RADIUS Working Group                                       Bernard Aboba
INTERNET-DRAFT                                                 Microsoft
Category: Standards Track                                      Glen Zorn
                                                               Microsoft
                                                           31 March 1999

                    RADIUS Authentication Client MIB

1. Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

The distribution of this memo is unlimited. It is filed as <draft-ietf-radius-auth-clientmib-05.txt>, and expires October 1, 1999. Please send comments to the authors.

2. Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

3. Abstract

This memo defines a set of extensions which instrument RADIUS authentication client functions. These extensions represent a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. Using these extensions, IP-based management stations can manage RADIUS authentication clients.

4. Introduction

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects used for managing RADIUS authentication clients.

Today a wide range of network devices, including routers and NASes, act as RADIUS authentication clients in order to provide authentication and authorization services. As a result, the effective management of RADIUS authentication clients is of considerable importance.

5. The SNMP Management Framework

The SNMP Management Framework presently consists of five major components:

   o  An overall architecture, described in RFC 2271 [1].
   o  Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in RFC 1155 [2], RFC 1212 [3] and RFC 1215 [4]. The second version, called SMIv2, is described in RFC 1902 [5], RFC 1903 [6] and RFC 1904 [7].

   o  Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in RFC 1157 [8]. A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [10], RFC 2272 [11] and RFC 2274 [12].

   o  Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in RFC 1157 [8]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [13].

   o  A set of fundamental applications described in RFC 2273 [14] and the view-based access control mechanism described in RFC 2275 [15].

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the mechanisms defined in the SMI.

This memo specifies a MIB module that is compliant to the SMIv2. A MIB conforming to the SMIv1 can be produced through the appropriate translations. The resulting translated MIB must be semantically equivalent, except where objects or events are omitted because no translation is possible (use of Counter64). Some machine readable information in SMIv2 will be converted into textual descriptions in SMIv1 during the translation process. However, this loss of machine readable information is not considered to change the semantics of the MIB.

6. Overview

The RADIUS authentication protocol, described in [16], distinguishes between the client function and the server function. In RADIUS authentication, clients send Access-Requests, and servers reply with Access-Accepts, Access-Rejects, and Access-Challenges. Typically NAS devices implement the client function, and thus would be expected to implement the RADIUS authentication client MIB, while RADIUS authentication servers implement the server function, and thus would be expected to implement the RADIUS authentication server MIB.

However, it is possible for a RADIUS authentication entity to perform both client and server functions. For example, a RADIUS proxy may act as a server to one or more RADIUS authentication clients, while simultaneously acting as an authentication client to one or more authentication servers. In such situations, it is expected that RADIUS entities combining client and server functionality will support both the client and server MIBs.

6.1. Selected objects

This MIB module contains two scalars (radiusAuthClientInvalidServerAddresses and radiusAuthClientIdentifier) as well as a single table:

   (1)  the RADIUS Authentication Server Table contains one row for each RADIUS authentication server that the client shares a secret with.

Each entry in the RADIUS Authentication Server Table includes fifteen columns presenting a view of the activity of the RADIUS authentication client.

7. Definitions

RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
       Counter32, Integer32, Gauge32,
       IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI
       SnmpAdminString FROM SNMP-FRAMEWORK-MIB
       MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF;

radiusAuthClientMIB MODULE-IDENTITY
       LAST-UPDATED "9903290000Z"  -- 29 Mar 1999
       ORGANIZATION "IETF RADIUS Working Group."
       CONTACT-INFO
              " Bernard Aboba
                Microsoft
                One Microsoft Way
                Redmond, WA 98052
                US

                Phone: +1 425 936 6605
                EMail: bernarda@microsoft.com"
       DESCRIPTION
             "The MIB module for entities implementing the client side of
              the Remote Authentication Dial In User Service (RADIUS)
              authentication protocol."
       REVISION "9903290000Z"  -- 29 Mar 1999
       DESCRIPTION "Initial version as published in RFC xxxx"
       -- RFC xxxx to be assigned by IANA
       ::= { radiusAuthentication 2 }

radiusMIB OBJECT-IDENTITY
       STATUS  current
       DESCRIPTION
             "The OID assigned to RADIUS MIB work by the IANA."
       ::= { mib-2 xxx }  -- To be assigned by IANA

radiusAuthentication  OBJECT IDENTIFIER ::= {radiusMIB 1}

radiusAuthClientMIBObjects  OBJECT IDENTIFIER ::= { radiusAuthClientMIB 1 }

radiusAuthClient  OBJECT IDENTIFIER ::= { radiusAuthClientMIBObjects 1 }

radiusAuthClientInvalidServerAddresses OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Response packets
             received from unknown addresses."
      ::= { radiusAuthClient 1 }

radiusAuthClientIdentifier OBJECT-TYPE
      SYNTAX SnmpAdminString
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The NAS-Identifier of the RADIUS authentication client.
             This is not necessarily the same as sysName in MIB II."
      ::= { radiusAuthClient 2 }

radiusAuthServerTable OBJECT-TYPE
      SYNTAX SEQUENCE OF RadiusAuthServerEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
            "The (conceptual) table listing the RADIUS authentication
             servers with which the client shares a secret."
      ::= { radiusAuthClient 3 }

radiusAuthServerEntry OBJECT-TYPE
      SYNTAX RadiusAuthServerEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
            "An entry (conceptual row) representing a RADIUS
             authentication server with which the client shares a secret."
      INDEX { radiusAuthServerIndex }
      ::= { radiusAuthServerTable 1 }

RadiusAuthServerEntry ::= SEQUENCE {
      radiusAuthServerIndex                     Integer32,
      radiusAuthServerAddress                   IpAddress,
      radiusAuthClientServerPortNumber          Integer32,
      radiusAuthClientRoundTripTime             TimeTicks,
      radiusAuthClientAccessRequests            Counter32,
      radiusAuthClientAccessRetransmissions     Counter32,
      radiusAuthClientAccessAccepts             Counter32,
      radiusAuthClientAccessRejects             Counter32,
      radiusAuthClientAccessChallenges          Counter32,
      radiusAuthClientMalformedAccessResponses  Counter32,
      radiusAuthClientBadAuthenticators         Counter32,
      radiusAuthClientPendingRequests           Gauge32,
      radiusAuthClientTimeouts                  Counter32,
      radiusAuthClientUnknownTypes              Counter32,
      radiusAuthClientPacketsDropped            Counter32
}

radiusAuthServerIndex OBJECT-TYPE
      SYNTAX Integer32
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
            "A number uniquely identifying each RADIUS
             Authentication server with which this client
             communicates."
      ::= { radiusAuthServerEntry 1 }

radiusAuthServerAddress OBJECT-TYPE
      SYNTAX IpAddress
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The IP address of the RADIUS authentication server
             referred to in this table entry."
      ::= { radiusAuthServerEntry 2 }

radiusAuthClientServerPortNumber OBJECT-TYPE
      SYNTAX Integer32 (0..65535)
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The UDP port the client is using to send requests to
             this server."
      ::= { radiusAuthServerEntry 3 }

radiusAuthClientRoundTripTime OBJECT-TYPE
      SYNTAX TimeTicks
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The time interval (in hundredths of a second) between
             the most recent Access-Accept, Access-Reject or
             Access-Challenge and the Access-Request that matched it
             from this RADIUS authentication server."
      ::= { radiusAuthServerEntry 4 }

-- Request/Response statistics
--
-- TotalIncomingPackets = Accepts + Rejects + Challenges + UnknownTypes
--
-- TotalIncomingPackets - MalformedResponses - BadAuthenticators -
-- UnknownTypes - PacketsDropped = Successfully received
--
-- AccessRequests + PendingRequests + ClientTimeouts = Successfully Received
--
--
radiusAuthClientAccessRequests OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Request packets sent
             to this server. This does not include retransmissions."
      ::= { radiusAuthServerEntry 5 }

radiusAuthClientAccessRetransmissions OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Request packets
             retransmitted to this RADIUS authentication server."
      ::= { radiusAuthServerEntry 6 }

radiusAuthClientAccessAccepts OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Accept packets
             (valid or invalid) received from this server."
      ::= { radiusAuthServerEntry 7 }

radiusAuthClientAccessRejects OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Reject packets
             (valid or invalid) received from this server."
      ::= { radiusAuthServerEntry 8 }

radiusAuthClientAccessChallenges OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Challenge packets
             (valid or invalid) received from this server."
      ::= { radiusAuthServerEntry 9 }

-- "Access-Response" includes an Access-Accept, Access-Challenge
-- or Access-Reject
radiusAuthClientMalformedAccessResponses OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of malformed RADIUS Access-Response
             packets received from this server.
             Malformed packets include packets with
             an invalid length. Bad authenticators or
             Signature attributes or unknown types are not
             included as malformed access responses."
      ::= { radiusAuthServerEntry 10 }

radiusAuthClientBadAuthenticators OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Response packets
             containing invalid authenticators or Signature
             attributes received from this server."
      ::= { radiusAuthServerEntry 11 }

radiusAuthClientPendingRequests OBJECT-TYPE
      SYNTAX Gauge32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Request packets
             destined for this server that have not yet timed out
             or received a response. This variable is incremented
             when an Access-Request is sent and decremented due to
             receipt of an Access-Accept, Access-Reject or Access-Challenge,
             a timeout or retransmission."
      ::= { radiusAuthServerEntry 12 }

radiusAuthClientTimeouts OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of authentication timeouts to this server.
             After a timeout the client may retry to the same
             server, send to a different server, or
             give up. A retry to the same server is counted as a
             retransmit as well as a timeout. A send to a different
             server is counted as a Request as well as a timeout."
      ::= { radiusAuthServerEntry 13 }

radiusAuthClientUnknownTypes OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS packets of unknown type which
             were received from this server on the authentication port."
      ::= { radiusAuthServerEntry 14 }

radiusAuthClientPacketsDropped OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS packets which were
             received from this server on the authentication port
             and dropped for some other reason."
      ::= { radiusAuthServerEntry 15 }

-- conformance information

radiusAuthClientMIBConformance
      OBJECT IDENTIFIER ::= { radiusAuthClientMIB 2 }
radiusAuthClientMIBCompliances
      OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 1 }
radiusAuthClientMIBGroups
      OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 2 }

-- compliance statements

radiusAuthClientMIBCompliance MODULE-COMPLIANCE
      STATUS current
      DESCRIPTION
            "The compliance statement for authentication clients
             implementing the RADIUS Authentication Client MIB."
      MODULE  -- this module
      MANDATORY-GROUPS { radiusAuthClientMIBGroup }

      ::= { radiusAuthClientMIBCompliances 1 }

-- units of conformance

radiusAuthClientMIBGroup OBJECT-GROUP
      OBJECTS { radiusAuthClientIdentifier,
                radiusAuthClientInvalidServerAddresses,
                radiusAuthServerAddress,
                radiusAuthClientServerPortNumber,
                radiusAuthClientRoundTripTime,
                radiusAuthClientAccessRequests,
                radiusAuthClientAccessRetransmissions,
                radiusAuthClientAccessAccepts,
                radiusAuthClientAccessRejects,
                radiusAuthClientAccessChallenges,
                radiusAuthClientMalformedAccessResponses,
                radiusAuthClientBadAuthenticators,
                radiusAuthClientPendingRequests,
                radiusAuthClientTimeouts,
                radiusAuthClientUnknownTypes,
                radiusAuthClientPacketsDropped
              }
      STATUS current
      DESCRIPTION
            "The basic collection of objects providing management of
             RADIUS Authentication Clients."
      ::= { radiusAuthClientMIBGroups 1 }

END

8. References

[1]  Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2271, Cabletron Systems, Inc., BMC Software, Inc., IBM T. J. Watson Research, January 1998.

[2]  Rose, M., and K. McCloghrie, "Structure and Identification of Management Information for TCP/IP-based Internets", RFC 1155, Performance Systems International, Hughes LAN Systems, May 1990.

[3]  Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212, Performance Systems International, Hughes LAN Systems, March 1991.

[4]  Rose, M., "A Convention for Defining Traps for use with the SNMP", RFC 1215, Performance Systems International, March 1991.

[5]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1902, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[6]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1903, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[7]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Conformance Statements for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1904, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[8]  Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network Management Protocol", RFC 1157, SNMP Research, Performance Systems International, Performance Systems International, MIT Laboratory for Computer Science, May 1990.

[9]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[11] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2272, SNMP Research, Inc., Cabletron Systems, Inc., BMC Software, Inc., IBM T. J. Watson Research, January 1998.

[12] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2274, IBM T. J. Watson Research, January 1998.

[13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, SNMP Research, Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., International Network Services, January 1996.

[14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC 2273, SNMP Research, Inc., Secure Computing Corporation, Cisco Systems, January 1998.

[15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 2275, IBM T. J. Watson Research, BMC Software, Inc., Cisco Systems, Inc., January 1998.

[16] Rigney, C., Rubens, A., Simpson, W., and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997.

9. Security considerations

There are no management objects defined in this MIB that have a MAX-ACCESS clause of read-write and/or read-create. So, if this MIB is implemented correctly, then there is no risk that an intruder can alter or create any management objects of this MIB via direct SNMP SET operations.

There are a number of managed objects in this MIB that may contain sensitive information. These are:

   radiusAuthServerAddress
      This can be used to determine the address of the RADIUS authentication server with which the client is communicating. This information could be useful in mounting an attack on the authentication server.

   radiusAuthClientServerPortNumber
      This can be used to determine the port number on which the RADIUS authentication client is sending. This information could be useful in impersonating the client in order to send data to the authentication server.
It is thus important to control even GET access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. Not all versions of SNMP provide features for such a secure environment.

SNMPv1 by itself is not a secure environment. Even if the network itself is secure (for example by using IPSec), there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB.

It is recommended that the implementers consider the security features as provided by the SNMPv3 framework. Specifically, the use of the User-based Security Model RFC 2274 [12] and the View-based Access Control Model RFC 2275 [15] is recommended. Using these security features, customers/users can give access to the objects only to those principals (users) that have legitimate rights to GET or SET (change/create/delete) them.

10. Acknowledgments

The authors acknowledge the contributions of the RADIUS Working Group in the development of this MIB. Thanks to Narendra Gidwani of Microsoft, Allan C. Rubens of MERIT, Carl Rigney of Livingston and Peter Heitman of American Internet Corporation for useful discussions of this problem space.

11. Authors' Addresses

Bernard Aboba
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Phone: 425-936-6605
EMail: bernarda@microsoft.com

Glen Zorn
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Phone: 425-703-1559
EMail: glennz@microsoft.com

12. Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

13. Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

14. Expiration Date

This memo is filed as <draft-ietf-radius-auth-clientmib-05.txt>, and expires October 1, 1999.
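The counter semantics in Section 7 are easiest to see with a client that actually maintains them: the relationships given as comments before radiusAuthClientAccessRequests, the rule that Access-Accepts, Access-Rejects and Access-Challenges are counted "valid or invalid", and the distinction between malformed responses, bad authenticators and unknown types. The following is an added example written for this page; it is not code from the Internet-Draft or from any RADIUS implementation. It assumes the Response Authenticator rule of RFC 2138 section 3, MD5 over Code, Identifier, Length, Request Authenticator, Attributes and the shared secret. The server address, shared secret, NAS identifier and packets are constructed. Checking of the Signature (Message-Authenticator) attribute, which the MIB also folds into radiusAuthClientBadAuthenticators, is left out, and a response whose Identifier matches no outstanding request is counted under radiusAuthClientPacketsDropped, a design choice here since the draft only says "dropped for some other reason".

```python
"""RADIUS-AUTH-CLIENT-MIB counters driven by a small response classifier.
Added example; all addresses, secrets and packets below are constructed."""
import hashlib
import struct
from dataclasses import dataclass, field

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
HEADER_LEN, MAX_LEN = 20, 4096          # RFC 2138: 20 <= Length <= 4096


@dataclass
class ServerStats:
    """One row of radiusAuthServerTable (the counters only)."""
    access_requests: int = 0
    access_accepts: int = 0
    access_rejects: int = 0
    access_challenges: int = 0
    malformed_responses: int = 0
    bad_authenticators: int = 0
    unknown_types: int = 0
    packets_dropped: int = 0

    def total_incoming(self) -> int:
        # TotalIncomingPackets = Accepts + Rejects + Challenges + UnknownTypes
        return (self.access_accepts + self.access_rejects
                + self.access_challenges + self.unknown_types)

    def successfully_received(self) -> int:
        # TotalIncomingPackets - Malformed - BadAuthenticators
        #   - UnknownTypes - PacketsDropped = Successfully received
        return (self.total_incoming() - self.malformed_responses
                - self.bad_authenticators - self.unknown_types
                - self.packets_dropped)


@dataclass
class RadiusClient:
    """Per-server rows keyed by server address plus the two scalars."""
    secrets: dict                                # server address -> shared secret
    identifier: str = "nas01.example"            # radiusAuthClientIdentifier (constructed)
    invalid_server_addresses: int = 0            # radiusAuthClientInvalidServerAddresses
    servers: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)  # (server, id) -> Request Authenticator

    def row(self, server) -> ServerStats:
        return self.servers.setdefault(server, ServerStats())

    def send_request(self, server, ident, request_auth):
        self.row(server).access_requests += 1
        self.pending[(server, ident)] = request_auth

    def receive(self, src, pkt: bytes) -> str:
        """Classify one packet from src and bump every counter it affects.
        A packet can land in more than one counter: the MIB counts
        Accepts/Rejects/Challenges whether or not they turn out valid."""
        if src not in self.secrets:
            self.invalid_server_addresses += 1
            return "invalid-server-address"
        row = self.row(src)
        if len(pkt) < HEADER_LEN:
            row.malformed_responses += 1
            return "malformed"
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        verdict = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject",
                   ACCESS_CHALLENGE: "challenge"}.get(code, "unknown-type")
        if verdict == "accept":
            row.access_accepts += 1
        elif verdict == "reject":
            row.access_rejects += 1
        elif verdict == "challenge":
            row.access_challenges += 1
        else:
            row.unknown_types += 1        # not malformed, per the MIB text
            return verdict
        # Length must be in range and must not claim more bytes than arrived
        # (bytes past Length are padding and are ignored).
        if not HEADER_LEN <= length <= MAX_LEN or length > len(pkt):
            row.malformed_responses += 1
            return "malformed"
        req_auth = self.pending.get((src, ident))
        if req_auth is None:
            row.packets_dropped += 1      # no outstanding request with this Identifier
            return "dropped"
        # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
        expected = hashlib.md5(pkt[:4] + req_auth + pkt[HEADER_LEN:length]
                               + self.secrets[src]).digest()
        if expected != pkt[4:HEADER_LEN]:
            row.bad_authenticators += 1   # keep the request pending; a real reply may follow
            return "bad-authenticator"
        del self.pending[(src, ident)]
        return verdict


def build_response(code, ident, request_auth, attributes, secret) -> bytes:
    """Constructed helper: a server reply with a correct Response Authenticator."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + auth + attributes


def demo():
    """Run constructed traffic through the client; return (row, scalar)."""
    server, secret = "192.0.2.10", b"testing123"          # constructed
    client = RadiusClient(secrets={server: secret})
    req_auth = bytes(range(16))                           # constructed; random in practice
    reply_msg = bytes([18, 9]) + b"welcome"               # Reply-Message attribute, type 18
    client.send_request(server, 1, req_auth)
    good = build_response(ACCESS_ACCEPT, 1, req_auth, reply_msg, secret)
    client.receive(server, good)                          # accept, verified
    client.send_request(server, 2, req_auth)
    forged = build_response(ACCESS_ACCEPT, 2, req_auth, reply_msg, b"wrong-secret")
    client.receive(server, forged)                        # accept counted, bad authenticator
    client.send_request(server, 3, req_auth)
    short = build_response(ACCESS_REJECT, 3, req_auth, b"", secret)
    client.receive(server, short[:2] + struct.pack("!H", 40) + short[4:])  # Length > bytes
    client.receive(server, build_response(99, 3, req_auth, b"", secret))   # unknown type
    client.receive("198.51.100.7", good)                  # unknown server address
    return client.row(server), client.invalid_server_addresses


if __name__ == "__main__":
    print(*demo())
```

The forged Access-Accept is the case worth noticing: it is counted in radiusAuthClientAccessAccepts and in radiusAuthClientBadAuthenticators, and only the subtraction in successfully_received() removes it, which is why a monitoring station should watch BadAuthenticators and InvalidServerAddresses rather than Accepts alone.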