Internet Draft
The Definitions of Managed Objects for
the Security Protocols of
the Point-to-Point Protocol
27 July 1992
Frank Kastenholz
FTP Software, Inc
26 Princess Street
Wakefield, Mass 01880 USA
kasten@ftp.com
Status of this Memo
This document is an Internet Draft. Internet Drafts are
working documents of the Internet Engineering Task Force
(IETF), its Areas, and its Working Groups. Note that other
groups may also distribute working documents as Internet
Drafts.
Internet Drafts are draft documents valid for a maximum of six
months. Internet Drafts may be updated, replaced, or
obsoleted by other documents at any time. It is not
appropriate to use Internet Drafts as reference material or to
cite them other than as a ``working draft'' or ``work in
progress.'' Please check the 1id-abstracts.txt listing
contained in the internet-drafts Shadow Directories on
nic.ddn.mil, nnsc.nsf.net, nic.nordu.net, ftp.nisc.sri.com, or
munnari.oz.au to learn the current status of any Internet
Draft.
Internet Draft PPP/Security MIB July 1992
This document will be submitted to the Internet Activities
Board as a Draft Standard. This document defines an
experimental extension to the SNMP MIB. Upon publication as a
Draft Standard, a new MIB number will be assigned. This is a
working document only, it should neither be cited nor quoted
in any formal document.
This document will expire before 1 Feb. 1993.
Distribution of this document is unlimited.
Please send comments to the author.
1. Abstract
This memo defines an experimental portion of the Management
Information Base (MIB) for use with network management
protocols in TCP/IP-based internets. In particular, it
describes managed objects used for managing the Security
Protocols on subnetwork interfaces using the family of
Point-to-Point Protocols[8, 9, 10, 11, & 12].
This memo does not specify a standard for the Internet
community.
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 2]
Internet Draft PPP/Security MIB July 1992
2. The Network Management Framework
The Internet-standard Network Management Framework consists of
three components. They are:
RFC 1155 which defines the SMI, the mechanisms used for
describing and naming objects for the purpose of
management. RFC 1212 defines a more concise description
mechanism, which is wholly consistent with the SMI.
RFC 1156 which defines MIB-I, the core set of managed
objects for the Internet suite of protocols. RFC 1213,
defines MIB-II, an evolution of MIB-I based on
implementation experience and new operational
requirements.
RFC 1157 which defines the SNMP, the protocol used for
network access to managed objects.
The Framework permits new objects to be defined for the
purpose of experimentation and evaluation.
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 3]
Internet Draft PPP/Security MIB July 1992
3. Objects
Managed objects are accessed via a virtual information store,
termed the Management Information Base or MIB. Objects in the
MIB are defined using the subset of Abstract Syntax Notation
One (ASN.1) [3] defined in the SMI. In particular, each
object has a name, a syntax, and an encoding. The name is an
object identifier, an administratively assigned name, which
specifies an object type. The object type together with an
object instance serves to uniquely identify a specific
instantiation of the object. For human convenience, we often
use a textual string, termed the OBJECT DESCRIPTOR, to also
refer to the object type.
The syntax of an object type defines the abstract data
structure corresponding to that object type. The ASN.1
language is used for this purpose. However, the SMI [1]
purposely restricts the ASN.1 constructs which may be used.
These restrictions are explicitly made for simplicity.
The encoding of an object type is simply how that object type
is represented using the object type's syntax. Implicitly
tied to the notion of an object type's syntax and encoding is
how the object type is represented when being transmitted on
the network.
The SMI specifies the use of the basic encoding rules of ASN.1
[4], subject to the additional requirements imposed by the
SNMP.
3.1. Format of Definitions
Section 5 contains the specification of all object types
contained in this MIB module. The object types are defined
using the conventions defined in the SMI, as amended by the
extensions specified in [5,6].
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 4]
Internet Draft PPP/Security MIB July 1992
4. Overview
4.1. Object Selection Criteria
To be consistent with IAB directives and good engineering
practice, an explicit attempt was made to keep this MIB as
simple as possible. This was accomplished by applying the
following criteria to objects proposed for inclusion:
(1) Require objects be essential for either fault or
configuration management. In particular, objects for
which the sole purpose was to debug implementations were
explicitly excluded from the MIB.
(2) Consider evidence of current use and/or utility.
(3) Limit the total number of objects.
(4) Exclude objects which are simply derivable from others in
this or other MIBs.
4.2. Structure of the PPP
This section describes the basic model of PPP used in
developing the PPP MIB. This information should be useful to
the implementor in understanding some of the basic design
decisions of the MIB.
The PPP is not one single protocol but a large family of
protocols. Each of these is, in itself, a fairly complex
protocol. The PPP protocols may be divided into three rough
categories:
Control Protocols
The Control Protocols are used to control the operation
of the PPP. The Control Protocols include the Link
Control Protocol (LCP), the Password Authentication
Protocol (PAP), the Link Quality Report (LQR), and the
Challenge Handshake Authentication Protocol (CHAP).
Network Protocols
The Network Protocols are used to move the network
traffic over the PPP interface. A Network Protocol
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 5]
Internet Draft PPP/Security MIB July 1992
encapsulates the datagrams of a specific higher-layer
protocol that is using the PPP as a data link. Note that
within the context of PPP, the term "Network Protocol"
does not imply an OSI Layer-3 protocol; for instance,
there is a Bridging network protocol.
Network Control Protocols (NCPs)
The NCPs are used to control the operation of the Network
Protocols. Generally, each Network Protocol has its own
Network Control Protocol; thus, the IP Network Protocol
has its IP Control Protocol, the Bridging Network
Protocol has its Bridging Network Control Protocol and so
on.
This document specifies the objects used in managing one of
these protocols, namely the Link Control Protocol.
4.3. MIB Groups
Objects in this MIB are arranged into several MIB groups.
Each group is organized as a set of related objects.
These groups are the basic unit of conformance: if the
semantics of a group is applicable to an implementation then
all objects in the group must be implemented.
The PPP MIB is organized into several MIB Groups, including,
but not limited to, the following groups:
o The PPP Link Group
o The PPP LQR Group
o The PPP LQR Extensions Group
o The PPP IP Group
o The PPP Bridge Group
o The PPP Security Configuration Group
o The PPP CHAP Group
o The PPP PAP Group
This document specifies the following group:
PPP Security Configuration Group
The PPP Security Configuration Group contains overall
configuration and control variables that apply to PPP
security.
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 6]
Internet Draft PPP/Security MIB July 1992
Implementation of this group is optional for all
implementations of PPP that support any of the PPP
security protocols (currently only PAP and CHAP).
The PPP CHAP Group
The PPP CHAP Group contains configuration, status, and
control variables that apply to the PPP Challange
Handshake Authentication Protocol.
Implementation of this group is optional for all
implementations of PPP that support the PPP CHAP.
The PPP PAP Group
The PPP PAP Group contains configuration, status, and
control variables that apply to the PPP Password
Authentication Protocol.
Implementation of this group is optional for all
implementations of PPP that support the PPP PAP.
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 7]
Internet Draft PPP/Security MIB July 1992
5. Definitions
RFCpppsec-MIB DEFINITIONS ::= BEGIN
IMPORTS
experimental, Counter
FROM RFC1155-SMI
OBJECT-TYPE
FROM RFC-1212
pppSecurity
FROM RFC-ppp
TRAP-TYPE
FROM RFC-1215;
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 8]
Internet Draft PPP/Security MIB July 1992
5.1.
PPP Security Configuration Group
--
-- The PPP Security Configuration Group
-- Implementation of this group is optional for all
-- PPP implementations that support a PPP security
-- protocol.
--
-- The table in this group allows the network manager
-- to configure which security protocols are to be
-- used on which link and in what order of preference
-- each protocol is to be tried.
--
pppSecurityConfigTable OBJECT-TYPE
SYNTAX SEQUENCE OF PppSecurityConfigEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"Table containing the configuration and
preference parameters for PPP Security."
::= { pppSecurity 1 }
pppSecurityConfigEntry OBJECT-TYPE
SYNTAX PppSecurityConfigEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"Security configuration information for a
particular PPP link."
INDEX { pppSecurityConfigLink,
pppSecurityConfigPreference }
::= { pppSecurityConfigTable 1 }
PppSecurityConfigEntry ::= SEQUENCE {
pppSecurityConfigLink
INTEGER,
pppSecurityConfigPreference
INTEGER,
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 9]
Internet Draft PPP/Security MIB July 1992
pppSecurityConfigProtocol
INTEGER
}
pppSecurityConfigLink OBJECT-TYPE
SYNTAX INTEGER(0..2147483648)
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The value of ifIndex that identifies the entry
in the interface table that is associated with
the local PPP entity's link for which this
particular security algorithm shall be
attempted. A value of 0 indicates the default
algorithm - i.e., this entry applies to all
links for which explicit entries in the table
do not exist."
::= { pppSecurityConfigEntry 1 }
pppSecurityConfigPreference OBJECT-TYPE
SYNTAX INTEGER(0..2147483648)
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The relative preference of the security
protocol identified by
pppSecurityConfigProtocol. Security protocols
with lower values of
pppSecurityConfigPreference are tried before
protocols with higher values of
pppSecurityConfigPreference."
::= { pppSecurityConfigEntry 2 }
pppSecurityConfigProtocol OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
ACCESS read-write
STATUS mandatory
DESCRIPTION
"Identifies the security protocol to be
attempted on the link identified by
pppSecurityConfigLink at the preference level
identified by pppSecurityConfigPreference.
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 10]
Internet Draft PPP/Security MIB July 1992
Setting this object to the OBJECT IDENTIFIER {
0 0 }, which is a syntatically valid object
identifier, has the effect of invalidating the
corresponding entry in this table. It is an
implementation-specific matter as to whether
the agent removes an invalidated entry from the
table. Accordingly, management stations must be
prepared to receive tabular information from
agents that corresponds to entries not
currently in use."
::= { pppSecurityConfigEntry 3 }
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 11]
Internet Draft PPP/Security MIB July 1992
5.2. PPP CHAP Group
--
-- The PPP CHAP Group.
-- Implementation of this group is optional for all
-- PPP implementations that support the CHAP protocol.
--
-- pppSecurityConfigProtocol takes the OBJECT IDENTIFIER
-- pppChap to indicate that the Challenge Handshake
-- Authentication Protocol is to be used.
--
pppChap OBJECT IDENTIFIER ::= { pppSecurity 2 }
pppChapTable OBJECT-TYPE
SYNTAX SEQUENCE OF PppChapEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"Table containing the Chap parameters local PPP
entity's links."
::= { pppChap 1 }
pppChapEntry OBJECT-TYPE
SYNTAX PppChapEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"CHAP information for a particular PPP link and
preference level."
INDEX { pppChapLink, pppChapPreference }
::= { pppChapTable 1 }
PppChapEntry ::= SEQUENCE {
pppChapLink
INTEGER,
pppChapPreference
INTEGER,
pppChapDigestType
INTEGER
}
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 12]
Internet Draft PPP/Security MIB July 1992
pppChapLink OBJECT-TYPE
SYNTAX INTEGER(0..2147483648)
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The value of pppSecurityConfigLink that
identifies the entry in the pppSecurityConfig
table to which this entry in the pppChapTable
applies."
::= { pppChapEntry 1 }
pppChapPreference OBJECT-TYPE
SYNTAX INTEGER(0..2147483648)
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The value of pppSecurityConfigPreference that
identifies the entry in the pppSecurityConfig
table to which this entry in the pppChapTable
applies."
::= { pppChapEntry 2 }
pppChapDigestType OBJECT-TYPE
SYNTAX INTEGER {
invalid(1),
md5-chap-digest(2)
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The CHAP Digest format to use in attempting
the CHAP authentication as defined by the
corresponding entry in the pppSecurityConfig
table. Setting this object to the value
invalid(1) has the effect of invalidating the
corresponding entry in the pppChapTable. It is
an implementation-specific matter as to whether
the agent removes an invalidated entry from the
table. Accordingly, management stations must
be prepared to receive tabular information from
agents that corresponds to entries not
currently in use. Proper interpretation of
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 13]
Internet Draft PPP/Security MIB July 1992
such entries requires examination of the
relevant pppChapDigestType object."
REFERENCE
"Section 4.1, Configuration Option Format, of
RFC-PPPSEC"
DEFVAL { md5-chap-digest }
::= { pppChapEntry 3 }
pppChapSecretsTable OBJECT-TYPE
SYNTAX SEQUENCE OF PppChapSecretsEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"Table containing the secret CHAP parameters
for the local PPP entity. As this table
contains secret information, it is expected
that access to this table be limited to those
SNMP Party-Pairs for which a privacy protocol
is in use for all SNMP messages that the
parties exchange. This table contains a Name
and its associated Digest secret. The
parameters in this table are used by the local
entity when generating CHAP Response packets.
The table allows for multiple name/secret pairs
to be specified for a particular link by using
the pppChapSecretIdIndex object. These
parameters are used by a node when it attempts
to authenticate itself."
::= { pppChap 2 }
pppChapSecretsEntry OBJECT-TYPE
SYNTAX PppChapSecretsEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"Secret CHAP information to generate a single
response."
INDEX { pppChapSecretsLinkIndex,
pppChapSecretsIdIndex }
::= { pppChapSecretsTable 1 }
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 14]
Internet Draft PPP/Security MIB July 1992
PppChapSecretsEntry ::= SEQUENCE {
pppChapSecretsLinkIndex
INTEGER,
pppChapSecretsIdIndex
INTEGER,
pppChapSecretsName
OCTET STRING,
pppChapSecretsSecret
OCTET STRING,
pppChapSecretsStatus
INTEGER
}
pppChapSecretsLinkIndex OBJECT-TYPE
SYNTAX INTEGER(0..2147483648)
ACCESS read-only
STATUS mandatory
DESCRIPTION
"The value of ifIndex that identifies the entry
in the interface table that is associated with
the local PPP CHAP Entity. If the value of this
object is 0 then the name/secret pair applies
to all links."
::= { pppChapSecretsEntry 1 }
pppChapSecretsIdIndex OBJECT-TYPE
SYNTAX INTEGER(0..2147483648)
ACCESS read-only
STATUS mandatory
DESCRIPTION
"A unique value for each Name/Secret pair that
has been defined for use on this link. This
allows multiple Name/Secret pairs to be defined
for each link. How the local entity selects
which pair to use is a local implementation
decision."
::= { pppChapSecretsEntry 2 }
pppChapSecretsName OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..255))
ACCESS read-write
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 15]
Internet Draft PPP/Security MIB July 1992
STATUS mandatory
DESCRIPTION
"A name."
::= { pppChapSecretsEntry 3 }
pppChapSecretsSecret OBJECT-TYPE
SYNTAX OCTET STRING -- (SIZE(16)) when MD5
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The digest secret to be associated with the
name."
::= { pppChapSecretsEntry 4 }
pppChapSecretsStatus OBJECT-TYPE
SYNTAX INTEGER {
invalid(1),
valid(2)
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"Setting this object to the value invalid(1)
has the effect of invalidating the
corresponding entry in the pppChapSecretsTable.
It is an implementation-specific matter as to
whether the agent removes an invalidated entry
from the table. Accordingly, management
stations must be prepared to receive tabular
information from agents that corresponds to
entries not currently in use. Proper
interpretation of such entries requires
examination of the relevant
pppChapSecretsStatus object."
DEFVAL { valid }
::= { pppChapSecretsEntry 5 }
pppChapPeerSecretsTable OBJECT-TYPE
SYNTAX SEQUENCE OF PppChapPeerSecretsEntry
ACCESS not-accessible
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 16]
Internet Draft PPP/Security MIB July 1992
STATUS mandatory
DESCRIPTION
"Table containing the secret PAP parameters
that are expected of remotes that may attempt
to authenticate themselves to the local PPP
entity. Received CHAP Responses are expected to
match one of the entries in this table. As this
table contains secret information, it is
expected that access to this table be limited
to those SNMP Party-Pairs for which a privacy
protocol is in use for all SNMP messages that
the parties exchange."
::= { pppChap 3 }
pppChapPeerSecretsEntry OBJECT-TYPE
SYNTAX PppChapPeerSecretsEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"Secret remote CHAP information for a
particular Peer Name/Secret and link."
INDEX { pppChapPeerSecretsLink,
pppChapPeerSecretsIndex }
::= { pppChapPeerSecretsTable 1 }
PppChapPeerSecretsEntry ::= SEQUENCE {
pppChapPeerSecretsLink
INTEGER,
pppChapPeerSecretsIndex
INTEGER,
pppChapPeerSecretsName
OCTET STRING,
pppChapPeerSecretsSecret
OCTET STRING,
pppChapPeerSecretsStatus
INTEGER
}
pppChapPeerSecretsLink OBJECT-TYPE
SYNTAX INTEGER(0..2147483648)
ACCESS read-write
STATUS mandatory
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 17]
Internet Draft PPP/Security MIB July 1992
DESCRIPTION
"The value of ifIndex that identifies the entry
in the interface table that is associated with
the local PPP Link for which this Name/Secret
pair will be evaluated as valid. A particular
Name/Secret pair is valid only for the link(s)
for which there is a pppChapPeerSecretsTable
entry containing said Name/Secret pair. By
convention, a value of 0 for this object
indicates all links on the local PPP entity."
::= { pppChapPeerSecretsEntry 1 }
pppChapPeerSecretsIndex OBJECT-TYPE
SYNTAX INTEGER(0..2147483648)
ACCESS read-write
STATUS mandatory
DESCRIPTION
"A unique value for each Name/Secret pair that
has been defined for use on this link. This
allows multiple Name/Secret pairs to be defined
for each link."
::= { pppChapPeerSecretsEntry 2 }
pppChapPeerSecretsName OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..255))
ACCESS read-write
STATUS mandatory
DESCRIPTION
"A Peer-Name which may attempt to connect over
the link identified by pppChapPeerSecretsLink."
::= { pppChapPeerSecretsEntry 3 }
pppChapPeerSecretsSecret OBJECT-TYPE
SYNTAX OCTET STRING -- (SIZE(16)) when using MD5
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The Secret associated with the Peer-Name
identified in pppChapPeerSecretsName."
::= { pppChapPeerSecretsEntry 4 }
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 18]
Internet Draft PPP/Security MIB July 1992
pppChapPeerSecretsStatus OBJECT-TYPE
SYNTAX INTEGER {
invalid(1),
valid(2)
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"Setting this object to the value invalid(1)
has the effect of invalidating the
corresponding entry in the
pppChapPeerSecretsTable. It is an
implementation-specific matter as to whether
the agent removes an invalidated entry from the
table. Accordingly, management stations must
be prepared to receive tabular information from
agents that corresponds to entries not
currently in use. Proper interpretation of
such entries requires examination of the
relevant pppChapPeerSecretsStatus object."
DEFVAL { valid }
::= { pppChapPeerSecretsEntry 5 }
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 19]
Internet Draft PPP/Security MIB July 1992
5.3. PPP PAP Group
--
-- The PPP PAP Group.
-- Implementation of this group is optional for all
-- PPP implementations that support the PAP protocol.
--
-- pppSecurityConfigProtocol takes the OBJECT IDENTIFIER
-- pppPap to indicate that the Password
-- Authentication Protocol is to be used.
--
--
pppPap OBJECT IDENTIFIER ::= { pppSecurity 3 }
pppPapSecretsTable OBJECT-TYPE
SYNTAX SEQUENCE OF PppPapSecretsEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"Table containing the secret PAP parameters for
the local PPP entity. As this table contains
secret information, it is expected that access
to this table be limited to those SNMP Party-
Pairs for which a privacy protocol is in use
for all SNMP messages that the parties
exchange. This table contains the Peer-ID and
Password that this PPP entity will advertise to
the remote entity when sending PAP Authenticate
Request packets. The table allows for multiple
id/password pairs to be specified for a
particular link by using the
pppPapSecretIdIndex object."
::= { pppPap 1 }
pppPapSecretsEntry OBJECT-TYPE
SYNTAX PppPapSecretsEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"Secret PAP information."
INDEX { pppPapSecretsIndex, pppPapSecretsIdIndex }
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 20]
Internet Draft PPP/Security MIB July 1992
::= { pppPapSecretsTable 1 }
PppPapSecretsEntry ::= SEQUENCE {
pppPapSecretsIndex
INTEGER,
pppPapSecretsIdIndex
INTEGER,
pppPapSecretsId
OCTET STRING,
pppPapSecretsPassword
OCTET STRING,
pppPapSecretsStatus
INTEGER
}
pppPapSecretsIndex OBJECT-TYPE
SYNTAX INTEGER(0..2147483648)
ACCESS read-only
STATUS mandatory
DESCRIPTION
"The value of ifIndex that identifies the entry
in the interface table that is associated with
the local PPP Password Authentication Protocol
Entity. If the value of this object is 0 then
the ID/Password pair applies to all links."
::= { pppPapSecretsEntry 1 }
pppPapSecretsIdIndex OBJECT-TYPE
SYNTAX INTEGER(0..2147483648)
ACCESS read-only
STATUS mandatory
DESCRIPTION
"A unique value for each ID/Password pair that
has been defined for use on this link. This
allows multiple ID/Password pairs to be defined
for each link. How the local entity selects
which pair to use is a local implementation
decision."
::= { pppPapSecretsEntry 2 }
pppPapSecretsId OBJECT-TYPE
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 21]
Internet Draft PPP/Security MIB July 1992
SYNTAX OCTET STRING (SIZE(0..255))
ACCESS read-write
STATUS mandatory
DESCRIPTION
"A Peer ID."
::= { pppPapSecretsEntry 3 }
pppPapSecretsPassword OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..255))
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The password to be associated with the Peer
ID."
::= { pppPapSecretsEntry 4 }
pppPapSecretsStatus OBJECT-TYPE
SYNTAX INTEGER {
invalid(1),
valid(2)
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"Setting this object to the value invalid(1)
has the effect of invalidating the
corresponding entry in the pppPapSecretsTable.
It is an implementation-specific matter as to
whether the agent removes an invalidated entry
from the table. Accordingly, management
stations must be prepared to receive tabular
information from agents that corresponds to
entries not currently in use. Proper
interpretation of such entries requires
examination of the relevant pppPapSecretsStatus
object."
DEFVAL { valid }
::= { pppPapSecretsEntry 5 }
pppPapPeerSecretsTable OBJECT-TYPE
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 22]
Internet Draft PPP/Security MIB July 1992
SYNTAX SEQUENCE OF PppPapPeerSecretsEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"Table containing the secret PAP parameters
that are expected of remotes that may attempt
to authenticate themselves to the local PPP
entity. As this table contains secret
information, it is expected that access to this
table be limited to those SNMP Party-Pairs for
which a privacy protocol is in use for all SNMP
messages that the parties exchange."
::= { pppPap 3 }
pppPapPeerSecretsEntry OBJECT-TYPE
SYNTAX PppPapPeerSecretsEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"Secret remote PAP information for a particular
remote ID/password and link."
INDEX { pppPapPeerSecretsLink, pppPapPeerSecretsIndex
}
::= { pppPapPeerSecretsTable 1 }
PppPapPeerSecretsEntry ::= SEQUENCE {
pppPapPeerSecretsLink
INTEGER,
pppPapPeerSecretsIndex
INTEGER,
pppPapPeerSecretsId
OCTET STRING,
pppPapPeerSecretsPassword
OCTET STRING,
pppPapPeerSecretsStatus
INTEGER
}
pppPapPeerSecretsLink OBJECT-TYPE
SYNTAX INTEGER(0..2147483648)
ACCESS read-write
STATUS mandatory
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 23]
Internet Draft PPP/Security MIB July 1992
DESCRIPTION
"The value of ifIndex that identifies the entry
in the interface table that is associated with
the local PPP Link for which this ID/Password
pair will be evaluated as valid. A particular
ID/Password pair is valid only for the link(s)
for which there is a pppPapPeerSecretsTable
entry containing said ID/Password pair. By
convention, a value of 0 for this object
indicates all links on the local PPP entity."
::= { pppPapPeerSecretsEntry 1 }
pppPapPeerSecretsIndex OBJECT-TYPE
SYNTAX INTEGER(0..2147483648)
ACCESS read-write
STATUS mandatory
DESCRIPTION
"A unique value for each ID/Password pair that
has been defined for use on this link. This
allows multiple ID/Password pairs to be defined
for each link."
::= { pppPapPeerSecretsEntry 2 }
pppPapPeerSecretsId OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..255))
ACCESS read-write
STATUS mandatory
DESCRIPTION
"A Peer-ID which may attempt to connect over
the link identified by pppPapPeerSecretsLink."
::= { pppPapPeerSecretsEntry 3 }
pppPapPeerSecretsPassword OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..255))
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The Password associated with the Peer-ID
identified in pppPapPeerSecretsId."
::= { pppPapPeerSecretsEntry 4 }
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 24]
Internet Draft PPP/Security MIB July 1992
pppPapPeerSecretsStatus OBJECT-TYPE
SYNTAX INTEGER {
invalid(1),
valid(2)
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"Setting this object to the value invalid(1)
has the effect of invalidating the
corresponding entry in the
pppPapPeerSecretsTable. It is an
implementation-specific matter as to whether
the agent removes an invalidated entry from the
table. Accordingly, management stations must
be prepared to receive tabular information from
agents that corresponds to entries not
currently in use. Proper interpretation of
such entries requires examination of the
relevant pppPapPeerSecretsStatus object."
DEFVAL { valid }
::= { pppPapPeerSecretsEntry 5 }
END
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 25]
Internet Draft PPP/Security MIB July 1992
6. Acknowledgements
This document was produced by the PPP working group. In
addition to the working group, the author wishes to thank the
following individuals for their comments and contributions:
Bill Simpson -- Daydreamer
Glenn McGregor -- Merit
Jesse Walker -- DEC
Chris Gunner -- DEC
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 26]
Internet Draft PPP/Security MIB July 1992
7. Security Considerations
The PPP MIB affords the network operator the ability to
configure and control the PPP links of a particular system,
including the PPP authentication protocols. This represents a
security risk.
These risks are addressed in the following manners:
(1) All variables which represent a significant security risk
are placed in separate, optional, MIB Groups. As the MIB
Group is the quantum of implementation within a MIB, the
implementor of the MIB may elect not to implement these
groups.
(2) The implementor may choose to implement the variables
which present a security risk so that they may not be
written, i.e., the variables are READ-ONLY. This method
still presents a security risk, and is not recommended,
in that the variables, specifically the PPP
Authentication Protocols' variables, may be easily read.
(3) Using the new SNMP administrative framework[13,14], the
operator can place the variables into MIB views which are
protected in that the parties which have access to those
MIB views use authentication and privacy protocols, or
the operator may elect to make these views not accessible
to any party. In order to facilitate this placement, all
security-related variables are placed in separate MIB
Tables. This eases the identification of the necessary
MIB View Subtree.
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 27]
Internet Draft PPP/Security MIB July 1992
8. References
[1] M.T. Rose and K. McCloghrie, Structure and Identification
of Management Information for TCP/IP-based internets,
Internet Working Group Request for Comments 1155.
Network Information Center, SRI International, Menlo
Park, California, (May, 1990).
[2] K. McCloghrie and M.T. Rose, Management Information Base
for Network Management of TCP/IP-based internets - MIB-2,
Internet Working Group Request for Comments 1213.
Network Information Center, SRI International, Menlo
Park, California, (March, 1991).
[3] Information processing systems - Open Systems
Interconnection - Specification of Abstract Syntax
Notation One (ASN.1), International Organization for
Standardization. International Standard 8824, (December,
1987).
[4] Information processing systems - Open Systems
Interconnection - Specification of Basic Encoding Rules
for Abstract Notation One (ASN.1), International
Organization for Standardization. International Standard
8825, (December, 1987).
[5] Rose, M., and K. McCloghrie, Editors, Concise MIB
Definitions, RFC 1212, Performance Systems International,
Hughes LAN Systems, March 1991.
[6] Rose, M., Editor, A Convention for Defining Traps for use
with the SNMP, RFC 1215, Performance Systems
International, March 1991.
[7] K. McCloghrie, Extensions to the Generic-Interface MIB,
RFC1229, Hughes LAN Systems, May 1991.
[8] W. Simpson, The Point-to-Point Protocol for the
Transmission of Multi-protocol Datagrams over Point-to-
Point Links, RFC 1331, May 1992.
[9] G. McGregor, The PPP Internet Protocol Control Protocol,
RFC 1332, Merit, May 1992.
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 28]
Internet Draft PPP/Security MIB July 1992
[10] F. Baker, Point-to-Point Protocol Extensions for
Bridging, RFC1220, ACC, April 1991.
[11] PPP Authentication Protocols, Work In Progress
[12] W. Simpson, PPP Link Quality Monitoring, RFC 1333, May
1992.
[13] New SNMP Administrative Model, Work In Progress.
[14] SNMP Security Protocols, Work In Progress.
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 29]
Internet Draft PPP/Security MIB July 1992
Table of Contents
Status of this Memo .................................... 1
1 Abstract .............................................. 2
2 The Network Management Framework ...................... 3
3 Objects ............................................... 4
3.1 Format of Definitions ............................... 4
4 Overview .............................................. 5
4.1 Object Selection Criteria ........................... 5
4.2 Structure of the PPP ................................ 5
4.3 MIB Groups .......................................... 6
5 Definitions ........................................... 8
5.1 PPP Security Configuration Group .................... 9
5.2 PPP CHAP Group ...................................... 12
5.3 PPP PAP Group ....................................... 20
6 Acknowledgements ...................................... 26
7 Security Considerations ............................... 27
8 References ............................................ 28
Frank J. Kastenholz Exp. 1 Feb. 1993 [Page 30]
