draft-ietf-ips-auth-mib-07.txt   draft-ietf-ips-auth-mib-08.txt 
Internet Draft Mark Bakke
<draft-ietf-ips-auth-mib-08.txt> Cisco Systems
Expires August 2006
James Muchow
Qlogic Corp.
February 2006
Definitions of Managed Objects for
IP Storage User Identity Authorization
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that

material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.html.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in TCP/IP based internets.
In particular it defines objects for managing user identities and the
names, addresses, and credentials required to manage access control,
for use with various protocols. This draft was motivated by the need
for the configuration of authorized user identities for the iSCSI
protocol, but has been extended to be useful for other protocols that

7.1. Authorization MIB Object Model..........................5
7.2. ipsAuthInstance.........................................6
7.3. ipsAuthIdentity.........................................7
7.4. ipsAuthIdentityName.....................................7
7.5. ipsAuthIdentityAddress..................................8
7.6. ipsAuthCredential.......................................8
7.7. IP, Fibre Channel, and Other Addresses..................9
7.8. Descriptors: Using OIDs in Place of Enumerated Types....9
7.9. Notifications..........................................10
8. MIB Definitions..........................................11
9. Security Considerations..................................36
10. IANA Considerations.....................................41
10.1. OID Assignment........................................41
11. Normative References....................................41
12. Informative References..................................42
Acknowledgments.........................................42
Authors' Addresses......................................42
IPR Notice..............................................43
Full Copyright Notice...................................43
1. Introduction
This MIB module will be used to configure and/or look at the
configuration of user identities and their credential information.
For the purposes of this MIB module, a "user" identity does not need
to be an actual person; a user can also be a host, an application, a
cluster of hosts, or any other identifiable entity that can be
authorized to access a resource.

Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580].
4. Relationship to Other MIB Modules
The IPS-AUTH-MIB module does not directly address objects within
other modules. The identity address objects contain IPv4, IPv6, or
other address types, and as such may be indirectly related to objects
within the IP [RFC2011bis] MIB module.
This MIB module does not provide actual authorization or access
control lists; it provides a means to identify entities that can be
included in other authorization lists. This should generally be done
in MIB modules that reference identities in this one. It also does
not cover login or authentication failure statistics or
notifications, as these are all fairly application-specific, and are
not generic enough to include here.
The user identity objects within this module are typically referenced

        FROM SNMPv2-CONF
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB -- RFC 3411
    AddressFamilyNumbers
        FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB
    ;
ipsAuthMibModule MODULE-IDENTITY
    LAST-UPDATED "200602240000Z" -- February 24, 2006
    ORGANIZATION "IETF IPS Working Group"
    CONTACT-INFO
        "
        Mark Bakke
        Postal: Cisco Systems, Inc
        7900 International Drive, Suite 400
        Bloomington, MN
        USA 55425
        E-mail: mbakke@cisco.com

        James Muchow
        Postal: Qlogic Corp.
        6321 Bury Dr.
        Eden Prairie, MN
        USA 55346
        E-Mail: james.muchow@qlogic.com"
    DESCRIPTION
        "The IP Storage Authorization MIB module.
        Copyright (C) The Internet Society (2006). This version of
        this MIB module is part of RFC yyyy; see the RFC itself for
        full legal notices."
    -- RFC Ed.: replace yyyy with actual RFC number & remove this note
    REVISION "200602240000Z" -- February 24, 2006
    DESCRIPTION
        "Initial version of the IP Storage Authentication MIB module,
        published as RFC yyyy" -- RFC Ed.: fill in yyyy
    ::= { mib-2 xx } -- xx to be assigned by IANA
ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthMibModule 0 }
ipsAuthObjects OBJECT IDENTIFIER ::= { ipsAuthMibModule 1 }
ipsAuthConformance OBJECT IDENTIFIER ::= { ipsAuthMibModule 2 }
-- Textual Conventions
IpsAuthAddress ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "IP Storage requires the use of address information
        that uses not only the InetAddress type defined in the
        INET-ADDRESS-MIB, but also the Fibre Channel type defined
        in the Fibre Channel Management MIB. Although these
        address types are recognized in the IANA Address Family
        Numbers MIB, the addressing mechanisms have not been
        merged into a well-known, common type. This data type,
        the IpsAuthAddress, performs the merging for this MIB
        module.
        The formats of objects of this type are determined by
        a corresponding object with syntax AddressFamilyNumbers
        and thus, every object defined using this TC must
        identify the object with syntax AddressFamilyNumbers
        which specifies its type.
        The syntax and semantics of this object depend on the
        identified AddressFamilyNumbers object as follows:
        AddressFamilyNumbers    this object
        ====================    ===========
        ipV4(1)                 restricted to the same syntax and
                                semantics as the InetAddressIPv4 TC.
        ipV6(2)                 restricted to the same syntax and
                                semantics as the InetAddressIPv6 TC.
        fibreChannelWWPN(22)
        & fibreChannelWWNN(23)  restricted to the same syntax and
                                semantics as the FcNameIdOrZero TC.
        Types other than the above should not be used unless
        the corresponding format of the IpsAuthAddress object is
        further specified (e.g., in a future revision of this TC)."
    REFERENCE
        "IANA-ADDRESS-FAMILY-NUMBERS-MIB;
        INET-ADDRESS-MIB (RFC 4001);
        FC-MGMT-MIB (RFC 4044)."
    SYNTAX OCTET STRING (SIZE(0..255))
--******************************************************************
ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 }
ipsAuthMethodTypes OBJECT-IDENTITY
    STATUS current
    DESCRIPTION

    ::= { ipsAuthIdentAttributesEntry 2 }
ipsAuthIdentRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP. When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus. The value of
        ipsAuthIdentDescription may be set while
        ipsAuthIdentRowStatus is 'active'."
    ::= { ipsAuthIdentAttributesEntry 3 }
ipsAuthIdentStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent.
        Conceptual rows having the value 'permanent' need not
        allow write access to any columnar objects in the row."
    DEFVAL { nonVolatile }
    ::= { ipsAuthIdentAttributesEntry 4 }
ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 }
-- User Initiator Name Attributes Table
ipsAuthIdentNameAttributesTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpsAuthIdentNameAttributesEntry
    MAX-ACCESS not-accessible

    ::= { ipsAuthIdentNameAttributesEntry 2 }
ipsAuthIdentNameRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP. When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus. The value of
        ipsAuthIdentName may be set when this value is 'active'."
    ::= { ipsAuthIdentNameAttributesEntry 3 }
ipsAuthIdentNameStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent.
        Conceptual rows having the value 'permanent' need not
        allow write access to any columnar objects in the row."
    DEFVAL { nonVolatile }
    ::= { ipsAuthIdentNameAttributesEntry 4 }
ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 }
-- User Initiator Address Attributes Table
ipsAuthIdentAddrAttributesTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpsAuthIdentAddrAttributesEntry
    MAX-ACCESS not-accessible

        an agent unless a reboot has occurred. An agent
        should attempt to keep this value persistent across
        reboots."
    ::= { ipsAuthIdentAddrAttributesEntry 1 }
ipsAuthIdentAddrType OBJECT-TYPE
    SYNTAX AddressFamilyNumbers
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The address type used in the ipsAuthIdentAddrStart
        and ipsAuthIdentAddrEnd objects. This type is taken
        from the IANA address family types."
    ::= { ipsAuthIdentAddrAttributesEntry 2 }
ipsAuthIdentAddrStart OBJECT-TYPE
    SYNTAX IpsAuthAddress
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The starting address of the allowed address range.
        The format of this object is determined by
        ipsAuthIdentAddrType."
    ::= { ipsAuthIdentAddrAttributesEntry 3 }
ipsAuthIdentAddrEnd OBJECT-TYPE
    SYNTAX IpsAuthAddress
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The ending address of the allowed address range.
        If the ipsAuthIdentAddrEntry specifies a single
        address, this shall match the ipsAuthIdentAddrStart.
        The format of this object is determined by
        ipsAuthIdentAddrType."
    ::= { ipsAuthIdentAddrAttributesEntry 4 }
ipsAuthIdentAddrRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP. When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus. The values of
        ipsAuthIdentAddrStart and ipsAuthIdentAddrEnd may be set
        when this value is 'active'. The value of
        ipsAuthIdentAddrType may not be set when this value is
        'active'."
    ::= { ipsAuthIdentAddrAttributesEntry 5 }
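Worked example, added here and not code from the draft or from any iSCSI target implementation: the IpsAuthAddress format rules from the textual convention above and the start/end range semantics of ipsAuthIdentAddrAttributesTable, in Python. The sample rows and addresses are constructed. Two points the draft leaves open are assumptions in this code: a range is ordered by comparing the octets as unsigned big-endian integers, and a zero-length FcNameIdOrZero value names nothing and so matches nothing.

```python
# Added example, not part of the draft: encoding checks for the
# IpsAuthAddress TC and the start/end range test implied by
# ipsAuthIdentAddrAttributesTable.  Assumptions are marked below.
import ipaddress
from dataclasses import dataclass

# AddressFamilyNumbers values the TC description names.
IPV4, IPV6, FC_WWPN, FC_WWNN = 1, 2, 22, 23

# Octet lengths each family may carry: InetAddressIPv4 is 4 octets,
# InetAddressIPv6 16, FcNameIdOrZero either 0 or 8.
_ALLOWED_LENGTHS = {IPV4: {4}, IPV6: {16}, FC_WWPN: {0, 8}, FC_WWNN: {0, 8}}


def validate_ips_auth_address(addr_type: int, octets: bytes) -> bool:
    """True iff `octets` is a well-formed IpsAuthAddress for `addr_type`.
    Families the TC does not specify are rejected outright, as the TC
    says they should not be used until a format is defined for them."""
    return len(octets) in _ALLOWED_LENGTHS.get(addr_type, set())


@dataclass(frozen=True)
class AddrRow:
    """One conceptual row of ipsAuthIdentAddrAttributesTable."""
    addr_type: int   # ipsAuthIdentAddrType
    start: bytes     # ipsAuthIdentAddrStart
    end: bytes       # ipsAuthIdentAddrEnd


def row_is_consistent(row: AddrRow) -> bool:
    """What an agent should verify before the row may become 'active':
    both ends well-formed for the type, same length, and start <= end
    when compared as unsigned big-endian integers (assumption: the
    draft defines a range but not its ordering; numeric order is the
    natural reading for IPv4, IPv6 and 8-octet FC names alike)."""
    if not (validate_ips_auth_address(row.addr_type, row.start)
            and validate_ips_auth_address(row.addr_type, row.end)):
        return False
    if len(row.start) != len(row.end):
        return False
    return int.from_bytes(row.start, "big") <= int.from_bytes(row.end, "big")


def address_matches(row: AddrRow, addr_type: int, octets: bytes) -> bool:
    """True iff a presented address falls inside the row's range.
    The family must match exactly: an IPv4-mapped IPv6 address never
    matches an IPv4 row, and a WWPN never matches a WWNN row.  A zero-
    length FcNameIdOrZero names nothing, so such rows match nothing
    (assumption; the draft does not say how to treat them)."""
    if addr_type != row.addr_type or not row_is_consistent(row):
        return False
    if len(row.start) == 0 or not validate_ips_auth_address(addr_type, octets):
        return False
    value = int.from_bytes(octets, "big")
    return (int.from_bytes(row.start, "big") <= value
            <= int.from_bytes(row.end, "big"))


def authorized(rows, addr_type: int, octets: bytes) -> bool:
    """An identity is allowed from an address if any of its rows match."""
    return any(address_matches(r, addr_type, octets) for r in rows)


def ipv4(text: str) -> bytes:
    """Helper: dotted-quad text to the 4-octet InetAddressIPv4 form."""
    return ipaddress.IPv4Address(text).packed


def ipv6(text: str) -> bytes:
    """Helper: textual IPv6 to the 16-octet InetAddressIPv6 form."""
    return ipaddress.IPv6Address(text).packed


# Constructed sample rows for one identity (not taken from the draft).
SAMPLE_ROWS = [
    AddrRow(IPV4, ipv4("10.0.0.1"), ipv4("10.0.0.255")),        # a range
    AddrRow(IPV4, ipv4("192.168.1.7"), ipv4("192.168.1.7")),    # single host
    AddrRow(FC_WWPN, bytes.fromhex("2100001b3212abcd"),
            bytes.fromhex("2100001b3212abcd")),                 # one WWPN
]
```

The family check is deliberately exact: an IPv4-mapped IPv6 address presented by a dual-stack initiator does not match an ipV4(1) row, so a target reachable over both families needs one row of each type for the identity rather than relying on the agent to translate.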
ipsAuthIdentAddrStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent.
        Conceptual rows having the value 'permanent' need not
        allow write access to any columnar objects in the row."
    DEFVAL { nonVolatile }
    ::= { ipsAuthIdentAddrAttributesEntry 6 }
ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 }
-- Credential Attributes Table
ipsAuthCredentialAttributesTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpsAuthCredentialAttributesEntry
    MAX-ACCESS not-accessible

        particular identity."
    ::= { ipsAuthCredential 1 }
ipsAuthCredentialAttributesEntry OBJECT-TYPE
    SYNTAX IpsAuthCredentialAttributesEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which verifies a user
        identity within an authorization instance.
        To provide complete information in this MIB for a credential,
        the management station must not only create the row in this
        table but must also create a row in another table, where the
        other table is determined by the value of ipsAuthCredAuthMethod,
        e.g., if ipsAuthCredAuthMethod has the value ipsAuthMethodChap,
        a row must be created in the ipsAuthCredChapAttributesTable."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredentialAttributesTable 1 }
IpsAuthCredentialAttributesEntry ::= SEQUENCE {
    ipsAuthCredIndex Unsigned32,
    ipsAuthCredAuthMethod AutonomousType,
    ipsAuthCredRowStatus RowStatus,
    ipsAuthCredStorageType StorageType
}

ipsAuthCredAuthMethod OBJECT-TYPE
    SYNTAX AutonomousType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object contains an OBJECT IDENTIFIER
        which identifies the authentication method
        used with this credential.
        When a row is created in this table, a corresponding
        row must be created by the management station
        in the corresponding table specified by this value.
        When a row is deleted from this table, the corresponding
        row must be automatically deleted by the agent in
        the corresponding table specified by this value.
        If the value of this object is ipsAuthMethodNone, no
        corresponding rows are created in or deleted from other
        tables.
        Some standardized values for this object are defined
        within the ipsAuthMethodTypes subtree."
    ::= { ipsAuthCredentialAttributesEntry 2 }
ipsAuthCredRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP. When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus. The value of
        ipsAuthCredAuthMethod must not be changed while this row
        is 'active'."
    ::= { ipsAuthCredentialAttributesEntry 3 }
ipsAuthCredStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent.
        Conceptual rows having the value 'permanent' need not
        allow write access to any columnar objects in the row."
    DEFVAL { nonVolatile }
    ::= { ipsAuthCredentialAttributesEntry 4 }
ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 7 }
-- Credential Chap-Specific Attributes Table
ipsAuthCredChapAttributesTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpsAuthCredChapAttributesEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A list of CHAP attributes for credentials that
        use ipsAuthMethodChap as their ipsAuthCredAuthMethod.
        A row in this table can only exist when an instance of
        the ipsAuthCredAuthMethod object exists (or is created
        simultaneously) having the same instance identifiers
        and a value of 'ipsAuthMethodChap'."
    ::= { ipsAuthCredChap 1 }
ipsAuthCredChapAttributesEntry OBJECT-TYPE
    SYNTAX IpsAuthCredChapAttributesEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodChap as its ipsAuthCredAuthMethod.
        When a row is created in ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthMethodChap, the
        management station must create a corresponding row
        in this table.
        When a row is deleted from ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthMethodChap, the
        agent must delete the corresponding row (if any) in
        this table."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredChapAttributesTable 1 }
IpsAuthCredChapAttributesEntry ::= SEQUENCE {
    ipsAuthCredChapUserName SnmpAdminString,
    ipsAuthCredChapRowStatus RowStatus,
    ipsAuthCredChapStorageType StorageType
}
ipsAuthCredChapUserName OBJECT-TYPE

    ::= { ipsAuthCredChapAttributesEntry 1 }
ipsAuthCredChapRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP. When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus. The value of
        ipsAuthCredChapUserName may be changed while this row
        is 'active'."
    ::= { ipsAuthCredChapAttributesEntry 2 }
ipsAuthCredChapStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for all read-create objects in this row.
        Rows in this table that were created through an external
        process may have a storage type of readOnly or permanent.
        Conceptual rows having the value 'permanent' need not
        allow write access to any columnar objects in the row."
    DEFVAL { nonVolatile }
    ::= { ipsAuthCredChapAttributesEntry 3 }
ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 8 }
-- Credential Srp-Specific Attributes Table
ipsAuthCredSrpAttributesTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpsAuthCredSrpAttributesEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A list of SRP attributes for credentials that
        use ipsAuthMethodSrp as their ipsAuthCredAuthMethod.
        A row in this table can only exist when an instance of
        the ipsAuthCredAuthMethod object exists (or is created
        simultaneously) having the same instance identifiers
        and a value of 'ipsAuthMethodSrp'."
    ::= { ipsAuthCredSrp 1 }
ipsAuthCredSrpAttributesEntry OBJECT-TYPE
    SYNTAX IpsAuthCredSrpAttributesEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodSrp as its ipsAuthCredAuthMethod.
        When a row is created in ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthMethodSrp, the
        management station must create a corresponding row
        in this table.
        When a row is deleted from ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthMethodSrp, the
        agent must delete the corresponding row (if any) in
        this table."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredSrpAttributesTable 1 }
IpsAuthCredSrpAttributesEntry ::= SEQUENCE {
    ipsAuthCredSrpUserName SnmpAdminString,
    ipsAuthCredSrpRowStatus RowStatus,
    ipsAuthCredSrpStorageType StorageType
}
ipsAuthCredSrpUserName OBJECT-TYPE ipsAuthCredSrpUserName OBJECT-TYPE
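Review bot: the entry DESCRIPTION's "with ipsAuthCredAuthMethod = ipsAuthCredSrp" (both the create and the delete sentence) compares the method object against ipsAuthCredSrp, which is the OBJECT IDENTIFIER { ipsAuthObjects 8 } declared at the top of this hunk, not a method value; the table DESCRIPTION a few lines earlier uses 'ipsAuthMethodSrp'. Suggest "with ipsAuthCredAuthMethod = ipsAuthMethodSrp" in both sentences so the two descriptions name the same value. Minor: "credentials that use ipsAuthMethodSrp as its ipsAuthCredAuthMethod" has a plural subject, so the -07 wording "as their ipsAuthCredAuthMethod" was the correct one.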
skipping to change at page 24, line 40 skipping to change at page 26, line 44
::= { ipsAuthCredSrpAttributesEntry 1 } ::= { ipsAuthCredSrpAttributesEntry 1 }
ipsAuthCredSrpRowStatus OBJECT-TYPE ipsAuthCredSrpRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP. When adding a row to removed from this table via SNMP. When adding a row to
this table, all non-Index/RowStatus objects must be set. this table, all non-Index/RowStatus objects must be set.
Rows may be discarded using RowStatus." Rows may be discarded using RowStatus. The value of
ipsAuthCredSrpUserName may be changed while the status
of this row is 'active'."
::= { ipsAuthCredSrpAttributesEntry 2 } ::= { ipsAuthCredSrpAttributesEntry 2 }
ipsAuthCredSrpStorageType OBJECT-TYPE ipsAuthCredSrpStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for all read-create objects in this row. "The storage type for all read-create objects in this row.
Rows in this table that were created through an external Rows in this table that were created through an external
process may have a storage type of readOnly or permanent." process may have a storage type of readOnly or permanent.
Conceptual rows having the value 'permanent' need not
allow write access to any columnar objects in the row."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { ipsAuthCredSrpAttributesEntry 3 } ::= { ipsAuthCredSrpAttributesEntry 3 }
ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 9 } ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 9 }
-- Credential Kerberos-Specific Attributes Table -- Credential Kerberos-Specific Attributes Table
ipsAuthCredKerbAttributesTable OBJECT-TYPE ipsAuthCredKerbAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredKerbAttributesEntry SYNTAX SEQUENCE OF IpsAuthCredKerbAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
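Review bot: the ipsAuthCredSrpRowStatus DESCRIPTION requires that "all non-Index/RowStatus objects must be set" when adding a row, which includes ipsAuthCredSrpStorageType, yet that object carries DEFVAL { nonVolatile } in the same hunk; a createAndGo that omits StorageType should be able to succeed with the default. Suggest "all non-Index/RowStatus objects that have no DEFVAL must be set", or state explicitly that StorageType may be omitted. The added sentence allowing ipsAuthCredSrpUserName to change while the row is 'active' is a useful addition and is consistent with the in-place update method that Section 9.2 recommends.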
skipping to change at page 25, line 17 skipping to change at page 27, line 24
ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 9 } ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 9 }
-- Credential Kerberos-Specific Attributes Table -- Credential Kerberos-Specific Attributes Table
ipsAuthCredKerbAttributesTable OBJECT-TYPE ipsAuthCredKerbAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredKerbAttributesEntry SYNTAX SEQUENCE OF IpsAuthCredKerbAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A list of Kerberos attributes for credentials that "A list of Kerberos attributes for credentials that
use ipsAuthMethodKerberos as their ipsAuthCredAuthMethod." use ipsAuthMethodKerberos as its ipsAuthCredAuthMethod.
A row in this table can only exist when an instance of
the ipsAuthCredAuthMethod object exists (or is created
simultaneously) having the same instance identifiers
and a value of 'ipsAuthMethodKerb'."
::= { ipsAuthCredKerberos 1 } ::= { ipsAuthCredKerberos 1 }
ipsAuthCredKerbAttributesEntry OBJECT-TYPE ipsAuthCredKerbAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthCredKerbAttributesEntry SYNTAX IpsAuthCredKerbAttributesEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"An entry (row) containing management information "An entry (row) containing management information
applicable to a credential which uses applicable to a credential which uses
ipsAuthMethodKerberos as its ipsAuthCredAuthMethod." ipsAuthMethodKerberos as its ipsAuthCredAuthMethod.
When a row is created in ipsAuthCredentialAttributesTable
with ipsAuthCredAuthMethod = ipsAuthCredKerberos, the
management station must create a corresponding row
in this table.
When a row is deleted from ipsAuthCredentialAttributesTable
with ipsAuthCredAuthMethod = ipsAuthCredKerberos, the
agent must delete the corresponding row (if any) in
this table."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex } INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredKerbAttributesTable 1 } ::= { ipsAuthCredKerbAttributesTable 1 }
IpsAuthCredKerbAttributesEntry ::= SEQUENCE { IpsAuthCredKerbAttributesEntry ::= SEQUENCE {
ipsAuthCredKerbPrincipal SnmpAdminString, ipsAuthCredKerbPrincipal SnmpAdminString,
ipsAuthCredKerbRowStatus RowStatus, ipsAuthCredKerbRowStatus RowStatus,
ipsAuthCredKerbStorageType StorageType ipsAuthCredKerbStorageType StorageType
} }
ipsAuthCredKerbPrincipal OBJECT-TYPE ipsAuthCredKerbPrincipal OBJECT-TYPE
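Review bot: this hunk uses three different names for the Kerberos method value: the table DESCRIPTION says credentials "use ipsAuthMethodKerberos", the next sentence requires "a value of 'ipsAuthMethodKerb'", and the entry DESCRIPTION tests "ipsAuthCredAuthMethod = ipsAuthCredKerberos", where ipsAuthCredKerberos is the OBJECT IDENTIFIER { ipsAuthObjects 9 } rather than a method value. Pick the enumeration label that ipsAuthCredAuthMethod actually defines (the other two descriptions use ipsAuthMethodKerberos) and use it in all three places; the same "as its" / "as their" agreement fix applies here as in the SRP table.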
skipping to change at page 26, line 8 skipping to change at page 28, line 31
::= { ipsAuthCredKerbAttributesEntry 1 } ::= { ipsAuthCredKerbAttributesEntry 1 }
ipsAuthCredKerbRowStatus OBJECT-TYPE ipsAuthCredKerbRowStatus OBJECT-TYPE
SYNTAX RowStatus SYNTAX RowStatus
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"This field allows entries to be dynamically added and "This field allows entries to be dynamically added and
removed from this table via SNMP. When adding a row to removed from this table via SNMP. When adding a row to
this table, all non-Index/RowStatus objects must be set. this table, all non-Index/RowStatus objects must be set.
Rows may be discarded using RowStatus." Rows may be discarded using RowStatus. The value of
ipsAuthCredKerbPrincipal may be changed while this row
is 'active'."
::= { ipsAuthCredKerbAttributesEntry 2 } ::= { ipsAuthCredKerbAttributesEntry 2 }
ipsAuthCredKerbStorageType OBJECT-TYPE ipsAuthCredKerbStorageType OBJECT-TYPE
SYNTAX StorageType SYNTAX StorageType
MAX-ACCESS read-create MAX-ACCESS read-create
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"The storage type for all read-create objects in this row. "The storage type for all read-create objects in this row.
Rows in this table that were created through an external Rows in this table that were created through an external
process may have a storage type of readOnly or permanent." process may have a storage type of readOnly or permanent.
Conceptual rows having the value 'permanent' need not
allow write access to any columnar objects in the row."
DEFVAL { nonVolatile } DEFVAL { nonVolatile }
::= { ipsAuthCredKerbAttributesEntry 3 } ::= { ipsAuthCredKerbAttributesEntry 3 }
--****************************************************************** --******************************************************************
-- Notifications -- Notifications
-- There are no notifications necessary in this MIB module. -- There are no notifications necessary in this MIB module.
--****************************************************************** --******************************************************************
skipping to change at page 33, line 7 skipping to change at page 36, line 7
six enumerated values for the RowStatus textual six enumerated values for the RowStatus textual
convention need be supported, specifically: convention need be supported, specifically:
active(1)." active(1)."
::= { ipsAuthCompliances 1 } ::= { ipsAuthCompliances 1 }
END END
9. Security Considerations 9. Security Considerations
9.1. MIB Security Considerations
There are a number of management objects defined in this MIB module There are a number of management objects defined in this MIB module
with a MAX-ACCESS clause of read-write and/or read-create. Such with a MAX-ACCESS clause of read-write and/or read-create. Such
objects may be considered sensitive or vulnerable in some network objects may be considered sensitive or vulnerable in some network
environments. The support for SET operations in a non-secure environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on environment without proper protection can have a negative effect on
network operations. These are the tables and objects and their network operations. These are the tables and objects and their
sensitivity/vulnerability: sensitivity/vulnerability:
All tables provide the ability to set up which credentials may be o in the ipsAuthInstanceAttributesTable:
used to access services on the managed system, to remove
legitimate credentials (a denial of service), or to remove - ipsAuthInstDescr could be modified to camouflage the existence
individual credentials to weaken the requirements for access of a of a rogue authorization instance;
particular service. Write access must always be tightly
controlled. Note that some types of credentials, such as CHAP or o in the ipsAuthIdentAttributesTable:
SRP, also require passwords or verifiers to be associated with the
credential. These are managed outside this MIB module. - ipsAuthIdentDescription could be modified to camouflage the
existence of a rogue identity;
- ipsAuthIdentRowStatus could be modified to add or delete a rogue
identity;
- ipsAuthIdentStorageType could be modified to make temporary rows
permanent, or permanent rows temporary;
o in the ipsAuthIdentNameAttributesTable:
- ipsAuthIdentName could be modified to change the name of an
existing identity;
- ipsAuthIdentNameRowStatus could be modified to add or delete a
name of an existing identity;
- ipsAuthIdentNameStorageType could be modified to make temporary
rows permanent, or permanent rows temporary;
o in the ipsAuthIdentAddrAttributesTable:
- ipsAuthIdentAddrType could be modified to change the type of
address checking performed;
- ipsAuthIdentAddrStart could be modified to change the start of
the allowed range;
- ipsAuthIdentAddrEnd could be modified to change the end of the
allowed range;
- ipsAuthIdentAddrRowStatus could be modified to add or delete the
checking of an address range;
- ipsAuthIdentAddrStorageType could be modified to make temporary
rows permanent, or permanent rows temporary;
o in the ipsAuthCredentialAttributesTable:
- ipsAuthCredAuthMethod could be modified to change the type of
authentication to be used;
- ipsAuthCredRowStatus could be modified to add or delete checking
of credentials;
- ipsAuthCredStorageType could be modified to make temporary rows
permanent, or permanent rows temporary;
o in the ipsAuthCredChapAttributesTable:
- ipsAuthCredChapUserName could be modified to change the CHAP
user name for a credential;
- ipsAuthCredChapRowStatus could be modified to add or delete CHAP
attributes for credentials;
- ipsAuthCredChapStorageType could be modified to make temporary
rows permanent, or permanent rows temporary;
o in the ipsAuthCredSrpAttributesTable:
- ipsAuthCredSrpUserName could be modified to change the SRP user
name for a credential;
- ipsAuthCredSrpRowStatus could be modified to add or delete SRP
attributes for credentials;
- ipsAuthCredSrpStorageType could be modified to make temporary
rows permanent, or permanent rows temporary;
o in the ipsAuthCredKerbAttributesTable:
- ipsAuthCredKerbPrincipal could be modified to change the
Kerberos principal for a credential;
- ipsAuthCredKerbRowStatus could be modified to add or delete
Kerberos attributes for credentials;
- ipsAuthCredKerbStorageType could be modified to make temporary
rows permanent, or permanent rows temporary;
Note that removal of legitimate credentials can result in either
denial of service or can weaken the requirements for access of a
particular service. Note also that some types of credentials, such
as CHAP or SRP, also require passwords or verifiers to be associated
with the credential. These are managed outside this MIB module.
Some of the readable objects in this MIB module (i.e., objects with a Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over to even encrypt the values of these objects when sending them over
the network via SNMP. These are the tables and objects and their the network via SNMP. These are the tables and objects and their
sensitivity/vulnerability: sensitivity/vulnerability:
All tables provide the ability to find out which names, addresses, o All tables (specifically: ipsAuthInstanceAttributesTable,
and credentials would be required to access services on the ipsAuthIdentAttributesTable, ipsAuthIdentNameAttributesTable,
managed system. If these credentials are easily spoofed ipsAuthIdentAddrAttributesTable, ipsAuthCredentialAttributesTable,
(particularly the name or address), read access to this MIB module ipsAuthCredChapAttributesTable, ipsAuthCredSrpAttributesTable and
must be tightly controlled. ipsAuthCredKerbAttributesTable) provide the ability to find out
which names, addresses, and credentials would be required to
access services on the managed system. If these credentials are
easily spoofed (particularly the name or address), read access to
this MIB module must be tightly controlled. When used with
pointers from another MIB module to rows in the
ipsAuthIdentAttributesTable, this MIB module provides information
about which entities are authorized to connect to which.
SNMP versions prior to SNMPv3 did not include adequate security. SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec), Even if the network itself is secure (for example by using IPsec),
even then, there is no control as to who on the secure network is even then, there is no control as to who on the secure network is
allowed to access and GET/SET (read/change/create/delete) the objects allowed to access and GET/SET (read/change/create/delete) the objects
in this MIB module. in this MIB module.
It is RECOMMENDED that implementors consider the security features as It is RECOMMENDED that implementors consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8), provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for including full support for the SNMPv3 cryptographic mechanisms (for
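Review bot: the write-access list states that "ipsAuthIdentAddrType could be modified to change the type of address checking performed", but the last paragraph of the new Section 9.2 says "modification of IdentAddrType is not allowed for an existing row"; either drop that bullet or reword it to say the exposure is via creating a new row with a different address type. Also, the closing paragraph of the list reads "can result in either denial of service or can weaken the requirements", which should be "can result in either a denial of service or a weakening of the requirements for access to a particular service"; the -07 sentence it replaces had the cleaner form.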
skipping to change at page 34, line 15 skipping to change at page 39, line 15
the objects only to those principals (users) that have legitimate the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them. rights to indeed GET or SET (change/create/delete) them.
In many implementations, the objects in this MIB module can be read In many implementations, the objects in this MIB module can be read
and modified via other mechanisms or protocols in addition to this and modified via other mechanisms or protocols in addition to this
MIB module. For the system to be secure, other mechanisms that can MIB module. For the system to be secure, other mechanisms that can
read and modify the contents of this MIB module must also address the read and modify the contents of this MIB module must also address the
above issues, and handle the threats outlined in [RFC3411], section above issues, and handle the threats outlined in [RFC3411], section
1.4. 1.4.
Given the sensitivity of information contained in this MIB module, it
is strongly recommended that encryption (SNMPv3 with a securityLevel
of authPriv [RFC3411]) be used for all access to objects in this MIB
module.
9.2. Other Security Considerations
An identity consists of a set of names (e.g., an iSCSI Initiator
Name), addresses (e.g., an IP address or Fibre Channel WWN), and
credentials (e.g., a CHAP user name).
To match an identity, one must match:
o One of the IdentNames belonging to the IdentIndex, unless there
are no IdentNames for the IdentIndex, and
o One of the IdentAddrs belonging to the IdentIndex, unless there
are no IdentAddrs for the IdentIndex, and
o One of the IdentCreds belonging to the IdentIndex, unless there
are no Creds for the IdentIndex.
Note that if any of the above lists are empty for a given IdentIndex,
any identifier of that type is considered to match the identity. The
non-empty lists will still be checked. For example, if the IdentAddrs
list is empty for the IndentIndex, but there are entries in
IdentNames and IdentCreds, any address will be considered a match, as
long as the offered name and credential match one of the IdentNames
and IdentCreds respectively.
This leaves a possible security window while adding and removing
entries from one of these lists. For example, an identity could
consist of no IdentNames, no IdentAddrs, and exactly one IdentCred.
If that IdentCred was to be updated, several methods could be used:
o The UserName or Principal could be simply written in the
appropriate table, if the credential's type remained the same
(recommended).
o The new credential could be added, then the old deleted
(recommended).
o The new credential could be added, and the old deleted in the same
SNMP request (recommended, but do the add first).
o The old credential could be deleted, then the new added (Don't
Use!).
Of the above methods, the last leaves a window in which the list is
empty, possibly allowing unconstrained access to the resource making
use of this MIB. This method should never be used for Names, Addrs,
or Creds.
The use of the third method, adding and deleting within the same
request, should be used with care. It is recommended that within the
request, the add be done first. Otherwise, an implementation may
attempt to perform these operations in order, potentially leaving a
window.
The first two methods are recommended.
Care must also be taken when updating the IdentAddrs for an identity.
Each IdentAddr specifies a range of addresses that match the
identity, and has an address type, starting address, and ending
address. Modifying these one at a time can open a temporary window
where a larger range of addresses are allowed. For example, a single
address is specified using IdentAddrType = ipv4, IdentAddrStart =
IdentAddrEnd = 192.0.2.5. We want to update this to specify the
single address 192.0.2.34. If the end address is updated first, we
temporarily allow the range 192.0.2.5 .. 192.0.2.34, which is not
what we want. Similarly, if we change from 192.0.2.34 back to
192.0.2.5, and we update IdentAddrStart first, we end up with the
range again. To handle this, an application must either:
o update both IdentAddrStart and IdentAddrEnd in the same SNMP set
request, or
o add the new IdentAddrStart and IdentAddrEnd with a new
IdentAddrIndex, then delete the old one, using the methods shown
before.
Since the value of IdentAddrType specifies the formats of
IdentAddrStart and IdentAddrEnd, modification of IdentAddrType is not
allowed for an existing row.
10. IANA Considerations 10. IANA Considerations
10.1. OID Assignment 10.1. OID Assignment
IANA is requested to make a MIB OID assignment under the mib-2 IANA is requested to make a MIB OID assignment under the mib-2
branch. branch.
11. Normative References 11. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
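Review bot: the credential-update guidance in 9.2 hedges on varbind order ("recommended, but do the add first" and "an implementation may attempt to perform these operations in order"), while the IdentAddr guidance in the same section recommends "update both IdentAddrStart and IdentAddrEnd in the same SNMP set request" with no ordering caveat; the section should say whether a single SET is assumed to be applied atomically, because if agents may apply varbinds in order the address update has the same window, and if they apply atomically the ordering advice for credentials is unnecessary. Two smaller points in the same text: the matching rules name the credential list "IdentCreds" in one bullet and "Creds" in the next, and "for the IndentIndex" in the example paragraph is a typo for "IdentIndex".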
skipping to change at page 34, line 50 skipping to change at page 41, line 40
for Describing Simple Network Management Protocol (SNMP) for Describing Simple Network Management Protocol (SNMP)
Management Frameworks", RFC 3411, December 2002. Management Frameworks", RFC 3411, December 2002.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network Schoenwaelder, "Textual Conventions for Internet Network
Addresses", RFC 4001, February 2005. Addresses", RFC 4001, February 2005.
[IANA-AF] IANA, "IANA Address Family Numbers MIB", [IANA-AF] IANA, "IANA Address Family Numbers MIB",
http://www.iana.org/assignments/ianaaddressfamilynumbers-mib http://www.iana.org/assignments/ianaaddressfamilynumbers-mib
[RFC2011] McCloghrie, K., "SNMPv2 Management Information Base for the [RFC2011bis]
Internet Protocol using SMIv2", November 1996. Routhier, S., "Management Information Base for the Internet
Protocol (IP)", draft-ietf-ipv6-rfc2011-update-10.txt, May
[RFC2465] Haskin, D., and S. Onishi, "Management Information Base for 2004.
IP Version 6: Textual Conventions and General Group",
December 1998.
[RFC1994] Simpson, W., "PPP Challenge Handshake Authentication [RFC1994] Simpson, W., "PPP Challenge Handshake Authentication
Protocol (CHAP)", August 1996. Protocol (CHAP)", August 1996.
[RFC1510] Kohl, J., and C. Neuman, "The Kerberos Network [RFC1510] Kohl, J., and C. Neuman, "The Kerberos Network
Authentication Service (V5)", September 1993. Authentication Service (V5)", September 1993.
[RFC2945] Wu, T., "The SRP Authentication and Key Exchange System", [RFC2945] Wu, T., "The SRP Authentication and Key Exchange System",
September 2000. September 2000.
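Review bot: the new [RFC2011bis] entry is a Normative Reference to an Internet-Draft, draft-ietf-ipv6-rfc2011-update-10.txt dated May 2004; a normative reference to a draft holds this document until that draft is published, and the cited version is nearly two years older than this February 2006 revision, so confirm it is still the current version (or the published RFC) before the document goes to the RFC Editor. The entry also lacks the trailing period and consistent author formatting used by the other references.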
skipping to change at page 36, line 49 skipping to change at page 43, line 38
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf- this standard. Please address the information to the IETF at ietf-
ipr@ietf.org. ipr@ietf.org.
Full Copyright Notice Full Copyright Notice
Copyright (C) The Internet Society (2005). This document is subject Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 End of changes. 45 change blocks. 
70 lines changed or deleted 368 lines changed or added

This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/