summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc4672.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc4672.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc4672.txt')
-rw-r--r--doc/rfc/rfc4672.txt1291
1 files changed, 1291 insertions, 0 deletions
diff --git a/doc/rfc/rfc4672.txt b/doc/rfc/rfc4672.txt
new file mode 100644
index 0000000..560579b
--- /dev/null
+++ b/doc/rfc/rfc4672.txt
@@ -0,0 +1,1291 @@
+
+
+
+
+
+
+Network Working Group S. De Cnodder
+Request for Comments: 4672 Alcatel
+Category: Informational N. Jonnala
+ M. Chiba
+ Cisco Systems, Inc.
+ September 2006
+
+
+ RADIUS Dynamic Authorization Client MIB
+
+Status of This Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ In particular, it describes the Remote Authentication Dial-In User
+ Service (RADIUS) (RFC2865) Dynamic Authorization Client (DAC)
+ functions that support the dynamic authorization extensions as
+ defined in RFC 3576.
+
+Table of Contents
+
+ 1. Introduction ....................................................2
+ 1.1. Requirements Notation ......................................2
+ 1.2. Terminology ................................................2
+ 2. The Internet-Standard Management Framework ......................3
+ 3. Overview ........................................................3
+ 4. RADIUS Dynamic Authorization Client MIB Definitions .............3
+ 5. Security Considerations ........................................19
+ 6. IANA Considerations ............................................20
+ 7. Acknowledgements ...............................................20
+ 8. References .....................................................21
+ 8.1. Normative References ......................................21
+ 8.2. Informative References ....................................21
+
+
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 1]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+1. Introduction
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ In particular, it describes the Remote Authentication Dial-In User
+ Service (RADIUS) [RFC2865] Dynamic Authorization Client (DAC)
+ functions that support the dynamic authorization extensions as
+ defined in RFC 3576.
+
+ It is becoming increasingly important to support Dynamic
+ Authorization extensions on the network access server (NAS) devices
+ to handle the Disconnect and Change-of-Authorization (CoA) messages,
+ as described in [RFC3576]. As a result, the effective management of
+ RADIUS Dynamic Authorization entities is of considerable importance.
+ This RADIUS Dynamic Authorization Client MIB complements the managed
+ objects used for managing RADIUS authentication and accounting
+ servers, as described in [RFC4669] and [RFC4671], respectively.
+
+1.1. Requirements Notation
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+1.2. Terminology
+
+ Dynamic Authorization Server (DAS)
+
+ The component that resides on the NAS that processes the Disconnect
+ and Change-of-Authorization (CoA) Request packets [RFC3576] sent by
+ the Dynamic Authorization Client.
+
+ Dynamic Authorization Client (DAC)
+
+ The component that sends Disconnect and CoA-Request packets to the
+ Dynamic Authorization Server. Although this component often resides
+ on the RADIUS server, it is also possible for this component to be
+ located on a separate host, such as a Rating Engine.
+
+ Dynamic Authorization Server Port
+
+ The UDP port on which the Dynamic Authorization Server listens for
+ the Disconnect and CoA requests sent by the Dynamic Authorization
+ Client.
+
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 2]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+2. The Internet-Standard Management Framework
+
+ For a detailed overview of the documents that describe the current
+ Internet-Standard Management Framework, please refer to section 7 of
+ [RFC3410].
+
+ Managed objects are accessed via a virtual information store, termed
+ the Management Information Base or MIB. MIB objects are generally
+ accessed through the Simple Network Management Protocol (SNMP).
+ Objects in the MIB are defined using the mechanisms defined in the
+ Structure of Management Information (SMI). This memo specifies a MIB
+ module that is compliant to the SMIv2, which is described in STD 58,
+ RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579], and STD 58, RFC 2580
+ [RFC2580].
+
+3. Overview
+
+ "Dynamic Authorization Extensions to RADIUS" [RFC3576] defines the
+ operation of Disconnect-Request, Disconnect-ACK, Disconnect-NAK,
+ CoA-Request, CoA-ACK, and CoA-NAK packets. [RFC4673] defines the
+ Dynamic Authorization Server MIB and the relationship with other MIB
+ modules. This MIB module for the Dynamic Authorization Client
+ contains the following:
+
+ 1. Two scalar objects
+
+ 2. One Dynamic Authorization Server table. This table contains one
+ row for each DAS with which the DAC shares a secret.
+
+4. RADIUS Dynamic Authorization Client MIB Definitions
+
+ RADIUS-DYNAUTH-CLIENT-MIB DEFINITIONS ::= BEGIN
+
+ IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE,
+ Counter32, Gauge32, Integer32,
+ mib-2, TimeTicks FROM SNMPv2-SMI -- [RFC2578]
+ SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- [RFC3411]
+ InetAddressType, InetAddress,
+ InetPortNumber FROM INET-ADDRESS-MIB -- [RFC4001]
+ MODULE-COMPLIANCE,
+ OBJECT-GROUP FROM SNMPv2-CONF; -- [RFC2580]
+
+ radiusDynAuthClientMIB MODULE-IDENTITY
+ LAST-UPDATED "200608290000Z" -- 29 August 2006
+ ORGANIZATION "IETF RADEXT Working Group"
+ CONTACT-INFO
+ " Stefaan De Cnodder
+
+
+
+De Cnodder, et al. Informational [Page 3]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ Alcatel
+ Francis Wellesplein 1
+ B-2018 Antwerp
+ Belgium
+
+ Phone: +32 3 240 85 15
+ EMail: stefaan.de_cnodder@alcatel.be
+
+ Nagi Reddy Jonnala
+ Cisco Systems, Inc.
+ Divyasree Chambers, B Wing,
+ O'Shaugnessy Road,
+ Bangalore-560027, India.
+
+ Phone: +91 94487 60828
+ EMail: njonnala@cisco.com
+
+ Murtaza Chiba
+ Cisco Systems, Inc.
+ 170 West Tasman Dr.
+ San Jose CA, 95134
+
+ Phone: +1 408 525 7198
+ EMail: mchiba@cisco.com "
+ DESCRIPTION
+ "The MIB module for entities implementing the client
+ side of the Dynamic Authorization Extensions to the
+ Remote Authentication Dial-In User Service (RADIUS)
+ protocol. Copyright (C) The Internet Society (2006).
+ Initial version as published in RFC 4672;
+ for full legal notices see the RFC itself."
+
+ REVISION "200609290000Z" -- 29 August 2006
+ DESCRIPTION "Initial version as published in RFC 4672"
+ ::= { mib-2 145 }
+
+ radiusDynAuthClientMIBObjects OBJECT IDENTIFIER ::=
+ { radiusDynAuthClientMIB 1 }
+
+ radiusDynAuthClientScalars OBJECT IDENTIFIER ::=
+ { radiusDynAuthClientMIBObjects 1 }
+
+ radiusDynAuthClientDisconInvalidServerAddresses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of Disconnect-Ack and Disconnect-NAK packets
+
+
+
+De Cnodder, et al. Informational [Page 4]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ received from unknown addresses. This counter may
+ experience a discontinuity when the DAC module
+ (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ ::= { radiusDynAuthClientScalars 1 }
+
+ radiusDynAuthClientCoAInvalidServerAddresses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of CoA-Ack and CoA-NAK packets received from
+ unknown addresses. Disconnect-NAK packets received
+ from unknown addresses. This counter may experience a
+ discontinuity when the DAC module (re)starts, as
+ indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ ::= { radiusDynAuthClientScalars 2 }
+
+ radiusDynAuthServerTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF RadiusDynAuthServerEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table listing the RADIUS Dynamic
+ Authorization Servers with which the client shares a
+ secret."
+ ::= { radiusDynAuthClientMIBObjects 2 }
+
+ radiusDynAuthServerEntry OBJECT-TYPE
+ SYNTAX RadiusDynAuthServerEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry (conceptual row) representing one Dynamic
+ Authorization Server with which the client shares a
+ secret."
+ INDEX { radiusDynAuthServerIndex }
+ ::= { radiusDynAuthServerTable 1 }
+
+ RadiusDynAuthServerEntry ::= SEQUENCE {
+ radiusDynAuthServerIndex Integer32,
+ radiusDynAuthServerAddressType InetAddressType,
+ radiusDynAuthServerAddress InetAddress,
+ radiusDynAuthServerClientPortNumber InetPortNumber,
+ radiusDynAuthServerID SnmpAdminString,
+ radiusDynAuthClientRoundTripTime TimeTicks,
+ radiusDynAuthClientDisconRequests Counter32,
+
+
+
+De Cnodder, et al. Informational [Page 5]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ radiusDynAuthClientDisconAuthOnlyRequests Counter32,
+ radiusDynAuthClientDisconRetransmissions Counter32,
+ radiusDynAuthClientDisconAcks Counter32,
+ radiusDynAuthClientDisconNaks Counter32,
+ radiusDynAuthClientDisconNakAuthOnlyRequest Counter32,
+ radiusDynAuthClientDisconNakSessNoContext Counter32,
+ radiusDynAuthClientMalformedDisconResponses Counter32,
+ radiusDynAuthClientDisconBadAuthenticators Counter32,
+ radiusDynAuthClientDisconPendingRequests Gauge32,
+ radiusDynAuthClientDisconTimeouts Counter32,
+ radiusDynAuthClientDisconPacketsDropped Counter32,
+ radiusDynAuthClientCoARequests Counter32,
+ radiusDynAuthClientCoAAuthOnlyRequest Counter32,
+ radiusDynAuthClientCoARetransmissions Counter32,
+ radiusDynAuthClientCoAAcks Counter32,
+ radiusDynAuthClientCoANaks Counter32,
+ radiusDynAuthClientCoANakAuthOnlyRequest Counter32,
+ radiusDynAuthClientCoANakSessNoContext Counter32,
+ radiusDynAuthClientMalformedCoAResponses Counter32,
+ radiusDynAuthClientCoABadAuthenticators Counter32,
+ radiusDynAuthClientCoAPendingRequests Gauge32,
+ radiusDynAuthClientCoATimeouts Counter32,
+ radiusDynAuthClientCoAPacketsDropped Counter32,
+ radiusDynAuthClientUnknownTypes Counter32,
+ radiusDynAuthClientCounterDiscontinuity TimeTicks
+ }
+
+
+ radiusDynAuthServerIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A number uniquely identifying each RADIUS Dynamic
+ Authorization Server with which this Dynamic
+ Authorization Client communicates. This number is
+ allocated by the agent implementing this MIB module
+ and is unique in this context."
+ ::= { radiusDynAuthServerEntry 1 }
+
+ radiusDynAuthServerAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of IP address of the RADIUS Dynamic
+ Authorization Server referred to in this table entry."
+ ::= { radiusDynAuthServerEntry 2 }
+
+
+
+De Cnodder, et al. Informational [Page 6]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ radiusDynAuthServerAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address value of the RADIUS Dynamic
+ Authorization Server referred to in this table entry
+ using the version neutral IP address format. The type
+ of this address is determined by the value of the
+ radiusDynAuthServerAddressType object."
+ ::= { radiusDynAuthServerEntry 3 }
+
+ radiusDynAuthServerClientPortNumber OBJECT-TYPE
+ SYNTAX InetPortNumber (1..65535)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The UDP destination port that the RADIUS Dynamic
+ Authorization Client is using to send requests to this
+ server. The value zero is invalid."
+ ::= { radiusDynAuthServerEntry 4 }
+
+
+ radiusDynAuthServerID OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The NAS-Identifier of the RADIUS Dynamic Authorization
+ Server referred to in this table entry. This is not
+ necessarily the same as sysName in MIB II."
+ REFERENCE
+ "RFC 2865, Section 5.32, NAS-Identifier."
+ ::= { radiusDynAuthServerEntry 5 }
+
+ radiusDynAuthClientRoundTripTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ UNITS "hundredths of a second"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The time interval (in hundredths of a second) between
+ the most recent Disconnect or CoA request and the
+ receipt of the corresponding Disconnect or CoA reply.
+ A value of zero is returned if no reply has been
+ received yet from this server."
+ ::= { radiusDynAuthServerEntry 6 }
+
+
+
+
+De Cnodder, et al. Informational [Page 7]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ radiusDynAuthClientDisconRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-Requests sent
+ to this Dynamic Authorization Server. This also
+ includes the RADIUS Disconnect-Requests that have a
+ Service-Type attribute with value 'Authorize Only'.
+ Disconnect-NAK packets received from unknown addresses.
+ This counter may experience a discontinuity when the
+ DAC module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 7 }
+
+ radiusDynAuthClientDisconAuthOnlyRequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-Requests that include a
+ Service-Type attribute with value 'Authorize Only'
+ sent to this Dynamic Authorization Server.
+ Disconnect-NAK packets received from unknown addresses.
+ This counter may experience a discontinuity when the
+ DAC module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 8 }
+
+ radiusDynAuthClientDisconRetransmissions OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "retransmissions"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-request packets
+ retransmitted to this RADIUS Dynamic Authorization
+ Server. Disconnect-NAK packets received from unknown
+ addresses. This counter may experience a discontinuity
+ when the DAC module (re)starts, as indicated by the
+ value of radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+
+
+
+De Cnodder, et al. Informational [Page 8]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 9 }
+
+ radiusDynAuthClientDisconAcks OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-ACK packets
+ received from this Dynamic Authorization Server. This
+ counter may experience a discontinuity when the DAC
+ module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 10 }
+
+ radiusDynAuthClientDisconNaks OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-NAK packets
+ received from this Dynamic Authorization Server.
+ This includes the RADIUS Disconnect-NAK packets
+ received with a Service-Type attribute with value
+ 'Authorize Only' and the RADIUS Disconnect-NAK
+ packets received if no session context was found. This
+ counter may experience a discontinuity when the DAC
+ module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 11 }
+
+ radiusDynAuthClientDisconNakAuthOnlyRequest OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-NAK packets
+ that include a Service-Type attribute with value
+ 'Authorize Only' received from this Dynamic
+ Authorization Server. This counter may experience a
+ discontinuity when the DAC module (re)starts, as
+
+
+
+De Cnodder, et al. Informational [Page 9]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 12 }
+
+ radiusDynAuthClientDisconNakSessNoContext OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-NAK packets
+ received from this Dynamic Authorization Server
+ because no session context was found; i.e., it
+ includes an Error-Cause attribute with value 503
+ ('Session Context Not Found'). This counter may
+ experience a discontinuity when the DAC module
+ (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 13 }
+
+ radiusDynAuthClientMalformedDisconResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of malformed RADIUS Disconnect-Ack and
+ Disconnect-NAK packets received from this Dynamic
+ Authorization Server. Bad authenticators and unknown
+ types are not included as malformed Disconnect-Ack and
+ Disconnect-NAK packets. This counter may experience a
+ discontinuity when the DAC module (re)starts, as
+ indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM), and
+ Section 2.3, Packet Format."
+ ::= { radiusDynAuthServerEntry 14 }
+
+ radiusDynAuthClientDisconBadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+
+
+
+De Cnodder, et al. Informational [Page 10]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ DESCRIPTION
+ "The number of RADIUS Disconnect-Ack and Disconnect-NAK
+ packets that contained invalid Authenticator field
+ received from this Dynamic Authorization Server. This
+ counter may experience a discontinuity when the DAC
+ module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM), and
+ Section 2.3, Packet Format."
+ ::= { radiusDynAuthServerEntry 15 }
+
+ radiusDynAuthClientDisconPendingRequests OBJECT-TYPE
+ SYNTAX Gauge32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS Disconnect-request packets
+ destined for this server that have not yet timed out
+ or received a response. This variable is incremented
+ when an Disconnect-Request is sent and decremented
+ due to receipt of a Disconnect-Ack, a Disconnect-NAK,
+ a timeout, or a retransmission."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 16 }
+
+ radiusDynAuthClientDisconTimeouts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "timeouts"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of Disconnect request timeouts to this
+ server. After a timeout, the client may retry to the
+ same server or give up. A retry to the same server is
+ counted as a retransmit and as a timeout. A send
+ to a different server is counted as a
+ Disconnect-Request and as a timeout. This counter
+ may experience a discontinuity when the DAC module
+ (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM)."
+ ::= { radiusDynAuthServerEntry 17 }
+
+ radiusDynAuthClientDisconPacketsDropped OBJECT-TYPE
+
+
+
+De Cnodder, et al. Informational [Page 11]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming Disconnect-Ack and
+ Disconnect-NAK packets from this Dynamic Authorization
+ Server silently discarded by the client application for
+ some reason other than malformed, bad authenticators,
+ or unknown types. This counter may experience a
+ discontinuity when the DAC module (re)starts, as
+ indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.1, Disconnect Messages (DM), and
+ Section 2.3, Packet Format."
+ ::= { radiusDynAuthServerEntry 18 }
+
+ radiusDynAuthClientCoARequests OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-Requests sent to this
+ Dynamic Authorization Server. This also includes
+ CoA requests that have a Service-Type attribute
+ with value 'Authorize Only'. This counter may
+ experience a discontinuity when the DAC module
+ (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 19 }
+
+ radiusDynAuthClientCoAAuthOnlyRequest OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-requests that include a
+ Service-Type attribute with value 'Authorize Only'
+ sent to this Dynamic Authorization Client. This
+ counter may experience a discontinuity when the DAC
+ module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+
+
+
+De Cnodder, et al. Informational [Page 12]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 20 }
+
+ radiusDynAuthClientCoARetransmissions OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "retransmissions"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-request packets
+ retransmitted to this RADIUS Dynamic Authorization
+ Server. This counter may experience a discontinuity
+ when the DAC module (re)starts, as indicated by the
+ value of radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 21 }
+
+ radiusDynAuthClientCoAAcks OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-ACK packets received from
+ this Dynamic Authorization Server. This counter may
+ experience a discontinuity when the DAC module
+ (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 22 }
+
+ radiusDynAuthClientCoANaks OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-NAK packets received from
+ this Dynamic Authorization Server. This includes the
+ RADIUS CoA-NAK packets received with a Service-Type
+ attribute with value 'Authorize Only' and the RADIUS
+ CoA-NAK packets received because no session context
+
+
+
+De Cnodder, et al. Informational [Page 13]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ was found. This counter may experience a discontinuity
+ when the DAC module (re)starts, as indicated by the
+ value of radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 23 }
+
+ radiusDynAuthClientCoANakAuthOnlyRequest OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-NAK packets that include a
+ Service-Type attribute with value 'Authorize Only'
+ received from this Dynamic Authorization Server. This
+ counter may experience a discontinuity when the DAC
+ module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 24 }
+
+ radiusDynAuthClientCoANakSessNoContext OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-NAK packets received from
+ this Dynamic Authorization Server because no session
+ context was found; i.e., it includes an Error-Cause
+ attribute with value 503 ('Session Context Not Found').
+ This counter may experience a discontinuity when the
+ DAC module (re)starts as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 25 }
+
+ radiusDynAuthClientMalformedCoAResponses OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+
+
+
+De Cnodder, et al. Informational [Page 14]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ DESCRIPTION
+ "The number of malformed RADIUS CoA-Ack and CoA-NAK
+ packets received from this Dynamic Authorization
+ Server. Bad authenticators and unknown types are
+ not included as malformed CoA-Ack and CoA-NAK packets.
+ This counter may experience a discontinuity when the
+ DAC module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA), and Section 2.3, Packet Format."
+ ::= { radiusDynAuthServerEntry 26 }
+
+ radiusDynAuthClientCoABadAuthenticators OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-Ack and CoA-NAK packets
+ that contained invalid Authenticator field
+ received from this Dynamic Authorization Server.
+ This counter may experience a discontinuity when the
+ DAC module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA), and Section 2.3, Packet Format."
+ ::= { radiusDynAuthServerEntry 27 }
+
+ radiusDynAuthClientCoAPendingRequests OBJECT-TYPE
+ SYNTAX Gauge32
+ UNITS "requests"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RADIUS CoA-request packets destined for
+ this server that have not yet timed out or received a
+ response. This variable is incremented when an
+ CoA-Request is sent and decremented due to receipt of
+ a CoA-Ack, a CoA-NAK, or a timeout, or a
+ retransmission."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 28 }
+
+ radiusDynAuthClientCoATimeouts OBJECT-TYPE
+
+
+
+De Cnodder, et al. Informational [Page 15]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ SYNTAX Counter32
+ UNITS "timeouts"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of CoA request timeouts to this server.
+ After a timeout, the client may retry to the same
+ server or give up. A retry to the same server is
+ counted as a retransmit and as a timeout. A send to
+ a different server is counted as a CoA-Request and
+ as a timeout. This counter may experience a
+ discontinuity when the DAC module (re)starts, as
+ indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA)."
+ ::= { radiusDynAuthServerEntry 29 }
+
+ radiusDynAuthClientCoAPacketsDropped OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming CoA-Ack and CoA-NAK from this
+ Dynamic Authorization Server silently discarded by the
+ client application for some reason other than
+ malformed, bad authenticators, or unknown types. This
+ counter may experience a discontinuity when the DAC
+ module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+ REFERENCE
+ "RFC 3576, Section 2.2, Change-of-Authorization
+ Messages (CoA), and Section 2.3, Packet Format."
+ ::= { radiusDynAuthServerEntry 30 }
+
+ radiusDynAuthClientUnknownTypes OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "replies"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of incoming packets of unknown types
+ that were received on the Dynamic Authorization port.
+ This counter may experience a discontinuity when the
+ DAC module (re)starts, as indicated by the value of
+ radiusDynAuthClientCounterDiscontinuity."
+
+
+
+De Cnodder, et al. Informational [Page 16]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ REFERENCE
+ "RFC 3576, Section 2.3, Packet Format."
+ ::= { radiusDynAuthServerEntry 31 }
+
+ radiusDynAuthClientCounterDiscontinuity OBJECT-TYPE
+ SYNTAX TimeTicks
+ UNITS "hundredths of a second"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The time (in hundredths of a second) since the
+ last counter discontinuity. A discontinuity may
+ be the result of a reinitialization of the DAC
+ module within the managed entity."
+ ::= { radiusDynAuthServerEntry 32 }
+
+
+ -- conformance information
+
+ radiusDynAuthClientMIBConformance
+ OBJECT IDENTIFIER ::= { radiusDynAuthClientMIB 2 }
+ radiusDynAuthClientMIBCompliances
+ OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 1 }
+ radiusDynAuthClientMIBGroups
+ OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 2 }
+ -- compliance statements
+
+ radiusDynAuthClientMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for entities implementing
+ the RADIUS Dynamic Authorization Client.
+ Implementation of this module is for entities that
+ support IPv4 and/or IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { radiusDynAuthClientMIBGroup }
+
+ OBJECT radiusDynAuthServerAddressType
+ SYNTAX InetAddressType { ipv4(1), ipv6(2) }
+ DESCRIPTION
+ "An implementation is only required to support IPv4 and
+ globally unique IPv6 addresses."
+
+ OBJECT radiusDynAuthServerAddress
+ SYNTAX InetAddress (SIZE(4|16))
+ DESCRIPTION
+ "An implementation is only required to support IPv4 and
+ globally unique IPv6 addresses."
+
+
+
+De Cnodder, et al. Informational [Page 17]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ GROUP radiusDynAuthClientAuthOnlyGroup
+ DESCRIPTION
+ "Only required for Dynamic Authorization Clients that
+ are supporting Service-Type attributes with value
+ 'Authorize-Only'."
+
+
+ GROUP radiusDynAuthClientNoSessGroup
+ DESCRIPTION
+ "This group is not required if the Dynamic
+ Authorization Server cannot easily determine whether
+ a session exists (e.g., in case of a RADIUS
+ proxy)."
+
+ ::= { radiusDynAuthClientMIBCompliances 1 }
+
+ -- units of conformance
+
+ radiusDynAuthClientMIBGroup OBJECT-GROUP
+ OBJECTS { radiusDynAuthClientDisconInvalidServerAddresses,
+ radiusDynAuthClientCoAInvalidServerAddresses,
+ radiusDynAuthServerAddressType,
+ radiusDynAuthServerAddress,
+ radiusDynAuthServerClientPortNumber,
+ radiusDynAuthServerID,
+ radiusDynAuthClientRoundTripTime,
+ radiusDynAuthClientDisconRequests,
+ radiusDynAuthClientDisconRetransmissions,
+ radiusDynAuthClientDisconAcks,
+ radiusDynAuthClientDisconNaks,
+ radiusDynAuthClientMalformedDisconResponses,
+ radiusDynAuthClientDisconBadAuthenticators,
+ radiusDynAuthClientDisconPendingRequests,
+ radiusDynAuthClientDisconTimeouts,
+ radiusDynAuthClientDisconPacketsDropped,
+ radiusDynAuthClientCoARequests,
+ radiusDynAuthClientCoARetransmissions,
+ radiusDynAuthClientCoAAcks,
+ radiusDynAuthClientCoANaks,
+ radiusDynAuthClientMalformedCoAResponses,
+ radiusDynAuthClientCoABadAuthenticators,
+ radiusDynAuthClientCoAPendingRequests,
+ radiusDynAuthClientCoATimeouts,
+ radiusDynAuthClientCoAPacketsDropped,
+ radiusDynAuthClientUnknownTypes,
+ radiusDynAuthClientCounterDiscontinuity
+ }
+ STATUS current
+
+
+
+De Cnodder, et al. Informational [Page 18]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ DESCRIPTION
+ "The collection of objects providing management of
+ a RADIUS Dynamic Authorization Client."
+ ::= { radiusDynAuthClientMIBGroups 1 }
+
+ radiusDynAuthClientAuthOnlyGroup OBJECT-GROUP
+ OBJECTS { radiusDynAuthClientDisconAuthOnlyRequests,
+ radiusDynAuthClientDisconNakAuthOnlyRequest,
+ radiusDynAuthClientCoAAuthOnlyRequest,
+ radiusDynAuthClientCoANakAuthOnlyRequest
+ }
+ STATUS current
+ DESCRIPTION
+ "The collection of objects supporting the RADIUS
+ messages including Service-Type attribute with
+ value 'Authorize Only'."
+ ::= { radiusDynAuthClientMIBGroups 2 }
+
+ radiusDynAuthClientNoSessGroup OBJECT-GROUP
+ OBJECTS { radiusDynAuthClientDisconNakSessNoContext,
+ radiusDynAuthClientCoANakSessNoContext
+ }
+ STATUS current
+ DESCRIPTION
+ "The collection of objects supporting the RADIUS
+ messages that are referring to non-existing sessions."
+ ::= { radiusDynAuthClientMIBGroups 3 }
+
+
+
+ END
+
+5. Security Considerations
+
+ There are no management objects defined in this MIB module that have
+ a MAX-ACCESS clause of read-write and/or read-create. So, if this
+ MIB module is implemented correctly, then there is no risk that an
+ intruder can alter or create any management objects of this MIB
+ module via direct SNMP SET operations.
+
+ Some of the readable objects in this MIB module (i.e., objects with a
+ MAX-ACCESS other than not-accessible) may be considered sensitive or
+ vulnerable in some network environments. It is thus important to
+ control even GET and/or NOTIFY access to these objects and possibly
+ to even encrypt the values of these objects when sending them over
+ the network via SNMP. These are the tables and objects and their
+ sensitivity/vulnerability:
+
+
+
+
+De Cnodder, et al. Informational [Page 19]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ radiusDynAuthServerAddress and radiusDynAuthServerAddressType
+
+ These can be used to determine the address of the DAS with which
+ the DAC is communicating. This information could be useful in
+ mounting an attack on the DAS.
+
+ radiusDynAuthServerID
+
+ This can be used to determine the Identifier of the DAS. This
+ information could be useful in impersonating the DAS.
+
+ radiusDynAuthServerClientPortNumber
+
+ This can be used to determine the destination port number to which
+ the DAC is sending. This information could be useful in mounting
+ an attack on the DAS.
+
+ SNMP versions prior to SNMPv3 did not include adequate security.
+ Even if the network itself is secure (for example by using IPsec),
+ even then, there is no control as to who on the secure network is
+ allowed to access and GET/SET (read/change/create/delete) the objects
+ in this MIB module.
+
+ It is RECOMMENDED that implementers consider the security features as
+ provided by the SNMPv3 framework (see [RFC3410], section 8),
+ including full support for the SNMPv3 cryptographic mechanisms (for
+ authentication and privacy).
+
+ Further, deployment of SNMP versions prior to SNMPv3 is NOT
+ RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
+ enable cryptographic security. It is then a customer/operator
+ responsibility to ensure that the SNMP entity giving access to an
+ instance of this MIB module is properly configured to give access to
+ the objects only to those principals (users) that have legitimate
+ rights to indeed GET or SET (change/create/delete) them.
+
+6. IANA Considerations
+
+ The IANA has assigned OID number 145 under mib-2.
+
+7. Acknowledgements
+
+ The authors would also like to acknowledge the following people for
+ their comments on this document: Bernard Aboba, Alan DeKok, David
+ Nelson, Anjaneyulu Pata, Dan Romascanu, Juergen Schoenwaelder, Greg
+ Weber, Bert Wijnen, and Glen Zorn.
+
+
+
+
+
+De Cnodder, et al. Informational [Page 20]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+8. References
+
+8.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Structure of Management Information Version 2 (SMIv2)",
+ STD 58, RFC 2578, April 1999.
+
+ [RFC2579] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Textual Conventions for SMIv2", STD 58, RFC 2579, April
+ 1999.
+
+ [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
+ "Conformance Statements for SMIv2", STD 58, RFC 2580,
+ April 1999.
+
+ [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
+ Architecture for Describing Simple Network Management
+ Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
+ December 2002.
+
+ [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
+ Aboba, "Dynamic Authorization Extensions to Remote
+ Authentication Dial In User Service (RADIUS)", RFC 3576,
+ July 2003.
+
+ [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
+ Schoenwaelder, "Textual Conventions for Internet Network
+ Addresses", RFC 4001, February 2005.
+
+8.2. Informative References
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)", RFC
+ 2865, June 2000.
+
+ [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
+ "Introduction and Applicability Statements for Internet-
+ Standard Management Framework", RFC 3410, December 2002.
+
+ [RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6",
+ RFC 4669, August 2006.
+
+ [RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC
+ 4671, August 2006.
+
+
+
+De Cnodder, et al. Informational [Page 21]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+ [RFC4673] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
+ Authorization Server MIB", RFC 4673, September 2006.
+
+Authors' Addresses
+
+ Stefaan De Cnodder
+ Alcatel
+ Francis Wellesplein 1
+ B-2018 Antwerp
+ Belgium
+
+ Phone: +32 3 240 85 15
+ EMail: stefaan.de_cnodder@alcatel.be
+
+
+ Nagi Reddy Jonnala
+ Cisco Systems, Inc.
+ Divyasree Chambers, B Wing, O'Shaugnessy Road
+ Bangalore-560027, India
+
+ Phone: +91 94487 60828
+ EMail: njonnala@cisco.com
+
+
+ Murtaza Chiba
+ Cisco Systems, Inc.
+ 170 West Tasman Dr.
+ San Jose CA, 95134
+
+ Phone: +1 408 525 7198
+ EMail: mchiba@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 22]
+
+RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+De Cnodder, et al. Informational [Page 23]
+