Internet Draft The Definitions of Managed Objects for the Security Protocols of the Point-to-Point Protocol 27 July 1992 Frank Kastenholz FTP Software, Inc 26 Princess Street Wakefield, Mass 01880 USA kasten@ftp.com Status of this Memo This document is an Internet Draft. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its Areas, and its Working Groups. Note that other groups may also distribute working documents as Internet Drafts. Internet Drafts are draft documents valid for a maximum of six months. Internet Drafts may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet Drafts as reference material or to cite them other than as a ``working draft'' or ``work in progress.'' Please check the 1id-abstracts.txt listing contained in the internet-drafts Shadow Directories on nic.ddn.mil, nnsc.nsf.net, nic.nordu.net, ftp.nisc.sri.com, or munnari.oz.au to learn the current status of any Internet Draft. Internet Draft PPP/Security MIB July 1992 This document will be submitted to the Internet Activities Board as a Draft Standard. This document defines an experimental extension to the SNMP MIB. Upon publication as a Draft Standard, a new MIB number will be assigned. This is a working document only, it should neither be cited nor quoted in any formal document. This document will expire before 1 Feb. 1993. Distribution of this document is unlimited. Please send comments to the author. 1. Abstract This memo defines an experimental portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based internets. In particular, it describes managed objects used for managing the Security Protocols on subnetwork interfaces using the family of Point-to-Point Protocols[8, 9, 10, 11, & 12]. This memo does not specify a standard for the Internet community. Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 2] Internet Draft PPP/Security MIB July 1992 2. The Network Management Framework The Internet-standard Network Management Framework consists of three components. They are: RFC 1155 which defines the SMI, the mechanisms used for describing and naming objects for the purpose of management. RFC 1212 defines a more concise description mechanism, which is wholly consistent with the SMI. RFC 1156 which defines MIB-I, the core set of managed objects for the Internet suite of protocols. RFC 1213, defines MIB-II, an evolution of MIB-I based on implementation experience and new operational requirements. RFC 1157 which defines the SNMP, the protocol used for network access to managed objects. The Framework permits new objects to be defined for the purpose of experimentation and evaluation. Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 3] Internet Draft PPP/Security MIB July 1992 3. Objects Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the subset of Abstract Syntax Notation One (ASN.1) [3] defined in the SMI. In particular, each object has a name, a syntax, and an encoding. The name is an object identifier, an administratively assigned name, which specifies an object type. The object type together with an object instance serves to uniquely identify a specific instantiation of the object. For human convenience, we often use a textual string, termed the OBJECT DESCRIPTOR, to also refer to the object type. The syntax of an object type defines the abstract data structure corresponding to that object type. The ASN.1 language is used for this purpose. However, the SMI [1] purposely restricts the ASN.1 constructs which may be used. These restrictions are explicitly made for simplicity. The encoding of an object type is simply how that object type is represented using the object type's syntax. Implicitly tied to the notion of an object type's syntax and encoding is how the object type is represented when being transmitted on the network. The SMI specifies the use of the basic encoding rules of ASN.1 [4], subject to the additional requirements imposed by the SNMP. 3.1. Format of Definitions Section 5 contains the specification of all object types contained in this MIB module. The object types are defined using the conventions defined in the SMI, as amended by the extensions specified in [5,6]. Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 4] Internet Draft PPP/Security MIB July 1992 4. Overview 4.1. Object Selection Criteria To be consistent with IAB directives and good engineering practice, an explicit attempt was made to keep this MIB as simple as possible. This was accomplished by applying the following criteria to objects proposed for inclusion: (1) Require objects be essential for either fault or configuration management. In particular, objects for which the sole purpose was to debug implementations were explicitly excluded from the MIB. (2) Consider evidence of current use and/or utility. (3) Limit the total number of objects. (4) Exclude objects which are simply derivable from others in this or other MIBs. 4.2. Structure of the PPP This section describes the basic model of PPP used in developing the PPP MIB. This information should be useful to the implementor in understanding some of the basic design decisions of the MIB. The PPP is not one single protocol but a large family of protocols. Each of these is, in itself, a fairly complex protocol. The PPP protocols may be divided into three rough categories: Control Protocols The Control Protocols are used to control the operation of the PPP. The Control Protocols include the Link Control Protocol (LCP), the Password Authentication Protocol (PAP), the Link Quality Report (LQR), and the Challenge Handshake Authentication Protocol (CHAP). Network Protocols The Network Protocols are used to move the network traffic over the PPP interface. A Network Protocol Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 5] Internet Draft PPP/Security MIB July 1992 encapsulates the datagrams of a specific higher-layer protocol that is using the PPP as a data link. Note that within the context of PPP, the term "Network Protocol" does not imply an OSI Layer-3 protocol; for instance, there is a Bridging network protocol. Network Control Protocols (NCPs) The NCPs are used to control the operation of the Network Protocols. Generally, each Network Protocol has its own Network Control Protocol; thus, the IP Network Protocol has its IP Control Protocol, the Bridging Network Protocol has its Bridging Network Control Protocol and so on. This document specifies the objects used in managing one of these protocols, namely the Link Control Protocol. 4.3. MIB Groups Objects in this MIB are arranged into several MIB groups. Each group is organized as a set of related objects. These groups are the basic unit of conformance: if the semantics of a group is applicable to an implementation then all objects in the group must be implemented. The PPP MIB is organized into several MIB Groups, including, but not limited to, the following groups: o The PPP Link Group o The PPP LQR Group o The PPP LQR Extensions Group o The PPP IP Group o The PPP Bridge Group o The PPP Security Configuration Group o The PPP CHAP Group o The PPP PAP Group This document specifies the following group: PPP Security Configuration Group The PPP Security Configuration Group contains overall configuration and control variables that apply to PPP security. Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 6] Internet Draft PPP/Security MIB July 1992 Implementation of this group is optional for all implementations of PPP that support any of the PPP security protocols (currently only PAP and CHAP). The PPP CHAP Group The PPP CHAP Group contains configuration, status, and control variables that apply to the PPP Challange Handshake Authentication Protocol. Implementation of this group is optional for all implementations of PPP that support the PPP CHAP. The PPP PAP Group The PPP PAP Group contains configuration, status, and control variables that apply to the PPP Password Authentication Protocol. Implementation of this group is optional for all implementations of PPP that support the PPP PAP. Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 7] Internet Draft PPP/Security MIB July 1992 5. Definitions RFCpppsec-MIB DEFINITIONS ::= BEGIN IMPORTS experimental, Counter FROM RFC1155-SMI OBJECT-TYPE FROM RFC-1212 pppSecurity FROM RFC-ppp TRAP-TYPE FROM RFC-1215; Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 8] Internet Draft PPP/Security MIB July 1992 5.1. PPP Security Configuration Group -- -- The PPP Security Configuration Group -- Implementation of this group is optional for all -- PPP implementations that support a PPP security -- protocol. -- -- The table in this group allows the network manager -- to configure which security protocols are to be -- used on which link and in what order of preference -- each protocol is to be tried. -- pppSecurityConfigTable OBJECT-TYPE SYNTAX SEQUENCE OF PppSecurityConfigEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Table containing the configuration and preference parameters for PPP Security." ::= { pppSecurity 1 } pppSecurityConfigEntry OBJECT-TYPE SYNTAX PppSecurityConfigEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Security configuration information for a particular PPP link." INDEX { pppSecurityConfigLink, pppSecurityConfigPreference } ::= { pppSecurityConfigTable 1 } PppSecurityConfigEntry ::= SEQUENCE { pppSecurityConfigLink INTEGER, pppSecurityConfigPreference INTEGER, Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 9] Internet Draft PPP/Security MIB July 1992 pppSecurityConfigProtocol INTEGER } pppSecurityConfigLink OBJECT-TYPE SYNTAX INTEGER(0..2147483648) ACCESS read-write STATUS mandatory DESCRIPTION "The value of ifIndex that identifies the entry in the interface table that is associated with the local PPP entity's link for which this particular security algorithm shall be attempted. A value of 0 indicates the default algorithm - i.e., this entry applies to all links for which explicit entries in the table do not exist." ::= { pppSecurityConfigEntry 1 } pppSecurityConfigPreference OBJECT-TYPE SYNTAX INTEGER(0..2147483648) ACCESS read-write STATUS mandatory DESCRIPTION "The relative preference of the security protocol identified by pppSecurityConfigProtocol. Security protocols with lower values of pppSecurityConfigPreference are tried before protocols with higher values of pppSecurityConfigPreference." ::= { pppSecurityConfigEntry 2 } pppSecurityConfigProtocol OBJECT-TYPE SYNTAX OBJECT IDENTIFIER ACCESS read-write STATUS mandatory DESCRIPTION "Identifies the security protocol to be attempted on the link identified by pppSecurityConfigLink at the preference level identified by pppSecurityConfigPreference. Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 10] Internet Draft PPP/Security MIB July 1992 Setting this object to the OBJECT IDENTIFIER { 0 0 }, which is a syntatically valid object identifier, has the effect of invalidating the corresponding entry in this table. It is an implementation-specific matter as to whether the agent removes an invalidated entry from the table. Accordingly, management stations must be prepared to receive tabular information from agents that corresponds to entries not currently in use." ::= { pppSecurityConfigEntry 3 } Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 11] Internet Draft PPP/Security MIB July 1992 5.2. PPP CHAP Group -- -- The PPP CHAP Group. -- Implementation of this group is optional for all -- PPP implementations that support the CHAP protocol. -- -- pppSecurityConfigProtocol takes the OBJECT IDENTIFIER -- pppChap to indicate that the Challenge Handshake -- Authentication Protocol is to be used. -- pppChap OBJECT IDENTIFIER ::= { pppSecurity 2 } pppChapTable OBJECT-TYPE SYNTAX SEQUENCE OF PppChapEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Table containing the Chap parameters local PPP entity's links." ::= { pppChap 1 } pppChapEntry OBJECT-TYPE SYNTAX PppChapEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "CHAP information for a particular PPP link and preference level." INDEX { pppChapLink, pppChapPreference } ::= { pppChapTable 1 } PppChapEntry ::= SEQUENCE { pppChapLink INTEGER, pppChapPreference INTEGER, pppChapDigestType INTEGER } Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 12] Internet Draft PPP/Security MIB July 1992 pppChapLink OBJECT-TYPE SYNTAX INTEGER(0..2147483648) ACCESS read-write STATUS mandatory DESCRIPTION "The value of pppSecurityConfigLink that identifies the entry in the pppSecurityConfig table to which this entry in the pppChapTable applies." ::= { pppChapEntry 1 } pppChapPreference OBJECT-TYPE SYNTAX INTEGER(0..2147483648) ACCESS read-write STATUS mandatory DESCRIPTION "The value of pppSecurityConfigPreference that identifies the entry in the pppSecurityConfig table to which this entry in the pppChapTable applies." ::= { pppChapEntry 2 } pppChapDigestType OBJECT-TYPE SYNTAX INTEGER { invalid(1), md5-chap-digest(2) } ACCESS read-write STATUS mandatory DESCRIPTION "The CHAP Digest format to use in attempting the CHAP authentication as defined by the corresponding entry in the pppSecurityConfig table. Setting this object to the value invalid(1) has the effect of invalidating the corresponding entry in the pppChapTable. It is an implementation-specific matter as to whether the agent removes an invalidated entry from the table. Accordingly, management stations must be prepared to receive tabular information from agents that corresponds to entries not currently in use. Proper interpretation of Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 13] Internet Draft PPP/Security MIB July 1992 such entries requires examination of the relevant pppChapDigestType object." REFERENCE "Section 4.1, Configuration Option Format, of RFC-PPPSEC" DEFVAL { md5-chap-digest } ::= { pppChapEntry 3 } pppChapSecretsTable OBJECT-TYPE SYNTAX SEQUENCE OF PppChapSecretsEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Table containing the secret CHAP parameters for the local PPP entity. As this table contains secret information, it is expected that access to this table be limited to those SNMP Party-Pairs for which a privacy protocol is in use for all SNMP messages that the parties exchange. This table contains a Name and its associated Digest secret. The parameters in this table are used by the local entity when generating CHAP Response packets. The table allows for multiple name/secret pairs to be specified for a particular link by using the pppChapSecretIdIndex object. These parameters are used by a node when it attempts to authenticate itself." ::= { pppChap 2 } pppChapSecretsEntry OBJECT-TYPE SYNTAX PppChapSecretsEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Secret CHAP information to generate a single response." INDEX { pppChapSecretsLinkIndex, pppChapSecretsIdIndex } ::= { pppChapSecretsTable 1 } Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 14] Internet Draft PPP/Security MIB July 1992 PppChapSecretsEntry ::= SEQUENCE { pppChapSecretsLinkIndex INTEGER, pppChapSecretsIdIndex INTEGER, pppChapSecretsName OCTET STRING, pppChapSecretsSecret OCTET STRING, pppChapSecretsStatus INTEGER } pppChapSecretsLinkIndex OBJECT-TYPE SYNTAX INTEGER(0..2147483648) ACCESS read-only STATUS mandatory DESCRIPTION "The value of ifIndex that identifies the entry in the interface table that is associated with the local PPP CHAP Entity. If the value of this object is 0 then the name/secret pair applies to all links." ::= { pppChapSecretsEntry 1 } pppChapSecretsIdIndex OBJECT-TYPE SYNTAX INTEGER(0..2147483648) ACCESS read-only STATUS mandatory DESCRIPTION "A unique value for each Name/Secret pair that has been defined for use on this link. This allows multiple Name/Secret pairs to be defined for each link. How the local entity selects which pair to use is a local implementation decision." ::= { pppChapSecretsEntry 2 } pppChapSecretsName OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..255)) ACCESS read-write Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 15] Internet Draft PPP/Security MIB July 1992 STATUS mandatory DESCRIPTION "A name." ::= { pppChapSecretsEntry 3 } pppChapSecretsSecret OBJECT-TYPE SYNTAX OCTET STRING -- (SIZE(16)) when MD5 ACCESS read-write STATUS mandatory DESCRIPTION "The digest secret to be associated with the name." ::= { pppChapSecretsEntry 4 } pppChapSecretsStatus OBJECT-TYPE SYNTAX INTEGER { invalid(1), valid(2) } ACCESS read-write STATUS mandatory DESCRIPTION "Setting this object to the value invalid(1) has the effect of invalidating the corresponding entry in the pppChapSecretsTable. It is an implementation-specific matter as to whether the agent removes an invalidated entry from the table. Accordingly, management stations must be prepared to receive tabular information from agents that corresponds to entries not currently in use. Proper interpretation of such entries requires examination of the relevant pppChapSecretsStatus object." DEFVAL { valid } ::= { pppChapSecretsEntry 5 } pppChapPeerSecretsTable OBJECT-TYPE SYNTAX SEQUENCE OF PppChapPeerSecretsEntry ACCESS not-accessible Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 16] Internet Draft PPP/Security MIB July 1992 STATUS mandatory DESCRIPTION "Table containing the secret PAP parameters that are expected of remotes that may attempt to authenticate themselves to the local PPP entity. Received CHAP Responses are expected to match one of the entries in this table. As this table contains secret information, it is expected that access to this table be limited to those SNMP Party-Pairs for which a privacy protocol is in use for all SNMP messages that the parties exchange." ::= { pppChap 3 } pppChapPeerSecretsEntry OBJECT-TYPE SYNTAX PppChapPeerSecretsEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Secret remote CHAP information for a particular Peer Name/Secret and link." INDEX { pppChapPeerSecretsLink, pppChapPeerSecretsIndex } ::= { pppChapPeerSecretsTable 1 } PppChapPeerSecretsEntry ::= SEQUENCE { pppChapPeerSecretsLink INTEGER, pppChapPeerSecretsIndex INTEGER, pppChapPeerSecretsName OCTET STRING, pppChapPeerSecretsSecret OCTET STRING, pppChapPeerSecretsStatus INTEGER } pppChapPeerSecretsLink OBJECT-TYPE SYNTAX INTEGER(0..2147483648) ACCESS read-write STATUS mandatory Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 17] Internet Draft PPP/Security MIB July 1992 DESCRIPTION "The value of ifIndex that identifies the entry in the interface table that is associated with the local PPP Link for which this Name/Secret pair will be evaluated as valid. A particular Name/Secret pair is valid only for the link(s) for which there is a pppChapPeerSecretsTable entry containing said Name/Secret pair. By convention, a value of 0 for this object indicates all links on the local PPP entity." ::= { pppChapPeerSecretsEntry 1 } pppChapPeerSecretsIndex OBJECT-TYPE SYNTAX INTEGER(0..2147483648) ACCESS read-write STATUS mandatory DESCRIPTION "A unique value for each Name/Secret pair that has been defined for use on this link. This allows multiple Name/Secret pairs to be defined for each link." ::= { pppChapPeerSecretsEntry 2 } pppChapPeerSecretsName OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..255)) ACCESS read-write STATUS mandatory DESCRIPTION "A Peer-Name which may attempt to connect over the link identified by pppChapPeerSecretsLink." ::= { pppChapPeerSecretsEntry 3 } pppChapPeerSecretsSecret OBJECT-TYPE SYNTAX OCTET STRING -- (SIZE(16)) when using MD5 ACCESS read-write STATUS mandatory DESCRIPTION "The Secret associated with the Peer-Name identified in pppChapPeerSecretsName." ::= { pppChapPeerSecretsEntry 4 } Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 18] Internet Draft PPP/Security MIB July 1992 pppChapPeerSecretsStatus OBJECT-TYPE SYNTAX INTEGER { invalid(1), valid(2) } ACCESS read-write STATUS mandatory DESCRIPTION "Setting this object to the value invalid(1) has the effect of invalidating the corresponding entry in the pppChapPeerSecretsTable. It is an implementation-specific matter as to whether the agent removes an invalidated entry from the table. Accordingly, management stations must be prepared to receive tabular information from agents that corresponds to entries not currently in use. Proper interpretation of such entries requires examination of the relevant pppChapPeerSecretsStatus object." DEFVAL { valid } ::= { pppChapPeerSecretsEntry 5 } Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 19] Internet Draft PPP/Security MIB July 1992 5.3. PPP PAP Group -- -- The PPP PAP Group. -- Implementation of this group is optional for all -- PPP implementations that support the PAP protocol. -- -- pppSecurityConfigProtocol takes the OBJECT IDENTIFIER -- pppPap to indicate that the Password -- Authentication Protocol is to be used. -- -- pppPap OBJECT IDENTIFIER ::= { pppSecurity 3 } pppPapSecretsTable OBJECT-TYPE SYNTAX SEQUENCE OF PppPapSecretsEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Table containing the secret PAP parameters for the local PPP entity. As this table contains secret information, it is expected that access to this table be limited to those SNMP Party- Pairs for which a privacy protocol is in use for all SNMP messages that the parties exchange. This table contains the Peer-ID and Password that this PPP entity will advertise to the remote entity when sending PAP Authenticate Request packets. The table allows for multiple id/password pairs to be specified for a particular link by using the pppPapSecretIdIndex object." ::= { pppPap 1 } pppPapSecretsEntry OBJECT-TYPE SYNTAX PppPapSecretsEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Secret PAP information." INDEX { pppPapSecretsIndex, pppPapSecretsIdIndex } Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 20] Internet Draft PPP/Security MIB July 1992 ::= { pppPapSecretsTable 1 } PppPapSecretsEntry ::= SEQUENCE { pppPapSecretsIndex INTEGER, pppPapSecretsIdIndex INTEGER, pppPapSecretsId OCTET STRING, pppPapSecretsPassword OCTET STRING, pppPapSecretsStatus INTEGER } pppPapSecretsIndex OBJECT-TYPE SYNTAX INTEGER(0..2147483648) ACCESS read-only STATUS mandatory DESCRIPTION "The value of ifIndex that identifies the entry in the interface table that is associated with the local PPP Password Authentication Protocol Entity. If the value of this object is 0 then the ID/Password pair applies to all links." ::= { pppPapSecretsEntry 1 } pppPapSecretsIdIndex OBJECT-TYPE SYNTAX INTEGER(0..2147483648) ACCESS read-only STATUS mandatory DESCRIPTION "A unique value for each ID/Password pair that has been defined for use on this link. This allows multiple ID/Password pairs to be defined for each link. How the local entity selects which pair to use is a local implementation decision." ::= { pppPapSecretsEntry 2 } pppPapSecretsId OBJECT-TYPE Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 21] Internet Draft PPP/Security MIB July 1992 SYNTAX OCTET STRING (SIZE(0..255)) ACCESS read-write STATUS mandatory DESCRIPTION "A Peer ID." ::= { pppPapSecretsEntry 3 } pppPapSecretsPassword OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..255)) ACCESS read-write STATUS mandatory DESCRIPTION "The password to be associated with the Peer ID." ::= { pppPapSecretsEntry 4 } pppPapSecretsStatus OBJECT-TYPE SYNTAX INTEGER { invalid(1), valid(2) } ACCESS read-write STATUS mandatory DESCRIPTION "Setting this object to the value invalid(1) has the effect of invalidating the corresponding entry in the pppPapSecretsTable. It is an implementation-specific matter as to whether the agent removes an invalidated entry from the table. Accordingly, management stations must be prepared to receive tabular information from agents that corresponds to entries not currently in use. Proper interpretation of such entries requires examination of the relevant pppPapSecretsStatus object." DEFVAL { valid } ::= { pppPapSecretsEntry 5 } pppPapPeerSecretsTable OBJECT-TYPE Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 22] Internet Draft PPP/Security MIB July 1992 SYNTAX SEQUENCE OF PppPapPeerSecretsEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Table containing the secret PAP parameters that are expected of remotes that may attempt to authenticate themselves to the local PPP entity. As this table contains secret information, it is expected that access to this table be limited to those SNMP Party-Pairs for which a privacy protocol is in use for all SNMP messages that the parties exchange." ::= { pppPap 3 } pppPapPeerSecretsEntry OBJECT-TYPE SYNTAX PppPapPeerSecretsEntry ACCESS not-accessible STATUS mandatory DESCRIPTION "Secret remote PAP information for a particular remote ID/password and link." INDEX { pppPapPeerSecretsLink, pppPapPeerSecretsIndex } ::= { pppPapPeerSecretsTable 1 } PppPapPeerSecretsEntry ::= SEQUENCE { pppPapPeerSecretsLink INTEGER, pppPapPeerSecretsIndex INTEGER, pppPapPeerSecretsId OCTET STRING, pppPapPeerSecretsPassword OCTET STRING, pppPapPeerSecretsStatus INTEGER } pppPapPeerSecretsLink OBJECT-TYPE SYNTAX INTEGER(0..2147483648) ACCESS read-write STATUS mandatory Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 23] Internet Draft PPP/Security MIB July 1992 DESCRIPTION "The value of ifIndex that identifies the entry in the interface table that is associated with the local PPP Link for which this ID/Password pair will be evaluated as valid. A particular ID/Password pair is valid only for the link(s) for which there is a pppPapPeerSecretsTable entry containing said ID/Password pair. By convention, a value of 0 for this object indicates all links on the local PPP entity." ::= { pppPapPeerSecretsEntry 1 } pppPapPeerSecretsIndex OBJECT-TYPE SYNTAX INTEGER(0..2147483648) ACCESS read-write STATUS mandatory DESCRIPTION "A unique value for each ID/Password pair that has been defined for use on this link. This allows multiple ID/Password pairs to be defined for each link." ::= { pppPapPeerSecretsEntry 2 } pppPapPeerSecretsId OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..255)) ACCESS read-write STATUS mandatory DESCRIPTION "A Peer-ID which may attempt to connect over the link identified by pppPapPeerSecretsLink." ::= { pppPapPeerSecretsEntry 3 } pppPapPeerSecretsPassword OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..255)) ACCESS read-write STATUS mandatory DESCRIPTION "The Password associated with the Peer-ID identified in pppPapPeerSecretsId." ::= { pppPapPeerSecretsEntry 4 } Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 24] Internet Draft PPP/Security MIB July 1992 pppPapPeerSecretsStatus OBJECT-TYPE SYNTAX INTEGER { invalid(1), valid(2) } ACCESS read-write STATUS mandatory DESCRIPTION "Setting this object to the value invalid(1) has the effect of invalidating the corresponding entry in the pppPapPeerSecretsTable. It is an implementation-specific matter as to whether the agent removes an invalidated entry from the table. Accordingly, management stations must be prepared to receive tabular information from agents that corresponds to entries not currently in use. Proper interpretation of such entries requires examination of the relevant pppPapPeerSecretsStatus object." DEFVAL { valid } ::= { pppPapPeerSecretsEntry 5 } END Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 25] Internet Draft PPP/Security MIB July 1992 6. Acknowledgements This document was produced by the PPP working group. In addition to the working group, the author wishes to thank the following individuals for their comments and contributions: Bill Simpson -- Daydreamer Glenn McGregor -- Merit Jesse Walker -- DEC Chris Gunner -- DEC Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 26] Internet Draft PPP/Security MIB July 1992 7. Security Considerations The PPP MIB affords the network operator the ability to configure and control the PPP links of a particular system, including the PPP authentication protocols. This represents a security risk. These risks are addressed in the following manners: (1) All variables which represent a significant security risk are placed in separate, optional, MIB Groups. As the MIB Group is the quantum of implementation within a MIB, the implementor of the MIB may elect not to implement these groups. (2) The implementor may choose to implement the variables which present a security risk so that they may not be written, i.e., the variables are READ-ONLY. This method still presents a security risk, and is not recommended, in that the variables, specifically the PPP Authentication Protocols' variables, may be easily read. (3) Using the new SNMP administrative framework[13,14], the operator can place the variables into MIB views which are protected in that the parties which have access to those MIB views use authentication and privacy protocols, or the operator may elect to make these views not accessible to any party. In order to facilitate this placement, all security-related variables are placed in separate MIB Tables. This eases the identification of the necessary MIB View Subtree. Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 27] Internet Draft PPP/Security MIB July 1992 8. References [1] M.T. Rose and K. McCloghrie, Structure and Identification of Management Information for TCP/IP-based internets, Internet Working Group Request for Comments 1155. Network Information Center, SRI International, Menlo Park, California, (May, 1990). [2] K. McCloghrie and M.T. Rose, Management Information Base for Network Management of TCP/IP-based internets - MIB-2, Internet Working Group Request for Comments 1213. Network Information Center, SRI International, Menlo Park, California, (March, 1991). [3] Information processing systems - Open Systems Interconnection - Specification of Abstract Syntax Notation One (ASN.1), International Organization for Standardization. International Standard 8824, (December, 1987). [4] Information processing systems - Open Systems Interconnection - Specification of Basic Encoding Rules for Abstract Notation One (ASN.1), International Organization for Standardization. International Standard 8825, (December, 1987). [5] Rose, M., and K. McCloghrie, Editors, Concise MIB Definitions, RFC 1212, Performance Systems International, Hughes LAN Systems, March 1991. [6] Rose, M., Editor, A Convention for Defining Traps for use with the SNMP, RFC 1215, Performance Systems International, March 1991. [7] K. McCloghrie, Extensions to the Generic-Interface MIB, RFC1229, Hughes LAN Systems, May 1991. [8] W. Simpson, The Point-to-Point Protocol for the Transmission of Multi-protocol Datagrams over Point-to- Point Links, RFC 1331, May 1992. [9] G. McGregor, The PPP Internet Protocol Control Protocol, RFC 1332, Merit, May 1992. Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 28] Internet Draft PPP/Security MIB July 1992 [10] F. Baker, Point-to-Point Protocol Extensions for Bridging, RFC1220, ACC, April 1991. [11] PPP Authentication Protocols, Work In Progress [12] W. Simpson, PPP Link Quality Monitoring, RFC 1333, May 1992. [13] New SNMP Administrative Model, Work In Progress. [14] SNMP Security Protocols, Work In Progress. Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 29] Internet Draft PPP/Security MIB July 1992 Table of Contents Status of this Memo .................................... 1 1 Abstract .............................................. 2 2 The Network Management Framework ...................... 3 3 Objects ............................................... 4 3.1 Format of Definitions ............................... 4 4 Overview .............................................. 5 4.1 Object Selection Criteria ........................... 5 4.2 Structure of the PPP ................................ 5 4.3 MIB Groups .......................................... 6 5 Definitions ........................................... 8 5.1 PPP Security Configuration Group .................... 9 5.2 PPP CHAP Group ...................................... 12 5.3 PPP PAP Group ....................................... 20 6 Acknowledgements ...................................... 26 7 Security Considerations ............................... 27 8 References ............................................ 28 Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 30]