📄 rfc1472.txt
字号:
expected that access to this table be limited
to those SNMP Party-Pairs for which a privacy
protocol is in use for all SNMP messages that
the parties exchange. This table contains both
the ID and secret pair(s) that the local PPP
entity will advertise to the remote entity and
the pair(s) that the local entity will expect
from the remote entity. This table allows for
multiple id/secret password pairs to be
specified for a particular link by using the
pppSecuritySecretsIdIndex object."
::= { pppSecurity 3 }
pppSecuritySecretsEntry OBJECT-TYPE
SYNTAX PppSecuritySecretsEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"Secret information."
INDEX { pppSecuritySecretsLink,
pppSecuritySecretsIdIndex }
::= { pppSecuritySecretsTable 1 }
Kastenholz [Page 7]
RFC 1472 PPP/Security MIB June 1993
PppSecuritySecretsEntry ::= SEQUENCE {
pppSecuritySecretsLink
INTEGER,
pppSecuritySecretsIdIndex
INTEGER,
pppSecuritySecretsDirection
INTEGER,
pppSecuritySecretsProtocol
OBJECT IDENTIFIER,
pppSecuritySecretsIdentity
OCTET STRING,
pppSecuritySecretsSecret
OCTET STRING,
pppSecuritySecretsStatus
INTEGER
}
pppSecuritySecretsLink OBJECT-TYPE
SYNTAX INTEGER(0..2147483647)
ACCESS read-only
STATUS mandatory
DESCRIPTION
"The link to which this ID/Secret pair applies.
By convention, if the value of this object is 0
then the ID/Secret pair applies to all links."
::= { pppSecuritySecretsEntry 1 }
pppSecuritySecretsIdIndex OBJECT-TYPE
SYNTAX INTEGER(0..2147483647)
ACCESS read-only
STATUS mandatory
DESCRIPTION
"A unique value for each ID/Secret pair that
has been defined for use on this link. This
allows multiple ID/Secret pairs to be defined
for each link. How the local entity selects
which pair to use is a local implementation
decision."
::= { pppSecuritySecretsEntry 2 }
pppSecuritySecretsDirection OBJECT-TYPE
SYNTAX INTEGER {
local-to-remote(1),
remote-to-local(2)
}
ACCESS read-write
Kastenholz [Page 8]
RFC 1472 PPP/Security MIB June 1993
STATUS mandatory
DESCRIPTION
"This object defines the direction in which a
particular ID/Secret pair is valid. If this
object is local-to-remote then the local PPP
entity will use the ID/Secret pair when
attempting to authenticate the local PPP entity
to the remote PPP entity. If this object is
remote-to-local then the local PPP entity will
expect the ID/Secret pair to be used by the
remote PPP entity when the remote PPP entity
attempts to authenticate itself to the local
PPP entity."
::= { pppSecuritySecretsEntry 3 }
pppSecuritySecretsProtocol OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The security protocol (e.g. CHAP or PAP) to
which this ID/Secret pair applies."
::= { pppSecuritySecretsEntry 4 }
pppSecuritySecretsIdentity OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..255))
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The Identity of the ID/Secret pair. The
actual format, semantics, and use of
pppSecuritySecretsIdentity depends on the
actual security protocol used. For example, if
pppSecuritySecretsProtocol is
pppSecurityPapProtocol then this object will
contain a PAP Peer-ID. If
pppSecuritySecretsProtocol is
pppSecurityChapMD5Protocol then this object
would contain the CHAP NAME parameter."
::= { pppSecuritySecretsEntry 5 }
pppSecuritySecretsSecret OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0..255))
ACCESS read-write
STATUS mandatory
Kastenholz [Page 9]
RFC 1472 PPP/Security MIB June 1993
DESCRIPTION
"The secret of the ID/Secret pair. The actual
format, semantics, and use of
pppSecuritySecretsSecret depends on the actual
security protocol used. For example, if
pppSecuritySecretsProtocol is
pppSecurityPapProtocol then this object will
contain a PAP Password. If
pppSecuritySecretsProtocol is
pppSecurityChapMD5Protocol then this object
would contain the CHAP MD5 Secret."
::= { pppSecuritySecretsEntry 6 }
pppSecuritySecretsStatus OBJECT-TYPE
SYNTAX INTEGER {
invalid(1),
valid(2)
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"Setting this object to the value invalid(1)
has the effect of invalidating the
corresponding entry in the
pppSecuritySecretsTable. It is an
implementation-specific matter as to whether
the agent removes an invalidated entry from the
table. Accordingly, management stations must
be prepared to receive tabular information from
agents that corresponds to entries not
currently in use. Proper interpretation of
such entries requires examination of the
relevant pppSecuritySecretsStatus object."
DEFVAL { valid }
::= { pppSecuritySecretsEntry 7 }
END
5. Acknowledgements
This document was produced by the PPP working group. In addition to
the working group, the author wishes to thank the following
individuals for their comments and contributions:
Bill Simpson -- Daydreamer
Glenn McGregor -- Merit
Kastenholz [Page 10]
RFC 1472 PPP/Security MIB June 1993
Jesse Walker -- DEC
Chris Gunner -- DEC
6. Security Considerations
The PPP MIB affords the network operator the ability to configure and
control the PPP links of a particular system, including the PPP
authentication protocols. This represents a security risk.
These risks are addressed in the following manners:
(1) All variables which represent a significant security risk
are placed in separate, optional, MIB Groups. As the MIB
Group is the quantum of implementation within a MIB, the
implementor of the MIB may elect not to implement these
groups.
(2) The implementor may choose to implement the variables
which present a security risk so that they may not be
written, i.e., the variables are READ-ONLY. This method
still presents a security risk, and is not recommended,
in that the variables, specifically the PPP
Authentication Protocols' variables, may be easily read.
(3) Using SNMPv2, the operator can place the variables into
MIB views which are protected in that the parties which
have access to those MIB views use authentication and
privacy protocols, or the operator may elect to make
these views not accessible to any party. In order to
facilitate this placement, all security-related variables
are placed in separate MIB Tables. This eases the
identification of the necessary MIB View Subtree.
(4) The PPP Security Protocols MIB (this document) contains
several objects which are very sensitive from a security
point of view.
Specifically, this MIB contains objects that define the PPP Peer
Identities (which can be viewed as "userids") and the secrets used to
authenticate those Peer Identities (similar to a "password" for the
"userid").
Also, this MIB contains variables which would allow a network manager
to control the operation of the security features of PPP. An
intruder could disable PPP security if these variables were not
properly protected.
Thus, in order to preserve the integrity, security and privacy of the
Kastenholz [Page 11]
RFC 1472 PPP/Security MIB June 1993
PPP security features, an implementation will allow access to this
MIB only via SNMPv2 and then only for parties which are privacy
enhanced. Other access modes, e.g., SNMPv1 or SNMPv2 without
privacy- enhancement, are very dangerous and the security of the PPP
service may be compromised.
7. References
[1] Rose M., and K. McCloghrie, "Structure and Identification of
Management Information for TCP/IP-based internets", STD 16, RFC
1155, Performance Systems International, Hughes LAN Systems, May
1990.
[2] McCloghrie K., and M. Rose, Editors, "Management Information Base
for Network Management of TCP/IP-based internets", STD 17, RFC
1213, Performance Systems International, March 1991.
[3] Information processing systems - Open Systems Interconnection -
Specification of Abstract Syntax Notation One (ASN.1),
International Organization for Standardization, International
Standard 8824, December 1987.
[4] Information processing systems - Open Systems Interconnection -
Specification of Basic Encoding Rules for Abstract Notation One
(ASN.1), International Organization for Standardization,
International Standard 8825, December 1987.
[5] Rose, M., and K. McCloghrie, Editors, "Concise MIB Definitions",
STD 16, RFC 1212, Performance Systems International, Hughes LAN
Systems, March 1991.
[6] Rose, M., Editor, "A Convention for Defining Traps for use with
the SNMP", RFC 1215, Performance Systems International, March
1991.
[7] McCloghrie, K., "Extensions to the Generic-Interface MIB", RFC
1229, Hughes LAN Systems, Inc., May 1991.
[8] Simpson, W., "The Point-to-Point Protocol for the Transmission of
Multi-protocol Datagrams over Point-to-Point Links, RFC 1331,
Daydreamer, May 1992.
[9] McGregor, G., "The PPP Internet Protocol Control Protocol", RFC
1332, Merit, May 1992.
[10] Baker, F., "Point-to-Point Protocol Extensions for Bridging", RFC
1220, ACC, April 1991.
Kastenholz [Page 12]
RFC 1472 PPP/Security MIB June 1993
[11] Lloyd, B., and W. Simpson, "PPP Authentication Protocols", RFC
1334, L&A, Daydreamer, October 1992.
[12] Simpson, W., "PPP Link Quality Monitoring", RFC 1333, Daydreamer,
May 1992.
8. Author's Address
Frank Kastenholz
FTP Software, Inc.
2 High Street
North Andover, Mass 01845 USA
Phone: (508) 685-4000
EMail: kasten@ftp.com
Kastenholz [Page 13]
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -