idnits 2.17.1 

draft-ietf-ipsp-ikeaction-mib-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this to
     the boilerplate described in the IETF Trust License Policy document (see
     https://trustee.ietf.org/license-info), which is required now.

     -- Found old boilerplate from RFC 3978, Section 5.1 on line 23.

     -- Found old boilerplate from RFC 3978, Section 5.5 on line 3119.

     -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 3130.

     -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 3137.

     -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 3143.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead
     of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  -- The document has examples using IPv4 documentation addresses according to
     RFC6890, but does not use any IPv6 documentation addresses.  Maybe there
     should be IPv6 examples, too?


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.
  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).

     Found 'SHOULD not' in this paragraph:

     ipiaSaNegParamRefreshThreshSecs OBJECT-TYPE SYNTAX Unsigned32 (1..100)
     UNITS "seconds" MAX-ACCESS read-create STATUS current DESCRIPTION
     "ipiaSaNegParamRefreshThreshSecs specifies what percentage of the
     seconds lifetime can expire before IKE SHOULD attempt to renegotiate
     the IPsec security association.  A value between 1 and 100
     representing a percentage.  A value of 100 indicates that the IPsec
     security association SHOULD not be renegotiated until the seconds
     lifetime has been completely reached."  ::= {
     ipiaSaNegotiationParametersEntry 4 }

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).

     Found 'SHOULD not' in this paragraph:

     ipiaSaNegParamRefreshThresholdKB OBJECT-TYPE SYNTAX Unsigned32 (1..100)
     MAX-ACCESS read-create STATUS current DESCRIPTION
     "ipiaSaNegParamRefreshThresholdKB specifies what percentage of the
     kilobyte lifetime can expire before IKE SHOULD attempt to renegotiate
     the IPsec security association.  A value between 1 and 100
     representing a percentage.  A value of 100 indicates that the IPsec
     security association SHOULD not be renegotiated until the kilobyte
     lifetime has been reached."  ::= { ipiaSaNegotiationParametersEntry 5
     }

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (October 19, 2006) is 6398 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  ** Obsolete normative reference: RFC 2409 (Obsoleted by RFC 4306)


     Summary: 4 errors (**), 0 flaws (~~), 4 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2   IPSP                                                          M. Baer
3   Internet-Draft                                           Sparta, Inc.
4   Intended status: Informational                             R. Charlet
5   Expires: April 22, 2007                                          Self
6                                                             W. Hardaker
7                                                            Sparta, Inc.
8                                                                R. Story
9                                                     Revelstone Software
10                                                                C. Wang
11                                               ARO/North Carolina State
12                                                             University
13                                                       October 19, 2006

15                   IPsec Security Policy IKE Action MIB
16                    draft-ietf-ipsp-ikeaction-mib-02.txt

18  Status of this Memo

20     By submitting this Internet-Draft, each author represents that any
21     applicable patent or other IPR claims of which he or she is aware
22     have been or will be disclosed, and any of which he or she becomes
23     aware will be disclosed, in accordance with Section 6 of BCP 79.

25     Internet-Drafts are working documents of the Internet Engineering
26     Task Force (IETF), its areas, and its working groups.  Note that
27     other groups may also distribute working documents as Internet-
28     Drafts.

30     Internet-Drafts are draft documents valid for a maximum of six months
31     and may be updated, replaced, or obsoleted by other documents at any
32     time.  It is inappropriate to use Internet-Drafts as reference
33     material or to cite them other than as "work in progress."

35     The list of current Internet-Drafts can be accessed at
36     http://www.ietf.org/ietf/1id-abstracts.txt.

38     The list of Internet-Draft Shadow Directories can be accessed at
39     http://www.ietf.org/shadow.html.
41     This Internet-Draft will expire on April 22, 2007.

43  Copyright Notice

45     Copyright (C) The Internet Society (2006).

47  Abstract

49     This document defines an SMIv2 Management Information Base (MIB)
50     module for configuring Internet Key Exchange (IKE) actions for the
51     security policy database (SPD) of a device that uses the IPsec
52     Security Policy Database Configuration MIB for configuring the IKE
53     protocol actions on that device.  The IPsec IKE Action MIB integrates
54     directly with the IPsec Security Policy Database Configuration MIB
55     and it is meant to work within the framework of an action referenced
56     by that MIB.

58  Table of Contents

60     1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
61     2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
62     3.  The Internet-Standard Management Framework . . . . . . . . . .  3
63     4.  Relationship to the DMTF Policy Model  . . . . . . . . . . . .  3
64     5.  MIB Module Overview  . . . . . . . . . . . . . . . . . . . . .  4
65     6.  MIB definition . . . . . . . . . . . . . . . . . . . . . . . .  4
66     7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 61
67       7.1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . 61
68       7.2.  Protecting against unauthenticated access  . . . . . . . . 63
69       7.3.  Protecting against involuntary disclosure  . . . . . . . . 63
70       7.4.  Bootstrapping your configuration . . . . . . . . . . . . . 63
71     8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 64
72     9.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 64
73     10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 64
74       10.1. Normative References . . . . . . . . . . . . . . . . . . . 64
75       10.2. Informative References . . . . . . . . . . . . . . . . . . 65
76     Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 65
77     Intellectual Property and Copyright Statements . . . . . . . . . . 67

79  1.  Introduction

81     This document defines a MIB module for configuration of an Internet
82     Key Exchange (IKE) [RFC2409] action within the IPsec security policy
83     database (SPD).  This module works within the framework of the IPsec
84     Security Policy Database Configuration MIB (IPSEC-SPD-MIB) [RFCZZZZ].
85     It can be referenced as an action by the IPSEC-SPD-MIB and is used to
86     configure IKE negotiations between network devices.

88     Companion document [RFCZZZZ] documents the IPsec Security Policy
89     Database Configuration MIB.  Companion document [RFCYYYY] documents
90     the IPsec Security Policy IPsec Action MIB for configuration of
91     static IPsec SAs.

93  2.  Terminology

95     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
96     "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
97     document are to be interpreted as described in RFC 2119 [RFC2119].

99  3.  The Internet-Standard Management Framework

101    For a detailed overview of the documents that describe the current
102    Internet-Standard Management Framework, please refer to section 7 of
103    RFC 3410 [RFC3410].

105    Managed objects are accessed via a virtual information store, termed
106    the Management Information Base or MIB.  MIB objects are generally
107    accessed through the Simple Network Management Protocol (SNMP).
108    Objects in the MIB are defined using the mechanisms defined in the
109    Structure of Management Information (SMI).  This memo specifies a MIB
110    module that is compliant to the SMIv2, which is described in STD 58,
111    RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
112    [RFC2580].

114 4.  Relationship to the DMTF Policy Model

116    The Distributed Management Task Force (DMTF) has created an object
117    oriented model of IPsec policy information known as the IPsec Policy
118    Model White Paper [IPPMWP].  The contents of this document are also
119    reflected in the "IPsec Configuration Policy Model" (IPCP) [RFC3585].
120    This MIB module is a task-specific derivation (i.e. an SMIv2
121    instantiation) of the IKE actions portion of the IPCP's IPsec
122    configuration model for use with SNMPv3.  This includes the necessary
123    filter, negotiation, identity and IKE action information required to
124    enable IKE negotiation within the IPsec Policy framework.

126 5.  MIB Module Overview

128    The MIB module describes the necessary information to implement IKE
129    actions and their associated negotiations referred to by the IPsec
130    Security Policy Database Configuration MIB.  A basic understanding of
131    IKE, of IPsec processing, of the IPsec Configuration Policy Model and
132    of how actions fit into the overall framework of the IPSEC-SPD-MIB
133    is required to use this MIB properly.  When referring to an action
134    in this MIB from the IPSEC-SPD-MIB, the filters within the IPSEC-SPD-
135    MIB that are associated with the action are limited to those that are
136    supported by IKE [RFC2409] and this MIB.

138 6.  MIB definition

140    The following MIB Module imports from: [RFC2578], [RFC2579],
141    [RFC2580], [RFC3411], [RFC4001].
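   One part of this module that an implementer has to get exactly right is
   the wildcard matching that ipiaPeerIdFiltIdentityValue (in the
   ipiaPeerIdentityFilterTable below) requires: '*' standing for zero or more
   characters, case-insensitive name matching, RDN-wise matching of DNs, and
   both prefix and dotted-wildcard forms for IPv4 addresses.  The following
   Python is an added example written for this page, not code from the draft
   or from any IKE implementation.  It works on identities in text form (a DER
   DN is assumed to have already been rendered as a comma-separated
   'type=value' string, and the split on ',' ignores escaped commas), and the
   identity-type constants are this example's own labels for the RFC 2407 ID
   type codes; the filter table it evaluates is a constructed copy of the
   draft's own examples.

```python
"""Peer identity filter matching as required by ipiaPeerIdFiltIdentityValue.

Added example, not part of the draft.  Identities are handled in text
form; a DER-encoded DN is assumed to have been rendered as a
comma-separated 'type=value' string before it reaches these functions.
"""
import ipaddress
import re

# RFC 2407 section 4.6.2.1 ID type codes; the labels are this example's own.
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_DER_ASN1_DN = 9


def _wildcard_regex(pattern):
    """'*' matches zero or more of any character; everything else is literal.
    Names compare case-insensitively, as the draft's own example
    ('*@example.com' matching 'JDOE@EXAMPLE.COM') requires."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def match_name(pattern, value):
    """fqdn and userFqdn identities: a plain wildcard match."""
    return _wildcard_regex(pattern).match(value) is not None


def match_dn(pattern, value):
    """DN identities: compare RDN by RDN so that 'cn=*' cannot swallow the
    'ou=...' component; attribute types must agree, values may carry '*'.
    Simplification: splits on ',' and ignores RFC 4514 escaping."""
    pat_rdns = [p.strip() for p in pattern.split(",")]
    val_rdns = [v.strip() for v in value.split(",")]
    if len(pat_rdns) != len(val_rdns):
        return False
    for prdn, vrdn in zip(pat_rdns, val_rdns):
        ptype, _, pval = prdn.partition("=")
        vtype, _, vval = vrdn.partition("=")
        if ptype.strip().lower() != vtype.strip().lower():
            return False
        if not match_name(pval.strip(), vval.strip()):
            return False
    return True


def match_ipv4(pattern, value):
    """IPv4 identities: a prefix ('192.0.2.0/24'), a dotted wildcard
    ('192.0.2.*') or an exact address.  An unparsable payload never matches."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        return False
    if "/" in pattern:
        return addr in ipaddress.IPv4Network(pattern, strict=False)
    if "*" in pattern:
        return match_name(pattern, str(addr))
    return addr == ipaddress.IPv4Address(pattern)


_MATCHERS = {
    ID_IPV4_ADDR: match_ipv4,
    ID_FQDN: match_name,
    ID_USER_FQDN: match_name,
    ID_DER_ASN1_DN: match_dn,
}


def peer_id_matches(ident_type, filter_value, payload_value):
    """One filter row's type/value against one received ID payload.
    Types this example does not model simply never match."""
    matcher = _MATCHERS.get(ident_type)
    return matcher is not None and matcher(filter_value, payload_value)


def first_matching_filter(rows, ident_type, payload_value):
    """rows: (ipiaPeerIdFiltName, ipiaPeerIdFiltIdentityType,
    ipiaPeerIdFiltIdentityValue) tuples.  A row only applies to payloads of
    its own identity type.  Returns the first matching row's name, or None."""
    for name, row_type, row_value in rows:
        if row_type == ident_type and peer_id_matches(row_type, row_value, payload_value):
            return name
    return None


# Constructed filter table mirroring the examples in the object description.
SAMPLE_FILTERS = [
    ("eng-users", ID_USER_FQDN, "*@example.com"),
    ("eng-hosts", ID_FQDN, "*.example.com"),
    ("eng-certs", ID_DER_ASN1_DN, "cn=*,ou=engineering,o=company,c=us"),
    ("doc-net", ID_IPV4_ADDR, "192.0.2.0/24"),
]

if __name__ == "__main__":
    print(first_matching_filter(SAMPLE_FILTERS, ID_USER_FQDN, "JDOE@EXAMPLE.COM"))
    print(first_matching_filter(SAMPLE_FILTERS, ID_IPV4_ADDR, "198.51.100.7"))
```

   The type check in first_matching_filter is deliberate: a filter written
   for userFqdn must not be tried against an fqdn or address payload, or a
   pattern such as '*' would accept any peer regardless of what it claims.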
143    IPSEC-IKEACTION-MIB DEFINITIONS ::= BEGIN

145    IMPORTS
146        MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32
147            FROM SNMPv2-SMI
148            -- [rfc2578]

150        TEXTUAL-CONVENTION, RowStatus, TruthValue,
151        TimeStamp, StorageType, VariablePointer
152            FROM SNMPv2-TC
153            -- [rfc2579]

155        MODULE-COMPLIANCE, OBJECT-GROUP
156            FROM SNMPv2-CONF
157            -- [rfc2580]

159        SnmpAdminString
160            FROM SNMP-FRAMEWORK-MIB
161            -- [rfc3411]

163        InetAddressType, InetAddress, InetPortNumber
164            FROM INET-ADDRESS-MIB
165            -- [rfc4001]

167        spdActions, SpdIPPacketLogging, spdEndGroupInterface
168            FROM IPSEC-SPD-MIB
169            -- [rfcZZZZ]

171        IpsaCredentialType, IpsecDoiIdentType, IpsaIdentityFilter,
172        ipsaSharedGroup
173            FROM IPSEC-IPSECACTION-MIB
174            -- [rfcXXXX]
175    ;

177    --
178    -- module identity
179    --

181    ipiaMIB MODULE-IDENTITY
182        LAST-UPDATED "200609050000Z"    -- 05 September 2006
183        ORGANIZATION "IETF IP Security Policy Working Group"
184        CONTACT-INFO "Michael Baer
185                      P.O. Box 72682
186                      Davis, CA 95617
187                      Phone: +1 530 902 3131
188                      Email: baerm@tislabs.com

190                      Ricky Charlet
191                      Email: rcharlet@alumni.calpoly.edu

193                      Wes Hardaker
194                      Sparta, Inc.
195                      P.O. Box 382
196                      Davis, CA 95617
197                      Phone: +1 530 792 1913
198                      Email: hardaker@tislabs.com

200                      Robert Story
201                      Revelstone Software
202                      PO Box 1812
203                      Tucker, GA 30085
204                      Phone: +1 770 617 3722
205                      Email: rstory@sparta.com

207                      Cliff Wang
208                      ARO/North Carolina State University
209                      4300 S. Miami Blvd.
210                      RTP, NC 27709
211                      E-Mail: cliffwangmail@yahoo.com"

213        DESCRIPTION
214            "The MIB module for defining IKE actions for managing IPsec
215             Security Policy.

217             Copyright (C) The Internet Society (2006).  This version of
218             this MIB module is part of RFC YYYY, see the RFC itself for
219             full legal notices."

221    -- Revision History

223        REVISION "200609050000Z"    -- 05 September 2006
224        DESCRIPTION "Initial version, published as RFC YYYY."
225                    -- RFC-editor assigns YYYY

227        ::= { spdActions 2 }

229    --
230    -- groups of related objects
231    --

233    ipiaConfigObjects OBJECT IDENTIFIER
234        ::= { ipiaMIB 1 }
235    ipiaNotificationObjects OBJECT IDENTIFIER
236        ::= { ipiaMIB 2 }
237    ipiaConformanceObjects OBJECT IDENTIFIER
238        ::= { ipiaMIB 3 }

240    --
241    -- Textual Conventions
242    --

244    IkeEncryptionAlgorithm ::= TEXTUAL-CONVENTION
245        DISPLAY-HINT "d"
246        STATUS current
247        DESCRIPTION "Values for encryption algorithms negotiated
248                     for the ISAKMP SA by IKE in Phase I.  These are
249                     values for SA Attribute type Encryption
250                     Algorithm (1).

252                     Unused values <= 65000 are reserved to IANA.
253                     Currently assigned values at the time of this
254                     writing:

256                     reserved(0),        -- reserved in IKE
257                     desCbc(1),          -- RFC 2405
258                     ideaCbc(2),
259                     blowfishCbc(3),
260                     rc5R16B64Cbc(4),    -- RC5 R16 B64 CBC
261                     tripleDesCbc(5),    -- 3DES CBC
262                     castCbc(6),
263                     aesCbc(7)

265                     Values 65001-65535 are for private use among
266                     mutually consenting parties."
267        REFERENCE "RFC 2409 appendix A,
268                   IANA"
269        SYNTAX Unsigned32 (0..65535)

271    IkeAuthMethod ::= TEXTUAL-CONVENTION
272        DISPLAY-HINT "d"
273        STATUS current
274        DESCRIPTION "Values for authentication methods negotiated
275                     for the ISAKMP SA by IKE in Phase I.  These are
276                     values for SA Attribute type Authentication
277                     Method (3).

279                     Unused values <= 65000 are reserved to IANA.

281                     reserved(0),                 -- reserved in IKE
282                     preSharedKey(1),
283                     dssSignatures(2),
284                     rsaSignatures(3),
285                     encryptionWithRsa(4),
286                     revisedEncryptionWithRsa(5),
287                     reservedDontUse6(6),         -- not to be used
288                     reservedDontUse7(7),         -- not to be used
289                     ecdsaSignatures(8)

291                     Values 65001-65535 are for private use among
292                     mutually consenting parties."
293        REFERENCE "RFC 2409 appendix A,
294                   IANA"
295        SYNTAX Unsigned32 (0..65535)

297    IkeHashAlgorithm ::= TEXTUAL-CONVENTION
298        DISPLAY-HINT "d"
299        STATUS current
300        DESCRIPTION "Values for hash algorithms negotiated
301                     for the ISAKMP SA by IKE in Phase I.  These are
302                     values for SA Attribute type Hash Algorithm (2).

304                     Unused values <= 65000 are reserved to IANA.
305                     Currently assigned values at the time of this
306                     writing:

308                     reserved(0),    -- reserved in IKE
309                     md5(1),         -- RFC 1321
310                     sha(2),         -- FIPS 180-1
311                     tiger(3),
312                     sha256(4),
313                     sha384(5),
314                     sha512(6)

316                     Values 65001-65535 are for private use among
317                     mutually consenting parties."
318        REFERENCE "RFC 2409 appendix A,
319                   IANA"
320        SYNTAX Unsigned32 (0..65535)

322    IkeGroupDescription ::= TEXTUAL-CONVENTION
323        DISPLAY-HINT "d"
324        STATUS current
325        DESCRIPTION "Values for Oakley key computation groups for
326                     Diffie-Hellman exchange negotiated for the ISAKMP
327                     SA by IKE in Phase I.  They are also used in Phase II
328                     when perfect forward secrecy is in use.  These are
329                     values for SA Attribute type Group Description (4).

331                     Unused values <= 32767 are reserved to IANA.
332                     Currently assigned values at the time of this
333                     writing:

335                     none(0),              -- reserved in IKE, used
336                                           -- in MIBs to reflect that
337                                           -- none of the predefined
338                                           -- groups are used
339                     modp768(1),           -- default 768-bit MODP group
340                     modp1024(2),          -- alternate 1024-bit MODP
341                                           -- group
342                     ec2nGF155(3),         -- EC2N group on Galois
343                                           -- Field GF[2^155]
344                     ec2nGF185(4),         -- EC2N group on Galois
345                                           -- Field GF[2^185]
346                     ec2nGF163Random(6),   -- EC2N group on Galois
347                                           -- Field GF[2^163],
348                                           -- random seed
349                     ec2nGF163Koblitz(7),
350                                           -- EC2N group on Galois
351                                           -- Field GF[2^163],
352                                           -- Koblitz curve
353                     ec2nGF283Random(8),   -- EC2N group on Galois
354                                           -- Field GF[2^283],
355                                           -- random seed
356                     ec2nGF283Koblitz(9),
357                                           -- EC2N group on Galois
358                                           -- Field GF[2^283],
359                                           -- Koblitz curve
360                     ec2nGF409Random(10),
361                                           -- EC2N group on Galois
362                                           -- Field GF[2^409],
363                                           -- random seed
364                     ec2nGF409Koblitz(11),
365                                           -- EC2N group on Galois
366                                           -- Field GF[2^409],
367                                           -- Koblitz curve
368                     ec2nGF571Random(12),
369                                           -- EC2N group on Galois
370                                           -- Field GF[2^571],
371                                           -- random seed
372                     ec2nGF571Koblitz(13)
373                                           -- EC2N group on Galois
374                                           -- Field GF[2^571],
375                                           -- Koblitz curve

377                     Values 32768-65535 are for private use among
378                     mutually consenting parties."
379        REFERENCE "RFC 2409 appendix A,
380                   IANA"
381        SYNTAX Unsigned32 (0..65535)

383    IpsecDoiSecProtocolId ::= TEXTUAL-CONVENTION
384        DISPLAY-HINT "d"
385        STATUS current
386        DESCRIPTION "These are the IPsec DOI values for the Protocol-Id
387                     field in an ISAKMP Proposal Payload, and in all
388                     Notification Payloads.

390                     They are also used as the Protocol-ID in the
391                     Notification Payload and the Delete Payload.

393                     Currently assigned values at the time of this
394                     writing:

396                     reserved(0),        -- reserved in DOI
397                     protoIsakmp(1),     -- message protection
398                                         -- required during Phase I
399                                         -- of the IKE protocol
400                     protoIpsecAh(2),    -- IP packet authentication
401                                         -- via Authentication Header
402                     protoIpsecEsp(3),   -- IP packet confidentiality
403                                         -- via Encapsulating
404                                         -- Security Payload
405                     protoIpcomp(4)      -- IP payload compression

407                     The values 249-255 are reserved for private use
408                     amongst cooperating systems."

410        REFERENCE "RFC 2407 section 4.4.1"
411        SYNTAX Unsigned32 (0..255)

413    --
414    -- Policy group definitions
415    --

417    ipiaLocalConfigObjects OBJECT IDENTIFIER
418        ::= { ipiaConfigObjects 1 }

420    --
421    -- Static Filters
422    --

424    ipiaStaticFilters OBJECT IDENTIFIER ::= { ipiaConfigObjects 2 }

426    ipiaIkePhase1Filter OBJECT-TYPE
427        SYNTAX Integer32
428        MAX-ACCESS read-only
429        STATUS current
430        DESCRIPTION
431            "This static filter can be used to test if a packet is
432             part of an IKE phase-1 negotiation."
433        ::= { ipiaStaticFilters 1 }

435    ipiaIkePhase2Filter OBJECT-TYPE
436        SYNTAX Integer32
437        MAX-ACCESS read-only
438        STATUS current
439        DESCRIPTION
440            "This static filter can be used to test if a packet is
441             part of an IKE phase-2 negotiation."
442        ::= { ipiaStaticFilters 2 }

444    --
445    -- credential filter table
446    --

448    ipiaCredentialFilterTable OBJECT-TYPE
449        SYNTAX SEQUENCE OF IpiaCredentialFilterEntry
450        MAX-ACCESS not-accessible
451        STATUS current
452        DESCRIPTION
453            "This table is used to provide credentials for IKE
454             identities.

456             It can be used for filters which are matched to
457             credentials of IKE peers, where the credentials in question
458             have been obtained from an IKE phase 1 exchange.  They MAY
459             be X.509 certificates, Kerberos tickets, etc...

461             It can also be used to provide credentials for local IKE
462             identities."
463        ::= { ipiaConfigObjects 3 }

465    ipiaCredentialFilterEntry OBJECT-TYPE
466        SYNTAX IpiaCredentialFilterEntry
467        MAX-ACCESS not-accessible
468        STATUS current
469        DESCRIPTION
470            "A row defining a particular credential filter"
471        INDEX { ipiaCredFiltName }
472        ::= { ipiaCredentialFilterTable 1 }

474    IpiaCredentialFilterEntry ::= SEQUENCE {
475        ipiaCredFiltName                SnmpAdminString,
476        ipiaCredFiltCredentialType      IpsaCredentialType,
477        ipiaCredFiltMatchFieldName      OCTET STRING,
478        ipiaCredFiltMatchFieldValue     OCTET STRING,
479        ipiaCredFiltAcceptCredFrom      OCTET STRING,
480        ipiaCredFiltLastChanged         TimeStamp,
481        ipiaCredFiltStorageType         StorageType,
482        ipiaCredFiltRowStatus           RowStatus
483    }

485    ipiaCredFiltName OBJECT-TYPE
486        SYNTAX SnmpAdminString (SIZE(1..32))
487        MAX-ACCESS not-accessible
488        STATUS current
489        DESCRIPTION
490            "The administrative name of this filter."
491        ::= { ipiaCredentialFilterEntry 1 }

493    ipiaCredFiltCredentialType OBJECT-TYPE
494        SYNTAX IpsaCredentialType
495        MAX-ACCESS read-create
496        STATUS current
497        DESCRIPTION
498            "The credential type that is expected for this filter to
499             succeed."
500        DEFVAL { x509 }
501        ::= { ipiaCredentialFilterEntry 2 }

503    ipiaCredFiltMatchFieldName OBJECT-TYPE
504        SYNTAX OCTET STRING (SIZE(0..256))
505        MAX-ACCESS read-create
506        STATUS current
507        DESCRIPTION
508            "The piece of the credential to match against.  Examples:
509             serialNumber, signatureAlgorithm, issuerName or
510             subjectName.

512             For credential types without fields (e.g. shared secret),
513             this field SHOULD be left empty, and the entire credential
514             will be matched against the ipiaCredFiltMatchFieldValue."
515        ::= { ipiaCredentialFilterEntry 3 }

517    ipiaCredFiltMatchFieldValue OBJECT-TYPE
518        SYNTAX OCTET STRING (SIZE(1..4096))
519        MAX-ACCESS read-create
520        STATUS current
521        DESCRIPTION
522            "The value that the field indicated by the
523             ipiaCredFiltMatchFieldName MUST match against for the
524             filter to be considered TRUE."
525        ::= { ipiaCredentialFilterEntry 4 }

527    ipiaCredFiltAcceptCredFrom OBJECT-TYPE
528        SYNTAX OCTET STRING(SIZE(1..117))
529        MAX-ACCESS read-create
530        STATUS current
531        DESCRIPTION
532            "This value is used to look up a row in the
533             ipiaIpsecCredMngServiceTable for the Certificate Authority
534             (CA) Information.  This value is empty if there is no CA
535             used for this filter."
536        ::= { ipiaCredentialFilterEntry 5 }

538    ipiaCredFiltLastChanged OBJECT-TYPE
539        SYNTAX TimeStamp
540        MAX-ACCESS read-only
541        STATUS current
542        DESCRIPTION
543            "The value of sysUpTime when this row was last modified or
544             created either through SNMP SETs or by some other external
545             means."
546        ::= { ipiaCredentialFilterEntry 6 }

548    ipiaCredFiltStorageType OBJECT-TYPE
549        SYNTAX StorageType
550        MAX-ACCESS read-create
551        STATUS current
552        DESCRIPTION
553            "The storage type for this row.  Rows in this table which
554             were created through an external process MAY have a storage
555             type of readOnly or permanent.

557             For a storage type of permanent, none of the columns have
558             to be writable."
559        DEFVAL { nonVolatile }
560        ::= { ipiaCredentialFilterEntry 7 }

562    ipiaCredFiltRowStatus OBJECT-TYPE
563        SYNTAX RowStatus
564        MAX-ACCESS read-create
565        STATUS current
566        DESCRIPTION
567            "This object indicates the conceptual status of this row.
569             The value of this object has no effect on whether other
570             objects in this conceptual row can be modified.

572             If active, this object MUST remain active if it is
573             referenced by an active row in another table.  An attempt
574             to set it to anything other than active while it is
575             referenced by an active row in another table MUST result in
576             an inconsistentValue error."
577        ::= { ipiaCredentialFilterEntry 8 }

579    --
580    -- Peer Identity Filter Table
581    --

583    ipiaPeerIdentityFilterTable OBJECT-TYPE
584        SYNTAX SEQUENCE OF IpiaPeerIdentityFilterEntry
585        MAX-ACCESS not-accessible
586        STATUS current
587        DESCRIPTION
588            "This table defines filters which can be used to match
589             credentials of IKE peers, where the credentials in question
590             have been obtained from an IKE phase 1 exchange.  They MAY
591             be X.509 certificates, Kerberos tickets, etc..."
592        ::= { ipiaConfigObjects 4 }

594    ipiaPeerIdentityFilterEntry OBJECT-TYPE
595        SYNTAX IpiaPeerIdentityFilterEntry
596        MAX-ACCESS not-accessible
597        STATUS current
598        DESCRIPTION
599            "A row defining a particular credential filter"
600        INDEX { ipiaPeerIdFiltName }
601        ::= { ipiaPeerIdentityFilterTable 1 }

603    IpiaPeerIdentityFilterEntry ::= SEQUENCE {
604        ipiaPeerIdFiltName              SnmpAdminString,
605        ipiaPeerIdFiltIdentityType      IpsecDoiIdentType,
606        ipiaPeerIdFiltIdentityValue     IpsaIdentityFilter,
607        ipiaPeerIdFiltLastChanged       TimeStamp,
608        ipiaPeerIdFiltStorageType       StorageType,
609        ipiaPeerIdFiltRowStatus         RowStatus
610    }

612    ipiaPeerIdFiltName OBJECT-TYPE
613        SYNTAX SnmpAdminString (SIZE(1..32))
614        MAX-ACCESS not-accessible
615        STATUS current
616        DESCRIPTION
617            "The administrative name of this filter."
618        ::= { ipiaPeerIdentityFilterEntry 1 }

620    ipiaPeerIdFiltIdentityType OBJECT-TYPE
621        SYNTAX IpsecDoiIdentType
622        MAX-ACCESS read-create
623        STATUS current
624        DESCRIPTION
625            "The type of identity field in the peer ID payload to match
626             against."
627        ::= { ipiaPeerIdentityFilterEntry 2 }

629    ipiaPeerIdFiltIdentityValue OBJECT-TYPE
630        SYNTAX IpsaIdentityFilter
631        MAX-ACCESS read-create
632        STATUS current
633        DESCRIPTION
634            "The string representation of the value that the peer ID
635             payload value MUST match against.  Wildcard mechanisms MUST
636             be supported such that:

638             - a ipiaPeerIdFiltIdentityValue of '*@example.com' will
639               match a userFqdn ID payload of 'JDOE@EXAMPLE.COM'

641             - a ipiaPeerIdFiltIdentityValue of '*.example.com' will
642               match a fqdn ID payload of 'WWW.EXAMPLE.COM'

644             - a ipiaPeerIdFiltIdentityValue of:
645               'cn=*,ou=engineering,o=company,c=us'
646               will match a DER DN ID payload of
647               'cn=John Doe,ou=engineering,o=company,c=us'

649             - a ipiaPeerIdFiltIdentityValue of '192.0.2.0/24' will
650               match an IPv4 address ID payload of 192.0.2.10

652             - a ipiaPeerIdFiltIdentityValue of '192.0.2.*' will also
653               match an IPv4 address ID payload of 192.0.2.10.

655             The character '*' replaces 0 or multiple instances of any
656             character."
657        ::= { ipiaPeerIdentityFilterEntry 3 }

659    ipiaPeerIdFiltLastChanged OBJECT-TYPE
660        SYNTAX TimeStamp
661        MAX-ACCESS read-only
662        STATUS current
663        DESCRIPTION
664            "The value of sysUpTime when this row was last modified or
665             created either through SNMP SETs or by some other external
666             means."
667        ::= { ipiaPeerIdentityFilterEntry 4 }

669    ipiaPeerIdFiltStorageType OBJECT-TYPE
670        SYNTAX StorageType
671        MAX-ACCESS read-create
672        STATUS current
673        DESCRIPTION
674            "The storage type for this row.  Rows in this table which
675             were created through an external process MAY have a storage
676             type of readOnly or permanent.

678             For a storage type of permanent, none of the columns have
679             to be writable."
680        DEFVAL { nonVolatile }
681        ::= { ipiaPeerIdentityFilterEntry 5 }

683    ipiaPeerIdFiltRowStatus OBJECT-TYPE
684        SYNTAX RowStatus
685        MAX-ACCESS read-create
686        STATUS current
687        DESCRIPTION
688            "This object indicates the conceptual status of this row.
690             This object can not be considered active unless the
691             ipiaPeerIdFiltIdentityType and ipiaPeerIdFiltIdentityValue
692             column values are defined.

694             The value of this object has no effect on whether other
695             objects in this conceptual row can be modified.

697             If active, this object MUST remain active if it is
698             referenced by an active row in another table.  An attempt
699             to set it to anything other than active while it is
700             referenced by an active row in another table MUST result in
701             an inconsistentValue error."
702        ::= { ipiaPeerIdentityFilterEntry 6 }

704    --
705    -- Static Actions
706    --

708    -- these are static actions which can be pointed to by the
709    -- ipiaRuleDefAction or the ipiaSubActSubActionName objects to drop,
710    -- accept or reject packets.

712    ipiaStaticActions OBJECT IDENTIFIER ::= { ipiaConfigObjects 5 }

714    ipiaRejectIKEAction OBJECT-TYPE
715        SYNTAX Integer32
716        MAX-ACCESS read-only
717        STATUS current
718        DESCRIPTION
719            "This scalar indicates that a packet SHOULD be rejected
720             WITHOUT action/packet logging.  This object returns a value
721             of 1 for IPsec policy implementations that support the
722             reject static action."
723        ::= { ipiaStaticActions 1 }

725    ipiaRejectIKEActionLog OBJECT-TYPE
726        SYNTAX Integer32
727        MAX-ACCESS read-only
728        STATUS current
729        DESCRIPTION
730            "This scalar indicates that a packet SHOULD be rejected
731             WITH action/packet logging.  This object returns a value of
732             1 for IPsec policy implementations that support the reject
733             static action with logging."
734        ::= { ipiaStaticActions 2 }

736    --
737    -- ipiaIkeActionTable
738    --

740    ipiaIkeActionTable OBJECT-TYPE
741        SYNTAX SEQUENCE OF IpiaIkeActionEntry
742        MAX-ACCESS not-accessible
743        STATUS current
744        DESCRIPTION
745            "The ipiaIkeActionTable contains a list of the parameters
746             used for an IKE phase 1 SA DOI negotiation.  See the
747             corresponding table ipiaIkeActionProposalsTable for a list
748             of proposals contained within a given IKE Action."
749        ::= { ipiaConfigObjects 6 }

751    ipiaIkeActionEntry OBJECT-TYPE
752        SYNTAX IpiaIkeActionEntry
753        MAX-ACCESS not-accessible
754        STATUS current
755        DESCRIPTION
756            "The ipiaIkeActionEntry lists the IKE negotiation
757             attributes."
758        INDEX { ipiaIkeActName }
759        ::= { ipiaIkeActionTable 1 }

761    IpiaIkeActionEntry ::= SEQUENCE {
762        ipiaIkeActName                      SnmpAdminString,
763        ipiaIkeActParametersName            SnmpAdminString,
764        ipiaIkeActThresholdDerivedKeys      Integer32,
765        ipiaIkeActExchangeMode              INTEGER,
766        ipiaIkeActAgressiveModeGroupId      IkeGroupDescription,
767        ipiaIkeActIdentityType              IpsecDoiIdentType,
768        ipiaIkeActIdentityContext           SnmpAdminString,
769        ipiaIkeActPeerName                  SnmpAdminString,
770        ipiaIkeActDoActionLogging           TruthValue,
771        ipiaIkeActDoPacketLogging           SpdIPPacketLogging,
772        ipiaIkeActVendorId                  OCTET STRING,
773        ipiaIkeActLastChanged               TimeStamp,
774        ipiaIkeActStorageType               StorageType,
775        ipiaIkeActRowStatus                 RowStatus
776    }

778    ipiaIkeActName OBJECT-TYPE
779        SYNTAX SnmpAdminString (SIZE(1..32))
780        MAX-ACCESS not-accessible
781        STATUS current
782        DESCRIPTION
783            "This object contains the name of this ikeAction entry."
784        ::= { ipiaIkeActionEntry 1 }

786    ipiaIkeActParametersName OBJECT-TYPE
787        SYNTAX SnmpAdminString (SIZE(1..32))
788        MAX-ACCESS read-create
789        STATUS current
790        DESCRIPTION
791            "This object is administratively assigned to reference a row
792             in the ipiaSaNegotiationParametersTable where additional
793             parameters affecting this action can be found.

795             An attempt to set this object to a value that does not
796             exist in the ipiaSaNegotiationParametersTable MUST result
797             in an inconsistentValue error."
798        ::= { ipiaIkeActionEntry 2 }

800    ipiaIkeActThresholdDerivedKeys OBJECT-TYPE
801        SYNTAX Integer32 (0..100)
802        MAX-ACCESS read-create
803        STATUS current
804        DESCRIPTION
805            "ipiaIkeActThresholdDerivedKeys specifies what percentage
806             of the derived key limit (see the LifetimeDerivedKeys
807             property of IKEProposal) can expire before IKE SHOULD
808             attempt to renegotiate the IKE phase 1 security
809             association."
810        DEFVAL { 100 }
811        ::= { ipiaIkeActionEntry 3 }

813    ipiaIkeActExchangeMode OBJECT-TYPE
814        SYNTAX INTEGER { main(1), agressive(2) }
815        MAX-ACCESS read-create
816        STATUS current
817        DESCRIPTION
818            "ipiaIkeActExchangeMode specifies the IKE Phase 1
819             negotiation mode."
820        DEFVAL { main }
821        ::= { ipiaIkeActionEntry 4 }

823    ipiaIkeActAgressiveModeGroupId OBJECT-TYPE
824        SYNTAX IkeGroupDescription
825        MAX-ACCESS read-create
826        STATUS current
827        DESCRIPTION
828            "The values to be used for Diffie-Hellman exchange."
829        ::= { ipiaIkeActionEntry 5 }

831    ipiaIkeActIdentityType OBJECT-TYPE
832        SYNTAX IpsecDoiIdentType
833        MAX-ACCESS read-create
834        STATUS current
835        DESCRIPTION
836            "This column along with ipiaIkeActIdentityContext and
837             endpoint information is used to refer an
838             ipiaIkeIdentityEntry in the ipiaIkeIdentityTable."
839        ::= { ipiaIkeActionEntry 6 }

841    ipiaIkeActIdentityContext OBJECT-TYPE
842        SYNTAX SnmpAdminString (SIZE(1..32))
843        MAX-ACCESS read-create
844        STATUS current
845        DESCRIPTION
846            "This column, along with ipiaIkeActIdentityType and endpoint
847             information, is used to refer to an ipiaIkeIdentityEntry in
848             the ipiaIkeIdentityTable."
849        ::= { ipiaIkeActionEntry 7 }

851    ipiaIkeActPeerName OBJECT-TYPE
852        SYNTAX SnmpAdminString(SIZE(0..32))
853        MAX-ACCESS read-create
854        STATUS current
855        DESCRIPTION
856            "This object indicates the peer id name of the IKE peer.
857             This object can be used to look up the peer id value,
858             address, credentials and other values in the
859             ipiaPeerIdentityTable."
    ::= { ipiaIkeActionEntry 8 }

ipiaIkeActDoActionLogging OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkeActDoActionLogging specifies whether or not an audit
        message SHOULD be logged when this IKE SA is created."
    DEFVAL { false }
    ::= { ipiaIkeActionEntry 9 }

ipiaIkeActDoPacketLogging OBJECT-TYPE
    SYNTAX      SpdIPPacketLogging
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkeActDoPacketLogging specifies whether or not an audit
        message SHOULD be logged and, if there is logging, how many
        bytes of the packet to place in the notification."
    DEFVAL { -1 }
    ::= { ipiaIkeActionEntry 10 }

ipiaIkeActVendorId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..65535))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Vendor ID Payload. A value of NULL means that a Vendor ID
        payload will be neither generated nor accepted. A non-NULL
        value means that a Vendor ID payload will be generated
        (when acting as an initiator) or is expected (when acting
        as a responder)."
    DEFVAL { "" }
    ::= { ipiaIkeActionEntry 11 }

ipiaIkeActLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaIkeActionEntry 12 }

ipiaIkeActStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { ipiaIkeActionEntry 13 }

ipiaIkeActRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        This object MUST NOT be set to destroy if referred to by
        other rows in other action tables. An attempt to set it to
        anything other than active while it is referenced by an
        active row in another table MUST result in an
        inconsistentValue error."
    ::= { ipiaIkeActionEntry 14 }

--
-- IPsec action definition table
--

ipiaIpsecActionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIpsecActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The ipiaIpsecActionTable contains a list of the parameters
        used for an IKE phase 2 IPsec DOI negotiation."
    ::= { ipiaConfigObjects 7 }

ipiaIpsecActionEntry OBJECT-TYPE
    SYNTAX      IpiaIpsecActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The ipiaIpsecActionEntry lists the IPsec negotiation
        attributes."
    INDEX { ipiaIpsecActName }
    ::= { ipiaIpsecActionTable 1 }

IpiaIpsecActionEntry ::= SEQUENCE {
    ipiaIpsecActName                SnmpAdminString,
    ipiaIpsecActParametersName      SnmpAdminString,
    ipiaIpsecActProposalsName       SnmpAdminString,
    ipiaIpsecActUsePfs              TruthValue,
    ipiaIpsecActVendorId            OCTET STRING,
    ipiaIpsecActGroupId             IkeGroupDescription,
    ipiaIpsecActPeerGatewayIdName   OCTET STRING,
    ipiaIpsecActUseIkeGroup         TruthValue,
    ipiaIpsecActGranularity         INTEGER,
    ipiaIpsecActMode                INTEGER,
    ipiaIpsecActDFHandling          INTEGER,
    ipiaIpsecActDoActionLogging     TruthValue,
    ipiaIpsecActDoPacketLogging     SpdIPPacketLogging,
    ipiaIpsecActLastChanged         TimeStamp,
    ipiaIpsecActStorageType         StorageType,
    ipiaIpsecActRowStatus           RowStatus
}

ipiaIpsecActName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "ipiaIpsecActName is the name of the ipsecAction entry."
    ::= { ipiaIpsecActionEntry 1 }

ipiaIpsecActParametersName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to reference a row in the
        ipiaSaNegotiationParametersTable where additional
        parameters affecting this action can be found.

        An attempt to set this column to a value that does not
        exist in the ipiaSaNegotiationParametersTable MUST result
        in an inconsistentValue error."
    ::= { ipiaIpsecActionEntry 2 }

ipiaIpsecActProposalsName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to reference one or more rows in the
        ipiaIpsecProposalsTable where an ordered list of proposals
        affecting this action can be found.

        An attempt to set this column to a value that does not
        exist in the ipiaIpsecProposalsTable MUST result in an
        inconsistentValue error."
    ::= { ipiaIpsecActionEntry 3 }

ipiaIpsecActUsePfs OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This MIB object specifies whether or not perfect forward
        secrecy is used when refreshing keys. A value of true
        indicates that PFS SHOULD be used."
    ::= { ipiaIpsecActionEntry 4 }

ipiaIpsecActVendorId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The VendorID property is used to identify vendor-defined
        key exchange GroupIDs."
    ::= { ipiaIpsecActionEntry 5 }

ipiaIpsecActGroupId OBJECT-TYPE
    SYNTAX      IkeGroupDescription
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the Diffie-Hellman group to use for
        phase 2 when the object ipiaIpsecActUsePfs is true and the
        object ipiaIpsecActUseIkeGroup is false. If the GroupID
        number is from the vendor-specific range (32768-65535), the
        VendorID qualifies the group number."
    ::= { ipiaIpsecActionEntry 6 }

ipiaIpsecActPeerGatewayIdName OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..116))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the peer id name of the peer
        gateway. This object can be used to look up the peer id
        value, address and other values in the
        ipiaPeerIdentityTable. This object is used when initiating
        a tunnel SA. This object is not used for transport SAs.
        If no value is set and ipiaIpsecActMode is tunnel, the peer
        gateway is determined from the source or destination
        address of the packet."
    ::= { ipiaIpsecActionEntry 7 }

ipiaIpsecActUseIkeGroup OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies whether or not to use the same
        GroupId for phase 2 as was used in phase 1.
        If ipiaIpsecActUsePfs is false, this entry SHOULD be
        ignored."
    ::= { ipiaIpsecActionEntry 8 }

ipiaIpsecActGranularity OBJECT-TYPE
    SYNTAX      INTEGER { subnet(1), address(2), protocol(3),
                          port(4) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies how the proposed selector for the
        security association will be created. The selector is
        created by using the FilterList information. The selector
        can be subnet, address, protocol, or port."
    ::= { ipiaIpsecActionEntry 9 }

ipiaIpsecActMode OBJECT-TYPE
    SYNTAX      INTEGER { tunnel(1), transport(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the encapsulation of the IPsec SA
        to be negotiated."
    DEFVAL { tunnel }
    ::= { ipiaIpsecActionEntry 10 }

ipiaIpsecActDFHandling OBJECT-TYPE
    SYNTAX      INTEGER { copy(1), set(2), clear(3) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the processing of the DF bit by the
        negotiated IPsec tunnel.
            1 - DF bit is copied.
            2 - DF bit is set.
            3 - DF bit is cleared."
    DEFVAL { copy }
    ::= { ipiaIpsecActionEntry 11 }

ipiaIpsecActDoActionLogging OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIpsecActDoActionLogging specifies whether or not an
        audit message SHOULD be logged when this IPsec SA is
        created."
    DEFVAL { false }
    ::= { ipiaIpsecActionEntry 12 }

ipiaIpsecActDoPacketLogging OBJECT-TYPE
    SYNTAX      SpdIPPacketLogging
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIpsecActDoPacketLogging specifies whether or not an
        audit message SHOULD be logged and, if there is logging, how
        many bytes of the packet to place in the notification."
    DEFVAL { -1 }
    ::= { ipiaIpsecActionEntry 13 }

ipiaIpsecActLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaIpsecActionEntry 14 }

ipiaIpsecActStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { ipiaIpsecActionEntry 15 }

ipiaIpsecActRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        If active, this object MUST remain active if it is
        referenced by an active row in another table. An attempt
        to set it to anything other than active while it is
        referenced by an active row in another table MUST result in
        an inconsistentValue error."
    ::= { ipiaIpsecActionEntry 16 }

--
-- ipiaSaNegotiationParametersTable
--

-- PROPERTIES MinLifetimeSeconds
--            MinLifetimeKilobytes
--            RefreshThresholdSeconds
--            RefreshThresholdKilobytes
--            IdleDurationSeconds

ipiaSaNegotiationParametersTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaSaNegotiationParametersEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains reusable parameters that can be pointed
        to by the ipiaIkeActionTable and ipiaIpsecActionTable.
        These parameters are reusable since it is likely an
        administrator will want to make global policy changes to
        lifetime parameters that apply to multiple actions. This
        table allows multiple rows in the other action tables to
        reuse global lifetime parameters in this table by
        repeatedly pointing to a row contained within this table."
    ::= { ipiaConfigObjects 8 }

ipiaSaNegotiationParametersEntry OBJECT-TYPE
    SYNTAX      IpiaSaNegotiationParametersEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Contains the attributes of one row in the
        ipiaSaNegotiationParametersTable."
    INDEX { ipiaSaNegParamName }
    ::= { ipiaSaNegotiationParametersTable 1 }

IpiaSaNegotiationParametersEntry ::= SEQUENCE {
    ipiaSaNegParamName                  SnmpAdminString,
    ipiaSaNegParamMinLifetimeSecs       Unsigned32,
    ipiaSaNegParamMinLifetimeKB         Unsigned32,
    ipiaSaNegParamRefreshThreshSecs     Unsigned32,
    ipiaSaNegParamRefreshThresholdKB    Unsigned32,
    ipiaSaNegParamIdleDurationSecs      Unsigned32,
    ipiaSaNegParamLastChanged           TimeStamp,
    ipiaSaNegParamStorageType           StorageType,
    ipiaSaNegParamRowStatus             RowStatus
}

ipiaSaNegParamName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object contains the administrative name of this
        SaNegotiationParametersEntry. This row can be referred
        to by this name in other policy action tables."
    ::= { ipiaSaNegotiationParametersEntry 1 }

ipiaSaNegParamMinLifetimeSecs OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaSaNegParamMinLifetimeSecs specifies the minimum seconds
        lifetime that will be accepted from the peer."
    ::= { ipiaSaNegotiationParametersEntry 2 }

ipiaSaNegParamMinLifetimeKB OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaSaNegParamMinLifetimeKB specifies the minimum kilobyte
        lifetime that will be accepted from the peer."
    ::= { ipiaSaNegotiationParametersEntry 3 }

ipiaSaNegParamRefreshThreshSecs OBJECT-TYPE
    SYNTAX      Unsigned32 (1..100)
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaSaNegParamRefreshThreshSecs specifies what percentage
        of the seconds lifetime can expire before IKE SHOULD
        attempt to renegotiate the IPsec security association. A
        value between 1 and 100 representing a percentage. A value
        of 100 indicates that the IPsec security association SHOULD
        NOT be renegotiated until the seconds lifetime has been
        completely reached."
    ::= { ipiaSaNegotiationParametersEntry 4 }

ipiaSaNegParamRefreshThresholdKB OBJECT-TYPE
    SYNTAX      Unsigned32 (1..100)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaSaNegParamRefreshThresholdKB specifies what percentage
        of the kilobyte lifetime can expire before IKE SHOULD
        attempt to renegotiate the IPsec security association. A
        value between 1 and 100 representing a percentage. A value
        of 100 indicates that the IPsec security association SHOULD
        NOT be renegotiated until the kilobyte lifetime has been
        reached."
    ::= { ipiaSaNegotiationParametersEntry 5 }

ipiaSaNegParamIdleDurationSecs OBJECT-TYPE
    SYNTAX      Unsigned32
    UNITS       "seconds"
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaSaNegParamIdleDurationSecs specifies how many seconds a
        security association MAY remain idle (i.e., no traffic
        protected using the security association) before it is
        deleted.
        A value of zero indicates that idle detection
        SHOULD NOT be used for the security association. Any
        non-zero value indicates the number of seconds the security
        association can remain unused."
    ::= { ipiaSaNegotiationParametersEntry 6 }

ipiaSaNegParamLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaSaNegotiationParametersEntry 7 }

ipiaSaNegParamStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { ipiaSaNegotiationParametersEntry 8 }

ipiaSaNegParamRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        If active, this object MUST remain active if it is
        referenced by an active row in another table. An attempt
        to set it to anything other than active while it is
        referenced by an active row in another table MUST result in
        an inconsistentValue error."
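The lifetime, refresh-threshold and idle-duration semantics spelled out in the ipiaSaNegotiationParametersTable descriptions above (and the phase 1 analogue in ipiaIkeActThresholdDerivedKeys), modelled as a small set of decision helpers. This is an added example, not code from the draft or from any IPsec implementation: the row values are constructed, and the helper names (SaNegotiationParams, accept_peer_lifetime, rekey_points, should_rekey, idle_expired, phase1_rekey_after_derivations) are the example's own.

```python
"""Decision helpers for the ipiaSaNegotiationParametersTable semantics.

Added example; not code from the draft. Row values are constructed and
the helper names are this example's own."""
from dataclasses import dataclass

UNSIGNED32_MAX = 0xFFFFFFFF


@dataclass(frozen=True)
class SaNegotiationParams:
    """One conceptual row of ipiaSaNegotiationParametersTable."""
    name: str                    # ipiaSaNegParamName
    min_lifetime_secs: int       # ipiaSaNegParamMinLifetimeSecs
    min_lifetime_kb: int         # ipiaSaNegParamMinLifetimeKB
    refresh_thresh_secs: int     # ipiaSaNegParamRefreshThreshSecs (1..100, %)
    refresh_thresh_kb: int       # ipiaSaNegParamRefreshThresholdKB (1..100, %)
    idle_duration_secs: int      # ipiaSaNegParamIdleDurationSecs (0 = off)

    def __post_init__(self):
        # Mirror the SYNTAX constraints: a SET outside these ranges would be
        # rejected by an agent before the DESCRIPTION semantics even apply.
        for pct in (self.refresh_thresh_secs, self.refresh_thresh_kb):
            if not 1 <= pct <= 100:
                raise ValueError("refresh thresholds are percentages 1..100")
        for v in (self.min_lifetime_secs, self.min_lifetime_kb,
                  self.idle_duration_secs):
            if not 0 <= v <= UNSIGNED32_MAX:
                raise ValueError("Unsigned32 out of range")


def accept_peer_lifetime(params, proposed_secs, proposed_kb):
    """True if a peer-proposed lifetime pair meets both configured minimums.

    Both MinLifetime objects are floors on what is accepted from the peer,
    so a proposal that is shorter in either dimension is refused.
    """
    return (proposed_secs >= params.min_lifetime_secs
            and proposed_kb >= params.min_lifetime_kb)


def rekey_points(params, negotiated_secs, negotiated_kb):
    """Age (seconds) and volume (KB) at which IKE SHOULD start renegotiating.

    Each threshold is a percentage of the negotiated lifetime; 100 means
    'not before the lifetime has been completely reached'.
    """
    return (negotiated_secs * params.refresh_thresh_secs // 100,
            negotiated_kb * params.refresh_thresh_kb // 100)


def should_rekey(params, negotiated_secs, negotiated_kb, age_secs, used_kb):
    """Renegotiation is due once either the time or the volume point is hit."""
    secs_point, kb_point = rekey_points(params, negotiated_secs, negotiated_kb)
    return age_secs >= secs_point or used_kb >= kb_point


def idle_expired(params, idle_secs):
    """True if an SA that has been idle for idle_secs should be deleted.

    Zero disables idle detection entirely; any other value is the number of
    seconds the SA may remain unused.
    """
    if params.idle_duration_secs == 0:
        return False
    return idle_secs > params.idle_duration_secs


def phase1_rekey_after_derivations(derived_key_limit, threshold_pct):
    """Phase 1 analogue: ipiaIkeActThresholdDerivedKeys (0..100) applied to
    ipiaIkePropLifetimeDerivedKeys gives the number of phase 2 derivations
    after which the phase 1 SA SHOULD be renegotiated."""
    if not 0 <= threshold_pct <= 100:
        raise ValueError("threshold is a percentage 0..100")
    return derived_key_limit * threshold_pct // 100


if __name__ == "__main__":
    # Constructed row: accept nothing shorter than 1 h / 10 MB, rekey at 80 %
    # of time or 90 % of volume, drop the SA after 5 min idle.
    row = SaNegotiationParams("default", 3600, 10240, 80, 90, 300)
    print(accept_peer_lifetime(row, 28800, 102400))    # True
    print(rekey_points(row, 28800, 102400))            # (23040, 92160)
    print(should_rekey(row, 28800, 102400, 23040, 0))  # True
    print(idle_expired(row, 301))                      # True
```

The integer division keeps the rekey point at or below the percentage the administrator configured, so a threshold never pushes renegotiation past the lifetime itself; with both thresholds at 100 the rekey points coincide with the negotiated lifetimes, which is exactly the "SHOULD NOT be renegotiated until the lifetime has been completely reached" case.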
    ::= { ipiaSaNegotiationParametersEntry 9 }

--
-- ipiaIkeActionProposalsTable: proposals contained within an ikeAction
--

ipiaIkeActionProposalsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIkeActionProposalsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains a list of all IKE proposal names found
        within a given IKE action."
    ::= { ipiaConfigObjects 9 }

ipiaIkeActionProposalsEntry OBJECT-TYPE
    SYNTAX      IpiaIkeActionProposalsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row containing one IKE proposal reference."
    INDEX { ipiaIkeActName, ipiaIkeActPropPriority }
    ::= { ipiaIkeActionProposalsTable 1 }

IpiaIkeActionProposalsEntry ::= SEQUENCE {
    ipiaIkeActPropPriority      Integer32,
    ipiaIkeActPropName          SnmpAdminString,
    ipiaIkeActPropLastChanged   TimeStamp,
    ipiaIkeActPropStorageType   StorageType,
    ipiaIkeActPropRowStatus     RowStatus
}

ipiaIkeActPropPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The numeric priority of a given contained proposal inside
        an IKE action. This index SHOULD be used to order the
        proposals in an IKE Phase 1 negotiation, lowest value first
        (i.e., 0 first, then 1, 2, etc.)."
    ::= { ipiaIkeActionProposalsEntry 1 }

ipiaIkeActPropName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The administratively assigned name that can be used to
        reference a set of values contained within the
        ipiaIkeProposalTable.

        An attempt to set this object to a value that does not exist
        in the ipiaIkeProposalTable MUST result in an
        inconsistentValue error."
    ::= { ipiaIkeActionProposalsEntry 2 }

ipiaIkeActPropLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaIkeActionProposalsEntry 3 }

ipiaIkeActPropStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { ipiaIkeActionProposalsEntry 4 }

ipiaIkeActPropRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        If active, this object MUST remain active unless one of the
        following two conditions is met. An attempt to set it to
        anything other than active while neither condition is met
        MUST result in an inconsistentValue error. The two
        conditions are:

        I.  No active row in the ipiaIkeActionTable exists
            which has a matching ipiaIkeActName.

        II. At least one other active row in this table has a
            matching ipiaIkeActName."
    ::= { ipiaIkeActionProposalsEntry 5 }

--
-- IKE proposal definition table
--

ipiaIkeProposalTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIkeProposalEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains a list of IKE proposals which are used
        in an IKE negotiation."
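The referential-integrity rules that the name-reference and RowStatus descriptions above impose on an agent (ipiaIkeActParametersName and ipiaIkeActPropName MUST point at existing rows; ipiaSaNegParamRowStatus MUST stay active while an active action references it; ipiaIkeActPropRowStatus may leave active only under condition I or II; ipiaIkeActPropPriority orders proposals lowest value first), modelled as SET handlers over in-memory tables. This is an added example, not code from the draft: the tables are plain dicts keyed the way the MIB INDEX clauses key them, the row contents are constructed, and the class and method names are the example's own.

```python
"""Referential-integrity rules from the name-reference and RowStatus
DESCRIPTION clauses of the IKE action, proposal and parameter tables.

Added example; not code from the draft. Tables are plain dicts keyed the
way the MIB INDEX clauses key them, and all row contents are constructed."""

INCONSISTENT_VALUE = "inconsistentValue"   # SNMPv2 error-status on a failed SET
NO_ERROR = "noError"
NO_SUCH_NAME = "noSuchName"


class IkePolicyTables:
    def __init__(self):
        # ipiaSaNegotiationParametersTable: ipiaSaNegParamName -> RowStatus
        self.sa_neg_params = {}
        # ipiaIkeProposalTable: ipiaIkeActPropName -> RowStatus
        self.ike_proposals = {}
        # ipiaIkeActionTable: ipiaIkeActName -> {"params": name, "status": ...}
        self.ike_actions = {}
        # ipiaIkeActionProposalsTable:
        #   (ipiaIkeActName, ipiaIkeActPropPriority) -> {"prop": name, "status": ...}
        self.action_proposals = {}

    def set_action_parameters(self, act_name, params_name):
        """SET ipiaIkeActParametersName: the referenced row MUST exist."""
        if act_name not in self.ike_actions:
            return NO_SUCH_NAME
        if params_name not in self.sa_neg_params:
            return INCONSISTENT_VALUE
        self.ike_actions[act_name]["params"] = params_name
        return NO_ERROR

    def set_action_proposal(self, act_name, priority, prop_name):
        """Create an active ipiaIkeActionProposalsTable row; ipiaIkeActPropName
        MUST name an existing ipiaIkeProposalTable row."""
        if prop_name not in self.ike_proposals:
            return INCONSISTENT_VALUE
        self.action_proposals[(act_name, priority)] = {"prop": prop_name,
                                                       "status": "active"}
        return NO_ERROR

    def set_sa_neg_param_status(self, name, new_status):
        """ipiaSaNegParamRowStatus: MUST stay active while any active
        ipiaIkeActionTable row points at it."""
        if name not in self.sa_neg_params:
            return NO_SUCH_NAME
        if new_status != "active":
            referenced = any(a["status"] == "active" and a["params"] == name
                             for a in self.ike_actions.values())
            if referenced:
                return INCONSISTENT_VALUE
        return self._apply(self.sa_neg_params, name, new_status)

    def set_action_proposal_status(self, act_name, priority, new_status):
        """ipiaIkeActPropRowStatus: may leave active only if (I) no active
        ipiaIkeActionTable row has this ipiaIkeActName, or (II) at least one
        other active row of this table has it."""
        key = (act_name, priority)
        if key not in self.action_proposals:
            return NO_SUCH_NAME
        if new_status != "active":
            action = self.ike_actions.get(act_name)
            cond_i = action is None or action["status"] != "active"
            cond_ii = any(k[0] == act_name and k != key and r["status"] == "active"
                          for k, r in self.action_proposals.items())
            if not (cond_i or cond_ii):
                return INCONSISTENT_VALUE
        return self._apply(self.action_proposals, key, new_status)

    @staticmethod
    def _apply(table, key, new_status):
        # destroy removes the conceptual row; any other value just updates it.
        if new_status == "destroy":
            del table[key]
        elif isinstance(table[key], dict):
            table[key]["status"] = new_status
        else:
            table[key] = new_status
        return NO_ERROR

    def ordered_proposals(self, act_name):
        """Proposal names for one IKE action in negotiation order:
        lowest ipiaIkeActPropPriority first (0, then 1, 2, ...)."""
        rows = [(prio, r["prop"]) for (name, prio), r in self.action_proposals.items()
                if name == act_name and r["status"] == "active"]
        return [prop for _, prop in sorted(rows)]
```

Condition II is what lets an administrator replace the proposal list of a live action one row at a time: as long as another active proposal row still carries the same ipiaIkeActName, a row can be destroyed without first taking the action itself out of service.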
    ::= { ipiaConfigObjects 10 }

ipiaIkeProposalEntry OBJECT-TYPE
    SYNTAX      IpiaIkeProposalEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "One IKE proposal entry."
    INDEX { ipiaIkeActPropName }
    ::= { ipiaIkeProposalTable 1 }

IpiaIkeProposalEntry ::= SEQUENCE {
    ipiaIkePropLifetimeDerivedKeys  Unsigned32,
    ipiaIkePropCipherAlgorithm      IkeEncryptionAlgorithm,
    ipiaIkePropCipherKeyLength      Unsigned32,
    ipiaIkePropCipherKeyRounds      Unsigned32,
    ipiaIkePropHashAlgorithm        IkeHashAlgorithm,
    ipiaIkePropPrfAlgorithm         INTEGER,
    ipiaIkePropVendorId             OCTET STRING,
    ipiaIkePropDhGroup              IkeGroupDescription,
    ipiaIkePropAuthenticationMethod IkeAuthMethod,
    ipiaIkePropMaxLifetimeSecs      Unsigned32,
    ipiaIkePropMaxLifetimeKB        Unsigned32,
    ipiaIkePropLastChanged          TimeStamp,
    ipiaIkePropStorageType          StorageType,
    ipiaIkePropRowStatus            RowStatus
}

ipiaIkePropLifetimeDerivedKeys OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropLifetimeDerivedKeys specifies the number of
        times that a phase 1 key will be used to derive a phase 2
        key before the phase 1 security association needs to be
        renegotiated."
    ::= { ipiaIkeProposalEntry 1 }

ipiaIkePropCipherAlgorithm OBJECT-TYPE
    SYNTAX      IkeEncryptionAlgorithm
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropCipherAlgorithm specifies the proposed phase 1
        security association encryption algorithm."
    ::= { ipiaIkeProposalEntry 2 }

ipiaIkePropCipherKeyLength OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies, in bits, the key length for
        the cipher algorithm used in IKE Phase 1 negotiation."
    ::= { ipiaIkeProposalEntry 3 }

ipiaIkePropCipherKeyRounds OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the number of key rounds for
        the cipher algorithm used in IKE Phase 1 negotiation."
    ::= { ipiaIkeProposalEntry 4 }

ipiaIkePropHashAlgorithm OBJECT-TYPE
    SYNTAX      IkeHashAlgorithm
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropHashAlgorithm specifies the proposed phase 1
        security association hash algorithm."
    ::= { ipiaIkeProposalEntry 5 }

ipiaIkePropPrfAlgorithm OBJECT-TYPE
    SYNTAX      INTEGER { reserved(0) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropPrfAlgorithm specifies the proposed phase 1
        security association pseudo-random function.

        Note: currently no PRF algorithms are defined."
    ::= { ipiaIkeProposalEntry 6 }

ipiaIkePropVendorId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The VendorID property is used to identify vendor-defined
        key exchange GroupIDs."
    ::= { ipiaIkeProposalEntry 7 }

ipiaIkePropDhGroup OBJECT-TYPE
    SYNTAX      IkeGroupDescription
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the proposed phase 1 security
        association Diffie-Hellman group."
    ::= { ipiaIkeProposalEntry 8 }

ipiaIkePropAuthenticationMethod OBJECT-TYPE
    SYNTAX      IkeAuthMethod
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the proposed authentication
        method for the phase 1 security association."
    ::= { ipiaIkeProposalEntry 9 }

ipiaIkePropMaxLifetimeSecs OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropMaxLifetimeSecs specifies the maximum amount of
        time to propose that a security association remain valid.

        A value of 0 indicates that the default lifetime of
        8 hours SHOULD be used."
    ::= { ipiaIkeProposalEntry 10 }

ipiaIkePropMaxLifetimeKB OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ipiaIkePropMaxLifetimeKB specifies the maximum kilobyte
        lifetime to propose that a security association remain
        valid."
    ::= { ipiaIkeProposalEntry 11 }

ipiaIkePropLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaIkeProposalEntry 12 }

ipiaIkePropStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { ipiaIkeProposalEntry 13 }

ipiaIkePropRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        If active, this object MUST remain active if it is
        referenced by an active row in another table.
        An attempt
        to set it to anything other than active while it is
        referenced by an active row in another table MUST result in
        an inconsistentValue error."
    ::= { ipiaIkeProposalEntry 14 }

--
-- ipiaIpsecProposalsTable
--

ipiaIpsecProposalsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIpsecProposalsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table lists one or more IPsec proposals for
        IPsec actions."
    ::= { ipiaConfigObjects 11 }

ipiaIpsecProposalsEntry OBJECT-TYPE
    SYNTAX      IpiaIpsecProposalsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry containing (possibly a portion of) a proposal."
    INDEX { ipiaIpsecPropName, ipiaIpsecPropPriority,
            ipiaIpsecPropProtocolId }
    ::= { ipiaIpsecProposalsTable 1 }

IpiaIpsecProposalsEntry ::= SEQUENCE {
    ipiaIpsecPropName           SnmpAdminString,
    ipiaIpsecPropPriority       Integer32,
    ipiaIpsecPropProtocolId     IpsecDoiSecProtocolId,
    ipiaIpsecPropTransformsName SnmpAdminString,
    ipiaIpsecPropLastChanged    TimeStamp,
    ipiaIpsecPropStorageType    StorageType,
    ipiaIpsecPropRowStatus      RowStatus
}

ipiaIpsecPropName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The name of this proposal."
    ::= { ipiaIpsecProposalsEntry 1 }

ipiaIpsecPropPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The priority level (AKA sequence level) of this proposal.
        A lower number indicates a higher precedence (0 before 1,
        etc.)."
    ::= { ipiaIpsecProposalsEntry 2 }

ipiaIpsecPropProtocolId OBJECT-TYPE
    SYNTAX      IpsecDoiSecProtocolId
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The protocol Id for the transforms for this proposal.
        The protoIsakmp(1) value is not valid for this object. This
        object, along with the ipiaIpsecPropTransformsName, is the
        index into the ipiaIpsecTransformsTable."
    ::= { ipiaIpsecProposalsEntry 3 }

ipiaIpsecPropTransformsName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The name of the transform or group of transforms for this
        protocol. This object, along with the
        ipiaIpsecPropProtocolId, is the index into the
        ipiaIpsecTransformsTable.

        An attempt to set this object to a value that does not
        exist in the ipiaIpsecTransformsTable MUST result in an
        inconsistentValue error."
    ::= { ipiaIpsecProposalsEntry 4 }

ipiaIpsecPropLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaIpsecProposalsEntry 5 }

ipiaIpsecPropStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL { nonVolatile }
    ::= { ipiaIpsecProposalsEntry 6 }

ipiaIpsecPropRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        This row MUST NOT be set to active until the corresponding
        row(s) in the ipiaIpsecTransformsTable exist and are
        active.
        If active, this object MUST remain active unless one of the
        following two conditions is met. An attempt to set it to
        anything other than active while neither condition is met
        MUST result in an inconsistentValue error. The two
        conditions are:

        I.  No active row in the ipiaIkeActionProposalTable exists
            which has a matching ipiaIpsecPropName.

        II. At least one other active row in this table has a
            matching ipiaIpsecPropName."
    ::= { ipiaIpsecProposalsEntry 7 }

--
-- ipiaIpsecTransformsTable
--

ipiaIpsecTransformsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIpsecTransformsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table lists the IPsec proposals contained within a
        given IPsec action and the transforms within each of those
        proposals. These proposals and transforms can then be used
        to create phase 2 negotiation proposals."
    ::= { ipiaConfigObjects 12 }

ipiaIpsecTransformsEntry OBJECT-TYPE
    SYNTAX      IpiaIpsecTransformsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry containing the information on an IPsec transform."
    INDEX { ipiaIpsecTranType, ipiaIpsecTranName,
            ipiaIpsecTranPriority }
    ::= { ipiaIpsecTransformsTable 1 }

IpiaIpsecTransformsEntry ::= SEQUENCE {
    ipiaIpsecTranType           IpsecDoiSecProtocolId,
    ipiaIpsecTranName           SnmpAdminString,
    ipiaIpsecTranPriority       Integer32,
    ipiaIpsecTranTransformName  SnmpAdminString,
    ipiaIpsecTranLastChanged    TimeStamp,
    ipiaIpsecTranStorageType    StorageType,
    ipiaIpsecTranRowStatus      RowStatus
}

ipiaIpsecTranType OBJECT-TYPE
    SYNTAX      IpsecDoiSecProtocolId
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The protocol type for this transform. The protoIsakmp(1)
        value is not valid for this object."
    ::= { ipiaIpsecTransformsEntry 1 }

ipiaIpsecTranName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The name for this transform or group of transforms."
    ::= { ipiaIpsecTransformsEntry 2 }

ipiaIpsecTranPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The priority level (AKA sequence level) of this transform
        within the group of transforms (0 before 1, etc.). This
        indicates the preference for which algorithms are requested
        when the list of transforms is sent to the remote host. A
        lower number indicates a higher precedence."
    ::= { ipiaIpsecTransformsEntry 3 }

ipiaIpsecTranTransformName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The name for the given transform. Depending on the value
        of ipiaIpsecTranType, this value is used to look up the
        transform's specific parameters in the
        ipiaAhTransformTable, the ipiaEspTransformTable or the
        ipiaIpcompTransformTable."
    ::= { ipiaIpsecTransformsEntry 4 }

ipiaIpsecTranLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaIpsecTransformsEntry 5 }

ipiaIpsecTranStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
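The phase 2 index chain laid out in the ipiaIpsecActionTable, ipiaIpsecProposalsTable and ipiaIpsecTransformsTable descriptions above (action name to ipiaIpsecActProposalsName; (name, priority, protocolId) to a transforms group; (type, name, priority) to a transform name that is looked up in the per-protocol transform table), walked by a small resolver that produces the ordered proposal list a phase 2 negotiation would be built from. This is an added example, not code from the draft: the table contents are constructed, the per-protocol transform tables (ipiaAhTransformTable, ipiaEspTransformTable, ipiaIpcompTransformTable) are stubbed as sets of defined names because their columns are defined elsewhere in the MIB, and the IpsecDoiSecProtocolId values other than protoIsakmp(1) are assumed from the IPsec DOI numbering (RFC 2407) that the textual convention follows.

```python
"""Resolver for the phase 2 index chain:
ipiaIpsecActionTable -> ipiaIpsecProposalsTable -> ipiaIpsecTransformsTable
-> per-protocol transform tables.

Added example, not code from the draft. Table contents are constructed;
the per-protocol transform tables are stubbed as sets of defined names."""

# IpsecDoiSecProtocolId values. Only protoIsakmp(1) is named on this page;
# the others are assumed from the IPsec DOI (RFC 2407) numbering.
PROTO_ISAKMP = 1
PROTO_AH = 2
PROTO_ESP = 3
PROTO_IPCOMP = 4

NO_ERROR = "noError"
WRONG_VALUE = "wrongValue"             # index value the TC does not allow here
INCONSISTENT_VALUE = "inconsistentValue"


class IpsecProposalResolver:
    def __init__(self):
        # ipiaIpsecActionTable: ipiaIpsecActName -> ipiaIpsecActProposalsName
        self.actions = {}
        # ipiaIpsecProposalsTable:
        #   (ipiaIpsecPropName, ipiaIpsecPropPriority, ipiaIpsecPropProtocolId)
        #   -> ipiaIpsecPropTransformsName
        self.proposals = {}
        # ipiaIpsecTransformsTable:
        #   (ipiaIpsecTranType, ipiaIpsecTranName, ipiaIpsecTranPriority)
        #   -> ipiaIpsecTranTransformName
        self.transforms = {}
        # Stand-ins for ipiaAhTransformTable / ipiaEspTransformTable /
        # ipiaIpcompTransformTable: the set of transform names each defines.
        self.transform_tables = {PROTO_AH: set(), PROTO_ESP: set(),
                                 PROTO_IPCOMP: set()}

    def add_transform_row(self, proto, group, priority, transform_name):
        """Create an ipiaIpsecTransformsTable row. The row MUST NOT become
        active until the per-protocol transform row it names exists."""
        if proto == PROTO_ISAKMP or proto not in self.transform_tables:
            return WRONG_VALUE
        if transform_name not in self.transform_tables[proto]:
            return INCONSISTENT_VALUE
        self.transforms[(proto, group, priority)] = transform_name
        return NO_ERROR

    def add_proposal_row(self, name, priority, proto, group):
        """Create an ipiaIpsecProposalsTable row. (proto, group) MUST already
        index at least one ipiaIpsecTransformsTable row."""
        if proto == PROTO_ISAKMP:
            return WRONG_VALUE
        if not any(k[0] == proto and k[1] == group for k in self.transforms):
            return INCONSISTENT_VALUE
        self.proposals[(name, priority, proto)] = group
        return NO_ERROR

    def resolve(self, act_name):
        """Ordered phase 2 proposal list for one IPsec action.

        Returns [(priority, [(proto, [transform names...]), ...]), ...]:
        proposals ordered by ipiaIpsecPropPriority, transforms inside each
        protocol ordered by ipiaIpsecTranPriority, lowest value first.
        Rows that share a priority but differ in protocolId form one
        proposal with several protocols (e.g. AH together with ESP),
        which is why protocolId is part of the index.
        """
        prop_name = self.actions[act_name]
        by_priority = {}
        for (name, prio, proto), group in self.proposals.items():
            if name != prop_name:
                continue
            # sorted() on the (type, name, priority) key yields priority order
            names = [t for (ptype, gname, _), t in sorted(self.transforms.items())
                     if ptype == proto and gname == group]
            by_priority.setdefault(prio, []).append((proto, names))
        return [(prio, sorted(bundle)) for prio, bundle in sorted(by_priority.items())]
```

Because the resolver only ever follows the indices the MIB defines, a dangling reference at any link of the chain shows up as an inconsistentValue at SET time rather than as a silently empty proposal during negotiation.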
1844 DEFVAL { nonVolatile } 1845 ::= { ipiaIpsecTransformsEntry 6 } 1847 ipiaIpsecTranRowStatus OBJECT-TYPE 1848 SYNTAX RowStatus 1849 MAX-ACCESS read-create 1850 STATUS current 1851 DESCRIPTION 1852 "This object indicates the conceptual status of this row. 1854 The value of this object has no effect on whether other 1855 objects in this conceptual row can be modified. 1857 This row MUST NOT be set to active until the corresponding 1858 row in the ipiaAhTransformTable, ipiaEspTransformTable or 1859 the ipiaIpcompTransformTable exists. 1861 If active, this object MUST remain active unless one of the 1862 following two conditions are met. An attempt to set it to 1863 anything other than active while the following conditions 1864 are not met MUST result in an inconsistentValue error. The 1865 two conditions are: 1867 I. No active row in the IpiaIpsecProposalsTable exists 1868 which has a matching ipiaIpsecPropTransformsName. 1870 II. Or at least one other active row in this table has a 1871 matching ipiaIpsecPropTransformsName." 1872 ::= { ipiaIpsecTransformsEntry 7 } 1874 -- 1875 -- IKE identity definition table 1876 -- 1878 ipiaIkeIdentityTable OBJECT-TYPE 1879 SYNTAX SEQUENCE OF IpiaIkeIdentityEntry 1880 MAX-ACCESS not-accessible 1881 STATUS current 1882 DESCRIPTION 1883 "IKEIdentity is used to represent the identities that are 1884 used for an IPProtocolEndpoint (or collection of 1885 IPProtocolEndpoints) to identify itself in IKE phase 1 1886 negotiations. The column ipiaIkeActIdentityType and 1887 ipiaIkeIdentityContext in an ipiaIkeActionEntry together 1888 with the spdEndGroupInterface in the 1889 spdEndpointToGroupTable specifies the unique identity to 1890 use in a negotiation exchange." 1891 ::= { ipiaConfigObjects 13 } 1893 ipiaIkeIdentityEntry OBJECT-TYPE 1894 SYNTAX IpiaIkeIdentityEntry 1895 MAX-ACCESS not-accessible 1896 STATUS current 1897 DESCRIPTION 1898 "ikeIdentity lists the attributes of an IKE identity." 
    INDEX       { spdEndGroupInterface, ipiaIkeActIdentityType,
                  ipiaIkeActIdentityContext }
    ::= { ipiaIkeIdentityTable 1 }

IpiaIkeIdentityEntry ::= SEQUENCE {
    ipiaIkeIdCredentialName  SnmpAdminString,
    ipiaIkeIdLastChanged     TimeStamp,
    ipiaIkeIdStorageType     StorageType,
    ipiaIkeIdRowStatus       RowStatus
}

ipiaIkeIdCredentialName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value is used as an index into the
        ipiaCredentialFilterTable to look up the actual credential
        value and other credential information.

        For IDs without associated credential information, this
        value is left blank.

        For IDs that are address types, this value MAY be left
        blank and the associated IPProtocolEndpoint or appropriate
        member of the Collection of endpoints is used."
    ::= { ipiaIkeIdentityEntry 1 }

ipiaIkeIdLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaIkeIdentityEntry 2 }

ipiaIkeIdStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL      { nonVolatile }
    ::= { ipiaIkeIdentityEntry 3 }

ipiaIkeIdRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        If active, this object MUST remain active if it is
        referenced by an active row in another table.  An attempt
        to set it to anything other than active while it is
        referenced by an active row in another table MUST result in
        an inconsistentValue error."
    ::= { ipiaIkeIdentityEntry 4 }

--
-- autostart IKE Table
--

ipiaAutostartIkeTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaAutostartIkeEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The parameters in the autostart IKE Table are used to
        automatically initiate IKE phases I and II (i.e. IPsec)
        negotiations on startup.  It also will initiate IKE phase I
        and II negotiations for a row at the time of that row's
        creation."
    ::= { ipiaConfigObjects 14 }

ipiaAutostartIkeEntry OBJECT-TYPE
    SYNTAX      IpiaAutostartIkeEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "autostart ike provides the set of parameters to
        automatically start IKE and IPsec SAs."
    INDEX       { ipiaAutoIkePriority }
    ::= { ipiaAutostartIkeTable 1 }

IpiaAutostartIkeEntry ::= SEQUENCE {
    ipiaAutoIkePriority       Integer32,
    ipiaAutoIkeAction         VariablePointer,
    ipiaAutoIkeAddressType    InetAddressType,
    ipiaAutoIkeSourceAddress  InetAddress,
    ipiaAutoIkeSourcePort     InetPortNumber,
    ipiaAutoIkeDestAddress    InetAddress,
    ipiaAutoIkeDestPort       InetPortNumber,
    ipiaAutoIkeProtocol       Unsigned32,
    ipiaAutoIkeLastChanged    TimeStamp,
    ipiaAutoIkeStorageType    StorageType,
    ipiaAutoIkeRowStatus      RowStatus
}

ipiaAutoIkePriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "ipiaAutoIkePriority is an index into the
        ipiaAutostartIkeTable and can be used to order the autostart
        IKE actions (0 before 1, etc.)."
    ::= { ipiaAutostartIkeEntry 1 }

ipiaAutoIkeAction OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This pointer is used to point to the action or compound
        action that is initiated by this row.  This value can be
        used to indicate a scalar or a row in a table.  When
        indicating a row in a table, this value MUST point to the
        first column instance in that row.

        If this column is set to a VariablePointer value which
        references a non-existent row in an otherwise supported
        table, or if the table or scalar pointed to by the
        VariablePointer is not supported at all, the
        inconsistentValue exception MUST be returned.

        If during packet processing this column has a value that
        references a non-existent or non-supported object, the
        packet MUST be dropped."
    ::= { ipiaAutostartIkeEntry 2 }

ipiaAutoIkeAddressType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeAddressType specifies the format of
        the ipiaAutoIkeSourceAddress and ipiaAutoIkeDestAddress
        values."
    ::= { ipiaAutostartIkeEntry 3 }

ipiaAutoIkeSourceAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeSourceAddress specifies the source
        IP address for autostarting IKE SAs, formatted according to
        the appropriate convention as defined in the
        ipiaAutoIkeAddressType property."
    ::= { ipiaAutostartIkeEntry 4 }

ipiaAutoIkeSourcePort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeSourcePort specifies the port
        number for the source port for autostarting IKE SAs.

        The value of 0 for this object is illegal."
    ::= { ipiaAutostartIkeEntry 5 }

ipiaAutoIkeDestAddress OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeDestAddress specifies the
        destination IP address for autostarting IKE SAs, formatted
        according to the appropriate convention as defined in the
        ipiaAutoIkeAddressType property."
    ::= { ipiaAutostartIkeEntry 6 }

ipiaAutoIkeDestPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeDestPort specifies the port number
        for the destination port for autostarting IKE SAs.

        The value of 0 for this object is illegal."
    ::= { ipiaAutostartIkeEntry 7 }

ipiaAutoIkeProtocol OBJECT-TYPE
    SYNTAX      Unsigned32 (0..255)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The property ipiaAutoIkeProtocol specifies the protocol
        number used in comparing with policy filter entries and
        used in any phase 2 negotiations."
    ::= { ipiaAutostartIkeEntry 8 }

ipiaAutoIkeLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaAutostartIkeEntry 9 }

ipiaAutoIkeStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL      { nonVolatile }
    ::= { ipiaAutostartIkeEntry 10 }

ipiaAutoIkeRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        This object MUST NOT be set to active until the object to
        which ipiaAutoIkeAction points exists and is active.

        If active, this object MUST remain active if it is
        referenced by an active row in another table.  An attempt
        to set it to anything other than active while it is
        referenced by an active row in another table MUST result in
        an inconsistentValue error."
    ::= { ipiaAutostartIkeEntry 11 }

--
-- CA Table
--

ipiaIpsecCredMngServiceTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaIpsecCredMngServiceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table of Credential Management Service values.  This
        table is usually used for credential/certificate values
        that are used with a management service (e.g. Certificate
        Authorities)."
    ::= { ipiaConfigObjects 15 }

ipiaIpsecCredMngServiceEntry OBJECT-TYPE
    SYNTAX      IpiaIpsecCredMngServiceEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row in the ipiaIpsecCredMngServiceTable."
    INDEX       { ipiaIcmsName }
    ::= { ipiaIpsecCredMngServiceTable 1 }

IpiaIpsecCredMngServiceEntry ::= SEQUENCE {
    ipiaIcmsName               SnmpAdminString,
    ipiaIcmsDistinguishedName  OCTET STRING,
    ipiaIcmsPolicyStatement    OCTET STRING,
    ipiaIcmsMaxChainLength     Integer32,
    ipiaIcmsCredentialName     SnmpAdminString,
    ipiaIcmsLastChanged        TimeStamp,
    ipiaIcmsStorageType        StorageType,
    ipiaIcmsRowStatus          RowStatus
}

ipiaIcmsName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This is an administratively assigned string used to index
        this table."
    ::= { ipiaIpsecCredMngServiceEntry 1 }

ipiaIcmsDistinguishedName OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..256))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value represents the Distinguished Name of the
        Credential Management Service."
    ::= { ipiaIpsecCredMngServiceEntry 2 }

ipiaIcmsPolicyStatement OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..1024))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value represents the Credential Management Service
        Policy Statement, or a reference describing how to obtain
        it (e.g., a URL).  If one doesn't exist, this value can be
        left blank."
    ::= { ipiaIpsecCredMngServiceEntry 3 }

ipiaIcmsMaxChainLength OBJECT-TYPE
    SYNTAX      Integer32 (0..255)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value is the maximum length of the chain allowable
        from the Credential Management Service to the credential in
        question."
    DEFVAL      { 0 }
    ::= { ipiaIpsecCredMngServiceEntry 4 }

ipiaIcmsCredentialName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value is used as an index into the
        ipiaCredentialFilterTable to look up the actual credential
        value."
    ::= { ipiaIpsecCredMngServiceEntry 5 }

ipiaIcmsLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaIpsecCredMngServiceEntry 6 }

ipiaIcmsStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL      { nonVolatile }
    ::= { ipiaIpsecCredMngServiceEntry 7 }

ipiaIcmsRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        If active, this object MUST remain active if it is
        referenced by an active row in another table.  An attempt
        to set it to anything other than active while it is
        referenced by an active row in another table MUST result in
        an inconsistentValue error."
    ::= { ipiaIpsecCredMngServiceEntry 8 }

--
-- CRL Table
--

ipiaCredMngCRLTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaCredMngCRLEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table of the Credential Revocation Lists (CRLs) for
        credential management services."
    ::= { ipiaConfigObjects 16 }

ipiaCredMngCRLEntry OBJECT-TYPE
    SYNTAX      IpiaCredMngCRLEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row in the ipiaCredMngCRLTable."
    INDEX       { ipiaIcmsName, ipiaCmcCRLName }
    ::= { ipiaCredMngCRLTable 1 }

IpiaCredMngCRLEntry ::= SEQUENCE {
    ipiaCmcCRLName            SnmpAdminString,
    ipiaCmcDistributionPoint  OCTET STRING,
    ipiaCmcThisUpdate         OCTET STRING,
    ipiaCmcNextUpdate         OCTET STRING,
    ipiaCmcLastChanged        TimeStamp,
    ipiaCmcStorageType        StorageType,
    ipiaCmcRowStatus          RowStatus
}

ipiaCmcCRLName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This is an administratively assigned string used to index
        this table.  It represents a CRL for a given CA from a given
        distribution point."
    ::= { ipiaCredMngCRLEntry 1 }

ipiaCmcDistributionPoint OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..256))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value represents a Distribution Point for a Credential
        Revocation List.  It can be relative to the Credential
        Management Service or a full name (URL, e-mail, etc.)."
    ::= { ipiaCredMngCRLEntry 2 }

ipiaCmcThisUpdate OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value is the issue date of this CRL.  This SHOULD be
        in UTCTime or GeneralizedTime."
    ::= { ipiaCredMngCRLEntry 3 }

ipiaCmcNextUpdate OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value indicates the date the next version of this CRL
        will be issued.  This SHOULD be in UTCTime or
        GeneralizedTime."
    ::= { ipiaCredMngCRLEntry 4 }

ipiaCmcLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaCredMngCRLEntry 5 }

ipiaCmcStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL      { nonVolatile }
    ::= { ipiaCredMngCRLEntry 6 }

ipiaCmcRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        If active, this object MUST remain active if it is
        referenced by an active row in another table.  An attempt
        to set it to anything other than active while it is
        referenced by an active row in another table MUST result in
        an inconsistentValue error."
    ::= { ipiaCredMngCRLEntry 7 }

--
-- Revoked Certificate Table
--

ipiaRevokedCertificateTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpiaRevokedCertificateEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table of Credentials revoked by credential management
        services.  That is, this table is a table of Certificates
        that are on CRLs, Credential Revocation Lists."
    ::= { ipiaConfigObjects 17 }

ipiaRevokedCertificateEntry OBJECT-TYPE
    SYNTAX      IpiaRevokedCertificateEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row in the ipiaRevokedCertificateTable."
    INDEX       { ipiaCmcCRLName, ipiaRctCertSerialNumber }
    ::= { ipiaRevokedCertificateTable 1 }

IpiaRevokedCertificateEntry ::= SEQUENCE {
    ipiaRctCertSerialNumber  Unsigned32,
    ipiaRctRevokedDate       OCTET STRING,
    ipiaRctRevokedReason     INTEGER,
    ipiaRctLastChanged       TimeStamp,
    ipiaRctStorageType       StorageType,
    ipiaRctRowStatus         RowStatus
}

ipiaRctCertSerialNumber OBJECT-TYPE
    SYNTAX      Unsigned32 (0..4294967295)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This value is the serial number of the revoked
        certificate."
    ::= { ipiaRevokedCertificateEntry 1 }

ipiaRctRevokedDate OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value is the revocation date of the certificate.  This
        SHOULD be in UTCTime or GeneralizedTime."
    ::= { ipiaRevokedCertificateEntry 2 }

ipiaRctRevokedReason OBJECT-TYPE
    SYNTAX      INTEGER { unspecified(1), keyCompromise(2),
                          cACompromise(3), affiliationChanged(4),
                          superseded(5), cessationOfOperation(6),
                          certificateHold(7), removeFromCRL(8) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value is the reason this certificate was revoked."
    DEFVAL      { unspecified }
    ::= { ipiaRevokedCertificateEntry 3 }

ipiaRctLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { ipiaRevokedCertificateEntry 4 }

ipiaRctStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which
        were created through an external process MAY have a storage
        type of readOnly or permanent.

        For a storage type of permanent, none of the columns have
        to be writable."
    DEFVAL      { nonVolatile }
    ::= { ipiaRevokedCertificateEntry 5 }

ipiaRctRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        If active, this object MUST remain active if it is
        referenced by an active row in another table.  An attempt
        to set it to anything other than active while it is
        referenced by an active row in another table MUST result in
        an inconsistentValue error."
    ::= { ipiaRevokedCertificateEntry 6 }

--
--
-- Notification objects information
--
--

ipiaNotificationVariables OBJECT IDENTIFIER ::=
    { ipiaNotificationObjects 1 }

ipiaNotifications OBJECT IDENTIFIER ::=
    { ipiaNotificationObjects 0 }

--
--
-- Conformance information
--
--
ipiaCompliances OBJECT IDENTIFIER
    ::= { ipiaConformanceObjects 1 }
ipiaGroups OBJECT IDENTIFIER
    ::= { ipiaConformanceObjects 2 }

--
-- Compliance statements
--
--

ipiaIKECompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for SNMP entities that include an
        IPsec MIB implementation and support IKE actions.

        -- OBJECT      ipiaAutoIkeAddressType
        -- SYNTAX      InetAddressType { ipv4(1), ipv6(2) }
        -- DESCRIPTION
        --     Only support for global IPv4 and IPv6 address
        --     types is required.
        --
        -- OBJECT      ipiaAutoIkeSourceAddress
        -- SYNTAX      InetAddress (SIZE(4|16))
        -- DESCRIPTION
        --     Only support for global IPv4 and IPv6 address
        --     types is required.
        -- OBJECT      ipiaAutoIkeDestAddress
        -- SYNTAX      InetAddress (SIZE(4|16))
        -- DESCRIPTION
        --     Only support for global IPv4 and IPv6 address
        --     types is required.
        --"
    MODULE  -- This Module
        MANDATORY-GROUPS { ipiaIpsecGroup, ipiaIkeGroup,
                           ipiaStaticActionGroup, ipsaSharedGroup }

        OBJECT      ipiaIkeActLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object is optional so as not to impose an undue
            burden on resource-constrained devices."

        OBJECT      ipiaIkeActPropLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object is optional so as not to impose an undue
            burden on resource-constrained devices."

        OBJECT      ipiaIkePropLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object is optional so as not to impose an undue
            burden on resource-constrained devices."

        OBJECT      ipiaIpsecActLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object is optional so as not to impose an undue
            burden on resource-constrained devices."

        OBJECT      ipiaIpsecPropLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object is optional so as not to impose an undue
            burden on resource-constrained devices."

        OBJECT      ipiaIpsecTranLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object is optional so as not to impose an undue
            burden on resource-constrained devices."

        OBJECT      ipiaSaNegParamLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object is optional so as not to impose an undue
            burden on resource-constrained devices."

        OBJECT      ipiaIkeIdLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object is optional so as not to impose an undue
            burden on resource-constrained devices."

        OBJECT      ipiaAutoIkeLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object is optional so as not to impose an undue
            burden on resource-constrained devices."

        OBJECT      ipiaCmcDistributionPoint
        MIN-ACCESS  read-only
        DESCRIPTION
            "Only read-only access is required for compliance."

        OBJECT      ipiaCmcThisUpdate
        MIN-ACCESS  read-only
        DESCRIPTION
            "Only read-only access is required for compliance."

        OBJECT      ipiaCmcNextUpdate
        MIN-ACCESS  read-only
        DESCRIPTION
            "Only read-only access is required for compliance."

        OBJECT      ipiaCmcLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT      ipiaCmcStorageType
        MIN-ACCESS  read-only
        DESCRIPTION
            "Only read-only access is required for compliance."

        OBJECT      ipiaRctRevokedDate
        MIN-ACCESS  read-only
        DESCRIPTION
            "Only read-only access is required for compliance."

        OBJECT      ipiaRctRevokedReason
        MIN-ACCESS  read-only
        DESCRIPTION
            "Only read-only access is required for compliance."

        OBJECT      ipiaRctLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT      ipiaRctStorageType
        MIN-ACCESS  read-only
        DESCRIPTION
            "Only read-only access is required for compliance."

        OBJECT      ipiaIcmsDistinguishedName
        MIN-ACCESS  read-only
        DESCRIPTION
            "Only read-only access is required for compliance."

        OBJECT      ipiaIcmsPolicyStatement
        MIN-ACCESS  read-only
        DESCRIPTION
            "Only read-only access is required for compliance."

        OBJECT      ipiaIcmsMaxChainLength
        MIN-ACCESS  read-only
        DESCRIPTION
            "Only read-only access is required for compliance."

        OBJECT      ipiaIcmsCredentialName
        MIN-ACCESS  read-only
        DESCRIPTION
            "Only read-only access is required for compliance."

        OBJECT      ipiaIcmsLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT      ipiaIcmsStorageType
        MIN-ACCESS  read-only
        DESCRIPTION
            "Only read-only access is required for compliance."

    ::= { ipiaCompliances 1 }

ipiaRuleFilterCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for SNMP entities that include an
        IPSEC-IKEACTION-MIB implementation with IKE filters support."
    MODULE  -- This Module
        MANDATORY-GROUPS { ipiaStaticFilterGroup }

        GROUP       ipiaPeerIdFilterGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
            implementations which support Peer Identity filters."

        OBJECT      ipiaPeerIdFiltLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        GROUP       ipiaCredentialFilterGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
            implementations which support IKE Credential filters."

        OBJECT      ipiaCredFiltLastChanged
        MIN-ACCESS  not-accessible
        DESCRIPTION
            "This object is not required for compliance."

    ::= { ipiaCompliances 2 }

--
--
-- Compliance Groups Definitions
--

--
-- Compliance Groups
--

ipiaStaticFilterGroup OBJECT-GROUP
    OBJECTS     { ipiaIkePhase1Filter,
                  ipiaIkePhase2Filter }
    STATUS      current
    DESCRIPTION
        "The static filter group.  Currently this is just a true
        filter."
    ::= { ipiaGroups 1 }

ipiaCredentialFilterGroup OBJECT-GROUP
    OBJECTS     {
        ipiaCredFiltCredentialType, ipiaCredFiltMatchFieldName,
        ipiaCredFiltMatchFieldValue, ipiaCredFiltAcceptCredFrom,
        ipiaCredFiltLastChanged, ipiaCredFiltStorageType,
        ipiaCredFiltRowStatus,

        ipiaCmcDistributionPoint, ipiaCmcThisUpdate,
        ipiaCmcNextUpdate, ipiaCmcLastChanged, ipiaCmcStorageType,
        ipiaCmcRowStatus,

        ipiaRctRevokedDate, ipiaRctRevokedReason,
        ipiaRctLastChanged, ipiaRctStorageType, ipiaRctRowStatus,

        ipiaIcmsDistinguishedName, ipiaIcmsPolicyStatement,
        ipiaIcmsMaxChainLength, ipiaIcmsCredentialName,
        ipiaIcmsLastChanged, ipiaIcmsStorageType, ipiaIcmsRowStatus
    }
    STATUS      current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy
        Credential Filter Table."
    ::= { ipiaGroups 2 }

ipiaPeerIdFilterGroup OBJECT-GROUP
    OBJECTS     {
        ipiaPeerIdFiltIdentityType, ipiaPeerIdFiltIdentityValue,
        ipiaPeerIdFiltLastChanged, ipiaPeerIdFiltStorageType,
        ipiaPeerIdFiltRowStatus
    }
    STATUS      current
    DESCRIPTION
        "This group is made up of objects from the IPsec Policy Peer
        Identity Filter Table."
    ::= { ipiaGroups 3 }

--
-- action compliance groups
--

ipiaStaticActionGroup OBJECT-GROUP
    OBJECTS     {
        ipiaRejectIKEAction,
        ipiaRejectIKEActionLog
    }
    STATUS      current
    DESCRIPTION
        "This group is made up of IPsec Policy Static Actions
        objects."
    ::= { ipiaGroups 4 }

ipiaIkeGroup OBJECT-GROUP
    OBJECTS     {
        ipiaIkeActParametersName, ipiaIkeActThresholdDerivedKeys,
        ipiaIkeActExchangeMode, ipiaIkeActAgressiveModeGroupId,
        ipiaIkeActIdentityType, ipiaIkeActIdentityContext,
        ipiaIkeActPeerName, ipiaIkeActVendorId, ipiaIkeActPropName,
        ipiaIkeActDoActionLogging, ipiaIkeActDoPacketLogging,
        ipiaIkeActLastChanged, ipiaIkeActStorageType,
        ipiaIkeActRowStatus,

        ipiaIkeActPropLastChanged, ipiaIkeActPropStorageType,
        ipiaIkeActPropRowStatus,

        ipiaIkePropLifetimeDerivedKeys, ipiaIkePropCipherAlgorithm,
        ipiaIkePropCipherKeyLength, ipiaIkePropCipherKeyRounds,
        ipiaIkePropHashAlgorithm, ipiaIkePropPrfAlgorithm,
        ipiaIkePropVendorId, ipiaIkePropDhGroup,
        ipiaIkePropAuthenticationMethod, ipiaIkePropMaxLifetimeSecs,
        ipiaIkePropMaxLifetimeKB, ipiaIkePropLastChanged,
        ipiaIkePropStorageType,
        ipiaIkePropRowStatus,
        ipiaSaNegParamMinLifetimeSecs, ipiaSaNegParamMinLifetimeKB,
        ipiaSaNegParamRefreshThreshSecs,
        ipiaSaNegParamRefreshThresholdKB,
        ipiaSaNegParamIdleDurationSecs, ipiaSaNegParamLastChanged,
        ipiaSaNegParamStorageType, ipiaSaNegParamRowStatus,

        ipiaIkeIdCredentialName, ipiaIkeIdLastChanged,
        ipiaIkeIdStorageType, ipiaIkeIdRowStatus,

        ipiaAutoIkeAction, ipiaAutoIkeAddressType,
        ipiaAutoIkeSourceAddress, ipiaAutoIkeSourcePort,
        ipiaAutoIkeDestAddress, ipiaAutoIkeDestPort,
        ipiaAutoIkeProtocol, ipiaAutoIkeLastChanged,
        ipiaAutoIkeStorageType, ipiaAutoIkeRowStatus,

        ipiaCmcDistributionPoint, ipiaCmcThisUpdate,
        ipiaCmcNextUpdate, ipiaCmcLastChanged, ipiaCmcStorageType,
        ipiaCmcRowStatus,

        ipiaRctRevokedDate, ipiaRctRevokedReason,
        ipiaRctLastChanged, ipiaRctStorageType, ipiaRctRowStatus,

        ipiaIcmsDistinguishedName, ipiaIcmsPolicyStatement,
        ipiaIcmsMaxChainLength, ipiaIcmsCredentialName,
        ipiaIcmsLastChanged, ipiaIcmsStorageType, ipiaIcmsRowStatus
    }
    STATUS      current
    DESCRIPTION
        "This group is the set of objects that support IKE
        actions.  These objects are from the IPsec Policy IKE
        Action Table, the IKE Action Proposals Table, the IKE
        Proposal Table, the autostart IKE Table, the IKE Identity
        Table, the Peer Identity Table, the Credential Management
        Service Table, and the shared Negotiation Parameters Table
        (from the IPSEC-IPSECACTION-MIB)."
    ::= { ipiaGroups 5 }

ipiaIpsecGroup OBJECT-GROUP
    OBJECTS     {
        ipiaIpsecActParametersName, ipiaIpsecActProposalsName,
        ipiaIpsecActUsePfs, ipiaIpsecActVendorId,
        ipiaIpsecActGroupId, ipiaIpsecActPeerGatewayIdName,
        ipiaIpsecActUseIkeGroup, ipiaIpsecActGranularity,
        ipiaIpsecActMode, ipiaIpsecActDFHandling,
        ipiaIpsecActDoActionLogging, ipiaIpsecActDoPacketLogging,
        ipiaIpsecActLastChanged, ipiaIpsecActStorageType,
        ipiaIpsecActRowStatus,
        ipiaIpsecPropTransformsName, ipiaIpsecPropLastChanged,
        ipiaIpsecPropStorageType, ipiaIpsecPropRowStatus,

        ipiaIpsecTranTransformName, ipiaIpsecTranLastChanged,
        ipiaIpsecTranStorageType, ipiaIpsecTranRowStatus,

        ipiaSaNegParamMinLifetimeSecs, ipiaSaNegParamMinLifetimeKB,
        ipiaSaNegParamRefreshThreshSecs,
        ipiaSaNegParamRefreshThresholdKB,
        ipiaSaNegParamIdleDurationSecs, ipiaSaNegParamLastChanged,
        ipiaSaNegParamStorageType, ipiaSaNegParamRowStatus
    }
    STATUS      current
    DESCRIPTION
        "This group is the set of objects that support IPsec
        actions.  These objects are from the IPsec Policy IPsec
        Actions Table, the IPsec Proposal Table, and the IPsec
        Transform Table.  This group also includes objects from the
        shared tables: Peer Identity Table, Credential Table,
        Negotiation Parameters Table, Credential Management Service
        Table and the AH, ESP, and IPComp Transform Tables."
    ::= { ipiaGroups 6 }

END

7. Security Considerations

7.1. Introduction

This document defines a MIB module used to configure IPsec policy
services.  Since IKE negotiates keys for IPsec and IPsec provides
security services, it is important that the IKE configuration data
SHOULD be at least as protected as the IPsec-provided security
service.  There are two main threats you need to thwart when
configuring IPsec devices.

1. Malicious Configuration: This MIB configures network security
   services.  If an attacker has SET access to any part of this MIB,
   the network security services configured by this MIB SHOULD be
   considered broken.  The network data sent through the associated
   gateway should no longer be considered as protected by IPsec
   (i.e., it is no longer confidential or authenticated).
   Therefore, only the official administrators SHOULD be allowed to
   configure a device.  In other words, administrators' identities
   SHOULD be authenticated and their access rights checked before
   they are allowed to do device configuration.  The support for SET
   operations to the IPSEC-IKEACTION-MIB in a non-secure
   environment, without proper protection, will invalidate the
   security of the network traffic affected by the
   IPSEC-IKEACTION-MIB.

2. Disclosure of Configuration: In general, malicious parties SHOULD
   NOT be able to read security configuration data while the data is
   in network transit.  An attacker reading the configuration data
   may be able to find misconfigurations in the MIB that enable
   attacks on the network or on the configured node.  Since this
   entire MIB is used for security configuration, it is highly
   RECOMMENDED that only authorized administrators are allowed to
   view data in this MIB.  In particular, malicious users SHOULD be
   prevented from reading SNMP packets containing this MIB's data.
   SNMP GET data SHOULD be encrypted when sent across the network.
   Also, only authorized administrators SHOULD be allowed SNMP GET
   access to any of the MIB objects.

SNMP versions prior to SNMPv3 do not include adequate security.  Even
if the network itself is secure (e.g. by using IPsec), earlier
versions of SNMP have virtually no control as to who on the secure
network is allowed to access (i.e. read/change/create/delete) the
objects in this MIB module.

It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).

Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security.  It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to GET or SET (change/create/delete) them.

Therefore, when configuring data in the IPSEC-IKEACTION-MIB, you
SHOULD use SNMP version 3.  The rest of this discussion assumes the
use of SNMPv3.  This is a real strength, because it allows
administrators the ability to load new IPsec configuration on a
device and keep the conversation private and authenticated under the
protection of SNMPv3 before any IPsec protections are available.
Once initial establishment of IPsec configuration on a device has
been achieved, it would be possible to set up IPsec SAs to then also
provide security and integrity services to the configuration
conversation.  This may seem redundant at first, but will be shown to
have a use for added privacy protection below.

7.2.
Protecting against unauthenticated access 2939 The current SNMPv3 User Security Model provides for key based user 2940 authentication. Typically, keys are derived from passwords (but are 2941 not required to be), and the keys are then used in HMAC algorithms 2942 (currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP 2943 data. Each SNMP device keeps a (configured) list of users and keys. 2944 Under SNMPv3 user keys may be updated as often as an administrator 2945 cares to have users enter new passwords. But Perfect Forward Secrecy 2946 for user keys is not yet provided by standards track documents, 2947 although RFC2786 defines an experimental method of doing so. 2949 7.3. Protecting against involuntary disclosure 2951 While sending IPsec configuration data to a Policy Enforcement Point 2952 (PEP), there are a few critical parameters which MUST NOT be observed 2953 by third parties. Specifically, except for public keys, keying 2954 information MUST NOT be allowed to be observed by third parties. 2955 This include IKE Pre-Shared Keys and possibly the private key of a 2956 public/private key pair for use in a PKI. Were either of those 2957 parameters to be known to a third party, they could then impersonate 2958 the device to other IKE peers. Aside from those critical parameters, 2959 policy administrators have an interest in not divulging any of their 2960 policy configuration. Any knowledge about a device's configuration 2961 could help an unfriendly party compromise that device. SNMPv3 offers 2962 privacy security services, but at the time this document was written, 2963 the only standardized encryption algorithm supported by SNMPv3 is the 2964 DES encryption algorithm. Support for other (stronger) cryptographic 2965 algorithms is in the works and may be done as you read this (e.g. 2966 AES [RFC3826]). 
   When configuring IPsec policy using this MIB, policy administrators
   SHOULD use a privacy security service that is at least as strong as
   the desired IPsec policy. E.g., if an administrator were to use this
   MIB to configure an IPsec connection that utilizes the 3DES
   algorithm, the SNMP communication configuring the connection SHOULD
   be protected by an algorithm as strong or stronger than the 3DES
   algorithm.

7.4. Bootstrapping your configuration

   Most vendors will not ship new products with a default SNMPv3 user/
   password pair, but it is possible. If a device does ship with a
   default user/password pair, policy administrators SHOULD either
   change the password or configure a new user, deleting the default
   user (or at a minimum, restrict the access of the default user).
   Most SNMPv3 distributions should, hopefully, require an out-of-band
   initialization over a trusted medium, such as a local console
   connection. If a product does install with default user/password
   information, these values should be changed before connecting to a
   network.

8. IANA Considerations

   Only one IANA consideration exists for this document. The
   consideration is the node number allocation of the
   IPSEC-IKEACTION-MIB under the IPSEC-SPD-MIB MIB's spdActions node.

9. Acknowledgments

   Many other people contributed thoughts and ideas that influenced this
   MIB module. Some special thanks are in order for the following
   people:

   Lindy Foster (Sparta, Inc.)
   John Gillis (ADC)
   Jamie Jason (Intel Corporation)
   Roger Hartmuller (Sparta, Inc.)
   David Partain (Ericsson)
   Lee Rafalow (IBM)
   Jon Saperia (JDS Consulting)
   John Shriver (Internap Network Services Corporation)
   Eric Vyncke (Cisco Systems)

10. References

10.1. Normative References

   [RFCZZZZ]  Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
              Wang, "IPsec Security Policy Database Configuration MIB",
              January 2004.

   [RFCYYYY]  Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
              Wang, "IPsec Security Policy IPsec Action MIB",
              January 2004.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC2409]  Harkins, D. and D. Carrel, "The Internet Key Exchange
              (IKE)", RFC 2409, November 1998.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3585]  Jason, J., Rafalow, L., and E. Vyncke, "IPsec
              Configuration Policy Information Model", RFC 3585,
              August 2003.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

10.2. Informative References

   [IPPMWP]   Lortz, V. and L. Rafalow, "IPsec Policy Model White
              Paper", More Info http://www.dmtf.org/specs/cim.html,
              November 2000.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826, June 2004.

Authors' Addresses

   Michael Baer
   Sparta, Inc.
   P.O. Box 72682
   Davis, CA 95617
   US

   Email: baerm@tislabs.com

   Ricky Charlet
   Self

   Email: rcharlet@alumni.calpoly.edu

   Wes Hardaker
   Sparta, Inc.
   P.O. Box 382
   Davis, CA 95617
   US

   Phone: +1 530 792 1913
   Email: hardaker@tislabs.com

   Robert Story
   Revelstone Software
   PO Box 1812
   Tucker, GA 30085
   US

   Email: rstory@sparta.com

   Cliff Wang
   ARO/North Carolina State University
   4300 S. Miami Blvd
   RTP, NC 27709
   US

   Email: cliffwangmail@yahoo.com

Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights. Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).