IPSP                                                             M. Baer
Internet-Draft                                              Sparta, Inc.
Intended status: Informational                                R. Charlet
Expires: April 21, 2007                                             Self
                                                             W. Hardaker
                                                            Sparta, Inc.
                                                                R. Story
                                                     Revelstone Software
                                                                 C. Wang
                                                 ARO/North Carolina State
                                                              University
                                                        October 18, 2006

             IPsec Security Policy Database Configuration MIB
                      draft-ietf-ipsp-spd-mib-07.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.
   It is inappropriate to use Internet-Drafts as reference material or
   to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 21, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document defines an SMIv2 Management Information Base (MIB)
   module for configuring the security policy database of a device
   implementing the IPsec protocol.  The policy-based packet filtering
   and the corresponding execution of actions described in this document
   are of a more general nature than for IPsec configuration alone, such
   as for configuration of a firewall.  This MIB module is designed to
   be extensible with other enterprise- or standards-defined packet
   filters and actions.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  The Internet-Standard Management Framework
   4.  Relationship to the DMTF Policy Model
   5.  MIB Module Overview
       5.1.  Usage Tutorial
             5.1.1.  Notational conventions
             5.1.2.  Implementing an example SPD policy
   6.  MIB definition
   7.  Security Considerations
       7.1.  Introduction
       7.2.  Protecting against unauthenticated access
       7.3.  Protecting against involuntary disclosure
       7.4.  Bootstrapping your configuration
   8.  IANA Considerations
   9.  Acknowledgments
   10. References
       10.1.  Normative References
       10.2.  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   This document defines a MIB module for configuration of an IPsec
   security policy database (SPD).  The IPsec model this MIB is designed
   to configure is based on the "IPsec Configuration Policy Model"
   (IPCP) [RFC3585].  The IPCP's IPsec model is in turn derived from the
   DMTF's (see below) IPsec model and from the IPsec model specified in
   RFC 2401 [RFC2401].  The policy-based packet filtering and the
   corresponding execution of actions configured by this MIB are of a
   more general nature than for IPsec configuration only, such as for
   configuration of a firewall.  It is possible to extend this MIB
   module and add other packet transforming actions that are performed
   conditionally on an interface's network traffic.

   The IPsec- and IKE-specific actions are documented in [RFCXXXX] and
   [RFCYYYY] respectively and are not documented in this document.

   Note: RFCXXXX and RFCYYYY should be replaced by the RFC Editor when
   these values are determined.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4.  Relationship to the DMTF Policy Model

   The Distributed Management Task Force (DMTF) has created an object
   oriented model of IPsec policy information known as the IPsec Policy
   Model White Paper [IPPMWP].  The "IPsec Configuration Policy Model"
   (IPCP) [RFC3585] is based in large part on the DMTF's IPsec policy
   model and on RFC 2401 [RFC2401].  The IPCP document describes a model
   for configuring IPsec.  This MIB module is a task specific derivation
   (i.e. an SMIv2 instantiation) of the IPCP's IPsec configuration model
   for use with SNMPv3.

   The high-level areas where this MIB module diverges from the IPCP
   model are:

   o  Policies, Groups, Conditions, and some levels of Actions are
      generically named.  In other words, IPsec specific prefixes like
      "SA" (Security Association), or "IPsec" are not used.  This naming
      convention is used because packet classification and the matching
      of conditions to actions is more general than IPsec.  The tables
      in this document can possibly be reused by other packet
      transforming actions which need to conditionally act on packets
      matching filters.
   o  Filters are implemented in a more generic and scalable manner,
      rather than enforcing the condition/filtering pairing of the IPCP
      and its restrictions upon the user.  This MIB module offers a
      compound filter object providing greater flexibility for complex
      filters than the IPCP.

5.  MIB Module Overview

   The MIB module is modularized into several different parts: rules,
   filters, and actions.

   The rules section associates endpoints and groups of rules and
   consists of the spdEndpointToGroupTable, spdGroupContentsTable, and
   the spdRuleDefinitionTable.  Each row of the spdRuleDefinitionTable
   connects a filter to an action.  It should also be noted that by
   referencing the spdCompoundFilterTable, the spdRuleDefinitionTable's
   filter column can indicate a set of filters to be processed.
   Likewise, by referencing the spdCompoundActionTable, the
   spdRuleDefinitionTable's action column can indicate multiple actions
   to be executed.

   This MIB is structured to allow for reuse through the future creation
   of extension tables that provide additional filters and/or actions.
   In fact, the companion documents to this one do just that and define
   IPsec [RFCXXXX] and IKE [RFCYYYY] specific actions to be used within
   this SPD configuration MIB.  Note: it is expected that, in order to
   function properly, extension action MIBs may impose additional
   limitations on the objects in this MIB and how they can be used with
   the extended actions.  An extension action may only support a subset
   of the configuration options available in this MIB.

   The filter section of the MIB module is composed of the different
   types of filters in the Policy Model.  It is made up of the
   spdTrueFilter, spdCompoundFilterTable, spdSubfiltersTable,
   spdIpHeaderFilterTable, spdIpOffsetFilterTable, spdTimeFilterTable,
   and spdIpsoHeaderFilterTable.
   The action section of this MIB module contains only the simple static
   actions required for the firewall processing that an IPsec SPD
   implementation requires (e.g. accept, drop, log, ...).  The companion
   documents of this document define the complex actions necessary for
   IPsec and IKE negotiations.

   As may have been noticed above, the MIB uses recursion in a similar
   manner in several different places.  In particular the
   spdGroupContentsTable, the spdCompoundFilterTable /
   spdSubfiltersTable combination, and the spdCompoundActionTable /
   spdSubactionsTable combination can reference themselves.

   In the case of the spdGroupContentsTable, a row can indicate a rule
   (i.e. a row in the spdRuleDefinitionTable) or a group (i.e. another
   set of one or more rows in the spdGroupContentsTable).  This way a
   group can contain a set of rules and sub-groups.  Sub-groups are just
   other groups defined in the spdGroupContentsTable.  There is no
   inherent MIB limit to the depth of nesting of groups.

   The spdCompoundFilterTable / spdSubfiltersTable combination and
   spdCompoundActionTable / spdSubactionsTable combination are designed
   almost identically, with one being for filters and the other for
   actions respectively.  The following descriptions for the compound
   filter tables can be directly applied to the compound action tables.

   The combination of the tables spdCompoundFilterTable and
   spdSubfiltersTable allows a user to create a set of filters that can
   be referenced from any table as a single filter.  A row in the
   spdCompoundFilterTable has the basic configuration information for
   the compound filter.  The index of spdCompoundFilterTable,
   spdCompFiltName, is also used as a partial index to reference a set
   of ordered rows in the spdSubfiltersTable.  Each row in
   spdSubfiltersTable points at a row in another filter table.
   In this way, the set of rows in spdSubfiltersTable with a matching
   spdCompFiltName together with the row in spdCompoundFilterTable
   indexed by spdCompFiltName create a compound filter.  Note that it is
   possible for a row in the spdSubfiltersTable to point to a row in the
   spdCompoundFilterTable.  This recursion allows the creation of a
   filter set that includes other filter sets within it.  There is no
   inherent MIB limit to the nesting of compound filters within compound
   filters.

5.1.  Usage Tutorial

   In order to use the tables contained in this document, a general
   understanding of firewall processing is helpful.  The processing of
   the security policy database (SPD) involves applying a set of SPD
   rules to an interface on a device.  The given set of rules to apply
   to any given interface is defined within the spdEndpointToGroupTable
   table.  This table maps a given interface to a group of rules.  In
   this table, the interface itself is specified using its assigned
   address.  There is also one group of rules per direction (ingress and
   egress).

5.1.1.  Notational conventions

   Notes about the following example operations:

   1.  All the example operations in the following section make use of
       default values for all columns not listed.  The operations and
       column values given in the examples are the minimal SNMP Varbinds
       that must be sent to create a row.

   2.  The example operations are formatted such that a row (i.e. the
       table's Entry object) is operated on by using the indexes to that
       row and the column values for that row.

   3.  Below is a generic example of the notation used in the following
       section's examples of this MIB's usage.  This example indicates
       that the MIB row to be set is the row with the index values of
       value1 for index1 and value2 for index2.
       Within this row, column1 is set to column_value1 and column2 is
       set to column_value2:

       rowEntry(index1 = value1,
                index2 = value2)
           = (column1 = column_value1,
              column2 = column_value2)

   4.  Below is a specific example of the notation used in the
       following section's examples of this MIB's usage.  This example
       represents the status column of a row in the
       IP-MIB::ipAddressTable table being set to deprecated.  The index
       values for this row are IPv4 and 192.0.2.1.  The example notation
       would look like the following:

       ipAddressEntry(ipAddressAddrType = 1,         -- ipv4
                      ipAddressAddr = 0xC0000201 )   -- 192.0.2.1
           = (ipAddressStatus = 2)                   -- deprecated

5.1.2.  Implementing an example SPD policy

   As an example, let us define the following administrative policy: On
   the network interface with IP address 192.0.2.1, all traffic from
   host 192.0.2.6 will be dropped and all other traffic will be
   accepted.

   This policy is enforced by setting the values in the MIB to do the
   following:

   o  create a filter for 192.0.2.6

   o  create a rule that connects the 192.0.2.6 filter to a packet drop
      action

   o  create a rule that always accepts packets

   o  group these rules together in the proper order so that the
      192.0.2.6 drop rule is checked first.
   o  connect this group of rules to the 192.0.2.1 interface

   The first step to do this is creating the filter for the IPv4 address
   192.0.2.6:

   SpdIpHeaderFilterEntry(spdIpHeadFiltName = "192.0.2.6")
       = (spdIpHeadFiltType = 0x80,                  -- sourceAddress
          spdIpHeadFiltIPVersion = 1,                -- IPv4
          spdIpHeadFiltSrcAddressBegin = 0xC0000206, -- 192.0.2.6
          spdIpHeadFiltSrcAddressEnd = 0xC0000206,   -- 192.0.2.6
          spdIpHeadFiltRowStatus = 4)                -- createAndGo

   Next, a rule is created to connect the above "192.0.2.6" filter to an
   action to "drop" the packet, as follows:

   spdRuleDefinitionEntry(spdRuleDefName = "drop from 192.0.2.6")
       = (spdRuleDefFilter =
              spdIpHeadFiltType.9.49.57.50.46.48.46.50.46.54,
          spdRuleDefAction = spdDropAction.0,
          spdRuleDefRowStatus = 4)                   -- createAndGo

   Next, a rule is created that accepts all packets:

   spdRuleDefinitionEntry(spdRuleDefName = "accept all")
       = (spdRuleDefFilter = spdTrueFilter.0,
          spdRuleDefAction = spdAcceptAction.0,
          spdRuleDefRowStatus = 4)                   -- createAndGo

   Next, these two rules are grouped together.  Rule groups attached to
   an interface are processed one row at a time.  The rows are processed
   from lowest to highest spdGroupContPriority value.  Because the row
   that references the "accept all" rule should be processed last, it is
   given the higher spdGroupContPriority value.
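   The processing order this tutorial relies on (one group per endpoint
   and direction, rows walked from lowest to highest
   spdGroupContPriority, processing stopping at the first row whose
   action runs, and a drop when nothing matches) is modelled below in an
   added Python example that is not part of the draft.  It assumes
   ifIndex 1 is the 192.0.2.1 interface and stands in for the filter
   tables with plain callables; it also goes beyond the tutorial by
   handling spdGroupContFilter, nested sub-groups and the global
   spdIngressPolicyGroupName / spdEgressPolicyGroupName fallbacks.

```python
"""Added example (not code from the draft): a model of the SPD processing
order the draft describes.  spdEndpointToGroupTable maps (direction,
ifIndex) to a group name; the spdGroupContentsTable rows of that group are
walked in ascending spdGroupContPriority; the first row whose rule's filter
matches runs its action and processing stops; otherwise the packet is
dropped.  Names and sample packets here are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

INBOUND, OUTBOUND = 1, 2   # IfDirection values carried by spdEndGroupDirection


@dataclass(frozen=True)
class Packet:                  # constructed sample input, not a real packet
    src: str
    dst: str


# Filters are callables over a packet.  true_filter models spdTrueFilter;
# ip_src_range models the spdIpHeaderFilterTable source-address range;
# compound models spdCompoundFilterTable with its SpdBooleanOperator.
def true_filter(pkt):
    return True


def ip_src_range(begin, end):
    lo, hi = int(ipaddress.ip_address(begin)), int(ipaddress.ip_address(end))
    return lambda pkt: lo <= int(ipaddress.ip_address(pkt.src)) <= hi


def compound(operator, subfilters):
    if operator == "and":
        return lambda pkt: all(f(pkt) for f in subfilters)
    return lambda pkt: any(f(pkt) for f in subfilters)


@dataclass
class Rule:                    # one spdRuleDefinitionTable row
    filt: object               # spdRuleDefFilter
    action: str                # spdRuleDefAction: "accept" or "drop"


@dataclass
class GroupRow:                # one spdGroupContentsTable row
    priority: int              # spdGroupContPriority (lower runs first)
    component_type: str        # spdGroupContComponentType: "rule" or "group"
    component_name: str        # spdGroupContComponentName
    filt: object = true_filter # spdGroupContFilter; None = dangling pointer


@dataclass
class SPD:
    rules: dict = field(default_factory=dict)      # rule name -> Rule
    groups: dict = field(default_factory=dict)     # group name -> [GroupRow]
    endpoints: dict = field(default_factory=dict)  # (direction, ifIndex) -> group
    ingress_default: str = ""                      # spdIngressPolicyGroupName
    egress_default: str = ""                       # spdEgressPolicyGroupName

    def run_group(self, name, pkt):
        """Action run by the first matching row of the group, or None."""
        for row in sorted(self.groups.get(name, []), key=lambda r: r.priority):
            if row.filt is None:
                return "drop"          # group filter points nowhere: MUST drop
            if not row.filt(pkt):
                continue               # row skipped, try the next priority
            if row.component_type == "group":
                action = self.run_group(row.component_name, pkt)
            else:
                rule = self.rules[row.component_name]
                action = rule.action if rule.filt(pkt) else None
            if action is not None:
                return action          # an action ran: stop processing here
        return None

    def process(self, direction, ifindex, pkt):
        group = self.endpoints.get((direction, ifindex))
        if group is None:              # no endpoint row: fall back to global
            group = self.ingress_default if direction == INBOUND else self.egress_default
        if not group:
            return "drop"              # zero-length name: no policy, default drop
        action = self.run_group(group, pkt)
        return action if action is not None else "drop"   # nothing matched


def tutorial_spd():
    """The section 5.1.2 policy; ifIndex 1 is assumed to be 192.0.2.1."""
    spd = SPD()
    spd.rules["drop from 192.0.2.6"] = Rule(ip_src_range("192.0.2.6", "192.0.2.6"), "drop")
    spd.rules["accept all"] = Rule(true_filter, "accept")
    spd.groups["ingress"] = [GroupRow(65535, "rule", "accept all"),
                             GroupRow(1000, "rule", "drop from 192.0.2.6")]
    spd.endpoints[(INBOUND, 1)] = "ingress"
    return spd


if __name__ == "__main__":
    spd = tutorial_spd()
    for src in ("192.0.2.6", "192.0.2.7"):
        print(src, "->", spd.process(INBOUND, 1, Packet(src, "192.0.2.1")))
    print("egress (no group) ->", spd.process(OUTBOUND, 1, Packet("192.0.2.1", "192.0.2.9")))
```

   Swapping the two priorities in tutorial_spd shows why the drop row
   must come first: "accept all" would then run on every packet and the
   192.0.2.6 rule would never be reached.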
   SpdGroupContentsEntry(spdGroupContName = "ingress",
                         spdGroupContPriority = 65535)
       = (spdGroupContComponentName = "accept all",
          spdGroupContRowStatus = 4)                 -- createAndGo

   SpdGroupContentsEntry(spdGroupContName = "ingress",
                         spdGroupContPriority = 1000)
       = (spdGroupContComponentName = "drop from 192.0.2.6",
          spdGroupContRowStatus = 4)                 -- createAndGo

   Finally, this group of rules is connected to the 192.0.2.1 interface
   as follows:

   SpdEndpointToGroupEntry(spdEndGroupDirection = 1,     -- ingress
                           spdEndGroupIdentType = 4,     -- IPv4
                           spdEndGroupAddress = 0xC0000001)
       = (spdEndGroupName = "ingress",
          spdEndGroupRowStatus = 4)                  -- createAndGo

   This completes the necessary steps to implement the policy.  Once all
   of these rules have been applied, the policy should take effect.

6.  MIB definition

   The following MIB Module imports from: [RFC2578], [RFC2579],
   [RFC2580], [RFC2863], [RFC3289], [RFC3411], [RFC4001].  It also uses
   definitions from [RFC1108], [RFC3060], and [RFC3629].

   IPSEC-SPD-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32,
       Unsigned32, mib-2                       FROM SNMPv2-SMI
                                                    -- [RFC2578]
       TEXTUAL-CONVENTION, RowStatus, TruthValue,
       TimeStamp, StorageType, VariablePointer
                                               FROM SNMPv2-TC
                                                    -- [RFC2579]
       MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
                                               FROM SNMPv2-CONF
                                                    -- [RFC2580]
       InterfaceIndex                          FROM IF-MIB
                                                    -- [RFC2863]
       diffServMIBMultiFieldClfrGroup, IfDirection,
       diffServMultiFieldClfrNextFree          FROM DIFFSERV-MIB
                                                    -- [RFC3289]
       InetAddressType, InetAddress            FROM INET-ADDRESS-MIB
                                                    -- [RFC4001]
       SnmpAdminString                         FROM SNMP-FRAMEWORK-MIB
                                                    -- [RFC3411]
       ;

   --
   -- module identity
   --

   spdMIB MODULE-IDENTITY
       LAST-UPDATED "200610170000Z"             -- 17 October 2006
       ORGANIZATION "IETF IP Security Policy Working Group"
       CONTACT-INFO "Michael Baer
                     P.O. Box 72682
                     Davis, CA 95617
                     Phone: +1 530 902 3131
                     Email: baerm@tislabs.com

                     Ricky Charlet
                     Email: rcharlet@alumni.calpoly.edu

                     Wes Hardaker
                     Sparta, Inc.
                     P.O. Box 382
                     Davis, CA 95617
                     Phone: +1 530 792 1913
                     Email: hardaker@tislabs.com

                     Robert Story
                     Revelstone Software
                     PO Box 1812
                     Tucker, GA 30085
                     Phone: +1 770 617 3722
                     Email: rstory@sparta.com

                     Cliff Wang
                     ARO/North Carolina State University
                     4300 S. Miami Blvd.
                     RTP, NC 27709
                     E-Mail: cliffwangmail@yahoo.com"
       DESCRIPTION
           "This MIB module defines configuration objects for managing
           IPsec Security Policies.  In general, this MIB can be
           implemented anywhere IPsec security services exist (e.g.,
           bump-in-the-wire, host, gateway, firewall, router, etc....).

           Copyright (C) The Internet Society (2006).  This version of
           this MIB module is part of RFC ZZZZ, see the RFC itself for
           full legal notices."

       -- Revision History

       REVISION "200610170000Z"                 -- 17 October 2006
       DESCRIPTION "Initial version, published as RFC ZZZZ."
                   -- RFC-editor assigns ZZZZ

       -- xxx: To be assigned by IANA
       ::= { mib-2 xxx }

   --
   -- groups of related objects
   --

   spdConfigObjects OBJECT IDENTIFIER
       ::= { spdMIB 1 }
   spdNotificationObjects OBJECT IDENTIFIER
       ::= { spdMIB 2 }
   spdConformanceObjects OBJECT IDENTIFIER
       ::= { spdMIB 3 }
   spdActions OBJECT IDENTIFIER
       ::= { spdMIB 4 }

   --
   -- Textual Conventions
   --

   SpdBooleanOperator ::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
           "The SpdBooleanOperator operator is used to specify
           whether sub-components in a decision making process are
           ANDed or ORed together to decide if the resulting
           expression is true or false."
       SYNTAX INTEGER { or(1), and(2) }

   SpdAdminStatus ::= TEXTUAL-CONVENTION
       STATUS current
       DESCRIPTION
           "The SpdAdminStatus is used to specify the administrative
           status of an object.
           Objects which are disabled MUST NOT be used by the packet
           processing engine."
       SYNTAX INTEGER { enabled(1), disabled(2) }

   SpdIPPacketLogging ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "d"
       STATUS current
       DESCRIPTION
           "SpdIPPacketLogging specifies whether an audit message
           SHOULD be logged if a packet is passed through a Security
           Association (SA) and if some of that packet is included in
           the log event.  A value of '-1' indicates no logging.  A
           value of '0' or greater indicates that logging SHOULD be
           done and indicates the number of bytes starting at the
           beginning of the packet to place in the log.  Values greater
           than the size of the packet being processed indicate that
           the entire packet SHOULD be sent.

           Examples:
             '-1'  no logging
             '0'   log but do not include any of the packet in the log
             '20'  log and include the first 20 bytes of the packet
                   in the log."
       SYNTAX Integer32 (-1..65535)

   SpdTimePeriod ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "31t"
       STATUS current
       DESCRIPTION
           "This property identifies an overall range of calendar dates
           and time.  In a boolean context, a value within this time
           range, inclusive, is considered true.

           This information is encoded as an octet string using
           the UTF-8 transformation format described in STD 63,
           RFC3629.

           It uses the format suggested in RFC 3060.  An octet string
           represents a start date and time and an end date and time.
           For example:

               yyyymmddThhmmss/yyyymmddThhmmss

           Where:  yyyy = year   mm = month   dd = day
                   hh = hour     mm = minute  ss = second

           The first 'yyyymmddThhmmss' sub-string indicates the start
           date and time.  The second 'yyyymmddThhmmss' sub-string
           indicates the end date and time.  The character 'T' within
           these sub-strings indicates the beginning of the time
           portion of each sub-string.  The solidus character '/'
           separates the start from the end date and time.
           The end date and time MUST be subsequent to the start date
           and time.

           There are also two allowed substitutes for a
           'yyyymmddThhmmss' sub-string.  One for the start date and
           time and one for the end date and time.

           If the start date and time is replaced with the string
           'THISANDPRIOR', this sub-string would indicate the current
           date and time and the dates and times previous.

           If the end date and time is replaced with the string
           'THISANDFUTURE', this sub-string would indicate the current
           date and time and the dates and times subsequent.

           Any of the following SHOULD be considered a
           'wrongValue' error:
           - Setting a value with the end date and time earlier than
             or equal to the start date and time.
           - Setting the start date and time to 'THISANDFUTURE'.
           - Setting the end date and time to 'THISANDPRIOR'."
       REFERENCE "RFC 3060, 3269"
       SYNTAX OCTET STRING (SIZE (0..31))

   --
   -- Policy group definitions
   --

   spdLocalConfigObjects OBJECT IDENTIFIER
       ::= { spdConfigObjects 1 }

   spdIngressPolicyGroupName OBJECT-TYPE
       SYNTAX SnmpAdminString (SIZE(0..32))
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
           "This object indicates the global system policy group that
           is to be applied on ingress packets (i.e., arriving at an
           interface from a network) when a given endpoint does not
           contain a policy definition in the spdEndpointToGroupTable.
           Its value can be used as an index into the
           spdGroupContentsTable to retrieve a list of policies.  A
           zero length string indicates no system wide policy exists
           and the default policy of 'drop' SHOULD be executed for
           ingress packets until one is imposed by either this object
           or by the endpoint processing a given packet.
           This object MUST be persistent."
       DEFVAL { "" }
       ::= { spdLocalConfigObjects 1 }

   spdEgressPolicyGroupName OBJECT-TYPE
       SYNTAX SnmpAdminString (SIZE(0..32))
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
           "This object indicates the policy group containing the
           global system policy that is to be applied on egress
           packets (i.e., packets leaving an interface and entering a
           network) when a given endpoint does not contain a policy
           definition in the spdEndpointToGroupTable.  Its value can
           be used as an index into the spdGroupContentsTable to
           retrieve a list of policies.  A zero length string
           indicates no system wide policy exists and the default
           policy of 'drop' SHOULD be executed for egress packets
           until one is imposed by either this object or by the
           endpoint processing a given packet.

           This object MUST be persistent."
       DEFVAL { "" }
       ::= { spdLocalConfigObjects 2 }

   spdEndpointToGroupTable OBJECT-TYPE
       SYNTAX SEQUENCE OF SpdEndpointToGroupEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "This table maps policies (groupings) onto an endpoint
           (interface).  A policy group assigned to an endpoint is then
           used to control access to the network traffic passing
           through that endpoint.

           If an endpoint has been configured with a policy group and
           no rule within that policy group matches that packet, the
           default action in this case SHALL be to drop the packet.

           If no policy group has been assigned to an endpoint, then
           the policy group specified by spdIngressPolicyGroupName MUST
           be used on traffic inbound from the network through that
           endpoint and the policy group specified by
           spdEgressPolicyGroupName MUST be used for traffic outbound
           to the network through that endpoint."
       ::= { spdConfigObjects 2 }

   spdEndpointToGroupEntry OBJECT-TYPE
       SYNTAX SpdEndpointToGroupEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "A mapping assigning a policy group to an endpoint."
       INDEX { spdEndGroupDirection, spdEndGroupInterface }
       ::= { spdEndpointToGroupTable 1 }

   SpdEndpointToGroupEntry ::= SEQUENCE {
       spdEndGroupDirection      IfDirection,
       spdEndGroupInterface      InterfaceIndex,
       spdEndGroupName           SnmpAdminString,
       spdEndGroupLastChanged    TimeStamp,
       spdEndGroupStorageType    StorageType,
       spdEndGroupRowStatus      RowStatus
   }

   spdEndGroupDirection OBJECT-TYPE
       SYNTAX IfDirection
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "This object indicates which direction of packets crossing
           the interface are associated with which spdEndGroupName
           object.  Ingress packets, or packets into the device, match
           when this value is inbound(1).  Egress packets, or packets
           out of the device, match when this value is outbound(2)."
       ::= { spdEndpointToGroupEntry 1 }

   spdEndGroupInterface OBJECT-TYPE
       SYNTAX InterfaceIndex
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "This value matches the IF-MIB's ifTable's ifIndex column
           and indicates the interface associated with a given
           endpoint.  This object can be used to uniquely identify an
           endpoint that a set of policy groups are applied to."
       ::= { spdEndpointToGroupEntry 2 }

   spdEndGroupName OBJECT-TYPE
       SYNTAX SnmpAdminString (SIZE(1..32))
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "The policy group name to apply at this endpoint.  The
           value of the spdEndGroupName object is then used as an
           index into the spdGroupContentsTable to come up with a list
           of rules that MUST be applied at this endpoint."
       ::= { spdEndpointToGroupEntry 3 }

   spdEndGroupLastChanged OBJECT-TYPE
       SYNTAX TimeStamp
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The value of sysUpTime when this row was last modified
           or created either through SNMP SETs or by some other
           external means.

           If this row has not been modified since the last
           re-initialization of the network management subsystem, this
           object SHOULD have a zero value."
       ::= { spdEndpointToGroupEntry 4 }

   spdEndGroupStorageType OBJECT-TYPE
       SYNTAX StorageType
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "The storage type for this row.  Rows in this table which
           were created through an external process MAY have a storage
           type of readOnly or permanent.

           For a storage type of permanent, none of the columns have
           to be writable."
       DEFVAL { nonVolatile }
       ::= { spdEndpointToGroupEntry 5 }

   spdEndGroupRowStatus OBJECT-TYPE
       SYNTAX RowStatus
       MAX-ACCESS read-create
       STATUS current
       DESCRIPTION
           "This object indicates the conceptual status of this row.

           The value of this object has no effect on whether other
           objects in this conceptual row can be modified.

           This object is considered 'notReady' and MUST NOT be set to
           active until one or more active rows exist within the
           spdGroupContentsTable for the group referenced by the
           spdEndGroupName object."
       ::= { spdEndpointToGroupEntry 6 }

   --
   -- policy group definition table
   --

   spdGroupContentsTable OBJECT-TYPE
       SYNTAX SEQUENCE OF SpdGroupContentsEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "This table contains a list of rules and/or subgroups
           contained within a given policy group.  For a given value
           of spdGroupContName, the set of rows sharing that value
           forms a 'group'.  The rows in a group MUST be processed
           according to the value of the spdGroupContPriority object
           in each row.
           The processing MUST be executed starting with
           the lowest value of spdGroupContPriority and in ascending
           order thereafter.

           If an action is executed as the result of the processing of
           a row in a group, the processing of further rows in that
           group MUST stop.  Iterating to the next policy group row by
           finding the next largest spdGroupContPriority object SHALL
           only be done if no actions were run while processing the
           current row for a given packet."
       ::= { spdConfigObjects 3 }

   spdGroupContentsEntry OBJECT-TYPE
       SYNTAX SpdGroupContentsEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "Defines a given sub-component within a policy group.  A
           sub-component is either a rule or another group as
           indicated by spdGroupContComponentType and referenced by
           spdGroupContComponentName."
       INDEX { spdGroupContName, spdGroupContPriority }
       ::= { spdGroupContentsTable 1 }

   SpdGroupContentsEntry ::= SEQUENCE {
       spdGroupContName           SnmpAdminString,
       spdGroupContPriority       Integer32,
       spdGroupContFilter         VariablePointer,
       spdGroupContComponentType  INTEGER,
       spdGroupContComponentName  SnmpAdminString,
       spdGroupContLastChanged    TimeStamp,
       spdGroupContStorageType    StorageType,
       spdGroupContRowStatus      RowStatus
   }

   spdGroupContName OBJECT-TYPE
       SYNTAX SnmpAdminString (SIZE(1..32))
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "The administrative name of the group associated with this
           row.  A 'group' is formed by all the rows in this table that
           have the same value of this object."
       ::= { spdGroupContentsEntry 1 }

   spdGroupContPriority OBJECT-TYPE
       SYNTAX Integer32 (0..65535)
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "The priority (sequence number) of the sub-component in
           a group that this row represents.  This value indicates
           the order that each row of this table MUST be processed
           from low to high.
        For example, a row with a priority of 0
        is processed before a row with a priority of 1, a 1 before
        a 2, etc."
    ::= { spdGroupContentsEntry 2 }

spdGroupContFilter OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "spdGroupContFilter points to a filter which is evaluated
        to determine whether the spdGroupContComponentName within
        this row is exercised. Managers can use this object to
        classify groups of rules or subgroups together in order to
        achieve a greater degree of control and optimization over
        the execution order of the items within the group. If the
        filter evaluates to false, the rule or subgroup will be
        skipped and the next rule or subgroup will be evaluated
        instead. This value can be used to indicate a scalar or a
        row in a table. When indicating a row in a table, this
        value MUST point to the first column instance in that row.

        An example usage of this object would be to limit a
        group of rules to executing only when the IP packet
        being processed is designated to be processed by IKE.
        This effectively creates a group of IKE specific rules.

        The following tables and scalars can be pointed to by this
        column. All but diffServMultiFieldClfrTable are defined in
        this MIB:

            diffServMultiFieldClfrTable
            spdIpOffsetFilterTable
            spdTimeFilterTable
            spdCompoundFilterTable
            spdTrueFilter
            spdIpsoHeaderFilterTable

        Implementations MAY choose to provide support for other
        filter tables or scalars.

        If this column is set to a VariablePointer value which
        references a non-existent row in an otherwise supported
        table, the inconsistentName exception MUST be returned. If
        the table or scalar pointed to by the VariablePointer is
        not supported at all, then an inconsistentValue exception
        MUST be returned.
        If during packet processing, a row in this table is applied
        to a packet and the value of this column in that row
        references a non-existent or non-supported object, the
        packet MUST be dropped."
    REFERENCE "RFC 3289"
    DEFVAL { spdTrueFilterInstance }
    ::= { spdGroupContentsEntry 3 }

spdGroupContComponentType OBJECT-TYPE
    SYNTAX      INTEGER { group(1), rule(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Indicates whether the spdGroupContComponentName object
        is the name of another group defined within the
        spdGroupContentsTable or is the name of a rule defined
        within the spdRuleDefinitionTable."
    DEFVAL { rule }
    ::= { spdGroupContentsEntry 4 }

spdGroupContComponentName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The name of the policy rule or subgroup contained within
        this row, as indicated by the spdGroupContComponentType
        object."
    ::= { spdGroupContentsEntry 5 }

spdGroupContLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified
        or created either through SNMP SETs or by some other
        external means.

        If this row has not been modified since the last
        re-initialization of the network management subsystem,
        this object SHOULD have a zero value."
    ::= { spdGroupContentsEntry 6 }

spdGroupContStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { spdGroupContentsEntry 7 }

spdGroupContRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        This object MUST NOT be set to active until the row to
        which spdGroupContComponentName points exists and is
        active.

        If active, this object MUST remain active unless one of the
        following two conditions is met:

        I.  No active row in spdEndpointToGroupTable exists which
            references this row's group (i.e., indicates this row's
            spdGroupContName).
        II. Or at least one other active row in this table has a
            matching spdGroupContName.

        If neither condition is met, an attempt to set this row to
        something other than active MUST result in an
        inconsistentValue error."
    ::= { spdGroupContentsEntry 8 }

--
-- policy definition table
--

spdRuleDefinitionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SpdRuleDefinitionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table defines a rule by associating a filter
        or a set of filters to an action to be executed."
    ::= { spdConfigObjects 4 }

spdRuleDefinitionEntry OBJECT-TYPE
    SYNTAX      SpdRuleDefinitionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row defining a particular rule definition. A rule
        definition binds a filter pointer to an action pointer."
    INDEX { spdRuleDefName }
    ::= { spdRuleDefinitionTable 1 }

SpdRuleDefinitionEntry ::= SEQUENCE {
    spdRuleDefName           SnmpAdminString,
    spdRuleDefDescription    SnmpAdminString,
    spdRuleDefFilter         VariablePointer,
    spdRuleDefFilterNegated  TruthValue,
    spdRuleDefAction         VariablePointer,
    spdRuleDefAdminStatus    SpdAdminStatus,
    spdRuleDefLastChanged    TimeStamp,
    spdRuleDefStorageType    StorageType,
    spdRuleDefRowStatus      RowStatus
}

spdRuleDefName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "spdRuleDefName is the administratively assigned name of
        the rule referred to by the spdGroupContComponentName
        object."
    ::= { spdRuleDefinitionEntry 1 }

spdRuleDefDescription OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "A user defined string. This field MAY be used for
        administrative tracking purposes."
    DEFVAL { "" }
    ::= { spdRuleDefinitionEntry 2 }

spdRuleDefFilter OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "spdRuleDefFilter points to a filter which is used to
        evaluate whether the action associated with this row is
        executed or not. The action will only execute if the
        filter referenced by this object evaluates to TRUE after
        first applying any negation required by the
        spdRuleDefFilterNegated object.

        The following tables and scalars can be pointed to by this
        column. All but diffServMultiFieldClfrTable are defined in
        this MIB.
        Implementations MAY choose to provide support
        for other filter tables or scalars as well:

            diffServMultiFieldClfrTable
            spdIpOffsetFilterTable
            spdTimeFilterTable
            spdCompoundFilterTable
            spdTrueFilter

        If this column is set to a VariablePointer value which
        references a non-existent row in an otherwise supported
        table, the inconsistentName exception MUST be returned. If
        the table or scalar pointed to by the VariablePointer is
        not supported at all, then an inconsistentValue exception
        MUST be returned.

        If during packet processing this column has a value that
        references a non-existent or non-supported object, the
        packet MUST be dropped."
    REFERENCE "RFC 3289"
    ::= { spdRuleDefinitionEntry 3 }

spdRuleDefFilterNegated OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "spdRuleDefFilterNegated specifies whether the result of
        the filter referenced by the spdRuleDefFilter object is
        negated or not."
    DEFVAL { false }
    ::= { spdRuleDefinitionEntry 4 }

spdRuleDefAction OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This column points to the action to be taken. It MAY,
        but is not limited to, point to a row in one of the
        following tables:

            spdCompoundActionTable
            ipsaSaPreconfiguredActionTable
            ipiaIkeActionTable
            ipiaIpsecActionTable

        It MAY also point to one of the scalar objects beneath
        spdStaticActions.

        If this object is set to a pointer to a row in an
        unsupported (or unknown) table, an inconsistentValue
        error MUST be returned.

        If this object is set to point to a non-existent row in an
        otherwise supported table, an inconsistentName error MUST
        be returned.
        If during packet processing this column has a value that
        references a non-existent or non-supported object, the
        packet MUST be dropped."
    ::= { spdRuleDefinitionEntry 5 }

spdRuleDefAdminStatus OBJECT-TYPE
    SYNTAX      SpdAdminStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Indicates whether the current rule definition is considered
        active. If the value is enabled the rule MUST be evaluated
        when processing packets. If the value is disabled, the
        packet processing MUST continue as if this rule's filter
        had effectively failed."
    DEFVAL { enabled }
    ::= { spdRuleDefinitionEntry 6 }

spdRuleDefLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified
        or created either through SNMP SETs or by some other
        external means.

        If this row has not been modified since the last
        re-initialization of the network management subsystem, this
        object SHOULD have a zero value."
    ::= { spdRuleDefinitionEntry 7 }

spdRuleDefStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process MAY have a
        storage type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { spdRuleDefinitionEntry 8 }

spdRuleDefRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        This object MUST NOT be set to active until the containing
        conditions, filters and actions have been defined.
        Once
        active, it MUST remain active until no active
        spdGroupContentsTable entries are referencing it. A failed
        attempt to do so MUST return an inconsistentValue error."
    ::= { spdRuleDefinitionEntry 9 }

--
-- Policy compound filter definition table
--

spdCompoundFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SpdCompoundFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table defining compound filters and their associated
        parameters. A row in this table can be pointed to by a
        spdRuleDefFilter object."
    ::= { spdConfigObjects 5 }

spdCompoundFilterEntry OBJECT-TYPE
    SYNTAX      SpdCompoundFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry in the spdCompoundFilterTable. Each entry in this
        table represents a compound filter. A filter defined by
        this table is considered to have a TRUE return value if and
        only if:

        spdCompFiltLogicType is AND and all of the sub-filters
        associated with it, as defined in the spdSubfiltersTable,
        are all true themselves (after applying any required
        negation as defined by the spdSubFiltSubfilterIsNegated
        object).

        spdCompFiltLogicType is OR and at least one of the
        sub-filters associated with it, as defined in the
        spdSubfiltersTable, is true itself (after applying any
        required negation as defined by the
        spdSubFiltSubfilterIsNegated object)."
    INDEX { spdCompFiltName }
    ::= { spdCompoundFilterTable 1 }

SpdCompoundFilterEntry ::= SEQUENCE {
    spdCompFiltName         SnmpAdminString,
    spdCompFiltDescription  SnmpAdminString,
    spdCompFiltLogicType    SpdBooleanOperator,
    spdCompFiltLastChanged  TimeStamp,
    spdCompFiltStorageType  StorageType,
    spdCompFiltRowStatus    RowStatus
}

spdCompFiltName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A user definable string.
        This value is used as an index
        into this table."
    ::= { spdCompoundFilterEntry 1 }

spdCompFiltDescription OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "A user definable string. This field MAY be used for
        administrative tracking purposes."
    DEFVAL { "" }
    ::= { spdCompoundFilterEntry 2 }

spdCompFiltLogicType OBJECT-TYPE
    SYNTAX      SpdBooleanOperator
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Indicates whether the sub-component filters of this
        compound filter are functionally ANDed or ORed together."
    DEFVAL { and }
    ::= { spdCompoundFilterEntry 3 }

spdCompFiltLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified
        or created either through SNMP SETs or by some other
        external means.

        If this row has not been modified since the last
        re-initialization of the network management subsystem, this
        object SHOULD have a zero value."
    ::= { spdCompoundFilterEntry 4 }

spdCompFiltStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process MAY have a
        storage type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { spdCompoundFilterEntry 5 }

spdCompFiltRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.
        Once active, it MUST NOT have its value changed if any
        active rows in the spdRuleDefinitionTable are currently
        pointing at this row."
    ::= { spdCompoundFilterEntry 6 }

--
-- Policy filters in a compound filter table
--

spdSubfiltersTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SpdSubfiltersEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table defines a list of filters contained within a
        given compound filter defined in the
        spdCompoundFilterTable."
    ::= { spdConfigObjects 6 }

spdSubfiltersEntry OBJECT-TYPE
    SYNTAX      SpdSubfiltersEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry in the spdSubfiltersTable. There is an entry in
        this table for each subfilter of all compound filters
        present in the spdCompoundFilterTable."
    INDEX { spdCompFiltName, spdSubFiltPriority }
    ::= { spdSubfiltersTable 1 }

SpdSubfiltersEntry ::= SEQUENCE {
    spdSubFiltPriority            Integer32,
    spdSubFiltSubfilter           VariablePointer,
    spdSubFiltSubfilterIsNegated  TruthValue,
    spdSubFiltLastChanged         TimeStamp,
    spdSubFiltStorageType         StorageType,
    spdSubFiltRowStatus           RowStatus
}

spdSubFiltPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The priority of a given filter within a compound filter.
        The order of execution is from lowest to highest priority
        value (i.e., priority 0 before priority 1, 1 before 2,
        etc.). Implementations MAY choose to follow this ordering
        as set by the manager that created the rows. This can allow
        a manager to intelligently construct filter lists such that
        faster filters are evaluated first."
    ::= { spdSubfiltersEntry 1 }

spdSubFiltSubfilter OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The OID of the contained filter.
        The value of this
        object is a VariablePointer which references the filter to
        be included in this compound filter.

        The following tables and scalars can be pointed to by this
        column. All but diffServMultiFieldClfrTable are defined in
        this MIB. Implementations MAY choose to provide support
        for other filter tables or scalars as well:

            diffServMultiFieldClfrTable
            spdIpsoHeaderFilterTable
            spdIpOffsetFilterTable
            spdTimeFilterTable
            spdCompoundFilterTable
            spdTrueFilter

        If this column is set to a VariablePointer value which
        references a non-existent row in an otherwise supported
        table, the inconsistentName exception MUST be returned. If
        the table or scalar pointed to by the VariablePointer is
        not supported at all, then an inconsistentValue exception
        MUST be returned.

        If during packet processing this column has a value that
        references a non-existent or non-supported object, the
        packet MUST be dropped."
    REFERENCE "RFC 3289"
    ::= { spdSubfiltersEntry 2 }

spdSubFiltSubfilterIsNegated OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Indicates whether the result of applying this subfilter
        is negated or not."
    DEFVAL { false }
    ::= { spdSubfiltersEntry 3 }

spdSubFiltLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified
        or created either through SNMP SETs or by some other
        external means.

        If this row has not been modified since the last
        re-initialization of the network management subsystem, this
        object SHOULD have a zero value."
    ::= { spdSubfiltersEntry 4 }

spdSubFiltStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.
        Rows in this table which
        were created through an external process MAY have a
        storage type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { spdSubfiltersEntry 5 }

spdSubFiltRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        This object cannot be made active until the filter
        referenced by the spdSubFiltSubfilter object is both
        defined and active. An attempt to do so MUST result in
        an inconsistentValue error.

        If active, this object MUST remain active unless one of the
        following two conditions is met:

        I.  No active row in the spdCompoundFilterTable exists
            which has a matching spdCompFiltName.
        II. Or at least one other active row in this table has a
            matching spdCompFiltName.

        If neither condition is met, an attempt to set this row to
        something other than active MUST result in an
        inconsistentValue error."
    ::= { spdSubfiltersEntry 6 }

--
-- Static Filters
--

spdStaticFilters OBJECT IDENTIFIER ::= { spdConfigObjects 7 }

spdTrueFilter OBJECT-TYPE
    SYNTAX      Integer32 (1)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates an (automatic) true result for
        a filter. I.e., this is a filter that is always
        true, useful for adding as a default filter for a
        default action or a set of actions."
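The processing rules spread over spdGroupContentsTable (ascending spdGroupContPriority, the spdGroupContFilter gate, stop once an action runs), spdRuleDefinitionTable (spdRuleDefFilterNegated, spdRuleDefAdminStatus), spdCompoundFilterTable with its spdSubfiltersTable rows (priority-ordered sub-filters, per-sub-filter negation, AND/OR) and spdTrueFilter are easier to see in one piece. The following is an added example, not code from this draft or from any SPD implementation: it models those tables as plain Python objects and walks them for a constructed packet. The leaf filters ("isIke", "isEsp", "fromPeer"), the rule, group and action names, the packet builder and the 198.51.100.0/24 addresses are all constructed for the illustration; a real agent would resolve the VariablePointer columns to rows of the filter and action tables instead of to Python callables.

```python
# Added example (not from draft-ietf-ipsp-spd-mib): a model of SPD group, rule
# and compound-filter evaluation for one packet.  Names and packets are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

Leaf = Callable[[bytes], bool]      # stand-in for a row of any leaf filter table


class Drop(Exception):
    """A pointer references a missing object: the packet MUST be dropped."""


@dataclass
class CompoundFilter:                        # spdCompoundFilterEntry + spdSubfiltersTable rows
    logic: str                               # spdCompFiltLogicType: "and" or "or"
    subfilters: List[Tuple[int, str, bool]]  # (spdSubFiltPriority, filter name, IsNegated)


@dataclass
class Rule:                          # spdRuleDefinitionEntry
    filter_name: str                 # spdRuleDefFilter
    action: str                      # spdRuleDefAction (just a label in this model)
    negated: bool = False            # spdRuleDefFilterNegated
    enabled: bool = True             # spdRuleDefAdminStatus


@dataclass
class GroupRow:                      # spdGroupContentsEntry
    priority: int                    # spdGroupContPriority
    filter_name: str                 # spdGroupContFilter
    component_type: str              # spdGroupContComponentType: "rule" or "group"
    component_name: str              # spdGroupContComponentName


class Spd:
    def __init__(self) -> None:
        self.filters: Dict[str, Union[Leaf, CompoundFilter]] = {
            "spdTrueFilter": lambda _p: True}        # the static always-true filter
        self.rules: Dict[str, Rule] = {}
        self.groups: Dict[str, List[GroupRow]] = {}

    def eval_filter(self, name: str, pkt: bytes) -> bool:
        f = self.filters.get(name)
        if f is None:
            raise Drop(f"filter {name!r} is not defined")
        if isinstance(f, CompoundFilter):
            # sub-filters run in spdSubFiltPriority order; each result is negated per
            # spdSubFiltSubfilterIsNegated, then all are ANDed or ORed together
            results = [self.eval_filter(sub, pkt) != neg
                       for _prio, sub, neg in sorted(f.subfilters)]
            return all(results) if f.logic == "and" else any(results)
        return f(pkt)

    def apply_rule(self, name: str, pkt: bytes) -> Optional[str]:
        rule = self.rules.get(name)
        if rule is None:
            raise Drop(f"rule {name!r} is not defined")
        if not rule.enabled:             # disabled: behave as if the rule's filter failed
            return None
        return rule.action if self.eval_filter(rule.filter_name, pkt) != rule.negated else None

    def process_group(self, group: str, pkt: bytes) -> Optional[str]:
        rows = self.groups.get(group)
        if rows is None:
            raise Drop(f"group {group!r} is not defined")
        for row in sorted(rows, key=lambda r: r.priority):   # lowest priority value first
            if not self.eval_filter(row.filter_name, pkt):
                continue                 # spdGroupContFilter is false: skip this row
            action = (self.process_group(row.component_name, pkt)
                      if row.component_type == "group"
                      else self.apply_rule(row.component_name, pkt))
            if action is not None:
                return action            # an action ran: stop processing this group
        return None                      # nothing ran here; the caller keeps iterating


def ipv4_packet(proto: int, src: bytes, dport: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header plus an 8-byte transport header (ports only)."""
    hdr = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, proto, 0, 0]) + src + bytes([198, 51, 100, 1])
    return hdr + bytes(2) + dport.to_bytes(2, "big") + bytes(4)


PEER = bytes([198, 51, 100, 2])      # constructed peer address (RFC 5737 documentation range)


def build_policy() -> Spd:
    """Constructed SPD: an IKE-only subgroup, a disabled audit rule, ESP accept, default discard."""
    spd = Spd()
    spd.filters["isIke"] = lambda p: p[9] == 17 and int.from_bytes(p[22:24], "big") == 500
    spd.filters["isEsp"] = lambda p: p[9] == 50
    spd.filters["fromPeer"] = lambda p: p[12:16] == PEER
    spd.filters["ikeFromPeer"] = CompoundFilter("and", [(0, "isIke", False), (1, "fromPeer", False)])
    spd.rules["allowIke"] = Rule("ikeFromPeer", "bypass-ike")
    spd.rules["allowEsp"] = Rule("isEsp", "apply-esp")
    spd.rules["auditAll"] = Rule("spdTrueFilter", "audit", enabled=False)
    spd.rules["dropAll"] = Rule("spdTrueFilter", "discard")
    spd.groups["ikeGroup"] = [GroupRow(0, "spdTrueFilter", "rule", "allowIke")]
    spd.groups["inbound"] = [GroupRow(0, "isIke", "group", "ikeGroup"),   # subgroup gated by filter
                             GroupRow(5, "spdTrueFilter", "rule", "auditAll"),
                             GroupRow(10, "spdTrueFilter", "rule", "allowEsp"),
                             GroupRow(20, "spdTrueFilter", "rule", "dropAll")]
    return spd


def decide(spd: Spd, pkt: bytes) -> str:
    """First action that runs for pkt, 'no-action', or 'dropped' when a pointer dangles."""
    try:
        return spd.process_group("inbound", pkt) or "no-action"
    except Drop:
        return "dropped"
```

Two behaviours worth noting: an IKE packet from an address other than PEER enters ikeGroup (the group-row filter is true), runs no action there because the compound filter fails, and so falls through to the later rows of "inbound" until dropAll fires; and deleting a filter that an active rule still points to turns every packet reaching that rule into a drop, which is exactly why the RowStatus descriptions forbid deactivating referenced rows.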
    ::= { spdStaticFilters 1 }

spdTrueFilterInstance OBJECT IDENTIFIER ::= { spdTrueFilter 0 }

--
-- Policy IP Offset filter definition table
--

spdIpOffsetFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SpdIpOffsetFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains a list of filter definitions to be
        used within the spdRuleDefinitionTable or the
        spdSubfiltersTable.

        This type of filter is used to compare an administrator
        specified octet string to the octets at a particular
        location in a packet."
    ::= { spdConfigObjects 8 }

spdIpOffsetFilterEntry OBJECT-TYPE
    SYNTAX      SpdIpOffsetFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A definition of a particular filter."
    INDEX { spdIpOffFiltName }
    ::= { spdIpOffsetFilterTable 1 }

SpdIpOffsetFilterEntry ::= SEQUENCE {
    spdIpOffFiltName         SnmpAdminString,
    spdIpOffFiltOffset       Unsigned32,
    spdIpOffFiltType         INTEGER,
    spdIpOffFiltValue        OCTET STRING,
    spdIpOffFiltLastChanged  TimeStamp,
    spdIpOffFiltStorageType  StorageType,
    spdIpOffFiltRowStatus    RowStatus
}

spdIpOffFiltName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The administrative name for this filter."
    ::= { spdIpOffsetFilterEntry 1 }

spdIpOffFiltOffset OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This is the byte offset from the front of the entire IP
        packet where the value or arithmetic comparison is done. A
        value of '0' indicates the first byte of the packet header.
        If this value is greater than the length of the packet, the
        filter represented by this row should be considered to
        fail."
    ::= { spdIpOffsetFilterEntry 2 }

spdIpOffFiltType OBJECT-TYPE
    SYNTAX      INTEGER { equal(1),
                          notEqual(2),
                          arithmeticLess(3),
                          arithmeticGreaterOrEqual(4),
                          arithmeticGreater(5),
                          arithmeticLessOrEqual(6) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This defines the various tests that are used when
        evaluating a given filter.

        The various tests definable in this table are as follows:

        equal:
          - Tests if the OCTET STRING, 'spdIpOffFiltValue', matches
            a value in the packet starting at the given offset in
            the packet and comparing the entire OCTET STRING of
            'spdIpOffFiltValue'. Any values compared this way are
            assumed to be unsigned integer values in network byte
            order of the same length as 'spdIpOffFiltValue'.

        notEqual:
          - Tests if the OCTET STRING, 'spdIpOffFiltValue', does
            not match a value in the packet starting at the given
            offset in the packet and comparing to the entire OCTET
            STRING of 'spdIpOffFiltValue'. Any values compared
            this way are assumed to be unsigned integer values in
            network byte order of the same length as
            'spdIpOffFiltValue'.

        arithmeticLess:
          - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
            arithmetically less than ('<') the value starting at
            the given offset within the packet. The value in the
            packet is assumed to be an unsigned integer in network
            byte order of the same length as 'spdIpOffFiltValue'.

        arithmeticGreaterOrEqual:
          - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
            arithmetically greater than or equal to ('>=') the
            value starting at the given offset within the packet.
            The value in the packet is assumed to be an unsigned
            integer in network byte order of the same length as
            'spdIpOffFiltValue'.
        arithmeticGreater:
          - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
            arithmetically greater than ('>') the value starting at
            the given offset within the packet. The value in the
            packet is assumed to be an unsigned integer in network
            byte order of the same length as 'spdIpOffFiltValue'.

        arithmeticLessOrEqual:
          - Tests if the OCTET STRING, 'spdIpOffFiltValue', is
            arithmetically less than or equal to ('<=') the value
            starting at the given offset within the packet. The
            value in the packet is assumed to be an unsigned
            integer in network byte order of the same length as
            'spdIpOffFiltValue'."
    ::= { spdIpOffsetFilterEntry 3 }

spdIpOffFiltValue OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..1024))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "spdIpOffFiltValue is used for match comparisons of a
        packet at spdIpOffFiltOffset."
    ::= { spdIpOffsetFilterEntry 4 }

spdIpOffFiltLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified
        or created either through SNMP SETs or by some other
        external means.

        If this row has not been modified since the last
        re-initialization of the network management subsystem, this
        object SHOULD have a zero value."
    ::= { spdIpOffsetFilterEntry 5 }

spdIpOffFiltStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process MAY have a
        storage type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
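The six spdIpOffFiltType tests, the network-byte-order unsigned comparison of spdIpOffFiltValue against the packet, and the "offset past the end of the packet fails" rule of spdIpOffFiltOffset can be checked against a concrete packet. The following is an added example and not code from this draft: it evaluates one spdIpOffsetFilterTable row against a raw IP packet. The 28-byte IPv4/UDP packet, its addresses (RFC 5737 documentation space) and the filter rows are constructed. One generalisation beyond the text is labelled in the code: a comparison that would read past the end of the packet (offset within the packet, but fewer than len(spdIpOffFiltValue) octets remaining) is treated as a failed filter too, since the description requires the compared spans to be the same length.

```python
# Added example (not from draft-ietf-ipsp-spd-mib): evaluation of one
# spdIpOffsetFilterTable row against a raw IP packet.  Sample data is constructed.
from dataclasses import dataclass

# spdIpOffFiltType enumeration values as given in the MIB
EQUAL, NOT_EQUAL, ARITH_LESS, ARITH_GE, ARITH_GREATER, ARITH_LE = 1, 2, 3, 4, 5, 6


@dataclass(frozen=True)
class IpOffsetFilter:        # one spdIpOffsetFilterEntry row (name omitted)
    offset: int              # spdIpOffFiltOffset: byte offset from the start of the IP packet
    ftype: int               # spdIpOffFiltType
    value: bytes             # spdIpOffFiltValue, 1..1024 octets

    def validate(self) -> None:
        """SET-time checks mirroring the SYNTAX ranges; a real agent returns wrongValue."""
        if not 0 <= self.offset <= 65535:
            raise ValueError("spdIpOffFiltOffset out of range")
        if not 1 <= len(self.value) <= 1024:
            raise ValueError("spdIpOffFiltValue must be 1..1024 octets")
        if self.ftype not in (EQUAL, NOT_EQUAL, ARITH_LESS, ARITH_GE, ARITH_GREATER, ARITH_LE):
            raise ValueError("unknown spdIpOffFiltType")


def evaluate(f: IpOffsetFilter, packet: bytes) -> bool:
    """True if the filter row matches the packet, per the spdIpOffFiltType description."""
    end = f.offset + len(f.value)
    # offset beyond the packet fails per spdIpOffFiltOffset; an assumption here extends
    # that to a span that would run past the end, so both sides always have equal length
    if f.offset > len(packet) or end > len(packet):
        return False
    field = packet[f.offset:end]
    if f.ftype == EQUAL:
        return field == f.value
    if f.ftype == NOT_EQUAL:
        return field != f.value
    # arithmetic tests: both sides are unsigned integers in network byte order,
    # and the test reads "spdIpOffFiltValue <op> value in packet"
    filt, pkt = int.from_bytes(f.value, "big"), int.from_bytes(field, "big")
    if f.ftype == ARITH_LESS:
        return filt < pkt
    if f.ftype == ARITH_GE:
        return filt >= pkt
    if f.ftype == ARITH_GREATER:
        return filt > pkt
    if f.ftype == ARITH_LE:
        return filt <= pkt
    raise ValueError("unknown spdIpOffFiltType")


# Constructed IPv4 header + UDP header (28 bytes); checksums left at zero.
SAMPLE_PACKET = bytes([
    0x45, 0x00, 0x00, 0x1c,   # version/IHL, TOS, total length 28
    0x00, 0x00, 0x00, 0x00,   # identification, flags/fragment offset
    0x80, 0x11, 0x00, 0x00,   # TTL 128, protocol 17 (UDP), header checksum
    198, 51, 100, 2,          # source 198.51.100.2
    198, 51, 100, 1,          # destination 198.51.100.1
    0x01, 0xf4, 0x01, 0xf4,   # UDP source port 500, destination port 500
    0x00, 0x08, 0x00, 0x00,   # UDP length 8, checksum
])

# Constructed filter rows: protocol, source /24 prefix, destination port, TTL bound.
IS_UDP = IpOffsetFilter(9, EQUAL, b"\x11")
SRC_IN_DOC_NET = IpOffsetFilter(12, EQUAL, bytes([198, 51, 100]))   # first 3 octets of src
DPORT_500 = IpOffsetFilter(22, EQUAL, (500).to_bytes(2, "big"))
TTL_ABOVE_64 = IpOffsetFilter(8, ARITH_LESS, b"\x40")               # 64 < TTL in packet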
    DEFVAL { nonVolatile }
    ::= { spdIpOffsetFilterEntry 6 }

spdIpOffFiltRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        If active, this object MUST remain active if it is
        referenced by an active row in another table. An attempt
        to set it to anything other than active while it is
        referenced by an active row in another table MUST result in
        an inconsistentValue error."
    ::= { spdIpOffsetFilterEntry 7 }

--
-- Time/scheduling filter table
--

spdTimeFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SpdTimeFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Defines a table of filters which can be used to
        effectively enable or disable policies based on a valid
        time range."
    ::= { spdConfigObjects 9 }

spdTimeFilterEntry OBJECT-TYPE
    SYNTAX      SpdTimeFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row describing a given time frame for which a policy
        is filtered on to activate or deactivate the rule.

        If all the column objects in a row are true for the current
        time, the row evaluates as 'true'. More explicitly, the
        time matching column objects in a row MUST be logically
        ANDed together to form the boolean true/false for the row."
    INDEX { spdTimeFiltName }
    ::= { spdTimeFilterTable 1 }

SpdTimeFilterEntry ::= SEQUENCE {
    spdTimeFiltName             SnmpAdminString,
    spdTimeFiltPeriod           SpdTimePeriod,
    spdTimeFiltMonthOfYearMask  BITS,
    spdTimeFiltDayOfMonthMask   OCTET STRING,
    spdTimeFiltDayOfWeekMask    BITS,
    spdTimeFiltTimeOfDayMask    SpdTimePeriod,
    spdTimeFiltLastChanged      TimeStamp,
    spdTimeFiltStorageType      StorageType,
    spdTimeFiltRowStatus        RowStatus
}

spdTimeFiltName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An administratively assigned name for this filter."
    ::= { spdTimeFilterEntry 1 }

spdTimeFiltPeriod OBJECT-TYPE
    SYNTAX      SpdTimePeriod
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The valid time period for this filter. This column is
        considered 'true' if the current time is within the range of
        this object."
    DEFVAL { "THISANDPRIOR/THISANDFUTURE" }
    ::= { spdTimeFilterEntry 2 }

spdTimeFiltMonthOfYearMask OBJECT-TYPE
    SYNTAX      BITS { january(0), february(1), march(2),
                       april(3), may(4), june(5), july(6),
                       august(7), september(8), october(9),
                       november(10), december(11) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "A bit mask which indicates acceptable months of the year.
        This column evaluates to 'true' if the current month's bit
        is set."
    DEFVAL { { january, february, march, april, may, june, july,
               august, september, october, november, december } }
    ::= { spdTimeFilterEntry 3 }

spdTimeFiltDayOfMonthMask OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(8))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Defines which days of the month the current time is
        valid for. It is a sequence of 64 BITS, where each BIT
        represents a corresponding day of the month in forward or
        reverse order.
        Starting from the left most bit, the first
        31 bits identify the day of the month counting from the
        beginning of the month. The following 31 bits (bits 32-62)
        indicate the day of the month counting from the end of the
        month. For months with fewer than 31 days, the bits that
        correspond to the non-existing days of that month are
        ignored (e.g., for non-leap year Februarys, bits 29-31 and
        60-62 are ignored).

        This column evaluates to 'true' if the current day of the
        month's bit is set.

        For example, a value of 0X'80 00 00 01 00 00 00 00'
        indicates that this column evaluates to true on the first
        and last days of the month.

        The last two bits in the string MUST be zero."
    DEFVAL { 'fffffffffffffffe'H }
    ::= { spdTimeFilterEntry 4 }

spdTimeFiltDayOfWeekMask OBJECT-TYPE
    SYNTAX      BITS { sunday(0), monday(1), tuesday(2),
                       wednesday(3), thursday(4), friday(5),
                       saturday(6) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "A bit mask which defines which days of the week the current
        time is valid for. This column evaluates to 'true' if the
        current day of the week's bit is set."
    DEFVAL { { monday, tuesday, wednesday, thursday, friday,
               saturday, sunday } }
    ::= { spdTimeFilterEntry 5 }

spdTimeFiltTimeOfDayMask OBJECT-TYPE
    SYNTAX      SpdTimePeriod
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Indicates the start and end time of day for which this
        filter evaluates to true. The date portions of the
        SpdTimePeriod TC are ignored for purposes of evaluating this
        mask and only the time specific portions are used.

        This column evaluates to 'true' if the current time of day
        is within the range of the start and end times of day
        indicated by this object."
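The spdTimeFiltDayOfMonthMask layout (31 forward bits, 31 reverse bits, two trailing zero bits, non-existent days ignored) is the part of the time filter most likely to be implemented wrongly, so the following added example, which is not code from this draft, evaluates that mask together with the spdTimeFiltMonthOfYearMask and spdTimeFiltDayOfWeekMask BITS columns and ANDs them as spdTimeFilterEntry requires. Bit numbering follows SMIv2 BITS encoding (bit 0 is the high-order bit of the first octet), which is also the "leftmost bit first" counting used by the day-of-month description. The spdTimeFiltPeriod and spdTimeFiltTimeOfDayMask columns are left out because the SpdTimePeriod textual convention is defined elsewhere in the document; the mask values and dates below are constructed.

```python
# Added example (not from draft-ietf-ipsp-spd-mib): evaluating the month,
# day-of-month and day-of-week masks of an spdTimeFilterEntry for a given date.
import calendar
from datetime import date


def bit_is_set(octets: bytes, n: int) -> bool:
    """SMIv2 BITS / leftmost-first numbering: bit 0 is the high-order bit of octet 0."""
    return n // 8 < len(octets) and bool(octets[n // 8] & (0x80 >> (n % 8)))


def day_of_month_matches(mask: bytes, when: date) -> bool:
    """spdTimeFiltDayOfMonthMask: bits 1-31 count from the start of the month,
    bits 32-62 from its end (bit 32 = last day); bits for days the month does
    not have are never consulted, and bits 63-64 are ignored."""
    if len(mask) != 8:
        raise ValueError("spdTimeFiltDayOfMonthMask must be exactly 8 octets")
    days_in_month = calendar.monthrange(when.year, when.month)[1]
    forward_bit = when.day                                  # 1-based, as the text counts
    reverse_bit = 31 + (days_in_month - when.day + 1)       # last day -> bit 32
    return bit_is_set(mask, forward_bit - 1) or bit_is_set(mask, reverse_bit - 1)


def time_filter_matches(month_mask: bytes, dom_mask: bytes, dow_mask: bytes,
                        when: date) -> bool:
    """Logical AND of the three date-mask columns, as spdTimeFilterEntry requires."""
    month_ok = bit_is_set(month_mask, when.month - 1)        # january(0) .. december(11)
    # spdTimeFiltDayOfWeekMask numbers sunday(0) .. saturday(6); date.weekday() has Monday == 0
    dow_ok = bit_is_set(dow_mask, (when.weekday() + 1) % 7)
    return month_ok and day_of_month_matches(dom_mask, when) and dow_ok


# Constructed mask values
FIRST_AND_LAST = bytes.fromhex("8000000100000000")   # the example from the description
DEFAULT_DOM = bytes.fromhex("fffffffffffffffe")      # the DEFVAL: every day of every month
LAST_DAY_ONLY = bytes.fromhex("0000000100000000")    # bit 32 only
DAY_31_ONLY = bytes.fromhex("0000000200000000")      # bit 31 only: never true in February
ALL_MONTHS = bytes([0xff, 0xf0])                     # bits 0..11 set
WEEKDAYS = bytes([0x7c])                             # monday(1) .. friday(5)
```

The evaluator only ever reads bits 1 through 62, so it tolerates a mask whose trailing bits are not zero; note that the DEFVAL 'fffffffffffffffe'H has bit 63 set even though the description says the last two bits MUST be zero, so an agent that rejects such masks at SET time would reject its own default value.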
    DEFVAL { "00000000T000000/00000000T240000" }
    ::= { spdTimeFilterEntry 6 }

spdTimeFiltLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified
        or created either through SNMP SETs or by some other
        external means.

        If this row has not been modified since the last
        re-initialization of the network management subsystem, this
        object SHOULD have a zero value."
    ::= { spdTimeFilterEntry 7 }

spdTimeFiltStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { spdTimeFilterEntry 8 }

spdTimeFiltRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this
        row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        If active, this object MUST remain active if it is
        referenced by an active row in another table. An attempt
        to set it to anything other than active while it is
        referenced by an active row in another table MUST result in
        an inconsistentValue error."
    ::= { spdTimeFilterEntry 9 }

--
-- IPSO protection authority filtering
--

spdIpsoHeaderFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SpdIpsoHeaderFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains a list of IPSO header filter
        definitions to be used within the spdRuleDefinitionTable or
        the spdSubfiltersTable.
IPSO headers and their values are 1760 described in RFC1108." 1761 REFERENCE "RFC 1108" 1762 ::= { spdConfigObjects 10 } 1764 spdIpsoHeaderFilterEntry OBJECT-TYPE 1765 SYNTAX SpdIpsoHeaderFilterEntry 1766 MAX-ACCESS not-accessible 1767 STATUS current 1768 DESCRIPTION 1769 "A definition of a particular filter." 1770 INDEX { spdIpsoHeadFiltName } 1771 ::= { spdIpsoHeaderFilterTable 1 } 1773 SpdIpsoHeaderFilterEntry ::= SEQUENCE { 1774 spdIpsoHeadFiltName SnmpAdminString, 1775 spdIpsoHeadFiltType BITS, 1776 spdIpsoHeadFiltClassification INTEGER, 1777 spdIpsoHeadFiltProtectionAuth INTEGER, 1778 spdIpsoHeadFiltLastChanged TimeStamp, 1779 spdIpsoHeadFiltStorageType StorageType, 1780 spdIpsoHeadFiltRowStatus RowStatus 1781 } 1783 spdIpsoHeadFiltName OBJECT-TYPE 1784 SYNTAX SnmpAdminString (SIZE(1..32)) 1785 MAX-ACCESS not-accessible 1786 STATUS current 1787 DESCRIPTION 1788 "The administrative name for this filter." 1789 ::= { spdIpsoHeaderFilterEntry 1 } 1791 spdIpsoHeadFiltType OBJECT-TYPE 1792 SYNTAX BITS { classificationLevel(0), 1793 protectionAuthority(1) } 1794 MAX-ACCESS read-create 1795 STATUS current 1796 DESCRIPTION 1797 "This object indicates which of the IPSO header field a 1798 packet is filtered on for this row. If this object is set 1799 to classification(0), the spdIpsoHeadFiltClassification 1800 object indicates how the packet is filtered. If this object 1801 is set to protectionAuthority(1), the 1802 spdIpsoHeadFiltProtectionAuth object indicates how the 1803 packet is filtered." 1804 ::= { spdIpsoHeaderFilterEntry 2 } 1806 spdIpsoHeadFiltClassification OBJECT-TYPE 1807 SYNTAX INTEGER { topSecret(61), secret(90), 1808 confidential(150), unclassified(171) } 1809 MAX-ACCESS read-create 1810 STATUS current 1811 DESCRIPTION 1812 "This object indicates the IPSO classification header field 1813 value that the packet MUST have for this row to evaluate to 1814 'true'. 1816 The values of these enumerations are defined by RFC1108." 
1817 REFERENCE "RFC 1108" 1818 ::= { spdIpsoHeaderFilterEntry 3 } 1820 spdIpsoHeadFiltProtectionAuth OBJECT-TYPE 1821 SYNTAX INTEGER { genser(0), siopesi(1), sci(2), 1822 nsa(3), doe(4) } 1823 MAX-ACCESS read-create 1824 STATUS current 1825 DESCRIPTION 1826 "This object indicates the IPSO protection authority header 1827 field value that the packet MUST have for this row to 1828 evaluate to 'true'. 1830 The values of these enumerations are defined by RFC1108. 1831 Hence the reason the SMIv2 convention of not using 0 in 1832 enumerated lists is violated here." 1833 REFERENCE "RFC 1108" 1834 ::= { spdIpsoHeaderFilterEntry 4 } 1836 spdIpsoHeadFiltLastChanged OBJECT-TYPE 1837 SYNTAX TimeStamp 1838 MAX-ACCESS read-only 1839 STATUS current 1840 DESCRIPTION 1841 "The value of sysUpTime when this row was last modified 1842 or created either through SNMP SETs or by some other 1843 external means. 1845 If this row has not been modified since the last 1846 re-initialization of the network management subsystem, this 1847 object SHOULD have a zero value." 1848 ::= { spdIpsoHeaderFilterEntry 5 } 1850 spdIpsoHeadFiltStorageType OBJECT-TYPE 1851 SYNTAX StorageType 1852 MAX-ACCESS read-create 1853 STATUS current 1854 DESCRIPTION 1855 "The storage type for this row. Rows in this table which 1856 were created through an external process MAY have a storage 1857 type of readOnly or permanent. 1859 For a storage type of permanent, none of the columns have 1860 to be writable." 1861 DEFVAL { nonVolatile } 1862 ::= { spdIpsoHeaderFilterEntry 6 } 1864 spdIpsoHeadFiltRowStatus OBJECT-TYPE 1865 SYNTAX RowStatus 1866 MAX-ACCESS read-create 1867 STATUS current 1868 DESCRIPTION 1869 "This object indicates the conceptual status of this row. 1871 The value of this object has no effect on whether other 1872 objects in this conceptual row can be modified. 1874 However, this object MUST NOT be set to active if the 1875 requirements of the spdIpsoHeadFiltType object are not met. 
1876 Specifically, if the spdIpsoHeadFiltType bit for 1877 classification(0) is set, the spdIpsoHeadFiltClassification 1878 column MUST have a valid value for the row status to be set 1879 to active. If the spdIpsoHeadFiltType bit for 1880 protectionAuthority(1) is set, the 1881 spdIpsoHeadFiltProtectionAuth column MUST have a valid 1882 value for the row status to be set to active. 1884 If active, this object MUST remain active if it is 1885 referenced by an active row in another table. An attempt 1886 to set it to anything other than active while it is 1887 referenced by an active row in another table MUST result in 1888 an inconsistentValue error." 1889 ::= { spdIpsoHeaderFilterEntry 7 } 1891 -- 1892 -- compound actions table 1893 -- 1894 spdCompoundActionTable OBJECT-TYPE 1895 SYNTAX SEQUENCE OF SpdCompoundActionEntry 1896 MAX-ACCESS not-accessible 1897 STATUS current 1898 DESCRIPTION 1899 "Table used to allow multiple actions to be associated 1900 with a rule. It uses the spdSubactionsTable to do this. 1901 The rows from spdSubactionsTable that are partially indexed 1902 by spdCompActName form the set of compound actions to be 1903 performed. The spdCompActExecutionStrategy column in this 1904 table indicates how those actions are processed." 1905 ::= { spdConfigObjects 11 } 1907 spdCompoundActionEntry OBJECT-TYPE 1908 SYNTAX SpdCompoundActionEntry 1909 MAX-ACCESS not-accessible 1910 STATUS current 1911 DESCRIPTION 1912 "A row in the spdCompoundActionTable." 
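The following is an added example, not part of the draft, showing how an spdIpsoHeaderFilterTable row is evaluated against a packet's IPSO Basic Security Option and how the activation rule of spdIpsoHeadFiltRowStatus is checked.  The option layout is taken from RFC 1108 (type 130, length, one classification octet, then protection-authority flag octets whose bit 0 is the most significant bit and whose bit 7 set means another flag octet follows); IpsoHeaderFilterRow, the function names and the sample option bytes are this example's own.

```python
"""Evaluate an spdIpsoHeaderFilterTable row against the IPSO Basic
Security Option of an IPv4 packet, and check the row-activation rule
of spdIpsoHeadFiltRowStatus.

Added example, not part of the draft.  Option layout per RFC 1108:
type 130, length, one classification-level octet, then protection-
authority flag octets where bit 0 (MSB) is GENSER, 1 SIOP-ESI, 2 SCI,
3 NSA, 4 DOE, and bit 7 (LSB) set means another flag octet follows.
IpsoHeaderFilterRow and the function names are this example's own."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

IPSO_BASIC_SECURITY = 130

# spdIpsoHeadFiltClassification enumerations (values from RFC 1108).
CLASSIFICATION = {"topSecret": 61, "secret": 90,
                  "confidential": 150, "unclassified": 171}
# spdIpsoHeadFiltProtectionAuth enumerations: the RFC 1108 flag bit numbers.
PROTECTION_AUTH = {"genser": 0, "siopesi": 1, "sci": 2, "nsa": 3, "doe": 4}


def parse_basic_security_option(option: bytes) -> tuple[int, set[int]]:
    """Return (classification level, set of protection-authority bit numbers)."""
    if len(option) < 3 or option[0] != IPSO_BASIC_SECURITY or option[1] != len(option):
        raise ValueError("not a well-formed IPSO basic security option")
    classification = option[2]
    flags = option[3:]
    authorities: set[int] = set()
    for i, octet in enumerate(flags):
        authorities.update(b for b in range(5) if (octet >> (7 - b)) & 1)
        # Bit 7 (LSB) must be set on every flag octet except the last one.
        continues = bool(octet & 0x01)
        if continues == (i == len(flags) - 1):
            raise ValueError("protection-authority field badly terminated")
    return classification, authorities


def is_well_formed(option: bytes) -> bool:
    try:
        parse_basic_security_option(option)
        return True
    except ValueError:
        return False


@dataclass
class IpsoHeaderFilterRow:
    filt_type: set[str] = field(default_factory=set)   # spdIpsoHeadFiltType bits
    classification: Optional[str] = None               # spdIpsoHeadFiltClassification
    protection_auth: Optional[str] = None              # spdIpsoHeadFiltProtectionAuth


def may_activate(row: IpsoHeaderFilterRow) -> bool:
    """spdIpsoHeadFiltRowStatus MUST NOT become active unless every field
    selected in spdIpsoHeadFiltType has a valid value."""
    if "classificationLevel" in row.filt_type and row.classification not in CLASSIFICATION:
        return False
    if "protectionAuthority" in row.filt_type and row.protection_auth not in PROTECTION_AUTH:
        return False
    return True


def row_matches(row: IpsoHeaderFilterRow, option: Optional[bytes]) -> bool:
    """Evaluate an active row.  A packet without the option cannot satisfy
    a filter on its fields (this example's reading; the MIB does not say)."""
    if not may_activate(row):
        raise ValueError("row is not valid for activation")
    if option is None:
        return False
    classification, authorities = parse_basic_security_option(option)
    if ("classificationLevel" in row.filt_type
            and CLASSIFICATION[row.classification] != classification):
        return False
    if ("protectionAuthority" in row.filt_type
            and PROTECTION_AUTH[row.protection_auth] not in authorities):
        return False
    return True


# Constructed sample options: Secret with {GENSER, SCI} in one flag octet,
# and Secret with {GENSER, DOE} spread over two flag octets.
SECRET_GENSER_SCI = bytes.fromhex("82045aa0")
SECRET_GENSER_DOE = bytes.fromhex("82055a8108")
```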
    INDEX { spdCompActName }
    ::= { spdCompoundActionTable 1 }

SpdCompoundActionEntry ::= SEQUENCE {
    spdCompActName                SnmpAdminString,
    spdCompActExecutionStrategy   INTEGER,
    spdCompActLastChanged         TimeStamp,
    spdCompActStorageType         StorageType,
    spdCompActRowStatus           RowStatus
}

spdCompActName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This is an administratively assigned name of this
        compound action."
    ::= { spdCompoundActionEntry 1 }

spdCompActExecutionStrategy OBJECT-TYPE
    SYNTAX      INTEGER { doAll(1),
                          doUntilSuccess(2),
                          doUntilFailure(3) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates how the sub-actions are executed
        based on the success of the actions as they finish
        executing.

        doAll          - run each sub-action regardless of the
                         exit status of the previous action.
                         This parent action is always
                         considered to have acted successfully.

        doUntilSuccess - run each sub-action until one succeeds,
                         at which point stop processing the
                         sub-actions within this parent
                         compound action.  If one of the
                         sub-actions did execute successfully,
                         this parent action is also considered
                         to have executed successfully.

        doUntilFailure - run each sub-action until one fails,
                         at which point stop processing the
                         sub-actions within this compound
                         action.  If any sub-action fails, the
                         result of this parent action is
                         considered to have failed."
    DEFVAL { doUntilSuccess }
    ::= { spdCompoundActionEntry 2 }

spdCompActLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified
        or created either through SNMP SETs or by some other
        external means.

        If this row has not been modified since the last
        re-initialization of the network management subsystem, this
        object SHOULD have a zero value."
    ::= { spdCompoundActionEntry 3 }

spdCompActStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { spdCompoundActionEntry 4 }

spdCompActRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        Once a row in the spdCompoundActionTable has been made
        active, this object MUST NOT be set to destroy without
        first destroying all the contained rows listed in the
        spdSubactionsTable."
    ::= { spdCompoundActionEntry 5 }

--
-- actions contained within a compound action
--

spdSubactionsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SpdSubactionsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains a list of the sub-actions within a
        given compound action.  Compound actions executing these
        actions MUST execute them in series based on the
        spdSubActPriority value, with the lowest value executing
        first."
    ::= { spdConfigObjects 12 }

spdSubactionsEntry OBJECT-TYPE
    SYNTAX      SpdSubactionsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row containing a reference to a given compound-action
        sub-action."
    INDEX { spdCompActName, spdSubActPriority }
    ::= { spdSubactionsTable 1 }

SpdSubactionsEntry ::= SEQUENCE {
    spdSubActPriority        Integer32,
    spdSubActSubActionName   VariablePointer,
    spdSubActLastChanged     TimeStamp,
    spdSubActStorageType     StorageType,
    spdSubActRowStatus       RowStatus
}

spdSubActPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The priority of a given sub-action within a compound
        action.  The order in which sub-actions MUST be executed
        is based on the value from this column, with the lowest
        numeric value executing first (i.e., priority 0 before
        priority 1, 1 before 2, etc.)."
    ::= { spdSubactionsEntry 1 }

spdSubActSubActionName OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This column points to the action to be taken.  It MAY,
        but is not limited to, point to a row in one of the
        following tables:

            spdCompoundActionTable - Allowing recursion
            ipsaSaPreconfiguredActionTable
            ipiaIkeActionTable
            ipiaIpsecActionTable

        It MAY also point to one of the scalar objects beneath
        spdStaticActions.

        If this object is set to a pointer to a row in an
        unsupported (or unknown) table, an inconsistentValue
        error MUST be returned.

        If this object is set to point to a non-existent row in
        an otherwise supported table, an inconsistentName error
        MUST be returned.

        If during packet processing this column has a value that
        references a non-existent or non-supported object, the
        packet MUST be dropped."
    ::= { spdSubactionsEntry 2 }

spdSubActLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified
        or created either through SNMP SETs or by some other
        external means.

        If this row has not been modified since the last
        re-initialization of the network management subsystem, this
        object SHOULD have a zero value."
    ::= { spdSubactionsEntry 3 }

spdSubActStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { spdSubactionsEntry 4 }

spdSubActRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        If active, this object MUST remain active unless one of the
        following two conditions is met.  An attempt to set it to
        anything other than active while the following conditions
        are not met MUST result in an inconsistentValue error.  The
        two conditions are:

        I.  No active row in the spdCompoundActionTable exists
            which has a matching spdCompActName.

        II. Or at least one other active row in this table has a
            matching spdCompActName."
    ::= { spdSubactionsEntry 5 }

--
-- Static Actions
--

-- these are static actions which can be pointed to by the
-- spdRuleDefAction or the spdSubActSubActionName objects to
-- drop, accept or reject packets.

spdStaticActions OBJECT IDENTIFIER ::= { spdConfigObjects 13 }

spdDropAction OBJECT-TYPE
    SYNTAX      Integer32 (1)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet MUST be dropped
        and SHOULD NOT have action/packet logging."
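The following is an added example, not part of the draft, that executes a compound action the way spdCompoundActionTable, spdSubactionsTable and spdStaticActions describe: sub-actions run in series by ascending spdSubActPriority under doAll, doUntilSuccess or doUntilFailure, a sub-action may point at another compound action (recursion), and a pointer that resolves to nothing at packet-processing time drops the packet.  Policy, CompoundAction, Outcome and the sample actions are this example's own; sub-action pointers are plain strings standing in for VariablePointer OIDs, and the "ike-*" actions are constructed stand-ins whose success is fixed by the caller.

```python
"""Execute spdCompoundActionTable rows over spdSubactionsTable rows.

Added example, not part of the draft.  Policy, CompoundAction, Outcome
and the sample action names are this example's own; string names stand
in for the VariablePointer OIDs an agent would hold."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# spdStaticActions scalars: packet verdict and whether logging is expected.
STATIC_ACTIONS = {
    "spdDropAction": ("drop", False),
    "spdDropActionLog": ("drop", True),
    "spdAcceptAction": ("accept", False),
    "spdAcceptActionLog": ("accept", True),
}


@dataclass
class CompoundAction:
    strategy: str                 # spdCompActExecutionStrategy label
    subactions: Dict[int, str]    # spdSubActPriority -> spdSubActSubActionName


@dataclass
class Outcome:
    success: bool
    verdict: Optional[str] = None          # set by the last static action run
    log: bool = False                      # True once a *Log static action ran
    executed: List[str] = field(default_factory=list)


class UnresolvedAction(Exception):
    """spdSubActSubActionName references a non-existent or unsupported object."""


class Policy:
    def __init__(self, compound: Dict[str, CompoundAction],
                 dynamic: Dict[str, Callable[[], bool]]) -> None:
        self.compound = compound   # spdCompActName -> row
        self.dynamic = dynamic     # stand-ins for e.g. ipiaIkeActionTable rows

    def execute(self, pointer: str, out: Outcome, active: tuple = ()) -> bool:
        out.executed.append(pointer)
        if pointer in STATIC_ACTIONS:
            out.verdict, logged = STATIC_ACTIONS[pointer]
            out.log = out.log or logged
            return True                     # a static action always completes
        if pointer in self.dynamic:
            return self.dynamic[pointer]()
        if pointer not in self.compound or pointer in active:
            raise UnresolvedAction(pointer)  # unknown, or a cycle (own guard)
        row = self.compound[pointer]
        # spdSubactionsTable: in series, lowest spdSubActPriority first.
        for priority in sorted(row.subactions):
            ok = self.execute(row.subactions[priority], out, active + (pointer,))
            if row.strategy == "doUntilSuccess" and ok:
                return True
            if row.strategy == "doUntilFailure" and not ok:
                return False
        # Ran to the end: doAll always succeeds, doUntilFailure saw no
        # failure, doUntilSuccess saw no success.
        return row.strategy != "doUntilSuccess"


def process_packet(policy: Policy, action_pointer: str) -> Outcome:
    out = Outcome(success=False)
    try:
        out.success = policy.execute(action_pointer, out)
    except UnresolvedAction:
        # "...references a non-existent or non-supported object, the
        # packet MUST be dropped."
        out.success, out.verdict = False, "drop"
    return out


def build_policy(main_ok: bool, backup_ok: bool) -> Policy:
    """Constructed policy: two IKE-style actions whose success is given,
    and compound actions exercising each strategy plus recursion."""
    return Policy(
        compound={
            "try-ipsec": CompoundAction("doUntilSuccess",
                {0: "ike-main-site", 1: "ike-backup-site", 2: "spdDropActionLog"}),
            "all-or-nothing": CompoundAction("doUntilFailure",
                {0: "ike-main-site", 1: "spdAcceptAction"}),
            "audit-then-ipsec": CompoundAction("doAll",
                {1: "try-ipsec", 0: "spdAcceptActionLog"}),   # out of order on purpose
            "dangling": CompoundAction("doAll", {0: "ike-removed-row"}),
        },
        dynamic={"ike-main-site": lambda: main_ok,
                 "ike-backup-site": lambda: backup_ok},
    )
```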
    ::= { spdStaticActions 1 }

spdDropActionLog OBJECT-TYPE
    SYNTAX      Integer32 (1)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet MUST be dropped
        and SHOULD have action/packet logging."
    ::= { spdStaticActions 2 }

spdAcceptAction OBJECT-TYPE
    SYNTAX      Integer32 (1)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet MUST be accepted
        (pass-through) and SHOULD NOT have action/packet logging."
    ::= { spdStaticActions 3 }

spdAcceptActionLog OBJECT-TYPE
    SYNTAX      Integer32 (1)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet MUST be accepted
        (pass-through) and SHOULD have action/packet logging."
    ::= { spdStaticActions 4 }

--
--
-- Notification objects information
--
--

spdNotificationVariables OBJECT IDENTIFIER ::=
    { spdNotificationObjects 1 }

spdNotifications OBJECT IDENTIFIER ::=
    { spdNotificationObjects 0 }

spdActionExecuted OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Points to the action instance that was executed that
        resulted in the notification being sent."
    ::= { spdNotificationVariables 1 }

spdIPEndpointAddType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Contains the address type for the interface that the
        notification triggering packet is passing through."
    ::= { spdNotificationVariables 2 }

spdIPEndpointAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Contains the interface address for the interface that the
        notification triggering packet is passing through.

        The format of this object is specified by the
        spdIPEndpointAddType object."
    ::= { spdNotificationVariables 3 }

spdIPSourceType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Contains the source address type of the packet which
        triggered the notification."
    ::= { spdNotificationVariables 4 }

spdIPSourceAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Contains the source address of the packet which
        triggered the notification.

        The format of this object is specified by the
        spdIPSourceType object."
    ::= { spdNotificationVariables 5 }

spdIPDestinationType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Contains the destination address type of the packet
        which triggered the notification."
    ::= { spdNotificationVariables 6 }

spdIPDestinationAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Contains the destination address of the packet which
        triggered the notification.

        The format of this object is specified by the
        spdIPDestinationType object."
    ::= { spdNotificationVariables 7 }

spdPacketDirection OBJECT-TYPE
    SYNTAX      IfDirection
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "Indicates if the packet which triggered the action in
        question was ingress (inbound) or egress (outbound)."
    ::= { spdNotificationVariables 8 }

spdPacketPart OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE (0..65535))
    MAX-ACCESS  accessible-for-notify
    STATUS      current
    DESCRIPTION
        "spdPacketPart is the front part of the full IP packet that
        triggered this notification.  The initial size limit is
        determined by the smaller of the size indicated by

        I.  The value of the object with the TC syntax
            'SpdIPPacketLogging' that indicated the packet SHOULD be
            logged and
        II. The size of the triggering packet.

        The final limit is determined by the SNMP packet size when
        sending the notification.  The maximum size that can be
        included will be the smaller of the initial size given above
        and the length that will fit in a single SNMP notification
        packet after the rest of the notification's objects and any
        other necessary packet data (headers, encoding, etc.) has
        been included in the packet."
    ::= { spdNotificationVariables 9 }

spdActionNotification NOTIFICATION-TYPE
    OBJECTS { spdActionExecuted, spdIPEndpointAddType,
              spdIPEndpointAddress,
              spdIPSourceType, spdIPSourceAddress,
              spdIPDestinationType,
              spdIPDestinationAddress,
              spdPacketDirection }
    STATUS      current
    DESCRIPTION
        "Notification that an action was executed by a rule.
        Only actions with logging enabled will result in this
        notification getting sent.  The object includes the
        spdActionExecuted object which will indicate which action
        was executed within the scope of the rule.  Additionally
        the spdIPSourceType, spdIPSourceAddress,
        spdIPDestinationType, and spdIPDestinationAddress objects
        are included to indicate the packet source and destination
        of the packet that triggered the action.  Finally the
        spdIPEndpointAddType, spdIPEndpointAddress, and
        spdPacketDirection objects indicate which interface the
        executed action was associated with and if the packet was
        ingress or egress through the endpoint.

        A spdActionNotification SHOULD be limited to a maximum of
        one notification sent per minute for any action
        notifications that do not have any other configuration
        controlling their send rate.

        Note that compound actions with multiple executed
        subactions may result in multiple notifications being sent
        from a single rule execution."
    ::= { spdNotifications 1 }

spdPacketNotification NOTIFICATION-TYPE
    OBJECTS { spdActionExecuted, spdIPEndpointAddType,
              spdIPEndpointAddress,
              spdIPSourceType, spdIPSourceAddress,
              spdIPDestinationType,
              spdIPDestinationAddress,
              spdPacketDirection,
              spdPacketPart }
    STATUS      current
    DESCRIPTION
        "Notification that a packet passed through a Security
        Association (SA).  Only SAs created by actions with packet
        logging enabled will result in this notification getting
        sent.  The objects sent MUST include the spdActionExecuted
        which will indicate which action was executed within the
        scope of the rule.  Additionally, the spdIPSourceType,
        spdIPSourceAddress, spdIPDestinationType, and
        spdIPDestinationAddress objects MUST be included to
        indicate the packet source and destination of the packet
        that triggered the action.  The spdIPEndpointAddType,
        spdIPEndpointAddress, and spdPacketDirection objects are
        included to indicate which endpoint the packet was
        associated with.  Finally, spdPacketPart is included to
        enable sending a variable sized part of the front of the
        packet with the size dependent on the value of the object of
        TC syntax 'SpdIPPacketLogging' which indicated that logging
        should be done.

        A spdPacketNotification SHOULD be limited to a maximum of
        one notification sent per minute for any action
        notifications that do not have any other configuration
        controlling their send rate.

        An action notification SHOULD be limited to a maximum of
        one notification sent per minute for any action
        notifications that do not have any other configuration
        controlling their send rate."
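The following is an added example, not part of the draft, that assembles the varbinds of one spdPacketNotification: spdPacketPart is cut to the smaller of (I) the byte count requested by the SpdIPPacketLogging-typed object, (II) the triggering packet's length, and finally the room left in a single notification PDU, and sends are limited to one per minute per executed action.  Two assumptions are made: the SpdIPPacketLogging value is treated as a non-negative count of leading packet bytes, and the space consumed by message headers plus the other eight varbinds is passed in as a byte estimate rather than computed by BER encoding.  PerMinuteLimiter, the function names, the 120-byte overhead figure and the sample packet are this example's own.

```python
"""Size spdPacketPart and rate limit spdPacketNotification.

Added example, not part of the draft.  Assumptions: the value of the
SpdIPPacketLogging-typed object is taken as a non-negative count of
leading packet bytes, and the room used by headers plus the other
eight varbinds is supplied as an estimate (no BER encoding here).
PerMinuteLimiter and the function names are this example's own."""
from __future__ import annotations

import ipaddress
from typing import Dict, Optional

# Smallest maximum message size an SNMP-over-UDP entity accepts (RFC 3417).
SNMP_MIN_MAX_MESSAGE = 484


def initial_limit(packet_len: int, requested: int) -> int:
    """(I) bytes asked for by the SpdIPPacketLogging value, capped by
    (II) the length of the triggering packet."""
    return min(max(requested, 0), packet_len)


def pdu_room(max_message: int, other_varbinds_len: int) -> int:
    """Bytes left for spdPacketPart once the message headers and the
    other eight objects of the notification are accounted for."""
    return max(0, max_message - other_varbinds_len)


def packet_part(packet: bytes, requested: int,
                max_message: int = SNMP_MIN_MAX_MESSAGE,
                other_varbinds_len: int = 120) -> bytes:
    """Front of the packet, cut to the smaller of the initial limit and
    what still fits in a single notification PDU.  The 120-byte default
    overhead is a constructed estimate."""
    limit = min(initial_limit(len(packet), requested),
                pdu_room(max_message, other_varbinds_len))
    return packet[:limit]


class PerMinuteLimiter:
    """At most one notification per minute per executed action, for
    actions with no other configuration controlling their send rate."""

    def __init__(self, interval_s: float = 60.0) -> None:
        self.interval_s = interval_s
        self._last_sent: Dict[str, float] = {}

    def allow(self, action: str, now: float) -> bool:
        last = self._last_sent.get(action)
        if last is not None and now - last < self.interval_s:
            return False
        self._last_sent[action] = now
        return True


def inet_type(address: str) -> str:
    """InetAddressType label (ipv4 or ipv6) for the address."""
    return "ipv4" if ipaddress.ip_address(address).version == 4 else "ipv6"


def build_packet_notification(action: str, endpoint: str, src: str, dst: str,
                              direction: str, packet: bytes, requested: int,
                              now: float, limiter: PerMinuteLimiter,
                              max_message: int = SNMP_MIN_MAX_MESSAGE,
                              other_varbinds_len: int = 120) -> Optional[dict]:
    """Varbinds of one spdPacketNotification, or None when rate limited."""
    if not limiter.allow(action, now):
        return None
    return {
        "spdActionExecuted": action,
        "spdIPEndpointAddType": inet_type(endpoint),
        "spdIPEndpointAddress": endpoint,
        "spdIPSourceType": inet_type(src),
        "spdIPSourceAddress": src,
        "spdIPDestinationType": inet_type(dst),
        "spdIPDestinationAddress": dst,
        "spdPacketDirection": direction,
        "spdPacketPart": packet_part(packet, requested,
                                     max_message, other_varbinds_len),
    }


# Constructed 1500-byte IPv4 packet: version/IHL octet followed by zeros.
SAMPLE_PACKET = bytes([0x45]) + bytes(1499)
```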
2369 ::= { spdNotifications 2 } 2371 -- 2372 -- 2373 -- Conformance information 2374 -- 2375 -- 2377 spdCompliances OBJECT IDENTIFIER 2378 ::= { spdConformanceObjects 1 } 2379 spdGroups OBJECT IDENTIFIER 2380 ::= { spdConformanceObjects 2 } 2382 -- 2383 -- Compliance statements 2384 -- 2385 -- 2386 spdRuleFilterFullCompliance MODULE-COMPLIANCE 2387 STATUS current 2388 DESCRIPTION 2389 "The compliance statement for SNMP entities that include 2390 an IPsec MIB implementation with Endpoint, Rules, and 2391 filters support. 2393 When this MIB is implemented with support for read-create, 2394 then such an implementation can claim full compliance. Such 2395 devices can then be both monitored and configured with this 2396 MIB." 2398 MODULE -- This Module 2399 MANDATORY-GROUPS { spdEndpointGroup, 2400 spdGroupContentsGroup, 2401 spdRuleDefinitionGroup, 2402 spdStaticFilterGroup, 2403 spdStaticActionGroup , 2404 diffServMIBMultiFieldClfrGroup } 2406 GROUP spdIpsecSystemPolicyNameGroup 2407 DESCRIPTION 2408 "This group is mandatory for IPsec Policy 2409 implementations which support a system policy group 2410 name." 2412 GROUP spdCompoundFilterGroup 2413 DESCRIPTION 2414 "This group is mandatory for IPsec Policy 2415 implementations which support compound filters." 2417 GROUP spdIPOffsetFilterGroup 2418 DESCRIPTION 2419 "This group is mandatory for IPsec Policy 2420 implementations which support IP Offset filters. In 2421 general, this SHOULD be supported by a compliant IPsec 2422 Policy implementation." 2424 GROUP spdTimeFilterGroup 2425 DESCRIPTION 2426 "This group is mandatory for IPsec Policy 2427 implementations which support time filters." 2429 GROUP spdIpsoHeaderFilterGroup 2430 DESCRIPTION 2431 "This group is mandatory for IPsec Policy 2432 implementations which support IPSO Header filters." 2434 GROUP spdCompoundActionGroup 2435 DESCRIPTION 2436 "This group is mandatory for IPsec Policy 2437 implementations which support compound actions." 
2439 OBJECT spdEndGroupLastChanged 2440 MIN-ACCESS not-accessible 2441 DESCRIPTION 2442 "This object not required for compliance." 2444 OBJECT spdGroupContComponentType 2445 SYNTAX INTEGER { 2446 rule(2) 2447 } 2448 DESCRIPTION 2449 "Support of the value group(1) is only required for 2450 implementations which support Policy Groups within 2451 Policy Groups." 2453 OBJECT spdGroupContLastChanged 2454 MIN-ACCESS not-accessible 2455 DESCRIPTION 2456 "This object not required for compliance." 2458 OBJECT spdRuleDefLastChanged 2459 MIN-ACCESS not-accessible 2460 DESCRIPTION 2461 "This object not required for compliance." 2463 OBJECT spdCompFiltLastChanged 2464 MIN-ACCESS not-accessible 2465 DESCRIPTION 2466 "This object not required for compliance." 2468 OBJECT spdSubFiltLastChanged 2469 MIN-ACCESS not-accessible 2470 DESCRIPTION 2471 "This object not required for compliance." 2473 OBJECT spdIpOffFiltLastChanged 2474 MIN-ACCESS not-accessible 2475 DESCRIPTION 2476 "This object not required for compliance." 2478 OBJECT spdTimeFiltLastChanged 2479 MIN-ACCESS not-accessible 2480 DESCRIPTION 2481 "This object not required for compliance." 2483 OBJECT spdIpsoHeadFiltLastChanged 2484 MIN-ACCESS not-accessible 2485 DESCRIPTION 2486 "This object not required for compliance." 2488 OBJECT spdCompActLastChanged 2489 MIN-ACCESS not-accessible 2490 DESCRIPTION 2491 "This object not required for compliance." 2493 OBJECT spdSubActLastChanged 2494 MIN-ACCESS not-accessible 2495 DESCRIPTION 2496 "This object not required for compliance." 2498 OBJECT diffServMultiFieldClfrNextFree 2499 MIN-ACCESS not-accessible 2500 DESCRIPTION 2501 "This object is not required for compliance." 2503 ::= { spdCompliances 1 } 2505 spdLoggingCompliance MODULE-COMPLIANCE 2506 STATUS current 2507 DESCRIPTION 2508 "The compliance statement for SNMP entities that support 2509 sending notifications when actions are invoked." 
2510 MODULE -- This Module 2511 MANDATORY-GROUPS { spdActionLoggingObjectGroup, 2512 spdActionNotificationGroup } 2514 ::= { spdCompliances 2 } 2516 -- 2517 -- ReadOnly Compliances 2518 -- 2519 spdRuleFilterReadOnlyCompliance MODULE-COMPLIANCE 2520 STATUS current 2521 DESCRIPTION 2522 "The compliance statement for SNMP entities that include 2523 an IPsec MIB implementation with Endpoint, Rules, and 2524 filters support. 2526 If this MIB is implemented without support for read-create 2527 (i.e. in read-only), it is not in full compliance but it 2528 can claim read-only compliance. Such a device can then be 2529 monitored but can not be configured with this MIB." 2531 MODULE -- This Module 2532 MANDATORY-GROUPS { spdEndpointGroup, 2533 spdGroupContentsGroup, 2534 spdRuleDefinitionGroup, 2535 spdStaticFilterGroup, 2536 spdStaticActionGroup , 2537 diffServMIBMultiFieldClfrGroup } 2539 GROUP spdIpsecSystemPolicyNameGroup 2540 DESCRIPTION 2541 "This group is mandatory for IPsec Policy 2542 implementations which support a system policy group 2543 name." 2545 GROUP spdCompoundFilterGroup 2546 DESCRIPTION 2547 "This group is mandatory for IPsec Policy 2548 implementations which support compound filters." 2550 GROUP spdIPOffsetFilterGroup 2551 DESCRIPTION 2552 "This group is mandatory for IPsec Policy 2553 implementations which support IP Offset filters. In 2554 general, this SHOULD be supported by a compliant IPsec 2555 Policy implementation." 2557 GROUP spdTimeFilterGroup 2558 DESCRIPTION 2559 "This group is mandatory for IPsec Policy 2560 implementations which support time filters." 2562 GROUP spdIpsoHeaderFilterGroup 2563 DESCRIPTION 2564 "This group is mandatory for IPsec Policy 2565 implementations which support IPSO Header filters." 2567 GROUP spdCompoundActionGroup 2568 DESCRIPTION 2569 "This group is mandatory for IPsec Policy 2570 implementations which support compound actions." 
2572 OBJECT spdCompActExecutionStrategy 2573 MIN-ACCESS read-only 2574 DESCRIPTION 2575 "Write access is not required." 2577 OBJECT spdCompActLastChanged 2578 DESCRIPTION 2579 "This object is not required for compliance." 2581 OBJECT spdCompActRowStatus 2582 MIN-ACCESS read-only 2583 DESCRIPTION 2584 "Write access is not required." 2586 OBJECT spdCompActStorageType 2587 MIN-ACCESS read-only 2588 DESCRIPTION 2589 "Write access is not required." 2591 OBJECT spdCompFiltDescription 2592 MIN-ACCESS read-only 2593 DESCRIPTION 2594 "Write access is not required." 2596 OBJECT spdCompFiltLastChanged 2597 DESCRIPTION 2598 "This object is not required for compliance." 2600 OBJECT spdCompFiltLogicType 2601 MIN-ACCESS read-only 2602 DESCRIPTION 2603 "Write access is not required." 2605 OBJECT spdCompFiltRowStatus 2606 MIN-ACCESS read-only 2607 DESCRIPTION 2608 "Write access is not required." 2610 OBJECT spdCompFiltStorageType 2611 MIN-ACCESS read-only 2612 DESCRIPTION 2613 "Write access is not required." 2615 OBJECT spdEgressPolicyGroupName 2616 MIN-ACCESS read-only 2617 DESCRIPTION 2618 "Write access is not required." 2620 OBJECT spdEndGroupLastChanged 2621 DESCRIPTION 2622 "This object is not required for compliance." 2624 OBJECT spdEndGroupName 2625 MIN-ACCESS read-only 2626 DESCRIPTION 2627 "Write access is not required." 2629 OBJECT spdEndGroupRowStatus 2630 MIN-ACCESS read-only 2631 DESCRIPTION 2632 "Write access is not required." 2634 OBJECT spdEndGroupStorageType 2635 MIN-ACCESS read-only 2636 DESCRIPTION 2637 "Write access is not required." 2639 OBJECT spdGroupContComponentName 2640 MIN-ACCESS read-only 2641 DESCRIPTION 2642 "Write access is not required." 2644 OBJECT spdGroupContComponentType 2645 MIN-ACCESS read-only 2646 DESCRIPTION 2647 "Write access is not required." 2649 OBJECT spdGroupContFilter 2650 MIN-ACCESS read-only 2651 DESCRIPTION 2652 "Write access is not required." 
2654 OBJECT spdGroupContLastChanged 2655 DESCRIPTION 2656 "This object is not required for compliance." 2658 OBJECT spdGroupContRowStatus 2659 MIN-ACCESS read-only 2660 DESCRIPTION 2661 "Write access is not required." 2663 OBJECT spdGroupContStorageType 2664 MIN-ACCESS read-only 2665 DESCRIPTION 2666 "Write access is not required." 2668 OBJECT spdIngressPolicyGroupName 2669 MIN-ACCESS read-only 2670 DESCRIPTION 2671 "Write access is not required." 2673 OBJECT spdIpOffFiltLastChanged 2674 DESCRIPTION 2675 "This object is not required for compliance." 2677 OBJECT spdIpOffFiltOffset 2678 MIN-ACCESS read-only 2679 DESCRIPTION 2680 "Write access is not required." 2682 OBJECT spdIpOffFiltRowStatus 2683 MIN-ACCESS read-only 2684 DESCRIPTION 2685 "Write access is not required." 2687 OBJECT spdIpOffFiltStorageType 2688 MIN-ACCESS read-only 2689 DESCRIPTION 2690 "Write access is not required." 2692 OBJECT spdIpOffFiltType 2693 MIN-ACCESS read-only 2694 DESCRIPTION 2695 "Write access is not required." 2697 OBJECT spdIpOffFiltValue 2698 MIN-ACCESS read-only 2699 DESCRIPTION 2700 "Write access is not required." 2702 OBJECT spdIpsoHeadFiltClassification 2703 MIN-ACCESS read-only 2704 DESCRIPTION 2705 "Write access is not required." 2707 OBJECT spdIpsoHeadFiltLastChanged 2708 DESCRIPTION 2709 "This object is not required for compliance." 2711 OBJECT spdIpsoHeadFiltProtectionAuth 2712 MIN-ACCESS read-only 2713 DESCRIPTION 2714 "Write access is not required." 2716 OBJECT spdIpsoHeadFiltRowStatus 2717 MIN-ACCESS read-only 2718 DESCRIPTION 2719 "Write access is not required." 2721 OBJECT spdIpsoHeadFiltStorageType 2722 MIN-ACCESS read-only 2723 DESCRIPTION 2724 "Write access is not required." 2726 OBJECT spdIpsoHeadFiltType 2727 MIN-ACCESS read-only 2728 DESCRIPTION 2729 "Write access is not required." 2731 OBJECT spdRuleDefAction 2732 MIN-ACCESS read-only 2733 DESCRIPTION 2734 "Write access is not required." 
2736 OBJECT spdRuleDefAdminStatus 2737 MIN-ACCESS read-only 2738 DESCRIPTION 2739 "Write access is not required." 2741 OBJECT spdRuleDefDescription 2742 MIN-ACCESS read-only 2743 DESCRIPTION 2744 "Write access is not required." 2746 OBJECT spdRuleDefFilter 2747 MIN-ACCESS read-only 2748 DESCRIPTION 2749 "Write access is not required." 2751 OBJECT spdRuleDefFilterNegated 2752 MIN-ACCESS read-only 2753 DESCRIPTION 2754 "Write access is not required." 2756 OBJECT spdRuleDefLastChanged 2757 DESCRIPTION 2758 "This object is not required for compliance." 2760 OBJECT spdRuleDefRowStatus 2761 MIN-ACCESS read-only 2762 DESCRIPTION 2763 "Write access is not required." 2765 OBJECT spdRuleDefStorageType 2766 MIN-ACCESS read-only 2767 DESCRIPTION 2768 "Write access is not required." 2770 OBJECT spdSubActLastChanged 2771 DESCRIPTION 2772 "This object is not required for compliance." 2774 OBJECT spdSubActRowStatus 2775 MIN-ACCESS read-only 2776 DESCRIPTION 2777 "Write access is not required." 2779 OBJECT spdSubActStorageType 2780 MIN-ACCESS read-only 2781 DESCRIPTION 2782 "Write access is not required." 2784 OBJECT spdSubActSubActionName 2785 MIN-ACCESS read-only 2786 DESCRIPTION 2787 "Write access is not required." 2789 OBJECT spdSubFiltLastChanged 2790 DESCRIPTION 2791 "This object is not required for compliance." 2793 OBJECT spdSubFiltRowStatus 2794 MIN-ACCESS read-only 2795 DESCRIPTION 2796 "Write access is not required." 2798 OBJECT spdSubFiltStorageType 2799 MIN-ACCESS read-only 2800 DESCRIPTION 2801 "Write access is not required." 2803 OBJECT spdSubFiltSubfilter 2804 MIN-ACCESS read-only 2805 DESCRIPTION 2806 "Write access is not required." 2808 OBJECT spdSubFiltSubfilterIsNegated 2809 MIN-ACCESS read-only 2810 DESCRIPTION 2811 "Write access is not required." 2813 OBJECT spdTimeFiltDayOfMonthMask 2814 MIN-ACCESS read-only 2815 DESCRIPTION 2816 "Write access is not required." 
    OBJECT spdTimeFiltDayOfWeekMask
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT spdTimeFiltLastChanged
    DESCRIPTION
        "This object is not required for compliance."

    OBJECT spdTimeFiltMonthOfYearMask
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT spdTimeFiltPeriod
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT spdTimeFiltRowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT spdTimeFiltTimeOfDayMask
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT spdTimeFiltStorageType
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    ::= { spdCompliances 3 }

    --
    --
    -- Compliance Groups Definitions
    --

    --
    -- Endpoint, Rule, Filter Compliance Groups
    --

    spdEndpointGroup OBJECT-GROUP
        OBJECTS {
            spdEndGroupName, spdEndGroupLastChanged,
            spdEndGroupStorageType, spdEndGroupRowStatus
        }
        STATUS current
        DESCRIPTION
            "This group is made up of objects from the IPsec Policy
            Endpoint Table."
        ::= { spdGroups 1 }

    spdGroupContentsGroup OBJECT-GROUP
        OBJECTS {
            spdGroupContComponentType, spdGroupContFilter,
            spdGroupContComponentName, spdGroupContLastChanged,
            spdGroupContStorageType, spdGroupContRowStatus
        }
        STATUS current
        DESCRIPTION
            "This group is made up of objects from the IPsec Policy
            Group Contents Table."
        ::= { spdGroups 2 }

    spdIpsecSystemPolicyNameGroup OBJECT-GROUP
        OBJECTS {
            spdIngressPolicyGroupName,
            spdEgressPolicyGroupName
        }
        STATUS current
        DESCRIPTION
            "This group is made up of the objects that represent the
            System Policy Group Names."
        ::= { spdGroups 3 }

    spdRuleDefinitionGroup OBJECT-GROUP
        OBJECTS {
            spdRuleDefDescription, spdRuleDefFilter,
            spdRuleDefFilterNegated, spdRuleDefAction,
            spdRuleDefAdminStatus, spdRuleDefLastChanged,
            spdRuleDefStorageType, spdRuleDefRowStatus
        }
        STATUS current
        DESCRIPTION
            "This group is made up of objects from the IPsec Policy Rule
            Definition Table."
        ::= { spdGroups 4 }

    spdCompoundFilterGroup OBJECT-GROUP
        OBJECTS {
            spdCompFiltDescription, spdCompFiltLogicType,
            spdCompFiltLastChanged, spdCompFiltStorageType,
            spdCompFiltRowStatus, spdSubFiltSubfilter,
            spdSubFiltSubfilterIsNegated, spdSubFiltLastChanged,
            spdSubFiltStorageType, spdSubFiltRowStatus
        }
        STATUS current
        DESCRIPTION
            "This group is made up of objects from the IPsec Policy
            Compound Filter Table and Sub-Filter Table Group."
        ::= { spdGroups 5 }

    spdStaticFilterGroup OBJECT-GROUP
        OBJECTS { spdTrueFilter }
        STATUS current
        DESCRIPTION
            "The static filter group.  Currently this is just a true
            filter."
        ::= { spdGroups 6 }

    spdIPOffsetFilterGroup OBJECT-GROUP
        OBJECTS {
            spdIpOffFiltOffset, spdIpOffFiltType,
            spdIpOffFiltValue, spdIpOffFiltLastChanged,
            spdIpOffFiltStorageType, spdIpOffFiltRowStatus
        }
        STATUS current
        DESCRIPTION
            "This group is made up of objects from the IPsec Policy IP
            Offset Filter Table."
        ::= { spdGroups 7 }

    spdTimeFilterGroup OBJECT-GROUP
        OBJECTS {
            spdTimeFiltPeriod,
            spdTimeFiltMonthOfYearMask, spdTimeFiltDayOfMonthMask,
            spdTimeFiltDayOfWeekMask, spdTimeFiltTimeOfDayMask,
            spdTimeFiltLastChanged,
            spdTimeFiltStorageType, spdTimeFiltRowStatus
        }
        STATUS current
        DESCRIPTION
            "This group is made up of objects from the IPsec Policy Time
            Filter Table."
        ::= { spdGroups 8 }

    spdIpsoHeaderFilterGroup OBJECT-GROUP
        OBJECTS {
            spdIpsoHeadFiltType, spdIpsoHeadFiltClassification,
            spdIpsoHeadFiltProtectionAuth, spdIpsoHeadFiltLastChanged,
            spdIpsoHeadFiltStorageType, spdIpsoHeadFiltRowStatus
        }
        STATUS current
        DESCRIPTION
            "This group is made up of objects from the IPsec Policy IPSO
            Header Filter Table."
        ::= { spdGroups 9 }

    --
    -- action compliance groups
    --

    spdStaticActionGroup OBJECT-GROUP
        OBJECTS {
            spdDropAction, spdAcceptAction,
            spdDropActionLog, spdAcceptActionLog
        }
        STATUS current
        DESCRIPTION
            "This group is made up of objects from the IPsec Policy
            Static Actions."
        ::= { spdGroups 10 }

    spdCompoundActionGroup OBJECT-GROUP
        OBJECTS {
            spdCompActExecutionStrategy, spdCompActLastChanged,
            spdCompActStorageType,
            spdCompActRowStatus, spdSubActSubActionName,
            spdSubActLastChanged, spdSubActStorageType,
            spdSubActRowStatus
        }
        STATUS current
        DESCRIPTION
            "The IPsec Policy Compound Action Table and Actions In
            Compound Action Table Group."
        ::= { spdGroups 11 }

    spdActionLoggingObjectGroup OBJECT-GROUP
        OBJECTS {
            spdActionExecuted,
            spdIPEndpointAddType, spdIPEndpointAddress,
            spdIPSourceType, spdIPSourceAddress,
            spdIPDestinationType, spdIPDestinationAddress,
            spdPacketDirection, spdPacketPart
        }
        STATUS current
        DESCRIPTION
            "This group is made up of all the Notification objects for
            this MIB."
        ::= { spdGroups 12 }

    spdActionNotificationGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
            spdActionNotification,
            spdPacketNotification
        }
        STATUS current
        DESCRIPTION
            "This group is made up of all the Notifications for this
            MIB."
        ::= { spdGroups 13 }

    END

7.  Security Considerations

7.1.  Introduction

   This document defines a MIB module used to configure IPsec policy
   services.  Since IPsec provides network security services, all of its
   configuration data (i.e., this entire MIB) SHOULD be at least as
   secure as any of the security services IPsec provides.  There are two
   main threats to protect against when configuring IPsec devices.

   1.  Malicious Configuration: This MIB configures network security
       services.  If an attacker has SET access to any part of this MIB,
       the network security services configured by this MIB SHOULD be
       considered broken.  Network data sent through the associated
       gateway should no longer be considered protected by IPsec (i.e.,
       it is no longer confidential or authenticated).  Therefore, only
       the official administrators SHOULD be allowed to configure a
       device.  In other words, administrators' identities SHOULD be
       authenticated and their access rights checked before they are
       allowed to perform device configuration.  Supporting SET
       operations on the SPD MIB in a non-secure environment, without
       proper protection, invalidates the security of the network
       traffic affected by the SPD MIB.

   2.  Disclosure of Configuration: In general, malicious parties SHOULD
       NOT be able to read security configuration data while the data is
       in network transit.  An attacker reading the configuration data
       may be able to find misconfigurations in the MIB that enable
       attacks on the network or on the configured node.  Since this
       entire MIB is used for security configuration, it is highly
       RECOMMENDED that only authorized administrators be allowed to
       view data in this MIB.  In particular, malicious users SHOULD be
       prevented from reading SNMP packets containing this MIB's data.
       SNMP GET data SHOULD be encrypted when sent across the network.
       Also, only authorized administrators SHOULD be allowed SNMP GET
       access to any of the MIB objects.

   SNMP versions prior to SNMPv3 do not include adequate security.  Even
   if the network itself is secure (e.g., by using IPsec), earlier
   versions of SNMP have virtually no control over who on the secure
   network is allowed to access (i.e., read/change/create/delete) the
   objects in this MIB module.

   It is RECOMMENDED that implementers use the security features
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to GET or SET (change/create/delete) them.

   Therefore, when configuring data in the IPSEC-SPD-MIB, you SHOULD use
   SNMP version 3.  The rest of this discussion assumes the use of
   SNMPv3.  This is a real strength, because it allows administrators to
   load new IPsec configuration on a device and keep the conversation
   private and authenticated under the protection of SNMPv3 before any
   IPsec protections are available.  Once the initial IPsec
   configuration of a device has been established, it is possible to set
   up IPsec SAs that in turn provide confidentiality and integrity
   services to the configuration conversation.  This may seem redundant
   at first, but it has a use for added privacy protection, as shown
   below.

7.2.  Protecting against unauthenticated access

   The SNMPv3 User-based Security Model (USM) provides key-based user
   authentication.  Typically, keys are derived from passwords (but are
   not required to be), and the keys are then used in HMAC algorithms
   (currently HMAC-MD5-96 and HMAC-SHA-96 are defined) to authenticate
   all SNMP data.  Each SNMP device keeps a (configured) list of users
   and keys.  Under SNMPv3, user keys may be updated as often as an
   administrator cares to have users enter new passwords.  Perfect
   Forward Secrecy for user keys in SNMPv3 is not yet provided by
   standards track documents, although RFC 2786 defines an experimental
   Diffie-Hellman method of doing so.

7.3.  Protecting against involuntary disclosure

   While sending IPsec configuration data to a Policy Enforcement Point
   (PEP), there are a few critical parameters which MUST NOT be observed
   by third parties.  Specifically, except for public keys, keying
   information MUST NOT be allowed to be observed by third parties.
   This includes IKE pre-shared keys and possibly the private key of a
   public/private key pair for use in a PKI.  Were either of those
   parameters known to a third party, it could then impersonate the
   device to other IKE peers.  Aside from those critical parameters,
   policy administrators have an interest in not divulging any of their
   policy configuration.  Any knowledge about a device's configuration
   could help an unfriendly party compromise that device.  SNMPv3 offers
   privacy security services, but the only encryption algorithm defined
   in the original USM specification is DES.  As of October 2006, a
   stronger standards track algorithm is available: AES [RFC3826].
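   The following is an added worked example, not code from this draft
   or from any of its authors' implementations, of the USM key handling
   that section 7.2 describes and that the privacy-strength comparison
   in section 7.3 rests on.  It implements, with the Python standard
   library only, the RFC 3414 password-to-key expansion and key
   localization, the 96-bit truncated HMAC carried in
   msgAuthenticationParameters, and the slice of the localized privacy
   key that each cipher actually uses (8 octets for CBC-DES per RFC
   3414, 16 octets for AES-128 per RFC 3826).  The password
   "maplesyrup" and the 12-octet engine ID are the test vector from RFC
   3414 Appendix A; the message bytes are constructed for illustration
   and are not a real SNMPv3 PDU.

```python
"""SNMPv3 USM key derivation and message authentication (RFC 3414, RFC 3826).

Added worked example; not code from the IPSEC-SPD-MIB draft.  Standard
library only.
"""
import hashlib
import hmac

# RFC 3414 Appendix A.2: the password is repeated until 1,048,576 octets
# have been fed to the hash.  The digest is the "user key" Ku.
EXPAND_LEN = 1_048_576


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku = H(password repeated cyclically to 1 MiB); hash_name is 'md5' or 'sha1'."""
    if not password:
        raise ValueError("USM password must not be empty")
    reps = EXPAND_LEN // len(password) + 1
    expanded = (password * reps)[:EXPAND_LEN]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku), the key an individual agent stores.

    Because Kul depends on the engine ID, a key lifted from one agent's
    configuration does not authenticate the same user to another agent.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_param(kul: bytes, whole_msg: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the serialized message, cut to 96 bits.

    whole_msg is the message with its 12-octet msgAuthenticationParameters
    field already zero-filled, as RFC 3414 section 6.3.1 requires.
    """
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


def verify_auth(kul: bytes, whole_msg: bytes, received: bytes, hash_name: str) -> bool:
    """Constant-time check of a received authentication parameter."""
    return hmac.compare_digest(auth_param(kul, whole_msg, hash_name), received)


def priv_key(kul: bytes, cipher: str) -> bytes:
    """Slice of the localized privacy key that the cipher actually uses.

    CBC-DES (RFC 3414 section 8.1.1.1): the first 8 octets are the DES key,
    56 effective bits.  AES-128 (RFC 3826 section 3.1.2.1): the first 16
    octets are the AES key.  These sizes are why section 7.3 asks for an
    SNMP privacy algorithm at least as strong as the IPsec policy it carries.
    """
    if cipher == "des":
        return kul[:8]
    if cipher == "aes128":
        return kul[:16]
    raise ValueError(f"unsupported privacy cipher: {cipher}")


def demo() -> dict:
    """Run the RFC 3414 Appendix A test vector plus a tamper check."""
    # RFC 3414 A.3 vector: password "maplesyrup", engine ID 00..00 02 (12 octets).
    engine_id = bytes(11) + b"\x02"
    ku = password_to_key(b"maplesyrup", "sha1")
    kul = localize_key(ku, engine_id, "sha1")

    # Constructed stand-in for a serialized message; the trailing 12 zero
    # octets play the role of the zero-filled msgAuthenticationParameters.
    msg = b"\x30\x00constructed-snmpv3-message-with-zeroed-auth-field" + bytes(12)
    tag = auth_param(kul, msg, "sha1")
    tampered = msg[:-13] + b"!" + msg[-12:]   # one payload octet changed

    return {
        "ku_sha1": ku.hex(),
        "kul_sha1": kul.hex(),
        "auth_ok": verify_auth(kul, msg, tag, "sha1"),
        "tamper_detected": not verify_auth(kul, tampered, tag, "sha1"),
        "des_key_octets": len(priv_key(kul, "des")),
        "aes_key_octets": len(priv_key(kul, "aes128")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

   Two points the code makes concrete: the 1 MiB expansion is the only
   work factor standing between an offline attacker and a password-
   derived Ku, so the quality of the administrator's password bounds the
   strength of both the HMAC and the privacy cipher; and localization
   with the engine ID is what keeps a key recovered from one PEP from
   being replayed against another.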
   When configuring IPsec policy using this MIB, policy administrators
   SHOULD use a privacy security service that is at least as strong as
   the desired IPsec policy.  For example, if an administrator were to
   use this MIB to configure an IPsec connection that utilizes an AES
   algorithm, the SNMP communication configuring the connection SHOULD
   be protected by an algorithm as strong as or stronger than that AES
   algorithm; carrying such a policy over DES-protected SNMPv3 would
   make the 56-bit DES key the weakest link.

7.4.  Bootstrapping your configuration

   Most vendors will not ship new products with a default SNMPv3 user/
   password pair, but it is possible.  If a device does ship with a
   default user/password pair, policy administrators SHOULD either
   change the password or configure a new user and delete the default
   user (or, at a minimum, restrict the access of the default user).
   Most SNMPv3 distributions should, ideally, require an out-of-band
   initialization over a trusted medium, such as a local console
   connection.

8.  IANA Considerations

   Only two IANA considerations exist for this document.  The first is
   the node number allocation of the IPSEC-SPD-MIB itself.

   The IPSEC-SPD-MIB also allows for extension action MIBs.  Although
   additional actions are not required to use it, the node spdActions is
   allocated as a subtree under which IANA can define any additional
   actions.  IANA would be responsible for allocating any values under
   this node.  The only restriction is that additional nodes appended to
   spdActions should be in reference to IPSEC-SPD-MIB actions.

9.  Acknowledgments

   Many other people contributed thoughts and ideas that influenced this
   MIB module.  Some special thanks are in order for the following
   people:

      Lindy Foster (Sparta, Inc.)
      John Gillis (ADC)
      Roger Hartmuller (Sparta, Inc.)
      Harrie Hazewinkel
      Jamie Jason (Intel Corporation)
      David Partain (Ericsson)
      Lee Rafalow (IBM)
      Jon Saperia (JDS Consulting)
      Eric Vyncke (Cisco Systems)

10.  References

10.1.  Normative References

   [RFC1108]  Kent, S., "U.S. Department of Defense Security Options for
              the Internet Protocol", RFC 1108, November 1991.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2401]  Kent, S. and R. Atkinson, "Security Architecture for the
              Internet Protocol", RFC 2401, November 1998.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC2863]  McCloghrie, K. and F. Kastenholz, "The Interfaces Group
              MIB", RFC 2863, June 2000.

   [RFC3060]  Moore, B., Ellesson, E., Strassner, J., and A. Westerinen,
              "Policy Core Information Model -- Version 1
              Specification", RFC 3060, February 2001.

   [RFC3289]  Baker, F., Chan, K., and A. Smith, "Management Information
              Base for the Differentiated Services Architecture",
              RFC 3289, May 2002.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3585]  Jason, J., Rafalow, L., and E. Vyncke, "IPsec
              Configuration Policy Information Model", RFC 3585,
              August 2003.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

10.2.  Informative References

   [RFCXXXX]  Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
              Wang, "IPsec Security Policy IPsec Action MIB",
              December 2002.

   [RFCYYYY]  Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
              Wang, "IPsec Security Policy IKE Action MIB",
              December 2002.

   [IPPMWP]   Lortz, V. and L. Rafalow, "IPsec Policy Model White
              Paper", More Info http://www.dmtf.org/specs/cim.html,
              November 2000.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826, June 2004.

Authors' Addresses

   Michael Baer
   Sparta, Inc.
   P.O. Box 72682
   Davis, CA 95617
   US

   Email: baerm@tislabs.com

   Ricky Charlet
   Self

   Email: rcharlet@alumni.calpoly.edu

   Wes Hardaker
   Sparta, Inc.
   P.O. Box 382
   Davis, CA 95617
   US

   Phone: +1 530 792 1913
   Email: hardaker@tislabs.com

   Robert Story
   Revelstone Software
   PO Box 1812
   Tucker, GA 30085
   US

   Email: rstory@sparta.com

   Cliff Wang
   ARO/North Carolina State University
   4300 S. Miami Blvd
   RTP, NC 27709
   US

   Email: cliffwangmail@yahoo.com

Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.
   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).