IPSP Working Group M. Baer Internet Draft Network Associates Inc draft-ietf-ipsp-ipsec-conf-mib-00.txt R. Charlet Redcreek Communications W. Hardaker Network Associates Inc D. Partain Ericsson J. Saperia JDS Consulting Inc C. Wang Smartpipes Inc Feb 2001 IPsec Policy Configuration MIB draft-ietf-ipsp-ipsec-conf-mib-00.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Copyright Notice Copyright (C) The Internet Society (2001). All Rights Reserved. 1. Introduction This document defines a configuration MIB for IPsec/IKE policy. It does not define MIBs for monitoring the state of an IPsec device. It does not define MIBs for configuring other policy related actions. The purpose of this MIB is to allow adminstrators to be able to Various Authors [Page 1] Internet Draft IPsec Policy Configuration MIB February 2001 configure IPsec/IKE devices. However, some of the packet filtering and matching of conditions to actions is of a more general nature than IPsec only. It is possible to add other packet transforming actions to this MIB if those actions needed to be performed conditionally on filtered traffic. 2. The SNMP Management Framework The SNMP Management Framework presently consists of five major components: o An overall architecture, described in RFC 2571 [1]. o Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in STD 16, RFC 1155 [2], STD 16, RFC 1212 [3] and RFC 1215 [4]. The second version, called SMIv2, is described in STD 58, RFC 2578 [5], RFC 2579 [6] and RFC 2580 [7]. o Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in STD 15, RFC 1157 [8]. A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [10], RFC 2572 [11] and RFC 2574 [12]. o Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in STD 15, RFC 1157 [8]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [13]. o A set of fundamental applications described in RFC 2573 [14] and the view-based access control mechanism described in RFC 2575 [15]. A more detailed introduction to the current SNMP Management Framework can be found in RFC 2570 [18]. Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the mechanisms defined in the SMI. This memo specifies a MIB module that is compliant to the SMIv2. A Various Authors [Page 2] Internet Draft IPsec Policy Configuration MIB February 2001 MIB conforming to the SMIv1 can be produced through the appropriate translations. The resulting translated MIB must be semantically equivalent, except where objects or events are omitted because no translation is possible (use of Counter64). Some machine readable information in SMIv2 will be converted into textual descriptions in SMIv1 during the translation process. However, this loss of machine readable information is not considered to change the semantics of the MIB. 3. Relationship to the DMTF Policy Model The Distributed Managment Task Force has created an object oriented model of IPsec policy information known as the IPsec Policy Model White Paper. The contents of this document are also reflected in the internet draft "IPsec Configuration Policy Model" (IPCP). This MIB is a task specific derivation of the IPCP for use with SNMPv3. Areas where this MIB diverge from the IPCP model are: o Policies, Groups, Conditions, and some levels of Action are genericly named. That is we dropped prefixes like "SA", or "ipsec". This is because we feel that packet classification and matching of conditions to actions is more general than IPsec and could possibly be reused by other packet transforming actions which need to conditionally act on packets matching filters. o You can't implement groups of groups of policies with this MIB. There can however be multiple groups associated with an IpProtocolEndpoint (an interface). We felt this was simpler to represent in SMI and accomplishes the same goals. o There can be a list of actions and a list of fall-back actions associated with a condition set via one rule. The list of actions is intended to accommodate performing both multiple actions as well as actions aside from IPsec on packets matching this condition set (like NAT or QOS...). The list of fall-back actions is intended to accommodate IKE redundancy incase an IKE peer is unreachable. o The various filter objects were combined into a single table and hence multiple filters can be represented in one row of an SMI table. This promotes efficiency of data storage since some information can be shared in circumstances where this is appropriate to make use of. o Conditions were modified to be of more than one type, rather than being forced to be triggered only during one event type. This allows them to be configured to be, for example, both a Various Authors [Page 3] Internet Draft IPsec Policy Configuration MIB February 2001 startup condition and a manually activated condition. 4. Elements of Procedure This section describes the elements of procedure that a security policy database engine would follow when processing an event using the rules defined by the IPSEC-POLICY-MIB. An event that triggers processing using this data would be one of: 1) startup of the engine. 2) a manual administrative request to process a rule. 3) unprotected data arriving across an endpoint. 4) an IKE message arriving across an endpoint. The steps to be taken when one of these events occurs are: 1) Consult the policyEndpointToGroupTable using the endpoint's transport domain and address as indexes to the table. An ordered list of groups (G) referenced by the peGroupName object are extracted from the policyEndpointToGroupTable table and are ordered according to the peEndpointPriority column, the lowest of the peEndpointPriority values being processed first. 2) For each group in (G), the policyIKERulesInGroupTable and the policyIPsecRulesInGroupTable are consulted using the peGroupName as an index to produce an ordered (using policyIKERulePriority and policyIPsecRulePriority) list of IKE Rules (I) and IPsec rules (R). 3) Each of the rules in (I) and (R) are then processed to determine if they are applicable by consulting the conditionsInRuleTable table to produce an ordered (using conditionSequenceNumber) list of conditions (C). 4) For each condition, the conditionUsage object in the conditionTable is first consulted to see if the condition is viable for the event in question. If it is viable for the given event and the event involves traffic, a list of filters (F) for the condition is extracted from the filtersInConditionTable. 5) Each filter in (F) is evaluated to determine if it is true or false. Multiple tests defined inside a filter must all pass for the filter to be true. Filters that are to be applied to both the source and destination addresses, as defined by the ficOnDestination object, must be run twice and be successful on each address in order to be considered successful itself. The result is possibly negated, based on the value of the ficFilterIsNegated object in the filtersInConditionTable. Various Authors [Page 4] Internet Draft IPsec Policy Configuration MIB February 2001 6) If any filter fails to pass any of its tests, the entire condition is considered to have failed. Note that the result of the condition is possibly negated according to the conditionIsNegated object in the conditionsInRuleTable. Based on the final result of this condition, one of the following should be performed: a) If the final result of the condition is false, and the pgIKEConditionListType for the current rule is 'and' then the next rule must be processed, returning to step #3. b) If the condition is false and the pgIKEConditionListType type is 'or', then the next condition in (C) must be processed, returning to step #4, unless no further rules exist in (I) or (R) in which case the next group in (G) must be processed by returning to step #2, unless there are no further groups in (G), in which case the current packet must be dropped and this action possibly logged (according to XXX). c) If the condition result is true and the pgIKEConditionListType is 'and' then the next condition in (C) must be processed, returning to step #4, unless it is the last condition in (C) in which case the rule is considered to have passed its conditions and step #7 should be consulted. d) If the condition result is true and the pgIKEConditionListType is 'or' then processing of the conditions in (C) and the rule is considered to have passed its conditions and step #7 should be consulted. 7) Using the actionRuleName, the actionsInRuleTable should be consulted to retrieve a list of ordered actions. This list is constructed by consulting the table where the lowest actionFailureSequenceNumber associated with the actionRuleName is taken and all rows matching both the actionRuleName and this value of the actionFailureSequenceNumber are collected and prioritized according to the actionSuccessSequenceNumber object. This should produce an initial set of actions (A). 8) Each action in (A) is executed according to the parameters associated with it according to the value of the actionName RowPointer, which should be a pointer into a table which describes what action should be taken and what parameters are to be used when executing it. The two action tables defined in this MIB for use with this row pointer are the saStaticActionTable and the saNegotiationActionTable. 9) Depending on whether all the actions in (A) succeed or fail, the following steps must be taken: Various Authors [Page 5] Internet Draft IPsec Policy Configuration MIB February 2001 a) If any action in (A) fails, a new set (A) is constructed using the next highest value of actionFailureSequenceNumber, returning to step 8 to execute them (functionally, these are "fall-back actions"). If no further fall-back actions exist in the actionsInRuleTable, then processing of the current packet must be halted and the packet is dropped. This event should be logged (XXX: define notifications). b) If all of the actions in (A) succeed, then processing of this packet stops (IE, no futher groups or rules are consulted). 5. Definitions IPSEC-POLICY-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32 FROM SNMPv2-SMI TEXTUAL-CONVENTION, RowStatus, TruthValue, TimeStamp, StorageType, RowPointer, TDomain, TAddress FROM SNMPv2-TC MODULE-COMPLIANCE, OBJECT-GROUP NOTIFICATION-GROUP FROM SNMPv2-CONF SnmpAdminString FROM SNMP-FRAMEWORK-MIB; -- -- module identity -- ipsecPolicyMIB MODULE-IDENTITY LAST-UPDATED "200102230000Z" -- 23 February 2001 ORGANIZATION "IETF IP Security Policy Working Group" CONTACT-INFO "Michael Baer Network Associates, Inc. 3965 Freedom Circle, Suite 500 Santa Clara, CA 95054 Phone: +1 530 304 1628 Email: mike_baer@nai.com Ricky Charlet Redcreek Communications 3900 Newpark Mall Rd. Newark, CA 94560 Phone: +1 510 795 6903 Email: rcharlet@redcreek.com Wes Hardaker Network Associates, Inc. Various Authors [Page 6] Internet Draft IPsec Policy Configuration MIB February 2001 3965 Freedom Circle, Suite 500 Santa Clara, CA 95054 Phone: +1 530 400 2774 Email: wes_hardaker@nai.com Cliff Wang SmartPipes Inc. Suite 300, 565 Metro Place South Dublin, OH 43017 Phone: +1 614 923 6241 E-Mail: CWang@smartpipes.com XXX: insert everyone else's" DESCRIPTION "The MIB module for defining IPsec Policy filters and actions" -- Revision History REVISION "200102230000Z" -- 23 February 2001 DESCRIPTION "This is the initial version of this MIB." ::= { XXX } -- -- groups of related objects -- ipsecPolicyConfigObjects OBJECT IDENTIFIER ::= { ipsecPolicyMIB 1 } ipsecPolicyNotificationObjects OBJECT IDENTIFIER ::= { ipsecPolicyMIB 2 } ipsecPolicyConformanceObjects OBJECT IDENTIFIER ::= { ipsecPolicyMIB 3 } -- -- Textual Conventions -- IpsecBooleanOperator ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The IpsecBooleanOperator operator is used to specify whether sub-components in a decision making process are ANDed or ORed together to decide if the resulting expression is true or false." SYNTAX INTEGER { or(0), and(1) } IpsecIsNegated ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The IpsecIsNegated operator is used to specify whether or not the results of a sub-components return clause is taken as is, or if the logical negation of the result is used instead." Various Authors [Page 7] Internet Draft IPsec Policy Configuration MIB February 2001 SYNTAX TruthValue IpsecGroupId ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The IpsecGroupId sepecifies the Diffie-Hellman group to use for phase 2 negotiations. A vendor specific GroupID range is available for use from 32768-65535. The well known groupIDs defined here are taken from RFC2412." SYNTAX INTEGER { modp768(1), modp1024(2), ec2ngp155(3), ec2ngp185(4), modp1536(5) } -- -- Policy group definitions -- policyEndpointToGroupTable OBJECT-TYPE SYNTAX SEQUENCE OF PolicyEndpointToGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table is used to map policy groupings onto an endpoint that they will apply to. Any policy groups assigned to this endpoint are then used to control access to the traffic passing by it. If an endpoint has been configured with at least one policy group and no contained rule in any group matched the incoming packet, the default action in this case shall be to drop the packet. If no policy groups have been assigned to an endpoint, then the default action to take when a packet arrives shall be to allow the packet to pass through to the next processing point. The peGroupPriority object indicates the ordering that a list of groups will be applied to a given endpoint. Once a group has been processed, the processor MUST stop processing this packet if an action was executed as a result of the processing of a given group. Iterating into the next policy group by finding the next largest peGroupPriority object shall only be done if no actions were run when processing the last group for a given packet." ::= { ipsecPolicyConfigObjects 1 } policyEndpointToGroupEntry OBJECT-TYPE SYNTAX PolicyEndpointToGroupEntry MAX-ACCESS not-accessible Various Authors [Page 8] Internet Draft IPsec Policy Configuration MIB February 2001 STATUS current DESCRIPTION "A mapping assigning a policy group to an endpoint." INDEX { peEndpointDomain, peEndpointAddress, peGroupPriority } ::= { policyEndpointToGroupTable 1 } PolicyEndpointToGroupEntry ::= SEQUENCE { peEndpointDomain TDomain, peEndpointAddress TAddress, peGroupPriority Integer32, peGroupName SnmpAdminString, peLastChanged TimeStamp, peStorageType StorageType } peEndpointDomain OBJECT-TYPE SYNTAX TDomain MAX-ACCESS not-accessible STATUS current DESCRIPTION "The TDomain defining the address format associated with a given endpoint. When combined with the peEndpointAddress these objects can be used to uniquely identify an endpoint that a set of policy groups should be applied to." ::= { policyEndpointToGroupEntry 1 } peEndpointAddress OBJECT-TYPE SYNTAX TAddress MAX-ACCESS not-accessible STATUS current DESCRIPTION "The address of a given endpoint, the format of which is specified by the peEndpointDomain object." ::= { policyEndpointToGroupEntry 2 } peGroupPriority OBJECT-TYPE SYNTAX Integer32 (1..65536) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A number specifying the priority level of this group. A group assigned to an endpoint with a lower numerical priority level is processed before a group assigned to the same endpoint with a higher numerical priority level. Processing of groups on an endpoint stops as soon after the first action in a group is executed." ::= { policyEndpointToGroupEntry 3 } Various Authors [Page 9] Internet Draft IPsec Policy Configuration MIB February 2001 peGroupName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "The policy group name to apply to this endpoint. The value of the peGroupName object should then be used as an index into the policyIKERulesInGroupTable and the policyIPsecRulesInGroupTable to come up with a list of rules that MUST be applied to this endpoint." ::= { policyEndpointToGroupEntry 4 } peLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { policyEndpointToGroupEntry 5 } peStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." DEFVAL { nonVolatile } ::= { policyEndpointToGroupEntry 6 } peRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. XXX: indicate minimum conditions allowed when transitioning between non-active and active states (both directions). IE, which sub/super-table rows must be of the requested stated? Which columns must be defined for this row to be operational?" Various Authors [Page 10] Internet Draft IPsec Policy Configuration MIB February 2001 ::= { policyEndpointToGroupEntry 7 } -- -- Policy IKE Rules in a Group Table -- policyIKERulesInGroupTable OBJECT-TYPE SYNTAX SEQUENCE OF PolicyIKERulesInGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table holds a listing of IKE rules. Conditions and Actions are associated with each rule in this table through the conditionsInRuleTable and actionsInRuleTable respectively. " ::= { ipsecPolicyConfigObjects 2 } policyIKERulesInGroupEntry OBJECT-TYPE SYNTAX PolicyIKERulesInGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A particular IKE rule associated with a policy group." INDEX { peGroupName, pgIKERulePriority } ::= { policyIKERulesInGroupTable 1 } PolicyIKERulesInGroupEntry ::= SEQUENCE { pgIKERulePriority Integer32, pgIKERuleName SnmpAdminString, pgIKERuleDescription OCTET STRING, pgIKEConditionListType IpsecBooleanOperator, pgIKEidentityContexts OCTET STRING, pgIKERuleLastChanged TimeStamp, pgIKERuleStorageType StorageType } pgIKERulePriority OBJECT-TYPE SYNTAX Integer32 (1..65536) MAX-ACCESS not-accessible STATUS current DESCRIPTION "pgIKERulePriority is the priority of this pgIKERuleName within its relevant peGroupName. This represents the order that Rules should be processed within Groups. Lower values are processed first." ::= { policyIKERulesInGroupEntry 1 } pgIKERuleName OBJECT-TYPE Various Authors [Page 11] Internet Draft IPsec Policy Configuration MIB February 2001 SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "pgIKERuleName is the name of the rule associated with a peGroupName. This name will match a set of conditionsInRuleEntries and a set of actionsInRuleEntries via the contitionRuleName and actionRuleName respectively. Those are the conditions and actions associated with this rule." ::= { policyIKERulesInGroupEntry 2 } pgIKERuleDescription OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..255)) MAX-ACCESS read-create STATUS current DESCRIPTION "A user definable string. This field may be used for your administrative tracking purposes." DEFVAL { ''H } ::= { policyIKERulesInGroupEntry 3 } pgIKEConditionListType OBJECT-TYPE SYNTAX IpsecBooleanOperator MAX-ACCESS read-create STATUS current DESCRIPTION "pgIKEConditionListType defines if the list of associtated conditions with this rule is an ANDed list or an ORed list." DEFVAL { true } ::= { policyIKERulesInGroupEntry 4 } pgIKEidentityContexts OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..511)) MAX-ACCESS read-create STATUS current DESCRIPTION "pgIKEidentityContexts is a string array that corresponds to an ANDed list of values. If the string is broken by a CR LF sequence, then multiple strings exist, and they are to be logically ORed with each other. This property is used to establish a phase 1 IKE SA by using this property in conjunction with the UseIKEIdentityType property in the corresponding IKEAction. These two properties are then used to find an appropriate IKEIdentity object for use on the protected IPProtocolEndpoint." ::= { policyIKERulesInGroupEntry 5 } pgIKERuleLastChanged OBJECT-TYPE Various Authors [Page 12] Internet Draft IPsec Policy Configuration MIB February 2001 SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { policyIKERulesInGroupEntry 6 } pgIKERuleStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." DEFVAL { nonVolatile } ::= { policyIKERulesInGroupEntry 7 } pgIKERuleRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. XXX: indicate minimum conditions allowed when transitioning between non-active and active states (both directions). IE, which sub/super-table rows must be of the requested stated? Which columns must be defined for this row to be operational?" ::= { policyIKERulesInGroupEntry 8 } -- -- Policy IPsec Rules in a Group Table -- policyIpsecRulesInGroupTable OBJECT-TYPE SYNTAX SEQUENCE OF PolicyIpsecRulesInGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table holds lists of IpsecRules associated with pePolicyGroups. Each peGroupName may have a list of Various Authors [Page 13] Internet Draft IPsec Policy Configuration MIB February 2001 policyIpsecRules associated with it. Each policyIpsecRule may in turn have a list of conditions and actions associated with it." ::= { ipsecPolicyConfigObjects 3 } policyIpsecRulesInGroupEntry OBJECT-TYPE SYNTAX PolicyIpsecRulesInGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A particular IPsec Rule associated with a policy group." INDEX { peGroupName, pgIPsecRulePriority } ::= { policyIpsecRulesInGroupTable 1 } PolicyIpsecRulesInGroupEntry ::= SEQUENCE { pgIPsecRulePriority Integer32, pgIPsecRuleName SnmpAdminString, pgIPsecRuleDescription OCTET STRING, pgIPsecConditionListType IpsecBooleanOperator, pgIPsecRuleLastChanged TimeStamp, pgIPsecRuleStorageType StorageType } pgIPsecRulePriority OBJECT-TYPE SYNTAX Integer32 (1..65536) MAX-ACCESS not-accessible STATUS current DESCRIPTION "pgIPsecRulePriority is the priority of this pgIPsecRuleName within its relevant peGroupName. This represents the order that Rules should be processed within Groups. Lower values are processed first." ::= { policyIpsecRulesInGroupEntry 1 } pgIPsecRuleName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "pgIPsecRuleName is the name of the rule associated with a peGroupName. This name will match a set of conditionsInRuleEntries and a set of actionsInRuleEntries via the contitionRuleName and actionRuleName respectively. Those are the conditions and actions associated with this rule." ::= { policyIpsecRulesInGroupEntry 2 } pgIPsecRuleDescription OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..255)) Various Authors [Page 14] Internet Draft IPsec Policy Configuration MIB February 2001 MAX-ACCESS read-create STATUS current DESCRIPTION "A user definable string. You may use this field for your administrative tracking purposes." DEFVAL { ''H } ::= { policyIpsecRulesInGroupEntry 3 } pgIPsecConditionListType OBJECT-TYPE SYNTAX IpsecBooleanOperator MAX-ACCESS read-create STATUS current DESCRIPTION "pgIPsecConditionListType defines if the list of associtated conditions with this rule is an ANDed list or an ORed list." DEFVAL { true } ::= { policyIpsecRulesInGroupEntry 4 } pgIPsecRuleLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { policyIpsecRulesInGroupEntry 5 } pgIPsecRuleStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." DEFVAL { nonVolatile } ::= { policyIpsecRulesInGroupEntry 6 } pgIPsecRuleRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other Various Authors [Page 15] Internet Draft IPsec Policy Configuration MIB February 2001 objects in this conceptual row can be modified. XXX: indicate minimum conditions allowed when transitioning between non-active and active states (both directions). IE, which sub/super-table rows must be of the requested stated? Which columns must be defined for this row to be operational?" ::= { policyIpsecRulesInGroupEntry 7 } -- -- Policy conditions in a rule table -- conditionsInRuleTable OBJECT-TYPE SYNTAX SEQUENCE OF ConditionsInRuleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The table of conditions associated with an ipsec policy rule. In particular, an pgIPsecRuleName can be used to get a list of related conditionName's and their parameters from this table." ::= { ipsecPolicyConfigObjects 4 } conditionsInRuleEntry OBJECT-TYPE SYNTAX ConditionsInRuleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "conditionsInRuleEntry represents a condition associated with rule." INDEX { conditionRuleName, conditionSequenceNumber } ::= { conditionsInRuleTable 1 } ConditionsInRuleEntry ::= SEQUENCE { conditionRuleName SnmpAdminString, conditionSequenceNumber Integer32, conditionIsNegated IpsecIsNegated, conditionName SnmpAdminString, conditionLastChanged TimeStamp, conditionStorageType StorageType } conditionRuleName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS not-accessible STATUS current DESCRIPTION "conditionRuleName is the name of the rule that is associated with conditionName" ::= { conditionsInRuleEntry 1 } Various Authors [Page 16] Internet Draft IPsec Policy Configuration MIB February 2001 conditionSequenceNumber OBJECT-TYPE SYNTAX Integer32 (1..65536) MAX-ACCESS not-accessible STATUS current DESCRIPTION "conditionSequenceNumber is the priority of the conditionName in this row. This represents the order that conditions should be processed in a Rule. Lower values are processed first." ::= { conditionsInRuleEntry 2 } conditionIsNegated OBJECT-TYPE SYNTAX IpsecIsNegated MAX-ACCESS read-create STATUS current DESCRIPTION "conditionIsNegated indicates whether the condition results should be negated (e.g. if a boolean 'not' is performed on the condition)." DEFVAL { false } ::= { conditionsInRuleEntry 3 } conditionName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "conditionName is the name of the condition associated with the conditionRuleName." ::= { conditionsInRuleEntry 4 } conditionLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { conditionsInRuleEntry 5 } conditionStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but Various Authors [Page 17] Internet Draft IPsec Policy Configuration MIB February 2001 which columns are in fact modifiable is implementation specific." DEFVAL { nonVolatile } ::= { conditionsInRuleEntry 6 } conditionRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. For a row in the conditionInRuleTable to change to the active state, the row in the conditionTable that is indicated by conditionName must be active and the row in the XXX: rowTable/saRowTable? indicated by conditionRuleName must be active. No conditions are necessary to become inactive, although the rows in conditionTable and XXX: rowTable/saRowTable? should be active at all times that this row is active. " ::= { conditionsInRuleEntry 7 } -- -- Policy Actions in a rule table -- actionsInRuleTable OBJECT-TYPE SYNTAX SEQUENCE OF ActionsInRuleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table of actions associates actions with an ipsec policy rule. In Particular, an pgIPsecRuleName can be used to get a list of related actionName's from this table. This table can includes multiple actions that are associated with a rule name and any fallback actions associated with that rule name." ::= { ipsecPolicyConfigObjects 5 } actionsInRuleEntry OBJECT-TYPE SYNTAX ActionsInRuleEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "actionsInRuleEntry represents an action associated with a rule." INDEX { actionRuleName, actionFailureSequenceNumber, actionSuccessSequenceNumber } Various Authors [Page 18] Internet Draft IPsec Policy Configuration MIB February 2001 ::= { actionsInRuleTable 1 } ActionsInRuleEntry ::= SEQUENCE { actionRuleName SnmpAdminString, actionFailureSequenceNumber Integer32, actionSuccessSequenceNumber Integer32, actionName RowPointer, actionLastChanged TimeStamp, actionStorageType StorageType } actionRuleName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS not-accessible STATUS current DESCRIPTION "actionRuleName is the name of the rule that is associated with actionName." ::= { actionsInRuleEntry 1 } actionFailureSequenceNumber OBJECT-TYPE SYNTAX Integer32 (1..65536) MAX-ACCESS not-accessible STATUS current DESCRIPTION "actionFailureSequenceNumber represents the ordering of fallback actions. Lower numbers indicate action sets that are attempted first. e.g. if the actions with the same value of actionRuleName and and actionFailureSequenceNumber fail, the actions (if any) with the same actionRuleName but with the next higher value of actionFailureSequenceNumber will be attempted next." ::= { actionsInRuleEntry 2 } actionSuccessSequenceNumber OBJECT-TYPE SYNTAX Integer32 (1..65536) MAX-ACCESS not-accessible STATUS current DESCRIPTION "actionSuccessSequenceNumber represents the ordering of actions associated with a rule. Lower numbers indicate actions that are attempted first. The group of rows that have the same actionRuleName and actionFailureSequenceNumber indicate (by actionName) the actions that should be completed in the order specified by actionSuccessSequenceNumber." ::= { actionsInRuleEntry 3 } actionName OBJECT-TYPE Various Authors [Page 19] Internet Draft IPsec Policy Configuration MIB February 2001 SYNTAX RowPointer MAX-ACCESS read-create STATUS current DESCRIPTION "actionName is the name of the action that is associated with actionRuleName." ::= { actionsInRuleEntry 4 } actionLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { actionsInRuleEntry 5 } actionStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." DEFVAL { nonVolatile } ::= { actionsInRuleEntry 6 } actionRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. For a row in the actionsInRuleTable to change to the active state, the row in the XXX: actionTable? indicated by actionName must be active and the row in the XXX: rowTable/saRowTable? indicated by actionRuleName must be active. No conditions are necessary to become inactive, although the rows in Various Authors [Page 20] Internet Draft IPsec Policy Configuration MIB February 2001 XXX: actionTable? and rowTable/saRowTable? should be active at all times that this row is active. " ::= { actionsInRuleEntry 7 } -- -- Policy condition definitions table -- conditionTable OBJECT-TYPE SYNTAX SEQUENCE OF ConditionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of conditions and their associated parameters." ::= { ipsecPolicyConfigObjects 6 } conditionEntry OBJECT-TYPE SYNTAX ConditionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the conditions table. A condition listed in this table is considered to have a successful return value if and only if all of the filters associated with the condition, as defined in the filtersInConditionTable, are all true themselves (after applying any negation as defined by the ficFilterIsNegated object). IE, filter results are always ANDed together. XXX: the only functional data in this table is the conditionUsage object. Should this get moved into the conditionsInRuleTable instead (which changes the semantics of how things work)? It really does belong here though, but moving it up would reduce the table count." INDEX { conditionName } ::= { conditionTable 1 } ConditionEntry ::= SEQUENCE { conditionDescription OCTET STRING, conditionUsage BITS, condititionLastChanged TimeStamp, condititionStorageType StorageType } conditionDescription OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..255)) MAX-ACCESS read-create STATUS current Various Authors [Page 21] Internet Draft IPsec Policy Configuration MIB February 2001 DESCRIPTION "A user definable string. You may use this field for your administrative tracking purposes." DEFVAL { ''H } ::= { conditionEntry 1 } conditionUsage OBJECT-TYPE SYNTAX BITS { onBoot(0), onManual(1), onDataTraffic(2), onIKEMessage(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "Defines when this condition is to be used. If the condition type includes: onBoot: The condition is considered to be true at the boot time of the ipsec policy system and the rules are initially checked for this conditiion. Filters defined in the filtersInCondition table are ignored for purposes of evaluating the condition results in this case. onManual: The condition is considered to be true when the ipsec policy system is processing the rule(s) as a result of an appropriate administrative operation, such as the pushing of a XXX:insert-object-from-non-existent-button-table button. Filters defined in the filtersInCondition table are ignored for purposes of evaluating the condition results in this case. onDataTraffic: This condition is considered to be true when evaluated when traffic is processed by it and all filters results defined by the filtersInConditionsTable are also evaluated to be true (I.E., the filter results are ANDed together). onIKEMessage: This condition is considered to be true when evaluated when IKE related traffic is processed by it and all filters results defined by the filtersInConditionsTable are also evaluated to be true (I.E., the filter results are ANDed together)." Various Authors [Page 22] Internet Draft IPsec Policy Configuration MIB February 2001 ::= { conditionEntry 2 } condititionLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { conditionEntry 3 } condititionStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columnsare in fact modifiable is implementation specific." DEFVAL { nonVolatile } ::= { conditionEntry 4 } condititionRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. This row can not be made active until the conditionUsage object has been defined. Until that point the object should return a notReady state when queried and any attempts to set it to active will result in a inconsistentValue error. Once active, it may not have its value changed if any active rows in the conditionsInRuleTable have a conditionName matching the conditionName of this row. XXX: must at least one filter be defined? Only if type above is related to traffic? Should we create a 'true' filter type to allow an explicit forced always true condition to be created?" ::= { conditionEntry 5 } Various Authors [Page 23] Internet Draft IPsec Policy Configuration MIB February 2001 -- -- Policy filters in a condition table -- filtersInConditionTable OBJECT-TYPE SYNTAX SEQUENCE OF FiltersInConditionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table defines a list of filters contained within a given condition defined in the conditionTable." ::= { ipsecPolicyConfigObjects 7 } filtersInConditionEntry OBJECT-TYPE SYNTAX FiltersInConditionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry into the list of filters for a given condition. An entry row here maps a conditionName to a ficFilterName which can be used as an index into the filterTable to retrieve the filter's definition." INDEX { conditionName, ficFilterName } ::= { filtersInConditionTable 1 } FiltersInConditionEntry ::= SEQUENCE { ficFilterName SnmpAdminString, ficOnDestination BITS, ficLastChanged TimeStamp, ficStorageType StorageType } ficFilterName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS not-accessible STATUS current DESCRIPTION "An administratively assigned unique name that can be used to reference the filter's definition via the filterTable." ::= { filtersInConditionEntry 1 } ficOnDestination OBJECT-TYPE SYNTAX BITS { source(0), destination(1) } MAX-ACCESS read-create STATUS current DESCRIPTION "Whether the filter is to be applied to the source and/or the destination address. If both the source and destination Various Authors [Page 24] Internet Draft IPsec Policy Configuration MIB February 2001 address bits are set, the filter must successfully apply to both addresses for the filter itself to be considered to have successful result." ::= { filtersInConditionEntry 2 } ficFilterIsNegated OBJECT-TYPE SYNTAX IpsecIsNegated MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates whether the result of applying this filter should be negated or not. If the ficOnDestination object is set to both source and destination, the negation is applied after the source and destination results are returned and ANDed together. IE, result = !(filter(source) && filter(destination))." DEFVAL { false } ::= { filtersInConditionEntry 3 } ficLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { filtersInConditionEntry 4 } ficStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." DEFVAL { nonVolatile } ::= { filtersInConditionEntry 5 } ficRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other Various Authors [Page 25] Internet Draft IPsec Policy Configuration MIB February 2001 objects in this conceptual row can be modified. This object can not be made active until the filter referenced by the ficFilterName object is both defined and it's row is active in the filterTable. An attempt to do so will result in an inconsistentValue error. XXX: indicate minimum conditions allowed when transitioning between non-active and active states (both directions). IE, which sub/super-table rows must be of the requested stated? Which columns must be defined for this row to be operational?" ::= { filtersInConditionEntry 6 } -- -- Policy filter definition table -- filterTable OBJECT-TYPE SYNTAX SEQUENCE OF FilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of filter definitions to be used within the filtersInConditionTable." ::= { ipsecPolicyConfigObjects 8 } filterEntry OBJECT-TYPE SYNTAX FilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A particular filter definition. For a filter to be considered to have a TRUE result, all of the tests as defined by the filterType column must pass successfully. In other words, all sub-tests of a given filter are logically ANDed together." INDEX { ficFilterName } ::= { filterTable 1 } FilterEntry ::= SEQUENCE { filterType BITS, filterExternalOID OBJECT IDENTIFIER, filterDomain TDomain, filterAddress TAddress, filterMask TAddress, filterRangeBegin TAddress, filterRangeEnd TAddress, filterFQDNName OCTET STRING, Various Authors [Page 26] Internet Draft IPsec Policy Configuration MIB February 2001 filterClassificationLevel Integer32, filterAuthority Integer32, filterLastChanged TimeStamp, filterStorageType StorageType } filterType OBJECT-TYPE SYNTAX BITS { external(0), addressOrNetwork(1), addressRange(2), fqdn(3), protocol(4), portRange(5), classification(6), authority(7) } MAX-ACCESS read-create STATUS current DESCRIPTION "This defines the various tests that are used when evaluating a given filter. The results of each test are ANDed together to produce the result of the entire filter. When processing this filter, it is recommended for efficiency reasons that the filter halt processing the instance any of the specified tests fail. The various tests definable in this table are as follows: external: - XXX: To be defined later. addressOrNetwork: - Tests for address or network matches using the filterDomain, filterAddress and filterMask objects. Any protocol and/or port specification defined by the filterDomain object is ignored for this test and only the address related information is used from the filterAddress and filterMask objects to evaluate this test. A row with a filterRowStatus object set to active may not have the addressOrNetwork test bit turned on until either the filterRowStatus value is changed to notInService or until the filterDomain, filterAddress, and filterMask objects have been appropriately configured first. Attempting to do so will produce a inconsistentValue error. A row in this table which is not active and with the addressOrNetwork test bit set will cause the filterRowStatus object to return the notReady state if the filterDomain, filterAddress, and filterMask objects have not been appropriately configured. addressRange: - Tests to see if an address falls within a starting and Various Authors [Page 27] Internet Draft IPsec Policy Configuration MIB February 2001 ending address pair using the filterRangeBegin and filterRangeEnd objects. Any protocol and/or port specification defined by the filterDomain object is ignored for this test and only the address related information is used from the filterRangeBegin and filterRangeEnd objects to evaluate this test. A row with a filterRowStatus object set to active may not have the addressRange test bit turned on until either the filterRowStatus value is changed to notInService or until the filterDomain, filterRangeEnd, and filterRangeEnd objects have been appropriately configured first. Attempting to do so will produce a inconsistentValue error. A row in this table which is not active and with the addressRange test bit set will cause the filterRowStatus object to return the notReady state if the filterDomain, filterRangeEnd, and filterRangeEnd objects have not been appropriately configured. fqdn: - Tests to see if an address matches a fully-qualified-domain-name expression defined by the filterFQDNName object. The filterFQDNName object may contain a string that will match a single host, such as host.company.com, or may contain an expression using wildcards such as *.company.com. A row with a filterRowStatus object set to active may not have the fqdn test bit turned on until either the filterRowStatus value is changed to notInService or until the filterFQDNName object has been appropriately configured first. Attempting to do so will produce a inconsistentValue error. A row in this table which is not active and with the fqdn test bit set will cause the filterRowStatus object to return the notReady state if the filterFQDNName object has not been appropriately configured. protocol: - Tests to see if the incoming packet matches the protocol as defined by the filterDomain object. The other aspects of the filterDomain object (address and port information) are ignored when evaluating this test. A row with a filterRowStatus object set to active may not Various Authors [Page 28] Internet Draft IPsec Policy Configuration MIB February 2001 have the protocol test bit turned on until either the filterRowStatus value is changed to notInService or until the filterDomain object has been appropriately configured first. Attempting to do so will produce a inconsistentValue error. A row in this table which is not active and with the protocol test bit set will cause the filterRowStatus object to return the notReady state if the filterDomain object has not been appropriately configured. portRange: - Tests to see if the portnumber used by the protocol falls within a starting and ending pair of port numbers, which is defined by the the filterRangeBegin and filterRangeEnd objects. Any protocol and/or address specification defined by the filterDomain object is ignored for this test and only the port number related information is used from the filterRangeBegin and filterRangeEnd objects to evaluate this test. If the protocol specified by the filterDomain object does not contain port number information, the result of this test will be false. XXX: disallow setting filterDomain to a domain that doesn't contain a port range if the portRange test is specified? A row with a filterRowStatus object set to active may not have the portRange test bit turned on until either the filterRowStatus value is changed to notInService or until the filterDomain, filterRangeEnd, and filterRangeEnd objects have been appropriately configured first. Attempting to do so will produce a inconsistentValue error. A row in this table which is not active and with the portRange test bit set will cause the filterRowStatus object to return the notReady state if the filterDomain, filterRangeEnd, and filterRangeEnd objects have not been appropriately configured. classification: - Tests to see if the classification level of the incoming packet matches the classification level specified by the filterClassificationLevel object. If it does not match, or if the incoming packet does not have a classification level associated with it, this filter is considered to have a unsuccessful return status. Various Authors [Page 29] Internet Draft IPsec Policy Configuration MIB February 2001 A row with a filterRowStatus object set to active may not have the classification test bit turned on until either the filterRowStatus value is changed to notInService or until the filterClassificationLevel object has been appropriately configured first. Attempting to do so will produce a inconsistentValue error. A row in this table which is not active and with the classification test bit set will cause the filterRowStatus object to return the notReady state if the filterClassificationLevel object has not been appropriately configured. authority: - Tests to see if the protection authority source of the incoming packet matches the authority source specified by the filterAuthority object. If it does not match, or if the incoming packet does not have a protection authority associated with it, this filter is considered to have a unsuccessful return status. A row with a filterRowStatus object set to active may not have the authority test bit turned on until either the filterRowStatus value is changed to notInService or until the filterAuthority object has been appropriately configured first. Attempting to do so will produce a inconsistentValue error. A row in this table which is not active and with the authority test bit set will cause the filterRowStatus object to return the notReady state if the filterAuthority object has not been appropriately configured. XXX: is an empty test set legal? if so, is it true or false? " ::= { filterEntry 1 } filterExternalOID OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-create STATUS current DESCRIPTION "XXX: To be defined later." ::= { filterEntry 2 } filterDomain OBJECT-TYPE SYNTAX TDomain Various Authors [Page 30] Internet Draft IPsec Policy Configuration MIB February 2001 MAX-ACCESS read-create STATUS current DESCRIPTION "The transport domain that will be used to help define the semantics of the addressOrNetwork, addressRange, and protocol tests. For addressOrNetwork and addressRange tests, if the filterDomain address type does match the address type to be tested against, the filter result is to be considered a failure. For the portRange test, if the filterDomain does not specify a port number, the filter result is considered to be a failure. For protocol tests, if the filterDomain object's protocol specification does not match the protocol of the packet the filter is being applied to, the filter result is to be considered a failure." ::= { filterEntry 3 } filterAddress OBJECT-TYPE SYNTAX TAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The address to use when performing an addressOrNetwork test. For an addressOrNetwork test, the filterAddress and filterMask pair define an address or set of addresses to match the address from the incoming packet against. The filterMask defines which bits of the filterAddress and incoming address the test should be performed against. Any differing bits in the masked portion of the two addresses indicates a test failure. If a port number is required by the corresponding TDomain defined in the filterDomain object, it can be given any value in this object as it will not be used in the test." ::= { filterEntry 4 } filterMask OBJECT-TYPE SYNTAX TAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The network mask to use when performing an addressOrNetwork Various Authors [Page 31] Internet Draft IPsec Policy Configuration MIB February 2001 test. This mask will be applied to the filterAddress object contents to produce a subnet address to test against. A network mask consisting of all bits set to 1 should be used when an exact match against the entire address from the filterAddress is desired. If a port number is required by the corresponding TDomain defined in the filterDomain object, it can be given any value in this object as it will not be used in the test." ::= { filterEntry 5 } filterRangeBegin OBJECT-TYPE SYNTAX TAddress MAX-ACCESS read-create STATUS current DESCRIPTION "Defines the beginning half of an address and/or port range to be used when performing addressRange or portRange tests. The addressRange test is considered a success if and only if the address type specified by the filterDomain object matches the address type of the address to be tested against AND the address to be tested against falls between the addresses defined in the filterRangeBegin and filterRangeEnd objects. If a port and/or protocol is specified by this object or the filterDomain object, it is ignored for the purpose of this test. The portRange test is considered a success if and only if the port number to be tested against falls between the port numbers specified in the filterRangeBegin and filterRangeEnd objects. This test is to be considered a failure if the filterRangeBegin/filterRangeEnd objects don't include a port number because the filterDomain object doesn't specify a TAddress type that requires one. If an address and/or protocol is specified by this object or the filterDomain object, it is ignored for the purpose of this test." ::= { filterEntry 6 } filterRangeEnd OBJECT-TYPE SYNTAX TAddress MAX-ACCESS read-create STATUS current DESCRIPTION "Defines the ending half of an address and/or port range to be used when performing addressRange or portRange tests." ::= { filterEntry 7 } filterFQDNName OBJECT-TYPE Various Authors [Page 32] Internet Draft IPsec Policy Configuration MIB February 2001 SYNTAX OCTET STRING MAX-ACCESS read-create STATUS current DESCRIPTION "Defines a string used to match against the host name of the packet to be filtered. The string may contain one or more wildcard characters '*', so as to match an entire domain such as '*.mydomain.com'." ::= { filterEntry 8 } filterClassificationLevel OBJECT-TYPE SYNTAX INTEGER { topSecret(61), secret(90), confidential(150), unclassified(171) } MAX-ACCESS read-create STATUS current DESCRIPTION "The classification level at which the classification test must match against for the filter to be considered successful." ::= { filterEntry 9 } filterAuthority OBJECT-TYPE SYNTAX INTEGER { genser(0), stopEsi(1), sci(2), nsa(3), doe(4) } MAX-ACCESS read-create STATUS current DESCRIPTION "The authority for which the authority test must match against for the filter to be considered successful." ::= { filterEntry 10 } filterLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { filterEntry 11 } filterStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are Various Authors [Page 33] Internet Draft IPsec Policy Configuration MIB February 2001 expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." DEFVAL { nonVolatile } ::= { filterEntry 12 } filterRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. This object may not be set to active if the requirements of the filterType object are not meant. In other words, if the associated value columns needed by a particular test have not been set, then attempting to change this row to an active state will result in an inconsistentValue error. See the filterType object description for further details. Once a row in this table has been made active by this object, the value of this object for that row MAY NOT be changed (E.G., to destroy or notInService) if any active row in the filtersInConditionTable table has it's ficFilterName object set to this row's ficFilterName. An attempt to do so will result in an inconsistentValue error. A row in this table which is not active and with the addressOrNetwork test bit set will cause the filterRowStatus object to return the notReady state if the filterDomain, filterAddress, and filterMask objects have not been appropriately configured. A row in this table which is not active and with the addressRange test bit set will cause the filterRowStatus object to return the notReady state if the filterDomain, filterRangeEnd, and filterRangeEnd objects have not been appropriately configured. A row in this table which is not active and with the fqdn test bit set will cause the filterRowStatus object to return the notReady state if the filterFQDNName object has not been appropriately configured. A row in this table which is not active and with the protocol test bit set will cause the filterRowStatus object to return Various Authors [Page 34] Internet Draft IPsec Policy Configuration MIB February 2001 the notReady state if the filterDomain object has not been appropriately configured. A row in this table which is not active and with the portRange test bit set will cause the filterRowStatus object to return the notReady state if the filterDomain, filterRangeEnd, and filterRangeEnd objects have not been appropriately configured. A row in this table which is not active and with the classification test bit set will cause the filterRowStatus object to return the notReady state if the filterClassificationLevel object has not been appropriately configured. A row in this table which is not active and with the authority test bit set will cause the filterRowStatus object to return the notReady state if the filterAuthority object has not been appropriately configured. XXX: indicate minimum conditions allowed when transitioning between non-active and active states (both directions). IE, which sub/super-table rows must be of the requested stated? Which columns must be defined for this row to be operational?" ::= { filterEntry 13 } saStaticActionTable OBJECT-TYPE SYNTAX SEQUENCE OF SaStaticActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists a list of non-negotiated IPsec actions that can be performed." ::= { ipsecPolicyConfigObjects 9 } saStaticActionEntry OBJECT-TYPE SYNTAX SaStaticActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "One entry in the saStaticActionTable." INDEX { sasActionName } ::= { saStaticActionTable 1 } SaStaticActionEntry ::= SEQUENCE { sasActionName SnmpAdminString, sasActionDescription OCTET STRING, sasActionType INTEGER, sasActionLifetime Integer32, Various Authors [Page 35] Internet Draft IPsec Policy Configuration MIB February 2001 sasDoLogging TruthValue, sasLastChanged TimeStamp, sasStorageType StorageType } sasActionName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains the name of this SaStaticActionEntry. This row can be refered to by an actionsInRuleEntry." ::= { saStaticActionEntry 1 } sasActionDescription OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..255)) MAX-ACCESS read-create STATUS current DESCRIPTION "An administratively assigned string which may be used to describe in human terms what the action does" DEFVAL { ''H } ::= { saStaticActionEntry 2 } sasActionType OBJECT-TYPE SYNTAX INTEGER { bypass(0), discard(1), rejectIke(2), preconfigured(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the action taken on the packet. 0 ----- bypass the packet 1 ----- drop the packet 2 ----- reject IKE negotiation 3 ----- use the pre-configured SA." ::= { saStaticActionEntry 3 } sasActionLifetime OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-create STATUS current DESCRIPTION "sasActionLifetime specifies how long the security association derived from this action should be used." ::= { saStaticActionEntry 4 } sasDoLogging OBJECT-TYPE SYNTAX TruthValue Various Authors [Page 36] Internet Draft IPsec Policy Configuration MIB February 2001 MAX-ACCESS read-create STATUS current DESCRIPTION "sasDoLogging specifies whether or not an audit message should be logged when a packet is discarded." ::= { saStaticActionEntry 5 } sasLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { saStaticActionEntry 6 } sasStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." DEFVAL { nonVolatile } ::= { saStaticActionEntry 7 } sasRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. XXX: indicate minimum conditions allowed when transitioning between non-active and active states (both directions). IE, which sub/super-table rows must be of the requested stated? Which columns must be defined for this row to be operational?" ::= { saStaticActionEntry 8 } saNegotiationActionTable OBJECT-TYPE Various Authors [Page 37] Internet Draft IPsec Policy Configuration MIB February 2001 SYNTAX SEQUENCE OF SaNegotiationActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists all the possible IPsec and IKE actions." ::= { ipsecPolicyConfigObjects 10 } saNegotiationActionEntry OBJECT-TYPE SYNTAX SaNegotiationActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Contains the attributes of one saNegotiationActionEntry." INDEX { sanActionName } ::= { saNegotiationActionTable 1 } SaNegotiationActionEntry ::= SEQUENCE { sanActionName SnmpAdminString, sanActionDescription OCTET STRING, sanIKEActionName SnmpAdminString, sanIPsecActionName SnmpAdminString, sanMinimumLifetimeSeconds Integer32, sanMinimumLifetimeKB Integer32, sanRefreshThresholdSeconds Integer32, sanRefreshThresholdKB Integer32, sanIdleDurrationSeconds Integer32, sanLastChanged TimeStamp, sanStorageType StorageType } sanActionName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "This object contains the name of this SaNegotiationActionEntry. This row can be refered to by an actionsInRuleEntry" ::= { saNegotiationActionEntry 1 } sanActionDescription OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..255)) MAX-ACCESS read-create STATUS current DESCRIPTION "An administratively assigned string which may be used to describe in human terms what the action does" DEFVAL { ''H } Various Authors [Page 38] Internet Draft IPsec Policy Configuration MIB February 2001 ::= { saNegotiationActionEntry 2 } sanIKEActionName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "This row will refer to an IkeActionEntry of the ikeActionTable." ::= { saNegotiationActionEntry 3 } sanIPsecActionName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "This row will refer to an IpsecActionEntry of the ipsecActionTable." ::= { saNegotiationActionEntry 4 } sanMinimumLifetimeSeconds OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-create STATUS current DESCRIPTION "sanMinimumLifetimeSeconds specifies the minimum seconds lifetime that will be accepted from the peer." ::= { saNegotiationActionEntry 5 } sanMinimumLifetimeKB OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-create STATUS current DESCRIPTION "sanMinimumLifetimeKB specifies the minimum kilobyte lifetime that will be accepted from the peer." ::= { saNegotiationActionEntry 6 } sanRefreshThresholdSeconds OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-create STATUS current DESCRIPTION "sanRefreshThresholdSeconds specifies what percentage of the seconds lifetime can expire before IKE should attempt to renegotiate the IPsec security association. A value between 1 and 100 representing a percentage. A Various Authors [Page 39] Internet Draft IPsec Policy Configuration MIB February 2001 value of 100 indicates that the IPsec security association should not be renegotiated until the seconds lifetime has been reached." ::= { saNegotiationActionEntry 7 } sanRefreshThresholdKB OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-create STATUS current DESCRIPTION "sanRefreshThresholdKB specifies what percentage of the kilobyte lifetime can expire before IKE should attempt to renegotiate the IPsec security association. A value between 1 and 100 representing a percentage. A value of 100 indicates that the IPsec security association should not be renegotiated until the kilobyte lifetime has been reached." ::= { saNegotiationActionEntry 8 } sanIdleDurrationSeconds OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-create STATUS current DESCRIPTION "sanIdleDurrationSeconds specifies how many seconds a security association may remain idle (i.e., no traffic protected using the security association) before it is deleted. A value of zero indicates that idle detection should not be used for the security association. Any non-zero value indicates the number of seconds the security association may remain unused." ::= { saNegotiationActionEntry 9 } sanLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { saNegotiationActionEntry 10 } sanStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were Various Authors [Page 40] Internet Draft IPsec Policy Configuration MIB February 2001 created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." DEFVAL { nonVolatile } ::= { saNegotiationActionEntry 11 } sanRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. XXX: indicate minimum conditions allowed when transitioning between non-active and active states (both directions). IE, which sub/super-table rows must be of the requested stated? Which columns must be defined for this row to be operational?" ::= { saNegotiationActionEntry 12 } ikeActionTable OBJECT-TYPE SYNTAX SEQUENCE OF IkeActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The ikeActionTable contains a list of the parameters used for an IKE phase 1 SA DOI negotiation." ::= { ipsecPolicyConfigObjects 11 } ikeActionEntry OBJECT-TYPE SYNTAX IkeActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The ipsecActionEntry lists the IKE negotiation attributes." INDEX { ikeActionName } ::= { ikeActionTable 1 } IkeActionEntry ::= SEQUENCE { ikeActionName SnmpAdminString, ikeThresholdDerivedKeys Integer32, ikeExchangeMode INTEGER, ikeAgressiveModeGroupId IpsecGroupId, ikeProposalName SnmpAdminString, ikeEndpointName SnmpAdminString, Various Authors [Page 41] Internet Draft IPsec Policy Configuration MIB February 2001 ikeActionLastChange TimeStamp, ikeActionStorageType StorageType } ikeActionName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains the name of this ikeAction entry. This row will be refered to by an SaNegotiationActionEntry." ::= { ikeActionEntry 1 } ikeThresholdDerivedKeys OBJECT-TYPE SYNTAX Integer32 (0..100) MAX-ACCESS read-create STATUS current DESCRIPTION "ikeThresholdDerivedKeys specifies what percentage of the derived key limit (see the LifetimeDerivedKeys property of IKEProposal) can expire before IKE should attempt to renegotiate the IKE phase 1 security association." ::= { ikeActionEntry 2 } ikeExchangeMode OBJECT-TYPE SYNTAX INTEGER { main(1), agressive(2) } MAX-ACCESS read-create STATUS current DESCRIPTION "ikeExchangeMode specifies the IKE Phase 1 negotiation mode." ::= { ikeActionEntry 3 } ikeAgressiveModeGroupId OBJECT-TYPE SYNTAX IpsecGroupId MAX-ACCESS read-create STATUS current DESCRIPTION "" ::= { ikeActionEntry 4 } ikeProposalName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "This row refers to an ikeProposalEntry in the ikeProposalTable." ::= { ikeActionEntry 5 } Various Authors [Page 42] Internet Draft IPsec Policy Configuration MIB February 2001 ikeIdentityName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "This row refers to an ikeIdentityEntry in the ikeIdentityTable." ::= { ikeActionEntry 6 } ikeActionLastChange OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ikeActionEntry 7 } ikeActionStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." DEFVAL { nonVolatile } ::= { ikeActionEntry 8 } ikeActionRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." ::= { ikeActionEntry 9 } -- -- IKE proposal definition table -- ikeProposalTable OBJECT-TYPE Various Authors [Page 43] Internet Draft IPsec Policy Configuration MIB February 2001 SYNTAX SEQUENCE OF IkeProposalEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of IKE proposals which are used in an IKE negotiation." ::= { ipsecPolicyConfigObjects 12 } ikeProposalEntry OBJECT-TYPE SYNTAX IkeProposalEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "One IKE proposal entry." INDEX { ikeProposalName } ::= { ikeProposalTable 1 } IkeProposalEntry ::= SEQUENCE { ikeLifetimeDerivedKeys Unsigned32, ikeCipherAlgorithm INTEGER, ikeCipherKeyLength Unsigned32, ikeCipherKeyRounds Unsigned32, ikeHashAlgorithm INTEGER, ikePrfAlgorithm INTEGER, ikeVendorId OCTET STRING, ikeDhGroup IpsecGroupId, ikeAuthenticationMethod INTEGER, ikeMaxLifetimeSeconds Unsigned32, ikeMaxLifetimeKB Unsigned32, ikePropsalLastChanged TimeStamp, ikePropsalStorageType StorageType } ikeLifetimeDerivedKeys OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ikeLifetimeDerivedKeys specifies the number of times that a phase 1 key will be used to derive a phase 2 key before the phase 1 security association needs renegotiated." ::= { ikeProposalEntry 1 } ikeCipherAlgorithm OBJECT-TYPE SYNTAX INTEGER { desCbc(1), ideaCbc(2), blowfishCbc(3), rc5Rc16B64Cbc(4), tripleDesCbc(5), castCbc(6) } MAX-ACCESS read-create STATUS current Various Authors [Page 44] Internet Draft IPsec Policy Configuration MIB February 2001 DESCRIPTION "ikeCipherAlgorithm specifies the proposed phase 1 security association encryption algorithm." ::= { ikeProposalEntry 2 } ikeCipherKeyLength OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "This mib object specifies, in bits, the key length for the cipher algorithm used in IKE Phase 1 negotiation." ::= { ikeProposalEntry 3 } ikeCipherKeyRounds OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "This mib object specifies the number of key rounds for the cipher algorithm used in IKE Phase 1 negotiation." ::= { ikeProposalEntry 4 } ikeHashAlgorithm OBJECT-TYPE SYNTAX INTEGER { md5(1), sha(2), tiger(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "ikeHashAlgorithm specifies the proposed phase 1 security assocation hash algorithm." ::= { ikeProposalEntry 5 } ikePrfAlgorithm OBJECT-TYPE SYNTAX INTEGER { reserved(0) } MAX-ACCESS read-create STATUS current DESCRIPTION "ikePRFAlgorithm specifies the proposed phase 1 security association psuedo-random function. Note: currently no prf algortithms are defined." ::= { ikeProposalEntry 6 } ikeVendorId OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..255)) MAX-ACCESS read-create STATUS current DESCRIPTION Various Authors [Page 45] Internet Draft IPsec Policy Configuration MIB February 2001 "The VendorID property is used to identify vendor-defined key exchange GroupIDs." ::= { ikeProposalEntry 7 } ikeDhGroup OBJECT-TYPE SYNTAX IpsecGroupId MAX-ACCESS read-create STATUS current DESCRIPTION "This mib object specifies the proposed phase 1 security assocation Diffie-Hellman group" ::= { ikeProposalEntry 8 } ikeAuthenticationMethod OBJECT-TYPE SYNTAX INTEGER { digitalSignature(1), pubKeyEncryption(2), revisedPubKeyEncryption(3), preSharedKey(4) } MAX-ACCESS read-create STATUS current DESCRIPTION "This mib object specifies the proposed authentication method for the phase 1 security association." ::= { ikeProposalEntry 9 } ikeMaxLifetimeSeconds OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ikeMaxLifetimeSeconds specifies the maximum amount of time to propose a security association remain valid." ::= { ikeProposalEntry 10 } ikeMaxLifetimeKB OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ikeMaxLifetimeKB specifies the maximum kilobyte lifetime to propose a security association remain valid." ::= { ikeProposalEntry 11 } ikePropsalLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified either through SNMP SETs or by some other external means." Various Authors [Page 46] Internet Draft IPsec Policy Configuration MIB February 2001 ::= { ikeProposalEntry 12 } ikePropsalStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." ::= { ikeProposalEntry 13 } ikePropsalRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified." ::= { ikeProposalEntry 14 } -- -- IPsec action definition table -- ipsecActionTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The ipsecActionTable contains a list of the parameters used for an IKE phase 2 IPsec DOI negotiation." ::= { ipsecPolicyConfigObjects 13 } ipsecActionEntry OBJECT-TYPE SYNTAX IpsecActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The ipsecActionEntry lists the IPsec negotiation attributes." INDEX { ipsecActionName } ::= { ipsecActionTable 1 } Various Authors [Page 47] Internet Draft IPsec Policy Configuration MIB February 2001 IpsecActionEntry ::= SEQUENCE { ipsecActionName SnmpAdminString, ipsecProposalName SnmpAdminString, ipsecUsePfs TruthValue, ipsecVendorId OCTET STRING, ipsecGroupId INTEGER, ipsecUseIkeGroup TruthValue, ipsecGranularity INTEGER, ipsecMode INTEGER, ipsecDFHandleing INTEGER, ipsecActionLastChange TimeStamp, ipsecActionStorageType StorageType } ipsecActionName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS not-accessible STATUS current DESCRIPTION "ipsecActionName is the name of the ipsecAction entry." ::= { ipsecActionEntry 1 } ipsecProposalName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "The name of an ipsecProposal refered to by this ipsecActionEntry." ::= { ipsecActionEntry 2 } ipsecUsePfs OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "This MIB object specifies whether or not perfect forward secrecy should be used when refreshing keys. A value of true indicates that PFS should be used." ::= { ipsecActionEntry 3 } ipsecVendorId OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..255)) MAX-ACCESS read-create STATUS current DESCRIPTION "The VendorID property is used to identify vendor-defined key Various Authors [Page 48] Internet Draft IPsec Policy Configuration MIB February 2001 exchange GroupIDs." ::= { ipsecActionEntry 4 } ipsecGroupId OBJECT-TYPE SYNTAX IpsecGroupId MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the Diffie-Hellman group to use for phase 2 when the object ipsecUsePfs is true and the object ipsecUseIkeGroup is false. If the GroupID number is from the vendor-specific range (32768-65535), the VendorID qualifies the group number." ::= { ipsecActionEntry 5 } ipsecUseIkeGroup OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies whether or not to use the same GroupId for phase 2 as was used in phase 1. If UsePFS is false, this entry should be ignore." ::= { ipsecActionEntry 6} ipsecGranularity OBJECT-TYPE SYNTAX INTEGER { wideSelector(1), narrowSelector(2)} MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the how the proposed selector for the security association will be created. For wideSelector (1) choice, the selector is created by using the FilterList information. The selector can be subnet or range address. For narrowSelector(2), the selector is created by using the traffic parameters (i.e., the 5-tuple of the traffic). " ::= { ipsecActionEntry 7 } ipsecMode OBJECT-TYPE SYNTAX INTEGER { tunnel(1), transport(2) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the encapsulation of the IPsec SA to be negotiated." ::= { ipsecActionEntry 8 } Various Authors [Page 49] Internet Draft IPsec Policy Configuration MIB February 2001 ipsecDFHandleing OBJECT-TYPE SYNTAX INTEGER { copy(1), set(2), clear(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the processing of DF bit by the negotiated IPsec tunnel. 1 - DF bit is copied. 2 - DF bit is set. 3 - DF bit is cleared." ::= { ipsecActionEntry 9 } -- PROPERTIES MinLifetimeSeconds -- MinLifetimeKilobytes -- RefreshThresholdSeconds -- RefreshThresholdKilobytes -- IdleDurationSeconds ipsecActionLastChange OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipsecActionEntry 10 } ipsecActionStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." ::= { ipsecActionEntry 11 } ipsecActionRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other Various Authors [Page 50] Internet Draft IPsec Policy Configuration MIB February 2001 objects in this conceptual row can be modified. XXX: indicate minimum conditions allowed when transitioning between non-active and active states (both directions). IE, which sub/super-table rows must be of the requested stated? Which columns must be defined for this row to be operational?" ::= { ipsecActionEntry 12 } -- -- IPsec proposal definition table -- ipsecProposalTable OBJECT-TYPE SYNTAX SEQUENCE OF IpsecProposalEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists the IPsec proposals for SA negotiations. An IPsecPropsal contains transform lists that specify the phase 2 negotiation proposals for transform parameters. Rows in this table are refered to by the ipsecProposalName column from the ipsecAction table." ::= { ipsecPolicyConfigObjects 14 } ipsecProposalEntry OBJECT-TYPE SYNTAX IpsecProposalEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry containing the information on an IPsec proposal." INDEX { ipsecPropsalName } ::= { ipsecProposalTable 1 } IpsecProposalEntry ::= SEQUENCE { ipsecPropsalName SnmpAdminString, ipsecProposalSet INTEGER, ipsecAhTransformSet SnmpAdminString, ipsecEspTransformSet SnmpAdminString, ipsecIpcompTransformSet SnmpAdminString, ipsecLastChanged TimeStamp, ipsecStorageType StorageType } ipsecPropsalName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS not-accessible STATUS current Various Authors [Page 51] Internet Draft IPsec Policy Configuration MIB February 2001 DESCRIPTION "This objcet contains the name of the entry. This row is refered to by the ipsecPropsalName column from an ipsecActionEntry." ::= { ipsecProposalEntry 1 } ipsecProposalSet OBJECT-TYPE SYNTAX INTEGER { esp(1), espAndAh(2), ah(3), ipcomp(4), ipcompAndEsp(5), ipcompAndEspAndAh(6) } MAX-ACCESS read-create STATUS current DESCRIPTION "An ipsecProposal informs a system which protocol or combination of protocols to build an SA (bundle) with. Only a certian few combinations are sensible." ::= { ipsecProposalEntry 2 } ipsecAhTransformSet OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "If and only if the AH protocol is called for by the ipsecPropsalSet, then this row will refer to a (list of) AhTransformEntry(s). Otherwise, any value in this colunm is ignored." ::= { ipsecProposalEntry 3 } ipsecEspTransformSet OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "If and only if the ESP protocol is called for by the ipsecPropsalSet, then this row will refer to a (list of) ESPTransformEntry(s). Otherwise, any value in this colunm is ignored." ::= { ipsecProposalEntry 4 } ipsecIpcompTransformSet OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "If and only if the IPCOMP protocol is called for by the ipsecProposalSet, then this row will refer to a (list of) IPCOMPTransformEntry(s). Otherwise, any value in this colunm is ignored." ::= { ipsecProposalEntry 5 } Various Authors [Page 52] Internet Draft IPsec Policy Configuration MIB February 2001 ipsecLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipsecProposalEntry 6 } ipsecStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." ::= { ipsecProposalEntry 7 } ipsecProposalRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. XXX: indicate minimum conditions allowed when transitioning between non-active and active states (both directions). IE, which sub/super-table rows must be of the requested stated? Which columns must be defined for this row to be operational?" ::= { ipsecProposalEntry 8 } -- -- AH transform definition table -- ahTransformTable OBJECT-TYPE SYNTAX SEQUENCE OF AhTransformEntry MAX-ACCESS not-accessible STATUS current Various Authors [Page 53] Internet Draft IPsec Policy Configuration MIB February 2001 DESCRIPTION "This table lists all the AH transforms which can be used to build IPsec proposals." ::= { ipsecPolicyConfigObjects 15 } ahTransformEntry OBJECT-TYPE SYNTAX AhTransformEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This entry contains the attributes of one AH transform." INDEX { ahTransformName } ::= { ahTransformTable 1 } AhTransformEntry ::= SEQUENCE { ahTransformName SnmpAdminString, ahTransformPriority Unsigned32, ahTransformId INTEGER, ahAntiReplay Unsigned32, ahTransformLastChanged TimeStamp, ahTransformStorageType StorageType } ahTransformName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains the name of this AH transform. This row will be refered to by an ipsecProposalEntry. If a list of ahTransformEntryies all have the same name, then they are priority sorted by ahTransformPriority. " ::= { ahTransformEntry 1 } ahTransformPriority OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ahTransformPriority indicates the preferability of this transform proposal. For the set of ahTransformEntries which have the same ahTransformName, the ahTransformPriority must be unique for each member on the list, must start at 1 and monotonically increase to the last member of the list. Lower numbers indicate higher preferability." ::= { ahTransformEntry 2 } Various Authors [Page 54] Internet Draft IPsec Policy Configuration MIB February 2001 ahTransformId OBJECT-TYPE SYNTAX INTEGER { ahMd5(2), ahSha(3), ahDes(4) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies specifies the transform ID of the AH algorithm to propose during a Phase 2 SA negotiation." ::= { ahTransformEntry 3 } ahAntiReplay OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ahAntiReplay indicates wether or not anti replay service is to be provided by this SA." ::= { ahTransformEntry 4 } ahTransformLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ahTransformEntry 5 } ahTransformStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." ::= { ahTransformEntry 6 } ahTransformRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. Various Authors [Page 55] Internet Draft IPsec Policy Configuration MIB February 2001 XXX: indicate minimum conditions allowed when transitioning between non-active and active states (both directions). IE, which sub/super-table rows must be of the requested stated? Which columns must be defined for this row to be operational?" ::= { ahTransformEntry 7 } -- -- ESP transform definition table -- espTransformTable OBJECT-TYPE SYNTAX SEQUENCE OF EspTransformEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists all the ESP transforms which can be used to build IPsec proposals" ::= { ipsecPolicyConfigObjects 16 } espTransformEntry OBJECT-TYPE SYNTAX EspTransformEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This entry contains the attributes of one ESP transform." INDEX { espTransformName } ::= { espTransformTable 1 } EspTransformEntry ::= SEQUENCE { espTransformName SnmpAdminString, espTransformPriority Unsigned32, espCipherTransformId INTEGER, espCipherKeyLength Unsigned32, espCipherKeyRounds Unsigned32, espIntegrityTransformId INTEGER, espAntiReplay Unsigned32, espTransformLastChange TimeStamp, espTransfromStorageType StorageType } espTransformName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS not-accessible STATUS current DESCRIPTION "The name of this particular espTransformEntry. This row will Various Authors [Page 56] Internet Draft IPsec Policy Configuration MIB February 2001 be refered to by an ipsecProposalEntry. If a list of espTransformEntries all have the same name, then they are priority sorted by espTransformPriority. " ::= { espTransformEntry 1 } espTransformPriority OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "espTransformPriority indicates the preferability of this transform proposal. For the set of espTransformEntries which have the same espTransformName, the espTransformPriority must be unique for each member on the list, must start at 1 and monotonically increase to the last member of the list. Lower numbers indicate higher preferability." ::= { espTransformEntry 2 } espCipherTransformId OBJECT-TYPE SYNTAX INTEGER { espDesIv64(1), espDes(2), esp3Des(3), espRc5(4), espIdea(5), espCast(6), espBlowfish(7), esp3Idea(8), espDesIv32(9), espRc4(10), espNull(11) } MAX-ACCESS read-create STATUS current DESCRIPTION "This mib object specifies the transform ID of the ESP cipher algorithm." ::= { espTransformEntry 3 } espCipherKeyLength OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "This mib object specifies, in bits, the key length for the ESP encryption algorithm." ::= { espTransformEntry 4 } espCipherKeyRounds OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "This mib object specifies the number of key rounds for the ESP encryption algorithm." Various Authors [Page 57] Internet Draft IPsec Policy Configuration MIB February 2001 ::= { espTransformEntry 5 } espIntegrityTransformId OBJECT-TYPE SYNTAX INTEGER { hmacNd5(1), hmacSha(2), desMac(3), kpdk(4) } MAX-ACCESS read-create STATUS current DESCRIPTION "This mib object specifies the transform ID of the ESP integrity algorithm." ::= { espTransformEntry 6 } espAntiReplay OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "espAntiReplay indicates wether or not anti-replay service is to be provided by this SA." ::= { espTransformEntry 7 } espTransformLastChange OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { espTransformEntry 8 } espTransfromStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." ::= { espTransformEntry 9 } espTransformRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. Various Authors [Page 58] Internet Draft IPsec Policy Configuration MIB February 2001 The value of this object has no effect on whether other objects in this conceptual row can be modified. XXX: indicate minimum conditions allowed when transitioning between non-active and active states (both directions). IE, which sub/super-table rows must be of the requested stated? Which columns must be defined for this row to be operational?" ::= { espTransformEntry 10 } -- -- IP compression transform definition table -- ipcompTransformTable OBJECT-TYPE SYNTAX SEQUENCE OF IpcompTransformEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table lists all the IP compression transforms which can be used to build IPsec proposals during negotiation of a phase 2 SA." ::= { ipsecPolicyConfigObjects 17 } ipcompTransformEntry OBJECT-TYPE SYNTAX IpcompTransformEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This entry contains the attributes of one IP compression transform." INDEX { ipcompTransformName } ::= { ipcompTransformTable 1 } IpcompTransformEntry ::= SEQUENCE { ipcompTransformName SnmpAdminString, ipcompTransformPriority Unsigned32, ipcompAlgorithm INTEGER, ipcompDictionarySize Unsigned32, ipcompPrivateAlgorithm Unsigned32, ipcompTransformLastChange TimeStamp, ipcompTransformStorageType StorageType } ipcompTransformName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create Various Authors [Page 59] Internet Draft IPsec Policy Configuration MIB February 2001 STATUS current DESCRIPTION "The name of this particular ipcompTransformEntry. This row will be refered to by an ipsecProposalEntry. If a list of ipcompTransformEntries all have the same name, then they are priority sorted by ipcompTransformPriority. " ::= { ipcompTransformEntry 1 } ipcompTransformPriority OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipcompTransformPriority indicates the preferability of this transform proposal. For the set of ipcompTransformEntries which have the same ipcompTransformName, the ipcompTransformPriority must be unique for each member on the list, must start at 1 and monotonically increase to the last member of the list. Lower numbers indicate higher preferability." ::= { ipcompTransformEntry 2 } ipcompAlgorithm OBJECT-TYPE SYNTAX INTEGER { ipcompOui(1), ipcompDeflate(2), ipcompLzs(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "ipcompAlgorithm specifies the transform ID of the IP compression algorithm." ::= { ipcompTransformEntry 3 } ipcompDictionarySize OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "If the algorithm in ipcompAlgorithm requires a dictionary size configuration parameter, then this is the place to put it. This object specifies the log2 maximum size of the dictionary for the compression algorithm." ::= { ipcompTransformEntry 4 } ipcompPrivateAlgorithm OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION Various Authors [Page 60] Internet Draft IPsec Policy Configuration MIB February 2001 "If ipcompPrivateAlgorithm has a value other zero, then it is up to the vendors implementation to determine the meaning of this feild and substitute a data compression algorithm in place of ipcompAlgorithm." ::= { ipcompTransformEntry 5 } ipcompTransformLastChange OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipcompTransformEntry 6 } ipcompTransformStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." ::= { ipcompTransformEntry 7 } ipcompTransformRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. XXX: indicate minimum conditions allowed when transitioning between non-active and active states (both directions). IE, which sub/super-table rows must be of the requested stated? Which columns must be defined for this row to be operational?" ::= { ipcompTransformEntry 8 } -- -- IKE endpoint definition table -- Various Authors [Page 61] Internet Draft IPsec Policy Configuration MIB February 2001 ikeIdentityTable OBJECT-TYPE SYNTAX SEQUENCE OF IkeIdentityEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "IKEIdentity is used to represent the identities that may be used for an IPProtocolEndpoint (or ollection of IPProtocolEndpoints) to identify itself in IKE phase 1 negotiations. The column .UseIKEIdentityType in an ikeActionEntry specifies which type of the available identities to use in a negotiation exchange and the column .IdentityContexts in an ikeRule specifies the match values to be used, along with the local address, to be used in selecting the appropriate identity for a negotiation. The ElementID property value should be that of either the IPProtocolEndpoint or Collection of endpoints as appropriate." ::= { ipsecPolicyConfigObjects 18 } ikeIdentityEntry OBJECT-TYPE SYNTAX IkeIdentityEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "ikeIdentity lists the attributes of an IKE identity." INDEX { ikeIdentityName } ::= { ikeIdentityTable 1 } IkeIdentityEntry ::= SEQUENCE { ikeIdentityName SnmpAdminString, ikeIdentityType INTEGER, ikeIdentityIdString OCTET STRING, ikeIdentityIsOriginator INTEGER, ikeIdentityLastChange TimeStamp, ikeIdentityStorageType StorageType } ikeIdentityName OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "An administrative name for this row entry." ::= { ikeIdentityEntry 1 } ikeIdentityType OBJECT-TYPE SYNTAX INTEGER { ipV4Addr(1), fqdn(2), userAtFqdn(3), ipV4AddrSubnet(4), ipV6Addr(5), ipV6AddrSubnet(6), ipV4AddrRange(7), ipV6AddrRange(8), derAsn1Dn(9), Various Authors [Page 62] Internet Draft IPsec Policy Configuration MIB February 2001 derAsn1Gn(10), keyId(11) } MAX-ACCESS read-create STATUS current DESCRIPTION "The IdentityType specifies the type of IKE Identity." ::= { ikeIdentityEntry 2 } ikeIdentityIdString OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..255)) MAX-ACCESS read-create STATUS current DESCRIPTION "Identity contains a string encoding of the Identity payload. For IKEIdentity instances that are address types, the Identity string value may be omitted and the associated IPProtocolEndpoint or appropriate member of the Collection of endpoints is used." ::= { ikeIdentityEntry 3 } ikeIdentityIsOriginator OBJECT-TYPE SYNTAX INTEGER { originator(1), nonOriginator(2) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies whether the local IKE entity will initiate the IKE negotiation with this peer when such action is triggered by a non-traffic driven event." ::= { ikeIdentityEntry 4 } ikeIdentityLastChange OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-create STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ikeIdentityEntry 5 } ikeIdentityStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Entries which are permanent are expected to have at least one configurable column in the row, but which columns are in fact modifiable is implementation specific." Various Authors [Page 63] Internet Draft IPsec Policy Configuration MIB February 2001 DEFVAL { nonVolatile } ::= { ikeIdentityEntry 6 } ikeIdentityRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. XXX: indicate minimum conditions allowed when transitioning between non-active and active states (both directions). IE, which sub/super-table rows must be of the requested stated? Which columns must be defined for this row to be operational?" ::= { ikeIdentityEntry 7 } END 6. Security Considerations 6.1 Introduction This document defines an SNMP MIB used to configure IPsec. Since IPsec provides security services it is important that the IPsec configuration data be at least as protected as the IPsec provided security service. There are two threat you need to thwart when configuring IPsec devices. 1) only authentic administrators should be allowed to configure devices. 2) unfriendly parties should not be able to read configuration data while the data is in network transit. SNMP version 3 provide security services. Therefore, when configuring data in the IPSEC-POLICY-MIB, you SHOULD use SNMP version 3. The rest of this discussion assumes the use of SNMPv3. SNMPv3 has security services built into the protocol. This is a real strength, because it allows administrators the ability to load new IPsec configuration on a device and keep the conversation private and authenticated under the protection of SNMPv3 before any IPsec protections are available. Once you do establish some IPsec configuration on your device, it would be possible to set up IPsec SAs to then also provide security and integrity services to the configuration conversation. This may seem redundant at first, but will be show to have a use for added privacy protection below. Various Authors [Page 64] Internet Draft IPsec Policy Configuration MIB February 2001 6.2 Protecting against in-authentic access The current SNMPv3 User Security Model provides for key based user authentication. Typically, keys are derived from passwords (but are not required to be), and the keys are then used in HMAC algorithms (currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP data. Each SNMP device keeps a (configured) list of users and keys. Under SNMPv3 user keys may be updated as often as an administrator cares to have users enter new passwords. But Perfect Forward Secrecy for user keys is not yet provided by standards track documents, although RFC2786 defines an experimental method of doing so. SNMPv3 also provides a View Based Access Model. Different users may be given different levels of access (read-write, read-only...) to lists of SNMP objects or subtrees. This view based access control provides fine levels of access control granularity, making it possible to allow some administrators to have control over certain sections of this MIB will prohibiting them from accessing and/or modifying other sections of the MIB. This may be useful if local policy administrators should be given rights to add or amend certain policies, but should not be given rights to change, for example, corporate level policies. 6.3 Protecting against involuntary disclosure While sending IPsec configuration data to a PEP, there are a few critical parameters which MUST NOT be observed by third parties. These include IKE Pre Shared Keys and possibly the private key of a public/private key pair for use in a PKI. Were either of those parameters to be known to a third party, they could then impersonate your device to other IKE peers. And aside from those critical parameters, policy administrators may have an interest in not divulging their any of their policy configuration. SNMPv3 offers privacy security services, but at the time this document was written, it only supported the DES algorithm for privacy services. Support for other (stronger) crypto algorithms was in the works and may be done as you read this. Policy administrators SHOULD use a privacy security service to configure their IPsec policy which is at least as strong as the desired IPsec policy. It is unwise to configure IPsec parameters implementing 3DES algorithms while protecting that conversation with single DES. 6.4 Bootstrapping your configuration Hopefully vendors will not ship new products with a default SNMPv3 user/password pair, but it is possible. Most SNMPv3 distributions should hopefully require an out-of-band initialization over a trusted medium, such as a local console connection. Various Authors [Page 65] Internet Draft IPsec Policy Configuration MIB February 2001 7. Author's Addresses: Michael Baer Network Associates, Inc. 3965 Freedom Circle, Suite 500 Santa Clara, CA 95054 Phone: +1 530 304 1628 Email: mike_baer@nai.com Ricky Charlet Redcreek Communications 3900 Newpark Mall Rd. Newark, CA 94560 Phone: +1 510 795 6903 Email: rcharlet@redcreek.com Wes Hardaker Network Associates, Inc. 3965 Freedom Circle, Suite 500 Santa Clara, CA 95054 Phone: +1 530 400 2774 Email: wes_hardaker@nai.com Cliff Wang SmartPipes Inc. Suite 300, 565 Metro Place South Dublin, OH 43017 Phone: +1 614 923 6241 E-Mail: CWang@smartpipes.com 8. Intellectual Property The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary Various Authors [Page 66] Internet Draft IPsec Policy Configuration MIB February 2001 rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. 9. Full Copyright Statement Copyright (C) The Internet Society (2001). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Various Authors [Page 67]