--- 1/draft-ietf-hubmib-etherif-mib-05.txt 2006-02-04 23:26:02.000000000 +0100 +++ 2/draft-ietf-hubmib-etherif-mib-06.txt 2006-02-04 23:26:02.000000000 +0100 @@ -1,21 +1,21 @@ Hub MIB Working Group J. Flick INTERNET DRAFT Hewlett-Packard Company J. Johnson RedBack Networks May 1998 Definitions of Managed Objects for the Ethernet-like Interface Types - + Status of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any 
@@ -59,23 +59,23 @@ 4.2.4. ifRcvAddressTable ...................................... 6 4.2.5. ifPhysAddress .......................................... 6 4.2.6. ifType ................................................. 7 4.2.7. Specific Interface MIB Objects ......................... 8 4.3. Relation to the 802.3 MAU MIB ............................ 11 4.4. Mapping of IEEE 802.3 Managed Objects .................... 11 5. Definitions ................................................ 12 6. Intellectual Property ...................................... 35 7. Acknowledgements ........................................... 35 8. References ................................................. 36 - 9. Security Considerations .................................... 37 + 9. Security Considerations .................................... 38 10. Author's Addresses ........................................ 38 - 11. Full Copyright Statement .................................. 38 + 11. Full Copyright Statement .................................. 39 1. Introduction This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it defines objects for managing ethernet-like interfaces. This memo also includes a MIB module. This MIB module extends the list of managed objects specified in the earlier version of this MIB: 
@@ -1635,27 +1635,27 @@ copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. 7. Acknowledgements This document was produced by the 802.3 Hub MIB Working Group. This document is almost completely based on both the Standard - Ethernet MIB, RFC 1623 [10], and the Proposed Standard Ethernet MIB + Ethernet MIB, RFC 1643 [10], and the Proposed Standard Ethernet MIB using the SNMPv2 SMI, RFC 1650 [11], both of which were edited by Frank Kastenholz of FTP Software and produced by the Ethernet MIB Working Group. This document extends those documents by providing support for 100 Mb/sec ethernet interfaces as outlined in [6]. - RFC 1623 and RFC 1650, in turn, are based on the Draft Standard + RFC 1643 and RFC 1650, in turn, are based on the Draft Standard Ethernet MIB, RFC 1398 [9], also edited by Frank Kastenholz and produced by the Ethernet MIB Working Group. RFC 1398, in turn, is based on the Proposed Standard Ethernet MIB, RFC 1284 [8], which was edited by John Cook of Chipcom and produced by the Transmission MIB Working Group. The Ethernet MIB Working Group gathered implementation experience of the variables specified in RFC 1284 and used that information to develop this revised MIB. RFC 1284, in turn, is based on a document written by Frank 
@@ -1703,22 +1703,22 @@ wg@nnsc.nsf.net, 9 June 1989. [8] Cook, J., "Definitions of Managed Objects for Ethernet-Like Interface Types", RFC 1284, Chipcom Corporation, December 1991. [9] Kastenholz, F., "Definitions of Managed Objects for the Ethernet-like Interface Types", RFC 1398, FTP Software, Inc., January 1993. [10] Kastenholz, F., "Definitions of Managed Objects for the - Ethernet-like Interface Types", RFC 1623, FTP Software, Inc., - May 1994. + Ethernet-like Interface Types", RFC 1643, FTP Software, Inc., + July 1994. [11] Kastenholz, F., "Definitions of Managed Objects for the Ethernet-like Interface Types using SMIv2", RFC 1650, FTP Software, Inc., August 1994. [12] McCloghrie, K., and F. Kastenholz, "The Interfaces Group MIB using SMIv2", RFC 2233, Cisco Systems, FTP Software, November 1997. [13] Bradner, S., "Key words for use in RFCs to Indicate 
@@ -1732,27 +1732,59 @@ 1997. [15] Kastenholz, F., "Implementation Notes and Experience for The Internet Ethernet MIB", RFC 1369, FTP Software, October 1992. [16] McCloghrie, K., and M. Rose, Editors, "Management Information Base for Network Management of TCP/IP-based internets: MIB-II", STD 17, RFC 1213, Hughes LAN Systems, Performance Systems International, March 1991. + [17] Blumenthal, U., and B. Wijnen, "User-based Security Model (USM) + for version 3 of the Simple Network Management Protocol + (SNMPv3)", RFC 2274, January 1998. + + [18] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access + Control Model for the Simple Network Management Protocol + (SNMP)", RFC 2275, January 1998. + 9. Security Considerations - Certain management information defined in this MIB may be considered - sensitive in some network environments. Therefore, authentication of - received SNMP requests and controlled access to management - information should be employed in such environments. The method for - this authentication is a function of the SNMP Administrative - Framework, and has not been expanded by this MIB. + + There are no management objects defined in this MIB that have a MAX- + ACCESS clause of read-write and/or read-create. So, if this MIB is + implemented correctly, then there is no risk that an intruder can + alter or create any management objects of this MIB via direct SNMP + SET operations. + + There are a number of managed objects in this MIB that may be + considered to contain sensitive information. None of them however + are more sensitive than any other generic MIB objects. + + Therefore, it may be important in some environments to control read + access to these objects and possibly to even encrypt the values of + these object when sending them over the network via SNMP. Not all + versions of SNMP provide features for such a secure environment. + + SNMPv1 by itself is such an insecure environment. 
Even if the + network itself is secure (for example by using IPSec), even then, + there is no control as to who on the secure network is allowed to + access and GET (read) the objects in this MIB. + + It is recommended that the implementors consider the security + features as provided by the SNMPv3 framework. Specifically, the use + of the User-based Security Model RFC 2274 [17] and the View-based + Access Control Model RFC 2275 [18] is recommended. + + It is then a customer/user responsibility to ensure that the SNMP + entity giving access to an instance of this MIB, is properly + configured to give access to those objects only to those principals + (users) that have legitimate rights to access them. 10. Author's Addresses John Flick Hewlett-Packard Company 8000 Foothills Blvd. M/S 5556 Roseville, CA 95747-5556 Phone: +1 916 785 4018 Email: johnf@hprnd.rose.hp.com
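Review bot: in the table-of-contents hunk (`@@ -59,23 +59,23 @@`) the page numbers for sections 9 and 11 each move by one, which agrees with the longer Security Considerations text added at the end of the patch, but the entry `10. Author's Addresses ... 38` is left as is while section 9 now also starts on page 38; that is only right if the whole of section 9 and the start of section 10 share one page, so confirm these three numbers against the regenerated pagination rather than adjusting them by hand.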
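Review bot: the Acknowledgements hunk (`@@ -1635,27 +1635,27 @@`) changes `RFC 1623` to `RFC 1643` in two places and matches the update to reference [10] in the following hunk, so the two stay consistent; please check the rest of the draft for any remaining `RFC 1623`, in particular the Introduction's list of earlier versions of this MIB, which is cut off at the end of the table-of-contents hunk and is not touched by this patch.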
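Review bot: reference [10] (`@@ -1703,22 +1703,22 @@`) changes both the RFC number and the month (`RFC 1643` / `July 1994`) together, which is the right pairing since a citation's number and date are not independent; no further issue with this hunk beyond confirming that every body-text use of `[10]` is meant to cite the later RFC and not the May 1994 document.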
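Review bot: the rewritten Security Considerations (`@@ -1732,27 +1732,59 @@`) has a typo in `encrypt the values of these object when sending them` (should be `these objects`), and `SNMPv1 by itself is such an insecure environment` reads oddly right after `Not all versions of SNMP provide features for such a secure environment`; wording such as `SNMPv1 by itself does not provide such a secure environment` would carry the intended meaning. In the same hunk the new references [17] and [18] omit the author affiliation that every other entry in the list carries (compare `[11] Kastenholz, F., ... FTP Software, Inc., August 1994.`), so either add the affiliations or apply one style to the whole list. The reasoning itself holds up: with no read-write or read-create objects there is nothing for a SET to alter, the paragraph on IPsec correctly separates securing the network from controlling which principal may read the objects, and pointing implementors to USM [17] and VACM [18] is the appropriate mitigation for the read-access concern the section raises.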