[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 01 02 03 RFC 1472

           Internet Draft
          
                     The Definitions of Managed Objects for
                            the Security Protocols of
                           the Point-to-Point Protocol
          
                                   27 July 1992
          
          
                                 Frank Kastenholz
                                FTP Software, Inc
                                26 Princess Street
                            Wakefield, Mass 01880 USA
          
                                  kasten@ftp.com
          
          
          
          
          
          
          Status of this Memo
          
          This document is an Internet Draft.  Internet Drafts are
          working documents of the Internet Engineering Task Force
          (IETF), its Areas, and its Working Groups.  Note that other
          groups may also distribute working documents as Internet
          Drafts.
          
          Internet Drafts are draft documents valid for a maximum of six
          months.  Internet Drafts may be updated, replaced, or
          obsoleted by other documents at any time.  It is not
          appropriate to use Internet Drafts as reference material or to
          cite them other than as a ``working draft'' or ``work in
          progress.'' Please check the 1id-abstracts.txt listing
          contained in the internet-drafts Shadow Directories on
          nic.ddn.mil, nnsc.nsf.net, nic.nordu.net, ftp.nisc.sri.com, or
          munnari.oz.au to learn the current status of any Internet
          Draft.
          
          
          
          
          
          
          
          
          
          
          
          
          Internet Draft         PPP/Security MIB              July 1992
          
          
          This document will be submitted to the Internet Activities
          Board as a Draft Standard. This document defines an
          experimental extension to the SNMP MIB. Upon publication as a
          Draft Standard, a new MIB number will be assigned.  This is a
          working document only, it should neither be cited nor quoted
          in any formal document.
          
          This document will expire before 1 Feb. 1993.
          
          Distribution of this document is unlimited.
          
          Please send comments to the author.
          
          
          1.  Abstract
          
          This memo defines an experimental portion of the Management
          Information Base (MIB) for use with network management
          protocols in TCP/IP-based internets.  In particular, it
          describes managed objects used for managing the Security
          Protocols on subnetwork interfaces using the family of
          Point-to-Point Protocols[8, 9, 10, 11, & 12].
          
          This memo does not specify a standard for the Internet
          community.
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993               [Page 2]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          2.  The Network Management Framework
          
          The Internet-standard Network Management Framework consists of
          three components.  They are:
          
               RFC 1155 which defines the SMI, the mechanisms used for
               describing and naming objects for the purpose of
               management.  RFC 1212 defines a more concise description
               mechanism, which is wholly consistent with the SMI.
          
               RFC 1156 which defines MIB-I, the core set of managed
               objects for the Internet suite of protocols.  RFC 1213,
               defines MIB-II, an evolution of MIB-I based on
               implementation experience and new operational
               requirements.
          
               RFC 1157 which defines the SNMP, the protocol used for
               network access to managed objects.
          
          The Framework permits new objects to be defined for the
          purpose of experimentation and evaluation.
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993               [Page 3]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          3.  Objects
          
          Managed objects are accessed via a virtual information store,
          termed the Management Information Base or MIB.  Objects in the
          MIB are defined using the subset of Abstract Syntax Notation
          One (ASN.1) [3] defined in the SMI.  In particular, each
          object has a name, a syntax, and an encoding.  The name is an
          object identifier, an administratively assigned name, which
          specifies an object type.  The object type together with an
          object instance serves to uniquely identify a specific
          instantiation of the object.  For human convenience, we often
          use a textual string, termed the OBJECT DESCRIPTOR, to also
          refer to the object type.
          
          The syntax of an object type defines the abstract data
          structure corresponding to that object type.  The ASN.1
          language is used for this purpose.  However, the SMI [1]
          purposely restricts the ASN.1 constructs which may be used.
          These restrictions are explicitly made for simplicity.
          
          The encoding of an object type is simply how that object type
          is represented using the object type's syntax.  Implicitly
          tied to the notion of an object type's syntax and encoding is
          how the object type is represented when being transmitted on
          the network.
          
          The SMI specifies the use of the basic encoding rules of ASN.1
          [4], subject to the additional requirements imposed by the
          SNMP.
          
          
          3.1.  Format of Definitions
          
          Section 5 contains the specification of all object types
          contained in this MIB module.  The object types are defined
          using the conventions defined in the SMI, as amended by the
          extensions specified in [5,6].
          
          
          
          
          
          
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993               [Page 4]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          4.  Overview
          
          4.1.  Object Selection Criteria
          
          To be consistent with IAB directives and good engineering
          practice, an explicit attempt was made to keep this MIB as
          simple as possible.  This was accomplished by applying the
          following criteria to objects proposed for inclusion:
          
          (1)  Require objects be essential for either fault or
               configuration management.  In particular, objects for
               which the sole purpose was to debug implementations were
               explicitly excluded from the MIB.
          
          (2)  Consider evidence of current use and/or utility.
          
          (3)  Limit the total number of objects.
          
          (4)  Exclude objects which are simply derivable from others in
               this or other MIBs.
          
          
          4.2.  Structure of the PPP
          
          This section describes the basic model of PPP used in
          developing the PPP MIB. This information should be useful to
          the implementor in understanding some of the basic design
          decisions of the MIB.
          
          The PPP is not one single protocol but a large family of
          protocols.  Each of these is, in itself, a fairly complex
          protocol.  The PPP protocols may be divided into three rough
          categories:
          
          Control Protocols
               The Control Protocols are used to control the operation
               of the PPP. The Control Protocols include the Link
               Control Protocol (LCP), the Password Authentication
               Protocol (PAP), the Link Quality Report (LQR), and the
               Challenge Handshake Authentication Protocol (CHAP).
          
          Network Protocols
               The Network Protocols are used to move the network
               traffic over the PPP interface.  A Network Protocol
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993               [Page 5]


          Internet Draft         PPP/Security MIB              July 1992
          
          
               encapsulates the datagrams of a specific higher-layer
               protocol that is using the PPP as a data link.  Note that
               within the context of PPP, the term "Network Protocol"
               does not imply an OSI Layer-3 protocol; for instance,
               there is a Bridging network protocol.
          
          Network Control Protocols (NCPs)
               The NCPs are used to control the operation of the Network
               Protocols. Generally, each Network Protocol has its own
               Network Control Protocol; thus, the IP Network Protocol
               has its IP Control Protocol, the Bridging Network
               Protocol has its Bridging Network Control Protocol and so
               on.
          
          This document specifies the objects used in managing one of
          these protocols, namely the Link Control Protocol.
          
          
          4.3.  MIB Groups
          
          Objects in this MIB are arranged into several MIB groups.
          Each group is organized as a set of related objects.
          
          These groups are the basic unit of conformance: if the
          semantics of a group is applicable to an implementation then
          all objects in the group must be implemented.
          
          The PPP MIB is organized into several MIB Groups, including,
          but not limited to, the following groups:
          o The PPP Link Group
          o The PPP LQR Group
          o The PPP LQR Extensions Group
          o The PPP IP Group
          o The PPP Bridge Group
          o The PPP Security Configuration Group
          o The PPP CHAP Group
          o The PPP PAP Group
          
          This document specifies the following group:
          
          PPP Security Configuration Group
               The PPP Security Configuration Group contains overall
               configuration and control variables that apply to PPP
               security.
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993               [Page 6]


          Internet Draft         PPP/Security MIB              July 1992
          
          
               Implementation of this group is optional for all
               implementations of PPP that support any of the PPP
               security protocols (currently only PAP and CHAP).
          
          The PPP CHAP Group
               The PPP CHAP Group contains configuration, status, and
               control variables that apply to the PPP Challange
               Handshake Authentication Protocol.
          
               Implementation of this group is optional for all
               implementations of PPP that support the PPP CHAP.
          
          The PPP PAP Group
               The PPP PAP Group contains configuration, status, and
               control variables that apply to the PPP Password
               Authentication Protocol.
          
               Implementation of this group is optional for all
               implementations of PPP that support the PPP PAP.
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993               [Page 7]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          5.  Definitions
          
          
          
          RFCpppsec-MIB DEFINITIONS ::= BEGIN
          
          IMPORTS
               experimental, Counter
                    FROM RFC1155-SMI
               OBJECT-TYPE
                    FROM RFC-1212
               pppSecurity
                    FROM RFC-ppp
               TRAP-TYPE
                    FROM RFC-1215;
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993               [Page 8]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          5.1.
          PPP Security Configuration Group
          
          
          --
          -- The PPP Security Configuration Group
          -- Implementation of this group is optional for all
          -- PPP implementations that support a PPP security
          -- protocol.
          --
          -- The table in this group allows the network manager
          -- to configure which security protocols are to be
          -- used on which link and in what order of preference
          -- each protocol is to be tried.
          --
          
          pppSecurityConfigTable   OBJECT-TYPE
               SYNTAX    SEQUENCE OF PppSecurityConfigEntry
               ACCESS    not-accessible
               STATUS    mandatory
               DESCRIPTION
                         "Table containing the configuration and
                         preference parameters for PPP Security."
               ::= { pppSecurity 1 }
          
          
          pppSecurityConfigEntry   OBJECT-TYPE
               SYNTAX    PppSecurityConfigEntry
               ACCESS    not-accessible
               STATUS    mandatory
               DESCRIPTION
                         "Security configuration information for a
                         particular PPP link."
               INDEX     { pppSecurityConfigLink,
                         pppSecurityConfigPreference }
               ::= { pppSecurityConfigTable 1 }
          
          
          
          PppSecurityConfigEntry ::= SEQUENCE {
               pppSecurityConfigLink
                    INTEGER,
               pppSecurityConfigPreference
                    INTEGER,
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993               [Page 9]


          Internet Draft         PPP/Security MIB              July 1992
          
          
               pppSecurityConfigProtocol
                    INTEGER
               }
          
          pppSecurityConfigLink   OBJECT-TYPE
               SYNTAX    INTEGER(0..2147483648)
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "The value of ifIndex that identifies the entry
                         in the interface table that is associated with
                         the local PPP entity's link for which this
                         particular security algorithm shall be
                         attempted. A value of 0 indicates the default
                         algorithm - i.e., this entry applies to all
                         links for which explicit entries in the table
                         do not exist."
               ::= { pppSecurityConfigEntry 1 }
          
          
          pppSecurityConfigPreference   OBJECT-TYPE
               SYNTAX    INTEGER(0..2147483648)
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "The relative preference of the security
                         protocol identified by
                         pppSecurityConfigProtocol. Security protocols
                         with lower values of
                         pppSecurityConfigPreference are tried before
                         protocols with higher values of
                         pppSecurityConfigPreference."
               ::= { pppSecurityConfigEntry 2 }
          
          
          pppSecurityConfigProtocol   OBJECT-TYPE
               SYNTAX    OBJECT IDENTIFIER
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "Identifies the security protocol to be
                         attempted on the link identified by
                         pppSecurityConfigLink at the preference level
                         identified by pppSecurityConfigPreference.
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 10]


          Internet Draft         PPP/Security MIB              July 1992
          
          
                         Setting this object to the OBJECT IDENTIFIER {
                         0 0 }, which is a syntatically valid object
                         identifier, has the effect of invalidating the
                         corresponding  entry in this table.  It is an
                         implementation-specific matter as to whether
                         the agent removes an invalidated entry from the
                         table. Accordingly, management stations must be
                         prepared to receive tabular information from
                         agents that corresponds to entries not
                         currently in use."
               ::= { pppSecurityConfigEntry 3 }
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 11]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          5.2.  PPP CHAP Group
          
          
          --
          -- The PPP CHAP Group.
          -- Implementation of this group is optional for all
          -- PPP implementations that support the CHAP protocol.
          --
          -- pppSecurityConfigProtocol takes the OBJECT IDENTIFIER
          -- pppChap to indicate that the Challenge Handshake
          -- Authentication Protocol is to be used.
          --
               pppChap        OBJECT IDENTIFIER ::= { pppSecurity 2 }
          
          pppChapTable   OBJECT-TYPE
               SYNTAX    SEQUENCE OF PppChapEntry
               ACCESS    not-accessible
               STATUS    mandatory
               DESCRIPTION
                         "Table containing the Chap parameters local PPP
                         entity's links."
               ::= { pppChap 1 }
          
          
          pppChapEntry   OBJECT-TYPE
               SYNTAX    PppChapEntry
               ACCESS    not-accessible
               STATUS    mandatory
               DESCRIPTION
                         "CHAP information for a particular PPP link and
                         preference level."
               INDEX     { pppChapLink, pppChapPreference }
               ::= { pppChapTable 1 }
          
          
          PppChapEntry ::= SEQUENCE {
               pppChapLink
                    INTEGER,
               pppChapPreference
                    INTEGER,
               pppChapDigestType
                    INTEGER
               }
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 12]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          pppChapLink   OBJECT-TYPE
               SYNTAX    INTEGER(0..2147483648)
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "The value of pppSecurityConfigLink that
                         identifies the entry in the pppSecurityConfig
                         table to which this entry in the pppChapTable
                         applies."
               ::= { pppChapEntry 1 }
          
          
          pppChapPreference   OBJECT-TYPE
               SYNTAX    INTEGER(0..2147483648)
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "The value of pppSecurityConfigPreference that
                         identifies the entry in the pppSecurityConfig
                         table to which this entry in the pppChapTable
                         applies."
               ::= { pppChapEntry 2 }
          
          
          pppChapDigestType   OBJECT-TYPE
               SYNTAX    INTEGER  {
                         invalid(1),
                         md5-chap-digest(2)
                    }
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "The CHAP Digest format  to use in attempting
                         the CHAP authentication as defined by the
                         corresponding entry in the pppSecurityConfig
                         table. Setting this object to the value
                         invalid(1) has the effect of invalidating the
                         corresponding entry in the pppChapTable. It is
                         an implementation-specific matter as to whether
                         the agent removes an invalidated entry from the
                         table.  Accordingly, management stations must
                         be prepared to receive tabular information from
                         agents that corresponds to entries not
                         currently in use.  Proper interpretation of
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 13]


          Internet Draft         PPP/Security MIB              July 1992
          
          
                         such entries requires examination of the
                         relevant pppChapDigestType object."
               REFERENCE
                         "Section 4.1, Configuration Option Format, of
                         RFC-PPPSEC"
               DEFVAL    { md5-chap-digest }
               ::= { pppChapEntry 3 }
          
          
          
          pppChapSecretsTable   OBJECT-TYPE
               SYNTAX    SEQUENCE OF PppChapSecretsEntry
               ACCESS    not-accessible
               STATUS    mandatory
               DESCRIPTION
                         "Table containing the secret CHAP parameters
                         for the local PPP entity. As this table
                         contains secret information, it is expected
                         that access to this table be limited to those
                         SNMP Party-Pairs for which a privacy protocol
                         is in use for all SNMP messages that the
                         parties exchange. This table contains a Name
                         and its associated Digest secret. The
                         parameters in this table are used by the local
                         entity when generating CHAP Response packets.
                         The table allows for multiple name/secret pairs
                         to be specified for a particular link by using
                         the pppChapSecretIdIndex object. These
                         parameters are used by a node when it attempts
                         to authenticate itself."
               ::= { pppChap 2 }
          
          
          pppChapSecretsEntry   OBJECT-TYPE
               SYNTAX    PppChapSecretsEntry
               ACCESS    not-accessible
               STATUS    mandatory
               DESCRIPTION
                         "Secret CHAP information to generate a single
                         response."
               INDEX     { pppChapSecretsLinkIndex,
                         pppChapSecretsIdIndex }
               ::= { pppChapSecretsTable 1 }
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 14]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          
          PppChapSecretsEntry ::= SEQUENCE {
               pppChapSecretsLinkIndex
                    INTEGER,
               pppChapSecretsIdIndex
                    INTEGER,
               pppChapSecretsName
                    OCTET STRING,
               pppChapSecretsSecret
                    OCTET STRING,
               pppChapSecretsStatus
                    INTEGER
          }
          
          pppChapSecretsLinkIndex   OBJECT-TYPE
               SYNTAX    INTEGER(0..2147483648)
               ACCESS    read-only
               STATUS    mandatory
               DESCRIPTION
                         "The value of ifIndex that identifies the entry
                         in the interface table that is associated with
                         the local PPP CHAP Entity. If the value of this
                         object is 0 then the name/secret pair applies
                         to all links."
               ::= { pppChapSecretsEntry 1 }
          
          
          pppChapSecretsIdIndex   OBJECT-TYPE
               SYNTAX    INTEGER(0..2147483648)
               ACCESS    read-only
               STATUS    mandatory
               DESCRIPTION
                         "A unique value for each Name/Secret pair that
                         has been defined for use on this link. This
                         allows multiple Name/Secret pairs to be defined
                         for each link. How the local entity selects
                         which pair to use is a local implementation
                         decision."
               ::= { pppChapSecretsEntry 2 }
          
          
          pppChapSecretsName   OBJECT-TYPE
               SYNTAX    OCTET STRING (SIZE(0..255))
               ACCESS    read-write
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 15]


          Internet Draft         PPP/Security MIB              July 1992
          
          
               STATUS    mandatory
               DESCRIPTION
                         "A name."
               ::= { pppChapSecretsEntry 3 }
          
          
          pppChapSecretsSecret   OBJECT-TYPE
               SYNTAX    OCTET STRING -- (SIZE(16)) when MD5
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "The digest secret to be associated with the
                         name."
               ::= { pppChapSecretsEntry 4 }
          
          
          pppChapSecretsStatus   OBJECT-TYPE
               SYNTAX    INTEGER  {
                         invalid(1),
                         valid(2)
                    }
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "Setting this object to the value invalid(1)
                         has the effect of invalidating the
                         corresponding entry in the pppChapSecretsTable.
                         It is an implementation-specific matter as to
                         whether the agent removes an invalidated entry
                         from the table.  Accordingly, management
                         stations must be prepared to receive tabular
                         information from agents that corresponds to
                         entries not currently in use.  Proper
                         interpretation of such entries requires
                         examination of the relevant
                         pppChapSecretsStatus object."
               DEFVAL    { valid }
               ::= { pppChapSecretsEntry 5 }
          
          
          
          pppChapPeerSecretsTable   OBJECT-TYPE
               SYNTAX    SEQUENCE OF PppChapPeerSecretsEntry
               ACCESS    not-accessible
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 16]


          Internet Draft         PPP/Security MIB              July 1992
          
          
               STATUS    mandatory
               DESCRIPTION
                         "Table containing the secret PAP parameters
                         that are expected of remotes that may attempt
                         to authenticate themselves to the local PPP
                         entity. Received CHAP Responses are expected to
                         match one of the entries in this table. As this
                         table contains secret information, it is
                         expected that access to this table be limited
                         to those SNMP Party-Pairs for which a privacy
                         protocol is in use for all SNMP messages that
                         the parties exchange."
               ::= { pppChap 3 }
          
          
          pppChapPeerSecretsEntry   OBJECT-TYPE
               SYNTAX    PppChapPeerSecretsEntry
               ACCESS    not-accessible
               STATUS    mandatory
               DESCRIPTION
                         "Secret remote CHAP information for a
                         particular Peer Name/Secret and link."
               INDEX     { pppChapPeerSecretsLink,
                         pppChapPeerSecretsIndex }
               ::= { pppChapPeerSecretsTable 1 }
          
          
          PppChapPeerSecretsEntry ::= SEQUENCE {
               pppChapPeerSecretsLink
                    INTEGER,
               pppChapPeerSecretsIndex
                    INTEGER,
               pppChapPeerSecretsName
                    OCTET STRING,
               pppChapPeerSecretsSecret
                    OCTET STRING,
               pppChapPeerSecretsStatus
                    INTEGER
          }
          
          pppChapPeerSecretsLink   OBJECT-TYPE
               SYNTAX    INTEGER(0..2147483648)
               ACCESS    read-write
               STATUS    mandatory
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 17]


          Internet Draft         PPP/Security MIB              July 1992
          
          
               DESCRIPTION
                         "The value of ifIndex that identifies the entry
                         in the interface table that is associated with
                         the local PPP Link for which this Name/Secret
                         pair will be evaluated as valid. A particular
                         Name/Secret pair is valid only for the link(s)
                         for which there is a pppChapPeerSecretsTable
                         entry containing said Name/Secret pair. By
                         convention, a value of 0 for this object
                         indicates all links on the local PPP entity."
               ::= { pppChapPeerSecretsEntry 1 }
          
          
          pppChapPeerSecretsIndex   OBJECT-TYPE
               SYNTAX    INTEGER(0..2147483648)
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "A unique value for each Name/Secret pair that
                         has been defined for use on this link. This
                         allows multiple Name/Secret pairs to be defined
                         for each link."
               ::= { pppChapPeerSecretsEntry 2 }
          
          
          pppChapPeerSecretsName   OBJECT-TYPE
               SYNTAX    OCTET STRING (SIZE(0..255))
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "A Peer-Name which may attempt to connect over
                         the link identified by pppChapPeerSecretsLink."
               ::= { pppChapPeerSecretsEntry 3 }
          
          
          pppChapPeerSecretsSecret   OBJECT-TYPE
               SYNTAX    OCTET STRING -- (SIZE(16)) when using MD5
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "The Secret associated with the Peer-Name
                         identified in pppChapPeerSecretsName."
               ::= { pppChapPeerSecretsEntry 4 }
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 18]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          
          pppChapPeerSecretsStatus   OBJECT-TYPE
               SYNTAX    INTEGER  {
                         invalid(1),
                         valid(2)
                    }
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "Setting this object to the value invalid(1)
                         has the effect of invalidating the
                         corresponding entry in the
                         pppChapPeerSecretsTable. It is an
                         implementation-specific matter as to whether
                         the agent removes an invalidated entry from the
                         table.  Accordingly, management stations must
                         be prepared to receive tabular information from
                         agents that corresponds to entries not
                         currently in use.  Proper interpretation of
                         such entries requires examination of the
                         relevant pppChapPeerSecretsStatus object."
               DEFVAL    { valid }
               ::= { pppChapPeerSecretsEntry 5 }
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 19]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          5.3.  PPP PAP Group
          
          
          --
          -- The PPP PAP Group.
          -- Implementation of this group is optional for all
          -- PPP implementations that support the PAP protocol.
          --
          -- pppSecurityConfigProtocol takes the OBJECT IDENTIFIER
          -- pppPap to indicate that the Password
          -- Authentication Protocol is to be used.
          --
          --
               pppPap              OBJECT IDENTIFIER ::= { pppSecurity 3 }
          
          
          pppPapSecretsTable   OBJECT-TYPE
               SYNTAX    SEQUENCE OF PppPapSecretsEntry
               ACCESS    not-accessible
               STATUS    mandatory
               DESCRIPTION
                         "Table containing the secret PAP parameters for
                         the local PPP entity. As this table contains
                         secret information, it is expected that access
                         to this table be limited to those SNMP Party-
                         Pairs for which a privacy protocol is in use
                         for all SNMP messages that the parties
                         exchange. This table contains the Peer-ID and
                         Password that this PPP entity will advertise to
                         the remote entity when sending PAP Authenticate
                         Request packets. The table allows for multiple
                         id/password pairs to be specified for a
                         particular link by using the
                         pppPapSecretIdIndex object."
               ::= { pppPap 1 }
          
          
          pppPapSecretsEntry   OBJECT-TYPE
               SYNTAX    PppPapSecretsEntry
               ACCESS    not-accessible
               STATUS    mandatory
               DESCRIPTION
                         "Secret PAP information."
               INDEX     { pppPapSecretsIndex, pppPapSecretsIdIndex }
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 20]


          Internet Draft         PPP/Security MIB              July 1992
          
          
               ::= { pppPapSecretsTable 1 }
          
          
          PppPapSecretsEntry ::= SEQUENCE {
               pppPapSecretsIndex
                    INTEGER,
               pppPapSecretsIdIndex
                    INTEGER,
               pppPapSecretsId
                    OCTET STRING,
               pppPapSecretsPassword
                    OCTET STRING,
               pppPapSecretsStatus
                    INTEGER
          }
          
          pppPapSecretsIndex   OBJECT-TYPE
               SYNTAX    INTEGER(0..2147483648)
               ACCESS    read-only
               STATUS    mandatory
               DESCRIPTION
                         "The value of ifIndex that identifies the entry
                         in the interface table that is associated with
                         the local PPP Password Authentication Protocol
                         Entity. If the value of this object is 0 then
                         the ID/Password pair applies to all links."
               ::= { pppPapSecretsEntry 1 }
          
          
          pppPapSecretsIdIndex   OBJECT-TYPE
               SYNTAX    INTEGER(0..2147483648)
               ACCESS    read-only
               STATUS    mandatory
               DESCRIPTION
                         "A unique value for each ID/Password pair that
                         has been defined for use on this link. This
                         allows multiple ID/Password pairs to be defined
                         for each link. How the local entity selects
                         which pair to use is a local implementation
                         decision."
               ::= { pppPapSecretsEntry 2 }
          
          
          pppPapSecretsId   OBJECT-TYPE
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 21]


          Internet Draft         PPP/Security MIB              July 1992
          
          
               SYNTAX    OCTET STRING (SIZE(0..255))
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "A Peer ID."
               ::= { pppPapSecretsEntry 3 }
          
          
          pppPapSecretsPassword   OBJECT-TYPE
               SYNTAX    OCTET STRING (SIZE(0..255))
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "The password to be associated with the Peer
                         ID."
               ::= { pppPapSecretsEntry 4 }
          
          
          pppPapSecretsStatus   OBJECT-TYPE
               SYNTAX    INTEGER  {
                         invalid(1),
                         valid(2)
                    }
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "Setting this object to the value invalid(1)
                         has the effect of invalidating the
                         corresponding entry in the pppPapSecretsTable.
                         It is an implementation-specific matter as to
                         whether the agent removes an invalidated entry
                         from the table.  Accordingly, management
                         stations must be prepared to receive tabular
                         information from agents that corresponds to
                         entries not currently in use.  Proper
                         interpretation of such entries requires
                         examination of the relevant pppPapSecretsStatus
                         object."
               DEFVAL    { valid }
               ::= { pppPapSecretsEntry 5 }
          
          
          
          pppPapPeerSecretsTable   OBJECT-TYPE
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 22]


          Internet Draft         PPP/Security MIB              July 1992
          
          
               SYNTAX    SEQUENCE OF PppPapPeerSecretsEntry
               ACCESS    not-accessible
               STATUS    mandatory
               DESCRIPTION
                         "Table containing the secret PAP parameters
                         that are expected of remotes that may attempt
                         to authenticate themselves to the local PPP
                         entity. As this table contains secret
                         information, it is expected that access to this
                         table be limited to those SNMP Party-Pairs for
                         which a privacy protocol is in use for all SNMP
                         messages that the parties exchange."
               ::= { pppPap 3 }
          
          
          pppPapPeerSecretsEntry   OBJECT-TYPE
               SYNTAX    PppPapPeerSecretsEntry
               ACCESS    not-accessible
               STATUS    mandatory
               DESCRIPTION
                         "Secret remote PAP information for a particular
                         remote ID/password and link."
               INDEX     { pppPapPeerSecretsLink, pppPapPeerSecretsIndex
                         }
               ::= { pppPapPeerSecretsTable 1 }
          
          
          PppPapPeerSecretsEntry ::= SEQUENCE {
               pppPapPeerSecretsLink
                    INTEGER,
               pppPapPeerSecretsIndex
                    INTEGER,
               pppPapPeerSecretsId
                    OCTET STRING,
               pppPapPeerSecretsPassword
                    OCTET STRING,
               pppPapPeerSecretsStatus
                    INTEGER
          }
          
          pppPapPeerSecretsLink   OBJECT-TYPE
               SYNTAX    INTEGER(0..2147483648)
               ACCESS    read-write
               STATUS    mandatory
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 23]


          Internet Draft         PPP/Security MIB              July 1992
          
          
               DESCRIPTION
                         "The value of ifIndex that identifies the entry
                         in the interface table that is associated with
                         the local PPP Link for which this ID/Password
                         pair will be evaluated as valid. A particular
                         ID/Password pair is valid only for the link(s)
                         for which there is a pppPapPeerSecretsTable
                         entry containing said ID/Password pair. By
                         convention, a value of 0 for this object
                         indicates all links on the local PPP entity."
               ::= { pppPapPeerSecretsEntry 1 }
          
          
          pppPapPeerSecretsIndex   OBJECT-TYPE
               SYNTAX    INTEGER(0..2147483648)
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "A unique value for each ID/Password pair that
                         has been defined for use on this link. This
                         allows multiple ID/Password pairs to be defined
                         for each link."
               ::= { pppPapPeerSecretsEntry 2 }
          
          
          pppPapPeerSecretsId   OBJECT-TYPE
               SYNTAX    OCTET STRING (SIZE(0..255))
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "A Peer-ID which may attempt to connect over
                         the link identified by pppPapPeerSecretsLink."
               ::= { pppPapPeerSecretsEntry 3 }
          
          
          pppPapPeerSecretsPassword   OBJECT-TYPE
               SYNTAX    OCTET STRING (SIZE(0..255))
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "The Password associated with the Peer-ID
                         identified in pppPapPeerSecretsId."
               ::= { pppPapPeerSecretsEntry 4 }
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 24]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          
          pppPapPeerSecretsStatus   OBJECT-TYPE
               SYNTAX    INTEGER  {
                         invalid(1),
                         valid(2)
                    }
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "Setting this object to the value invalid(1)
                         has the effect of invalidating the
                         corresponding entry in the
                         pppPapPeerSecretsTable. It is an
                         implementation-specific matter as to whether
                         the agent removes an invalidated entry from the
                         table.  Accordingly, management stations must
                         be prepared to receive tabular information from
                         agents that corresponds to entries not
                         currently in use.  Proper interpretation of
                         such entries requires examination of the
                         relevant pppPapPeerSecretsStatus object."
               DEFVAL    { valid }
               ::= { pppPapPeerSecretsEntry 5 }
          
          
          END
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 25]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          6.  Acknowledgements
          
          This document was produced by the PPP working group.  In
          addition to the working group, the author wishes to thank the
          following individuals for their comments and contributions:
          
          Bill Simpson -- Daydreamer
          Glenn McGregor -- Merit
          Jesse Walker -- DEC
          Chris Gunner -- DEC
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 26]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          7.  Security Considerations
          
          The PPP MIB affords the network operator the ability to
          configure and control the PPP links of a particular system,
          including the PPP authentication protocols. This represents a
          security risk.
          
          These risks are addressed in the following manners:
          
          (1)  All variables which represent a significant security risk
               are placed in separate, optional, MIB Groups. As the MIB
               Group is the quantum of implementation within a MIB, the
               implementor of the MIB may elect not to implement these
               groups.
          
          (2)  The implementor may choose to implement the variables
               which present a security risk so that they may not be
               written, i.e., the variables are READ-ONLY. This method
               still presents a security risk, and is not recommended,
               in that the variables, specifically the PPP
               Authentication Protocols' variables, may be easily read.
          
          (3)  Using the new SNMP administrative framework[13,14], the
               operator can place the variables into MIB views which are
               protected in that the parties which have access to those
               MIB views use authentication and privacy protocols, or
               the operator may elect to make these views not accessible
               to any party.  In order to facilitate this placement, all
               security-related variables are placed in separate MIB
               Tables. This eases the identification of the necessary
               MIB View Subtree.
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 27]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          8.  References
          
          [1]  M.T. Rose and K. McCloghrie, Structure and Identification
               of Management Information for TCP/IP-based internets,
               Internet Working Group Request for Comments 1155.
               Network Information Center, SRI International, Menlo
               Park, California, (May, 1990).
          
          [2]  K. McCloghrie and M.T. Rose, Management Information Base
               for Network Management of TCP/IP-based internets - MIB-2,
               Internet Working Group Request for Comments 1213.
               Network Information Center, SRI International, Menlo
               Park, California, (March, 1991).
          
          [3]  Information processing systems - Open Systems
               Interconnection - Specification of Abstract Syntax
               Notation One (ASN.1), International Organization for
               Standardization.  International Standard 8824, (December,
               1987).
          
          [4]  Information processing systems - Open Systems
               Interconnection - Specification of Basic Encoding Rules
               for Abstract Notation One (ASN.1), International
               Organization for Standardization.  International Standard
               8825, (December, 1987).
          
          [5]  Rose, M., and K. McCloghrie, Editors, Concise MIB
               Definitions, RFC 1212, Performance Systems International,
               Hughes LAN Systems, March 1991.
          
          [6]  Rose, M., Editor, A Convention for Defining Traps for use
               with the SNMP, RFC 1215, Performance Systems
               International, March 1991.
          
          [7]  K. McCloghrie, Extensions to the Generic-Interface MIB,
               RFC1229, Hughes LAN Systems, May 1991.
          
          [8]  W. Simpson, The Point-to-Point Protocol for the
               Transmission of Multi-protocol Datagrams over Point-to-
               Point Links, RFC 1331, May 1992.
          
          [9]  G. McGregor, The PPP Internet Protocol Control Protocol,
               RFC 1332, Merit, May 1992.
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 28]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          [10] F. Baker, Point-to-Point Protocol Extensions for
               Bridging, RFC1220, ACC, April 1991.
          
          [11] PPP Authentication Protocols, Work In Progress
          
          [12] W. Simpson, PPP Link Quality Monitoring, RFC 1333, May
               1992.
          
          [13] New SNMP Administrative Model, Work In Progress.
          
          [14] SNMP Security Protocols, Work In Progress.
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 29]


          Internet Draft         PPP/Security MIB              July 1992
          
          
          Table of Contents
          
          
           Status of this Memo ....................................    1
          1 Abstract ..............................................    2
          2 The Network Management Framework ......................    3
          3 Objects ...............................................    4
          3.1 Format of Definitions ...............................    4
          4 Overview ..............................................    5
          4.1 Object Selection Criteria ...........................    5
          4.2 Structure of the PPP ................................    5
          4.3 MIB Groups ..........................................    6
          5 Definitions ...........................................    8
          5.1 PPP Security Configuration Group ....................    9
          5.2 PPP CHAP Group ......................................   12
          5.3 PPP PAP Group .......................................   20
          6 Acknowledgements ......................................   26
          7 Security Considerations ...............................   27
          8 References ............................................   28
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          Frank J. Kastenholz    Exp. 1 Feb. 1993              [Page 30]
          

Html markup produced by rfcmarkup 1.129b, available from https://tools.ietf.org/tools/rfcmarkup/