ENTERASYS-ENCR-8021X-REKEYING-MIB

The Enterasys Networks MIB module for configuring rapid
        rekeying on SNMPv1-only platforms.
        
        This MIB includes encrypted variants of selected objects
        from the Enterasys 802.1x Rapid Rekeying MIB.
        
                               ------------------
        
                                  N O T I C E
        
             Use of this MIB in any product requires the approval
             of the Office of the CTO, Enterasys Networks, Inc.  
             Permission to use this MIB will not be granted for 
             products in which SNMPv3 is now, or will soon be,
             implemented.  Permission to use this MIB in products
             that are never scheduled to implement SNMPv3 will be 
             granted on a case-by-case basis, depending on what 
             other suitable, secure means of configuration are
             available in the product.
        
                               ------------------
        
        The following is a discussion of the encoding/decoding and
        encryption/decryption methods that must be used to extract
        data from an encrypted OCTET STRING.  (These methods are the
        same as for the Enterasys Networks encrypted RADIUS Client
        MIB.)
         
        The encryption/decryption methods make use of an agreed-upon
        Secret and an Authenticator shared between the SNMP network
        management system and the entity that implements the MIB.
        
        The encryption/decryption algorithm, as presented herein, is
        taken from the RADIUS protocol, and is the method specified
        for encryption of Tunnel-Password Attributes in RFC 2868.
        
        To permit plug-and-play remote installation, configuration,
        and management of the device, the device will algorithmically
        derive the initial shared secret and the initial authenticator.
        
        For security reasons, the network manager should change the
        authenticator portion of the management encryption key after
        initial configuration.  The methods available for doing this
        are implementation-specific and subject to change.  (On the
        RoamAbout AccessPoint 2000, the encrypted RADIUS client MIB
        contains an authenticator object used for both that MIB and
        this one.)
        
        All read-write and write-only access objects except the table
        index are encoded into fields in an OCTET STRING.
        
        Octet String
        
        Before encryption, the 'native' objects must be encoded into
        a formatted Octet String.  After decryption, the Octet String
        must be decoded to obtain the 'native' objects.
        
        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |     Type      |    Length     |   Salt                        |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |   String ...
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           
            Type
        
               The data type of the non-encrypted 'native' data:
        
               1 = Integer32
               2 = OCTET STRING
         
            Length
        
               The length in octets of the native object sub-field of
               the Octet String, exclusive of any optional padding.
               Note that the Integrity Check sub-fields (CRC, OID-tail,
               Time Stamp, Source IP Address) are not included in this
               length value, but since the IC sub-fields are always
               present and are of fixed length, there is no impediment
               to proper packet parsing.
        
            Salt
        
               The Salt field is two octets in length and is used to
               ensure the uniqueness of the encryption key used to
               encrypt each object.
        
               The most significant bit (leftmost) of the Salt field
               MUST be set (1).  The contents of each Salt field in a
               given SNMP packet must be unique.
         
            String
        
        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |  CRC (4 bytes)                                                |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |  OID-tail (4 bytes)                                           |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |  Time Stamp (4 bytes)                                         |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |  Source IP Address (4 bytes)                                  |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |  Object/Padding ...
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           
               The plain-text String field consists of six logical
               sub-fields: the CRC, OID-tail, Time Stamp, Source IP
               address and native Object sub-fields (all of which are
               required), and the optional Padding sub-field.  The
               String field MUST be treated as a counted-string of
               undistinguished octets, and not as a standard
               C/UNIX-style null-terminated, printable ASCII string.
         
               CRC Sub-field
        
                 The CRC sub-field contains a 32-bit CRC (CRC-32)
                 calculated over the following concatentated sub-fields
                 of the String: the OID-tail, Time Stamp, Source IP
                 Address and unpadded native Object fields.  The CRC
                 sub-field acts as an integrity check on the decrypted
                 data.
         
               OID-tail Sub-field
         
                 The OID-tail sub-field contains the least significant
                 four octets of the Object ID of the varbind.  This
                 field is included as an integrity check on the OID of
                 the varbind.
         
               Time Stamp Sub-field
         
                 The Time Stamp sub-field contains a 32-bit unsigned
                 integer value representing the time the encrypted
                 message was assembled.  This field acts as an
                 integrity check by facilitating the disposal of stale
                 or replayed messages. The time window of acceptance is
                 implementation dependant, and may be the subject of
                 local (i.e. managed entity) policy configuration.  The
                 Time Stamp is relative time, in units of seconds,
                 referenced to the sysUpTime object of the managed
                 entity.
         
               Source IP Address Sub-field
         
                 The Source IP Address sub-field contains an unsigned
                 32-bit representation of the IPv4 address of the
                 source of the encrypted message.  This is an added
                 check to allow verification of the source of the
                 varbind.
        
               The CRC, OID-tail, Time Stamp, and Source IP Address
               sub-fields are collectively hereinafter refered to as
               the Integrity Check (IC) sub-fields.
         
               Object/Padding Sub-field
        
                 Object 
                   The Object sub-field contains the actual or native
                   object data followed by padding, if necessary.
         
                 Padding
                   If the combined length (in octets) of the
                   non-encrypted CRC, OID-tail, Time Stamp, Source IP
                   Address, and native Object sub-fields is not an even
                   multiple of 16, then the Padding sub-field MUST be
                   present.  If it is present, the length of the
                   Padding sub-field is variable, between 1 and 15
                   octets.  The value of the pad octets SHOULD be zero.
         
            Encrypting/Decrypting the String Field
        
               The entire String field MUST be encrypted as follows,
               prior to transmission:
         
               Construct a plain-text version of the String field by
               concatenating the CRC, OID-tail, Time Stamp, Source IP
               address, and native Object sub-fields.  If necessary,
               pad the resulting string until its length (in octets)
               is an even multiple of 16.  It is recommended that zero
               octets (0x00) be used for padding.  Call this plain-text
               P.
        
                  Shared Secret
        
                     The shared secret is formed from the MAC
                     (hardware) address of the primary management
                     interface of the managed device (containing the
                     RADIUS Client).  The MAC address is represented
                     as up-cased, dashed-ASCII, e.g. 08-00-2B-11-22-33.
         
                 Authenticator
         
                     The 128-bit authenticator is a pre-defined
                     constant.  The default value of the authenticator
                     is an Enterasys Networks trade secret.  This value
                     is settable and the user is advised to change it
                     from the default value after initial configuration
                     of the system.  Contact the MIB author for
                     additional information on the default value.
         
               Call the shared secret S, the [pseudo-random] 128-bit 
               Authenticator R, and the contents of the Salt field A.  
               Break P into 16 octet chunks p(1), p(2)...p(i), 
               where i = len(P)/16.  Call the cipher-text blocks 
               c(1), c(2)...c(i) and the final cipher-text C.
               Intermediate values b(1), b(2)...c(i) are required.
               Encryption is performed in the following manner ('+'
               indicates concatenation):
         
           b(1) = MD5(S + R + A)   c(1) = p(1) xor b(1)   C = c(1)
           b(2) = MD5(S + c(1))    c(2) = p(2) xor b(2)   C = C + c(2)
                        .                       .
                        .                       .
                        .                       .
           b(i) = MD5(S + c(i-1))  c(i) = p(i) xor b(i)   C = C + c(i)
         
               The resulting encrypted String field will contain
               c(1)+c(2)+...+c(i).
        
               On receipt, the process is reversed to yield the
               plain-text String.

Imported Objects

etsysModulesENTERASYS-MIB-NAMES
dot1xPaePortNumberIEEE8021-PAE-MIB
MODULE-COMPLIANCE, OBJECT-GROUPSNMPv2-CONF
MODULE-IDENTITY, OBJECT-TYPESNMPv2-SMI
etsysEncr8021xRekeyingMIB .1.3.6.1.4.1.5624.1.2.20
etsysEncrDot1xRekeyingObjects .1.3.6.1.4.1.5624.1.2.20.1
etsysEncrDot1xRekeyBaseBranch .1.3.6.1.4.1.5624.1.2.20.1.1
etsysEncrDot1xRekeyConfigTable .1.3.6.1.4.1.5624.1.2.20.1.1.1
etsysEncrDot1xRekeyConfigEntry .1.3.6.1.4.1.5624.1.2.20.1.1.1.1
etsysEncrDot1xRekeyEnabled .1.3.6.1.4.1.5624.1.2.20.1.1.1.1.1
etsysEncrDot1xRekeyPeriod .1.3.6.1.4.1.5624.1.2.20.1.1.1.1.2
etsysEncrDot1xRekeyLength .1.3.6.1.4.1.5624.1.2.20.1.1.1.1.3
etsysEncrDot1xRekeyAsymmetric .1.3.6.1.4.1.5624.1.2.20.1.1.1.1.4
etsysEncrDot1xRekeyingConformance .1.3.6.1.4.1.5624.1.2.20.2
etsysEncrDot1xRekeyingGroups .1.3.6.1.4.1.5624.1.2.20.2.1
etsysEncrDot1xRekeyingCompliances .1.3.6.1.4.1.5624.1.2.20.2.2