One document matched: draft-ietf-ips-auth-mib-05.txt
Differences from draft-ietf-ips-auth-mib-04.txt
Internet Draft Mark Bakke
<draft-ietf-ips-auth-mib-05.txt> Cisco Systems
Expires June 2004 Jim Muchow
December 2003
Definitions of Managed Objects for User Identity Authorization
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.html.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in TCP/IP based internets.
In particular it defines objects for managing user identities and the
names, addresses, and credentials required manage access control, for
use with various protocols. This draft was motivated by the need for
the configuration of authorized user identities for the iSCSI
protocol, but has been extended to be useful for other protocols that
have similar requirements. It is important to note that this MIB
provides only the set of identities to be used within access lists;
it is the responsibility of other MIBs making use of this one to tie
them to their own access lists or other authorization control
Bakke, Muchow Expires June 2004 [Page 1]
Internet Draft IPS Authorization MIB December 2003
methods.
Acknowledgments
In addition to the authors, several people contributed to the
development of this MIB through discussions of authentication,
authorization, and access within the iSCSI MIB and security teams,
including John Hufferd, Marjorie Krueger, Keith McCloghrie, Tom
McSweeney, Steve Senum, and Josh Tseng. Thanks also to Bill
Studenmund (Wasabi Systems) for adding the Kerberos method, and to
Ayman Ghanem for finding and suggesting changes to several problems
found in the MIB.
Thanks especially to Keith McCloghrie for serving as advisor for this
MIB.
Table of Contents
1. Introduction..............................................2
2. The Internet-Standard Management Framework................3
3. Relationship to Other MIBs................................3
4. Discussion................................................4
4.1. Authorization MIB Object Model..........................4
4.2. ipsAuthInstance.........................................5
4.3. ipsAuthIdentity.........................................5
4.4. ipsAuthIdentityName.....................................5
4.5. ipsAuthIdentityAddress..................................6
4.6. ipsAuthCredential.......................................7
4.7. IP, Fibre Channel, and Other Addresses..................7
4.8. Descriptors: Using OIDs in Place of Enumerated Types....8
4.9. Notifications...........................................8
5. MIB Definitions...........................................9
6. Security Considerations..................................27
7. Normative References.....................................28
8. Informative References...................................28
9. Authors' Addresses.......................................29
10. IPR Notice..............................................29
11. Full Copyright Notice...................................30
1. Introduction
This MIB will be used to configure and/or look at the configuration
of user identities and their credential information. For the
purposes of this MIB, a "user" identity does not need to be an actual
person; a user can also be a host, an application, a cluster of
hosts, or any other identifiable entity that can be authorized to
access a resource.
Bakke, Muchow Expires June 2004 [Page 2]
Internet Draft IPS Authorization MIB December 2003
Most objects in this MIB have a MAX-ACCESS of read-create; the MIB is
intended to allow configuration of user identities and their names,
addresses, and credentials. MIN-ACCESS for all objects is read-only
for those implementations that configure through other means, but
require the ability to monitor user identities.
2. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580].
3. Relationship to Other MIBs
The identity authorization MIB does not directly address objects
within other MIBs. The identity address objects contain IPv4, IPv6,
or other address types, and as such may be indirectly related to
objects within the IPv4 MIB [RFC1213] [RFC2011] or IPv6 [RFC2465]
MIB.
This MIB does not provide actual authorization or access control
lists; it provides a means to identify entities that can be included
in other authorization lists. This should generally be done in MIBs
that reference identities in this one. It also does not cover login
or authentication failure statistics or notifications, as these are
all fairly application-specific, and are not generic enough to
include here.
The user identity objects within this MIB are typically referenced
from other MIBs by a RowPointer within that MIB. A MIB containing
resources for which it requires a list of authorized user identities
may create such a list, with a single RowPointer within each list
element pointing to a user identity within this MIB. This is neither
required nor restricted by this MIB.
Bakke, Muchow Expires June 2004 [Page 3]
Internet Draft IPS Authorization MIB December 2003
4. Discussion
This MIB structure is intended to allow the configuration of a list
of user identities, each with a list of names, addresses,
credentials, and certificates which when combined will distinguish
that identity.
The authorization MIB is structured around two primary "objects", the
authorization instance, and the identity, which serve as containers
for the remainder of the objects. This section contains a brief
description of the "object" hierarchy and a description of each
object, followed by a discussion of the actual SNMP table structure
within the objects.
4.1. Authorization MIB Object Model
The top-level object in this structure is the authorization instance,
which "contains" all of the other objects. The indexing hierarchy of
this MIB looks like:
ipsAuthInstance
-- A distinct authorization entity within the managed system.
-- Most implementations will have just one of these.
ipsAuthIdentity
-- A user identity, consisting of a set of identity names,
-- addresses, and credentials reflected in the following
-- objects:
ipsAuthIdentityName
-- A name for a user identity. A name should be globally
-- unique, and unchanging over time. Some protocols may
-- not require this one.
ipsAuthIdentityAddress
-- An address range, typically but not necessarily an
-- IPv4, IPv6, or Fibre Channel address range, at which
-- the identity is allowed to reside.
ipsAuthCredential
-- A single credential, such as a CHAP username,
-- which can be used to verify the identity.
ipsAuthCredChap
-- CHAP-specific attributes for an ipsAuthCredential
ipsAuthCredSrp
-- SRP-specific attributes
ipsAuthCredKerberos
-- Kerberos-specific attributes
Each identity contains the information necessary to identify a
particular end-point that wishes to access a service, such as iSCSI.
Bakke, Muchow Expires June 2004 [Page 4]
Internet Draft IPS Authorization MIB December 2003
An identity can contain multiple names, addresses, and credentials.
4.2. ipsAuthInstance
The ipsAuthInstanceAttributesTable is the primary table of the
authorization MIB. Every other table entry in this MIB includes the
index of an ipsAuthInstanceAttributesEntry as its primary index. An
authorization instance is basically a managed set of identities.
Many implementations will include just one authorization instance row
in this table. However, there will be cases where multiple rows in
this table may be used:
- A large system may be "partitioned" into multiple, distinct virtual
systems, perhaps sharing the SNMP agent but not their lists of
identities. Each virtual system would have its own authorization
instance.
- A set of stackable systems, each with their own set of identities,
may be represented by a common SNMP agent. Each individual system
would have its own authorization instance.
- Multiple protocols, each with their own set of identities, may
exist within a single system and be represented by a single SNMP
agent. In this case, each protocol may have its own authorization
instance.
4.3. ipsAuthIdentity
The ipsAuthIdentAttributesTable contains one entry for each
configured user identity. The identity contains only a description
of what the identity is used for; its attributes are all contained in
other tables, since they can each have multiple values.
Other MIBs containing lists of users authorized to access a
particular resource should generally contain a RowPointer to the
ipsAuthIdentAttributesEntry which will, if authenticated, be allowed
access to the resource.
All other table entries make use of the indices to this table as
their primary indices.
4.4. ipsAuthIdentityName
The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names,
each of which belong to, and may be used to identify, a particular
identity in the authIdentity table.
Bakke, Muchow Expires June 2004 [Page 5]
Internet Draft IPS Authorization MIB December 2003
Implementations making use of the authorization MIB may identify
their resources by names, addresses, or both. A name is typically a
unique (within the required scope), unchanging identifier for a
resource. It will normally meet some or all of the requirements for a
Uniform Resource Name [RFC1737], although a name in the context of
this MIB does not need to be a URN. Identifiers that typically
change over time should generally be placed into the
ipsAuthIdentityAddress table; names that have no uniqueness
properties should usually be placed into the description attribute
for the identity.
An example of an identity name is the iSCSI Name, defined in [ISCSI].
If this table contains no entries associated with a particular user
identity, the implementation does not need to check any name
parameters when verifying that identity. If the table contains
multiple entries associated with a particular user identity, the
implementation should consider a match with any one of these entries
to be valid.
4.5. ipsAuthIdentityAddress
The ipsAuthIdentAddrAttributesTable contains a list of addresses at
which the identity may reside. For example, an identity may be
allowed access to a resource only from a certain IP address, or only
if its address is in a certain range or set of ranges.
Each entry contains a starting and ending address. If a single
address is desired in the list, both starting and ending addresses
must be identical.
Each entry contains an AddrType attribute. This attribute contains
an enumeration registered as an IANA Address Family type [IANA-AF].
Although many implementations will use IPv4 or IPv6 address types for
these entries, any IANA-registered type may be used, as long as it
makes sense to the application.
Matching any address within any range within the list associated with
a particular identity is considered to be a valid match. If no
entries are present in this list for a given identity, its address is
automatically assumed to match the identity.
Netmasks are not supported, since an address range can express the
same thing with more flexibility. An application specifying
addresses using network masks may do so, and convert to and from
address ranges when reading or writing this MIB.
Bakke, Muchow Expires June 2004 [Page 6]
Internet Draft IPS Authorization MIB December 2003
4.6. ipsAuthCredential
The ipsAuthCredentialAttributesTable contains a list of credentials,
each of which may be used to verify a particular identity.
Each credential contains an authentication method to be used, such as
CHAP [RFC1994], SRP [RFC2945], or Kerberos [RFC1510]. This attribute
contains an object identifier instead of an enumerated type, allowing
other MIBs to add their own authentication methods, without modifying
this MIB.
For each entry in this table, there will exist an entry in another
table containing its attributes. The table in which to place the
entry depends on the AuthMethod attribute:
CHAP If the AuthMethod is set to the CHAP OID, an entry using the
same indices as the ipsAuthCredential will exist in the
ipsAuthCredChap table, which contains the CHAP username.
SRP If the AuthMethod is set to the SRP OID, an entry using the
same indices as the ipsAuthCredential will exist in the
ipsAuthCredSrp table, which contains the SRP username.
Kerberos If the AuthMethod is set to the Kerberos OID, an entry using
the same indices as the ipsAuthCredential will exist in the
ipsAuthCredKerberos table, which contains the Kerberos
principal.
Other If the AuthMethod is set to any OID not defined in this MIB,
an entry using the same indices as the ipsAuthCredential
entry should be placed in the other MIB that define whatever
attributes are needed for that type of credential.
4.7. IP, Fibre Channel, and Other Addresses
The IP addresses in this MIB are represented by two attributes, one
of type AddressFamilyNumbers, and the other of type AuthAddress.
Each address can take on any of the types within the list of address
family numbers; the most likely being IPv4, IPv6, or one of the Fibre
Channel address types.
The type AuthAddress is an octet string. If the address family is
IPv4 or IPv6, the format is taken from the InetAddress specified in
[RFC3291]. If the address family is one of the Fibre Channel types,
the format is identical to the FcNameIdOrZero type defined in
[FCMGMT].
Bakke, Muchow Expires June 2004 [Page 7]
Internet Draft IPS Authorization MIB December 2003
4.8. Descriptors: Using OIDs in Place of Enumerated Types
Some attributes, particularly the authentication method attribute,
would normally require an enumerated type. However, implementations
will likely need to add new authentication method types of their own,
without extending this MIB. To make this work, the MIB defines a set
of object identities within ipsAuthDescriptors. Each of these object
identities is basically an enumerated type.
Attributes that make use of these object identities have a value
which is an OID instead of an enumerated type. These OIDs can either
indicate the object identities defined in this MIB, or object
identities defined elsewhere, such as in an enterprise MIB. Those
implementations that add their own authentication methods should also
define a corresponding object identity for each of these methods
within their own enterprise MIB, and return its OID whenever one of
these attributes is using that method.
4.9. Notifications
Monitoring of authentication failures and other notification events
are outside the scope of this MIB, as they are generally application-
specific. No notifications are provided or required.
Bakke, Muchow Expires June 2004 [Page 8]
Internet Draft IPS Authorization MIB December 2003
5. MIB Definitions
IPS-AUTH-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32,
experimental
FROM SNMPv2-SMI
TEXTUAL-CONVENTION, RowStatus, AutonomousType
FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB -- RFC 2571
AddressFamilyNumbers
FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB
;
ipsAuthModule MODULE-IDENTITY
LAST-UPDATED "200312090000Z" -- December 9, 2003
ORGANIZATION "IETF IPS Working Group"
CONTACT-INFO
"
Mark Bakke
Postal: Cisco Systems, Inc
6450 Wedgwood Road, Suite 130
Maple Grove, MN
USA 55311
Tel: +1 763-398-1000
Fax: +1 763-398-1001
E-mail: mbakke@cisco.com
Jim Muchow
E-mail: jamesdmuchow@yahoo.com"
DESCRIPTION
"The IP Storage Authorization MIB module."
REVISION "200312090000Z" -- December 9, 2003
DESCRIPTION
"Initial revision published as RFC xxxx."
Bakke, Muchow Expires June 2004 [Page 9]
Internet Draft IPS Authorization MIB December 2003
--::= { mib-2 xx }
-- in case you want to COMPILE
::= { experimental 99999 }
ipsAuthObjects OBJECT IDENTIFIER ::= { ipsAuthModule 1 }
ipsAuthNotifications OBJECT IDENTIFIER ::= { ipsAuthModule 2 }
ipsAuthConformance OBJECT IDENTIFIER ::= { ipsAuthModule 3 }
-- Textual Conventions
IpsAuthAddress ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"IP Storage requires the use of address information
that uses not only the InetAddress type defined in the
INET-ADDRESS-MIB, but also Fibre Channel type defined
in the Fibre Channel Management MIB. Although these
address types are recognized in the IANA Address Family
Numbers MIB, the addressing mechanisms have not been
merged into a well-known, common type. This data type,
the IpsAuthAddress, performs this function for this MIB."
REFERENCE
"IANA-ADDRESS-FAMILY-NUMBERS-MIB;
INET-ADDRESS-MIB (RFC 2851);
Fibre Channel Management MIB (presently defined in
draft-ietf-ips-fcmgmt-mib-01.txt)."
SYNTAX OCTET STRING (SIZE(0..255))
------------------------------------------------------------------------
ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 }
ipsAuthMethodTypes OBJECT IDENTIFIER ::= { ipsAuthDescriptors 1 }
ipsAuthMethodNone OBJECT-IDENTITY
STATUS current
DESCRIPTION
"The authoritative identifier when no authentication
method is used."
REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 1 }
ipsAuthMethodSrp OBJECT-IDENTITY
STATUS current
DESCRIPTION
"The authoritative identifier when the authentication
method is SRP."
REFERENCE "iSCSI Protocol Specification."
Bakke, Muchow Expires June 2004 [Page 10]
Internet Draft IPS Authorization MIB December 2003
::= { ipsAuthMethodTypes 2 }
ipsAuthMethodChap OBJECT-IDENTITY
STATUS current
DESCRIPTION
"The authoritative identifier when the authentication
method is CHAP."
REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 3 }
ipsAuthMethodKerberos OBJECT-IDENTITY
STATUS current
DESCRIPTION
"The authoritative identifier when the authentication
method is Kerberos."
REFERENCE "iSCSI Protocol Specification."
::= { ipsAuthMethodTypes 4 }
----------------------------------------------------------------------
ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 }
-- Instance Attributes Table
ipsAuthInstanceAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthInstanceAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of Authorization instances present on the system."
::= { ipsAuthInstance 2 }
ipsAuthInstanceAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthInstanceAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (row) containing management information
applicable to a particular Authorization instance."
INDEX { ipsAuthInstIndex }
::= { ipsAuthInstanceAttributesTable 1 }
IpsAuthInstanceAttributesEntry ::= SEQUENCE {
ipsAuthInstIndex Unsigned32,
ipsAuthInstDescr SnmpAdminString
}
ipsAuthInstIndex OBJECT-TYPE
Bakke, Muchow Expires June 2004 [Page 11]
Internet Draft IPS Authorization MIB December 2003
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An arbitrary integer used to uniquely identify a
particular authorization instance."
::= { ipsAuthInstanceAttributesEntry 1 }
ipsAuthInstDescr OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"An octet string, determined by the implementation to
describe the authorization instance. When only a single
instance is present, this object may be set to the
zero-length string; with multiple authorization
instances, it may be used in an implementation-dependent
manner to describe the purpose of the respective instance."
::= { ipsAuthInstanceAttributesEntry 2 }
ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 }
-- User Identity Attributes Table
ipsAuthIdentAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthIdentAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of user identities, each belonging to a
particular ipsAuthInstance."
::= { ipsAuthIdentity 1 }
ipsAuthIdentAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthIdentAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (row) containing management information
describing a user identity within an authorization
instance on this node."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex }
::= { ipsAuthIdentAttributesTable 1 }
IpsAuthIdentAttributesEntry ::= SEQUENCE {
ipsAuthIdentIndex Unsigned32,
ipsAuthIdentDescription SnmpAdminString,
Bakke, Muchow Expires June 2004 [Page 12]
Internet Draft IPS Authorization MIB December 2003
ipsAuthIdentRowStatus RowStatus
}
ipsAuthIdentIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An arbitrary integer used to uniquely identify a
particular identity instance within an authorization
instance present on the node."
::= { ipsAuthIdentAttributesEntry 1 }
ipsAuthIdentDescription OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"An octet string describing this particular identity."
::= { ipsAuthIdentAttributesEntry 2 }
ipsAuthIdentRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This field allows entries to be dynamically added and
removed from this table via SNMP."
::= { ipsAuthIdentAttributesEntry 3 }
ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 }
-- User Initiator Name Attributes Table
ipsAuthIdentNameAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthIdentNameAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of unique names that can be used to positively
identify a particular user identity."
::= { ipsAuthIdentityName 1 }
ipsAuthIdentNameAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthIdentNameAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
Bakke, Muchow Expires June 2004 [Page 13]
Internet Draft IPS Authorization MIB December 2003
"An entry (row) containing management information
applicable to a unique identity name which can be used
to identify a user identity within a particular
authorization instance."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
ipsAuthIdentNameIndex }
::= { ipsAuthIdentNameAttributesTable 1 }
IpsAuthIdentNameAttributesEntry ::= SEQUENCE {
ipsAuthIdentNameIndex Unsigned32,
ipsAuthIdentName SnmpAdminString,
ipsAuthIdentNameRowStatus RowStatus
}
ipsAuthIdentNameIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An arbitrary integer used to uniquely identify a
particular identity name instance within an
ipsAuthIdentity within an authorization instance."
::= { ipsAuthIdentNameAttributesEntry 1 }
ipsAuthIdentName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A character string which is the unique name of an
identity that may be used to identify this ipsAuthIdent
entry."
::= { ipsAuthIdentNameAttributesEntry 2 }
ipsAuthIdentNameRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This field allows entries to be dynamically added and
removed from this table via SNMP."
::= { ipsAuthIdentNameAttributesEntry 3 }
ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 }
-- User Initiator Address Attributes Table
ipsAuthIdentAddrAttributesTable OBJECT-TYPE
Bakke, Muchow Expires June 2004 [Page 14]
Internet Draft IPS Authorization MIB December 2003
SYNTAX SEQUENCE OF IpsAuthIdentAddrAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of address ranges that are allowed to serve
as the endpoint addresses of a particular identity.
An address range includes a starting and ending address
and an optional netmask, and an address type indicator,
which can specify whether the address is IPv4, IPv6,
FC-WWPN, or FC-WWNN."
::= { ipsAuthIdentityAddress 1 }
ipsAuthIdentAddrAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthIdentAddrAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (row) containing management information
applicable to an address range which is used as part
of the authorization of an identity
within an authorization instance on this node."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
ipsAuthIdentAddrIndex }
::= { ipsAuthIdentAddrAttributesTable 1 }
IpsAuthIdentAddrAttributesEntry ::= SEQUENCE {
ipsAuthIdentAddrIndex Unsigned32,
ipsAuthIdentAddrType AddressFamilyNumbers,
ipsAuthIdentAddrStart IpsAuthAddress,
ipsAuthIdentAddrEnd IpsAuthAddress,
ipsAuthIdentAddrRowStatus RowStatus
}
ipsAuthIdentAddrIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An arbitrary integer used to uniquely identify a
particular ipsAuthIdentAddress instance within an
ipsAuthIdentity within an authorization instance
present on the node."
::= { ipsAuthIdentAddrAttributesEntry 1 }
ipsAuthIdentAddrType OBJECT-TYPE
SYNTAX AddressFamilyNumbers
MAX-ACCESS read-create
STATUS current
Bakke, Muchow Expires June 2004 [Page 15]
Internet Draft IPS Authorization MIB December 2003
DESCRIPTION
"The type of Address in the ipsAuthIdentAddress
start, end, and mask fields. This type is taken
from the IANA address family types; more types may
be registered independently of this MIB."
::= { ipsAuthIdentAddrAttributesEntry 2 }
ipsAuthIdentAddrStart OBJECT-TYPE
SYNTAX IpsAuthAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The starting address of the allowed address range."
::= { ipsAuthIdentAddrAttributesEntry 3 }
ipsAuthIdentAddrEnd OBJECT-TYPE
SYNTAX IpsAuthAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The ending address of the allowed address range.
If the ipsAuthIdentAddrEntry specifies a single
address, this shall match the ipsAuthIdentAddrStart."
::= { ipsAuthIdentAddrAttributesEntry 4 }
ipsAuthIdentAddrRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This field allows entries to be dynamically added and
removed from this table via SNMP."
::= { ipsAuthIdentAddrAttributesEntry 5 }
ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 }
-- Credential Attributes Table
ipsAuthCredentialAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredentialAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of credentials related to user identities
that are allowed as valid authenticators of the
particular identity."
::= { ipsAuthCredential 1 }
Bakke, Muchow Expires June 2004 [Page 16]
Internet Draft IPS Authorization MIB December 2003
ipsAuthCredentialAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthCredentialAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (row) containing management information
applicable to a credential which verifies a user
identity within an authorization instance."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredentialAttributesTable 1 }
IpsAuthCredentialAttributesEntry ::= SEQUENCE {
ipsAuthCredIndex Unsigned32,
ipsAuthCredAuthMethod AutonomousType,
ipsAuthCredRowStatus RowStatus
}
ipsAuthCredIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An arbitrary integer used to uniquely identify a
particular Credential instance within an instance
present on the node."
::= { ipsAuthCredentialAttributesEntry 1 }
ipsAuthCredAuthMethod OBJECT-TYPE
SYNTAX AutonomousType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object contains an OBJECT IDENTIFIER
which identifies the authentication method
used with this credential.
Some standardized values for this object are defined
within the ipsAuthMethods subtree."
::= { ipsAuthCredentialAttributesEntry 2 }
ipsAuthCredRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This field allows entries to be dynamically added and
removed from this table via SNMP."
::= { ipsAuthCredentialAttributesEntry 3 }
Bakke, Muchow Expires June 2004 [Page 17]
Internet Draft IPS Authorization MIB December 2003
ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 7 }
-- Credential Chap-Specific Attributes Table
ipsAuthCredChapAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredChapAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of CHAP attributes for credentials that
use ipsAuthMethodChap as its ipsAuthCredAuthMethod."
::= { ipsAuthCredChap 1 }
ipsAuthCredChapAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthCredChapAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (row) containing management information
applicable to a credential which uses
ipsAuthMethodChap as their ipsAuthCredAuthMethod."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredChapAttributesTable 1 }
IpsAuthCredChapAttributesEntry ::= SEQUENCE {
ipsAuthCredChapUserName SnmpAdminString,
ipsAuthCredChapRowStatus RowStatus
}
ipsAuthCredChapUserName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"An octet string containing the CHAP user name for this
credential."
::= { ipsAuthCredChapAttributesEntry 1 }
-- ipsAuthCredChapPassword (2) deleted
ipsAuthCredChapRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This field allows entries to be dynamically added and
removed from this table via SNMP."
::= { ipsAuthCredChapAttributesEntry 3 }
Bakke, Muchow Expires June 2004 [Page 18]
Internet Draft IPS Authorization MIB December 2003
ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 8 }
-- Credential Srp-Specific Attributes Table
ipsAuthCredSrpAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredSrpAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of SRP attributes for credentials that
use ipsAuthMethodSrp as their ipsAuthCredAuthMethod."
::= { ipsAuthCredSrp 1 }
ipsAuthCredSrpAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthCredSrpAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (row) containing management information
applicable to a credential which uses
ipsAuthMethodSrp as its ipsAuthCredAuthMethod."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredSrpAttributesTable 1 }
IpsAuthCredSrpAttributesEntry ::= SEQUENCE {
ipsAuthCredSrpUserName SnmpAdminString,
ipsAuthCredSrpRowStatus RowStatus
}
ipsAuthCredSrpUserName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"An octet string containing the CHAP user name for this
credential."
::= { ipsAuthCredSrpAttributesEntry 1 }
-- ipsAuthCredSrpPassword (2) deleted
ipsAuthCredSrpRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This field allows entries to be dynamically added and
removed from this table via SNMP."
::= { ipsAuthCredSrpAttributesEntry 3 }
Bakke, Muchow Expires June 2004 [Page 19]
Internet Draft IPS Authorization MIB December 2003
ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 9 }
-- Credential Kerberos-Specific Attributes Table
ipsAuthCredKerbAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpsAuthCredKerbAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of Kerberos attributes for credentials that
use ipsAuthMethodKerberos as their ipsAuthCredAuthMethod."
::= { ipsAuthCredKerberos 1 }
ipsAuthCredKerbAttributesEntry OBJECT-TYPE
SYNTAX IpsAuthCredKerbAttributesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry (row) containing management information
applicable to a credential which uses
ipsAuthMethodKerberos as its ipsAuthCredAuthMethod."
INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
::= { ipsAuthCredKerbAttributesTable 1 }
IpsAuthCredKerbAttributesEntry ::= SEQUENCE {
ipsAuthCredKerbPrincipal SnmpAdminString,
ipsAuthCredKerbRowStatus RowStatus
}
ipsAuthCredKerbPrincipal OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"An octet string containing a Kerberos principal
for this credential."
::= { ipsAuthCredKerbAttributesEntry 1 }
ipsAuthCredKerbRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This field allows entries to be dynamically added and
removed from this table via SNMP."
::= { ipsAuthCredKerbAttributesEntry 2 }
------------------------------------------------------------------------
Bakke, Muchow Expires June 2004 [Page 20]
Internet Draft IPS Authorization MIB December 2003
-- Notifications
-- There are no notifications necessary in this MIB.
------------------------------------------------------------------------
-- Conformance Statements
ipsAuthGroups OBJECT IDENTIFIER ::= { ipsAuthConformance 1 }
ipsAuthInstanceAttributesGroup OBJECT-GROUP
OBJECTS {
ipsAuthInstDescr
}
STATUS current
DESCRIPTION
"A collection of objects providing information about
authorization instances."
::= { ipsAuthGroups 1 }
ipsAuthIdentAttributesGroup OBJECT-GROUP
OBJECTS {
ipsAuthIdentDescription,
ipsAuthIdentRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects providing information about
user identities within an authorization instance."
::= { ipsAuthGroups 2 }
ipsAuthIdentNameAttributesGroup OBJECT-GROUP
OBJECTS {
ipsAuthIdentName,
ipsAuthIdentNameRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects providing information about
user names within user identities within an authorization
instance."
::= { ipsAuthGroups 3 }
ipsAuthIdentAddrAttributesGroup OBJECT-GROUP
OBJECTS {
ipsAuthIdentAddrType,
ipsAuthIdentAddrStart,
ipsAuthIdentAddrEnd,
Bakke, Muchow Expires June 2004 [Page 21]
Internet Draft IPS Authorization MIB December 2003
ipsAuthIdentAddrRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects providing information about
address ranges within user identities within an
authorization instance."
::= { ipsAuthGroups 4 }
ipsAuthIdentCredAttributesGroup OBJECT-GROUP
OBJECTS {
ipsAuthCredAuthMethod,
ipsAuthCredRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects providing information about
credentials within user identities within an authorization
instance."
::= { ipsAuthGroups 5 }
ipsAuthIdentChapAttrGroup OBJECT-GROUP
OBJECTS {
ipsAuthCredChapUserName,
ipsAuthCredChapRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects providing information about
CHAP credentials within user identities within an
authorization instance."
::= { ipsAuthGroups 6 }
ipsAuthIdentSrpAttrGroup OBJECT-GROUP
OBJECTS {
ipsAuthCredSrpUserName,
ipsAuthCredSrpRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects providing information about
SRP credentials within user identities within an
authorization instance."
::= { ipsAuthGroups 7 }
ipsAuthIdentKerberosAttrGroup OBJECT-GROUP
OBJECTS {
ipsAuthCredKerbPrincipal,
Bakke, Muchow Expires June 2004 [Page 22]
Internet Draft IPS Authorization MIB December 2003
ipsAuthCredKerbRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects providing information about
Kerberos credentials within user identities within an
authorization instance."
::= { ipsAuthGroups 8 }
------------------------------------------------------------------------
ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 2 }
ipsAuthComplianceV1 MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"Initial version of compliance statement based on
initial version of MIB.
The Instance and Identity groups are mandatory;
at least one of the other groups (Name, Address,
Credential, Certificate) is also mandatory for
any given implementation."
MODULE -- this module
MANDATORY-GROUPS {
ipsAuthInstanceAttributesGroup,
ipsAuthIdentAttributesGroup
}
-- Conditionally mandatory groups to be included with
-- the mandatory groups when necessary.
GROUP ipsAuthIdentNameAttributesGroup
DESCRIPTION
"This group is mandatory for all implementations
that make use of unique identity names."
GROUP ipsAuthIdentAddrAttributesGroup
DESCRIPTION
"This group is mandatory for all implementations
that use addresses to help verify identities."
GROUP ipsAuthIdentCredAttributesGroup
DESCRIPTION
"This group is mandatory for all implementations
that use credentials to help verify identities."
GROUP ipsAuthIdentChapAttrGroup
Bakke, Muchow Expires June 2004 [Page 23]
Internet Draft IPS Authorization MIB December 2003
DESCRIPTION
"This group is mandatory for all implementations
that use CHAP to help verify identities.
The ipsAuthIdentCredAttributesGroup must be
implemented if this group is implemented."
GROUP ipsAuthIdentSrpAttrGroup
DESCRIPTION
"This group is mandatory for all implementations
that use SRP to help verify identities.
The ipsAuthIdentCredAttributesGroup must be
implemented if this group is implemented."
GROUP ipsAuthIdentKerberosAttrGroup
DESCRIPTION
"This group is mandatory for all implementations
that use Kerberos to help verify identities.
The ipsAuthIdentCredAttributesGroup must be
implemented if this group is implemented."
OBJECT ipsAuthInstDescr
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthIdentDescription
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthIdentRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required, and only one of the
six enumerated values for the RowStatus textual
convention need be supported, specifically:
active(1)."
OBJECT ipsAuthIdentName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthIdentNameRowStatus
Bakke, Muchow Expires June 2004 [Page 24]
Internet Draft IPS Authorization MIB December 2003
SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required, and only one of the
six enumerated values for the RowStatus textual
convention need be supported, specifically:
active(1)."
OBJECT ipsAuthIdentAddrType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthIdentAddrStart
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthIdentAddrEnd
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthIdentAddrRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required, and only one of the
six enumerated values for the RowStatus textual
convention need be supported, specifically:
active(1)."
OBJECT ipsAuthCredAuthMethod
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthCredRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required, and only one of the
six enumerated values for the RowStatus textual
convention need be supported, specifically:
active(1)."
OBJECT ipsAuthCredChapUserName
MIN-ACCESS read-only
Bakke, Muchow Expires June 2004 [Page 25]
Internet Draft IPS Authorization MIB December 2003
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthCredChapRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required, and only one of the
six enumerated values for the RowStatus textual
convention need be supported, specifically:
active(1)."
OBJECT ipsAuthCredSrpUserName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthCredSrpRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required, and only one of the
six enumerated values for the RowStatus textual
convention need be supported, specifically:
active(1)."
OBJECT ipsAuthCredKerbPrincipal
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT ipsAuthCredKerbRowStatus
SYNTAX INTEGER { active(1) } -- subset of RowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required, and only one of the
six enumerated values for the RowStatus textual
convention need be supported, specifically:
active(1)."
::= { ipsAuthCompliances 1 }
END
Bakke, Muchow Expires June 2004 [Page 26]
Internet Draft IPS Authorization MIB December 2003
6. Security Considerations
There are a number of management objects defined in this MIB module
with a MAX-ACCESS clause of read-write and/or read-create. Such
objects may be considered sensitive or vulnerable in some network
environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on
network operations. These are the tables and objects and their
sensitivity/vulnerability:
All tables provide the ability to set up which credentials may be
used to access services on the managed system, to remove
legitimate credentials (a denial of service), or to remove
individual credentials to weaken the requirements for access of a
particular service. Write access must always be tightly
controlled. Note that some types of credentials, such as CHAP or
SRP, also require passwords or verifiers to be associated with the
credential. These are managed outside this MIB.
Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over
the network via SNMP. These are the tables and objects and their
sensitivity/vulnerability:
All tables provide the ability to find out which names, addresses,
and credentials would be required to access services on the
managed system. If these credentials are easily spoofed
(particularly the name or address), read access to the MIB must be
tightly controlled.
SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec),
even then, there is no control as to who on the secure network is
allowed to access and GET/SET (read/change/create/delete) the objects
in this MIB module.
It is RECOMMENDED that implementors consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
Bakke, Muchow Expires June 2004 [Page 27]
Internet Draft IPS Authorization MIB December 2003
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.
7. Normative References
[RFC2578] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M.
Rose, and S. Waldbusser, "Structure of Management
Information Version 2 (SMIv2)", STD 58, RFC 2578, April
1999.
[RFC2579] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M.
Rose, and S. Waldbusser, "Textual Conventions for SMIv2",
STD 58, RFC 2579, April 1999.
[RFC2580] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M.
Rose, and S. Waldbusser, "Conformance Statements for SMIv2",
STD 58, RFC 2580, April 1999.
[RFC3291] M. Daniele, et. al., "Textual Conventions for Internet
Network Addresses", RFC 3291, May 2002.
[IANA-AF] IANA, "IANA Address Family Numbers MIB",
http://www.iana.org/assignments/ianaaddressfamilynumbers-mib
[RFC1213] K. McCloghrie, M. Rose, "Management Information Base for
Network Management of TCP/IP-based internets:MIB-II", March
1991.
[RFC2011] K. McCloghrie, "SNMPv2 Management Information Base for the
Internet Protocol using SMIv2", November 1996.
[RFC2465] D. Haskin, S. Onishi, "Management Information Base for IP
Version 6: Textual Conventions and General Group", December
1998.
8. Informative References
[RFC3410] J. Case, R. Mundy, D. Partain, and B. Stewart, "Introduction
and Applicability Statements for Internet-Standard
Management Framework", RFC 3410, December 2002.
[ISCSI] Satran, J., et. al., "iSCSI", Work in Progress, draft-ietf-
ips-iscsi-20, January 2003.
[RFC1737] K. Sollins, L. Masinter, "Functional Requirements for
Uniform Resource Names", December 1994.
Bakke, Muchow Expires June 2004 [Page 28]
Internet Draft IPS Authorization MIB December 2003
[RFC1994] W. Simpson, "PPP Challenge Handshake Authentication Protocol
(CHAP)", August 1996.
[RFC1510] J. Kohl, C. Neuman, "The Kerberos Network Authentication
Service (V5)", September 1993.
[RFC2945] T. Wu, "The SRP Authentication and Key Exchange System",
September 2000.
[FCMGMT] K. McCloghrie, "Fibre Channel Management MIB", Work in
Progress, draft-ietf-ips-fcmgmt-mib-03, October 2002.
9. Authors' Addresses
Mark Bakke
Postal: Cisco Systems, Inc
6450 Wedgwood Road, Suite 130
Maple Grove, MN
USA 55311
Tel: +1 763-398-1000
Fax: +1 763-398-1001
E-mail: mbakke@cisco.com
Jim Muchow
E-mail: jamesdmuchow@yahoo.com"
10. IPR Notice
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made
available for publication and any assurances of licenses to be made
available, or the result of an attempt made to obtain a general
license or permission for the use of such proprietary rights by
implementors or users of this specification can be obtained from the
IETF Secretariat.
Bakke, Muchow Expires June 2004 [Page 29]
Internet Draft IPS Authorization MIB December 2003
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
11. Full Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
Bakke, Muchow Expires June 2004 [Page 30]
| PAFTECH AB 2003-2026 | 2026-04-19 18:58:34 |