Draft                     Ident MIB                     Jul 92
          
          
                                    Ident MIB
          
                             Tue Jul 31 14:50:52 1992
          
          
                                Michael St. Johns
                            U.S. Department of Defense
                               stjohns@UMD5.UMD.EDU
          
          
                                 Marshall T. Rose
                           Dover Beach Consulting, Inc.
                              mrose@dbc.mtview.ca.us
          
          
          
          
          
          
          1.  Status of this Memo
          
          This document is an Internet Draft.  Internet Drafts are
          working documents of the Internet Engineering Task Force
          (IETF), its Areas, and its Working Groups.  Note that other
          groups may also distribute working documents as Internet
          Drafts.
          
          Internet Drafts are draft documents valid for a maximum of six
          months.  Internet Drafts may be updated, replaced, or
          obsoleted by other documents at any time.  It is not
          appropriate to use Internet Drafts as reference material or to
          cite them other than as a "working draft" or "work in
          progress".
          
          Please check the 1id-abstracts.txt listing contained in the
          internet-drafts Shadow Directories on nic.ddn.mil,
          nnsc.nsf.net, nic.nordu.net, ftp.nisc.sri.com, or
          munnari.oz.au to learn the current status of any Internet
          Draft.
          
          
          2.  Abstract
          
          This memo defines a MIB for use with identifying the users
          associated with TCP connections.  It provides functionality
          
          
          
          
          
          St. Johns, Rose    Expires January 31, 1993           [Page 1]


          Draft                     Ident MIB                     Jul 92
          
          
          approximately equivalent to that provided by the protocol
          defined in RFC 931[1].
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          St. Johns, Rose    Expires January 31, 1993           [Page 2]


          Draft                     Ident MIB                     Jul 92
          
          
          3.  The Network Management Framework
          
          The Internet-standard Network Management Framework consists of
          three components.  They are:
          
          RFC 1155[2] which defines the SMI, the mechanisms used for
          describing and naming objects for the purpose of management.
          RFC 1212[3] defines a more concise description mechanism,
          which is wholly consistent with the SMI.
          
          RFC 1213[4] which defines MIB-II, the core set of managed
          objects for the Internet suite of protocols.
          
          RFC 1157[5] which defines the SNMP, the protocol used for
          network access to managed objects.
          
          The Framework permits new objects to be defined for the
          purpose of experimentation and evaluation.
          
          Managed objects are accessed via a virtual information store,
          termed the Management Information Base or MIB.  Within a given
          MIB module, objects are defined using RFC 1212's OBJECT-TYPE
          macro.  At a minimum, each object has a name, a syntax, an
          access-level, and an implementation-status.
          
          The name is an object identifier, an administratively assigned
          name, which specifies an object type.  The object type
          together with an object instance serves to uniquely identify a
          specific instantiation of the object.  For human convenience,
          we often use a textual string, termed the object descriptor,
          to also refer to the object type.
          
          The syntax of an object type defines the abstract data
          structure corresponding to that object type.  The ASN.1[6]
          language is used for this purpose.  However, RFC 1155
          purposely restricts the ASN.1 constructs which may be used.
          These restrictions are explicitly made for simplicity.
          
          The access-level of an object type defines whether it makes
          "protocol sense" to read and/or write the value of an instance
          of the object type.  (This access-level is independent of any
          administrative authorization policy.)
          
          The implementation-status of an object type indicates whether
          the object is mandatory, optional, obsolete, or deprecated.
          
          
          
          
          
          St. Johns, Rose    Expires January 31, 1993           [Page 3]


          Draft                     Ident MIB                     Jul 92
          
          
          4.  Ident MIB
          
          The Ident MIB defines a uniform set of objects useful for
          identifying users associated with TCP connections.  End-
          systems which support TCP may, at their option, implement this
          MIB.  However, administrators should read Section 6 ("Security
          Considerations") before enabling these MIB objects.
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          St. Johns, Rose    Expires January 31, 1993           [Page 4]


          Draft                     Ident MIB                     Jul 92
          
          
          5.  Definitions
          
          RFC-ident-MIB DEFINITIONS ::= BEGIN
          
          IMPORTS
              experimental
                  FROM RFC-1155
              OBJECT-TYPE
                  FROM RFC-1212
              tcpConnLocalAddress, tcpConnLocalPort,
              tcpConnRemAddress, tcpConnRemPort
                      FROM RFC1213-MIB;
          
          
          ident   OBJECT IDENTIFIER ::= { experimental 33 }
          
          
          -- conformance groups
          
          identInfo       OBJECT IDENTIFIER ::= { ident 1 }
          
          
          -- textual conventions
          
          -- none
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          St. Johns, Rose    Expires January 31, 1993           [Page 5]


          Draft                     Ident MIB                     Jul 92
          
          
          -- the ident information system group
          --
          -- implementation of this group is mandatory
          
          identTable OBJECT-TYPE
                  SYNTAX  SEQUENCE OF IdentEntry
                  ACCESS  not-accessible
                  STATUS  mandatory
                  DESCRIPTION
                      "A table containing user information for TCP
                      connections.
          
                      Note that this table contains entries for all TCP
                      connections on a managed system.  The
                      corresponding instance of tcpConnState (defined in
                      MIB-II) indicates the state of a particular
                      connection."
                  ::= { identInfo 1 }
          
          identEntry OBJECT-TYPE
                  SYNTAX  IdentEntry
                  ACCESS  not-accessible
                  STATUS  mandatory
                  DESCRIPTION
                      "User information about a particular TCP
                      connection."
                  INDEX   { tcpConnLocalAddress, tcpConnLocalPort,
                            tcpConnRemAddress, tcpConnRemPort }
                  ::= { identTable 1 }
          
          IdentEntry ::=
              SEQUENCE {
                  identStatus     INTEGER,
                  identOpSys      OBJECT IDENTIFIER,
                  identCharset    OBJECT IDENTIFIER,
                  identUserid     OCTET STRING,
                  identMisc       OCTET STRING
              }
          
          identStatus OBJECT-TYPE
                  SYNTAX  INTEGER {
                              noError(1),
                              unknownError(2)
                          }
                  ACCESS  read-only
          
          
          
          
          
          St. Johns, Rose    Expires January 31, 1993           [Page 6]


          Draft                     Ident MIB                     Jul 92
          
          
                  STATUS  mandatory
                  DESCRIPTION
                      "Indicates whether user information for the
                      associated TCP connection can be determined.  A
                      value of `noError(1)' indicates that user
                      information is available.  A value of
                      `unknownError(2)' indicates that user information
                      is not available."
                  ::= { identEntry 1 }
          
          identOpSys OBJECT-TYPE
                  SYNTAX  OBJECT IDENTIFIER
                  ACCESS  read-only
                  STATUS  mandatory
                  DESCRIPTION
                      "Indicates the type of operating system in use.
                      In addition to identifying an operating system,
                      each assignment made for this purpose also
                      (implicitly) identifies the textual format and
                      maximum size of the corresponding identUserid and
                      identMisc objects.
          
                      The `identSystems' subtree may be used by the IANA
                      for assignments."
                  ::= { identEntry 2 }
          
          identCharset OBJECT-TYPE
                  SYNTAX  OBJECT IDENTIFIER
                  ACCESS  read-only
                  STATUS  mandatory
                  DESCRIPTION
                      "Indicates the repertoire of the corresponding
                      identUserid and identMisc objects.
          
                      The `identCharsets' subtree may be used by the
                      IANA for assignments."
                  ::= { identEntry 3 }
          
          identUserid OBJECT-TYPE
                  SYNTAX  OCTET STRING (SIZE (0..255))
                  ACCESS  read-only
                  STATUS  mandatory
                  DESCRIPTION
                      "Indicates the user's identity.  Interpretation of
                      this object requires examination of the
          
          
          
          
          
          St. Johns, Rose    Expires January 31, 1993           [Page 7]


          Draft                     Ident MIB                     Jul 92
          
          
                      corresponding value of the identOpSys and
                      identCharset objects."
                  ::= { identEntry 4 }
          
          identMisc OBJECT-TYPE
                  SYNTAX  OCTET STRING (SIZE (0..255))
                  ACCESS  read-only
                  STATUS  mandatory
                  DESCRIPTION
                      "Indicates miscellaneous information about the
                      user.  Interpretation of this object requires
                      examination of the corresponding value of the
                      identOpSys and identCharset objects."
                  ::= { identEntry 5 }
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          St. Johns, Rose    Expires January 31, 1993           [Page 8]


          Draft                     Ident MIB                     Jul 92
          
          
          -- operating system assignments, used for identOpSys
          
          identSystems    OBJECT IDENTIFIER ::= { ident 2 }
          
          -- when the Assigned Numbers "system name" is UNIX
          identSysUnix    OBJECT IDENTIFIER ::= { identSystems 1 }
          -- when identOpSys has the value identSysUnix:
          --
          --      identUserid corresponds to the UNIX username (pw_name)
          --          of length 1 to 8 octets
          --
          --      the syntax (and length) of identMisc is a local matter
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          St. Johns, Rose    Expires January 31, 1993           [Page 9]


          Draft                     Ident MIB                     Jul 92
          
          
          -- character set assignments, used for identCharset
          
          identCharsets   OBJECT IDENTIFIER ::= { ident 3 }
          
          -- the NVT ASCII repertoire
          charsetNvtAscii OBJECT IDENTIFIER ::= { identCharsets 1 }
          
          
          END
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          St. Johns, Rose    Expires January 31, 1993          [Page 10]


          Draft                     Ident MIB                     Jul 92
          
          
          6.  Security Considerations
          
          The information available through this MIB is at most as
          trustworthy as the host providing it OR the organization
          operating the host.  For example, a PC in an open lab has few
          if any controls on it to prevent a user from having an SNMP
          query return any identifier the user wants.  Likewise, if the
          host has been compromised the information returned may be
          completely erroneous and misleading.
          
          This portion of the MIB space should only be used to gain
          hints as to who "owns" a particular TCP connection --
          information returned should NOT be considered authoritative
          for at least the reasons described above.  At best, this MIB
          provides some additional auditing information with respect to
          TCP connections.  At worse it can provide misleading,
          incorrect or maliciously incorrect information.
          
          The use of the information contained in this MIB for other
          than auditing or normal network management functions is
          strongly discouraged.  Specifically, using information from
          this MIB space to make access control decisions - either as
          the primary method (i.e no other checks) or as an adjunct to
          other methods may result in a weakening of normal system
          security.
          
          This MIB provides access to information about users, entities,
          objects or processes which some systems might normally
          consider private. The information accessible through this MIB
          is a rough analog of the CallerID services provided by some
          phone companies and many of the same privacy consideration and
          arguments that apply to CallerID service apply to this MIB
          space.  If you wouldn't run a "finger" server[7] due to
          privacy considerations, you might not want to provide access
          to this MIB space on a general basis. Access to this portion
          of the MIB tree may be controlled under the normal methods
          available through SNMP agent implementations.
          
          
          
          
          
          
          
          
          
          
          
          
          
          St. Johns, Rose    Expires January 31, 1993          [Page 11]


          Draft                     Ident MIB                     Jul 92
          
          
          7.  References
          
          [1]  M. St. Johns, Authentication Server.  Request for
               Comments 931, (May, 1990).
          
          [2]  M.T. Rose and K. McCloghrie, Structure and Identification
               of Management Information for TCP/IP-based internets.
               Request for Comments 1155, (May, 1990).
          
          [3]  M.T. Rose and K. McCloghrie, Concise MIB Definitions.
               Request for Comments 1212, (March, 1991).
          
          [4]  K. McCloghrie and M.T. Rose, Management Information Base
               for Network Management of TCP/IP-based internets: MIB-II.
               Request for Comments 1213, (March, 1991).
          
          [5]  J.D. Case, M.S. Fedor, M.L. Schoffstall, and J.R. Davin,
               Simple Network Management Protocol.  Request for Comments
               1157, (May, 1990).
          
          [6]  Information processing systems - Open Systems
               Interconnection - Specification of Abstract Syntax
               Notation One (ASN.1), International Organization for
               Standardization.  International Standard 8824, (December,
               1987).
          
          [7]  D.P. Zimmerman, Finger User Information Protocol.
               Request for Comments 1288, (December, 1991).
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          St. Johns, Rose    Expires January 31, 1993          [Page 12]


          Draft                     Ident MIB                     Jul 92
          
          
          Table of Contents
          
          
          1 Status of this Memo ...................................    1
          2 Abstract ..............................................    1
          3 The Network Management Framework ......................    3
          4 Ident MIB .............................................    4
          5 Definitions ...........................................    5
          5.1 Conformance Groups ..................................    5
          5.2 Textual Conventions .................................    5
          5.3 The Ident information Group .........................    6
          5.4 Operating System Assignments ........................    9
          5.4.1 identSysUnix ......................................    9
          5.5 Character Set Assignments ...........................   10
          5.5.1 charsetNvtAscii ...................................   10
          6 Security Considerations ...............................   11
          7 References ............................................   12
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          
          St. Johns, Rose    Expires January 31, 1993          [Page 13]