draft-ietf-ips-auth-mib-08.txt   rfc4545.txt 
Network Working Group                                           M. Bakke
Request for Comments: 4545                                 Cisco Systems
Category: Standards Track                                      J. Muchow
                                                            Qlogic Corp.
                                                                May 2006

                   Definitions of Managed Objects for
                 IP Storage User Identity Authorization

Status of This Memo
   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).
Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in TCP/IP-based internets.
   In particular, it defines objects for managing user identities and
   the names, addresses, and credentials required to manage access
   control, for use with various protocols.  This document was motivated
   by the need for the configuration of authorized user identities for
   the iSCSI protocol, but has been extended to be useful for other
   protocols that have similar requirements.  It is important to note
   that this MIB module provides only the set of identities to be used
   within access lists; it is the responsibility of other MIB modules
   making use of this one to tie them to their own access lists or other
   authorization control methods.
Table of Contents

   1. Introduction ....................................................3
   2. Specification of Requirements ...................................3
   3. The Internet-Standard Management Framework ......................3
   4. Relationship to Other MIB Modules ...............................3
   5. Relationship to the USM MIB Module ..............................4
   6. Relationship to SNMP Contexts ...................................5
   7. Discussion ......................................................5
      7.1. Authorization MIB Object Model .............................5
      7.2. ipsAuthInstance ............................................6
      7.3. ipsAuthIdentity ............................................7
      7.4. ipsAuthIdentityName ........................................7
      7.5. ipsAuthIdentityAddress .....................................8
      7.6. ipsAuthCredential ..........................................8
      7.7. IP, Fibre Channel, and Other Addresses .....................9
      7.8. Descriptors: Using OIDs in Place of Enumerated Types ......10
      7.9. Notifications .............................................10
   8. MIB Definitions ................................................11
   9. Security Considerations ........................................35
      9.1. MIB Security Considerations ...............................35
      9.2. Other Security Considerations .............................38
   10. IANA Considerations ...........................................40
   11. Normative References ..........................................40
   12. Informative References ........................................41
   13. Acknowledgements ..............................................41
1.  Introduction

   This MIB module will be used to configure and/or look at the
   configuration of user identities and their credential information.
   For the purposes of this MIB module, a "user" identity does not need
   to be an actual person; a user can also be a host, an application, a
   cluster of hosts, or any other identifiable entity that can be
   authorized to access a resource.

skipping to change at page 3, line 45

   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].
4.  Relationship to Other MIB Modules

   The IPS-AUTH-MIB module does not directly address objects within
   other modules.  The identity address objects contain IPv4, IPv6, or
   other address types, and as such they may be indirectly related to
   objects within the IP [RFC4293] MIB module.

   This MIB module does not provide actual authorization or access
   control lists; it provides a means to identify entities that can be
   included in other authorization lists.  This should generally be done
   in MIB modules that reference identities in this one.  It also does
   not cover login or authentication failure statistics or
   notifications, as these are all fairly application specific and are
   not generic enough to be included here.

   The user identity objects within this module are typically referenced
   from other modules by a RowPointer within that module.  A module
   containing resources for which it requires a list of authorized user
   identities may create such a list, with a single RowPointer within
   each list element pointing to a user identity within this module.
   This is neither required nor restricted by this MIB module.
5.  Relationship to the USM MIB Module

   The User-based Security Model (USM) [RFC3414] also defines the
   concept of a user, defining authentication and privacy protocols and
   their credentials.  The definition of USM includes the SNMP-USER-
   BASED-SM-MIB module, which allows configuration of SNMPv3 user
   credentials to protect SNMPv3 messages.  Although USM's users are not
   related to the user identities managed by the IPS-AUTH-MIB module
   defined in this document, USM will often be implemented on the same
   system as the IPS-AUTH-MIB module, with the SNMP-USER-BASED-SM-MIB
   module used to manage the security protecting SNMPv3 messages,
   including those that access the IPS-AUTH-MIB module.

   The term "user" in this document is distinct from an SNMPv3 user and
   is intended to include, but is not limited to, users of IP storage
   devices.  A "user" in this document is a collection of user names
   (unique identifiers), user addresses, and credentials that can be
   used together to determine whether an entity should be allowed access
   to a resource.  Each user can have multiple names, addresses, and
   credentials.  As a result, this MIB module is particularly suited to
   managing users of storage resources, which are typically given access
   control lists consisting of potentially multiple identifiers,
   addresses, and credentials.  This MIB module provides for
   authorization lists only and does not include setting of data privacy
   parameters.

   In contrast, an SNMPv3 user as defined in [RFC3414] has exactly one
   user-name, one authentication protocol, and one privacy protocol,
   along with their associated information and SNMP-specific
   information, such as an engine ID.  These objects are defined to
   support exactly the information needed for SNMPv3 security.

   For the remainder of this document, the term "user" means an IPS-
   AUTH-MIB user identity.
6. Relationship to SNMP Contexts 6. Relationship to SNMP Contexts
Each non-scalar object in the IPS-AUTH-MIB module is indexed first by Each non-scalar object in the IPS-AUTH-MIB module is indexed first by
an Instance. Each instance is a collection of identities that can be an instance. Each instance is a collection of identities that can be
used to authorize access to a resource. The use of an instance works used to authorize access to a resource. The use of an instance works
well with partitionable or hierarchical devices and fits in logically well with partitionable or hierarchical devices and fits in logically
with other management schemes. Instances do not replace SNMP with other management schemes. Instances do not replace SNMP
contexts, however they do provide a very simple way to assign a contexts; however, they do provide a very simple way to assign a
collection of identities within a device to one or more SNMP collection of identities within a device to one or more SNMP
contexts, without having to do so for each identity's row. contexts, without having to do so for each identity's row.
7. Discussion 7. Discussion
This MIB module structure is intended to allow the configuration of a This MIB module structure is intended to allow the configuration of a
list of user identities, each with a list of names, addresses, list of user identities, each with a list of names, addresses,
credentials, and certificates which when combined will distinguish credentials, and certificates that, when combined, will distinguish
that identity. that identity.
The IPS-AUTH-MIB module is structured around two primary "objects", The IPS-AUTH-MIB module is structured around two primary "objects",
the authorization instance, and the identity, which serve as the authorization instance and the identity, which serve as
containers for the remainder of the objects. This section contains a containers for the remainder of the objects. This section contains a
brief description of the "object" hierarchy and a description of each brief description of the "object" hierarchy and a description of each
object, followed by a discussion of the actual SNMP table structure object, followed by a discussion of the actual SNMP table structure
within the objects. within the objects.
7.1. Authorization MIB Object Model 7.1. Authorization MIB Object Model
The top-level object in this structure is the authorization instance, The top-level object in this structure is the authorization instance,
which "contains" all of the other objects. The indexing hierarchy of which "contains" all of the other objects. The indexing hierarchy of
this module looks like: this module looks like:
skipping to change at page 6, line 11

               -- the identity is allowed to reside.
           ipsAuthCredential
               -- A single credential, such as a CHAP username,
               -- which can be used to verify the identity.
               ipsAuthCredChap
                   -- CHAP-specific attributes for an ipsAuthCredential
               ipsAuthCredSrp
                   -- SRP-specific attributes
               ipsAuthCredKerberos
                   -- Kerberos-specific attributes

   Each identity contains the information necessary to identify a
   particular end-point that wishes to access a service, such as iSCSI.
   An identity can contain multiple names, addresses, and credentials.
   Each of these names, addresses, and credentials exists in its own
   row.  If multiple rows of one of these three types are present, they
   are treated in an "OR" fashion; an entity to be authorized need only
   match one of the rows.  If rows of different types are present (e.g.,
   a name and an address), these are treated in an "AND" fashion; an
   entity to be authorized must match at least one row from each
   category.  If there are no rows present of a category, this category
   is ignored.

   For example, if an ipsAuthIdentity contains two rows of
   ipsAuthIdentityAddress, one row of ipsAuthCredential, and no rows of
   ipsAuthIdentityName, an entity must match the Credential row and at
   least one of the two Address rows to match the identity.
skipping to change at page 6, line 47

   The ipsAuthInstanceAttributesTable is the primary table of the IPS-
   AUTH-MIB module.  Every other table entry in this module includes the
   index of an ipsAuthInstanceAttributesEntry as its primary index.  An
   authorization instance is basically a managed set of identities.

   Many implementations will include just one authorization instance row
   in this table.  However, there will be cases where multiple rows in
   this table may be used:

   -  A large system may be "partitioned" into multiple, distinct
      virtual systems, perhaps sharing the SNMP agent but not their
      lists of identities.  Each virtual system would have its own
      authorization instance.

   -  A set of stackable systems, each with its own set of identities,
      may be represented by a common SNMP agent.  Each individual
      system would have its own authorization instance.

   -  Multiple protocols, each with its own set of identities, may
      exist within a single system and be represented by a single SNMP
      agent.  In this case, each protocol may have its own
      authorization instance.

   An entry in this table is often referenced by its name
   (ipsAuthInstDescr), which should be displayed to the user by the
   management station.  When an implementation supports only one entry
   in this table, the description may be returned as a zero-length
   string.
7.3.  ipsAuthIdentity

   The ipsAuthIdentAttributesTable contains one entry for each
   configured user identity.  The identity contains only a description
   of what the identity is used for; its attributes are all contained in
   other tables, since they can each have multiple values.

   Other MIB modules containing lists of users authorized to access a
   particular resource should generally contain a RowPointer to the
   ipsAuthIdentAttributesEntry that will, if authenticated, be allowed
   access to the resource.

   All other table entries make use of the indices to this table as
   their primary indices.

7.4.  ipsAuthIdentityName

   The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names,
   each of which belongs to, and may be used to identify, a particular
   identity in the authIdentity table.

   Implementations making use of the IPS-AUTH-MIB module may identify
   their resources by names, addresses, or both.  A name is typically a
   unique (within the required scope), unchanging identifier for a
   resource.  It will normally meet some or all of the requirements for
   a Uniform Resource Name [RFC1737], although a name in the context of
   this MIB module does not need to be a URN.  Identifiers that
   typically change over time should generally be placed into the
   ipsAuthIdentityAddress table; names that have no uniqueness
   properties should usually be placed into the description attribute
   for the identity.

   An example of an identity name is the iSCSI Name, defined in
   [RFC3720].  Any other MIB module defining names to be used as
   ipsAuthIdentityName objects should specify how its names are unique,
   and the domain within which they are unique.
skipping to change at page 8, line 35

   address is desired in the list, both starting and ending addresses
   must be identical.

   Each entry contains an AddrType attribute.  This attribute contains
   an enumeration registered as an IANA Address Family type [IANA-AF].
   Although many implementations will use IPv4 or IPv6 address types for
   these entries, any IANA-registered type may be used, as long as it
   makes sense to the application.

   Matching any address within any range within the list associated with
   a particular identity is considered a valid match.  If no entries are
   present in this list for a given identity, its address is
   automatically assumed to match the identity.

   Netmasks are not supported, since an address range can express the
   same thing with more flexibility.  An application specifying
   addresses using network masks may do so, and convert to and from
   address ranges when reading or writing this MIB module.
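   The following Python is an added example, not text or code from RFC
   4545 or from any agent implementing it.  It serves two passages: the
   matching rule of Section 7.1 (rows of one category are ORed,
   categories are ANDed, a category with no rows is ignored) and the
   netmask-to-range conversion that Section 7.5 leaves to the
   application.  The row layouts are simplified stand-ins for the MIB
   tables, the CHAP method OID is an opaque placeholder rather than the
   registered ipsAuthMethodTypes value, and every identity and peer is
   constructed sample data.

```python
"""Reference evaluator for IPS-AUTH-MIB identity matching (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# IANA Address Family Numbers for IPv4 and IPv6, the AddrType values most
# implementations will use (Section 7.5).
AFN_IPV4 = 1
AFN_IPV6 = 2


@dataclass(frozen=True)
class AddrRange:
    """One address row: family number plus inclusive start/end octets."""
    afn: int
    start: bytes
    end: bytes


def _afn(ip_or_net) -> int:
    return AFN_IPV4 if ip_or_net.version == 4 else AFN_IPV6


def cidr_to_range(cidr: str) -> AddrRange:
    """Express a netmask as the start/end range the MIB requires."""
    net = ipaddress.ip_network(cidr, strict=False)
    return AddrRange(_afn(net), net.network_address.packed,
                     net.broadcast_address.packed)


def single_address(addr: str) -> AddrRange:
    """A single address is a range whose start and end are identical."""
    ip = ipaddress.ip_address(addr)
    return AddrRange(_afn(ip), ip.packed, ip.packed)


def range_to_cidrs(r: AddrRange) -> List[str]:
    """Inverse conversion for an application that stores netmasks."""
    first, last = ipaddress.ip_address(r.start), ipaddress.ip_address(r.end)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


# (AuthMethod OID, user name or principal as stored in the method table)
Credential = Tuple[str, str]


@dataclass
class Identity:
    """One identity with its dependent name/address/credential rows."""
    descr: str
    names: List[str] = field(default_factory=list)
    addresses: List[AddrRange] = field(default_factory=list)
    credentials: List[Credential] = field(default_factory=list)


@dataclass(frozen=True)
class Peer:
    """What the protocol learned about the entity requesting access."""
    name: Optional[str] = None
    address: Optional[str] = None
    credential: Optional[Credential] = None


def address_in_rows(addr: str, rows: List[AddrRange]) -> bool:
    ip = ipaddress.ip_address(addr)
    packed = ip.packed
    # Packed addresses of one family have equal length, so byte-wise
    # comparison equals numeric comparison; the family check keeps an
    # IPv4 peer from being compared against IPv6 octets.
    return any(r.afn == _afn(ip) and r.start <= packed <= r.end for r in rows)


def matches(peer: Peer, ident: Identity) -> bool:
    """Section 7.1: OR within a category, AND across categories,
    categories without rows ignored."""
    checks = []
    if ident.names:
        checks.append(peer.name in ident.names)
    if ident.addresses:
        checks.append(peer.address is not None
                      and address_in_rows(peer.address, ident.addresses))
    if ident.credentials:
        # The MIB holds only the user name / principal; the secret itself
        # is verified by CHAP, SRP or Kerberos in the protocol exchange.
        checks.append(peer.credential in ident.credentials)
    # all([]) is True: an identity with no rows at all matches everyone,
    # so an empty identity referenced from an access list is wide open.
    return all(checks)


# Placeholder for the CHAP object identity (not the registered OID).
OID_CHAP = "chap-method-oid-placeholder"


def sample_identity() -> Identity:
    """The Section 7.1 example: two address rows, one credential, no names."""
    return Identity(
        descr="host-a initiator",
        addresses=[cidr_to_range("192.0.2.0/24"), single_address("2001:db8::10")],
        credentials=[(OID_CHAP, "hosta")],
    )


if __name__ == "__main__":
    ident = sample_identity()
    for rng in ident.addresses:
        print(rng.afn, range_to_cidrs(rng))
    print(matches(Peer(address="192.0.2.17", credential=(OID_CHAP, "hosta")), ident))
    print(matches(Peer(address="198.51.100.1", credential=(OID_CHAP, "hosta")), ident))
```

   Note that an identity whose three tables are all empty authorizes
   any peer under this rule, which is the behaviour the text specifies;
   a management station should treat such an identity referenced from
   an access list as a finding rather than a harmless placeholder.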
7.6.  ipsAuthCredential

   The ipsAuthCredentialAttributesTable contains a list of credentials,
   each of which may be used to verify a particular identity.

   Each credential contains an authentication method to be used, such as
   CHAP [RFC1994], SRP [RFC2945], or Kerberos [RFC4120].  This attribute
   contains an object identifier instead of an enumerated type, allowing
   other MIB modules to add their own authentication methods, without
   modifying this MIB module.

   For each entry in this table, there will exist an entry in another
   table containing its attributes.  The table in which to place the
   entry depends on the AuthMethod attribute:

   CHAP      If the AuthMethod is set to the CHAP OID, an entry using the
             same indices as the ipsAuthCredential will exist in the

skipping to change at page 9, line 34

             the same indices as the ipsAuthCredential will exist in the
             ipsAuthCredKerberos table, which contains the Kerberos
             principal.

   Other     If the AuthMethod is set to any OID not defined in this
             module, an entry using the same indices as the
             ipsAuthCredential entry should be placed in the other module
             that defines whatever attributes are needed for that type of
             credential.
An additional credential type can be added to this MIB module by
defining a new OID in the ipsAuthMethodTypes subtree, and defining a
new table specific to that credential type.
7.7.  IP, Fibre Channel, and Other Addresses

   The IP addresses in this MIB module are represented by two
   attributes, one of type AddressFamilyNumbers, and the other of type
   AuthAddress.  Each address can take on any of the types within the
   list of address family numbers; the most likely being IPv4, IPv6, or
   one of the Fibre Channel address types.

   The type AuthAddress is an octet string.  If the address family is
   IPv4 or IPv6, the format is taken from the InetAddress specified in

skipping to change at page 10, line 14

7.8.  Descriptors: Using OIDs in Place of Enumerated Types

   Some attributes, particularly the authentication method attribute,
   would normally require an enumerated type.  However, implementations
   will likely need to add new authentication method types of their own,
   without extending this MIB module.  To make this work, this module
   defines a set of object identities within ipsAuthDescriptors.  Each
   of these object identities is basically an enumerated type.

   Attributes that make use of these object identities have a value that
   is an OID instead of an enumerated type.  These OIDs can either
   indicate the object identities defined in this module, or object
   identities defined elsewhere, such as in an enterprise MIB module.
   Those implementations that add their own authentication methods
   should also define a corresponding object identity for each of these
   methods within their own enterprise MIB module, and return its OID
   whenever one of these attributes is using that method.

7.9.  Notifications

   Monitoring of authentication failures and other notification events
   are outside the scope of this MIB module, as they are generally
   application specific.  No notifications are provided or required.
8. MIB Definitions

IPS-AUTH-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32,
    mib-2
        FROM SNMPv2-SMI
[...]
        FROM SNMPv2-CONF
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB                -- RFC 3411
    AddressFamilyNumbers
        FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB
    ;

ipsAuthMibModule MODULE-IDENTITY
    LAST-UPDATED "200605220000Z" -- May 22, 2006
    ORGANIZATION "IETF IPS Working Group"
    CONTACT-INFO
        "
        Mark Bakke
        Postal: Cisco Systems, Inc
                7900 International Drive, Suite 400
                Bloomington, MN
                USA 55425

        E-mail: mbakke@cisco.com
[...]
        Postal: Qlogic Corp.
                6321 Bury Dr.
                Eden Prairie, MN
                USA 55346

        E-Mail: james.muchow@qlogic.com"

    DESCRIPTION
        "The IP Storage Authorization MIB module.

        Copyright (C) The Internet Society (2006). This version of
        this MIB module is part of RFC 4545; see the RFC itself for
        full legal notices."

    REVISION "200605220000Z" -- May 22, 2006
    DESCRIPTION
        "Initial version of the IP Storage Authentication MIB module,
        published as RFC 4545"
    ::= { mib-2 141 }

ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthMibModule 0 }
ipsAuthObjects       OBJECT IDENTIFIER ::= { ipsAuthMibModule 1 }
ipsAuthConformance   OBJECT IDENTIFIER ::= { ipsAuthMibModule 2 }

-- Textual Conventions

IpsAuthAddress ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
[...]
        that uses not only the InetAddress type defined in the
        INET-ADDRESS-MIB, but also Fibre Channel type defined
        in the Fibre Channel Management MIB. Although these
        address types are recognized in the IANA Address Family
        Numbers MIB, the addressing mechanisms have not been
        merged into a well-known, common type. This data type,
        the IpsAuthAddress, performs the merging for this MIB
        module.

        The formats of objects of this type are determined by
        a corresponding object with syntax AddressFamilyNumbers,
        and thus every object defined using this TC must
        identify the object with syntax AddressFamilyNumbers
        that specifies its type.

        The syntax and semantics of this object depend on the
        identified AddressFamilyNumbers object as follows:

        AddressFamilyNumbers    this object
        ====================    ===========
        ipV4(1)                 restricted to the same syntax and
                                semantics as the InetAddressIPv4 TC.
        ipV6(2)                 restricted to the same syntax and
                                semantics as the InetAddressIPv6 TC.
        fibreChannelWWPN (22)
        & fibreChannelWWNN(23)  restricted to the same syntax and
                                semantics as the FcNameIdOrZero TC.

        Types other than the above should not be used unless
        the corresponding format of the IpsAuthAddress object is
        further specified (e.g., in a future revision of this TC)."
    REFERENCE
        "IANA-ADDRESS-FAMILY-NUMBERS-MIB;
        INET-ADDRESS-MIB (RFC 4001);
        FC-MGMT-MIB (RFC 4044)."
    SYNTAX OCTET STRING (SIZE(0..255))

--******************************************************************
[...]
        "A list of unique names that can be used to positively
        identify a particular user identity."
    ::= { ipsAuthIdentityName 1 }

ipsAuthIdentNameAttributesEntry OBJECT-TYPE
    SYNTAX     IpsAuthIdentNameAttributesEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a unique identity name, which can be used
        to identify a user identity within a particular
        authorization instance."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
            ipsAuthIdentNameIndex }
    ::= { ipsAuthIdentNameAttributesTable 1 }

IpsAuthIdentNameAttributesEntry ::= SEQUENCE {
    ipsAuthIdentNameIndex       Unsigned32,
    ipsAuthIdentName            SnmpAdminString,
    ipsAuthIdentNameRowStatus   RowStatus,
    ipsAuthIdentNameStorageType StorageType
}

ipsAuthIdentNameIndex OBJECT-TYPE
    SYNTAX     Unsigned32 (1..4294967295)
    MAX-ACCESS not-accessible
[...]
        an agent unless a reboot has occurred. An agent
        should attempt to keep this value persistent across
        reboots."
    ::= { ipsAuthIdentNameAttributesEntry 1 }

ipsAuthIdentName OBJECT-TYPE
    SYNTAX     SnmpAdminString
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "A character string that is the unique name of an
        identity that may be used to identify this ipsAuthIdent
        entry."
    ::= { ipsAuthIdentNameAttributesEntry 2 }

ipsAuthIdentNameRowStatus OBJECT-TYPE
    SYNTAX     RowStatus
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This field allows entries to be dynamically added and
[...]
        which can specify whether the address is IPv4, IPv6,
        FC-WWPN, or FC-WWNN."
    ::= { ipsAuthIdentityAddress 1 }

ipsAuthIdentAddrAttributesEntry OBJECT-TYPE
    SYNTAX     IpsAuthIdentAddrAttributesEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to an address range that is used as part
        of the authorization of an identity
        within an authorization instance on this node."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
            ipsAuthIdentAddrIndex }
    ::= { ipsAuthIdentAddrAttributesTable 1 }

IpsAuthIdentAddrAttributesEntry ::= SEQUENCE {
    ipsAuthIdentAddrIndex       Unsigned32,
    ipsAuthIdentAddrType        AddressFamilyNumbers,
    ipsAuthIdentAddrStart       IpsAuthAddress,
[...]
ipsAuthIdentAddrRowStatus OBJECT-TYPE
    SYNTAX     RowStatus
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP. When adding a row to
        this table, all non-Index/RowStatus objects must be set.
        Rows may be discarded using RowStatus. The values of
        ipsAuthIdentAddrStart and ipsAuthIdentAddrEnd may be set
        when this value is 'active'. The value of
        ipsAuthIdentAddrType may not be set when this value is
        'active'."
    ::= { ipsAuthIdentAddrAttributesEntry 5 }

ipsAuthIdentAddrStorageType OBJECT-TYPE
    SYNTAX     StorageType
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
[...]
        that are allowed as valid authenticators of the
        particular identity."
    ::= { ipsAuthCredential 1 }

ipsAuthCredentialAttributesEntry OBJECT-TYPE
    SYNTAX     IpsAuthCredentialAttributesEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential that verifies a user
        identity within an authorization instance.

        To provide complete information in this MIB for a credential,
        the management station must not only create the row in this
        table but must also create a row in another table, where the
        other table is determined by the value of
        ipsAuthCredAuthMethod, e.g., if ipsAuthCredAuthMethod has the
        value ipsAuthMethodChap, a row must be created in the
        ipsAuthCredChapAttributesTable."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredentialAttributesTable 1 }

IpsAuthCredentialAttributesEntry ::= SEQUENCE {
    ipsAuthCredIndex            Unsigned32,
    ipsAuthCredAuthMethod       AutonomousType,
    ipsAuthCredRowStatus        RowStatus,
    ipsAuthCredStorageType      StorageType
}
[...]
        should attempt to keep this value persistent across
        reboots."
    ::= { ipsAuthCredentialAttributesEntry 1 }

ipsAuthCredAuthMethod OBJECT-TYPE
    SYNTAX     AutonomousType
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This object contains an OBJECT IDENTIFIER
        that identifies the authentication method
        used with this credential.

        When a row is created in this table, a corresponding
        row must be created by the management station
        in a corresponding table specified by this value.

        When a row is deleted from this table, the corresponding
        row must be automatically deleted by the agent in
        the corresponding table specified by this value.
[...]
ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 7 }

-- Credential Chap-Specific Attributes Table

ipsAuthCredChapAttributesTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF IpsAuthCredChapAttributesEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "A list of CHAP attributes for credentials that
        use ipsAuthMethodChap as their ipsAuthCredAuthMethod.

        A row in this table can only exist when an instance of
        the ipsAuthCredAuthMethod object exists (or is created
        simultaneously) having the same instance identifiers
        and a value of 'ipsAuthMethodChap'."
    ::= { ipsAuthCredChap 1 }

ipsAuthCredChapAttributesEntry OBJECT-TYPE
    SYNTAX     IpsAuthCredChapAttributesEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential that uses
        ipsAuthMethodChap as its ipsAuthCredAuthMethod.

        When a row is created in ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthCredChap, the
        management station must create a corresponding row
        in this table.

        When a row is deleted from ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthCredChap, the
        agent must delete the corresponding row (if any) in
        this table."
[...]
        simultaneously) having the same instance identifiers
        and a value of 'ipsAuthMethodSrp'."
    ::= { ipsAuthCredSrp 1 }

ipsAuthCredSrpAttributesEntry OBJECT-TYPE
    SYNTAX     IpsAuthCredSrpAttributesEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential that uses
        ipsAuthMethodSrp as its ipsAuthCredAuthMethod.

        When a row is created in ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthCredSrp, the
        management station must create a corresponding row
        in this table.

        When a row is deleted from ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthCredSrp, the
        agent must delete the corresponding row (if any) in
        this table."
[...]
ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 9 }

-- Credential Kerberos-Specific Attributes Table

ipsAuthCredKerbAttributesTable OBJECT-TYPE
    SYNTAX     SEQUENCE OF IpsAuthCredKerbAttributesEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "A list of Kerberos attributes for credentials that
        use ipsAuthMethodKerberos as their ipsAuthCredAuthMethod.

        A row in this table can only exist when an instance of
        the ipsAuthCredAuthMethod object exists (or is created
        simultaneously) having the same instance identifiers
        and a value of 'ipsAuthMethodKerb'."
    ::= { ipsAuthCredKerberos 1 }

ipsAuthCredKerbAttributesEntry OBJECT-TYPE
    SYNTAX     IpsAuthCredKerbAttributesEntry
    MAX-ACCESS not-accessible
    STATUS     current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential that uses
        ipsAuthMethodKerberos as its ipsAuthCredAuthMethod.

        When a row is created in ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthCredKerberos, the
        management station must create a corresponding row
        in this table.

        When a row is deleted from ipsAuthCredentialAttributesTable
        with ipsAuthCredAuthMethod = ipsAuthCredKerberos, the
        agent must delete the corresponding row (if any) in
[...]
}

ipsAuthCredKerbPrincipal OBJECT-TYPE
    SYNTAX     SnmpAdminString
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "A character string containing a Kerberos principal
        for this credential."
    REFERENCE
        "C. Neuman, S. Hartman, and K. Raeburn, RFC 4120:
        The Kerberos Network Authentication Service (V5),
        July 2005"
    ::= { ipsAuthCredKerbAttributesEntry 1 }

ipsAuthCredKerbRowStatus OBJECT-TYPE
    SYNTAX     RowStatus
    MAX-ACCESS read-create
    STATUS     current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP. When adding a row to
        this table, all non-Index/RowStatus objects must be set.
[...]
    OBJECT ipsAuthCredKerbPrincipal
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredKerbRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the six
        enumerated values for the RowStatus textual convention need
        be supported, specifically: active(1)."

    ::= { ipsAuthCompliances 1 }

END
9. Security Considerations

9.1. MIB Security Considerations

There are a number of management objects defined in this MIB module
[...]
- ipsAuthCredKerbPrincipal could be modified to change the
  Kerberos principal for a credential;
- ipsAuthCredKerbRowStatus could be modified to add or delete
  Kerberos attributes for credentials;
- ipsAuthCredKerbStorageType could be modified to make temporary
  rows permanent, or permanent rows temporary;

Note that removal of legitimate credentials can result in either
denial of service or weakening the requirements for access of a
particular service. Note also that some types of credentials, such
as CHAP or SRP, also require passwords or verifiers to be associated
with the credential. These are managed outside this MIB module.

Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over
the network via SNMP. These are the tables and objects and their
sensitivity/vulnerability:

o All tables (specifically: ipsAuthInstanceAttributesTable,
  ipsAuthIdentAttributesTable, ipsAuthIdentNameAttributesTable,
  ipsAuthIdentAddrAttributesTable, ipsAuthCredentialAttributesTable,
  ipsAuthCredChapAttributesTable, ipsAuthCredSrpAttributesTable, and
  ipsAuthCredKerbAttributesTable) provide the ability to find out
  which names, addresses, and credentials would be required to
  access services on the managed system. If these credentials are
  easily spoofed (particularly the name or address), read access to
  this MIB module must be tightly controlled. When used with
  pointers from another MIB module to rows in the
  ipsAuthIdentAttributesTable, this MIB module provides information
  about which entities are authorized to connect to which entities.

SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example, by using IPsec),
there is no control as to who on the secure network is allowed to
access and GET/SET (read/change/create/delete) the objects in this
MIB module.

It is RECOMMENDED that implementors consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
[...]
1.4.

Given the sensitivity of information contained in this MIB module, it
is strongly recommended that encryption (SNMPv3 with a securityLevel
of authPriv [RFC3411]) be used for all access to objects in this MIB
module.
9.2. Other Security Considerations

An identity consists of a set of names (e.g., an iSCSI Initiator
Name), addresses (e.g., an IP address or Fibre Channel World Wide
Name (WWN)), and credentials (e.g., a CHAP user name).

To match an identity, one must match:

o One of the IdentNames belonging to the IdentIndex, unless there
  are no IdentNames for the IdentIndex, and
o One of the IdentAddrs belonging to the IdentIndex, unless there
  are no IdentAddrs for the IdentIndex, and
o One of the IdentCreds belonging to the IdentIndex, unless there
  are no Creds for the IdentIndex.

Note that if any of the above lists are empty for a given IdentIndex,
any identifier of that type is considered to match the identity. The
non-empty lists will still be checked. For example, if the
IdentAddrs list is empty for the IdentIndex, but there are entries
in IdentNames and IdentCreds, any address will be considered a match,
as long as the offered name and credential match one of the
IdentNames and IdentCreds, respectively.

This leaves a possible security window while adding and removing
entries from one of these lists. For example, an identity could
consist of no IdentNames, no IdentAddrs, and exactly one IdentCred.
If that IdentCred was to be updated, several methods could be used:

o The UserName or Principal could be simply written in the
  appropriate table, if the credential's type remained the same
  (recommended).
o The new credential could be added, then the old deleted
  (recommended).
o The new credential could be added, and the old deleted in the same
  SNMP request (recommended, but do the add first).
o The old credential could be deleted, then the new added (Don't
  use!).

Of the above methods, the last leaves a window in which the list is
empty, possibly allowing unconstrained access to the resource making
use of this MIB. This method should never be used for Names, Addrs,
or Creds.
The use of the third method, adding and deleting within the same The use of the third method, adding and deleting within the same
request, should be used with care. It is recommended that within the request, should be used with care. It is recommended that within the
request, the add be done first. Otherwise, an implementation may request, the add be done first. Otherwise, an implementation may
attempt to perform these operations in order, potentially leaving a attempt to perform these operations in order, potentially leaving a
skipping to change at page 40, line 11
o add the new IdentAddrStart and IdentAddrEnd with a new
IdentAddrIndex, then delete the old one, using the methods shown
before.

Since the value of IdentAddrType specifies the formats of
IdentAddrStart and IdentAddrEnd, modification of IdentAddrType is not
allowed for an existing row.
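The matching rule, the credential-update orderings and the address-range replacement described above, worked through as an added example in Python. This is not text or code from RFC 4545 or from any IPS-AUTH-MIB implementation: the Identity and AddrRow structures, the "ipv4"/"ipv6" labels standing in for IdentAddrType, the iqn names and the 192.0.2.0/24 and 2001:db8:: addresses are all constructed for illustration. The point it makes concrete is that an identity whose only constraint is a single credential becomes a wildcard for the duration of a delete-then-add rotation, while add-then-delete never leaves the list empty.

```python
# Added example (not RFC 4545 text): identity matching with the empty-list-as-
# wildcard rule, and credential/address-range updates done in an order that
# never leaves a list empty.  Rows are keyed by their index, as the MIB's
# IdentName/IdentAddr/IdentCred tables are; everything else is simplified.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class AddrRow:
    """One IdentAddr row: a contiguous range [start, end] of one address type."""
    addr_type: str   # "ipv4" or "ipv6" (stand-in for IdentAddrType)
    start: str       # stand-in for IdentAddrStart
    end: str         # stand-in for IdentAddrEnd

    def contains(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        if {"ipv4": 4, "ipv6": 6}[self.addr_type] != a.version:
            return False   # a v6 address never matches a v4 row, and vice versa
        return ipaddress.ip_address(self.start) <= a <= ipaddress.ip_address(self.end)


@dataclass
class Identity:
    names: dict[int, str] = field(default_factory=dict)
    addrs: dict[int, AddrRow] = field(default_factory=dict)
    creds: dict[int, str] = field(default_factory=dict)   # e.g. CHAP user names


def matches(ident: Identity, name: str, addr: str, cred: str) -> bool:
    """Each non-empty list must match one entry; an empty list matches any
    identifier of that type (the rule that makes empty windows dangerous)."""
    name_ok = not ident.names or name in ident.names.values()
    addr_ok = not ident.addrs or any(r.contains(addr) for r in ident.addrs.values())
    cred_ok = not ident.creds or cred in ident.creds.values()
    return name_ok and addr_ok and cred_ok


def rotate_cred_delete_then_add(ident, old_idx, new_idx, new_cred, probe):
    """The 'Don't use!' ordering.  Returns True if `probe` (name, addr, cred)
    would have been authorized in the window between the two writes."""
    del ident.creds[old_idx]
    leaked = matches(ident, *probe)   # creds list is empty here: wildcard
    ident.creds[new_idx] = new_cred
    return leaked


def rotate_cred_add_then_delete(ident, old_idx, new_idx, new_cred, probe):
    """Recommended ordering: the list is never empty, so `probe` is judged
    against a real credential set at every point."""
    ident.creds[new_idx] = new_cred
    leaked = matches(ident, *probe)
    del ident.creds[old_idx]
    return leaked


def write_addr_row(ident, idx, row):
    """Create or rewrite an IdentAddr row.  Changing the type of an existing
    row is rejected, because IdentAddrType fixes the format of Start/End."""
    existing = ident.addrs.get(idx)
    if existing is not None and existing.addr_type != row.addr_type:
        raise ValueError("IdentAddrType cannot be modified for an existing row")
    ident.addrs[idx] = row


def replace_addr_range(ident, old_idx, new_idx, row):
    """Move to a new range (possibly of another type) without an empty window:
    add the new row under a fresh IdentAddrIndex first, then delete the old."""
    write_addr_row(ident, new_idx, row)
    del ident.addrs[old_idx]


def demo():
    """Cred-only identity (no names, no addrs) rotated both ways; the probe
    is a constructed attacker that matches nothing in either cred list."""
    probe = ("iqn.2001-04.com.example:attacker", "192.0.2.99", "no-such-cred")
    ident = Identity(creds={1: "chap-user-a"})
    unsafe = rotate_cred_delete_then_add(ident, 1, 2, "chap-user-b", probe)
    ident = Identity(creds={1: "chap-user-a"})
    safe = rotate_cred_add_then_delete(ident, 1, 2, "chap-user-b", probe)
    return unsafe, safe   # (True, False)


if __name__ == "__main__":
    print("leaked during delete-then-add, add-then-delete:", demo())
```

demo() returns (True, False): the probe is authorized only in the delete-then-add window. The same ordering discipline is what replace_addr_range applies to address ranges, and write_addr_row enforces the rule that IdentAddrType is immutable for an existing row.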
10. IANA Considerations

The IANA has assigned a MIB OID number under the mib-2 branch for the
IPS-AUTH-MIB.
11. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M., and S. Waldbusser, "Structure of Management
Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M., and S. Waldbusser, "Textual Conventions for
SMIv2", STD 58, RFC 2579, April 1999.

[RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M., and S. Waldbusser, "Conformance Statements for
SMIv2", STD 58, RFC 2580, April 1999.

[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", RFC 3411, December 2002.

[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network
Addresses", RFC 4001, February 2005.

[IANA-AF] IANA, "IANA Address Family Numbers MIB",
http://www.iana.org/assignments/ianaaddressfamilynumbers-mib.

[RFC4293] Routhier, S., "Management Information Base for the
Internet Protocol (IP)", RFC 4293, April 2006.

[RFC1994] Simpson, W., "PPP Challenge Handshake Authentication
Protocol (CHAP)", RFC 1994, August 1996.

[RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
Kerberos Network Authentication Service (V5)", RFC 4120,
July 2005.

[RFC2945] Wu, T., "The SRP Authentication and Key Exchange System",
RFC 2945, September 2000.
12. Informative References

[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002.

[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", RFC 3414, December 2002.

[RFC3720] Satran, J., Meth, K., Sapuntzakis, C., Chadalapaka, M.,
and E. Zeidner, "Internet Small Computer Systems Interface
(iSCSI)", RFC 3720, March 2004.

[RFC1737] Sollins, K. and L. Masinter, "Functional Requirements for
Uniform Resource Names", RFC 1737, December 1994.

[RFC4044] McCloghrie, K., "Fibre Channel Management MIB", RFC 4044,
May 2005.
13. Acknowledgements

In addition to the authors, several people contributed to the
development of this MIB module through discussions of authentication,
authorization, and access within the iSCSI MIB module and security
teams, including John Hufferd, Marjorie Krueger, Keith McCloghrie,
Tom McSweeney, Steve Senum, and Josh Tseng. Thanks also to Bill
Studenmund (Wasabi Systems) for adding the Kerberos method, and to
Ayman Ghanem for finding and suggesting changes to several problems
found in the MIB module.
skipping to change at page 42, line 13

MIB module.
Authors' Addresses

Mark Bakke
Postal: Cisco Systems, Inc
7900 International Drive, Suite 400
Bloomington, MN
USA 55425

EMail: mbakke@cisco.com

James Muchow
Postal: Qlogic Corp.
6321 Bury Drive
Eden Prairie, MN
USA 55346

EMail: james.muchow@qlogic.com
Full Copyright Statement

Copyright (C) The Internet Society (2006).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).