IPSP M. Baer Internet-Draft Sparta, Inc. Expires: August 28, 2006 R. Charlet Self W. Hardaker Sparta, Inc. R. Story Revelstone Software C. Wang ARO/North Carolina State University February 24, 2006 IPsec Security Policy Database Configuration MIB draft-ietf-ipsp-spd-mib-05.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 28, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract Baer, et al. Expires August 28, 2006 [Page 1] Internet-Draft IPsec SPD configuration MIB February 2006 This document defines an SMIv2 Management Information Base (MIB) module for configuring the security policy database of a device implementing the IPsec protocol. The policy-based packet filtering and the corresponding execution of actions described in this document are of a more general nature than for IPsec configuration alone, such as for configuration of a firewall. This MIB module is designed to be extensible with other enterprise or standards based defined packet filters and actions. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. The Internet-Standard Management Framework . . . . . . . . . . 3 3. Relationship to the DMTF Policy Model . . . . . . . . . . . . 3 4. MIB Module Overview . . . . . . . . . . . . . . . . . . . . . 4 4.1. Usage Tutorial . . . . . . . . . . . . . . . . . . . . . . 5 4.1.1. Notational conventions . . . . . . . . . . . . . . . . 5 4.1.2. Implementing an example SPD policy . . . . . . . . . . 6 5. MIB definition . . . . . . . . . . . . . . . . . . . . . . . . 8 6. Security Considerations . . . . . . . . . . . . . . . . . . . 64 6.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 64 6.2. Protecting against in-authentic access . . . . . . . . . . 65 6.3. Protecting against involuntary disclosure . . . . . . . . 66 6.4. Bootstrapping your configuration . . . . . . . . . . . . . 66 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 66 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 67 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 67 9.1. Normative References . . . . . . . . . . . . . . . . . . . 67 9.2. Informative References . . . . . . . . . . . . . . . . . . 68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 69 Intellectual Property and Copyright Statements . . . . . . . . . . 70 Baer, et al. Expires August 28, 2006 [Page 2] Internet-Draft IPsec SPD configuration MIB February 2006 1. Introduction This document defines a MIB module for configuration of an IPsec security policy database (SPD). The policy-based packet filtering and the corresponding execution of actions is of a more general nature than for IPsec configuration only, such as for configuration of a firewall. It is possible to extend this MIB module and add other packet transforming actions that are performed conditionally on an interface's network traffic. The IPsec and IKE specific actions as documented in [RFCXXXX] and [RFCYYYY] respectively and are not documented in this document. Note: RFCXXXX and RFCYYYY should be replaced by the RFC Editor when these values are determined. 2. The Internet-Standard Management Framework For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410] Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580]. 3. Relationship to the DMTF Policy Model The Distributed Management Task Force (DMTF) has created an object oriented model of IPsec policy information known as the IPsec Policy Model White Paper [IPPMWP]. The "IPsec Configuration Policy Model" (IPCP) [RFC3585] is based in large part on the DMTF's IPsec policy model. The IPCP document describes a model for configuring IPsec. This MIB module is a task specific derivation (i.e. an SMIv2 instantiation) of the IPCP's IPsec configuration model for use with SNMPv3. The high-level areas where this MIB module diverges from the IPCP model are: Baer, et al. Expires August 28, 2006 [Page 3] Internet-Draft IPsec SPD configuration MIB February 2006 o Policies, Groups, Conditions, and some levels of Actions are generically named. In other words, IPsec specific prefixes like "SA" (Security Association), or "IPsec" are not used. This naming convention is used because packet classification and the matching of conditions to actions is more general than IPsec. The tables in this document can possibly be reused by other packet transforming actions which need to conditionally act on packets matching filters. o Filters are implemented in a more generic and scalable manner, rather than enforcing the condition/filtering pairing of the IPCP and its restrictions upon the user. This MIB module offers a compound filter object providing greater flexibility for complex filters than the IPCP. 4. MIB Module Overview The MIB module is modularized into several different parts: rules, filters, and actions. The rules section associates endpoints and groups of rules and consists of the spdEndpointToGroupTable, spdGroupContentsTable, and the spdRuleDefinitionTable. Each row of the spdRuleDefinitionTable connects a filter to an action. It should also be noted that by referencing the spdCompoundFilterTable, the spdRuleDefinitionTable's filter column can indicate a set of filters to be processed. Likewise, by referencing the spdCompoundActionTable, the spdRuleDefinitionTable's action column can indicate multiple actions to be executed. This MIB is structured to allow for reuse through the future creation of extension tables that provide additional filters and/or actions. In fact, the companion documents to this one do just that to define IPsec and IKE specific actions to be used within this SPD configuration MIB. The filter section of the MIB module is composed of the different types of filters in the Policy Model. It is made up of the spdTrueFilter, spdCompoundFilterTable, spdSubfiltersTable spdIpHeaderFilterTable, spdIpOffsetFilterTable, spdTimeFilterTable, spdCompoundFilterTable, spdIpsoHeaderFilterTable. The action section of this MIB module contains only the simple static actions required for the firewall processing that an IPsec SPD implementation requires (e.g. accept, drop, log, ...). The companion documents of this document define the complex actions necessary for IPsec and IKE negotiations. Baer, et al. Expires August 28, 2006 [Page 4] Internet-Draft IPsec SPD configuration MIB February 2006 As may have been noticed above, the MIB uses recursion similarly in several different places. In particular the spdGroupContentsTable, the spdCompoundFilterTable / spdSubfiltersTable combination, and the spdCompoundActionTable / spdSubactionsTable combination can reference themselves. In the case of the spdGroupContentsTable, a row can indicate a rule (i.e. a row in the spdRuleDefinitionTable) or a group (i.e. another set of one or more rows in the spdGroupContentsTable). This way a group can contain a set of rules and sub-groups. Sub-groups are just other groups defined in the spdGroupContentsTable. There is no inherit MIB limit to the nesting of groups. The spdCompoundFilterTable / spdSubfiltersTable combination and spdCompoundActionTable / spdSubactionsTable combination are designed almost identically with one being for filters and the other for actions respectively. The following descriptions for the compound filter tables can be directly applied to the compound action tables. The combination of the tables spdCompoundFilterTable and spdSubfiltersTable allow a user to create a set of filters that can be referenced any table as a single filter. A row in the spdCompoundFilterTable has the basic configuration information for the compound filter. It's name (spdCompFiltname) references a set of rows in the spdSubfiltersTable. Each row in spdSubfiltersTable points at a row in another filter table. In this way, a set of ordered filters composing the compound filter is created. Note that it is possible for one of the rows in the spdSubfiltersTable to point at a row in the spdCompoundFilterTable. This recursion allows the creation of a filter set that include other filter sets within it. There is no inherit MIB limit to the nesting of compound filters within compound filters. 4.1. Usage Tutorial In order to use the tables contained in this document, a general understanding of firewall processing is necessary. The processing of the security policy database involves applying a set of firewall rules to an interface on a device. The given set of rules to apply to any given interface is defined within the ipspEndpointToGroupTable table. This table maps a given interface to a group of rules. In this table, the interface itself is specified using its assigned address. There is also one group of rules per direction (ingress and egress). 4.1.1. Notational conventions Notes about the following example operations: Baer, et al. Expires August 28, 2006 [Page 5] Internet-Draft IPsec SPD configuration MIB February 2006 1. All the example operations in the following section make use of default values for all columns not listed. The operations and column values given in the examples are the minimal SNMP Varbinds that must be sent to create a row. 2. The example operations are formatted such that a row (i.e. the table's Entry object) is operated on by using the indexes to that row and the column values for the that row. 3. Below is a generic example of the notation used in the following section's examples of this MIB's usage. It indicates that the columns column1 and column2 in row rowEntry with indexes index1 and index2 are being set to value1 and value2 respectively.: rowEntry(index1 = value1, index2 = value2) = (column1 = column_value1, column2 = column_value2) 4. The below is a specific example of the notation used in the following section's examples of this MIB's usage. The below shows the status of a row in the IP-MIB::ipAddressTable table being changed to. deprecated. The index values for this row are IPv4 and 192.0.2.1. The example notation would look like the following: ipAddressEntry(ipAddressAddrType = 1, -- ipv4 ipAddressAddr = 0xC0000201 ) -- 192.0.2.1 = (ipAddressStatus = 2) -- deprecated 4.1.2. Implementing an example SPD policy As an example, let us define the following administrative policy: On the network interface with IP address 192.0.2.1, all traffic from host 192.0.2.6 will be dropped and all other traffic will be accepted. This policy is enforced by setting the values in the MIB to do the following: o create a filter for 192.0.2.6 o create a rule that connects the 192.0.2.6 filter to a packet drop action o create a rule that always accepts packets Baer, et al. Expires August 28, 2006 [Page 6] Internet-Draft IPsec SPD configuration MIB February 2006 o group these rules together in the proper order so that the 192.0.2.6 drop rule is checked first. o connect this group of rules to the 192.0.2.1 interface The first step to do this is creating the filter for the IPv4 address 192.0.2.6: SpdIpHeaderFilterEntry(spdIpHeadFiltName = "192.0.2.6") = (spdIpHeadFiltType = 0x80, -- sourceAddress spdIpHeadFiltIPVersion = 1, -- IPv4 spdIpHeadFiltSrcAddressBegin = 0xC0000206, -- 192.0.2.6 spdIpHeadFiltSrcAddressEnd = 0xC0000206, -- 192.0.2.6 spdIpHeadFiltRowStatus = 4) -- createAndGo Next, a rule is created to connect the above "192.0.2.6" filter to an action to "drop" the packet, as follows: spdRuleDefinitionEntry(spdRuleDefName = "drop from 192.0.2.6") = (spdRuleDefFilter = spdIpHeadFiltType.9.49.57.50.46.48.46.50.46.54, spdRuleDefAction = spdDropAction.0, spdRuleDefRowStatus = 4) -- createAndGo Next, a rule is created that accepts all packets: spdRuleDefinitionEntry(spdRuleDefName = "accept all") = (spdRuleDefFilter = spdTrueFilter.0, spdRuleDefAction = spdAcceptAction.0, spdRuleDefRowStatus = 4) -- createAndGo Next, these two rules are grouped together. Rule groups attached to an interface are processed one row at a time. The rows are processed from lowest to highest spdGroupContPiority value. Because the row that references the "accept all" rule should be processed last, it is given the higher spdGroupContPriority value. SpdGroupContentsEntry(spdGroupContName = "ingress", spdGroupContPriority = 65535) = (spdGroupContComponentName = "accept all", spdGroupContRowStatus = 4) -- createAndGo SpdGroupContentsEntry(spdGroupContName = "ingress", spdGroupContPriority = 1000) = (spdGroupContComponentName = "drop from 192.0.2.6", spdGroupContRowStatus = 4) -- createAndGo Finally, this group of rules is connected to the 192.0.2.1 interface Baer, et al. Expires August 28, 2006 [Page 7] Internet-Draft IPsec SPD configuration MIB February 2006 as follows: SpdEndpointToGroupEntry(spdEndGroupDirection = 1, -- ingress spdEndGroupIdentType = 4, -- IPv4 spdEndGroupAddress = 0xC0000001) = (spdEndGroupName = "ingress", spdEndGroupRowStatus = 4) -- createAndGo This completes the necessary steps to implement the policy. Once all of these rules have been applied, the policy should take effect. 5. MIB definition The following MIB Module imports from: [RFC2578], [RFC2579], [RFC2580], [RFC3411], [RFC4001], [RFC3289]. It also uses definitions from [RFC1108]. IPSEC-SPD-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32, mib-2 FROM SNMPv2-SMI -- [RFC2578] TEXTUAL-CONVENTION, RowStatus, TruthValue, TimeStamp, StorageType, VariablePointer, DateAndTime FROM SNMPv2-TC -- [RFC2579] MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP FROM SNMPv2-CONF -- [RFC2580] SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- [RFC3411] InetAddressType, InetAddress FROM INET-ADDRESS-MIB -- [RFC3291] diffServMIBMultiFieldClfrGroup, IfDirection, diffServMultiFieldClfrNextFree FROM DIFFSERV-MIB Baer, et al. Expires August 28, 2006 [Page 8] Internet-Draft IPsec SPD configuration MIB February 2006 -- [RFC3289] ; -- -- module identity -- spdMIB MODULE-IDENTITY LAST-UPDATED "200602240000Z" -- 24 February 2006 ORGANIZATION "IETF IP Security Policy Working Group" CONTACT-INFO "Michael Baer Sparta, Inc. Phone: +1 530 902 3131 Email: baerm@tislabs.com Ricky Charlet Email: rcharlet@alumni.calpoly.edu Wes Hardaker Sparta, Inc. P.O. Box 382 Davis, CA 95617 Phone: +1 530 792 1913 Email: hardaker@tislabs.com Robert Story Revelstone Software PO Box 1812 Tucker, GA 30085 Phone: +1 770 617 3722 Email: ipsp-mib@revelstone.com Cliff Wang SmartPipes Inc. Suite 300, 565 Metro Place South Dublin, OH 43017 Phone: +1 614 923 6241 E-Mail: cliffwang2000@yahoo.com" DESCRIPTION "This MIB module defines configuration objects for managing IPsec Security Policies. Copyright (C) The Internet Society (2005). This version of this MIB module is part of RFC ZZZZ, see the RFC itself for full legal notices." -- Revision History Baer, et al. Expires August 28, 2006 [Page 9] Internet-Draft IPsec SPD configuration MIB February 2006 REVISION "200602240000Z" -- 24 February 2006 DESCRIPTION "Initial version, published as RFC ZZZZ." -- RFC-editor assigns ZZZZ -- xxx: To be assigned by IANA ::= { mib-2 xxx } -- -- groups of related objects -- spdConfigObjects OBJECT IDENTIFIER ::= { spdMIB 1 } spdNotificationObjects OBJECT IDENTIFIER ::= { spdMIB 2 } spdConformanceObjects OBJECT IDENTIFIER ::= { spdMIB 3 } spdActions OBJECT IDENTIFIER ::= { spdMIB 4 } -- -- Textual Conventions -- SpdBooleanOperator ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The SpdBooleanOperator operator is used to specify whether sub-components in a decision making process are ANDed or ORed together to decide if the resulting expression is true or false." SYNTAX INTEGER { or(1), and(2) } SpdAdminStatus ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The SpdAdminStatus is used to specify the administrative status of an object. Objects which are disabled must not be used by the packet processing engine." SYNTAX INTEGER { enabled(1), disabled(2) } SpdIPPacketLogging ::= TEXTUAL-CONVENTION DISPLAY-HINT "d" STATUS current DESCRIPTION "SpdIPPacketLogging specifies whether an audit message should be logged if a packet is passed through a Security Association (SA) and if some of that packet should be Baer, et al. Expires August 28, 2006 [Page 10] Internet-Draft IPsec SPD configuration MIB February 2006 included in the log event. A value of '-1' indicates no logging. A value of '0' or greater indicates that logging should be done and indicates the number of bytes starting at the beginning of the packet to place in the log. Values greater than the size of the packet being processed indicate that the entire packet should be sent. Examples: '-1' no logging '0' log but do not include any of the packet in the log '20' log and include the first 20 bytes of the packet in the log." SYNTAX Integer32 (-1..65535) -- -- Policy group definitions -- spdLocalConfigObjects OBJECT IDENTIFIER ::= { spdConfigObjects 1 } spdIngressPolicyGroupName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-write STATUS current DESCRIPTION "This object indicates the global system policy group that is to be applied on ingress packets (I.E., arriving at a interface) when a given endpoint does not contain a policy definition in the spdEndpointToGroupTable. Its value can be used as an index into the spdGroupContentsTable to retrieve a list of policies. A zero length string indicates no system wide policy exists and the default policy of 'drop' should be executed for ingress packets until one is imposed by either this object or by the endpoint processing a given packet. This object MUST be persistent" DEFVAL { "" } ::= { spdLocalConfigObjects 1 } spdEgressPolicyGroupName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-write STATUS current DESCRIPTION "This object indicates the policy group containing the Baer, et al. Expires August 28, 2006 [Page 11] Internet-Draft IPsec SPD configuration MIB February 2006 global system policy that is to be applied on egress packets (I.E., leaving an interface) when a given endpoint does not contain a policy definition in the spdEndpointToGroupTable. Its value can be used as an index into the spdGroupContentsTable to retrieve a list of policies. A zero length string indicates no system wide policy exits and the default policy of 'drop' should be executed for egress packets until one is imposed by either this object or by the endpoint processing a given packet. This object MUST be persistent" DEFVAL { "" } ::= { spdLocalConfigObjects 2 } spdEndpointToGroupTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdEndpointToGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table maps policies (groupings) onto an endpoint where traffic is to pass by. Any policy group assigned to an endpoint is then used to control access to the traffic passing by it. If an endpoint has been configured with a policy group and no rule within that policy group matches the ingress packet, the default action in this case shall be to drop the packet. If no policy group has been assigned to an endpoint, then the policy group specified by spdSystemPolicyGroupName MUST be used for the endpoint." ::= { spdConfigObjects 2 } spdEndpointToGroupEntry OBJECT-TYPE SYNTAX SpdEndpointToGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A mapping assigning a policy group to an endpoint. Note: Since the spdEndGroupAddressType object currently only allows for IPv4 and IPv6 address, the spdEndGroupAddress value should be either 4 or 16 octets long. But implementors should be aware that if the size of spdEndGroupAddress ever exceeds 115 octets, column instance OIDs (i.e. the index) for this table will have more than 128 sub-identifiers and will be unaccessible using SNMPv1, Baer, et al. Expires August 28, 2006 [Page 12] Internet-Draft IPsec SPD configuration MIB February 2006 SNMPv2c, or SNMPv3." INDEX { spdEndGroupDirection, spdEndGroupAddressType, spdEndGroupAddress } ::= { spdEndpointToGroupTable 1 } SpdEndpointToGroupEntry ::= SEQUENCE { spdEndGroupDirection IfDirection, spdEndGroupAddressType InetAddressType, spdEndGroupAddress InetAddress, spdEndGroupName SnmpAdminString, spdEndGroupLastChanged TimeStamp, spdEndGroupStorageType StorageType, spdEndGroupRowStatus RowStatus } spdEndGroupDirection OBJECT-TYPE SYNTAX IfDirection MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object indicates which direction of packets crossing the interface should be associated with which spdEndGroupName object. Ingress packets, or packets into the device match when this value is inbound(1). Egress packets or packets out of the device match when this value is outbound(2)." ::= { spdEndpointToGroupEntry 1 } spdEndGroupAddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS not-accessible STATUS current DESCRIPTION "The Internet Protocol version of the address associated with a given endpoint. All addresses are represented as an array of octets in network byte order. When combined with the spdEndGroupAddress these objects can be used to uniquely identify an endpoint that a set of policy groups should be applied to. Devices supporting IPv4 MUST support the ipv4 value, and devices supporting IPv6 MUST support the ipv6 value." ::= { spdEndpointToGroupEntry 2 } spdEndGroupAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS not-accessible STATUS current DESCRIPTION Baer, et al. Expires August 28, 2006 [Page 13] Internet-Draft IPsec SPD configuration MIB February 2006 "The address of a given endpoint. The format of this object is specified by the spdEndGroupAddressType object." ::= { spdEndpointToGroupEntry 3 } spdEndGroupName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "The policy group name to apply to this endpoint. The value of the spdEndGroupName object should then be used as an index into the spdGroupContentsTable to come up with a list of rules that MUST be applied to this endpoint." ::= { spdEndpointToGroupEntry 4 } spdEndGroupLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { spdEndpointToGroupEntry 5 } spdEndGroupStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdEndpointToGroupEntry 6 } spdEndGroupRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. Baer, et al. Expires August 28, 2006 [Page 14] Internet-Draft IPsec SPD configuration MIB February 2006 The value of this object has no effect on whether other objects in this conceptual row can be modified. This object is considered 'notReady' and may not be set to active until one or more active rows exist within the spdGroupContentsTable for the group referenced by the spdEndGroupName object." ::= { spdEndpointToGroupEntry 7 } -- -- policy group definition table -- spdGroupContentsTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdGroupContentsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of rules and/or subgroups contained within a given policy group. For a given value of spdGroupContName, the set of rows sharing that value forms a 'group'. The rows in a group MUST be processed according to the value of the spdGroupContPriority object. The processing MUST be executed starting with the lowest value of spdGroupContPriority and in ascending order thereafter. If an action is executed as the result of the procesing of a row in a group, the processing of further rows in that group MUST stop. Iterating to the next policy group row by finding the next largest spdGroupContPriority object shall only be done if no actions were run while processing the current row for a given packet." ::= { spdConfigObjects 3 } spdGroupContentsEntry OBJECT-TYPE SYNTAX SpdGroupContentsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Defines a given sub-component within a policy group. A sub-component is either a rule or another group as indicated by spdGroupContCompontentType and referenced by spdGroupContCompontentName." INDEX { spdGroupContName, spdGroupContPriority } ::= { spdGroupContentsTable 1 } SpdGroupContentsEntry ::= SEQUENCE { Baer, et al. Expires August 28, 2006 [Page 15] Internet-Draft IPsec SPD configuration MIB February 2006 spdGroupContName SnmpAdminString, spdGroupContPriority Integer32, spdGroupContFilter VariablePointer, spdGroupContComponentType INTEGER, spdGroupContComponentName SnmpAdminString, spdGroupContLastChanged TimeStamp, spdGroupContStorageType StorageType, spdGroupContRowStatus RowStatus } spdGroupContName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name of this group. A 'group' is formed by all the rows in this table that have the same value of this object." ::= { spdGroupContentsEntry 1 } spdGroupContPriority OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The priority (sequence number) of the sub-component in this group. This value indicates the order that each row of this table should be processed from low to high. For example, a row with a priority of 0 is processed before a row with a priority of 1, a 1 before a 2, etc...." ::= { spdGroupContentsEntry 2 } spdGroupContFilter OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS read-create STATUS current DESCRIPTION "spdGroupContFilter points to a filter which is evaluated to determine whether the spdGroupContComponentName within this row should be exercised. Managers can use this object to classify groups of rules or subgroups together in order to achieve a greater degree of control and optimization over the execution order of the items within the group. If the filter evaluates to false, the rule or subgroup will be skipped and the next rule or subgroup will be evaluated instead. This value can be used to indicate a scalar or a row in a table. When indicating a row in a table, this value MUST point to the first column instance in that row. Baer, et al. Expires August 28, 2006 [Page 16] Internet-Draft IPsec SPD configuration MIB February 2006 An example usage of this object would be to limit a group of rules to executing only when the IP packet being process is designated to be processed by IKE. This effectively creates a group of IKE specific rules. This MIB defines the following tables and scalars which may be pointed to by this column. Implementations may choose to provide support for other filter tables or scalars as well: diffServMultiFieldClfrTable spdIpOffsetFilterTable spdTimeFilterTable spdCompoundFilterTable spdTrueFilter spdIpsoHeaderFilterTable If this column is set to a VariablePointer value which references a non-existent row in an otherwise supported table, the inconsistentValue exception should be returned. If the table or scalar pointed to by the VariablePointer is not supported at all, then an genErr exception should be returned. If during packet processing this column has a value that references a non-existent or non-supported object, the packet should be dropped." DEFVAL { spdTrueFilter } ::= { spdGroupContentsEntry 3 } spdGroupContComponentType OBJECT-TYPE SYNTAX INTEGER { group(1), rule(2) } MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates whether the spdGroupContComponentName object is the name of another group defined within the spdGroupContentsTable or is the name of a rule defined within the spdRuleDefinitionTable." DEFVAL { rule } ::= { spdGroupContentsEntry 4 } spdGroupContComponentName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "The name of the policy rule or subgroup contained within Baer, et al. Expires August 28, 2006 [Page 17] Internet-Draft IPsec SPD configuration MIB February 2006 this group, as indicated by the spdGroupContComponentType object." ::= { spdGroupContentsEntry 5 } spdGroupContLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { spdGroupContentsEntry 6 } spdGroupContStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdGroupContentsEntry 7 } spdGroupContRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. This object may not be set to active until the row to which the spdGroupContComponentName points to exists and is active. If active, this object MUST remain active unless one of the following two conditions are met: I. No active row in spdEndpointToGroupTable exists which references this row's group (i.e. indicate this row's spdGroupContName). Baer, et al. Expires August 28, 2006 [Page 18] Internet-Draft IPsec SPD configuration MIB February 2006 II. Or at least one other active row in this table has a matching spdGroupContName. If neither condition is met, an attempt to set this row to something other than active should result in an inconsistentValue error." ::= { spdGroupContentsEntry 8 } -- -- policy definition table -- spdRuleDefinitionTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdRuleDefinitionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table defines a rule by associating a filter or a set of filters to an action to be executed." ::= { spdConfigObjects 4 } spdRuleDefinitionEntry OBJECT-TYPE SYNTAX SpdRuleDefinitionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row defining a particular rule definition. A rule definition binds a filter pointer to an action pointer." INDEX { spdRuleDefName } ::= { spdRuleDefinitionTable 1 } SpdRuleDefinitionEntry ::= SEQUENCE { spdRuleDefName SnmpAdminString, spdRuleDefDescription SnmpAdminString, spdRuleDefFilter VariablePointer, spdRuleDefFilterNegated TruthValue, spdRuleDefAction VariablePointer, spdRuleDefAdminStatus SpdAdminStatus, spdRuleDefLastChanged TimeStamp, spdRuleDefStorageType StorageType, spdRuleDefRowStatus RowStatus } spdRuleDefName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current Baer, et al. Expires August 28, 2006 [Page 19] Internet-Draft IPsec SPD configuration MIB February 2006 DESCRIPTION "spdRuleDefName is the administratively assigned name of the rule referred to by the spdGroupContComponentName object." ::= { spdRuleDefinitionEntry 1 } spdRuleDefDescription OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "A user defined string. This field may be used for administrative tracking purposes." DEFVAL { "" } ::= { spdRuleDefinitionEntry 2 } spdRuleDefFilter OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS read-create STATUS current DESCRIPTION "spdRuleDefFilter points to a filter which is used to evaluate whether the action associated with this row should be executed or not. The action will only fire if the filter referenced by this object evaluates to TRUE after first applying any negation required by the spdRuleDefFilterNegated object. This MIB defines the following tables and scalars which may be pointed to by this column. Implementations may choose to provide support for other filter tables or scalars as well: diffServMultiFieldClfrTable spdIpOffsetFilterTable spdTimeFilterTable spdCompoundFilterTable spdTrueFilter If this column is set to a VariablePointer value which references a non-existent row in an otherwise supported table, the inconsistentName exception should be returned. If the table or scalar pointed to by the VariablePointer is not supported at all, then an inconsistentValue exception should be returned. If during packet processing this column has a value that references a non-existent or non-supported object, the Baer, et al. Expires August 28, 2006 [Page 20] Internet-Draft IPsec SPD configuration MIB February 2006 packet should be dropped." ::= { spdRuleDefinitionEntry 3 } spdRuleDefFilterNegated OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "spdRuleDefFilterNegated specifies whether the filter referenced by the spdRuleDefFilter object should be negated or not." DEFVAL { false } ::= { spdRuleDefinitionEntry 4 } spdRuleDefAction OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS read-create STATUS current DESCRIPTION "This column points to the action to be taken. It may, but is not limited to, point to a row in one of the following tables: spdCompoundActionTable ipsaSaPreconfiguredActionTable ipiaIkeActionTable ipiaIpsecActionTable It may also point to one of the scalar objects beneath spdStaticActions. If this object is set to a pointer to a row in an unsupported (or unknown) table, an inconsistentValue error should be returned. If this object is set to point to a non-existent row in an otherwise supported table, an inconsistentName error should be returned. If during packet processing this column has a value that references a non-existent or non-supported object, the packet should be dropped." ::= { spdRuleDefinitionEntry 5 } spdRuleDefAdminStatus OBJECT-TYPE SYNTAX SpdAdminStatus MAX-ACCESS read-create STATUS current Baer, et al. Expires August 28, 2006 [Page 21] Internet-Draft IPsec SPD configuration MIB February 2006 DESCRIPTION "Indicates whether the current rule definition is considered active. If the value is enabled the rule MUST be evaluated when processing packets. If the value is disabled, the packet processing MUST continue as if this rule's filter had effectively failed." DEFVAL { enabled } ::= { spdRuleDefinitionEntry 6 } spdRuleDefLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { spdRuleDefinitionEntry 7 } spdRuleDefStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdRuleDefinitionEntry 8 } spdRuleDefRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. This object may not be set to active until the containing conditions, filters and actions have been defined. Once active, it must remain active until no active policyGroupContents entries are referencing it. A failed attempt to do so should return an inconsistentValue error." Baer, et al. Expires August 28, 2006 [Page 22] Internet-Draft IPsec SPD configuration MIB February 2006 ::= { spdRuleDefinitionEntry 9 } -- -- Policy compound filter definition table -- spdCompoundFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdCompoundFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table defining a compound set of filters and the set's associated parameters. A row in this table can be pointed to by a spdRuleDefFilter object." ::= { spdConfigObjects 5 } spdCompoundFilterEntry OBJECT-TYPE SYNTAX SpdCompoundFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the spdCompoundFilterTable. A filter defined by this table is considered to have a TRUE return value if and only if: spdCompFiltLogicType is AND and all of the sub-filters associated with it, as defined in the spdSubfiltersTable, are all true themselves (after applying any required negation as defined by the ficFilterIsNegated object). spdCompFiltLogicType is OR and at least one of the sub-filters associated with it, as defined in the spdSubfiltersTable, is true itself (after applying any required negation as defined by the ficFilterIsNegated object." INDEX { spdCompFiltName } ::= { spdCompoundFilterTable 1 } SpdCompoundFilterEntry ::= SEQUENCE { spdCompFiltName SnmpAdminString, spdCompFiltDescription SnmpAdminString, spdCompFiltLogicType SpdBooleanOperator, spdCompFiltLastChanged TimeStamp, spdCompFiltStorageType StorageType, spdCompFiltRowStatus RowStatus } spdCompFiltName OBJECT-TYPE Baer, et al. Expires August 28, 2006 [Page 23] Internet-Draft IPsec SPD configuration MIB February 2006 SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A user definable string. This value is used as an index into this table." ::= { spdCompoundFilterEntry 1 } spdCompFiltDescription OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "A user definable string. You may use this field for your administrative tracking purposes." DEFVAL { "" } ::= { spdCompoundFilterEntry 2 } spdCompFiltLogicType OBJECT-TYPE SYNTAX SpdBooleanOperator MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates whether the filters contained within this filter are functionally ANDed or ORed together." DEFVAL { and } ::= { spdCompoundFilterEntry 3 } spdCompFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { spdCompoundFilterEntry 4 } spdCompFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. Baer, et al. Expires August 28, 2006 [Page 24] Internet-Draft IPsec SPD configuration MIB February 2006 For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdCompoundFilterEntry 5 } spdCompFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. Once active, it may not have its value changed if any active rows in the spdRuleDefinitionTable are currently pointing at this row." ::= { spdCompoundFilterEntry 6 } -- -- Policy filters in a cf table -- spdSubfiltersTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdSubfiltersEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table defines a list of filters contained within a given compound filter set defined in the spdCompoundFilterTable." ::= { spdConfigObjects 6 } spdSubfiltersEntry OBJECT-TYPE SYNTAX SpdSubfiltersEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in a list of filters for a given compound filter. A list is formed by the set of rows in this table that share the same value of spdCompFiltName. There will also be an associated row in the spdCompoundFilterTable with parameters specific to the filter set." INDEX { spdCompFiltName, spdSubFiltPriority } ::= { spdSubfiltersTable 1 } SpdSubfiltersEntry ::= SEQUENCE { Baer, et al. Expires August 28, 2006 [Page 25] Internet-Draft IPsec SPD configuration MIB February 2006 spdSubFiltPriority Integer32, spdSubFiltSubfilter VariablePointer, spdSubFiltSubfilterIsNegated TruthValue, spdSubFiltLastChanged TimeStamp, spdSubFiltStorageType StorageType, spdSubFiltRowStatus RowStatus } spdSubFiltPriority OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The priority of a given filter within a set of filters. The order of execution should be from lowest to highest priority value (i.e., priority 0 before priority 1, 1 before 2, etc...). Implementations MAY choose to follow this ordering as set by the manager that created the rows. This can allow a manager to intelligently construct filter lists such that faster filters are evaluated first." ::= { spdSubfiltersEntry 1 } spdSubFiltSubfilter OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS read-create STATUS current DESCRIPTION "The location of the contained filter. The value of this column should be a VariablePointer which references the properties for the filter to be included in this compound filter. This MIB defines the following tables and scalars which may be pointed to by this column. Implementations may choose to provide support for other filter tables or scalars as well: diffServMultiFieldClfrTable spdIpsoHeaderFilterTable spdIpOffsetFilterTable spdTimeFilterTable spdCompoundFilterTable spdTrueFilter If this column is set to a VariablePointer value which references a non-existent row in an otherwise supported table, the inconsistentName exception should be returned. If the table or scalar pointed to by the Baer, et al. Expires August 28, 2006 [Page 26] Internet-Draft IPsec SPD configuration MIB February 2006 VariablePointer is not supported at all, then an inconsistentValue exception should be returned. If during packet processing this column has a value that references a non-existent or non-supported object, the packet should be dropped." ::= { spdSubfiltersEntry 2 } spdSubFiltSubfilterIsNegated OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates whether the result of applying this subfilter should be negated." DEFVAL { false } ::= { spdSubfiltersEntry 3 } spdSubFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { spdSubfiltersEntry 4 } spdSubFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdSubfiltersEntry 5 } spdSubFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. Baer, et al. Expires August 28, 2006 [Page 27] Internet-Draft IPsec SPD configuration MIB February 2006 The value of this object has no effect on whether other objects in this conceptual row can be modified. This object can not be made active until a filter referenced by the spdSubFiltSubfilter object is both defined and is active. An attempt to do so will result in an inconsistentValue error. If active, this object MUST remain active unless one of the following two conditions are met: I. No active row in the SpdCompoundFilterTable exists which has a matching spdCompFiltName. II. Or at least one other active row in this table has a matching spdCompFiltName. If neither condition is met, an attempt to set this row to something other than active should result in an inconsistentValue error." ::= { spdSubfiltersEntry 6 } -- -- Static Filters -- spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 } spdTrueFilter OBJECT-TYPE SYNTAX Integer32 (1) MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates a (automatic) true result for a filter. I.e. this is a filter that is always true, useful for adding as a default filter for a default action or a set of actions." ::= { spdStaticFilters 1 } spdTrueFilterInstance OBJECT IDENTIFIER ::= { spdTrueFilter 0 } -- -- Policy IP Offset filter definition table -- spdIpOffsetFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdIpOffsetFilterEntry Baer, et al. Expires August 28, 2006 [Page 28] Internet-Draft IPsec SPD configuration MIB February 2006 MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of filter definitions to be used within the spdRuleDefinitionTable or the spdSubfiltersTable. This filter is used to compare an administrator set variable length octet string to the octets at a particular location in a packet." ::= { spdConfigObjects 8 } spdIpOffsetFilterEntry OBJECT-TYPE SYNTAX SpdIpOffsetFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A definition of a particular filter." INDEX { spdIpOffFiltName } ::= { spdIpOffsetFilterTable 1 } SpdIpOffsetFilterEntry ::= SEQUENCE { spdIpOffFiltName SnmpAdminString, spdIpOffFiltOffset Integer32, spdIpOffFiltType INTEGER, spdIpOffFiltValue OCTET STRING, spdIpOffFiltLastChanged TimeStamp, spdIpOffFiltStorageType StorageType, spdIpOffFiltRowStatus RowStatus } spdIpOffFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name for this filter." ::= { spdIpOffsetFilterEntry 1 } spdIpOffFiltOffset OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS read-create STATUS current DESCRIPTION "This is the byte offset from the front of the entire IP packet where the value or arithmetic comparison is done. A value of '0' indicates the first byte of the packet header." ::= { spdIpOffsetFilterEntry 2 } Baer, et al. Expires August 28, 2006 [Page 29] Internet-Draft IPsec SPD configuration MIB February 2006 spdIpOffFiltType OBJECT-TYPE SYNTAX INTEGER { equal(1), notEqual(2), arithmeticLess(3), arithmeticGreaterOrEqual(4), arithmeticGreater(5), arithmeticLessOrEqual(6) } MAX-ACCESS read-create STATUS current DESCRIPTION "This defines the various tests that are used when evaluating a given filter. The various tests definable in this table are as follows: equal: - Tests if the OCTET STRING, 'spdIpOffFiltValue', matches a value in the packet starting at the given offset in the packet and comparing the entire OCTET STRING of 'spdIpOffFiltValue'. Any numeric values compared this way are assumed to be unsigned integer values in network byte order of the same length as 'spdIpOffFiltValue'. notEqual: - Tests if the OCTET STRING, 'spdIpOffFiltValue', does not match a value in the packet starting at the given offset in the packet and comparing to the entire OCTET STRING of 'spdIpOffFiltValue'. Any numeric values compared this way are assumed to be unsigned integer values in network byte order of the same length as 'spdIpOffFiltValue'. arithmeticLess: - Tests if the OCTET STRING, 'spdIpOffFiltValue', is arithmetically less than ('<') the value starting at the given offset within the packet. The value in the packet is assumed to be an unsigned integer in network byte order of the same length as 'spdIpOffFiltValue'. arithmeticGreaterOrEqual: - Tests if the OCTET STRING, 'spdIpOffFiltValue', is arithmetically greater than or equal to ('>=') the value starting at the given offset within the packet. The value in the packet is assumed to be an unsigned integer in network byte order of the same length as 'spdIpOffFiltValue'. Baer, et al. Expires August 28, 2006 [Page 30] Internet-Draft IPsec SPD configuration MIB February 2006 arithmeticGreater: - Tests if the OCTET STRING, 'spdIpOffFiltValue', is arithmetically greater than ('>') the value starting at the given offset within the packet. The value in the packet is assumed to be an unsigned integer in network byte order of the same length as 'spdIpOffFiltValue'. arithmeticLessOrEqual: - Tests if the OCTET STRING, 'spdIpOffFiltValue', is arithmetically less than or equal to ('<=') the value starting at the given offset within the packet. The value in the packet is assumed to be an unsigned integer in network byte order of the same length as 'spdIpOffFiltValue'." ::= { spdIpOffsetFilterEntry 3 } spdIpOffFiltValue OBJECT-TYPE SYNTAX OCTET STRING (SIZE(1..1024)) MAX-ACCESS read-create STATUS current DESCRIPTION "spdIpOffFiltValue is used for match comparisons of a packet at spdIpOffFiltOffset." ::= { spdIpOffsetFilterEntry 4 } spdIpOffFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { spdIpOffsetFilterEntry 5 } spdIpOffFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. For a storage type of permanent, none of the columns have to be writable." Baer, et al. Expires August 28, 2006 [Page 31] Internet-Draft IPsec SPD configuration MIB February 2006 DEFVAL { nonVolatile } ::= { spdIpOffsetFilterEntry 6 } spdIpOffFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active if it is referenced by an active row in another table. An attempt to set it to anything other than active while it is referenced by an active row in another table will result in an inconsistentValue error." ::= { spdIpOffsetFilterEntry 7 } -- -- Time/scheduling filter table -- spdTimeFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdTimeFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Defines a table of filters which can be used to effectively enable or disable policies based on a valid time range." ::= { spdConfigObjects 9 } spdTimeFilterEntry OBJECT-TYPE SYNTAX SpdTimeFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row describing a given time frame for which a policy may be filtered on to place the rule active or inactive. If all the column objects in a row are true for the current time, the row evaluates as 'true'. More explicitly, the time matching column objects in a row MUST be logically AND'd together to form the boolean true/false for the row." Baer, et al. Expires August 28, 2006 [Page 32] Internet-Draft IPsec SPD configuration MIB February 2006 INDEX { spdTimeFiltName } ::= { spdTimeFilterTable 1 } SpdTimeFilterEntry ::= SEQUENCE { spdTimeFiltName SnmpAdminString, spdTimeFiltPeriodStart DateAndTime, spdTimeFiltPeriodEnd DateAndTime, spdTimeFiltMonthOfYearMask BITS, spdTimeFiltDayOfMonthMask OCTET STRING, spdTimeFiltDayOfWeekMask BITS, spdTimeFiltTimeOfDayMaskStart DateAndTime, spdTimeFiltTimeOfDayMaskEnd DateAndTime, spdTimeFiltLastChanged TimeStamp, spdTimeFiltStorageType StorageType, spdTimeFiltRowStatus RowStatus } spdTimeFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "An administratively assigned name for this filter." ::= { spdTimeFilterEntry 1 } spdTimeFiltPeriodStart OBJECT-TYPE SYNTAX DateAndTime MAX-ACCESS read-create STATUS current DESCRIPTION "The starting time for this filter. This column is considered 'true' if the current time evaluates as later than this object. Note: the default value of this object is the minimum value for a DateAndTime object and should evaluate to 'true' for any realistic time." DEFVAL { '00000101000000002b0000'H } ::= { spdTimeFilterEntry 2 } spdTimeFiltPeriodEnd OBJECT-TYPE SYNTAX DateAndTime MAX-ACCESS read-create STATUS current DESCRIPTION "The ending time for this filter. This column is considered 'true' if the current time evaluates as previous to this Baer, et al. Expires August 28, 2006 [Page 33] Internet-Draft IPsec SPD configuration MIB February 2006 object. Note: the default value for this object is the maximum value for a DateAndTime object and should evaluate to 'true' for any realistic time." DEFVAL { '99991231235959092b0000'H } ::= { spdTimeFilterEntry 3 } spdTimeFiltMonthOfYearMask OBJECT-TYPE SYNTAX BITS { january(0), february(1), march(2), april(3), may(4), june(5), july(6), august(7), september(8), october(9), november(10), december(11) } MAX-ACCESS read-create STATUS current DESCRIPTION "A bit mask which indicates acceptable months of the year. This column evaluates to 'true' if the current month's bit is set." DEFVAL { { january, february, march, april, may, june, july, august, september, october, november, december } } ::= { spdTimeFilterEntry 4 } spdTimeFiltDayOfMonthMask OBJECT-TYPE SYNTAX OCTET STRING (SIZE(8)) MAX-ACCESS read-create STATUS current DESCRIPTION "Defines which days of the month the current time is valid for. It is a sequence of 64 BITS, where each BIT represents a corresponding day of the month in forward or reverse order. Starting from the left most bit, the first 31 bits identify the day of the month counting from the beginning of the month. The following 31 bits (bits 32-62) indicate the day of the month counting from the end month. For months with fewer than 31 days, the bits that correspond to the non-existing days of that month are ignored (e.g. for non-leap year Februarys, bits 29-31 and 60-62 are ignored). This column evaluates to 'true' if the current day of the month's bit is set. For example, A value of 0X'80 00 00 01 00 00 00 00' indicates that this column evaluates to true on the first and last days of the month. Baer, et al. Expires August 28, 2006 [Page 34] Internet-Draft IPsec SPD configuration MIB February 2006 The last two bits in the string MUST be zero." DEFVAL { 'fffffffffffffffe'H } ::= { spdTimeFilterEntry 5 } spdTimeFiltDayOfWeekMask OBJECT-TYPE SYNTAX BITS { sunday(0), monday(1), tuesday(2), wednesday(3), thursday(4), friday(5), saturday(6) } MAX-ACCESS read-create STATUS current DESCRIPTION "A bit mask which defines which days of the week the current time is valid for. This column evaluates to 'true' if the current day of the week's bit is set." DEFVAL { { monday, tuesday, wednesday, thursday, friday, saturday, sunday } } ::= { spdTimeFilterEntry 6 } spdTimeFiltTimeOfDayMaskStart OBJECT-TYPE SYNTAX DateAndTime MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates the starting time of day for which this filter evaluates to true. The date portions of the DateAndTime TC are ignored for purposes of evaluating this mask and only the time specific portions are used. This column evaluates to 'true' in two cases. It is 'true' if the current time of day is later than the time of day indicated by this object. It is also 'true' if this object is equal to the spdTimeFiltTimeOfDayMaskEnd object." DEFVAL { '00000000000000002b0000'H } ::= { spdTimeFilterEntry 7 } spdTimeFiltTimeOfDayMaskEnd OBJECT-TYPE SYNTAX DateAndTime MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates the ending time of day for which this filter evaluates to true. The date portions of the DateAndTime TC are ignored for purposes of evaluating this mask and only the time specific portions are used. This column evaluates to 'true' in two cases. It is 'true' if the current time of day is previous to the time of day indicated by this object. It is also 'true' if this object Baer, et al. Expires August 28, 2006 [Page 35] Internet-Draft IPsec SPD configuration MIB February 2006 is equal to the spdTimeFiltTimeOfDayMaskStart object." DEFVAL { '00000000000000002b0000'H } ::= { spdTimeFilterEntry 8 } spdTimeFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { spdTimeFilterEntry 9 } spdTimeFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdTimeFilterEntry 10 } spdTimeFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. However, any attempt to set this row to active when the spdTimeFiltTimeOfDayMaskEnd object is earlier than spdTimeFiltTimeOfDayMaskStart object should fail with an inconsistentValue error. Although, setting these objects to the same value is allowed. If active, this object must remain active if it is referenced by an active row in another table. An attempt to set it to anything other than active while it is Baer, et al. Expires August 28, 2006 [Page 36] Internet-Draft IPsec SPD configuration MIB February 2006 referenced by an active row in another table will result in an inconsistentValue error." ::= { spdTimeFilterEntry 11 } -- -- IPSO protection authority filtering -- spdIpsoHeaderFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdIpsoHeaderFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of IPSO header filter definitions to be used within the spdRuleDefinitionTable or the spdSubfiltersTable. IPSO headers and their values are described in RFC1108." REFERENCE "RFC 1108" ::= { spdConfigObjects 10 } spdIpsoHeaderFilterEntry OBJECT-TYPE SYNTAX SpdIpsoHeaderFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A definition of a particular filter." INDEX { spdIpsoHeadFiltName } ::= { spdIpsoHeaderFilterTable 1 } SpdIpsoHeaderFilterEntry ::= SEQUENCE { spdIpsoHeadFiltName SnmpAdminString, spdIpsoHeadFiltType BITS, spdIpsoHeadFiltClassification INTEGER, spdIpsoHeadFiltProtectionAuth INTEGER, spdIpsoHeadFiltLastChanged TimeStamp, spdIpsoHeadFiltStorageType StorageType, spdIpsoHeadFiltRowStatus RowStatus } spdIpsoHeadFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name for this filter." ::= { spdIpsoHeaderFilterEntry 1 } spdIpsoHeadFiltType OBJECT-TYPE Baer, et al. Expires August 28, 2006 [Page 37] Internet-Draft IPsec SPD configuration MIB February 2006 SYNTAX BITS { classificationLevel(0), protectionAuthority(1) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates which of the IPSO header field a packet should be filtered on for this row. If this object is set to classification(0), the spdIpsoHeadFiltClassification object indicates how the packet is filtered. If this object is set to protectionAuthority(1), the spdIpsoHeadFiltProtectionAuth object indicates how the packet is filtered." ::= { spdIpsoHeaderFilterEntry 2 } spdIpsoHeadFiltClassification OBJECT-TYPE SYNTAX INTEGER { topSecret(61), secret(90), confidential(150), unclassified(171) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the IPSO classification header field value that the packet must have for this row to evaluate to 'true'. The values of these enumerations are defined by RFC1108." REFERENCE "RFC 1108" ::= { spdIpsoHeaderFilterEntry 3 } spdIpsoHeadFiltProtectionAuth OBJECT-TYPE SYNTAX INTEGER { genser(0), siopesi(1), sci(2), nsa(3), doe(4) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the IPSO protection authority header field value that the packet must have for this row to evaluate to 'true'. The values of these enumerations are defined by RFC1108. Hence the reason the SMIv2 convention of not using 0 in enum lists is violated here." REFERENCE "RFC 1108" ::= { spdIpsoHeaderFilterEntry 4 } spdIpsoHeadFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current Baer, et al. Expires August 28, 2006 [Page 38] Internet-Draft IPsec SPD configuration MIB February 2006 DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { spdIpsoHeaderFilterEntry 5 } spdIpsoHeadFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdIpsoHeaderFilterEntry 6 } spdIpsoHeadFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. However, this object may not be set to active if the requirements of the spdIpsoHeadFiltType object are not met. Specifically, if the spdIpsoHeadFiltType bit for classification(0) is set, the spdIpsoHeadFiltClassification column MUST have a valid value for the row status to be set to active. If the spdIpsoHeadFiltType bit for protectionAuthority(1) is set, the spdIpsoHeadFiltProtectionAuth column MUST have a valid value for the row status to be set to active. If active, this object must remain active if it is referenced by an active row in another table. An attempt to set it to anything other than active while it is referenced by an active row in another table will result in an inconsistentValue error." ::= { spdIpsoHeaderFilterEntry 7 } -- Baer, et al. Expires August 28, 2006 [Page 39] Internet-Draft IPsec SPD configuration MIB February 2006 -- compound actions table -- spdCompoundActionTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdCompoundActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table used to allow multiple actions to be associated with a rule. It uses the spdSubactionsTable to do this. The rows from spdSubactionsTable that are partially indexed by spdCompActName form the set of compound actions to be performed. The spdCompActExecutionStrategy column in this table indicates how those actions are processed." ::= { spdConfigObjects 11 } spdCompoundActionEntry OBJECT-TYPE SYNTAX SpdCompoundActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row in the spdCompoundActionTable." INDEX { spdCompActName } ::= { spdCompoundActionTable 1 } SpdCompoundActionEntry ::= SEQUENCE { spdCompActName SnmpAdminString, spdCompActExecutionStrategy INTEGER, spdCompActLastChanged TimeStamp, spdCompActStorageType StorageType, spdCompActRowStatus RowStatus } spdCompActName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This is an administratively assigned name of this compound action." ::= { spdCompoundActionEntry 1 } spdCompActExecutionStrategy OBJECT-TYPE SYNTAX INTEGER { doAll(1), doUntilSuccess(2), doUntilFailure(3) } MAX-ACCESS read-create STATUS current Baer, et al. Expires August 28, 2006 [Page 40] Internet-Draft IPsec SPD configuration MIB February 2006 DESCRIPTION "This object indicates how the sub-actions are executed based on the success of the actions as they finish executing. doAll - run each sub-action regardless of the exit status of the previous action. This parent action is always considered to have acted successfully. doUntilSuccess - run each sub-action until one succeeds, at which point stop processing the sub-actions within this parent compound action. If one of the sub-actions did execute successfully, this parent action is also considered to have executed sucessfully. doUntilFailure - run each sub-action until one fails, at which point stop processing the sub-actions within this compound action. If any sub-action fails, the result of this parent action is considered to have failed." DEFVAL { doUntilSuccess } ::= { spdCompoundActionEntry 2 } spdCompActLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { spdCompoundActionEntry 3 } spdCompActStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. For a storage type of permanent, none of the columns have to be writable." Baer, et al. Expires August 28, 2006 [Page 41] Internet-Draft IPsec SPD configuration MIB February 2006 DEFVAL { nonVolatile } ::= { spdCompoundActionEntry 4 } spdCompActRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. Once a row in the spdCompoundActionTable has been made active, this object may not be set to destroy without first destroying all the contained rows listed in the spdSubactionsTable." ::= { spdCompoundActionEntry 5 } -- -- actions contained within a compound action -- spdSubactionsTable OBJECT-TYPE SYNTAX SEQUENCE OF SpdSubactionsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of the sub-actions within a given compound action. Compound actions executing these actions MUST execute them in series based on the spdSubActPriority value, with the lowest value executing first." ::= { spdConfigObjects 12 } spdSubactionsEntry OBJECT-TYPE SYNTAX SpdSubactionsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row containing a reference to a given compound-action sub-action." INDEX { spdCompActName, spdSubActPriority } ::= { spdSubactionsTable 1 } SpdSubactionsEntry ::= SEQUENCE { spdSubActPriority Integer32, Baer, et al. Expires August 28, 2006 [Page 42] Internet-Draft IPsec SPD configuration MIB February 2006 spdSubActSubActionName VariablePointer, spdSubActLastChanged TimeStamp, spdSubActStorageType StorageType, spdSubActRowStatus RowStatus } spdSubActPriority OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The priority of a given sub-action within a compound action. The order in which sub-actions should be executed are based on the value from this column, with the lowest numeric value executing first (i.e., priority 0 before priority 1, 1 before 2, etc...)." ::= { spdSubactionsEntry 1 } spdSubActSubActionName OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS read-create STATUS current DESCRIPTION "This column points to the action to be taken. It may, but is not limited to, point to a row in one of the following tables: spdCompoundActionTable - Allowing recursion ipsaSaPreconfiguredActionTable ipiaIkeActionTable ipiaIpsecActionTable It may also point to one of the scalar objects beneath spdStaticActions. If this object is set to a pointer to a row in an unsupported (or unknown) table, an inconsistentValue error should be returned. If this object is set to point to a non-existent row in an otherwise supported table, an inconsistentName error should be returned. If during packet processing this column has a value that references a non-existent or non-supported object, the packet should be dropped." ::= { spdSubactionsEntry 2 } Baer, et al. Expires August 28, 2006 [Page 43] Internet-Draft IPsec SPD configuration MIB February 2006 spdSubActLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { spdSubactionsEntry 3 } spdSubActStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent. For a storage type of permanent, none of the columns have to be writable." DEFVAL { nonVolatile } ::= { spdSubactionsEntry 4 } spdSubActRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active unless one of the following two conditions are met. An attempt to set it to anything other than active while the following conditions are not met will result in an inconsistentValue error. The two conditions are: I. No active row in the spdCompoundActionTable exists which has a matching spdCompActName. II. Or at least one other active row in this table has a matching spdCompActName." ::= { spdSubactionsEntry 5 } -- Baer, et al. Expires August 28, 2006 [Page 44] Internet-Draft IPsec SPD configuration MIB February 2006 -- Static Actions -- -- these are static actions which can be pointed to by the -- spdRuleDefAction or the spdSubActSubActionName objects to -- drop, accept or reject packets. spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 } spdDropAction OBJECT-TYPE SYNTAX Integer32 (1) MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates that a packet should be dropped WITHOUT action/packet logging. This object returns a value of 1 for IPsec policy implementations that support the drop static action." ::= { spdStaticActions 1 } spdDropActionLog OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates that a packet should be dropped WITH action/packet logging. This object returns a value of 1 for IPsec policy implementations that support the drop static action with logging." ::= { spdStaticActions 2 } spdAcceptAction OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "This Scalar indicates that a packet should be accepted (pass-through) WITHOUT action/packet logging. This object returns a value of 1 for IPsec policy implementations that support the accept static action." ::= { spdStaticActions 3 } spdAcceptActionLog OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates that a packet should be accepted Baer, et al. Expires August 28, 2006 [Page 45] Internet-Draft IPsec SPD configuration MIB February 2006 (pass-through) WITH action/packet logging. This object returns a value of 1 for IPsec policy implementations that support the accept static action with logging." ::= { spdStaticActions 4 } -- -- -- Notification objects information -- -- spdNotificationVariables OBJECT IDENTIFIER ::= { spdNotificationObjects 1 } spdNotifications OBJECT IDENTIFIER ::= { spdNotificationObjects 0 } spdActionExecuted OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Points to the action instance that was executed that resulted in the notification being sent." ::= { spdNotificationVariables 1 } spdIPEndpointAddType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Contains the interface type for the interface that the packet which triggered the notification is passing through." ::= { spdNotificationVariables 2 } spdIPEndpointAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Contains the interface address for the interface that the packet which triggered the notification is passing through. The format of this object is specified by the spdIPEndpointAddType object." ::= { spdNotificationVariables 3 } Baer, et al. Expires August 28, 2006 [Page 46] Internet-Draft IPsec SPD configuration MIB February 2006 spdIPSourceType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Contains the source address type of the packet which triggered the notification." ::= { spdNotificationVariables 4 } spdIPSourceAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Contains the source address of the packet which triggered the notification. The format of this object is specified by the spdIPSourceType object." ::= { spdNotificationVariables 5 } spdIPDestinationType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Contains the destination address type of the packet which triggered the notification." ::= { spdNotificationVariables 6 } spdIPDestinationAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Contains the destination address of the packet which triggered the notification. The format of this object is specified by the spdIPDestinationType object." ::= { spdNotificationVariables 7 } spdPacketDirection OBJECT-TYPE SYNTAX IfDirection MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Indicates if the packet which triggered the action in Baer, et al. Expires August 28, 2006 [Page 47] Internet-Draft IPsec SPD configuration MIB February 2006 questions was ingress (inbound) our egress (outbound)." ::= { spdNotificationVariables 8 } spdPacketPart OBJECT-TYPE SYNTAX OCTET STRING (SIZE (0..65535)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Is the front part of the full IP packet that triggered this notification. The initial size limit is determined by the smaller of the size indicated by I. The value of the object with the TC syntax 'SpdIPPacketLogging' that indicated the packet should be logged and II. The size of the triggering packet. The final limit is determined by the SNMP packet size when sending the notification. The maximum size that can be included will be the smaller of the initial size given above and the length that will fit in a single SNMP notification packet after the rest of the notification's objects and any other necessary packet data (headers encoding, etc...) has been included in the packet." ::= { spdNotificationVariables 9 } spdActionNotification NOTIFICATION-TYPE OBJECTS { spdActionExecuted, spdIPEndpointAddType, spdIPEndpointAddress, spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, spdPacketDirection } STATUS current DESCRIPTION "Notification that an action was executed by a rule. Only actions with logging enabled will result in this notification getting sent. The objects sent must include the spdActionExecuted object which will indicate which action was executed within the scope of the rule. Additionally the spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, and spdIPDestinationAddress objects must be included to indicate the packet source and destination of the packet that triggered the action. Finally the spdIPEndpointAddType, spdIPEndpointAddress, and spdPacketDirection objects are included to indicate which interface the action was executed in association with and if the packet was ingress or egress through the endpoint. Baer, et al. Expires August 28, 2006 [Page 48] Internet-Draft IPsec SPD configuration MIB February 2006 Note that compound actions with multiple executed subactions may result in multiple notifications being sent from a single rule execution." ::= { spdNotifications 1 } spdPacketNotification NOTIFICATION-TYPE OBJECTS { spdActionExecuted, spdIPEndpointAddType, spdIPEndpointAddress, spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, spdPacketDirection, spdPacketPart } STATUS current DESCRIPTION "Notification that a packet passed through a Security Association (SA). Only SA's created by actions with packet logging enabled will result in this notification getting sent. The objects sent must include the spdActionExecuted which will indicate which action was executed within the scope of the rule. Additionally, the spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, and spdIPDestinationAddress, objects must be included to indicate the packet source and destination of the packet that triggered the action. The spdIPEndpointAddType, spdIPEndpointAddress, and spdPacketDirection objects are included to indicate which endpoint the packet was associated with. Finally, spdPacketPart is included to enable sending a variable sized part of the front of the packet with the size dependent on the value of the object of TC syntax 'SpdIPPacketLogging' which indicated logging should be done." ::= { spdNotifications 2 } -- -- -- Conformance information -- -- spdCompliances OBJECT IDENTIFIER ::= { spdConformanceObjects 1 } spdGroups OBJECT IDENTIFIER ::= { spdConformanceObjects 2 } -- -- Compliance statements Baer, et al. Expires August 28, 2006 [Page 49] Internet-Draft IPsec SPD configuration MIB February 2006 -- -- spdRuleFilterFullCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for SNMP entities that include an IPsec MIB implementation with Endpoint, Rules, and filters support. When this MIB is implemented with support for read-create, then such an implementation can claim full compliance. Such devices can then be both monitored and configured with this MIB. There are a number of INDEX objects that cannot be represented in the form of OBJECT clauses in SMIv2, but for which we have the following compliance requirements, expressed in OBJECT clause form in this description clause: -- OBJECT spdEndGroupAddressType -- SYNTAX InetAddressType { ipv4(1), ipv6(2) } -- DESCRIPTION -- Only support for global IPv4 and IPv6 address -- types is required. -- -- OBJECT spdEndGroupAddress -- SYNTAX InetAddress (SIZE(4|16)) -- DESCRIPTION -- Only support for global IPv4 and IPv6 address -- types is required. --" MODULE -- This Module MANDATORY-GROUPS { spdEndpointGroup, spdGroupContentsGroup, spdRuleDefinitionGroup, spdStaticFilterGroup, spdStaticActionGroup , diffServMIBMultiFieldClfrGroup } GROUP spdIpsecSystemPolicyNameGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations which support a system policy group name." GROUP spdCompoundFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy Baer, et al. Expires August 28, 2006 [Page 50] Internet-Draft IPsec SPD configuration MIB February 2006 implementations which support compound filters." GROUP spdIPOffsetFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations which support IP Offset filters. In general, this SHOULD be supported by a compliant IPsec Policy implementation." GROUP spdTimeFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations which support time filters." GROUP spdIpsoHeaderFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations which support IPSO Header filters." GROUP spdCompoundActionGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations which support compound actions." OBJECT spdEndGroupLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance." OBJECT spdGroupContComponentType SYNTAX INTEGER { rule(2) } DESCRIPTION "Support of the value group(1) is only required for implementations which support Policy Groups within Policy Groups." OBJECT spdGroupContLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance." OBJECT spdRuleDefLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance." Baer, et al. Expires August 28, 2006 [Page 51] Internet-Draft IPsec SPD configuration MIB February 2006 OBJECT spdCompFiltLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance." OBJECT spdSubFiltLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance." OBJECT spdIpOffFiltLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance." OBJECT spdTimeFiltLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance." OBJECT spdIpsoHeadFiltLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance." OBJECT spdCompActLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance." OBJECT spdSubActLastChanged MIN-ACCESS not-accessible DESCRIPTION "This object not required for compliance." OBJECT diffServMultiFieldClfrNextFree MIN-ACCESS not-accessible DESCRIPTION "This object is not required for compliance." ::= { spdCompliances 1 } spdLoggingCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for SNMP entities that support sending notifications when actions are invoked." Baer, et al. Expires August 28, 2006 [Page 52] Internet-Draft IPsec SPD configuration MIB February 2006 MODULE -- This Module MANDATORY-GROUPS { spdActionLoggingObjectGroup, spdActionNotificationGroup } ::= { spdCompliances 2 } -- -- ReadOnly Compliances -- spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for SNMP entities that include an IPsec MIB implementation with Endpoint, Rules, and filters support. If this MIB is implemented without support for read-create (i.e. in read-only), it is not in full compliance but it can claim read-only compliance. Such a device can then be monitored but can not be configured with this MIB. There are a number of INDEX objects that cannot be represented in the form of OBJECT clauses in SMIv2, but for which we have the following compliance requirements, expressed in OBJECT clause form in this description clause: -- OBJECT spdEndGroupAddressType -- SYNTAX InetAddressType { ipv4(1), ipv6(2) } -- DESCRIPTION -- Only support for global IPv4 and IPv6 address -- types is required. -- -- OBJECT spdEndGroupAddress -- SYNTAX InetAddress (SIZE(4|16)) -- DESCRIPTION -- Only support for global IPv4 and IPv6 address -- types is required. --" MODULE -- This Module MANDATORY-GROUPS { spdEndpointGroup, spdGroupContentsGroup, spdRuleDefinitionGroup, spdStaticFilterGroup, spdStaticActionGroup , diffServMIBMultiFieldClfrGroup } GROUP spdIpsecSystemPolicyNameGroup DESCRIPTION Baer, et al. Expires August 28, 2006 [Page 53] Internet-Draft IPsec SPD configuration MIB February 2006 "This group is mandatory for IPsec Policy implementations which support a system policy group name." GROUP spdCompoundFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations which support compound filters." GROUP spdIPOffsetFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations which support IP Offset filters. In general, this SHOULD be supported by a compliant IPsec Policy implementation." GROUP spdTimeFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations which support time filters." GROUP spdIpsoHeaderFilterGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations which support IPSO Header filters." GROUP spdCompoundActionGroup DESCRIPTION "This group is mandatory for IPsec Policy implementations which support compound actions." OBJECT spdCompActExecutionStrategy MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdCompActLastChanged DESCRIPTION "This object is not required for compliance." OBJECT spdCompActRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdCompActStorageType MIN-ACCESS read-only DESCRIPTION Baer, et al. Expires August 28, 2006 [Page 54] Internet-Draft IPsec SPD configuration MIB February 2006 "Write access is not required." OBJECT spdCompFiltDescription MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdCompFiltLastChanged DESCRIPTION "This object is not required for compliance." OBJECT spdCompFiltLogicType MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdCompFiltRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdCompFiltStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdEgressPolicyGroupName MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdEndGroupLastChanged DESCRIPTION "This object is not required for compliance." OBJECT spdEndGroupName MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdEndGroupRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdEndGroupStorageType MIN-ACCESS read-only DESCRIPTION Baer, et al. Expires August 28, 2006 [Page 55] Internet-Draft IPsec SPD configuration MIB February 2006 "Write access is not required." OBJECT spdGroupContComponentName MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdGroupContComponentType MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdGroupContFilter MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdGroupContLastChanged DESCRIPTION "This object is not required for compliance." OBJECT spdGroupContRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdGroupContStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdIngressPolicyGroupName MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdIpOffFiltLastChanged DESCRIPTION "This object is not required for compliance." OBJECT spdIpOffFiltOffset MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdIpOffFiltRowStatus MIN-ACCESS read-only DESCRIPTION Baer, et al. Expires August 28, 2006 [Page 56] Internet-Draft IPsec SPD configuration MIB February 2006 "Write access is not required." OBJECT spdIpOffFiltStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdIpOffFiltType MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdIpOffFiltValue MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdIpsoHeadFiltClassification MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdIpsoHeadFiltLastChanged DESCRIPTION "This object is not required for compliance." OBJECT spdIpsoHeadFiltProtectionAuth MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdIpsoHeadFiltRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdIpsoHeadFiltStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdIpsoHeadFiltType MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdRuleDefAction MIN-ACCESS read-only Baer, et al. Expires August 28, 2006 [Page 57] Internet-Draft IPsec SPD configuration MIB February 2006 DESCRIPTION "Write access is not required." OBJECT spdRuleDefAdminStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdRuleDefDescription MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdRuleDefFilter MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdRuleDefFilterNegated MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdRuleDefLastChanged DESCRIPTION "This object is not required for compliance." OBJECT spdRuleDefRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdRuleDefStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdSubActLastChanged DESCRIPTION "This object is not required for compliance." OBJECT spdSubActRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdSubActStorageType MIN-ACCESS read-only Baer, et al. Expires August 28, 2006 [Page 58] Internet-Draft IPsec SPD configuration MIB February 2006 DESCRIPTION "Write access is not required." OBJECT spdSubActSubActionName MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdSubFiltLastChanged DESCRIPTION "This object is not required for compliance." OBJECT spdSubFiltRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdSubFiltStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdSubFiltSubfilter MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdSubFiltSubfilterIsNegated MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdTimeFiltDayOfMonthMask MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdTimeFiltDayOfWeekMask MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdTimeFiltLastChanged DESCRIPTION "This object is not required for compliance." OBJECT spdTimeFiltMonthOfYearMask MIN-ACCESS read-only Baer, et al. Expires August 28, 2006 [Page 59] Internet-Draft IPsec SPD configuration MIB February 2006 DESCRIPTION "Write access is not required." OBJECT spdTimeFiltPeriodEnd MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdTimeFiltPeriodStart MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdTimeFiltRowStatus MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdTimeFiltTimeOfDayMaskStart MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdTimeFiltTimeOfDayMaskEnd MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT spdTimeFiltStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required." ::= { spdCompliances 3 } -- -- -- Compliance Groups Definitions -- -- -- Endpoint, Rule, Filter Compliance Groups -- spdEndpointGroup OBJECT-GROUP OBJECTS { spdEndGroupName, spdEndGroupLastChanged, Baer, et al. Expires August 28, 2006 [Page 60] Internet-Draft IPsec SPD configuration MIB February 2006 spdEndGroupStorageType, spdEndGroupRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Endpoint Table." ::= { spdGroups 1 } spdGroupContentsGroup OBJECT-GROUP OBJECTS { spdGroupContComponentType, spdGroupContFilter, spdGroupContComponentName, spdGroupContLastChanged, spdGroupContStorageType, spdGroupContRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Group Contents Table." ::= { spdGroups 2 } spdIpsecSystemPolicyNameGroup OBJECT-GROUP OBJECTS { spdIngressPolicyGroupName, spdEgressPolicyGroupName } STATUS current DESCRIPTION "This group is made up of objects represent the System Policy Group Names." ::= { spdGroups 3} spdRuleDefinitionGroup OBJECT-GROUP OBJECTS { spdRuleDefDescription, spdRuleDefFilter, spdRuleDefFilterNegated, spdRuleDefAction, spdRuleDefAdminStatus, spdRuleDefLastChanged, spdRuleDefStorageType, spdRuleDefRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Rule Definition Table." ::= { spdGroups 4 } spdCompoundFilterGroup OBJECT-GROUP OBJECTS { spdCompFiltDescription, spdCompFiltLogicType, spdCompFiltLastChanged, spdCompFiltStorageType, Baer, et al. Expires August 28, 2006 [Page 61] Internet-Draft IPsec SPD configuration MIB February 2006 spdCompFiltRowStatus, spdSubFiltSubfilter, spdSubFiltSubfilterIsNegated, spdSubFiltLastChanged, spdSubFiltStorageType, spdSubFiltRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Compound Filter Table and Sub-Filter Table Group." ::= { spdGroups 5 } spdStaticFilterGroup OBJECT-GROUP OBJECTS { spdTrueFilter } STATUS current DESCRIPTION "The static filter group. Currently this is just a true filter." ::= { spdGroups 6 } spdIPOffsetFilterGroup OBJECT-GROUP OBJECTS { spdIpOffFiltOffset, spdIpOffFiltType, spdIpOffFiltValue, spdIpOffFiltLastChanged, spdIpOffFiltStorageType, spdIpOffFiltRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy IP Offset Filter Table." ::= { spdGroups 7 } spdTimeFilterGroup OBJECT-GROUP OBJECTS { spdTimeFiltPeriodStart, spdTimeFiltPeriodEnd, spdTimeFiltMonthOfYearMask, spdTimeFiltDayOfMonthMask, spdTimeFiltDayOfWeekMask, spdTimeFiltTimeOfDayMaskStart, spdTimeFiltTimeOfDayMaskEnd, spdTimeFiltLastChanged, spdTimeFiltStorageType, spdTimeFiltRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Time Filter Table." ::= { spdGroups 8 } spdIpsoHeaderFilterGroup OBJECT-GROUP OBJECTS { spdIpsoHeadFiltType, spdIpsoHeadFiltClassification, Baer, et al. Expires August 28, 2006 [Page 62] Internet-Draft IPsec SPD configuration MIB February 2006 spdIpsoHeadFiltProtectionAuth, spdIpsoHeadFiltLastChanged, spdIpsoHeadFiltStorageType, spdIpsoHeadFiltRowStatus } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy IPSO Header Filter Table." ::= { spdGroups 9 } -- -- action compliance groups -- spdStaticActionGroup OBJECT-GROUP OBJECTS { spdDropAction, spdAcceptAction, spdDropActionLog, spdAcceptActionLog } STATUS current DESCRIPTION "This group is made up of objects from the IPsec Policy Static Actions." ::= { spdGroups 10 } spdCompoundActionGroup OBJECT-GROUP OBJECTS { spdCompActExecutionStrategy, spdCompActLastChanged, spdCompActStorageType, spdCompActRowStatus, spdSubActSubActionName, spdSubActLastChanged, spdSubActStorageType, spdSubActRowStatus } STATUS current DESCRIPTION "The IPsec Policy Compound Action Table and Actions In Compound Action Table Group." ::= { spdGroups 11 } spdActionLoggingObjectGroup OBJECT-GROUP OBJECTS { spdActionExecuted, spdIPEndpointAddType, spdIPEndpointAddress, spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, spdPacketDirection, spdPacketPart } STATUS current Baer, et al. Expires August 28, 2006 [Page 63] Internet-Draft IPsec SPD configuration MIB February 2006 DESCRIPTION "This group is made up of all the Notification objects for this MIB." ::= { spdGroups 12 } spdActionNotificationGroup NOTIFICATION-GROUP NOTIFICATIONS { spdActionNotification, spdPacketNotification } STATUS current DESCRIPTION "This group is made up of all the Notifications for this MIB." ::= { spdGroups 13 } END 6. Security Considerations 6.1. Introduction This document defines a MIB module used to configure IPsec policy services. Since IPsec provides network security services, all of its configuration data (e.g. this entire MIB) should be as secure or more secure than any of the security services IPsec provides. There are two main threats you need to protect against when configuring IPsec devices. 1. Malicious Configuration: This MIB configures network security services. If an attacker has SET access to any part of this MIB, the network security services configured by this MIB should be considered broken. The network data sent through the associated gateway should no longer be considered as protected by IPsec (i.e., it is no longer confidential or authenticated). Therefore, only the official administrators should be allowed to configure a device. In other words, administrators' identities should be authenticated and their access rights checked before they are allowed to do device configuration. The support for SET operations to the IPSP MIB in a non-secure environment, without proper protection, will invalidate the security of the network traffic affected by the IPSP MIB. Baer, et al. Expires August 28, 2006 [Page 64] Internet-Draft IPsec SPD configuration MIB February 2006 2. Disclosure of Configuration: In general, malicious parties should not be able to read security configuration data while the data is in network transit. An attacker reading the configuration data may be able to find compromises in the device and the network due to poor and misconfiguration. Since this entire MIB is used for security configuration, it is highly recommended that only authorized administrators should be allow to view data in this MIB. In particular, malicious users should be prevented from reading SNMP packets containing this MIB's data. SNMP GET data should be encrypted when sent across the network. Also, only authorized administrators should be allowed SNMP GET access to any of the MIB objects. SNMP versions prior to SNMPv3 do not include adequate security. Even if the network itself is secure (e.g. by using IPsec), earlier versions of SNMP have virtually no control as to who on the secure network is allowed to access (i.e. read/change/create/delete) the objects in this MIB module. It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy). Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to GET or SET (change/create/delete) them. Therefore, when configuring data in the IPSEC-SPD-MIB, you SHOULD use SNMP version 3. The rest of this discussion assumes the use of SNMPv3. This is a real strength, because it allows administrators the ability to load new IPsec configuration on a device and keep the conversation private and authenticated under the protection of SNMPv3 before any IPsec protections are available. Once initial establishment of IPsec configuration on a device has been achieved, it would be possible to set up IPsec SAs to then also provide security and integrity services to the configuration conversation. This may seem redundant at first, but will be shown to have a use for added privacy protection below. 6.2. Protecting against in-authentic access The current SNMPv3 User Security Model provides for key based user authentication. Typically, keys are derived from passwords (but are Baer, et al. Expires August 28, 2006 [Page 65] Internet-Draft IPsec SPD configuration MIB February 2006 not required to be), and the keys are then used in HMAC algorithms (currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP data. Each SNMP device keeps a (configured) list of users and keys. Under SNMPv3 user keys may be updated as often as an administrator cares to have users enter new passwords. But Perfect Forward Secrecy for user keys in SNMPv3 is not yet provided by standards track documents, although RFC2786 defines an experimental method of doing so. 6.3. Protecting against involuntary disclosure While sending IPsec configuration data to a Policy Enforcement Point (PEP), there are a few critical parameters which MUST NOT be observed by third parties. Specifically, except for public keys, keying information MUST NOT be allowed to be observed by third parties. This include IKE Pre-Shared Keys and possibly the private key of a public/private key pair for use in a PKI. Were either of those parameters to be known to a third party, they could then impersonate the device to other IKE peers. Aside from those critical parameters, policy administrators have an interest in not divulging any of their policy configuration. Any knowledge about a device's configuration could help an unfriendly party compromise that device. SNMPv3 offers privacy security services, but at the time this document was written, the only standardized encryption algorithm supported by SNMPv3 is the DES encryption algorithm. Support for other (stronger) cryptographic algorithms is in the works and may be done as you read this (e.g. AES [RFC3826]). When configure IPsec policy using this MIB, policy administrators SHOULD use a privacy security service that is at least as strong as the desired IPsec policy. E.G., If an administrator were to use this MIB to configure an IPsec connection that utilizes a 3DES algorithms, the SNMP communication configuring the connection should be protected by an algorithm as strong or stronger than the 3DES algorithm. 6.4. Bootstrapping your configuration Most vendors will not ship new products with a default SNMPv3 user/ password pair, but it is possible. If a device does ship with a default user/password pair, policy administrators SHOULD either change the password or configure a new user, deleting the default user (or at a minimum, restrict the access of the default user). Most SNMPv3 distributions should, hopefully, require an out-of-band initialization over a trusted medium, such as a local console connection. 7. IANA Considerations Baer, et al. Expires August 28, 2006 [Page 66] Internet-Draft IPsec SPD configuration MIB February 2006 Only two IANA considerations exist for this document. The first is just the node number allocation of the IPSEC-SPD-MIB itself. The IPSEC-SPD-MIB also allows for extension action MIB's. Although additional actions are not required to use it, the node spdActions is allocated for any additional actions that wish to use it. IANA would be responsible for allocating any values under this node. 8. Acknowledgments Many other people contributed thoughts and ideas that influenced this MIB module. Some special thanks are in order for the following people: Lindy Foster (Sparta, Inc.) John Gillis (ADC) Roger Hartmuller (Sparta, Inc.) Harrie Hazewinkel Jamie Jason (Intel Corporation) David Partain (Ericsson) Lee Rafalow (IBM) Jon Saperia (JDS Consulting) Eric Vyncke (Cisco Systems) 9. References 9.1. Normative References [RFC1108] Kent, S., "U.S", RFC 1108, November 1991. [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999. [RFC3289] Baker, F., Chan, K., and A. Smith, "Management Information Base for the Differentiated Services Architecture", RFC 3289, May 2002. Baer, et al. Expires August 28, 2006 [Page 67] Internet-Draft IPsec SPD configuration MIB February 2006 [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002. [RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec Configuration Policy Information Model", RFC 3585, August 2003. [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, February 2005. 9.2. Informative References [RFCXXXX] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. Wang, "IPsec Security Policy IPsec Action MIB", December 2002. [RFCYYYY] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. Wang, "IPsec Security Policy IKE Action MIB", December 2002. [IPPMWP] Lortz, V. and L. Rafalow, "IPsec Policy Model White Paper", November 2000. [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet- Standard Management Framework", RFC 3410, December 2002. [RFC3826] Blumenthal, U., Maino, F., and K. McCloghrie, "The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model", RFC 3826, June 2004. Baer, et al. Expires August 28, 2006 [Page 68] Internet-Draft IPsec SPD configuration MIB February 2006 Authors' Addresses Michael Baer Sparta, Inc. 7075 Samuel Morse Drive Columbia, MD 21046 US Email: baerm@tislabs.com Ricky Charlet Self Email: rcharlet@alumni.calpoly.edu Wes Hardaker Sparta, Inc. P.O. Box 382 Davis, CA 95617 US Phone: +1 530 792 1913 Email: hardaker@tislabs.com Robert Story Revelstone Software PO Box 1812 Tucker, GA 30085 US Email: rstory@sparta.com Cliff Wang ARO/North Carolina State University 4300 S. Miami Blvd RTP, NC 27709 US Email: cliffwangmail@yahoo.com Baer, et al. Expires August 28, 2006 [Page 69] Internet-Draft IPsec SPD configuration MIB February 2006 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Baer, et al. Expires August 28, 2006 [Page 70]