Network Working Group A. Garcia-Martinez
Internet-Draft UC3M
Intended status: Standards Track December 18, 2008
Expires: June 21, 2009
Management Information Base for Cryptographically Generated Addresses
(CGA)
draft-garcia-martinez-cgamib-01
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 21, 2009.
Copyright Notice
Copyright (c) 2008 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Abstract
This memo defines a portion of the Management Information Base (MIB)
for managing Cryptographically Generated Addresses (CGA).
Garcia-Martinez Expires June 21, 2009 [Page 1]
Internet-Draft CGA MIB December 2008
Table of Contents
1. The Internet-Standard Management Framework . . . . . . . . . . 3
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 18
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
6.1. Normative References . . . . . . . . . . . . . . . . . . . 19
6.2. Informative References . . . . . . . . . . . . . . . . . . 20
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 20
1. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410]. Managed objects are accessed via a virtual
information store, termed the Management Information Base or MIB.
MIB objects are generally accessed through the Simple Network
Management Protocol (SNMP). Objects in the MIB are defined using the
mechanisms defined in the Structure of Management Information (SMI).
This memo specifies a MIB module that is compliant to the SMIv2,
which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579
[RFC2579] and STD 58, RFC 2580 [RFC2580].
2. Overview
This document defines the portion of the Management Information Base
(MIB) to be used for managing Cryptographically Generated Addresses
(CGA) [RFC3972]. CGA addresses are IPv6 addresses for which the
interface identifier is generated by computing a one-way hash
function from a public signature key and some auxiliary parameters.
The cgaLocalTable holds the information related to the CGA addresses
configured as local addresses in the managed system. These CGAs can
be used by any protocol that requires locally configured CGAs, such
as SEND or SHIM6. This table
contains CGA-specific information such as the elements of the CGA
Parameters data structure. More information related to the address
can be obtained from the corresponding entries at the ipAddressTable
[RFC4293]. CGA addresses are represented as an InetAddressIPv6 type
defined in [RFC4001]. Managers can create new entries in the table
to configure the node with new CGA addresses. A discrete spin lock
object is used to coordinate the creation of rows by different
managers. The table also includes a columnar object that indicates
the protocols that are currently using the local CGA.
The cgaRemoteTable contains information related to CGA addresses of
remote systems. Different protocols (e.g. SEND or SHIM6) or other
means can be used to convey this information to the managed node, and
several of these protocols may be using a given CGA at the same time.
The table contains the address represented as an InetAddressIPv6
type, and the elements of the CGA Parameters data structure. The
table also includes a columnar object that indicates the protocols
that are currently using the remote CGA.
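The validity condition that the MIB below states for cgaLocalOperStatus and for cgaRemoteTable entries (Hash1 reproducing the interface identifier, Hash2 beginning with 16*sec zero bits), worked through per RFC 3972 as an added Python example that is not part of this draft; the function names, the sample prefix, the starting modifier and the stand-in public key are constructed here and are not real values.

```python
"""CGA validity check per RFC 3972 (added example; names are hypothetical).
The subnet prefix is taken from the address itself, as the MIB does with
ipAddressAddr / cgaRemoteAddr."""
import hashlib
import ipaddress
import os

SEC_MASK = 0xE0      # bits 0-2 (leftmost) of the interface identifier carry Sec
UG_MASK = 0x03       # bits 6-7 (u and g) are cleared in a CGA
COMPARE_MASK = 0xFF & ~(SEC_MASK | UG_MASK)  # 0x1C: octet-0 bits Hash1 must match


def cga_parameters(modifier, prefix, collision_count, public_key, extensions=b""):
    """Serialise the CGA Parameters structure (RFC 3972, Section 4). The fields
    map onto cgaLocalModifier (16 octets), the subnet prefix of ipAddressAddr
    (8 octets), cgaLocalCollisionCount (1 octet), cgaLocalPublicKey (DER
    SubjectPublicKeyInfo) and cgaLocalExtensionFields."""
    if len(modifier) != 16 or len(prefix) != 8:
        raise ValueError("modifier must be 16 octets and prefix 8 octets")
    return modifier + prefix + bytes([collision_count]) + public_key + extensions


def hash1(params):
    """Hash1: leftmost 64 bits of SHA-1 over the whole CGA Parameters."""
    return hashlib.sha1(params).digest()[:8]


def hash2(modifier, public_key, extensions=b""):
    """Hash2: leftmost 112 bits of SHA-1 over the parameters with the subnet
    prefix and collision count set to zero (nine zero octets)."""
    return hashlib.sha1(modifier + bytes(9) + public_key + extensions).digest()[:14]


def hash2_has_zero_bits(h2, sec):
    """True when the leftmost 16*sec bits of Hash2 are zero (always for sec=0)."""
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def verify_cga(address, modifier, collision_count, public_key, extensions=b""):
    """RFC 3972, Section 5: the condition the MIB states for cgaLocalOperStatus
    validAndEnabled(1) and for every cgaRemoteTable entry."""
    packed = ipaddress.IPv6Address(address).packed
    prefix, iid = packed[:8], packed[8:]
    if not 0 <= collision_count <= 2:               # CgaCollisionCount range
        return False
    h1 = hash1(cga_parameters(modifier, prefix, collision_count, public_key, extensions))
    # Hash1 must equal the interface identifier except for the Sec and u/g bits.
    if (h1[0] & COMPARE_MASK) != (iid[0] & COMPARE_MASK) or h1[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5                                # Sec: three leftmost bits of the IID
    return hash2_has_zero_bits(hash2(modifier, public_key, extensions), sec)


def generate_cga(prefix, public_key, sec, extensions=b"", modifier=None, collision_count=0):
    """RFC 3972, Section 4; returns (address, modifier). The loop is the hash
    extension: the modifier is incremented until Hash2 has 16*sec leading zero
    bits, which raises the brute-force cost to about 2**(59 + 16*sec) hashes.
    collision_count stands in for duplicate address detection."""
    modifier = os.urandom(16) if modifier is None else modifier
    while not hash2_has_zero_bits(hash2(modifier, public_key, extensions), sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % 2**128).to_bytes(16, "big")
    iid = bytearray(hash1(cga_parameters(modifier, prefix, collision_count, public_key, extensions)))
    iid[0] = (iid[0] & COMPARE_MASK) | (sec << 5)    # write Sec, clear u and g
    return ipaddress.IPv6Address(prefix + bytes(iid)), modifier


# Constructed inputs (not from the draft): a /64 prefix, a fixed starting
# modifier, and a byte string standing in for the DER SubjectPublicKeyInfo
# that cgaLocalPublicKey would hold. It is not a real key.
SAMPLE_PREFIX = ipaddress.IPv6Address("2001:db8::").packed[:8]
SAMPLE_START_MODIFIER = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_KEY = b"constructed stand-in for a DER-encoded SubjectPublicKeyInfo" * 3


def demo(sec=1):
    """Generate a CGA with the given Sec and report what the verifier accepts."""
    address, modifier = generate_cga(SAMPLE_PREFIX, SAMPLE_KEY, sec, modifier=SAMPLE_START_MODIFIER)
    tampered_modifier = bytes([modifier[0] ^ 0x80]) + modifier[1:]
    packed = address.packed
    # Same IID with the Sec bits forced to 7: Hash1 still matches, Hash2 cannot.
    inflated = ipaddress.IPv6Address(packed[:8] + bytes([packed[8] | SEC_MASK]) + packed[9:])
    return {
        "address": str(address),
        "sec": packed[8] >> 5,
        "ug_bits": packed[8] & UG_MASK,
        "valid": verify_cga(address, modifier, 0, SAMPLE_KEY),
        "tampered_modifier": verify_cga(address, tampered_modifier, 0, SAMPLE_KEY),
        "wrong_collision_count": verify_cga(address, modifier, 1, SAMPLE_KEY),
        "collision_count_out_of_range": verify_cga(address, modifier, 3, SAMPLE_KEY),
        "inflated_sec": verify_cga(inflated, modifier, 0, SAMPLE_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the MIB text says Hash2 operates on the same input as Hash1; RFC 3972 actually zeroes the subnet prefix and collision count for Hash2, which is what the code does.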
3. Definitions
CGA-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, mib-2 FROM SNMPv2-SMI
TEXTUAL-CONVENTION, TestAndIncr,
RowStatus, StorageType, TimeStamp FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
InetAddressIPv6 FROM INET-ADDRESS-MIB
ipAddressAddrType, ipAddressAddr FROM IP-MIB;
cgaMIB MODULE-IDENTITY
LAST-UPDATED "200812170000Z"
ORGANIZATION "IETF CSI (Cga & Send Maintenance) Working Group"
CONTACT-INFO
"Editor:
Alberto Garcia-Martinez
U. Carlos III de Madrid
Avenida Universidad, 30
Leganes, Madrid 28911
Spain
Email: alberto.garcia@uc3m.es
CSI Working Group: cga-ext@ietf.org"
DESCRIPTION
" The MIB module for managing the CGA Parameters data
structure of CGAs local to the managed node.
Copyright (c) 2008 IETF Trust and the persons identified
as the document authors. All rights reserved.
This version of this MIB module is part of RFC yyyy; see
the RFC itself for full legal notices."
-- RFC Ed.: replace yyyy with actual RFC number & remove this
-- note
REVISION "200812170000Z"
DESCRIPTION
"Initial version, published as RFC yyyy."
-- RFC Ed.: replace yyyy with actual RFC number & remove
-- this note
::= { mib-2 XXX }
-- RFC Ed.: replace XXX with actual number assigned by IANA
-- & remove this note
--
-- The textual conventions we define and use in this MIB.
--
CgaModifier ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"128-bit unsigned integer, which can be any value. Used
during CGA generation to implement the hash extension and
add randomness to the address."
REFERENCE "RFC 3972"
SYNTAX OCTET STRING (SIZE (16))
CgaCollisionCount ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Counter that is incremented during CGA generation to
recover from an address collision. Up to two collisions
are allowed."
REFERENCE "RFC 3972"
SYNTAX INTEGER {
zerocollisions(0),
onecollision(1),
twocollisions(2)
}
CgaKeyInfo ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Variable-length field containing the key (either public
or private) of the address (CGA) owner. The key MUST be
formatted as a DER-encoded [CCITT.X690.2002] ASN.1
structure of the type SubjectPublicKeyInfo, defined in the
Internet X.509 certificate profile [RFC3280]. When RSA is
used, the algorithm identifier MUST be rsaEncryption,
which is 1.2.840.113549.1.1.1, and the RSA public key MUST
be formatted by using the RSAPublicKey type as specified
in Section 2.3.1 of RFC 3279 [RFC3279]. The length of
this field is determined by the ASN.1 encoding."
REFERENCE "RFC 3279, RFC 3280, ITU-T Recommendation X.690"
SYNTAX OCTET STRING (SIZE (0..1024))
CgaProtocolsUsingCga ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"BITS construct indicating the protocols that are using a
CGA. A protocol is using the CGA if the protocol-specific
part of the system is using it (for example, because its
parameters are cached for future use by the protocol).
The management system may not support updating this
object, in which case the unknown bit must be set to 1.
If the unknown bit is set to 1, no other bit may be set.
Several protocols can be using a CGA at the same time, so
several bits may be set simultaneously (except when the
unknown bit is set). It can also occur that no protocol
is currently using the CGA, for example just after the
CGA has been configured in the system; in this case no
bit is set. This should be the default value for this
object if the management system supports updating it."
SYNTAX BITS {
unknown(0),
send(1),
shim6(2) }
cga OBJECT IDENTIFIER ::= { cgaMIB 1 }
--
-- Information related to local CGA
--
cgaLocalSpinLock OBJECT-TYPE
SYNTAX TestAndIncr
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An advisory lock used to allow cooperating SNMP managers
to coordinate their use of the set operation in creating
or removing rows within the cgaLocalTable. Note that the
rows in the cgaLocalTable must not be modified (except for
the RowStatus columnar object).
In order to use this lock to coordinate the use of set
operations, managers should first retrieve
cgaLocalSpinLock. They should then determine the
appropriate row to create or remove (setting the
appropriate value to the cgaLocalRowStatus object).
Finally, they should issue the appropriate set command,
including the retrieved value of cgaLocalSpinLock. If
another manager has created or destroyed the row in the
meantime, then the value of cgaLocalSpinLock will have
changed, and the creation will fail as it will be
specifying an incorrect value for cgaLocalSpinLock. It is
suggested, but not required, that the cgaLocalSpinLock be
the first var bind for each set of objects representing a
'row' in a PDU."
::= { cga 1 }
cgaLocalTable OBJECT-TYPE
SYNTAX SEQUENCE OF CgaLocalEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table contains information relevant to CGA addresses
configured as local addresses in the node.
The table is intended to allow managers to add or remove
entries as a whole. Modifying the parameters that are used
to calculate the CGA would create inconsistencies, so it
is not allowed. Entries in this table have a corresponding
entry in the ipAddressTable [RFC4293], which provides
information such as the interface on which the address is
configured, its status, the time at which it was created
or changed, etc."
::= { cga 2 }
cgaLocalEntry OBJECT-TYPE
SYNTAX CgaLocalEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in this table must exist for each CGA address
configured as a local address. Each entry in the
cgaLocalTable with cgaLocalAdminStatus equal to
validAndEnabled(1) must have a corresponding entry in the
IP-MIB:ipAddressTable [RFC4293], and the value of the
INDEX of an entry of the cgaLocalTable is the same as the
value of the INDEX of the corresponding entry of the
IP-MIB:ipAddressTable.
The value of ipAddressAddr must be the result of the
Hash1 computation defined in [RFC3972]. The value of
ipAddressAddrType must be ipv6(2) or ipv6z(4). The
IP-MIB:ipAddressLastChanged object must be updated to
reflect any change in the corresponding cgaLocalTable
row. The values of cgaLocalStorageType and of the
corresponding IP-MIB:ipAddressStorageType should be the
same.
The administrator can create a new row by setting
appropriate values for the parameters that are used to
build the CGA: cgaLocalModifier, cgaLocalCollisionCount,
cgaLocalPublicKey, cgaLocalPrivateKey and
cgaLocalExtensionFields. Additionally, the corresponding
entry in the IP-MIB:ipAddressTable must have its
IP-MIB:ipAddressRowStatus set to active(1) before or at
the same time as the cgaLocalOperStatus object of the
entry is set to validAndEnabled(1). Note that if the
address should only be used as a CGA, the operations of
setting the IP-MIB:ipAddressRowStatus columnar object to
active(1) and the cgaLocalOperStatus to validAndEnabled(1)
should be performed atomically. The removal of an entry
from the cgaLocalTable does not automatically require the
removal of the corresponding entry from the
IP-MIB:ipAddressTable, because the address may remain
operational even if it is no longer usable as a CGA. Once
the cgaLocalOperStatus of an entry has been set to
validAndEnabled(1) for the first time, the
cgaLocalModifier, cgaLocalCollisionCount,
cgaLocalPublicKey, cgaLocalPrivateKey and
cgaLocalExtensionFields columnar objects of the entry
must remain unmodified.
The removal of an entry from the IP-MIB:ipAddressTable
must result in the removal of the corresponding entry
from the cgaLocalTable.
The agent may create new entries for CGAs configured by
means other than network management."
INDEX { ipAddressAddrType, ipAddressAddr }
::= { cgaLocalTable 1 }
CgaLocalEntry ::= SEQUENCE {
cgaLocalModifier CgaModifier,
cgaLocalCollisionCount CgaCollisionCount,
cgaLocalPublicKey CgaKeyInfo,
cgaLocalPrivateKey CgaKeyInfo,
cgaLocalExtensionFields OCTET STRING,
cgaLocalProtocolsUsingCga CgaProtocolsUsingCga,
cgaLocalAdminStatus INTEGER,
cgaLocalOperStatus INTEGER,
cgaLocalRowStatus RowStatus,
cgaLocalStorageType StorageType
}
cgaLocalModifier OBJECT-TYPE
SYNTAX CgaModifier
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"128-bit unsigned integer, which can be any value. Used
during CGA generation to implement the hash extension and
add randomness to the address.
This object should not be modified once the
cgaLocalRowStatus object has been set to
validAndEnabled(1) for the first time."
::= { cgaLocalEntry 1 }
cgaLocalCollisionCount OBJECT-TYPE
SYNTAX CgaCollisionCount
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Counter that is incremented during CGA generation to
recover from an address collision.
This object should not be modified once the
cgaLocalRowStatus object has been set to
validAndEnabled(1) for the first time."
::= { cgaLocalEntry 2 }
cgaLocalPublicKey OBJECT-TYPE
SYNTAX CgaKeyInfo
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Variable-length field containing the public key of the
address owner.
This object should not be modified once the
cgaLocalRowStatus object has been set to
validAndEnabled(1) for the first time."
REFERENCE "RFC 3279, RFC 3280, ITU-T Recommendation X.690"
::= { cgaLocalEntry 3 }
cgaLocalPrivateKey OBJECT-TYPE
SYNTAX CgaKeyInfo
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Variable-length field containing the private key of the
address owner.
This object should not be modified once the
cgaLocalRowStatus object has been set to
validAndEnabled(1) for the first time."
REFERENCE "RFC 3279, RFC 3280, ITU-T Recommendation X.690"
::= { cgaLocalEntry 4 }
cgaLocalExtensionFields OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..1024))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Optional variable-length field. Defined as an opaque
type.
This object should not be modified once the
cgaLocalRowStatus object has been set to
validAndEnabled(1) for the first time."
::= { cgaLocalEntry 5 }
cgaLocalProtocolsUsingCga OBJECT-TYPE
SYNTAX CgaProtocolsUsingCga
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Protocols currently using this CGA."
::= { cgaLocalEntry 6 }
cgaLocalAdminStatus OBJECT-TYPE
SYNTAX INTEGER {
enabled(1),
disabled(2) }
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The desired state of the CGA. When set to enabled(1),
the administrator requires the CGA to be available as a
valid local address of the system. Conversely, when set
to disabled(2), the administrator requires the CGA not to
be available as an address for the system."
DEFVAL { disabled }
::= { cgaLocalEntry 7 }
cgaLocalOperStatus OBJECT-TYPE
SYNTAX INTEGER {
validAndEnabled(1),
disabled(2) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The current operational state of the CGA. The state
validAndEnabled(1) indicates that this entry is both valid
and operational as a local address in the system.
A CGA is valid if it fulfills the conditions stated in
RFC 3972, i.e. the computation of the Hash1 function over
a bit string that includes information from the objects
cgaLocalModifier, cgaLocalCollisionCount,
cgaLocalPublicKey, cgaLocalExtensionFields, along with the
prefix of the ipAddressAddr object, results in the
interface identifier of the ipAddressAddr; and the
computation of another hash function, Hash2, defined to
operate on the same input data as Hash1, results in
16*sec bits equal to zero (where sec is the three leftmost
bits of the interface identifier of the address)."
::= { cgaLocalEntry 8 }
cgaLocalRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The status of this conceptual row.
A conceptual row cannot be made active until all the
columnar objects, except possibly cgaLocalAdminStatus and
cgaLocalOperStatus, have been assigned a value."
::= { cgaLocalEntry 9 }
cgaLocalStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this conceptual row. If this object
has a value of 'permanent', then no other object in the
row is required to be modifiable.
The values of cgaLocalStorageType and of the
corresponding IP-MIB:ipAddressStorageType should be the
same."
DEFVAL { volatile }
::= { cgaLocalEntry 10 }
--
-- table to store information about the valid CGAs corresponding
-- to remote nodes
--
cgaRemoteTable OBJECT-TYPE
SYNTAX SEQUENCE OF CgaRemoteEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"List of valid CGA addresses of remote nodes. A CGA is
valid if it fulfills the conditions stated in RFC 3972,
i.e. the computation of the Hash1 function over a bit
string that includes information from the objects
cgaRemoteModifier, cgaRemoteCollisionCount,
cgaRemotePublicKey, cgaRemoteExtensionFields, along with
the prefix of the cgaRemoteAddr object, results in the
interface identifier of the cgaRemoteAddr; and the
computation of another hash function, Hash2, defined to
operate on the same input data as Hash1, results in
16*sec bits equal to zero (where sec is the three leftmost
bits of the interface identifier of the address).
In general, the agent populates the entries in this table
with the information obtained using a CGA-aware protocol
(i.e. SEND or SHIM6), and these protocols can be
responsible for deleting the entry according to the rules
defined for their operation. The information that could
be associated with the CGA specific to a protocol (for
example, the link layer address associated to the CGA)
must be managed in a MIB specific for the considered
protocol. Note that many protocols could be using the
same remote CGA.
All the objects in this table are defined as read-only."
::= { cga 3 }
cgaRemoteEntry OBJECT-TYPE
SYNTAX CgaRemoteEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Information related to a remote CGA."
INDEX { cgaRemoteAddr }
::= { cgaRemoteTable 1 }
CgaRemoteEntry ::= SEQUENCE {
cgaRemoteAddr InetAddressIPv6,
cgaRemoteModifier CgaModifier,
cgaRemoteCollisionCount CgaCollisionCount,
cgaRemotePublicKey CgaKeyInfo,
cgaRemoteExtensionFields OCTET STRING,
cgaRemoteProtocolsUsingCga CgaProtocolsUsingCga,
cgaRemoteOrigin INTEGER,
cgaRemoteCreated TimeStamp
}
cgaRemoteAddr OBJECT-TYPE
SYNTAX InetAddressIPv6
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The CGA IPv6 address to which this entry's addressing
information is associated."
::= { cgaRemoteEntry 1 }
cgaRemoteModifier OBJECT-TYPE
SYNTAX CgaModifier
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"128-bit unsigned integer, which can be any value. Used
during CGA generation to implement the hash extension and
add randomness to the address."
::= { cgaRemoteEntry 2 }
cgaRemoteCollisionCount OBJECT-TYPE
SYNTAX CgaCollisionCount
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Counter that is incremented during CGA generation to
recover from an address collision."
::= { cgaRemoteEntry 3 }
cgaRemotePublicKey OBJECT-TYPE
SYNTAX CgaKeyInfo
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Variable-length field containing the public key of the
remote node owner of the address."
::= { cgaRemoteEntry 4 }
cgaRemoteExtensionFields OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..1024))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Optional variable-length field. Defined as an opaque
type."
::= { cgaRemoteEntry 5 }
cgaRemoteProtocolsUsingCga OBJECT-TYPE
SYNTAX CgaProtocolsUsingCga
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Protocols currently using this CGA."
::= { cgaRemoteEntry 6 }
cgaRemoteOrigin OBJECT-TYPE
SYNTAX INTEGER {
other(1),
manual(2),
send(3),
shim6(4)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The origin of the CGA entry.
manual(2) indicates that the CGA was manually configured,
e.g. by user configuration.
send(3) indicates that the CGA was received through the
SEND protocol [RFC3971].
shim6(4) indicates that the CGA was received through the
SHIM6 protocol.
Note that each protocol may require different rules for
validating the CGA (for example, a different minimum
number of bits for the key).
Note also that although created by a particular means, the
CGA could be used at the same time by many protocols."
::= { cgaRemoteEntry 7 }
cgaRemoteCreated OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime at the time this entry was
created. If this entry was created prior to the last
re-initialization of the local network management
subsystem, then this object contains a zero value."
::= { cgaRemoteEntry 8 }
--
-- conformance information
--
cgaMIBConformance OBJECT IDENTIFIER ::= { cgaMIB 2 }
cgaMIBCompliances OBJECT IDENTIFIER ::= { cgaMIBConformance 1 }
cgaMIBGroups OBJECT IDENTIFIER ::= { cgaMIBConformance 2 }
cgaMIBCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for systems with CGA addresses."
MODULE -- this module
-- Neither of the groups defined here is mandatory. Any of them
-- can be implemented, depending on the use of the CGAs. For
-- example, it could be acceptable not to implement local CGA
-- addresses while still storing remote CGA addresses.
-- MANDATORY-GROUPS { }
GROUP cgaLocalGroup
DESCRIPTION
"This group is mandatory for nodes that support the use of
CGA as local addresses."
GROUP cgaRemoteGroup
DESCRIPTION
"This group is mandatory for nodes that implement
protocols that may rely on the identification of remote
nodes as CGA addresses, such as SEND or Shim6."
OBJECT cgaLocalSpinLock
MIN-ACCESS not-accessible
DESCRIPTION
"An agent is not required to implement this object.
However, if an agent provides write access to any of the
other objects in the cgaLocalGroup, it SHOULD provide
write access to this object as well."
OBJECT cgaLocalModifier
MIN-ACCESS read-only
DESCRIPTION
"An agent is not required to provide write or create
access to this object."
OBJECT cgaLocalCollisionCount
MIN-ACCESS read-only
DESCRIPTION
"An agent is not required to provide write or create
access to this object."
OBJECT cgaLocalPublicKey
MIN-ACCESS read-only
DESCRIPTION
"An agent is not required to provide write or create
access to this object."
OBJECT cgaLocalPrivateKey
MIN-ACCESS not-accessible
DESCRIPTION
"An agent is not required to provide write or create
access to this object. However, if an agent provides
write access to any other object in the cgaLocalGroup, it
SHOULD provide write (and read) access to this object as
well. Read access to this object is not otherwise
required: if write access is not provided to the other
objects in the cgaLocalGroup, the cgaLocalPrivateKey may
be unreadable."
OBJECT cgaLocalExtensionFields
MIN-ACCESS read-only
DESCRIPTION
"An agent is not required to provide write or create
access to this object."
OBJECT cgaLocalProtocolsUsingCga
SYNTAX BITS { unknown(0) }
DESCRIPTION
"An agent is not required to update the protocols
currently using the CGA. In this case, the unknown(0)
value is shown."
OBJECT cgaLocalAdminStatus
MIN-ACCESS read-only
DESCRIPTION
"An agent is not required to provide write or create
access to this object."
OBJECT cgaLocalRowStatus
SYNTAX RowStatus { active(1) }
MIN-ACCESS read-only
DESCRIPTION
"An agent is not required to provide write or create
access to this object. In this case, the only value
permitted is active(1)."
OBJECT cgaLocalStorageType
MIN-ACCESS read-only
DESCRIPTION
"An agent is not required to provide write or create
access to this object. If an agent allows this object to
be written or created, it is not required to allow this
object to be set to readOnly, permanent, or nonVolatile."
OBJECT cgaRemoteProtocolsUsingCga
SYNTAX BITS { unknown(0) }
DESCRIPTION
"An agent is not required to update the protocols
currently using the CGA. In this case, the unknown(0)
value is shown."
::= { cgaMIBCompliances 1 }
-- group definitions
cgaLocalGroup OBJECT-GROUP
OBJECTS {
cgaLocalSpinLock, cgaLocalModifier, cgaLocalCollisionCount,
cgaLocalPublicKey, cgaLocalPrivateKey,
cgaLocalExtensionFields, cgaLocalProtocolsUsingCga,
cgaLocalAdminStatus, cgaLocalOperStatus, cgaLocalRowStatus,
cgaLocalStorageType }
STATUS current
DESCRIPTION
"The group of the elements representing the components of
the CGA Parameters data structure for the local node."
::= { cgaMIBGroups 1 }
cgaRemoteGroup OBJECT-GROUP
OBJECTS {
cgaRemoteModifier, cgaRemoteCollisionCount,
cgaRemotePublicKey, cgaRemoteExtensionFields,
cgaRemoteProtocolsUsingCga, cgaRemoteOrigin, cgaRemoteCreated
}
STATUS current
DESCRIPTION
"The group of the elements representing the components of
the CGA Parameters data structure for remote nodes."
::= { cgaMIBGroups 2 }
END
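The cgaLocalSpinLock procedure described in the module above (retrieve the lock, decide on the row, then issue the SET carrying the retrieved value), simulated as an added Python example that is not part of this draft; CgaLocalAgent, race_two_managers and wraps_at_maximum are hypothetical names, and the sample address is constructed.

```python
"""The cgaLocalSpinLock procedure (TestAndIncr) simulated for two managers.
Added example; CgaLocalAgent and race_two_managers are hypothetical names."""

MAX_TEST_AND_INCR = 2147483647  # TestAndIncr wraps from 2**31-1 to 0 (SNMPv2-TC)


class CgaLocalAgent:
    """Toy agent holding cgaLocalSpinLock and the cgaLocalTable rows."""

    def __init__(self):
        self.spin_lock = 0
        self.rows = {}  # ipAddressAddr -> dict of CGA Parameters columns

    def get_spin_lock(self):
        """GET cgaLocalSpinLock: the value a manager must echo in its SET."""
        return self.spin_lock

    def set_row(self, lock_value, address, row=None):
        """Process one SET PDU: cgaLocalSpinLock first, then the row objects.

        row=None stands for cgaLocalRowStatus=destroy(6); otherwise the PDU
        is a createAndGo(4) carrying the row's parameters. SNMP SETs are
        as-if-simultaneous, so nothing is applied and the lock does not move
        unless every varbind succeeds."""
        if lock_value != self.spin_lock:
            return "inconsistentValue"  # another manager changed the table meanwhile
        if row is None and address not in self.rows:
            return "inconsistentValue"  # nothing to destroy
        if row is not None and address in self.rows:
            return "inconsistentValue"  # parameters of an existing row must not change
        if row is None:
            del self.rows[address]
        else:
            self.rows[address] = row
        self.spin_lock = 0 if self.spin_lock == MAX_TEST_AND_INCR else self.spin_lock + 1
        return "noError"


def race_two_managers():
    """Two managers read the lock, then both act on the same row.

    Returns (A's result, B's stale result, B's retry result, final lock)."""
    agent = CgaLocalAgent()
    addr = "2001:db8::3e01:2345:6789:abcd"  # constructed sample address
    agent.rows[addr] = {"cgaLocalCollisionCount": 0}
    lock_a = agent.get_spin_lock()  # manager A reads 0
    lock_b = agent.get_spin_lock()  # manager B reads 0 as well
    first = agent.set_row(lock_a, addr)  # A destroys the row; lock becomes 1
    stale = agent.set_row(lock_b, addr)  # B's PDU still carries 0: rejected
    retry = agent.set_row(agent.get_spin_lock(), addr,
                          {"cgaLocalCollisionCount": 1})  # B re-reads, re-decides
    return first, stale, retry, agent.get_spin_lock()


def wraps_at_maximum():
    """TestAndIncr wraps to 0 after 2**31-1; returns (result, lock after)."""
    agent = CgaLocalAgent()
    agent.spin_lock = MAX_TEST_AND_INCR
    result = agent.set_row(MAX_TEST_AND_INCR, "2001:db8::1", {"cgaLocalCollisionCount": 0})
    return result, agent.get_spin_lock()
```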
4. Security Considerations
Some of the management objects of this MIB module have been defined
with either a MAX-ACCESS clause of read-create (for the columnar
objects belonging to the cgaLocalTable) or read-write (for the
spinlock object to control access to that table). Such access
capability may be considered sensitive or vulnerable in some network
environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on
network operations.
The objects of the cgaLocalTable specify the CGA addresses configured
in this node. An attacker could delete or disable the entry
associated with a CGA to prevent the node from benefiting from the
authentication and certification facilities provided by the
combination of CGA addresses and protocols such as SEND [RFC3971]
or SHIM6.
The addition by an attacker of a row composed of consistent
information about a CGA could allow the node to impersonate the
identity of another node.
Regarding the risks of providing GET access to the tables defined
in this MIB, the main risk is that the private key (contained in the
cgaLocalPrivateKey object) could be disclosed. Some implementations
that do not provide write access to the CGA elements may also disable
read access to the cgaLocalPrivateKey object. The rest of the
information contained in the cgaLocalTable is used to prove the
identity of the node to other nodes communicating with it.
Therefore, its disclosure does not give an attacker a significant
advantage in impersonating the node (unless factoring attacks become
practical and the private key could be derived from the public one,
in which case the CGA should be changed). The other risks are
essentially the same as those arising from knowledge of a set of
non-CGA addresses, i.e. being able to correlate traffic from
different addresses.
Analogous considerations apply to the information contained in the
cgaRemoteTable.
SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec),
there is still no control as to who on the secure network is
allowed to access and GET/SET (read/change/create/delete) the objects
in this MIB module.
It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to GET or SET (change/create/delete) them.
5. IANA Considerations
The MIB module in this document uses the following IANA-assigned
OBJECT IDENTIFIER value recorded in the SMI Numbers registry:
Descriptor OBJECT IDENTIFIER value
---------- -----------------------
cgaMIB { mib-2 XXX }
Editor's Note (to be removed prior to publication): the IANA is
requested to assign a value for "XXX" under the 'mib-2' subtree and
to record the assignment in the SMI Numbers registry. When the
assignment has been made, the RFC Editor is asked to replace "XXX"
(here and in the MIB module) with the assigned value and to remove
this note.
6. References
6.1. Normative References
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Textual Conventions for SMIv2",
STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999.
[RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and
Identifiers for the Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 3279, April 2002.
[RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile", RFC 3280,
April 2002.
[RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)",
RFC 3972, March 2005.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network
Addresses", RFC 4001, February 2005.
[RFC4293] Routhier, S., "Management Information Base for the
Internet Protocol (IP)", RFC 4293, April 2006.
[CCITT.X690.2002]
International Telephone and Telegraph Consultative
Committee, "ASN.1 encoding rules: Specification of Basic
Encoding Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER)", CCITT Recommendation
X.690, July 2002.
6.2. Informative References
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for
Internet-Standard Management Framework", RFC 3410, December 2002.
[RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
Neighbor Discovery (SEND)", RFC 3971, March 2005.
Author's Address
Alberto Garcia-Martinez
Universidad Carlos III de Madrid
Av. Universidad 30
Leganes, Madrid 28911
SPAIN
Phone: 34 91 6249500
Email: alberto@it.uc3m.es
URI: http://www.it.uc3m.es