--- 1/draft-ietf-radext-rfc2618bis-02.txt 2006-05-15 22:12:38.000000000 +0200 +++ 2/draft-ietf-radext-rfc2618bis-03.txt 2006-05-15 22:12:38.000000000 +0200 @@ -1,18 +1,18 @@ Network Working Group D. Nelson Internet-Draft Enterasys Networks -Obsoletes: RFC 2618 (if approved) January 20, 2006 -Expires: July 24, 2006 +Obsoletes: RFC 2618 (if approved) May 12, 2006 +Expires: November 13, 2006 RADIUS Auth Client MIB (IPv6) - draft-ietf-radext-rfc2618bis-02.txt + draft-ietf-radext-rfc2618bis-03.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -23,21 +23,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on July 24, 2006. + This Internet-Draft will expire on November 13, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract This memo defines a set of extensions which instrument RADIUS authentication client functions. These extensions represent a portion of the Management Information Base (MIB) for use with network @@ -53,26 +53,28 @@ Table of Contents 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. The Internet-Standard Management Framework . . . . . . . . . . 3 4. Scope of Changes . . . . . . . . . . . . . . . . . . . . . . . 3 5. Structure of the MIB Module . . . . . . . . . . . . . . . . . 4 6. Deprecated Objects . . . . . . . . . . . . . . . . . . . . . . 5 7. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 - 9. Security Considerations . . . . . . . . . . . . . . . . . . . 19 - 10. Normative References . . . . . . . . . . . . . . . . . . . . . 20 - Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 21 - Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22 - Intellectual Property and Copyright Statements . . . . . . . . . . 23 + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 + 9. Security Considerations . . . . . . . . . . . . . . . . . . . 20 + 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 + 10.1. Normative References . . . . . . . . . . . . . . . . . . 21 + 10.2. Informative References . . . . . . . . . . . . . . . . . 22 + Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 22 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 23 + Intellectual Property and Copyright Statements . . . . . . . . . . 24 1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. This document uses terminology from RFC 2865 [RFC2865]. This document uses the word "malformed" with respect to RADIUS @@ -149,21 +151,21 @@ both client and server functions. For example, a RADIUS proxy may act as a server to one or more RADIUS authentication clients, while simultaneously acting as an authentication client to one or more authentication servers. In such situations, it is expected that RADIUS entities combining client and server functionality will support both the client and server MIBs. This MIB module contains two scalars as well as a single table, the RADIUS Authentication Server Table, which contains one row for each RADIUS authentication server with which the client shares a secret. - Each entry in the RADIUS Authentication Server Table includes fifteen + Each entry in the RADIUS Authentication Server Table includes sixteen columns presenting a view of the activity of the RADIUS authentication client. 6. Deprecated Objects The deprecated table in this MIB is carried forward from RFC 2618 [RFC2618]. There are two conditions under which it MAY be desirable for managed entities to continue to support the deprecated table: 1. The managed entity only supports IPv4 address formats. @@ -192,47 +194,55 @@ IMPORTS MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Counter32, Integer32, Gauge32, IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI SnmpAdminString FROM SNMP-FRAMEWORK-MIB InetAddressType, InetAddress, InetPortNumber FROM INET-ADDRESS-MIB MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; radiusAuthClientMIB MODULE-IDENTITY - LAST-UPDATED "200601200000Z" -- 20 Jan 2006 + LAST-UPDATED "200605100000Z" -- 10 May 2006 ORGANIZATION "IETF RADIUS Extensions Working Group." CONTACT-INFO " Bernard Aboba Microsoft One Microsoft Way Redmond, WA 98052 US Phone: +1 425 936 6605 EMail: bernarda@microsoft.com" DESCRIPTION "The MIB module for entities implementing the client side of the Remote Authentication Dial-In User Service - (RADIUS) authentication protocol." - REVISION "200601200000Z" -- 20 Jan 2006 - DESCRIPTION "Revised version as published in RFC xxxx. This - version obsoletes that of RFC 2618 by deprecating the MIB - table containing IPv4-only address formats and defining a - new table to add support for version neutral IP address - formats. The remaining MIB objects from RFC 2618 are carried - forward into this version." - REVISION "9906110000Z" -- 11 Jun 1999 - DESCRIPTION "Initial version as published in RFC 2618." + (RADIUS) authentication protocol. Copyright (C) The + Internet Society (2006). This version of this MIB + module is part of RFC xxxx; see the RFC itself for + full legal notices." + + -- RFC Editor: replace xxxx with actual RFC number at the time of + -- publication, and remove this note. + + REVISION "200605100000Z" -- 10 May 2006 + DESCRIPTION + "Revised version as published in RFC xxxx. This + version obsoletes that of RFC 2618 by deprecating + the MIB table containing IPv4-only address formats + and defining a new table to add support for version + neutral IP address formats. The remaining MIB objects + from RFC 2618 are carried forward into this version." -- RFC Editor: replace xxxx with actual RFC number at the time of -- publication, and remove this note. + REVISION "199906110000Z" -- 11 Jun 1999 + DESCRIPTION "Initial version as published in RFC 2618." ::= { radiusAuthentication 2 } radiusMIB OBJECT-IDENTITY STATUS current DESCRIPTION "The OID assigned to RADIUS MIB work by the IANA." ::= { mib-2 67 } radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1} @@ -519,21 +529,22 @@ radiusAuthClientExtAccessRequests Counter32, radiusAuthClientExtAccessRetransmissions Counter32, radiusAuthClientExtAccessAccepts Counter32, radiusAuthClientExtAccessRejects Counter32, radiusAuthClientExtAccessChallenges Counter32, radiusAuthClientExtMalformedAccessResponses Counter32, radiusAuthClientExtBadAuthenticators Counter32, radiusAuthClientExtPendingRequests Gauge32, radiusAuthClientExtTimeouts Counter32, radiusAuthClientExtUnknownTypes Counter32, - radiusAuthClientExtPacketsDropped Counter32 + radiusAuthClientExtPacketsDropped Counter32, + radiusAuthClientCounterDiscontinuity TimeTicks } radiusAuthServerExtIndex OBJECT-TYPE SYNTAX Integer32 (1..2147483647) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A number uniquely identifying each RADIUS Authentication server with which this client communicates." @@ -551,26 +563,26 @@ SYNTAX InetAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the RADIUS authentication server referred to in this table entry, using the version neutral IP address format." ::= { radiusAuthServerExtEntry 3 } radiusAuthClientServerInetPortNumber OBJECT-TYPE - SYNTAX InetPortNumber + SYNTAX InetPortNumber ( 1..65535 ) MAX-ACCESS read-only STATUS current DESCRIPTION "The UDP port the client is using to send requests - to this server." + to this server. The value of zero (0) is invalid." REFERENCE "RFC 2865 section 3" ::= { radiusAuthServerExtEntry 4 } radiusAuthClientExtRoundTripTime OBJECT-TYPE SYNTAX TimeTicks MAX-ACCESS read-only STATUS current DESCRIPTION "The time interval (in hundredths of a second) between the most recent Access-Reply/Access-Challenge and the @@ -593,71 +605,92 @@ -- -- radiusAuthClientExtAccessRequests OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS Access-Request packets sent - to this server. This does not include retransmissions." + to this server. This does not include retransmissions. + This counter may experience a discontinuity when the + RADIUS Client module within the managed entity is + reinitialized, as indicated by the current value of + radiusAuthClientCounterDiscontinuity." REFERENCE "RFC 2865 section 4.1" ::= { radiusAuthServerExtEntry 6 } radiusAuthClientExtAccessRetransmissions OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS Access-Request packets - retransmitted to this RADIUS authentication server." + retransmitted to this RADIUS authentication server. + This counter may experience a discontinuity when + the RADIUS Client module within the managed entity + is reinitialized, as indicated by the current value + of radiusAuthClientCounterDiscontinuity." REFERENCE "RFC 2865 sections 2.5, 4.1" ::= { radiusAuthServerExtEntry 7 } radiusAuthClientExtAccessAccepts OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS Access-Accept packets - (valid or invalid) received from this server." + (valid or invalid) received from this server. + This counter may experience a discontinuity when + the RADIUS Client module within the managed entity + is reinitialized, as indicated by the current value + of radiusAuthClientCounterDiscontinuity." REFERENCE "RFC 2865 section 4.2" ::= { radiusAuthServerExtEntry 8 } radiusAuthClientExtAccessRejects OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS Access-Reject packets - (valid or invalid) received from this server." + (valid or invalid) received from this server. + This counter may experience a discontinuity when + the RADIUS Client module within the managed + entity is reinitialized, as indicated by the + current value of + radiusAuthClientCounterDiscontinuity." REFERENCE "RFC 2865 section 4.3" ::= { radiusAuthServerExtEntry 9 } radiusAuthClientExtAccessChallenges OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS Access-Challenge packets - (valid or invalid) received from this server." + (valid or invalid) received from this server. + This counter may experience a discontinuity when + the RADIUS Client module within the managed + entity is reinitialized, as indicated by the + current value of + radiusAuthClientCounterDiscontinuity." REFERENCE "RFC 2865 section 4.4" ::= { radiusAuthServerExtEntry 10 } -- "Access-Response" includes an Access-Accept, Access-Challenge -- or Access-Reject - radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of malformed RADIUS Access-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators or @@ -655,33 +688,41 @@ SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of malformed RADIUS Access-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators or Message Authenticator attributes or unknown types - are not included as malformed access responses." + are not included as malformed access responses. + This counter may experience a discontinuity when + the RADIUS Client module within the managed entity + is reinitialized, as indicated by the current value + of radiusAuthClientCounterDiscontinuity." REFERENCE "RFC 2865 sections 3, 4" ::= { radiusAuthServerExtEntry 11 } radiusAuthClientExtBadAuthenticators OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS Access-Response packets containing invalid authenticators or Message - Authenticator attributes received from this server." + Authenticator attributes received from this server. + This counter may experience a discontinuity when + the RADIUS Client module within the managed entity + is reinitialized, as indicated by the current value + of radiusAuthClientCounterDiscontinuity." REFERENCE "RFC 2865 section 3" ::= { radiusAuthServerExtEntry 12 } radiusAuthClientExtPendingRequests OBJECT-TYPE SYNTAX Gauge32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS Access-Request packets @@ -697,46 +738,70 @@ SYNTAX Counter32 UNITS "timeouts" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of authentication timeouts to this server. After a timeout the client may retry to the same server, send to a different server, or give up. A retry to the same server is counted as a retransmit as well as a timeout. A send to a different - server is counted as a Request as well as a timeout." + server is counted as a Request as well as a timeout. + This counter may experience a discontinuity when the + RADIUS Client module within the managed entity is + reinitialized, as indicated by the current value of + radiusAuthClientCounterDiscontinuity." REFERENCE "RFC 2865 sections 2.5, 4.1" ::= { radiusAuthServerExtEntry 14 } radiusAuthClientExtUnknownTypes OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS packets of unknown type which were received from this server on the authentication - port." + port. This counter may experience a discontinuity + when the RADIUS Client module within the managed + entity is reinitialized, as indicated by the current + value of radiusAuthClientCounterDiscontinuity." REFERENCE "RFC 2865 section 4" ::= { radiusAuthServerExtEntry 15 } radiusAuthClientExtPacketsDropped OBJECT-TYPE SYNTAX Counter32 UNITS "packets" MAX-ACCESS read-only STATUS current DESCRIPTION "The number of RADIUS packets of which were received from this server on the authentication port - and dropped for some other reason." + and dropped for some other reason. This counter may + experience a discontinuity when the RADIUS Client + module within the managed entity is reinitialized, + as indicated by the current value of + radiusAuthClientCounterDiscontinuity." ::= { radiusAuthServerExtEntry 16 } + + radiusAuthClientCounterDiscontinuity OBJECT-TYPE + SYNTAX TimeTicks + UNITS "centiseconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of centiseconds since the last discontinuity + in the RADIUS Client counters. A discontinuity may + be the result of a reinitialization of the RADIUS + Client module within the managed entity." + ::= { radiusAuthServerExtEntry 17 } + -- conformance information radiusAuthClientMIBConformance OBJECT IDENTIFIER ::= { radiusAuthClientMIB 2 } radiusAuthClientMIBCompliances OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 1 } radiusAuthClientMIBGroups OBJECT IDENTIFIER ::= { radiusAuthClientMIBConformance 2 } @@ -760,20 +825,31 @@ STATUS current DESCRIPTION "The compliance statement for authentication clients implementing the RADIUS Authentication Client IPv6 Extensions MIB. Implementation of this module is for entities that support IPv6, or support IPv4 and IPv6." MODULE -- this module MANDATORY-GROUPS { radiusAuthClientExtMIBGroup } + OBJECT radiusAuthServerInetAddressType + SYNTAX InetAddressType { ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation is only required to support + IPv4 and globally unique IPv6 addresses." + + OBJECT radiusAuthServerInetAddress + SYNTAX InetAddress ( SIZE (4|16) ) + DESCRIPTION + "An implementation is only required to support + IPv4 and globally unique IPv6 addresses." ::= { radiusAuthClientMIBCompliances 2 } -- units of conformance radiusAuthClientMIBGroup OBJECT-GROUP OBJECTS { radiusAuthClientIdentifier, radiusAuthClientInvalidServerAddresses, radiusAuthServerAddress, radiusAuthClientServerPortNumber, radiusAuthClientRoundTripTime, @@ -805,21 +881,22 @@ radiusAuthClientExtAccessRequests, radiusAuthClientExtAccessRetransmissions, radiusAuthClientExtAccessAccepts, radiusAuthClientExtAccessRejects, radiusAuthClientExtAccessChallenges, radiusAuthClientExtMalformedAccessResponses, radiusAuthClientExtBadAuthenticators, radiusAuthClientExtPendingRequests, radiusAuthClientExtTimeouts, radiusAuthClientExtUnknownTypes, - radiusAuthClientExtPacketsDropped + radiusAuthClientExtPacketsDropped, + radiusAuthClientCounterDiscontinuity } STATUS current DESCRIPTION "The collection of extended objects providing management of RADIUS Authentication Clients using version neutral IP address format." ::= { radiusAuthClientMIBGroups 2 } END @@ -868,77 +945,64 @@ provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy). Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate - rights to indeed GET or SET (change/create/delete) them + rights to indeed GET or SET (change/create/delete) them. -10. Normative References +10. References + +10.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. - [RFC2574] Blumenthal, U. and B. Wijnen, "User-based Security Model - (USM) for version 3 of the Simple Network Management - Protocol (SNMPv3)", RFC 2574, April 1999. - - [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based - Access Control Model (VACM) for the Simple Network - Management Protocol (SNMP)", RFC 2575, April 1999. - [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999. - [RFC2618] Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB", - RFC 2618, June 1999. - [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. +10.2. Informative References + + [RFC2618] Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB", + RFC 2618, June 1999. + [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet- Standard Management Framework", RFC 3410, December 2002. - [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An - Architecture for Describing Simple Network Management - Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, - December 2002. - - [RFC3418] Presuhn, R., "Management Information Base (MIB) for the - Simple Network Management Protocol (SNMP)", STD 62, - RFC 3418, December 2002. - [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, February 2005. Appendix A. Acknowledgments - The Authors of the original MIB are Bernard Aboba and Glen Zorn. + The authors of the original MIB are Bernard Aboba and Glen Zorn. Many thanks to all reviewers, especially to Dave Harrington, Dan - Romascanu, C.M. Heard, Bruno Pape and Greg Weber. + Romascanu, C.M. Heard, Bruno Pape, Greg Weber and Bert Wijnen. Author's Address David B. Nelson Enterasys Networks 50 Minuteman Road Andover, MA 01810 USA Email: dnelson@enterasys.com