[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 RFC 4545

Internet Draft                                              Mark Bakke
<draft-ietf-ips-auth-mib-01.txt>                            Jim Muchow
Expires December 2002                                    Cisco Systems

                                                             June 2002


    Definitions of Managed Objects for User Identity Authentication



1.  Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet- Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.


1.1.  Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.


2.  Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in TCP/IP based internets.
   In particular it defines objects for managing user identities and the
   names, addresses, and credentials required to authenticate them, for
   use with various protocols.  This draft was motivated by the need for
   the configuration of authenticated user identities for the iSCSI
   protocol [ISCSI], but has been extended to be useful for other
   protocols that have similar requirements.  It is important to note



Bakke, Muchow             Expires December 2002                 [Page 1]

Internet Draft           IPS Authentication MIB                June 2002


   that this MIB provides only the set of identities and the means to
   authenticate them; it is the responsibility of other MIBs making use
   of this one to tie them to authorization lists.


3.  Acknowledgments

   In addition to the authors, several people contributed to the
   development of this MIB through discussions of authentication,
   authorization, and access within the iSCSI MIB and security teams,
   including John Hufferd, Marjorie Krueger, Keith McCloghrie, Tom
   McSweeney, Steve Senum, and Josh Tseng.

   Thanks especially to Keith McCloghrie for serving as advisor for this
   MIB.


4.  The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

    o   An overall architecture, described in RFC 2571 [RFC2571].

    o   Mechanisms for describing and naming objects and events for the
        purpose of management.  The first version of this Structure of
        Management Information (SMI) is called SMIv1 and described in
        STD 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC
        1215 [RFC1215].  The second version, called SMIv2, is described
        in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and
        STD 58, RFC 2580 [RFC2580].

    o   Message protocols for transferring management information.  The
        first version of the SNMP message protocol is called SNMPv1 and
        described in STD 15, RFC 1157 [RFC1157].  A second version of
        the SNMP message protocol, which is not an Internet standards
        track protocol, is called SNMPv2c and described in RFC 1901
        [RFC1901] and RFC 1906 [RFC1906].  The third version of the
        message protocol is called SNMPv3 and described in RFC 1906
        [RFC1906], RFC 2572 [RFC2572] and RFC 2574 [RFC2574].

    o   Protocol operations for accessing management information.  The
        first set of protocol operations and associated PDU formats is
        described in STD 15, RFC 1157 [RFC1157].  A second set of
        protocol operations and associated PDU formats is described in
        RFC 1905 [RFC1905].





Bakke, Muchow             Expires December 2002                 [Page 2]

Internet Draft           IPS Authentication MIB                June 2002


    o   A set of fundamental applications described in RFC 2573
        [RFC2573] and the view-based access control mechanism described
        in RFC 2575 [RFC2575].

   A more detailed introduction to the current SNMP Management Framework
   can be found in RFC 2570 [RFC2570].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2.  A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations.  The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64).  Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process.  However, this loss of machine
   readable information is not considered to change the semantics of the
   MIB.

   This MIB will be used to configure and/or look at the configuration
   of user identities and their authentication information.  For the
   purposes of this MIB, a "user" identity does not need to be an actual
   person; a user can also be a host, an application, a cluster of
   hosts, or any other identifiable entity that can be authenticated and
   granted access to a resource.

   Most objects in this MIB have a MAX-ACCESS of read-create; the MIB is
   intended to allow configuration of user identities and their names,
   addresses, and credentials.  MIN-ACCESS for all objects is read-only
   for those implementations that configure through other means, but
   require the ability to monitor user identities.


4.1.  Revision History

   The following modifications were made from draft-00 to draft-01
   - The Kerberos and SPKM (public key certificate) authentication
     methods were removed.  - Added the capability to include Fibre
   Channel addresses.


5.  Relationship to Other MIBs

   The identity authentication MIB does not directly address objects
   within other MIBs.  The identity address objects contain IPv4, IPv6,
   or other address types, and as such may be indirectly related to



Bakke, Muchow             Expires December 2002                 [Page 3]

Internet Draft           IPS Authentication MIB                June 2002


   objects within the IPv4 MIB [RFC1213, RFC2011] or IPv6 [RFC2465] MIB.

   This MIB does not cover authorization.  This should generally be done
   in MIBs that reference identities in this one.  It also does not
   cover login or authentication failure statistics or notifications, as
   these are all fairly application-specific, and not generic enough to
   include here.

   The user identity objects within this MIB are typically referenced
   from other MIBs by a RowPointer within that MIB.  A MIB containing
   resources for which it requires a list of authorized user identities
   may create such a list, with a single RowPointer within each list
   element pointing to a user identity within this MIB.  This is neither
   required nor restricted by this MIB.


6.  Discussion

   This MIB structure is intended to allow the configuration of a list
   of user identities, each with a list of names, addresses,
   credentials, and certificates which when combined will authenticate
   that identity.

   The authentication MIB is structured around two primary "objects",
   the authentication instance, and the identity, which serve as
   containers for the remainder of the objects.  This section contains a
   brief description of the "object" hierarchy and a description of each
   object, followed by a discussion of the actual SNMP table structure
   within the objects.

6.1.  Authentication MIB Object Model

   The top-level object in this structure is the authentication
   instance, which "contains" all of the other objects.  The indexing
   hierarchy of this MIB looks like:

   ipsAuthInstance
      -- A distinct authentication entity within the managed system.
      -- Most implementations will have just one of these.
      ipsAuthIdentity
         -- A user identity, consisting of a set of identity names,
         -- addresses, and credentials reflected in the following
         -- objects, as well as a RowPointer to an ipsAuthCertificate.
         ipsAuthIdentityName
            -- A name for a user identity.  A name should be globally
            -- unique, and unchanging over time.  Some protocols may
            -- not require this one.
         ipsAuthIdentityAddress



Bakke, Muchow             Expires December 2002                 [Page 4]

Internet Draft           IPS Authentication MIB                June 2002


            -- An address range, typically but not necessarily an
            -- IPv4, IPv6, or Fibre Channel address range, at which
            -- the identity is allowed to reside.
         ipsAuthCredential
            -- A single credential, such as a CHAP username/password,
            -- which can ipsAuthenticate the identity.
            ipsAuthCredChap
               -- CHAP-specific attributes for an ipsAuthCredential
            ipsAuthCredSrp
               -- SRP-specific attributes

   Each identity contains the information necessary to authenticate a
   particular end-point that wishes to access a service, such as iSCSI.

   An identity can contain multiple names, addresses, and credentials.

   Work - Add some examples here.

   Work - need examples showing how this can work on a client and a
   server, for mutual authentication.

6.2.  ipsAuthInstance

   The ipsAuthInstanceAttributesTable is the primary table of the
   authentication MIB.  Every other table entry in this MIB includes the
   index of an ipsAuthInstanceAttributesEntry as its primary index.  An
   authentication instance is basically a managed set of identities.

   Many implementations will include just one authentication instance
   row in this table.  However, there will be cases where multiple rows
   in this table may be used:

   - A large system may be "partitioned" into multiple, distinct virtual
     systems, perhaps sharing the SNMP agent but not their lists of
     identities.  Each virtual system would have its own authentication
     instance.

   - A set of stackable systems, each with their own set of identities,
     may be managed by a common SNMP agent.  Each individual system
     would have its own authentication instance.

   - Multiple protocols, each with their own set of identities, may
     exist within a single system and be managed by a single SNMP agent.
     In this case, each protocol may have its own authentication
     instance.






Bakke, Muchow             Expires December 2002                 [Page 5]

Internet Draft           IPS Authentication MIB                June 2002


6.3.  ipsAuthIdentity

   The ipsAuthIdentAttributesTable contains one entry for each
   configured user identity.  The identity contains only a description
   of what the identity is used for; its attributes are all contained in
   other tables, since they can have multiple values.

   Other MIBs containing lists of users authorized to access a
   particular resource should generally contain a RowPointer to the
   ipsAuthIdentAttributesEntry which will, if authenticated, be allowed
   access.

   All other table entries make use of the indices to this table as
   their primary indices.

6.4.  ipsAuthIdentityName

   The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names,
   each of which belong to, and may be used to identify, a particular
   identity in the authIdentity table.

   Implementations making use of the authentication MIB may identify
   their resources by names, addresses, or both.  A name is typically a
   unique (within the required scope), unchanging identifier for a
   resource. It will normally meet some or all of the requirements for a
   Uniform Resource Name [RFC1737], although a name in the context of
   this MIB does not need to be a URN.  Identifiers that typically
   change over time should generally be placed into the
   ipsAuthIdentityAddress table; names that have no uniqueness
   properties should usually be placed into the description attribute
   for the identity.

   An example of an identity name is the iSCSI Name, defined in [ISCSI].

   If this table contains no entries associated with a particular user
   identity, the implementation does not need to check any name
   paramenters when authenticating that identity.  If the table contains
   multiple entries associated with a particular user identity, the
   implementation should consider a match with any one of these entries
   to be valid.

6.5.  ipsAuthIdentityAddress

   The ipsAuthIdentAddrAttributesTable contains a list of addresses at
   which the identity may be authenticated.  For example, an identity
   may be allowed access to a resource only from a certain IP address,
   or only if its address is in a certain range or set of ranges.




Bakke, Muchow             Expires December 2002                 [Page 6]

Internet Draft           IPS Authentication MIB                June 2002


   Each entry contains a starting and ending address.  If a single
   address is desired in the list, both starting and ending addresses
   must be identical.

   Each entry contains an AddrType attribute.  This attribute contains
   an enumeration registered as an IANA Address Family type [IANA-AF].
   Although many implementations will use IPv4 or IPv6 address types for
   these entries, any IANA-registered type may be used, as long as it
   makes sense to the application.

   Matching any address within any range within the list associated with
   a particular identity is considered to be a valid match.  If no
   entries are present in this list for a given identity, its address is
   not checked during authentication.

   Netmasks are not supported, since an address range can express the
   same thing with more flexibility.  An application specifying
   addresses using network masks may do so, and convert to and from
   address ranges when reading or writing this MIB.

6.6.  ipsAuthCredential

   The ipsAuthCredentialAttributesTable contains a list of credentials,
   each of which may authenticate a particular identity.

   Each credential contains an authentication method to be used, such as
   CHAP [RFC1994], or SRP [RFC2945].  This attribute contains an object
   identifier instead of an enumerated type, allowing other MIBs to add
   their own authentication methods, without modifying this MIB.

   For each entry in this table, there will exist an entry in another
   table containing its attributes.  The table in which to place the
   entry depends on the AuthMethod attribute:

   CHAP     If the AuthMethod is set to the CHAP OID, an entry using the
            same indices as the ipsAuthCredential will exist in the
            ipsAuthCredChap table, which contains the CHAP username and
            password expected.

   SRP      If the AuthMethod is set to the SRP OID, an entry using the
            same indices as the ipsAuthCredential will exist in the
            ipsAuthCredSrp table, which contains the SRP username,
            password verifier, and salt.

   Other    If the AuthMethod is set to any OID not defined in this MIB,
            an entry using the same indices as the ipsAuthCredential
            entry should be placed in the other MIB that define whatever
            attributes are needed for that type of credential.



Bakke, Muchow             Expires December 2002                 [Page 7]

Internet Draft           IPS Authentication MIB                June 2002


6.7.  IP, Fibre Channel, and Other Addresses

   The IP addresses in this MIB are represented by two attributes, one
   of type AddressFamilyNumbers, and the other of type AuthAddress.
   Each address can take on any of the types within the list of address
   family numbers; the most likely being IPv4, IPv6, or one of the Fibre
   Channel address types.

   The type AuthAddress is an octet string.  If the address family is
   IPv4 or IPv6, the format is taken from the InetAddress specified in
   [RFC3291].  If the address family is one of the Fibre Channel types,
   the format is identical to the FcNameIdOrZero type defined in
   [FCMGMT].

6.8.  Descriptors: Using OIDs in Place of Enumerated Types

   Some attributes, particularly the authentication method attribute,
   would normally require an enumerated type.  However, implementations
   will likely need to add new authentication method types of their own,
   without extending this MIB.  To make this work, the MIB defines a set
   of object identities within ipsAuthDescriptors.  Each of these object
   identities is basically an enumerated type.

   Attributes that make use of these object identities have a value
   which is an OID instead of an enumerated type.  These OIDs can either
   indicate the object identities defined in this MIB, or object
   identities defined elsewhere, such as in an enterprise MIB.  Those
   implementations that add their own authentication methods should also
   define a corresponding object identity for each of these methods
   within their own enterprise MIB, and return its OID whenever one of
   these attributes is using that method.

6.9.  Notifications

   Monitoring of authentication failures and other notification events
   are outside the scope of this MIB, as they are generally application-
   specific.  No notifications are provided or required.














Bakke, Muchow             Expires December 2002                 [Page 8]

Internet Draft           IPS Authentication MIB                June 2002


7.  MIB Definitions



IPS-AUTH-MIB DEFINITIONS  ::= BEGIN

    IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32,
    experimental
    FROM SNMPv2-SMI

    TEXTUAL-CONVENTION,
    RowStatus,
    AutonomousType
    FROM SNMPv2-TC

    MODULE-COMPLIANCE,
    OBJECT-GROUP
    FROM SNMPv2-CONF

    SnmpAdminString
    FROM SNMP-FRAMEWORK-MIB -- RFC 2571

    AddressFamilyNumbers
    FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB
    ;

ipsAuthModule MODULE-IDENTITY
    LAST-UPDATED  "200206260000Z"
    ORGANIZATION  "IETF IPS Working Group"
    CONTACT-INFO
    "
    Mark Bakke
    Postal: Cisco Systems, Inc
    6450 Wedgwood Road, Suite 130
    Maple Grove, MN
    USA 55311

    Tel: +1 763-398-1000
    Fax: +1 763-398-1001

    E-mail: mbakke@cisco.com"

    DESCRIPTION
        "The IP Storage Authorization MIB module."

    REVISION "200206260000Z" -- June 26, 2002
    DESCRIPTION



Bakke, Muchow             Expires December 2002                 [Page 9]

Internet Draft           IPS Authentication MIB                June 2002


        "Initial revision published as RFC xxxx."

--::= { mib-2 xx }
-- in case you want to COMPILE
::= { experimental 99999 }

ipsAuthObjects OBJECT IDENTIFIER ::= { ipsAuthModule 1 }
ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthModule 2 }
ipsAuthConformance OBJECT IDENTIFIER ::= { ipsAuthModule 3 }

-- Textual Conventions

IpsAuthAddress ::= TEXTUAL-CONVENTION
    STATUS        current
    DESCRIPTION
        "IP Storage requires the use of address information
        that uses not only the InetAddress type defined in the
     INET-ADDRESS-MIB, but also Fibre Channel type defined
        in the Fibre Channel Management MIB. Although these
        address types are recognized in the IANA Address Family
        Numbers MIB, the addressing mechanisms have not been
        merged into a well-known, common type. This data type,
        the IpsAuthAddress, performs this function for this MIB."
    REFERENCE
        "IANA-ADDRESS-FAMILY-NUMBERS-MIB;
         INET-ADDRESS-MIB (RFC 2851);
         Fibre Channel Management MIB (presently defined in
         draft-ietf-ips-fcmgmt-mib-01.txt)."
    SYNTAX        OCTET STRING (SIZE(0..255))

------------------------------------------------------------------------

ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 }

ipsAuthMethodTypes OBJECT IDENTIFIER ::= { ipsAuthDescriptors 1 }

ipsAuthMethodNone OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
     "The authoritative identifier when no authentication
     method is used."
    REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 1 }

ipsAuthMethodSrp OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
     "The authoritative identifier when the authentication



Bakke, Muchow             Expires December 2002                [Page 10]

Internet Draft           IPS Authentication MIB                June 2002


     method is SRP."
    REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 2 }

ipsAuthMethodChap OBJECT-IDENTITY
    STATUS      current
    DESCRIPTION
     "The authoritative identifier when the authentication
     method is CHAP."
    REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 3 }

----------------------------------------------------------------------

ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 }

-- Instance Attributes Table

ipsAuthInstanceAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthInstanceAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of iSCSI instances present on the system."
::= { ipsAuthInstance 2 }

ipsAuthInstanceAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthInstanceAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing managment information applicable
        to a particular iSCSI instance."
    INDEX { ipsAuthInstIndex }
::= { ipsAuthInstanceAttributesTable 1 }

IpsAuthInstanceAttributesEntry ::= SEQUENCE {
    ipsAuthInstIndex                 Unsigned32,
    ipsAuthInstDescr                 SnmpAdminString
}

ipsAuthInstIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a particular
        authentication instance."



Bakke, Muchow             Expires December 2002                [Page 11]

Internet Draft           IPS Authentication MIB                June 2002


::= { ipsAuthInstanceAttributesEntry 1 }

ipsAuthInstDescr OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-write
    STATUS        current
    DESCRIPTION
        "An octet string, determined by the implementation to describe
     the authentication instance.  When only a single instance is present,
     this object may be set to the zero-length string; with multiple
     authentication instances, it may be used in an implementation-dependent
     manner to describe the purpose of the respective instance."
::= { ipsAuthInstanceAttributesEntry 2 }


ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 }

-- iSCSI User Identity Attributes Table

ipsAuthIdentAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
     "A list of user identities, each belonging to a particular
     ipsAuthInstance."
::= { ipsAuthIdentity 1 }

ipsAuthIdentAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        describing a user identity
        within an authentication instance on this node."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex }
::= { ipsAuthIdentAttributesTable  1 }

IpsAuthIdentAttributesEntry ::= SEQUENCE {
    ipsAuthIdentIndex                   Unsigned32,
    ipsAuthIdentDescription             SnmpAdminString,
    ipsAuthIdentRowStatus               RowStatus
}

ipsAuthIdentIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible



Bakke, Muchow             Expires December 2002                [Page 12]

Internet Draft           IPS Authentication MIB                June 2002


    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a particular
        identity instance within an authentication instance present
     on the node."
::= { ipsAuthIdentAttributesEntry 1 }

ipsAuthIdentDescription OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "An octet string describing this particular identity."
::= { ipsAuthIdentAttributesEntry 2 }

ipsAuthIdentRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
     removed from this table via SNMP."
::= { ipsAuthIdentAttributesEntry 3 }


ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 }

-- iSCSI User Initiator Name Attributes Table

ipsAuthIdentNameAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentNameAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of unique names that can be used to positively
     identify a particular user identity."
::= { ipsAuthIdentityName 1 }

ipsAuthIdentNameAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentNameAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a unique identity name which can be used
     to uniquely identify a user identity within a particular
     authentication instance."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthIdentNameIndex }



Bakke, Muchow             Expires December 2002                [Page 13]

Internet Draft           IPS Authentication MIB                June 2002


::= { ipsAuthIdentNameAttributesTable  1 }

IpsAuthIdentNameAttributesEntry ::= SEQUENCE {
    ipsAuthIdentNameIndex                   Unsigned32,
    ipsAuthIdentName                        SnmpAdminString,
    ipsAuthIdentNameRowStatus               RowStatus
}

ipsAuthIdentNameIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a particular
        identity name instance within an ipsAuthIdentity within an
     authentication instance."
::= { ipsAuthIdentNameAttributesEntry 1 }

ipsAuthIdentName OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "A character string which is the unique name of an
     identity that may be used to identify this
     ipsAuthIdent entry."
::= { ipsAuthIdentNameAttributesEntry 2 }

ipsAuthIdentNameRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
     removed from this table via SNMP."
::= { ipsAuthIdentNameAttributesEntry 3 }


ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 }

-- iSCSI User Initiator Address Attributes Table

ipsAuthIdentAddrAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentAddrAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of address ranges that are allowed to serve



Bakke, Muchow             Expires December 2002                [Page 14]

Internet Draft           IPS Authentication MIB                June 2002


     as the endpoint addresses of a particular identity.
     An address range includes a starting and ending address
     and an optional netmask, and an address type indicator,
     which can specify whether the address is IPv4, IPv6,
     FC-WWPN, or FC-WWNN."
::= { ipsAuthIdentityAddress 1 }

ipsAuthIdentAddrAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentAddrAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to an address range which is used as part
     of the authentication of an identity
        within an authentication instance on this node."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthIdentAddrIndex }
::= { ipsAuthIdentAddrAttributesTable  1 }

IpsAuthIdentAddrAttributesEntry ::= SEQUENCE {
    ipsAuthIdentAddrIndex                   Unsigned32,
    ipsAuthIdentAddrType                    AddressFamilyNumbers,
    ipsAuthIdentAddrStart                   IpsAuthAddress,
    ipsAuthIdentAddrEnd                     IpsAuthAddress,
    ipsAuthIdentAddrRowStatus               RowStatus
}

ipsAuthIdentAddrIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a particular
        ipsAuthIdentAddress instance within an ipsAuthIdentity within an
     authentication instance present on the node."
::= { ipsAuthIdentAddrAttributesEntry 1 }

ipsAuthIdentAddrType OBJECT-TYPE
    SYNTAX        AddressFamilyNumbers
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The type of Address in the ipsAuthIdentAddress start, end,
     and mask fields.  This type is taken from the IANA address
     family types; more types may be registered independently
     of this MIB."
::= { ipsAuthIdentAddrAttributesEntry 2 }




Bakke, Muchow             Expires December 2002                [Page 15]

Internet Draft           IPS Authentication MIB                June 2002


ipsAuthIdentAddrStart OBJECT-TYPE
    SYNTAX        IpsAuthAddress
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The starting address of the allowed address range."
::= { ipsAuthIdentAddrAttributesEntry 3 }

ipsAuthIdentAddrEnd OBJECT-TYPE
    SYNTAX        IpsAuthAddress
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The ending address of the allowed address range.  If the
         ipsAuthIdentAddrEntry specifies a single address, this shall
         match the ipsAuthIdentAddrStart."
::= { ipsAuthIdentAddrAttributesEntry 4 }


ipsAuthIdentAddrRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
     removed from this table via SNMP."
::= { ipsAuthIdentAddrAttributesEntry 5 }


ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 }

-- Identity Credential Attributes Table

ipsAuthCredentialAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredentialAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of credentials related to user identities
     that are allowed as valid authenticators of the
     particular identity."
::= { ipsAuthCredential 1 }

ipsAuthCredentialAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredentialAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION



Bakke, Muchow             Expires December 2002                [Page 16]

Internet Draft           IPS Authentication MIB                June 2002


        "An entry (row) containing management information
        applicable to a credential which authenticates a user
        identity within an authentication instance."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredentialAttributesTable  1 }

IpsAuthCredentialAttributesEntry ::= SEQUENCE {
    ipsAuthCredIndex                   Unsigned32,
    ipsAuthCredAuthMethod              AutonomousType,
    ipsAuthCredRowStatus               RowStatus
}

ipsAuthCredIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a particular
        iSCSI Credential instance within an iSCSI instance present on the
        node."
::= { ipsAuthCredentialAttributesEntry 1 }

ipsAuthCredAuthMethod OBJECT-TYPE
    SYNTAX        AutonomousType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
     "This object contains an OBJECT IDENTIFIER
     which identifies the authentication method
     used with this credential.

     Some standardized values for this object are defined
     within the ipsAuthMethods subtree."
::= { ipsAuthCredentialAttributesEntry 2 }

ipsAuthCredRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
     removed from this table via SNMP."
::= { ipsAuthCredentialAttributesEntry 3 }

ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 7 }

-- Credential Chap-Specific Attributes Table




Bakke, Muchow             Expires December 2002                [Page 17]

Internet Draft           IPS Authentication MIB                June 2002


ipsAuthCredChapAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredChapAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of CHAP attributes for credentials that
     have their ipsAuthCredAuthMethod == ipsAuthMethodChap."
::= { ipsAuthCredChap 1 }

ipsAuthCredChapAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredChapAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which has the ipsAuthCredAuthMethod
     set to the OID of ipsAuthMethodChap."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredChapAttributesTable  1 }

IpsAuthCredChapAttributesEntry ::= SEQUENCE {
    ipsAuthCredChapUserName            SnmpAdminString,
    ipsAuthCredChapPassword            SnmpAdminString,
    ipsAuthCredChapRowStatus           RowStatus
}

ipsAuthCredChapUserName OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "An octet string containing the CHAP user name for this
     credential."
::= { ipsAuthCredChapAttributesEntry 1 }

ipsAuthCredChapPassword OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "An octet string containing the password for this
     credential.  If written, it changes the password for
     the credential.  If read, it returns a zero-length
     string."
::= { ipsAuthCredChapAttributesEntry 2 }

ipsAuthCredChapRowStatus OBJECT-TYPE
    SYNTAX        RowStatus



Bakke, Muchow             Expires December 2002                [Page 18]

Internet Draft           IPS Authentication MIB                June 2002


    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
     removed from this table via SNMP."
::= { ipsAuthCredChapAttributesEntry 3 }


ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 8 }

-- Credential Srp-Specific Attributes Table

ipsAuthCredSrpAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredSrpAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of SRP-specific attributes for credentials that
     have their ipsAuthCredAuthMethod == ipsAuthMethodSrp."
::= { ipsAuthCredSrp 1 }

ipsAuthCredSrpAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredSrpAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which has the ipsAuthCredAuthMethod
     set to the OID of ipsAuthMethodSrp."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredSrpAttributesTable  1 }

IpsAuthCredSrpAttributesEntry ::= SEQUENCE {
    ipsAuthCredSrpUserName            SnmpAdminString,
    ipsAuthCredSrpPassword            SnmpAdminString,
    ipsAuthCredSrpRowStatus           RowStatus
}

ipsAuthCredSrpUserName OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "An octet string containing the CHAP user name for this
     credential."
::= { ipsAuthCredSrpAttributesEntry 1 }

ipsAuthCredSrpPassword OBJECT-TYPE



Bakke, Muchow             Expires December 2002                [Page 19]

Internet Draft           IPS Authentication MIB                June 2002


    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "An octet string containing the password for this
     credential.  If written, it changes the password for
     the credential.  If read, it returns a zero-length
     string."
::= { ipsAuthCredSrpAttributesEntry 2 }

ipsAuthCredSrpRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
     removed from this table via SNMP."
::= { ipsAuthCredSrpAttributesEntry 3 }

------------------------------------------------------------------------
-- Notifications

-- There are no notifications necessary in this MIB.

------------------------------------------------------------------------

-- Conformance Statements

ipsAuthGroups OBJECT IDENTIFIER ::= { ipsAuthConformance 1 }

ipsAuthInstanceAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthInstDescr
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
     authentication instances."
::= { ipsAuthGroups 1 }

ipsAuthIdentAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentDescription,
    ipsAuthIdentRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about



Bakke, Muchow             Expires December 2002                [Page 20]

Internet Draft           IPS Authentication MIB                June 2002


     user identities within an authentication instance."
::= { ipsAuthGroups 2 }

ipsAuthIdentNameAttributesGroup OBJECT-GROUP
    OBJECTS {
    ipsAuthIdentName,
    ipsAuthIdentNameRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
     user names within user identities within an authentication
     instance."
::= { ipsAuthGroups 3 }

ipsAuthIdentAddrAttributesGroup OBJECT-GROUP
    OBJECTS {
    ipsAuthIdentAddrType,
    ipsAuthIdentAddrStart,
    ipsAuthIdentAddrEnd,
    ipsAuthIdentAddrRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
     address ranges within user identities within an authentication
     instance."
::= { ipsAuthGroups 4 }

ipsAuthIdentCredAttributesGroup OBJECT-GROUP
    OBJECTS {
    ipsAuthCredAuthMethod,
    ipsAuthCredRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
     credentials within user identities within an authentication
     instance."
::= { ipsAuthGroups 5 }

ipsAuthIdentChapAttrGroup OBJECT-GROUP
    OBJECTS {
    ipsAuthCredChapUserName,
    ipsAuthCredChapPassword,
    ipsAuthCredChapRowStatus
    }
    STATUS current



Bakke, Muchow             Expires December 2002                [Page 21]

Internet Draft           IPS Authentication MIB                June 2002


    DESCRIPTION
        "A collection of objects providing information about CHAP
     credentials within user identities within an authentication
     instance."
::= { ipsAuthGroups 6 }

ipsAuthIdentSrpAttrGroup OBJECT-GROUP
    OBJECTS {
    ipsAuthCredSrpUserName,
    ipsAuthCredSrpPassword,
    ipsAuthCredSrpRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about SRP
     credentials within user identities within an authentication
     instance."
::= { ipsAuthGroups 7 }

------------------------------------------------------------------------

ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 2 }

ipsAuthComplianceV1 MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Initial version of compliance statement based on
        initial version of MIB.

     The Instance and Identity groups are mandatory;
     at least one of the other groups (Name, Address,
     Credential, Certificate) is also mandatory for
     any given implementation."
    MODULE       -- this module
    MANDATORY-GROUPS {
        ipsAuthInstanceAttributesGroup,
        ipsAuthIdentAttributesGroup
    }

    -- Conditionally mandatory groups to be included with
    -- the mandatory groups when necessary.

    GROUP ipsAuthIdentNameAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
     that make use of unique identity names."

    GROUP ipsAuthIdentAddrAttributesGroup



Bakke, Muchow             Expires December 2002                [Page 22]

Internet Draft           IPS Authentication MIB                June 2002


    DESCRIPTION
        "This group is mandatory for all implementations
     that use addresses to help authenticate identities."

    GROUP ipsAuthIdentCredAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
     that use credentials to help authenticate identities."

::= { ipsAuthCompliances 1 }

END



8.  Security Considerations

   SNMPv1 by itself is not a secure environment.  Even if the network
   itself is secure (for example by using IPSec), even then, there is no
   control as to who on the secure network is allowed to access and
   GET/SET (read/change/create/delete) the objects in this MIB.

   It is recommended that the implementers consider the security
   features as provided by the SNMPv3 framework.  Specifically, the use
   of the User-based Security Model RFC 2574 [RFC2574] and the View-
   based Access Control Model RFC 2575 [RFC2575] is recommended.

   It is then a customer/user responsibility to ensure that the SNMP
   entity giving access to an instance of this MIB, is properly
   configured to give access to the objects only to those principals
   (users) that have legitimate rights to indeed GET or SET
   (change/create/delete) them.

   Read access to this MIB provides the ability to find out which names,
   addresses, and credentials would be required to access services on
   the managed system.  If these credentials are easily spoofed
   (particularly the name or address), read access to the MIB must be
   tightly controlled.

   Write access to the MIB provides the ability to set up which
   credentials may be used to access services on the managed system, to
   remove legitimate credentials (a denial of service), or to remove
   individual credentials to weaken the requirements for access of a
   particular service.  Write access must always be tightly controlled.







Bakke, Muchow             Expires December 2002                [Page 23]

Internet Draft           IPS Authentication MIB                June 2002


9.  Normative References

[ISCSI]     Satran, J., et. al., "iSCSI", draft-ietf-ips-iSCSI-13, June
            2002.

[RFC2571]   Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
            for Describing SNMP Management Frameworks", RFC 2571, April
            1999.

[RFC1155]   Rose, M., and K. McCloghrie, "Structure and Identification
            of Management Information for TCP/IP-based Internets", STD
            16, RFC 1155, May 1990.

[RFC1212]   Rose, M., and K. McCloghrie, "Concise MIB Definitions", STD
            16, RFC 1212, March 1991.

[RFC1215]   M. Rose, "A Convention for Defining Traps for use with the
            SNMP", RFC 1215, March 1991.

[RFC2578]   McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
            Rose, M., and S. Waldbusser, "Structure of Management
            Information Version 2 (SMIv2)", STD 58, RFC 2578, April
            1999.

[RFC2579]   McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
            Rose, M., and S. Waldbusser, "Textual Conventions for
            SMIv2", STD 58, RFC 2579, April 1999.

[RFC2580]   McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
            Rose, M., and S. Waldbusser, "Conformance Statements for
            SMIv2", STD 58, RFC 2580, April 1999.

[RFC1157]   Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
            Network Management Protocol", STD 15, RFC 1157, May 1990.

[RFC1901]   Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
            "Introduction to Community-based SNMPv2", RFC 1901, January
            1996.

[RFC1906]   Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
            "Transport Mappings for Version 2 of the Simple Network
            Management Protocol (SNMPv2)", RFC 1906, January 1996.

[RFC2572]   Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message
            Processing and Dispatching for the Simple Network Management
            Protocol (SNMP)", RFC 2572, April 1999.





Bakke, Muchow             Expires December 2002                [Page 24]

Internet Draft           IPS Authentication MIB                June 2002


[RFC2574]   Blumenthal, U., and B. Wijnen, "User-based Security Model
            (USM) for version 3 of the Simple Network Management
            Protocol (SNMPv3)", RFC 2574, April 1999.

[RFC1905]   Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
            "Protocol Operations for Version 2 of the Simple Network
            Management Protocol (SNMPv2)", RFC 1905, January 1996.

[RFC2573]   Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications",
            RFC 2573, April 1999.

[RFC2575]   Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
            Access Control Model (VACM) for the Simple Network
            Management Protocol (SNMP)", RFC 2575, April 1999.

[RFC2570]   Case, J., Mundy, R., Partain, D., and B. Stewart,
            "Introduction to Version 3 of the Internet-standard Network
            Management Framework", RFC 2570, April 1999.

[RFC2012]   McCloghrie, K., "SNMPv2 Management Information Base for the
            Transmission Control Protocol using SMIv2", RFC 2012,
            November 1996.

[RFC3291]   Daniele, M., et. al., "Textual Conventions for Internet
            Network Addresses", draft-ietf-ops-rfc2851-update-06.txt,
            February 2001

[IANA-AF]   IANA, "IANA Address Family Numbers MIB",
            http://www.iana.org/assignments/ianaaddressfamilynumbers-mib

[RFC1213]   K. McCloghrie, M.T. Rose, "Management Information Base for
            Network Management of TCP/IP-based internets:MIB-II", March
            1991.

[RFC2011]   K. McCloghrie, "SNMPv2 Management Information Base for the
            Internet Protocol using SMIv2", November 1996.

[RFC2465]   D. Haskin, S. Onishi, "Management Information Base for IP
            Version 6: Textual Conventions and General Group", December
            1998.

[X.509]     ITU-T Recommendation X.509 (1997 E), "Information Technology
            - Open Systems Interconnection - The Directory:
            Authentication Framework", June 1997.

[FCMGMT]    K. McCloghrie, "Fibre Channel Management MIB", draft-ietf-
            ips-fcmgmt-mib-01, February 2002.




Bakke, Muchow             Expires December 2002                [Page 25]

Internet Draft           IPS Authentication MIB                June 2002


10.  Informative References

[RFC1737]   K. Sollins, L. Masinter, "Functional Requirements for
            Uniform Resource Names", December 1994.

[RFC1994]   W. Simpson, "PPP Challenge Handshake Authentication Protocol
            (CHAP)", August 1996.

[RFC2945]   T. Wu, "The SRP Authentication and Key Exchange System",
            September 2000.

11.  Authors' Addresses

       Mark Bakke
       Postal: Cisco Systems, Inc
       6450 Wedgwood Road, Suite 130
       Maple Grove, MN
       USA 55311

       Tel: +1 763-398-1000
       Fax: +1 763-398-1001

       E-mail: mbakke@cisco.com

       Jim Muchow
       Postal: Cisco Systems, Inc
       6450 Wedgwood Road, Suite 130
       Maple Grove, MN
       USA 55311

       Tel: +1 763-398-1000
       Fax: +1 763-398-1001

       E-mail: jmuchow@cisco.com"

















Bakke, Muchow             Expires December 2002                [Page 26]


Html markup produced by rfcmarkup 1.108, available from http://tools.ietf.org/tools/rfcmarkup/