idnits 2.17.1 draft-ietf-radius-auth-servmib-03.txt: ** The Abstract section seems to be numbered Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity. ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Introduction section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There are 92 instances of weird spacing in the document. Is it really formatted ragged-right, rather than justified? ** There are 3 instances of too long lines in the document, the longest one being 3 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 12 has weird spacing: '...This document...' == Line 18 has weird spacing: '...Drafts are dr...' == Line 19 has weird spacing: '...e. It is...' == Line 20 has weird spacing: '...opriate to u...' == Line 23 has weird spacing: '...To view th...' == (87 more instances...) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (2 February 1999) is 9214 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? '1' on line 549 looks like a reference -- Missing reference section? '2' on line 554 looks like a reference -- Missing reference section? '3' on line 558 looks like a reference -- Missing reference section? '4' on line 561 looks like a reference -- Missing reference section? '5' on line 564 looks like a reference -- Missing reference section? '6' on line 570 looks like a reference -- Missing reference section? '7' on line 576 looks like a reference -- Missing reference section? '8' on line 582 looks like a reference -- Missing reference section? '9' on line 587 looks like a reference -- Missing reference section? '10' on line 592 looks like a reference -- Missing reference section? '11' on line 598 looks like a reference -- Missing reference section? '12' on line 659 looks like a reference -- Missing reference section? '13' on line 607 looks like a reference -- Missing reference section? '14' on line 613 looks like a reference -- Missing reference section? '15' on line 660 looks like a reference -- Missing reference section? '16' on line 622 looks like a reference Summary: 10 errors (**), 0 flaws (~~), 7 warnings (==), 18 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 RADIUS Working Group Glen Zorn 3 INTERNET-DRAFT Microsoft 4 Category: Standards Track Bernard Aboba 5 Microsoft 6 2 February 1999 8 RADIUS Authentication Server MIB 10 1. Status of this Memo 12 This document is an Internet-Draft and is in full conformance with all 13 provisions of Section 10 of RFC2026. 15 Internet-Drafts are working documents of the Internet Engineering Task 16 Force (IETF), its areas, and its working groups. Note that other groups 17 may also distribute working documents as Internet-Drafts. Internet- 18 Drafts are draft documents valid for a maximum of six months and may be 19 updated, replaced, or obsoleted by other documents at any time. It is 20 inappropriate to use Internet- Drafts as reference material or to cite 21 them other than as "work in progress." 23 To view the list Internet-Draft Shadow Directories, see 24 http://www.ietf.org/shadow.html. 26 The distribution of this memo is unlimited. It is filed as , and expires August 1, 1999. Please send 28 comments to the authors. 30 2. Copyright Notice 32 Copyright (C) The Internet Society (1999). All Rights Reserved. 34 3. Abstract 36 This memo defines a set of extensions which instrument RADIUS 37 authentication server functions. These extensions represent a portion of 38 the Management Information Base (MIB) for use with network management 39 protocols in the Internet community. Using these extensions IP-based 40 management stations can manage RADIUS authentication servers. 42 4. Introduction 44 This memo defines a portion of the Management Information Base (MIB) for 45 use with network management protocols in the Internet community. In 46 particular, it describes managed objects used for managing RADIUS 47 authentication servers. 49 RADIUS authentication servers are today widely deployed by dialup 50 Internet Service Providers, in order to provide authentication services. 51 As a result, the effective management of RADIUS authentication servers 52 is of considerable importance. 54 5. The SNMP Management Framework 56 The SNMP Management Framework presently consists of five major 57 components: 59 o An overall architecture, described in RFC 2271 [1]. 61 o Mechanisms for describing and naming objects and events for the 62 purpose of management. The first version of this Structure of 63 Management Information (SMI) is called SMIv1 and described in 64 RFC 1155 [2], RFC 1212 [3] and RFC 1215 [4]. The second version, 65 called SMIv2, is described in RFC 1902 [5], RFC 1903 [6] and RFC 66 1904 [7]. 68 o Message protocols for transferring management information. The 69 first version of the SNMP message protocol is called SNMPv1 and 70 described in RFC 1157 [8]. A second version of the SNMP message 71 protocol, which is not an Internet standards track protocol, is 72 called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10]. 73 The third version of the message protocol is called SNMPv3 and 74 described in RFC 1906 [10], RFC 2272 [11] and RFC 2274 [12]. 76 o Protocol operations for accessing management information. The 77 first set of protocol operations and associated PDU formats is 78 described in RFC 1157 [8]. A second set of protocol operations 79 and associated PDU formats is described in RFC 1905 [13]. 81 o A set of fundamental applications described in RFC 2273 [14] and 82 the view-based access control mechanism described in RFC 2275 83 [15]. 85 Managed objects are accessed via a virtual information store, termed the 86 Management Information Base or MIB. Objects in the MIB are defined 87 using the mechanisms defined in the SMI. 89 This memo specifies a MIB module that is compliant to the SMIv2. A MIB 90 conforming to the SMIv1 can be produced through the appropriate 91 translations. The resulting translated MIB must be semantically 92 equivalent, except where objects or events are omitted because no 93 translation is possible (use of Counter64). Some machine readable 94 information in SMIv2 will be converted into textual descriptions in 95 SMIv1 during the translation process. However, this loss of machine 96 readable information is not considered to change the semantics of the 97 MIB. 99 6. Overview 101 The RADIUS authentication protocol, described in [16], distinguishes 102 between the client function and the server function. In RADIUS 103 authentication, clients send Access-Requests, and servers reply with 104 Access-Accepts, Access-Rejects, and Access-Challenges. Typically NAS 105 devices implement the client function, and thus would be expected to 106 implement the RADIUS authentication client MIB, while RADIUS 107 authentication servers implement the server function, and thus would be 108 expected to implement the RADIUS authentication server MIB. 110 However, it is possible for a RADIUS authentication entity to perform 111 both client and server functions. For example, a RADIUS proxy may act as 112 a server to one or more RADIUS authentication clients, while 113 simultaneously acting as an authentication client to one or more 114 authentication servers. In such situations, it is expected that RADIUS 115 entities combining client and server functionality will support both the 116 client and server MIBs. 118 6.1. Selected objects 120 This MIB module contains fourteen scalars as well as a single table: 122 (1) the RADIUS Authentication Client Table contains one row for each 123 RADIUS authentication client that the server shares a secret with. 125 Each entry in the RADIUS Authentication Client Table includes twelve 126 columns presenting a view of the activity of the RADIUS authentication 127 server. 129 7. Definitions 131 RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN 133 IMPORTS 134 MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, 135 Counter32, Integer32, 136 IpAddress, TimeTicks FROM SNMPv2-SMI 137 SnmpAdminString FROM SNMP-FRAMEWORK-MIB 138 MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF 139 mib-2 FROM RFC1213-MIB; 141 radiusAuthServMIB MODULE-IDENTITY 142 LAST-UPDATED "9901290000Z" 143 ORGANIZATION "IETF RADIUS Working Group." 144 CONTACT-INFO 145 " Bernard Aboba 146 Microsoft 147 One Microsoft Way 148 Redmond, WA 98052 149 US 151 Phone: +1 425 936 6605 152 EMail: bernarda@microsoft.com" 153 DESCRIPTION 154 "The MIB module for entities implementing the server 155 side of the Remote Access Dialin User Service (RADIUS) 156 authentication protocol." 157 REVISION "9901290000Z" -- 29 Jan 1999 158 DESCRIPTION "Initial version as published in RFC xxxx" 159 -- RCC xxx to be assigned by IANA 160 ::= { radiusAuthentication 1 } 162 radiusMIB OBJECT-IDENTITY 163 STATUS current 164 DESCRIPTION 165 "The OID assigned to RADIUS MIB work by the IANA." 166 ::= { mib-2 xxx } -- To be assigned by IANA 168 radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1} 170 radiusAuthServMIBObjects OBJECT IDENTIFIER ::= { radiusAuthServMIB 1 } 172 radiusAuthServ OBJECT IDENTIFIER ::= { radiusAuthServMIBObjects 1 } 174 radiusAuthServIdent OBJECT-TYPE 175 SYNTAX SnmpAdminString 176 MAX-ACCESS read-only 177 STATUS current 178 DESCRIPTION 179 "The implementation identification string for the 180 RADIUS authentication server software in use on the 181 system, for example; `FNS-2.1'" 183 ::= {radiusAuthServ 1} 185 radiusAuthServUpTime OBJECT-TYPE 186 SYNTAX TimeTicks 187 MAX-ACCESS read-only 188 STATUS current 189 DESCRIPTION 190 "If the server has a persistent state (e.g., a process), 191 this value will be the time elapsed (in hundredths of a 192 seco) since the server process was started. 193 For software without persistent state, this value will 194 be zero." 195 ::= {radiusAuthServ 2} 197 radiusAuthServResetTime OBJECT-TYPE 198 SYNTAX TimeTicks 199 MAX-ACCESS read-only 200 STATUS current 201 DESCRIPTION 202 "If the server has a persistent state (e.g., a process) 203 and supports a `reset' operation (e.g., can be told to 204 re-read configuration files), this value will be the 205 time elapsed (in hundredths of a second) since the 206 server was `reset.' For software that does not 207 have persistence or does not support a `reset' operation, 208 this value will be zero." 209 ::= {radiusAuthServ 3} 211 radiusAuthServConfigReset OBJECT-TYPE 212 SYNTAX INTEGER { other(1), 213 reset(2), 214 initializing(3), 215 running(4)} 216 MAX-ACCESS read-write 217 STATUS current 218 DESCRIPTION 219 "Status/action object to reinitialize any persistent 220 server state. When set to reset(2), any persistent 221 server state (such as a process) is reinitialized as if 222 the server had just been started. This value will 223 never be returned by a read operation. When read, one of 224 the following values will be returned: 225 other(1) - server in some unknown state; 226 initializing(3) - server (re)initializing; 227 running(4) - server currently running." 228 ::= {radiusAuthServ 4} 230 -- New Stats proposed by Dale E. Reed Jr (daler@iea-software.com) 231 radiusAuthServTotalAccessRequests OBJECT-TYPE 232 SYNTAX Counter32 233 MAX-ACCESS read-only 234 STATUS current 235 DESCRIPTION 236 "The number of packets received on the 237 authentication port." 238 ::= { radiusAuthServ 5} 240 radiusAuthServTotalInvalidRequests OBJECT-TYPE 241 SYNTAX Counter32 242 MAX-ACCESS read-only 243 STATUS current 244 DESCRIPTION 245 "The number of RADIUS Access-Request packets 246 received from unknown addresses." 247 ::= { radiusAuthServ 6 } 249 radiusAuthServTotalDupAccessRequests OBJECT-TYPE 250 SYNTAX Counter32 251 MAX-ACCESS read-only 252 STATUS current 253 DESCRIPTION 254 "The number of duplicate RADIUS Access-Request 255 packets received." 256 ::= { radiusAuthServ 7 } 258 radiusAuthServTotalAccessAccepts OBJECT-TYPE 259 SYNTAX Counter32 260 MAX-ACCESS read-only 261 STATUS current 262 DESCRIPTION 263 "The number of RADIUS Access-Accept packets sent." 264 ::= { radiusAuthServ 8 } 266 radiusAuthServTotalAccessRejects OBJECT-TYPE 267 SYNTAX Counter32 268 MAX-ACCESS read-only 269 STATUS current 270 DESCRIPTION 271 "The number of RADIUS Access-Reject packets sent." 272 ::= { radiusAuthServ 9 } 274 radiusAuthServTotalAccessChallenges OBJECT-TYPE 275 SYNTAX Counter32 276 MAX-ACCESS read-only 277 STATUS current 278 DESCRIPTION 279 "The number of RADIUS Access-Challenge packets sent." 280 ::= { radiusAuthServ 10 } 282 radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE 283 SYNTAX Counter32 284 MAX-ACCESS read-only 285 STATUS current 286 DESCRIPTION 287 "The number of malformed RADIUS Access-Request 288 packets received. Bad authenticators 289 and unknown types are not included as 290 malformed Access-Requests." 291 ::= { radiusAuthServ 11 } 293 radiusAuthServTotalBadAuthenticators OBJECT-TYPE 294 SYNTAX Counter32 295 MAX-ACCESS read-only 296 STATUS current 297 DESCRIPTION 298 "The number of RADIUS Authentication-Request packets 299 which contained invalid Signature attributes received." 300 ::= { radiusAuthServ 12 } 302 radiusAuthServTotalPacketsDropped OBJECT-TYPE 303 SYNTAX Counter32 304 MAX-ACCESS read-only 305 STATUS current 306 DESCRIPTION 307 "The number of incoming packets 308 silently discarded for some reason other 309 than malformed, bad authenticators or 310 unknown types." 311 ::= { radiusAuthServ 13 } 313 radiusAuthServTotalUnknownTypes OBJECT-TYPE 314 SYNTAX Counter32 315 MAX-ACCESS read-only 316 STATUS current 318 DESCRIPTION 319 "The number of RADIUS packets of unknown type which 320 were received." 321 ::= { radiusAuthServ 14 } 323 -- End of new 325 radiusAuthClientTable OBJECT-TYPE 326 SYNTAX SEQUENCE OF RadiusAuthClientEntry 327 MAX-ACCESS not-accessible 328 STATUS current 329 DESCRIPTION 330 "The (conceptual) table listing the RADIUS authentication 331 clients with which the server shares a secret." 332 ::= { radiusAuthServ 15 } 334 radiusAuthClientEntry OBJECT-TYPE 335 SYNTAX RadiusAuthClientEntry 336 MAX-ACCESS not-accessible 337 STATUS current 338 DESCRIPTION 339 "An entry (conceptual row) representing a RADIUS 340 authentication client with which the server shares a secret." 341 INDEX { radiusAuthClientIndex } 342 ::= { radiusAuthClientTable 1 } 344 RadiusAuthClientEntry ::= SEQUENCE { 345 radiusAuthClientIndex Integer32, 346 radiusAuthClientAddress IpAddress, 347 radiusAuthClientID SnmpAdminString, 348 radiusAuthServAccessRequests Counter32, 349 radiusAuthServDupAccessRequests Counter32, 350 radiusAuthServAccessAccepts Counter32, 351 radiusAuthServAccessRejects Counter32, 352 radiusAuthServAccessChallenges Counter32, 353 radiusAuthServMalformedAccessRequests Counter32, 354 radiusAuthServBadAuthenticators Counter32, 355 radiusAuthServPacketsDropped Counter32, 356 radiusAuthServUnknownTypes Counter32 357 } 359 radiusAuthClientIndex OBJECT-TYPE 360 SYNTAX Integer32 (1..MAX) 361 MAX-ACCESS not-accessible 362 STATUS current 363 DESCRIPTION 364 "A number uniquely identifying each RADIUS 365 authentication client with which this server 366 communicates." 367 ::= { radiusAuthClientEntry 1 } 369 radiusAuthClientAddress OBJECT-TYPE 370 SYNTAX IpAddress 371 MAX-ACCESS read-only 372 STATUS current 373 DESCRIPTION 374 "The NAS-IP-Address of the RADIUS authentication client 375 referred to in this table entry." 376 ::= { radiusAuthClientEntry 2 } 378 radiusAuthClientID OBJECT-TYPE 379 SYNTAX SnmpAdminString 380 MAX-ACCESS read-only 381 STATUS current 382 DESCRIPTION 383 "The NAS-Identifier of the RADIUS authentication client 384 referred to in this table entry. This is not necessarily 385 the same as sysName in MIB II." 386 ::= { radiusAuthClientEntry 3 } 388 -- Server Counters 389 -- 390 -- Responses = AccessAccepts + AccessRejects + AccessChallenges 391 -- 392 -- Requests - DupRequests - BadAuthenticators - MalformedRequests - 393 -- UnknownTypes - PacketsDropped - Responses = Pending 394 -- 395 -- Requests - DupRequests - BadAuthenticators - MalformedRequests - 396 -- UnknownTypes - PacketsDropped = entries logged 398 radiusAuthServAccessRequests OBJECT-TYPE 399 SYNTAX Counter32 400 MAX-ACCESS read-only 401 STATUS current 402 DESCRIPTION 403 "The number of packets received on the authentication 404 port from this client." 405 ::= { radiusAuthClientEntry 4 } 407 radiusAuthServDupAccessRequests OBJECT-TYPE 408 SYNTAX Counter32 409 MAX-ACCESS read-only 410 STATUS current 411 DESCRIPTION 412 "The number of duplicate RADIUS Access-Request 413 packets received from this client." 414 ::= { radiusAuthClientEntry 5 } 416 radiusAuthServAccessAccepts OBJECT-TYPE 417 SYNTAX Counter32 418 MAX-ACCESS read-only 419 STATUS current 420 DESCRIPTION 421 "The number of RADIUS Access-Accept packets 422 sent to this client." 424 ::= { radiusAuthClientEntry 6 } 426 radiusAuthServAccessRejects OBJECT-TYPE 427 SYNTAX Counter32 428 MAX-ACCESS read-only 429 STATUS current 430 DESCRIPTION 431 "The number of RADIUS Access-Reject packets 432 sent to this client." 433 ::= { radiusAuthClientEntry 7 } 435 radiusAuthServAccessChallenges OBJECT-TYPE 436 SYNTAX Counter32 437 MAX-ACCESS read-only 438 STATUS current 439 DESCRIPTION 440 "The number of RADIUS Access-Challenge packets 441 sent to this client." 442 ::= { radiusAuthClientEntry 8 } 444 radiusAuthServMalformedAccessRequests OBJECT-TYPE 445 SYNTAX Counter32 446 MAX-ACCESS read-only 447 STATUS current 448 DESCRIPTION 449 "The number of malformed RADIUS Access-Request 450 packets received from this client. 451 Bad authenticators and unknown types are not included as 452 malformed Access-Requests." 453 ::= { radiusAuthClientEntry 9 } 455 radiusAuthServBadAuthenticators OBJECT-TYPE 456 SYNTAX Counter32 457 MAX-ACCESS read-only 458 STATUS current 459 DESCRIPTION 460 "The number of RADIUS Authentication-Request packets 461 which contained invalid Signature attributes received 462 from this client." 463 ::= { radiusAuthClientEntry 10 } 465 radiusAuthServPacketsDropped OBJECT-TYPE 466 SYNTAX Counter32 467 MAX-ACCESS read-only 468 STATUS current 469 DESCRIPTION 470 "The number of incoming packets from this 471 client silently discarded for some reason other 472 than malformed, bad authenticators or 473 unknown types." 474 ::= { radiusAuthClientEntry 11 } 476 radiusAuthServUnknownTypes OBJECT-TYPE 477 SYNTAX Counter32 478 MAX-ACCESS read-only 479 STATUS current 480 DESCRIPTION 481 "The number of RADIUS packets of unknown type which 482 were received from this client." 483 ::= { radiusAuthClientEntry 12 } 485 -- conformance information 487 radiusAuthServMIBConformance 488 OBJECT IDENTIFIER ::= { radiusAuthServMIB 2 } 489 radiusAuthServMIBCompliances 490 OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 1 } 491 radiusAuthServMIBGroups 492 OBJECT IDENTIFIER ::= { radiusAuthServMIBConformance 2 } 494 -- compliance statements 496 radiusAuthServMIBCompliance MODULE-COMPLIANCE 497 STATUS current 498 DESCRIPTION 499 "The compliance statement for authentication servers 500 implementing the RADIUS Authentication Server MIB." 501 MODULE -- this module 502 MANDATORY-GROUPS { radiusAuthServMIBGroup } 504 OBJECT radiusAuthServConfigReset 505 WRITE-SYNTAX INTEGER { reset(2) } 506 DESCRIPTION "The only SETable value is 'reset' (2)." 508 ::= { radiusAuthServMIBCompliances 1 } 510 -- units of conformance 512 radiusAuthServMIBGroup OBJECT-GROUP 513 OBJECTS {radiusAuthServIdent, 514 radiusAuthServUpTime, 515 radiusAuthServResetTime, 516 radiusAuthServConfigReset, 517 radiusAuthServTotalAccessRequests, 518 radiusAuthServTotalInvalidRequests, 519 radiusAuthServTotalDupAccessRequests, 520 radiusAuthServTotalAccessAccepts, 521 radiusAuthServTotalAccessRejects, 522 radiusAuthServTotalAccessChallenges, 523 radiusAuthServTotalMalformedAccessRequests, 524 radiusAuthServTotalBadAuthenticators, 525 radiusAuthServTotalPacketsDropped, 526 radiusAuthServTotalUnknownTypes, 527 radiusAuthClientAddress, 528 radiusAuthClientID, 529 radiusAuthServAccessRequests, 530 radiusAuthServDupAccessRequests, 531 radiusAuthServAccessAccepts, 532 radiusAuthServAccessRejects, 533 radiusAuthServAccessChallenges, 534 radiusAuthServMalformedAccessRequests, 535 radiusAuthServBadAuthenticators, 536 radiusAuthServPacketsDropped, 537 radiusAuthServUnknownTypes 538 } 539 STATUS current 540 DESCRIPTION 541 "The collection of objects providing management of 542 a RADIUS Authentication Server." 543 ::= { radiusAuthServMIBGroups 1 } 545 END 547 8. References 549 [1] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for 550 Describing SNMP Management Frameworks", RFC 2271, Cabletron 551 Systems, Inc., BMC Software, Inc., IBM T. J. Watson Research, 552 January 1998. 554 [2] Rose, M., and K. McCloghrie, "Structure and Identification of 555 Management Information for TCP/IP-based Internets", RFC 1155, 556 Performance Systems International, Hughes LAN Systems, May 1990. 558 [3] Rose, M., and K. McCloghrie, "Concise MIB Definitions", RFC 1212, 559 Performance Systems International, Hughes LAN Systems, March 1991. 561 [4] M. Rose, "A Convention for Defining Traps for use with the SNMP", 562 RFC 1215, Performance Systems International, March 1991. 564 [5] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure 565 of Management Information for Version 2 of the Simple Network 566 Management Protocol (SNMPv2)", RFC 1902, SNMP Research,Inc., Cisco 567 Systems, Inc., Dover Beach Consulting, Inc., International Network 568 Services, January 1996. 570 [6] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual 571 Conventions for Version 2 of the Simple Network Management Protocol 572 (SNMPv2)", RFC 1903, SNMP Research, Inc., Cisco Systems, Inc., 573 Dover Beach Consulting, Inc., International Network Services, 574 January 1996. 576 [7] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Conformance 577 Statements for Version 2 of the Simple Network Management Protocol 578 (SNMPv2)", RFC 1904, SNMP Research, Inc., Cisco Systems, Inc., 579 Dover Beach Consulting, Inc., International Network Services, 580 January 1996. 582 [8] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network 583 Management Protocol", RFC 1157, SNMP Research, Performance Systems 584 International, Performance Systems International, MIT Laboratory 585 for Computer Science, May 1990. 587 [9] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, 588 "Introduction to Community-based SNMPv2", RFC 1901, SNMP Research, 589 Inc., Cisco Systems, Inc., Dover Beach Consulting, Inc., 590 International Network Services, January 1996. 592 [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Transport 593 Mappings for Version 2 of the Simple Network Management Protocol 594 (SNMPv2)", RFC 1906, SNMP Research, Inc., Cisco Systems, Inc., 595 Dover Beach Consulting, Inc., International Network Services, 596 January 1996. 598 [11] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message 599 Processing and Dispatching for the Simple Network Management 600 Protocol (SNMP)", RFC 2272, SNMP Research, Inc., Cabletron Systems, 601 Inc., BMC Software, Inc., IBM T. J. Watson Research, January 1998. 603 [12] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) for 604 version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 605 2274, IBM T. J. Watson Research, January 1998. 607 [13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol 608 Operations for Version 2 of the Simple Network Management Protocol 609 (SNMPv2)", RFC 1905, SNMP Research, Inc., Cisco Systems, Inc., 610 Dover Beach Consulting, Inc., International Network Services, 611 January 196. 613 [14] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications", RFC 614 2273, SNMP Research, Inc., Secure Computing Corporation, Cisco 615 Systems, January 1998 617 [15] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access 618 Control Model (VACM) for the Simple Network Management Protocol 619 (SNMP)", RFC 2275, IBM T. J. Watson Research, BMC Software, Inc., 620 Cisco Systems, Inc., January 1998 622 [16] Rigney, C., Rubens, A., Simpson W., and S. Willens, "Remote 623 Authentication Dial In User Service (RADIUS)", RFC 2138, April 624 1997. 626 9. Security considerations 628 There are a number of management objects defined in this MIB that have a 629 MAX-ACCESS clause of read-write and/or read-create. Such objects may be 630 considered sensitive or vulnerable in some network environments. The 631 support for SET operations in a non-secure environment without proper 632 protection can have a negative effect on network operations. 634 There are a number of managed objects in this MIB that may contain 635 sensitive information. These are: 637 radiusAuthClientAddress 638 This can be used to determine the address of the RADIUS 639 authentication client with which the server is communicating. 640 This information could be useful in impersonating the client. 642 radiusAuthClientID 643 This can be used to determine the client ID of the 644 authentication client with which the server is communicating. 645 This information could be useful in impersonating the client. 647 It is thus important to control even GET access to these objects and 648 possibly to even encrypt the values of these object when sending them 649 over the network via SNMP. Not all versions of SNMP provide features 650 for such a secure environment. 652 SNMPv1 by itself is not a secure environment. Even if the network itself 653 is secure (for example by using IPSec), there is no control as to who on 654 the secure network is allowed to access and GET/SET 655 (read/change/create/delete) the objects in this MIB. 657 It is recommended that the implementers consider the security features 658 as provided by the SNMPv3 framework. Specifically, the use of the User- 659 based Security Model RFC 2274 [12] and the View-based Access Control 660 Model RFC 2275 [15] is recommended. Using these security features, 661 customer/users can give access to the objects only to those principals 662 (users) that have legitimate rights to GET or SET (change/create/delete) 663 them. 665 10. Acknowledgments 667 Thanks to Narendra Gidwani of Microsoft, Allan C. Rubens of MERIT, Carl 668 Rigney of Livingston and Peter Heitman of American Internet Corporation 669 for useful discussions of this problem space. 671 11. Authors' Addresses 673 Bernard Aboba 674 Microsoft Corporation 675 One Microsoft Way 676 Redmond, WA 98052 678 Phone: 425-936-6605 679 EMail: bernarda@microsoft.com 681 Glen Zorn 682 Microsoft Corporation 683 One Microsoft Way 684 Redmond, WA 98052 686 Phone: 425-703-1559 687 EMail: glennz@microsoft.com 689 12. Intellectural Property Statement 691 The IETF takes no position regarding the validity or scope of any 692 intellectual property or other rights that might be claimed to pertain 693 to the implementation or use of the technology described in this 694 document or the extent to which any license under such rights might or 695 might not be available; neither does it represent that it has made any 696 effort to identify any such rights. Information on the IETF's 697 procedures with respect to rights in standards-track and standards- 698 related documentation can be found in BCP-11. Copies of claims of 699 rights made available for publication and any assurances of licenses to 700 be made available, or the result of an attempt made to obtain a general 701 license or permission for the use of such proprietary rights by 702 implementors or users of this specification can be obtained from the 703 IETF Secretariat. 705 The IETF invites any interested party to bring to its attention any 706 copyrights, patents or patent applications, or other proprietary rights 707 which may cover technology that may be required to practice this 708 standard. Please address the information to the IETF Executive 709 Director. 711 13. Full Copyright Statement 713 Copyright (C) The Internet Society (1999). All Rights Reserved. 714 This document and translations of it may be copied and furnished to 715 others, and derivative works that comment on or otherwise explain it or 716 assist in its implmentation may be prepared, copied, published and 717 distributed, in whole or in part, without restriction of any kind, 718 provided that the above copyright notice and this paragraph are included 719 on all such copies and derivative works. However, this document itself 720 may not be modified in any way, such as by removing the copyright notice 721 or references to the Internet Society or other Internet organizations, 722 except as needed for the purpose of developing Internet standards in 723 which case the procedures for copyrights defined in the Internet 724 Standards process must be followed, or as required to translate it into 725 languages other than English. The limited permissions granted above are 726 perpetual and will not be revoked by the Internet Society or its 727 successors or assigns. This document and the information contained 728 herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE 729 INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR 730 IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 731 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 732 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 734 14. Expiration Date 736 This memo is filed as , and 737 expires August 1, 1999.