IPSP Working Group M. Baer Internet Draft Network Associates Inc draft-ietf-ipsp-ipsec-conf-mib-06.txt R. Charlet W. Hardaker Network Associates Inc R. Story Revelstone Software C. Wang Smartpipes Inc March 2003 IPsec Policy Configuration MIB module draft-ietf-ipsp-ipsec-conf-mib-06.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Abstract This document defines a Management Information Base (MIB) module for managing the Internet Security Protocol (IPsec) and Internet Key Exchange (IKE) protocols and associated policies. Some of the policy-based packet filtering and the corresponding execution of actions is of a more general nature than for IPsec configuration only. This MIB module is designed with future extensibility in mind. It is thus possible to externally add other packet filters Various Authors [Page 1] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 and actions to the policy-based packet filtering system defined in this document. Table of Contents 1. Introduction ............................................ 3 2. The Internet-Standard Management Framework .............. 3 3. Relationship to the DMTF Policy Model ................... 3 4. MIB Module Overview ..................................... 5 5. Definitions ............................................. 5 ipspEndpointToGroupTable .............................. 9 ipspGroupContentsTable ............................... 12 ipspRuleDefinitionTable .............................. 15 ipspCompoundFilterTable .............................. 18 ipspSubfiltersTable .................................. 21 ipspIpHeaderFilterTable .............................. 24 ipspIpOffsetFilterTable .............................. 31 ipspTimeFilterTable .................................. 35 ipspIpsoHeaderFilterTable ............................ 39 ipspCredentialFilterTable ............................ 41 ipspPeerIdentityFilterTable .......................... 44 ipspCompoundActionTable .............................. 46 ipspSubactionsTable .................................. 48 ipspSaPreconfiguredActionTable ....................... 52 ipspSaNegotiationParametersTable ..................... 58 ipspIkeActionTable ................................... 61 ipspIkeActionProposalsTable .......................... 65 ipspIkeProposalTable ................................. 67 ipspIpsecActionTable ................................. 71 ipspIpsecProposalsTable .............................. 75 ipspIpsecTransformsTable ............................. 77 ipspAhTransformTable ................................. 80 ipspEspTransformTable ................................ 82 ipspIpcompTransformTable ............................. 86 ipspIkeIdentityTable ................................. 89 ipspPeerIdentityTable ................................ 90 ipspAutostartIkeTable ................................ 94 ipspIpsecCredMngServiceTable ......................... 97 ipspCredMngCRLTable .................................. 99 ipspRevokedCertificateTable ......................... 102 ipspCredentialTable ................................. 104 ipspCredentialSegmentTable .......................... 107 6. References ............................................ 139 6.1. Normative References .................................. 139 6.2. Informative References ................................ 140 7. Intellectual Property ................................. 140 8. Security Considerations ............................... 140 8.1. Introduction .......................................... 140 Various Authors [Page 2] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 8.2. Protecting against in-authentic access ................ 141 8.3. Protecting against involuntary disclosure ............. 142 8.4. Bootstrapping your configuration ...................... 142 9. Acknowledgments ....................................... 142 10. Authors' Addresses .................................... 143 11. Full Copyright Statement .............................. 143 1. Introduction This document defines a configuration MIB module for IPsec [IPSEC]/IKE [IKE] policy. It does not define MIB modules for monitoring the state of an IPsec device. It does not define MIB modules for configuring other policy related actions. The purpose of this MIB module is to allow administrators to be able to configure policy with respect to the IPsec/IKE protocols. However, some of the packet filtering and matching of conditions to actions is of a more general nature than IPsec only. It is possible to add other packet transforming actions to this MIB module if those actions needed to be performed conditionally on filtered traffic. 2. The Internet-Standard Management Framework For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410] Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580]. 3. Relationship to the DMTF Policy Model The Distributed Management Task Force has created an object oriented model of IPsec policy information known as the IPsec Policy Model White Paper [IPSECPM]. The contents of this document are also reflected in the internet draft (RFCXXXX) "IPsec Configuration Policy Model" (IPCP) [IPCP]. This MIB module is a task specific derivation of the IPCP for use with SNMPv3. The high-level areas where this MIB module diverges from the IPCP model are: o Policies, Groups, Conditions, and some levels of Action are Various Authors [Page 3] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 generically named. That is we dropped prefixes like "SA", or "ipsec". This is because we feel that packet classification and matching of conditions to actions is more general than IPsec and could possibly be reused by other packet transforming actions which need to conditionally act on packets matching filters. o Filters are implemented in a more generic and scalable manner, rather than enforcing the condition/filtering pairing and their restrictions upon the user. The MIB module offers a compound filter object to provide for greater flexibility when creating complex filters. Various Authors [Page 4] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 4. MIB Module Overview The MIB module is modularized into several different parts: rules, filters, and actions. The rules section connects endpoints and groups of rules together. This is partially made up of the ipspEndpointToGroupTable, ipspGroupContentsTable, and the ipspRuleDefinitionTable. Each row of the ipspRuleDefinitionTable connects a filter(s) with an action(s). It is structured to allow for reuse through the future creation of extension tables that provide additional filters and/or actions. The filter section of the MIB module is composed of all the different types of filters in the Policy Model. It is partially made up of the trueFilter, ipspCompoundFilterTable, ipspIpHeaderFilterTable, ipspIpOffsetFilterTable, ipspTimeFilterTable, ipspIpsoHeaderFilterTable, ipspCredentialFilterTable, and the ipspPeerIdentityFilterTable. The action section of the MIB module contains different action types from the Policy Model. It is also separated into Firewall actions (accept, drop, log, ...), IKE actions, and IPsec actions. It is partially made up of the ipspStaticActions, ipspCompoundActionTable, ipspSaPreconfiguredActionTable, ipspIkeActionTable, ipspIkeActionProposalsTable, ipspIkeIdentityTable, ipspPeerIdentityTable, ipspIpsecActionTable, ipspIpsecProposalsTable, ipspIpsecTransformsTable, ipspAhTransformTable, and the ipspEspTransformTable. 5. Definitions IPSEC-POLICY-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32, Unsigned32, mib-2, experimental FROM SNMPv2-SMI TEXTUAL-CONVENTION, RowStatus, TruthValue, TimeStamp, StorageType, VariablePointer, DateAndTime FROM SNMPv2-TC MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP FROM SNMPv2-CONF SnmpAdminString FROM SNMP-FRAMEWORK-MIB Various Authors [Page 5] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 InetAddressType, InetAddress, InetPortNumber FROM INET-ADDRESS-MIB IkeHashAlgorithm, IpsecDoiEncapsulationMode, IpsecDoiIpcompTransform, IpsecDoiAuthAlgorithm, IpsecDoiEspTransform, IpsecDoiSecProtocolId, IkeGroupDescription, IpsecDoiIdentType, IkeEncryptionAlgorithm, IkeAuthMethod FROM IPSEC-ISAKMP-IKE-DOI-TC; -- -- module identity -- ipspMIB MODULE-IDENTITY LAST-UPDATED "200212100000Z" -- 12 December 2002 ORGANIZATION "IETF IP Security Policy Working Group" CONTACT-INFO "Michael Baer Network Associates, Inc. 3965 Freedom Circle, Suite 500 Santa Clara, CA 95054 Phone: +1 530 902 3131 Email: mike_baer@nai.com Ricky Charlet Email: rcharlet@alumni.calpoly.edu Wes Hardaker Network Associates, Inc. 3965 Freedom Circle, Suite 500 Santa Clara, CA 95054 Phone: +1 530 400 2774 Email: wes_hardaker@nai.com Robert Story Revelstone Software PO Box 1474 Duluth, GA 30096 Phone: +1 770 617 3722 Email: ipsp-mib@revelstone.com Cliff Wang SmartPipes Inc. Suite 300, 565 Metro Place South Dublin, OH 43017 Various Authors [Page 6] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 Phone: +1 614 923 6241 E-Mail: CWang@smartpipes.com" DESCRIPTION "The MIB module for defining IPsec Policy filters and actions. Copyright (C) The Internet Society (2003). This version of this MIB module is part of RFC XXXX, see the RFC itself for full legal notices." -- Revision History REVISION "200301070000Z" -- 7 January 2003 DESCRIPTION "Initial version, published as RFC xxxx." -- RFC-editor assigns xxxx -- XXX: To be assigned by IANA ::= { mib-2 XXX } -- -- groups of related objects -- ipspConfigObjects OBJECT IDENTIFIER ::= { ipspMIB 1 } ipspNotificationObjects OBJECT IDENTIFIER ::= { ipspMIB 2 } ipspConformanceObjects OBJECT IDENTIFIER ::= { ipspMIB 3 } -- -- Textual Conventions -- IpspBooleanOperator ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The IpspBooleanOperator operator is used to specify whether sub-components in a decision making process are ANDed or ORed together to decide if the resulting expression is true or false." SYNTAX INTEGER { or(1), and(2) } IpspAdminStatus ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The IpspAdminStatus is used to specify the administrative status of an object. Objects which are disabled must not be used by the packet processing engine." Various Authors [Page 7] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 SYNTAX INTEGER { enabled(1), disabled(2) } IpspSADirection ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The IpspSADirection operator is used to specify whether or not a row should apply to outgoing or incoming SAs." SYNTAX INTEGER { outgoing(1), incoming(2) } IpspIPPacketLogging ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "IpspIPPacketLogging specifies whether or not an audit message should be logged when a packet is passed through an SA. A value of '-1' indicates no logging. A value of '0' or greater indicates that logging should be done and how many bytes of the beginning of the packet to place in the log. Values greater than the size of the packet being processed indicate that the entire packet should be sent. Examples: '-1' no logging '0' log but do not include any of the packet in the log '20' log and include the first 20 bytes of the packet in the log." SYNTAX Integer32 (-1..65536) IpspIdentityFilter ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "IpspIdentityFilter contains a string encoded Identity Type value to be used in comparisons against an IKE Identity payload. Wherever this TC is used, there should be an accompanying column which uses the IpsecDoiIdentType TC to specify the type of data in this object. See the IpsecDoiIdentType TC for the supported identity types available. Note that the IpsecDoiIdentType TC sepcifies how to encode binary values, while this object will contain human readable string versions." SYNTAX OCTET STRING (SIZE(1..256)) IpspCredentialType ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "IpspCredentialType identifies the type of credential contained in a corresponding IpspIdentityFilter object." SYNTAX INTEGER { reserved(0), Various Authors [Page 8] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 unknown(1), sharedSecret(2), x509(3), kerberos(4) } -- -- Policy group definitions -- ipspLocalConfigObjects OBJECT IDENTIFIER ::= { ipspConfigObjects 1 } ipspSystemPolicyGroupName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-write STATUS current DESCRIPTION "This object indicates the policy group containing the global system policy that is to be applied when a given endpoint does not contain a policy definition. Its value can be used as an index into the ipspGroupContentsTable to retrieve a list of policies. A zero length string indicates no system wide policy exists and the default policy of 'accept' should be executed until one is imposed by either this object or by the endpoint processing a given packet." ::= { ipspLocalConfigObjects 1 } ipspEndpointToGroupTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspEndpointToGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table is used to map policy (groupings) onto an endpoint where traffic is to pass by. Any policy group assigned to an endpoint is then used to control access to the traffic passing by it. If an endpoint has been configured with a policy group and no contained rule matches the incoming packet, the default action in this case shall be to drop the packet. If no policy group has been assigned to an endpoint, then the policy group specified by ipspSystemPolicyGroupName should be used for the endpoint." ::= { ipspConfigObjects 2 } ipspEndpointToGroupEntry OBJECT-TYPE Various Authors [Page 9] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 SYNTAX IpspEndpointToGroupEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A mapping assigning a policy group to an endpoint." INDEX { ipspEndGroupIdentType, ipspEndGroupAddress } ::= { ipspEndpointToGroupTable 1 } IpspEndpointToGroupEntry ::= SEQUENCE { ipspEndGroupIdentType InetAddressType, ipspEndGroupAddress InetAddress, ipspEndGroupName SnmpAdminString, ipspEndGroupLastChanged TimeStamp, ipspEndGroupStorageType StorageType, ipspEndGroupRowStatus RowStatus } ipspEndGroupIdentType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS not-accessible STATUS current DESCRIPTION "The Internet Protocol version of the address associated with a given endpoint. All addresses are represented as an array of octets in network byte order. When combined with the ipspEndGroupAddress these objects can be used to uniquely identify an endpoint that a set of policy groups should be applied to. Devices supporting IPv4 MUST support the ipv4 value, and devices supporting IPv6 MUST support the ipv6 value. Values of unknown, ipv4z, ipv6z and dns are not legal values for this object." ::= { ipspEndpointToGroupEntry 1 } ipspEndGroupAddress OBJECT-TYPE SYNTAX InetAddress (SIZE (4|16)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The address of a given endpoint, the format of which is specified by the ipspEndGroupIdentType object." ::= { ipspEndpointToGroupEntry 2 } ipspEndGroupName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS read-create Various Authors [Page 10] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 STATUS current DESCRIPTION "The policy group name to apply to this endpoint. The value of the ipspEndGroupName object should then be used as an index into the ipspGroupContentsTable to come up with a list of rules that MUST be applied to this endpoint." ::= { ipspEndpointToGroupEntry 3 } ipspEndGroupLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspEndpointToGroupEntry 4 } ipspEndGroupStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspEndpointToGroupEntry 5 } ipspEndGroupRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. This object may not be set to active until one or more active rows exist within the ipspGroupContentsTable for the group referenced by the ipspEndGroupName object." ::= { ipspEndpointToGroupEntry 6 } -- -- policy group definition table -- Various Authors [Page 11] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ipspGroupContentsTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspGroupContentsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of rules and/or subgroups contained within a given policy group. The entries are sorted by the ipspGroupContPriority object and MUST be executed in order according to this value, starting with the lowest value. Once a group item has been processed, the processor MUST stop processing this packet if an action was executed as a result of the processing of a given group. Iterating into the next policy group item by finding the next largest ipspGroupContPriority object shall only be done if no actions were run when processing the last item for a given packet." ::= { ipspConfigObjects 3 } ipspGroupContentsEntry OBJECT-TYPE SYNTAX IpspGroupContentsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Defines a given sub-item within a policy group." INDEX { ipspGroupContName, ipspGroupContPriority } ::= { ipspGroupContentsTable 1 } IpspGroupContentsEntry ::= SEQUENCE { ipspGroupContName SnmpAdminString, ipspGroupContPriority Integer32, ipspGroupContFilter VariablePointer, ipspGroupContComponentType INTEGER, ipspGroupContComponentName SnmpAdminString, ipspGroupContLastChanged TimeStamp, ipspGroupContStorageType StorageType, ipspGroupContRowStatus RowStatus } ipspGroupContName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name of this group." ::= { ipspGroupContentsEntry 1 } ipspGroupContPriority OBJECT-TYPE SYNTAX Integer32 (0..65536) Various Authors [Page 12] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 MAX-ACCESS not-accessible STATUS current DESCRIPTION "The priority (sequence number) of the sub-component in this group." ::= { ipspGroupContentsEntry 2 } ipspGroupContFilter OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS read-create STATUS current DESCRIPTION "ipspGroupContFilter points to a filter which is evaluated to determine whether the sub-component within this group should be exercised. Managers can use this object to classify groups of rules or subgroups together in order to achieve a greater degree of control and optimization over the execution order of the items within the group. If the filter evaluates to false, the rule or subgroup will be skipped and the next rule or subgroup will be evaluated instead. An example usage of this object would be to limit a group of rules to executing only when the IP packet being process is designated to be processed by IKE. This effecitevly creates a group of IKE specific rules. This MIB defines the following tables and scalars which may be pointed to by this column. Implementations may choose to provide support for other filter tables or scalars as well: ipspIpHeaderFilterTable ipspIpOffsetFilterTable ipspTimeFilterTable ipspCompoundFilterTable ipspTrueFilter If this column is set to a VariablePointer value which references a non-existent row in an otherwise supported table, the inconsistentName exception should be returned. If the table or scalar pointed to by the VariablePointer is not supported at all, then an inconsistentValue exception should be returned." DEFVAL { ipspTrueFilterInstance } ::= { ipspGroupContentsEntry 3 } ipspGroupContComponentType OBJECT-TYPE SYNTAX INTEGER { reserved(0), group(1), rule(2) } MAX-ACCESS read-create Various Authors [Page 13] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 STATUS current DESCRIPTION "Indicates whether the ipspGroupContComponentName object is the name of another group defined within the ipspGroupContentsTable or is the name of a rule defined within the ipspRuleDefinitionTable." DEFVAL { rule } ::= { ipspGroupContentsEntry 4 } ipspGroupContComponentName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "The name of the policy rule or subgroup contained within this group, as indicated by the ipspGroupContComponentType object." ::= { ipspGroupContentsEntry 5 } ipspGroupContLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspGroupContentsEntry 6 } ipspGroupContStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspGroupContentsEntry 7 } ipspGroupContRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other Various Authors [Page 14] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 objects in this conceptual row can be modified. This object may not be set to active until the row to which the ipspGroupContComponentName points to exists." ::= { ipspGroupContentsEntry 8 } -- -- policy definition table -- ipspRuleDefinitionTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspRuleDefinitionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table defines a policy rule by associating a filter or a set of filters to an action to be executed." ::= { ipspConfigObjects 4 } ipspRuleDefinitionEntry OBJECT-TYPE SYNTAX IpspRuleDefinitionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row defining a particular policy definition. A rule definition binds a filter pointer to an action pointer." INDEX { ipspRuleDefName } ::= { ipspRuleDefinitionTable 1 } IpspRuleDefinitionEntry ::= SEQUENCE { ipspRuleDefName SnmpAdminString, ipspRuleDefDescription SnmpAdminString, ipspRuleDefFilter VariablePointer, ipspRuleDefFilterNegated TruthValue, ipspRuleDefAction VariablePointer, ipspRuleDefAdminStatus IpspAdminStatus, ipspRuleDefLastChanged TimeStamp, ipspRuleDefStorageType StorageType, ipspRuleDefRowStatus RowStatus } ipspRuleDefName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "ipspRuleDefName is the administratively assigned name of the Various Authors [Page 15] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 rule referred to by the ipspGroupContComponentName object." ::= { ipspRuleDefinitionEntry 1 } ipspRuleDefDescription OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "A user definable string. This field may be used for your administrative tracking purposes." DEFVAL { "" } ::= { ipspRuleDefinitionEntry 2 } ipspRuleDefFilter OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS read-create STATUS current DESCRIPTION "ipspRuleDefFilter points to a filter which is used to evaluate whether the action associated with this row should be fired or not. The action will only fire if the filter referenced by this object evaluates to TRUE after first applying any negation required by the ipspRuleDefFilterNegated object. This MIB defines the following tables and scalars which may be pointed to by this column. Implementations may choose to provide support for other filter tables or scalars as well: ipspIpHeaderFilterTable ipspIpOffsetFilterTable ipspTimeFilterTable ipspCompoundFilterTable ipspTrueFilter If this column is set to a VariablePointer value which references a non-existent row in an otherwise supported table, the inconsistentName exception should be returned. If the table or scalar pointed to by the VariablePointer is not supported at all, then an inconsistentValue exception should be returned." ::= { ipspRuleDefinitionEntry 3 } ipspRuleDefFilterNegated OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION Various Authors [Page 16] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 "ipspRuleDefFilterNegated specifies whether the filter referenced by the ipspRuleDefFilter object should be negated or not." DEFVAL { false } ::= { ipspRuleDefinitionEntry 4 } ipspRuleDefAction OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS read-create STATUS current DESCRIPTION "This column points to the action to be taken. It may, but is not limited to, point to a row in one of the following tables: ipspCompoundActionTable ipspSaPreconfiguredActionTable ipspIkeActionTable ipspIpsecActionTable It may also point to one of the scalar objects beneath ipspStaticActions. If this object is set to a pointer to a row in an unsupported (or unknown) table, an inconsistentValue error should be returned. If this object is set to point to a non-existent row in an otherwise supported table, an inconsistentName error should be returned." ::= { ipspRuleDefinitionEntry 5 } ipspRuleDefAdminStatus OBJECT-TYPE SYNTAX IpspAdminStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates whether the current rule definition should be considered active. If enabled, it should be evaluated when processing packets. If disabled, packets should continue to be processed by the rest of the rules defined in the ipspGroupContentsTable as if this rule's filters had effectively failed." DEFVAL { enabled } ::= { ipspRuleDefinitionEntry 6 } ipspRuleDefLastChanged OBJECT-TYPE SYNTAX TimeStamp Various Authors [Page 17] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspRuleDefinitionEntry 7 } ipspRuleDefStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspRuleDefinitionEntry 8 } ipspRuleDefRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. This object may not be set to active until the containing contitions, filters and actions have been defined. Once active, it must remain active until no policyGroupContents entries are referencing it." ::= { ipspRuleDefinitionEntry 9 } -- -- Policy compound filter definition table -- ipspCompoundFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspCompoundFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table defining a compound set of filters and their associated parameters. A row in this table can either be pointed to by a ipspRuleDefFilter object or by a ficSubFilter object." Various Authors [Page 18] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ::= { ipspConfigObjects 5 } ipspCompoundFilterEntry OBJECT-TYPE SYNTAX IpspCompoundFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the ipspCompoundFilterTable. A filter defined by this table is considered to have a TRUE return value if and only if: ipspCompFiltLogicType is AND and all of the sub-filters associated with it, as defined in the ipspSubfiltersTable, are all true themselves (after applying any requried negation as defined by the ficFilterIsNegated object). ipspCompFiltLogicType is OR and at least one of the sub-filters associated with it, as defined in the ipspSubfiltersTable, is true itself (after applying any requried negation as defined by the ficFilterIsNegated object)." INDEX { ipspCompFiltName } ::= { ipspCompoundFilterTable 1 } IpspCompoundFilterEntry ::= SEQUENCE { ipspCompFiltName SnmpAdminString, ipspCompFiltDescription SnmpAdminString, ipspCompFiltLogicType IpspBooleanOperator, ipspCompFiltLastChanged TimeStamp, ipspCompFiltStorageType StorageType, ipspCompFiltRowStatus RowStatus } ipspCompFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "A user definable string. You may use this field for your administrative tracking purposes." ::= { ipspCompoundFilterEntry 1 } ipspCompFiltDescription OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "A user definable string. You may use this field for your Various Authors [Page 19] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 administrative tracking purposes." DEFVAL { ''H } ::= { ipspCompoundFilterEntry 2 } ipspCompFiltLogicType OBJECT-TYPE SYNTAX IpspBooleanOperator MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates whether the filters contained within this filter are functionally ANDed or ORed together." DEFVAL { and } ::= { ipspCompoundFilterEntry 3 } ipspCompFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspCompoundFilterEntry 4 } ipspCompFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspCompoundFilterEntry 5 } ipspCompFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. Once active, it may not have its value changed if any active rows in the ipspRuleDefinitionTable are currently pointing Various Authors [Page 20] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 at this row." ::= { ipspCompoundFilterEntry 6 } -- -- Policy filters in a cf table -- ipspSubfiltersTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspSubfiltersEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table defines a list of filters contained within a given compound filter set defined in the ipspCompoundFilterTable." ::= { ipspConfigObjects 6 } ipspSubfiltersEntry OBJECT-TYPE SYNTAX IpspSubfiltersEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry into the list of filters for a given compound filter." INDEX { ipspCompFiltName, ipspSubFiltPriority } ::= { ipspSubfiltersTable 1 } IpspSubfiltersEntry ::= SEQUENCE { ipspSubFiltPriority Integer32, ipspSubFiltSubfilter VariablePointer, ipspSubFiltSubfilterIsNegated TruthValue, ipspSubFiltLastChanged TimeStamp, ipspSubFiltStorageType StorageType, ipspSubFiltRowStatus RowStatus } ipspSubFiltPriority OBJECT-TYPE SYNTAX Integer32 (0..65536) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The priority of a given filter within a condition. Implementations MAY choose to follow the ordering indicated by the manager that created the rows in order to allow the manager to intelligently construct filter lists such that faster filters are evaluated first." ::= { ipspSubfiltersEntry 1 } ipspSubFiltSubfilter OBJECT-TYPE Various Authors [Page 21] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 SYNTAX VariablePointer MAX-ACCESS read-create STATUS current DESCRIPTION "The location of the contained filter. The value of this column should be a VariablePointer which references the properties for the filter to be included in this compound filter. This MIB defines the following tables and scalars which may be pointed to by this column. Implementations may choose to provide support for other filter tables or scalars as well: ipspIpHeaderFilterTable ipspIpOffsetFilterTable ipspTimeFilterTable ipspCompoundFilterTable ipspTrueFilter If this column is set to a VariablePointer value which references a non-existent row in an otherwise supported table, the inconsistentName exception should be returned. If the table or scalar pointed to by the VariablePointer is not supported at all, then an inconsistentValue exception should be returned." ::= { ipspSubfiltersEntry 2 } ipspSubFiltSubfilterIsNegated OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates whether the result of applying this subfilter should be negated or not." DEFVAL { false } ::= { ipspSubfiltersEntry 3 } ipspSubFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspSubfiltersEntry 4 } ipspSubFiltStorageType OBJECT-TYPE Various Authors [Page 22] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspSubfiltersEntry 5 } ipspSubFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. This object can not be made active until the filter referenced by the ficSubFilter object is both defined and is active. An attempt to do so will result in an inconsistentValue error." ::= { ipspSubfiltersEntry 6 } -- -- Static Filters -- ipspStaticFilters OBJECT IDENTIFIER ::= { ipspConfigObjects 7 } ipspTrueFilter OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates a (automatic) true result for a filter. I.e. this is a filter that is always true, useful for adding as a default filter for a default action or a set of actions." ::= { ipspStaticFilters 1 } ipspTrueFilterInstance OBJECT IDENTIFIER ::= { ipspTrueFilter 0 } ipspIkePhase1Filter OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only Various Authors [Page 23] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 STATUS current DESCRIPTION "This static filter can be used to test if a packet is part of an IKE phase-1 negotiation." ::= { ipspStaticFilters 2 } ipspIkePhase2Filter OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "This static filter can be used to test if a packet is part of an IKE phase-2 negotiation." ::= { ipspStaticFilters 3 } -- -- Policy IPHeader filter definition table -- ipspIpHeaderFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspIpHeaderFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of filter definitions to be used within the ipspRuleDefinitionTable or the ipspSubfilterTable table." ::= { ipspConfigObjects 8 } ipspIpHeaderFilterEntry OBJECT-TYPE SYNTAX IpspIpHeaderFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A definition of a particular filter." INDEX { ipspIpHeadFiltName } ::= { ipspIpHeaderFilterTable 1 } IpspIpHeaderFilterEntry ::= SEQUENCE { ipspIpHeadFiltName SnmpAdminString, ipspIpHeadFiltType BITS, ipspIpHeadFiltIPVersion InetAddressType, ipspIpHeadFiltSrcAddressBegin InetAddress, ipspIpHeadFiltSrcAddressEnd InetAddress, ipspIpHeadFiltDstAddressBegin InetAddress, ipspIpHeadFiltDstAddressEnd InetAddress, ipspIpHeadFiltSrcLowPort InetPortNumber, ipspIpHeadFiltSrcHighPort InetPortNumber, Various Authors [Page 24] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ipspIpHeadFiltDstLowPort InetPortNumber, ipspIpHeadFiltDstHighPort InetPortNumber, ipspIpHeadFiltProtocol Integer32, ipspIpHeadFiltIPv6FlowLabel Integer32, ipspIpHeadFiltLastChanged TimeStamp, ipspIpHeadFiltStorageType StorageType, ipspIpHeadFiltRowStatus RowStatus } ipspIpHeadFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name for this filter." ::= { ipspIpHeaderFilterEntry 1 } ipspIpHeadFiltType OBJECT-TYPE SYNTAX BITS { sourceAddress(0), destinationAddress(1), sourcePort(2), destinationPort(3), protocol(4), ipv6FlowLabel(5) } MAX-ACCESS read-create STATUS current DESCRIPTION "This defines the various tests that are used when evaluating a given filter. The results of each test are ANDed together to produce the result of the entire filter. When processing this filter, it is recommended for efficiency reasons that the filter halt processing the instant any of the specified tests fail. Once a row is 'active', this object's value may not be changed unless all the appropriate columns needed by the new value to be imposed on this object have been appropriately configured. The various tests definable in this table are as follows: sourceAddress: - Tests if the source address in the packet lies between the ipspIpHeadFiltSrcAddressBegin and ipspIpHeadFiltSrcAddressEnd objects. Note that setting these two objects to the same address will limit the search to the exact match of a single address. The format and length of the address objects are defined by the ipspIpHeadFiltIPVersion column. Various Authors [Page 25] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 A row in this table containing a ipspIpHeadFiltType object with the sourceAddress object bit but without the ipspIpHeadFiltIPVersion, ipspIpHeadFiltSrcAddressBegin and ipspIpHeadFiltSrcAddressEnd objects set will cause the ipspIpHeadFiltRowStatus object to return the notReady state. destinationAddress: - Tests if the destination address in the packet lies between the ipspIpHeadFiltDstAddressBegin and ipspIpHeadFiltDstAddressEnd objects. Note that setting these two objects to the same address will limit the search to the exact match of a single address. The format and length of the address objects are defined by the ipspIpHeadFiltIPVersion column. A row in this table containing a ipspIpHeadFiltType object with the destinationAddress object bit but without the ipspIpHeadFiltIPVersion, ipspIpHeadFiltDstAddressBegin and ipspIpHeadFiltDstAddressEnd objects set will cause the ipspIpHeadFiltRowStatus object to return the notReady state. sourcePort: - Tests if the source port of IP packets using a protocol that uses port numbers (at this time, UDP or TCP) lies between the ipspIpHeadFiltSrcLowPort and ipspIpHeadFiltSrcHighPort objects. Note that setting these two objects to the same address will limit the search to the exact match of a single port. A row in this table containing a ipspIpHeadFiltType object with the sourcePort object bit but without the ipspIpHeadFiltSrcLowPort, and ipspIpHeadFiltSrcHighPort objects set will cause the ipspIpHeadFiltRowStatus object to return the notReady state. destinationPort: - Tests if the source port of IP packets using a protocol that uses port numbers (at this time, UDP or TCP) lies between the ipspIpHeadFiltDstLowPort and ipspIpHeadFiltDstHighPort objects. Note that setting these two objects to the same address will limit the search to the exact match of a single port. A row in this table containing a ipspIpHeadFiltType Various Authors [Page 26] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 object with the sourcePort object bit but without the ipspIpHeadFiltDstLowPort, and ipspIpHeadFiltDstHighPort objects set will cause the ipspIpHeadFiltRowStatus object to return the notReady state. protocol: - Tests to see if the packet being processed is for the given protocol type. A row in this table containing a ipspIpHeadFiltType object with the protocol object bit but without the ipspIpHeadFiltProtocol object set will cause the ipspIpHeadFiltRowStatus object to return the notReady state. ipv6FlowLabel: - Tests to see if the packet being processed contains an ipv6 Flow Label which matches the value in the ipfIPv6FlowLabel object. Setting this bit mandates that for the packet to match the filter, it must be an IPv6 packet. A row in this table containing a ipspIpHeadFiltType object with the ipv6FlowLabel object bit but without the ipfIPv6FlowLabel object set will cause the ipspIpHeadFiltRowStatus object to return the notReady state." ::= { ipspIpHeaderFilterEntry 2 } ipspIpHeadFiltIPVersion OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-create STATUS current DESCRIPTION "The Internet Protocol version the addresses are to match against. The value of this property determines the size and format of the ipspIpHeadFiltSrcAddressBegin, ipspIpHeadFiltSrcAddressEnd, ipspIpHeadFiltDstAddressBegin, and ipspIpHeadFiltDstAddressEnd objects. Values of unknown, ipv4z, ipv6z and dns are not legal values for this object." DEFVAL { ipv6 } ::= { ipspIpHeaderFilterEntry 3 } ipspIpHeadFiltSrcAddressBegin OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create Various Authors [Page 27] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 STATUS current DESCRIPTION "The starting address of a source address range that the packet must match against for this filter to be considered TRUE. This object is only used if sourceAddress is set in ipspIpHeadFiltType." ::= { ipspIpHeaderFilterEntry 4 } ipspIpHeadFiltSrcAddressEnd OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The ending address of a source address range to check a packet against, where the starting is specified by the ipspIpHeadFiltSrcAddressBegin object. Set this column to the same value as the ipspIpHeadFiltSrcAddressBegin column to get an exact single address match. This object is only used if sourceAddress is set in ipspIpHeadFiltType." ::= { ipspIpHeaderFilterEntry 5 } ipspIpHeadFiltDstAddressBegin OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The starting address of a destination address range that the packet must match against for this filter to be considered TRUE. This object is only used if destinationAddress is set in ipspIpHeadFiltType." ::= { ipspIpHeaderFilterEntry 6 } ipspIpHeadFiltDstAddressEnd OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The ending address of a destination address range to check a packet against, where the first is specified by the ipspIpHeadFiltDstAddressBegin object. Set this column to the same value as the ipspIpHeadFiltDstAddressBegin column to get an exact single address match. Various Authors [Page 28] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 This object is only used if destinationAddress is set in ipspIpHeadFiltType." ::= { ipspIpHeaderFilterEntry 7 } ipspIpHeadFiltSrcLowPort OBJECT-TYPE SYNTAX InetPortNumber MAX-ACCESS read-create STATUS current DESCRIPTION "The low port of the port range a packet's source must match against. To match, the port number must be greater than or equal to this value. This object is only used if sourcePort is set in ipspIpHeadFiltType. The value of 0 for this object is illegal." ::= { ipspIpHeaderFilterEntry 8 } ipspIpHeadFiltSrcHighPort OBJECT-TYPE SYNTAX InetPortNumber MAX-ACCESS read-create STATUS current DESCRIPTION "The high port of the port range a packet's source must match against. To match, the port number must be less than or equal to this value. This object is only used if sourcePort is set in ipspIpHeadFiltType. The value of 0 for this object is illegal." ::= { ipspIpHeaderFilterEntry 9 } ipspIpHeadFiltDstLowPort OBJECT-TYPE SYNTAX InetPortNumber MAX-ACCESS read-create STATUS current DESCRIPTION "The low port of the port range a packet's destination must match against. To match, the port number must be greater than or equal to this value. This object is only used if destinationPort is set in ipspIpHeadFiltType. The value of 0 for this object is illegal." ::= { ipspIpHeaderFilterEntry 10 } Various Authors [Page 29] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ipspIpHeadFiltDstHighPort OBJECT-TYPE SYNTAX InetPortNumber MAX-ACCESS read-create STATUS current DESCRIPTION "The high port of the port range a packet's destination must match against. To match, the port number must be less than or equal to this value. This object is only used if destinationPort is set in ipspIpHeadFiltType. The value of 0 for this object is illegal." ::= { ipspIpHeaderFilterEntry 11 } ipspIpHeadFiltProtocol OBJECT-TYPE SYNTAX Integer32 (0..255) MAX-ACCESS read-create STATUS current DESCRIPTION "The protocol number the incoming packet must match against for this filter to be evaluated as true. This object is only used if protocol is set in ipspIpHeadFiltType." ::= { ipspIpHeaderFilterEntry 12 } ipspIpHeadFiltIPv6FlowLabel OBJECT-TYPE SYNTAX Integer32 (0..1048575) MAX-ACCESS read-create STATUS current DESCRIPTION "The IPv6 Flow Label that the packet must match against. This object is only used if ipv6FlowLabel is set in ipspIpHeadFiltType." ::= { ipspIpHeaderFilterEntry 13 } ipspIpHeadFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspIpHeaderFilterEntry 14 } Various Authors [Page 30] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ipspIpHeadFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspIpHeaderFilterEntry 15 } ipspIpHeadFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. This object may not be set to active if the requirements of the ipspIpHeadFiltType object are not met. In other words, if the associated value columns needed by a particular test have not been set, then attempting to change this row to an active state will result in an inconsistentValue error. See the ipspIpHeadFiltType object description for further details." ::= { ipspIpHeaderFilterEntry 16 } -- -- Policy IP Offset filter definition table -- ipspIpOffsetFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspIpOffsetFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of filter definitions to be used within the ipspRuleDefinitionTable or the ipspSubfilterTable." ::= { ipspConfigObjects 9 } ipspIpOffsetFilterEntry OBJECT-TYPE SYNTAX IpspIpOffsetFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A definition of a particular filter." Various Authors [Page 31] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 INDEX { ipspIpOffFiltName } ::= { ipspIpOffsetFilterTable 1 } IpspIpOffsetFilterEntry ::= SEQUENCE { ipspIpOffFiltName SnmpAdminString, ipspIpOffFiltOffset Integer32, ipspIpOffFiltType INTEGER, ipspIpOffFiltNumber Integer32, ipspIpOffFiltValue OCTET STRING, ipspIpOffFiltLastChanged TimeStamp, ipspIpOffFiltStorageType StorageType, ipspIpOffFiltRowStatus RowStatus } ipspIpOffFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name for this filter." ::= { ipspIpOffsetFilterEntry 1 } ipspIpOffFiltOffset OBJECT-TYPE SYNTAX Integer32 (0..65536) MAX-ACCESS read-create STATUS current DESCRIPTION "This is the byte offset from the front of the IP packet where the value or arithmetic comparison is done. A value of '0' indicates the first byte in the packet." ::= { ipspIpOffsetFilterEntry 2 } ipspIpOffFiltType OBJECT-TYPE SYNTAX INTEGER { valueMatch(1), valueNotMatch(2), arithmeticEqual(3), arithmeticNotEqual(4), arithmeticLess(5), arithmeticGreaterOrEqual(6), arithmeticGreater(7), arithmeticLessOrEqual(8) } MAX-ACCESS read-create STATUS current DESCRIPTION "This defines the various tests that are used when evaluating a given filter. Once a row is 'active', this object's value may not be Various Authors [Page 32] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 changed unless the appropriate columns, ipspIpOffFiltNumber or ipspIpOffFiltValue, needed by the new value to be imposed on this object have been appropriately configured. The various tests definable in this table are as follows: valueMatch: - Tests if the OCTET STRING, 'ipspIpOffFiltValue', matches a value in the packet starting at the given offset in the packet and comparing the entire OCTET STRING of 'ipspIpOffFiltValue'. valueNotMatch: - Tests if the OCTET STRING, 'ipspIpOffFiltValue', does not match a value in the packet starting at the given offset in the packet and comparing to the entire OCTET STRING of 'ipspIpOffFiltValue'. arithmeticEqual: - Tests if the Integer32, 'ipspIpOffFiltNumber', is arithmetically equal ('=') to the 4 byte value starting at the given offset within the packet. The value in the packet is assumed to be in network byte order. arithmeticNotEqual: - Tests if the Integer32, 'ipspIpOffFiltNumber', is arithmetically not equal ('!=') to the 4 byte value starting at the given offset within the packet. The value in the packet is assumed to be in network byte order. arithmeticLess: - Tests if the Integer32, 'ipspIpOffFiltNumber', is arithmetically less than ('<') the 4 byte value starting at the given offset within the packet. The value in the packet is assumed to be in network byte order. arithmeticGreaterOrEqual: - Tests if the Integer32, 'ipspIpOffFiltNumber', is arithmetically greater than or equal to ('>=') the 4 byte value starting at the given offset within the packet. The value in the packet is assumed to be in network byte order. arithmeticGreater: - Tests if the Integer32, 'ipspIpOffFiltNumber', is arithmetically greater than ('>') the 4 byte value starting at the given offset within the packet. The Various Authors [Page 33] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 value in the packet is assumed to be in network byte order. arithmeticLessOrEqual: - Tests if the Integer32, 'ipspIpOffFiltNumber', is arithmetically less than or equal to ('<=') the 4 byte value starting at the given offset within the packet. The value in the packet is assumed to be in network byte order." ::= { ipspIpOffsetFilterEntry 3 } ipspIpOffFiltNumber OBJECT-TYPE SYNTAX Integer32 (0..65536) MAX-ACCESS read-create STATUS current DESCRIPTION "ipspIpOffFiltNumber is used for arithmetic matching of a packets at ipspIpOffFiltOffset. This object is only used if one of the arithmetic types is chosen in ipspIpOffFiltType." ::= { ipspIpOffsetFilterEntry 4 } ipspIpOffFiltValue OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..1024)) MAX-ACCESS read-create STATUS current DESCRIPTION "ipspIpOffFiltValue is used for match comparisons of a packet at ipspIpOffFiltOffset. This object is only used if one of the match types is chosen in ipspIpOffFiltType." ::= { ipspIpOffsetFilterEntry 5 } ipspIpOffFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspIpOffsetFilterEntry 6 } ipspIpOffFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create Various Authors [Page 34] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspIpOffsetFilterEntry 7 } ipspIpOffFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. This object may not be set to active if the requirements of the ipspIpOffFiltType object are not met. In other words, if the associated value columns needed by a particular test have not been set, then attempting to change this row to an active state will result in an inconsistentValue error. See the ipspIpOffFiltType object description for further details." ::= { ipspIpOffsetFilterEntry 8 } -- -- Time/scheduling filter table -- ipspTimeFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspTimeFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Defines a table of filters which can be used to effectively enable or disable policies based on a valid time range." ::= { ipspConfigObjects 10 } ipspTimeFilterEntry OBJECT-TYPE SYNTAX IpspTimeFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row describing a given time frame for which a policy may be filtered on to place the rule active or inactive." INDEX { ipspTimeFiltName } ::= { ipspTimeFilterTable 1 } IpspTimeFilterEntry ::= SEQUENCE { Various Authors [Page 35] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ipspTimeFiltName SnmpAdminString, ipspTimeFiltPeriodStart DateAndTime, ipspTimeFiltPeriodEnd DateAndTime, ipspTimeFiltMonthOfYearMask BITS, ipspTimeFiltDayOfMonthMask OCTET STRING, ipspTimeFiltDayOfWeekMask BITS, ipspTimeFiltTimeOfDayMaskStart DateAndTime, ipspTimeFiltTimeOfDayMaskEnd DateAndTime, ipspTimeFiltLastChanged TimeStamp, ipspTimeFiltStorageType StorageType, ipspTimeFiltRowStatus RowStatus } ipspTimeFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "An administratively assigned name for this filter." ::= { ipspTimeFilterEntry 1 } ipspTimeFiltPeriodStart OBJECT-TYPE SYNTAX DateAndTime MAX-ACCESS read-create STATUS current DESCRIPTION "The starting time period for this filter. In addition to a normal DateAndTime string, this object may be set to the OCTET STRING value THISANDPRIOR which indicates that the filter is valid from any time before now up until (at least) now." DEFVAL { '00000101000000002b0000'H } ::= { ipspTimeFilterEntry 2 } ipspTimeFiltPeriodEnd OBJECT-TYPE SYNTAX DateAndTime MAX-ACCESS read-create STATUS current DESCRIPTION "The ending time period for this filter. In addition to a normal DateAndTime string, this object may be set to the OCTET STRING value THISANDFUTURE which indicates that the filter is valid without an ending date and/or time." DEFVAL { '99991231235959092b0000'H } ::= { ipspTimeFilterEntry 3 } Various Authors [Page 36] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ipspTimeFiltMonthOfYearMask OBJECT-TYPE SYNTAX BITS { january(0), february(1), march(2), april(3), may(4), june(5), july(6), august(7), september(8), october(9),november(10), december(11) } MAX-ACCESS read-create STATUS current DESCRIPTION "A bit mask which overlays the ipspTimeFiltPeriodStart to ipspTimeFiltPeriodEnd date range to further restrict the time period to a restricted set of months of the year." DEFVAL { { january, february, march, april, may, june, july, august, september, october, november, december } } ::= { ipspTimeFilterEntry 4 } ipspTimeFiltDayOfMonthMask OBJECT-TYPE SYNTAX OCTET STRING (SIZE(4)) MAX-ACCESS read-create STATUS current DESCRIPTION "Defines which days of the month this time period is valid for. It is a sequence of 32 BITS, where each BIT represents a corresponding day of the month starting from the left most bit being equal to the first day of the month. The last bit in the string MUST be zero." DEFVAL { 'fffffffe'H } ::= { ipspTimeFilterEntry 5 } ipspTimeFiltDayOfWeekMask OBJECT-TYPE SYNTAX BITS { monday(0), tuesday(1), wednesday(2), thursday(3), friday(4), saturday(5), sunday(6) } MAX-ACCESS read-create STATUS current DESCRIPTION "A bit mask which overlays the ipspTimeFiltPeriodStart to ipspTimeFiltPeriodEnd date range to further restrict the time period to a restricted set of days within a given week." DEFVAL { { monday, tuesday, wednesday, thursday, friday, saturday, sunday } } ::= { ipspTimeFilterEntry 6 } ipspTimeFiltTimeOfDayMaskStart OBJECT-TYPE SYNTAX DateAndTime MAX-ACCESS read-create STATUS current DESCRIPTION Various Authors [Page 37] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 "Indicates the starting time of day for which this filter evaluates to true. The date portions of the DateAndTime TC are ignored for purposes of evaluating this mask and only the time specific portions are used." DEFVAL { '00000000000000002b0000'H } ::= { ipspTimeFilterEntry 7 } ipspTimeFiltTimeOfDayMaskEnd OBJECT-TYPE SYNTAX DateAndTime MAX-ACCESS read-create STATUS current DESCRIPTION "Indicates the ending time of day for which this filter evaluates to true. The date portions of the DateAndTime TC are ignored for purposes of evaluating this mask and only the time specific portions are used. If this starting and ending time values indicated by the ipspTimeFiltTimeOfDayMaskStart and ipspTimeFiltTimeOfDayMaskEnd objects are equal, the filter is expected to be evaluated over the entire 24 hour period." DEFVAL { '00000000000000002b0000'H } ::= { ipspTimeFilterEntry 8 } ipspTimeFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspTimeFilterEntry 9 } ipspTimeFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspTimeFilterEntry 10 } ipspTimeFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current Various Authors [Page 38] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 DESCRIPTION "This object indicates the conceptual status of this row." ::= { ipspTimeFilterEntry 11 } -- -- IPSO protection authority filtering -- ipspIpsoHeaderFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspIpsoHeaderFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of IPSO header filter definitions to be used within the ipspRuleDefinitionTable or the ipspSubfilterTable. IPSO headers and their values are described in RFC1108." ::= { ipspConfigObjects 11 } ipspIpsoHeaderFilterEntry OBJECT-TYPE SYNTAX IpspIpsoHeaderFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A definition of a particular filter." INDEX { ipspIpsoHeadFiltName } ::= { ipspIpsoHeaderFilterTable 1 } IpspIpsoHeaderFilterEntry ::= SEQUENCE { ipspIpsoHeadFiltName SnmpAdminString, ipspIpsoHeadFiltType BITS, ipspIpsoHeadFiltClassification INTEGER, ipspIpsoHeadFiltProtectionAuth INTEGER, ipspIpsoHeadFiltLastChanged TimeStamp, ipspIpsoHeadFiltStorageType StorageType, ipspIpsoHeadFiltRowStatus RowStatus } ipspIpsoHeadFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name for this filter." ::= { ipspIpsoHeaderFilterEntry 1 } ipspIpsoHeadFiltType OBJECT-TYPE SYNTAX BITS { classificationLevel(0), Various Authors [Page 39] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 protectionAuthority(1) } MAX-ACCESS read-create STATUS current DESCRIPTION "The IPSO header fields to match the value against." ::= { ipspIpsoHeaderFilterEntry 2 } ipspIpsoHeadFiltClassification OBJECT-TYPE SYNTAX INTEGER { topSecret(61), secret(90), confidential(150), unclassified(171) } MAX-ACCESS read-create STATUS current DESCRIPTION "The IPSO classification header field value must match the value in this column if the classificationLevel bit is set in the ipspIpsoHeadFiltType field. The values of these enumerations are defined by RFC1108." ::= { ipspIpsoHeaderFilterEntry 3 } ipspIpsoHeadFiltProtectionAuth OBJECT-TYPE SYNTAX INTEGER { genser(0), siopesi(1), sci(2), nsa(3), doe(4) } MAX-ACCESS read-create STATUS current DESCRIPTION "The IPSO protection authority header field value must match the value in this column if the protection authority bit is set in the ipspIpsoHeadFiltType field. The values of these enumerations are defined by RFC1108. Hence the reason the SMIv2 convention of not using 0 in enum lists is violated here." ::= { ipspIpsoHeaderFilterEntry 4 } ipspIpsoHeadFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspIpsoHeaderFilterEntry 5 } ipspIpsoHeadFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create Various Authors [Page 40] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspIpsoHeaderFilterEntry 6 } ipspIpsoHeadFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. This object may not be set to active if the requirements of the ipspIpsoHeadFiltType object are not met. In other words, if the associated value columns needed by a particular test have not been set, then attempting to change this row to an active state will result in an inconsistentValue error. See the ipspIpsoHeadFiltType object description for further details." ::= { ipspIpsoHeaderFilterEntry 7 } -- -- credential filter table -- ipspCredentialFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspCredentialFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table defines filters which can be used to match credentials of IKE peers, where the credentials in question have been obtained from an IKE phase 1 exchange. They may be X.509 certificates, Kerberos tickets, etc..." ::= { ipspConfigObjects 12 } ipspCredentialFilterEntry OBJECT-TYPE SYNTAX IpspCredentialFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row defining a particular credential filter" INDEX { ipspCredFiltName } ::= { ipspCredentialFilterTable 1 } Various Authors [Page 41] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 IpspCredentialFilterEntry ::= SEQUENCE { ipspCredFiltName SnmpAdminString, ipspCredFiltCredentialType IpspCredentialType, ipspCredFiltMatchFieldName OCTET STRING, ipspCredFiltMatchFieldValue OCTET STRING, ipspCredFiltAcceptCredFrom OCTET STRING, ipspCredFiltLastChanged TimeStamp, ipspCredFiltStorageType StorageType, ipspCredFiltRowStatus RowStatus } ipspCredFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name of this filter." ::= { ipspCredentialFilterEntry 1 } ipspCredFiltCredentialType OBJECT-TYPE SYNTAX IpspCredentialType MAX-ACCESS read-create STATUS current DESCRIPTION "The credential type that is expected for this filter to succeed." DEFVAL { x509 } ::= { ipspCredentialFilterEntry 2 } ipspCredFiltMatchFieldName OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..256)) MAX-ACCESS read-create STATUS current DESCRIPTION "The piece of the credential to match against. Examples: serialNumber, signatureAlgorithm, issuerName or subjectName. For credential types without fields (e.g. shared secrec), this field should be left empty, and the entire credential will be matched against the ipspCredFiltMatchFieldValue." ::= { ipspCredentialFilterEntry 3 } ipspCredFiltMatchFieldValue OBJECT-TYPE SYNTAX OCTET STRING (SIZE(1..4096)) MAX-ACCESS read-create STATUS current DESCRIPTION "The value that the field indicated by the Various Authors [Page 42] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ipspCredFiltMatchFieldName must match against for the filter to be considered TRUE." ::= { ipspCredentialFilterEntry 4 } ipspCredFiltAcceptCredFrom OBJECT-TYPE SYNTAX OCTET STRING(SIZE(1..117)) MAX-ACCESS read-create STATUS current DESCRIPTION "This value is used to look up a row in the ipspIpsecCredMngServiceTable for the Certificate Authority (CA) Information. This value is empty if there is no CA used for this filter." ::= { ipspCredentialFilterEntry 5 } ipspCredFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspCredentialFilterEntry 6 } ipspCredFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspCredentialFilterEntry 7 } ipspCredFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row." ::= { ipspCredentialFilterEntry 8 } -- -- Peer Identity Filter Table -- Various Authors [Page 43] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ipspPeerIdentityFilterTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspPeerIdentityFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table defines filters which can be used to match credentials of IKE peers, where the credentials in question have been obtained from an IKE phase 1 exchange. They may be X.509 certificates, Kerberos tickets, etc..." ::= { ipspConfigObjects 13 } ipspPeerIdentityFilterEntry OBJECT-TYPE SYNTAX IpspPeerIdentityFilterEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row defining a particular credential filter" INDEX { ipspPeerIdFiltName } ::= { ipspPeerIdentityFilterTable 1 } IpspPeerIdentityFilterEntry ::= SEQUENCE { ipspPeerIdFiltName SnmpAdminString, ipspPeerIdFiltIdentityType IpsecDoiIdentType, ipspPeerIdFiltIdentityValue IpspIdentityFilter, ipspPeerIdFiltLastChanged TimeStamp, ipspPeerIdFiltStorageType StorageType, ipspPeerIdFiltRowStatus RowStatus } ipspPeerIdFiltName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The administrative name of this filter." ::= { ipspPeerIdentityFilterEntry 1 } ipspPeerIdFiltIdentityType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-create STATUS current DESCRIPTION "The type of identity field in the peer ID payload to match against." ::= { ipspPeerIdentityFilterEntry 2 } ipspPeerIdFiltIdentityValue OBJECT-TYPE SYNTAX IpspIdentityFilter Various Authors [Page 44] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 MAX-ACCESS read-create STATUS current DESCRIPTION "The string representation of the value that the peer ID payload value must match against. Wildcard mechanisms MUST be supported such that: - a ipspPeerIdFiltIdentityValue of '*@example.com' will match a userFqdn ID payload of 'JDOE@EXAMPLE.COM' - a ipspPeerIdFiltIdentityValue of '*.example.com' will match a fqdn ID payload of 'WWW.EXAMPLE.COM' - a ipspPeerIdFiltIdentityValue of: 'cn=*,ou=engineering,o=company,c=us' will match a DER DN ID payload of 'cn=John Doe,ou=engineering,o=company,c=us' - a ipspPeerIdFiltIdentityValue of '192.0.2.0/24' will match an IPv4 address ID payload of 192.0.2.10 - a ipspPeerIdFiltIdentityValue of '192.0.2.*' will also match an IPv4 address ID payload of 192.0.2.10. The character '*' replaces 0 or multiple instances of any character." ::= { ipspPeerIdentityFilterEntry 3 } ipspPeerIdFiltLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspPeerIdentityFilterEntry 4 } ipspPeerIdFiltStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspPeerIdentityFilterEntry 5 } Various Authors [Page 45] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ipspPeerIdFiltRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. This object can not be considered active unless the ipspPeerIdFiltIdentityType and ipspPeerIdFiltIdentityValue column values are defined." ::= { ipspPeerIdentityFilterEntry 6 } -- -- compound actions table -- ipspCompoundActionTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspCompoundActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table used to allow multiple actions to be associated with a rule. It uses the ipspSubactionsTable to do this." ::= { ipspConfigObjects 14 } ipspCompoundActionEntry OBJECT-TYPE SYNTAX IpspCompoundActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row in the ipspCompoundActionTable." INDEX { ipspCompActName } ::= { ipspCompoundActionTable 1 } IpspCompoundActionEntry ::= SEQUENCE { ipspCompActName SnmpAdminString, ipspCompActExecutionStrategy INTEGER, ipspCompActLastChanged TimeStamp, ipspCompActStorageType StorageType, ipspCompActRowStatus RowStatus } ipspCompActName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This is an administratively assigned name of this compound action." Various Authors [Page 46] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ::= { ipspCompoundActionEntry 1 } ipspCompActExecutionStrategy OBJECT-TYPE SYNTAX INTEGER { reserved(0), doAll(1), doUntilSuccess(2), doUntilFailure(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates how the sub-actions are executed based on the success of the actions as they finish executing. doAll - run each sub-action regardless of the exit status of the previous action. This parent action is always considered to have acted successfully. doUntilSuccess - run each sub-action until one succeeds, at which point stop processing the sub-actions within this parent compound action. If one of the sub-actions did execute successfully, this parent action is also considered to have executed sucessfully. doUntilFailure - run each sub-action until one fails, at which point stop processing the sub-actions within this compound action. If any sub-action fails, the result of this parent action is considered to have failed." DEFVAL { doUntilSuccess } ::= { ipspCompoundActionEntry 2 } ipspCompActLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspCompoundActionEntry 3 } ipspCompActStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION Various Authors [Page 47] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspCompoundActionEntry 4 } ipspCompActRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. Once a row in the ipspCompoundActionTable has been made active, this object may not be set to destroy without first destroying all the contained rows listed in the ipspSubactionsTable." ::= { ipspCompoundActionEntry 5 } -- -- actions contained within a compound action -- ipspSubactionsTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspSubactionsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of the sub-actions within a given compound action. Compound actions executing these actions MUST execute them in series based on the ipspSubActPriority value, with the lowest value executing first." ::= { ipspConfigObjects 15 } ipspSubactionsEntry OBJECT-TYPE SYNTAX IpspSubactionsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A row containing a reference to a given compound-action sub-action." INDEX { ipspCompActName, ipspSubActPriority } ::= { ipspSubactionsTable 1 } Various Authors [Page 48] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 IpspSubactionsEntry ::= SEQUENCE { ipspSubActPriority Integer32, ipspSubActSubActionName VariablePointer, aiipspCompActLastChanged TimeStamp, aiipspCompActStorageType StorageType, aiipspCompActRowStatus RowStatus } ipspSubActPriority OBJECT-TYPE SYNTAX Integer32 (0..65536) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The priority of a given sub-action within a compound action. The order in which sub-actions should be executed are based on the value from this column, with the lowest numeric value executing first." ::= { ipspSubactionsEntry 1 } ipspSubActSubActionName OBJECT-TYPE SYNTAX VariablePointer MAX-ACCESS read-create STATUS current DESCRIPTION "This column points to the action to be taken. It may, but is not limited to, point to a row in one of the following tables: ipspCompoundActionTable - Allowing recursion ipspSaPreconfiguredActionTable ipspIkeActionTable ipspIpsecActionTable It may also point to one of the scalar objects beneath ipspStaticActions. If this object is set to a pointer to a row in an unsupported (or unknown) table, an inconsistentValue error should be returned. If this object is set to point to a non-existent row in an otherwise supported table, an inconsistentName error should be returned." ::= { ipspSubactionsEntry 2 } aiipspCompActLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only Various Authors [Page 49] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspSubactionsEntry 3 } aiipspCompActStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspSubactionsEntry 4 } aiipspCompActRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified." ::= { ipspSubactionsEntry 5 } -- -- Static Actions -- -- these are static actions which can be pointed to by the -- ipspRuleDefAction or the ipspSubActSubActionName objects to drop, -- accept or reject packets. ipspStaticActions OBJECT IDENTIFIER ::= { ipspConfigObjects 16 } ipspDropAction OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates that a packet should be dropped WITHOUT action/packet logging. This object returns a value of 1 for IPsec policy implementations that support the drop static action." Various Authors [Page 50] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ::= { ipspStaticActions 1 } ipspDropActionLog OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates that a packet should be dropped WITH action/packet logging. This object returns a value of 1 for IPsec policy implementations that support the drop static action with logging." ::= { ipspStaticActions 2 } ipspAcceptAction OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "This Scalar indicates that a packet should be accepted (pass-through) WITHOUT action/packet logging. This object returns a value of 1 for IPsec policy implementations that support the accept static action." ::= { ipspStaticActions 3 } ipspAcceptActionLog OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates that a packet should be accepted (pass-through) WITH action/packet logging. This object returns a value of 1 for IPsec policy implementations that support the accept static action with logging." ::= { ipspStaticActions 4 } ipspRejectIKEAction OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates that a packet should be rejected WITHOUT action/packet logging. This object returns a value of 1 for IPsec policy implementations that support the reject static action." ::= { ipspStaticActions 5 } ipspRejectIKEActionLog OBJECT-TYPE SYNTAX Integer32 Various Authors [Page 51] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 MAX-ACCESS read-only STATUS current DESCRIPTION "This scalar indicates that a packet should be rejected WITH action/packet logging. This object returns a value of 1 for IPsec policy implementations that support the reject static action with logging." ::= { ipspStaticActions 6 } -- -- Preconfigured Action Table -- ipspSaPreconfiguredActionTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspSaPreconfiguredActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table is a list of non-negotiated IPsec actions (SAs) that can be performed and contains or indicates the data necessary to create such an SA." ::= { ipspConfigObjects 17 } ipspSaPreconfiguredActionEntry OBJECT-TYPE SYNTAX IpspSaPreconfiguredActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "One entry in the ipspSaPreconfiguredActionTable." INDEX { ipspSaPreActActionName, ipspSaPreActSADirection } ::= { ipspSaPreconfiguredActionTable 1 } IpspSaPreconfiguredActionEntry ::= SEQUENCE { ipspSaPreActActionName SnmpAdminString, ipspSaPreActSADirection IpspSADirection, ipspSaPreActActionDescription SnmpAdminString, ipspSaPreActActionLifetimeSec Unsigned32, ipspSaPreActActionLifetimeKB Unsigned32, ipspSaPreActDoActionLogging TruthValue, ipspSaPreActDoPacketLogging IpspIPPacketLogging, ipspSaPreActDFHandling INTEGER, ipspSaPreActActionType IpsecDoiEncapsulationMode, ipspSaPreActAHSPI Integer32, ipspSaPreActAHTransformName SnmpAdminString, ipspSaPreActAHSharedSecretName SnmpAdminString, ipspSaPreActESPSPI Integer32, Various Authors [Page 52] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ipspSaPreActESPTransformName SnmpAdminString, ipspSaPreActESPEncSecretName SnmpAdminString, ipspSaPreActESPAuthSecretName SnmpAdminString, ipspSaPreActIPCompSPI Integer32, ipspSaPreActIPCompTransformName SnmpAdminString, ipspSaPreActPeerGatewayIdName SnmpAdminString, ipspSaPreActLastChanged TimeStamp, ipspSaPreActStorageType StorageType, ipspSaPreActRowStatus RowStatus } ipspSaPreActActionName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains the name of this SaPreconfiguredActionEntry." ::= { ipspSaPreconfiguredActionEntry 1 } ipspSaPreActSADirection OBJECT-TYPE SYNTAX IpspSADirection MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object indicates whether a row should apply to outgoing or incoming SAs" ::= { ipspSaPreconfiguredActionEntry 2 } ipspSaPreActActionDescription OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-create STATUS current DESCRIPTION "An administratively assigned string which may be used to describe what the action does." DEFVAL { "" } ::= { ipspSaPreconfiguredActionEntry 3 } ipspSaPreActActionLifetimeSec OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipspSaPreActActionLifetimeSec specifies how long in seconds the security association derived from this action should be used. The default lifetime is 8 hours. Various Authors [Page 53] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 Note: the actual lifetime of the preconfigured SA will be the lesser of the value of this object and of the value of the MaxLifetimeSecs property of the associated transform. A value of 0 indicates no time limit on the lifetime of the SA." DEFVAL { 28800 } ::= { ipspSaPreconfiguredActionEntry 4 } ipspSaPreActActionLifetimeKB OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipspSaPreActActionLifetimeKB specifies how long the security association derived from this action should be used. After this value in KiloBytes has passed through the security association, it should no longer be used. Note: the actual lifetime of the preconfigured SA will be the lesser of the value of this object and of the value of the MaxLifetimeKB property of the associated transform. The default value, '0', indicates no kilobyte limit." DEFVAL { 0 } ::= { ipspSaPreconfiguredActionEntry 5 } ipspSaPreActDoActionLogging OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "ipspSaPreActDoActionLogging specifies whether or not an audit message should be logged when a preconfigured SA is created." DEFVAL { false } ::= { ipspSaPreconfiguredActionEntry 6 } ipspSaPreActDoPacketLogging OBJECT-TYPE SYNTAX IpspIPPacketLogging MAX-ACCESS read-create STATUS current DESCRIPTION "ipspSaPreActDoPacketLogging specifies whether or not an audit message should be logged and if there is logging, how many bytes of the packet to place in the notification." DEFVAL { -1 } ::= { ipspSaPreconfiguredActionEntry 7 } Various Authors [Page 54] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ipspSaPreActDFHandling OBJECT-TYPE SYNTAX INTEGER { reserved(0), -- reserved copy(1), -- indicates copy the DF bit from the -- internal to external IP header. set(2), -- set the DF bit in the external IP -- header to 1. clear(3) -- clear the DF bit in the external IP -- header to 0. } MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies how to process the DF bit in packets sent through the preconfigured SA. This object is not used for transport SAs." DEFVAL { copy } ::= { ipspSaPreconfiguredActionEntry 8 } ipspSaPreActActionType OBJECT-TYPE SYNTAX IpsecDoiEncapsulationMode MAX-ACCESS read-create STATUS current DESCRIPTION "This object specifies the encapsulation mode to use for the preconfigured SA: tunnel or transport mode." DEFVAL { tunnel } ::= { ipspSaPreconfiguredActionEntry 9 } ipspSaPreActAHSPI OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-create STATUS current DESCRIPTION "This object represents the SPI value for the AH SA." ::= { ipspSaPreconfiguredActionEntry 10 } ipspSaPreActAHTransformName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object is the name of the AH transform to use as an index into the AHTransformTable. A zero length value indicates no transform of this type is used." ::= { ipspSaPreconfiguredActionEntry 11 } ipspSaPreActAHSharedSecretName OBJECT-TYPE Various Authors [Page 55] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 SYNTAX SnmpAdminString(SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object contains a name value to be used as an index into the ipspCredentialTable which holds the pertinent keying information for the AH SA." ::= { ipspSaPreconfiguredActionEntry 12 } ipspSaPreActESPSPI OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-create STATUS current DESCRIPTION "This object represents the SPI value for the ESP SA." ::= { ipspSaPreconfiguredActionEntry 13 } ipspSaPreActESPTransformName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object is the name of the ESP transform to use as an index into the ESPTransformTable. A zero length value indicates no transform of this type is used." ::= { ipspSaPreconfiguredActionEntry 14 } ipspSaPreActESPEncSecretName OBJECT-TYPE SYNTAX SnmpAdminString(SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object contains a name value to be used as an index into the ipspCredentialTable which holds the pertinent keying information for the encryption algorithm of the ESP SA." ::= { ipspSaPreconfiguredActionEntry 15 } ipspSaPreActESPAuthSecretName OBJECT-TYPE SYNTAX SnmpAdminString(SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object contains a name value to be used as an index into the ipspCredentialTable which holds the pertinent keying information for the authentication algorithm of the ESP SA." ::= { ipspSaPreconfiguredActionEntry 16 } ipspSaPreActIPCompSPI OBJECT-TYPE Various Authors [Page 56] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 SYNTAX Integer32 MAX-ACCESS read-create STATUS current DESCRIPTION "This object represents the SPI value for the IPComp SA." ::= { ipspSaPreconfiguredActionEntry 17 } ipspSaPreActIPCompTransformName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object is the name of the IPComp transform to use as an index into the IPCompTransformTable. A zero length value indicates no transform of this type is used." ::= { ipspSaPreconfiguredActionEntry 18 } ipspSaPreActPeerGatewayIdName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the peer id name of the peer gateway. This object can be used to look up the peer gateway address in the ipspPeerIdentityTable. This object is only used when initiating a tunnel SA, and is not used for transport SAs. If ipspSaPreActActionType specifies tunnel mode and this object is empty, the peer gateway should be determined from the source or destination of the packet." DEFVAL { "" } ::= { ipspSaPreconfiguredActionEntry 19 } ipspSaPreActLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspSaPreconfiguredActionEntry 20 } ipspSaPreActStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current Various Authors [Page 57] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspSaPreconfiguredActionEntry 21 } ipspSaPreActRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active if it is referenced by a row in another table." ::= { ipspSaPreconfiguredActionEntry 22 } -- -- ipspSaNegotiationParametersTable -- -- PROPERTIES MinLifetimeSeconds -- MinLifetimeKilobytes -- RefreshThresholdSeconds -- RefreshThresholdKilobytes -- IdleDurationSeconds ipspSaNegotiationParametersTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspSaNegotiationParametersEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains reusable parameters that can be pointed to by the ipspIkeActionTable and ipspIpsecActionTable. These parameters are reusable since it is likely an administrator will want to make global policy changes to lifetime parameters that apply to multiple actions. This table allows multiple rows in the other actions tables to reuse global lifetime parameters in this table by repeatedly pointing to a row cointained within this table." ::= { ipspConfigObjects 18 } ipspSaNegotiationParametersEntry OBJECT-TYPE Various Authors [Page 58] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 SYNTAX IpspSaNegotiationParametersEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Contains the attributes of one row in the ipspSaNegotiationParametersTable." INDEX { ipspSaNegParamName } ::= { ipspSaNegotiationParametersTable 1 } IpspSaNegotiationParametersEntry ::= SEQUENCE { ipspSaNegParamName SnmpAdminString, ipspSaNegParamMinLifetimeSecs Unsigned32, ipspSaNegParamMinLifetimeKB Unsigned32, ipspSaNegParamRefreshThreshSecs Unsigned32, ipspSaNegParamRefreshThresholdKB Unsigned32, ipspSaNegParamIdleDurationSecs Unsigned32, ipspSaNegParamLastChanged TimeStamp, ipspSaNegParamStorageType StorageType, ipspSaNegParamRowStatus RowStatus } ipspSaNegParamName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains the administrative name of this SaNegotiationParametersEntry. This row can be referred to by this name in other policy action tables." ::= { ipspSaNegotiationParametersEntry 1 } ipspSaNegParamMinLifetimeSecs OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipspSaNegParamMinLifetimeSecs specifies the minimum seconds lifetime that will be accepted from the peer." ::= { ipspSaNegotiationParametersEntry 2 } ipspSaNegParamMinLifetimeKB OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipspSaNegParamMinLifetimeKB specifies the minimum kilobyte lifetime that will be accepted from the peer." ::= { ipspSaNegotiationParametersEntry 3 } Various Authors [Page 59] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ipspSaNegParamRefreshThreshSecs OBJECT-TYPE SYNTAX Unsigned32 (1..100) MAX-ACCESS read-create STATUS current DESCRIPTION "ipspSaNegParamRefreshThreshSecs specifies what percentage of the seconds lifetime can expire before IKE should attempt to renegotiate the IPsec security association. A value between 1 and 100 representing a percentage. A value of 100 indicates that the IPsec security association should not be renegotiated until the seconds lifetime has been completely reached." ::= { ipspSaNegotiationParametersEntry 4 } ipspSaNegParamRefreshThresholdKB OBJECT-TYPE SYNTAX Unsigned32 (1..100) MAX-ACCESS read-create STATUS current DESCRIPTION "ipspSaNegParamRefreshThresholdKB specifies what percentage of the kilobyte lifetime can expire before IKE should attempt to renegotiate the IPsec security association. A value between 1 and 100 representing a percentage. A value of 100 indicates that the IPsec security association should not be renegotiated until the kilobyte lifetime has been reached." ::= { ipspSaNegotiationParametersEntry 5 } ipspSaNegParamIdleDurationSecs OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-create STATUS current DESCRIPTION "ipspSaNegParamIdleDurationSecs specifies how many seconds a security association may remain idle (i.e., no traffic protected using the security association) before it is deleted. A value of zero indicates that idle detection should not be used for the security association. Any non-zero value indicates the number of seconds the security association may remain unused." ::= { ipspSaNegotiationParametersEntry 6 } ipspSaNegParamLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external Various Authors [Page 60] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 means." ::= { ipspSaNegotiationParametersEntry 7 } ipspSaNegParamStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspSaNegotiationParametersEntry 8 } ipspSaNegParamRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. This object may not be set to destroy if refered to by other rows in other action tables." ::= { ipspSaNegotiationParametersEntry 9 } -- -- ipspIkeActionTable -- ipspIkeActionTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspIkeActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "The ipspIkeActionTable contains a list of the parameters used for an IKE phase 1 SA DOI negotiation. See the corresponding table ipspIkeActionProposalsTable for a list of proposals contained within a given IKE Action." ::= { ipspConfigObjects 19 } ipspIkeActionEntry OBJECT-TYPE SYNTAX IpspIkeActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION Various Authors [Page 61] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 "The ipspIkeActionEntry lists the IKE negotiation attributes." INDEX { ipspIkeActName } ::= { ipspIkeActionTable 1 } IpspIkeActionEntry ::= SEQUENCE { ipspIkeActName SnmpAdminString, ipspIkeActParametersName SnmpAdminString, ipspIkeActThresholdDerivedKeys Integer32, ipspIkeActExchangeMode INTEGER, ipspIkeActAgressiveModeGroupId IkeGroupDescription, ipspIkeActIdentityType IpsecDoiIdentType, ipspIkeActIdentityContext SnmpAdminString, ipspIkeActPeerName SnmpAdminString, ipspIkeActDoActionLogging TruthValue, ipspIkeActDoPacketLogging IpspIPPacketLogging, ipspIkeActVendorId OCTET STRING, ipspIkeActLastChanged TimeStamp, ipspIkeActStorageType StorageType, ipspIkeActRowStatus RowStatus } ipspIkeActName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "This object contains the name of this ikeAction entry." ::= { ipspIkeActionEntry 1 } ipspIkeActParametersName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object is administratively assigned to reference a row in the ipspSaNegotiationParametersTable where additional parameters affecting this action may be found." ::= { ipspIkeActionEntry 2 } ipspIkeActThresholdDerivedKeys OBJECT-TYPE SYNTAX Integer32 (0..100) MAX-ACCESS read-create STATUS current DESCRIPTION "ipspIkeActThresholdDerivedKeys specifies what percentage of the derived key limit (see the LifetimeDerivedKeys property of IKEProposal) can expire before IKE should attempt to renegotiate the IKE phase 1 security association." Various Authors [Page 62] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 DEFVAL { 100 } ::= { ipspIkeActionEntry 3 } ipspIkeActExchangeMode OBJECT-TYPE SYNTAX INTEGER { main(1), agressive(2) } MAX-ACCESS read-create STATUS current DESCRIPTION "ipspIkeActExchangeMode specifies the IKE Phase 1 negotiation mode." DEFVAL { main } ::= { ipspIkeActionEntry 4 } ipspIkeActAgressiveModeGroupId OBJECT-TYPE SYNTAX IkeGroupDescription MAX-ACCESS read-create STATUS current DESCRIPTION "The values to be used for Diffie-Hellman exchange." ::= { ipspIkeActionEntry 5 } ipspIkeActIdentityType OBJECT-TYPE SYNTAX IpsecDoiIdentType MAX-ACCESS read-create STATUS current DESCRIPTION "This column along with ipspIkeActIdentityContext and endpoint information is used to refer an ipspIkeIdentityEntry in the ipspIkeIdentityTable." ::= { ipspIkeActionEntry 6 } ipspIkeActIdentityContext OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This column, along with ipspIkeActIdentityType and endpoint information, is used to refer to an ipspIkeIdentityEntry in the ipspIkeIdentityTable." ::= { ipspIkeActionEntry 7 } ipspIkeActPeerName OBJECT-TYPE SYNTAX SnmpAdminString(SIZE(0..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the peer id name of the IKE peer. This object can be used to look up the peer id value, address, Various Authors [Page 63] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 credentials and other values in the ipspPeerIdentityTable." ::= { ipspIkeActionEntry 8 } ipspIkeActDoActionLogging OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-create STATUS current DESCRIPTION "ikeDoActionLogging specifies whether or not an audit message should be logged when this ike SA is created." DEFVAL { false } ::= { ipspIkeActionEntry 9 } ipspIkeActDoPacketLogging OBJECT-TYPE SYNTAX IpspIPPacketLogging MAX-ACCESS read-create STATUS current DESCRIPTION "ikeDoPacketLogging specifies whether or not an audit message should be logged and if there is logging, how many bytes of the packet to place in the notification." DEFVAL { -1 } ::= { ipspIkeActionEntry 10 } ipspIkeActVendorId OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..65535)) MAX-ACCESS read-create STATUS current DESCRIPTION "Vendor ID Payload. A value of NULL means that Vendor ID payload will be neither generated nor accepted. A non-NULL value means that a Vendor ID payload will be generated (when acting as an initiator) or is expected (when acting as a responder)." DEFVAL { "" } ::= { ipspIkeActionEntry 11 } ipspIkeActLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspIkeActionEntry 12 } Various Authors [Page 64] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ipspIkeActStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspIkeActionEntry 13 } ipspIkeActRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. This object may not be set to destroy if refered to by other rows in other action tables." ::= { ipspIkeActionEntry 14 } -- -- ipspIkeActionProposalsTable proposals contained within a ikeAction -- ipspIkeActionProposalsTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspIkeActionProposalsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of all ike proposal names found within a given IKE Action." ::= { ipspConfigObjects 20 } ipspIkeActionProposalsEntry OBJECT-TYPE SYNTAX IpspIkeActionProposalsEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "a row containing one ike proposal reference" INDEX { ipspIkeActName, ipspIkeActPropPriority } ::= { ipspIkeActionProposalsTable 1 } IpspIkeActionProposalsEntry ::= SEQUENCE { Various Authors [Page 65] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ipspIkeActPropPriority Integer32, ipspIkeActPropName SnmpAdminString, ipspIkeActPropLastChanged TimeStamp, ipspIkeActPropStorageType StorageType, ipspIkeActPropRowStatus RowStatus } ipspIkeActPropPriority OBJECT-TYPE SYNTAX Integer32 (0..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The numeric priority of a given contained proposal inside an ike Action. This index should be used to order the proposals in an IKE Phase I negotiation, lowest value first." ::= { ipspIkeActionProposalsEntry 1 } ipspIkeActPropName OBJECT-TYPE SYNTAX SnmpAdminString (SIZE(1..32)) MAX-ACCESS read-create STATUS current DESCRIPTION "The administratively assigned name that can be used to reference a set of values contained within the ipspIkeProposalTable." ::= { ipspIkeActionProposalsEntry 2 } ipspIkeActPropLastChanged OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when this row was last modified or created either through SNMP SETs or by some other external means." ::= { ipspIkeActionProposalsEntry 3 } ipspIkeActPropStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-create STATUS current DESCRIPTION "The storage type for this row. Rows in this table which were created through an external process may have a storage type of readOnly or permanent." DEFVAL { nonVolatile } ::= { ipspIkeActionProposalsEntry 4 } Various Authors [Page 66] Internet Draft IPsec Policy Configuration MIB module Mar. 2003 ipspIkeActPropRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified." ::= { ipspIkeActionProposalsEntry 5 } -- -- IKE proposal definition table -- ipspIkeProposalTable OBJECT-TYPE SYNTAX SEQUENCE OF IpspIkeProposalEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of IKE proposals which are used in an IKE negotiation." ::= { ipspConfigObjects 21 } ipspIkeProposalEntry OBJECT-TYPE SYNTAX IpspIkeProposalEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "One IKE proposal entry." INDEX { ipspIkeActPropName } ::= { ipspIkeProposalTable 1 } IpspIkeProposalEntry ::= SEQUENCE { ipspIkePropLifetimeDerivedKeys Unsigned32, ipspIkePropCipherAlgorithm IkeEncryptionAlgorithm, ipspIkePropCipherKeyLength Unsigned32, ipspIkePropCipherKeyRounds Unsigned32, ipspIkePropHashAlgorithm IkeHashAlgorithm, ipspIkePropPrfAlgorithm INTEGER, ipspIkePropVendorId OCTET STRING, ipspIkePropDhGroup IkeGroupDescription, ipspIkePropAuthenticationMethod IkeAuthMethod, ipspIkePropMaxLifetimeSecs Unsigned32, ipspIkePropMaxLifetimeKB Unsigned32, ipspIkePropProposalLastChanged TimeStamp, ipspIkePropProposalStorageType StorageType, Various Authors