INTERNET-DRAFT C. DeSanti F. Maino K. McCloghrie Cisco Systems 18 March 2008 MIB for Fibre-Channel Security Protocols (FC-SP) draft-ietf-imss-fc-fcsp-mib-02.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress". The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects for information related to FC-SP, the Security Protocols defined for Fibre Channel. Expires 11 September 2008 [Page 1] Internet Draft Fibre-Channel Security Protocols MIB March 2008 Table of Contents 1 Introduction ................................................. 3 1.1 Change Log ................................................. 3 2 The Internet-Standard Management Framework ................... 10 3 Overview of Fibre Channel .................................... 10 3.1 Introduction ............................................... 10 3.2 Zoning ..................................................... 11 3.3 Virtual Fabrics ............................................ 11 3.4 Security ................................................... 12 3.4.1 Authentication ........................................... 12 3.4.2 Security Associations .................................... 13 3.4.3 Fabric Security Policies ................................. 14 3.4.4 Policy Model ............................................. 15 3.4.5 Policy Objects ........................................... 15 3.4.6 Three Kinds of Switches .................................. 17 3.4.7 Security Policy Management ............................... 17 3.4.8 FC-SP Zoning ............................................. 18 4 Document Overview ............................................ 19 4.1 Fibre Channel management instance .......................... 19 4.2 Entity Name ................................................ 19 4.3 Fabric Index ............................................... 20 4.4 Interface Index ............................................ 20 4.5 Syntax for Policy Object Names ............................. 20 4.6 Certificates, CAs and CRLs ................................. 21 4.7 Traffic Selectors .......................................... 22 4.8 The MIB Modules ............................................ 22 4.9 Rate Control for Notifications ............................. 25 5 Relationship to Other MIB Modules ............................ 26 6 MIB Module Definitions ....................................... 27 6.1 The T11-FC-SP-TC-MIB Module ................................ 27 6.2 The T11-FC-SP-AUTHENTICATION-MIB Module .................... 43 6.3 The T11-FC-SP-ZONING-MIB Module ............................ 64 6.4 The T11-FC-SP-POLICY-MIB Module ............................ 77 6.5 The T11-FC-SP-SA-MIB Module ................................ 176 7 Acknowledgements ............................................. 232 8 Normative References ......................................... 233 9 Informative References ....................................... 235 10 IANA Considerations ......................................... 236 11 Security Considerations ..................................... 237 12 Authors' Addresses .......................................... 245 Expires 11 September 2008 [Page 2] Internet Draft Fibre-Channel Security Protocols MIB March 2008 1. Introduction This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes managed objects for information concerning the Fibre Channel Security Protocols (FC-SP), as specified in [FC-SP]. The FC-SP standard includes the definition of protocols to authenticate Fibre Channel entities, protocols to set up session keys, protocols to negotiate the parameters required to ensure frame- by-frame integrity and confidentiality, and protocols to establish and distribute policies across a Fibre Channel Fabric. This memo was initially developed by the INCITS T11 committee (http://www.t11.org), which subsequently approved it for forwarding to the IETF. This version of the draft has been updated to reflect comments made during the "WG Last Call" period by the IETF's IMSS working group, with the intent of forwarding it to the IESG for approval as an: "Intended status: Proposed" Internet Standard. -- RFC Editor: please remove 2nd sentence of above paragraph. This memo uses one of the following terms: The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [RFC2119]. 1.1. Change Log -- RFC Editor: please delete this section. 1.1.1. Initial version The initial version was submitted to T11.5 as T11/06-554v0 on 4 August 2006. 1.1.2. September 2006 version The following changes were made for the version was submitted to T11.5 on 29 September 2006 as T11/06-554v1.txt. Expires 11 September 2008 [Page 3] Internet Draft Fibre-Channel Security Protocols MIB March 2008 - Added t11FcSpZoneSetHashStatus. - Modified t11FcSpAuSendRejNotifyEnable to be just for sending AUTH_Reject messages, and added t11FcSpAuRcvRejNotifyEnable. - Added note in the Security Considerations section to say that DH- CHAP secrets need to be managed by mechanisms other than the MIB modules defined here because they are "highly sensitive". - Added definitions for T11FcSpPolicyObjectType T11FcSpPolicyNameType T11FcSpPolicyName T11FcSpAlphaNumName T11FcSpAlphaNumNameOrNull in the T11-FC-SP-TC-MIB module. - Began defining the T11-FC-SP-POLICY-MIB module. 1.1.3. December 2006 version The following changes were made for the version was submitted to T11.5 on 4 December 2006 as T11/06-554v2.txt. - Added Fibre Channel Overview sub-sections on Zoning, Security, Authentication, Security Associations, Fabric Security Policies, Policy Model, Policy Objects, Three Kinds of Switches, Security Policy Management and FC-SP Zoning. - Added a MIB Overview sub-section on Entity Names. - Added the t11FcSpAuServerProtocol object, and defined t11FcSpAuServerProtocolRadius, t11FcSpAuServerProtocolDiameter and t11FcSpAuServerProtocolTacacs as possible values. - Clarified the value of t11FcSpAuEntityName as being either the value of fcmSwitchWWN (for Switches) or the appropriate value of fcmInstanceWwn (otherwise). - Added Compliance section for T11-FC-SP-AUTHENTICATION-MIB. - Added T11FcSpAlphaNumNameOrNull as a new TC. - Moved the t11FcSpAuIkev2Auth object to the T11-FC-SP-SA-MIB. - Completed most of the T11-FC-SP-POLICY-MIB module. Expires 11 September 2008 [Page 4] Internet Draft Fibre-Channel Security Protocols MIB March 2008 1.1.4. 2 February 2007 version The following changes were made for the version was submitted to T11.5 on 2 February 2007 as T11/07-037v0.txt. - Added the generic t11FcSpPoAttribExtension object to point to objects for specific information extracted out of Attribute Policy Objects, and the t11FcSpPoAuthProtTable table to hold Authentication Protocol Identifiers & Parameters extracted out of an Attribute Policy Object containing a 'AUTH_Negotiate Message Payload'. - Changed the syntax of the Names of IP Management Entries, to use one InetAddressType object and two InetAddress objects instead of using one T11FcSpPolicyNameType object and one T11FcSpPolicyName object. - Changed the semantics of the t11FcSpPoTmpSummryTable to be non- volatile and part of the Non-Active Policy Objects, and correspondingly renamed it to be the t11FcSpPoNaSummaryTable. - Defined the t11FcSpPoStatsTable. - Defined the syntax for t11FcSpPoRejectReasonCode and t11FcSpPoRejectReasonCodeExp in the TC-MIB. - Completed the Fibre Channel Overview section. Updated the Document Overview section. - Added Compliance section in the T11-FC-SP-POLICY-MIB. - Wrote the T11-FC-SP-SA-MIB and T11-FC-SP-CERTS-MIB modules. - Edited all six MIB modules to get them to compile. 1.1.5. 26 February 2007 version The following changes were made for the version was submitted to T11.5 on 26 February 2007 as T11/07-037v1.txt. - Added an overview section on Policy Object names to explain when their syntax is (T11FcSpPolicyNameType, T11FcSpPolicyName) versus when it is (InetAddressType, InetAddress, InetAddress). Expires 11 September 2008 [Page 5] Internet Draft Fibre-Channel Security Protocols MIB March 2008 - Clarified t11FcSpPoIpMgmtEntry's DESCRIPTION to explain that an address range is specified as two addresses: the low and high ends of the range. - Added the t11FcSpPoNaAttribExtension object and the t11FcSpPoNaAuthProtTable table as the non-active Policy counterparts to the t11FcSpPoAttribExtension object and the t11FcSpPoAuthProtTable table. - Added the t11FcSpSaNotifyLifeExceeded notification and its related objects: t11FcSpSaControlLifeExcdEnable, t11FcSpSaControlLifeExcdSpi, t11FcSpSaControlLifeExcdDir and t11FcSpSaControlLifeExcdTime. - Added text to DESCRIPTIONs of t11FcSpSaTSelPropEntry and t11FcSpSaTransEntry to explain that they are proposed or accepted only as a combination pointed to by a row in the t11FcSpSaPropTable. - Corrected the MAX-ACCESS of t11FcSpActiveZoneSetHash and t11FcSpZoneSetDatabaseHash to be read-only. - Changed the statistics table in the T11-FC-SP-AUTHENTICATION-MIB module so that it provides a mapping of Authentication entities onto interfaces, as well as statistics for each such mapping. Changed its name to be t11FcSpAuIfStatsTable to reflect the additional purpose. Changed the t11FcSpAuStatTimeouts object to be mandatory so that implementation of this table is mandatory, so that management applications can reliably use it to determine which Authentication Entity is operating on which interfaces. - Extended the t11FcSpAuRejectSentNotify and t11FcSpAuRejectReceivedNotify notifications so that are also used in the case of terminating an Authentication Transaction via an SW_RJT or LS_RJT. - Added the Authentication Entity's name in the INDEX clause of the t11FcSpCertsTable table. - Completed the Security Considerations section. - Many editorial changes. Expires 11 September 2008 [Page 6] Internet Draft Fibre-Channel Security Protocols MIB March 2008 1.1.6. 11 April 2007 version The following changes were made for the version was submitted to T11.5 on 11 April 2007 as T11/07-037v2.txt. - The term "lifesize" was changed to "lifetime in passed bytes". Also, since 2^^32 is not a large enough range for the number of passed bytes, the "number of passed bytes" is now specified as two objects: one object for the value and another object for the units of that value. This units object is now also used to distinguish between a time interval in passed bytes and a time interval in units of seconds. - Many editorial changes. 1.1.7. 3 May 2007 version The following changes were made for the version was submitted to T11.5 on 3 May 2007 as T11/07-037v3.txt. - Added FCAP in t11FcSpPoAuthProtIdentifier's DESCRIPTION. - Editorial changes. 1.1.8. 12 June 2007 version The following changes were made for the version was submitted to IETF on 12 June 2007 as draft-kzm-imss-fc-fcsp-mib-00.txt : - The Introduction section was changed to reflect the submission of this memo to the IETF's IMSS Working Group. 1.1.9. 13 August 2007 version The following changes were made for the version was submitted to IETF on 13 August 2007 as draft-ietf-imss-fc-fcsp-mib-00.txt : - The Introduction section was changed to reflect the submission of this memo to the IETF's IMSS Working Group. - The References section was updated to reflect two recently published RFCs. Expires 11 September 2008 [Page 7] Internet Draft Fibre-Channel Security Protocols MIB March 2008 1.1.10. 28 November 2007 version The following changes were made for the version was submitted to the IMSS WG's mailing-list on 28 November 2007 as a preliminary version of draft-ietf-imss-fc-fcsp-mib-01.txt : - Deleted the definition of T11-FC-SP-CERTS-MIB, and all references to it. - Changed section 4.6 to say: a) the management of certificates, Certification Authorities and Certificate Revocation Lists is the same in Fibre Channel networks as it is in other networks, and b) that this document assumes that appropriate MIB objects are defined elsewhere, e.g., in [IPSP-IPSEC-ACTION] and [IPSP-IKE-ACTION]. - Moved [IPSP-IPSEC-ACTION] and [IPSP-IKE-ACTION] to be Informative references. - Updated the References section to reflect the publication of RFC 4983. - Fixed date in T11-FC-SP-TC-MIB's REVISION clause to be the same as its LAST-UPDATED. - Fixed inconsistency in syntax of T11FcSaDirection. - Inserted ranges on Unsigned32 auxiliary objects. - Minor rewording in the "Rate Control for Notifications" section. 1.1.11. 25 February 2008 version The following changes were made for the version was created based on Working Group Last Call comments on 25 February 2008 as draft-ietf- imss-fc-fcsp-mib-01.txt: - Wording change to the ORGANIZATION section of all MIB modules. - Changed T11FcSpAlphaNumNameOrNull to T11FcSpAlphaNumNameOrAbsent. - Added REFERENCE clauses to OBJECT-IDENTITYs. - Deleted the definition of t11FcSpSaTSelPropIndex, with t11FcSpSaTSelPropPrecedence replacing it in the INDEX clause of the t11FcSpSaTSelPropTable. Expires 11 September 2008 [Page 8] Internet Draft Fibre-Channel Security Protocols MIB March 2008 - Moved section 3.5 through 3.12 to be sub-sections of section 3.4. - Re-ordered the top-level OID assignments in T11-FC-SP- AUTHENTICATION-MIB. - Changed the syntax of t11FcSpPoSwMembSwitchName, t11FcSpPoNoMembNodeName, t11FcSpPoNaSwMembSwitchName, t11FcSpPoNaNoMembNodeName and t11FcSpPoNaSwConnAllowedName to be consistent. - Defined T11FcSpSecurityProtocolId as a new TC, and used it for the several objects which identify an FC-SP "Security Protocol_Id". - Added a range sub-clause to exclude zero in the values of t11FcSpSaPairTransListIndex and t11FcSpSaPairTransIndex. - Defined new TC's for syntax used multiple times: T11FcSpLifetimeLeft, T11FcSpLifetimeLeftUnits, T11FcSpHashCalculationStatus and T11FcSpSecurityProtocolId. - Added SIZE clause to the syntax of t11FcSpPoSwConnAllowedName. - Added t11FcSpSaControlMaxNotifs as a new object. - Added t11FcSpSaTSelPropStorageType and t11FcSpSaTransStorageType as additional StorageType objects for the two tables in the T11-FC-SP- SA-MIB which are not INDEX-ed by t11FcSpSaIfFabricIndex, i.e., they have different granularity, and so can not share usage of t11FcSpSaIfStorageType. - Many editorial changes and clarifications. 1.1.12. 11 March 2008 version The following changes were made for the version, named draft-ietf- imss-fc-fcsp-mib-02.txt, created for submission to the Area Directors with a request for it to be published as an RFC: - Text added in section 3.4.5 to observe that the Fabric name is in the Switch Membership List Object, not in the Policy Summary Object. - Fixed screw-up in the Table of Contents. Expires 11 September 2008 [Page 9] Internet Draft Fibre-Channel Security Protocols MIB March 2008 2. The Internet-Standard Management Framework For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410]. Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580]. 3. Overview of Fibre Channel 3.1. Introduction Fibre Channel (FC) is logically a bidirectional point-to-point serial data channel, structured for high performance. Fibre Channel provides a general transport vehicle for higher level protocols such as Small Computer System Interface (SCSI) command sets, the High- Performance Parallel Interface (HIPPI) data framing, IP (Internet Protocol), IEEE 802.2, and others. Physically, Fibre Channel is an interconnection of multiple communication points, called N_Ports, interconnected either by a switching network, called a Fabric, or by a point-to-point link. A Fibre Channel "Node" consists of one or more N_Ports. A Fabric may consist of multiple Interconnect Elements, some of which are Switches. An N_Port connects to the Fabric via a port on a Switch called an F_Port. When multiple FC Nodes are connected to a single port on a Switch via an "Arbitrated Loop" topology, the Switch port is called an FL_Port, and the Nodes' ports are called NL_Ports. The term Nx_Port is used to refer to either an N_Port or an NL_Port. The term Fx_Port is used to refer to either an F_Port or an FL_Port. A Switch port, which is interconnected to another Switch port via an Inter-Switch Link (ISL), is called an E_Port. A B_Port connects a bridge device with an E_Port on a Switch; a B_Port provides a subset of E_Port functionality. Expires 11 September 2008 [Page 10] Internet Draft Fibre-Channel Security Protocols MIB March 2008 Many Fibre Channel components, including the Fabric, each Node, and most ports, have globally-unique names. These globally-unique names are typically formatted as World Wide Names (WWNs). More information on WWNs can be found in [FC-FS-2]. WWNs are expected to be persistent across agent and unit resets. Fibre Channel frames contain 24-bit address identifiers which identify the frame's source and destination ports. Each FC port has both an address identifier and a WWN. When a Fabric is in use, the FC address identifiers are dynamic and are assigned by a Switch. Each octet of a 24-bit address represents a level in an address hierarchy, with a Domain_ID being the highest level of the hierarchy. 3.2. Zoning Zones within a Fabric provide a mechanism to control frame delivery between Nx_Ports ("Hard Zoning") or to expose selected views of Name Server information ("Soft Zoning"). Communication is only possible when the communicating endpoints are members of a common zone. This technique is similar to virtual private networks in that the Fabric has the ability to group devices into Zones. Hard zoning and soft zoning are two different means of realizing this. Hard zoning is enforced in the Fabric (i.e., Switches) whereas soft zoning is enforced at the endpoints (e.g., HBAs) by relying on the endpoints to not send traffic to an N_Port_ID not obtained from the Name Server with a few exceptions for well known Addresses (e.g., the Name Server). Administrators create Zones to increase network security, and prevent data loss or corruption, by controlling access between devices or user groups. 3.3. Virtual Fabrics The standard for an interconnecting Fabric containing multiple Fabric Switch elements is [FC-SW-4]. [FC-SW-4] carries forward the earlier specification for the operation of a single Fabric in a physical infrastructure, and augments it with the definition of Virtual Fabrics and with the specification of how multiple Virtual Fabrics can operate within one (or more) physical infrastructures. The use of Virtual Fabrics provides for each frame to be tagged in its header to indicate which one of several Virtual Fabrics that frame is being Expires 11 September 2008 [Page 11] Internet Draft Fibre-Channel Security Protocols MIB March 2008 transmitted on. All frames entering a particular "Core Switch" [FC- SW-4] (i.e., a physical Switch) on the same Virtual Fabric are processed by the same "Virtual Switch" within that Core Switch. 3.4. Security The Fibre Channel Security Protocols (FC-SP) standard [FC-SP] describes the protocols used to implement security in a Fibre Channel Fabric, including the definition of: - protocols to authenticate Fibre Channel entities, - protocols to set up session keys, - protocols to negotiate the parameters required to ensure frame- by-frame integrity and confidentiality, and - protocols to establish and distribute (security) policies across a Fibre Channel Fabric. 3.4.1. Authentication Two entities may negotiate whether authentication is required and which Authentication Protocol is to be used. Authentication can be used in Switch to Switch, Node to Switch, and Node to Node communication. The defined Authentication Protocols are able to perform mutual authentication with optional shared key establishment. The shared key computed at the end of an Authentication Transaction may be used to establish Security Associations. The Fabric security architecture is defined for several authentication infrastructures. Secret-based, certificate-based, and password-based authentication infrastructures are accommodated. Specific authentication protocols that directly leverage these three authentication infrastructures are defined. With a secret-based infrastructure, entities within the Fabric environment that establish a security relationship share a common secret or centralize the secret administration in an external (e.g., RADIUS [RFC2865], Diameter [RFC3588] or TACACS [RFC1492]) server. Entities may mutually authenticate with other entities by using the Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) [FC-SP]. Security Associations may be set up using the session key computed at the end of the DH-CHAP transaction. With a certificate-based infrastructure, entities within the Fabric environment are certified by a trusted Certificate Authority (CA). The resulting certificates bind each entity to a public-private key Expires 11 September 2008 [Page 12] Internet Draft Fibre-Channel Security Protocols MIB March 2008 pair that may be used to mutually authenticate with other certified entities via the Fibre Channel Certificate Authentication Protocol (FCAP) [FC-SP]. Security Associations may be set up by using these entity certificates and associated keys or by using the session key computed at the end of the FCAP transaction. With a password-based infrastructure, entities within the Fabric environment that establish a security relationship have knowledge of the password-based credential material of other entities. Entities may use this credential material to mutually authenticate with other entities using the Fibre Channel Password Authentication Protocol (FCPAP) [FC-SP]. Security Associations may be set up using the session key computed at the end of the FCPAP transaction. In addition to DH-CHAP, FCAP and FCPAP, one other Authentication Protocol is defined: IKEv2-AUTH, which refers to the use of an SA Management Transaction of the Security Association Management Protocol (see below) to perform two functions: not only SA management but also authentication. The credentials used in an IKEv2-AUTH transaction are either strong shared secrets or certificates. 3.4.2. Security Associations A subset of the IKEv2 protocol [RFC4306] suitable for Fibre Channel is defined as the (Fibre Channel) Security Association Management protocol [RFC4595]. This protocol provides the means to establish Security Associations (SAs) between Fibre Channel entities. Traffic Selectors are defined to specify which type of traffic has to be protected by which SA, and what the characteristics of the protection are. Two mechanisms are available to protect specific classes of traffic: ESP_Header is used to protect FC-2 frames (see [FC-FS-2] and [RFC4303]), and CT_Authentication is used to protect CT_IUs (Common Transport Information Units) [FC-GS-5]. An entity protecting specific classes of traffic maintains an internal Security Association Database (SADB) that contains the currently active Security Associations and Traffic Selectors. Each active SA has a Security Association entry in the SADB. Each SA entry includes the SA's SPI (the Security Parameters Index which is included in frames transmitted on the SA), a Sequence Number counter, and the parameters for the selected transforms (e.g., encryption algorithm, integrity algorithm, mode of operation of the algorithms, keys). Expires 11 September 2008 [Page 13] Internet Draft Fibre-Channel Security Protocols MIB March 2008 Each active Traffic Selector has an entry in the SADB which indicates whether it is used for ingress traffic or for egress traffic. These Traffic Selector entries are ordered such that they are searched (when checking for a match) in the given order. Two types of Traffic Selector entries may be present: - Traffic Selectors entries identifying FC-2 frames or CT_IUs to be bypassed or discarded; and - Traffic Selectors entries identifying FC-2 frames or CT_IUs to be protected or verified. These entries point to the corresponding SA entry defining the parameters and the security processing to be performed. SAs are unidirectional but they always exist as an SA pair of the same type, one in each direction. 3.4.3. Fabric Security Policies Two separate approaches to defining Policies are adopted in FC-SP, but both approaches follow the same general concept for their Policy model. One is the definition of a Policy Model for Fabric Policies which focus on Security. These Security Policies specify the membership and connectivity allowed within a Fabric, and also which IP hosts are allowed to manage a Fabric. The other approach is to define a variant of the Enhanced Zoning model defined in [FC-SW-4] and [FC-GS-5], such that the variant specifies extensions for use in a secure environment. This variant of Zoning, denoted as "FC-SP Zoning", follows the same general concepts of the Policy model for Security Policies, but keeps Zoning management and enforcement completely independent from the management and enforcement of other policies. Expires 11 September 2008 [Page 14] Internet Draft Fibre-Channel Security Protocols MIB March 2008 3.4.4. Policy Model Figure 25 of [FC-SP] depicts FC-SP's policy management model like this: ***** ************************ * * * Policy * ********************* * M * Add, * Configuration * * Policy * * A * Get, * Entity * * Enforcement * * N * Remove * * * Entity * * A * Policy * +----------------+ * * * * G * Objects * | Non-Active | * * +-------------+ * * I *<-------->* | Policy Objects |==*====*=>| Active | * * N * * +----------------+ * * | Policy | * * G * ************************ * | Objects | * * * * +-------------+ * * * Activate Policy Summary * * * E *=====================================>* +-------------+ * * N * Deactivate Policy Summary * | Policy | * * T *=====================================>* | Summary | * * I * * | Object | * * T * Get Policy Summary * +-------------+ * * Y *<-------------------------------------* * * * Get Policy Objects * * * *<-------------------------------------* * ***** ********************* 3.4.5. Policy Objects The Policies to be enforced by a Fabric are specified in a set of Policy Objects. The various types of Policy Objects are: - The Policy Summary Object is a list of pointers to other Policy Objects, one pointer per each other active Policy Object. Each pointer in a Policy Summary Object is paired with a cryptographic hash of the referenced Policy Object. - The Switch Membership List Object is a Fabric-wide Policy Object that defines which Switches are allowed to be part of a Fabric. - The Node Membership List Object is a Fabric-wide Policy Object that defines which Nodes are allowed to be connected to a Fabric. Expires 11 September 2008 [Page 15] Internet Draft Fibre-Channel Security Protocols MIB March 2008 - The IP Management List Object is a Fabric-wide Policy Object that describes which IP hosts are allowed to manage a Fabric. - A Switch Connectivity Object is a per-Switch Policy Object that describes the topology restrictions for a specific Switch; it specifies the other Switches or Nodes to which the particular Switch may be connected at the Node level and/or at the Port level. - Attribute Objects are Fabric-wide Policy Objects that define optional attributes to be associated with Switches or Nodes. They allow the extension of this policy model by defining new attributes as required. Note that the administratively-specified name for a Fabric is contained in the Switch Membership List Object (not in the Policy Summary Object). When FC-SP is in use, each Fabric has a set of active Policy Objects: - one Policy Summary Object, - one Switch Membership List Object, - one Node Membership List Object, - one IP Management List Object, - zero or more Switch Connectivity Objects, and - zero or more Attribute Objects. The active Policy Objects specify the Policies currently being enforced. In addition, policies not currently being enforced are contained in non-active Policy Objects. To change the active Policy Objects, the non-active Policy Objects are edited as necessary and a new Policy Summary Object which includes/references the changed Policy Objects is activated. 3.4.5.1. Policy Object Names Every Policy Object has a name. In a Fabric's database of Policy Objects, a Policy Object Name is specified as a type/length/value (see section 7.2 of [FC-SP]). The possible types are: Expires 11 September 2008 [Page 16] Internet Draft Fibre-Channel Security Protocols MIB March 2008 - Node_Name - Restricted Node_Name - Port_Name - Restricted Port_Name - Wildcard - Negated Wildcard - Alphanumeric Name - IPv6 Address Range - IPv4 Address Range 3.4.6. Three Kinds of Switches For a Fabric composed of n Switches and m Nodes, the potential complexity of Switch Connectivity Objects is O(n**2) to describe Switch to Switch connections, and O(n*m) for Switch to Node connections. To provide better scaling, the Switch Connectivity Objects are not Fabric-wide information, but are distributed only to where they are needed. To support this, the policy model supports three kinds of Switches in a Fabric: - Server Switches, that maintain the Fabric-wide Policy Objects, all the Switch Connectivity Objects, and a full copy of the FC-SP Zoning Database; - Autonomous Switches, that maintain the Fabric-wide Policy Objects, their own Switch Connectivity Object, and a full copy of the FC-SP Zoning Database; and - Client Switches, that maintain the Fabric-wide Policy Objects, their own Switch Connectivity Object, and a subset of the FC-SP Active Zone Set (which is the configurations of zones currently being enforced by a Fabric, see section 10.4.3.3 of [FC-SW-4]). 3.4.7. Security Policy Management Security Policy can be changed in a server session [FC-GS-5] with a Security Policy Server. All write access to a Security Policy Server occurs within a server session. While read access to a Security Policy Server may occur at any time, the consistency of the returned data is guaranteed only inside a server session. The Enhanced Commit Service [FC-SW-4] is used to perform Fabric operations as and when necessary (see table 144 of [FC-SP]). Each server session begins and ends, with a SSB request and a SSE request respectively, sent to a Security Policy Server. In the Fabric, the Expires 11 September 2008 [Page 17] Internet Draft Fibre-Channel Security Protocols MIB March 2008 SSB requests a lock of the Fabric via an EACA SW_ILS, while the SSE requests a release of the lock via the ERCA SW_ILS [FC-SW-4]. Active and non-active Policy Objects are persistent in that they survive after the end of a server session. 3.4.8. FC-SP Zoning To preserve backward compatibility with existing Zoning definitions and implementations, FC-SP Zoning is defined as a variant of the Enhanced Zoning model defined in [FC-SW-4] and [FC-GS-5] that follows the general concepts of the Policy model for Security Policy Management, but keeps Zoning management and enforcement completely independent. FC-SP Zoning allows for some Switches to retain less than a complete replicated copy of the Zoning Database, as follows: - Server Switches maintain the policies data structures for all Switches in the Fabric plus a replica of the Zoning data structures; - Autonomous Switches maintain only the subset of policies data structures relevant for their operations plus a replica of the Zoning Database; and - Client Switches maintain only the subset of policies data structures and the subset of the Active Zone Set relevant for their operations. When Client Switches are deployed in a Fabric, at least one Server Switch must also be deployed in the same Fabric. A client-server protocol allows Client Switches to dynamically retrieve the Zoning information they may require from the Server Switches. A management application manages the Fabric Zoning configuration through the Fabric Zone Server, while other policies are managed through the Security Policy Server. A new Zoning Check Protocol replaces the Zone Merge Protocol [FC-SW-4], and new command codes are defined for the SFC SW_ILS to distribute the FC-SP Zoning configuration on a Fabric. The Zoning definitions are ordered to allow for the computation of a hash of the Active Zone Set and a hash of the Zone Set Database, plus other optional security data (e.g., for integrity protection of Zoning information). Expires 11 September 2008 [Page 18] Internet Draft Fibre-Channel Security Protocols MIB March 2008 4. Document Overview This document defines five MIB modules which together provide the means for monitoring the operation of, and configuring some parameters of, one or more instances of the FC-SP protocols. 4.1. Fibre Channel management instance A Fibre Channel management instance is defined in [RFC4044] as a separable managed instance of Fibre Channel functionality. Fibre Channel functionality may be grouped into Fibre Channel management instances in whatever way is most convenient for the implementation(s). For example, one such grouping accommodates a single SNMP agent having multiple AgentX [RFC2741] sub-agents, with each sub-agent implementing a different Fibre Channel management instance. The object, fcmInstanceIndex, is IMPORTed from the FC-MGMT-MIB [RFC4044] as the index value to uniquely identify each Fibre Channel management instance, for example within the same SNMP context ([RFC3411] section 3.3.1). 4.2. Entity Name A central capability of FC-SP is the use of an Authentication Protocol. The purpose of each of the possible Authentication Protocols is to allow a Fibre Channel entity to be assured of the identity of each entity with which it is communicating. Examples of such entities are Fibre Channel Switches and Fibre Channel Nx_Ports. Each entity is identified by a name. The FC-MGMT-MIB [RFC4044] defines MIB objects for such names: - for entities which are Fibre Channel Switches, the definition of a Fibre Channel management instance allows multiple Switches to be managed by the same Fibre Channel management instance. In this case, each entity is a Switch and has the name given by the MIB object, fcmSwitchWWN. - for entities other than Fibre Channel Switches, a Fibre Channel management instance can manage only one entity, and the name of the entity is given by the MIB object, fcmInstanceWwn. Expires 11 September 2008 [Page 19] Internet Draft Fibre-Channel Security Protocols MIB March 2008 4.3. Fabric Index With multiple Fabrics, each Fabric has its own instances of the Fabric-related management instrumentation. Thus, these MIB modules define all Fabric-related information in tables which are INDEX-ed by an arbitrary integer, named a "Fabric Index". The syntax of a Fabric Index is T11FabricIndex, imported from T11-TC-MIB [RFC4439]. When a device is connected to a single physical Fabric, without use of any virtual Fabrics, the value of this Fabric Index will always be 1. In an environment of multiple virtual and/or physical Fabrics, this index provides a means to distinguish one Fabric from another. 4.4. Interface Index Several of the MIB modules defined in this document use the InterfaceIndexOrZero syntax in order to allow information to be specified/instantiated on a per-port/interface basis, e.g., for: statistics, Traffic Selectors, Security Associations, etc. This allows the same object to be used either when there is a separate row for each of multiple ports/interfaces, or when multiple interfaces are represented by a single row. The use of a zero value supports the simpler cases of: a) when there is only one port/interface, b) where the implementation chooses to aggregate the information for multiple ports/interfaces. The minimum (for compliance) requirement is to implement any one of the above cases. When a Fabric Index and an object with the InterfaceIndexOrZero syntax are used together in a single INDEX clause, the InterfaceIndexOrZero object is listed before the Fabric Index in order to simplify management queries which retrieve information concerning multiple Fabrics connected to the same port/interface. 4.5. Syntax for Policy Object Names T11FcSpPolicyNameType and T11FcSpPolicyName are two Textual Conventions defined in this document (in the T11-FC-SP-TC-MIB module) to represent the types and values of Policy Object Names (see section 3.9.1 above). However, two of the nine possible types are IPv4 Address Range and IPv6 Address Range. It is standard practice in MIB modules to represent all IP addresses using the standard Textual Conventions defined in [RFC4001] for IP addresses, specifically: InetAddressType and InetAddress. This document adheres to such standard practice to the following extent: Expires 11 September 2008 [Page 20] Internet Draft Fibre-Channel Security Protocols MIB March 2008 - for MIB objects representing a Policy Object Name which can *only* be an IPv4 address range or an IPv6 address range, then those MIB objects are defined as a 3-tuple: (InetAddressType, InetAddress, InetAddress), in which the first address is the low end of the range, the second address is the high end of the range, and both addresses are of the type given by InetAddressType. - for MIB objects representing a Policy Object Name which is (possibly) of a different type, i.e., it is not (necessarily) an IPv4 or IPv6 address range, then those MIB objects are defined as a 2-tuple: (T11FcSpPolicyNameType, T11FcSpPolicyName), in which the first object represents the type of Policy Object Name and the second object represents the value of the Policy Object Name. For MIB objects defined in this manner, if and when they represent a range of IP addresses: a) the value of T11FcSpPolicyNameType differentiates between an IPv4 Address Range and an IPv6 Address Range; and b) the value of T11FcSpPolicyName is one string containing the concatenation of the two addresses which are the low and high addresses of the range. This is the same format as used within FC-SP Policy Objects [FC-SP]. 4.6. Certificates, CAs and CRLs In order to authenticate with the FCAP protocol, each entity, identified by a unique Name, is provided with: a digital certificate associated with that Name, the private/public key pair that corresponds to the certificate, and with the Root Certificate (the certificate of the signing Certification Authority). To authenticate another entity, an entity is required to be provided with the certificate of the associated Certification Authority. FCAP requires entities to support at least four Root Certificates against which received corresponding certificates can be validated. Support for certificate chains and verification of certificate chains containing more than one certificate is optional. Entities need to be able to access a Certificate Revocation List (CRL) for each configured Root Certificate, if one is available from the CA. Certificates on the CRL are considered invalid. The management of certificates, Certification Authorities and Certificate Revocation Lists is the same in Fibre Channel networks as it is in other networks. Therefore, this document does not define any MIB objects for such management. Instead, this document assumes that appropriate MIB objects are defined elsewhere, e.g., in [IPSP- IPSEC-ACTION] and [IPSP-IKE-ACTION]. Expires 11 September 2008 [Page 21] Internet Draft Fibre-Channel Security Protocols MIB March 2008 -- RFC Editor: at the future time when you edit this document, if these -- two references are problematic, please delete the "e.g., ..." and -- remove the references from the Informative References section. 4.7. Traffic Selectors When Traffic Selectors are compared against an ingress or egress frame in order to determine the security processing to be applied to that frame, there are circumstances in which multiple Traffic Selectors, specifying different actions, can match with the frame. Specifically, when matching against an egress frame to decide which active Security Association to transmit on, or, against an ingress frame unprotected by FC-SP, i.e., without an SPI value in it, to decide which action ('drop' or 'bypass') to apply. For these cases, the MIB includes a unique precedence value for each Traffic Selector such that the one with the numerically lowest precedence value is determined to be the one that matches. In contrast, ingress frames on active Security Associations (i.e., protected by FC-SP) are compared against the set of traffic selectors negotiated when the Security Association was setup and identified by the SPI value contained in the frame; the action taken depends on whether any Traffic Selector matches, but not on which one. This difference between ingress and egress Traffic Selectors on active Security Associations is reflected in having separate MIB tables defined for them: the table for Traffic Selectors on egress SAs, t11FcSpSaTSelNegOutTable, has a precedence value in its INDEX clause, whereas the table for Traffic Selectors on ingress SAs, t11FcSpSaTSelNegInTable, has an arbitrary integer value in its INDEX clause. For 'drop' and 'bypass' Traffic Selectors, one table, t11FcSpSaTSelDrByTable, having a precedence value in its INDEX clause, is sufficient for both ingress and egress traffic. 4.8. The MIB Modules 4.8.1. The T11-FC-SP-TC-MIB Module This MIB module defines Textual Conventions which are being, or have the potential to be, used in more than one MIB module. The module also defines Object Identifiers to identify the Cryptographic Algorithms listed in [FC-SP] so that they can be used as the value of various MIB objects which specify the algorithms being/to be used by an FC-SP implementation. Expires 11 September 2008 [Page 22] Internet Draft Fibre-Channel Security Protocols MIB March 2008 4.8.2. The T11-FC-SP-AUTHENTICATION-MIB Module This MIB module specifies the management information required to manage FC-SP Authentication Protocols. It defines three tables: - t11FcSpAuEntityTable -- a table of Fibre Channel entities which can be authenticated using FC-SP's Authentication Protocols, including the names, capabilities and basic configuration parameters of the entities. - t11FcSpAuIfStatTable -- this table has two purposes: to be a list of the mappings of a FC-SP Authentication entity onto an interface, and to contain Authentication Protocol per-interface statistics. - t11FcSpAuRejectTable -- a table of FC-SP Authentication Protocol transactions which were recently rejected. It also defines two notifications: one for sending a reject in response to an AUTH message, and another for receiving a reject in response to an AUTH message. 4.8.3. The T11-FC-SP-ZONING-MIB Module This MIB module specifies the extensions to the T11-FC-ZONE-SERVER- MIB module [RFC4936] for the management of FC-SP Zoning Servers. Specifically, it augments three tables defined in T11-FC-ZONE-SERVER- MIB: - t11FcSpZsServerTable -- to this table, it adds FC-SP Zoning information defined for Zone Servers. - t11ZsStatsTable -- to this table, it adds FC-SP Zoning statistics for Zone Servers. - t11ZsNotifyControlTable -- to this table, it adds control information for FC-SP Zoning notifications. It also defines two FC-SP Zoning notifications: one for success and one for failure in the joining of two Fabrics. 4.8.4. The T11-FC-SP-POLICY-MIB Module This MIB module specifies management information which is used to manage FC-SP policies. The MIB module has five parts: Expires 11 September 2008 [Page 23] Internet Draft Fibre-Channel Security Protocols MIB March 2008 - Active Policy Objects - read-only MIB objects representing the set of active Policy Objects for each Fabric; - Activate/Deactivate Operations - read-write MIB objects for invoking operations, either 1) to activate policies which are specified as a set of non-active Policy Objects, or 2) to deactivate the currently-active policies; also included are objects giving the status of invoked operations; - Non-active Policy Objects - read-create MIB objects to create and modify non-active Policy Objects; - Statistics for FC-SP Security Policy Servers; - The definition and control of notifications for the success or failure of the activation or deactivation of FC-SP policies. 4.8.5. The T11-FC-SP-SA-MIB Module This MIB module specifies the management information required to manage Security Associations established via FC-SP. All of the tables in this MIB module are INDEX-ed by t11FcSpSaIfIndex, with syntax InterfaceIndexOrZero, which is either non-zero for a specific interface or zero for all (of the management instance's) interfaces to the particular Fabric. The MIB module consists of six parts: - a per-Fabric table, t11FcSpSaIfTable, of capabilities, parameters, status information and counters; the counters include non-transient aggregates of per-SA transient counters; - three tables, t11FcSpSaPropTable, t11FcSpSaTSelPropTable and t11FcSpSaTransTable, specifying the proposals for an FC-SP entity acting as an SA_Initiator to present to the SA_Responder during the negotiation of Security Associations. The same information is also used by an FC-SP entity acting as an SA_Responder to decide what to accept during the negotiation of Security Associations. One of these tables, t11FcSpSaTransTable, is used not only for information about security transforms to propose and to accept, but also as agreed upon during the negotiation of Security Associations; - a table, t11FcSpSaTSelDrByTable, of Traffic Selectors having the security action of 'drop' or 'bypass' to be applied either to ingress traffic which is unprotected by FC-SP, or to all egress Expires 11 September 2008 [Page 24] Internet Draft Fibre-Channel Security Protocols MIB March 2008 traffic; - four tables, t11FcSpSaPairTable, t11FcSpSaTSelNegInTable, t11FcSpSaTSelNegOutTable and t11FcSpSaTSelSpiTable, containing information about active bidirectional pairs of Security Associations; in particular, t11FcSpSaPairTable has one row per active bidirectional SA pair, t11FcSpSaTSelNegInTable and t11FcSpSaTSelNegOutTable contain information on the Traffic Selectors negotiated on the SAs, and the t11FcSpSaTSelSpiTable is an alternate lookup table such that the Traffic Selector(s) in use on a particular Security Association can be quickly determined based on its (ingress) SPI value; - a table, t11FcSpSaControlTable, of control and other information concerning the generation of notifications for events related to FC-SP Security Associations; - one notification, t11FcSpSaNotifyAuthFailure, generated on the occurrence of an Authentication failure for a received FC-2 or CT_IU frame. 4.9. Rate Control for Notifications All but one of the notifications defined in the five MIB modules in this document are notifications which are generated based on events occurring in the "control plane", e.g., notifications which are generated at the frequency of operator-initiated activities. The one exception is t11FcSpSaNotifyAuthFailure, which is generated based on an event occurring in the "data plane", and could (in a worst case scenario) occur for every received ingress frame. Therefore, a method of rate controlling the generation of notifications is needed for t11FcSpSaNotifyAuthFailure, but not for any of the other notifications. For t11FcSpSaNotifyAuthFailure, rate control is achieved by specifying that a) after the first occurrence of an Authentication failure on any particular Security Association, the SNMP notifications for second and subsequent failures are suppressed for the duration of a time window, and b) that even the notification for the first occurrence is suppressed after it is sent in the same time window for a configured (in t11FcSpSaControlMaxNotifs) number of Security Associations within a Fabric. Note that while these suppressions prevent the the network being flooded with notifications, the Authentication Failures themselves must still be Expires 11 September 2008 [Page 25] Internet Draft Fibre-Channel Security Protocols MIB March 2008 detected and counted. The length of the time window is given by t11FcSpSaControlWindow, a read-write object in the t11FcSpSaControlTable. If and when the time since the last generation of the notification is less than the value of sysUpTime (e.g., if one or more notifications have occurred since the last re-initialization of the management system), then t11FcSpSaControlElapsed and t11FcSpSaControlSuppressed contain the elapsed time since the last notification and the number of notifications suppressed in the window after sending the last one, respectively. Otherwise, t11FcSpSaControlElapsed contains the value of sysUpTime and t11FcSpSaControlSuppressed has the value zero. 5. Relationship to Other MIB Modules The first standardized MIB module for Fibre Channel [RFC2837] was focussed on Fibre Channel Switches. It was obsoleted by the more generic Fibre Channel Management MIB [RFC4044] which defines basic information for Fibre Channel Nodes and Switches, including extensions to the standard IF-MIB [RFC2863] for Fibre Channel interfaces. Several other MIB modules have since been defined to extend [RFC4044] for various specific Fibre Channel functionality, (e.g., [RFC4438], [RFC4439], [RFC4625], [RFC4626], [RFC4747], [RFC4936], [RFC4935], [RFC4983]). The MIB modules defined in this memo further extend [RFC4044] to cover the operation of Fibre Channel Security Protocols, as specified in [FC-SP]. One part of the FC-SP specification is "FC-SP Zoning" which is an extension/variant of the Fibre Channel Zoning defined in [FC-GS-5]. Management information for the latter is defined in the T11-FC-ZONE- SERVER-MIB module [RFC4936]. Consequently, the T11-FC-SP-ZONING-MIB module defined in this document defines the extensions to the T11-FC- ZONE-SERVER-MIB module which are needed to manage FC-SP Zoning. The MIB modules in this memo import some common Textual Conventions from T11-TC-MIB defined in [RFC4439] and from INET-ADDRESS-MIB defined in [RFC4001]. If the RADIUS protocol is used for access to an external server, information about RADIUS Servers is likely to be available from the RADIUS-AUTH-CLIENT-MIB [RFC4668]. Expires 11 September 2008 [Page 26] Internet Draft Fibre-Channel Security Protocols MIB March 2008 6. MIB Module Definitions 6.1. The T11-FC-SP-TC-MIB Module T11-FC-SP-TC-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-IDENTITY, mib-2, Unsigned32 FROM SNMPv2-SMI -- [RFC2578] TEXTUAL-CONVENTION FROM SNMPv2-TC; -- [RFC2579] t11FcTcMIB MODULE-IDENTITY LAST-UPDATED "200801030000Z" ORGANIZATION "This MIB module was developed through the coordinated effort of two organizations: T11 began the development and the IETF's IMSS Working Group finished it." CONTACT-INFO " Claudio DeSanti Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134 USA EMail: cds@cisco.com Keith McCloghrie Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134 USA Email: kzm@cisco.com" DESCRIPTION "This MIB module defines Textual Conventions for use in the multiple MIB modules which together define the instrumentation for an implementation of the Fibre Channel Security Protocols (FC-SP) specification. This MIB module also defines Object Identities (for use as possible values of MIB objects with syntax AutonomousType), including OIDs for the Cryptographic Algorithms defined in FC-SP. Copyright (C) The IETF Trust (2008). This version of this MIB module is part of RFC yyyy; see the RFC itself for full legal notices." -- RFC Editor: replace yyyy with actual RFC number & remove this note Expires 11 September 2008 [Page 27] Internet Draft Fibre-Channel Security Protocols MIB March 2008 REVISION "200801030000Z" DESCRIPTION "Initial version of this MIB module, published as RFCyyyy." -- RFC-Editor, replace yyyy with actual RFC number & remove this note ::= { mib-2 nnn } -- to be assigned by IANA -- RFC Editor: replace nnn with IANA-assigned number & remove this note t11FcSpIdentities OBJECT IDENTIFIER ::= { t11FcTcMIB 1 } t11FcSpAlgorithms OBJECT IDENTIFIER ::= { t11FcSpIdentities 1 } -- -- Textual Conventions -- T11FcSpPolicyHashFormat ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Identifies a cryptographic hash function used to create a hash value which summarizes an FC-SP Policy Object. Each definition of an object with this TC as its syntax must be accompanied by a corresponding definition of an object with T11FcSpPolicyHashValue as its syntax, and containing the hash value. The first two cryptographic hash functions are: Hash Type Hash Tag Hash Length (Bytes) SHA-1 '00000001'h 20 SHA-256 '00000002'h 32 " REFERENCE "- INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, section 7.1.3.1 and table 106. - FIPS PUB 180-2." SYNTAX OCTET STRING (SIZE (4)) Expires 11 September 2008 [Page 28] Internet Draft Fibre-Channel Security Protocols MIB March 2008 T11FcSpPolicyHashValue ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "Represents the value of the cryptographic hash function of an FC-SP Policy Object. Each definition of an object with this TC as its syntax must be accompanied by a corresponding definition of an object with T11FcSpPolicyHashFormat as its syntax. The corresponding object identifies the cryptographic hash function used to create the hash value." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, section 7.1.3.1 and table 106." SYNTAX OCTET STRING (SIZE (0..64)) T11FcSpHashCalculationStatus ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "When some kind of 'database' is defined in a set of read-write MIB objects, it is common that multiple changes in the data need to be made at the same time. So, if hash values are maintained for that data, those hash values are only correct if and when they are re-calculated after every change. In such circumstances, the use of an object with this syntax allows the re-calculation of the hash values to be deferred until all changes have been made and therefore the calculation need only be done once after all changes, rather than repeatedly/after each individual change. The definition of an object defined using this TC is required to specify which one or more instances of which MIB objects contain the hash values operated upon (or whose status is given) by the value of this TC. When read, the value of an object with this syntax is either: correct -- the identified MIB object instance(s) contain the correct hash values; or stale -- the identified MIB object instance(s) contain stale (possibly incorrect) values. Expires 11 September 2008 [Page 29] Internet Draft Fibre-Channel Security Protocols MIB March 2008 Writing a value of 'calculate' is a request to re-calculate and update the values of the corresponding instances of the the identified MIB objects. Writing a value of 'correct' or 'stale' to this object is an error ('wrongValue')." SYNTAX INTEGER { calculate(1), correct(2), stale(3) } T11FcSpAuthRejectReasonCode ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A reason code contained in an AUTH_Reject message, or in an SW_RJT (rejecting an AUTH_ILS), or in an LS_RJT (rejecting an AUTH-ELS)." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 17, 48, 52." SYNTAX INTEGER { authFailure(1), logicalError(2), logicalBusy(3), authILSNotSupported(4), authELSNotSupported(5), notLoggedIn(6) } T11FcSpAuthRejReasonCodeExp ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A reason code explanation contained in an AUTH_Reject message, or in an SW_RJT (rejecting an AUTH_ILS), or in an LS_RJT (rejecting an AUTH-ELS)." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Tables 18, 48, 52." SYNTAX INTEGER { authMechanismNotUsable(1), dhGroupNotUsable(2), hashFunctionNotUsable(3), authTransactionAlreadyStarted(4), Expires 11 September 2008 [Page 30] Internet Draft Fibre-Channel Security Protocols MIB March 2008 authenticationFailed(5), incorrectPayload(6), incorrectAuthProtocolMessage(7), restartAuthProtocol(8), authConcatNotSupported(9), unsupportedProtocolVersion(10), logicalBusy(11), authILSNotSupported(12), authELSNotSupported(13), notLoggedIn(14) } T11FcSpHashFunctions ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A set of zero, one or more hash functions defined for use in FC-SP." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 14." SYNTAX BITS { md5(0), sha1(1) } T11FcSpSignFunctions ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A set of zero, one or more signature functions defined for signing certificates for use with FCAP in FC-SP." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, tables 38 & 39." SYNTAX BITS { rsaSha1(0) } Expires 11 September 2008 [Page 31] Internet Draft Fibre-Channel Security Protocols MIB March 2008 T11FcSpDhGroups ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A set of zero, one or more DH Groups defined for use in FC-SP." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 15." SYNTAX BITS { null(0), group1024(1), group1280(2), group1536(3), group2048(4), group3072(5), group4096(6), group6144(7), group8192(8) } T11FcSpPolicyObjectType ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A value which identifies the type of an FC-SP Policy Object." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 102." SYNTAX INTEGER { summary(1), switchMemberList(2), nodeMemberList(3), switchConnectivity(4), ipMgmtList(5), attribute(6) } Expires 11 September 2008 [Page 32] Internet Draft Fibre-Channel Security Protocols MIB March 2008 T11FcSpPolicyNameType ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The format and usage of a companion object having T11FcSpPolicyName as its syntax. Six of the values indicate the same format, i.e., they differ only in semantics. That common format is a Fibre Channel 'Name_Identifier', i.e., the same syntax as 'FcNameIdOrZero (SIZE(8))'. These six are three pairs of one restricted and one unrestricted. Each usage of this syntax must specify what the meaning of "restricted" is for that usage, and how the characteristics and behavior of restricted names differ from unrestricted names. The six are: 'nodeName' - a Node_Name, which is the Name_Identifier associated with a Fibre Channel Node. 'restrictedNodeName' - a Restricted Node_Name. 'portName' - the Name_Identifier associated with a Fibre Channel Port. 'restrictedPortName' - a Restricted Port_Name. 'wildcard' - a Wildcard value which is used to identify 'all others' (typically, all other members of a Policy Object, not all other Policy Objects). 'restrictedWildcard' - a Restricted Wildcard value. Other possible values are: 'alphaNumericName' - the value begins with an ASCII letter (upper or lower case) followed by (0 ... 63) characters from the set: lower case letters, upper case letters, digits, and the four symbols: dollar-sign ($), dash (-), caret (^), and underscore (_). Expires 11 September 2008 [Page 33] Internet Draft Fibre-Channel Security Protocols MIB March 2008 'ipv6AddressRange' - two IPv6 addresses in network byte order, the numerically smallest first and the numerically largest second; total length is 32 bytes. 'ipv4AddressRange' - two IPv4 addresses in network byte order, the numerically smallest first and the numerically largest second; total length is 8 bytes." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 103." SYNTAX INTEGER { nodeName(1), restrictedNodeName(2), portName(3), restrictedPortName(4), wildcard(5), restrictedWildcard(6), alphaNumericName(7), ipv6AddressRange(8), ipv4AddressRange(9) } T11FcSpPolicyName ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A syntax used, when defining Policy Objects, for the name of something. An object which uses this syntax always identifies a a companion object with syntax T11FcSpPolicyNameType such that the companion object specifies the format and usage of the object with this syntax. When the companion object has the value 'wildcard' or 'restrictedWildcard', the value of the T11FcSpPolicyName object is: '0000000000000000'h." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 103." SYNTAX OCTET STRING (SIZE (1..64)) Expires 11 September 2008 [Page 34] Internet Draft Fibre-Channel Security Protocols MIB March 2008 T11FcSpAlphaNumName ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A syntax used when defining Policy Objects for the name of something, where the name is always in the format specified by: T11FcSpPolicyNameType = 'alphaNumericName' " REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 103." SYNTAX OCTET STRING (SIZE (1..64)) T11FcSpAlphaNumNameOrAbsent ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "An extension of the T11FcSpAlphaNumName TC which one additional possible value: the zero-length string to indicate the absence of a name." SYNTAX OCTET STRING (SIZE (0..64)) T11FcSaDirection ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "The direction of frame transmission on a Security Association. Note that Security Associations are unidirectional but they always exist as part of an SA pair of the same type in opposite directions." SYNTAX INTEGER { ingress(1), egress(2) } Expires 11 September 2008 [Page 35] Internet Draft Fibre-Channel Security Protocols MIB March 2008 T11FcSpiIndex ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "An SPI (Security Parameter Index) value is carried in the SPI field of a frame protected by the ESP_Header. An SPI is also carried in the SAID field of a Common Transport Information Unit (CT_IU) protected by CT_Authentication. An SPI value identifies the Security Association on which the frame is being transmitted." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, section 4.7.2 and 4.7.3." SYNTAX Unsigned32 (0..4294967295) -- the default range!! T11FcSpPrecedence ::= TEXTUAL-CONVENTION DISPLAY-HINT "d" STATUS current DESCRIPTION "The precedence of a Traffic Selector. If a frame matches with two or more Traffic Selectors, then the match which takes precedence is the one with the Traffic Selector having the numerically smallest precedence value. Note that precedence values are not necessarily contiguous." SYNTAX Unsigned32 (0..4294967295) -- the default range!! T11FcRoutingControl ::= TEXTUAL-CONVENTION DISPLAY-HINT "1x" STATUS current DESCRIPTION "A value stored in the R_CTL (Routing Control) 8-bit field of an FC-2 frame containing routing and information bits to categorize the frame function. For FC-2 frames, an R_CTL value typically distinguishes between control versus data frames, and/or solicited versus unsolicited frames, and in combination with the TYPE field (see T11FcSpType) identifies a particular link layer service/protocol using FC-2. For CT_Authentication, the information field in the R_CTL field contains '02'h for Request CT_IUs, and '03'h for Response CT_IUs. Expires 11 September 2008 [Page 36] Internet Draft Fibre-Channel Security Protocols MIB March 2008 The comparison of two values having this syntax is done by treating each string as an 8-bit numeric value." REFERENCE " - Fibre Channel - Framing and Signaling-2 (FC-FS-2), INCITS xxx/200x, Project T11/1619-D Rev 1.01, 8 August 2006, section 9.3. - Fibre Channel - Generic Services-5 (FC-GS-5), ANSI INCITS 427-2006, sections 4.5.2.4.2, 4.5.2.4.3 and table 12." SYNTAX OCTET STRING (SIZE(1)) T11FcSpType ::= TEXTUAL-CONVENTION DISPLAY-HINT "2x" STATUS current DESCRIPTION "A value, or combination of values, contained in a frame header used in identifying the link layer service/protocol of a frame. The value is always two octets: - for FC-2 frames, the first octet is zero and the second octet contains the Data structure type (TYPE) value defined by FC-FS-2. The TYPE value is used in combination with T11FcRoutingControl to identify a link layer service/protocol. - for Common Transport Information Units (CT_IUs), the first octet contains a GS_Type value and the second octet contains a GS_Subtype value, defined by FC-GS-5. The comparison of two values having this syntax is done by treating each string as the numeric value obtained by numerically combining the individual octet's value as follows: (256 * 1st-octet) + 2nd-octet " REFERENCE " - Fibre Channel - Framing and Signaling-2 (FC-FS-2), INCITS xxx/200x, Project T11/1619-D Rev 1.01, 8 August 2006, section 9.6. - Fibre Channel - Generic Services-5 (FC-GS-5), ANSI INCITS 427-2006, sections 4.3.2.4 and 4.3.2.5." Expires 11 September 2008 [Page 37] Internet Draft Fibre-Channel Security Protocols MIB March 2008 SYNTAX OCTET STRING (SIZE(2)) T11FcSpTransforms ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A list of the standardized transforms which are defined by FC-SP for use with ESP_Header, CT_Authentication and/or IKEv2 Support." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Appendix A.3.1, tables A.23, A.24, A.25, A.26." SYNTAX BITS { encrNull(0), encrAesCbc(1), encrAesCtr(2), encrAesGcm(3), encr3Des(4), prfHmacMd5(5), prfHmacSha1(6), prfAesCbc(7), authHmacMd5L96(8), authHmacSha1L96(9), authHmacMd5L128(10), authHmacSha1L160(11), encrNullAuthAesGmac(12), dhGroups1024bit(13), dhGroups2048bit(14) } T11FcSpSecurityProtocolId ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "A Security Protocol identifier to identify the protocol by which traffic is to be protected, e.g., ESP_Header or CT_Authentication." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, section 6.3.2.2 and table 67." SYNTAX INTEGER { espHeader(1), ctAuth(2) } Expires 11 September 2008 [Page 38] Internet Draft Fibre-Channel Security Protocols MIB March 2008 T11FcSpLifetimeLeft ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "This TC is used for one object of an associated pair of objects. The object with this syntax specifies a remaining lifetime of something, e.g., of an SA, where the lifetime is given in the units specified by the other object of the pair which has T11FcSpLifetimeLeftUnits as its syntax." SYNTAX Unsigned32 T11FcSpLifetimeLeftUnits ::= TEXTUAL-CONVENTION STATUS current DESCRIPTION "An object, defined using T11FcSpLifetimeLeft TC as its syntax, is required to be one of an associated pair of objects such that the other object of the pair is defined with this T11FcSpLifetimeLeftUnits TC as its syntax and with its value specifying the units of the remaining lifetime given by the value of the T11FcSpLifetimeLeft object." SYNTAX INTEGER { seconds(1), -- seconds kiloBytes(2), -- 10^^3 bytes megaBytes(3), -- 10^^6 bytes gigaBytes(4), -- 10^^9 bytes teraBytes(5), -- 10^^12 bytes petaBytes(6), -- 10^^15 bytes exaBytes(7), -- 10^^18 bytes zettaBytes(8), -- 10^^21 bytes yottaBytes(9) -- 10^^24 bytes } Expires 11 September 2008 [Page 39] Internet Draft Fibre-Channel Security Protocols MIB March 2008 -- -- Object Identities to identify the Cryptographic Algorithms -- listed in FC-SP. -- t11FcSpEncryptAlgorithms OBJECT IDENTIFIER ::= { t11FcSpAlgorithms 1 } t11FcSpEncrNull OBJECT-IDENTITY STATUS current DESCRIPTION "The ENCR_NULL algorithm." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 70." ::= { t11FcSpEncryptAlgorithms 1 } t11FcSpEncrAesCbc OBJECT-IDENTITY STATUS current DESCRIPTION "The ENCR_AES_CBC algorithm." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 70." ::= { t11FcSpEncryptAlgorithms 2 } t11FcSpEncrAesCtr OBJECT-IDENTITY STATUS current DESCRIPTION "The ENCR_AES_CTR algorithm." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 70." ::= { t11FcSpEncryptAlgorithms 3 } t11FcSpEncrAesGcm OBJECT-IDENTITY STATUS current DESCRIPTION "The ENCR_AES_GCM algorithm." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 70." ::= { t11FcSpEncryptAlgorithms 4 } t11FcSpEncr3Des OBJECT-IDENTITY Expires 11 September 2008 [Page 40] Internet Draft Fibre-Channel Security Protocols MIB March 2008 STATUS current DESCRIPTION "The ENCR_3DES algorithm." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 70." ::= { t11FcSpEncryptAlgorithms 5 } t11FcSpAuthAlgorithms OBJECT IDENTIFIER ::= { t11FcSpAlgorithms 2 } t11FcSpAuthNull OBJECT-IDENTITY STATUS current DESCRIPTION "The AUTH_NONE algorithm." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 72." ::= { t11FcSpAuthAlgorithms 1 } t11FcSpAuthHmacMd5L96 OBJECT-IDENTITY STATUS current DESCRIPTION "The AUTH_HMAC_MD5_96 algorithm." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 72." ::= { t11FcSpAuthAlgorithms 2 } t11FcSpAuthHmacSha1L96 OBJECT-IDENTITY STATUS current DESCRIPTION "The AUTH_HMAC_SHA1_96 algorithm." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 72." ::= { t11FcSpAuthAlgorithms 3 } t11FcSpAuthHmacMd5L128 OBJECT-IDENTITY STATUS current DESCRIPTION "The AUTH_HMAC_MD5_128 algorithm." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), Expires 11 September 2008 [Page 41] Internet Draft Fibre-Channel Security Protocols MIB March 2008 13 June 2006, Table 72." ::= { t11FcSpAuthAlgorithms 4 } t11FcSpAuthHmacSha1L160 OBJECT-IDENTITY STATUS current DESCRIPTION "The AUTH_HMAC_SHA1_160 algorithm." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 72." ::= { t11FcSpAuthAlgorithms 5 } t11FcSpEncrNullAuthAesGmac OBJECT-IDENTITY STATUS current DESCRIPTION "The ENCR_NULL_AUTH_AES_GMAC algorithm." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 70." ::= { t11FcSpEncryptAlgorithms 6 } END Expires 11 September 2008 [Page 42] Internet Draft Fibre-Channel Security Protocols MIB March 2008 6.2. The T11-FC-SP-AUTHENTICATION-MIB Module --******************************************************************** -- FC-SP Authentication Protocols -- T11-FC-SP-AUTHENTICATION-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, NOTIFICATION-TYPE, mib-2, Counter32, Unsigned32 FROM SNMPv2-SMI -- [RFC2578] MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP FROM SNMPv2-CONF -- [RFC2580] StorageType, AutonomousType, TruthValue, TimeStamp FROM SNMPv2-TC -- [RFC2579] InterfaceIndex FROM IF-MIB -- [RFC2863] fcmInstanceIndex, FcNameIdOrZero FROM FC-MGMT-MIB -- [RFC4044] t11FamLocalSwitchWwn FROM T11-FC-FABRIC-ADDR-MGR-MIB -- [RFC4439] T11FabricIndex FROM T11-TC-MIB -- [RFC4439] T11FcSpDhGroups, T11FcSpHashFunctions, T11FcSpSignFunctions, T11FcSpLifetimeLeft, T11FcSpLifetimeLeftUnits, T11FcSpAuthRejectReasonCode, T11FcSpAuthRejReasonCodeExp FROM T11-FC-SP-TC-MIB; t11FcSpAuthenticationMIB MODULE-IDENTITY LAST-UPDATED "200801030000Z" ORGANIZATION "This MIB module was developed through the coordinated effort of two organizations: T11 began the development and the IETF's IMSS Working Group finished it." CONTACT-INFO " Claudio DeSanti Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134 USA EMail: cds@cisco.com Expires 11 September 2008 [Page 43] Internet Draft Fibre-Channel Security Protocols MIB March 2008 Keith McCloghrie Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134 USA Email: kzm@cisco.com" DESCRIPTION "This MIB module specifies the management information required to manage the Authentication Protocols defined by Fibre Channel's FC-SP specification. This MIB module defines three tables: - t11FcSpAuEntityTable is a table of Fibre Channel entities which can be authenticated using FC-SP's Authentication Protocols. - t11FcSpAuIfStatTable is a table with one row for each mapping of an Authentication entity onto an interface, containing statistics information. - t11FcSpAuRejectTable is a table of volatile information about FC-SP Authentication Protocol transactions which were most recently rejected. Copyright (C) The IETF Trust (2008). This version of this MIB module is part of RFC yyyy; see the RFC itself for full legal notices." -- RFC Editor: replace yyyy with actual RFC number & remove this note REVISION "200801030000Z" DESCRIPTION "Initial version of this MIB module, published as RFCyyyy." -- RFC-Editor, replace yyyy with actual RFC number & remove this note ::= { mib-2 nnn } -- to be assigned by IANA -- RFC Editor: replace nnn with IANA-assigned number & remove this note t11FcSpAuMIBNotifications OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 0 } t11FcSpAuMIBObjects OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 1 } t11FcSpAuMIBConformance OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 2 } t11FcSpAuMIBIdentities OBJECT IDENTIFIER ::= { t11FcSpAuthenticationMIB 3 } Expires 11 September 2008 [Page 44] Internet Draft Fibre-Channel Security Protocols MIB March 2008 -- -- OIDs defined for use as values of t11FcSpAuServerProtocol -- t11FcSpAuServerProtocolRadius OBJECT-IDENTITY STATUS current DESCRIPTION "This OID identifies RADIUS as the protocol used to communicate with an External Server as part of the process by which identities are verified. In this case, information about the RADIUS Servers is likely to be provided in radiusAuthServerExtTable defined in the RADIUS-AUTH-CLIENT-MIB." REFERENCE "radiusAuthServerExtTable in 'RADIUS Authentication Client MIB', RFC 4668, August 2006." ::= { t11FcSpAuMIBIdentities 1 } t11FcSpAuServerProtocolDiameter OBJECT-IDENTITY STATUS current DESCRIPTION "This OID identifies Diameter as the protocol used to communicate with an External Server as part of the process by which identities are verified." REFERENCE "RFC 3588, September 2003." ::= { t11FcSpAuMIBIdentities 2 } t11FcSpAuServerProtocolTacacs OBJECT-IDENTITY STATUS current DESCRIPTION "This OID identifies TACACS as the protocol used to communicate with an External Server as part of the process by which identities are verified." REFERENCE "RFC 1492, July 1993." ::= { t11FcSpAuMIBIdentities 3 } Expires 11 September 2008 [Page 45] Internet Draft Fibre-Channel Security Protocols MIB March 2008 -- -- Configuration for the Authentication Protocols -- t11FcSpAuEntityTable OBJECT-TYPE SYNTAX SEQUENCE OF T11FcSpAuEntityEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of Fibre Channel entities which can be authenticated using FC-SP's Authentication Protocols. The purpose of an FC-SP Authentication Protocol is to verify that a claimed name is associated with the claiming entity. The Authentication Protocols can be used to authenticate Nx_Ports, B_Ports, or Switches." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, section 3.2.25." ::= { t11FcSpAuMIBObjects 1 } t11FcSpAuEntityEntry OBJECT-TYPE SYNTAX T11FcSpAuEntityEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Information about the configuration and capabilities of an FC-SP entity (which is managed within the Fibre Channel management instance identified by fcmInstanceIndex) on a particular Fabric with respect to FC-SP's Authentication Protocols." INDEX { fcmInstanceIndex, t11FcSpAuEntityName, t11FcSpAuFabricIndex } ::= { t11FcSpAuEntityTable 1 } T11FcSpAuEntityEntry ::= SEQUENCE { t11FcSpAuEntityName FcNameIdOrZero, t11FcSpAuFabricIndex T11FabricIndex, t11FcSpAuServerProtocol AutonomousType, -- Config parameters t11FcSpAuStorageType StorageType, t11FcSpAuSendRejNotifyEnable TruthValue, t11FcSpAuRcvRejNotifyEnable TruthValue, t11FcSpAuDefaultLifetime Unsigned32, Expires 11 September 2008 [Page 46] Internet Draft Fibre-Channel Security Protocols MIB March 2008 t11FcSpAuDefaultLifetimeUnits INTEGER, t11FcSpAuRejectMaxRows Unsigned32, -- Capabilities t11FcSpAuDhChapHashFunctions T11FcSpHashFunctions, t11FcSpAuDhChapDhGroups T11FcSpDhGroups, t11FcSpAuFcapHashFunctions T11FcSpHashFunctions, t11FcSpAuFcapCertsSignFunctions T11FcSpSignFunctions, t11FcSpAuFcapDhGroups T11FcSpDhGroups, t11FcSpAuFcpapHashFunctions T11FcSpHashFunctions, t11FcSpAuFcpapDhGroups T11FcSpDhGroups } t11FcSpAuEntityName OBJECT-TYPE SYNTAX FcNameIdOrZero (SIZE (8)) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The name used to identify the FC-SP entity. For entities which are Fibre Channel Switches, this value corresponds to the Switch's value of fcmSwitchWWN. For entities other than Fibre Channel Switches, this value corresponds to the value of fcmInstanceWwn for the corresponding Fibre Channel management instance." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, section 5.3.3. fcmInstanceWwn & fcmSwitchWWN, 'Fibre Channel Management MIB', RFC 4044, May 2005." ::= { t11FcSpAuEntityEntry 1 } t11FcSpAuFabricIndex OBJECT-TYPE SYNTAX T11FabricIndex MAX-ACCESS not-accessible STATUS current DESCRIPTION "An index value which uniquely identifies a particular Fabric to which the entity is attached." ::= { t11FcSpAuEntityEntry 2 } t11FcSpAuServerProtocol OBJECT-TYPE SYNTAX AutonomousType MAX-ACCESS read-only STATUS current Expires 11 September 2008 [Page 47] Internet Draft Fibre-Channel Security Protocols MIB March 2008 DESCRIPTION "The protocol, if any, used by the entity to communicate with a third party (i.e., an External Server) as part of the process by which it verifies DH-CHAP responses. For example, if the entity is using an external RADIUS server to verify DH-CHAP responses, then this object will have the value t11FcSpAuServerProtocolRadius. The value, zeroDotZero, is used to indicate that no protocol is being used to communicate with a third party to verify DH-CHAP responses. When no protocol is being used, or if the third party is unreachable via the specified protocol, then locally configured information (if any) may be used instead." ::= { t11FcSpAuEntityEntry 3 } t11FcSpAuStorageType OBJECT-TYPE SYNTAX StorageType MAX-ACCESS read-write STATUS current DESCRIPTION "This object specifies the memory realization of configuration information related to an FC-SP Entity on a particular Fabric; specifically, for MIB objects in the row containing this object. Even if an instance of this object has the value 'permanent(4)', none of the information in the corresponding row of this table needs to be writable." ::= { t11FcSpAuEntityEntry 4 } t11FcSpAuSendRejNotifyEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "An indication of whether or not the entity should issue t11FcSpAuRejectSentNotify notifications when sending AUTH_Reject/SW_RJT/LS_RJT to reject an AUTH message. If the value of the object is 'true', then this type of notification is generated. If the value is 'false', this type of notification is not generated." DEFVAL { false } Expires 11 September 2008 [Page 48] Internet Draft Fibre-Channel Security Protocols MIB March 2008 ::= { t11FcSpAuEntityEntry 5 } t11FcSpAuRcvRejNotifyEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "An indication of whether or not the entity should issue t11FcSpAuRejectReceivedNotify notifications on the receipt of AUTH_Reject/SW_RJT/LS_RJT messages. If the value of the object is 'true', then this type of notification is generated. If the value is 'false', this type of notification is not generated." DEFVAL { false } ::= { t11FcSpAuEntityEntry 6 } t11FcSpAuDefaultLifetime OBJECT-TYPE SYNTAX T11FcSpLifetimeLeft MAX-ACCESS read-write STATUS current DESCRIPTION "When the value of this object is non-zero, it specifies the default value of a lifetime, specified in units given by the corresponding instance of t11FcSpAuDefaultLifetimeUnits. This default lifetime is to be used for any Security Association which has no explicitly-specified value for its lifetime. An SA's lifetime is either the time interval or the number of passed bytes, after which the SA has to be terminated and (if necessary) replaced with a new SA. If this object is zero, then there is no default value for lifetime." DEFVAL { 28800 } -- 8 hours (in units of seconds) ::= { t11FcSpAuEntityEntry 7 } t11FcSpAuDefaultLifetimeUnits OBJECT-TYPE SYNTAX T11FcSpLifetimeLeftUnits MAX-ACCESS read-write STATUS current DESCRIPTION "The units in which the value of the corresponding instance of t11FcSpAuDefaultLifetime specifies a Expires 11 September 2008 [Page 49] Internet Draft Fibre-Channel Security Protocols MIB March 2008 default lifetime for a Security Association which has no explicitly-specified value for its lifetime." DEFVAL { seconds } ::= { t11FcSpAuEntityEntry 8 } t11FcSpAuRejectMaxRows OBJECT-TYPE SYNTAX Unsigned32 (0..1000) MAX-ACCESS read-write STATUS current DESCRIPTION "The maximum number of rows in the t11FcSpAuRejectTable for this entity on this Fabric. If and when an AUTH message is rejected and the t11FcSpAuRejectTable already contains this maximum number of rows for the specific entity and Fabric, the row containing the oldest information is discarded and replaced by a row containing information about the new rejection. There will be less than this maximum number of rows in the t11FcSpAuRejectTable in exceptional circumstances, e.g., after an agent restart. In an implementation which does not support the t11FcSpAuRejectTable, this object will always be zero." ::= { t11FcSpAuEntityEntry 9 } t11FcSpAuDhChapHashFunctions OBJECT-TYPE SYNTAX T11FcSpHashFunctions MAX-ACCESS read-only STATUS current DESCRIPTION "The hash functions which the entity supports when using the DH-CHAP algorithm." ::= { t11FcSpAuEntityEntry 10 } t11FcSpAuDhChapDhGroups OBJECT-TYPE SYNTAX T11FcSpDhGroups MAX-ACCESS read-only STATUS current DESCRIPTION "The DH Groups which the entity supports when using the DH-CHAP algorithm in FC-SP." ::= { t11FcSpAuEntityEntry 11 } t11FcSpAuFcapHashFunctions OBJECT-TYPE Expires 11 September 2008 [Page 50] Internet Draft Fibre-Channel Security Protocols MIB March 2008 SYNTAX T11FcSpHashFunctions MAX-ACCESS read-only STATUS current DESCRIPTION "The hash functions which the entity supports when specified as Protocol Parameters in the AUTH_Negotiate message for FCAP in FC-SP." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, section 5.5.2.1 and table 28." ::= { t11FcSpAuEntityEntry 12 } t11FcSpAuFcapCertsSignFunctions OBJECT-TYPE SYNTAX T11FcSpSignFunctions MAX-ACCESS read-only STATUS current DESCRIPTION "The signature functions used within certificates which the entity supports when using FCAP in FC-SP." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, section 5.5.4.2 and tables 38 & 39." ::= { t11FcSpAuEntityEntry 13 } t11FcSpAuFcapDhGroups OBJECT-TYPE SYNTAX T11FcSpDhGroups MAX-ACCESS read-only STATUS current DESCRIPTION "The DH Groups which the entity supports when using the FCAP algorithm in FC-SP." ::= { t11FcSpAuEntityEntry 14 } t11FcSpAuFcpapHashFunctions OBJECT-TYPE SYNTAX T11FcSpHashFunctions MAX-ACCESS read-only STATUS current DESCRIPTION "The hash functions which the entity supports when using the FCPAP algorithm in FC-SP." ::= { t11FcSpAuEntityEntry 15 } t11FcSpAuFcpapDhGroups OBJECT-TYPE Expires 11 September 2008 [Page 51] Internet Draft Fibre-Channel Security Protocols MIB March 2008 SYNTAX T11FcSpDhGroups MAX-ACCESS read-only STATUS current DESCRIPTION "The DH Groups which the entity supports when using the FCPAP algorithm in FC-SP." ::= { t11FcSpAuEntityEntry 16 } -- -- The Mapping of Authentication Entities onto Interfaces -- and Statistics -- t11FcSpAuIfStatTable OBJECT-TYPE SYNTAX SEQUENCE OF T11FcSpAuIfStatEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each FC-SP Authentication entity can operate on one or more interfaces, but at most one of them can operate on each interface. A row in this table exists for each interface to each Fabric on which each Authentication entity operates. The objects within this table contain statistics information related to FC-SP's Authentication Protocols." ::= { t11FcSpAuMIBObjects 2 } t11FcSpAuIfStatEntry OBJECT-TYPE SYNTAX T11FcSpAuIfStatEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A set of Authentication Protocols statistics for an FC-SP Authentication entity (identified by t11FcSpAuEntityName) on one of its interfaces to a particular Fabric, which is managed within the Fibre Channel management instance identified by fcmInstanceIndex." INDEX { fcmInstanceIndex, t11FcSpAuEntityName, t11FcSpAuIfStatInterfaceIndex, t11FcSpAuIfStatFabricIndex } ::= { t11FcSpAuIfStatTable 1 } T11FcSpAuIfStatEntry ::= SEQUENCE { t11FcSpAuIfStatInterfaceIndex InterfaceIndex, Expires 11 September 2008 [Page 52] Internet Draft Fibre-Channel Security Protocols MIB March 2008 t11FcSpAuIfStatFabricIndex T11FabricIndex, t11FcSpAuIfStatTimeouts Counter32, t11FcSpAuIfStatInAcceptedMsgs Counter32, t11FcSpAuIfStatInLsSwRejectedMsgs Counter32, t11FcSpAuIfStatInAuthRejectedMsgs Counter32, t11FcSpAuIfStatOutAcceptedMsgs Counter32, t11FcSpAuIfStatOutLsSwRejectedMsgs Counter32, t11FcSpAuIfStatOutAuthRejectedMsgs Counter32 } t11FcSpAuIfStatInterfaceIndex OBJECT-TYPE SYNTAX InterfaceIndex MAX-ACCESS not-accessible STATUS current DESCRIPTION "The interface on which the FC-SP Authentication entity operates and for which the statistics are collected." ::= { t11FcSpAuIfStatEntry 1 } t11FcSpAuIfStatFabricIndex OBJECT-TYPE SYNTAX T11FabricIndex MAX-ACCESS not-accessible STATUS current DESCRIPTION "A index value identifying the particular Fabric for which the statistics are collected." ::= { t11FcSpAuIfStatEntry 2 } t11FcSpAuIfStatTimeouts OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of FC-SP Authentication Protocol messages sent by the particular entity on the particular Fabric on the particular interface, for which no response was received within a timeout period. This counter has no discontinuities other than those which all Counter32's have when sysUpTime=0." REFERENCE "Fibre Channel - Security Protocols (FC-SP), T11/Project 1570-D/Rev 1.8, June 2006, section 5.11." ::= { t11FcSpAuIfStatEntry 3 } Expires 11 September 2008 [Page 53] Internet Draft Fibre-Channel Security Protocols MIB March 2008 t11FcSpAuIfStatInAcceptedMsgs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of FC-SP Authentication Protocol messages received and accepted by the particular entity on the particular Fabric on the particular interface. This counter has no discontinuities other than those which all Counter32's have when sysUpTime=0." REFERENCE "Fibre Channel - Security Protocols (FC-SP), T11/Project 1570-D/Rev 1.8, June 2006, section 5.1." ::= { t11FcSpAuIfStatEntry 4 } t11FcSpAuIfStatInLsSwRejectedMsgs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of FC-SP Authentication Protocol messages received by the particular entity on the particular Fabric on particular interface, and rejected by a lower-level (SW_RJT or LS_RJT) reject. This counter has no discontinuities other than those which all Counter32's have when sysUpTime=0." REFERENCE "Fibre Channel - Security Protocols (FC-SP), T11/Project 1570-D/Rev 1.8, June 2006, section 5.1." ::= { t11FcSpAuIfStatEntry 5 } t11FcSpAuIfStatInAuthRejectedMsgs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of FC-SP Authentication Protocol messages received by the particular entity on the particular Fabric on particular interface, and rejected by an AUTH_Reject message. This counter has no discontinuities other than those which all Counter32's have when sysUpTime=0." Expires 11 September 2008 [Page 54] Internet Draft Fibre-Channel Security Protocols MIB March 2008 REFERENCE "Fibre Channel - Security Protocols (FC-SP), T11/Project 1570-D/Rev 1.8, June 2006, section 5.1." ::= { t11FcSpAuIfStatEntry 6 } t11FcSpAuIfStatOutAcceptedMsgs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of FC-SP Authentication Protocol messages sent by the particular entity on the particular Fabric on the particular interface, which were accepted by the neighbouring entity, i.e., not rejected by an AUTH_Reject message, nor by a lower-level (SW_RJT or LS_RJT) reject. This counter has no discontinuities other than those which all Counter32's have when sysUpTime=0." REFERENCE "Fibre Channel - Security Protocols (FC-SP), T11/Project 1570-D/Rev 1.8, June 2006, section 5.1." ::= { t11FcSpAuIfStatEntry 7 } t11FcSpAuIfStatOutLsSwRejectedMsgs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of FC-SP Authentication Protocol messages sent by the particular entity on the particular Fabric on the particular interface, which were rejected by a lower-level (SW_RJT or LS_RJT) reject. This counter has no discontinuities other than those which all Counter32's have when sysUpTime=0." REFERENCE "Fibre Channel - Security Protocols (FC-SP), T11/Project 1570-D/Rev 1.8, June 2006, section 5.1." ::= { t11FcSpAuIfStatEntry 8 } t11FcSpAuIfStatOutAuthRejectedMsgs OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION Expires 11 September 2008 [Page 55] Internet Draft Fibre-Channel Security Protocols MIB March 2008 "The number of FC-SP Authentication Protocol messages sent by the particular entity on the particular Fabric on the particular interface, which were rejected by an AUTH_Reject message. This counter has no discontinuities other than those which all Counter32's have when sysUpTime=0." REFERENCE "Fibre Channel - Security Protocols (FC-SP), T11/Project 1570-D/Rev 1.8, June 2006, section 5.1." ::= { t11FcSpAuIfStatEntry 9 } -- -- Information about Authentication Protocol Transactions -- which were recently rejected -- t11FcSpAuRejectTable OBJECT-TYPE SYNTAX SEQUENCE OF T11FcSpAuRejectEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table of volatile information about FC-SP Authentication Protocol transactions which were recently rejected with an AUTH_Reject message, or with an SW_RJT/LS_RJT. The maximum number of rows in this table for a specific entity on a specific Fabric is given by the value of the corresponding instance of t11FcSpAuRejectMaxRows. The syntax of t11FcSpAuRejTimestamp is TimeStamp, and thus its value rolls-over to zero after approximately 497 days. To avoid any confusion due to such a roll-over, rows should be deleted from this table before they are 497 days old. This table will be empty if no AUTH_Reject messages, nor any SW_RJT/LS_RJT's rejecting an AUTH message, have been sent or received since the last re-initialization of the agent." ::= { t11FcSpAuMIBObjects 3 } t11FcSpAuRejectEntry OBJECT-TYPE SYNTAX T11FcSpAuRejectEntry MAX-ACCESS not-accessible Expires 11 September 2008 [Page 56] Internet Draft Fibre-Channel Security Protocols MIB March 2008 STATUS current DESCRIPTION "Information about one AUTH message (either an AUTH_ELS or an AUTH_ILS) which was rejected with an AUTH_Reject, SW_RJT or LS_RJT message, sent/received by the entity identified by values of fcmInstanceIndex and t11FcSpAuEntityName, on an interface to a particular Fabric." INDEX { fcmInstanceIndex, t11FcSpAuEntityName, t11FcSpAuRejInterfaceIndex, t11FcSpAuRejFabricIndex, t11FcSpAuRejTimestamp } ::= { t11FcSpAuRejectTable 1 } T11FcSpAuRejectEntry ::= SEQUENCE { t11FcSpAuRejInterfaceIndex InterfaceIndex, t11FcSpAuRejFabricIndex T11FabricIndex, t11FcSpAuRejTimestamp TimeStamp, t11FcSpAuRejDirection INTEGER, t11FcSpAuRejType INTEGER, t11FcSpAuRejAuthMsgString OCTET STRING, t11FcSpAuRejReasonCode T11FcSpAuthRejectReasonCode, t11FcSpAuRejReasonCodeExp T11FcSpAuthRejReasonCodeExp } t11FcSpAuRejInterfaceIndex OBJECT-TYPE SYNTAX InterfaceIndex MAX-ACCESS not-accessible STATUS current DESCRIPTION "The interface on which the rejected AUTH message was sent or received." ::= { t11FcSpAuRejectEntry 1 } t11FcSpAuRejFabricIndex OBJECT-TYPE SYNTAX T11FabricIndex MAX-ACCESS not-accessible STATUS current DESCRIPTION "A index value identifying the particular Fabric on which the rejected AUTH message was sent or received." ::= { t11FcSpAuRejectEntry 2 } t11FcSpAuRejTimestamp OBJECT-TYPE SYNTAX TimeStamp MAX-ACCESS not-accessible Expires 11 September 2008 [Page 57] Internet Draft Fibre-Channel Security Protocols MIB March 2008 STATUS current DESCRIPTION "The time at which the AUTH message was rejected. If two rows have the same value of this object for the same entity on the same interface and Fabric, the value of this object for the later one is incremented by one." ::= { t11FcSpAuRejectEntry 3 } t11FcSpAuRejDirection OBJECT-TYPE SYNTAX INTEGER { sent(1), received(2) } MAX-ACCESS read-only STATUS current DESCRIPTION "An indication of whether the the rejection was sent or received by the identified entity. The value 'sent(1)' corresponds to a notification of type t11FcSpAuRejectSentNotify; the value 'received(2)' corresponds to t11FcSpAuRejectReceivedNotify." ::= { t11FcSpAuRejectEntry 4 } t11FcSpAuRejType OBJECT-TYPE SYNTAX INTEGER { authReject(1), swRjt(2), lsRjt(3) } MAX-ACCESS read-only STATUS current DESCRIPTION "An indication of whether the rejection was an AUTH_Reject, an SW_RJT or an LS_RJT." ::= { t11FcSpAuRejectEntry 5 } t11FcSpAuRejAuthMsgString OBJECT-TYPE SYNTAX OCTET STRING (SIZE(0..255)) MAX-ACCESS read-only STATUS current DESCRIPTION "The binary content of the AUTH message which was rejected, formatted as an octet string (in network byte order) containing the content of the message. If the binary content is unavailable, then the length is zero. Otherwise, the first octet of the Expires 11 September 2008 [Page 58] Internet Draft Fibre-Channel Security Protocols MIB March 2008 message identifies the type of message: '90'h - an AUTH_ELS, see Table 6 in FC-SP, '40'h - an AUTH_ILS, see Table 3 in FC-SP, or '41'h - an B_AUTH_ILS, see Table 5 in FC-SP. and the remainder of the message may be truncated." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Tables 3, 5 and 6." ::= { t11FcSpAuRejectEntry 6 } t11FcSpAuRejReasonCode OBJECT-TYPE SYNTAX T11FcSpAuthRejectReasonCode MAX-ACCESS read-only STATUS current DESCRIPTION "The reason code with which this AUTH message was rejected." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 17, 48, 52." ::= { t11FcSpAuRejectEntry 7 } t11FcSpAuRejReasonCodeExp OBJECT-TYPE SYNTAX T11FcSpAuthRejReasonCodeExp MAX-ACCESS read-only STATUS current DESCRIPTION "The reason code explanation with which this AUTH message was rejected." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 17, 48, 52." ::= { t11FcSpAuRejectEntry 8 } Expires 11 September 2008 [Page 59] Internet Draft Fibre-Channel Security Protocols MIB March 2008 -- -- Notifications -- t11FcSpAuRejectSentNotify NOTIFICATION-TYPE OBJECTS { t11FamLocalSwitchWwn, t11FcSpAuRejAuthMsgString, t11FcSpAuRejType, t11FcSpAuRejReasonCode, t11FcSpAuRejReasonCodeExp } STATUS current DESCRIPTION "This notification indicates that a Switch (identified by the value of t11FamLocalSwitchWwn) has sent a reject message of the type indicated by t11FcSpAuRejType in response to an AUTH message. The content of the rejected AUTH message is given by the value of t11FcSpAuRejAuthMsgString. The values of the Reason Code and Reason Code Explanation in the AUTH_Reject/SW_RJT/LS_RJT are indicated by the values of t11FcSpAuRejReasonCode and t11FcSpAuRejReasonCodeExp." ::= { t11FcSpAuMIBNotifications 1 } t11FcSpAuRejectReceivedNotify NOTIFICATION-TYPE OBJECTS { t11FamLocalSwitchWwn, t11FcSpAuRejAuthMsgString, t11FcSpAuRejType, t11FcSpAuRejReasonCode, t11FcSpAuRejReasonCodeExp } STATUS current DESCRIPTION "This notification indicates that a Switch (identified by the value of t11FamLocalSwitchWwn) has received a reject message of the type indicated by t11FcSpAuRejType in response to an AUTH message. The content of the rejected AUTH message is given by the value of t11FcSpAuRejAuthMsgString. The values of the Reason Code and Reason Code Explanation in the AUTH_Reject/SW_RJT/LS_RJT are indicated by the values of t11FcSpAuRejReasonCode and t11FcSpAuRejReasonCodeExp." ::= { t11FcSpAuMIBNotifications 2 } Expires 11 September 2008 [Page 60] Internet Draft Fibre-Channel Security Protocols MIB March 2008 -- -- Conformance -- t11FcSpAuMIBCompliances OBJECT IDENTIFIER ::= { t11FcSpAuMIBConformance 1 } t11FcSpAuMIBGroups OBJECT IDENTIFIER ::= { t11FcSpAuMIBConformance 2 } t11FcSpAuMIBCompliance MODULE-COMPLIANCE STATUS current DESCRIPTION "The compliance statement for entities which implement one or more of the Authentication Protocols defined in FC-SP." MODULE -- this module MANDATORY-GROUPS { t11FcSpAuGeneralGroup, t11FcSpAuRejectedGroup, t11FcSpAuNotificationGroup } GROUP t11FcSpAuIfStatsGroup DESCRIPTION "These counters, of particular FC-SP messages and events, are mandatory only for those systems that count such messages/events." -- Write access is not required for any objects in this MIB module: OBJECT t11FcSpAuStorageType MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT t11FcSpAuSendRejNotifyEnable MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT t11FcSpAuRcvRejNotifyEnable MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT t11FcSpAuDefaultLifetime Expires 11 September 2008 [Page 61] Internet Draft Fibre-Channel Security Protocols MIB March 2008 MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT t11FcSpAuDefaultLifetimeUnits MIN-ACCESS read-only DESCRIPTION "Write access is not required." OBJECT t11FcSpAuRejectMaxRows MIN-ACCESS read-only DESCRIPTION "Write access is not required." ::= { t11FcSpAuMIBCompliances 1 } -- Units of Conformance t11FcSpAuGeneralGroup OBJECT-GROUP OBJECTS { t11FcSpAuServerProtocol, t11FcSpAuStorageType, t11FcSpAuSendRejNotifyEnable, t11FcSpAuRcvRejNotifyEnable, t11FcSpAuDefaultLifetime, t11FcSpAuDefaultLifetimeUnits, t11FcSpAuRejectMaxRows, t11FcSpAuDhChapHashFunctions, t11FcSpAuDhChapDhGroups, t11FcSpAuFcapHashFunctions, t11FcSpAuFcapCertsSignFunctions, t11FcSpAuFcapDhGroups, t11FcSpAuFcpapHashFunctions, t11FcSpAuFcpapDhGroups, t11FcSpAuIfStatTimeouts } STATUS current DESCRIPTION "A collection of objects for the capabilities and configuration parameters of FC-SP's Authentication Protocols. The inclusion of t11FcSpAuIfStatTimeouts in this group provides information on mappings of Authentication entities onto interfaces." ::= { t11FcSpAuMIBGroups 1 } t11FcSpAuIfStatsGroup OBJECT-GROUP Expires 11 September 2008 [Page 62] Internet Draft Fibre-Channel Security Protocols MIB March 2008 OBJECTS { t11FcSpAuIfStatInAcceptedMsgs, t11FcSpAuIfStatInLsSwRejectedMsgs, t11FcSpAuIfStatInAuthRejectedMsgs, t11FcSpAuIfStatOutAcceptedMsgs, t11FcSpAuIfStatOutLsSwRejectedMsgs, t11FcSpAuIfStatOutAuthRejectedMsgs } STATUS current DESCRIPTION "A collection of objects for monitoring the operations of FC-SP's Authentication Protocols." ::= { t11FcSpAuMIBGroups 2 } t11FcSpAuRejectedGroup OBJECT-GROUP OBJECTS { t11FcSpAuRejDirection, t11FcSpAuRejType, t11FcSpAuRejAuthMsgString, t11FcSpAuRejReasonCode, t11FcSpAuRejReasonCodeExp } STATUS current DESCRIPTION "A collection of objects holding information concerning FC-SP Authentication Protocol transactions which were recently rejected with an AUTH_Reject, with an SW_RJT, or with an LS_RJT." ::= { t11FcSpAuMIBGroups 3 } t11FcSpAuNotificationGroup NOTIFICATION-GROUP NOTIFICATIONS { t11FcSpAuRejectSentNotify, t11FcSpAuRejectReceivedNotify } STATUS current DESCRIPTION "A collection of notifications for use in the management of FC-SP's Authentication Protocols." ::= { t11FcSpAuMIBGroups 4 } END Expires 11 September 2008 [Page 63] Internet Draft Fibre-Channel Security Protocols MIB March 2008 6.3. The T11-FC-SP-ZONING-MIB Module --******************************************************************* -- FC-SP Zoning -- T11-FC-SP-ZONING-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, mib-2, Counter32 FROM SNMPv2-SMI -- [RFC2578] TruthValue FROM SNMPv2-TC -- [RFC2579] MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP FROM SNMPv2-CONF -- [RFC2580] ifIndex FROM IF-MIB -- [RFC2863] t11ZsServerEntry, t11ZsStatsEntry, t11ZsNotifyControlEntry, t11ZsFabricIndex FROM T11-FC-ZONE-SERVER-MIB -- [RFC4936] T11FcSpPolicyHashValue, T11FcSpPolicyHashFormat, T11FcSpHashCalculationStatus FROM T11-FC-SP-TC-MIB; t11FcSpZoningMIB MODULE-IDENTITY LAST-UPDATED "200801030000Z" ORGANIZATION "This MIB module was developed through the coordinated effort of two organizations: T11 began the development and the IETF's IMSS Working Group finished it." CONTACT-INFO " Claudio DeSanti Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134 USA EMail: cds@cisco.com Keith McCloghrie Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134 USA Expires 11 September 2008 [Page 64] Internet Draft Fibre-Channel Security Protocols MIB March 2008 Email: kzm@cisco.com" DESCRIPTION "This MIB module specifies the extensions to the T11-FC-ZONE-SERVER-MIB module which are necessary for the management of Fibre Channel's FC-SP Zoning Servers, as defined in the FC-SP specification. The persistence of values written to these MIB objects is the same as the persistence of the objects they extend, i.e., it is given by the value of the relevant instance of t11ZsServerDatabaseStorageType (defined in the T11-FC-ZONE-SERVER-MIB module). Copyright (C) The IETF Trust (2008). This version of this MIB module is part of RFC yyyy; see the RFC itself for full legal notices." -- RFC Editor: replace yyyy with actual RFC number & remove this note REVISION "200801030000Z" DESCRIPTION "Initial version of this MIB module, published as RFCyyyy." -- RFC-Editor, replace yyyy with actual RFC number & remove this note ::= { mib-2 nnn } -- to be assigned by IANA -- RFC Editor: replace nnn with IANA-assigned number & remove this note t11FcSpZsMIBNotifications OBJECT IDENTIFIER ::= { t11FcSpZoningMIB 0 } t11FcSpZsMIBObjects OBJECT IDENTIFIER ::= { t11FcSpZoningMIB 1 } t11FcSpZsMIBConformance OBJECT IDENTIFIER ::= { t11FcSpZoningMIB 2 } t11FcSpZsConfiguration OBJECT IDENTIFIER ::= { t11FcSpZsMIBObjects 1 } t11FcSpZsStatistics OBJECT IDENTIFIER ::= { t11FcSpZsMIBObjects 2 } Expires 11 September 2008 [Page 65] Internet Draft Fibre-Channel Security Protocols MIB March 2008 -- -- Augmenting the table of Zone Servers -- t11FcSpZsServerTable OBJECT-TYPE SYNTAX SEQUENCE OF T11FcSpZsServerEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table which provides FC-SP-specific information about the Zone Servers on each Fabric in one or more Switches." ::= { t11FcSpZsConfiguration 1 } t11FcSpZsServerEntry OBJECT-TYPE SYNTAX T11FcSpZsServerEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Each entry contains information relevant to FC-SP for a particular Zone Server for a particular Fabric on a particular Switch. The Fabric and Switch are identified in the same manner as in t11ZsServerEntry." AUGMENTS { t11ZsServerEntry } ::= { t11FcSpZsServerTable 1 } T11FcSpZsServerEntry ::= SEQUENCE { t11FcSpZsServerCapabilityObject BITS, t11FcSpZsServerEnabled TruthValue, t11FcSpZoneSetHashStatus T11FcSpHashCalculationStatus, t11FcSpActiveZoneSetHashType T11FcSpPolicyHashFormat, t11FcSpActiveZoneSetHash T11FcSpPolicyHashValue, t11FcSpZoneSetDatabaseHashType T11FcSpPolicyHashFormat, t11FcSpZoneSetDatabaseHash T11FcSpPolicyHashValue } t11FcSpZsServerCapabilityObject OBJECT-TYPE SYNTAX BITS { fcSpZoning(0) } MAX-ACCESS read-only STATUS current DESCRIPTION "Capabilities of the Zone Server for the particular Fabric on the particular Switch, with respect to FC-SP Zoning: Expires 11 September 2008 [Page 66] Internet Draft Fibre-Channel Security Protocols MIB March 2008 fcSpZoning -- set to 1 to indicate the Switch is capable of supporting FC-SP Zoning. " REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 184." ::= { t11FcSpZsServerEntry 1 } t11FcSpZsServerEnabled OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "This object indicates whether the Zone Server for the particular Fabric on the particular Switch, is operating in FC-SP Zoning mode." REFERENCE "INCITS xxx/200x, T11/Project 1570-D/Rev 1.8, Fibre Channel - Security Protocols (FC-SP), 13 June 2006, Table 185." ::= { t11FcSpZsServerEntry 2 } t11FcSpZoneSetHashStatus OBJECT-TYPE SYNTAX T11FcSpHashCalculationStatus MAX-ACCESS read-write STATUS current DESCRIPTION "When read, the value of this object is either: correct -- the corresponding instances of both t11FcSpActiveZoneSetHash and t11FcSpZoneSetDatabaseHash contain the correct hash values; or stale -- the corresponding instances of t11FcSpActiveZoneSetHash and t11FcSpZoneSetDatabaseHash contain stale (possibly incorrect) values; Writing a value of 'calculate'