Side-by-side diff of draft-ietf-bridge-8021x-00.txt (-00) and draft-ietf-bridge-8021x-01.txt (-01). Text that is identical in both drafts appears once; where the drafts differ, the two versions are marked "-00:" and "-01:".

Bridge Working Group                                        K.C. Norseth
INTERNET-DRAFT                 -00: Consultant  /  -01: L-3 Communications
Expires:                       -00: November 2002  /  -01: August 2003

          Definitions for Port Access Control (IEEE 802.1X) MIB
     -00: draft-ietf-bridge-8021x-00.txt  /  -01: draft-ietf-bridge-8021x-01.txt
Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
skipping to change at page 1, line 32

material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Copyright Notice

Copyright (C) The Internet Society (-00: 2001 / -01: 2003). All Rights Reserved.

IESG Note

This document is not the product of an IETF Working Group. The IETF
currently has no effort underway to standardize the Port Access
Control (IEEE 802.1X) MIB.

Abstract

This document defines a portion of the Management Information Base
skipping to change at page 2, line 15 (-00) / page 2, line 14 (-01)

authorization process fails.

This standard is part of a family of standards for local and
metropolitan area networks.

This draft is written within the IEEE 802.1X working group and is
being presented to the IETF for informational purposes.
Table of Contents                                            -00   -01

1.  Introduction ............................................  2     2
2.  Overview ................................................  3     3
2.1 Scope ...................................................  3     4
3.  Structure of MIB ........................................  3     4
3.1 Relationship to the managed objects defined in Clause 9
    (-01 heading: "... defined in IEEE 802.1X") .............  4     4
3.2 The PAE System Group ....................................  5     6
3.3 The PAE Authenticator Group .............................  5     6
3.4 The PAE Supplicant Group ................................  5     6
3.5 Relationship to other MIBs ..............................  5     6
3.5.11 (-01: 3.6) Relationship to the Interfaces MIB ........  6     6
4.  Definitions for the 802.1X-MIB ..........................  6     7
5.  Intellectual Property ................................... 37    37
6.  Acknowledgements ........................................ 38    38
7.  References .............................................. 38    38
7.1 Normative References (-01 only) .........................  -    38
7.2 Informative References (-01 only) .......................  -    39
8.  Security Considerations ................................. 40    40
9.  Author's Address ........................................ 40    40
A.  Change Log .............................................. 40    40
B.  Full Copyright Statement ................................ 40    41
1. Introduction

The SNMP Management Framework

The SNMP Management Framework presently consists of five major
components:

o An overall architecture, described in RFC 2571 [RFC2571].

skipping to change at page 3, line 39

translations. The resulting translated MIB must be semantically
equivalent, except where objects or events are omitted because no
translation is possible (use of Counter64). Some machine readable
information in SMIv2 will be converted into textual descriptions in
SMIv1 during the translation process. However, this loss of machine
readable information is not considered to change the semantics of the
MIB.

2. Overview
-00:

A common device present in many networks is the Bridge. This device
is used to connect Local Area Network segments below the network
layer. These devices are often known as 'layer 2 switches'.

There are two major modes defined for this bridging: Source-Route and
transparent. Source-Route bridging is described by IEEE 802.5
[802.5] and is not discussed further in this document.

The transparent method of bridging is defined by IEEE 802.1D-1998
[802.1D]. Managed objects for that original specification of
transparent bridging were defined in RFC 1493 [BRIDGEMIB].

-01:

Local Area Networks (or LANs; see 3.4 in IEEE Std 802.1D, 1998
Edition) are often deployed in environments that permit unauthorized
devices to be physically attached to the LAN infrastructure, or
permit unauthorized users to attempt to access the LAN through
equipment already attached. Examples of such environments include
corporate LANs that provide LAN connectivity in areas of a building
that are accessible to the general public, and LANs that are deployed
by one organization in order to offer connectivity services to other
organizations (for example, as may occur in a business park or a
serviced office building). In such environments, it is desirable to
restrict access to the services offered by the LAN to those users and
devices that are permitted to make use of those services.

Port-based network access control makes use of the physical access
characteristics of IEEE 802 LAN infrastructures in order to provide a
means of authenticating and authorizing devices attached to a LAN
port that has point-to-point connection characteristics, and of
preventing access to that port in cases in which the authentication
and authorization process fails. A port in this context is a single
point of attachment to the LAN infrastructure. Examples of ports in
which the use of authentication can be desirable include the Ports of
MAC Bridges (as specified in IEEE 802.1D), the ports used to attach
servers or routers to the LAN infrastructure, and associations
between stations and access points in IEEE 802.11 Wireless LANs.
2.1. Scope

[paragraph present in one draft only]
The purpose of this document is to specify how the management
operations are made available to a remote manager using the protocol
and architectural description provided by the Simple Network
Management Protocol (SNMP).

This MIB is the republishing of the IEEE Definitions for Port
Access Control MIB (802.1X) defined in the 802.1X specification
document.
3. Structure of MIB

A single MIB module is defined in this clause. Objects in the MIB
are arranged into groups. Each group is organized as a set of related
objects. The overall structure and assignment of objects to their
groups is shown in the following subclauses. The following table
(corresponding to 10.4.1 of IEEE Std 802.1X-2001) contains
cross-references between the objects defined in IEEE 802.1X Clause 9
and the MIB objects defined in this clause.

3.1 Relationship to the managed objects defined in IEEE 802.1X
    (-00 heading: "... defined in IEEE 802.1X Clause 9")

[note present in one draft only]
Note: the relationship subsections (9.4.3 Authenticator Diagnostics,
9.4.4 Authenticator Session Statistics, etc.) refer to subclauses of
the IEEE 802.1X specification, not of this document.
Definition in IEEE 802.1X Clause 9           MIB object(s)
---------------------------------            -------------------------------
EAPOL Logoff frames received                 dot1xAuthEapolLogoffFramesRx
EAP Resp/Id frames received                  dot1xAuthEapolRespIdFramesRx
EAP Response frames received                 dot1xAuthEapolRespFramesRx
EAP Req/Id frames transmitted                dot1xAuthEapolReqIdFramesTx
EAP Request frames transmitted               dot1xAuthEapolReqFramesTx
Invalid EAPOL frames received                dot1xAuthInvalidEapolFramesRx
EAP length error frames received             dot1xAuthEapLengthErrorFramesRx
Last EAPOL frame version                     dot1xAuthLastEapolFrameVersion
Last EAPOL frame source                      dot1xAuthLastEapolFrameSource
skipping to change at page 5, line 4 (-00) / page 5, line 29 (-01)

backendResponses                             dot1xAuthBackendResponses
backendAccessChallenges                      dot1xAuthBackendAccessChallenges
backendOtherRequestsToSupplicant             dot1xAuthBackendOtherRequestsToSupplicant
backendNonNakResponsesFromSupplicant         dot1xAuthBackendNonNakResponsesFromSupplicant
backendAuthSuccesses                         dot1xAuthBackendAuthSuccesses
backendAuthFails                             dot1xAuthBackendAuthFails

9.4.4 Authenticator Session Statistics       dot1xAuthSessionStatsTable
Port number                                  dot1xPaePortNumber (table index)
Session Octets Received                      dot1xAuthSessionOctetsRx
Session Octets Transmitted                   dot1xAuthSessionOctetsTx
Session Frames Received                      dot1xAuthSessionFramesRx
Session Frames Transmitted                   dot1xAuthSessionFramesTx
Session Identifier                           dot1xAuthSessionId
Session Authentication Method                dot1xAuthSessionAuthenticMethod
Session Time                                 dot1xAuthSessionTime
Session Terminate Cause                      dot1xAuthSessionTerminateCause
Session User Name                            dot1xAuthSessionUserName

9.5.1 Supplicant Configuration               dot1xSuppConfigTable
Port number                                  dot1xPaePortNumber (table index)
Supplicant PAE State                         dot1xSuppPaeState
heldPeriod                                   dot1xSuppHeldPeriod
skipping to change at page 5, line 55 (-00) / page 6, line 24 (-01)

and Authenticator). A means of enabling and disabling the operation
of Port Access Control for the entire system is provided, plus a
per-Port indication of the protocol version supported and the PAE
roles supported by the port. As it is not mandatory for all Ports of
a System to support PAE functionality, there may be Port entries
that indicate Ports that support neither Supplicant nor
Authenticator functionality.
3.3 The PAE Authenticator Group

This group of objects provides, for each Port of a System (-01: for
each Port of an Authenticator [8021XAUTH]), the functionality
necessary to allow configuration of the operation of the
Authenticator PAE, recording and retrieving statistical information
relating to the operation of the Authenticator PAE, and recording and
retrieving information relating to a session (i.e., the period of
time between consecutive authentications on the Port).

3.4 The PAE Supplicant Group

This group of objects provides, for each Port of a System (-01: for
each Port of a Supplicant [8021XSUPP]), the functionality necessary
to allow configuration of the operation of the Supplicant PAE, and
recording and retrieving statistical information relating to the
operation of the Authenticator PAE.
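An added example (not part of the draft or of the IEEE MIB) of how an operator can consume the Authenticator diagnostics and session objects listed in the cross-reference table above: it parses constructed snmpwalk-style output keyed by dot1xPaePortNumber, takes wrap-aware deltas of the error and failure counters between two polls, and flags ports worth a closer look. The object names are the draft's; the sample values, the source-MAC check and the thresholds are assumptions.

```python
"""Poll-to-poll review of IEEE8021-PAE-MIB Authenticator counters.

Added example, not part of the draft. Reads text shaped like snmpwalk
output for the Authenticator objects named in the draft (indexed by
dot1xPaePortNumber) and flags ports whose error or failure counters
grew between two polls. Both polls below are constructed sample data.
"""
import re

# Counter32 objects from the draft's cross-reference table.
COUNTERS = (
    "dot1xAuthInvalidEapolFramesRx",
    "dot1xAuthEapLengthErrorFramesRx",
    "dot1xAuthBackendAuthFails",
)

# snmpwalk-style line:  <object>.<port> = <TYPE>: <value>
LINE_RE = re.compile(
    r"^(?P<obj>dot1x\w+)\.(?P<port>\d+) = (?P<type>[\w-]+): (?P<val>.*)$")


def parse_walk(text):
    """Return {port: {object: value}}; counters become ints, strings stay."""
    ports = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a MIB object line
        val = m.group("val")
        if m.group("type") in ("Counter32", "Counter64", "Unsigned32", "INTEGER"):
            val = int(val)
        else:
            val = val.strip('"')
        ports.setdefault(int(m.group("port")), {})[m.group("obj")] = val
    return ports


def counter_delta(old, new, bits=32):
    """Increase between two polls, tolerating one wrap of a Counter32."""
    if new >= old:
        return new - old
    return (1 << bits) - old + new


def review(prev, cur, fail_threshold=5, malformed_threshold=1):
    """Compare two parsed polls; return [(port, reason), ...]."""
    findings = []
    for port, now in sorted(cur.items()):
        before = prev.get(port, {})
        d = {c: counter_delta(before.get(c, 0), now[c]) for c in COUNTERS if c in now}
        fails = d.get("dot1xAuthBackendAuthFails", 0)
        if fails >= fail_threshold:
            findings.append((port, "backend auth failures: +%d" % fails))
        malformed = (d.get("dot1xAuthInvalidEapolFramesRx", 0)
                     + d.get("dot1xAuthEapLengthErrorFramesRx", 0))
        if malformed >= malformed_threshold:
            findings.append((port, "malformed EAPOL/EAP frames: +%d" % malformed))
        # On a point-to-point port, a new EAPOL source MAC means a different
        # device is now talking to the Authenticator on that port (assumption).
        old_src = before.get("dot1xAuthLastEapolFrameSource")
        new_src = now.get("dot1xAuthLastEapolFrameSource")
        if old_src and new_src and old_src != new_src:
            findings.append((port, "EAPOL source changed %s -> %s" % (old_src, new_src)))
    return findings


# Constructed sample polls; port 7 wraps its Counter32 between the two polls.
POLL_1 = """
dot1xAuthInvalidEapolFramesRx.3 = Counter32: 0
dot1xAuthEapLengthErrorFramesRx.3 = Counter32: 0
dot1xAuthBackendAuthFails.3 = Counter32: 2
dot1xAuthLastEapolFrameSource.3 = STRING: 0:1b:63:aa:bb:01
dot1xAuthInvalidEapolFramesRx.7 = Counter32: 4294967290
dot1xAuthEapLengthErrorFramesRx.7 = Counter32: 0
dot1xAuthBackendAuthFails.7 = Counter32: 0
dot1xAuthLastEapolFrameSource.7 = STRING: 0:1b:63:aa:bb:07
"""
POLL_2 = """
dot1xAuthInvalidEapolFramesRx.3 = Counter32: 0
dot1xAuthEapLengthErrorFramesRx.3 = Counter32: 0
dot1xAuthBackendAuthFails.3 = Counter32: 9
dot1xAuthLastEapolFrameSource.3 = STRING: 0:1b:63:aa:bb:01
dot1xAuthInvalidEapolFramesRx.7 = Counter32: 3
dot1xAuthEapLengthErrorFramesRx.7 = Counter32: 1
dot1xAuthBackendAuthFails.7 = Counter32: 0
dot1xAuthLastEapolFrameSource.7 = STRING: 0:1b:63:cc:dd:07
"""


def demo():
    """Run the review over the two sample polls."""
    return review(parse_walk(POLL_1), parse_walk(POLL_2))


if __name__ == "__main__":
    for port, reason in demo():
        print("port %d: %s" % (port, reason))
```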
3.5 Relationship to other MIBs

It is assumed that a system implementing this MIB will also implement
(at least) the system group of MIB-II, defined in IETF RFC 1213, and
the interfaces group defined in IETF RFC 2863.
3.6 Relationship to the Interfaces MIB

IETF RFC 2863, the Interface MIB Evolution, requires that any MIB
that is an adjunct of the Interface MIB clarify specific areas within
the Interface MIB. These areas were intentionally left vague in IETF
RFC 2863 to avoid overconstraining the MIB, thereby precluding
management of certain media types.

Section 3.3 of IETF RFC 2863 enumerates several areas that a
media-specific MIB must clarify. Each of these areas is addressed in
a following subsection. The implementor is referred to IETF RFC 2863
in order to understand the general intent of these areas.

In IETF RFC 2863, the interfaces group is defined as being
mandatory for all systems and contains information on an entity's
interfaces, where each interface is thought of as being attached to
a subnetwork. (Note that this term is not to be confused with subnet,
which refers to an addressing partitioning scheme used in the
Internet suite of protocols.) The term segment is sometimes used to
refer to such a subnetwork.

Where Port numbers are used in this standard to identify Ports of a
System, these numbers are equal to the ifIndex value for the
skipping to change at page 7, line 13 (-00) / page 7, line 34 (-01)

precedence.

Noted changes between this draft and the IEEE draft are in the
MODULE-IDENTITY section. Also dot1xPaePortReauthenticate and
dot1xAuthSessionUserName were added to conformance groups.
IEEE8021-PAE-MIB DEFINITIONS ::= BEGIN

-- ---------------------------------------------------------- --
-- IEEE 802.1X MIB
-- http://www.ieee802.org/1/files/public/MIBs/802-1x-2001-mib.txt
--    (the URL comment line above is present in one draft only)
-- ---------------------------------------------------------- --

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Counter32, Counter64,
    Unsigned32, TimeTicks
        FROM SNMPv2-SMI
    MacAddress, TEXTUAL-CONVENTION, TruthValue
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
skipping to change at page 38, line 26 (-00) / page 38, line 22 (-01)

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
6. Acknowledgements

This document was reproduced by the IETF Bridge MIB Working Group
from IEEE Std 802.1X-2001, IEEE Standard for Local and metropolitan
area networks: Port-Based Network Access Control.

-01 adds:

A special thanks to Les Bell for his help in getting this document
ready for publication and providing his insight.

7. References

-00 gives the references below as a single numbered list [1]-[24]
under "7. References"; that list additionally contains Rose, M. and
K. McCloghrie, "Structure and Identification of Management
Information for TCP/IP-based Internets", STD 16, RFC 1155, May 1990,
and does not contain [8021XAUTH] or [8021XSUPP]. -01 splits the
references as follows.

7.1 Normative References

[IEEESTD8021] IEEE, IEEE Std 802.1X, 2001 Edition, "IEEE Standard for
              Local and metropolitan area networks: Port-Based Network
              Access Control".

[RFC2571]     Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture
              for Describing SNMP Management Frameworks", RFC 2571,
              May 1999.

[RFC2578]     McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M. and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578,
              April 1999.

[RFC2579]     McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M. and S. Waldbusser, "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

[RFC2580]     McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M. and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

[8021XAUTH]   IEEE, 802.1X - Port Based Network Access Control,
              definition of Authenticator, clause 3.1.1.

[8021XSUPP]   IEEE, 802.1X - Port Based Network Access Control,
              definition of Supplicant, clause 3.1.5.

7.2 Informative References

[RFC1157]     Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple
              Network Management Protocol", STD 15, RFC 1157, May 1990.

[RFC1212]     Rose, M. and K. McCloghrie, "Concise MIB Definitions",
              STD 16, RFC 1212, March 1991.

[RFC1213]     McCloghrie, K. and M. Rose, Editors, "Management Information
              Base for Network Management of TCP/IP-based internets:
              MIB-II", STD 17, RFC 1213, March 1991.

[RFC1284]     Cook, J., "Definitions of Managed Objects for Ethernet-Like
              Interface Types", RFC 1284, December 1991.

[RFC1369]     Kastenholz, F., "Implementation Notes and Experience for The
              Internet Ethernet MIB", RFC 1369, October 1992.

[RFC1398]     Kastenholz, F., "Definitions of Managed Objects for the
              Ethernet-like Interface Types", RFC 1398, January 1993.

[RFC1643]     Kastenholz, F., "Definitions of Managed Objects for the
              Ethernet-like Interface Types", STD 50, RFC 1643, July 1994.

[RFC1650]     Kastenholz, F., "Definitions of Managed Objects for the
              Ethernet-like Interface Types using SMIv2", RFC 1650,
              August 1994.

[RFC1901]     Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
              "Introduction to Community-based SNMPv2", RFC 1901,
              January 1996.

[RFC1905]     Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
              "Protocol Operations for Version 2 of the Simple Network
              Management Protocol (SNMPv2)", RFC 1905, January 1996.

[RFC1906]     Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
              "Transport Mappings for Version 2 of the Simple Network
              Management Protocol (SNMPv2)", RFC 1906, January 1996.

[RFC2119]     Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2570]     Case, J., Mundy, R., Partain, D. and B. Stewart,
              "Introduction to Version 3 of the Internet-Standard Network
              Management Framework", RFC 2570, April 1999.

[RFC2572]     Case, J., Harrington, D., Presuhn, R. and B. Wijnen, "Message
              Processing and Dispatching for the Simple Network Management
              Protocol (SNMP)", RFC 2572, May 1999.

[RFC2573]     Levi, D., Meyer, P. and B. Stewart, "SNMPv3 Applications",
              RFC 2573, May 1999.

[RFC2574]     Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management Protocol
              (SNMPv3)", RFC 2574, May 1999.

[RFC2575]     Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access
              Control Model (VACM) for the Simple Network Management
              Protocol (SNMP)", RFC 2575, May 1999.

[RFC2863]     McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB
              using SMIv2", RFC 2863, June 2000.
8. Security Considerations

-00:

A number of management objects are defined in this MIB that have a
MAX-ACCESS clause of read-write or read-create. Such objects may be
considered sensitive or vulnerable in some network environments. The
support for SET operations in a nonsecure environment without proper
protection can have a negative effect on network operations.

-01:

The Port Access Entity defined in this MIB is integral to the
security of the network accessed through the Authenticator. The
managed objects in this MIB that have a MAX-ACCESS clause of
read-write or read-create must be considered sensitive in a secure
environment. The support of SET operations in a non-secure
environment without proper protection can have a negative effect on
the security of access to the network, for both the Authenticator and
the Supplicant. The managed objects in this MIB that have a
MAX-ACCESS clause of anything other than not-accessible may allow
users, including authenticated users that have authorised access to
the secured network, to discover information that may help to
compromise the access and security of others. Therefore the support
of GET operations must also be considered sensitive in a secure
environment.
SNMPv1 by itself is not a secure environment. Even if the network is
secure (for example, by using IPSec), there is no control as to who
on the secure network is allowed to access (read / change / create
/ delete) the objects in this MIB.

It is recommended that the implementors consider the security
features as provided by the SNMPv3 framework. Specifically, the use
of the User-based Security Model, IETF RFC 2574, and the View-based
Access Control Model, IETF RFC 2575, is recommended. It then becomes
a user responsibility to ensure that the SNMP entity giving access to
an instance of this MIB is properly configured to give access only to
those principals (users) that have legitimate rights to access (read /
change / create / delete) them, as appropriate.
9. Author's Address

-00:

K.C. Norseth
Consultant
934 S. Palos Verdes Dr.
Kaysville, Utah 84037
Phone: +1 801 546 3316
Email: kcn@norseth.com

-01:

K.C. Norseth
L-3 Communications
640 N. 2200 West.
Salt Lake City, Utah 84116-0850
Email: kenyon.c.norseth@L-3com.com
       kcn@norseth.com
A. Change Log

-00:

This is the initial draft copied from the IEEE 802.1X specification.

-01:

The following changes were made to <draft-ietf-bridge-8021x-00.txt>
to produce <draft-ietf-bridge-8021x-01.txt>:

1) Redefined the overview to better reflect the IEEE 802.1X document.
2) Clarification of the security section.
3) Splitting references into Normative and Informative.
B. Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are

End of changes.

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/