The Enterasys Networks MIB module for configuring rapid
rekeying on SNMPv1-only platforms.
This MIB includes encrypted variants of selected objects
from the Enterasys 802.1x Rapid Rekeying MIB.
N O T I C E
Use of this MIB in any product requires the approval
of the Office of the CTO, Enterasys Networks, Inc.
Permission to use this MIB will not be granted for
products in which SNMPv3 is now, or will soon be,
implemented. Permission to use this MIB in products
that are never scheduled to implement SNMPv3 will be
granted on a case-by-case basis, depending on what
other suitable, secure means of configuration are
available in the product.
The following is a discussion of the encoding/decoding and
encryption/decryption methods that must be used to extract
data from an encrypted OCTET STRING. (These methods are the
same as for the Enterasys Networks encrypted RADIUS Client
MIB.)
The encryption/decryption methods make use of an agreed-upon
Secret and an Authenticator shared between the SNMP network
management system and the entity that implements the MIB.
The encryption/decryption algorithm, as presented herein, is
taken from the RADIUS protocol, and is the method specified
for encryption of Tunnel-Password Attributes in RFC 2868.
To permit plug-and-play remote installation, configuration,
and management of the device, the device will algorithmically
derive the initial shared secret and the initial authenticator.
For security reasons, the network manager should change the
authenticator portion of the management encryption key after
initial configuration. The methods available for doing this
are implementation-specific and subject to change. (On the
RoamAbout AccessPoint 2000, the encrypted RADIUS client MIB
contains an authenticator object used for both that MIB and
this one.)
All read-write and write-only access objects except the table
index are encoded into fields in an OCTET STRING.
Octet String
Before encryption, the 'native' objects must be encoded into
a formatted Octet String. After decryption, the Octet String
must be decoded to obtain the 'native' objects.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Salt |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| String ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
The data type of the non-encrypted 'native' data:
1 = Integer32
2 = OCTET STRING
Length
The length in octets of the native object sub-field of
the Octet String, exclusive of any optional padding.
Note that the Integrity Check sub-fields (CRC, OID-tail,
Time Stamp, Source IP Address) are not included in this
length value, but since the IC sub-fields are always
present and are of fixed length, there is no impediment
to proper packet parsing.
Salt
The Salt field is two octets in length and is used to
ensure the uniqueness of the encryption key used to
encrypt each object.
The most significant bit (leftmost) of the Salt field
MUST be set (1). The contents of each Salt field in a
given SNMP packet must be unique.
String
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| CRC (4 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OID-tail (4 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time Stamp (4 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source IP Address (4 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Object/Padding ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The plain-text String field consists of six logical
sub-fields: the CRC, OID-tail, Time Stamp, Source IP
address and native Object sub-fields (all of which are
required), and the optional Padding sub-field. The
String field MUST be treated as a counted-string of
undistinguished octets, and not as a standard
C/UNIX-style null-terminated, printable ASCII string.
CRC Sub-field
The CRC sub-field contains a 32-bit CRC (CRC-32)
calculated over the following concatentated sub-fields
of the String: the OID-tail, Time Stamp, Source IP
Address and unpadded native Object fields. The CRC
sub-field acts as an integrity check on the decrypted
data.
OID-tail Sub-field
The OID-tail sub-field contains the least significant
four octets of the Object ID of the varbind. This
field is included as an integrity check on the OID of
the varbind.
Time Stamp Sub-field
The Time Stamp sub-field contains a 32-bit unsigned
integer value representing the time the encrypted
message was assembled. This field acts as an
integrity check by facilitating the disposal of stale
or replayed messages. The time window of acceptance is
implementation dependant, and may be the subject of
local (i.e. managed entity) policy configuration. The
Time Stamp is relative time, in units of seconds,
referenced to the sysUpTime object of the managed
entity.
Source IP Address Sub-field
The Source IP Address sub-field contains an unsigned
32-bit representation of the IPv4 address of the
source of the encrypted message. This is an added
check to allow verification of the source of the
varbind.
The CRC, OID-tail, Time Stamp, and Source IP Address
sub-fields are collectively hereinafter refered to as
the Integrity Check (IC) sub-fields.
Object/Padding Sub-field
Object
The Object sub-field contains the actual or native
object data followed by padding, if necessary.
Padding
If the combined length (in octets) of the
non-encrypted CRC, OID-tail, Time Stamp, Source IP
Address, and native Object sub-fields is not an even
multiple of 16, then the Padding sub-field MUST be
present. If it is present, the length of the
Padding sub-field is variable, between 1 and 15
octets. The value of the pad octets SHOULD be zero.
Encrypting/Decrypting the String Field
The entire String field MUST be encrypted as follows,
prior to transmission:
Construct a plain-text version of the String field by
concatenating the CRC, OID-tail, Time Stamp, Source IP
address, and native Object sub-fields. If necessary,
pad the resulting string until its length (in octets)
is an even multiple of 16. It is recommended that zero
octets (0x00) be used for padding. Call this plain-text
P.
Shared Secret
The shared secret is formed from the MAC
(hardware) address of the primary management
interface of the managed device (containing the
RADIUS Client). The MAC address is represented
as up-cased, dashed-ASCII, e.g. 08-00-2B-11-22-33.
Authenticator
The 128-bit authenticator is a pre-defined
constant. The default value of the authenticator
is an Enterasys Networks trade secret. This value
is settable and the user is advised to change it
from the default value after initial configuration
of the system. Contact the MIB author for
additional information on the default value.
Call the shared secret S, the [pseudo-random] 128-bit
Authenticator R, and the contents of the Salt field A.
Break P into 16 octet chunks p(1), p(2)...p(i),
where i = len(P)/16. Call the cipher-text blocks
c(1), c(2)...c(i) and the final cipher-text C.
Intermediate values b(1), b(2)...c(i) are required.
Encryption is performed in the following manner ('+'
indicates concatenation):
b(1) = MD5(S + R + A) c(1) = p(1) xor b(1) C = c(1)
b(2) = MD5(S + c(1)) c(2) = p(2) xor b(2) C = C + c(2)
. .
. .
. .
b(i) = MD5(S + c(i-1)) c(i) = p(i) xor b(i) C = C + c(i)
The resulting encrypted String field will contain
c(1)+c(2)+...+c(i).
On receipt, the process is reversed to yield the
plain-text String.
Parsed from file enterasys-encr-8021x-rekeying-mib.txt
Company: None
Module: ENTERASYS-ENCR-8021X-REKEYING-MIB
The Enterasys Networks MIB module for configuring rapid
rekeying on SNMPv1-only platforms.
This MIB includes encrypted variants of selected objects
from the Enterasys 802.1x Rapid Rekeying MIB.
N O T I C E
Use of this MIB in any product requires the approval
of the Office of the CTO, Enterasys Networks, Inc.
Permission to use this MIB will not be granted for
products in which SNMPv3 is now, or will soon be,
implemented. Permission to use this MIB in products
that are never scheduled to implement SNMPv3 will be
granted on a case-by-case basis, depending on what
other suitable, secure means of configuration are
available in the product.
The following is a discussion of the encoding/decoding and
encryption/decryption methods that must be used to extract
data from an encrypted OCTET STRING. (These methods are the
same as for the Enterasys Networks encrypted RADIUS Client
MIB.)
The encryption/decryption methods make use of an agreed-upon
Secret and an Authenticator shared between the SNMP network
management system and the entity that implements the MIB.
The encryption/decryption algorithm, as presented herein, is
taken from the RADIUS protocol, and is the method specified
for encryption of Tunnel-Password Attributes in RFC 2868.
To permit plug-and-play remote installation, configuration,
and management of the device, the device will algorithmically
derive the initial shared secret and the initial authenticator.
For security reasons, the network manager should change the
authenticator portion of the management encryption key after
initial configuration. The methods available for doing this
are implementation-specific and subject to change. (On the
RoamAbout AccessPoint 2000, the encrypted RADIUS client MIB
contains an authenticator object used for both that MIB and
this one.)
All read-write and write-only access objects except the table
index are encoded into fields in an OCTET STRING.
Octet String
Before encryption, the 'native' objects must be encoded into
a formatted Octet String. After decryption, the Octet String
must be decoded to obtain the 'native' objects.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Salt |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| String ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
The data type of the non-encrypted 'native' data:
1 = Integer32
2 = OCTET STRING
Length
The length in octets of the native object sub-field of
the Octet String, exclusive of any optional padding.
Note that the Integrity Check sub-fields (CRC, OID-tail,
Time Stamp, Source IP Address) are not included in this
length value, but since the IC sub-fields are always
present and are of fixed length, there is no impediment
to proper packet parsing.
Salt
The Salt field is two octets in length and is used to
ensure the uniqueness of the encryption key used to
encrypt each object.
The most significant bit (leftmost) of the Salt field
MUST be set (1). The contents of each Salt field in a
given SNMP packet must be unique.
String
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| CRC (4 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OID-tail (4 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time Stamp (4 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source IP Address (4 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Object/Padding ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The plain-text String field consists of six logical
sub-fields: the CRC, OID-tail, Time Stamp, Source IP
address and native Object sub-fields (all of which are
required), and the optional Padding sub-field. The
String field MUST be treated as a counted-string of
undistinguished octets, and not as a standard
C/UNIX-style null-terminated, printable ASCII string.
CRC Sub-field
The CRC sub-field contains a 32-bit CRC (CRC-32)
calculated over the following concatentated sub-fields
of the String: the OID-tail, Time Stamp, Source IP
Address and unpadded native Object fields. The CRC
sub-field acts as an integrity check on the decrypted
data.
OID-tail Sub-field
The OID-tail sub-field contains the least significant
four octets of the Object ID of the varbind. This
field is included as an integrity check on the OID of
the varbind.
Time Stamp Sub-field
The Time Stamp sub-field contains a 32-bit unsigned
integer value representing the time the encrypted
message was assembled. This field acts as an
integrity check by facilitating the disposal of stale
or replayed messages. The time window of acceptance is
implementation dependant, and may be the subject of
local (i.e. managed entity) policy configuration. The
Time Stamp is relative time, in units of seconds,
referenced to the sysUpTime object of the managed
entity.
Source IP Address Sub-field
The Source IP Address sub-field contains an unsigned
32-bit representation of the IPv4 address of the
source of the encrypted message. This is an added
check to allow verification of the source of the
varbind.
The CRC, OID-tail, Time Stamp, and Source IP Address
sub-fields are collectively hereinafter refered to as
the Integrity Check (IC) sub-fields.
Object/Padding Sub-field
Object
The Object sub-field contains the actual or native
object data followed by padding, if necessary.
Padding
If the combined length (in octets) of the
non-encrypted CRC, OID-tail, Time Stamp, Source IP
Address, and native Object sub-fields is not an even
multiple of 16, then the Padding sub-field MUST be
present. If it is present, the length of the
Padding sub-field is variable, between 1 and 15
octets. The value of the pad octets SHOULD be zero.
Encrypting/Decrypting the String Field
The entire String field MUST be encrypted as follows,
prior to transmission:
Construct a plain-text version of the String field by
concatenating the CRC, OID-tail, Time Stamp, Source IP
address, and native Object sub-fields. If necessary,
pad the resulting string until its length (in octets)
is an even multiple of 16. It is recommended that zero
octets (0x00) be used for padding. Call this plain-text
P.
Shared Secret
The shared secret is formed from the MAC
(hardware) address of the primary management
interface of the managed device (containing the
RADIUS Client). The MAC address is represented
as up-cased, dashed-ASCII, e.g. 08-00-2B-11-22-33.
Authenticator
The 128-bit authenticator is a pre-defined
constant. The default value of the authenticator
is an Enterasys Networks trade secret. This value
is settable and the user is advised to change it
from the default value after initial configuration
of the system. Contact the MIB author for
additional information on the default value.
Call the shared secret S, the [pseudo-random] 128-bit
Authenticator R, and the contents of the Salt field A.
Break P into 16 octet chunks p(1), p(2)...p(i),
where i = len(P)/16. Call the cipher-text blocks
c(1), c(2)...c(i) and the final cipher-text C.
Intermediate values b(1), b(2)...c(i) are required.
Encryption is performed in the following manner ('+'
indicates concatenation):
b(1) = MD5(S + R + A) c(1) = p(1) xor b(1) C = c(1)
b(2) = MD5(S + c(1)) c(2) = p(2) xor b(2) C = C + c(2)
. .
. .
. .
b(i) = MD5(S + c(i-1)) c(i) = p(i) xor b(i) C = C + c(i)
The resulting encrypted String field will contain
c(1)+c(2)+...+c(i).
On receipt, the process is reversed to yield the
plain-text String.
Parsed from file ENTERASYS-ENCR-8021X-REKEYING-MIB.mib
Module: ENTERASYS-ENCR-8021X-REKEYING-MIB
Vendor: Enterasys Networks
Module: ENTERASYS-ENCR-8021X-REKEYING-MIB
[Automatically extracted from oidview.com]
etsysEncr8021xRekeyingMIB MODULE-IDENTITY LAST-UPDATED "200203142049Z" ORGANIZATION "Enterasys Networks, Inc" CONTACT-INFO "Postal: Enterasys Networks 35 Industrial Way, P.O. Box 5005 Rochester, NH 03867-0505 Phone: +1 603 332 9400 E-mail: [email protected] WWW: http://www.enterasys.com" DESCRIPTION "The Enterasys Networks MIB module for configuring rapid rekeying on SNMPv1-only platforms. This MIB includes encrypted variants of selected objects from the Enterasys 802.1x Rapid Rekeying MIB. N O T I C E Use of this MIB in any product requires the approval of the Office of the CTO, Enterasys Networks, Inc. Permission to use this MIB will not be granted for products in which SNMPv3 is now, or will soon be, implemented. Permission to use this MIB in products that are never scheduled to implement SNMPv3 will be granted on a case-by-case basis, depending on what other suitable, secure means of configuration are available in the product. The following is a discussion of the encoding/decoding and encryption/decryption methods that must be used to extract data from an encrypted OCTET STRING. (These methods are the same as for the Enterasys Networks encrypted RADIUS Client MIB.) The encryption/decryption methods make use of an agreed-upon Secret and an Authenticator shared between the SNMP network management system and the entity that implements the MIB. The encryption/decryption algorithm, as presented herein, is taken from the RADIUS protocol, and is the method specified for encryption of Tunnel-Password Attributes in RFC 2868. To permit plug-and-play remote installation, configuration, and management of the device, the device will algorithmically derive the initial shared secret and the initial authenticator. For security reasons, the network manager should change the authenticator portion of the management encryption key after initial configuration. The methods available for doing this are implementation-specific and subject to change. (On the RoamAbout AccessPoint 2000, the encrypted RADIUS client MIB contains an authenticator object used for both that MIB and this one.) All read-write and write-only access objects except the table index are encoded into fields in an OCTET STRING. Octet String Before encryption, the 'native' objects must be encoded into a formatted Octet String. After decryption, the Octet String must be decoded to obtain the 'native' objects. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Salt | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | String ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type The data type of the non-encrypted 'native' data: 1 = Integer32 2 = OCTET STRING Length The length in octets of the native object sub-field of the Octet String, exclusive of any optional padding. Note that the Integrity Check sub-fields (CRC, OID-tail, Time Stamp, Source IP Address) are not included in this length value, but since the IC sub-fields are always present and are of fixed length, there is no impediment to proper packet parsing. Salt The Salt field is two octets in length and is used to ensure the uniqueness of the encryption key used to encrypt each object. The most significant bit (leftmost) of the Salt field MUST be set (1). The contents of each Salt field in a given SNMP packet must be unique. String 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | CRC (4 bytes) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OID-tail (4 bytes) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Time Stamp (4 bytes) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IP Address (4 bytes) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Object/Padding ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The plain-text String field consists of six logical sub-fields: the CRC, OID-tail, Time Stamp, Source IP address and native Object sub-fields (all of which are required), and the optional Padding sub-field. The String field MUST be treated as a counted-string of undistinguished octets, and not as a standard C/UNIX-style null-terminated, printable ASCII string. CRC Sub-field The CRC sub-field contains a 32-bit CRC (CRC-32) calculated over the following concatentated sub-fields of the String: the OID-tail, Time Stamp, Source IP Address and unpadded native Object fields. The CRC sub-field acts as an integrity check on the decrypted data. OID-tail Sub-field The OID-tail sub-field contains the least significant four octets of the Object ID of the varbind. This field is included as an integrity check on the OID of the varbind. Time Stamp Sub-field The Time Stamp sub-field contains a 32-bit unsigned integer value representing the time the encrypted message was assembled. This field acts as an integrity check by facilitating the disposal of stale or replayed messages. The time window of acceptance is implementation dependant, and may be the subject of local (i.e. managed entity) policy configuration. The Time Stamp is relative time, in units of seconds, referenced to the sysUpTime object of the managed entity. Source IP Address Sub-field The Source IP Address sub-field contains an unsigned 32-bit representation of the IPv4 address of the source of the encrypted message. This is an added check to allow verification of the source of the varbind. The CRC, OID-tail, Time Stamp, and Source IP Address sub-fields are collectively hereinafter refered to as the Integrity Check (IC) sub-fields. Object/Padding Sub-field Object The Object sub-field contains the actual or native object data followed by padding, if necessary. Padding If the combined length (in octets) of the non-encrypted CRC, OID-tail, Time Stamp, Source IP Address, and native Object sub-fields is not an even multiple of 16, then the Padding sub-field MUST be present. If it is present, the length of the Padding sub-field is variable, between 1 and 15 octets. The value of the pad octets SHOULD be zero. Encrypting/Decrypting the String Field The entire String field MUST be encrypted as follows, prior to transmission: Construct a plain-text version of the String field by concatenating the CRC, OID-tail, Time Stamp, Source IP address, and native Object sub-fields. If necessary, pad the resulting string until its length (in octets) is an even multiple of 16. It is recommended that zero octets (0x00) be used for padding. Call this plain-text P. Shared Secret The shared secret is formed from the MAC (hardware) address of the primary management interface of the managed device (containing the RADIUS Client). The MAC address is represented as up-cased, dashed-ASCII, e.g. 08-00-2B-11-22-33. Authenticator The 128-bit authenticator is a pre-defined constant. The default value of the authenticator is an Enterasys Networks trade secret. This value is settable and the user is advised to change it from the default value after initial configuration of the system. Contact the MIB author for additional information on the default value. Call the shared secret S, the [pseudo-random] 128-bit Authenticator R, and the contents of the Salt field A. Break P into 16 octet chunks p(1), p(2)...p(i), where i = len(P)/16. Call the cipher-text blocks c(1), c(2)...c(i) and the final cipher-text C. Intermediate values b(1), b(2)...c(i) are required. Encryption is performed in the following manner ('+' indicates concatenation): b(1) = MD5(S + R + A) c(1) = p(1) xor b(1) C = c(1) b(2) = MD5(S + c(1)) c(2) = p(2) xor b(2) C = C + c(2) . . . . . . b(i) = MD5(S + c(i-1)) c(i) = p(i) xor b(i) C = C + c(i) The resulting encrypted String field will contain c(1)+c(2)+...+c(i). On receipt, the process is reversed to yield the plain-text String." REVISION "200203142049Z" DESCRIPTION "The initial version of this MIB module." ::= { etsysModules 20 }
etsysEncr8021xRekeyingMIB MODULE-IDENTITY LAST-UPDATED "200203142049Z" ORGANIZATION "Enterasys Networks, Inc" CONTACT-INFO "Postal: Enterasys Networks 35 Industrial Way, P.O. Box 5005 Rochester, NH 03867-0505 Phone: +1 603 332 9400 E-mail: [email protected] WWW: http://www.enterasys.com" DESCRIPTION "The Enterasys Networks MIB module for configuring rapid rekeying on SNMPv1-only platforms. This MIB includes encrypted variants of selected objects from the Enterasys 802.1x Rapid Rekeying MIB. N O T I C E Use of this MIB in any product requires the approval of the Office of the CTO, Enterasys Networks, Inc. Permission to use this MIB will not be granted for products in which SNMPv3 is now, or will soon be, implemented. Permission to use this MIB in products that are never scheduled to implement SNMPv3 will be granted on a case-by-case basis, depending on what other suitable, secure means of configuration are available in the product. The following is a discussion of the encoding/decoding and encryption/decryption methods that must be used to extract data from an encrypted OCTET STRING. (These methods are the same as for the Enterasys Networks encrypted RADIUS Client MIB.) The encryption/decryption methods make use of an agreed-upon Secret and an Authenticator shared between the SNMP network management system and the entity that implements the MIB. The encryption/decryption algorithm, as presented herein, is taken from the RADIUS protocol, and is the method specified for encryption of Tunnel-Password Attributes in RFC 2868. To permit plug-and-play remote installation, configuration, and management of the device, the device will algorithmically derive the initial shared secret and the initial authenticator. For security reasons, the network manager should change the authenticator portion of the management encryption key after initial configuration. The methods available for doing this are implementation-specific and subject to change. (On the RoamAbout AccessPoint 2000, the encrypted RADIUS client MIB contains an authenticator object used for both that MIB and this one.) All read-write and write-only access objects except the table index are encoded into fields in an OCTET STRING. Octet String Before encryption, the 'native' objects must be encoded into a formatted Octet String. After decryption, the Octet String must be decoded to obtain the 'native' objects. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Salt | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | String ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type The data type of the non-encrypted 'native' data: 1 = Integer32 2 = OCTET STRING Length The length in octets of the native object sub-field of the Octet String, exclusive of any optional padding. Note that the Integrity Check sub-fields (CRC, OID-tail, Time Stamp, Source IP Address) are not included in this length value, but since the IC sub-fields are always present and are of fixed length, there is no impediment to proper packet parsing. Salt The Salt field is two octets in length and is used to ensure the uniqueness of the encryption key used to encrypt each object. The most significant bit (leftmost) of the Salt field MUST be set (1). The contents of each Salt field in a given SNMP packet must be unique. String 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | CRC (4 bytes) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OID-tail (4 bytes) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Time Stamp (4 bytes) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IP Address (4 bytes) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Object/Padding ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The plain-text String field consists of six logical sub-fields: the CRC, OID-tail, Time Stamp, Source IP address and native Object sub-fields (all of which are required), and the optional Padding sub-field. The String field MUST be treated as a counted-string of undistinguished octets, and not as a standard C/UNIX-style null-terminated, printable ASCII string. CRC Sub-field The CRC sub-field contains a 32-bit CRC (CRC-32) calculated over the following concatentated sub-fields of the String: the OID-tail, Time Stamp, Source IP Address and unpadded native Object fields. The CRC sub-field acts as an integrity check on the decrypted data. OID-tail Sub-field The OID-tail sub-field contains the least significant four octets of the Object ID of the varbind. This field is included as an integrity check on the OID of the varbind. Time Stamp Sub-field The Time Stamp sub-field contains a 32-bit unsigned integer value representing the time the encrypted message was assembled. This field acts as an integrity check by facilitating the disposal of stale or replayed messages. The time window of acceptance is implementation dependant, and may be the subject of local (i.e. managed entity) policy configuration. The Time Stamp is relative time, in units of seconds, referenced to the sysUpTime object of the managed entity. Source IP Address Sub-field The Source IP Address sub-field contains an unsigned 32-bit representation of the IPv4 address of the source of the encrypted message. This is an added check to allow verification of the source of the varbind. The CRC, OID-tail, Time Stamp, and Source IP Address sub-fields are collectively hereinafter refered to as the Integrity Check (IC) sub-fields. Object/Padding Sub-field Object The Object sub-field contains the actual or native object data followed by padding, if necessary. Padding If the combined length (in octets) of the non-encrypted CRC, OID-tail, Time Stamp, Source IP Address, and native Object sub-fields is not an even multiple of 16, then the Padding sub-field MUST be present. If it is present, the length of the Padding sub-field is variable, between 1 and 15 octets. The value of the pad octets SHOULD be zero. Encrypting/Decrypting the String Field The entire String field MUST be encrypted as follows, prior to transmission: Construct a plain-text version of the String field by concatenating the CRC, OID-tail, Time Stamp, Source IP address, and native Object sub-fields. If necessary, pad the resulting string until its length (in octets) is an even multiple of 16. It is recommended that zero octets (0x00) be used for padding. Call this plain-text P. Shared Secret The shared secret is formed from the MAC (hardware) address of the primary management interface of the managed device (containing the RADIUS Client). The MAC address is represented as up-cased, dashed-ASCII, e.g. 08-00-2B-11-22-33. Authenticator The 128-bit authenticator is a pre-defined constant. The default value of the authenticator is an Enterasys Networks trade secret. This value is settable and the user is advised to change it from the default value after initial configuration of the system. Contact the MIB author for additional information on the default value. Call the shared secret S, the [pseudo-random] 128-bit Authenticator R, and the contents of the Salt field A. Break P into 16 octet chunks p(1), p(2)...p(i), where i = len(P)/16. Call the cipher-text blocks c(1), c(2)...c(i) and the final cipher-text C. Intermediate values b(1), b(2)...c(i) are required. Encryption is performed in the following manner ('+' indicates concatenation): b(1) = MD5(S + R + A) c(1) = p(1) xor b(1) C = c(1) b(2) = MD5(S + c(1)) c(2) = p(2) xor b(2) C = C + c(2) . . . . . . b(i) = MD5(S + c(i-1)) c(i) = p(i) xor b(i) C = C + c(i) The resulting encrypted String field will contain c(1)+c(2)+...+c(i). On receipt, the process is reversed to yield the plain-text String." REVISION "200203142049Z" DESCRIPTION "The initial version of this MIB module." ::= { etsysModules 20 }
OID | Name | Sub children | Sub Nodes Total | Description |
---|---|---|---|---|
1.3.6.1.4.1.5624.1.2.20.1 | etsysEncrDot1xRekeyingObjects | 1 | 7 | None |
1.3.6.1.4.1.5624.1.2.20.2 | etsysEncrDot1xRekeyingConformance | 2 | 4 | None |
OID | Name | Sub children | Sub Nodes Total | Description |
---|---|---|---|---|
1.3.6.1.4.1.5624.1.2.1 | etsysModuleName | 0 | 0 | This mib module defines a portion of the SNMP enterprise MIBs under Enterasys enterprise OID pertaining to System OIDs. This modul… |
1.3.6.1.4.1.5624.1.2.2 | enterasysOidsMib, etsysModuleOID | 1 | 1 | This MIB module defines a portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID pertaining to system OIDs.… |
1.3.6.1.4.1.5624.1.2.3 | etsysMibOrg | 0 | 0 | This MIB module defines a portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID. This module defines OBJEC… |
1.3.6.1.4.1.5624.1.2.4 | etsysRadiusAuthClientMIB | 2 | 24 | The Enterasys Networks Proprietary MIB module for entities implementing the client side of the Remote Access Dialin User Service … |
1.3.6.1.4.1.5624.1.2.5 | etsysRadiusAuthClientEncryptMIB | 2 | 25 | The Enterasys Networks Proprietary MIB module for entities implementing the client side of the Remote Access Dialin User Service … |
1.3.6.1.4.1.5624.1.2.6 | etsysPolicyProfileMIB | 11 | 143 | This MIB module defines a portion of the SNMP enterprise MIBs under the Enterasys enterprise OID pertaining to the mapping of per… |
1.3.6.1.4.1.5624.1.2.8 | etsysPwaMIB | 6 | 76 | This mib provides the ability to configure the port web authentication (PWA) component in a switch. PWA provides a way of authent… |
1.3.6.1.4.1.5624.1.2.9 | etsysDot11ExtMIB | 2 | 48 | This mib module defines a portion of the SNMP enterprise MIBs under Enterasys Networks enterprise OID as an extension to the IEEE… |
1.3.6.1.4.1.5624.1.2.10 | enterasysESwitchMIB | 2 | 37 | The Enterasys Networks Proprietary MIB module for entities implementing the Extended Switch Objects. |
1.3.6.1.4.1.5624.1.2.11 | enterasysR2MgmtMIB | 2 | 41 | The Enterasys Networks Proprietary MIB module for entities implementing objects specific to RoamAbout R2 Wireless Access Platform. |
1.3.6.1.4.1.5624.1.2.12 | etsysConfigurationChangeMIB | 4 | 28 | This MIB module defines a portion of the SNMP enterprise MIBs under the Enterasys enterprise OID pertaining to the monitoring of … |
1.3.6.1.4.1.5624.1.2.13 | etsysDiagnosticMessageMIB | 3 | 24 | This MIB module defines a portion of the SNMP enterprise MIBs under the Enterasys enterprise OID pertaining to the retrieval of d… |
1.3.6.1.4.1.5624.1.2.14 | etsysSyslogClientMIB | 4 | 49 | This MIB module defines a portion of the SNMP enterprise MIBs under the Enterasys enterprise OID pertaining to the configuration … |
1.3.6.1.4.1.5624.1.2.15 | etsysFileManagementMIB | 4 | 56 | This MIB module defines a portion of the SNMP enterprise MIBs under the Enterasys enterprise OID pertaining to the transferring a… |
1.3.6.1.4.1.5624.1.2.16 | etsysConfigurationManagementMIB | 3 | 41 | This MIB module defines a portion of the SNMP MIB under Enterasys Networks' enterprise OID pertaining to configuration management. |
1.3.6.1.4.1.5624.1.2.17 | etsys8021xRekeyingMIB | 2 | 13 | This MIB module defines a portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID pertaining to IEEE 802.1x … |
1.3.6.1.4.1.5624.1.2.18 | etsys8021xExtensionsMIB | 2 | 81 | This MIB module defines a portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID pertaining to IEEE 802.1x … |
1.3.6.1.4.1.5624.1.2.19 | etsysEncr8021xConfigMIB | 2 | 28 | The Enterasys Networks MIB module for configuring IEEE 802.1x implementations on SNMPv1-only platforms. This MIB includes encrypt… |
1.3.6.1.4.1.5624.1.2.21 | etsysMACLockingMIB | 2 | 37 | This MIB module defines the portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID pertaining to MAC Lockin… |
1.3.6.1.4.1.5624.1.2.22 | etsysVlanInterfaceMIB | 3 | 20 | This MIB module defines a portion of the SNMP enterprise MIBs under the Enterasys enterprise OID pertaining to the creation of MI… |
1.3.6.1.4.1.5624.1.2.24 | etsysSnmpPersistenceMIB | 2 | 18 | This MIB modules provides objects that allow management applications to commit persistent SNMP configuration information to persi… |
1.3.6.1.4.1.5624.1.2.25 | etsysMACAuthenticationMIB | 2 | 43 | This MIB module defines a portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID pertaining to MAC-Authenti… |
1.3.6.1.4.1.5624.1.2.26 | etsysSshServerMIB | 2 | 50 | This MIB module defines a portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID pertaining to Secure Shell… |
1.3.6.1.4.1.5624.1.2.27 | etsysRadiusAcctClientMIB | 2 | 24 | This MIB module defines a portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID pertaining to the client s… |
1.3.6.1.4.1.5624.1.2.28 | etsysMstpMIB | 2 | 64 | This mib module defines a portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID pertaining to the Multiple… |
1.3.6.1.4.1.5624.1.2.29 | etsysSpanningTreeDiagnosticMIB | 0 | 0 | This MIB module defines a portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID pertaining to the Spanning… |
1.3.6.1.4.1.5624.1.2.30 | etsysTlsMIB | 0 | 0 | This MIB module defines a portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID pertaining to Transport La… |
1.3.6.1.4.1.5624.1.2.31 | etsysIetfBridgeMibExtMIB | 0 | 0 | This MIB module defines a portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID pertaining to proprietary … |
1.3.6.1.4.1.5624.1.2.32 | etsysWiFiProtectedAccessMIB | 0 | 0 | This MIB module defines a portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID pertaining to Wi-Fi Protec… |
1.3.6.1.4.1.5624.1.2.33 | etsysIetfpBridgeMibExtMIB | 0 | 0 | This MIB module defines a portion of the SNMP MIB under Enterasys Networks' enterprise OID pertaining to proprietary extensions t… |
1.3.6.1.4.1.5624.1.2.34 | etsysJumboEthernetFrameMIB | 0 | 0 | This MIB module defines a portion of the SNMP MIB under the Enterasys Networks enterprise OID pertaining to jumbo Ethernet frames. |
1.3.6.1.4.1.5624.1.2.35 | etsysIeee8023LagMibExtMIB | 0 | 0 | This MIB module defines a portion of the SNMP MIB under Enterasys Networks' enterprise OID pertaining to proprietary extensions t… |
1.3.6.1.4.1.5624.1.2.36 | etsysSecureShellServerMIB | 0 | 0 | This MIB module defines a portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID pertaining to Secure Shell… |
1.3.6.1.4.1.5624.1.2.38 | etsysSntpClientMIB | 2 | 49 | This MIB module defines a portion of the SNMP MIB under the Enterasys Networks enterprise OID pertaining to SNTP client configura… |
1.3.6.1.4.1.5624.1.2.39 | etsysServiceLevelReportingMIB | 2 | 89 | This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based in… |
1.3.6.1.4.1.5624.1.2.40 | etsysConvergenceEndPointMIB | 2 | 47 | This MIB module defines a portion of the SNMP MIB under Enterasys Networks' enterprise OID pertaining to Convergence End Point ma… |
1.3.6.1.4.1.5624.1.2.43 | etsysFlowLimitingMIB | 0 | 0 | This MIB module defines the portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID pertaining to the Flow L… |
1.3.6.1.4.1.5624.1.2.44 | etsysUpnTcMIB | 0 | 0 | This MIB module defines textual conventions related to the management of User Personalized Networks. The conventions defined bel… |
1.3.6.1.4.1.5624.1.2.45 | etsysThreatNotificationMIB | 0 | 0 | This MIB module defines the portion of the SNMP enterprise MIBs under Enterasys Networks' enterprise OID pertaining to the Threat… |
1.3.6.1.4.1.5624.1.2.46 | etsysMultiAuthMIB | 2 | 53 | This MIB module defines a portion of the SNMP MIB under the Enterasys Networks enterprise OID pertaining to configuration of mult… |
1.3.6.1.4.1.5624.1.2.47 | etsysImageValidationMIB | 2 | 14 | This MIB module defines a portion of the SNMP MIB under Enterasys Networks' enterprise OID pertaining to new image validation and… |