., Secure Computing Corporation, Cisco
        Systems, January 1998.

   [15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access
        Control Model (VACM) for the Simple Network Management Protocol
        (SNMP)", RFC 2275, IBM T. J. Watson Research, BMC Software, Inc.,
        Cisco Systems, Inc., January 1998.

   [16] Rigney, C., Rubens, A., Simpson, W., and S. Willens, "Remote
        Authentication Dial In User Service (RADIUS)", RFC 2138, April
        1997.

   [17] "Information processing systems - Open Systems Interconnection -
        Specification of Abstract Syntax Notation One (ASN.1)",
        International Organization for Standardization, International
        Standard 8824, December 1987.

9. Security considerations

   There are no management objects defined in this MIB that have a
   MAX-ACCESS clause of read-write and/or read-create.  So, if this MIB
   is implemented correctly, then there is no risk that an intruder can
   alter or create any management objects of this MIB via direct SNMP
   SET operations.

   There are a number of managed objects in this MIB that may contain
   sensitive information.  These are:

   radiusAuthServerAddress
        This can be used to determine the address of the RADIUS
        authentication server with which the client is communicating.
        This information could be useful in mounting an attack on the
        authentication server.
   radiusAuthClientServerPortNumber
        This can be used to determine the port number on which the
        RADIUS authentication client is sending.  This information
        could be useful in impersonating the client in order to send
        data to the authentication server.

   It is thus important to control even GET access to these objects and
   possibly to even encrypt the values of these objects when sending
   them over the network via SNMP.  Not all versions of SNMP provide
   features for such a secure environment.

   SNMPv1 by itself is not a secure environment.  Even if the network
   itself is secure (for example by using IPSec), there is no control as
   to who on the secure network is allowed to access and GET/SET
   (read/change/create/delete) the objects in this MIB.

   It is recommended that the implementers consider the security
   features as provided by the SNMPv3 framework.  Specifically, the use
   of the User-based Security Model RFC 2274 [12] and the View-based
   Access Control Model RFC 2275 [15] is recommended.  Using these
   security features, customers/users can give access to the objects
   only to those principals (users) that have legitimate rights to GET
   or SET (change/create/delete) them.

10. Acknowledgments

   Thanks to Narendra Gidwani of Microsoft, Allan C. Rubens of MERIT,
   Carl Rigney of Livingston and Peter Heitman of American Internet
   Corporation for useful discussions of this problem space.

11. Authors' Addresses

   Bernard Aboba
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA 98052

   Phone: 425-936-6605
   EMail: bernarda@microsoft.com

   Glen Zorn
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA 98052

   Phone: 425-703-1559
   EMail: glennz@microsoft.com

12. Full Copyright Statement

   Copyright (C) The Internet Society (1997).  All Rights Reserved.
   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.  The limited permissions granted above are perpetual and
   will not be revoked by the Internet Society or its successors or
   assigns.  This document and the information contained herein is
   provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

13. Expiration Date

   This memo is filed as , and expires May 1, 1999.
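The following Python script is an added example, not part of this Internet-Draft: it puts the radiusAuthServerTable counters of section 7 to the management use the Overview describes, diffing two polls of the table and reporting the conditions a NAS operator would alert on (bad authenticators, responses from unknown addresses, timeouts, excessive retransmission). The OIDs are derived from the module's own { experimental 79 } registration; the "oid = value" input format, the sample values and the alert thresholds are constructed for the example.

```python
"""Poll-to-poll checker for the radiusAuthServerTable defined in section 7.

Added example, not part of the Internet-Draft.  It parses two snapshots of
the table (constructed below as "oid = value" lines in the style of a numeric
snmpwalk), takes Counter32 deltas, and reports what a NAS operator would alert
on.  OIDs follow the module's own registration ({ experimental 79 } is
1.3.6.1.3.79); the input format, sample values and thresholds are assumptions.
"""

# radiusAuthServerEntry is 1.3.6.1.3.79.1.2.1.1.3.1; a cell is ENTRY.<column>.<index>
ENTRY_OID = "1.3.6.1.3.79.1.2.1.1.3.1"
INVALID_SERVER_ADDRESSES_OID = "1.3.6.1.3.79.1.2.1.1.1.0"  # scalar, instance .0

# Column numbers as assigned in the RadiusAuthServerEntry SEQUENCE.
COLUMNS = {
    2: "serverAddress", 3: "serverPortNumber", 4: "roundTripTime",
    5: "accessRequests", 6: "accessRetransmissions", 7: "accessAccepts",
    8: "accessRejects", 9: "accessChallenges", 10: "malformedAccessResponses",
    11: "badAuthenticators", 12: "pendingRequests", 13: "timeouts",
    14: "unknownTypes", 15: "packetsDropped",
}
# The Counter32 columns; address, port, TimeTicks and the Gauge32 are not differenced.
COUNTERS = tuple(COLUMNS[c] for c in (5, 6, 7, 8, 9, 10, 11, 13, 14, 15))

def parse_walk(lines):
    """Parse 'oid = value' lines into {'invalidServerAddresses': n, 'servers': {index: row}}."""
    snapshot = {"invalidServerAddresses": 0, "servers": {}}
    for line in lines:
        oid, _, value = (part.strip() for part in line.partition("="))
        if oid == INVALID_SERVER_ADDRESSES_OID:
            snapshot["invalidServerAddresses"] = int(value)
        elif oid.startswith(ENTRY_OID + "."):
            column, index = (int(x) for x in oid[len(ENTRY_OID) + 1:].split("."))
            name = COLUMNS.get(column)
            if name is not None:
                row = snapshot["servers"].setdefault(index, {})
                row[name] = value if name == "serverAddress" else int(value)
    return snapshot

def counter_delta(old, new):
    """Counter32 wraps at 2^32: a lower reading means a wrap, not a negative delta."""
    return new - old if new >= old else new + (1 << 32) - old

def check_server(prev_row, curr_row, max_retransmit_ratio=0.2):
    """Findings for one server row between two polls; an empty list means healthy."""
    d = {n: counter_delta(prev_row.get(n, 0), curr_row.get(n, 0)) for n in COUNTERS}
    findings = []
    if d["badAuthenticators"]:  # shared-secret mismatch, or replies not from the real server
        findings.append("%d responses with a bad authenticator/Signature" % d["badAuthenticators"])
    if d["malformedAccessResponses"] or d["unknownTypes"] or d["packetsDropped"]:
        findings.append("malformed/unknown-type/dropped packets: %d/%d/%d" % (
            d["malformedAccessResponses"], d["unknownTypes"], d["packetsDropped"]))
    responses = d["accessAccepts"] + d["accessRejects"] + d["accessChallenges"]
    if d["timeouts"] and responses == 0:
        findings.append("%d timeouts and no responses: server unreachable" % d["timeouts"])
    elif d["accessRequests"] and d["accessRetransmissions"] / d["accessRequests"] > max_retransmit_ratio:
        findings.append("retransmission ratio %.2f exceeds %.2f" % (
            d["accessRetransmissions"] / d["accessRequests"], max_retransmit_ratio))
    return findings

def check_snapshots(prev, curr):
    """Findings keyed by server address, plus a 'client' key for the scalar counter."""
    report = {}
    unknown = counter_delta(prev["invalidServerAddresses"], curr["invalidServerAddresses"])
    if unknown:
        report["client"] = ["%d Access-Responses from unknown server addresses" % unknown]
    for index, row in curr["servers"].items():
        findings = check_server(prev["servers"].get(index, {}), row)
        if findings:
            report[row.get("serverAddress", str(index))] = findings
    return report

def walk_lines(invalid_addresses, rows):
    """Constructed input: render {index: {column: value}} as snmpwalk-style lines."""
    lines = ["%s = %d" % (INVALID_SERVER_ADDRESSES_OID, invalid_addresses)]
    for index, cells in rows.items():
        lines += ["%s.%d.%d = %s" % (ENTRY_OID, col, index, val) for col, val in cells.items()]
    return lines

# Two constructed polls: server 1 is healthy; server 2 shows bad authenticators and retransmits.
POLL_T0 = walk_lines(0, {1: {2: "192.0.2.10", 3: 1812, 5: 1000, 6: 10, 7: 900, 8: 90, 13: 5},
                         2: {2: "192.0.2.20", 3: 1812, 5: 500, 6: 50, 7: 400, 11: 0, 13: 40}})
POLL_T1 = walk_lines(3, {1: {2: "192.0.2.10", 3: 1812, 5: 1100, 6: 11, 7: 990, 8: 99, 13: 6},
                         2: {2: "192.0.2.20", 3: 1812, 5: 560, 6: 110, 7: 407, 11: 7, 13: 100}})

if __name__ == "__main__":
    for target, findings in check_snapshots(parse_walk(POLL_T0), parse_walk(POLL_T1)).items():
        print(target, findings)
```

In production the two polls would come from a real walk of 1.3.6.1.3.79.1.2.1.1 with an SNMPv3 user whose view is limited to this subtree, as section 9 recommends.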