<?xml version="1.0"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes" ?>
<?rfc compact="yes"?>
<rfc obsoletes="" updates="" category="std" ipr="full3978" 
docName="draft-garcia-martinez-cgamib-01">
<front>
<title abbrev="CGA MIB">
Management Information Base for Cryptographically Generated Addresses (CGA)
</title>
<author initials="A." surname="Garcia-Martinez" fullname="Alberto Garcia-Martinez">
<organization abbrev="UC3M">
Universidad Carlos III de Madrid
</organization>
<address>
<postal>
<street>Av. Universidad 30</street>
<city>Leganes</city>
<region>Madrid</region>
<code>28911</code>
<country>SPAIN</country>                                        
</postal>
<phone>34 91 6249500</phone>
<email>alberto@it.uc3m.es</email>
<uri>http://www.it.uc3m.es</uri>
</address>
</author>

<date year="2008"/>



<abstract>

<t>This memo defines a portion of the Management Information Base (MIB) for managing Cryptographically Generated Addresses (CGA).</t>
</abstract>
</front>

<middle>

<section title="The Internet-Standard Management Framework">
<t> For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 <xref target="RFC3410"></xref>.
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).

Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 <xref target="RFC2578"></xref>, STD 58, RFC 2579 <xref target="RFC2579"></xref> and STD 58, RFC 2580 
<xref target="RFC2580"></xref>.
</t>

</section>

<section title="Overview"> 

<t> This document defines the portion of the Management Information Base (MIB) to be used for managing 
Cryptographically Generated Addresses (CGA) <xref target="RFC3972"></xref>. CGA addresses are IPv6 addresses for which the interface 
identifier is generated by computing a one-way hash function from a public signature key and some auxiliary parameters. </t>

<t> The cgaLocalTable contains the information related to the CGAs configured as local addresses of the managed system. These CGAs can be used by any protocol that requires a CGA configured as a local address, such as SEND or Shim6. The table holds the CGA-specific information, namely the elements of the CGA Parameters data structure, together with the private key that matches the public key carried in that structure. Further information about the address (the interface on which it is configured, its status, its creation time) is available from the corresponding entry of the ipAddressTable <xref target="RFC4293"></xref>. CGA addresses are represented using the InetAddressIPv6 type defined in <xref target="RFC4001"></xref>. Managers can create new entries in the table to configure the node with new CGAs. A separate spin lock object is used to coordinate the creation and removal of rows by different managers. The table also includes a columnar object that indicates the protocols currently using each local CGA.</t>

<t> The cgaRemoteTable contains information related to the CGAs of remote systems. Different protocols (e.g. SEND or Shim6) or other means can be 
used to convey this information to the managed node, and several of these protocols may be using a given CGA at the same time. The table contains the 
address, represented using the InetAddressIPv6 type, and the elements of the CGA Parameters data structure. The table also includes a columnar object that indicates the protocols currently using each remote CGA.</t>








</section>

<section title="Definitions"> 

<t>CGA-MIB DEFINITIONS ::= BEGIN</t>

<t>IMPORTS</t>
<figure>
<artwork>
   MODULE-IDENTITY, OBJECT-TYPE, mib-2          FROM SNMPv2-SMI
   TEXTUAL-CONVENTION, TestAndIncr,
   RowStatus, StorageType, TimeStamp            FROM SNMPv2-TC
   MODULE-COMPLIANCE, OBJECT-GROUP              FROM SNMPv2-CONF
   InetAddressIPv6                              FROM INET-ADDRESS-MIB
   ipAddressAddrType, ipAddressAddr             FROM IP-MIB;
</artwork>
</figure>


<t>cgaMIB MODULE-IDENTITY</t>
<list hangIndent='4'>
<t>LAST-UPDATED "200812170000Z"</t>
<t>ORGANIZATION "IETF CSI (Cga &amp; Send Maintenance) Working Group"</t>
<t>CONTACT-INFO</t> 


<list hangIndent='7'>
        <t>"Editor:</t>
        <t></t>
        <t>Alberto Garcia-Martinez</t>
        <t>U. Carlos III de Madrid</t>
        <t>Avenida Universidad, 30</t>
        <t>Leganes, Madrid 28911</t>
        <t>Spain</t>
        <t>Email: alberto.garcia@uc3m.es</t>
        <t></t>
        <t>CSI Working Group: cga-ext@ietf.org"</t>
</list>

<t>DESCRIPTION</t>
<list hangIndent='7'>
        <t>" The MIB module for managing the CGA Parameters data structure of CGAs local to the managed node.</t>
        <t></t>
        <t> Copyright (C) The IETF Trust (2008). This version of this MIB module is part of RFC yyyy; see the RFC itself for full legal notices."</t>
</list>
<figure><artwork>
    -- RFC Ed.: replace yyyy with actual RFC number &amp; remove this
    -- note
</artwork></figure>
<t>REVISION "200812170000Z"</t>
<t>DESCRIPTION</t>
<list hangIndent='7'>
        <t>"Initial version, published as RFC yyyy."</t>
</list>
	<figure><artwork>
              -- RFC Ed.: replace yyyy with actual RFC number &amp; remove 
              -- this note
	</artwork></figure>

<t>::= { mib-2 XXX }</t>
	<figure><artwork>
       -- RFC Ed.: replace XXX with actual number assigned by IANA 
       -- &amp; remove this note
	</artwork></figure>
	
</list>


<figure><artwork>
--
-- The textual conventions we define and use in this MIB.
--
</artwork></figure>

<t>CgaModifier ::= TEXTUAL-CONVENTION</t>
<list hangIndent='4'>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"128-bit unsigned integer, which can be any value. Used during CGA generation to implement the hash extension and add randomness to the address."</t>
                </list>
        <t>REFERENCE    "RFC 3972"</t>
        <t>SYNTAX       OCTET STRING (SIZE (16))</t>
</list>



<t>CgaCollisionCount ::= TEXTUAL-CONVENTION</t>
<list hangIndent='4'>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
        <list hangIndent='7'>
                <t>"Counter that is incremented during CGA generation to recover from an address collision. Up to two collisions are allowed."</t>
        </list>
        <t>REFERENCE    "RFC 3972"</t>
        <t>SYNTAX       INTEGER {</t>
        <list hangIndent='4'>
                <t>zerocollisions(0),</t>
                <t>onecollision(1),</t>
                <t>twocollisions(2)</t>
        </list>
        <t>}</t>
</list>



<t>CgaKeyInfo::= TEXTUAL-CONVENTION</t>
<list hangIndent='4'>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
        <list hangIndent='7'>
        <t>"Variable-length field containing a key of the address (CGA) owner. When the field carries a public key, it MUST be formatted as a DER-encoded
        <xref target="CCITT.X690.2002"></xref> ASN.1 structure of the type SubjectPublicKeyInfo,
        defined in the Internet X.509 certificate profile <xref target="RFC3280"></xref>. This is the same encoding as the Public Key field of the
        CGA Parameters data structure of RFC 3972, so the octets can be used as-is as input to the CGA hash computations. When RSA is used, the
        algorithm identifier MUST be rsaEncryption, which is
        1.2.840.113549.1.1.1, and the RSA public key MUST be formatted by
        using the RSAPublicKey type as specified in Section 2.3.1 of RFC
        3279 <xref target="RFC3279"></xref>. The length of this field is determined by the ASN.1 encoding.</t>
        <t>Note that SubjectPublicKeyInfo carries public key material only. When this convention is used for a private key (cgaLocalPrivateKey),
        the SubjectPublicKeyInfo format does not apply; the value is the DER-encoded private key structure of the algorithm in use (for RSA,
        the RSAPrivateKey type defined in PKCS #1)."</t>
        </list>
        
        <t>REFERENCE    "RFC 3279, RFC 3280, ITU-T Recommendation X.690"</t>
        <t>SYNTAX       OCTET STRING (SIZE (0..1024))</t>
</list>
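<t>As an added illustration, not part of this draft or of the MIB module, the following Python code shows the check an agent (or a manager validating what it is about to write) can run on a CgaKeyInfo value that is meant to hold a public key: the octets must parse as exactly one DER SubjectPublicKeyInfo, the algorithm OID must be rsaEncryption (1.2.840.113549.1.1.1), and the BIT STRING must contain an RSAPublicKey. The DER helpers are written out rather than taken from a library so that every step is visible. The minimum modulus size is a policy parameter of the illustration (RFC 3972 does not fix one), and TOY_SPKI is built from a constructed number that is not a real RSA modulus.</t>
<figure><artwork><![CDATA[
```python
# Minimal DER encoder/decoder for SubjectPublicKeyInfo with rsaEncryption (X.690,
# RFC 3279 2.3.1). Written out instead of using a library so the check is readable.
RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"
RSA_ENCRYPTION_OID_DER = bytes.fromhex("2a864886f70d010101")

def _der_len(n):
    """Definite length: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value):
    """Non-negative INTEGER, minimal octets, sign bit clear."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def encode_rsa_spki(n, e):
    """SubjectPublicKeyInfo { {rsaEncryption, NULL}, BIT STRING { RSAPublicKey {n, e} } }."""
    rsa_public_key = _tlv(0x30, _der_int(n) + _der_int(e))
    alg_id = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID_DER) + b"\x05\x00")
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_public_key))  # 0 unused bits

def _read_tlv(buf, pos):
    """(tag, body, end) of the TLV at buf[pos]; rejects truncated or non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes, start = first & 0x7F, pos + 2 + (first & 0x7F)
        if nbytes == 0 or nbytes > 4 or start > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos + 2:start], "big")
        if length < 0x80 or (nbytes > 1 and length < 1 << (8 * (nbytes - 1))):
            raise ValueError("non-minimal DER length")
    if start + length > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[start:start + length], start + length

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _expect(tag, got, what):
    if got != tag:
        raise ValueError(f"{what}: unexpected tag 0x{got:02x}")

def _int_value(body, what):
    """Reject negative values and non-minimal (zero-padded) encodings."""
    if not body or body[0] & 0x80 or (len(body) > 1 and body[0] == 0 and body[1] < 0x80):
        raise ValueError(f"{what}: not a minimal non-negative INTEGER")
    return int.from_bytes(body, "big")

def check_cga_key_info(blob, min_modulus_bits=1024):
    """Validate a CgaKeyInfo value carrying a public key. min_modulus_bits is a
    per-protocol policy knob of this illustration. Returns (n, e) or raises ValueError."""
    if not 0 < len(blob) <= 1024:
        raise ValueError("empty, or outside SIZE (0..1024)")
    tag, spki, end = _read_tlv(blob, 0)
    _expect(0x30, tag, "SubjectPublicKeyInfo")
    if end != len(blob):
        raise ValueError("trailing octets after SubjectPublicKeyInfo")
    tag, alg_id, pos = _read_tlv(spki, 0)
    _expect(0x30, tag, "AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    _expect(0x06, tag, "algorithm")
    if _decode_oid(oid) != RSA_ENCRYPTION_OID:
        raise ValueError(f"algorithm {_decode_oid(oid)} is not rsaEncryption")
    tag, bitstr, end = _read_tlv(spki, pos)
    _expect(0x03, tag, "subjectPublicKey")
    if end != len(spki) or bitstr[:1] != b"\x00":
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa, end = _read_tlv(bitstr, 1)
    _expect(0x30, tag, "RSAPublicKey")
    if end != len(bitstr):
        raise ValueError("trailing octets after RSAPublicKey")
    tag, n_body, pos = _read_tlv(rsa, 0)
    tag2, e_body, end = _read_tlv(rsa, pos)
    _expect(0x02, tag, "modulus")
    _expect(0x02, tag2, "publicExponent")
    if end != len(rsa):
        raise ValueError("trailing octets inside RSAPublicKey")
    n, e = _int_value(n_body, "modulus"), _int_value(e_body, "publicExponent")
    if n.bit_length() < min_modulus_bits:
        raise ValueError(f"{n.bit_length()}-bit modulus below the {min_modulus_bits}-bit minimum")
    return n, e

def is_valid_cga_key_info(blob, min_modulus_bits=1024):
    try:
        check_cga_key_info(blob, min_modulus_bits)
        return True
    except ValueError:
        return False

# Constructed toy modulus (not a real RSA key); exercises the long-form length path.
TOY_SPKI = encode_rsa_spki((1 << 2047) + 1, 65537)
```
]]></artwork></figure>
<t>The parser insists on minimal lengths and minimal INTEGER encodings, so two different byte strings cannot decode to the same key; that matters here because the octets, not the decoded key, are what enter the CGA hash, and a manager that "normalises" the key on the way in would silently break verification.</t>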
<t>CgaProtocolsUsingCga::= TEXTUAL-CONVENTION</t>
<list hangIndent='4'>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
        <list hangIndent='7'>
        <t>"BITS construct that indicates the protocols that are using a CGA. A protocol is using the CGA if the protocol-specific part 
	of the system is using this CGA (for example, because its parameters are cached for future use by the protocol).</t>
	<t>The agent may not support keeping this object up to date, in which case the unknown(0) bit must be set. If the unknown(0) bit is set,
	no other bit may be set.</t>
	<t>Several protocols can be using a CGA at the same time, so several bits may be set simultaneously (except when the unknown(0) bit is set). 
	It can also occur that no protocol is currently using the CGA, for example just after the CGA has been configured in the system; in this case
	no bits are set. This should be the initial value of this object when the agent supports keeping it up to date."</t>
        </list>
        <t>SYNTAX       BITS {</t>
	       	<list hangIndent='4'>
                <t>unknown(0),</t>
		<t>send(1),</t>
                <t>shim6(2) }</t>
		</list>
</list>
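<t>As an added illustration, not part of this draft, the following Python code encodes and decodes values of this textual convention as they appear on the wire. SMIv2 maps a BITS value onto an OCTET STRING in which bit 0 is the most significant bit of the first octet, so send(1) and shim6(2) set together are the single octet 0x60, not 0x06; the decoder also enforces the rule above that unknown(0) excludes every other bit, and rejects bits outside the enumeration.</t>
<figure><artwork><![CDATA[
```python
# Bit positions of CgaProtocolsUsingCga: BITS { unknown(0), send(1), shim6(2) }.
# SMIv2 (RFC 2578, 7.1.4) encodes BITS as an OCTET STRING with bit 0 as the
# most significant bit of the first octet.
PROTOCOL_BITS = {"unknown": 0, "send": 1, "shim6": 2}
_KNOWN_MASK = 0xE0  # the three named bits all live in the first octet

def encode_protocols_using_cga(protocols):
    """Set of protocol names -> OCTET STRING value of the BITS object."""
    names = set(protocols)
    unknown_names = names - PROTOCOL_BITS.keys()
    if unknown_names:
        raise ValueError(f"not in the BITS enumeration: {sorted(unknown_names)}")
    if "unknown" in names and len(names) > 1:
        raise ValueError("unknown(0) must not be combined with other bits")
    octet = 0
    for name in names:                       # no names at all encodes as 0x00
        octet |= 0x80 >> PROTOCOL_BITS[name]
    return bytes([octet])

def decode_protocols_using_cga(octets):
    """OCTET STRING value -> set of protocol names; rejects malformed values."""
    if not octets:
        return set()                         # lenient: an empty string carries no bits
    if octets[0] & ~_KNOWN_MASK & 0xFF or any(octets[1:]):
        raise ValueError("bit outside the BITS enumeration is set")
    names = {n for n, bit in PROTOCOL_BITS.items() if octets[0] & (0x80 >> bit)}
    if "unknown" in names and len(names) > 1:
        raise ValueError("unknown(0) set together with other bits")
    return names
```
]]></artwork></figure>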



<t></t>

<t>cga       OBJECT IDENTIFIER ::= { cgaMIB 1 }</t>


<figure><artwork>
--
-- Information related to local CGA
--
</artwork></figure>

<t>cgaLocalSpinLock OBJECT-TYPE</t>
<list hangIndent='4'>
    <t>SYNTAX     TestAndIncr</t>
    <t>MAX-ACCESS read-write</t>
    <t>STATUS     current</t>
    <t>DESCRIPTION</t>
                <list hangIndent='7'>
           <t>"An advisory lock used to allow cooperating SNMP managers to
            coordinate their use of the set operation in creating or
            removing rows within the cgaLocalTable. Note that the CGA parameters of a row of the cgaLocalTable (cgaLocalModifier, cgaLocalCollisionCount, cgaLocalPublicKey, cgaLocalPrivateKey and cgaLocalExtensionFields) must not be modified once the row has become validAndEnabled(1); rows are created and removed as a whole through the cgaLocalRowStatus columnar object.</t>

            <t>In order to use this lock to coordinate the use of set
            operations, managers should first retrieve
            cgaLocalSpinLock.  They should then determine the
            appropriate row to create or remove (setting the appropriate value to the cgaLocalRowStatus object).  Finally, they should
            issue the appropriate set command, including the retrieved
            value of cgaLocalSpinLock.  If another manager has created or destroyed the row in the meantime, then the value of
            cgaLocalSpinLock will have changed, and the creation will
            fail as it will be specifying an incorrect value for
            cgaLocalSpinLock.  It is suggested, but not required, that
            the cgaLocalSpinLock be the first var bind for each set of
            objects representing a 'row' in a PDU."</t>
                </list>
		
    <t>::= { cga 1 }</t>
</list>



<t>cgaLocalTable OBJECT-TYPE</t>
<list hangIndent='4'>
    <t>SYNTAX     SEQUENCE OF CgaLocalEntry</t>
    <t>MAX-ACCESS not-accessible</t>
    <t>STATUS     current</t>
    <t>DESCRIPTION</t>
                <list hangIndent='7'>
           <t>"This table contains information relevant to the CGAs configured as local addresses in the node.</t>
<t>The table is intended to allow managers to add or remove entries as a whole. Modifying any of the parameters that are used to compute the CGA would make the address fail CGA verification, so it is not allowed.
Entries in this table have a corresponding entry in the ipAddressTable <xref target="RFC4293"></xref>, which provides information such as the interface on which the address is configured, its status, the time at which it was created or changed, etc."</t>
                </list>
    <t>::= { cga 2 }</t>
</list>

<t>cgaLocalEntry OBJECT-TYPE</t>
<list hangIndent='4'>
    <t>SYNTAX     CgaLocalEntry</t>
    <t>MAX-ACCESS not-accessible</t>
    <t>STATUS     current</t>
    <t>DESCRIPTION</t>
                <list hangIndent='7'>
           <t>"An entry in this table must exist for each CGA configured as a local address. 
	   Each entry in the cgaLocalTable with cgaLocalOperStatus equal to validAndEnabled(1)
	   must have a corresponding entry in the IP-MIB:ipAddressTable <xref target="RFC4293"></xref>, and the value of the INDEX of an entry of the cgaLocalTable is the same as the 
	   value of the INDEX of the corresponding entry of the IP-MIB:ipAddressTable.</t>
	   <t>The interface identifier of ipAddressAddr must be the one derived from the Hash1 value computed over the CGA Parameters data structure of the entry,
	   as defined in <xref target="RFC3972"></xref>. The value of ipAddressAddrType 
	   must be ipv6(2) or ipv6z(4). 
	   The IP-MIB:ipAddressLastChanged object must be updated to reflect any change to the corresponding 
	   cgaLocalTable row. The values of cgaLocalStorageType and of the corresponding IP-MIB:ipAddressStorageType should be the same.</t> 
	   <t>The administrator can create a new row by setting appropriate values for the parameters that are used to build the CGA:
	   cgaLocalModifier, cgaLocalCollisionCount, cgaLocalPublicKey, cgaLocalPrivateKey and cgaLocalExtensionFields. Additionally, the corresponding entry in the 
	   IP-MIB:ipAddressTable must have IP-MIB:ipAddressRowStatus set to active(1) before, or in the same SET operation as, the cgaLocalAdminStatus 
	   object of the entry is set to enabled(1).
	   Note that if the address should only be used as a CGA, setting IP-MIB:ipAddressRowStatus to active(1) and 
	   cgaLocalAdminStatus to enabled(1) should be performed atomically, i.e. in a single SET operation, so that the address is never configured without its CGA parameters.</t>
	   <t>The removal of an entry from the cgaLocalTable does not automatically require the removal of the corresponding entry of the IP-MIB:ipAddressTable,
	   because the address may remain operational even if it is no longer usable as a CGA.
	   Once cgaLocalOperStatus of an entry has taken the value validAndEnabled(1) for the first time, the cgaLocalModifier, cgaLocalCollisionCount, 
	   cgaLocalPublicKey, cgaLocalPrivateKey and cgaLocalExtensionFields columnar objects of the entry must remain unmodified, since changing any of them would make the address fail CGA verification.</t>
	   <t>The removal of an entry from the IP-MIB:ipAddressTable must result in the removal of the corresponding entry of the cgaLocalTable.</t>
	   <t>The agent may create new entries for CGAs configured by means other than network management."</t>

                </list>
    <t>INDEX    { ipAddressAddrType, ipAddressAddr }</t>
    <t>::= { cgaLocalTable 1 }</t>
</list>
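<t>As an added illustration, not part of this draft, the following Python code models the write semantics described for cgaLocalSpinLock and cgaLocalEntry from the agent's side: a SET PDU is validated in full before anything is committed, a stale TestAndIncr value rejects the whole PDU, a row cannot go active without all five CGA parameters, cgaLocalAdminStatus can only become enabled(1) when the IP-MIB row is active (already, or in the same PDU), the parameters become immutable once the row has been validAndEnabled(1), and removing the IP-MIB row removes the CGA row. The error-status names follow RFC 3416. The structural_check function stands in for the full RFC 3972 hash verification, which is outside this model, and the index and parameter values in race_demo are constructed.</t>
<figure><artwork><![CDATA[
```python
# Values used by the model (RowStatus from RFC 2579; the rest from this MIB module).
NO_ERROR, INCONSISTENT_VALUE, NOT_WRITABLE = "noError", "inconsistentValue", "notWritable"
ACTIVE, CREATE_AND_GO, DESTROY = 1, 4, 6
ENABLED, DISABLED = 1, 2                   # cgaLocalAdminStatus
VALID_AND_ENABLED, OPER_DISABLED = 1, 2    # cgaLocalOperStatus
TEST_AND_INCR_MODULUS = 2147483648         # TestAndIncr wraps from 2^31-1 to 0
CGA_PARAMS = ("cgaLocalModifier", "cgaLocalCollisionCount", "cgaLocalPublicKey",
              "cgaLocalPrivateKey", "cgaLocalExtensionFields")

def structural_check(row):
    """Stand-in for the RFC 3972 Hash1/Hash2 verification (out of scope here):
    checks only field sizes and the collision-count range."""
    return len(row["cgaLocalModifier"]) == 16 and row["cgaLocalCollisionCount"] in (0, 1, 2)

class CgaLocalAgent:
    """Agent-side model of cgaLocalSpinLock, cgaLocalTable and the IP-MIB coupling."""

    def __init__(self, validate=structural_check):
        self.validate = validate
        self.spin_lock = 0        # cgaLocalSpinLock (TestAndIncr)
        self.rows = {}            # index (ipAddressAddrType, ipAddressAddr) -> columns
        self.ip_rows = set()      # indexes whose IP-MIB ipAddressRowStatus is active(1)

    def set_ip_address_row(self, index, active):
        """Model of a SET on IP-MIB:ipAddressRowStatus; removing the IP row removes the CGA row."""
        if active:
            self.ip_rows.add(index)
        else:
            self.ip_rows.discard(index)
            self.rows.pop(index, None)

    def set(self, varbinds, ip_rows_in_same_pdu=()):
        """Process one SET PDU: check every varbind first, then commit all of them
        ('as if simultaneously'), so a stale spin lock rejects the whole PDU."""
        lock_bound, staged = False, {}
        for name, index, value in varbinds:
            if name == "cgaLocalSpinLock":
                if value != self.spin_lock:            # TestAndIncr: another manager won the race
                    return INCONSISTENT_VALUE
                lock_bound = True
            else:
                staged.setdefault(index, {})[name] = value
        ip_active = self.ip_rows | set(ip_rows_in_same_pdu)
        for index, cols in staged.items():
            row, status = self.rows.get(index), cols.get("cgaLocalRowStatus")
            if row is None:
                if status == DESTROY:
                    continue                           # destroying a missing row is noError
                if status != CREATE_AND_GO or any(p not in cols for p in CGA_PARAMS):
                    return INCONSISTENT_VALUE          # all CGA parameters are needed to go active
            elif row["_locked"] and any(p in cols for p in CGA_PARAMS):
                return NOT_WRITABLE                    # immutable once validAndEnabled(1) was reached
            if cols.get("cgaLocalAdminStatus") == ENABLED and index not in ip_active:
                return INCONSISTENT_VALUE              # ipAddressRowStatus must be active first or in this PDU
        for index, cols in staged.items():             # commit phase
            if cols.get("cgaLocalRowStatus") == DESTROY:
                self.rows.pop(index, None)
                continue
            row = self.rows.setdefault(index, {"cgaLocalAdminStatus": DISABLED, "_locked": False})
            row.update(cols)
            row["cgaLocalRowStatus"] = ACTIVE
            valid = row["cgaLocalAdminStatus"] == ENABLED and self.validate(row)
            row["cgaLocalOperStatus"] = VALID_AND_ENABLED if valid else OPER_DISABLED
            row["_locked"] = row["_locked"] or valid
        if lock_bound:
            self.spin_lock = (self.spin_lock + 1) % TEST_AND_INCR_MODULUS
        return NO_ERROR

def race_demo():
    """Two managers that both read cgaLocalSpinLock == 0 try to create the same row."""
    agent = CgaLocalAgent()
    index = (2, bytes.fromhex("20010db8000000000000000000000001"))   # ipv6(2), constructed
    params = [("cgaLocalModifier", index, bytes(16)), ("cgaLocalCollisionCount", index, 0),
              ("cgaLocalPublicKey", index, b"constructed-spki"),
              ("cgaLocalPrivateKey", index, b"constructed-private-key"),
              ("cgaLocalExtensionFields", index, b"")]
    create = params + [("cgaLocalAdminStatus", index, ENABLED),
                       ("cgaLocalRowStatus", index, CREATE_AND_GO)]
    lock_a = lock_b = agent.spin_lock                    # both managers fetch the lock first
    results = {}
    results["without_ip_row"] = agent.set([("cgaLocalSpinLock", None, lock_a)] + create)
    agent.set_ip_address_row(index, True)                # IP-MIB row made active first
    results["manager_a"] = agent.set([("cgaLocalSpinLock", None, lock_a)] + create)
    results["manager_b_stale"] = agent.set([("cgaLocalSpinLock", None, lock_b)] + create)
    results["oper_status"] = agent.rows[index]["cgaLocalOperStatus"]
    results["modify_locked"] = agent.set([("cgaLocalSpinLock", None, agent.spin_lock),
                                          ("cgaLocalModifier", index, bytes(range(16)))])
    results["lock_after"] = agent.spin_lock              # only successful SETs increment it
    agent.set_ip_address_row(index, False)               # removing the IP row removes the CGA row
    results["row_after_ip_removal"] = index in agent.rows
    return results
```
]]></artwork></figure>
<t>The point of the two-phase set is that manager B's PDU, carrying the lock value it read before A committed, is rejected in full; B then re-reads cgaLocalSpinLock and can decide whether the row it wanted already exists before retrying.</t>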





<t>CgaLocalEntry ::= SEQUENCE {</t>
<list hangIndent='8'>
        <t>cgaLocalModifier             	CgaModifier,</t>
        <t>cgaLocalCollisionCount       	CgaCollisionCount,</t>
        <t>cgaLocalPublicKey            	CgaKeyInfo,</t>
	<t>cgaLocalPrivateKey            	CgaKeyInfo,</t>
        <t>cgaLocalExtensionFields      	OCTET STRING,</t>
	<t>cgaLocalProtocolsUsingCga		CgaProtocolsUsingCga,</t>
	<t>cgaLocalAdminStatus			INTEGER,</t>
	<t>cgaLocalOperStatus			INTEGER,</t>
        <t>cgaLocalRowStatus            	RowStatus,</t>
        <t>cgaLocalStorageType          	StorageType</t>
</list>
<list hangIndent='4'>
    <t>}</t>
</list>

<t>cgaLocalModifier OBJECT-TYPE</t>
<list hangIndent='4'>
        <t>SYNTAX       CgaModifier</t>
        <t>MAX-ACCESS   read-create</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"128-bit unsigned integer, which can be any value. Used during CGA generation to implement the hash extension and add randomness to the address.</t>
		<t>This object must not be modified once the cgaLocalOperStatus object of this entry has taken the value validAndEnabled(1) for the first time."</t>
                </list>
                <t>::= { cgaLocalEntry 1 }</t>
</list>



<t>cgaLocalCollisionCount OBJECT-TYPE</t>
<list hangIndent='4'>
        <t>SYNTAX       CgaCollisionCount</t>
        <t>MAX-ACCESS   read-create</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"Counter that is incremented during CGA generation to recover from an address collision.</t>
		<t>This object must not be modified once the cgaLocalOperStatus object of this entry has taken the value validAndEnabled(1) for the first time."</t>
                </list>
        <t>::= { cgaLocalEntry 2 }</t>
</list>

<t>cgaLocalPublicKey OBJECT-TYPE</t>
        <list hangIndent='4'>
        <t>SYNTAX       CgaKeyInfo</t>
        <t>MAX-ACCESS   read-create</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"Variable-length field containing the public key of the address owner.</t>
		<t>This object must not be modified once the cgaLocalOperStatus object of this entry has taken the value validAndEnabled(1) for the first time."</t>
                </list>
        <t>REFERENCE    "RFC 3279, RFC 3280, ITU-T Recommendation X.690"</t>
        <t>::= { cgaLocalEntry 3 }</t>
</list>

<t>cgaLocalPrivateKey OBJECT-TYPE</t>
        <list hangIndent='4'>
        <t>SYNTAX       CgaKeyInfo</t>
        <t>MAX-ACCESS   read-create</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"Variable-length field containing the private key of the address owner, i.e. the private key matching cgaLocalPublicKey.
                This key is what lets the node prove ownership of the CGA (for example, by signing SEND messages): anyone able to read it can impersonate the address,
                and anyone able to write it together with the other parameters can install an address under a key they control. Access to this object should
                therefore be restricted to managers that need it, and it should only be exposed over SNMPv3 with authentication and privacy.</t>
		<t>This object must not be modified once the cgaLocalOperStatus object of this entry has taken the value validAndEnabled(1) for the first time."</t>
                </list>
        <t>REFERENCE    "RFC 3279, RFC 3280, ITU-T Recommendation X.690"</t>
        <t>::= { cgaLocalEntry 4 }</t>
</list>

<t>cgaLocalExtensionFields OBJECT-TYPE</t>
        <list hangIndent='4'>
        <t>SYNTAX       OCTET STRING (SIZE (0..1024))</t>
        <t>MAX-ACCESS   read-create</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"Optional variable-length field: the Extension Fields of the CGA Parameters data structure <xref target="RFC3972"></xref>, included as-is in the input of the CGA hash computations.
                Defined as an opaque type; a zero-length value means that no extension fields are present.</t>
		<t>This object must not be modified once the cgaLocalOperStatus object of this entry has taken the value validAndEnabled(1) for the first time."</t>
                </list>

        <t>::= { cgaLocalEntry 5 }</t>
</list>

<t>cgaLocalProtocolsUsingCga OBJECT-TYPE</t>
        <list hangIndent='4'>
	<t>SYNTAX CgaProtocolsUsingCga</t>
        <t>MAX-ACCESS   read-only</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
	        <list hangIndent='7'>
                <t>"Protocols currently using this CGA."</t>
                </list>
        <t>::= { cgaLocalEntry 6 }</t>
</list>

<t>cgaLocalAdminStatus OBJECT-TYPE</t>
        <list hangIndent='4'>
	<t>SYNTAX       INTEGER {</t>
        <list hangIndent='4'>
                <t>enabled(1),</t> 
                <t>disabled(2) }</t>
        </list>
        <t>MAX-ACCESS   read-create</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"The desired state of the CGA. When set to enabled(1), the administrator requires the CGA to be available as a valid local address of the system. Conversely, when set to
		disabled(2), the administrator requires the CGA not to be available as an address of the system."</t>
                </list>
	<t>DEFVAL 	{ disabled }</t>
        <t>::= { cgaLocalEntry 7 }</t>
</list>

<t>cgaLocalOperStatus OBJECT-TYPE</t>
        <list hangIndent='4'>
	<t>SYNTAX       INTEGER {</t>
        <list hangIndent='4'>
                <t>validAndEnabled(1),</t> 
                <t>disabled(2) }</t>
        </list>
        <t>MAX-ACCESS   read-only</t>	
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"The current operational state of the CGA. The state validAndEnabled(1) indicates that this entry is both valid and operational as a local address 
		in the system; disabled(2) indicates that it is not.</t>
		<t>A CGA is valid if it fulfills the conditions stated in <xref target="RFC3972"></xref>, i.e.:
		cgaLocalCollisionCount is 0, 1 or 2;
		the leftmost 64 bits of the SHA-1 hash (Hash1) of the CGA Parameters data structure formed by cgaLocalModifier, the subnet prefix of ipAddressAddr, cgaLocalCollisionCount,
		cgaLocalPublicKey and cgaLocalExtensionFields are equal to the interface identifier of ipAddressAddr, ignoring bits 0, 1 and 2 (the sec value) and bits 6 and 7 (the u and g bits); and
		the leftmost 16*sec bits of a second hash (Hash2), computed over the same data structure but with the subnet prefix and collision count fields set to zero,
		are all zero, where sec is the value of the three leftmost bits of the interface identifier."</t>
		</list>
        <t>::= { cgaLocalEntry 8 }</t>
</list>
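<t>As an added illustration, not part of this draft or of RFC 3972, the following Python code implements the generation and verification procedures that the validity condition above summarises: Hash1 and Hash2 over the CGA Parameters data structure, the sec value written into the interface identifier, the u and g bits, and the collision count limit. verify_cga is the check an agent has to pass before it reports validAndEnabled(1) for a cgaLocalTable row, and the condition a cgaRemoteTable entry has to satisfy. The public key bytes are a constructed stand-in for a DER SubjectPublicKeyInfo (RFC 3972 hashes that field as opaque octets), and 2001:db8::/64 is the documentation prefix.</t>
<figure><artwork><![CDATA[
```python
import hashlib
import ipaddress
import os

# Constructed stand-in for the DER SubjectPublicKeyInfo octets. RFC 3972 hashes the
# Public Key field as an opaque byte string, so any bytes exercise the same logic.
SAMPLE_PUBLIC_KEY = b"constructed-subjectpublickeyinfo-stand-in:" + bytes(range(64))

def cga_parameters(modifier, subnet_prefix, collision_count, public_key, ext=b""):
    """Serialise the CGA Parameters data structure (RFC 3972, section 4)."""
    if len(modifier) != 16 or len(subnet_prefix) != 8 or not 0 <= collision_count <= 2:
        raise ValueError("malformed CGA parameters")
    return modifier + subnet_prefix + bytes([collision_count]) + public_key + ext

def hash1(modifier, subnet_prefix, collision_count, public_key, ext=b""):
    """Hash1: leftmost 64 bits of SHA-1 over the CGA Parameters."""
    params = cga_parameters(modifier, subnet_prefix, collision_count, public_key, ext)
    return hashlib.sha1(params).digest()[:8]

def hash2(modifier, public_key, ext=b""):
    """Hash2: leftmost 112 bits of SHA-1 over the CGA Parameters with the subnet
    prefix and collision count fields set to zero (nine zero octets)."""
    return hashlib.sha1(modifier + bytes(9) + public_key + ext).digest()[:14]

def hash2_satisfies_sec(h2, sec):
    """The 16*sec leftmost bits of Hash2 must be zero (trivially true for sec = 0)."""
    return sec == 0 or int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0

def interface_identifier(h1, sec):
    """Write sec into bits 0-2 and clear the u and g bits (6 and 7) of Hash1."""
    iid = bytearray(h1)
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)

def generate_cga(subnet_prefix, public_key, sec, ext=b"", modifier=None, collisions=0):
    """RFC 3972 section 4 generation. DAD is outside this example; `collisions` is the
    number of DAD collisions assumed to have happened (it becomes the collision count)."""
    if collisions > 2:
        raise ValueError("three collisions: CGA generation must be aborted")
    counter = int.from_bytes(os.urandom(16) if modifier is None else modifier, "big")
    while not hash2_satisfies_sec(hash2(counter.to_bytes(16, "big"), public_key, ext), sec):
        counter = (counter + 1) % (1 << 128)      # hash extension: search for a modifier
    modifier = counter.to_bytes(16, "big")
    iid = interface_identifier(hash1(modifier, subnet_prefix, collisions, public_key, ext), sec)
    return ipaddress.IPv6Address(subnet_prefix + iid), modifier, collisions

def verify_cga(address, modifier, subnet_prefix, collision_count, public_key, ext=b""):
    """RFC 3972 section 5 verification. True iff the address is a valid CGA for the
    given parameters; this is the condition behind validAndEnabled(1)."""
    packed = address.packed
    if not 0 <= collision_count <= 2:
        return False
    if packed[:8] != subnet_prefix:               # prefix in the parameters must match
        return False
    iid = packed[8:]
    h1 = hash1(modifier, subnet_prefix, collision_count, public_key, ext)
    # compare ignoring bits 0-2 (sec) and 6-7 (u/g) of the first octet
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5
    return hash2_satisfies_sec(hash2(modifier, public_key, ext), sec)

def demo():
    """Generate a sec=1 CGA under the documentation prefix, verify it, and show that
    a changed parameter, a wrong prefix or an out-of-range collision count all fail."""
    prefix = ipaddress.IPv6Address("2001:db8::").packed[:8]
    address, modifier, cc = generate_cga(prefix, SAMPLE_PUBLIC_KEY, sec=1, modifier=bytes(16))
    tampered = bytes([modifier[0] ^ 1]) + modifier[1:]
    return {
        "address": str(address),
        "sec": address.packed[8] >> 5,
        "valid": verify_cga(address, modifier, prefix, cc, SAMPLE_PUBLIC_KEY),
        "tampered_modifier_valid": verify_cga(address, tampered, prefix, cc, SAMPLE_PUBLIC_KEY),
        "wrong_prefix_valid": verify_cga(address, modifier, bytes(8), cc, SAMPLE_PUBLIC_KEY),
        "collision_count_3_valid": verify_cga(address, modifier, prefix, 3, SAMPLE_PUBLIC_KEY),
    }
```
]]></artwork></figure>
<t>With sec=1 the modifier search needs about 65536 SHA-1 evaluations on average, which is why the modifier, not the address, is the expensive part of the CGA Parameters and why the MIB forbids changing it once the row is in use. Note also that verification says nothing about who holds the private key: it only binds the address to the public key, and the proof of ownership comes from the protocol (e.g. a SEND signature) that uses the CGA.</t>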


<t>cgaLocalRowStatus OBJECT-TYPE</t>
        <list hangIndent='4'>
        <t>SYNTAX       RowStatus</t>
        <t>MAX-ACCESS   read-create</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"The status of this conceptual row.</t>

                <t>A conceptual row cannot be made active until the columnar objects that carry the CGA parameters (cgaLocalModifier, cgaLocalCollisionCount, cgaLocalPublicKey, cgaLocalPrivateKey and cgaLocalExtensionFields) have been assigned a value. cgaLocalAdminStatus and cgaLocalStorageType take their default values if not set, and cgaLocalOperStatus is set by the agent."</t>
		
                </list>
        <t>::= { cgaLocalEntry 9 }</t>
</list>

<t>cgaLocalStorageType OBJECT-TYPE</t>
        <list hangIndent='4'>
        <t>SYNTAX       StorageType</t>
        <t>MAX-ACCESS   read-create</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
        <list hangIndent='7'>
                <t>"The storage type for this conceptual row.  If this object
                has a value of 'permanent', then no other objects are
                required to be able to be modified.</t>
		<t>The values of the cgaLocalStorageType and of the corresponding IP-MIB:ipAddressStorageType should be the same."</t>
                </list>
        <t>DEFVAL { volatile }</t>
        <t>::= { cgaLocalEntry 10 }</t>
</list>




<figure><artwork>

--
-- table to store information about the valid CGAs corresponding 
-- to remote nodes
--
</artwork></figure>

<t>cgaRemoteTable OBJECT-TYPE</t>
        <list hangIndent='4'>
        <t>SYNTAX       SEQUENCE OF CgaRemoteEntry</t>
        <t>MAX-ACCESS   not-accessible</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
        <list hangIndent='7'>
                <t>"List of valid CGAs of remote nodes. A CGA is valid if it fulfills the conditions stated in <xref target="RFC3972"></xref>, i.e.:
		cgaRemoteCollisionCount is 0, 1 or 2;
		the leftmost 64 bits of the SHA-1 hash (Hash1) of the CGA Parameters data structure formed by cgaRemoteModifier, the subnet prefix of cgaRemoteAddr, cgaRemoteCollisionCount,
		cgaRemotePublicKey and cgaRemoteExtensionFields are equal to the interface identifier of cgaRemoteAddr, ignoring bits 0, 1 and 2 (the sec value) and bits 6 and 7 (the u and g bits); and
		the leftmost 16*sec bits of a second hash (Hash2), computed over the same data structure but with the subnet prefix and collision count fields set to zero,
		are all zero, where sec is the value of the three leftmost bits of the interface identifier.</t> 
                <t>In general, the agent populates the entries in this table with the information obtained using a CGA-aware protocol (e.g. SEND or Shim6),
		and these protocols can be responsible for deleting the entry according to the rules defined for their operation.
		Protocol-specific information associated with the CGA (for example, the link-layer address associated with the CGA) must be 
		managed in a MIB specific to the protocol in question. Note that several protocols could be using the same remote CGA. </t>
              
                <t>All the objects in this table are defined as read-only."</t>
                </list>

        <t>::= { cga 3 }</t>
</list>

<t>cgaRemoteEntry OBJECT-TYPE</t>
        <list hangIndent='4'>
        <t>SYNTAX       CgaRemoteEntry</t>
        <t>MAX-ACCESS   not-accessible</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"Information related with a remote CGA."</t>
                </list>
        <t>INDEX        { cgaRemoteAddr }</t>
        <t>::= { cgaRemoteTable 1 }</t>
</list>

<t>CgaRemoteEntry ::= SEQUENCE {</t>
<list hangIndent='8'>
        <t>cgaRemoteAddr                InetAddressIPv6,</t>
        <t>cgaRemoteModifier            CgaModifier,</t>
        <t>cgaRemoteCollisionCount      CgaCollisionCount,</t>
        <t>cgaRemotePublicKey           CgaKeyInfo,</t>
        <t>cgaRemoteExtensionFields     OCTET STRING,</t>
	<t>cgaRemoteProtocolsUsingCga	CgaProtocolsUsingCga,</t>
        <t>cgaRemoteOrigin              INTEGER,</t>
        <t>cgaRemoteCreated             TimeStamp</t>
        
</list>
<list hangIndent='4'>
<t>}</t>
</list>

<t>cgaRemoteAddr OBJECT-TYPE</t>
        <list hangIndent='4'>
        <t>SYNTAX     InetAddressIPv6</t>
        <t>MAX-ACCESS not-accessible</t>
        <t>STATUS     current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"The CGA IPv6 address to which this entry's addressing information is associated."</t>
                </list>
        <t>::= { cgaRemoteEntry 1 }</t>
</list>

<t>cgaRemoteModifier OBJECT-TYPE</t>
        <list hangIndent='4'>
        <t>SYNTAX       CgaModifier</t>
        <t>MAX-ACCESS   read-only</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"128-bit unsigned integer, which can be any value. Used during CGA generation to implement the hash extension and add randomness to the address."</t>
                </list>
        <t>::= { cgaRemoteEntry 2 }</t>
</list>



<t>cgaRemoteCollisionCount OBJECT-TYPE</t>
        <list hangIndent='4'>
        <t>SYNTAX       CgaCollisionCount</t>
        <t>MAX-ACCESS   read-only</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
        <list hangIndent='7'>
                <t>"Counter that is incremented during CGA generation to recover from an address collision."</t>
        </list>
        <t>::= { cgaRemoteEntry 3 }</t>
</list>

<t>cgaRemotePublicKey OBJECT-TYPE</t>
        <list hangIndent='4'>
        <t>SYNTAX       CgaKeyInfo</t>
        <t>MAX-ACCESS   read-only</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"Variable-length field containing the public key of the remote node owner of the address."</t>
                </list>
        <t>::= { cgaRemoteEntry 4 }</t>
</list>

<t>cgaRemoteExtensionFields OBJECT-TYPE</t>
        <list hangIndent='4'>
        <t>SYNTAX       OCTET STRING (SIZE (0..1024))</t>
        <t>MAX-ACCESS   read-only</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"Optional variable-length field: the Extension Fields of the CGA Parameters data structure <xref target="RFC3972"></xref>, included as-is in the input of the CGA hash computations. Defined as an opaque type; a zero-length value means that no extension fields are present."</t>
                </list>

<t>::= { cgaRemoteEntry 5 }</t>
</list>

<t>cgaRemoteProtocolsUsingCga OBJECT-TYPE</t>
        <list hangIndent='4'>
	<t>SYNTAX CgaProtocolsUsingCga</t>
        <t>MAX-ACCESS   read-only</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
	        <list hangIndent='7'>
                <t>"Protocols currently using this CGA."</t>
                </list>
        <t>::= { cgaRemoteEntry 6 }</t>
</list>

<t>cgaRemoteOrigin OBJECT-TYPE</t>
        <list hangIndent='4'>
        <t>SYNTAX       INTEGER {</t>
                <list hangIndent='4'>
                <t>other(1),</t>
                <t>manual(2),</t>
                <t>send(3),</t>
                <t>shim6(4)</t>
        </list>
        <t>}</t>
        <t>MAX-ACCESS   read-only</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"The origin of the CGA entry.</t>
<t>other(1) indicates that the CGA was obtained by a means not covered by the other values.</t>
<t>manual(2) indicates that the CGA was manually configured, e.g. by user configuration.</t>
<t>send(3) indicates that the CGA was received through the SEND protocol <xref target="RFC3971"></xref>.</t>
<t>shim6(4) indicates that the CGA was received through the Shim6 protocol.</t>

<t>Note that each protocol may apply different rules for validating the CGA (for example, a different minimum key length), so an entry that is valid for the protocol that created it is not necessarily acceptable to another protocol.</t>
<t>Note also that although created by a particular means, the CGA could be used at the same time by many protocols."</t>
</list>

<t>::= { cgaRemoteEntry 7 }</t>
</list>

<t>cgaRemoteCreated OBJECT-TYPE</t>
        <list hangIndent='4'>
        <t>SYNTAX       TimeStamp</t>
        <t>MAX-ACCESS   read-only</t>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"The value of sysUpTime at the time this entry was created.
                If this entry was created prior to the last re-
                initialization of the local network management subsystem,
                then this object contains a zero value."</t>
                </list>
        <t>::= { cgaRemoteEntry 8 }</t>
</list>




<figure><artwork>

--
-- conformance information
--

</artwork></figure>

<t>cgaMIBConformance OBJECT IDENTIFIER ::= { cgaMIB 2 }</t>

<t>cgaMIBCompliances OBJECT IDENTIFIER ::= { cgaMIBConformance 1 }</t>
<t>cgaMIBGroups      OBJECT IDENTIFIER ::= { cgaMIBConformance 2 }</t>



<t>cgaMIBCompliance MODULE-COMPLIANCE</t>
        <list hangIndent='4'>
        <t>STATUS       current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"The compliance statement for systems with CGA addresses."</t>
                </list>
        <t>MODULE  -- this module</t>
<figure><artwork>
       -- none of the groups defined here is mandatory. Any of them
       -- can be implemented, depending on the use of the CGAs. For
       -- example, it is acceptable not to implement local CGA
       -- addresses but to be able to store remote CGA addresses.
</artwork></figure>
<t>--       MANDATORY-GROUPS { }</t>
<t></t>

<t>GROUP        cgaLocalGroup</t>
<t>DESCRIPTION</t>
        <list hangIndent='7'>
        <t>"This group is mandatory for nodes that support the use of CGA as local addresses."</t>
        </list>
<t></t>
<t>GROUP        cgaRemoteGroup</t>
<t>DESCRIPTION</t>
        <list hangIndent='7'>
        <t>"This group is mandatory for nodes that implement protocols that may rely on the identification of remote nodes as CGA addresses, such as SEND or Shim6."</t>
        </list>
<t></t>
        
<t>OBJECT     cgaLocalSpinLock</t>
<t>MIN-ACCESS not-accessible</t>
<t>DESCRIPTION</t>
        <list hangIndent='7'>
           <t>"An agent is not required to implement this
            object.  However, if an agent provides write access to any
            of the other objects in the cgaLocalGroup, it SHOULD
            provide write access to this object as well."</t>
            </list>
<vspace blankLines='1' />

<t>OBJECT     cgaLocalModifier</t>
<t>MIN-ACCESS read-only</t>
<t>DESCRIPTION</t>
        <list hangIndent='7'>       
        <t>"An agent is not required to provide write or create access
            to this object."</t>
        </list>
<vspace blankLines='1' />

<t>OBJECT     cgaLocalCollisionCount</t>
    <t>MIN-ACCESS read-only</t>
    <t>DESCRIPTION</t>
    <list hangIndent='7'>
           <t>"An agent is not required to provide write or create access
            to this object."</t>
</list>
<vspace blankLines='1' />

<t>OBJECT     cgaLocalPublicKey</t>
    <t>MIN-ACCESS read-only</t>
    <t>DESCRIPTION</t>
    <list hangIndent='7'>
           <t>"An agent is not required to provide write or create access
            to this object."</t>
</list>
<vspace blankLines='1' />

<t>OBJECT     cgaLocalPrivateKey</t>
    <t>MIN-ACCESS not-accessible</t>
    <t>DESCRIPTION</t>
    <list hangIndent='7'>
           <t>"An agent is not required to provide read, write or create access
            to this object. However, if an agent provides write access to any other object in the cgaLocalGroup, it SHOULD provide write (and read) access to this
	    object as well, since a row cannot be created without it.
	    If write access is not provided to the other objects in the cgaLocalGroup, the cgaLocalPrivateKey need not be readable; not exposing it at all is the safer choice, as the private key is what proves ownership of the CGA."</t>
</list>
<vspace blankLines='1' />

<t>OBJECT     cgaLocalExtensionFields</t>
    <t>MIN-ACCESS read-only</t>
    <t>DESCRIPTION</t>
    <list hangIndent='7'>
           <t>"An agent is not required to provide write or create access
            to this object."</t>
</list>
<vspace blankLines='1' />           

<t>OBJECT     cgaLocalProtocolsUsingCga</t>
    <t>SYNTAX BITS { unknown(0) }</t>
    <t>DESCRIPTION</t>
    <list hangIndent='7'> 
           <t>"An agent is not required to update the protocols currently using the CGA. In this case, the unknown(0) value is shown."</t>
</list>
<vspace blankLines='1' />

<t>OBJECT     cgaLocalAdminStatus</t>
    <t>MIN-ACCESS read-only</t>
    <t>DESCRIPTION</t>
    <list hangIndent='7'>
    <t>"An agent is not required to provide write or create access
            to this object."</t>
</list>
<vspace blankLines='1' />

<t>OBJECT     cgaLocalRowStatus</t>
    <t>SYNTAX     RowStatus { active(1) }</t>
    <t>MIN-ACCESS read-only</t>
    <t>DESCRIPTION</t>
    <list hangIndent='7'>
    <t>"An agent is not required to provide write or create access
            to this object. In this case, the only value permitted is active(1)."</t>
</list>
<vspace blankLines='1' />



<t>OBJECT     cgaLocalStorageType</t>
    <t>MIN-ACCESS read-only</t>
    <t>DESCRIPTION</t>
    <list hangIndent='7'>
           <t>"An agent is not required to provide write or create access
            to this object.
            If an agent allows this object to be written or created, it
            is not required to allow this object to be set to readOnly,
            permanent, or nonVolatile."</t>
            </list>
<vspace blankLines='1' />


<t>OBJECT     cgaRemoteProtocolsUsingCga</t>
    <t>SYNTAX BITS { unknown(0) }</t>
    <t>DESCRIPTION</t>
    <list hangIndent='7'> 
           <t>"An agent is not required to update the protocols currently using the CGA. In this case, the unknown(0) value is shown."</t>
</list>
<vspace blankLines='1' />


    <t>::= { cgaMIBCompliances 1 }</t>
</list>

<figure><artwork>


-- group definitions

</artwork></figure>


<t>cgaLocalGroup OBJECT-GROUP</t>
        <list hangIndent='4'>
        <t>OBJECTS   {</t> 
                <list hangIndent='4'>
                <t>cgaLocalSpinLock, cgaLocalModifier, cgaLocalCollisionCount, cgaLocalPublicKey, cgaLocalPrivateKey, cgaLocalExtensionFields, cgaLocalProtocolsUsingCga, cgaLocalAdminStatus, cgaLocalOperStatus, cgaLocalRowStatus, cgaLocalStorageType }</t>
                </list>
        <t>STATUS     current</t>
        <t>DESCRIPTION</t>
        <list hangIndent='7'>
           <t>"The group of the elements representing the components of the CGA Parameters data structure for the local node."</t>
          </list>
    <t>::= { cgaMIBGroups 1 }</t>
</list>

<t>cgaRemoteGroup OBJECT-GROUP</t>
        <list hangIndent='4'>
        <t>OBJECTS   { </t>
                <list hangIndent='4'>
                <t>cgaRemoteModifier, cgaRemoteCollisionCount, cgaRemotePublicKey, cgaRemoteExtensionFields, cgaRemoteProtocolsUsingCga, cgaRemoteOrigin, cgaRemoteCreated }</t>
                </list>
        <t>STATUS     current</t>
        <t>DESCRIPTION</t>
                <list hangIndent='7'>
                <t>"The group of the elements representing the components of the CGA Parameters data structure for remote nodes."</t>
                </list>
    <t>::= { cgaMIBGroups 2 }</t>
</list>
<t>END</t>


</section>

<section title="Security Considerations">

<t>Some of the management objects of this MIB module have been defined with either a MAX-ACCESS clause of read-create (for the columnar objects belonging to the cgaLocalTable) or read-write (for the spinlock object to control access to that table).  Such access capability may be considered sensitive or vulnerable in some network environments.  The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations.</t>  
<t>The objects of the cgaLocalTable specify the CGA addresses configured in this node. An attacker could delete or disable the entry associated with a CGA
to prevent the node from benefiting from the authentication and certification facilities provided by the combination of CGA addresses and protocols
such as SeND (RFC3972) or SHIM6.</t>

<t>The addition by an attacker of a row composed of consistent information about a CGA could allow the node to be able to impersonate the identity of another node.</t>

<t>Regarding the risks of providing GET access to the tables defined in this MIB, the most relevant risk is that the private key (contained in the
cgaLocalPrivateKey object) could be disclosed. Implementations that do not provide write access to the CGA elements may also disable read access to the cgaLocalPrivateKey object.
The rest of the information contained in the cgaLocalTable is used to prove the identity of the node to other nodes communicating with it. Therefore, the disclosure of this information does not give an attacker any significant
advantage in impersonating the identity of the node (unless factoring attacks become practical and the private key can be
derived from the public one, in which case the CGA should be changed). Other risks are essentially the same as those arising from knowledge of a set of non-CGA addresses, i.e. being able to correlate traffic from different
addresses. Analogous considerations apply to the information contained in the cgaRemoteTable.</t>

<t>SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.</t>

   <t>It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see <xref target="RFC3410"></xref>, section 8), including full
   support for the SNMPv3 cryptographic mechanisms (for authentication
   and privacy).</t>

<t>Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module, is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.</t>
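<t>As an added illustration (not part of this draft), the following net-snmp snmpd.conf fragment applies the recommendations above: SNMPv3 principals with authentication and privacy, and VACM views that withhold cgaLocalPrivateKey from read-only principals. The user names, passphrases and the OID arcs XXX (the unassigned mib-2 arc used by this draft) and PRIVKEY-COLUMN-OID (the full OID of the cgaLocalPrivateKey column) are placeholders.</t>
<figure><artwork>
```conf
# Added example, not part of the draft: net-snmp snmpd.conf fragment.
# Placeholders: XXX is the mib-2 arc IANA has not yet assigned;
# PRIVKEY-COLUMN-OID stands for the full OID of cgaLocalPrivateKey.

# SNMPv3 users with SHA authentication and AES privacy.
# Passphrases below are constructed placeholders.
createUser cgaOperator SHA "operator-auth-passphrase" AES "operator-priv-passphrase"
createUser cgaAuditor  SHA "auditor-auth-passphrase"  AES "auditor-priv-passphrase"

# Read view for auditors: the whole CGA MIB module except the
# private key column, matching the "may not be readable" allowance.
view cgaReadView included .1.3.6.1.2.1.XXX
view cgaReadView excluded PRIVKEY-COLUMN-OID

# Full view for the principals that legitimately create, modify or
# delete cgaLocalTable rows (read-create and read-write objects).
view cgaFullView included .1.3.6.1.2.1.XXX

# Bind users to views; "priv" requires both authentication and
# encryption, so unauthenticated or cleartext requests are refused.
rouser cgaAuditor  priv -V cgaReadView
rwuser cgaOperator priv -V cgaFullView
```
</artwork></figure>
<t>The excluded subtree only hides cgaLocalPrivateKey from GET and GETNEXT by the auditor; the operator retains SET access to the whole table, as the compliance statement expects when write access is granted to the rest of the cgaLocalGroup.</t>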

</section>

<section title="IANA Considerations">


<t>The MIB module in this document uses the following IANA-assigned OBJECT IDENTIFIER values recorded in the SMI Numbers registry:</t>
<figure>
        <artwork>

      Descriptor        OBJECT IDENTIFIER value
      ----------        -----------------------

      send-MIB          { mib-2 XXX }

</artwork>
</figure>
      
<t>Editor's Note (to be removed prior to publication):  the IANA is
      requested to assign a value for "XXX" under the 'mib-2' subtree
      and to record the assignment in the SMI Numbers registry.  When
      the assignment has been made, the RFC Editor is asked to replace
      "XXX" (here and in the MIB module) with the assigned value and to
      remove this note.</t>
</section>


</middle>

<back>
    <references title="Normative References">
      <?rfc include="reference.RFC.2578"?>
      <?rfc include="reference.RFC.2579"?>
      <?rfc include="reference.RFC.2580"?>
      <?rfc include="reference.RFC.3279"?>
      <?rfc include="reference.RFC.3280"?>
      <?rfc include="reference.RFC.3972"?>
      <?rfc include="reference.RFC.4001"?>
      <?rfc include="reference.RFC.4293"?>
      <?rfc include="reference.CCITT.X690.2002"?>

</references>
    <references title="Informative References">
      <?rfc include="reference.RFC.3410"?>
      <?rfc include="reference.RFC.3971"?>

</references>
</back>
</rfc>
