draft-ietf-ips-auth-mib-02.txt   draft-ietf-ips-auth-mib-03.txt 
Internet Draft Mark Bakke Internet Draft Mark Bakke
<draft-ietf-ips-auth-mib-02.txt> Jim Muchow <draft-ietf-ips-auth-mib-03.txt> Jim Muchow
Expires March 2003 Cisco Systems Expires May 2003 Cisco Systems
September 2002 November 2002
Definitions of Managed Objects for User Identity Authentication Definitions of Managed Objects for User Identity Authentication
1. Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference time. It is inappropriate to use Internet- Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.html.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
1.1. Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved. Copyright (C) The Internet Society (2001). All Rights Reserved.
2. Abstract Abstract
This memo defines a portion of the Management Information Base (MIB) This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in TCP/IP based internets. for use with network management protocols in TCP/IP based internets.
In particular it defines objects for managing user identities and the In particular it defines objects for managing user identities and the
names, addresses, and credentials required to authenticate them, for names, addresses, and credentials required to authenticate them, for
use with various protocols. This draft was motivated by the need for use with various protocols. This draft was motivated by the need for
the configuration of authenticated user identities for the iSCSI the configuration of authenticated user identities for the iSCSI
protocol [ISCSI], but has been extended to be useful for other protocol, but has been extended to be useful for other protocols that
protocols that have similar requirements. It is important to note have similar requirements. It is important to note that this MIB
that this MIB provides only the set of identities and the means to provides only the set of identities and the means to authenticate
authenticate them; it is the responsibility of other MIBs making use them; it is the responsibility of other MIBs making use of this one
of this one to tie them to authorization lists. to tie them to authorization lists.
3. Acknowledgments Acknowledgments
In addition to the authors, several people contributed to the In addition to the authors, several people contributed to the
development of this MIB through discussions of authentication, development of this MIB through discussions of authentication,
authorization, and access within the iSCSI MIB and security teams, authorization, and access within the iSCSI MIB and security teams,
including John Hufferd, Marjorie Krueger, Keith McCloghrie, Tom including John Hufferd, Marjorie Krueger, Keith McCloghrie, Tom
McSweeney, Steve Senum, and Josh Tseng. Thanks also to Bill McSweeney, Steve Senum, and Josh Tseng. Thanks also to Bill
Studenmund (Wasabi Systems) for adding the Kerberos method. Studenmund (Wasabi Systems) for adding the Kerberos method.
Thanks especially to Keith McCloghrie for serving as advisor for this Thanks especially to Keith McCloghrie for serving as advisor for this
MIB. MIB.
4. The SNMP Management Framework Table of Contents
1. The SNMP Management Framework.............................2
2. Relationship to Other MIBs................................4
3. Discussion................................................4
3.1. Authentication MIB Object Model.........................4
3.2. ipsAuthInstance.........................................5
3.3. ipsAuthIdentity.........................................6
3.4. ipsAuthIdentityName.....................................6
3.5. ipsAuthIdentityAddress..................................6
3.6. ipsAuthCredential.......................................7
3.7. IP, Fibre Channel, and Other Addresses..................8
3.8. Descriptors: Using OIDs in Place of Enumerated Types....8
3.9. Notifications...........................................8
4. MIB Definitions...........................................9
5. Security Considerations..................................27
6. Normative References.....................................28
7. Informative References...................................29
8. Authors' Addresses.......................................31
9. Full Copyright Notice....................................31
1. The SNMP Management Framework
The SNMP Management Framework presently consists of five major The SNMP Management Framework presently consists of five major
components: components:
o An overall architecture, described in RFC 2571 [RFC2571]. o An overall architecture, described in RFC 2571 [RFC2571].
o Mechanisms for describing and naming objects and events for the o Mechanisms for describing and naming objects and events for the
purpose of management. The first version of this Structure of purpose of management. The first version of this Structure of
Management Information (SMI) is called SMIv1 and described in Management Information (SMI) is called SMIv1 and described in
STD 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC STD 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC
skipping to change at page 3, line 39 skipping to change at page 4, line 5
person; a user can also be a host, an application, a cluster of person; a user can also be a host, an application, a cluster of
hosts, or any other identifiable entity that can be authenticated and hosts, or any other identifiable entity that can be authenticated and
granted access to a resource. granted access to a resource.
Most objects in this MIB have a MAX-ACCESS of read-create; the MIB is Most objects in this MIB have a MAX-ACCESS of read-create; the MIB is
intended to allow configuration of user identities and their names, intended to allow configuration of user identities and their names,
addresses, and credentials. MIN-ACCESS for all objects is read-only addresses, and credentials. MIN-ACCESS for all objects is read-only
for those implementations that configure through other means, but for those implementations that configure through other means, but
require the ability to monitor user identities. require the ability to monitor user identities.
5. Relationship to Other MIBs 2. Relationship to Other MIBs
The identity authentication MIB does not directly address objects The identity authentication MIB does not directly address objects
within other MIBs. The identity address objects contain IPv4, IPv6, within other MIBs. The identity address objects contain IPv4, IPv6,
or other address types, and as such may be indirectly related to or other address types, and as such may be indirectly related to
objects within the IPv4 MIB [RFC1213, RFC2011] or IPv6 [RFC2465] MIB. objects within the IPv4 MIB [RFC1213] [RFC2011] or IPv6 [RFC2465]
MIB.
This MIB does not cover authorization. This should generally be done This MIB does not cover authorization. This should generally be done
in MIBs that reference identities in this one. It also does not in MIBs that reference identities in this one. It also does not
cover login or authentication failure statistics or notifications, as cover login or authentication failure statistics or notifications, as
these are all fairly application-specific, and not generic enough to these are all fairly application-specific, and not generic enough to
include here. include here.
The user identity objects within this MIB are typically referenced The user identity objects within this MIB are typically referenced
from other MIBs by a RowPointer within that MIB. A MIB containing from other MIBs by a RowPointer within that MIB. A MIB containing
resources for which it requires a list of authorized user identities resources for which it requires a list of authorized user identities
may create such a list, with a single RowPointer within each list may create such a list, with a single RowPointer within each list
element pointing to a user identity within this MIB. This is neither element pointing to a user identity within this MIB. This is neither
required nor restricted by this MIB. required nor restricted by this MIB.
6. Discussion 3. Discussion
This MIB structure is intended to allow the configuration of a list This MIB structure is intended to allow the configuration of a list
of user identities, each with a list of names, addresses, of user identities, each with a list of names, addresses,
credentials, and certificates which when combined will authenticate credentials, and certificates which when combined will authenticate
that identity. that identity.
The authentication MIB is structured around two primary "objects", The authentication MIB is structured around two primary "objects",
the authentication instance, and the identity, which serve as the authentication instance, and the identity, which serve as
containers for the remainder of the objects. This section contains a containers for the remainder of the objects. This section contains a
brief description of the "object" hierarchy and a description of each brief description of the "object" hierarchy and a description of each
object, followed by a discussion of the actual SNMP table structure object, followed by a discussion of the actual SNMP table structure
within the objects. within the objects.
6.1. Authentication MIB Object Model 3.1. Authentication MIB Object Model
The top-level object in this structure is the authentication The top-level object in this structure is the authentication
instance, which "contains" all of the other objects. The indexing instance, which "contains" all of the other objects. The indexing
hierarchy of this MIB looks like: hierarchy of this MIB looks like:
ipsAuthInstance ipsAuthInstance
-- A distinct authentication entity within the managed system. -- A distinct authentication entity within the managed system.
-- Most implementations will have just one of these. -- Most implementations will have just one of these.
ipsAuthIdentity ipsAuthIdentity
-- A user identity, consisting of a set of identity names, -- A user identity, consisting of a set of identity names,
skipping to change at page 5, line 14 skipping to change at page 5, line 28
ipsAuthCredSrp ipsAuthCredSrp
-- SRP-specific attributes -- SRP-specific attributes
ipsAuthCredKerberos ipsAuthCredKerberos
-- Kerberos-specific attributes -- Kerberos-specific attributes
Each identity contains the information necessary to authenticate a Each identity contains the information necessary to authenticate a
particular end-point that wishes to access a service, such as iSCSI. particular end-point that wishes to access a service, such as iSCSI.
An identity can contain multiple names, addresses, and credentials. An identity can contain multiple names, addresses, and credentials.
6.2. ipsAuthInstance 3.2. ipsAuthInstance
The ipsAuthInstanceAttributesTable is the primary table of the The ipsAuthInstanceAttributesTable is the primary table of the
authentication MIB. Every other table entry in this MIB includes the authentication MIB. Every other table entry in this MIB includes the
index of an ipsAuthInstanceAttributesEntry as its primary index. An index of an ipsAuthInstanceAttributesEntry as its primary index. An
authentication instance is basically a managed set of identities. authentication instance is basically a managed set of identities.
Many implementations will include just one authentication instance Many implementations will include just one authentication instance
row in this table. However, there will be cases where multiple rows row in this table. However, there will be cases where multiple rows
in this table may be used: in this table may be used:
skipping to change at page 5, line 39 skipping to change at page 6, line 5
- A set of stackable systems, each with their own set of identities, - A set of stackable systems, each with their own set of identities,
may be managed by a common SNMP agent. Each individual system may be managed by a common SNMP agent. Each individual system
would have its own authentication instance. would have its own authentication instance.
- Multiple protocols, each with their own set of identities, may - Multiple protocols, each with their own set of identities, may
exist within a single system and be managed by a single SNMP agent. exist within a single system and be managed by a single SNMP agent.
In this case, each protocol may have its own authentication In this case, each protocol may have its own authentication
instance. instance.
6.3. ipsAuthIdentity 3.3. ipsAuthIdentity
The ipsAuthIdentAttributesTable contains one entry for each The ipsAuthIdentAttributesTable contains one entry for each
configured user identity. The identity contains only a description configured user identity. The identity contains only a description
of what the identity is used for; its attributes are all contained in of what the identity is used for; its attributes are all contained in
other tables, since they can have multiple values. other tables, since they can have multiple values.
Other MIBs containing lists of users authorized to access a Other MIBs containing lists of users authorized to access a
particular resource should generally contain a RowPointer to the particular resource should generally contain a RowPointer to the
ipsAuthIdentAttributesEntry which will, if authenticated, be allowed ipsAuthIdentAttributesEntry which will, if authenticated, be allowed
access. access.
All other table entries make use of the indices to this table as All other table entries make use of the indices to this table as
their primary indices. their primary indices.
6.4. ipsAuthIdentityName 3.4. ipsAuthIdentityName
The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names, The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names,
each of which belong to, and may be used to identify, a particular each of which belong to, and may be used to identify, a particular
identity in the authIdentity table. identity in the authIdentity table.
Implementations making use of the authentication MIB may identify Implementations making use of the authentication MIB may identify
their resources by names, addresses, or both. A name is typically a their resources by names, addresses, or both. A name is typically a
unique (within the required scope), unchanging identifier for a unique (within the required scope), unchanging identifier for a
resource. It will normally meet some or all of the requirements for a resource. It will normally meet some or all of the requirements for a
Uniform Resource Name [RFC1737], although a name in the context of Uniform Resource Name [RFC1737], although a name in the context of
this MIB does not need to be a URN. Identifiers that typically this MIB does not need to be a URN. Identifiers that typically
change over time should generally be placed into the change over time should generally be placed into the
ipsAuthIdentityAddress table; names that have no uniqueness ipsAuthIdentityAddress table; names that have no uniqueness
properties should usually be placed into the description attribute properties should usually be placed into the description attribute
for the identity. for the identity.
An example of an identity name is the iSCSI Name, defined in [ISCSI]. An example of an identity name is the iSCSI Name, defined in [ISCSI].
If this table contains no entries associated with a particular user If this table contains no entries associated with a particular user
identity, the implementation does not need to check any name identity, the implementation does not need to check any name
paramenters when authenticating that identity. If the table contains parameters when authenticating that identity. If the table contains
multiple entries associated with a particular user identity, the multiple entries associated with a particular user identity, the
implementation should consider a match with any one of these entries implementation should consider a match with any one of these entries
to be valid. to be valid.
6.5. ipsAuthIdentityAddress 3.5. ipsAuthIdentityAddress
The ipsAuthIdentAddrAttributesTable contains a list of addresses at The ipsAuthIdentAddrAttributesTable contains a list of addresses at
which the identity may be authenticated. For example, an identity which the identity may be authenticated. For example, an identity
may be allowed access to a resource only from a certain IP address, may be allowed access to a resource only from a certain IP address,
or only if its address is in a certain range or set of ranges. or only if its address is in a certain range or set of ranges.
Each entry contains a starting and ending address. If a single Each entry contains a starting and ending address. If a single
address is desired in the list, both starting and ending addresses address is desired in the list, both starting and ending addresses
must be identical. must be identical.
skipping to change at page 7, line 12 skipping to change at page 7, line 25
Matching any address within any range within the list associated with Matching any address within any range within the list associated with
a particular identity is considered to be a valid match. If no a particular identity is considered to be a valid match. If no
entries are present in this list for a given identity, its address is entries are present in this list for a given identity, its address is
not checked during authentication. not checked during authentication.
Netmasks are not supported, since an address range can express the Netmasks are not supported, since an address range can express the
same thing with more flexibility. An application specifying same thing with more flexibility. An application specifying
addresses using network masks may do so, and convert to and from addresses using network masks may do so, and convert to and from
address ranges when reading or writing this MIB. address ranges when reading or writing this MIB.
6.6. ipsAuthCredential 3.6. ipsAuthCredential
The ipsAuthCredentialAttributesTable contains a list of credentials, The ipsAuthCredentialAttributesTable contains a list of credentials,
each of which may authenticate a particular identity. each of which may authenticate a particular identity.
Each credential contains an authentication method to be used, such as Each credential contains an authentication method to be used, such as
CHAP [RFC1994], SRP [RFC2945], or Kerberos [RFC1510]. This attribute CHAP [RFC1994], SRP [RFC2945], or Kerberos [RFC1510]. This attribute
contains an object identifier instead of an enumerated type, allowing contains an object identifier instead of an enumerated type, allowing
other MIBs to add their own authentication methods, without modifying other MIBs to add their own authentication methods, without modifying
this MIB. this MIB.
skipping to change at page 7, line 45 skipping to change at page 8, line 10
Kerberos If the AuthMethod is set to the Kerberos OID, an entry using Kerberos If the AuthMethod is set to the Kerberos OID, an entry using
the same indices as the ipsAuthCredential will exist in the the same indices as the ipsAuthCredential will exist in the
ipsAuthCredKerberos table, which contains the Kerberos ipsAuthCredKerberos table, which contains the Kerberos
principal. principal.
Other If the AuthMethod is set to any OID not defined in this MIB, Other If the AuthMethod is set to any OID not defined in this MIB,
an entry using the same indices as the ipsAuthCredential an entry using the same indices as the ipsAuthCredential
entry should be placed in the other MIB that define whatever entry should be placed in the other MIB that define whatever
attributes are needed for that type of credential. attributes are needed for that type of credential.
6.7. IP, Fibre Channel, and Other Addresses 3.7. IP, Fibre Channel, and Other Addresses
The IP addresses in this MIB are represented by two attributes, one The IP addresses in this MIB are represented by two attributes, one
of type AddressFamilyNumbers, and the other of type AuthAddress. of type AddressFamilyNumbers, and the other of type AuthAddress.
Each address can take on any of the types within the list of address Each address can take on any of the types within the list of address
family numbers; the most likely being IPv4, IPv6, or one of the Fibre family numbers; the most likely being IPv4, IPv6, or one of the Fibre
Channel address types. Channel address types.
The type AuthAddress is an octet string. If the address family is The type AuthAddress is an octet string. If the address family is
IPv4 or IPv6, the format is taken from the InetAddress specified in IPv4 or IPv6, the format is taken from the InetAddress specified in
[RFC3291]. If the address family is one of the Fibre Channel types, [RFC3291]. If the address family is one of the Fibre Channel types,
the format is identical to the FcNameIdOrZero type defined in the format is identical to the FcNameIdOrZero type defined in
[FCMGMT]. [FCMGMT].
6.8. Descriptors: Using OIDs in Place of Enumerated Types 3.8. Descriptors: Using OIDs in Place of Enumerated Types
Some attributes, particularly the authentication method attribute, Some attributes, particularly the authentication method attribute,
would normally require an enumerated type. However, implementations would normally require an enumerated type. However, implementations
will likely need to add new authentication method types of their own, will likely need to add new authentication method types of their own,
without extending this MIB. To make this work, the MIB defines a set without extending this MIB. To make this work, the MIB defines a set
of object identities within ipsAuthDescriptors. Each of these object of object identities within ipsAuthDescriptors. Each of these object
identities is basically an enumerated type. identities is basically an enumerated type.
Attributes that make use of these object identities have a value Attributes that make use of these object identities have a value
which is an OID instead of an enumerated type. These OIDs can either which is an OID instead of an enumerated type. These OIDs can either
indicate the object identities defined in this MIB, or object indicate the object identities defined in this MIB, or object
identities defined elsewhere, such as in an enterprise MIB. Those identities defined elsewhere, such as in an enterprise MIB. Those
implementations that add their own authentication methods should also implementations that add their own authentication methods should also
define a corresponding object identity for each of these methods define a corresponding object identity for each of these methods
within their own enterprise MIB, and return its OID whenever one of within their own enterprise MIB, and return its OID whenever one of
these attributes is using that method. these attributes is using that method.
6.9. Notifications 3.9. Notifications
Monitoring of authentication failures and other notification events Monitoring of authentication failures and other notification events
are outside the scope of this MIB, as they are generally application- are outside the scope of this MIB, as they are generally application-
specific. No notifications are provided or required. specific. No notifications are provided or required.
7. MIB Definitions 4. MIB Definitions
IPS-AUTH-MIB DEFINITIONS ::= BEGIN IPS-AUTH-MIB DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32, MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32,
experimental experimental
FROM SNMPv2-SMI FROM SNMPv2-SMI
TEXTUAL-CONVENTION, RowStatus, AutonomousType TEXTUAL-CONVENTION, RowStatus, AutonomousType
FROM SNMPv2-TC FROM SNMPv2-TC
skipping to change at page 9, line 28 skipping to change at page 9, line 28
FROM SNMPv2-CONF FROM SNMPv2-CONF
SnmpAdminString SnmpAdminString
FROM SNMP-FRAMEWORK-MIB -- RFC 2571 FROM SNMP-FRAMEWORK-MIB -- RFC 2571
AddressFamilyNumbers AddressFamilyNumbers
FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB
; ;
ipsAuthModule MODULE-IDENTITY ipsAuthModule MODULE-IDENTITY
LAST-UPDATED "200209250000Z" -- September 25, 2002 LAST-UPDATED "200211010000Z" -- November 1, 2002
ORGANIZATION "IETF IPS Working Group" ORGANIZATION "IETF IPS Working Group"
CONTACT-INFO CONTACT-INFO
" "
Mark Bakke Mark Bakke
Postal: Cisco Systems, Inc Postal: Cisco Systems, Inc
6450 Wedgwood Road, Suite 130 6450 Wedgwood Road, Suite 130
Maple Grove, MN Maple Grove, MN
USA 55311 USA 55311
Tel: +1 763-398-1000 Tel: +1 763-398-1000
skipping to change at page 10, line 8 skipping to change at page 10, line 8
6450 Wedgwood Road, Suite 130 6450 Wedgwood Road, Suite 130
Maple Grove, MN Maple Grove, MN
USA 55311 USA 55311
Tel: +1 763-398-1000 Tel: +1 763-398-1000
Fax: +1 763-398-1001 Fax: +1 763-398-1001
E-mail: jmuchow@cisco.com" E-mail: jmuchow@cisco.com"
DESCRIPTION DESCRIPTION
"The IP Storage Authentication MIB module." "The IP Storage Authentication MIB module."
REVISION "200209250000Z" -- September 25, 2002 REVISION "200211010000Z" -- November 1, 2002
DESCRIPTION DESCRIPTION
"Initial revision published as RFC xxxx." "Initial revision published as RFC xxxx."
--::= { mib-2 xx } --::= { mib-2 xx }
-- in case you want to COMPILE -- in case you want to COMPILE
::= { experimental 99999 } ::= { experimental 99999 }
ipsAuthObjects OBJECT IDENTIFIER ::= { ipsAuthModule 1 } ipsAuthObjects OBJECT IDENTIFIER ::= { ipsAuthModule 1 }
ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthModule 2 } ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthModule 2 }
ipsAuthConformance OBJECT IDENTIFIER ::= { ipsAuthModule 3 } ipsAuthConformance OBJECT IDENTIFIER ::= { ipsAuthModule 3 }
skipping to change at page 11, line 50 skipping to change at page 11, line 50
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A list of Authentication instances present on the system." "A list of Authentication instances present on the system."
::= { ipsAuthInstance 2 } ::= { ipsAuthInstance 2 }
ipsAuthInstanceAttributesEntry OBJECT-TYPE ipsAuthInstanceAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthInstanceAttributesEntry SYNTAX IpsAuthInstanceAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry (row) containing managment information "An entry (row) containing management information
applicable to a particular Authentication instance." applicable to a particular Authentication instance."
INDEX { ipsAuthInstIndex } INDEX { ipsAuthInstIndex }
::= { ipsAuthInstanceAttributesTable 1 } ::= { ipsAuthInstanceAttributesTable 1 }
IpsAuthInstanceAttributesEntry ::= SEQUENCE { IpsAuthInstanceAttributesEntry ::= SEQUENCE {
ipsAuthInstIndex Unsigned32, ipsAuthInstIndex Unsigned32,
ipsAuthInstDescr SnmpAdminString ipsAuthInstDescr SnmpAdminString
} }
skipping to change at page 12, line 36 skipping to change at page 12, line 36
"An octet string, determined by the implementation to "An octet string, determined by the implementation to
describe the authentication instance. When only a single describe the authentication instance. When only a single
instance is present, this object may be set to the instance is present, this object may be set to the
zero-length string; with multiple authentication zero-length string; with multiple authentication
instances, it may be used in an implementation-dependent instances, it may be used in an implementation-dependent
manner to describe the purpose of the respective instance." manner to describe the purpose of the respective instance."
::= { ipsAuthInstanceAttributesEntry 2 } ::= { ipsAuthInstanceAttributesEntry 2 }
ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 } ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 }
-- User Identity Attributes Table
ipsAuthIdentAttributesTable OBJECT-TYPE ipsAuthIdentAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthIdentAttributesEntry SYNTAX SEQUENCE OF IpsAuthIdentAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A list of user identities, each belonging to a "A list of user identities, each belonging to a
particular ipsAuthInstance." particular ipsAuthInstance."
::= { ipsAuthIdentity 1 } ::= { ipsAuthIdentity 1 }
skipping to change at page 13, line 44 skipping to change at page 13, line 44
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP." removed from this table via SNMP."
::= { ipsAuthIdentAttributesEntry 3 } ::= { ipsAuthIdentAttributesEntry 3 }
ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 } ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 }
-- User Initiator Name Attributes Table
ipsAuthIdentNameAttributesTable OBJECT-TYPE ipsAuthIdentNameAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthIdentNameAttributesEntry SYNTAX SEQUENCE OF IpsAuthIdentNameAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A list of unique names that can be used to positively "A list of unique names that can be used to positively
identify a particular user identity." identify a particular user identity."
::= { ipsAuthIdentityName 1 } ::= { ipsAuthIdentityName 1 }
skipping to change at page 15, line 9 skipping to change at page 15, line 9
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP." removed from this table via SNMP."
::= { ipsAuthIdentNameAttributesEntry 3 } ::= { ipsAuthIdentNameAttributesEntry 3 }
ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 } ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 }
-- User Initiator Address Attributes Table
ipsAuthIdentAddrAttributesTable OBJECT-TYPE ipsAuthIdentAddrAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthIdentAddrAttributesEntry SYNTAX SEQUENCE OF IpsAuthIdentAddrAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A list of address ranges that are allowed to serve "A list of address ranges that are allowed to serve
as the endpoint addresses of a particular identity. as the endpoint addresses of a particular identity.
An address range includes a starting and ending address An address range includes a starting and ending address
and an optional netmask, and an address type indicator, and an optional netmask, and an address type indicator,
skipping to change at page 16, line 48 skipping to change at page 16, line 48
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP." removed from this table via SNMP."
::= { ipsAuthIdentAddrAttributesEntry 5 } ::= { ipsAuthIdentAddrAttributesEntry 5 }
ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 } ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 }
-- Credential Attributes Table
ipsAuthCredentialAttributesTable OBJECT-TYPE ipsAuthCredentialAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredentialAttributesEntry SYNTAX SEQUENCE OF IpsAuthCredentialAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A list of credentials related to user identities "A list of credentials related to user identities
that are allowed as valid authenticators of the that are allowed as valid authenticators of the
particular identity." particular identity."
::= { ipsAuthCredential 1 } ::= { ipsAuthCredential 1 }
skipping to change at page 17, line 35 skipping to change at page 17, line 35
ipsAuthCredAuthMethod AutonomousType, ipsAuthCredAuthMethod AutonomousType,
ipsAuthCredRowStatus RowStatus ipsAuthCredRowStatus RowStatus
} }
ipsAuthCredIndex OBJECT-TYPE ipsAuthCredIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer used to uniquely identify a "An arbitrary integer used to uniquely identify a
particular iSCSI Credential instance within an particular Credential instance within an instance
iSCSI instance present on the node." present on the node."
::= { ipsAuthCredentialAttributesEntry 1 } ::= { ipsAuthCredentialAttributesEntry 1 }
ipsAuthCredAuthMethod OBJECT-TYPE ipsAuthCredAuthMethod OBJECT-TYPE
SYNTAX AutonomousType SYNTAX AutonomousType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object contains an OBJECT IDENTIFIER "This object contains an OBJECT IDENTIFIER
which identifies the authentication method which identifies the authentication method
used with this credential. used with this credential.
skipping to change at page 25, line 12 skipping to change at page 25, line 12
The ipsAuthIdentCredAttributesGroup must be The ipsAuthIdentCredAttributesGroup must be
implemented if this group is implemented." implemented if this group is implemented."
GROUP ipsAuthIdentKerberosAttrGroup GROUP ipsAuthIdentKerberosAttrGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for all implementations "This group is mandatory for all implementations
that use Kerberos to help authenticate identities. that use Kerberos to help authenticate identities.
The ipsAuthIdentCredAttributesGroup must be The ipsAuthIdentCredAttributesGroup must be
implemented if this group is implemented." implemented if this group is implemented."
OBJECT ipsAuthInstDescr
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthIdentDescription
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthIdentRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required, and only one of the
six enumerated values for the RowStatus textual
convention need be supported, specifically:
active(1)."
OBJECT ipsAuthIdentName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthIdentNameRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required, and only one of the
six enumerated values for the RowStatus textual
convention need be supported, specifically:
active(1)."
OBJECT ipsAuthIdentAddrType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthIdentAddrStart
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthIdentAddrEnd
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthIdentAddrRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required, and only one of the
six enumerated values for the RowStatus textual
convention need be supported, specifically:
active(1)."
OBJECT ipsAuthCredAuthMethod
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthCredRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required, and only one of the
six enumerated values for the RowStatus textual
convention need be supported, specifically:
active(1)."
OBJECT ipsAuthCredChapUserName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthCredChapPassword
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthCredChapRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required, and only one of the
six enumerated values for the RowStatus textual
convention need be supported, specifically:
active(1)."
OBJECT ipsAuthCredSrpUserName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthCredSrpPassword
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthCredSrpRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required, and only one of the
six enumerated values for the RowStatus textual
convention need be supported, specifically:
active(1)."
OBJECT ipsAuthCredKerbPrincipal
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthCredKerbRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required, and only one of the
six enumerated values for the RowStatus textual
convention need be supported, specifically:
active(1)."
::= { ipsAuthCompliances 1 } ::= { ipsAuthCompliances 1 }
END END
8. Security Considerations 5. Security Considerations
SNMPv1 by itself is not a secure environment. Even if the network SNMPv1 by itself is not a secure environment. Even if the network
itself is secure (for example by using IPSec), even then, there is no itself is secure (for example by using IPsec), even then, there is no
control as to who on the secure network is allowed to access and control as to who on the secure network is allowed to access and
GET/SET (read/change/create/delete) the objects in this MIB. GET/SET (read/change/create/delete) the objects in this MIB.
It is recommended that the implementers consider the security It is recommended that the implementors consider the security
features as provided by the SNMPv3 framework. Specifically, the use features as provided by the SNMPv3 framework. Specifically, the use
of the User-based Security Model RFC 2574 [RFC2574] and the View- of the User-based Security Model RFC 2574 [RFC2574] and the View-
based Access Control Model RFC 2575 [RFC2575] is recommended. based Access Control Model RFC 2575 [RFC2575] is recommended.
It is then a customer/user responsibility to ensure that the SNMP It is then a customer/user responsibility to ensure that the SNMP
entity giving access to an instance of this MIB, is properly entity giving access to an instance of this MIB, is properly
configured to give access to the objects only to those principals configured to give access to the objects only to those principals
(users) that have legitimate rights to indeed GET or SET (users) that have legitimate rights to indeed GET or SET
(change/create/delete) them. (change/create/delete) them.
skipping to change at page 26, line 5 skipping to change at page 28, line 30
tightly controlled. tightly controlled.
Write access to the MIB provides the ability to set up which Write access to the MIB provides the ability to set up which
credentials may be used to access services on the managed system, to credentials may be used to access services on the managed system, to
remove legitimate credentials (a denial of service), or to remove remove legitimate credentials (a denial of service), or to remove
individual credentials to weaken the requirements for access of a individual credentials to weaken the requirements for access of a
particular service. In addition, write access may be used to change particular service. In addition, write access may be used to change
CHAP or SRP passwords to a known value. Write access must always be CHAP or SRP passwords to a known value. Write access must always be
tightly controlled. tightly controlled.
9. Normative References 6. Normative References
[RFC2571] D. Harrington, R. Presuhn, and B. Wijnen, "An Architecture [RFC2571] D. Harrington, R. Presuhn, and B. Wijnen, "An Architecture
for Describing SNMP Management Frameworks", RFC 2571, April for Describing SNMP Management Frameworks", RFC 2571, April
1999. 1999.
[RFC1155] M. Rose and K. McCloghrie, "Structure and Identification of [RFC1155] M. Rose and K. McCloghrie, "Structure and Identification of
Management Information for TCP/IP-based Internets", STD 16, Management Information for TCP/IP-based Internets", STD 16,
RFC 1155, May 1990. RFC 1155, May 1990.
[RFC1212] M. Rose and K. McCloghrie, "Concise MIB Definitions", STD [RFC1212] M. Rose and K. McCloghrie, "Concise MIB Definitions", STD
skipping to change at page 27, line 5 skipping to change at page 29, line 30
Network Management of TCP/IP-based internets:MIB-II", March Network Management of TCP/IP-based internets:MIB-II", March
1991. 1991.
[RFC2011] K. McCloghrie, "SNMPv2 Management Information Base for the [RFC2011] K. McCloghrie, "SNMPv2 Management Information Base for the
Internet Protocol using SMIv2", November 1996. Internet Protocol using SMIv2", November 1996.
[RFC2465] D. Haskin, S. Onishi, "Management Information Base for IP [RFC2465] D. Haskin, S. Onishi, "Management Information Base for IP
Version 6: Textual Conventions and General Group", December Version 6: Textual Conventions and General Group", December
1998. 1998.
10. Informative References 7. Informative References
[RFC1901] J. Case, K. McCloghrie, M. Rose, and S. Waldbusser, [RFC1901] J. Case, K. McCloghrie, M. Rose, and S. Waldbusser,
"Introduction to Community-based SNMPv2", RFC 1901, January "Introduction to Community-based SNMPv2", RFC 1901, January
1996. 1996.
[RFC1906] J. Case, K. McCloghrie, M. Rose, and S. Waldbusser, [RFC1906] J. Case, K. McCloghrie, M. Rose, and S. Waldbusser,
"Transport Mappings for Version 2 of the Simple Network "Transport Mappings for Version 2 of the Simple Network
Management Protocol (SNMPv2)", RFC 1906, January 1996. Management Protocol (SNMPv2)", RFC 1906, January 1996.
[RFC2572] J. Case, D. Harrington, R. Presuhn, and B. Wijnen, "Message [RFC2572] J. Case, D. Harrington, R. Presuhn, and B. Wijnen, "Message
skipping to change at page 28, line 15 skipping to change at page 31, line 5
[RFC2945] T. Wu, "The SRP Authentication and Key Exchange System", [RFC2945] T. Wu, "The SRP Authentication and Key Exchange System",
September 2000. September 2000.
[FCMGMT] K. McCloghrie, "Fibre Channel Management MIB", draft-ietf- [FCMGMT] K. McCloghrie, "Fibre Channel Management MIB", draft-ietf-
ips-fcmgmt-mib-01, February 2002. ips-fcmgmt-mib-01, February 2002.
[X.509] ITU-T Recommendation X.509 (1997 E), "Information Technology [X.509] ITU-T Recommendation X.509 (1997 E), "Information Technology
- Open Systems Interconnection - The Directory: - Open Systems Interconnection - The Directory:
Authentication Framework", June 1997. Authentication Framework", June 1997.
11. Authors' Addresses 8. Authors' Addresses
Mark Bakke Mark Bakke
Postal: Cisco Systems, Inc Postal: Cisco Systems, Inc
6450 Wedgwood Road, Suite 130 6450 Wedgwood Road, Suite 130
Maple Grove, MN Maple Grove, MN
USA 55311 USA 55311
Tel: +1 763-398-1000 Tel: +1 763-398-1000
Fax: +1 763-398-1001 Fax: +1 763-398-1001
skipping to change at line 1301 skipping to change at page 31, line 28
Jim Muchow Jim Muchow
Postal: Cisco Systems, Inc Postal: Cisco Systems, Inc
6450 Wedgwood Road, Suite 130 6450 Wedgwood Road, Suite 130
Maple Grove, MN Maple Grove, MN
USA 55311 USA 55311
Tel: +1 763-398-1000 Tel: +1 763-398-1000
Fax: +1 763-398-1001 Fax: +1 763-398-1001
E-mail: jmuchow@cisco.com" E-mail: jmuchow@cisco.com"
9. Full Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/