--- 1/draft-ietf-radext-rfc2618bis-03.txt 2006-06-29 22:13:52.000000000 +0200 +++ 2/draft-ietf-radext-rfc2618bis-04.txt 2006-06-29 22:13:52.000000000 +0200 @@ -1,18 +1,18 @@ Network Working Group D. Nelson Internet-Draft Enterasys Networks -Obsoletes: RFC 2618 (if approved) May 12, 2006 -Expires: November 13, 2006 +Obsoletes: RFC 2618 (if approved) June 26, 2006 +Expires: December 28, 2006 - RADIUS Auth Client MIB (IPv6) - draft-ietf-radext-rfc2618bis-03.txt + RADIUS Authentication Client MIB for IPV6 + draft-ietf-radext-rfc2618bis-04.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that 
@@ -23,29 +23,29 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on November 13, 2006. + This Internet-Draft will expire on December 28, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract - This memo defines a set of extensions which instrument RADIUS + This memo defines a set of extensions, which instrument RADIUS authentication client functions. These extensions represent a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. Using these extensions IP-based management stations can manage RADIUS authentication clients. This memo obsoletes RFC 2618 by deprecating the MIB table containing IPv4-only address formats and defining a new table to add support for version neutral IP address formats. The remaining MIB objects from RFC 2618 are carried forward into this document. The memo also adds 
@@ -55,22 +55,22 @@ 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. The Internet-Standard Management Framework . . . . . . . . . . 3 4. Scope of Changes . . . . . . . . . . . . . . . . . . . . . . . 3 5. Structure of the MIB Module . . . . . . . . . . . . . . . . . 4 6. Deprecated Objects . . . . . . . . . . . . . . . . . . . . . . 5 7. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 9. Security Considerations . . . . . . . . . . . . . . . . . . . 20 - 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 - 10.1. Normative References . . . . . . . . . . . . . . . . . . 21 + 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22 + 10.1. Normative References . . . . . . . . . . . . . . . . . . 22 10.2. Informative References . . . . . . . . . . . . . . . . . 22 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 22 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 23 Intellectual Property and Copyright Statements . . . . . . . . . . 24 1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 
@@ -146,21 +146,25 @@ authentication client MIB, while RADIUS authentication servers implement the server function, and thus would be expected to implement the RADIUS authentication server MIB. However, it is possible for a RADIUS authentication entity to perform both client and server functions. For example, a RADIUS proxy may act as a server to one or more RADIUS authentication clients, while simultaneously acting as an authentication client to one or more authentication servers. In such situations, it is expected that RADIUS entities combining client and server functionality will - support both the client and server MIBs. + support both the client and server MIBs. The client MIB is defined + in this document, and the server MIB is defined in [2619bis]. + + RFC Editor: Replace the above I-D reference with the assigned RFC + number at the time of publication and delete this note. This MIB module contains two scalars as well as a single table, the RADIUS Authentication Server Table, which contains one row for each RADIUS authentication server with which the client shares a secret. Each entry in the RADIUS Authentication Server Table includes sixteen columns presenting a view of the activity of the RADIUS authentication client. 6. Deprecated Objects 
@@ -915,20 +920,25 @@ control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. These are the tables and objects and their sensitivity/vulnerability: radiusAuthServerIPAddress This can be used to determine the address of the RADIUS authentication server with which the client is communicating. This information could be useful in mounting an attack on the authentication server. + radiusAuthClientServerPortNumber This can be used to determine the + port number on which the RADIUS authentication client is sending. + This information could be useful in impersonating the client in + order to send data to the authentication server. + radiusAuthServerInetAddress This can be used to determine the address of the RADIUS authentication server with which the client is communicating. This information could be useful in mounting an attack on the authentication server. radiusAuthClientServerInetPortNumber This can be used to determine the port number on which the RADIUS authentication client is sending. This information could be useful in impersonating the client in order to send data to the authentication server. 
@@ -967,33 +977,37 @@ STD 58, RFC 2579, April 1999. [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999. [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. + [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. + Schoenwaelder, "Textual Conventions for Internet Network + Addresses", RFC 4001, February 2005. + 10.2. Informative References + [2619bis] Nelson, D., "RADIUS Authentication Server MIB for IPv6", + draft-ietf-radext-rfc2619bis-04.txt (work in progress), + June 2006. + [RFC2618] Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB", RFC 2618, June 1999. [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet- Standard Management Framework", RFC 3410, December 2002. - [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. - Schoenwaelder, "Textual Conventions for Internet Network - Addresses", RFC 4001, February 2005. - Appendix A. Acknowledgments The authors of the original MIB are Bernard Aboba and Glen Zorn. Many thanks to all reviewers, especially to Dave Harrington, Dan Romascanu, C.M. Heard, Bruno Pape, Greg Weber and Bert Wijnen. Author's Address David B. Nelson
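Review bot: The new title line in the first hunk (@@ -1,18 +1,18 @@) spells the protocol version "IPV6", while the rest of the patch uses "IPv6", for example the added [2619bis] entry "RADIUS Authentication Server MIB for IPv6". Suggest "RADIUS Authentication Client MIB for IPv6" so the titles of the two companion documents match.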
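Review bot: The comma added in the Abstract (@@ -23,29 +23,29 @@), "a set of extensions, which instrument RADIUS authentication client functions", turns a restrictive clause into a non-restrictive one, so the sentence no longer identifies which extensions the memo defines. Suggest "a set of extensions that instrument RADIUS authentication client functions", or keeping the -03 wording without the comma.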
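Review bot: The added radiusAuthClientServerPortNumber entry in Security Considerations (@@ -915,20 +920,25 @@) says "the port number on which the RADIUS authentication client is sending", which does not state whether this is the client's source port or the destination port on the server, and the impersonation risk described in the next sentence depends on which one is meant. The wording is copied from the radiusAuthClientServerInetPortNumber entry a few lines below, so both entries should be clarified together. Since the two pairs of entries describe the same exposure, it would also help to say that access control needs to cover the IPv4-only objects as well as their Inet counterparts.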
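Review bot: The added [2619bis] entry in 10.2 (@@ -967,33 +977,37 @@) carries the draft filename "draft-ietf-radext-rfc2619bis-04.txt", but the RFC Editor note added in the @@ -146,21 +146,25 @@ hunk only asks to replace "the above I-D reference" in the body text. Suggest rewording that note so it names [2619bis] and covers the reference-list entry too. Separately, the move of [RFC4001] from Informative to Normative is not explained anywhere in the visible text; a one-line entry in a change log would make it easier to review.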