rfc1472.txt

著名的RFC文档,其中有一些文档是已经翻译成中文的的.

                         expected that access to this table be limited
                         to those SNMP Party-Pairs for which a privacy
                         protocol is in use for all SNMP messages that
                         the parties exchange.  This table contains both
                         the ID and secret pair(s) that the local PPP
                         entity will advertise to the remote entity and
                         the pair(s) that the local entity will expect
                         from the remote entity.  This table allows for
                         multiple id/secret password pairs to be
                         specified for a particular link by using the
                         pppSecuritySecretsIdIndex object."
               ::= { pppSecurity 3 }


          pppSecuritySecretsEntry   OBJECT-TYPE
               SYNTAX    PppSecuritySecretsEntry
               ACCESS    not-accessible
               STATUS    mandatory
               DESCRIPTION
                         "Secret information."
               INDEX     { pppSecuritySecretsLink,
                         pppSecuritySecretsIdIndex }
               ::= { pppSecuritySecretsTable 1 }




Kastenholz                                                      [Page 7]

RFC 1472                    PPP/Security MIB                   June 1993


          PppSecuritySecretsEntry ::= SEQUENCE {
               pppSecuritySecretsLink
                    INTEGER,
               pppSecuritySecretsIdIndex
                    INTEGER,
               pppSecuritySecretsDirection
                    INTEGER,
               pppSecuritySecretsProtocol
                    OBJECT IDENTIFIER,
               pppSecuritySecretsIdentity
                    OCTET STRING,
               pppSecuritySecretsSecret
                    OCTET STRING,
               pppSecuritySecretsStatus
                    INTEGER
          }

          pppSecuritySecretsLink   OBJECT-TYPE
               SYNTAX    INTEGER(0..2147483647)
               ACCESS    read-only
               STATUS    mandatory
               DESCRIPTION
                         "The link to which this ID/Secret pair applies.
                         By convention, if the value of this object is 0
                         then the ID/Secret pair applies to all links."
               ::= { pppSecuritySecretsEntry 1 }


          pppSecuritySecretsIdIndex   OBJECT-TYPE
               SYNTAX    INTEGER(0..2147483647)
               ACCESS    read-only
               STATUS    mandatory
               DESCRIPTION
                         "A unique value for each ID/Secret pair that
                         has been defined for use on this link.  This
                         allows multiple ID/Secret pairs to be defined
                         for each link.  How the local entity selects
                         which pair to use is a local implementation
                         decision."
               ::= { pppSecuritySecretsEntry 2 }


          pppSecuritySecretsDirection   OBJECT-TYPE
               SYNTAX    INTEGER  {
                         local-to-remote(1),
                         remote-to-local(2)
                    }
               ACCESS    read-write



Kastenholz                                                      [Page 8]

RFC 1472                    PPP/Security MIB                   June 1993


               STATUS    mandatory
               DESCRIPTION
                         "This object defines the direction in which a
                         particular ID/Secret pair is valid.  If this
                         object is local-to-remote then the local PPP
                         entity will use the ID/Secret pair when
                         attempting to authenticate the local PPP entity
                         to the remote PPP entity.  If this object is
                         remote-to-local then the local PPP entity will
                         expect the ID/Secret pair to be used by the
                         remote PPP entity when the remote PPP entity
                         attempts to authenticate itself to the local
                         PPP entity."
               ::= { pppSecuritySecretsEntry 3 }


          pppSecuritySecretsProtocol   OBJECT-TYPE
               SYNTAX    OBJECT IDENTIFIER
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "The security protocol (e.g. CHAP or PAP) to
                         which this ID/Secret pair applies."
               ::= { pppSecuritySecretsEntry 4 }


          pppSecuritySecretsIdentity   OBJECT-TYPE
               SYNTAX    OCTET STRING (SIZE(0..255))
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "The Identity of the ID/Secret pair.  The
                         actual format, semantics, and use of
                         pppSecuritySecretsIdentity depends on the
                         actual security protocol used.  For example, if
                         pppSecuritySecretsProtocol is
                         pppSecurityPapProtocol then this object will
                         contain a PAP Peer-ID. If
                         pppSecuritySecretsProtocol is
                         pppSecurityChapMD5Protocol then this object
                         would contain the CHAP NAME parameter."
               ::= { pppSecuritySecretsEntry 5 }


          pppSecuritySecretsSecret   OBJECT-TYPE
               SYNTAX    OCTET STRING (SIZE(0..255))
               ACCESS    read-write
               STATUS    mandatory



Kastenholz                                                      [Page 9]

RFC 1472                    PPP/Security MIB                   June 1993


               DESCRIPTION
                         "The secret of the ID/Secret pair.  The actual
                         format, semantics, and use of
                         pppSecuritySecretsSecret depends on the actual
                         security protocol used.  For example, if
                         pppSecuritySecretsProtocol is
                         pppSecurityPapProtocol then this object will
                         contain a PAP Password. If
                         pppSecuritySecretsProtocol is
                         pppSecurityChapMD5Protocol then this object
                         would contain the CHAP MD5 Secret."
               ::= { pppSecuritySecretsEntry 6 }


          pppSecuritySecretsStatus   OBJECT-TYPE
               SYNTAX    INTEGER  {
                         invalid(1),
                         valid(2)
                    }
               ACCESS    read-write
               STATUS    mandatory
               DESCRIPTION
                         "Setting this object to the value invalid(1)
                         has the effect of invalidating the
                         corresponding entry in the
                         pppSecuritySecretsTable. It is an
                         implementation-specific matter as to whether
                         the agent removes an invalidated entry from the
                         table.  Accordingly, management stations must
                         be prepared to receive tabular information from
                         agents that corresponds to entries not
                         currently in use.  Proper interpretation of
                         such entries requires examination of the
                         relevant pppSecuritySecretsStatus object."
               DEFVAL    { valid }
               ::= { pppSecuritySecretsEntry 7 }


          END

5.  Acknowledgements

   This document was produced by the PPP working group.  In addition to
   the working group, the author wishes to thank the following
   individuals for their comments and contributions:

          Bill Simpson -- Daydreamer
          Glenn McGregor -- Merit



Kastenholz                                                     [Page 10]

RFC 1472                    PPP/Security MIB                   June 1993


          Jesse Walker -- DEC
          Chris Gunner -- DEC

6.  Security Considerations

   The PPP MIB affords the network operator the ability to configure and
   control the PPP links of a particular system, including the PPP
   authentication protocols. This represents a security risk.

   These risks are addressed in the following manners:

      (1)  All variables which represent a significant security risk
           are placed in separate, optional, MIB Groups. As the MIB
           Group is the quantum of implementation within a MIB, the
           implementor of the MIB may elect not to implement these
           groups.

      (2)  The implementor may choose to implement the variables
           which present a security risk so that they may not be
           written, i.e., the variables are READ-ONLY. This method
           still presents a security risk, and is not recommended,
           in that the variables, specifically the PPP
           Authentication Protocols' variables, may be easily read.

      (3)  Using SNMPv2, the operator can place the variables into
           MIB views which are protected in that the parties which
           have access to those MIB views use authentication and
           privacy protocols, or the operator may elect to make
           these views not accessible to any party.  In order to
           facilitate this placement, all security-related variables
           are placed in separate MIB Tables. This eases the
           identification of the necessary MIB View Subtree.

      (4)  The PPP Security Protocols MIB (this document) contains
           several objects which are very sensitive from a security
           point of view.

   Specifically, this MIB contains objects that define the PPP Peer
   Identities (which can be viewed as "userids") and the secrets used to
   authenticate those Peer Identities (similar to a "password" for the
   "userid").

   Also, this MIB contains variables which would allow a network manager
   to control the operation of the security features of PPP.  An
   intruder could disable PPP security if these variables were not
   properly protected.

   Thus, in order to preserve the integrity, security and privacy of the



Kastenholz                                                     [Page 11]

RFC 1472                    PPP/Security MIB                   June 1993


   PPP security features, an implementation will allow access to this
   MIB only via SNMPv2 and then only for parties which are privacy
   enhanced.  Other access modes, e.g., SNMPv1 or SNMPv2 without
   privacy- enhancement, are very dangerous and the security of the PPP
   service may be compromised.

7.  References

   [1] Rose M., and K. McCloghrie, "Structure and Identification of
       Management Information for TCP/IP-based internets", STD 16, RFC
       1155, Performance Systems International, Hughes LAN Systems, May
       1990.

   [2] McCloghrie K., and M. Rose, Editors, "Management Information Base
       for Network Management of TCP/IP-based internets", STD 17, RFC
       1213, Performance Systems International, March 1991.

   [3] Information processing systems - Open Systems Interconnection -
       Specification of Abstract Syntax Notation One (ASN.1),
       International Organization for Standardization, International
       Standard 8824, December 1987.

   [4] Information processing systems - Open Systems Interconnection -
       Specification of Basic Encoding Rules for Abstract Notation One
       (ASN.1), International Organization for Standardization,
       International Standard 8825, December 1987.

   [5] Rose, M., and K. McCloghrie, Editors, "Concise MIB Definitions",
       STD 16, RFC 1212, Performance Systems International, Hughes LAN
       Systems, March 1991.

   [6] Rose, M., Editor, "A Convention for Defining Traps for use with
       the SNMP", RFC 1215, Performance Systems International, March
       1991.

   [7] McCloghrie, K., "Extensions to the Generic-Interface MIB", RFC
       1229, Hughes LAN Systems, Inc., May 1991.

   [8] Simpson, W., "The Point-to-Point Protocol for the Transmission of
       Multi-protocol Datagrams over Point-to-Point Links, RFC 1331,
       Daydreamer, May 1992.

   [9] McGregor, G., "The PPP Internet Protocol Control Protocol", RFC
       1332, Merit, May 1992.

  [10] Baker, F., "Point-to-Point Protocol Extensions for Bridging", RFC
       1220, ACC, April 1991.




Kastenholz                                                     [Page 12]

RFC 1472                    PPP/Security MIB                   June 1993


  [11] Lloyd, B., and W. Simpson, "PPP Authentication Protocols", RFC
       1334, L&A, Daydreamer, October 1992.

  [12] Simpson, W., "PPP Link Quality Monitoring", RFC 1333, Daydreamer,
       May 1992.

8.  Author's Address

   Frank Kastenholz
   FTP Software, Inc.
   2 High Street
   North Andover, Mass 01845 USA

   Phone: (508) 685-4000
   EMail: kasten@ftp.com




































Kastenholz                                                     [Page 13]