IPSP                                                             M. Baer
Internet-Draft                                              Sparta, Inc.
Expires: July 19, 2004                                        R. Charlet
                                                                    Self
                                                             W. Hardaker
                                                            Sparta, Inc.
                                                                R. Story
                                                     Revelstone Software
                                                                 C. Wang
                                                        SmartPipes, Inc.
                                                        January 19, 2004

                  IPsec Security Policy IKE Action MIB
                  draft-ietf-ipsp-ikeaction-mib-00.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on July 19, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document defines an SMIv2 Management Information Base (MIB)
   module for configuring IKE actions for the security policy database
   (SPD) of a device that uses the IPsec Security Policy Database
   Configuration MIB for configuring the IKE protocol actions on that
   device.  The IPSP IKE Action MIB integrates directly with the IPsec
   Security Policy Database Configuration MIB and it is meant to work
   within the framework of an action referenced by that MIB.

Table of Contents

   1.   Introduction
   2.   The Internet-Standard Management Framework
   3.   Relationship to the DMTF Policy Model
   4.   MIB Module Overview
   5.   MIB definition
   6.   Security Considerations
   6.1  Introduction
   6.2  Protecting against in-authentic access
   6.3  Protecting against involuntary disclosure
   6.4  Bootstrapping your configuration
   7.   Acknowledgments
        Normative References
        Informative References
        Authors' Addresses
        Intellectual Property and Copyright Statements

1.  Introduction

   This document defines a MIB module for configuration of an IKE action
   within the IPsec security policy database (SPD).  This module works
   within the framework of the IPsec Security Policy Database
   Configuration MIB (IPSP-SPD-MIB).  It can be referenced as an action
   by the IPSP-SPD-MIB and is used to configure IKE negotiations between
   network devices.

   Companion document [RFCXXXX] documents the IPsec Security Policy
   Database Configuration MIB.  Companion document [RFCYYYY] documents
   the IPsec Security Policy IPsec Action MIB for configuration of
   static IPsec SAs.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).
   This memo specifies a MIB module that is compliant to the SMIv2,
   which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579
   [RFC2579] and STD 58, RFC 2580 [RFC2580].

3.  Relationship to the DMTF Policy Model

   The Distributed Management Task Force (DMTF) has created an object
   oriented model of IPsec policy information known as the IPsec Policy
   Model White Paper [IPPMWP].  The contents of this document are also
   reflected in the "IPsec Configuration Policy Model" (IPCP) [RFC3585].
   This MIB module is a task-specific derivation of the IKE action
   portions of the IPCP for use with SNMPv3.  This includes the necessary
   filter, negotiation, identity and IKE action information required to
   enable IKE negotiation within the IPsec Policy framework.

4.  MIB Module Overview

   The MIB module describes the information necessary to implement IKE
   actions and their associated negotiations referred to by the IPsec
   Security Policy Database Configuration MIB.  A basic understanding of
   IKE, of IPsec processing, of the IPsec Configuration Policy Model and
   of how actions fit into the overall framework of the IPSP-SPD-MIB is
   required to use this MIB properly.

5.  MIB definition
IPSEC-IKEACTION-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32
        FROM SNMPv2-SMI

    TEXTUAL-CONVENTION, RowStatus, TruthValue,
    TimeStamp, StorageType, VariablePointer
        FROM SNMPv2-TC

    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF

    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB

    InetAddressType, InetAddress, InetPortNumber
        FROM INET-ADDRESS-MIB

    spdActions, SpdIPPacketLogging, spdEndGroupIdentType,
    spdEndGroupAddress
        FROM IPSEC-SPD-MIB

    IpsaCredentialType, IpsecDoiIdentType, IpsaIdentityFilter,
    ipsaSharedGroup
        FROM IPSEC-IPSECACTION-MIB
    ;

--
-- module identity
--

ipiaMIB MODULE-IDENTITY
    LAST-UPDATED "200212100000Z"       -- 12 December 2002
    ORGANIZATION "IETF IP Security Policy Working Group"
    CONTACT-INFO "Michael Baer
                  Sparta, Inc.
                  Phone: +1 530 902 3131
                  Email: baerm@tislabs.com

                  Ricky Charlet
                  Email: rcharlet@alumni.calpoly.edu

                  Wes Hardaker
                  Sparta, Inc.
                  P.O. Box 382
                  Davis, CA  95617
                  Phone: +1 530 792 1913
                  Email: hardaker@tislabs.com

                  Robert Story
                  Revelstone Software
                  PO Box 1812
                  Tucker, GA 30085
                  Phone: +1 770 617 3722
                  Email: ipsp-mib@revelstone.com

                  Cliff Wang
                  SmartPipes Inc.
                  Suite 300, 565 Metro Place South
                  Dublin, OH 43017
                  Phone: +1 614 923 6241
                  E-Mail: cliffwang2000@yahoo.com"
    DESCRIPTION
        "The MIB module for defining IKE actions for managing IPsec
         Security Policy.

         Copyright (C) The Internet Society (2003).  This version of
         this MIB module is part of RFC XXXX, see the RFC itself for
         full legal notices."

    -- Revision History

    REVISION     "200301070000Z"       -- 7 January 2003
    DESCRIPTION  "Initial version, published as RFC xxxx."
                 -- RFC-editor assigns xxxx
    ::= { spdActions 2 }

--
-- groups of related objects
--

ipiaConfigObjects OBJECT IDENTIFIER
    ::= { ipiaMIB 1 }
ipiaNotificationObjects OBJECT IDENTIFIER
    ::= { ipiaMIB 2 }
ipiaConformanceObjects OBJECT IDENTIFIER
    ::= { ipiaMIB 3 }

--
-- Textual Conventions
--

IkeEncryptionAlgorithm ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION "Values for encryption algorithms negotiated
                 for the ISAKMP SA by IKE in Phase I.  These are
                 values for SA Attribute type Encryption
                 Algorithm (1).

                 Unused values <= 65000 are reserved to IANA.
                 Currently assigned values at the time of this
                 writing:

                 reserved(0),          -- reserved in IKE
                 desCbc(1),            -- RFC 2405
                 ideaCbc(2),
                 blowfishCbc(3),
                 rc5R16B64Cbc(4),      -- RC5 R16 B64 CBC
                 tripleDesCbc(5),      -- 3DES CBC
                 castCbc(6),
                 aesCbc(7)

                 Values 65001-65535 are for private use among
                 mutually consenting parties."
    REFERENCE   "RFC 2409 appendix A,
                 IANA"
    SYNTAX      Unsigned32 (0..65535)

IkeAuthMethod ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION "Values for authentication methods negotiated
                 for the ISAKMP SA by IKE in Phase I.  These are
                 values for SA Attribute type Authentication
                 Method (3).

                 Unused values <= 65000 are reserved to IANA.

                 reserved(0),                  -- reserved in IKE
                 preSharedKey(1),
                 dssSignatures(2),
                 rsaSignatures(3),
                 encryptionWithRsa(4),
                 revisedEncryptionWithRsa(5),
                 reservedDontUse6(6),          -- not to be used
                 reservedDontUse7(7),          -- not to be used
                 ecdsaSignatures(8)

                 Values 65001-65535 are for private use among
                 mutually consenting parties."
    REFERENCE   "RFC 2409 appendix A,
                 IANA"
    SYNTAX      Unsigned32 (0..65535)

IkeHashAlgorithm ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION "Values for hash algorithms negotiated
                 for the ISAKMP SA by IKE in Phase I.  These are
                 values for SA Attribute type Hash Algorithm (2).
                 Unused values <= 65000 are reserved to IANA.
                 Currently assigned values at the time of this
                 writing:

                 reserved(0),          -- reserved in IKE
                 md5(1),               -- RFC 1321
                 sha(2),               -- FIPS 180-1
                 tiger(3),
                 sha256(4),
                 sha384(5),
                 sha512(6)

                 Values 65001-65535 are for private use among
                 mutually consenting parties."
    REFERENCE   "RFC 2409 appendix A,
                 IANA"
    SYNTAX      Unsigned32 (0..65535)

IkeGroupDescription ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION "Values for Oakley key computation groups for
                 Diffie-Hellman exchange negotiated for the ISAKMP
                 SA by IKE in Phase I.  They are also used in Phase II
                 when perfect forward secrecy is in use.  These are
                 values for SA Attribute type Group Description (4).

                 Unused values <= 32767 are reserved to IANA.
                 Currently assigned values at the time of this
                 writing:

                 none(0),              -- reserved in IKE, used
                                       -- in MIBs to reflect that
                                       -- none of the predefined
                                       -- groups are used
                 modp768(1),           -- default 768-bit MODP group
                 modp1024(2),          -- alternate 1024-bit MODP
                                       -- group

                 ec2nGF155(3),         -- EC2N group on Galois
                                       -- Field GF[2^155]
                 ec2nGF185(4),         -- EC2N group on Galois
                                       -- Field GF[2^185]
                 ec2nGF163Random(6),   -- EC2N group on Galois
                                       -- Field GF[2^163],
                                       -- random seed
                 ec2nGF163Koblitz(7),  -- EC2N group on Galois
                                       -- Field GF[2^163],
                                       -- Koblitz curve
                 ec2nGF283Random(8),   -- EC2N group on Galois
                                       -- Field GF[2^283],
                                       -- random seed
                 ec2nGF283Koblitz(9),  -- EC2N group on Galois
                                       -- Field GF[2^283],
                                       -- Koblitz curve
                 ec2nGF409Random(10),  -- EC2N group on Galois
                                       -- Field GF[2^409],
                                       -- random seed
                 ec2nGF409Koblitz(11), -- EC2N group on Galois
                                       -- Field GF[2^409],
                                       -- Koblitz curve
                 ec2nGF571Random(12),  -- EC2N group on Galois
                                       -- Field GF[2^571],
                                       -- random seed
                 ec2nGF571Koblitz(13)  -- EC2N group on Galois
                                       -- Field GF[2^571],
                                       -- Koblitz curve
                 Values 32768-65535 are for private use among
                 mutually consenting parties."
    REFERENCE   "RFC 2409 appendix A,
                 IANA"
    SYNTAX      Unsigned32 (0..65535)

IpsecDoiSecProtocolId ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION "These are the IPsec DOI values for the Protocol-Id
                 field in an ISAKMP Proposal Payload, and in all
                 Notification Payloads.

                 They are also used as the Protocol-ID in the
                 Notification Payload and the Delete Payload.

                 Currently assigned values at the time of this
                 writing:

                 reserved(0),          -- reserved in DOI
                 protoIsakmp(1),       -- message protection
                                       -- required during Phase I
                                       -- of the IKE protocol
                 protoIpsecAh(2),      -- IP packet authentication
                                       -- via Authentication Header
                 protoIpsecEsp(3),     -- IP packet confidentiality
                                       -- via Encapsulating
                                       -- Security Payload
                 protoIpcomp(4)        -- IP payload compression

                 The values 249-255 are reserved for private use
                 amongst cooperating systems."
    REFERENCE   "RFC 2407 section 4.4.1"
    SYNTAX      Unsigned32 (0..255)

--
-- Policy group definitions
--

ipiaLocalConfigObjects OBJECT IDENTIFIER
    ::= { ipiaConfigObjects 1 }

--
-- Static Filters
--

ipiaStaticFilters OBJECT IDENTIFIER ::= { ipiaConfigObjects 2 }

ipiaIkePhase1Filter OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This static filter can be used to test if a packet is
         part of an IKE phase-1 negotiation."
    ::= { ipiaStaticFilters 1 }

ipiaIkePhase2Filter OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This static filter can be used to test if a packet is
         part of an IKE phase-2 negotiation."
    ::= { ipiaStaticFilters 2 }

--
-- credential filter table
--

ipiaCredentialFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaCredentialFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table defines filters which can be used to match
         credentials of IKE peers, where the credentials in question
         have been obtained from an IKE phase 1 exchange.  They may
         be X.509 certificates, Kerberos tickets, etc..."
    ::= { ipiaConfigObjects 3 }

ipiaCredentialFilterEntry OBJECT-TYPE
    SYNTAX      IpiaCredentialFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row defining a particular credential filter"
    INDEX { ipiaCredFiltName }
    ::= { ipiaCredentialFilterTable 1 }

IpiaCredentialFilterEntry ::= SEQUENCE {
    ipiaCredFiltName               SnmpAdminString,
    ipiaCredFiltCredentialType     IpsaCredentialType,
    ipiaCredFiltMatchFieldName     OCTET STRING,
    ipiaCredFiltMatchFieldValue    OCTET STRING,
    ipiaCredFiltAcceptCredFrom     OCTET STRING,
    ipiaCredFiltLastChanged        TimeStamp,
    ipiaCredFiltStorageType        StorageType,
    ipiaCredFiltRowStatus          RowStatus
}

ipiaCredFiltName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The administrative name of this filter."
    ::= { ipiaCredentialFilterEntry 1 }

ipiaCredFiltCredentialType OBJECT-TYPE
    SYNTAX      IpsaCredentialType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The credential type that is expected for this filter to
         succeed."
    DEFVAL { x509 }
    ::= { ipiaCredentialFilterEntry 2 }

ipiaCredFiltMatchFieldName OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..256))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The piece of the credential to match against.  Examples:
         serialNumber, signatureAlgorithm, issuerName or
         subjectName.

         For credential types without fields (e.g.
         shared secret),
         this field should be left empty, and the entire credential
         will be matched against the ipiaCredFiltMatchFieldValue."
    ::= { ipiaCredentialFilterEntry 3 }

ipiaCredFiltMatchFieldValue OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..4096))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The value that the field indicated by the
         ipiaCredFiltMatchFieldName must match against for the
         filter to be considered TRUE."
    ::= { ipiaCredentialFilterEntry 4 }

ipiaCredFiltAcceptCredFrom OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..117))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value is used to look up a row in the
         ipiaIpsecCredMngServiceTable for the Certificate Authority
         (CA) Information.  This value is empty if there is no CA
         used for this filter."
    ::= { ipiaCredentialFilterEntry 5 }

ipiaCredFiltLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
         created either through SNMP SETs or by some other external
         means."
    ::= { ipiaCredentialFilterEntry 6 }

ipiaCredFiltStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which
         were created through an external process may have a storage
         type of readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaCredentialFilterEntry 7 }

ipiaCredFiltRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row."
    ::= { ipiaCredentialFilterEntry 8 }

--
-- Peer Identity Filter Table
--

ipiaPeerIdentityFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaPeerIdentityFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table defines filters which can be used to match
         credentials of IKE peers, where the credentials in question
         have been obtained from an IKE phase 1 exchange.  They may
         be X.509 certificates, Kerberos tickets, etc..."
    ::= { ipiaConfigObjects 4 }

ipiaPeerIdentityFilterEntry OBJECT-TYPE
    SYNTAX      IpiaPeerIdentityFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row defining a particular credential filter"

    INDEX { ipiaPeerIdFiltName }
    ::= { ipiaPeerIdentityFilterTable 1 }

IpiaPeerIdentityFilterEntry ::= SEQUENCE {
    ipiaPeerIdFiltName             SnmpAdminString,
    ipiaPeerIdFiltIdentityType     IpsecDoiIdentType,
    ipiaPeerIdFiltIdentityValue    IpsaIdentityFilter,
    ipiaPeerIdFiltLastChanged      TimeStamp,
    ipiaPeerIdFiltStorageType      StorageType,
    ipiaPeerIdFiltRowStatus        RowStatus
}

ipiaPeerIdFiltName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The administrative name of this filter."
    ::= { ipiaPeerIdentityFilterEntry 1 }

ipiaPeerIdFiltIdentityType OBJECT-TYPE
    SYNTAX      IpsecDoiIdentType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The type of identity field in the peer ID payload to match
         against."
    ::= { ipiaPeerIdentityFilterEntry 2 }

ipiaPeerIdFiltIdentityValue OBJECT-TYPE
    SYNTAX      IpsaIdentityFilter
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The string representation of the value that the peer ID
         payload value must match against.
         Wildcard mechanisms MUST
         be supported such that:

         - a ipiaPeerIdFiltIdentityValue of '*@example.com' will
           match a userFqdn ID payload of 'JDOE@EXAMPLE.COM'

         - a ipiaPeerIdFiltIdentityValue of '*.example.com' will
           match a fqdn ID payload of 'WWW.EXAMPLE.COM'

         - a ipiaPeerIdFiltIdentityValue of:
           'cn=*,ou=engineering,o=company,c=us'
           will match a DER DN ID payload of
           'cn=John Doe,ou=engineering,o=company,c=us'

         - a ipiaPeerIdFiltIdentityValue of '192.0.2.0/24' will
           match an IPv4 address ID payload of 192.0.2.10

         - a ipiaPeerIdFiltIdentityValue of '192.0.2.*' will also
           match an IPv4 address ID payload of 192.0.2.10.

         The character '*' replaces 0 or multiple instances of any
         character."
    ::= { ipiaPeerIdentityFilterEntry 3 }

ipiaPeerIdFiltLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
         created either through SNMP SETs or by some other external
         means."
    ::= { ipiaPeerIdentityFilterEntry 4 }

ipiaPeerIdFiltStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which
         were created through an external process may have a storage
         type of readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaPeerIdentityFilterEntry 5 }

ipiaPeerIdFiltRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.
         This object cannot be considered active unless the
         ipiaPeerIdFiltIdentityType and ipiaPeerIdFiltIdentityValue
         column values are defined."
    ::= { ipiaPeerIdentityFilterEntry 6 }

--
-- Static Actions
--

-- these are static actions which can be pointed to by the
-- ipiaRuleDefAction or the ipiaSubActSubActionName objects to drop,
-- accept or reject packets.

ipiaStaticActions OBJECT IDENTIFIER ::= { ipiaConfigObjects 5 }

ipiaRejectIKEAction OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet should be rejected
         WITHOUT action/packet logging.  This object returns a value
         of 1 for IPsec policy implementations that support the
         reject static action."
    ::= { ipiaStaticActions 1 }

ipiaRejectIKEActionLog OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet should be rejected
         WITH action/packet logging.  This object returns a value of
         1 for IPsec policy implementations that support the reject
         static action with logging."
    ::= { ipiaStaticActions 2 }

--
-- ipiaIkeActionTable
--

ipiaIkeActionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIkeActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The ipiaIkeActionTable contains a list of the parameters
         used for an IKE phase 1 SA DOI negotiation.  See the
         corresponding table ipiaIkeActionProposalsTable for a list
         of proposals contained within a given IKE Action."
    ::= { ipiaConfigObjects 6 }

ipiaIkeActionEntry OBJECT-TYPE
    SYNTAX      IpiaIkeActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The ipiaIkeActionEntry lists the IKE negotiation
         attributes."
    INDEX { ipiaIkeActName }
    ::= { ipiaIkeActionTable 1 }

IpiaIkeActionEntry ::= SEQUENCE {
    ipiaIkeActName                    SnmpAdminString,
    ipiaIkeActParametersName          SnmpAdminString,
    ipiaIkeActThresholdDerivedKeys    Integer32,
    ipiaIkeActExchangeMode            INTEGER,
    ipiaIkeActAgressiveModeGroupId    IkeGroupDescription,
    ipiaIkeActIdentityType            IpsecDoiIdentType,
    ipiaIkeActIdentityContext         SnmpAdminString,
    ipiaIkeActPeerName                SnmpAdminString,
    ipiaIkeActDoActionLogging         TruthValue,
    ipiaIkeActDoPacketLogging         SpdIPPacketLogging,
    ipiaIkeActVendorId                OCTET STRING,
    ipiaIkeActLastChanged             TimeStamp,
    ipiaIkeActStorageType             StorageType,
    ipiaIkeActRowStatus               RowStatus
}

ipiaIkeActName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object contains the name of this ikeAction entry."
    ::= { ipiaIkeActionEntry 1 }

ipiaIkeActParametersName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is administratively assigned to reference a row
         in the ipiaSaNegotiationParametersTable where additional
         parameters affecting this action may be found."
    ::= { ipiaIkeActionEntry 2 }

ipiaIkeActThresholdDerivedKeys OBJECT-TYPE
    SYNTAX      Integer32 (0..100)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkeActThresholdDerivedKeys specifies what percentage
         of the derived key limit (see the LifetimeDerivedKeys
         property of IKEProposal) can expire before IKE should
         attempt to renegotiate the IKE phase 1 security
         association."
    DEFVAL { 100 }
    ::= { ipiaIkeActionEntry 3 }

ipiaIkeActExchangeMode OBJECT-TYPE
    SYNTAX      INTEGER { main(1), agressive(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkeActExchangeMode specifies the IKE Phase 1
         negotiation mode."
    DEFVAL { main }
    ::= { ipiaIkeActionEntry 4 }

ipiaIkeActAgressiveModeGroupId OBJECT-TYPE
    SYNTAX      IkeGroupDescription
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The values to be used for Diffie-Hellman exchange."
    ::= { ipiaIkeActionEntry 5 }

ipiaIkeActIdentityType OBJECT-TYPE
    SYNTAX      IpsecDoiIdentType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This column, along with ipiaIkeActIdentityContext and
         endpoint information, is used to refer to an
         ipiaIkeIdentityEntry in the ipiaIkeIdentityTable."
    ::= { ipiaIkeActionEntry 6 }

ipiaIkeActIdentityContext OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This column, along with ipiaIkeActIdentityType and endpoint
         information, is used to refer to an ipiaIkeIdentityEntry in
         the ipiaIkeIdentityTable."
    ::= { ipiaIkeActionEntry 7 }

ipiaIkeActPeerName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the peer id name of the IKE peer.
         This object can be used to look up the peer id value,
         address, credentials and other values in the
         ipiaPeerIdentityTable."
    ::= { ipiaIkeActionEntry 8 }

ipiaIkeActDoActionLogging OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ikeDoActionLogging specifies whether or not an audit
         message should be logged when this ike SA is created."
    DEFVAL { false }
    ::= { ipiaIkeActionEntry 9 }

ipiaIkeActDoPacketLogging OBJECT-TYPE
    SYNTAX      SpdIPPacketLogging
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ikeDoPacketLogging specifies whether or not an audit
         message should be logged and if there is logging, how many
         bytes of the packet to place in the notification."
    DEFVAL { -1 }
    ::= { ipiaIkeActionEntry 10 }

ipiaIkeActVendorId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..65535))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Vendor ID Payload.  A value of NULL means that Vendor ID
         payload will be neither generated nor accepted.  A non-NULL
         value means that a Vendor ID payload will be generated
         (when acting as an initiator) or is expected (when acting
         as a responder)."
    DEFVAL { "" }
    ::= { ipiaIkeActionEntry 11 }

ipiaIkeActLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
         created either through SNMP SETs or by some other external
         means."
    ::= { ipiaIkeActionEntry 12 }

ipiaIkeActStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which
         were created through an external process may have a storage
         type of readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaIkeActionEntry 13 }

ipiaIkeActRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other
         objects in this conceptual row can be modified.

         This object may not be set to destroy if referred to by
         other rows in other action tables."
    ::= { ipiaIkeActionEntry 14 }

--
-- IPsec action definition table
--

ipiaIpsecActionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIpsecActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The ipiaIpsecActionTable contains a list of the parameters
         used for an IKE phase 2 IPsec DOI negotiation."
    ::= { ipiaConfigObjects 7 }

ipiaIpsecActionEntry OBJECT-TYPE
    SYNTAX      IpiaIpsecActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The ipiaIpsecActionEntry lists the IPsec negotiation
         attributes."
    INDEX { ipiaIpsecActName }
    ::= { ipiaIpsecActionTable 1 }

IpiaIpsecActionEntry ::= SEQUENCE {
    ipiaIpsecActName                   SnmpAdminString,
    ipiaIpsecActParametersName         SnmpAdminString,
    ipiaIpsecActProposalsName          SnmpAdminString,
    ipiaIpsecActUsePfs                 TruthValue,
    ipiaIpsecActVendorId               OCTET STRING,
    ipiaIpsecActGroupId                IkeGroupDescription,
    ipiaIpsecActPeerGatewayIdName      OCTET STRING,
    ipiaIpsecActUseIkeGroup            TruthValue,
    ipiaIpsecActGranularity            INTEGER,
    ipiaIpsecActMode                   INTEGER,
    ipiaIpsecActDFHandling             INTEGER,
    ipiaIpsecActDoActionLogging        TruthValue,
    ipiaIpsecActDoPacketLogging        SpdIPPacketLogging,
    ipiaIpsecActLastChanged            TimeStamp,
    ipiaIpsecActStorageType            StorageType,
    ipiaIpsecActRowStatus              RowStatus
}

ipiaIpsecActName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "ipiaIpsecActName is the name of the ipsecAction entry."
    ::= { ipiaIpsecActionEntry 1 }

ipiaIpsecActParametersName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to reference a row in the
         ipiaSaNegotiationParametersTable where additional
         parameters affecting this action may be found."
    ::= { ipiaIpsecActionEntry 2 }

ipiaIpsecActProposalsName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to reference one or more rows in the
         ipiaIpsecProposalsTable where an ordered list of proposals
         affecting this action may be found."
    ::= { ipiaIpsecActionEntry 3 }

ipiaIpsecActUsePfs OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This MIB object specifies whether or not perfect forward
        secrecy should be used when refreshing keys.
        A value of true indicates that PFS should be used."
    ::= { ipiaIpsecActionEntry 4 }

ipiaIpsecActVendorId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The VendorID property is used to identify vendor-defined
        key exchange GroupIDs."
    ::= { ipiaIpsecActionEntry 5 }

ipiaIpsecActGroupId OBJECT-TYPE
    SYNTAX      IkeGroupDescription
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the Diffie-Hellman group to use for
        phase 2 when the object ipiaIpsecActUsePfs is true and the
        object ipiaIpsecActUseIkeGroup is false. If the GroupID
        number is from the vendor-specific range (32768-65535), the
        VendorID qualifies the group number."
    ::= { ipiaIpsecActionEntry 6 }

ipiaIpsecActPeerGatewayIdName OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..116))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the peer id name of the peer
        gateway. This object can be used to look up the peer id
        value, address and other values in the
        ipiaPeerIdentityTable. This object is used when initiating
        a tunnel SA. This object is not used for transport SAs.
        If no value is set and ipiaIpsecActMode is tunnel, the peer
        gateway should be determined from the source or destination
        address of the packet."
    ::= { ipiaIpsecActionEntry 7 }

ipiaIpsecActUseIkeGroup OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies whether or not to use the same
        GroupId for phase 2 as was used in phase 1. If
        ipiaIpsecActUsePfs is false, this entry should be ignored."
    ::= { ipiaIpsecActionEntry 8 }

ipiaIpsecActGranularity OBJECT-TYPE
    SYNTAX      INTEGER { subnet(1), address(2), protocol(3),
                          port(4) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies how the proposed selector for the
        security association will be created. The selector is
        created by using the FilterList information. The selector
        can be subnet, address, protocol, or port."
    ::= { ipiaIpsecActionEntry 9 }

ipiaIpsecActMode OBJECT-TYPE
    SYNTAX      INTEGER { tunnel(1), transport(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the encapsulation of the IPsec SA
        to be negotiated."
    DEFVAL { tunnel }
    ::= { ipiaIpsecActionEntry 10 }

ipiaIpsecActDFHandling OBJECT-TYPE
    SYNTAX      INTEGER { copy(1), set(2), clear(3) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the processing of the DF bit by the
        negotiated IPsec tunnel.
            1 - DF bit is copied.
            2 - DF bit is set.
            3 - DF bit is cleared."
    DEFVAL { copy }
    ::= { ipiaIpsecActionEntry 11 }

ipiaIpsecActDoActionLogging OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIpsecActDoActionLogging specifies whether or not an
        audit message should be logged when this IPsec SA is
        created."
    DEFVAL { false }
    ::= { ipiaIpsecActionEntry 12 }

ipiaIpsecActDoPacketLogging OBJECT-TYPE
    SYNTAX      SpdIPPacketLogging
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIpsecActDoPacketLogging specifies whether or not an
        audit message should be logged and, if there is logging, how
        many bytes of the packet to place in the notification."
    DEFVAL { -1 }
    ::= { ipiaIpsecActionEntry 13 }

ipiaIpsecActLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaIpsecActionEntry 14 }

ipiaIpsecActStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process may have a storage
        type of readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaIpsecActionEntry 15 }

ipiaIpsecActRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        If active, this object must remain active if it is
        referenced by a row in another table."
    ::= { ipiaIpsecActionEntry 16 }

--
-- ipiaSaNegotiationParametersTable
--

-- PROPERTIES MinLifetimeSeconds
--            MinLifetimeKilobytes
--            RefreshThresholdSeconds
--            RefreshThresholdKilobytes
--            IdleDurationSeconds

ipiaSaNegotiationParametersTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaSaNegotiationParametersEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains reusable parameters that can be pointed
        to by the ipiaIkeActionTable and ipiaIpsecActionTable.
        These parameters are reusable since it is likely an
        administrator will want to make global policy changes to
        lifetime parameters that apply to multiple actions. This
        table allows multiple rows in the other action tables to
        reuse global lifetime parameters in this table by
        repeatedly pointing to a row contained within this table."
    ::= { ipiaConfigObjects 8 }

ipiaSaNegotiationParametersEntry OBJECT-TYPE
    SYNTAX      IpiaSaNegotiationParametersEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Contains the attributes of one row in the
        ipiaSaNegotiationParametersTable."
    INDEX { ipiaSaNegParamName }
    ::= { ipiaSaNegotiationParametersTable 1 }

IpiaSaNegotiationParametersEntry ::= SEQUENCE {
    ipiaSaNegParamName                  SnmpAdminString,
    ipiaSaNegParamMinLifetimeSecs       Unsigned32,
    ipiaSaNegParamMinLifetimeKB         Unsigned32,
    ipiaSaNegParamRefreshThreshSecs     Unsigned32,
    ipiaSaNegParamRefreshThresholdKB    Unsigned32,
    ipiaSaNegParamIdleDurationSecs      Unsigned32,
    ipiaSaNegParamLastChanged           TimeStamp,
    ipiaSaNegParamStorageType           StorageType,
    ipiaSaNegParamRowStatus             RowStatus
}

ipiaSaNegParamName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object contains the administrative name of this
        SaNegotiationParametersEntry. This row can be referred
        to by this name in other policy action tables."
    ::= { ipiaSaNegotiationParametersEntry 1 }

ipiaSaNegParamMinLifetimeSecs OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaSaNegParamMinLifetimeSecs specifies the minimum seconds
        lifetime that will be accepted from the peer."
    ::= { ipiaSaNegotiationParametersEntry 2 }

ipiaSaNegParamMinLifetimeKB OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaSaNegParamMinLifetimeKB specifies the minimum kilobyte
        lifetime that will be accepted from the peer."
    ::= { ipiaSaNegotiationParametersEntry 3 }

ipiaSaNegParamRefreshThreshSecs OBJECT-TYPE
    SYNTAX      Unsigned32 (1..100)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaSaNegParamRefreshThreshSecs specifies what percentage
        of the seconds lifetime can expire before IKE should
        attempt to renegotiate the IPsec security association. A
        value between 1 and 100 representing a percentage. A value
        of 100 indicates that the IPsec security association should
        not be renegotiated until the seconds lifetime has been
        completely reached."
    ::= { ipiaSaNegotiationParametersEntry 4 }

ipiaSaNegParamRefreshThresholdKB OBJECT-TYPE
    SYNTAX      Unsigned32 (1..100)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaSaNegParamRefreshThresholdKB specifies what percentage
        of the kilobyte lifetime can expire before IKE should
        attempt to renegotiate the IPsec security association. A
        value between 1 and 100 representing a percentage. A value
        of 100 indicates that the IPsec security association should
        not be renegotiated until the kilobyte lifetime has been
        reached."
    ::= { ipiaSaNegotiationParametersEntry 5 }

ipiaSaNegParamIdleDurationSecs OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaSaNegParamIdleDurationSecs specifies how many seconds a
        security association may remain idle (i.e., no traffic
        protected using the security association) before it is
        deleted. A value of zero indicates that idle detection
        should not be used for the security association. Any
        non-zero value indicates the number of seconds the security
        association may remain unused."
    ::= { ipiaSaNegotiationParametersEntry 6 }

ipiaSaNegParamLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaSaNegotiationParametersEntry 7 }

ipiaSaNegParamStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process may have a storage
        type of readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaSaNegotiationParametersEntry 8 }

ipiaSaNegParamRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        This object may not be set to destroy if referred to by
        other rows in other action tables."
    ::= { ipiaSaNegotiationParametersEntry 9 }

--
-- ipiaIkeActionProposalsTable: proposals contained within an ikeAction
--

ipiaIkeActionProposalsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIkeActionProposalsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains a list of all IKE proposal names found
        within a given IKE Action."
    ::= { ipiaConfigObjects 9 }

ipiaIkeActionProposalsEntry OBJECT-TYPE
    SYNTAX      IpiaIkeActionProposalsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row containing one IKE proposal reference."
    INDEX { ipiaIkeActName, ipiaIkeActPropPriority }
    ::= { ipiaIkeActionProposalsTable 1 }

IpiaIkeActionProposalsEntry ::= SEQUENCE {
    ipiaIkeActPropPriority      Integer32,
    ipiaIkeActPropName          SnmpAdminString,
    ipiaIkeActPropLastChanged   TimeStamp,
    ipiaIkeActPropStorageType   StorageType,
    ipiaIkeActPropRowStatus     RowStatus
}

ipiaIkeActPropPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The numeric priority of a given contained proposal inside
        an IKE Action. This index should be used to order the
        proposals in an IKE Phase I negotiation, lowest value
        first."
    ::= { ipiaIkeActionProposalsEntry 1 }

ipiaIkeActPropName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The administratively assigned name that can be used to
        reference a set of values contained within the
        ipiaIkeProposalTable."
    ::= { ipiaIkeActionProposalsEntry 2 }

ipiaIkeActPropLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaIkeActionProposalsEntry 3 }

ipiaIkeActPropStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process may have a storage
        type of readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaIkeActionProposalsEntry 4 }

ipiaIkeActPropRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified."
    ::= { ipiaIkeActionProposalsEntry 5 }

--
-- IKE proposal definition table
--

ipiaIkeProposalTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIkeProposalEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains a list of IKE proposals which are used
        in an IKE negotiation."
    ::= { ipiaConfigObjects 10 }

ipiaIkeProposalEntry OBJECT-TYPE
    SYNTAX      IpiaIkeProposalEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "One IKE proposal entry."
    INDEX { ipiaIkeActPropName }
    ::= { ipiaIkeProposalTable 1 }

IpiaIkeProposalEntry ::= SEQUENCE {
    ipiaIkePropLifetimeDerivedKeys      Unsigned32,
    ipiaIkePropCipherAlgorithm          IkeEncryptionAlgorithm,
    ipiaIkePropCipherKeyLength          Unsigned32,
    ipiaIkePropCipherKeyRounds          Unsigned32,
    ipiaIkePropHashAlgorithm            IkeHashAlgorithm,
    ipiaIkePropPrfAlgorithm             INTEGER,
    ipiaIkePropVendorId                 OCTET STRING,
    ipiaIkePropDhGroup                  IkeGroupDescription,
    ipiaIkePropAuthenticationMethod     IkeAuthMethod,
    ipiaIkePropMaxLifetimeSecs          Unsigned32,
    ipiaIkePropMaxLifetimeKB            Unsigned32,
    ipiaIkePropLastChanged              TimeStamp,
    ipiaIkePropStorageType              StorageType,
    ipiaIkePropRowStatus                RowStatus
}

ipiaIkePropLifetimeDerivedKeys OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropLifetimeDerivedKeys specifies the number of
        times that a phase 1 key will be used to derive a phase 2
        key before the phase 1 security association needs to be
        renegotiated."
    ::= { ipiaIkeProposalEntry 1 }

ipiaIkePropCipherAlgorithm OBJECT-TYPE
    SYNTAX      IkeEncryptionAlgorithm
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropCipherAlgorithm specifies the proposed phase 1
        security association encryption algorithm."
    ::= { ipiaIkeProposalEntry 2 }

ipiaIkePropCipherKeyLength OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies, in bits, the key length for
        the cipher algorithm used in IKE Phase 1 negotiation."
    ::= { ipiaIkeProposalEntry 3 }

ipiaIkePropCipherKeyRounds OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the number of key rounds for
        the cipher algorithm used in IKE Phase 1 negotiation."
    ::= { ipiaIkeProposalEntry 4 }

ipiaIkePropHashAlgorithm OBJECT-TYPE
    SYNTAX      IkeHashAlgorithm
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropHashAlgorithm specifies the proposed phase 1
        security association hash algorithm."
    ::= { ipiaIkeProposalEntry 5 }

ipiaIkePropPrfAlgorithm OBJECT-TYPE
    SYNTAX      INTEGER { reserved(0) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropPrfAlgorithm specifies the proposed phase 1
        security association pseudo-random function.

        Note: currently no PRF algorithms are defined."
    ::= { ipiaIkeProposalEntry 6 }

ipiaIkePropVendorId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The VendorID property is used to identify vendor-defined
        key exchange GroupIDs."
    ::= { ipiaIkeProposalEntry 7 }

ipiaIkePropDhGroup OBJECT-TYPE
    SYNTAX      IkeGroupDescription
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the proposed phase 1 security
        association Diffie-Hellman group."
    ::= { ipiaIkeProposalEntry 8 }

ipiaIkePropAuthenticationMethod OBJECT-TYPE
    SYNTAX      IkeAuthMethod
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the proposed authentication
        method for the phase 1 security association."
    ::= { ipiaIkeProposalEntry 9 }

ipiaIkePropMaxLifetimeSecs OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropMaxLifetimeSecs specifies the maximum amount of
        time to propose that a security association remain valid.

        A value of 0 indicates that the default lifetime of
        8 hours should be used."
    ::= { ipiaIkeProposalEntry 10 }

ipiaIkePropMaxLifetimeKB OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropMaxLifetimeKB specifies the maximum kilobyte
        lifetime to propose that a security association remain valid."
    ::= { ipiaIkeProposalEntry 11 }

ipiaIkePropLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaIkeProposalEntry 12 }

ipiaIkePropStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process may have a storage
        type of readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaIkeProposalEntry 13 }

ipiaIkePropRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified."
    ::= { ipiaIkeProposalEntry 14 }

--
-- ipiaIpsecProposalsTable
--

ipiaIpsecProposalsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIpsecProposalsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table lists one or more IPsec proposals for
        IPsec actions."
    ::= { ipiaConfigObjects 11 }

ipiaIpsecProposalsEntry OBJECT-TYPE
    SYNTAX      IpiaIpsecProposalsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry containing (possibly a portion of) a proposal."
    INDEX { ipiaIpsecPropName, ipiaIpsecPropPriority,
            ipiaIpsecPropProtocolId }
    ::= { ipiaIpsecProposalsTable 1 }

IpiaIpsecProposalsEntry ::= SEQUENCE {
    ipiaIpsecPropName               SnmpAdminString,
    ipiaIpsecPropPriority           Integer32,
    ipiaIpsecPropProtocolId         IpsecDoiSecProtocolId,
    ipiaIpsecPropTransformsName     SnmpAdminString,
    ipiaIpsecPropLastChanged        TimeStamp,
    ipiaIpsecPropStorageType        StorageType,
    ipiaIpsecPropRowStatus          RowStatus
}

ipiaIpsecPropName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The name of this proposal."
    ::= { ipiaIpsecProposalsEntry 1 }

ipiaIpsecPropPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The priority level (AKA sequence level) of this proposal.
        A lower number indicates a higher precedence."
    ::= { ipiaIpsecProposalsEntry 2 }

ipiaIpsecPropProtocolId OBJECT-TYPE
    SYNTAX      IpsecDoiSecProtocolId
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The protocol Id for the transforms for this proposal. The
        protoIsakmp(1) value is not valid for this object. This
        object, along with the ipiaIpsecPropTransformsName, is the
        index into the ipiaIpsecTransformsTable."
    ::= { ipiaIpsecProposalsEntry 3 }

ipiaIpsecPropTransformsName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The name of the transform or group of transforms for this
        protocol. This object, along with the
        ipiaIpsecPropProtocolId, is the index into the
        ipiaIpsecTransformsTable."
    ::= { ipiaIpsecProposalsEntry 4 }

ipiaIpsecPropLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaIpsecProposalsEntry 5 }

ipiaIpsecPropStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process may have a storage
        type of readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaIpsecProposalsEntry 6 }

ipiaIpsecPropRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        This row may not be set to active until the corresponding
        row in the ipiaIpsecTransformsTable exists and is active."
    ::= { ipiaIpsecProposalsEntry 7 }

--
-- ipiaIpsecTransformsTable
--

ipiaIpsecTransformsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIpsecTransformsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table lists the IPsec proposals contained within a
        given IPsec action and the transforms within each of those
        proposals. These proposals and transforms can then be used
        to create phase 2 negotiation proposals."
    ::= { ipiaConfigObjects 12 }

ipiaIpsecTransformsEntry OBJECT-TYPE
    SYNTAX      IpiaIpsecTransformsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry containing the information on an IPsec transform."
    INDEX { ipiaIpsecTranType, ipiaIpsecTranName,
            ipiaIpsecTranPriority }
    ::= { ipiaIpsecTransformsTable 1 }

IpiaIpsecTransformsEntry ::= SEQUENCE {
    ipiaIpsecTranType           IpsecDoiSecProtocolId,
    ipiaIpsecTranName           SnmpAdminString,
    ipiaIpsecTranPriority       Integer32,
    ipiaIpsecTranTransformName  SnmpAdminString,
    ipiaIpsecTranLastChanged    TimeStamp,
    ipiaIpsecTranStorageType    StorageType,
    ipiaIpsecTranRowStatus      RowStatus
}

ipiaIpsecTranType OBJECT-TYPE
    SYNTAX      IpsecDoiSecProtocolId
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The protocol type for this transform. The protoIsakmp(1)
        value is not valid for this object."
    ::= { ipiaIpsecTransformsEntry 1 }

ipiaIpsecTranName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The name for this transform or group of transforms."
    ::= { ipiaIpsecTransformsEntry 2 }

ipiaIpsecTranPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The priority level (AKA sequence level) of this
        transform within the group of transforms. This indicates
        the preference for which algorithms are requested when the
        list of transforms is sent to the remote host. A lower
        number indicates a higher precedence."
    ::= { ipiaIpsecTransformsEntry 3 }

ipiaIpsecTranTransformName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The name for the given transform. Depending on the value
        of ipiaIpsecTranType, this value should be used to look up
        the transform's specific parameters in the
        ipiaAhTransformTable, the ipiaEspTransformTable or the
        ipiaIpcompTransformTable."
    ::= { ipiaIpsecTransformsEntry 4 }

ipiaIpsecTranLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaIpsecTransformsEntry 5 }

ipiaIpsecTranStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process may have a storage
        type of readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaIpsecTransformsEntry 6 }

ipiaIpsecTranRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        This row may not be set to active until the corresponding
        row in the ipiaAhTransformTable, ipiaEspTransformTable or
        the ipiaIpcompTransformTable exists."
    ::= { ipiaIpsecTransformsEntry 7 }

--
-- IKE identity definition table
--

ipiaIkeIdentityTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIkeIdentityEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "IKEIdentity is used to represent the identities that may be
        used for an IPProtocolEndpoint (or collection of
        IPProtocolEndpoints) to identify itself in IKE phase 1
        negotiations. The column ikeIdentityName in an
        ipiaIkeActionEntry together with the spdEndGroupIdentType
        and the spdEndGroupAddress in the
        PolicyEndpointToGroupTable specifies the unique identity to
        use in a negotiation exchange."
    ::= { ipiaConfigObjects 13 }

ipiaIkeIdentityEntry OBJECT-TYPE
    SYNTAX      IpiaIkeIdentityEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "ikeIdentity lists the attributes of an IKE identity."
    INDEX { spdEndGroupIdentType, spdEndGroupAddress,
            ipiaIkeActIdentityType, ipiaIkeActIdentityContext }
    ::= { ipiaIkeIdentityTable 1 }

IpiaIkeIdentityEntry ::= SEQUENCE {
    ipiaIkeIdCredentialName     SnmpAdminString,
    ipiaIkeIdLastChanged        TimeStamp,
    ipiaIkeIdStorageType        StorageType,
    ipiaIkeIdRowStatus          RowStatus
}

ipiaIkeIdCredentialName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value is used as an index into the ipiaCredentialTable
        to look up the actual credential value and other credential
        information.

        For IDs without associated credential information, this
        value is left blank.

        For IDs that are address types, this value may be left
        blank and the associated IPProtocolEndpoint or appropriate
        member of the Collection of endpoints is used."
    ::= { ipiaIkeIdentityEntry 1 }

ipiaIkeIdLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaIkeIdentityEntry 2 }

ipiaIkeIdStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process may have a storage
        type of readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaIkeIdentityEntry 3 }

ipiaIkeIdRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        If active, this object must remain active if it is
        referenced by a row in another table."
    ::= { ipiaIkeIdentityEntry 4 }

--
-- autostart IKE Table
--

ipiaAutostartIkeTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaAutostartIkeEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The parameters in the autostart IKE Table are used to
        automatically initiate IKE phases I and II (i.e., IPsec)
        negotiations on startup. It also will initiate IKE phase I
        and II negotiations for a row at the time of that row's
        creation."
    ::= { ipiaConfigObjects 14 }

ipiaAutostartIkeEntry OBJECT-TYPE
    SYNTAX      IpiaAutostartIkeEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "autostart ike provides the set of parameters to
        automatically start IKE and IPsec SA's."
    INDEX { ipiaAutoIkePriority }
    ::= { ipiaAutostartIkeTable 1 }

IpiaAutostartIkeEntry ::= SEQUENCE {
    ipiaAutoIkePriority         Integer32,
    ipiaAutoIkeAction           VariablePointer,
    ipiaAutoIkeAddressType      InetAddressType,
    ipiaAutoIkeSourceAddress    InetAddress,
    ipiaAutoIkeSourcePort       InetPortNumber,
    ipiaAutoIkeDestAddress      InetAddress,
    ipiaAutoIkeDestPort         InetPortNumber,
    ipiaAutoIkeProtocol         Unsigned32,
    ipiaAutoIkeLastChanged      TimeStamp,
    ipiaAutoIkeStorageType      StorageType,
    ipiaAutoIkeRowStatus        RowStatus
}

ipiaAutoIkePriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "ipiaAutoIkePriority is an index into the autostartIkeAction
        table and can be used to order the autostart IKE actions."
    ::= { ipiaAutostartIkeEntry 1 }

ipiaAutoIkeAction OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This pointer is used to point to the action or compound
        action that should be initiated by this row."
    ::= { ipiaAutostartIkeEntry 2 }

ipiaAutoIkeAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeAddressType specifies the format of
        the autoIke source and destination Address values.

        Values of unknown, ipv4z, ipv6z and dns are not legal
        values for this object."
    ::= { ipiaAutostartIkeEntry 3 }

ipiaAutoIkeSourceAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeSourceAddress specifies the Source IP
        address for autostarting IKE SA's, formatted according to
        the appropriate convention as defined in the
        ipiaAutoIkeAddressType property."
    ::= { ipiaAutostartIkeEntry 4 }

ipiaAutoIkeSourcePort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeSourcePort specifies the port
        number for the source port for autostarting IKE SA's.

        The value of 0 for this object is illegal."
    ::= { ipiaAutostartIkeEntry 5 }

ipiaAutoIkeDestAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeDestAddress specifies the
        Destination IP address for autostarting IKE SA's, formatted
        according to the appropriate convention as defined in the
        ipiaAutoIkeAddressType property."
    ::= { ipiaAutostartIkeEntry 6 }

ipiaAutoIkeDestPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeDestPort specifies the port number
        for the destination port for autostarting IKE SA's.

        The value of 0 for this object is illegal."
    ::= { ipiaAutostartIkeEntry 7 }

ipiaAutoIkeProtocol OBJECT-TYPE
    SYNTAX      Unsigned32 (0..255)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeProtocol specifies the protocol
        number used in comparing with policy filter entries and used
        in any phase 2 negotiations."
    ::= { ipiaAutostartIkeEntry 8 }

ipiaAutoIkeLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaAutostartIkeEntry 9 }

ipiaAutoIkeStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process may have a storage
        type of readOnly or permanent."
    DEFVAL { nonVolatile }
    ::= { ipiaAutostartIkeEntry 10 }

ipiaAutoIkeRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified."
    ::= { ipiaAutostartIkeEntry 11 }

--
-- CA Table
--

ipiaIpsecCredMngServiceTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIpsecCredMngServiceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table of Credential Management Service values. This table
        is usually used for credential/certificate values that are
        used with a management service (e.g., Certificate
        Authorities)."
    ::= { ipiaConfigObjects 15 }

ipiaIpsecCredMngServiceEntry OBJECT-TYPE
    SYNTAX      IpiaIpsecCredMngServiceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row in the ipiaIpsecCredMngServiceTable."
    INDEX { ipiaIcmsName }
    ::= { ipiaIpsecCredMngServiceTable 1 }

IpiaIpsecCredMngServiceEntry ::= SEQUENCE {
    ipiaIcmsName                SnmpAdminString,
    ipiaIcmsDistinguishedName   OCTET STRING,
    ipiaIcmsPolicyStatement     OCTET STRING,
    ipiaIcmsMaxChainLength      Integer32,
    ipiaIcmsCredentialName      SnmpAdminString,
    ipiaIcmsLastChanged         TimeStamp,
    ipiaIcmsStorageType         StorageType,
    ipiaIcmsRowStatus           RowStatus
}

ipiaIcmsName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This is an administratively assigned string used to index
        this table."
2003 ::= { ipiaIpsecCredMngServiceEntry 1 } 2005 ipiaIcmsDistinguishedName OBJECT-TYPE 2006 SYNTAX OCTET STRING (SIZE(1..256)) 2007 MAX-ACCESS read-create 2008 STATUS current 2009 DESCRIPTION 2010 "This value represents the Distinguished Name of the 2011 Credential Management Service." 2012 ::= { ipiaIpsecCredMngServiceEntry 2 } 2014 ipiaIcmsPolicyStatement OBJECT-TYPE 2015 SYNTAX OCTET STRING (SIZE(0..1024)) 2016 MAX-ACCESS read-create 2017 STATUS current 2018 DESCRIPTION 2019 "This Value represents the Credential Management Service 2020 Policy Statement, or a reference describing how to obtain 2021 it (e.g., a URL). If one doesn't exist, this value can be 2022 left blank" 2023 ::= { ipiaIpsecCredMngServiceEntry 3 } 2025 ipiaIcmsMaxChainLength OBJECT-TYPE 2026 SYNTAX Integer32 (0..255) 2027 MAX-ACCESS read-create 2028 STATUS current 2029 DESCRIPTION 2030 "This value is the maximum length of the chain allowble from 2031 the Credential Management Service to the credential in 2032 question." 2033 DEFVAL { 0 } 2034 ::= { ipiaIpsecCredMngServiceEntry 4} 2036 ipiaIcmsCredentialName OBJECT-TYPE 2037 SYNTAX SnmpAdminString (SIZE(0..32)) 2038 MAX-ACCESS read-create 2039 STATUS current 2040 DESCRIPTION 2041 "This value is used as an index into the ipiaCredentialTable 2042 to look up the actual credential value." 2043 ::= { ipiaIpsecCredMngServiceEntry 5 } 2045 ipiaIcmsLastChanged OBJECT-TYPE 2046 SYNTAX TimeStamp 2047 MAX-ACCESS read-only 2048 STATUS current 2049 DESCRIPTION 2050 "The value of sysUpTime when this row was last modified or 2051 created either through SNMP SETs or by some other external 2052 means." 2053 ::= { ipiaIpsecCredMngServiceEntry 6 } 2055 ipiaIcmsStorageType OBJECT-TYPE 2056 SYNTAX StorageType 2057 MAX-ACCESS read-create 2058 STATUS current 2059 DESCRIPTION 2060 "The storage type for this row. Rows in this table which 2061 were created through an external process may have a storage 2062 type of readOnly or permanent." 
2063 DEFVAL { nonVolatile } 2064 ::= { ipiaIpsecCredMngServiceEntry 7 } 2066 ipiaIcmsRowStatus OBJECT-TYPE 2067 SYNTAX RowStatus 2068 MAX-ACCESS read-create 2069 STATUS current 2070 DESCRIPTION 2071 "This object indicates the conceptual status of this row. 2073 The value of this object has no effect on whether other 2074 objects in this conceptual row can be modified. 2076 If active, this object must remain active if it is 2077 referenced by a row in another table." 2079 ::= { ipiaIpsecCredMngServiceEntry 8 } 2081 -- 2082 -- CRL Table 2083 -- 2085 ipiaCredMngCRLTable OBJECT-TYPE 2086 SYNTAX SEQUENCE OF IpiaCredMngCRLEntry 2087 MAX-ACCESS not-accessible 2088 STATUS current 2089 DESCRIPTION 2090 "A table of the Credential Revocation Lists (CRL) for 2091 credential managment services." 2092 ::= { ipiaConfigObjects 16 } 2094 ipiaCredMngCRLEntry OBJECT-TYPE 2095 SYNTAX IpiaCredMngCRLEntry 2096 MAX-ACCESS not-accessible 2097 STATUS current 2098 DESCRIPTION 2099 "A row in the ipiaCredMngCRLTable." 2100 INDEX { ipiaIcmsName , ipiaCmcCRLName } 2101 ::= { ipiaCredMngCRLTable 1 } 2103 IpiaCredMngCRLEntry ::= SEQUENCE { 2104 ipiaCmcCRLName SnmpAdminString, 2105 ipiaCmcDistributionPoint OCTET STRING, 2106 ipiaCmcThisUpdate OCTET STRING, 2107 ipiaCmcNextUpdate OCTET STRING, 2108 ipiaCmcLastChanged TimeStamp, 2109 ipiaCmcStorageType StorageType, 2110 ipiaCmcRowStatus RowStatus 2111 } 2113 ipiaCmcCRLName OBJECT-TYPE 2114 SYNTAX SnmpAdminString(SIZE(1..32)) 2115 MAX-ACCESS not-accessible 2116 STATUS current 2117 DESCRIPTION 2118 "This is an administratively assigned string used to index 2119 this table. It represents a CRL for a given CA from a given 2120 distribution point." 2121 ::= { ipiaCredMngCRLEntry 1 } 2123 ipiaCmcDistributionPoint OBJECT-TYPE 2124 SYNTAX OCTET STRING (SIZE(0..256)) 2125 MAX-ACCESS read-create 2126 STATUS current 2127 DESCRIPTION 2128 "This Value represents a Distribution Point for a Credential 2129 Revocation List. 
It can be relative to the Credential 2130 Management Service or a full name (URL, e-mail, etc...)." 2131 ::= { ipiaCredMngCRLEntry 2 } 2133 ipiaCmcThisUpdate OBJECT-TYPE 2134 SYNTAX OCTET STRING (SIZE(0..32)) 2135 MAX-ACCESS read-create 2136 STATUS current 2137 DESCRIPTION 2138 "This value is the issue date of this CRL. This 2139 should be in utctime or generalizedtime." 2140 ::= { ipiaCredMngCRLEntry 3 } 2142 ipiaCmcNextUpdate OBJECT-TYPE 2143 SYNTAX OCTET STRING (SIZE(0..32)) 2144 MAX-ACCESS read-create 2145 STATUS current 2146 DESCRIPTION 2147 "This value indicates the date the next version of this CRL 2148 will be issued. This should be in utctime or 2149 generalizedtime." 2150 ::= { ipiaCredMngCRLEntry 4 } 2152 ipiaCmcLastChanged OBJECT-TYPE 2153 SYNTAX TimeStamp 2154 MAX-ACCESS read-only 2155 STATUS current 2156 DESCRIPTION 2157 "The value of sysUpTime when this row was last modified or 2158 created either through SNMP SETs or by some other external 2159 means." 2160 ::= { ipiaCredMngCRLEntry 5 } 2162 ipiaCmcStorageType OBJECT-TYPE 2163 SYNTAX StorageType 2164 MAX-ACCESS read-create 2165 STATUS current 2166 DESCRIPTION 2167 "The storage type for this row. Rows in this table which 2168 were created through an external process may have a storage 2169 type of readOnly or permanent." 2170 DEFVAL { nonVolatile } 2171 ::= { ipiaCredMngCRLEntry 6 } 2173 ipiaCmcRowStatus OBJECT-TYPE 2174 SYNTAX RowStatus 2175 MAX-ACCESS read-create 2176 STATUS current 2177 DESCRIPTION 2178 "This object indicates the conceptual status of this row. 2180 The value of this object has no effect on whether other 2181 objects in this conceptual row can be modified. 2183 If active, this object must remain active if it is 2184 referenced by a row in another table." 
2185 ::= { ipiaCredMngCRLEntry 7 } 2187 -- 2188 -- Revoked Certificate Table 2189 -- 2191 ipiaRevokedCertificateTable OBJECT-TYPE 2192 SYNTAX SEQUENCE OF IpiaRevokedCertificateEntry 2193 MAX-ACCESS not-accessible 2194 STATUS current 2195 DESCRIPTION 2196 "A table of Credentials revoked by credential managment 2197 services. That is, this table is a table of Certificates 2198 that are on CRL's, Credential Revocation Lists." 2199 ::= { ipiaConfigObjects 17 } 2201 ipiaRevokedCertificateEntry OBJECT-TYPE 2202 SYNTAX IpiaRevokedCertificateEntry 2203 MAX-ACCESS not-accessible 2204 STATUS current 2205 DESCRIPTION 2206 "A row in the ipiaRevokedCertificateTable." 2207 INDEX { ipiaCmcCRLName, ipiaRctCertSerialNumber} 2208 ::= { ipiaRevokedCertificateTable 1 } 2210 IpiaRevokedCertificateEntry ::= SEQUENCE { 2211 ipiaRctCertSerialNumber Unsigned32, 2212 ipiaRctRevokedDate OCTET STRING, 2213 ipiaRctRevokedReason INTEGER, 2214 ipiaRctLastChanged TimeStamp, 2215 ipiaRctStorageType StorageType, 2216 ipiaRctRowStatus RowStatus 2217 } 2219 ipiaRctCertSerialNumber OBJECT-TYPE 2220 SYNTAX Unsigned32 (0..4294967295) 2221 MAX-ACCESS not-accessible 2222 STATUS current 2223 DESCRIPTION 2224 "This value is the serial number of the revoked 2225 certificate." 2226 ::= { ipiaRevokedCertificateEntry 1 } 2228 ipiaRctRevokedDate OBJECT-TYPE 2229 SYNTAX OCTET STRING (SIZE(0..32)) 2230 MAX-ACCESS read-create 2231 STATUS current 2232 DESCRIPTION 2233 "This value is the revocation date of the certificate. This 2234 should be in utctime or generaltime." 2235 ::= { ipiaRevokedCertificateEntry 2 } 2237 ipiaRctRevokedReason OBJECT-TYPE 2238 SYNTAX INTEGER { reserved(0), unspecified(1), keyCompromise(2), 2239 cACompromise(3), affiliationChanged(4), 2240 superseded(5), cessationOfOperation(6), 2241 certificateHold(7), removeFromCRL(8) } 2242 MAX-ACCESS read-create 2243 STATUS current 2244 DESCRIPTION 2245 "This value is the reason this certificate was revoked." 
2246 DEFVAL { unspecified } 2247 ::= { ipiaRevokedCertificateEntry 3 } 2249 ipiaRctLastChanged OBJECT-TYPE 2250 SYNTAX TimeStamp 2251 MAX-ACCESS read-only 2252 STATUS current 2253 DESCRIPTION 2254 "The value of sysUpTime when this row was last modified or 2255 created either through SNMP SETs or by some other external 2256 means." 2257 ::= { ipiaRevokedCertificateEntry 4 } 2259 ipiaRctStorageType OBJECT-TYPE 2260 SYNTAX StorageType 2261 MAX-ACCESS read-create 2262 STATUS current 2263 DESCRIPTION 2264 "The storage type for this row. Rows in this table which 2265 were created through an external process may have a storage 2266 type of readOnly or permanent." 2267 DEFVAL { nonVolatile } 2268 ::= { ipiaRevokedCertificateEntry 5 } 2270 ipiaRctRowStatus OBJECT-TYPE 2271 SYNTAX RowStatus 2272 MAX-ACCESS read-create 2273 STATUS current 2274 DESCRIPTION 2275 "This object indicates the conceptual status of this row. 2277 The value of this object has no effect on whether other 2278 objects in this conceptual row can be modified. 2280 If active, this object must remain active if it is 2281 referenced by a row in another table." 2282 ::= { ipiaRevokedCertificateEntry 6 } 2284 -- 2285 -- 2286 -- Notification objects information 2287 -- 2288 -- 2290 ipiaNotificationVariables OBJECT IDENTIFIER ::= 2291 { ipiaNotificationObjects 1 } 2293 ipiaNotifications OBJECT IDENTIFIER ::= 2294 { ipiaNotificationObjects 0 } 2296 -- 2297 -- 2298 -- Conformance information 2299 -- 2300 -- 2302 ipiaCompliances OBJECT IDENTIFIER 2303 ::= { ipiaConformanceObjects 1 } 2304 ipiaGroups OBJECT IDENTIFIER 2305 ::= { ipiaConformanceObjects 2 } 2307 -- 2308 -- Compliance statements 2309 -- 2310 -- 2312 ipiaIKECompliance MODULE-COMPLIANCE 2313 STATUS current 2314 DESCRIPTION 2315 "The compliance statement for SNMP entities that include an 2316 IPsec MIB implementation and supports IKE actions." 
2317 MODULE -- This Module 2318 MANDATORY-GROUPS { ipiaIpsecGroup, ipiaIkeGroup, 2319 ipiaStaticActionGroup, ipsaSharedGroup } 2321 OBJECT ipiaIkeActRowStatus 2322 SYNTAX RowStatus { 2323 active(1), createAndGo(4), destroy(6) 2324 } 2325 DESCRIPTION 2326 "Support of the values notInService(2), notReady(3), 2327 and createAndWait(5) is not required." 2329 OBJECT ipiaIkeActLastChanged 2330 MIN-ACCESS not-accessible 2331 DESCRIPTION 2332 "This object is optional so as not to impose an undue 2333 burden on resource-constrained devices." 2335 OBJECT ipiaIkeActPropRowStatus 2336 SYNTAX RowStatus { 2337 active(1), createAndGo(4), destroy(6) 2338 } 2339 DESCRIPTION 2340 "Support of the values notInService(2), notReady(3), 2341 and createAndWait(5) is not required." 2343 OBJECT ipiaIkeActPropLastChanged 2344 MIN-ACCESS not-accessible 2345 DESCRIPTION 2346 "This object is optional so as not to impose an undue 2347 burden on resource-constrained devices." 2349 OBJECT ipiaIkePropRowStatus 2350 SYNTAX RowStatus { 2351 active(1), createAndGo(4), destroy(6) 2352 } 2353 DESCRIPTION 2354 "Support of the values notInService(2), notReady(3), 2355 and createAndWait(5) is not required." 2357 OBJECT ipiaIkePropLastChanged 2358 MIN-ACCESS not-accessible 2359 DESCRIPTION 2360 "This object is optional so as not to impose an undue 2361 burden on resource-constrained devices." 2363 OBJECT ipiaIpsecActRowStatus 2364 SYNTAX RowStatus { 2365 active(1), createAndGo(4), destroy(6) 2366 } 2367 DESCRIPTION 2368 "Support of the values notInService(2), notReady(3), 2369 and createAndWait(5) is not required." 2371 OBJECT ipiaIpsecActLastChanged 2372 MIN-ACCESS not-accessible 2373 DESCRIPTION 2374 "This object is optional so as not to impose an undue 2375 burden on resource-constrained devices." 
2377 OBJECT ipiaIpsecPropRowStatus 2378 SYNTAX RowStatus { 2379 active(1), createAndGo(4), destroy(6) 2380 } 2381 DESCRIPTION 2382 "Support of the values notInService(2), notReady(3), 2383 and createAndWait(5) is not required." 2385 OBJECT ipiaIpsecPropLastChanged 2386 MIN-ACCESS not-accessible 2387 DESCRIPTION 2388 "This object is optional so as not to impose an undue 2389 burden on resource-constrained devices." 2391 OBJECT ipiaIpsecTranRowStatus 2392 SYNTAX RowStatus { 2393 active(1), createAndGo(4), destroy(6) 2394 } 2395 DESCRIPTION 2396 "Support of the values notInService(2), notReady(3), 2397 and createAndWait(5) is not required." 2399 OBJECT ipiaIpsecTranLastChanged 2400 MIN-ACCESS not-accessible 2401 DESCRIPTION 2402 "This object is optional so as not to impose an undue 2403 burden on resource-constrained devices." 2405 OBJECT ipiaSaNegParamRowStatus 2406 SYNTAX RowStatus { 2407 active(1), createAndGo(4), destroy(6) 2408 } 2409 DESCRIPTION 2410 "Support of the values notInService(2), notReady(3), 2411 and createAndWait(5) is not required." 2413 OBJECT ipiaSaNegParamLastChanged 2414 MIN-ACCESS not-accessible 2415 DESCRIPTION 2416 "This object is optional so as not to impose an undue 2417 burden on resource-constrained devices." 2419 OBJECT ipiaIkeIdRowStatus 2420 SYNTAX RowStatus { 2421 active(1), createAndGo(4), destroy(6) 2422 } 2423 DESCRIPTION 2424 "Support of the values notInService(2), notReady(3), 2425 and createAndWait(5) is not required." 2427 OBJECT ipiaIkeIdLastChanged 2428 MIN-ACCESS not-accessible 2429 DESCRIPTION 2430 "This object is optional so as not to impose an undue 2431 burden on resource-constrained devices." 2433 OBJECT ipiaAutoIkeAddressType 2434 SYNTAX InetAddressType { 2435 ipv4(1), ipv6(2) 2436 } 2437 DESCRIPTION 2438 "Only the ipv4 and ipv6 values make sense for this 2439 object." 
2441 OBJECT ipiaAutoIkeRowStatus 2442 SYNTAX RowStatus { 2443 active(1), createAndGo(4), destroy(6) 2444 } 2445 DESCRIPTION 2446 "Support of the values notInService(2), notReady(3), 2447 and createAndWait(5) is not required." 2449 OBJECT ipiaAutoIkeLastChanged 2450 MIN-ACCESS not-accessible 2451 DESCRIPTION 2452 "This object is optional so as not to impose an undue 2453 burden on resource-constrained devices." 2455 OBJECT ipiaCmcDistributionPoint 2456 MIN-ACCESS read-only 2457 DESCRIPTION 2458 "Only read-only access is required for compliance." 2460 OBJECT ipiaCmcThisUpdate 2462 MIN-ACCESS read-only 2463 DESCRIPTION 2464 "Only read-only access is required for compliance." 2466 OBJECT ipiaCmcNextUpdate 2467 MIN-ACCESS read-only 2468 DESCRIPTION 2469 "Only read-only access is required for compliance." 2471 OBJECT ipiaCmcLastChanged 2472 MIN-ACCESS not-accessible 2473 DESCRIPTION 2474 "This object not required for compliance." 2476 OBJECT ipiaCmcStorageType 2477 MIN-ACCESS read-only 2478 DESCRIPTION 2479 "Only read-only access is required for compliance." 2481 OBJECT ipiaCmcRowStatus 2482 SYNTAX RowStatus { 2483 active(1), createAndGo(4), destroy(6) 2484 } 2485 MIN-ACCESS read-only 2486 DESCRIPTION 2487 "Support of the values notInService(2), notReady(3), 2488 and createAndWait(5) is not required. Only read-only 2489 access is required for compliance." 2491 OBJECT ipiaRctRevokedDate 2492 MIN-ACCESS read-only 2493 DESCRIPTION 2494 "Only read-only access is required for compliance." 2496 OBJECT ipiaRctRevokedReason 2497 MIN-ACCESS read-only 2498 DESCRIPTION 2499 "Only read-only access is required for compliance." 2501 OBJECT ipiaRctLastChanged 2502 MIN-ACCESS not-accessible 2503 DESCRIPTION 2504 "This object not required for compliance." 2506 OBJECT ipiaRctStorageType 2507 MIN-ACCESS read-only 2508 DESCRIPTION 2509 "Only read-only access is required for compliance." 
2511 OBJECT ipiaRctRowStatus 2512 SYNTAX RowStatus { 2513 active(1), createAndGo(4), destroy(6) 2514 } 2515 MIN-ACCESS read-only 2516 DESCRIPTION 2517 "Support of the values notInService(2), notReady(3), 2518 and createAndWait(5) is not required. Only read-only 2519 access is required for compliance." 2521 OBJECT ipiaIcmsDistinguishedName 2522 MIN-ACCESS read-only 2523 DESCRIPTION 2524 "Only read-only access is required for compliance." 2526 OBJECT ipiaIcmsPolicyStatement 2527 MIN-ACCESS read-only 2528 DESCRIPTION 2529 "Only read-only access is required for compliance." 2531 OBJECT ipiaIcmsMaxChainLength 2532 MIN-ACCESS read-only 2533 DESCRIPTION 2534 "Only read-only access is required for compliance." 2536 OBJECT ipiaIcmsCredentialName 2537 MIN-ACCESS read-only 2538 DESCRIPTION 2539 "Only read-only access is required for compliance." 2541 OBJECT ipiaIcmsLastChanged 2542 MIN-ACCESS not-accessible 2543 DESCRIPTION 2544 "This object not required for compliance." 2546 OBJECT ipiaIcmsStorageType 2547 MIN-ACCESS read-only 2548 DESCRIPTION 2549 "Only read-only access is required for compliance." 2551 OBJECT ipiaIcmsRowStatus 2552 SYNTAX RowStatus { 2553 active(1), createAndGo(4), destroy(6) 2554 } 2555 MIN-ACCESS read-only 2556 DESCRIPTION 2557 "Support of the values notInService(2), notReady(3), 2558 and createAndWait(5) is not required. Only read-only 2559 access is required for compliance." 2561 OBJECT ipiaPeerIdFiltRowStatus 2562 SYNTAX RowStatus { 2563 active(1), createAndGo(4), destroy(6) 2564 } 2565 DESCRIPTION 2566 "Support of the values notInService(2), notReady(3), 2567 and createAndWait(5) is not required." 2569 OBJECT ipiaPeerIdFiltLastChanged 2570 MIN-ACCESS not-accessible 2571 DESCRIPTION 2572 "This object not required for compliance." 
2574 OBJECT ipiaCredFiltRowStatus 2575 SYNTAX RowStatus { 2576 active(1), createAndGo(4), destroy(6) 2577 } 2578 DESCRIPTION 2579 "Support of the values notInService(2), notReady(3), 2580 and createAndWait(5) is not required." 2582 OBJECT ipiaCredFiltLastChanged 2583 MIN-ACCESS not-accessible 2584 DESCRIPTION 2585 "This object not required for compliance." 2587 ::= { ipiaCompliances 1 } 2589 ipiaRuleFilterCompliance MODULE-COMPLIANCE 2590 STATUS current 2591 DESCRIPTION 2592 "The compliance statement for SNMP entities that include an 2593 IKEACTION MIB implementation with IKE filters support." 2594 MODULE -- This Module 2595 MANDATORY-GROUPS { ipiaStaticFilterGroup } 2597 GROUP ipiaPeerIdFilterGroup 2598 DESCRIPTION 2599 "This group is mandatory for IPsec Policy 2600 implementations which support Peer Identity filters." 2602 GROUP ipiaCredentialFilterGroup 2603 DESCRIPTION 2604 "This group is mandatory for IPsec Policy 2605 implementations which support IKE Credential filters." 2607 ::= { ipiaCompliances 2 } 2609 -- 2610 -- 2611 -- Compliance Groups Definitions 2612 -- 2614 -- 2615 -- Compliance Groups 2616 -- 2618 ipiaStaticFilterGroup OBJECT-GROUP 2619 OBJECTS { ipiaIkePhase1Filter, 2620 ipiaIkePhase2Filter } 2621 STATUS current 2622 DESCRIPTION 2623 "The static filter group. Currently this is just a true 2624 filter." 
2625 ::= { ipiaGroups 1 } 2627 ipiaCredentialFilterGroup OBJECT-GROUP 2628 OBJECTS { 2629 ipiaCredFiltCredentialType, ipiaCredFiltMatchFieldName, 2630 ipiaCredFiltMatchFieldValue, ipiaCredFiltAcceptCredFrom, 2631 ipiaCredFiltLastChanged, ipiaCredFiltStorageType, 2632 ipiaCredFiltRowStatus, 2634 ipiaCmcDistributionPoint, ipiaCmcThisUpdate, 2635 ipiaCmcNextUpdate, ipiaCmcLastChanged, ipiaCmcStorageType, 2636 ipiaCmcRowStatus, 2638 ipiaRctRevokedDate, ipiaRctRevokedReason, 2639 ipiaRctLastChanged, ipiaRctStorageType, ipiaRctRowStatus, 2641 ipiaIcmsDistinguishedName, ipiaIcmsPolicyStatement, 2642 ipiaIcmsMaxChainLength, ipiaIcmsCredentialName, 2643 ipiaIcmsLastChanged, ipiaIcmsStorageType, ipiaIcmsRowStatus 2644 } 2645 STATUS current 2646 DESCRIPTION 2647 "The IPsec Policy Credential Filter Table Group." 2648 ::= { ipiaGroups 2 } 2650 ipiaPeerIdFilterGroup OBJECT-GROUP 2651 OBJECTS { 2652 ipiaPeerIdFiltIdentityType, ipiaPeerIdFiltIdentityValue, 2653 ipiaPeerIdFiltLastChanged, ipiaPeerIdFiltStorageType, 2654 ipiaPeerIdFiltRowStatus 2655 } 2656 STATUS current 2657 DESCRIPTION 2658 "The IPsec Policy Peer Identity Filter Table Group." 2659 ::= { ipiaGroups 3 } 2661 -- 2662 -- action compliance groups 2663 -- 2665 ipiaStaticActionGroup OBJECT-GROUP 2666 OBJECTS { 2667 ipiaRejectIKEAction, 2668 ipiaRejectIKEActionLog 2669 } 2670 STATUS current 2671 DESCRIPTION 2672 "The IPsec Policy Static Actions Group." 
2673 ::= { ipiaGroups 4 } 2675 ipiaIkeGroup OBJECT-GROUP 2676 OBJECTS { 2677 ipiaIkeActParametersName, ipiaIkeActThresholdDerivedKeys, 2678 ipiaIkeActExchangeMode, ipiaIkeActAgressiveModeGroupId, 2679 ipiaIkeActIdentityType, ipiaIkeActIdentityContext, 2680 ipiaIkeActPeerName, ipiaIkeActVendorId, ipiaIkeActPropName, 2681 ipiaIkeActDoActionLogging, ipiaIkeActDoPacketLogging, 2682 ipiaIkeActLastChanged, ipiaIkeActStorageType, 2683 ipiaIkeActRowStatus, 2685 ipiaIkeActPropLastChanged, ipiaIkeActPropStorageType, 2686 ipiaIkeActPropRowStatus, 2688 ipiaIkePropLifetimeDerivedKeys, ipiaIkePropCipherAlgorithm, 2689 ipiaIkePropCipherKeyLength, ipiaIkePropCipherKeyRounds, 2690 ipiaIkePropHashAlgorithm, ipiaIkePropPrfAlgorithm, 2691 ipiaIkePropVendorId, ipiaIkePropDhGroup, 2692 ipiaIkePropAuthenticationMethod, ipiaIkePropMaxLifetimeSecs, 2693 ipiaIkePropMaxLifetimeKB, ipiaIkePropLastChanged, 2694 ipiaIkePropStorageType, 2695 ipiaIkePropRowStatus, 2697 ipiaSaNegParamMinLifetimeSecs, ipiaSaNegParamMinLifetimeKB, 2698 ipiaSaNegParamRefreshThreshSecs, 2699 ipiaSaNegParamRefreshThresholdKB, 2700 ipiaSaNegParamIdleDurationSecs, ipiaSaNegParamLastChanged, 2701 ipiaSaNegParamStorageType, ipiaSaNegParamRowStatus, 2703 ipiaIkeIdCredentialName, ipiaIkeIdLastChanged, 2704 ipiaIkeIdStorageType, ipiaIkeIdRowStatus, 2706 ipiaAutoIkeAction, ipiaAutoIkeAddressType, 2707 ipiaAutoIkeSourceAddress, ipiaAutoIkeSourcePort, 2708 ipiaAutoIkeDestAddress, ipiaAutoIkeDestPort, 2709 ipiaAutoIkeProtocol, ipiaAutoIkeLastChanged, 2710 ipiaAutoIkeStorageType, ipiaAutoIkeRowStatus, 2712 ipiaCmcDistributionPoint, ipiaCmcThisUpdate, 2713 ipiaCmcNextUpdate, ipiaCmcLastChanged, ipiaCmcStorageType, 2714 ipiaCmcRowStatus, 2716 ipiaRctRevokedDate, ipiaRctRevokedReason, 2717 ipiaRctLastChanged, ipiaRctStorageType, ipiaRctRowStatus, 2719 ipiaIcmsDistinguishedName, ipiaIcmsPolicyStatement, 2720 ipiaIcmsMaxChainLength, ipiaIcmsCredentialName, 2721 ipiaIcmsLastChanged, ipiaIcmsStorageType, ipiaIcmsRowStatus 2722 } 2723 
        STATUS      current
        DESCRIPTION
            "This group is the set of objects that support IKE
            actions. These objects are from the IPsec Policy IKE
            Action Table, the IKE Action Proposals Table, the IKE
            Proposal Table, the Autostart IKE Table, the IKE
            Identity Table, the Peer Identity Table, the Credential
            Management Service Table, and the shared Negotiation
            Parameters Table (from the IPSEC-IPSECACTION-MIB)."
        ::= { ipiaGroups 5 }

    ipiaIpsecGroup OBJECT-GROUP
        OBJECTS {
            ipiaIpsecActParametersName, ipiaIpsecActProposalsName,
            ipiaIpsecActUsePfs, ipiaIpsecActVendorId,
            ipiaIpsecActGroupId, ipiaIpsecActPeerGatewayIdName,
            ipiaIpsecActUseIkeGroup, ipiaIpsecActGranularity,
            ipiaIpsecActMode, ipiaIpsecActDFHandling,
            ipiaIpsecActDoActionLogging, ipiaIpsecActDoPacketLogging,
            ipiaIpsecActLastChanged, ipiaIpsecActStorageType,
            ipiaIpsecActRowStatus,

            ipiaIpsecPropTransformsName, ipiaIpsecPropLastChanged,
            ipiaIpsecPropStorageType, ipiaIpsecPropRowStatus,

            ipiaIpsecTranTransformName, ipiaIpsecTranLastChanged,
            ipiaIpsecTranStorageType, ipiaIpsecTranRowStatus,

            ipiaSaNegParamMinLifetimeSecs, ipiaSaNegParamMinLifetimeKB,
            ipiaSaNegParamRefreshThreshSecs,
            ipiaSaNegParamRefreshThresholdKB,
            ipiaSaNegParamIdleDurationSecs, ipiaSaNegParamLastChanged,
            ipiaSaNegParamStorageType, ipiaSaNegParamRowStatus
        }
        STATUS      current
        DESCRIPTION
            "This group is the set of objects that support IPsec
            actions. These objects are from the IPsec Policy IPsec
            Actions Table, the IPsec Proposal Table, and the IPsec
            Transform Table. This group also includes objects from the
            shared tables: Peer Identity Table, Credential Table,
            Negotiation Parameters Table, Credential Management Service
            Table, and the AH, ESP, and IPComp Transform Tables."
        ::= { ipiaGroups 6 }

END

6. Security Considerations

6.1 Introduction

   This document defines a MIB module used to configure IPsec policy
   services. Since IKE negotiates keys for IPsec and IPsec provides
   security services, it is important that the IKE configuration data
   be at least as well protected as the security service IPsec
   provides. There are two threats to thwart when configuring IPsec
   devices.

   1. Only authenticated administrators should be allowed to configure
      a device. Support for SET operations in a non-secure environment
      without proper protection can have a negative effect on network
      operations.

   2. Unfriendly parties should not be able to read configuration data
      while the data is in network transit. Any knowledge about a
      device's IKE policy configuration could help an unfriendly party
      compromise that device and/or a network it protects. It is thus
      important to control even GET access to these objects and
      possibly to encrypt the values of these objects when sending
      them over the network via SNMP.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is still no control over who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in
   this MIB module.

   It is RECOMMENDED that implementers consider the security features
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.
   It is then a customer/operator responsibility to ensure that the
   SNMP entity giving access to an instance of this MIB module is
   properly configured to give access to the objects only to those
   principals (users) that have legitimate rights to GET or SET
   (change/create/delete) them.

   Therefore, when configuring data in the IPSEC-IKEACTION-MIB, you
   SHOULD use SNMP version 3. The rest of this discussion assumes the
   use of SNMPv3. This is a real strength: it allows administrators to
   load new IPsec configuration onto a device, keeping the conversation
   private and authenticated under the protection of SNMPv3, before any
   IPsec protections are available. Once the initial IPsec
   configuration has been established on a device, it would be possible
   to set up IPsec SAs that then also provide confidentiality and
   integrity services to the configuration conversation. This may seem
   redundant at first, but it is shown below to have a use for added
   privacy protection.

6.2 Protecting against unauthenticated access

   The current SNMPv3 User-based Security Model provides key-based user
   authentication. Typically, keys are derived from passwords (but are
   not required to be), and the keys are then used in HMAC algorithms
   (currently HMAC-MD5 and HMAC-SHA-1 are defined) to authenticate all
   SNMP data. Each SNMP device keeps a (configured) list of users and
   keys. Under SNMPv3, user keys may be updated as often as an
   administrator cares to have users enter new passwords. But Perfect
   Forward Secrecy for user keys is not yet provided by standards-track
   documents, although RFC 2786 defines an experimental method of doing
   so.

6.3 Protecting against involuntary disclosure

   While sending IKE configuration data to a PEP, there are a few
   critical parameters which MUST NOT be observed by third parties.
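   The key handling that Section 6.2 describes is the RFC 3414 (USM)
   password-to-key and key-localization procedure. The following is an
   added worked example, not part of this draft or of any IPsec
   implementation: a user's password is stretched into a master key Ku
   by hashing 2^20 octets of the repeated password, Ku is then
   localized to one agent's snmpEngineID as Kul = H(Ku || engineID ||
   Ku), and each message is authenticated with the first 12 octets of
   an HMAC keyed by Kul. The function names are the example's own; the
   "maplesyrup" password and the 12-octet engineID are the test vector
   published in RFC 3414 Appendix A.3, and the sample message is a
   constructed placeholder.

```python
"""RFC 3414 User-based Security Model key derivation (added example).

Only the localized key Kul is stored on an agent, so a compromised agent
yields a key that is useless at agents with a different snmpEngineID,
while the administrator's password still derives all of them.
"""
import hashlib
import hmac

PASSWORD_STREAM_LEN = 1048576  # RFC 3414 A.2: exactly 2^20 octets are hashed
AUTH_PARAM_LEN = 12            # HMAC-MD5-96 / HMAC-SHA-96 truncation


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: digest of the first 2^20 octets of the password repeated."""
    if not password:
        raise ValueError("empty password")
    reps = PASSWORD_STREAM_LEN // len(password) + 1
    stream = (password * reps)[:PASSWORD_STREAM_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul: bind the master key to a single agent's snmpEngineID."""
    if not 5 <= len(engine_id) <= 32:  # SnmpEngineID size, RFC 3411
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key_from_password(password: bytes, engine_id: bytes,
                                hash_name: str) -> bytes:
    return localize_key(password_to_key(password, hash_name),
                        engine_id, hash_name)


def auth_params(kul: bytes, whole_msg: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters: truncated HMAC over wholeMsg.

    Per RFC 3414 6.3.1/6.3.2 the caller passes wholeMsg with its
    12-octet msgAuthenticationParameters field set to zeros.
    """
    return hmac.new(kul, whole_msg, hash_name).digest()[:AUTH_PARAM_LEN]


def verify_auth_params(kul: bytes, whole_msg: bytes, received: bytes,
                       hash_name: str) -> bool:
    """Constant-time check; anything but exactly 12 octets is rejected."""
    if len(received) != AUTH_PARAM_LEN:
        return False
    return hmac.compare_digest(auth_params(kul, whole_msg, hash_name),
                               received)


if __name__ == "__main__":
    # RFC 3414 Appendix A.3 test vector: password "maplesyrup",
    # snmpEngineID 00 00 00 00 00 00 00 00 00 00 00 02.
    engine_id = bytes(11) + b"\x02"
    kul = localized_key_from_password(b"maplesyrup", engine_id, "md5")
    # Constructed placeholder for a wholeMsg whose authentication
    # parameters field has already been zeroed.
    whole_msg = b"constructed wholeMsg " + bytes(AUTH_PARAM_LEN)
    tag = auth_params(kul, whole_msg, "md5")
    print(kul.hex(), tag.hex())
```

   Note that the algorithms this draft names are the ones RFC 3414
   defined at the time (HMAC-MD5-96, HMAC-SHA-96, CBC-DES); USM
   privacy with AES-128 was later specified in RFC 3826 and HMAC-SHA-2
   authentication in RFC 7860, and a deployment today should select
   those rather than the MD5/DES pair.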
   The parameters that must not be observed include IKE pre-shared
   keys and possibly the private key of a public/private key pair for
   use in a PKI. Were either of those parameters known to a third
   party, it could then impersonate the device to other IKE peers.
   Aside from those critical parameters, policy administrators have an
   interest in not divulging any of their policy configuration. Any
   knowledge about a device's configuration could help an unfriendly
   party compromise that device. SNMPv3 offers privacy security
   services, but at the time this document was written, the only
   standardized encryption algorithm supported by SNMPv3 is the DES
   encryption algorithm. Support for other (stronger) cryptographic
   algorithms was in the works and may be done as you read this.
   Policy administrators SHOULD use a privacy security service to
   configure their IPsec policy which is at least as strong as the
   desired IPsec policy. For example, it is unwise to configure IPsec
   parameters implementing 3DES algorithms while only protecting that
   conversation with single DES.

6.4 Bootstrapping your configuration

   Hopefully vendors will not ship new products with a default SNMPv3
   user/password pair, but it is possible. Most SNMPv3 distributions
   should hopefully require an out-of-band initialization over a
   trusted medium, such as a local console connection.

7. Acknowledgments

   Many other people contributed thoughts and ideas that influenced
   this MIB module. Special thanks are in order to the following
   people:

      Lindy Foster (Sparta, Inc.)
      John Gillis (ADC)
      Jamie Jason (Intel Corporation)
      Roger Hartmuller (Sparta, Inc.)
      David Partain (Ericsson)
      Lee Rafalow (IBM)
      Jon Saperia (JDS Consulting)
      John Shriver (Internap Network Services Corporation)
      Eric Vyncke (Cisco Systems)

Normative References

   [RFCXXXX]  Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
              Wang, "IPsec Security Policy Database Configuration MIB",
              January 2004.

   [RFCYYYY]  Baer, M., Charlet, R., Hardaker, W., Story, R. and C.
              Wang, "IPsec Security Policy IPsec Action MIB", January
              2004.

   [RFC3410]  Case, J., Mundy, R., Partain, D. and B. Stewart,
              "Introduction and Applicability Statements for
              Internet-Standard Management Framework", RFC 3410,
              December 2002.

   [RFC3411]  Harrington, D., Presuhn, R. and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R. and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412, December
              2002.

   [RFC3413]  Levi, D., Meyer, P. and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62, RFC
              3413, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415, December
              2002.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              McCloghrie, K., Rose, M. and S. Waldbusser, "Structure of
              Management Information Version 2 (SMIv2)", STD 58, RFC
              2578, April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              McCloghrie, K., Rose, M. and S. Waldbusser, "Textual
              Conventions for SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D. and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3585]  Jason, J., Rafalow, L. and E. Vyncke, "IPsec Configuration
              Policy Information Model", RFC 3585, August 2003.

Informative References

   [IPPMWP]   Lortz, V. and L. Rafalow, "IPsec Policy Model White
              Paper", November 2000.

Authors' Addresses

   Michael Baer
   Sparta, Inc.
   7075 Samuel Morse Drive
   Columbia, MD 21046
   US

   EMail: baerm@tislabs.com

   Ricky Charlet
   Self

   EMail: rcharlet@alumni.calpoly.edu

   Wes Hardaker
   Sparta, Inc.
   P.O. Box 382
   Davis, CA 95617
   US

   Phone: +1 530 792 1913
   EMail: hardaker@tislabs.com

   Robert Story
   Revelstone Software
   PO Box 1812
   Tucker, GA 30085
   US

   EMail: rs-snmp@revelstone.com

   Cliff Wang
   SmartPipes, Inc.
   Suite 300, 565 Metro Place South
   Dublin, OH 43017
   US

   EMail: cliffwang2000@yahoo.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances
   of licenses to be made available, or the result of an attempt made
   to obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification
   can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

Full Copyright Statement

   Copyright (C) The Internet Society (2004). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
