draft-ietf-ips-auth-mib-06.txt   draft-ietf-ips-auth-mib-07.txt 
Internet Draft Mark Bakke Internet Draft Mark Bakke
<draft-ietf-ips-auth-mib-06.txt> Cisco Systems <draft-ietf-ips-auth-mib-07.txt> Cisco Systems
Expires July 2005 Expires April 2006
James Muchow James Muchow
Qlogic Corp. Qlogic Corp.
January 2005 October 2005
Definitions of Managed Objects for User Identity Authorization Definitions of Managed Objects for User Identity Authorization
Status of this Memo Status of this Memo
By submitting this Internet-Draft, I certify that any applicable By submitting this Internet-Draft, each author represents that any
patent or other IPR claims of which I am aware have been disclosed, applicable patent or other IPR claims of which he or she is aware
or will be disclosed, and any of which I become aware will be have been or will be disclosed, and any of which he or she becomes
disclosed, in accordance with RFC 3668. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.html. http://www.ietf.org/ietf/1id-abstracts.html.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). All Rights Reserved. Copyright (C) The Internet Society (2005).
Abstract Abstract
This memo defines a portion of the Management Information Base (MIB) This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in TCP/IP based internets. for use with network management protocols in TCP/IP based internets.
In particular it defines objects for managing user identities and the In particular it defines objects for managing user identities and the
names, addresses, and credentials required manage access control, for names, addresses, and credentials required manage access control, for
use with various protocols. This draft was motivated by the need for use with various protocols. This draft was motivated by the need for
the configuration of authorized user identities for the iSCSI the configuration of authorized user identities for the iSCSI
protocol, but has been extended to be useful for other protocols that protocol, but has been extended to be useful for other protocols that
have similar requirements. It is important to note that this MIB have similar requirements. It is important to note that this MIB
module provides only the set of identities to be used within access module provides only the set of identities to be used within access
lists; it is the responsibility of other MIB modules making use of lists; it is the responsibility of other MIB modules making use of
this one to tie them to their own access lists or other authorization this one to tie them to their own access lists or other authorization
control methods. control methods.
Acknowledgments
In addition to the authors, several people contributed to the
development of this MIB module through discussions of authentication,
authorization, and access within the iSCSI MIB module and security
teams, including John Hufferd, Marjorie Krueger, Keith McCloghrie,
Tom McSweeney, Steve Senum, and Josh Tseng. Thanks also to Bill
Studenmund (Wasabi Systems) for adding the Kerberos method, and to
Ayman Ghanem for finding and suggesting changes to several problems
found in the MIB module.
Thanks especially to Keith McCloghrie for serving as advisor for this
MIB module.
Table of Contents Table of Contents
1. Introduction..............................................3 1. Introduction..............................................2
2. The Internet-Standard Management Framework................3 2. Specification of Requirements.............................3
3. Relationship to Other MIB Modules.........................3 3. The Internet-Standard Management Framework................3
4. Discussion................................................4 4. Relationship to Other MIB Modules.........................3
4.1. Authorization MIB Object Model..........................4 5. Relationship to the USM MIB Module........................4
4.2. ipsAuthInstance.........................................5 6. Relationship SNMP Contexts................................4
4.3. ipsAuthIdentity.........................................6 7. Discussion................................................5
4.4. ipsAuthIdentityName.....................................6 7.1. Authorization MIB Object Model..........................5
4.5. ipsAuthIdentityAddress..................................6 7.2. ipsAuthInstance.........................................6
4.6. ipsAuthCredential.......................................7 7.3. ipsAuthIdentity.........................................7
4.7. IP, Fibre Channel, and Other Addresses..................8 7.4. ipsAuthIdentityName.....................................7
4.8. Descriptors: Using OIDs in Place of Enumerated Types....8 7.5. ipsAuthIdentityAddress..................................8
4.9. Notifications...........................................8 7.6. ipsAuthCredential.......................................8
5. MIB Definitions...........................................9 7.7. IP, Fibre Channel, and Other Addresses..................9
6. Security Considerations..................................30 7.8. Descriptors: Using OIDs in Place of Enumerated Types....9
7. IANA Considerations......................................31 7.9. Notifications..........................................10
7.1. OID Assignment.........................................31 8. MIB Definitions..........................................11
8. Normative References.....................................31 9. Security Considerations..................................33
9. Informative References...................................32 10. IANA Considerations.....................................34
10. Authors' Addresses......................................32 10.1. OID Assignment........................................34
11. IPR Notice..............................................32 10. Normative References....................................34
12. Full Copyright Notice...................................33 11. Informative References..................................35
Authors' Addresses......................................35
IPR Notice..............................................36
Full Copyright Notice...................................36
1. Introduction 1. Introduction
This MIB module will be used to configure and/or look at the This MIB module will be used to configure and/or look at the
configuration of user identities and their credential information. configuration of user identities and their credential information.
For the purposes of this MIB module, a "user" identity does not need For the purposes of this MIB module, a "user" identity does not need
to be an actual person; a user can also be a host, an application, a to be an actual person; a user can also be a host, an application, a
cluster of hosts, or any other identifiable entity that can be cluster of hosts, or any other identifiable entity that can be
authorized to access a resource. authorized to access a resource.
Most objects in this MIB module have a MAX-ACCESS of read-create; Most objects in this MIB module have a MAX-ACCESS of read-create;
this module is intended to allow configuration of user identities and this module is intended to allow configuration of user identities and
their names, addresses, and credentials. MIN-ACCESS for all objects their names, addresses, and credentials. MIN-ACCESS for all objects
is read-only for those implementations that configure through other is read-only for those implementations that configure through other
means, but require the ability to monitor user identities. means, but require the ability to monitor user identities.
2. The Internet-Standard Management Framework 2. Specification of Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410]. RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP). accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58, module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580]. [RFC2580].
3. Relationship to Other MIB Modules 4. Relationship to Other MIB Modules
The identity authorization MIB module does not directly address The IPS-AUTH-MIB module does not directly address objects within
objects within other modules. The identity address objects contain other modules. The identity address objects contain IPv4, IPv6, or
IPv4, IPv6, or other address types, and as such may be indirectly other address types, and as such may be indirectly related to objects
related to objects within the IPv4 [RFC1213] [RFC2011] or IPv6 within the IPv4 [RFC2011] or IPv6 [RFC2465] MIB modules.
[RFC2465] MIB modules.
This MIB module does not provide actual authorization or access This MIB module does not provide actual authorization or access
control lists; it provides a means to identify entities that can be control lists; it provides a means to identify entities that can be
included in other authorization lists. This should generally be done included in other authorization lists. This should generally be done
in MIB modules that reference identities in this one. It also does in MIB modules that reference identities in this one. It also does
not cover login or authentication failure statistics or not cover login or authentication failure statistics or
notifications, as these are all fairly application-specific, and are notifications, as these are all fairly application-specific, and are
not generic enough to include here. not generic enough to include here.
The user identity objects within this module are typically referenced The user identity objects within this module are typically referenced
from other modules by a RowPointer within that module. A module from other modules by a RowPointer within that module. A module
containing resources for which it requires a list of authorized user containing resources for which it requires a list of authorized user
identities may create such a list, with a single RowPointer within identities may create such a list, with a single RowPointer within
each list element pointing to a user identity within this module. each list element pointing to a user identity within this module.
This is neither required nor restricted by this MIB module. This is neither required nor restricted by this MIB module.
4. Discussion 5. Relationship to the USM MIB Module
The User-based Security Model (USM) [RFC3414] also defines the
concept of a user, defining authentication and privacy protocols and
their credentials. The definition of USM includes the SNMP-USER-
BASED-SM-MIB module which allows configuration of SNMPv3 user
credentials to protect SNMPv3 messages. Although USM's users are not
related to the user identities managed by the IPS-AUTH-MIB module
defined in this document, USM will often be implemented on the same
system as the IPS-AUTH-MIB module, with the SNMP-USER-BASED-SM-MIB
module used to manage the security protecting SNMPv3 messages,
including those which access the IPS-AUTH-MIB module.
The term "user" in this document is distinct from an SNMPv3 user, and
is intended to include, but is not limited to, users of IP storage
devices. A "user" in this document is a collection of user names
(unique identifiers), user addresses, and credentials that can be
used together to determine whether an entity should be allowed access
to a resource. Each user can have multiple names, addresses, and
credentials. As a result, this MIB module is particularly suited to
managing users of storage resources, which are typically given access
control lists consisting of potentially multiple identifiers,
addresses, and credentials. This MIB module provides for
authorization lists only, and does not include setting of data
privacy parameters.
In contrast, an SNMPv3 user as defined in [RFC3414] has exactly one
user-name, one authentication protocol, and one privacy protocol,
along with their associated information and SNMP-specific
information, such as an engine ID. These objects are defined to
support exactly the information needed for SNMPv3 security.
For the remainder of this document, the term "user" means an IPS-
AUTH-MIB user identity.
6. Relationship to SNMP Contexts
Each non-scalar object in the IPS-AUTH-MIB module is indexed first by
an Instance. Each instance is a collection of identities that can be
used to authorize access to a resource. The use of an instance works
well with partitionable or hierarchical devices and fits in logically
with other management schemes. Instances do not replace SNMP
contexts, however they do provide a very simple way to assign a
collection of identities within a device to one or more SNMP
contexts, without having to do so for each identity's row.
7. Discussion
This MIB module structure is intended to allow the configuration of a This MIB module structure is intended to allow the configuration of a
list of user identities, each with a list of names, addresses, list of user identities, each with a list of names, addresses,
credentials, and certificates which when combined will distinguish credentials, and certificates which when combined will distinguish
that identity. that identity.
The authorization MIB module is structured around two primary The IPS-AUTH-MIB module is structured around two primary "objects",
"objects", the authorization instance, and the identity, which serve the authorization instance, and the identity, which serve as
as containers for the remainder of the objects. This section containers for the remainder of the objects. This section contains a
contains a brief description of the "object" hierarchy and a brief description of the "object" hierarchy and a description of each
description of each object, followed by a discussion of the actual object, followed by a discussion of the actual SNMP table structure
SNMP table structure within the objects. within the objects.
4.1. Authorization MIB Object Model 7.1. Authorization MIB Object Model
The top-level object in this structure is the authorization instance, The top-level object in this structure is the authorization instance,
which "contains" all of the other objects. The indexing hierarchy of which "contains" all of the other objects. The indexing hierarchy of
this module looks like: this module looks like:
ipsAuthInstance ipsAuthInstance
-- A distinct authorization entity within the managed system. -- A distinct authorization entity within the managed system.
-- Most implementations will have just one of these. -- Most implementations will have just one of these.
ipsAuthIdentity ipsAuthIdentity
-- A user identity, consisting of a set of identity names, -- A user identity, consisting of a set of identity names,
skipping to change at page 5, line 13 skipping to change at page 6, line 6
-- CHAP-specific attributes for an ipsAuthCredential -- CHAP-specific attributes for an ipsAuthCredential
ipsAuthCredSrp ipsAuthCredSrp
-- SRP-specific attributes -- SRP-specific attributes
ipsAuthCredKerberos ipsAuthCredKerberos
-- Kerberos-specific attributes -- Kerberos-specific attributes
Each identity contains the information necessary to identify a Each identity contains the information necessary to identify a
particular end-point that wishes to access a service, such as iSCSI. particular end-point that wishes to access a service, such as iSCSI.
An identity can contain multiple names, addresses, and credentials. An identity can contain multiple names, addresses, and credentials.
Each of these names, addresses, and credentials exists in its own
row. If multiple rows of one of these three types are present, they
are treated in an "OR" fashion; an entity to be authorized need only
match one of the rows. If rows of different types are present (e.g.
a name and an address), these are treated in an "AND" fashion; an
entity to be authorized must match at least one row from each
category. If there are no rows present of a category, this category
is ignored.
4.2. ipsAuthInstance For example, if an ipsAuthIdentity contains two rows of
ipsAuthIdentityAddress, one row of ipsAuthCredential, and no rows of
ipsAuthIdentityName, an entity must match the Credential row and at
least one of the two Address rows to match the identity.
The ipsAuthInstanceAttributesTable is the primary table of the Index values such as ipsAuthInstIndex and ipsAuthIdentIndex are
authorization MIB module. Every other table entry in this module referenced in multiple tables, and rows can be added and deleted. An
includes the index of an ipsAuthInstanceAttributesEntry as its implementation should therefore attempt to keep all index values
primary index. An authorization instance is basically a managed set persistent across reboots; index values for rows that have been
of identities. deleted must not be reused before a reboot.
7.2. ipsAuthInstance
The ipsAuthInstanceAttributesTable is the primary table of the IPS-
AUTH-MIB module. Every other table entry in this module includes the
index of an ipsAuthInstanceAttributesEntry as its primary index. An
authorization instance is basically a managed set of identities.
Many implementations will include just one authorization instance row Many implementations will include just one authorization instance row
in this table. However, there will be cases where multiple rows in in this table. However, there will be cases where multiple rows in
this table may be used: this table may be used:
- A large system may be "partitioned" into multiple, distinct virtual - A large system may be "partitioned" into multiple, distinct virtual
systems, perhaps sharing the SNMP agent but not their lists of systems, perhaps sharing the SNMP agent but not their lists of
identities. Each virtual system would have its own authorization identities. Each virtual system would have its own authorization
instance. instance.
- A set of stackable systems, each with their own set of identities, - A set of stackable systems, each with their own set of identities,
may be represented by a common SNMP agent. Each individual system may be represented by a common SNMP agent. Each individual system
would have its own authorization instance. would have its own authorization instance.
- Multiple protocols, each with their own set of identities, may - Multiple protocols, each with their own set of identities, may
exist within a single system and be represented by a single SNMP exist within a single system and be represented by a single SNMP
agent. In this case, each protocol may have its own authorization agent. In this case, each protocol may have its own authorization
instance. instance.
An entry in this table is typically referenced by its name An entry in this table is often referenced by its name
(ipsAuthInstDescr), which should be displayed to the user by the (ipsAuthInstDescr), which should be displayed to the user by the
management station. When an implementation supports only one entry management station. When an implementation supports only one entry
in this table, the description may be returned as a zero-length in this table, the description may be returned as a zero-length
string. string.
An end user will generally use name and description fields in 7.3. ipsAuthIdentity
identifying rows within this and other tables. Therefore,
persistence of index values across reboots is not required in this
MIB module. However, index values for rows that have been deleted
must not be reused before a reboot.
4.3. ipsAuthIdentity
The ipsAuthIdentAttributesTable contains one entry for each The ipsAuthIdentAttributesTable contains one entry for each
configured user identity. The identity contains only a description configured user identity. The identity contains only a description
of what the identity is used for; its attributes are all contained in of what the identity is used for; its attributes are all contained in
other tables, since they can each have multiple values. other tables, since they can each have multiple values.
Other MIB modules containing lists of users authorized to access a Other MIB modules containing lists of users authorized to access a
particular resource should generally contain a RowPointer to the particular resource should generally contain a RowPointer to the
ipsAuthIdentAttributesEntry which will, if authenticated, be allowed ipsAuthIdentAttributesEntry which will, if authenticated, be allowed
access to the resource. access to the resource.
All other table entries make use of the indices to this table as All other table entries make use of the indices to this table as
their primary indices. their primary indices.
4.4. ipsAuthIdentityName 7.4. ipsAuthIdentityName
The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names, The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names,
each of which belong to, and may be used to identify, a particular each of which belong to, and may be used to identify, a particular
identity in the authIdentity table. identity in the authIdentity table.
Implementations making use of the authorization MIB module may Implementations making use of the IPS-AUTH-MIB module may identify
identify their resources by names, addresses, or both. A name is their resources by names, addresses, or both. A name is typically a
typically a unique (within the required scope), unchanging identifier unique (within the required scope), unchanging identifier for a
for a resource. It will normally meet some or all of the requirements resource. It will normally meet some or all of the requirements for a
for a Uniform Resource Name [RFC1737], although a name in the context Uniform Resource Name [RFC1737], although a name in the context of
of this MIB module does not need to be a URN. Identifiers that this MIB module does not need to be a URN. Identifiers that
typically change over time should generally be placed into the typically change over time should generally be placed into the
ipsAuthIdentityAddress table; names that have no uniqueness ipsAuthIdentityAddress table; names that have no uniqueness
properties should usually be placed into the description attribute properties should usually be placed into the description attribute
for the identity. for the identity.
An example of an identity name is the iSCSI Name, defined in An example of an identity name is the iSCSI Name, defined in
[RFC3720]. [RFC3720]. Any other MIB module defining names to be used as
ipsAuthIdentityName objects should specify how its names are unique,
and the domain within which they are unique.
If this table contains no entries associated with a particular user If this table contains no entries associated with a particular user
identity, the implementation does not need to check any name identity, the implementation does not need to check any name
parameters when verifying that identity. If the table contains parameters when verifying that identity. If the table contains
multiple entries associated with a particular user identity, the multiple entries associated with a particular user identity, the
implementation should consider a match with any one of these entries implementation should consider a match with any one of these entries
to be valid. to be valid.
4.5. ipsAuthIdentityAddress 7.5. ipsAuthIdentityAddress
The ipsAuthIdentAddrAttributesTable contains a list of addresses at The ipsAuthIdentAddrAttributesTable contains a list of addresses at
which the identity may reside. For example, an identity may be which the identity may reside. For example, an identity may be
allowed access to a resource only from a certain IP address, or only allowed access to a resource only from a certain IP address, or only
if its address is in a certain range or set of ranges. if its address is in a certain range or set of ranges.
Each entry contains a starting and ending address. If a single Each entry contains a starting and ending address. If a single
address is desired in the list, both starting and ending addresses address is desired in the list, both starting and ending addresses
must be identical. must be identical.
skipping to change at page 7, line 25 skipping to change at page 8, line 32
Matching any address within any range within the list associated with Matching any address within any range within the list associated with
a particular identity is considered to be a valid match. If no a particular identity is considered to be a valid match. If no
entries are present in this list for a given identity, its address is entries are present in this list for a given identity, its address is
automatically assumed to match the identity. automatically assumed to match the identity.
Netmasks are not supported, since an address range can express the Netmasks are not supported, since an address range can express the
same thing with more flexibility. An application specifying same thing with more flexibility. An application specifying
addresses using network masks may do so, and convert to and from addresses using network masks may do so, and convert to and from
address ranges when reading or writing this MIB module. address ranges when reading or writing this MIB module.
4.6. ipsAuthCredential 7.6. ipsAuthCredential
The ipsAuthCredentialAttributesTable contains a list of credentials, The ipsAuthCredentialAttributesTable contains a list of credentials,
each of which may be used to verify a particular identity. each of which may be used to verify a particular identity.
Each credential contains an authentication method to be used, such as Each credential contains an authentication method to be used, such as
CHAP [RFC1994], SRP [RFC2945], or Kerberos [RFC1510]. This attribute CHAP [RFC1994], SRP [RFC2945], or Kerberos [RFC1510]. This attribute
contains an object identifier instead of an enumerated type, allowing contains an object identifier instead of an enumerated type, allowing
other MIB modules to add their own authentication methods, without other MIB modules to add their own authentication methods, without
modifying this MIB module. modifying this MIB module.
skipping to change at page 8, line 11 skipping to change at page 9, line 17
the same indices as the ipsAuthCredential will exist in the the same indices as the ipsAuthCredential will exist in the
ipsAuthCredKerberos table, which contains the Kerberos ipsAuthCredKerberos table, which contains the Kerberos
principal. principal.
Other If the AuthMethod is set to any OID not defined in this Other If the AuthMethod is set to any OID not defined in this
module, an entry using the same indices as the module, an entry using the same indices as the
ipsAuthCredential entry should be placed in the other module ipsAuthCredential entry should be placed in the other module
that define whatever attributes are needed for that type of that define whatever attributes are needed for that type of
credential. credential.
4.7. IP, Fibre Channel, and Other Addresses 7.7. IP, Fibre Channel, and Other Addresses
The IP addresses in this MIB module are represented by two The IP addresses in this MIB module are represented by two
attributes, one of type AddressFamilyNumbers, and the other of type attributes, one of type AddressFamilyNumbers, and the other of type
AuthAddress. Each address can take on any of the types within the AuthAddress. Each address can take on any of the types within the
list of address family numbers; the most likely being IPv4, IPv6, or list of address family numbers; the most likely being IPv4, IPv6, or
one of the Fibre Channel address types. one of the Fibre Channel address types.
The type AuthAddress is an octet string. If the address family is The type AuthAddress is an octet string. If the address family is
IPv4 or IPv6, the format is taken from the InetAddress specified in IPv4 or IPv6, the format is taken from the InetAddress specified in
[RFC3291]. If the address family is one of the Fibre Channel types, [RFC4001]. If the address family is one of the Fibre Channel types,
the format is identical to the FcNameIdOrZero type defined in the format is identical to the FcNameIdOrZero type defined in
[FCMGMT]. [RFC4044].
4.8. Descriptors: Using OIDs in Place of Enumerated Types 7.8. Descriptors: Using OIDs in Place of Enumerated Types
Some attributes, particularly the authentication method attribute, Some attributes, particularly the authentication method attribute,
would normally require an enumerated type. However, implementations would normally require an enumerated type. However, implementations
will likely need to add new authentication method types of their own, will likely need to add new authentication method types of their own,
without extending this MIB module. To make this work, this module without extending this MIB module. To make this work, this module
defines a set of object identities within ipsAuthDescriptors. Each defines a set of object identities within ipsAuthDescriptors. Each
of these object identities is basically an enumerated type. of these object identities is basically an enumerated type.
Attributes that make use of these object identities have a value Attributes that make use of these object identities have a value
which is an OID instead of an enumerated type. These OIDs can either which is an OID instead of an enumerated type. These OIDs can either
indicate the object identities defined in this module, or object indicate the object identities defined in this module, or object
identities defined elsewhere, such as in an enterprise MIB module. identities defined elsewhere, such as in an enterprise MIB module.
Those implementations that add their own authentication methods Those implementations that add their own authentication methods
should also define a corresponding object identity for each of these should also define a corresponding object identity for each of these
methods within their own enterprise MIB module, and return its OID methods within their own enterprise MIB module, and return its OID
whenever one of these attributes is using that method. whenever one of these attributes is using that method.
4.9. Notifications 7.9. Notifications
Monitoring of authentication failures and other notification events Monitoring of authentication failures and other notification events
are outside the scope of this MIB module, as they are generally are outside the scope of this MIB module, as they are generally
application-specific. No notifications are provided or required. application-specific. No notifications are provided or required.
5. MIB Definitions 8. MIB Definitions
IPS-AUTH-MIB DEFINITIONS ::= BEGIN IPS-AUTH-MIB DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32, MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32,
experimental mib-2
FROM SNMPv2-SMI FROM SNMPv2-SMI
TEXTUAL-CONVENTION, RowStatus, AutonomousType, StorageType TEXTUAL-CONVENTION, RowStatus, AutonomousType, StorageType
FROM SNMPv2-TC FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF FROM SNMPv2-CONF
SnmpAdminString SnmpAdminString
FROM SNMP-FRAMEWORK-MIB -- RFC 2571 FROM SNMP-FRAMEWORK-MIB -- RFC 3411
AddressFamilyNumbers AddressFamilyNumbers
FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB
; ;
ipsAuthModule MODULE-IDENTITY ipsAuthMibModule MODULE-IDENTITY
LAST-UPDATED "200501250000Z" -- January 25, 2005 LAST-UPDATED "200510180000Z" -- October 18, 2005
ORGANIZATION "IETF IPS Working Group" ORGANIZATION "IETF IPS Working Group"
CONTACT-INFO CONTACT-INFO
" "
Mark Bakke Mark Bakke
Postal: Cisco Systems, Inc Postal: Cisco Systems, Inc
7900 International Drive, Suite 400 7900 International Drive, Suite 400
Bloomington, MN Bloomington, MN
USA 55425 USA 55425
E-mail: mbakke@cisco.com E-mail: mbakke@cisco.com
skipping to change at page 10, line 7 skipping to change at page 12, line 7
USA 55346 USA 55346
E-Mail: james.muchow@qlogic.com" E-Mail: james.muchow@qlogic.com"
DESCRIPTION DESCRIPTION
"The IP Storage Authorization MIB module. "The IP Storage Authorization MIB module.
Copyright (C) The Internet Society (2005). This version of Copyright (C) The Internet Society (2005). This version of
this MIB module is part of RFC yyyy; see the RFC itself for this MIB module is part of RFC yyyy; see the RFC itself for
full legal notices." full legal notices."
-- RFC Ed.: replace yyyy with actual RFC number & remove this note -- RFC Ed.: replace yyyy with actual RFC number & remove this note
REVISION "200501250000Z" -- January 25, 2005 REVISION "200510180000Z" -- October 18, 2005
DESCRIPTION DESCRIPTION
"Initial version of the IP Storage Authentication MIB module" "Initial version of the IP Storage Authentication MIB module"
::= { mib-2 xx } ::= { mib-2 xx } -- xx to be assigned by IANA
ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthModule 0 } ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthMibModule 0 }
ipsAuthObjects OBJECT IDENTIFIER ::= { ipsAuthModule 1 } ipsAuthObjects OBJECT IDENTIFIER ::= { ipsAuthMibModule 1 }
ipsAuthConformance OBJECT IDENTIFIER ::= { ipsAuthModule 2 } ipsAuthConformance OBJECT IDENTIFIER ::= { ipsAuthMibModule 2 }
-- Textual Conventions -- Textual Conventions
IpsAuthAddress ::= TEXTUAL-CONVENTION IpsAuthAddress ::= TEXTUAL-CONVENTION
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"IP Storage requires the use of address information "IP Storage requires the use of address information
that uses not only the InetAddress type defined in the that uses not only the InetAddress type defined in the
INET-ADDRESS-MIB, but also Fibre Channel type defined INET-ADDRESS-MIB, but also Fibre Channel type defined
in the Fibre Channel Management MIB. Although these in the Fibre Channel Management MIB. Although these
address types are recognized in the IANA Address Family address types are recognized in the IANA Address Family
Numbers MIB, the addressing mechanisms have not been Numbers MIB, the addressing mechanisms have not been
merged into a well-known, common type. This data type, merged into a well-known, common type. This data type,
the IpsAuthAddress, performs this function for this MIB the IpsAuthAddress, performs this function for this MIB
module." module."
REFERENCE REFERENCE
"IANA-ADDRESS-FAMILY-NUMBERS-MIB; "IANA-ADDRESS-FAMILY-NUMBERS-MIB;
INET-ADDRESS-MIB (RFC 2851); INET-ADDRESS-MIB (RFC 2851);
Fibre Channel Management MIB (presently defined in FC-MGMT-MIB (RFC 4044)."
draft-ietf-ips-fcmgmt-mib-01.txt)."
SYNTAX OCTET STRING (SIZE(0..255)) SYNTAX OCTET STRING (SIZE(0..255))
--******************************************************************
ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 } ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 }
ipsAuthMethodTypes OBJECT IDENTIFIER ::= { ipsAuthDescriptors 1 } ipsAuthMethodTypes OBJECT-IDENTITY
STATUS current
DESCRIPTION
"Registration point for Authentication Method Types."
REFERENCE "RFC 3720, iSCSI Protocol Specification."
::= { ipsAuthDescriptors 1 }
ipsAuthMethodNone OBJECT-IDENTITY ipsAuthMethodNone OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The authoritative identifier when no authentication "The authoritative identifier when no authentication
method is used." method is used."
REFERENCE "iSCSI Protocol Specification." REFERENCE "RFC 3720, iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 1 } ::= { ipsAuthMethodTypes 1 }
ipsAuthMethodSrp OBJECT-IDENTITY ipsAuthMethodSrp OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The authoritative identifier when the authentication "The authoritative identifier when the authentication
method is SRP." method is SRP."
REFERENCE "iSCSI Protocol Specification." REFERENCE "RFC 3720, iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 2 } ::= { ipsAuthMethodTypes 2 }
ipsAuthMethodChap OBJECT-IDENTITY ipsAuthMethodChap OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The authoritative identifier when the authentication "The authoritative identifier when the authentication
method is CHAP." method is CHAP."
REFERENCE "iSCSI Protocol Specification." REFERENCE "RFC 3720, iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 3 } ::= { ipsAuthMethodTypes 3 }
ipsAuthMethodKerberos OBJECT-IDENTITY ipsAuthMethodKerberos OBJECT-IDENTITY
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The authoritative identifier when the authentication "The authoritative identifier when the authentication
method is Kerberos." method is Kerberos."
REFERENCE "iSCSI Protocol Specification." REFERENCE "RFC 3720, iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 4 } ::= { ipsAuthMethodTypes 4 }
--******************************************************************
ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 } ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 }
-- Instance Attributes Table -- Instance Attributes Table
ipsAuthInstanceAttributesTable OBJECT-TYPE ipsAuthInstanceAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthInstanceAttributesEntry SYNTAX SEQUENCE OF IpsAuthInstanceAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at page 12, line 4 skipping to change at page 14, line 6
::= { ipsAuthInstance 2 } ::= { ipsAuthInstance 2 }
ipsAuthInstanceAttributesEntry OBJECT-TYPE ipsAuthInstanceAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthInstanceAttributesEntry SYNTAX IpsAuthInstanceAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry (row) containing management information "An entry (row) containing management information
applicable to a particular Authorization instance." applicable to a particular Authorization instance."
INDEX { ipsAuthInstIndex } INDEX { ipsAuthInstIndex }
::= { ipsAuthInstanceAttributesTable 1 } ::= { ipsAuthInstanceAttributesTable 1 }
IpsAuthInstanceAttributesEntry ::= SEQUENCE { IpsAuthInstanceAttributesEntry ::= SEQUENCE {
ipsAuthInstIndex Unsigned32, ipsAuthInstIndex Unsigned32,
ipsAuthInstDescr SnmpAdminString ipsAuthInstDescr SnmpAdminString,
ipsAuthInstStorageType StorageType
} }
ipsAuthInstIndex OBJECT-TYPE ipsAuthInstIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer used to uniquely identify a "An arbitrary integer used to uniquely identify a
particular authorization instance. This value does particular authorization instance. This index value
not need to be preserved across reboots, and must must not be modified or reused by an agent unless
not be reused for a new row before a reboot." a reboot has occurred. An agent should attempt to
keep this value persistent across reboots."
::= { ipsAuthInstanceAttributesEntry 1 } ::= { ipsAuthInstanceAttributesEntry 1 }
ipsAuthInstDescr OBJECT-TYPE ipsAuthInstDescr OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-write MAX-ACCESS read-write
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string, determined by the implementation to "A character string, determined by the implementation to
describe the authorization instance. When only a single describe the authorization instance. When only a single
instance is present, this object may be set to the instance is present, this object may be set to the
zero-length string; with multiple authorization zero-length string; with multiple authorization
instances, it may be set in an implementation-dependent instances, it must be set to a unique value in an
manner to describe the purpose of the respective instance." implementation-dependent manner to describe the purpose
of the respective instance. If this is deployed in a
master agent with more than one subagent implementing
this MIB module, the master agent is responsible for
ensuring that this object is unique across all
subagents."
::= { ipsAuthInstanceAttributesEntry 2 } ::= { ipsAuthInstanceAttributesEntry 2 }
ipsAuthInstStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The storage type for all read-write objects within this
row. Rows in this table are always created via an
external process, and may have a storage type of readOnly
or permanent. Conceptual rows having the value 'permanent'
need not allow write access to any columnar objects in
the row.
If this object has the value 'volatile', modifications
to read-write objects in this row are not persistent
across reboots. If this object has the value
'nonVolatile', modifications to objects in this row
are persistent.
An implementation may choose to allow this object
to be set to either 'nonVolatile' or 'volatile',
allowing the management application to choose this
behavior."
DEFVAL { volatile }
::= { ipsAuthInstanceAttributesEntry 3 }
ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 } ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 }
-- User Identity Attributes Table -- User Identity Attributes Table
ipsAuthIdentAttributesTable OBJECT-TYPE ipsAuthIdentAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthIdentAttributesEntry SYNTAX SEQUENCE OF IpsAuthIdentAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A list of user identities, each belonging to a "A list of user identities, each belonging to a
skipping to change at page 13, line 25 skipping to change at page 16, line 12
ipsAuthIdentStorageType StorageType ipsAuthIdentStorageType StorageType
} }
ipsAuthIdentIndex OBJECT-TYPE ipsAuthIdentIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer used to uniquely identify a "An arbitrary integer used to uniquely identify a
particular identity instance within an authorization particular identity instance within an authorization
instance present on the node. This value does not instance present on the node. This index value
need to be preserved across reboots, and must not must not be modified or reused by an agent unless
be used for a new row before a reboot." a reboot has occurred. An agent should attempt to
keep this value persistent across reboots."
::= { ipsAuthIdentAttributesEntry 1 } ::= { ipsAuthIdentAttributesEntry 1 }
ipsAuthIdentDescription OBJECT-TYPE ipsAuthIdentDescription OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string describing this particular identity." "A character string describing this particular identity."
::= { ipsAuthIdentAttributesEntry 2 } ::= { ipsAuthIdentAttributesEntry 2 }
ipsAuthIdentRowStatus OBJECT-TYPE ipsAuthIdentRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP. When adding a row to removed from this table via SNMP. When adding a row to
this table, all non-Index/RowStatus objects must be set. this table, all non-Index/RowStatus objects must be set.
Rows may be discarded using RowStatus." Rows may be discarded using RowStatus."
::= { ipsAuthIdentAttributesEntry 3 } ::= { ipsAuthIdentAttributesEntry 3 }
ipsAuthIdentStorageType OBJECT-TYPE ipsAuthIdentStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table that were "The storage type for all read-create objects in this row.
created through an external process may have a storage type of Rows in this table that were created through an external
readOnly or permanent." process may have a storage type of readOnly or permanent."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { ipsAuthIdentAttributesEntry 4 } ::= { ipsAuthIdentAttributesEntry 4 }
ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 } ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 }
-- User Initiator Name Attributes Table -- User Initiator Name Attributes Table
ipsAuthIdentNameAttributesTable OBJECT-TYPE ipsAuthIdentNameAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthIdentNameAttributesEntry SYNTAX SEQUENCE OF IpsAuthIdentNameAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
skipping to change at page 15, line 4 skipping to change at page 17, line 39
ipsAuthIdentNameStorageType StorageType ipsAuthIdentNameStorageType StorageType
} }
ipsAuthIdentNameIndex OBJECT-TYPE ipsAuthIdentNameIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer used to uniquely identify a "An arbitrary integer used to uniquely identify a
particular identity name instance within an particular identity name instance within an
ipsAuthIdentity within an authorization instance. This ipsAuthIdentity within an authorization instance.
value does not need to be preserved across reboots, This index value must not be modified or reused by
and must not be used for a new row before a reboot." an agent unless a reboot has occurred. An agent
should attempt to keep this value persistent across
reboots."
::= { ipsAuthIdentNameAttributesEntry 1 } ::= { ipsAuthIdentNameAttributesEntry 1 }
ipsAuthIdentName OBJECT-TYPE ipsAuthIdentName OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A character string which is the unique name of an "A character string which is the unique name of an
identity that may be used to identify this ipsAuthIdent identity that may be used to identify this ipsAuthIdent
entry." entry."
skipping to change at page 15, line 35 skipping to change at page 18, line 24
removed from this table via SNMP. When adding a row to removed from this table via SNMP. When adding a row to
this table, all non-Index/RowStatus objects must be set. this table, all non-Index/RowStatus objects must be set.
Rows may be discarded using RowStatus." Rows may be discarded using RowStatus."
::= { ipsAuthIdentNameAttributesEntry 3 } ::= { ipsAuthIdentNameAttributesEntry 3 }
ipsAuthIdentNameStorageType OBJECT-TYPE ipsAuthIdentNameStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table that were "The storage type for all read-create objects in this row.
created through an external process may have a storage type of Rows in this table that were created through an external
readOnly or permanent." process may have a storage type of readOnly or permanent."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { ipsAuthIdentNameAttributesEntry 4 } ::= { ipsAuthIdentNameAttributesEntry 4 }
ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 } ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 }
-- User Initiator Address Attributes Table -- User Initiator Address Attributes Table
ipsAuthIdentAddrAttributesTable OBJECT-TYPE ipsAuthIdentAddrAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthIdentAddrAttributesEntry SYNTAX SEQUENCE OF IpsAuthIdentAddrAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
skipping to change at page 16, line 41 skipping to change at page 19, line 29
} }
ipsAuthIdentAddrIndex OBJECT-TYPE ipsAuthIdentAddrIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer used to uniquely identify a "An arbitrary integer used to uniquely identify a
particular ipsAuthIdentAddress instance within an particular ipsAuthIdentAddress instance within an
ipsAuthIdentity within an authorization instance ipsAuthIdentity within an authorization instance
present on the node. This value does not need to present on the node.
be preserved across reboots, and must not be used This index value must not be modified or reused by
for a new row before a reboot." an agent unless a reboot has occurred. An agent
should attempt to keep this value persistent across
reboots."
::= { ipsAuthIdentAddrAttributesEntry 1 } ::= { ipsAuthIdentAddrAttributesEntry 1 }
ipsAuthIdentAddrType OBJECT-TYPE ipsAuthIdentAddrType OBJECT-TYPE
SYNTAX AddressFamilyNumbers SYNTAX AddressFamilyNumbers
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The type of Address in the ipsAuthIdentAddress "The type of Address in the ipsAuthIdentAddress
start, end, and mask fields. This type is taken start, end, and mask fields. This type is taken
from the IANA address family types; more types may from the IANA address family types; more types may
skipping to change at page 17, line 42 skipping to change at page 20, line 33
removed from this table via SNMP. When adding a row to removed from this table via SNMP. When adding a row to
this table, all non-Index/RowStatus objects must be set. this table, all non-Index/RowStatus objects must be set.
Rows may be discarded using RowStatus." Rows may be discarded using RowStatus."
::= { ipsAuthIdentAddrAttributesEntry 5 } ::= { ipsAuthIdentAddrAttributesEntry 5 }
ipsAuthIdentAddrStorageType OBJECT-TYPE ipsAuthIdentAddrStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table that were "The storage type for all read-create objects in this row.
created through an external process may have a storage type of Rows in this table that were created through an external
readOnly or permanent." process may have a storage type of readOnly or permanent."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { ipsAuthIdentAddrAttributesEntry 6 } ::= { ipsAuthIdentAddrAttributesEntry 6 }
ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 } ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 }
-- Credential Attributes Table -- Credential Attributes Table
ipsAuthCredentialAttributesTable OBJECT-TYPE ipsAuthCredentialAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredentialAttributesEntry SYNTAX SEQUENCE OF IpsAuthCredentialAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
skipping to change at page 18, line 40 skipping to change at page 21, line 30
ipsAuthCredStorageType StorageType ipsAuthCredStorageType StorageType
} }
ipsAuthCredIndex OBJECT-TYPE ipsAuthCredIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295) SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An arbitrary integer used to uniquely identify a "An arbitrary integer used to uniquely identify a
particular Credential instance within an instance particular Credential instance within an instance
present on the node. This value does not need to present on the node.
be preserved across reboots, and must not be used This index value must not be modified or reused by
for a new row before a reboot." an agent unless a reboot has occurred. An agent
should attempt to keep this value persistent across
reboots."
::= { ipsAuthCredentialAttributesEntry 1 } ::= { ipsAuthCredentialAttributesEntry 1 }
ipsAuthCredAuthMethod OBJECT-TYPE ipsAuthCredAuthMethod OBJECT-TYPE
SYNTAX AutonomousType SYNTAX AutonomousType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This object contains an OBJECT IDENTIFIER "This object contains an OBJECT IDENTIFIER
which identifies the authentication method which identifies the authentication method
used with this credential. used with this credential.
skipping to change at page 19, line 25 skipping to change at page 22, line 17
removed from this table via SNMP. When adding a row to removed from this table via SNMP. When adding a row to
this table, all non-Index/RowStatus objects must be set. this table, all non-Index/RowStatus objects must be set.
Rows may be discarded using RowStatus." Rows may be discarded using RowStatus."
::= { ipsAuthCredentialAttributesEntry 3 } ::= { ipsAuthCredentialAttributesEntry 3 }
ipsAuthCredStorageType OBJECT-TYPE ipsAuthCredStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table that were "The storage type for all read-create objects in this row.
created through an external process may have a storage type of Rows in this table that were created through an external
readOnly or permanent." process may have a storage type of readOnly or permanent."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { ipsAuthCredentialAttributesEntry 4 } ::= { ipsAuthCredentialAttributesEntry 4 }
ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 7 } ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 7 }
-- Credential Chap-Specific Attributes Table -- Credential Chap-Specific Attributes Table
ipsAuthCredChapAttributesTable OBJECT-TYPE ipsAuthCredChapAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredChapAttributesEntry SYNTAX SEQUENCE OF IpsAuthCredChapAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
skipping to change at page 20, line 18 skipping to change at page 23, line 10
ipsAuthCredChapUserName SnmpAdminString, ipsAuthCredChapUserName SnmpAdminString,
ipsAuthCredChapRowStatus RowStatus, ipsAuthCredChapRowStatus RowStatus,
ipsAuthCredChapStorageType StorageType ipsAuthCredChapStorageType StorageType
} }
ipsAuthCredChapUserName OBJECT-TYPE ipsAuthCredChapUserName OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string containing the CHAP user name for this "A character string containing the CHAP user name for this
credential." credential."
REFERENCE REFERENCE
"W. Simpson, RFC 1994: PPP Challenge Handshake "W. Simpson, RFC 1994: PPP Challenge Handshake
Authentication Protocol (CHAP), August 1996" Authentication Protocol (CHAP), August 1996"
::= { ipsAuthCredChapAttributesEntry 1 } ::= { ipsAuthCredChapAttributesEntry 1 }
ipsAuthCredChapRowStatus OBJECT-TYPE ipsAuthCredChapRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP. When adding a row to removed from this table via SNMP. When adding a row to
this table, all non-Index/RowStatus objects must be set. this table, all non-Index/RowStatus objects must be set.
Rows may be discarded using RowStatus." Rows may be discarded using RowStatus."
::= { ipsAuthCredChapAttributesEntry 3 } ::= { ipsAuthCredChapAttributesEntry 2 }
ipsAuthCredChapStorageType OBJECT-TYPE ipsAuthCredChapStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table that were "The storage type for all read-create objects in this row.
created through an external process may have a storage type of Rows in this table that were created through an external
readOnly or permanent." process may have a storage type of readOnly or permanent."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { ipsAuthCredChapAttributesEntry 4 } ::= { ipsAuthCredChapAttributesEntry 3 }
ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 8 } ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 8 }
-- Credential Srp-Specific Attributes Table -- Credential Srp-Specific Attributes Table
ipsAuthCredSrpAttributesTable OBJECT-TYPE ipsAuthCredSrpAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredSrpAttributesEntry SYNTAX SEQUENCE OF IpsAuthCredSrpAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at page 21, line 36 skipping to change at page 24, line 25
ipsAuthCredSrpUserName SnmpAdminString, ipsAuthCredSrpUserName SnmpAdminString,
ipsAuthCredSrpRowStatus RowStatus, ipsAuthCredSrpRowStatus RowStatus,
ipsAuthCredSrpStorageType StorageType ipsAuthCredSrpStorageType StorageType
} }
ipsAuthCredSrpUserName OBJECT-TYPE ipsAuthCredSrpUserName OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string containing the SRP user name for this "A character string containing the SRP user name for this
credential." credential."
REFERENCE REFERENCE
"T. Wu, RFC 2945: The SRP Authentication and Key "T. Wu, RFC 2945: The SRP Authentication and Key
Exchange System, September 2000" Exchange System, September 2000"
::= { ipsAuthCredSrpAttributesEntry 1 } ::= { ipsAuthCredSrpAttributesEntry 1 }
ipsAuthCredSrpRowStatus OBJECT-TYPE ipsAuthCredSrpRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP. When adding a row to removed from this table via SNMP. When adding a row to
this table, all non-Index/RowStatus objects must be set. this table, all non-Index/RowStatus objects must be set.
Rows may be discarded using RowStatus." Rows may be discarded using RowStatus."
::= { ipsAuthCredSrpAttributesEntry 3 } ::= { ipsAuthCredSrpAttributesEntry 2 }
ipsAuthCredSrpStorageType OBJECT-TYPE ipsAuthCredSrpStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table that were "The storage type for all read-create objects in this row.
created through an external process may have a storage type of Rows in this table that were created through an external
readOnly or permanent." process may have a storage type of readOnly or permanent."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { ipsAuthCredSrpAttributesEntry 4 }
::= { ipsAuthCredSrpAttributesEntry 3 }
ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 9 } ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 9 }
-- Credential Kerberos-Specific Attributes Table -- Credential Kerberos-Specific Attributes Table
ipsAuthCredKerbAttributesTable OBJECT-TYPE ipsAuthCredKerbAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredKerbAttributesEntry SYNTAX SEQUENCE OF IpsAuthCredKerbAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
skipping to change at page 23, line 5 skipping to change at page 25, line 42
ipsAuthCredKerbPrincipal SnmpAdminString, ipsAuthCredKerbPrincipal SnmpAdminString,
ipsAuthCredKerbRowStatus RowStatus, ipsAuthCredKerbRowStatus RowStatus,
ipsAuthCredKerbStorageType StorageType ipsAuthCredKerbStorageType StorageType
} }
ipsAuthCredKerbPrincipal OBJECT-TYPE ipsAuthCredKerbPrincipal OBJECT-TYPE
SYNTAX SnmpAdminString SYNTAX SnmpAdminString
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An octet string containing a Kerberos principal "A character string containing a Kerberos principal
for this credential." for this credential."
REFERENCE REFERENCE
"J. Kohl, C. Neuman, RFC 1510: The Kerberos Network "J. Kohl, C. Neuman, RFC 1510: The Kerberos Network
Authentication Service (V5), September 1993" Authentication Service (V5), September 1993"
::= { ipsAuthCredKerbAttributesEntry 1 } ::= { ipsAuthCredKerbAttributesEntry 1 }
ipsAuthCredKerbRowStatus OBJECT-TYPE ipsAuthCredKerbRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
skipping to change at page 23, line 28 skipping to change at page 26, line 16
removed from this table via SNMP. When adding a row to removed from this table via SNMP. When adding a row to
this table, all non-Index/RowStatus objects must be set. this table, all non-Index/RowStatus objects must be set.
Rows may be discarded using RowStatus." Rows may be discarded using RowStatus."
::= { ipsAuthCredKerbAttributesEntry 2 } ::= { ipsAuthCredKerbAttributesEntry 2 }
ipsAuthCredKerbStorageType OBJECT-TYPE ipsAuthCredKerbStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for this row. Rows in this table that were "The storage type for all read-create objects in this row.
created through an external process may have a storage type of Rows in this table that were created through an external
readOnly or permanent." process may have a storage type of readOnly or permanent."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { ipsAuthCredKerbAttributesEntry 3 } ::= { ipsAuthCredKerbAttributesEntry 3 }
--******************************************************************
-- Notifications -- Notifications
-- There are no notifications necessary in this MIB module. -- There are no notifications necessary in this MIB module.
--******************************************************************
-- Conformance Statements -- Conformance Statements
ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 1 } ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 1 }
ipsAuthGroups OBJECT IDENTIFIER ::= { ipsAuthConformance 2 } ipsAuthGroups OBJECT IDENTIFIER ::= { ipsAuthConformance 2 }
ipsAuthInstanceAttributesGroup OBJECT-GROUP ipsAuthInstanceAttributesGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthInstDescr ipsAuthInstDescr,
ipsAuthInstStorageType
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about "A collection of objects providing information about
authorization instances." authorization instances."
::= { ipsAuthGroups 1 } ::= { ipsAuthGroups 1 }
ipsAuthIdentAttributesGroup OBJECT-GROUP ipsAuthIdentAttributesGroup OBJECT-GROUP
OBJECTS { OBJECTS {
ipsAuthIdentDescription, ipsAuthIdentDescription,
skipping to change at page 26, line 5 skipping to change at page 28, line 41
ipsAuthCredKerbRowStatus, ipsAuthCredKerbRowStatus,
ipsAuthCredKerbStorageType ipsAuthCredKerbStorageType
} }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A collection of objects providing information about "A collection of objects providing information about
Kerberos credentials within user identities within an Kerberos credentials within user identities within an
authorization instance." authorization instance."
::= { ipsAuthGroups 8 } ::= { ipsAuthGroups 8 }
--******************************************************************
ipsAuthComplianceV1 MODULE-COMPLIANCE ipsAuthComplianceV1 MODULE-COMPLIANCE
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"Initial version of compliance statement based on "Initial version of compliance statement based on
initial version of this MIB module. initial version of this MIB module.
The Instance and Identity groups are mandatory; The Instance and Identity groups are mandatory;
at least one of the other groups (Name, Address, at least one of the other groups (Name, Address,
Credential, Certificate) is also mandatory for Credential, Certificate) is also mandatory for
skipping to change at page 27, line 15 skipping to change at page 30, line 4
The ipsAuthIdentCredAttributesGroup must be The ipsAuthIdentCredAttributesGroup must be
implemented if this group is implemented." implemented if this group is implemented."
GROUP ipsAuthIdentKerberosAttrGroup GROUP ipsAuthIdentKerberosAttrGroup
DESCRIPTION DESCRIPTION
"This group is mandatory for all implementations "This group is mandatory for all implementations
that use Kerberos to help verify identities. that use Kerberos to help verify identities.
The ipsAuthIdentCredAttributesGroup must be The ipsAuthIdentCredAttributesGroup must be
implemented if this group is implemented." implemented if this group is implemented."
OBJECT ipsAuthInstDescr OBJECT ipsAuthInstDescr
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT ipsAuthInstStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthIdentDescription OBJECT ipsAuthIdentDescription
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required." "Write access is not required."
OBJECT ipsAuthIdentRowStatus OBJECT ipsAuthIdentRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only MIN-ACCESS read-only
DESCRIPTION DESCRIPTION
"Write access is not required, and only one of the "Write access is not required, and only one of the
skipping to change at page 30, line 5 skipping to change at page 33, line 5
DESCRIPTION DESCRIPTION
"Write access is not required, and only one of the "Write access is not required, and only one of the
six enumerated values for the RowStatus textual six enumerated values for the RowStatus textual
convention need be supported, specifically: convention need be supported, specifically:
active(1)." active(1)."
::= { ipsAuthCompliances 1 } ::= { ipsAuthCompliances 1 }
END END
6. Security Considerations 9. Security Considerations
There are a number of management objects defined in this MIB module There are a number of management objects defined in this MIB module
with a MAX-ACCESS clause of read-write and/or read-create. Such with a MAX-ACCESS clause of read-write and/or read-create. Such
objects may be considered sensitive or vulnerable in some network objects may be considered sensitive or vulnerable in some network
environments. The support for SET operations in a non-secure environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on environment without proper protection can have a negative effect on
network operations. These are the tables and objects and their network operations. These are the tables and objects and their
sensitivity/vulnerability: sensitivity/vulnerability:
All tables provide the ability to set up which credentials may be All tables provide the ability to set up which credentials may be
skipping to change at page 31, line 8 skipping to change at page 34, line 8
authentication and privacy). authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them. rights to indeed GET or SET (change/create/delete) them.
7. IANA Considerations In many implementations, the objects in this MIB module can be read
and modified via other mechanisms or protocols in addition to this
MIB module. For the system to be secure, other mechanisms that can
read and modify the contents of this MIB module must also address the
above issues, and handle the threats outlined in [RFC3411], section
1.4.
7.1. OID Assignment 10. IANA Considerations
10.1. OID Assignment
IANA is requested to make a MIB OID assignment under the mib-2 IANA is requested to make a MIB OID assignment under the mib-2
branch. branch.
8. Normative References 11. Normative References
[RFC2578] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Rose, and S. Waldbusser, "Structure of Management Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J. ,
Rose, M., and S. Waldbusser, "Structure of Management
Information Version 2 (SMIv2)", STD 58, RFC 2578, April Information Version 2 (SMIv2)", STD 58, RFC 2578, April
1999. 1999.
[RFC2579] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, and S. Waldbusser, "Textual Conventions for SMIv2", Rose, M., and S. Waldbusser, "Textual Conventions for
STD 58, RFC 2579, April 1999. SMIv2", STD 58, RFC 2579, April 1999.
[RFC2580] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M. [RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, and S. Waldbusser, "Conformance Statements for SMIv2", Rose, M., and S. Waldbusser, "Conformance Statements for
STD 58, RFC 2580, April 1999. SMIv2", STD 58, RFC 2580, April 1999.
[RFC3291] M. Daniele, et. al., "Textual Conventions for Internet [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
Network Addresses", RFC 3291, May 2002. for Describing Simple Network Management Protocol (SNMP)
Management Frameworks", RFC 3411, December 2002.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network
Addresses", RFC 4001, February 2005.
[IANA-AF] IANA, "IANA Address Family Numbers MIB", [IANA-AF] IANA, "IANA Address Family Numbers MIB",
http://www.iana.org/assignments/ianaaddressfamilynumbers-mib http://www.iana.org/assignments/ianaaddressfamilynumbers-mib
[RFC1213] K. McCloghrie, M. Rose, "Management Information Base for [RFC2011] McCloghrie, K., "SNMPv2 Management Information Base for the
Network Management of TCP/IP-based internets:MIB-II", March
1991.
[RFC2011] K. McCloghrie, "SNMPv2 Management Information Base for the
Internet Protocol using SMIv2", November 1996. Internet Protocol using SMIv2", November 1996.
[RFC2465] D. Haskin, S. Onishi, "Management Information Base for IP [RFC2465] Haskin, D., and S. Onishi, "Management Information Base for
Version 6: Textual Conventions and General Group", December IP Version 6: Textual Conventions and General Group",
1998. December 1998.
[RFC1994] W. Simpson, "PPP Challenge Handshake Authentication Protocol [RFC1994] Simpson, W., "PPP Challenge Handshake Authentication
(CHAP)", August 1996. Protocol (CHAP)", August 1996.
[RFC1510] J. Kohl, C. Neuman, "The Kerberos Network Authentication [RFC1510] Kohl, J., and C. Neuman, "The Kerberos Network
Service (V5)", September 1993. Authentication Service (V5)", September 1993.
[RFC2945] T. Wu, "The SRP Authentication and Key Exchange System", [RFC2945] Wu, T., "The SRP Authentication and Key Exchange System",
September 2000. September 2000.
9. Informative References 12. Informative References
[RFC3410] J. Case, R. Mundy, D. Partain, and B. Stewart, "Introduction [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
and Applicability Statements for Internet-Standard "Introduction and Applicability Statements for Internet-
Management Framework", RFC 3410, December 2002. Standard Management Framework", RFC 3410, December 2002.
[RFC3720] Satran, J., et. al., "Internet Small Computer Systems [RFC3414] Blumenthal, U., and B. Wijnen, "User-based Security Model
Interface (iSCSI)", RFC 3720, April 2004. (USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", RFC 3414, December 2002.
[RFC1737] K. Sollins, L. Masinter, "Functional Requirements for [RFC3720] Satran, J., Meth, K., Sapuntzakis, C., Chadalapaka, M., and
Uniform Resource Names", December 1994. E. Zeidner, "Internet Small Computer Systems Interface
(iSCSI)", RFC 3720, March 2004.
[FCMGMT] K. McCloghrie, "Fibre Channel Management MIB", Work in [RFC1737] Sollins, K., and L. Masinter, "Functional Requirements for
Progress, draft-ietf-ips-fcmgmt-mib-06, December 2004. Uniform Resource Names", RFC 1737, December 1994.
10. Authors' Addresses [RFC4044] McCloghrie, K., "Fibre Channel Management MIB", RFC 4044,
May 2005.
Acknowledgments
In addition to the authors, several people contributed to the
development of this MIB module through discussions of authentication,
authorization, and access within the iSCSI MIB module and security
teams, including John Hufferd, Marjorie Krueger, Keith McCloghrie,
Tom McSweeney, Steve Senum, and Josh Tseng. Thanks also to Bill
Studenmund (Wasabi Systems) for adding the Kerberos method, and to
Ayman Ghanem for finding and suggesting changes to several problems
found in the MIB module.
Thanks especially to Keith McCloghrie for serving as advisor for this
MIB module.
Authors' Addresses
Mark Bakke Mark Bakke
Postal: Cisco Systems, Inc Postal: Cisco Systems, Inc
7900 International Drive, Suite 400 7900 International Drive, Suite 400
Bloomington, MN Bloomington, MN
USA 55425 USA 55425
Email: mbakke@cisco.com Email: mbakke@cisco.com
James Muchow James Muchow
Postal: Qlogic Corp. Postal: Qlogic Corp.
6321 Bury Drive 6321 Bury Drive
Eden Prairie, MN Eden Prairie, MN
USA 55346 USA 55346
Email: james.muchow@qlogic.com Email: james.muchow@qlogic.com
11. IPR Notice IPR Notice
By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed,
or will be disclosed, and any of which I become aware will be
disclosed, in accordance with RFC 3668.
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79. found in BCP 78 and BCP 79.
skipping to change at page 33, line 22 skipping to change at page 36, line 47
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf- this standard. Please address the information to the IETF at ietf-
ipr@ietf.org. ipr@ietf.org.
12. Full Copyright Notice Full Copyright Notice
Copyright (C) The Internet Society (2005). This document is subject Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 End of changes. 98 change blocks. 
219 lines changed or deleted 333 lines changed or added

This html diff was produced by rfcdiff 1.27, available from http://www.levkowetz.com/ietf/tools/rfcdiff/