ipsp working group                                           Man Li
Internet Draft                                                Nokia
Expires January 2002                                  David Arneson
                                                     No Affiliation
                                                         Avri Doria
                                                    Nortel Networks
                                                        Jamie Jason
                                                              Intel
                                                         Cliff Wang
                                                          SmartPipe
                                                          July 2001

                     IPSec Policy Information Base
                    draft-ietf-ipsp-ipsecpib-03.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [1].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

1. Abstract

   This document specifies a set of policy rule classes (PRC) for
   configuring IPSec policy at IPsec-enabled devices. Instances of
   these classes reside in a virtual information store called the
   IPSec Policy Information Base (PIB). The COPS protocol [COPS] with
   extensions for provisioning [COPS-PR] is used to transmit this IPSec
   policy information to IPSec-enabled devices (e.g., security
   gateways). The PRCs defined in this IPSec PIB are intended for use
   by the COPS-PR IPSec client type. They complement the PRCs defined
   in the Framework PIB [FR-PIB].

2. Conventions used in this document

Li, et al                 Expires January, 2002                      1

IPsec Policy Information Base                               July, 2001

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [2].

3. Introduction

   The policy rule classes (PRC) defined in this document contain
   parameters for IKE phase one and phase two negotiations. Details of
   these parameters can be found in [IPSEC-IM], [IKE], [ESP], [AH],
   [DOI], [IPCOMP] and [SPPI]. The PIB defined in this document is
   based on the IPSec configuration policy model [IPSEC-IM]. The rule
   and role approach proposed in [PCIM], which scales to large
   networks, is adopted for distributing IPsec policy over the COPS
   protocol.

4. Operation Overview

   Following the policy framework convention [PCIM], the management
   entity that downloads policy to IPSec-enabled devices will be called
   a Policy Decision Point (PDP) and the target IPSec-enabled devices
   will be called Policy Execution Points (PEP).

   After connecting to a PDP using COPS-PR, a PEP reports to the PDP
   the PIB Provisioning Classes (PRCs) it supports as well as any
   limitations related to the implementations of these classes and
   parameters. The PEP provides the above information using the
   frwkPrcSupportTable and the frwkCompLimitsTable defined in the
   framework PIB [FR-PIB].

   In addition, the PEP also reports the interface type capabilities
   and role combinations it supports using the frwkIfCapSetTable and
   the frwkIfCapSetRoleComboTable. Each row of the frwkIfCapSetTable
   contains a capability set name and a reference to an instance of a
   PRC that describes the capabilities of the interface type. The
   capability instances may reside in the ipSecIfCapsTable or in a
   table defined in another PIB. Each row of the
   frwkIfCapSetRoleComboTable contains an interface capability set name
   and a role combination.

   Based on the interface capabilities and role combinations, the PDP
   provides the PEP with an IPSec PIB that contains the IPSec policy.
   Later on, if the interface capabilities or role combinations of the
   PEP change, the PEP MUST notify the PDP. The PDP will then send a
   new PIB to the PEP.
   In addition, if the policy associated with given interface
   capabilities and role combination changes, the PDP MUST download a
   new IPSec PIB to all the PEPs that have registered with that
   interface capability set and role combination.

   IPsec policy that is pushed down to an individual PEP consists of
   two parts: IKE rules for IKE phase one negotiation and IPsec rules
   for IKE phase two negotiation. These sets of rules may be pushed
   down either together or independently. After a PEP reports its
   interface capabilities and role combinations to a PDP,

   - if the corresponding policy consists of IPsec rules only (i.e.,
     key management is not performed through IKE), the interface
     capability set name and the role combination MUST match those in
     the ipSecRuleTable. For the ipSecActionTable referenced by the
     ipSecRuleTable, the values of the ipSecActionIkeRuleId attribute
     MUST be zero, indicating that no IKE associations are used. As a
     result, the ipSecRuleTable and all subsequently referenced tables
     are pushed down to the PEP.

   - if the corresponding policy consists of IKE rules only, the
     interface capability set name and the role combination MUST match
     those in the ipSecIkeRuleTable. The ipSecIkeEndpointTable
     indicates the peer endpoints with which to establish IKE
     associations. Hence, the ipSecIkeRuleTable and all subsequently
     referenced tables are pushed down to the PEP.

   - if the corresponding policy consists of both IPsec rules and IKE
     rules (i.e., an IKE association is established first and is then
     used for IPsec association negotiation), the interface capability
     set name and the role combination MUST match those in the
     ipSecRuleTable. The ipSecRuleTable, the ipSecIkeRuleTable that is
     referenced by the ipSecRuleTable, and all subsequently referenced
     tables are pushed down to the PEP.

   The following figure shows the relations between the tables with an
   example.
   The IPSec policy in this example contains both IKE and IPSec rules.

   +----------------------+          +------------------------+
   | ipSecSelectorEntries |          | ipSecRuleTableEntries  |
   | Group = 10           |<---------| SelectorGroupId = 10   |
   +----------------------+          | ActionGroupId = 20     |
                                     | IfName = Ether_limit   |
                                     | Role = Finance_X       |
                                     +------------------------+
                                                 |
                                                 v
   +---------------------------+      +------------------------+
   | ipSecIkeRuleEntries       |      | ipSecActionEntries     |
   | Prid = 30                 |      | GroupId = 20           |
   | IkeEndpointGroupId = 40   |<-----| Action = Tunnel        |
   |                           |      | IkeRuleId = 30         |
   +---------------------------+      +------------------------+
               |                                  \
               v                                   v
   +---------------------------+         ipSecAssociation and
   | ipSecIkeEndpointEntries   |         subsequent tables
   | GroupId = 40              |
   +---------------------------+
               |
               v
   ipSecIkeAssociations and
   subsequent tables

4.1 Selector construction

   The ipSecAddressTable specifies individual IP addresses or ranges of
   IP addresses, and the ipSecL4PortTable specifies individual layer 4
   ports or ranges of ports. The ipSecSelectorTable has references to
   these two tables. Each row in the selector table represents multiple
   selectors. These selectors are constructed as follows:

   1. Substitute the ipSecSelectorSrcAddressGroupId with all the IP
      addresses from the ipSecAddressTable whose ipSecAddressGroupId
      matches the ipSecSelectorSrcAddressGroupId.

   2. Substitute the ipSecSelectorDstAddressGroupId with all the IP
      addresses from the ipSecAddressTable whose ipSecAddressGroupId
      matches the ipSecSelectorDstAddressGroupId.

   3. Substitute the ipSecSelectorSrcPortGroupId with all the ports or
      ranges of ports whose ipSecL4PortGroupId matches the
      ipSecSelectorSrcPortGroupId.

   4. Substitute the ipSecSelectorDstPortGroupId with all the ports or
      ranges of ports whose ipSecL4PortGroupId matches the
      ipSecSelectorDstPortGroupId.

   5. Construct all the possible combinations of the above four fields
      together with the ipSecSelectorProtocol attribute to form a list
      of five-tuple selectors.

   Selectors constructed from the same row inherit all the other
   attributes of the row (e.g., ipSecSelectorGranularity).

   The following is an example for building the selectors (only
   relevant fields are shown). Suppose that the ipSecAddressTable is
   populated with the following rows:

      AddrMin     AddrGroupId
      1.2.3.4     1
      1.2.3.18    1
      5.6.7.1     2
      5.6.7.8     2

   For every row in this example, the AddrMax is a zero length octet
   string, indicating that each row specifies a single IP address.

   The ipSecL4PortTable is populated with the following rows:

      PortMin   PortMax   PortGroupId
      112       150       1
      99        99        2

   The PortMax is equal to PortMin in the second row, indicating that
   only a single port is specified.

   The ipSecSelectorTable is populated with:

      SrcAddrGpId  DstAddrGpId  SrcPortGpId  DstPortGpId  Protocol  Order
      1            2            1            1            udp       1
      1            2            2            2            tcp       2

   The following selectors are constructed:

      SrcAddr     DstAddr     Protocol   Port
      1.2.3.4     5.6.7.1     UDP        112-150
      1.2.3.4     5.6.7.8     UDP        112-150
      1.2.3.18    5.6.7.1     UDP        112-150
      1.2.3.18    5.6.7.8     UDP        112-150
      1.2.3.4     5.6.7.1     TCP        99
      1.2.3.4     5.6.7.8     TCP        99
      1.2.3.18    5.6.7.1     TCP        99
      1.2.3.18    5.6.7.8     TCP        99

   The first four selectors are constructed from the first row of the
   selector table, whose order equals 1. They can be ordered in any
   way. However, all of them must be evaluated before the selectors
   constructed from the second row, because the order of the second
   row equals 2.

   The use of references in the ipSecSelectorTable instead of spelling
   out all the IP addresses and port numbers reduces the number of
   bytes being pushed down to the PEP. Grouping of IP addresses and
   layer four ports serves the same purpose.
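   The five-step construction above, carried out in code on the rows of
   the example, as an added illustration that is not part of the draft.
   Table rows are modelled as dicts with the PIB attribute names
   shortened; protocols use IP protocol numbers (17 = UDP, 6 = TCP)
   because ipSecSelectorProtocol is an INTEGER, and a zero protocol
   matches all, as the PIB specifies. The packet-matching helper that
   walks the ordered list is an addition beyond the text.

```python
"""Selector construction from the ipSecSelectorTable (section 4.1)."""
from itertools import product
import ipaddress

# Constructed sample rows reproducing the draft's section 4.1 example.
# AddrMax == "" stands for the zero-length octet string (single address).
ADDRESS_TABLE = [
    {"AddrMin": "1.2.3.4",  "AddrMax": "", "GroupId": 1},
    {"AddrMin": "1.2.3.18", "AddrMax": "", "GroupId": 1},
    {"AddrMin": "5.6.7.1",  "AddrMax": "", "GroupId": 2},
    {"AddrMin": "5.6.7.8",  "AddrMax": "", "GroupId": 2},
]
PORT_TABLE = [
    {"PortMin": 112, "PortMax": 150, "GroupId": 1},  # a range
    {"PortMin": 99,  "PortMax": 99,  "GroupId": 2},  # a single port
]
SELECTOR_TABLE = [
    {"SrcAddrGpId": 1, "DstAddrGpId": 2, "SrcPortGpId": 1, "DstPortGpId": 1,
     "Protocol": 17, "Order": 1, "Granularity": "wide"},
    {"SrcAddrGpId": 1, "DstAddrGpId": 2, "SrcPortGpId": 2, "DstPortGpId": 2,
     "Protocol": 6, "Order": 2, "Granularity": "narrow"},
]


def addresses_in_group(group_id):
    """Steps 1 and 2: every (min, max) address pair whose GroupId matches."""
    return [(r["AddrMin"], r["AddrMax"] or r["AddrMin"])
            for r in ADDRESS_TABLE if r["GroupId"] == group_id]


def ports_in_group(group_id):
    """Steps 3 and 4: every (PortMin, PortMax) pair whose GroupId matches."""
    return [(r["PortMin"], r["PortMax"])
            for r in PORT_TABLE if r["GroupId"] == group_id]


def construct_selectors(selector_table):
    """Step 5: cross product of the four substituted fields plus protocol.

    Selectors from one row inherit that row's other attributes (order,
    granularity). The result is sorted by ipSecSelectorOrder only; the
    relative order of selectors built from the same row is unspecified.
    """
    selectors = []
    for row in selector_table:
        for src, dst, sport, dport in product(
                addresses_in_group(row["SrcAddrGpId"]),
                addresses_in_group(row["DstAddrGpId"]),
                ports_in_group(row["SrcPortGpId"]),
                ports_in_group(row["DstPortGpId"])):
            selectors.append({"src": src, "dst": dst, "sport": sport,
                              "dport": dport, "proto": row["Protocol"],
                              "order": row["Order"],
                              "granularity": row["Granularity"]})
    return sorted(selectors, key=lambda s: s["order"])


def _addr_in_range(addr, lo, hi):
    """Inclusive comparison on the integer value of the addresses."""
    a = int(ipaddress.ip_address(addr))
    return int(ipaddress.ip_address(lo)) <= a <= int(ipaddress.ip_address(hi))


def first_match(selectors, src, dst, proto, sport, dport):
    """Return the first selector (in precedence order) matching the packet,
    or None. Protocol 0 in a selector matches any protocol."""
    for s in selectors:
        if (_addr_in_range(src, *s["src"]) and _addr_in_range(dst, *s["dst"])
                and s["proto"] in (0, proto)
                and s["sport"][0] <= sport <= s["sport"][1]
                and s["dport"][0] <= dport <= s["dport"][1]):
            return s
    return None


if __name__ == "__main__":
    for sel in construct_selectors(SELECTOR_TABLE):
        print(sel["order"], sel["src"][0], sel["dst"][0], sel["proto"],
              sel["sport"], sel["dport"], sel["granularity"])
```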
4.2 Start up condition

   The establishment of IKE or IPsec associations may be triggered in
   several ways, as indicated by ipSecSelectorStartupCondition and
   ipSecIkeEndpointStartupCondition in the ipSecSelectorTable and
   ipSecIkeEndpointTable respectively. The triggers may be:

   OnBoot: the IPsec or IKE association is established after system
   boot. To avoid both endpoints trying to set up the same association,
   only the endpoint whose ipSecSelectorIsOriginator
   (ipSecIkeEndpointIsOriginator) is true can initiate the IPsec (IKE)
   association establishment.

   OnTraffic: the IPsec association is established only when packets
   need to be sent and there are no appropriate security associations
   to protect the packets. If there is no IKE association to protect
   the IPsec association negotiation, an IKE association should be set
   up first.

   OnPolicy: the IPsec or IKE association is established according to
   the ipSecRuleTimePeriodSetTable referenced by the corresponding
   rule. At the time the policy becomes active, only the endpoint whose
   ipSecSelectorIsOriginator (ipSecIkeEndpointIsOriginator) is true
   can initiate the IPsec (IKE) association establishment.

   These triggers are not mutually exclusive.

4.3 Multiple security associations, proposals and transforms

   Multiple IPsec security associations may be established to protect
   the same traffic between two end points. The following figure shows
   an example.

            SA1 (transport mode, H1 <-> H2)
     ==========================================================
     |                                                        |
     |   SA2 (tunnel mode, H1 <-> SG2)                        |
     |   ==========================                           |
     |   |                        |                           |
     H1 ------ (Internet) ------ SG2 ------ (Local ------ H2
                                |           Intranet)        |
                                ------------------------------
                                  admin. boundary (optional)

   H1 and H2 are hosts and SG2 is a security gateway on the local
   Intranet where H2 resides. Suppose that, to protect TCP traffic
   between H1 and H2, an IPsec security association (SA1) in transport
   mode may be established between H1 and H2.
   In addition, an IPsec security association (SA2) in tunnel mode may
   be set up between H1 and SG2. Host H1 then needs to take two actions
   to protect TCP packets that travel from H1 to H2: first protect the
   packets with SA1 and then encapsulate the resulting packets into
   SA2. This requires that the IPSec policy downloaded to H1 contain
   two actions to be applied to packets in order.

   The ipSecRuleIpSecActionGroupId in the ipSecRuleTable is used to
   handle multiple security association establishments or actions. It
   contains references to the actions specified in the
   ipSecActionTable. All the actions in the ipSecActionTable whose
   ipSecActionGroupId matches the ipSecRuleIpSecActionGroupId MUST be
   applied. The ipSecActionOrder indicates the order in which these
   actions should be taken in setting up the security associations.

   During a security association negotiation, the initiating point can
   present multiple proposals in preference order. For an IPsec
   security association, every proposal can contain different
   protocols, e.g., AH, ESP (a single proposal here is equivalent to
   multiple proposal payloads with the same proposal number as
   specified in [ISAKMP]). Different protocols are ANDed. Each
   protocol, in turn, may contain multiple transforms in preference
   order. The responder must select a single proposal and a single
   transform for each protocol.

   Multiple proposals are handled by the ipSecProposalSetTable and
   ipSecIkeProposalSetTable. The ipSecProposalSetOrder and
   ipSecIkeProposalSetOrder in these tables indicate preference.
   Multiple transforms within a protocol are handled by the
   ipSecAhTransformSetTable, ipSecEspTransformSetTable and
   ipSecCompTransformSetTable. The ipSecAhTransformSetOrder,
   ipSecEspTransformSetOrder and ipSecCompTransformSetOrder in these
   tables indicate preferences.
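   The AND/OR semantics of proposals and transforms described above,
   worked through as responder-side selection logic. This is an added
   example, not code from the draft: local policy is modelled after
   the ipSecProposalSetTable (proposals ORed in ipSecProposalSetOrder)
   and the per-protocol transform set tables (transforms ORed in
   *TransformSetOrder), with protocols inside one proposal ANDed. The
   draft does not say whose preference breaks ties, so this code walks
   the initiator's proposals in their offered order and accepts the
   first one the local policy permits (an assumption); transform names
   are constructed labels.

```python
"""Responder proposal/transform selection (section 4.3 semantics)."""

# A proposal maps protocol -> transforms in preference order.
# Constructed sample offer from an initiator, most preferred first.
INITIATOR_PROPOSALS = [
    {"ESP": ["esp-3des-hmac-sha1", "esp-aes128-hmac-sha1"],
     "IPCOMP": ["deflate"]},                       # ESP AND IPComp
    {"ESP": ["esp-aes128-hmac-sha1"]},             # ESP only
    {"AH": ["ah-hmac-md5"], "ESP": ["esp-des-hmac-md5"]},   # AH AND ESP
]

# Constructed responder policy: rows in ipSecProposalSetOrder, each with
# per-protocol transform sets listed in *TransformSetOrder.
RESPONDER_PROPOSAL_SET = [
    {"AH": ["ah-hmac-sha1"], "ESP": ["esp-aes128-hmac-sha1"]},
    {"ESP": ["esp-aes128-hmac-sha1", "esp-aes256-hmac-sha1"]},
]


def select_proposal(offered, policy):
    """Return (index of accepted offered proposal, {protocol: transform})
    or None when nothing is acceptable.

    Because protocols within a proposal are ANDed, an offer is acceptable
    only against a local proposal naming exactly the same protocol set;
    for each protocol exactly one transform is chosen, the first offered
    transform that appears in the local transform set for that protocol.
    """
    for idx, proposal in enumerate(offered):
        for local in policy:
            if set(local) != set(proposal):
                continue  # AND of protocols not satisfied by this row
            chosen = {}
            for proto, transforms in proposal.items():
                acceptable = [t for t in transforms if t in local[proto]]
                if not acceptable:
                    break  # this protocol has no common transform
                chosen[proto] = acceptable[0]
            else:
                return idx, chosen
    return None


if __name__ == "__main__":
    print(select_proposal(INITIATOR_PROPOSALS, RESPONDER_PROPOSAL_SET))
```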
4.4 Credentials for IKE phase one negotiation

   Credentials such as certificates may be exchanged during IKE phase
   one negotiation for authentication purposes. An endpoint can possess
   multiple credentials. How each endpoint obtains its credentials
   (e.g., through PKI) is out of the scope of IPsec policy
   distribution. IPsec policy does specify, however, the acceptable
   peer credentials and the credential sub-fields and their values that
   MUST match.

   The ipSecPeerCredentialTable specifies a group of credentials that
   are considered acceptable for a given peer endpoint. Any one of the
   credentials in a group is acceptable as the IKE peer endpoint
   credential. The ipSecCredentialFieldsTable further specifies, for
   each credential, the sub-fields and values that MUST be matched.

5. Summary of the IPSec PIB

   The IPSec PIB consists of seven groups. Each group and the tables it
   contains are summarized in the following:

5.1 ipSecSelector Group

   This group specifies the selectors for IPSec associations.

5.1.1 ipSecAddressTable

   Specifies IP addresses of endpoints.

5.1.2 ipSecL4PortTable

   Specifies layer four port numbers.

5.1.3 ipSecSelectorTable

   Specifies IPsec selectors. It has references to ipSecAddressTable
   and ipSecL4PortTable for selector construction.

5.2 ipSecAssociation Group

   This group specifies attributes related to IPSec Security
   Associations.

5.2.1 ipSecRuleTable

   Specifies IPsec rules. It references the ipSecSelectorTable and
   ipSecActionTable to indicate that IP packets that match the selector
   SHALL have the IPsec action(s) applied to them. This table also
   references the ipSecRuleTimePeriodSetTable to specify the time
   periods during which a rule is valid.

5.2.2 ipSecActionTable

   Specifies groups of IPsec actions. All actions that have the same
   ipSecActionActionGroupId belong to the same group. Actions in the
   same group MUST be applied in the order specified by
   ipSecActionOrder.
   This table also references ipSecIkeRuleTable to specify rules
   associated with IKE phase one negotiation.

5.2.3 ipSecAssociationTable

   Specifies attributes associated with IPsec associations. It
   references ipSecProposalSetTable to specify associated proposals.

5.2.4 ipSecProposalSetTable

   Specifies IPsec proposal sets. Proposals within a set are ORed with
   preference order.

5.2.5 ipSecProposalTable

   Specifies an IPsec proposal. It has references to ESP, AH and IPComp
   transform sets. Within a proposal, different types of transforms are
   ANDed. Within one type of transform, the choices are ORed with
   preference order.

5.3 ipSecIkeAssociation Group

   This group specifies attributes related to IKE Security
   Associations.

5.3.1 ipSecIkeRuleTable

   Specifies IKE rules. It contains a reference to
   ipSecIkeAssociationTable to specify IKE associated actions. In
   addition, it has a reference to ipSecIkeEndpointTable to specify the
   endpoints to which this PEP can set up IKE associations. This table
   also references ipSecRuleTimePeriodSetTable to specify the time
   periods during which a rule is valid.

5.3.2 ipSecIkeAssociationTable

   Specifies attributes related to IKE associations. It references
   ipSecIkeProposalSetTable to specify associated proposals.

5.3.3 ipSecIkeProposalSetTable

   Specifies IKE proposal sets. Proposals within a set are ORed with
   preference order.

5.3.4 ipSecIkeProposalTable

   Specifies attributes associated with IKE proposals.

5.3.5 ipSecIkeEndpointTable

   Specifies the peer endpoints with which this PEP establishes IKE
   associations according to ipSecIkeEndpointStartupCondition. This
   table also contains a reference to ipSecPeerCredentialTable to
   specify acceptable peer credentials.

5.3.6 ipSecPeerCredentialTable

   Specifies groups of IKE peer credentials. Credentials in a group are
   ORed. In other words, any one of the credentials in a group is
   acceptable as the IKE peer endpoint credential.
   This table also contains a reference to ipSecCredentialFieldsTable
   to further specify sub-field values in a credential that MUST be
   matched.

5.3.7 ipSecCredentialFieldsTable

   Specifies the sub-fields and their values to be matched against peer
   credentials obtained during IKE phase one negotiation. All criteria
   within a group are ANDed.

5.4 ipSecEspTransform Group

   This group specifies attributes related to the ESP Transform.

5.4.1 ipSecEspTransformSetTable

   Specifies ESP transform sets. Within a transform set, the choices
   are ORed with preference order.

5.4.2 ipSecEspTransformTable

   Specifies ESP transforms.

5.5 ipSecAhTransform Group

   This group specifies attributes related to the AH Transform.

5.5.1 ipSecAhTransformSetTable

   Specifies AH transform sets. Within a transform set, the choices are
   ORed with preference order.

5.5.2 ipSecAhTransformTable

   Specifies AH transforms.

5.6 ipSecCompTransform Group

   This group specifies attributes related to the IPSecComp Transform.

5.6.1 ipSecCompTransformSetTable

   Specifies IPComp transform sets. Within a transform set, the choices
   are ORed with preference order.

5.6.2 ipSecCompTransformTable

   Specifies IPComp transforms.

5.7 ipSecPolicyTimePeriod Group

   This group specifies the time periods during which a policy rule is
   valid.

5.7.1 ipSecRuleTimePeriodSetTable

   Specifies multiple time period sets. The ipSecRuleTimePeriodTable
   can specify only a single time period within a day. This table
   enables the specification of multiple time periods within a day by
   grouping them into one set.

5.7.2 ipSecRuleTimePeriodTable

   Specifies the time periods during which a policy rule is valid. The
   values of the first five attributes in a row are ANDed together to
   determine the validity period(s). If any of the five attributes is
   not present, it is treated as always enabled.

5.8 ipSecIfCaps Group

   This group specifies capabilities associated with interface types.
5.8.1 ipSecIfCapsTable

   Specifies capabilities that may be associated with an interface of a
   specific type. The instances of this table are referenced by the
   frwkIfCapSetCapability attribute of the frwkIfCapSetTable [FR-PIB].

6. The IPSec PIB

IPSEC-POLICY-PIB PIB-DEFINITIONS ::= BEGIN

IMPORTS
    Unsigned32, MODULE-IDENTITY, OBJECT-TYPE, TEXTUAL-CONVENTION,
    MODULE-COMPLIANCE, InstanceId, ReferenceId, TagId, TagReferenceId
        FROM COPS-PR-SPPI
    OBJECT-IDENTITY
        FROM SNMPv2-SMI
    TruthValue
        FROM SNMPv2-TC
    -- SnmpAdminString is used by ipSecRuleIfName below
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    RoleCombination
        FROM POLICY-FRAMEWORK-PIB
    OBJECT-GROUP
        FROM SNMPv2-CONF;

ipSecPolicyPib MODULE-IDENTITY
    SUBJECT-CATEGORY { tbd -- IPSec Client Type }
    LAST-UPDATED "200107011800Z"
    ORGANIZATION "IETF ipsp WG"
    CONTACT-INFO "
                  Man Li
                  Nokia
                  5 Wayside Road, Burlington, MA 01803
                  Phone: +1 781 993 3923
                  Email: man.m.li@nokia.com

                  Avri Doria
                  Nortel Networks
                  600 Technology Park Drive
                  Billerica, MA 01821
                  Phone: +1 401 663 5024
                  Email: avri@nortelnetworks.com

                  Jamie Jason
                  Intel Corporation
                  MS JF3-206
                  2111 NE 25th Ave.
                  Hillsboro, OR 97124
                  Phone: +1 503 264 9531
                  Fax:   +1 503 264 9428
                  E-Mail: jamie.jason@intel.com

                  Cliff Wang
                  SmartPipes Inc.
                  Suite 300, 565 Metro Place South
                  Dublin, OH 43017
                  Phone: +1 614 923 6241
                  E-Mail: CWang@smartpipes.com"
    DESCRIPTION
        "This PIB module contains a set of policy rule classes that
        describe IPSec policies."
    ::= { tbd }

ipSecSelector OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies selectors for IPSec associations"
    ::= { ipSecPolicyPib 1 }

ipSecAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to IPSec Security
        Associations"
    ::= { ipSecPolicyPib 2 }

ipSecIkeAssociation OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to IKE Security
        Associations"
    ::= { ipSecPolicyPib 3 }

ipSecEspTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to ESP Transform"
    ::= { ipSecPolicyPib 4 }

ipSecAhTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to AH Transform"
    ::= { ipSecPolicyPib 5 }

ipSecCompTransform OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies attributes related to IPSecComp Transform"
    ::= { ipSecPolicyPib 6 }

ipSecPolicyTimePeriod OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies the time periods during which a policy
        rule is valid"
    ::= { ipSecPolicyPib 7 }

ipSecIfCaps OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies capabilities associated with interface
        types."
    ::= { ipSecPolicyPib 8 }

ipSecPolicyPibConformance OBJECT-IDENTITY
    STATUS current
    DESCRIPTION
        "This group specifies requirements for conformance to the IPsec
        Policy PIB"
    ::= { ipSecPolicyPib 9 }

--
-- The ipSecAddressTable
--

ipSecAddressTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecAddressEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IP addresses."
    INDEX { ipSecAddressPrid }
    UNIQUENESS { ipSecAddressAddressType,
                 ipSecAddressAddrMask,
                 ipSecAddressAddrMin,
                 ipSecAddressAddrMax,
                 ipSecAddressGroupId }
    ::= { ipSecSelector 1 }

ipSecAddressEntry OBJECT-TYPE
    SYNTAX IpSecAddressEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecAddressTable 1 }

IpSecAddressEntry ::= SEQUENCE {
    ipSecAddressPrid          InstanceId,
    ipSecAddressAddressType   INTEGER,
    ipSecAddressAddrMask      OCTET STRING,
    ipSecAddressAddrMin       OCTET STRING,
    ipSecAddressAddrMax       OCTET STRING,
    ipSecAddressGroupId       TagId
}

ipSecAddressPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class."
    ::= { ipSecAddressEntry 1 }

ipSecAddressAddressType OBJECT-TYPE
    SYNTAX INTEGER {
        ipV4-Address(1),
        fqdn(2),
        user-Fqdn(3),
        ipV4-Subnet(4),
        ipV6-Address(5),
        ipV6-Subnet(6),
        ipV4-Address-Range(7),
        ipV6-Address-Range(8),
        der-Asn1-DN(9),
        der-Asn1-GN(10),
        key-Id(11)
    }
    STATUS current
    DESCRIPTION
        "Specifies the address type. This also controls the length of
        the OCTET STRING for the ipSecAddressAddrMask,
        ipSecAddressAddrMin and ipSecAddressAddrMax objects. IPv4
        addresses are octet strings of length 4. IPv6 addresses are
        octet strings of length 16. All other types are octet strings
        of variable length."
    ::= { ipSecAddressEntry 2 }

ipSecAddressAddrMask OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "A mask for the matching of the IP address. A zero bit in the
        mask means that the corresponding bit in the address always
        matches. This attribute MUST be ignored when
        ipSecAddressAddressType is not of IPv4 or IPv6 type."
    ::= { ipSecAddressEntry 3 }

ipSecAddressAddrMin OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Specifies an end point address. The length of the string is
        based upon the address type. For IPv4 address types, this
        attribute is a 4-byte octet string.
        For IPv6 address types, this attribute is a 16-byte octet
        string. For other types of addresses, this attribute is a
        variable length octet string. A value of all zero (e.g., IPv4
        0.0.0.0) accompanied by an ipSecAddressAddrMask of all zero
        means a wild-carded address, i.e., all addresses match."
    ::= { ipSecAddressEntry 4 }

ipSecAddressAddrMax OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "If a range of addresses is being used then this specifies the
        ending address. The type of this address must be the same as
        the ipSecAddressAddrMin. The length of the string is based upon
        the address type. For IPv4 address types, this attribute is a
        4-byte octet string. For IPv6 address types, this attribute is
        a 16-byte octet string. If no range is specified then this
        attribute MUST be a zero length OCTET STRING."
    ::= { ipSecAddressEntry 5 }

ipSecAddressGroupId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "Specifies the group this IP address, address range or subnet
        address belongs to."
    ::= { ipSecAddressEntry 6 }

--
-- The ipSecL4PortTable
--

ipSecL4PortTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecL4PortEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies layer four port numbers."
    INDEX { ipSecL4PortPrid }
    UNIQUENESS { ipSecL4PortPortMin,
                 ipSecL4PortPortMax,
                 ipSecL4PortGroupId }
    ::= { ipSecSelector 2 }

ipSecL4PortEntry OBJECT-TYPE
    SYNTAX IpSecL4PortEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecL4PortTable 1 }

IpSecL4PortEntry ::= SEQUENCE {
    ipSecL4PortPrid       InstanceId,
    ipSecL4PortPortMin    INTEGER,
    ipSecL4PortPortMax    INTEGER,
    ipSecL4PortGroupId    TagId
}

ipSecL4PortPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class"
    ::= { ipSecL4PortEntry 1 }

ipSecL4PortPortMin OBJECT-TYPE
    SYNTAX INTEGER (0..65535)
    STATUS current
    DESCRIPTION
        "Specifies a layer 4 port or the first layer 4 port number of a
        range of ports."
    ::= { ipSecL4PortEntry 2 }

ipSecL4PortPortMax OBJECT-TYPE
    SYNTAX INTEGER (0..65535)
    STATUS current
    DESCRIPTION
        "Specifies the last layer 4 port in the range. If only a single
        port is specified, the value of this attribute must be equal to
        that of ipSecL4PortPortMin. Otherwise, the value of this
        attribute MUST be greater than that specified by
        ipSecL4PortPortMin."
    ::= { ipSecL4PortEntry 3 }

ipSecL4PortGroupId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "Specifies the group this port or port range belongs to."
    ::= { ipSecL4PortEntry 4 }

--
-- The ipSecSelectorTable
--

ipSecSelectorTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecSelectorEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPsec selectors. Each row in the selector table
        represents multiple selectors. These selectors are obtained as
        follows:

        1. Substitute the ipSecSelectorSrcAddressGroupId with all the
           IP addresses from the ipSecAddressTable whose
           ipSecAddressGroupId matches the
           ipSecSelectorSrcAddressGroupId.

        2. Substitute the ipSecSelectorDstAddressGroupId with all the
           IP addresses from the ipSecAddressTable whose
           ipSecAddressGroupId matches the
           ipSecSelectorDstAddressGroupId.

        3. Substitute the ipSecSelectorSrcPortGroupId with all the
           ports or ranges of ports whose ipSecL4PortGroupId matches
           the ipSecSelectorSrcPortGroupId.

        4. Substitute the ipSecSelectorDstPortGroupId with all the
           ports or ranges of ports whose ipSecL4PortGroupId matches
           the ipSecSelectorDstPortGroupId.

        5. Construct all the possible combinations of the above four
           fields together with the ipSecSelectorProtocol attribute to
           form all the five-tuple selectors.

        Selectors constructed from a row inherit all the other
        attributes of the row (e.g., ipSecSelectorGranularity)."
    INDEX { ipSecSelectorPrid }
    UNIQUENESS { ipSecSelectorSrcAddressGroupId,
                 ipSecSelectorSrcPortGroupId,
                 ipSecSelectorDstAddressGroupId,
                 ipSecSelectorDstPortGroupId,
                 ipSecSelectorProtocol,
                 ipSecSelectorGranularity,
                 ipSecSelectorOrder,
                 ipSecSelectorStartupCondition,
                 ipSecSelectorIsOriginator,
                 ipSecSelectorGroupId }
    ::= { ipSecSelector 3 }

ipSecSelectorEntry OBJECT-TYPE
    SYNTAX IpSecSelectorEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecSelectorTable 1 }

IpSecSelectorEntry ::= SEQUENCE {
    ipSecSelectorPrid                InstanceId,
    ipSecSelectorSrcAddressGroupId   TagReferenceId,
    ipSecSelectorSrcPortGroupId      TagReferenceId,
    ipSecSelectorDstAddressGroupId   TagReferenceId,
    ipSecSelectorDstPortGroupId      TagReferenceId,
    ipSecSelectorProtocol            INTEGER,
    ipSecSelectorGranularity         INTEGER,
    ipSecSelectorOrder               Unsigned32,
    ipSecSelectorStartupCondition    BITS,
    ipSecSelectorIsOriginator        TruthValue,
    ipSecSelectorGroupId             TagId
}

ipSecSelectorPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class"
    ::= { ipSecSelectorEntry 1 }

ipSecSelectorSrcAddressGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "Specifies source addresses. All addresses in ipSecAddressTable
        whose ipSecAddressGroupId match this value are included as
        source addresses."
    ::= { ipSecSelectorEntry 2 }

ipSecSelectorSrcPortGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "Specifies source layer 4 port numbers. All ports in
        ipSecL4PortTable whose ipSecL4PortGroupId match this value are
        included."
    ::= { ipSecSelectorEntry 3 }

ipSecSelectorDstAddressGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "Specifies destination addresses. All addresses in
        ipSecAddressTable whose ipSecAddressGroupId match this value
        are included as destination addresses."
    ::= { ipSecSelectorEntry 4 }

ipSecSelectorDstPortGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "Specifies destination layer 4 port numbers. All ports in
        ipSecL4PortTable whose ipSecL4PortGroupId match this value are
        included."
    ::= { ipSecSelectorEntry 5 }

ipSecSelectorProtocol OBJECT-TYPE
    SYNTAX INTEGER (0..255)
    STATUS current
    DESCRIPTION
        "Specifies the IP protocol to match against the packet's
        protocol. A value of zero means match all."
    ::= { ipSecSelectorEntry 6 }

ipSecSelectorGranularity OBJECT-TYPE
    SYNTAX INTEGER {
        wide(1),
        narrow(2)
    }
    STATUS current
    DESCRIPTION
        "Specifies how the security associations established may be
        used. A value of 1 (Wide) indicates that this security
        association may be used by all packets that match the same
        selector that is matched by the packet triggering the
        establishment of this association. A value of 2 (Narrow)
        indicates that this security association can be used only by
        packets that have exactly the same selector attribute values as
        those of the packet triggering the establishment of this
        association."
    ::= { ipSecSelectorEntry 7 }

ipSecSelectorOrder OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the
        selectors within the ipSecSelectorGroup.
        A given precedence order is positioned before one with a
        higher-valued precedence order. All selectors constructed from
        the same row have the same order. The position of selectors
        with the same order is unspecified."
    ::= { ipSecSelectorEntry 8 }

ipSecSelectorStartupCondition OBJECT-TYPE
    SYNTAX BITS {
        onBoot(1),
        onTraffic(2),
        onPolicy(3)
    }
    STATUS current
    DESCRIPTION
        "Specifies the triggering event that causes the rule that
        references this selector to be applied.

        OnBoot (1) means that the rule is triggered after system boot.
        This selector is used as the selector for the IPsec action.

        OnTraffic (2) means that the rule is triggered when packets
        without associated security associations are sent or received.
        This selector is used as the selector for the IPsec action.

        OnPolicy (3) means that the rule is triggered when it becomes
        valid as specified by ipSecRuleTimePeriodGroupTable. This
        selector is used as the selector for the IPsec action."
    ::= { ipSecSelectorEntry 9 }

ipSecSelectorIsOriginator OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "If ipSecSelectorStartupCondition is either onBoot (1) or
        onPolicy (3) and IPsec associations need to be set up, this
        PEP should initiate the establishment if this attribute is
        True. Otherwise, it should wait for the other end to initiate
        the setup."
    ::= { ipSecSelectorEntry 10 }

ipSecSelectorGroupId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "Specifies the group this selector (or these selectors) belongs
        to. Selectors in the same group are provided with the same
        IPsec services."
    ::= { ipSecSelectorEntry 11 }

--
-- The ipSecRuleTable
--

ipSecRuleTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecRuleEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPsec rules."
    INDEX { ipSecRulePrid }
    UNIQUENESS { ipSecRuleIfName,
                 ipSecRuleRoles,
                 ipSecRuleDirection }
    ::= { ipSecAssociation 1 }

ipSecRuleEntry OBJECT-TYPE
    SYNTAX IpSecRuleEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class"
    ::= { ipSecRuleTable 1 }

IpSecRuleEntry ::= SEQUENCE {
    ipSecRulePrid                        InstanceId,
    ipSecRuleIfName                      SnmpAdminString,
    ipSecRuleRoles                       RoleCombination,
    ipSecRuleDirection                   INTEGER,
    ipSecRuleIpSecSelectorGroupId        TagReferenceId,
    ipSecRuleIpSecActionGroupId          TagReferenceId,
    ipSecRuleIpSecRuleTimePeriodGroupId  TagReferenceId
}

ipSecRulePrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class."
    ::= { ipSecRuleEntry 1 }

ipSecRuleIfName OBJECT-TYPE
    SYNTAX SnmpAdminString
    STATUS current
    DESCRIPTION
        "The interface capability set to which this IPSec rule applies.
        The interface capability name specified by this attribute must
        exist in the frwkIfCapSetTable [FR-PIB] prior to association
        with an instance of this class."
    ::= { ipSecRuleEntry 2 }

ipSecRuleRoles OBJECT-TYPE
    SYNTAX RoleCombination
    STATUS current
    DESCRIPTION
        "Specifies the role combination of the interface to which this
        IPSec rule should apply. There must exist an instance in the
        frwkIfCapSetRoleComboTable [FR-PIB] specifying this role
        combination, together with the interface capability set
        specified by ipSecRuleIfName, prior to association with an
        instance of this class."
    ::= { ipSecRuleEntry 3 }

ipSecRuleDirection OBJECT-TYPE
    SYNTAX INTEGER {
        in(1),
        out(2),
        bi-directional(3)
    }
    STATUS current
    DESCRIPTION
        "Specifies the direction of traffic to which this rule should
        apply."
    ::= { ipSecRuleEntry 4 }

ipSecRuleIpSecSelectorGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "Identifies the selectors to be associated with this IPSec
        rule.
        The selectors in the ipSecSelectorTable whose
        ipSecSelectorGroupId matches this attribute are provided with
        the IPSec services specified by this rule."
    ::= { ipSecRuleEntry 5 }

ipSecRuleIpSecActionGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "This attribute identifies the IPsec action group that is
        associated with this rule. Actions specified in ipSecActionTable
        whose ipSecActionActionGroupId match the value of this attribute
        MUST all be applied. The ipSecActionOrder in the
        ipSecActionTable indicates the order in which these actions
        should be taken in setting up the security associations."
    ::= { ipSecRuleEntry 6 }

ipSecRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "This attribute identifies an IPsec rule time period group,
        specified in ipSecRuleTimePeriodGroupTable, that is associated
        with this rule. A value of zero indicates that this IPsec rule
        is always valid."
    ::= { ipSecRuleEntry 7 }

--
-- The ipSecActionTable
--

ipSecActionTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecActionEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies groups of IPsec actions. All actions that have the
        same ipSecActionActionGroupId belong to the same group. Actions
        in the same group MUST be applied in the order specified by
        ipSecActionOrder."
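--
-- Worked example (added here for illustration; it is not part of this
-- draft and every value below is constructed): the rows a PDP would
-- install so that one interface protects outbound traffic with ESP in
-- tunnel mode, and the order in which the PEP follows the references.
-- TagId attributes name a group, TagReferenceId attributes select every
-- row carrying that tag, and ReferenceId attributes point at exactly one
-- row's Prid.
--
--   ipSecRuleTable row         Prid 1, IfName "ext-caps", Roles "edge",
--                              Direction out(2), IpSecSelectorGroupId 100,
--                              IpSecActionGroupId 200,
--                              IpSecRuleTimePeriodGroupId 0 (always valid)
--   ipSecSelectorTable row     Prid 1, SrcAddressGroupId 10,
--                              DstAddressGroupId 11, SrcPortGroupId 20,
--                              DstPortGroupId 21, Protocol 0 (match all),
--                              Granularity wide(1), Order 1,
--                              StartupCondition { onTraffic },
--                              IsOriginator true, GroupId 100
--   ipSecActionTable row       Prid 1, Action tunnel(4),
--                              TunnelEndpointId 5, DfHandling copy(1),
--                              DoLogging false,
--                              IpSecSecurityAssociationId 1,
--                              ActionGroupId 200, Order 1, IkeRuleId 1
--   ipSecAssociationTable row  Prid 1, RefreshThresholdSeconds 80,
--                              RefreshThresholdKilobytes 90,
--                              MinLifetimeSeconds 600,
--                              MinLifetimeKilobytes 0,
--                              TrafficIdleTime 300, UsePfs true,
--                              UseIkeGroup true (DhGroup therefore
--                              ignored), ProposalSetId 300
--   ipSecProposalSetTable rows (SetId 300, ProposalId 1, Order 1)
--                              (SetId 300, ProposalId 2, Order 2)
--
-- For an outbound packet on an interface whose capability set is
-- "ext-caps" and whose role combination is "edge":
--   1. Rule 1 is chosen by (IfName, Roles, Direction). Its selector
--      group is tag 100, so every ipSecSelectorTable row with GroupId
--      100 is tried in ascending ipSecSelectorOrder; selector 1 matches
--      when the packet's addresses fall in address groups 10 and 11 and
--      its ports in port groups 20 and 21, whatever the protocol.
--   2. Action group tag 200 is then applied; its rows run in ascending
--      ipSecActionOrder, except that byPass and discard rows ignore
--      Order. Action 1 is tunnel(4), so TunnelEndpointId 5 MUST name a
--      single-address row of ipSecAddressTable, and both
--      IpSecSecurityAssociationId and IkeRuleId are non-zero (a byPass
--      or discard row would have to carry zero in both).
--   3. The SA parameters come from ipSecAssociationTable row 1, and the
--      IKE phase one parameters from ipSecIkeRuleTable row 1 through its
--      IkeAssiciationId and IkeEndpointGroupId. Proposal set 300 is
--      offered as proposal 1 OR proposal 2, in that order; inside each
--      proposal the ESP, AH and IPComp transform sets are ANDed, and
--      within one transform set the choices are ORed by their order.
--   4. With a negotiated seconds lifetime L and refresh threshold T
--      percent, renegotiation begins at L * T / 100: for L = 3600 and
--      T = 80 that is 2880 s; with T = 100 it waits for expiry at
--      3600 s. A peer offering fewer than MinLifetimeSeconds (600)
--      seconds is refused, and an SA that carries no protected traffic
--      for TrafficIdleTime (300 s) is deleted.
--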
    INDEX { ipSecActionPrid }
    UNIQUENESS {
        ipSecActionAction,
        ipSecActionTunnelEndpointId,
        ipSecActionDfHandling,
        ipSecActionDoLogging,
        ipSecActionIpSecSecurityAssociationId,
        ipSecActionActionGroupId,
        ipSecActionOrder,
        ipSecActionIkeRuleId
    }
    ::= { ipSecAssociation 2 }

ipSecActionEntry OBJECT-TYPE
    SYNTAX IpSecActionEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class."
    ::= { ipSecActionTable 1 }

IpSecActionEntry ::= SEQUENCE {
    ipSecActionPrid                        InstanceId,
    ipSecActionAction                      INTEGER,
    ipSecActionTunnelEndpointId            ReferenceId,
    ipSecActionDfHandling                  INTEGER,
    ipSecActionDoLogging                   TruthValue,
    ipSecActionIpSecSecurityAssociationId  ReferenceId,
    ipSecActionActionGroupId               TagId,
    ipSecActionOrder                       Unsigned32,
    ipSecActionIkeRuleId                   ReferenceId
}

ipSecActionPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class."
    ::= { ipSecActionEntry 1 }

ipSecActionAction OBJECT-TYPE
    SYNTAX INTEGER {
        byPass(1),
        discard(2),
        transport(3),
        tunnel(4)
    }
    STATUS current
    DESCRIPTION
        "Specifies the IPsec action to be applied to the traffic.
        ByPass (1) means that the packet should pass in the clear.
        Discard (2) means that the packet should be denied.
        Transport (3) means that the packet should be protected with a
        security association in transport mode. Tunnel (4) means that
        the packet should be protected with a security association in
        tunnel mode. If Tunnel (4) is specified,
        ipSecActionTunnelEndpointId MUST also be specified."
    ::= { ipSecActionEntry 2 }

ipSecActionTunnelEndpointId OBJECT-TYPE
    SYNTAX ReferenceId
    STATUS current
    DESCRIPTION
        "When ipSecActionAction is tunnel, this attribute specifies the
        IP address of the other end of the tunnel. The address specified
        in ipSecAddressTable whose ipSecAddressPrid matches this value
        is the other end of the tunnel. The address MUST be a single
        endpoint address.
        When ipSecActionAction is not tunnel, this attribute SHALL be
        zero."
    ::= { ipSecActionEntry 3 }

ipSecActionDfHandling OBJECT-TYPE
    SYNTAX INTEGER {
        copy(1),
        set(2),
        clear(3)
    }
    STATUS current
    DESCRIPTION
        "When ipSecActionAction is tunnel, this attribute specifies how
        the DF bit is managed by the tunnel. Copy (1) indicates that the
        DF bit is copied. Set (2) indicates that the DF bit is set.
        Clear (3) indicates that the DF bit is cleared. When
        ipSecActionAction is not tunnel, this attribute SHALL be
        ignored."
    ::= { ipSecActionEntry 4 }

ipSecActionDoLogging OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "Specifies whether an audit message should be logged when the
        discard action is taken."
    ::= { ipSecActionEntry 5 }

ipSecActionIpSecSecurityAssociationId OBJECT-TYPE
    SYNTAX ReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies an IPSec association, specified by
        ipSecAssociationPrid in ipSecAssociationTable, that is
        associated with this action. When ipSecActionAction specifies
        Bypass (1) or Discard (2), this attribute MUST have a value of
        zero. Otherwise, its value MUST be greater than zero."
    ::= { ipSecActionEntry 6 }

ipSecActionActionGroupId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "Specifies the group this action belongs to."
    ::= { ipSecActionEntry 7 }

ipSecActionOrder OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the order in which the actions in this group are
        applied. An action with a lower order number is applied before
        one with a higher order number. When ipSecActionAction specifies
        Bypass (1) or Discard (2), this attribute MUST be ignored."
    ::= { ipSecActionEntry 8 }

ipSecActionIkeRuleId OBJECT-TYPE
    SYNTAX ReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies an IKE rule, specified by
        ipSecIkeRulePrid in ipSecIkeRuleTable, that is associated with
        this IPsec rule.
        A value of zero means that there is no IKE rule associated.
        When ipSecActionAction specifies Bypass (1) or Discard (2),
        this attribute must have a value of zero."
    ::= { ipSecActionEntry 9 }

--
-- The ipSecAssociationTable
--

ipSecAssociationTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecAssociationEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies attributes associated with IPsec associations."
    INDEX { ipSecAssociationPrid }
    UNIQUENESS {
        ipSecAssociationRefreshThresholdSeconds,
        ipSecAssociationRefreshThresholdKilobytes,
        ipSecAssociationMinLifetimeSeconds,
        ipSecAssociationMinLifetimeKilobytes,
        ipSecAssociationTrafficIdleTime,
        ipSecAssociationUsePfs,
        ipSecAssociationVendorId,
        ipSecAssociationUseIkeGroup,
        ipSecAssociationDhGroup,
        ipSecAssociationProposalSetId
    }
    ::= { ipSecAssociation 3 }

ipSecAssociationEntry OBJECT-TYPE
    SYNTAX IpSecAssociationEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class."
    ::= { ipSecAssociationTable 1 }

IpSecAssociationEntry ::= SEQUENCE {
    ipSecAssociationPrid                       InstanceId,
    ipSecAssociationRefreshThresholdSeconds    INTEGER,
    ipSecAssociationRefreshThresholdKilobytes  INTEGER,
    ipSecAssociationMinLifetimeSeconds         Unsigned32,
    ipSecAssociationMinLifetimeKilobytes       Unsigned32,
    ipSecAssociationTrafficIdleTime            Unsigned32,
    ipSecAssociationUsePfs                     TruthValue,
    ipSecAssociationVendorId                   OCTET STRING,
    ipSecAssociationUseIkeGroup                TruthValue,
    ipSecAssociationDhGroup                    Unsigned32,
    ipSecAssociationProposalSetId              TagReferenceId
}

ipSecAssociationPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class."
    ::= { ipSecAssociationEntry 1 }

ipSecAssociationRefreshThresholdSeconds OBJECT-TYPE
    SYNTAX INTEGER (1..100)
    STATUS current
    DESCRIPTION
        "Specifies the percentage of expiration (in other words, the
        refresh threshold) of an
        established SA's seconds lifetime at which to begin
        renegotiation of the SA. A value of 100 means that
        renegotiation does not occur until the seconds lifetime value
        has expired."
    ::= { ipSecAssociationEntry 2 }

ipSecAssociationRefreshThresholdKilobytes OBJECT-TYPE
    SYNTAX INTEGER (1..100)
    STATUS current
    DESCRIPTION
        "Specifies the percentage of expiration of an established SA's
        kilobyte lifetime at which to begin renegotiation of the SA. A
        value of 100 means that renegotiation does not occur until the
        kilobyte lifetime value has expired."
    ::= { ipSecAssociationEntry 3 }

ipSecAssociationMinLifetimeSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the minimum SA seconds lifetime that will be accepted
        from a peer while negotiating an SA based upon this action. A
        value of zero indicates that there is no minimum lifetime
        enforced."
    ::= { ipSecAssociationEntry 4 }

ipSecAssociationMinLifetimeKilobytes OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the minimum kilobyte lifetime that will be accepted
        from a negotiating peer while negotiating an SA based upon this
        action. A value of zero indicates that there is no minimum
        lifetime enforced."
    ::= { ipSecAssociationEntry 5 }

ipSecAssociationTrafficIdleTime OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the amount of time in seconds an SA can remain idle
        (in other words, no traffic protected by the SA) before it is
        deleted. A value of zero indicates that there is no idle time
        detection. The expiration of the SA is determined by the
        expiration of one of the lifetime values."
    ::= { ipSecAssociationEntry 6 }

ipSecAssociationUsePfs OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "If true, PFS SHALL be used when negotiating the phase two IPsec
        SA."
    ::= { ipSecAssociationEntry 7 }

ipSecAssociationVendorId OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Identifies vendor-defined key exchange GroupIDs."
    ::= { ipSecAssociationEntry 8 }

ipSecAssociationUseIkeGroup OBJECT-TYPE
    SYNTAX TruthValue
    STATUS current
    DESCRIPTION
        "If true, the phase two DH group number MUST be the same as
        that of phase 1. Otherwise, the group number specified by the
        ipSecAssociationDhGroup attribute SHALL be used. This attribute
        is ignored if ipSecAssociationUsePfs is false."
    ::= { ipSecAssociationEntry 9 }

ipSecAssociationDhGroup OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "If PFS is used during IKE phase two and
        ipSecAssociationUseIkeGroup is false, this attribute specifies
        the Diffie-Hellman group to use. If the GroupID number is from
        the vendor-specific range (32768-65535), the VendorID qualifies
        the group number. This attribute MUST be ignored if
        ipSecAssociationUsePfs is false."
    ::= { ipSecAssociationEntry 10 }

ipSecAssociationProposalSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies the IPsec proposal set, specified
        in ipSecProposalSetTable, that is associated with this IPsec
        association."
    ::= { ipSecAssociationEntry 11 }

--
-- The ipSecProposalSetTable
--

ipSecProposalSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecProposalSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IPsec proposal sets. Proposals within a set are ORed
        with preference order."
    INDEX { ipSecProposalSetPrid }
    UNIQUENESS {
        ipSecProposalSetProposalSetId,
        ipSecProposalSetProposalId,
        ipSecProposalSetOrder
    }
    ::= { ipSecAssociation 4 }

ipSecProposalSetEntry OBJECT-TYPE
    SYNTAX IpSecProposalSetEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class."
    ::= { ipSecProposalSetTable 1 }

IpSecProposalSetEntry ::= SEQUENCE {
    ipSecProposalSetPrid           InstanceId,
    ipSecProposalSetProposalSetId  TagId,
    ipSecProposalSetProposalId     ReferenceId,
    ipSecProposalSetOrder          Unsigned32
}

ipSecProposalSetPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class."
    ::= { ipSecProposalSetEntry 1 }

ipSecProposalSetProposalSetId OBJECT-TYPE
    SYNTAX TagId
    STATUS current
    DESCRIPTION
        "An integer that identifies an IPsec proposal set."
    ::= { ipSecProposalSetEntry 2 }

ipSecProposalSetProposalId OBJECT-TYPE
    SYNTAX ReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies an IPsec proposal, specified by
        ipSecProposalPrid in ipSecProposalTable, that is included in
        this set."
    ::= { ipSecProposalSetEntry 3 }

ipSecProposalSetOrder OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "An integer that specifies the precedence order of the proposal
        identified by ipSecProposalSetProposalId in a proposal set. The
        proposal set is identified by ipSecProposalSetProposalSetId.
        Proposals within a set are ORed with preference order. A given
        precedence order is positioned before one with a higher-valued
        precedence order."
    ::= { ipSecProposalSetEntry 4 }

--
-- The ipSecProposalTable
--

ipSecProposalTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecProposalEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies an IPsec proposal. It has references to ESP, AH and
        IPComp transform sets. Within a proposal, different types of
        transforms are ANDed. Within one type of transform, the choices
        are ORed with preference order."
    INDEX { ipSecProposalPrid }
    UNIQUENESS {
        ipSecProposalLifetimeKilobytes,
        ipSecProposalLifetimeSeconds,
        ipSecProposalVendorId,
        ipSecProposalEspTransformSetId,
        ipSecProposalAhTransformSetId,
        ipSecProposalCompTransformSetId
    }
    ::= { ipSecAssociation 5 }

ipSecProposalEntry OBJECT-TYPE
    SYNTAX IpSecProposalEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class."
    ::= { ipSecProposalTable 1 }

IpSecProposalEntry ::= SEQUENCE {
    ipSecProposalPrid                InstanceId,
    ipSecProposalLifetimeKilobytes   Unsigned32,
    ipSecProposalLifetimeSeconds     Unsigned32,
    ipSecProposalVendorId            OCTET STRING,
    ipSecProposalEspTransformSetId   TagReferenceId,
    ipSecProposalAhTransformSetId    TagReferenceId,
    ipSecProposalCompTransformSetId  TagReferenceId
}

ipSecProposalPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class."
    ::= { ipSecProposalEntry 1 }

ipSecProposalLifetimeKilobytes OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the kilobyte lifetime for this particular proposal.
        A value of zero indicates that there is no kilobyte lifetime."
    ::= { ipSecProposalEntry 2 }

ipSecProposalLifetimeSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the seconds lifetime for this particular proposal. A
        value of zero indicates that the lifetime value defaults to
        8 hours."
    ::= { ipSecProposalEntry 3 }

ipSecProposalVendorId OBJECT-TYPE
    SYNTAX OCTET STRING
    STATUS current
    DESCRIPTION
        "Identifies vendor-defined transforms."
    ::= { ipSecProposalEntry 4 }

ipSecProposalEspTransformSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies the ESP transform set, specified in
        ipSecEspTransformSetTable, that is associated with this
        proposal."
    ::= { ipSecProposalEntry 5 }

ipSecProposalAhTransformSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies the AH transform set, specified in
        ipSecAhTransformSetTable, that is associated with this
        proposal."
    ::= { ipSecProposalEntry 6 }

ipSecProposalCompTransformSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies the IPComp transform set, specified
        in ipSecCompTransformSetTable, that is associated with this
        proposal."
    ::= { ipSecProposalEntry 7 }

--
-- The ipSecIkeAssociationTable
--

ipSecIkeAssociationTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIkeAssociationEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies attributes related to IKE associations."
    INDEX { ipSecIkeAssociationPrid }
    UNIQUENESS {
        ipSecIkeAssociationRefreshThresholdSeconds,
        ipSecIkeAssociationRefreshThresholdKilobytes,
        ipSecIkeAssociationMinLiftetimeSeconds,
        ipSecIkeAssociationMinLifetimeKilobytes,
        ipSecIkeAssociationTrafficIdleTime,
        ipSecIkeAssociationExchangeMode,
        ipSecIkeAssociationUseIkeIdentityType,
        ipSecIkeAssociationRefreshThresholdDerivedKeys,
        ipSecIkeAssociationIKEProposalSetId
    }
    ::= { ipSecIkeAssociation 6 }

ipSecIkeAssociationEntry OBJECT-TYPE
    SYNTAX IpSecIkeAssociationEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class."
    ::= { ipSecIkeAssociationTable 1 }

IpSecIkeAssociationEntry ::= SEQUENCE {
    ipSecIkeAssociationPrid                         InstanceId,
    ipSecIkeAssociationRefreshThresholdSeconds      INTEGER,
    ipSecIkeAssociationRefreshThresholdKilobytes    INTEGER,
    ipSecIkeAssociationMinLiftetimeSeconds          Unsigned32,
    ipSecIkeAssociationMinLifetimeKilobytes         Unsigned32,
    ipSecIkeAssociationTrafficIdleTime              Unsigned32,
    ipSecIkeAssociationExchangeMode                 INTEGER,
    ipSecIkeAssociationUseIkeIdentityType           INTEGER,
    ipSecIkeAssociationRefreshThresholdDerivedKeys  INTEGER,
    ipSecIkeAssociationIKEProposalSetId             TagReferenceId
}

ipSecIkeAssociationPrid
OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class."
    ::= { ipSecIkeAssociationEntry 1 }

ipSecIkeAssociationRefreshThresholdSeconds OBJECT-TYPE
    SYNTAX INTEGER (1..100)
    STATUS current
    DESCRIPTION
        "Specifies the percentage of expiration (in other words, the
        refresh threshold) of an established SA's seconds lifetime at
        which to begin renegotiation of the SA. A value of 100 means
        that renegotiation does not occur until the seconds lifetime
        value has expired."
    ::= { ipSecIkeAssociationEntry 2 }

ipSecIkeAssociationRefreshThresholdKilobytes OBJECT-TYPE
    SYNTAX INTEGER (1..100)
    STATUS current
    DESCRIPTION
        "Specifies the percentage of expiration of an established SA's
        kilobyte lifetime at which to begin renegotiation of the SA. A
        value of 100 means that renegotiation does not occur until the
        kilobyte lifetime value has expired."
    ::= { ipSecIkeAssociationEntry 3 }

ipSecIkeAssociationMinLiftetimeSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the minimum SA seconds lifetime that will be accepted
        from a peer while negotiating an SA based upon this action. A
        value of zero indicates that there is no minimum lifetime
        enforced."
    ::= { ipSecIkeAssociationEntry 4 }

ipSecIkeAssociationMinLifetimeKilobytes OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the minimum kilobyte lifetime that will be accepted
        from a negotiating peer while negotiating an SA based upon this
        action. A value of zero indicates that there is no minimum
        lifetime enforced."
    ::= { ipSecIkeAssociationEntry 5 }

ipSecIkeAssociationTrafficIdleTime OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the amount of time in seconds an SA may remain idle
        (in other words, no traffic protected by the SA) before it is
        deleted.
        A value of zero indicates that there is no idle time detection.
        The expiration of the SA is determined by the expiration of one
        of the lifetime values."
    ::= { ipSecIkeAssociationEntry 6 }

ipSecIkeAssociationExchangeMode OBJECT-TYPE
    SYNTAX INTEGER {
        baseMode(1),
        mainMode(2),
        aggressiveMode(4)
    }
    STATUS current
    DESCRIPTION
        "Specifies the negotiation mode that the IKE server will use for
        phase one."
    ::= { ipSecIkeAssociationEntry 7 }

ipSecIkeAssociationUseIkeIdentityType OBJECT-TYPE
    SYNTAX INTEGER {
        ipV4-Address(1),
        fqdn(2),
        user-Fqdn(3),
        ipV4-Subnet(4),
        ipV6-Address(5),
        ipV6-Subnet(6),
        ipV4-Address-Range(7),
        ipV6-Address-Range(8),
        der-Asn1-DN(9),
        der-Asn1-GN(10),
        key-Id(11)
    }
    STATUS current
    DESCRIPTION
        "Specifies the type of IKE identity to use during IKE phase one
        negotiation."
    ::= { ipSecIkeAssociationEntry 8 }

ipSecIkeAssociationRefreshThresholdDerivedKeys OBJECT-TYPE
    SYNTAX INTEGER (1..100)
    STATUS current
    DESCRIPTION
        "Specifies the percentage of expiration of an established IKE
        SA's derived keys lifetime at which to begin renegotiation of
        the SA. A value of 100 means that renegotiation does not occur
        until the derived key lifetime value has expired."
    ::= { ipSecIkeAssociationEntry 9 }

ipSecIkeAssociationIKEProposalSetId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies the IKE proposal set, specified in
        ipSecIkeProposalSetTable, that is associated with this IKE
        association."
    ::= { ipSecIkeAssociationEntry 10 }

--
-- The ipSecIkeRuleTable
--

ipSecIkeRuleTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIkeRuleEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IKE rules."
    INDEX { ipSecIkeRulePrid }
    UNIQUENESS {
        ipSecIkeRuleIfName,
        ipSecIkeRuleRoles
    }
    ::= { ipSecIkeAssociation 1 }

ipSecIkeRuleEntry OBJECT-TYPE
    SYNTAX IpSecIkeRuleEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class."
    ::= { ipSecIkeRuleTable 1 }

IpSecIkeRuleEntry ::= SEQUENCE {
    ipSecIkeRulePrid                        InstanceId,
    ipSecIkeRuleIfName                      SnmpAdminString,
    ipSecIkeRuleRoles                       RoleCombination,
    ipSecIkeRuleIkeAssiciationId            ReferenceId,
    ipSecIkeRuleIpSecRuleTimePeriodGroupId  TagReferenceId,
    ipSecIkeRuleIkeEndpointGroupId          TagReferenceId
}

ipSecIkeRulePrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class."
    ::= { ipSecIkeRuleEntry 1 }

ipSecIkeRuleIfName OBJECT-TYPE
    SYNTAX SnmpAdminString
    STATUS current
    DESCRIPTION
        "The interface capability set to which this IKE rule applies.
        The interface capability name specified by this attribute must
        exist in the frwkIfCapSetTable [FR-PIB] prior to association
        with an instance of this class."
    ::= { ipSecIkeRuleEntry 2 }

ipSecIkeRuleRoles OBJECT-TYPE
    SYNTAX RoleCombination
    STATUS current
    DESCRIPTION
        "Specifies the role combination of the interface to which this
        IKE rule should apply. There must exist an instance in the
        frwkIfCapSetRoleComboTable [FR-PIB] specifying this role
        combination, together with the interface capability set
        specified by ipSecIkeRuleIfName, prior to association with an
        instance of this class."
    ::= { ipSecIkeRuleEntry 3 }

ipSecIkeRuleIkeAssiciationId OBJECT-TYPE
    SYNTAX ReferenceId
    STATUS current
    DESCRIPTION
        "This attribute identifies the IKE association, specified by
        ipSecIkeAssociationPrid in ipSecIkeAssociationTable, that is
        associated with this rule."
    ::= { ipSecIkeRuleEntry 4 }

ipSecIkeRuleIpSecRuleTimePeriodGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "This attribute identifies an IPsec rule time period group,
        specified in ipSecRuleTimePeriodGroupTable, that is associated
        with this IKE rule. A value of zero indicates that this IKE
        rule is always valid."
    ::= { ipSecIkeRuleEntry 5 }

ipSecIkeRuleIkeEndpointGroupId OBJECT-TYPE
    SYNTAX TagReferenceId
    STATUS current
    DESCRIPTION
        "An integer that identifies a group of endpoints with which
        this PEP can set up IKE associations. The endpoints specified in
        ipSecIkeEndpointTable whose ipSecIkeEndpointGroupId matches
        this attribute are the endpoints involved."
    ::= { ipSecIkeRuleEntry 6 }

--
-- The ipSecIkeProposalSetTable
--

ipSecIkeProposalSetTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIkeProposalSetEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies IKE proposal sets. Proposals within a set are ORed
        with preference order.
" INDEX { ipSecIkeProposalSetPrid } UNIQUENESS { ipSecIkeProposalSetProposalSetId, ipSecIkeProposalSetProposalId, ipSecIkeProposalSetOrder } ::= { ipSecIkeAssociation 2 } ipSecIkeProposalSetEntry OBJECT-TYPE SYNTAX IpSecIkeProposalSetEntry STATUS current DESCRIPTION "Specifies an instance of this class" ::= { ipSecIkeProposalSetTable 1 } IpSecIkeProposalSetEntry ::= SEQUENCE { ipSecIkeProposalSetPrid InstanceId, ipSecIkeProposalSetProposalSetId TagId, ipSecIkeProposalSetProposalId ReferenceId, ipSecIkeProposalSetOrder Unsigned32 } ipSecIkeProposalSetPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index to uniquely identify an instance of this class" ::= { ipSecIkeProposalSetEntry 1 } ipSecIkeProposalSetProposalSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "An integer that uniquely identifies an IKE proposal set. " ::= { ipSecIkeProposalSetEntry 2 } ipSecIkeProposalSetProposalId OBJECT-TYPE SYNTAX ReferenceId STATUS current DESCRIPTION "An integer that identifies an IKE proposal, specified by ipSecIkeProposalPrid in the ipSecIkeProposalTable, that is included in this set." Li, et al Expires January, 2002 36 IPsec Policy Information Base July, 2001 ::= { ipSecIkeProposalSetEntry 3 } ipSecIkeProposalSetOrder OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "An integer that specifies the precedence order of the proposal identified by ipSecIkeProposalSetProposalId in a proposal set. The proposal set is identified by ipSecIkeProposalSetProposalSetId. Proposals within a set are ORed with preference order. A given precedence order is positioned before one with a higher-valued precedence order." ::= { ipSecIkeProposalSetEntry 4 } -- -- -- The ipSecIkeProposalTable -- ipSecIkeProposalTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecIkeProposalEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies attributes associated with IKE proposals." 
    INDEX { ipSecIkeProposalPrid }
    UNIQUENESS {
        ipSecIkeProposalMaxLifetimeSeconds,
        ipSecIkeProposalMaxLifetimeKilobytes,
        ipSecIkeProposalCipherAlgorithm,
        ipSecIkeProposalHashAlgorithm,
        ipSecIkeProposalAuthenticationMethod,
        ipSecIkeProposalLifetimeDerivedKeys,
        ipSecIkeProposalPrfAlgorithm,
        ipSecIkeProposalVendorId,
        ipSecIkeProposalIkeDhGroup
    }
    ::= { ipSecIkeAssociation 3 }

ipSecIkeProposalEntry OBJECT-TYPE
    SYNTAX IpSecIkeProposalEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class."
    ::= { ipSecIkeProposalTable 1 }

IpSecIkeProposalEntry ::= SEQUENCE {
    ipSecIkeProposalPrid                  InstanceId,
    ipSecIkeProposalMaxLifetimeSeconds    Unsigned32,
    ipSecIkeProposalMaxLifetimeKilobytes  Unsigned32,
    ipSecIkeProposalCipherAlgorithm       INTEGER,
    ipSecIkeProposalHashAlgorithm         INTEGER,
    ipSecIkeProposalAuthenticationMethod  INTEGER,
    ipSecIkeProposalLifetimeDerivedKeys   Unsigned32,
    ipSecIkeProposalPrfAlgorithm          Unsigned32,
    ipSecIkeProposalVendorId              OCTET STRING,
    ipSecIkeProposalIkeDhGroup            Unsigned32
}

ipSecIkeProposalPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class."
    ::= { ipSecIkeProposalEntry 1 }

ipSecIkeProposalMaxLifetimeSeconds OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the seconds lifetime for this particular proposal. A
        value of zero indicates that the lifetime value defaults to
        8 hours."
    ::= { ipSecIkeProposalEntry 2 }

ipSecIkeProposalMaxLifetimeKilobytes OBJECT-TYPE
    SYNTAX Unsigned32
    STATUS current
    DESCRIPTION
        "Specifies the kilobyte lifetime for this particular proposal.
        A value of zero indicates that there is no kilobyte lifetime.
" ::= { ipSecIkeProposalEntry 3 } ipSecIkeProposalCipherAlgorithm OBJECT-TYPE SYNTAX INTEGER { des-CBC(1), idea-CBC(2), blowfish-CBC(3), rc5-R16-B64-CBC(4), tripleDes-CBC(5), cast-CBC(6) } STATUS current DESCRIPTION "Specifies the encryption algorithm to propose for the IKE association." ::= { ipSecIkeProposalEntry 4 } ipSecIkeProposalHashAlgorithm OBJECT-TYPE SYNTAX INTEGER { md5(1), sha-1(2), Li, et al Expires January, 2002 38 IPsec Policy Information Base July, 2001 tiger(3) } STATUS current DESCRIPTION "Specifies the hash algorithm to propose for the IKE association." ::= { ipSecIkeProposalEntry 5 } ipSecIkeProposalAuthenticationMethod OBJECT-TYPE SYNTAX INTEGER { presharedKey(1), dssSignatures(2), rsaSignatures(3), rsaEncryption(4), revisedRsaEncryption(5), kerberos(6) } STATUS current DESCRIPTION "Specifies the authentication method to propose for the IKE association." ::= { ipSecIkeProposalEntry 6 } ipSecIkeProposalLifetimeDerivedKeys OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the number of times the IKE phase one key can be used to derive an IKE phase two key. A value of zero indicates that the number of times an IKE phase one key may be used to derive an IKE phase two key is limited by the seconds and/or kilobyte lifetimes." ::= { ipSecIkeProposalEntry 7 } ipSecIkeProposalPrfAlgorithm OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "Specifies the Psuedo-Random Function (PRF) to propose for the IKE association." ::= { ipSecIkeProposalEntry 8 } ipSecIkeProposalVendorId OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "Identifies vendor-defined key exchange GroupIDs." ::= { ipSecIkeProposalEntry 9 } ipSecIkeProposalIkeDhGroup OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION Li, et al Expires January, 2002 39 IPsec Policy Information Base July, 2001 "Specifies the Diffie-Hellman group to propose for the IKE association. 
        If the GroupID number is from the vendor-specific range
        (32768-65535), the VendorID qualifies the group number."
    ::= { ipSecIkeProposalEntry 10 }

--
-- The ipSecIkeEndpointTable
--

ipSecIkeEndpointTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpSecIkeEndpointEntry
    PIB-ACCESS install
    STATUS current
    DESCRIPTION
        "Specifies the peer endpoints with which this PEP establishes
        IKE associations according to
        ipSecIkeEndpointStartupCondition."
    INDEX { ipSecIkeEndpointPrid }
    UNIQUENESS {
        ipSec IkeEndpointIdentityType,
        ipSecIkeEndpointIdentity,
        ipSecIkeEndpointAddressType,
        ipSecIkeEndpointAddress,
        ipSecIkeEndpointPeerCredentialId,
        ipSecIkeEndpointStartupCondition,
        ipSecIkeEndpointIsOriginator,
        ipSecIkeEndpointGroupId
    }
    ::= { ipSecIkeAssociation 13 }

ipSecIkeEndpointEntry OBJECT-TYPE
    SYNTAX IpSecIkeEndpointEntry
    STATUS current
    DESCRIPTION
        "Specifies an instance of this class."
    ::= { ipSecIkeEndpointTable 1 }

IpSecIkeEndpointEntry ::= SEQUENCE {
    ipSecIkeEndpointPrid              InstanceId,
    ipSecIkeEndpointIdentityType      INTEGER,
    ipSecIkeEndpointIdentity          OCTET STRING,
    ipSecIkeEndpointAddressType       INTEGER,
    ipSecIkeEndpointAddress           OCTET STRING,
    ipSecIkeEndpointPeerCredentialId  TagReferenceId,
    ipSecIkeEndpointStartupCondition  BITS,
    ipSecIkeEndpointIsOriginator      TruthValue,
    ipSecIkeEndpointGroupId           TagId
}

ipSecIkeEndpointPrid OBJECT-TYPE
    SYNTAX InstanceId
    STATUS current
    DESCRIPTION
        "An integer index to uniquely identify an instance of this
        class."
    ::= { ipSecIkeEndpointEntry 1 }

ipSecIkeEndpointIdentityType OBJECT-TYPE
    SYNTAX INTEGER {
        ipV4-Address(1),
        fqdn(2),
        user-Fqdn(3),
        ipV4-Subnet(4),
        ipV6-Address(5),
        ipV6-Subnet(6),
        ipV4-Address-Range(7),
        ipV6-Address-Range(8),
        der-Asn1-DN(9),
        der-Asn1-GN(10),
        key-Id(11)
    }
    STATUS current
    DESCRIPTION
        "Specifies the type of identity that MUST be provided by the
        peer in the ID payload during IKE phase one negotiation."
  ::= { ipSecIkeEndpointEntry 2 }

ipSecIkeEndpointIdentity OBJECT-TYPE
  SYNTAX OCTET STRING
  STATUS current
  DESCRIPTION
    "Specifies the value to be matched with the ID payload provided by
    the peer during IKE phase one negotiation."
  ::= { ipSecIkeEndpointEntry 3 }

ipSecIkeEndpointAddressType OBJECT-TYPE
  SYNTAX INTEGER {
    ipV4(1),
    ipV6(2)
  }
  STATUS current
  DESCRIPTION
    "Specifies the IKE peer endpoint address type. This controls the
    length of the OCTET STRING in ipSecIkeEndpointAddress: IPv4
    addresses (1) are octet strings of length 4, IPv6 addresses (2)
    are octet strings of length 16."
  ::= { ipSecIkeEndpointEntry 4 }

ipSecIkeEndpointAddress OBJECT-TYPE
  SYNTAX OCTET STRING
  STATUS current
  DESCRIPTION
    "Specifies an endpoint address with which this PEP establishes an
    IKE association."
  ::= { ipSecIkeEndpointEntry 5 }

ipSecIkeEndpointPeerCredentialId OBJECT-TYPE
  SYNTAX TagReferenceId
  STATUS current
  DESCRIPTION
    "An integer that identifies a group of credentials. Every
    credential in ipSecPeerCredentialTable whose
    ipSecPeerCredentialGroupId matches this attribute is a member of
    the group. Any one of the credentials in the group is acceptable
    as the IKE peer credential. If no credentials are used, this
    attribute MUST be zero."
  ::= { ipSecIkeEndpointEntry 6 }

ipSecIkeEndpointStartupCondition OBJECT-TYPE
  SYNTAX BITS {
    onBoot(1),
    onTraffic(2),
    onPolicy(3)
  }
  STATUS current
  DESCRIPTION
    "Specifies the triggering event that causes the referenced IKE rule
    to be applied. onBoot(1) means that the rule is triggered after
    system boot. onTraffic(2) means that the rule is triggered when
    packets without associated security associations are sent or
    received. onPolicy(3) means that the rule is triggered when it
    becomes valid as specified by ipSecRuleTimePeriodGroupTable.
" ::= { ipSecIkeEndpointEntry 7 } ipSecIkeEndpointIsOriginator OBJECT-TYPE SYNTAX TruthValue STATUS current DESCRIPTION "If this attribute is true, when IKE associations need to be set up, this PEP SHALL initiate the establishment. Otherwise, it SHALL wait for the other end to initiate the setup." ::= { ipSecIkeEndpointEntry 8 } ipSecIkeEndpointGroupId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "Specifies the group this IKE endpoint belongs to." ::= { ipSecIkeEndpointEntry 9 } -- -- -- The ipSecPeerCredentialTable -- ipSecPeerCredentialTable OBJECT-TYPE Li, et al Expires January, 2002 42 IPsec Policy Information Base July, 2001 SYNTAX SEQUENCE OF IpSecPeerCredentialEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies groups of IKE peer credentials. Credentials in a group are ORed. Any one of the credentials in a group is acceptable as the IKE peer endpoint credential." INDEX { ipSecPeerCredentialPrid } UNIQUENESS { ipSecPeerCredentialCredentialType, ipSecPeerCredentialFieldsGroupId, ipSecPeerCredentialGroupId } ::= { ipSecIkeAssociation 5 } ipSecPeerCredentialEntry OBJECT-TYPE SYNTAX IpSecPeerCredentialEntry STATUS current DESCRIPTION "Specifies an instance of this class" ::= { ipSecPeerCredentialTable 1 } IpSecPeerCredentialEntry ::= SEQUENCE { ipSecPeerCredentialPrid InstanceId, ipSecPeerCredentialCredentialType INTEGER, ipSecPeerCredentialFieldsGroupId TagReferenceId, ipSecPeerCredentialGroupId TagId } ipSecPeerCredentialPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index to uniquely identify an instance of this class" ::= { ipSecPeerCredentialEntry 1 } ipSecPeerCredentialCredentialType OBJECT-TYPE SYNTAX INTEGER { certificateX.509(1), kerberos-ticket(2) } STATUS current DESCRIPTION "Specifies the type of credential to be matched." 
  ::= { ipSecPeerCredentialEntry 2 }

ipSecPeerCredentialFieldsGroupId OBJECT-TYPE
  SYNTAX TagReferenceId
  STATUS current
  DESCRIPTION
    "An integer that identifies a group of matching criteria to be used
    for this peer credential. The criteria in
    ipSecCredentialFieldsTable whose ipSecCredentialFieldsGroupId
    matches this attribute are the criteria to be used. The identified
    criteria are ANDed."
  ::= { ipSecPeerCredentialEntry 3 }

ipSecPeerCredentialGroupId OBJECT-TYPE
  SYNTAX TagId
  STATUS current
  DESCRIPTION
    "Specifies the group this credential belongs to. Credentials in a
    group are ORed: any one of the credentials in a group is
    acceptable as the IKE peer endpoint credential."
  ::= { ipSecPeerCredentialEntry 4 }

--
-- The ipSecCredentialFieldsTable
--

ipSecCredentialFieldsTable OBJECT-TYPE
  SYNTAX SEQUENCE OF IpSecCredentialFieldsEntry
  PIB-ACCESS install
  STATUS current
  DESCRIPTION
    "Specifies the sub-fields and their values to be matched against
    peer credentials obtained during IKE phase one negotiation. All
    criteria within a group are ANDed."
  INDEX { ipSecCredentialFieldsPrid }
  UNIQUENESS {
    ipSecCredentialFieldsName,
    ipSecCredentialFieldsValue,
    ipSecCredentialFieldsGroupId
  }
  ::= { ipSecIkeAssociation 6 }

ipSecCredentialFieldsEntry OBJECT-TYPE
  SYNTAX IpSecCredentialFieldsEntry
  STATUS current
  DESCRIPTION
    "Specifies an instance of this class."
  ::= { ipSecCredentialFieldsTable 1 }

IpSecCredentialFieldsEntry ::= SEQUENCE {
  ipSecCredentialFieldsPrid    InstanceId,
  ipSecCredentialFieldsName    OCTET STRING,
  ipSecCredentialFieldsValue   OCTET STRING,
  ipSecCredentialFieldsGroupId TagId
}

ipSecCredentialFieldsPrid OBJECT-TYPE
  SYNTAX InstanceId
  STATUS current
  DESCRIPTION
    "An integer index to uniquely identify an instance of this class."
  ::= { ipSecCredentialFieldsEntry 1 }

ipSecCredentialFieldsName OBJECT-TYPE
  SYNTAX OCTET STRING
  STATUS current
  DESCRIPTION
    "Specifies the sub-field of the credential to match."
  ::= { ipSecCredentialFieldsEntry 2 }

ipSecCredentialFieldsValue OBJECT-TYPE
  SYNTAX OCTET STRING
  STATUS current
  DESCRIPTION
    "Specifies the value to match against the sub-field named by
    ipSecCredentialFieldsName in a credential."
  ::= { ipSecCredentialFieldsEntry 3 }

ipSecCredentialFieldsGroupId OBJECT-TYPE
  SYNTAX TagId
  STATUS current
  DESCRIPTION
    "Specifies the group this criterion belongs to. All criteria within
    a group are ANDed."
  ::= { ipSecCredentialFieldsEntry 4 }

--
-- The ipSecEspTransformSetTable
--

ipSecEspTransformSetTable OBJECT-TYPE
  SYNTAX SEQUENCE OF IpSecEspTransformSetEntry
  PIB-ACCESS install
  STATUS current
  DESCRIPTION
    "Specifies ESP transform sets. Within a transform set, the choices
    are ORed with preference order."
  INDEX { ipSecEspTransformSetPrid }
  UNIQUENESS {
    ipSecEspTransformSetTransformSetId,
    ipSecEspTransformSetTransformId,
    ipSecEspTransformSetOrder
  }
  ::= { ipSecEspTransform 1 }

ipSecEspTransformSetEntry OBJECT-TYPE
  SYNTAX IpSecEspTransformSetEntry
  STATUS current
  DESCRIPTION
    "Specifies an instance of this class."
  ::= { ipSecEspTransformSetTable 1 }

IpSecEspTransformSetEntry ::= SEQUENCE {
  ipSecEspTransformSetPrid           InstanceId,
  ipSecEspTransformSetTransformSetId TagId,
  ipSecEspTransformSetTransformId    ReferenceId,
  ipSecEspTransformSetOrder          Unsigned32
}

ipSecEspTransformSetPrid OBJECT-TYPE
  SYNTAX InstanceId
  STATUS current
  DESCRIPTION
    "An integer index to uniquely identify an instance of this class."
  ::= { ipSecEspTransformSetEntry 1 }

ipSecEspTransformSetTransformSetId OBJECT-TYPE
  SYNTAX TagId
  STATUS current
  DESCRIPTION
    "An integer that identifies a set of ESP transforms."
  ::= { ipSecEspTransformSetEntry 2 }

ipSecEspTransformSetTransformId OBJECT-TYPE
  SYNTAX ReferenceId
  STATUS current
  DESCRIPTION
    "An integer that identifies an ESP transform, specified by
    ipSecEspTransformPrid in ipSecEspTransformTable, that is included
    in this set."
  ::= { ipSecEspTransformSetEntry 3 }

ipSecEspTransformSetOrder OBJECT-TYPE
  SYNTAX Unsigned32
  STATUS current
  DESCRIPTION
    "An integer that specifies the precedence of the transform
    identified by ipSecEspTransformSetTransformId within the transform
    set identified by ipSecEspTransformSetTransformSetId. Transforms
    within a set are ORed with preference order: a transform with a
    lower-valued precedence is proposed before one with a
    higher-valued precedence."
  ::= { ipSecEspTransformSetEntry 4 }

--
-- The ipSecEspTransformTable
--

ipSecEspTransformTable OBJECT-TYPE
  SYNTAX SEQUENCE OF IpSecEspTransformEntry
  PIB-ACCESS install
  STATUS current
  DESCRIPTION
    "Specifies ESP transforms."
  INDEX { ipSecEspTransformPrid }
  UNIQUENESS {
    ipSecEspTransformIntegrityTransformId,
    ipSecEspTransformCipherTransformId,
    ipSecEspTransformCipherKeyRounds,
    ipSecEspTransformCipherKeyLength,
    ipSecEspTransformUseReplayPrevention,
    ipSecEspTransformReplayPreventionWindowSize
  }
  ::= { ipSecEspTransform 2 }

ipSecEspTransformEntry OBJECT-TYPE
  SYNTAX IpSecEspTransformEntry
  STATUS current
  DESCRIPTION
    "Specifies an instance of this class."
  ::= { ipSecEspTransformTable 1 }

IpSecEspTransformEntry ::= SEQUENCE {
  ipSecEspTransformPrid                       InstanceId,
  ipSecEspTransformIntegrityTransformId       INTEGER,
  ipSecEspTransformCipherTransformId          INTEGER,
  ipSecEspTransformCipherKeyRounds            Unsigned32,
  ipSecEspTransformCipherKeyLength            Unsigned32,
  ipSecEspTransformUseReplayPrevention        TruthValue,
  ipSecEspTransformReplayPreventionWindowSize Unsigned32
}

ipSecEspTransformPrid OBJECT-TYPE
  SYNTAX InstanceId
  STATUS current
  DESCRIPTION
    "An integer index to uniquely identify an instance of this class."
  ::= { ipSecEspTransformEntry 1 }

ipSecEspTransformIntegrityTransformId OBJECT-TYPE
  SYNTAX INTEGER {
    none(0),
    hmacMd5(1),
    hmacSha(2),
    desMac(3),
    kpdk(4)
  }
  STATUS current
  DESCRIPTION
    "Specifies the ESP integrity algorithm to propose."
  ::= { ipSecEspTransformEntry 2 }

ipSecEspTransformCipherTransformId OBJECT-TYPE
  SYNTAX INTEGER {
    desIV64(1),
    des(2),
    tripleDES(3),
    rc5(4),
    idea(5),
    cast(6),
    blowfish(7),
    tripleIDEA(8),
    desIV32(9),
    rc4(10),
    null(11)
  }
  STATUS current
  DESCRIPTION
    "Specifies the ESP cipher/encryption algorithm to propose."
  ::= { ipSecEspTransformEntry 3 }

ipSecEspTransformCipherKeyRounds OBJECT-TYPE
  SYNTAX Unsigned32
  STATUS current
  DESCRIPTION
    "Specifies the number of key rounds for the ESP cipher algorithm
    specified by ipSecEspTransformCipherTransformId."
  ::= { ipSecEspTransformEntry 4 }

ipSecEspTransformCipherKeyLength OBJECT-TYPE
  SYNTAX Unsigned32
  STATUS current
  DESCRIPTION
    "Specifies the length of the ESP cipher key in bits."
  ::= { ipSecEspTransformEntry 5 }

ipSecEspTransformUseReplayPrevention OBJECT-TYPE
  SYNTAX TruthValue
  STATUS current
  DESCRIPTION
    "Specifies whether anti-replay detection is enabled."
  ::= { ipSecEspTransformEntry 6 }

ipSecEspTransformReplayPreventionWindowSize OBJECT-TYPE
  SYNTAX Unsigned32
  STATUS current
  DESCRIPTION
    "Specifies the length, in packets, of the window used by the
    anti-replay detection mechanism."
  ::= { ipSecEspTransformEntry 7 }

--
-- The ipSecAhTransformSetTable
--

ipSecAhTransformSetTable OBJECT-TYPE
  SYNTAX SEQUENCE OF IpSecAhTransformSetEntry
  PIB-ACCESS install
  STATUS current
  DESCRIPTION
    "Specifies AH transform sets. Within a transform set, the choices
    are ORed with preference order."
  INDEX { ipSecAhTransformSetPrid }
  UNIQUENESS {
    ipSecAhTransformSetTransformSetId,
    ipSecAhTransformSetTransformId,
    ipSecAhTransformSetOrder
  }
  ::= { ipSecAhTransform 1 }

ipSecAhTransformSetEntry OBJECT-TYPE
  SYNTAX IpSecAhTransformSetEntry
  STATUS current
  DESCRIPTION
    "Specifies an instance of this class."
  ::= { ipSecAhTransformSetTable 1 }

IpSecAhTransformSetEntry ::= SEQUENCE {
  ipSecAhTransformSetPrid           InstanceId,
  ipSecAhTransformSetTransformSetId TagId,
  ipSecAhTransformSetTransformId    ReferenceId,
  ipSecAhTransformSetOrder          Unsigned32
}

ipSecAhTransformSetPrid OBJECT-TYPE
  SYNTAX InstanceId
  STATUS current
  DESCRIPTION
    "An integer index to uniquely identify an instance of this class."
  ::= { ipSecAhTransformSetEntry 1 }

ipSecAhTransformSetTransformSetId OBJECT-TYPE
  SYNTAX TagId
  STATUS current
  DESCRIPTION
    "An integer that identifies an AH transform set."
  ::= { ipSecAhTransformSetEntry 2 }

ipSecAhTransformSetTransformId OBJECT-TYPE
  SYNTAX ReferenceId
  STATUS current
  DESCRIPTION
    "An integer that identifies an AH transform, specified by
    ipSecAhTransformPrid in ipSecAhTransformTable, that is included in
    this set."
  ::= { ipSecAhTransformSetEntry 3 }

ipSecAhTransformSetOrder OBJECT-TYPE
  SYNTAX Unsigned32
  STATUS current
  DESCRIPTION
    "An integer that specifies the precedence of the transform
    identified by ipSecAhTransformSetTransformId within the transform
    set identified by ipSecAhTransformSetTransformSetId. Transforms
    within a set are ORed with preference order: a transform with a
    lower-valued precedence is proposed before one with a
    higher-valued precedence."
  ::= { ipSecAhTransformSetEntry 4 }

--
-- The ipSecAhTransformTable
--

ipSecAhTransformTable OBJECT-TYPE
  SYNTAX SEQUENCE OF IpSecAhTransformEntry
  PIB-ACCESS install
  STATUS current
  DESCRIPTION
    "Specifies AH transforms."
  INDEX { ipSecAhTransformPrid }
  UNIQUENESS {
    ipSecAhTransformTransformId,
    ipSecAhTransformUseReplayPrevention,
    ipSecAhTransformReplayPreventionWindowSize
  }
  ::= { ipSecAhTransform 2 }

ipSecAhTransformEntry OBJECT-TYPE
  SYNTAX IpSecAhTransformEntry
  STATUS current
  DESCRIPTION
    "Specifies an instance of this class."
  ::= { ipSecAhTransformTable 1 }

IpSecAhTransformEntry ::= SEQUENCE {
  ipSecAhTransformPrid                       InstanceId,
  ipSecAhTransformTransformId                INTEGER,
  ipSecAhTransformUseReplayPrevention        TruthValue,
  ipSecAhTransformReplayPreventionWindowSize Unsigned32
}

ipSecAhTransformPrid OBJECT-TYPE
  SYNTAX InstanceId
  STATUS current
  DESCRIPTION
    "An integer index to uniquely identify an instance of this class."
  ::= { ipSecAhTransformEntry 1 }

ipSecAhTransformTransformId OBJECT-TYPE
  SYNTAX INTEGER {
    md5(2),
    sha-1(3),
    des(4)
  }
  STATUS current
  DESCRIPTION
    "Specifies the AH hash algorithm to propose."
  ::= { ipSecAhTransformEntry 2 }

ipSecAhTransformUseReplayPrevention OBJECT-TYPE
  SYNTAX TruthValue
  STATUS current
  DESCRIPTION
    "Specifies whether anti-replay detection is enabled."
  ::= { ipSecAhTransformEntry 3 }

ipSecAhTransformReplayPreventionWindowSize OBJECT-TYPE
  SYNTAX Unsigned32
  STATUS current
  DESCRIPTION
    "Specifies the length, in packets, of the window used by the
    anti-replay detection mechanism."
  ::= { ipSecAhTransformEntry 4 }

--
-- The ipSecCompTransformSetTable
--

ipSecCompTransformSetTable OBJECT-TYPE
  SYNTAX SEQUENCE OF IpSecCompTransformSetEntry
  PIB-ACCESS install
  STATUS current
  DESCRIPTION
    "Specifies IPComp transform sets. Within a transform set, the
    choices are ORed with preference order."
  INDEX { ipSecCompTransformSetPrid }
  UNIQUENESS {
    ipSecCompTransformSetTransformSetId,
    ipSecCompTransformSetTransformId,
    ipSecCompTransformSetOrder
  }
  ::= { ipSecCompTransform 1 }

ipSecCompTransformSetEntry OBJECT-TYPE
  SYNTAX IpSecCompTransformSetEntry
  STATUS current
  DESCRIPTION
    "Specifies an instance of this class."
  ::= { ipSecCompTransformSetTable 1 }

IpSecCompTransformSetEntry ::= SEQUENCE {
  ipSecCompTransformSetPrid           InstanceId,
  ipSecCompTransformSetTransformSetId TagId,
  ipSecCompTransformSetTransformId    ReferenceId,
  ipSecCompTransformSetOrder          Unsigned32
}

ipSecCompTransformSetPrid OBJECT-TYPE
  SYNTAX InstanceId
  STATUS current
  DESCRIPTION
    "An integer index to uniquely identify an instance of this class."
  ::= { ipSecCompTransformSetEntry 1 }

ipSecCompTransformSetTransformSetId OBJECT-TYPE
  SYNTAX TagId
  STATUS current
  DESCRIPTION
    "An integer that identifies an IPComp transform set."
  ::= { ipSecCompTransformSetEntry 2 }

ipSecCompTransformSetTransformId OBJECT-TYPE
  SYNTAX ReferenceId
  STATUS current
  DESCRIPTION
    "An integer that identifies an IPComp transform, specified by
    ipSecCompTransformPrid in ipSecCompTransformTable, that is
    included in this set."
  ::= { ipSecCompTransformSetEntry 3 }

ipSecCompTransformSetOrder OBJECT-TYPE
  SYNTAX Unsigned32
  STATUS current
  DESCRIPTION
    "An integer that specifies the precedence of the transform
    identified by ipSecCompTransformSetTransformId within the
    transform set identified by ipSecCompTransformSetTransformSetId.
    Transforms within a set are ORed with preference order: a
    transform with a lower-valued precedence is proposed before one
    with a higher-valued precedence."
  ::= { ipSecCompTransformSetEntry 4 }

--
-- The ipSecCompTransformTable
--

ipSecCompTransformTable OBJECT-TYPE
  SYNTAX SEQUENCE OF IpSecCompTransformEntry
  PIB-ACCESS install
  STATUS current
  DESCRIPTION
    "Specifies IPComp transforms."
  INDEX { ipSecCompTransformPrid }
  UNIQUENESS {
    ipSecCompTransformAlgorithm,
    ipSecCompTransformDictionarySize,
    ipSecCompTransformPrivateAlgorithm
  }
  ::= { ipSecCompTransform 2 }

ipSecCompTransformEntry OBJECT-TYPE
  SYNTAX IpSecCompTransformEntry
  STATUS current
  DESCRIPTION
    "Specifies an instance of this class."
  ::= { ipSecCompTransformTable 1 }

IpSecCompTransformEntry ::= SEQUENCE {
  ipSecCompTransformPrid             InstanceId,
  ipSecCompTransformAlgorithm        INTEGER,
  ipSecCompTransformDictionarySize   Unsigned32,
  ipSecCompTransformPrivateAlgorithm Unsigned32
}

ipSecCompTransformPrid OBJECT-TYPE
  SYNTAX InstanceId
  STATUS current
  DESCRIPTION
    "An integer index to uniquely identify an instance of this class."
  ::= { ipSecCompTransformEntry 1 }

ipSecCompTransformAlgorithm OBJECT-TYPE
  SYNTAX INTEGER {
    oui(1),
    deflate(2),
    lzs(3)
  }
  STATUS current
  DESCRIPTION
    "Specifies the IPComp compression algorithm to propose."
  ::= { ipSecCompTransformEntry 2 }

ipSecCompTransformDictionarySize OBJECT-TYPE
  SYNTAX Unsigned32
  STATUS current
  DESCRIPTION
    "Specifies the maximum size of the compression dictionary as a
    base-2 logarithm."
  ::= { ipSecCompTransformEntry 3 }

ipSecCompTransformPrivateAlgorithm OBJECT-TYPE
  SYNTAX Unsigned32
  STATUS current
  DESCRIPTION
    "Specifies the vendor-specific compression algorithm to be used."
  ::= { ipSecCompTransformEntry 4 }

--
-- The ipSecRuleTimePeriodTable
--

ipSecRuleTimePeriodTable OBJECT-TYPE
  SYNTAX SEQUENCE OF IpSecRuleTimePeriodEntry
  PIB-ACCESS install
  STATUS current
  DESCRIPTION
    "Specifies the time periods during which a policy rule is valid.
    The values of the five time attributes of a row
    (ipSecRuleTimePeriodTimePeriod through
    ipSecRuleTimePeriodTimeOfDayMask) are ANDed together to determine
    the validity period(s). If any of the five attributes is not
    present, it is treated as always enabled."
  INDEX { ipSecRuleTimePeriodPrid }
  UNIQUENESS {
    ipSecRuleTimePeriodTimePeriod,
    ipSecRuleTimePeriodMonthOfYearMask,
    ipSecRuleTimePeriodDayOfMonthMask,
    ipSecRuleTimePeriodDayOfWeekMask,
    ipSecRuleTimePeriodTimeOfDayMask,
    ipSecRuleTimePeriodLocalOrUtcTime
  }
  ::= { ipSecPolicyTimePeriod 1 }

ipSecRuleTimePeriodEntry OBJECT-TYPE
  SYNTAX IpSecRuleTimePeriodEntry
  STATUS current
  DESCRIPTION
    "Specifies an instance of this class."
  ::= { ipSecRuleTimePeriodTable 1 }

IpSecRuleTimePeriodEntry ::= SEQUENCE {
  ipSecRuleTimePeriodPrid            InstanceId,
  ipSecRuleTimePeriodTimePeriod      OCTET STRING,
  ipSecRuleTimePeriodMonthOfYearMask OCTET STRING,
  ipSecRuleTimePeriodDayOfMonthMask  OCTET STRING,
  ipSecRuleTimePeriodDayOfWeekMask   OCTET STRING,
  ipSecRuleTimePeriodTimeOfDayMask   OCTET STRING,
  ipSecRuleTimePeriodLocalOrUtcTime  INTEGER
}

ipSecRuleTimePeriodPrid OBJECT-TYPE
  SYNTAX InstanceId
  STATUS current
  DESCRIPTION
    "An integer index to uniquely identify an instance of this class."
  ::= { ipSecRuleTimePeriodEntry 1 }

ipSecRuleTimePeriodTimePeriod OBJECT-TYPE
  SYNTAX OCTET STRING
  STATUS current
  DESCRIPTION
    "An octet string that identifies an overall range of calendar
    dates and times over which a policy rule is valid.
    It reuses the format for an explicit time period defined in RFC
    2445 [ICALENDAR]: a string representing a starting date and time,
    in which the character 'T' indicates the beginning of the time
    portion, followed by the solidus character '/', followed by a
    similar string representing an end date and time. The first date
    indicates the beginning of the range, while the second date
    indicates the end; thus the second date and time must be later
    than the first. Date/times are expressed as substrings of the form
    yyyymmddThhmmss. There are also two special cases:

    - If the first date/time is replaced with the string THISANDPRIOR,
      the policy rule is valid from now until the date/time that
      appears after the '/'.

    - If the second date/time is replaced with the string
      THISANDFUTURE, the policy rule becomes valid on the date/time
      that appears before the '/' and remains valid from that point
      on."
  ::= { ipSecRuleTimePeriodEntry 2 }

ipSecRuleTimePeriodMonthOfYearMask OBJECT-TYPE
  SYNTAX OCTET STRING
  STATUS current
  DESCRIPTION
    "An octet string that specifies the months for which the policy is
    valid. The octet string is structured as follows:

    - a 4-octet length field, indicating the length of the entire
      octet string; this field is always set to 0x00000006 for this
      property;

    - a 2-octet field consisting of 12 bits identifying the 12 months
      of the year, beginning with January and ending with December,
      followed by 4 bits that are always set to '0'. For each month,
      the value '1' indicates that the policy is valid for that month,
      and the value '0' indicates that it is not valid.

    If this property is omitted, the policy rule is treated as valid
    for all twelve months."
  ::= { ipSecRuleTimePeriodEntry 3 }

ipSecRuleTimePeriodDayOfMonthMask OBJECT-TYPE
  SYNTAX OCTET STRING
  STATUS current
  DESCRIPTION
    "An octet string that specifies the days of the month for which
    the policy is valid. The octet string is structured as follows:

    - a 4-octet length field, indicating the length of the entire
      octet string; this field is always set to 0x0000000C for this
      property;

    - an 8-octet field consisting of 31 bits identifying the days of
      the month counting from the beginning, followed by 31 more bits
      identifying the days of the month counting from the end,
      followed by 2 bits that are always set to '0'. For each day, the
      value '1' indicates that the policy is valid for that day, and
      the value '0' indicates that it is not valid.

    For months with fewer than 31 days, the bits corresponding to days
    that the month does not have (counting in both directions) are
    ignored."
  ::= { ipSecRuleTimePeriodEntry 4 }

ipSecRuleTimePeriodDayOfWeekMask OBJECT-TYPE
  SYNTAX OCTET STRING
  STATUS current
  DESCRIPTION
    "An octet string that specifies the days of the week for which the
    policy is valid. The octet string is structured as follows:

    - a 4-octet length field, indicating the length of the entire
      octet string; this field is always set to 0x00000005 for this
      property;

    - a 1-octet field consisting of 7 bits identifying the 7 days of
      the week, beginning with Sunday and ending with Saturday,
      followed by 1 bit that is always set to '0'. For each day of the
      week, the value '1' indicates that the policy is valid for that
      day, and the value '0' indicates that it is not valid."
  ::= { ipSecRuleTimePeriodEntry 5 }

ipSecRuleTimePeriodTimeOfDayMask OBJECT-TYPE
  SYNTAX OCTET STRING
  STATUS current
  DESCRIPTION
    "An octet string that specifies a range of times in a day for
    which the policy is valid.
    It is formatted as follows: a time string beginning with the
    character 'T', followed by the solidus character '/', followed by
    a second time string. The first time indicates the beginning of
    the range, while the second time indicates the end. Times are
    expressed as substrings of the form Thhmmss. The second substring
    normally identifies a later time of day than the first; to allow
    for ranges that span midnight, however, the value of the second
    substring may be smaller than the value of the first. Thus,
    T080000/T210000 identifies the range from 0800 until 2100, while
    T210000/T080000 identifies the range from 2100 until 0800 of the
    following day."
  ::= { ipSecRuleTimePeriodEntry 6 }

ipSecRuleTimePeriodLocalOrUtcTime OBJECT-TYPE
  SYNTAX INTEGER {
    localTime(1),
    utcTime(2)
  }
  STATUS current
  DESCRIPTION
    "Indicates whether the times represented in this row are local
    times or UTC times. There is no provision for mixing local times
    and UTC times: the value of this property applies to all of the
    other time-related properties."
  ::= { ipSecRuleTimePeriodEntry 7 }

--
-- The ipSecRuleTimePeriodSetTable
--

ipSecRuleTimePeriodSetTable OBJECT-TYPE
  SYNTAX SEQUENCE OF IpSecRuleTimePeriodSetEntry
  PIB-ACCESS install
  STATUS current
  DESCRIPTION
    "Specifies sets of time periods. A row of ipSecRuleTimePeriodTable
    can specify only a single time period within a day. This table
    enables the specification of multiple time periods within a day
    by grouping them into one set.
" INDEX { ipSecRuleTimePeriodSetPrid } UNIQUENESS { ipSecRuleTimePeriodSetRuleTimePeriodSetId, ipSecRuleTimePeriodSetRuleTimePeriodId } ::= { ipSecPolicyTimePeriod 2 } ipSecRuleTimePeriodSetEntry OBJECT-TYPE SYNTAX IpSecRuleTimePeriodSetEntry STATUS current DESCRIPTION "Specifies an instance of this class" ::= { ipSecRuleTimePeriodSetTable 1 } IpSecRuleTimePeriodSetEntry ::= SEQUENCE { ipSecRuleTimePeriodSetPrid InstanceId, ipSecRuleTimePeriodSetRuleTimePeriodSetId TagId, ipSecRuleTimePeriodSetRuleTimePeriodId ReferenceId } Li, et al Expires January, 2002 57 IPsec Policy Information Base July, 2001 ipSecRuleTimePeriodSetPrid OBJECT-TYPE SYNTAX InstanceId STATUS current DESCRIPTION "An integer index to uniquely identify an instance of this class" ::= { ipSecRuleTimePeriodSetEntry 1 } ipSecRuleTimePeriodSetRuleTimePeriodSetId OBJECT-TYPE SYNTAX TagId STATUS current DESCRIPTION "An integer that uniquely identifies an ipSecRuleTimePeriod set. " ::= { ipSecRuleTimePeriodSetEntry 2 } ipSecRuleTimePeriodSetRuleTimePeriodId OBJECT-TYPE SYNTAX ReferenceId STATUS current DESCRIPTION "An integer that identifies an ipSecRuleTimePeriod, specified by ipSecRuleTimePeriodPrid in the ipSecRuleTimePeriodTable, that is included in this set." ::= { ipSecRuleTimePeriodSetEntry 3 } -- -- -- The ipSecIfCapsTable -- ipSecIfCapsTable OBJECT-TYPE SYNTAX SEQUENCE OF IpSecIfCapsEntry PIB-ACCESS install STATUS current DESCRIPTION "Specifies capabilities that may be associated with an interface of a specific type. The instances of this table are referenced by the frwkIfCapSetCapability attribute of the frwkIfCapSetTable [FR- PIB]." 
  INDEX { ipSecIfCapsPrid }
  UNIQUENESS {
    ipSecIfCapsDirection,
    ipSecIfCapsMaxActions
  }
  ::= { ipSecIfCaps 1 }

ipSecIfCapsEntry OBJECT-TYPE
  SYNTAX IpSecIfCapsEntry
  STATUS current
  DESCRIPTION
    "Specifies an instance of this class."
  ::= { ipSecIfCapsTable 1 }

IpSecIfCapsEntry ::= SEQUENCE {
  ipSecIfCapsPrid       InstanceId,
  ipSecIfCapsDirection  INTEGER,
  ipSecIfCapsMaxActions Unsigned32
}

ipSecIfCapsPrid OBJECT-TYPE
  SYNTAX InstanceId
  STATUS current
  DESCRIPTION
    "An integer index to uniquely identify an instance of this class."
  ::= { ipSecIfCapsEntry 1 }

ipSecIfCapsDirection OBJECT-TYPE
  SYNTAX INTEGER {
    in(1),
    out(2),
    bi-directional(3)
  }
  STATUS current
  DESCRIPTION
    "Specifies the direction for which the capability applies."
  ::= { ipSecIfCapsEntry 2 }

ipSecIfCapsMaxActions OBJECT-TYPE
  SYNTAX Unsigned32
  STATUS current
  DESCRIPTION
    "Specifies the maximum number of actions an action group may
    contain. Actions that are specified in the ipSecActionTable and
    have the same ipSecActionActionGroupId value belong to the same
    action group. A value of zero indicates that there is no maximum
    limit."
  ::= { ipSecIfCapsEntry 3 }

--
-- Conformance Section
--

ipSecPolicyPibConformanceCompliances OBJECT IDENTIFIER
  ::= { ipSecPolicyPibConformance 1 }
ipSecPolicyPibConformanceGroups OBJECT IDENTIFIER
  ::= { ipSecPolicyPibConformance 2 }

ipSecPibCompliance MODULE-COMPLIANCE
  STATUS current
  DESCRIPTION
    "Compliance statement."
  MODULE
  MANDATORY-GROUPS {
    ipSecAddressGroup,
    ipSecL4PortGroup,
    ipSecSelectorGroup,
    ipSecRuleGroup,
    ipSecActionGroup,
    ipSecAssociationGroup,
    ipSecProposalSetGroup,
    ipSecProposalGroup,
    ipSecIkeAssociationGroup,
    ipSecIkeRuleGroup,
    ipSecIkeProposalSetGroup,
    ipSecIkeProposalGroup,
    ipSecIkeEndpointGroup,
    ipSecPeerCredentialGroup,
    ipSecCredentialFieldsGroup,
    ipSecEspTransformSetGroup,
    ipSecEspTransformGroup,
    ipSecAhTransformSetGroup,
    ipSecAhTransformGroup,
    ipSecCompTransformSetGroup,
    ipSecCompTransformGroup,
    ipSecIfCapsGroup
  }

  GROUP ipSecRuleTimePeriodGroup
  DESCRIPTION
    "The ipSecRuleTimePeriodGroup is mandatory if policy scheduling is
    supported."

  GROUP ipSecRuleTimePeriodSetGroup
  DESCRIPTION
    "The ipSecRuleTimePeriodSetGroup is mandatory if policy scheduling
    is supported."
  ::= { ipSecPolicyPibConformanceCompliances 1 }

ipSecAddressGroup OBJECT-GROUP
  OBJECTS { AddressType, AddrMask, AddrMin, AddrMax, GroupId }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecAddressTable."
  ::= { ipSecPolicyPibConformanceGroups 1 }

ipSecL4PortGroup OBJECT-GROUP
  OBJECTS { PortMin, PortMax, GroupId }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecL4PortTable."
  ::= { ipSecPolicyPibConformanceGroups 2 }

ipSecSelectorGroup OBJECT-GROUP
  OBJECTS { SrcAddressGroupId, SrcPortGroupId, DstAddressGroupId,
            DstPortGroupId, Protocol, Granularity, Order,
            StartupCondition, IsOriginator, GroupId }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecSelectorTable."
  ::= { ipSecPolicyPibConformanceGroups 3 }

ipSecRuleGroup OBJECT-GROUP
  OBJECTS { IfName, Roles, Direction, IpSecSelectorGroupId,
            IpSecActionGroupId, IpSecRuleTimePeriodGroupId }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecRuleTable."
  ::= { ipSecPolicyPibConformanceGroups 4 }

ipSecActionGroup OBJECT-GROUP
  OBJECTS { Action, TunnelEndpointId, DfHandling, DoLogging,
            IpSecSecurityAssociationId, ActionGroupId, Order,
            IkeRuleId }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecActionTable."
  ::= { ipSecPolicyPibConformanceGroups 5 }

ipSecAssociationGroup OBJECT-GROUP
  OBJECTS { RefreshThresholdSeconds, RefreshThresholdKilobytes,
            MinLifetimeSeconds, MinLifetimeKilobytes, TrafficIdleTime,
            UsePfs, VendorId, UseIkeGroup, DhGroup, ProposalSetId }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecSecurityAssociationTable."
  ::= { ipSecPolicyPibConformanceGroups 6 }

ipSecProposalSetGroup OBJECT-GROUP
  OBJECTS { ProposalSetId, ProposalId, Order }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecProposalSetTable."
  ::= { ipSecPolicyPibConformanceGroups 7 }

ipSecProposalGroup OBJECT-GROUP
  OBJECTS { LifetimeKilobytes, LifetimeSeconds, VendorId,
            EspTransformSetId, AhTransformSetId, CompTransformSetId }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecProposalTable."
  ::= { ipSecPolicyPibConformanceGroups 8 }

ipSecIkeAssociationGroup OBJECT-GROUP
  OBJECTS { RefreshThresholdSeconds, RefreshThresholdKilobytes,
            MinLifetimeSeconds, MinLifetimeKilobytes, TrafficIdleTime,
            ExchangeMode, UseIkeIdentityType,
            RefreshThresholdDerivedKeys, IKEProposalSetId }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecIkeAssociationTable."
  ::= { ipSecPolicyPibConformanceGroups 9 }

ipSecIkeRuleGroup OBJECT-GROUP
  OBJECTS { IfName, Roles, IkeAssociationId,
            IpSecRuleTimePeriodGroupId, IkeEndpointGroupId }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecIkeRuleTable."
  ::= { ipSecPolicyPibConformanceGroups 10 }

ipSecIkeProposalSetGroup OBJECT-GROUP
  OBJECTS { ProposalSetId, ProposalId, Order }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecIkeProposalSetTable."
  ::= { ipSecPolicyPibConformanceGroups 11 }

ipSecIkeProposalGroup OBJECT-GROUP
  OBJECTS { MaxLifetimeSeconds, MaxLifetimeKilobytes, CipherAlgorithm,
            HashAlgorithm, AuthenticationMethod, LifetimeDerivedKeys,
            PrfAlgorithm, VendorId, IkeDhGroup }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecIkeProposalTable."
  ::= { ipSecPolicyPibConformanceGroups 12 }

ipSecIkeEndpointGroup OBJECT-GROUP
  OBJECTS { IdentityType, Identity, AddressType, Address,
            PeerCredentialId, StartupCondition, IsOriginator, GroupId }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecIkeEndpointTable."
  ::= { ipSecPolicyPibConformanceGroups 13 }

ipSecPeerCredentialGroup OBJECT-GROUP
  OBJECTS { CredentialType, FieldsGroupId, GroupId }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecPeerCredentialTable."
  ::= { ipSecPolicyPibConformanceGroups 14 }

ipSecCredentialFieldsGroup OBJECT-GROUP
  OBJECTS { Name, Value, GroupId }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecCredentialFieldsTable."
  ::= { ipSecPolicyPibConformanceGroups 15 }

ipSecEspTransformSetGroup OBJECT-GROUP
  OBJECTS { TransformSetId, TransformId, Order }
  STATUS current
  DESCRIPTION
    "Objects from the ipSecEspTransformSetTable."
::= { ipSecPolicyPibConformanceGroups 16 } ipSecEspTransformGroup OBJECT-GROUP OBJECTS { IntegrityTransformId, CipherTransformId, CipherKeyRounds, CipherKeyLength, UseReplayPrevention, ReplayPreventionWindowSize } STATUS current DESCRIPTION " Objects from the ipSecEspTransformTable." ::= { ipSecPolicyPibConformanceGroups 17 } ipSecAhTransformSetGroup OBJECT-GROUP OBJECTS { TransformSetId, TransformId, Order } STATUS current DESCRIPTION " Objects from the ipSecAhTransformSetTable." ::= { ipSecPolicyPibConformanceGroups 18 } ipSecAhTransformGroup OBJECT-GROUP OBJECTS { Li, et al Expires January, 2002 64 IPsec Policy Information Base July, 2001 TransformId, UseReplayPrevention, ReplayPreventionWindowSize } STATUS current DESCRIPTION " Objects from the ipSecAhTransformTable." ::= { ipSecPolicyPibConformanceGroups 19 } ipSecCompTransformSetGroup OBJECT-GROUP OBJECTS { TransformSetId, TransformId, Order } STATUS current DESCRIPTION " Objects from the ipSecCompTransformSetTable." ::= { ipSecPolicyPibConformanceGroups 20 } ipSecCompTransformGroup OBJECT-GROUP OBJECTS { Algorithm, DictionarySize, PrivateAlgorithm } STATUS current DESCRIPTION " Objects from the ipSecCompTransformTable." ::= { ipSecPolicyPibConformanceGroups 21 } ipSecRuleTimePeriodGroup OBJECT-GROUP OBJECTS { TimePeriod, MonthOfYearMask, DayOfMonthMask, DayOfWeekMask, TimeOfDayMask, LocalOrUtcTime } STATUS current DESCRIPTION " The ipSecRuleTimePeriodGroup is mandatory if policy scheduling is supported." ::= { ipSecPolicyPibConformanceGroups 22 } ipSecRuleTimePeriodSetGroup OBJECT-GROUP OBJECTS { RuleTimePeriodSetId, RuleTimePeriodId } STATUS current DESCRIPTION " The ipSecRuleTimePeriodSetGroup is mandatory if policy scheduling is supported." ::= { ipSecPolicyPibConformanceGroups 23 } ipSecIfCapsGroup OBJECT-GROUP Li, et al Expires January, 2002 65 IPsec Policy Information Base July, 2001 OBJECTS { Direction, MaxActions } STATUS current DESCRIPTION " Objects from the ipSecIfCapsTable.." 
    ::= { ipSecPolicyPibConformanceGroups 24 }

END

7. Security Considerations

The PRCs defined in this document carry the IPsec policy itself: traffic selectors, actions, IKE and IPsec proposals, SA lifetimes and peer credentials. A party able to impersonate the PDP, or to modify COPS-PR messages between PDP and PEP, could therefore install a weaker policy at a PEP (for example a more permissive rule, or proposal sets limited to weak transforms) or remove protection from an interface altogether, and a party able to read those messages may learn the contents of the credential tables. Since COPS is used to carry the PIB defined in this document, the security and protection of the information can be provided either by COPS itself or by a combination of COPS and other security protocols, e.g., IPsec or TLS. COPS [COPS] defines a Message Integrity object that provides authentication, message integrity and replay protection between PEP and PDP, but no confidentiality; where disclosure of PIB contents is a concern, the COPS connection should in addition be protected with IPsec or TLS. The security considerations of [COPS] and [COPS-PR] apply to this PIB as well.

8. References

[1] S. Bradner, "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996.

[2] S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[AH] S. Kent, R. Atkinson, "IP Authentication Header", RFC 2402, November 1998.

[ARCH] S. Kent, R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.

[COPS] J. Boyle, R. Cohen, D. Durham, S. Herzog, R. Rajan, A. Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, January 2000.

[COPS-PR] K. Chan, D. Durham, S. Gai, S. Herzog, K. McCloghrie, F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for Policy Provisioning", RFC 3084, March 2001.

[DOI] D. Piper, "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998.

[ESP] S. Kent, R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998.

[FR-PIB] M. Fine, K. McCloghrie, J. Seligson, K. Chan, S. Hahn, A. Smith, F. Reichmeyer, "Framework Policy Information Base", draft-ietf-rap-frameworkpib-04.txt, March 2001.

[ICALENDAR] F. Dawson, D. Stenerson, "Internet Calendaring and Scheduling Core Object Specification (iCalendar)", RFC 2445, November 1998.

[IKE] D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.

[IPCOMP] A. Shacham, R. Monsour, R. Pereira, M. Thomas, "IP Payload Compression Protocol (IPComp)", RFC 2393, August 1998.

[IPSEC-IM] J. Jason, "IPSec Configuration Policy Model", draft-ietf-ipsp-config-policy-model-02.txt, March 2001.

[ISAKMP] D. Maughan, M. Schertler, M. Schneider, J. Turner, "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998.

[PCIM] B. Moore, E. Ellesson, J. Strassner, A. Westerinen, "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001.

[SPPI] K. McCloghrie, M. Fine, J. Seligson, K. Chan, S. Hahn, A. Smith, F. Reichmeyer, "Structure of Policy Provisioning Information", draft-ietf-rap-sppi-07.txt, May 2001.

9. Author's Addresses

Man Li
Nokia
5 Wayside Road, Burlington, MA 01803
Phone: +1 781 993 3923
Email: man.m.li@nokia.com

David Arneson
Email: dla@mediaone.net

Avri Doria
Nortel Networks
600 Technology Park Drive
Billerica, MA 01821
Phone: +1 401 663 5024
Email: avri@nortelnetworks.com

Jamie Jason
Intel Corporation
MS JF3-206
2111 NE 25th Ave.
Hillsboro, OR 97124
Phone: +1 503 264 9531
E-Mail: jamie.jason@intel.com

Cliff Wang
SmartPipes Inc.
Suite 300, 565 Metro Place South
Dublin, OH 43017
Phone: +1 614 923 6241
E-Mail: CWang@smartpipes.com

Full Copyright Statement

"Copyright (C) The Internet Society (date). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into.