Network Working Group                                 A. Garcia-Martinez
Internet-Draft                                                      UC3M
Intended status: Informational                              July 4, 2008
Expires: January 5, 2009


 Management Information Base for Cryptographically Generated Addresses
                                 (CGA)
                    draft-garcia-martinez-cgamib-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 5, 2009.

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for managing Cryptographically Generated Addresses (CGA).


Garcia-Martinez          Expires January 5, 2009                [Page 1]


Internet-Draft                   CGA MIB                       July 2008


Table of Contents

   1.  The Internet-Standard Management Framework . . . . . . . . . .  3
   2.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Definitions  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . . 17
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 18
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
     6.1.  Normative References . . . . . . . . . . . . . . . . . . . 19
     6.2.  Informative References . . . . . . . . . . . . . . . . . . 20
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 20
   Intellectual Property and Copyright Statements . . . . . . . . . . 21



1.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].  Managed objects are accessed via a virtual
   information store, termed the Management Information Base or MIB.
   MIB objects are generally accessed through the Simple Network
   Management Protocol (SNMP).  Objects in the MIB are defined using the
   mechanisms defined in the Structure of Management Information (SMI).
   This memo specifies a MIB module that is compliant to the SMIv2,
   which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579
   [RFC2579] and STD 58, RFC 2580 [RFC2580].


2.  Overview

   This document defines the portion of the Management Information Base
   (MIB) to be used for managing Cryptographically Generated Addresses
   (CGA) [RFC3972].  CGA addresses are IPv6 addresses for which the
   interface identifier is generated by computing a one-way hash
   function from a public signature key and some auxiliary parameters.

   The cgaLocalTable holds the information related to the CGAs
   configured as local addresses in the system (i.e. addresses owned by
   the managed node).  These CGAs can be used by any protocol that
   requires CGAs configured as local addresses, such as SEND or Shim6.
   The table contains CGA-specific information, namely the elements of
   the CGA Parameters data structure.  Further information about the
   address (interface, status, creation time) is available from the
   corresponding entry of the ipAddressTable [RFC4293].  CGA addresses
   are represented with the InetAddressIPv6 type defined in [RFC4001].
   Managers can create new entries in the table to configure the node
   with new CGA addresses.  A spin lock object (cgaLocalSpinLock) is
   used to coordinate the creation and removal of rows by different
   managers.  The table also includes a columnar object that indicates
   the protocols that are currently using the local CGA.

   The cgaRemoteTable contains information related to CGAs of remote
   systems.  Different protocols (e.g. SEND or Shim6) or other means can
   convey this information to the managed node, and several of these
   protocols may be using a given CGA at the same time.  The table
   contains the address, represented with the InetAddressIPv6 type, and
   the elements of the CGA Parameters data structure.  The table also
   includes a columnar object that indicates the protocols that are
   currently using the remote CGA.


3.  Definitions

   CGA-MIB DEFINITIONS ::= BEGIN

   IMPORTS

      MODULE-IDENTITY, OBJECT-TYPE, mib-2          FROM SNMPv2-SMI
      TEXTUAL-CONVENTION, TestAndIncr,
      RowStatus, StorageType, TimeStamp            FROM SNMPv2-TC
      MODULE-COMPLIANCE, OBJECT-GROUP              FROM SNMPv2-CONF
      InetAddressIPv6                              FROM INET-ADDRESS-MIB
      ipAddressAddrType, ipAddressAddr             FROM IP-MIB;

   cgaMIB MODULE-IDENTITY
       LAST-UPDATED "200807040000Z"
       ORGANIZATION "IETF CSI (Cga & Send Maintenance) Working Group"
       CONTACT-INFO
              "Editor:

              Alberto Garcia-Martinez
              U. Carlos III de Madrid
              Avenida Universidad, 30
              Leganes, Madrid 28911
              Spain
              Email: alberto.garcia@uc3m.es

              CSI Working Group: cga-ext@ietf.org"
       DESCRIPTION
              "The MIB module for managing the CGA Parameters data
              structures of CGAs local to the managed node and of CGAs
              of remote nodes known to it.

              Copyright (C) The IETF Trust (2008).  This version of this
              MIB module is part of RFC yyyy; see the RFC itself for
              full legal notices."

       -- RFC Ed.: replace yyyy with actual RFC number & remove this
       -- note

       REVISION "200807040000Z"
       DESCRIPTION
              "Initial version, published as RFC yyyy."

                 -- RFC Ed.: replace yyyy with actual RFC number & remove
                 -- this note

       ::= { mib-2 XXX }

          -- RFC Ed.: replace XXX with actual number assigned by IANA
          -- & remove this note


   --
   -- The textual conventions we define and use in this MIB.
   --

   CgaModifier ::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
              "128-bit unsigned integer, which can be any value.  Used
              during CGA generation to implement the hash extension and
              add randomness to the address."
       REFERENCE "RFC 3972"
       SYNTAX OCTET STRING (SIZE (16))

   CgaCollisionCount ::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
              "Counter that is incremented during CGA generation to
              recover from an address collision.  Up to two collisions
              are allowed."
       REFERENCE "RFC 3972"
       SYNTAX INTEGER {
           zerocollisions(0),
           onecollision(1),
           twocollisions(2)
       }

   CgaPublicKeyInfo::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
              "Variable-length field containing the public key of the
              address (CGA) owner.  The public key MUST be formatted as
              a DER-encoded [CCITT.X690.2002] ASN.1 structure of the
              type SubjectPublicKeyInfo, defined in the Internet X.509
              certificate profile [RFC3280].  When RSA is used, the
              algorithm identifier MUST be rsaEncryption, which is
              1.2.840.113549.1.1.1, and the RSA public key MUST be
              formatted by using the RSAPublicKey type as specified in
              Section 2.3.1 of RFC 3279 [RFC3279].  The length of this
              field is determined by the ASN.1 encoding."
       REFERENCE "RFC 3279, RFC 3280, ITU-T Recommendation X.690"
       SYNTAX OCTET STRING (SIZE (0..1024))

   CgaProtocolsUsingCga::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
              "BITS construct that indicates the protocols using a CGA.
              A protocol is using the CGA if the protocol-specific part
              of the system is using it (for example, because its
              parameters are cached for future use by the protocol).
              The agent may not support the update of this object, in
              which case the unknown(0) bit must be set to one.  If the
              unknown(0) bit is set to one, no other bit may be set.
              Several protocols can be using a CGA at the same time, so
              several bits may be set at the same time (except when the
              unknown(0) bit is set).  It may also be that no protocol
              is currently using the CGA, for example just after the
              CGA has been configured in the system; in this case no
              bits are set.  This should be the initial value of an
              object of this type if the agent supports its update."
       SYNTAX BITS {
           unknown(0),
           send(1),
           shim6(2) }

   cga OBJECT IDENTIFIER ::= { cgaMIB 1 }

   --
   -- Information related to local CGA
   --

   cgaLocalSpinLock OBJECT-TYPE
       SYNTAX TestAndIncr
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
              "An advisory lock used to allow cooperating SNMP managers
              to coordinate their use of the set operation in creating
              or removing rows within the cgaLocalTable.  Note that the
              rows in the cgaLocalTable must not be modified once
              created, except for the cgaLocalRowStatus and
              cgaLocalAdminStatus columnar objects.
              In order to use this lock to coordinate the use of set
              operations, managers should first retrieve
              cgaLocalSpinLock.  They should then determine the
              appropriate row to create or remove (setting the
              appropriate value of the cgaLocalRowStatus object).
              Finally, they should issue the appropriate set command,
              including the retrieved value of cgaLocalSpinLock.  If
              another manager has created or destroyed a row in the
              meantime, the value of cgaLocalSpinLock will have
              changed, and the set operation will fail because it
              specifies an incorrect value for cgaLocalSpinLock.  It is
              suggested, but not required, that cgaLocalSpinLock be the
              first var bind of each set of objects representing a
              'row' in a PDU."
       ::= { cga 1 }

   cgaLocalTable OBJECT-TYPE
       SYNTAX SEQUENCE OF CgaLocalEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
              "This table contains information relevant to CGA addresses
              configured as local addresses in the node.
              The table is intended to allow managers to add or remove
              entries as a whole.  The modification of the parameters
              that are used to calculate the CGA would generate
              inconsistencies, so it is not allowed.  Entries in this
              table have a corresponding entry in the ipAddressTable
              [RFC4293], which provides information such as the
              interface in which it is configured, its status, the time
              at which it was created, or changed, etc."
              ::= { cga 2 }

   cgaLocalEntry OBJECT-TYPE
       SYNTAX CgaLocalEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
              "An entry in this table must exist for each CGA address
              configured as a local address.  Each entry in the
              cgaLocalTable with cgaLocalAdminStatus equal to
              enabled(1) must have a corresponding entry in the
              IP-MIB:ipAddressTable [RFC4293], and the value of the
              INDEX of an entry of the cgaLocalTable is the same as the
              value of the INDEX of the corresponding entry of the
              IP-MIB:ipAddressTable.
              The interface identifier of ipAddressAddr must be the
              result of the Hash1 computation defined in [RFC3972] over
              the CGA Parameters held in this row.  The value of
              ipAddressAddrType must be ipv6(2) or ipv6z(4).  The
              IP-MIB:ipAddressLastChanged object must be updated to
              reflect any change in the corresponding cgaLocalTable
              row.  The values of cgaLocalStorageType and of the
              corresponding IP-MIB:ipAddressStorageType should be the
              same.
              The administrator can create a new row by setting
              appropriate values to the parameters that are used to
              build the CGA: cgaLocalModifier, cgaLocalCollisionCount,
              cgaLocalPublicKey and cgaLocalExtensionFields.
              Additionally, the corresponding entry in the
              IP-MIB:ipAddressTable must have its
              IP-MIB:ipAddressRowStatus set to active(1) before or at
              the same time as the cgaLocalAdminStatus object of the
              entry is set to enabled(1).  Note that if the address is
              only to be used as a CGA, the operations of setting the
              IP-MIB:ipAddressRowStatus columnar object to active(1)
              and cgaLocalAdminStatus to enabled(1) should be performed
              atomically, i.e. in the same set operation.  The removal
              of an entry from the cgaLocalTable does not automatically
              require the removal of the corresponding entry in the
              IP-MIB:ipAddressTable, because the address may remain
              operational even if it is no longer usable as a CGA.
              Once cgaLocalRowStatus has been set to active(1) for the
              first time, the cgaLocalModifier, cgaLocalCollisionCount,
              cgaLocalPublicKey and cgaLocalExtensionFields columnar
              objects of the entry must remain unmodified.
              The removal of an entry from the IP-MIB:ipAddressTable
              must result in the removal of the corresponding entry in
              the cgaLocalTable.
              The agent may create new entries for CGAs configured by
              means other than network management."
       INDEX { ipAddressAddrType, ipAddressAddr }
       ::= { cgaLocalTable 1 }

   CgaLocalEntry ::= SEQUENCE {
           cgaLocalModifier CgaModifier,
           cgaLocalCollisionCount CgaCollisionCount,
           cgaLocalPublicKey CgaPublicKeyInfo,
           cgaLocalExtensionFields OCTET STRING,
           cgaLocalProtocolsUsingCga CgaProtocolsUsingCga,
           cgaLocalAdminStatus INTEGER,
           cgaLocalOperStatus INTEGER,
           cgaLocalRowStatus RowStatus,
           cgaLocalStorageType StorageType
       }

   cgaLocalModifier OBJECT-TYPE
       SYNTAX CgaModifier
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
              "128-bit unsigned integer, which can be any value.  Used
              during CGA generation to implement the hash extension and
              add randomness to the address.
              This object must not be modified once the
              cgaLocalRowStatus object has been set to active(1) for
              the first time."
       ::= { cgaLocalEntry 1 }

   cgaLocalCollisionCount OBJECT-TYPE
       SYNTAX CgaCollisionCount
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
              "Counter that is incremented during CGA generation to
              recover from an address collision.
              This object must not be modified once the
              cgaLocalRowStatus object has been set to active(1) for
              the first time."
       ::= { cgaLocalEntry 2 }

   cgaLocalPublicKey OBJECT-TYPE
       SYNTAX CgaPublicKeyInfo
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
              "Variable-length field containing the public key of the
              address owner.
              This object must not be modified once the
              cgaLocalRowStatus object has been set to active(1) for
              the first time."
       REFERENCE "RFC 3279, RFC 3280, ITU-T Recommendation X.690"
       ::= { cgaLocalEntry 3 }

   cgaLocalExtensionFields OBJECT-TYPE
       SYNTAX OCTET STRING (SIZE (0..1024))
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
              "Optional variable-length field.  Defined as an opaque
              type.
              This object must not be modified once the
              cgaLocalRowStatus object has been set to active(1) for
              the first time."
       ::= { cgaLocalEntry 4 }

   cgaLocalProtocolsUsingCga OBJECT-TYPE
       SYNTAX CgaProtocolsUsingCga
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
              "Protocols currently using this CGA."
       ::= { cgaLocalEntry 5 }

   cgaLocalAdminStatus OBJECT-TYPE
       SYNTAX INTEGER {
           enabled(1),
           disabled(2) }
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
              "The desired state of the CGA.  When set to enabled(1),
              the administrator requires the CGA to be available as a
              valid local address of the system.  Conversely, when set
              to disabled, the administrator requires the CGA not to be
              available as an address for the system."
       DEFVAL { disabled }
       ::= { cgaLocalEntry 6 }

   cgaLocalOperStatus OBJECT-TYPE
       SYNTAX INTEGER {
           validAndEnabled(1),
           disabled(2) }
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
              "The current operational state of the CGA.  The state
              validAndEnabled(1) indicates that this entry is both valid
              and operational as a local address in the system.
              A CGA is valid if it fulfills the conditions stated in
              RFC 3972, i.e. the Hash1 function computed over the CGA
              Parameters formed from cgaLocalModifier, the subnet
              prefix of ipAddressAddr, cgaLocalCollisionCount,
              cgaLocalPublicKey and cgaLocalExtensionFields matches the
              interface identifier of ipAddressAddr (ignoring the three
              leftmost bits, which carry Sec, and the u and g bits),
              and the 16*Sec leftmost bits of Hash2, computed over the
              same data with the subnet prefix and collision count set
              to zero, are all zero (Sec being the value of the three
              leftmost bits of the interface identifier)."
       ::= { cgaLocalEntry 7 }

   cgaLocalRowStatus OBJECT-TYPE
       SYNTAX RowStatus
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
              "The status of this conceptual row.
              A conceptual row cannot be made active until all the
              read-create columnar objects, except cgaLocalAdminStatus
              and cgaLocalStorageType (which have default values), have
              been assigned a value.  cgaLocalOperStatus is read-only
              and is set by the agent."
       ::= { cgaLocalEntry 8 }

   cgaLocalStorageType OBJECT-TYPE
       SYNTAX StorageType
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
              "The storage type for this conceptual row.  Conceptual
              rows having the value 'permanent' need not allow write
              access to any columnar objects in the row.
              The values of cgaLocalStorageType and of the
              corresponding IP-MIB:ipAddressStorageType should be the
              same."
       DEFVAL { volatile }
       ::= { cgaLocalEntry 9 }


   --
   -- table to store information about the valid CGAs corresponding
   -- to remote nodes
   --

   cgaRemoteTable OBJECT-TYPE
       SYNTAX SEQUENCE OF CgaRemoteEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
              "List of valid CGA addresses of remote nodes.  A CGA is
              valid if it fulfills the conditions stated in RFC 3972,
              i.e. the Hash1 function computed over the CGA Parameters
              formed from cgaRemoteModifier, the subnet prefix of
              cgaRemoteAddr, cgaRemoteCollisionCount,
              cgaRemotePublicKey and cgaRemoteExtensionFields matches
              the interface identifier of cgaRemoteAddr (ignoring the
              three leftmost bits, which carry Sec, and the u and g
              bits), and the 16*Sec leftmost bits of Hash2, computed
              over the same data with the subnet prefix and collision
              count set to zero, are all zero (Sec being the value of
              the three leftmost bits of the interface identifier).
              In general, the agent populates the entries of this table
              with information obtained through a CGA-aware protocol
              (e.g. SEND or Shim6), and that protocol may be
              responsible for deleting the entry according to the rules
              defined for its operation.  Protocol-specific information
              associated with the CGA (for example, the link-layer
              address associated with the CGA) must be managed in a MIB
              specific to the protocol concerned.  Note that several
              protocols may be using the same remote CGA.
              All the objects in this table are read-only."
       ::= { cga 3 }

   cgaRemoteEntry OBJECT-TYPE
       SYNTAX CgaRemoteEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
              "Information related with a remote CGA."
       INDEX { cgaRemoteAddr }
       ::= { cgaRemoteTable 1 }

   CgaRemoteEntry ::= SEQUENCE {
           cgaRemoteAddr InetAddressIPv6,
           cgaRemoteModifier CgaModifier,
           cgaRemoteCollisionCount CgaCollisionCount,
           cgaRemotePublicKey CgaPublicKeyInfo,
           cgaRemoteExtensionFields OCTET STRING,
           cgaRemoteProtocolsUsingCga CgaProtocolsUsingCga,
           cgaRemoteOrigin INTEGER,
           cgaRemoteCreated TimeStamp
       }

   cgaRemoteAddr OBJECT-TYPE
       SYNTAX InetAddressIPv6
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
              "The CGA IPv6 address to which this entry's addressing
              information is associated."
       ::= { cgaRemoteEntry 1 }

   cgaRemoteModifier OBJECT-TYPE
       SYNTAX CgaModifier
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
              "128-bit unsigned integer, which can be any value.  Used
              during CGA generation to implement the hash extension and
              add randomness to the address."
       ::= { cgaRemoteEntry 2 }

   cgaRemoteCollisionCount OBJECT-TYPE
       SYNTAX CgaCollisionCount
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
              "Counter that is incremented during CGA generation to
              recover from an address collision."
       ::= { cgaRemoteEntry 3 }

   cgaRemotePublicKey OBJECT-TYPE
       SYNTAX CgaPublicKeyInfo
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
              "Variable-length field containing the public key of the
              remote node owner of the address."
       ::= { cgaRemoteEntry 4 }

   cgaRemoteExtensionFields OBJECT-TYPE
       SYNTAX OCTET STRING (SIZE (0..1024))
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
              "Optional variable-length field.  Defined as an opaque
              type."
       ::= { cgaRemoteEntry 5 }

   cgaRemoteProtocolsUsingCga OBJECT-TYPE
       SYNTAX CgaProtocolsUsingCga
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
              "Protocols currently using this CGA."
       ::= { cgaRemoteEntry 6 }

   cgaRemoteOrigin OBJECT-TYPE
       SYNTAX INTEGER {
           other(1),
           manual(2),
           send(3),
           shim6(4)
       }
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
              "The origin of the CGA entry.
              other(1) indicates an origin not covered by the other
              values.
              manual(2) indicates that the CGA was manually configured,
              e.g. by user configuration.
              send(3) indicates that the CGA was received through the
              SEND protocol [RFC3971].
              shim6(4) indicates that the CGA was received through the
              Shim6 protocol.
              Note that each protocol may apply different rules when
              validating the CGA (for example, a different minimum key
              length).
              Note also that although created by a particular means,
              the CGA may be used at the same time by many protocols."
       ::= { cgaRemoteEntry 7 }

   cgaRemoteCreated OBJECT-TYPE
       SYNTAX TimeStamp
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
              "The value of sysUpTime at the time this entry was
              created.  If this entry was created prior to the last re-
              initialization of the local network management subsystem,
              then this object contains a zero value."
       ::= { cgaRemoteEntry 8 }


   --
   -- conformance information
   --


   cgaMIBConformance OBJECT IDENTIFIER ::= { cgaMIB 2 }

   cgaMIBCompliances OBJECT IDENTIFIER ::= { cgaMIBConformance 1 }

   cgaMIBGroups OBJECT IDENTIFIER ::= { cgaMIBConformance 2 }

   cgaMIBCompliance MODULE-COMPLIANCE
       STATUS current
       DESCRIPTION
              "The compliance statement for systems with CGA addresses."

       MODULE -- this module

          -- none of the groups defined here is mandatory. Any of them
          -- can be implemented, depending on the use of the CGAs. For
          -- example, it may be acceptable not to implement local CGA
          -- addresses while still storing remote CGA addresses.

       -- MANDATORY-GROUPS { }

       GROUP cgaLocalGroup
       DESCRIPTION
              "This group is mandatory for nodes that support the use of
              CGA as local addresses."

       GROUP cgaRemoteGroup
       DESCRIPTION
              "This group is mandatory for nodes that implement
              protocols that may rely on the identification of remote
              nodes as CGA addresses, such as SEND or Shim6."

       OBJECT cgaLocalSpinLock
       MIN-ACCESS read-only
       DESCRIPTION
              "An agent is not required to provide write access to this
              object.  However, if an agent provides write access to any
              of the other objects in the cgaLocalGroup, it SHOULD
              provide write access to this object as well."

       OBJECT cgaLocalModifier
       MIN-ACCESS read-only
       DESCRIPTION
              "An agent is not required to provide write or create
              access to this object."

       OBJECT cgaLocalCollisionCount
       MIN-ACCESS read-only
       DESCRIPTION
              "An agent is not required to provide write or create
              access to this object."

       OBJECT cgaLocalPublicKey
       MIN-ACCESS read-only
       DESCRIPTION
              "An agent is not required to provide write or create
              access to this object."

       OBJECT cgaLocalExtensionFields
       MIN-ACCESS read-only
       DESCRIPTION
              "An agent is not required to provide write or create
              access to this object."

       OBJECT cgaLocalProtocolsUsingCga
       SYNTAX BITS { unknown(0) }
       DESCRIPTION
              "An agent is not required to update the protocols
              currently using the CGA.  In this case, the unknown(0)
              value is shown."

       OBJECT cgaLocalAdminStatus
       MIN-ACCESS read-only
       DESCRIPTION
              "An agent is not required to provide write or create
              access to this object."

       OBJECT cgaLocalRowStatus
       SYNTAX RowStatus { active(1) }
       MIN-ACCESS read-only
       DESCRIPTION
              "An agent is not required to provide write or create
              access to this object.  In this case, the only value
              permitted is active(1)."

       OBJECT cgaLocalStorageType
       MIN-ACCESS read-only
       DESCRIPTION
              "An agent is not required to provide write or create
              access to this object.  If an agent allows this object to
              be written or created, it is not required to allow this
              object to be set to readOnly, permanent, or nonVolatile."

       OBJECT cgaRemoteProtocolsUsingCga
       SYNTAX BITS { unknown(0) }
       DESCRIPTION
              "An agent is not required to update the protocols
              currently using the CGA.  In this case, the unknown(0)
              value is shown."

       ::= { cgaMIBCompliances 1 }



   -- group definitions

   cgaLocalGroup OBJECT-GROUP
       OBJECTS {
           cgaLocalSpinLock, cgaLocalModifier, cgaLocalCollisionCount,
           cgaLocalPublicKey, cgaLocalExtensionFields,
           cgaLocalProtocolsUsingCga, cgaLocalAdminStatus,
           cgaLocalOperStatus, cgaLocalRowStatus, cgaLocalStorageType }
       STATUS current
       DESCRIPTION
              "The group of the elements representing the components of
              the CGA Parameters data structure for the local node."
       ::= { cgaMIBGroups 1 }

   cgaRemoteGroup OBJECT-GROUP
       OBJECTS {
           cgaRemoteModifier, cgaRemoteCollisionCount,
           cgaRemotePublicKey, cgaRemoteExtensionFields,
           cgaRemoteProtocolsUsingCga, cgaRemoteOrigin, cgaRemoteCreated
           }
       STATUS current
       DESCRIPTION
              "The group of the elements representing the components of
              the CGA Parameters data structure for remote nodes."
       ::= { cgaMIBGroups 2 }

   END


4.  Security Considerations

   Some of the management objects of this MIB module have been defined
   with either a MAX-ACCESS clause of read-create (for the columnar
   objects belonging to the cgaLocalTable) or read-write (for the
   spinlock object to control access to that table).  Such access
   capability may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.

   The objects of the cgaLocalTable specify the CGA addresses configured
   in this node.  An attacker could delete or disable the entry
   associated with a CGA to prevent the node from benefiting from the
   authentication and certification facilities provided by the
   combination of CGA addresses and protocols such as SeND (RFC3972)
   or SHIM6.

   The addition by an attacker of a row containing consistent
   information about a CGA could allow the node to impersonate the
   identity of another node.

   Regarding the risks of providing GET access to the tables defined in
   this MIB, we should note that the information contained in the
   cgaLocalTable is used to prove the identity of this node to other
   nodes communicating with it.  Disclosing this information gives an
   attacker little advantage when trying to impersonate the identity of
   the node (unless factoring attacks become practical and the private
   key can be derived from the public one, in which case the CGA should
   be changed).  The other risks are essentially the same as those
   arising from knowledge of a set of non-CGA addresses, i.e., being
   able to correlate traffic from different addresses.  Analogous
   considerations apply to the cgaRemoteTable.
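   The two paragraphs above rely on the fact that a CGA is bound to the
   public key through the fields stored in cgaLocalTable (modifier,
   collision count, public key, extension fields).  The following Python
   is an added example, not part of this draft: it implements the RFC
   3972 generation and verification steps over exactly those fields, so
   that a row with a tampered modifier, collision count or public key
   fails verification, while the private key (which is not a managed
   object) is never needed to check an address.  The prefix, the
   placeholder key blob (standing in for a DER-encoded key) and the
   fixed starting modifier are constructed values; duplicate address
   detection is omitted.

```python
import hashlib
import os

# Field sizes from RFC 3972 (CGA Parameters data structure).
MODIFIER_LEN, PREFIX_LEN = 16, 8
HASH1_LEN, HASH2_LEN = 8, 14   # leftmost 64 and 112 bits of SHA-1

def cga_parameters(modifier, prefix, collision_count, pubkey, ext=b""):
    """Serialise modifier, subnet prefix, collision count, public key and
    extension fields in RFC 3972 order (the columns of cgaLocalTable)."""
    return modifier + prefix + bytes([collision_count]) + pubkey + ext

def hash2_ok(modifier, pubkey, ext, sec):
    """Hash2 = SHA-1(modifier || 9 zero bytes || pubkey || ext), leftmost
    112 bits; its leftmost 16*sec bits must all be zero."""
    h2 = hashlib.sha1(modifier + bytes(9) + pubkey + ext).digest()[:HASH2_LEN]
    return int.from_bytes(h2, "big") >> (HASH2_LEN * 8 - 16 * sec) == 0

def generate_cga(prefix, pubkey, sec, collision_count=0, ext=b"", modifier=None):
    """RFC 3972 Section 4 generation; returns (address, modifier).  Duplicate
    address detection, which would bump collision_count, is omitted."""
    modifier = modifier or os.urandom(MODIFIER_LEN)   # step 1: random modifier
    while not hash2_ok(modifier, pubkey, ext, sec):   # step 2: search Hash2
        nxt = (int.from_bytes(modifier, "big") + 1) % (1 << 128)
        modifier = nxt.to_bytes(MODIFIER_LEN, "big")
    params = cga_parameters(modifier, prefix, collision_count, pubkey, ext)
    iid = bytearray(hashlib.sha1(params).digest()[:HASH1_LEN])  # step 4: Hash1
    iid[0] = (iid[0] & 0x1C) | (sec << 5)   # step 5: set sec, clear u and g bits
    return prefix + bytes(iid), modifier

def verify_cga(address, modifier, collision_count, pubkey, ext=b""):
    """RFC 3972 Section 5 verification of an address against its parameters."""
    if collision_count > 2:                            # step 1
        return False
    prefix, iid = address[:PREFIX_LEN], address[PREFIX_LEN:]
    params = cga_parameters(modifier, prefix, collision_count, pubkey, ext)
    h1 = hashlib.sha1(params).digest()[:HASH1_LEN]     # step 3: Hash1
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False                                   # sec, u and g bits ignored
    sec = iid[0] >> 5                                  # step 4: read sec
    return hash2_ok(modifier, pubkey, ext, sec)        # step 5: Hash2 check

if __name__ == "__main__":
    # Constructed input: documentation prefix and a placeholder key blob (not DER).
    prefix = bytes.fromhex("20010db800000000")
    pubkey = b"placeholder-public-key-not-real-DER"
    addr, mod = generate_cga(prefix, pubkey, sec=1, modifier=bytes(MODIFIER_LEN))
    print(addr.hex(), verify_cga(addr, mod, 0, pubkey))
```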

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.


5.  IANA Considerations

   The MIB module in this document uses the following IANA-assigned
   OBJECT IDENTIFIER values recorded in the SMI Numbers registry:


         Descriptor        OBJECT IDENTIFIER value
         ----------        -----------------------

         send-MIB          { mib-2 XXX }


   Editor's Note (to be removed prior to publication): the IANA is
   requested to assign a value for "XXX" under the 'mib-2' subtree and
   to record the assignment in the SMI Numbers registry.  When the
   assignment has been made, the RFC Editor is asked to replace "XXX"
   (here and in the MIB module) with the assigned value and to remove
   this note.


6.  References

6.1.  Normative References

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3279]  Bassham, L., Polk, W., and R. Housley, "Algorithms and
              Identifiers for the Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 3279, April 2002.

   [RFC3280]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
              X.509 Public Key Infrastructure Certificate and
              Certificate Revocation List (CRL) Profile", RFC 3280,
              April 2002.

   [RFC3972]  Aura, T., "Cryptographically Generated Addresses (CGA)",
              RFC 3972, March 2005.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

   [RFC4293]  Routhier, S., "Management Information Base for the
              Internet Protocol (IP)", RFC 4293, April 2006.

   [CCITT.X690.2002]
              International Telephone and Telegraph Consultative
              Committee, "ASN.1 encoding rules: Specification of Basic
              Encoding Rules (BER), Canonical Encoding Rules (CER) and
              Distinguished Encoding Rules (DER)", CCITT Recommendation
              X.690, July 2002.

6.2.  Informative References

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC3971]  Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
              Neighbor Discovery (SEND)", RFC 3971, March 2005.


Author's Address

   Alberto Garcia-Martinez
   Universidad Carlos III de Madrid
   Av. Universidad 30
   Leganes, Madrid  28911
   SPAIN

   Phone: 34 91 6249500
   Email: alberto@it.uc3m.es
   URI:   http://www.it.uc3m.es

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.
