Identification MIB
draft-ietf-ident-mib-03
The information below is for an old version of the document that is already published as an RFC.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 1414.
|
|
|---|---|---|---|
| Authors | Dr. Marshall T. Rose , Michael StJohns | ||
| Last updated | 2013-03-02 (Latest revision 1992-08-03) | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Additional resources | cnri.reston.va.us%3A~/ietf.mailing.lists/ident/%2A | ||
| Stream | WG state | (None) | |
| Document shepherd | (None) | ||
| IESG | IESG state | Became RFC 1414 (Historic) | |
| Consensus boilerplate | Unknown | ||
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-ietf-ident-mib-03
Draft Ident MIB Jul 92
Ident MIB
Tue Jul 31 14:50:52 1992
Michael St. Johns
U.S. Department of Defense
stjohns@UMD5.UMD.EDU
Marshall T. Rose
Dover Beach Consulting, Inc.
mrose@dbc.mtview.ca.us
1. Status of this Memo
This document is an Internet Draft. Internet Drafts are
working documents of the Internet Engineering Task Force
(IETF), its Areas, and its Working Groups. Note that other
groups may also distribute working documents as Internet
Drafts.
Internet Drafts are draft documents valid for a maximum of six
months. Internet Drafts may be updated, replaced, or
obsoleted by other documents at any time. It is not
appropriate to use Internet Drafts as reference material or to
cite them other than as a "working draft" or "work in
progress".
Please check the 1id-abstracts.txt listing contained in the
internet-drafts Shadow Directories on nic.ddn.mil,
nnsc.nsf.net, nic.nordu.net, ftp.nisc.sri.com, or
munnari.oz.au to learn the current status of any Internet
Draft.
2. Abstract
This memo defines a MIB for use with identifying the users
associated with TCP connections. It provides functionality
St. Johns, Rose Expires January 31, 1993 [Page 1]
Draft Ident MIB Jul 92
approximately equivalent to that provided by the protocol
defined in RFC 931[1].
St. Johns, Rose Expires January 31, 1993 [Page 2]
Draft Ident MIB Jul 92
3. The Network Management Framework
The Internet-standard Network Management Framework consists of
three components. They are:
RFC 1155[2] which defines the SMI, the mechanisms used for
describing and naming objects for the purpose of management.
RFC 1212[3] defines a more concise description mechanism,
which is wholly consistent with the SMI.
RFC 1213[4] which defines MIB-II, the core set of managed
objects for the Internet suite of protocols.
RFC 1157[5] which defines the SNMP, the protocol used for
network access to managed objects.
The Framework permits new objects to be defined for the
purpose of experimentation and evaluation.
Managed objects are accessed via a virtual information store,
termed the Management Information Base or MIB. Within a given
MIB module, objects are defined using RFC 1212's OBJECT-TYPE
macro. At a minimum, each object has a name, a syntax, an
access-level, and an implementation-status.
The name is an object identifier, an administratively assigned
name, which specifies an object type. The object type
together with an object instance serves to uniquely identify a
specific instantiation of the object. For human convenience,
we often use a textual string, termed the object descriptor,
to also refer to the object type.
The syntax of an object type defines the abstract data
structure corresponding to that object type. The ASN.1[6]
language is used for this purpose. However, RFC 1155
purposely restricts the ASN.1 constructs which may be used.
These restrictions are explicitly made for simplicity.
The access-level of an object type defines whether it makes
"protocol sense" to read and/or write the value of an instance
of the object type. (This access-level is independent of any
administrative authorization policy.)
The implementation-status of an object type indicates whether
the object is mandatory, optional, obsolete, or deprecated.
St. Johns, Rose Expires January 31, 1993 [Page 3]
Draft Ident MIB Jul 92
4. Ident MIB
The Ident MIB defines a uniform set of objects useful for
identifying users associated with TCP connections. End-
systems which support TCP may, at their option, implement this
MIB. However, administrators should read Section 6 ("Security
Considerations") before enabling these MIB objects.
St. Johns, Rose Expires January 31, 1993 [Page 4]
Draft Ident MIB Jul 92
5. Definitions
RFC-ident-MIB DEFINITIONS ::= BEGIN
IMPORTS
experimental
FROM RFC-1155
OBJECT-TYPE
FROM RFC-1212
tcpConnLocalAddress, tcpConnLocalPort,
tcpConnRemAddress, tcpConnRemPort
FROM RFC1213-MIB;
ident OBJECT IDENTIFIER ::= { experimental 33 }
-- conformance groups
identInfo OBJECT IDENTIFIER ::= { ident 1 }
-- textual conventions
-- none
St. Johns, Rose Expires January 31, 1993 [Page 5]
Draft Ident MIB Jul 92
-- the ident information system group
--
-- implementation of this group is mandatory
identTable OBJECT-TYPE
SYNTAX SEQUENCE OF IdentEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"A table containing user information for TCP
connections.
Note that this table contains entries for all TCP
connections on a managed system. The
corresponding instance of tcpConnState (defined in
MIB-II) indicates the state of a particular
connection."
::= { identInfo 1 }
identEntry OBJECT-TYPE
SYNTAX IdentEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"User information about a particular TCP
connection."
INDEX { tcpConnLocalAddress, tcpConnLocalPort,
tcpConnRemAddress, tcpConnRemPort }
::= { identTable 1 }
IdentEntry ::=
SEQUENCE {
identStatus INTEGER,
identOpSys OBJECT IDENTIFIER,
identCharset OBJECT IDENTIFIER,
identUserid OCTET STRING,
identMisc OCTET STRING
}
identStatus OBJECT-TYPE
SYNTAX INTEGER {
noError(1),
unknownError(2)
}
ACCESS read-only
St. Johns, Rose Expires January 31, 1993 [Page 6]
Draft Ident MIB Jul 92
STATUS mandatory
DESCRIPTION
"Indicates whether user information for the
associated TCP connection can be determined. A
value of `noError(1)' indicates that user
information is available. A value of
`unknownError(2)' indicates that user information
is not available."
::= { identEntry 1 }
identOpSys OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
ACCESS read-only
STATUS mandatory
DESCRIPTION
"Indicates the type of operating system in use.
In addition to identifying an operating system,
each assignment made for this purpose also
(implicitly) identifies the textual format and
maximum size of the corresponding identUserid and
identMisc objects.
The `identSystems' subtree may be used by the IANA
for assignments."
::= { identEntry 2 }
identCharset OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
ACCESS read-only
STATUS mandatory
DESCRIPTION
"Indicates the repertoire of the corresponding
identUserid and identMisc objects.
The `identCharsets' subtree may be used by the
IANA for assignments."
::= { identEntry 3 }
identUserid OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..255))
ACCESS read-only
STATUS mandatory
DESCRIPTION
"Indicates the user's identity. Interpretation of
this object requires examination of the
St. Johns, Rose Expires January 31, 1993 [Page 7]
Draft Ident MIB Jul 92
corresponding value of the identOpSys and
identCharset objects."
::= { identEntry 4 }
identMisc OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..255))
ACCESS read-only
STATUS mandatory
DESCRIPTION
"Indicates miscellaneous information about the
user. Interpretation of this object requires
examination of the corresponding value of the
identOpSys and identCharset objects."
::= { identEntry 5 }
St. Johns, Rose Expires January 31, 1993 [Page 8]
Draft Ident MIB Jul 92
-- operating system assignments, used for identOpSys
identSystems OBJECT IDENTIFIER ::= { ident 2 }
-- when the Assigned Numbers "system name" is UNIX
identSysUnix OBJECT IDENTIFIER ::= { identSystems 1 }
-- when identOpSys has the value identSysUnix:
--
-- identUserid corresponds to the UNIX username (pw_name)
-- of length 1 to 8 octets
--
-- the syntax (and length) of identMisc is a local matter
St. Johns, Rose Expires January 31, 1993 [Page 9]
Draft Ident MIB Jul 92
-- character set assignments, used for identCharset
identCharsets OBJECT IDENTIFIER ::= { ident 3 }
-- the NVT ASCII repertoire
charsetNvtAscii OBJECT IDENTIFIER ::= { identCharsets 1 }
END
St. Johns, Rose Expires January 31, 1993 [Page 10]
Draft Ident MIB Jul 92
6. Security Considerations
The information available through this MIB is at most as
trustworthy as the host providing it OR the organization
operating the host. For example, a PC in an open lab has few
if any controls on it to prevent a user from having an SNMP
query return any identifier the user wants. Likewise, if the
host has been compromised the information returned may be
completely erroneous and misleading.
This portion of the MIB space should only be used to gain
hints as to who "owns" a particular TCP connection --
information returned should NOT be considered authoritative
for at least the reasons described above. At best, this MIB
provides some additional auditing information with respect to
TCP connections. At worse it can provide misleading,
incorrect or maliciously incorrect information.
The use of the information contained in this MIB for other
than auditing or normal network management functions is
strongly discouraged. Specifically, using information from
this MIB space to make access control decisions - either as
the primary method (i.e no other checks) or as an adjunct to
other methods may result in a weakening of normal system
security.
This MIB provides access to information about users, entities,
objects or processes which some systems might normally
consider private. The information accessible through this MIB
is a rough analog of the CallerID services provided by some
phone companies and many of the same privacy consideration and
arguments that apply to CallerID service apply to this MIB
space. If you wouldn't run a "finger" server[7] due to
privacy considerations, you might not want to provide access
to this MIB space on a general basis. Access to this portion
of the MIB tree may be controlled under the normal methods
available through SNMP agent implementations.
St. Johns, Rose Expires January 31, 1993 [Page 11]
Draft Ident MIB Jul 92
7. References
[1] M. St. Johns, Authentication Server. Request for
Comments 931, (May, 1990).
[2] M.T. Rose and K. McCloghrie, Structure and Identification
of Management Information for TCP/IP-based internets.
Request for Comments 1155, (May, 1990).
[3] M.T. Rose and K. McCloghrie, Concise MIB Definitions.
Request for Comments 1212, (March, 1991).
[4] K. McCloghrie and M.T. Rose, Management Information Base
for Network Management of TCP/IP-based internets: MIB-II.
Request for Comments 1213, (March, 1991).
[5] J.D. Case, M.S. Fedor, M.L. Schoffstall, and J.R. Davin,
Simple Network Management Protocol. Request for Comments
1157, (May, 1990).
[6] Information processing systems - Open Systems
Interconnection - Specification of Abstract Syntax
Notation One (ASN.1), International Organization for
Standardization. International Standard 8824, (December,
1987).
[7] D.P. Zimmerman, Finger User Information Protocol.
Request for Comments 1288, (December, 1991).
St. Johns, Rose Expires January 31, 1993 [Page 12]
Draft Ident MIB Jul 92
Table of Contents
1 Status of this Memo ................................... 1
2 Abstract .............................................. 1
3 The Network Management Framework ...................... 3
4 Ident MIB ............................................. 4
5 Definitions ........................................... 5
5.1 Conformance Groups .................................. 5
5.2 Textual Conventions ................................. 5
5.3 The Ident information Group ......................... 6
5.4 Operating System Assignments ........................ 9
5.4.1 identSysUnix ...................................... 9
5.5 Character Set Assignments ........................... 10
5.5.1 charsetNvtAscii ................................... 10
6 Security Considerations ............................... 11
7 References ............................................ 12
St. Johns, Rose Expires January 31, 1993 [Page 13]