idnits 2.17.1

draft-ietf-ipsp-ipsec-conf-mib-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date.  The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents.

  == Mismatching filename: the document gives the document name as
     'draft-ietf-ipsp-ipsec-conf-mib-04', but the file name used is
     'draft-ietf-ipsp-ipsec-conf-mib-03'

  ** The document is more than 15 pages and seems to lack a Table of
     Contents.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Abstract section.

  ** The document seems to lack an IANA Considerations section.  (See
     Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle
     the case when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  ** There are 1114 instances of too long lines in the document, the longest
     one being 6 characters in excess of 72.

  == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be
     changed.

  ** The document seems to lack both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 317: '... supporting IPv4 MUST support the ipv4...'
     RFC 2119 keyword, line 318: '... supporting IPv6 MUST support the ipv6...'
     RFC 2119 keyword, line 338: '...st of rules that MUST be applied to th...'
     RFC 2119 keyword, line 389: '...riority object and MUST be executed in...'
     RFC 2119 keyword, line 392: '... MUST stop processing this p...'
     (217 more instances...)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you can
     ignore this comment.  If not, you may need to add the pre-RFC5378
     disclaimer.  (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (Jul 2002) is 7956 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'SNMPTC' is mentioned on line 65, but not defined

  == Unused Reference: 'IPSEC' is defined on line 5489, but no explicit
     reference was found in the text

  == Unused Reference: 'SMITC' is defined on line 5521, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2401 (ref. 'IPSEC') (Obsoleted by RFC 4301)

  ** Obsolete normative reference: RFC 2409 (ref. 'IKE') (Obsoleted by RFC 4306)

  ** Obsolete normative reference: RFC 2571 (ref. 'SNMPARCH') (Obsoleted by RFC 3411)

  ** Downref: Normative reference to an Informational RFC: RFC 1215 (ref. 'TRAPS')

  ** Downref: Normative reference to an Historic RFC: RFC 1157 (ref. 'SNMPv1')

  ** Downref: Normative reference to an Historic RFC: RFC 1901 (ref. 'SNMPv2c')

  ** Obsolete normative reference: RFC 1906 (ref. 'SNMPv2TM') (Obsoleted by RFC 3417)

  ** Obsolete normative reference: RFC 2572 (ref. 'SNMPv3') (Obsoleted by RFC 3412)

  ** Obsolete normative reference: RFC 2574 (ref. 'SNMPUSM') (Obsoleted by RFC 3414)

  ** Obsolete normative reference: RFC 1905 (ref. 'SNMPv2') (Obsoleted by RFC 3416)

  ** Obsolete normative reference: RFC 2573 (ref. 'SNMPAPP') (Obsoleted by RFC 3413)

  ** Obsolete normative reference: RFC 2575 (ref. 'SNMPVACM') (Obsoleted by RFC 3415)

  ** Obsolete normative reference: RFC 2570 (ref. 'SNMPINT') (Obsoleted by RFC 3410)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'IPSECPM'

  == Outdated reference: A later version (-06) exists of
     draft-ietf-ipsp-config-policy-model-05

  Summary: 22 errors (**), 0 flaws (~~), 8 warnings (==), 3 comments (--).

  Run idnits with the --verbose option for more detailed information about
  the items above.

--------------------------------------------------------------------------------

IPSP Working Group                                               M. Baer
Internet Draft                                    Network Associates Inc
draft-ietf-ipsp-ipsec-conf-mib-04.txt                         R. Charlet
                                                             W. Hardaker
                                                  Network Associates Inc
                                                                R. Story
                                                     Revelstone Software
                                                                 C. Wang
                                                          Smartpipes Inc
                                                                Jul 2002

                     IPsec Policy Configuration MIB
                  draft-ietf-ipsp-ipsec-conf-mib-04.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.  Internet-Drafts are
   working documents of the Internet Engineering Task Force (IETF), its
   areas, and its working groups.  Note that other groups may also
   distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.
   It is inappropriate to use Internet-Drafts as reference material or
   to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

1.  Introduction

   This document defines a configuration MIB for IPsec [IPSEC]/IKE
   [IKE] policy.  It does not define MIBs for monitoring the state of an
   IPsec device.  It does not define MIBs for configuring other policy
   related actions.  The purpose of this MIB is to allow administrators
   to configure policy with respect to the IPsec/IKE protocols.
   However, some of the packet filtering and matching of conditions to
   actions is of a more general nature than IPsec only.  It is possible
   to add other packet transforming actions to this MIB if those
   actions need to be performed conditionally on filtered traffic.

2.  The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2571 [SNMPARCH].

   o  Mechanisms for describing and naming objects and events for
      the purpose of management.  The first version of this Structure
      of Management Information (SMI) is called SMIv1 and described
      in STD 16, RFC 1155 [SMIv1], STD 16, RFC 1212 [MIB] and RFC
      1215 [TRAPS].  The second version, called SMIv2, is described
      in STD 58, RFC 2578 [SMIv2], RFC 2579 [SNMPTC] and RFC 2580
      [SNMPCONF].

   o  Message protocols for transferring management information.  The
      first version of the SNMP message protocol is called SNMPv1
      and described in STD 15, RFC 1157 [SNMPv1].  A second version
      of the SNMP message protocol, which is not an Internet
      standards track protocol, is called SNMPv2c and described in
      RFC 1901 [SNMPv2c] and RFC 1906 [SNMPv2TM].  The third
      version of the message protocol is called SNMPv3 and described
      in RFC 1906 [SNMPv2TM], RFC 2572 [SNMPv3] and RFC 2574
      [SNMPUSM].

   o  Protocol operations for accessing management information.  The
      first set of protocol operations and associated PDU formats is
      described in STD 15, RFC 1157 [SNMPv1].  A second set of
      protocol operations and associated PDU formats is described in
      RFC 1905 [SNMPv2].

   o  A set of fundamental applications described in RFC 2573
      [SNMPAPP] and the view-based access control mechanism described
      in RFC 2575 [SNMPVACM].

   A more detailed introduction to the current SNMP Management
   Framework can be found in RFC 2570 [SNMPINT].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2.  A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations.  The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64).  Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process.  However, this loss of machine
   readable information is not considered to change the semantics of
   the MIB.

3.  Relationship to the DMTF Policy Model

   The Distributed Management Task Force has created an object oriented
   model of IPsec policy information known as the IPsec Policy Model
   White Paper [IPSECPM].  The contents of this document are also
   reflected in the internet draft "IPsec Configuration Policy Model"
   (IPCP) [IPCP].
   This MIB is a task specific derivation of the IPCP for use with
   SNMPv3.

   A detailed comparison between this MIB and the IPSP model can be
   found in Appendix A.  However, the high-level areas where this MIB
   diverges from the IPCP model are:

   o  Policies, Groups, Conditions, and some levels of Action are
      generically named.  That is, we dropped prefixes like "SA" or
      "ipsec".  This is because we feel that packet classification and
      matching of conditions to actions is more general than IPsec and
      could possibly be reused by other packet transforming actions
      which need to conditionally act on packets matching filters.

   o  Filters are implemented in a more generic and scalable manner,
      rather than enforcing the condition/filtering pairing and their
      restrictions upon the user.  The MIB offers a compound filter
      object to provide for greater flexibility when creating complex
      filters.

4.  Definitions

IPSEC-POLICY-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32,
    Unsigned32, experimental                          FROM SNMPv2-SMI

    TEXTUAL-CONVENTION, RowStatus, TruthValue,
    TimeStamp, StorageType, VariablePointer, DateAndTime
                                                       FROM SNMPv2-TC

    MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
                                                     FROM SNMPv2-CONF

    SnmpAdminString                          FROM SNMP-FRAMEWORK-MIB

    IkeHashAlgorithm, IpsecDoiEncapsulationMode,
    IpsecDoiIpcompTransform,
    IpsecDoiAuthAlgorithm, IpsecDoiEspTransform,
    IpsecDoiSecProtocolId,
    IkeGroupDescription, IpsecDoiIdentType,
    IkeEncryptionAlgorithm, IkeAuthMethod  FROM IPSEC-ISAKMP-IKE-DOI-TC;

--
-- module identity
--

ipsecPolicyMIB MODULE-IDENTITY
    LAST-UPDATED "200111210000Z"            -- 21 November 2001
    ORGANIZATION "IETF IP Security Policy Working Group"
    CONTACT-INFO "Michael Baer
                  Network Associates, Inc.
                  3965 Freedom Circle, Suite 500
                  Santa Clara, CA 95054
                  Phone: +1 530 304 1628
                  Email: mike_baer@nai.com

                  Ricky Charlet
                  Email: rcharlet@alumni.calpoly.edu

                  Wes Hardaker
                  Network Associates, Inc.
                  3965 Freedom Circle, Suite 500
                  Santa Clara, CA 95054
                  Phone: +1 530 400 2774
                  Email: wes_hardaker@nai.com

                  Robert Story
                  Revelstone Software
                  PO Box 1474
                  Duluth, GA 30096
                  Phone: +1 770 617 3722
                  Email: ipsp-mib@revelstone.com

                  Cliff Wang
                  SmartPipes Inc.
                  Suite 300, 565 Metro Place South
                  Dublin, OH 43017
                  Phone: +1 614 923 6241
                  E-Mail: CWang@smartpipes.com"
    DESCRIPTION
        "The MIB module for defining IPsec Policy filters and actions"

    -- Revision History

    REVISION "200111210000Z"                -- 21 November 2001
    DESCRIPTION "Many updates and restructuring to match changes in
                 the ipsp policy model."

    REVISION "200107200000Z"                -- 20 July 2001
    DESCRIPTION "Many updates and restructuring to match changes in
                 the ipsp policy model."

    REVISION "200102230000Z"                -- 23 February 2001
    DESCRIPTION "This is the initial version of this MIB."

    ::= { mib-2 XXX }

--
-- groups of related objects
--

ipsecPolicyConfigObjects       OBJECT IDENTIFIER ::= { ipsecPolicyMIB 1 }
ipsecPolicyNotificationObjects OBJECT IDENTIFIER ::= { ipsecPolicyMIB 2 }
ipsecPolicyConformanceObjects  OBJECT IDENTIFIER ::= { ipsecPolicyMIB 3 }

--
-- Textual Conventions
--

IpsecBooleanOperator ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The IpsecBooleanOperator operator is used to specify whether
        sub-components in a decision making process are ANDed or ORed
        together to decide if the resulting expression is true or false."
    SYNTAX INTEGER { or(0), and(1) }

IpsecIsNegated ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The IpsecIsNegated operator is used to specify whether the
        result of a sub-component's return clause is taken as is, or
        whether the logical negation of the result is used instead."
    SYNTAX INTEGER { no(0), yes(1) }

IpsecSADirection ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "The IpsecSADirection operator is used to specify whether a
        row applies to outgoing or incoming SAs."
    SYNTAX INTEGER { outgoing(0), incoming(1) }

IpsecIPVersion ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "Valid values for Internet Protocol versions handled by the
        IPsec policy system."
    SYNTAX INTEGER { unknown(0), ipv4(4), ipv6(6) }

--
-- Policy group definitions
--

ipsecLocalConfigObjects OBJECT IDENTIFIER ::= { ipsecPolicyConfigObjects 1 }

systemPolicyGroupName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(0..32))
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "This object indicates the policy group containing the global
        system policy that is to be applied when a given endpoint
        does not contain a policy definition.  Its value can be used
        as an index into the policyGroupContentsTable to retrieve a
        list of policies.  A zero length string indicates no system
        wide policy exists and the default policy of 'drop' should be
        executed until one is imposed by either this object or by the
        endpoint processing a given packet."
    ::= { ipsecLocalConfigObjects 1 }

policyEndpointToGroupTable OBJECT-TYPE
    SYNTAX SEQUENCE OF PolicyEndpointToGroupEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This table is used to map policy (groupings) onto an endpoint
        where traffic is to pass by.  Any policy group assigned to an
        endpoint is then used to control access to the traffic
        passing by it.

        If an endpoint has been configured with a policy group and no
        contained rule matches the incoming packet, the default
        action in this case shall be to drop the packet.

        If no policy group has been assigned to an endpoint, then
        the default action to take when a packet arrives shall be to
        allow the packet to pass through to the next processing point."
    ::= { ipsecPolicyConfigObjects 2 }

policyEndpointToGroupEntry OBJECT-TYPE
    SYNTAX PolicyEndpointToGroupEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A mapping assigning a policy group to an endpoint."
    INDEX { peEndpointIdentType, peEndpointAddress }
    ::= { policyEndpointToGroupTable 1 }

PolicyEndpointToGroupEntry ::= SEQUENCE {
    peEndpointIdentType  IpsecIPVersion,
    peEndpointAddress    OCTET STRING,
    peGroupName          SnmpAdminString,
    peLastChanged        TimeStamp,
    peStorageType        StorageType,
    peRowStatus          RowStatus
}

peEndpointIdentType OBJECT-TYPE
    SYNTAX IpsecIPVersion
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The IP version defining the address format associated with a
        given endpoint.  When combined with the peEndpointAddress,
        these objects can be used to uniquely identify an endpoint
        that a set of policy groups should be applied to.  Devices
        supporting IPv4 MUST support the ipv4 value, and devices
        supporting IPv6 MUST support the ipv6 value."
    ::= { policyEndpointToGroupEntry 1 }

peEndpointAddress OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..64))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The address of a given endpoint, the format of which is
        specified by the peEndpointIdentType object."
    ::= { policyEndpointToGroupEntry 2 }

peGroupName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The policy group name to apply to this endpoint.  The
        value of the peGroupName object should then be used as an
        index into the policyGroupContentsTable to come up with a
        list of rules that MUST be applied to this endpoint."
    ::= { policyEndpointToGroupEntry 3 }

peLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { policyEndpointToGroupEntry 4 }

peStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which were
        created through an external process may have a storage type of
        readOnly or permanent.  Entries which are permanent are
        expected to have at least one configurable column in the row,
        but which columns are in fact modifiable is implementation
        specific."
    DEFVAL { nonVolatile }
    ::= { policyEndpointToGroupEntry 5 }

peRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        This object may not be set to active until the group
        referenced by the peGroupName object exists within the
        policyGroupContentsTable."
    ::= { policyEndpointToGroupEntry 6 }

--
-- policy group definition table
--

policyGroupContentsTable OBJECT-TYPE
    SYNTAX SEQUENCE OF PolicyGroupContentsEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This table contains a list of rules and/or subgroups
        contained within a given policy group.  The entries are
        sorted by the pgcPriority object and MUST be executed in
        order according to this value, starting with the lowest
        value.
        Once a group item has been processed, the processor
        MUST stop processing this packet if an action was executed as
        a result of the processing of a given group.  Iterating to
        the next policy group item by finding the next largest
        pgcPriority object shall only be done if no actions were
        run when processing the last item for a given packet."
    ::= { ipsecPolicyConfigObjects 3 }

policyGroupContentsEntry OBJECT-TYPE
    SYNTAX PolicyGroupContentsEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Defines a given sub-item within a policy group."
    INDEX { pgcName, pgcPriority }
    ::= { policyGroupContentsTable 1 }

PolicyGroupContentsEntry ::= SEQUENCE {
    pgcName                SnmpAdminString,
    pgcPriority            Integer32,
    pgcFilter              VariablePointer,
    pgcGroupComponentType  INTEGER,
    pgcGroupComponentName  SnmpAdminString,
    pgcLastChanged         TimeStamp,
    pgcStorageType         StorageType,
    pgcRowStatus           RowStatus
}

pgcName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The administrative name of this group."
    ::= { policyGroupContentsEntry 1 }

pgcPriority OBJECT-TYPE
    SYNTAX Integer32 (0..65536)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The priority (sequence number) of the sub-component in this
        group."
    ::= { policyGroupContentsEntry 2 }

pgcFilter OBJECT-TYPE
    SYNTAX VariablePointer
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "pgcFilter points to a filter which is evaluated to determine
        whether the sub-component within this group should be
        exercised.  Managers can use this object to classify groups
        of rules or subgroups together in order to achieve a greater
        degree of control and optimization over the execution order
        of the items within the group.  If the filter evaluates to
        false, the rule or subgroup will be skipped and the next rule
        or subgroup will be evaluated instead.

        An example usage of this object would be to limit a group of
        rules to executing only when the IP packet being processed is
        designated to be processed by IKE.  This effectively creates
        a group of IKE specific rules.

        This MIB defines the following tables which may be pointed to
        by this column.  Implementations may choose to provide other
        filter tables as well:

            ipHeaderFilterTable
            timeFilterTable
            compoundFilterTable
            trueFilter

        If this column is set to a VariablePointer value which
        references a non-existent row in an otherwise supported table,
        the inconsistentName exception should be returned.  If the
        table pointed to by the VariablePointer is not supported at
        all, then an inconsistentValue exception should be returned."
    DEFVAL { trueFilterInstance }
    ::= { policyGroupContentsEntry 3 }

pgcGroupComponentType OBJECT-TYPE
    SYNTAX INTEGER { reserved(0), group(1), rule(2) }
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Indicates whether the pgcGroupComponentName object is the
        name of another group defined within the
        policyGroupContentsTable or is the name of a rule defined
        within the policyRuleDefinitionTable."
    DEFVAL { rule }
    ::= { policyGroupContentsEntry 4 }

pgcGroupComponentName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The name of the policy rule or subgroup contained within this
        group, as indicated by the pgcGroupComponentType object."
    ::= { policyGroupContentsEntry 5 }

pgcLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { policyGroupContentsEntry 6 }

pgcStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which were
        created through an external process may have a storage type of
        readOnly or permanent.  Entries which are permanent are
        expected to have at least one configurable column in the row,
        but which columns are in fact modifiable is implementation
        specific."
    DEFVAL { nonVolatile }
    ::= { policyGroupContentsEntry 7 }

pgcRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        This object may not be set to active until the row to which
        pgcGroupComponentName points exists."
    ::= { policyGroupContentsEntry 8 }

--
-- policy definition table
--

policyRuleDefinitionTable OBJECT-TYPE
    SYNTAX SEQUENCE OF PolicyRuleDefinitionEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This table defines a policy rule by associating a filter or a
        set of filters to an action to be executed."
    ::= { ipsecPolicyConfigObjects 4 }

policyRuleDefinitionEntry OBJECT-TYPE
    SYNTAX PolicyRuleDefinitionEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A row defining a particular policy definition.  A rule
        definition binds a filter pointer to an action pointer."
    INDEX { pRuleName }
    ::= { policyRuleDefinitionTable 1 }

PolicyRuleDefinitionEntry ::= SEQUENCE {
    pRuleName           SnmpAdminString,
    pRuleDescription    OCTET STRING,
    pRuleFilter         VariablePointer,
    pRuleFilterNegated  IpsecIsNegated,
    pRuleAction         VariablePointer,
    pRuleAdminStatus    INTEGER,
    pRuleLastChanged    TimeStamp,
    pRuleStorageType    StorageType,
    pRuleRowStatus      RowStatus
}

pRuleName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "pRuleName is the administratively assigned name of the rule
        referred to by the pgcGroupComponentName object."
    ::= { policyRuleDefinitionEntry 1 }

pRuleDescription OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..255))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "A user definable string.  This field may be used for your
        administrative tracking purposes."
    DEFVAL { "" }
    ::= { policyRuleDefinitionEntry 2 }

pRuleFilter OBJECT-TYPE
    SYNTAX VariablePointer
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "pRuleFilter points to a filter which is used to evaluate
        whether the action associated with this row should be fired
        or not.  The action will only fire if the filter referenced
        by this object evaluates to TRUE after first applying any
        negation required by the pRuleFilterNegated object.

        This MIB defines the following tables which may be pointed to
        by this column.  Implementations may choose to provide other
        filter tables as well:

            ipHeaderFilterTable
            timeFilterTable
            compoundFilterTable
            trueFilter

        If this column is set to a VariablePointer value which
        references a non-existent row in an otherwise supported table,
        the inconsistentName exception should be returned.  If the
        table pointed to by the VariablePointer is not supported at
        all, then an inconsistentValue exception should be returned."
    ::= { policyRuleDefinitionEntry 3 }

pRuleFilterNegated OBJECT-TYPE
    SYNTAX IpsecIsNegated
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "pRuleFilterNegated specifies whether the filter referenced by
        the pRuleFilter object should be negated or not."
    DEFVAL { no }
    ::= { policyRuleDefinitionEntry 4 }

pRuleAction OBJECT-TYPE
    SYNTAX VariablePointer
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This column points to the action to be taken.  It may point
        to, but is not limited to, a row in one of the following
        tables:

            compoundActionsTable
            saPreconfiguredActionTable
            ikeActionTable
            ipsecActionTable

        It may also point to one of the scalar objects beneath
        saStaticActions, notably the static IPsec actions.

        If this object is set to a pointer to a row in an unsupported
        (or unknown) table, an inconsistentValue error should be
        returned.

        If this object is set to point to a non-existent row in an
        otherwise supported table, an inconsistentName error should
        be returned."
    ::= { policyRuleDefinitionEntry 5 }

pRuleAdminStatus OBJECT-TYPE
    SYNTAX INTEGER { enabled(1), disabled(2) }
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Indicates whether the current rule definition should be
        considered active.  If disabled, the rule should not be
        evaluated when processing packets; packets should continue to
        be processed by the rest of the rules defined in the
        policyGroupContentsTable as if this rule's filters had
        failed."
    DEFVAL { enabled }
    ::= { policyRuleDefinitionEntry 6 }

pRuleLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { policyRuleDefinitionEntry 7 }

pRuleStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which were
        created through an external process may have a storage type of
        readOnly or permanent.  Entries which are permanent are
        expected to have at least one configurable column in the row,
        but which columns are in fact modifiable is implementation
        specific."
    DEFVAL { nonVolatile }
    ::= { policyRuleDefinitionEntry 8 }

pRuleRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        This object may not be set to active until the contained
        conditions, filters and actions have been defined.  Once
        active, it must remain active until no policyGroupContents
        entries are referencing it."
    ::= { policyRuleDefinitionEntry 9 }

--
-- Policy compound filter definition table
--

compoundFilterTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CompoundFilterEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A table defining a compound set of filters and their
        associated parameters.  A row in this table can either be
        pointed to by a pRuleFilter object or by a ficSubfilter
        object."
    ::= { ipsecPolicyConfigObjects 5 }

compoundFilterEntry OBJECT-TYPE
    SYNTAX CompoundFilterEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry in the compoundFilterTable.
        A filter defined by this table is considered to have a TRUE
        return value if and only if:

        cfLogicType is AND and all of the sub-filters associated
        with it, as defined in the filtersInCompoundFilterTable,
        are true themselves (after applying any required negation
        as defined by the ficSubfilterIsNegated object).

        cfLogicType is OR and at least one of the sub-filters
        associated with it, as defined in the
        filtersInCompoundFilterTable, is true itself (after applying
        any required negation as defined by the ficSubfilterIsNegated
        object)."
    INDEX { cfName }
    ::= { compoundFilterTable 1 }

CompoundFilterEntry ::= SEQUENCE {
    cfName         SnmpAdminString,
    cfDescription  OCTET STRING,
    cfLogicType    IpsecBooleanOperator,
    cfLastChanged  TimeStamp,
    cfStorageType  StorageType,
    cfRowStatus    RowStatus
}

cfName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A user definable naming string.  You may use this field for
        your administrative tracking purposes."
    ::= { compoundFilterEntry 1 }

cfDescription OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..255))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "A user definable string.  You may use this field for your
        administrative tracking purposes."
    DEFVAL { ''H }
    ::= { compoundFilterEntry 2 }

cfLogicType OBJECT-TYPE
    SYNTAX IpsecBooleanOperator
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Indicates whether the filters contained within this filter
        are functionally ANDed or ORed together."
    DEFVAL { and }
    ::= { compoundFilterEntry 3 }

cfLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or
        created either through SNMP SETs or by some other external
        means."
    ::= { compoundFilterEntry 4 }

cfStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for this row.  Rows in this table which were
        created through an external process may have a storage type of
        readOnly or permanent.  Entries which are permanent are
        expected to have at least one configurable column in the row,
        but which columns are, in fact, modifiable is implementation
        specific."
    DEFVAL { nonVolatile }
    ::= { compoundFilterEntry 5 }

cfRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        Once active, it may not have its value changed if any active
        rows in the policyRuleDefinitionTable are currently pointing
        at this row."
    ::= { compoundFilterEntry 6 }

--
-- Policy filters in a cf table
--

filtersInCompoundFilterTable OBJECT-TYPE
    SYNTAX SEQUENCE OF FiltersInCompoundFilterEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This table defines a list of filters contained within a given
        compound filter set defined in the compoundFilterTable."
    ::= { ipsecPolicyConfigObjects 6 }

filtersInCompoundFilterEntry OBJECT-TYPE
    SYNTAX FiltersInCompoundFilterEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "An entry into the list of filters for a given compound
        filter."
    INDEX { cfName, ficPriority }
    ::= { filtersInCompoundFilterTable 1 }

FiltersInCompoundFilterEntry ::= SEQUENCE {
    ficPriority            Integer32,
    ficSubfilter           VariablePointer,
    ficSubfilterIsNegated  IpsecIsNegated,
    ficLastChanged         TimeStamp,
    ficStorageType         StorageType,
    ficRowStatus           RowStatus
}

ficPriority OBJECT-TYPE
    SYNTAX Integer32 (0..65536)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The priority of a given filter within a condition.
        Implementations MAY choose to follow the ordering indicated by
        the manager that created the rows in order to allow the
        manager to intelligently construct filter lists such that
        faster filters are evaluated first."
    ::= { filtersInCompoundFilterEntry 1 }

ficSubfilter OBJECT-TYPE
    SYNTAX VariablePointer
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The location of the contained filter.  The value of this
        column should be a VariablePointer which references the
        properties for the filter to be included in this compound
        filter.  This MIB defines the following tables which may be
        pointed to by this column.  Implementations may choose to
        provide other filter tables as well:

            ipHeaderFilterTable
            timeFilterTable
            compoundFilterTable
            trueFilter

        If this column is set to a VariablePointer value which
        references a non-existent row in an otherwise supported table,
        the inconsistentName exception should be returned.  If the
        table pointed to by the VariablePointer is not supported at
        all, then an inconsistentValue exception should be returned."
    ::= { filtersInCompoundFilterEntry 2 }

ficSubfilterIsNegated OBJECT-TYPE
    SYNTAX IpsecIsNegated
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "Indicates whether the result of applying this subfilter should
        be negated or not.
If the ficOnDestination object is set to 889 both source and destination, the negation is applied after the 890 source and destination results are returned and ANDed 891 together. IE, result = !(filter(source) && filter(destination))." 892 DEFVAL { no } 893 ::= { filtersInCompoundFilterEntry 3 } 895 ficLastChanged OBJECT-TYPE 896 SYNTAX TimeStamp 897 MAX-ACCESS read-only 898 STATUS current 899 DESCRIPTION 900 "The value of sysUpTime when this row was last modified or created 901 either through SNMP SETs or by some other external means." 902 ::= { filtersInCompoundFilterEntry 4 } 904 ficStorageType OBJECT-TYPE 905 SYNTAX StorageType 906 MAX-ACCESS read-create 907 STATUS current 908 DESCRIPTION 909 "The storage type for this row. Rows in this table which were 910 created through an external process may have a storage type of 911 readOnly or permanent. Entries which are permanent are 912 expected to have at least one configurable column in the row, but 913 which columns are in fact modifiable is implementation specific." 914 DEFVAL { nonVolatile } 915 ::= { filtersInCompoundFilterEntry 5 } 917 ficRowStatus OBJECT-TYPE 918 SYNTAX RowStatus 919 MAX-ACCESS read-create 920 STATUS current 921 DESCRIPTION 922 "This object indicates the conceptual status of this row. 924 The value of this object has no effect on whether other 925 objects in this conceptual row can be modified. 927 This object can not be made active until the filter 928 referenced by the ficSubFilter object is both defined and is 929 active. An attempt to do so will result in an 930 inconsistentValue error." 931 ::= { filtersInCompoundFilterEntry 6 } 933 -- 934 -- Static Filters 935 -- 937 staticFilters OBJECT IDENTIFIER ::= { ipsecPolicyConfigObjects 7 } 939 trueFilter OBJECT-TYPE 940 SYNTAX Integer32 941 MAX-ACCESS read-only 942 STATUS current 943 DESCRIPTION 944 "This Scalar indicates a (automatic) true result for a 945 filter. i.e. 
this is a filter that is always true, useful 946 for adding as a default filter for a default action or a 947 set of actions." 948 ::= { staticFilters 1 } 950 trueFilterInstance OBJECT IDENTIFIER ::= { trueFilter 0 } 952 -- 953 -- Policy IPHeader filter definition table 954 -- 956 ipHeaderFilterTable OBJECT-TYPE 957 SYNTAX SEQUENCE OF IpHeaderFilterEntry 958 MAX-ACCESS not-accessible 959 STATUS current 960 DESCRIPTION 961 "This table contains a list of filter definitions to be used 962 within the policyRuleDefinitionTable or the 963 filtersInCompoundFilter table." 964 ::= { ipsecPolicyConfigObjects 8 } 966 ipHeaderFilterEntry OBJECT-TYPE 967 SYNTAX IpHeaderFilterEntry 968 MAX-ACCESS not-accessible 969 STATUS current 970 DESCRIPTION 971 "A definition of a particular filter." 972 INDEX { ihfName } 973 ::= { ipHeaderFilterTable 1 } 975 IpHeaderFilterEntry ::= SEQUENCE { 976 ihfName SnmpAdminString, 977 ihfType BITS, 978 ihfIPVersion IpsecIPVersion, 979 ihfSrcAddressBegin OCTET STRING, 980 ihfSrcAddressEnd OCTET STRING, 981 ihfDstAddressBegin OCTET STRING, 982 ihfDstAddressEnd OCTET STRING, 983 ihfSrcLowPort Integer32, 984 ihfSrcHighPort Integer32, 985 ihfDstLowPort Integer32, 986 ihfDstHighPort Integer32, 987 ihfProtocol Integer32, 988 ihfIPv6FlowLabel OCTET STRING, 989 ihfLastChanged TimeStamp, 990 ihfStorageType StorageType, 991 ihfRowStatus RowStatus 993 } 995 ihfName OBJECT-TYPE 996 SYNTAX SnmpAdminString (SIZE(1..32)) 997 MAX-ACCESS not-accessible 998 STATUS current 999 DESCRIPTION 1000 "The administrative name for this filter." 1001 ::= { ipHeaderFilterEntry 1 } 1003 ihfType OBJECT-TYPE 1004 SYNTAX BITS { sourceAddress(0), destinationAddress(1), 1005 sourcePort(2), destinationPort(3), 1006 protocol(4), ipv6FlowLabel(5) } 1007 MAX-ACCESS read-create 1008 STATUS current 1009 DESCRIPTION 1010 "This defines the various tests that are used when evaluating 1011 a given filter. The results of each test are ANDed together 1012 to produce the result of the entire filter. 
When processing 1013 this filter, it is recommended for efficiency reasons that 1014 the filter halt processing the instant any of the specified 1015 tests fail. 1017 Once a row is 'active', this object's value may not be 1018 changed unless all the appropriate columns needed by the new 1019 value to be imposed on this object have been appropriately 1020 configured. 1022 The various tests definable in this table are as follows: 1024 sourceAddress: 1025 - Tests if the source address in the packet lies between 1026 the ihfSrcAddress and ihfSrcAddressEnd objects. Note 1027 that setting these two objects to the same address will 1028 limit the search to the exact match of a single 1029 address. The format and length of the address objects are 1030 defined by the ihfIPVersion column. 1032 A row in this table containing a ihfType object with the 1033 sourceAddress object bit but without the ihfIPVersion, 1034 ihfSrcAddress and ihfSrcAddressEnd objects set will cause 1035 the ihfRowStatus object to return the notReady state. 1037 destinationAddress: 1038 - Tests if the destination address in the packet lies between 1039 the ihfDstAddress and ihfDstAddressEnd objects. Note 1040 that setting these two objects to the same address will 1041 limit the search to the exact match of a single 1042 address. The format and length of the address objects are 1043 defined by the ihfIPVersion column. 1045 A row in this table containing a ihfType object with the 1046 destinationAddress object bit but without the ihfIPVersion, 1047 ihfDstAddress and ihfDstAddressEnd objects set will cause 1048 the ihfRowStatus object to return the notReady state. 1050 sourcePort: 1051 - Tests if the source port of IP packets using a protocol 1052 that uses port numbers (at this time, UDP or TCP) lies 1053 between the ihfSrcLowPort and ihfSrcHighPort objects. 1054 Note that setting these two objects to the same address 1055 will limit the search to the exact match of a single 1056 port. 
1058 A row in this table containing a ihfType object with the 1059 sourcePort object bit but without the ihfSrcLowPort, 1060 and ihfSrcHighPort objects set will cause the ihfRowStatus 1061 object to return the notReady state. 1063 destinationPort: 1064 - Tests if the source port of IP packets using a protocol 1065 that uses port numbers (at this time, UDP or TCP) lies 1066 between the ihfDstLowPort and ihfDstHighPort objects. 1067 Note that setting these two objects to the same address 1068 will limit the search to the exact match of a single 1069 port. 1071 A row in this table containing a ihfType object with the 1072 sourcePort object bit but without the ihfDstLowPort, 1073 and ihfDstHighPort objects set will cause the ihfRowStatus 1074 object to return the notReady state. 1076 protocol: 1077 - Tests to see if the packet being processed is for the 1078 given protocol type. 1080 A row in this table containing a ihfType object with the 1081 protocol object bit but without the ihfProtocol object 1082 set will cause the ihfRowStatus object to return the 1083 notReady state. 1085 ipv6FlowLabel: 1086 - Tests to see if the packet being processed contains an 1087 ipv6 Flow Label which matches the value in the 1088 ipfIPv6FlowLabel object. Setting this bit mandiates that 1089 for the packet to match the filter, it must be an IPv6 1090 packet. 1092 A row in this table containing a ihfType object with the 1093 ipv6FlowLabel object bit but without the ipfIPv6FlowLabel 1094 object set will cause the ihfRowStatus object to return 1095 the notReady state. 1096 " 1097 ::= { ipHeaderFilterEntry 2 } 1099 ihfIPVersion OBJECT-TYPE 1100 SYNTAX IpsecIPVersion 1101 MAX-ACCESS read-create 1102 STATUS current 1103 DESCRIPTION 1104 "The Internet Protocol version the addresses are to match 1105 against. 
The value of this property determines the size and 1106 format of the ihfSrcAddress, ihfSrcAddressEnd, 1107 ihfSrcAddressMask, ihfDstAddress, ihfDstAddressEnd, and 1108 ihfDstAddressMask objects." 1109 DEFVAL { ipv6 } 1110 ::= { ipHeaderFilterEntry 3 } 1112 ihfSrcAddressBegin OBJECT-TYPE 1113 SYNTAX OCTET STRING (SIZE(4|16|20)) 1114 MAX-ACCESS read-create 1115 STATUS current 1116 DESCRIPTION 1117 "The source address the packet must match against for this 1118 filter to be considered TRUE." 1119 ::= { ipHeaderFilterEntry 4 } 1121 ihfSrcAddressEnd OBJECT-TYPE 1122 SYNTAX OCTET STRING (SIZE(4|16|20)) 1123 MAX-ACCESS read-create 1124 STATUS current 1125 DESCRIPTION 1126 "The ending address of an source adress range to check a 1127 packet against, where the first is specified by the 1128 ihfSrcAddress object. Set this column to the same value as 1129 the ihfSrcAddress column to get an exact single address match." 1130 ::= { ipHeaderFilterEntry 5 } 1132 ihfDstAddressBegin OBJECT-TYPE 1133 SYNTAX OCTET STRING (SIZE(4|16|20)) 1134 MAX-ACCESS read-create 1135 STATUS current 1136 DESCRIPTION 1137 "The destination address the packet must match against for this 1138 filter to be considered TRUE." 1139 ::= { ipHeaderFilterEntry 6 } 1141 ihfDstAddressEnd OBJECT-TYPE 1142 SYNTAX OCTET STRING (SIZE(4|16|20)) 1143 MAX-ACCESS read-create 1144 STATUS current 1145 DESCRIPTION 1146 "The ending address of an destination adress range to check a 1147 packet against, where the first is specified by the 1148 ihfDstAddress object. Set this column to the same value as 1149 the ihfDstAddress column to get an exact single address match." 1150 ::= { ipHeaderFilterEntry 7 } 1152 ihfSrcLowPort OBJECT-TYPE 1153 SYNTAX Integer32 (0..65536) 1154 MAX-ACCESS read-create 1155 STATUS current 1156 DESCRIPTION 1157 "The low port of the port range a packet's source must match 1158 against. To match, the port number must be greater than or 1159 equal to this value." 
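The compoundFilterTable, filtersInCompoundFilterTable and ipHeaderFilterTable semantics above, worked as an added example that is not part of the draft: an evaluator that applies an ipHeaderFilterEntry row's ANDed tests (halting at the first failure), checks the notReady rule for ihfType, and then evaluates a compound filter tree with cfLogicType, ficPriority ordering, ficSubfilterIsNegated and the trueFilter scalar. The in-memory row classes, the packet summary and the sample rows are constructed for illustration; addresses are held as text rather than the MIB's OCTET STRING form.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# ihfType BITS in the order the draft defines them; trueFilter is the always-TRUE scalar.
SOURCE_ADDRESS, DESTINATION_ADDRESS, SOURCE_PORT, DESTINATION_PORT, PROTOCOL, IPV6_FLOW_LABEL = range(6)
TRUE_FILTER = "trueFilter"


@dataclass
class Packet:                    # constructed packet summary, not a wire capture
    version: int
    src: str
    dst: str
    protocol: int
    sport: Optional[int] = None  # only meaningful for TCP/UDP
    dport: Optional[int] = None
    flow_label: Optional[int] = None


@dataclass
class IpHeaderFilter:            # one ipHeaderFilterEntry row (hypothetical in-memory form)
    ihf_type: Set[int]
    ip_version: int = 6          # ihfIPVersion DEFVAL is ipv6
    src_begin: Optional[str] = None
    src_end: Optional[str] = None
    dst_begin: Optional[str] = None
    dst_end: Optional[str] = None
    src_low: Optional[int] = None
    src_high: Optional[int] = None
    dst_low: Optional[int] = None
    dst_high: Optional[int] = None
    protocol: Optional[int] = None
    flow_label: Optional[int] = None


def ihf_ready(f: IpHeaderFilter) -> bool:
    """ihfRowStatus notReady rule: every test selected in ihfType needs its value columns set."""
    need = {SOURCE_ADDRESS: (f.src_begin, f.src_end), DESTINATION_ADDRESS: (f.dst_begin, f.dst_end),
            SOURCE_PORT: (f.src_low, f.src_high), DESTINATION_PORT: (f.dst_low, f.dst_high),
            PROTOCOL: (f.protocol,), IPV6_FLOW_LABEL: (f.flow_label,)}
    return all(v is not None for t in f.ihf_type for v in need[t])


def _in_range(addr: str, lo: str, hi: str) -> bool:
    return ipaddress.ip_address(lo) <= ipaddress.ip_address(addr) <= ipaddress.ip_address(hi)


def ihf_match(f: IpHeaderFilter, pkt: Packet) -> bool:
    """Selected tests are ANDed; evaluation stops at the first failing test."""
    if not ihf_ready(f):
        raise ValueError("row is notReady: a selected test has unset value columns")
    for t in sorted(f.ihf_type):
        if t == SOURCE_ADDRESS:
            ok = pkt.version == f.ip_version and _in_range(pkt.src, f.src_begin, f.src_end)
        elif t == DESTINATION_ADDRESS:
            ok = pkt.version == f.ip_version and _in_range(pkt.dst, f.dst_begin, f.dst_end)
        elif t == SOURCE_PORT:
            ok = pkt.sport is not None and f.src_low <= pkt.sport <= f.src_high
        elif t == DESTINATION_PORT:
            ok = pkt.dport is not None and f.dst_low <= pkt.dport <= f.dst_high
        elif t == PROTOCOL:
            ok = pkt.protocol == f.protocol
        else:                    # ipv6FlowLabel: only an IPv6 packet can match
            ok = pkt.version == 6 and pkt.flow_label == f.flow_label
        if not ok:
            return False
    return True


@dataclass
class SubFilter:                 # one filtersInCompoundFilterEntry row
    priority: int                # ficPriority: evaluated lowest first
    subfilter: str               # ficSubfilter: name of an ihf row, a cf row, or TRUE_FILTER
    negated: bool = False        # ficSubfilterIsNegated


@dataclass
class CompoundFilter:            # one compoundFilterEntry row
    logic: str                   # cfLogicType: "and" or "or"
    subs: List[SubFilter] = field(default_factory=list)


def cf_match(name: str, cfs: Dict[str, CompoundFilter], ihfs: Dict[str, IpHeaderFilter],
             pkt: Packet, _stack: frozenset = frozenset()) -> bool:
    """Evaluate the filter called `name`, recursing through nested compound filters."""
    if name == TRUE_FILTER:
        return True
    if name in ihfs:
        return ihf_match(ihfs[name], pkt)
    if name in _stack:
        raise ValueError(f"compound filter loop through {name!r}")
    cf = cfs[name]               # KeyError here is the draft's inconsistentName case
    for sub in sorted(cf.subs, key=lambda s: s.priority):
        r = cf_match(sub.subfilter, cfs, ihfs, pkt, _stack | {name})
        r = (not r) if sub.negated else r      # negation applies to the sub-filter's whole result
        if cf.logic == "and" and not r:
            return False
        if cf.logic == "or" and r:
            return True
    return cf.logic == "and"     # AND with no failing sub-filter is TRUE; OR with no hit is FALSE


# Constructed rows: SSH into a DMZ range, except from an untrusted source block.
IHFS = {
    "ssh-to-dmz": IpHeaderFilter({DESTINATION_ADDRESS, DESTINATION_PORT, PROTOCOL}, ip_version=4,
                                 dst_begin="192.0.2.10", dst_end="192.0.2.20",
                                 dst_low=22, dst_high=22, protocol=6),
    "from-untrusted": IpHeaderFilter({SOURCE_ADDRESS}, ip_version=4,
                                     src_begin="198.51.100.0", src_end="198.51.100.255"),
}
CFS = {
    "dmz-mgmt": CompoundFilter("and", [SubFilter(1, "ssh-to-dmz"),
                                       SubFilter(2, "from-untrusted", negated=True)]),
    "catch-all": CompoundFilter("or", [SubFilter(1, "dmz-mgmt"), SubFilter(2, TRUE_FILTER)]),
}


def evaluate(name: str, pkt: Packet) -> bool:
    return cf_match(name, CFS, IHFS, pkt)
```

Two points worth noticing when reading the code against the MIB text: a compoundFilterTable row may point back at itself through ficSubfilter, so an agent needs the loop guard shown here before it can safely evaluate the tree; and an OR filter with trueFilter as its last sub-filter is exactly the "default filter" the trueFilter description talks about, since it can never evaluate to FALSE.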
    ::= { ipHeaderFilterEntry 8 }

ihfSrcHighPort OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The high port of the port range a packet's source must match
        against. To match, the port number must be less than or
        equal to this value."
    ::= { ipHeaderFilterEntry 9 }

ihfDstLowPort OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The low port of the port range a packet's destination must
        match against. To match, the port number must be greater
        than or equal to this value."
    ::= { ipHeaderFilterEntry 10 }

ihfDstHighPort OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The high port of the port range a packet's destination must
        match against. To match, the port number must be less than
        or equal to this value."
    ::= { ipHeaderFilterEntry 11 }

ihfProtocol OBJECT-TYPE
    SYNTAX      Integer32 (0..255)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The protocol number the incoming packet must match against
        for this filter to be evaluated as true."
    ::= { ipHeaderFilterEntry 12 }

ihfIPv6FlowLabel OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(3))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The IPv6 Flow Label that the packet must match against."
    ::= { ipHeaderFilterEntry 13 }

ihfLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
        either through SNMP SETs or by some other external means."
    ::= { ipHeaderFilterEntry 14 }

ihfStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
        created through an external process may have a storage type of
        readOnly or permanent. Entries which are permanent are
        expected to have at least one configurable column in the row, but
        which columns are in fact modifiable is implementation specific."
    DEFVAL { nonVolatile }
    ::= { ipHeaderFilterEntry 15 }

ihfRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        This object may not be set to active if the requirements of
        the ihfType object are not met. In other words, if the
        associated value columns needed by a particular test have not
        been set, then attempting to change this row to an active
        state will result in an inconsistentValue error. See the
        ihfType object description for further details."
    ::= { ipHeaderFilterEntry 16 }

--
-- Time/scheduling filter table
--

timeFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF TimeFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Defines a table of filters which can be used to effectively
        enable or disable policies based on a valid time range."
    ::= { ipsecPolicyConfigObjects 9 }

timeFilterEntry OBJECT-TYPE
    SYNTAX      TimeFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row describing a given time frame for which a policy may be
        filtered on to place the rule active or inactive."
    INDEX { tfName }
    ::= { timeFilterTable 1 }

TimeFilterEntry ::= SEQUENCE {
    tfName                  SnmpAdminString,
    tfPeriodStart           DateAndTime,
    tfPeriodEnd             DateAndTime,
    tfMonthOfYearMask       BITS,
    tfDayOfMonthMask        OCTET STRING,
    tfDayOfWeekMask         BITS,
    tfTimeOfDayMaskStart    DateAndTime,
    tfTimeOfDayMaskEnd      DateAndTime,
    tfLastChanged           TimeStamp,
    tfStorageType           StorageType,
    tfRowStatus             RowStatus
}

tfName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An administratively assigned name for this filter."
    ::= { timeFilterEntry 1 }

tfPeriodStart OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The starting time period for this filter. In addition to a
        normal DateAndTime string, this object may be set to the
        OCTET STRING value THISANDPRIOR which indicates that the
        filter is valid from any time before now up until (at least)
        now."
    DEFVAL { '00000101000000002b0000'H }
    ::= { timeFilterEntry 2 }

tfPeriodEnd OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The ending time period for this filter. In addition to a
        normal DateAndTime string, this object may be set to the
        OCTET STRING value THISANDFUTURE which indicates that the
        filter is valid without an ending date and/or time.

        The default value is 9999-12-31 23:59:59.9 +00:00 in the
        DateAndTime octet layout (year 0x270F, month 0x0C, day 0x1F,
        hour 0x17, minutes 0x3B, seconds 0x3B, deci-seconds 0x09)."
    DEFVAL { '270F0C1F173B3B092b0000'H }
    ::= { timeFilterEntry 3 }

tfMonthOfYearMask OBJECT-TYPE
    SYNTAX      BITS { january(0), feburary(1), march(2), april(3), may(4),
                       june(5), july(6), august(7), september(8),
                       october(9), november(10), december(11) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "A bit mask which overlays the tfPeriodStart to tfPeriodEnd
        date range to further restrict the time period to a restricted
        set of months of the year."
    DEFVAL { { january, feburary, march, april, may, june, july, august,
               september, october, november, december } }
    ::= { timeFilterEntry 4 }

tfDayOfMonthMask OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(4))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Defines which days of the month this time period is valid
        for. It is a sequence of 32 bits, where each bit represents a
        corresponding day of the month, starting from the left-most
        (most significant) bit of the first octet, which represents
        the first day of the month. The last (32nd) bit in the string
        MUST be zero."
    DEFVAL { 'fffffffe'H }
    ::= { timeFilterEntry 5 }

tfDayOfWeekMask OBJECT-TYPE
    SYNTAX      BITS { monday(0), tuesday(1), wednesday(2), thursday(3),
                       friday(4), saturday(5), sunday(6) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "A bit mask which overlays the tfPeriodStart to tfPeriodEnd
        date range to further restrict the time period to a restricted
        set of days within a given week."
    DEFVAL { { monday, tuesday, wednesday, thursday, friday,
               saturday, sunday } }
    ::= { timeFilterEntry 6 }

tfTimeOfDayMaskStart OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Indicates the starting time of day for which this filter
        evaluates to true. The date portions of the DateAndTime TC
        are ignored for purposes of evaluating this mask and only the
        time specific portions are used."
    DEFVAL { '00000000000000002b0000'H }
    ::= { timeFilterEntry 7 }

tfTimeOfDayMaskEnd OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Indicates the ending time of day for which this filter
        evaluates to true. The date portions of the DateAndTime TC
        are ignored for purposes of evaluating this mask and only the
        time specific portions are used. If the starting and ending
        time values indicated by the tfTimeOfDayMaskStart and
        tfTimeOfDayMaskEnd objects are equal, the filter is expected
        to be evaluated over the entire 24 hour period."
    DEFVAL { '00000000000000002b0000'H }
    ::= { timeFilterEntry 8 }

tfLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
        either through SNMP SETs or by some other external means."
    ::= { timeFilterEntry 9 }

tfStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
        created through an external process may have a storage type of
        readOnly or permanent. Entries which are permanent are
        expected to have at least one configurable column in the row, but
        which columns are in fact modifiable is implementation specific."
    DEFVAL { nonVolatile }
    ::= { timeFilterEntry 10 }

tfRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row."
    ::= { timeFilterEntry 11 }

--
-- IPSO protection authority filtering
--

ipsoHeaderFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IpsoHeaderFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains a list of IPSO header filter definitions
        to be used within the policyRuleDefinitionTable or the
        filtersInCompoundFilterTable. IPSO headers and their values
        are described in RFC 1108."
    ::= { ipsecPolicyConfigObjects 10 }

ipsoHeaderFilterEntry OBJECT-TYPE
    SYNTAX      IpsoHeaderFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A definition of a particular filter."
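The timeFilterTable semantics above, worked as an added example that is not part of the draft: a decoder and encoder for the SNMPv2-TC DateAndTime octet layout (which is what the tfPeriodStart/tfPeriodEnd DEFVALs are written in), the most-significant-bit-first reading of tfDayOfMonthMask, and an evaluator that applies the period, month, day-of-month, day-of-week and time-of-day restrictions in turn. The row class and the office-hours row are constructed for illustration. The draft does not say whether the time-of-day window is inclusive or may cross midnight; the code assumes both and says so.

```python
import datetime as dt
from dataclasses import dataclass
from typing import Tuple

DateTuple = Tuple[int, int, int, int, int, int]   # (year, month, day, hour, minute, second)


def decode_date_and_time(octets: bytes) -> DateTuple:
    """Decode the SNMPv2-TC DateAndTime layout (RFC 2579): year (2 octets, big-endian),
    month, day, hour, minute, second, deci-second, then optionally '+'/'-', hours, minutes.
    A tuple is returned so that the draft's sentinel DEFVALs (year 0, year 9999)
    order correctly without having to be valid calendar dates."""
    if len(octets) not in (8, 11):
        raise ValueError("DateAndTime is 8 or 11 octets")
    year = int.from_bytes(octets[:2], "big")
    month, day, hour, minute, second = octets[2:7]
    return (year, month, day, hour, minute, second)


def encode_date_and_time(t: DateTuple, decisec: int = 0, utc_offset=(0, 0)) -> bytes:
    """Inverse of decode_date_and_time; always emits the 11-octet form with a '+' offset."""
    y, mo, d, h, mi, s = t
    return y.to_bytes(2, "big") + bytes([mo, d, h, mi, s, decisec, ord("+"), *utc_offset])


def day_of_month_allowed(mask: bytes, day: int) -> bool:
    """tfDayOfMonthMask: 32 bits, the left-most bit is day 1, the 32nd bit MUST be zero."""
    if len(mask) != 4 or mask[3] & 0x01:
        raise ValueError("tfDayOfMonthMask must be 4 octets with the last bit clear")
    i = day - 1
    return bool((mask[i // 8] >> (7 - i % 8)) & 1)


@dataclass
class TimeFilter:                 # one timeFilterEntry row (hypothetical in-memory form); DEFVALs as defaults
    period_start: DateTuple = decode_date_and_time(bytes.fromhex("00000101000000002b0000"))
    period_end: DateTuple = (9999, 12, 31, 23, 59, 59)
    months: frozenset = frozenset(range(1, 13))           # tfMonthOfYearMask, all months set
    day_of_month_mask: bytes = bytes.fromhex("fffffffe")  # tfDayOfMonthMask DEFVAL
    weekdays: frozenset = frozenset(range(7))             # tfDayOfWeekMask, monday=0 .. sunday=6
    tod_start: Tuple[int, int, int] = (0, 0, 0)          # tfTimeOfDayMaskStart (time part only)
    tod_end: Tuple[int, int, int] = (0, 0, 0)            # equal to tod_start: whole 24 hour period


def time_filter_match(f: TimeFilter, when: dt.datetime) -> bool:
    """TRUE when `when` lies in the period, passes every mask and is in the time-of-day window.
    Assumption: the window is inclusive at both ends and may wrap past midnight."""
    stamp = (when.year, when.month, when.day, when.hour, when.minute, when.second)
    if not (f.period_start <= stamp <= f.period_end):
        return False
    if when.month not in f.months or when.weekday() not in f.weekdays:   # Python: monday == 0
        return False
    if not day_of_month_allowed(f.day_of_month_mask, when.day):
        return False
    tod = (when.hour, when.minute, when.second)
    if f.tod_start == f.tod_end:
        return True
    if f.tod_start < f.tod_end:
        return f.tod_start <= tod <= f.tod_end
    return tod >= f.tod_start or tod <= f.tod_end


def match_at(f: TimeFilter, year: int, month: int, day: int, hour: int, minute: int) -> bool:
    """Convenience wrapper so callers need not build datetime objects themselves."""
    return time_filter_match(f, dt.datetime(year, month, day, hour, minute))


# Constructed row: weekday office hours during calendar year 2024.
OFFICE_HOURS = TimeFilter(period_start=(2024, 1, 1, 0, 0, 0), period_end=(2024, 12, 31, 23, 59, 59),
                          weekdays=frozenset(range(5)), tod_start=(8, 0, 0), tod_end=(18, 0, 0))
```

The encoder is what a manager would use to produce a valid tfPeriodEnd: DateAndTime fields are binary, so 9999-12-31 is written as octets 27 0F 0C 1F, not as the decimal digits of the date. A row left entirely at its DEFVALs evaluates to TRUE at any instant, which is the intended "no time restriction" case.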
    INDEX { ipsohfName }
    ::= { ipsoHeaderFilterTable 1 }

IpsoHeaderFilterEntry ::= SEQUENCE {
    ipsohfName              SnmpAdminString,
    ipsohfType              BITS,
    ipsohfClassification    INTEGER,
    ipsohfProtectionAuth    INTEGER,
    ipsohfLastChanged       TimeStamp,
    ipsohfStorageType       StorageType,
    ipsohfRowStatus         RowStatus
}

ipsohfName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The administrative name for this filter."
    ::= { ipsoHeaderFilterEntry 1 }

ipsohfType OBJECT-TYPE
    SYNTAX      BITS { classificationLevel(0), protectionAuthority(1) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The IPSO header fields to match the value against."
    ::= { ipsoHeaderFilterEntry 2 }

ipsohfClassification OBJECT-TYPE
    SYNTAX      INTEGER { topSecret(61), secret(90),
                          confidential(150), unclassified(171) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The IPSO classification header field value must match the
        value in this column if the classificationLevel bit is set in
        the ipsohfType field."
    ::= { ipsoHeaderFilterEntry 3 }

ipsohfProtectionAuth OBJECT-TYPE
    SYNTAX      INTEGER { genser(0), siopesi(1), sci(2), nsa(3), doe(4) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The IPSO protection authority header field value must match
        the value in this column if the protectionAuthority bit is
        set in the ipsohfType field."
    ::= { ipsoHeaderFilterEntry 4 }

ipsohfLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
        either through SNMP SETs or by some other external means."
    ::= { ipsoHeaderFilterEntry 5 }

ipsohfStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
        created through an external process may have a storage type of
        readOnly or permanent. Entries which are permanent are
        expected to have at least one configurable column in the row, but
        which columns are in fact modifiable is implementation specific."
    DEFVAL { nonVolatile }
    ::= { ipsoHeaderFilterEntry 6 }

ipsohfRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        This object may not be set to active if the requirements of
        the ipsohfType object are not met. In other words, if the
        associated value columns needed by a particular test have not
        been set, then attempting to change this row to an active
        state will result in an inconsistentValue error. See the
        ipsohfType object description for further details."
    ::= { ipsoHeaderFilterEntry 7 }

--
-- Credential filter table
--

credentialFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CredentialFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table defines filters which can be used to match
        credentials of IKE peers, where the credentials in question
        have been obtained from an IKE phase 1 exchange. They may be
        X.509 certificates, Kerberos tickets, etc."
    ::= { ipsecPolicyConfigObjects 11 }

credentialFilterEntry OBJECT-TYPE
    SYNTAX      CredentialFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row defining a particular credential filter."
    INDEX { crfName }
    ::= { credentialFilterTable 1 }

CredentialFilterEntry ::= SEQUENCE {
    crfName             SnmpAdminString,
    crfCredentialType   INTEGER,
    crfMatchFieldName   OCTET STRING,
    crfMatchFieldValue  OCTET STRING,
    crfAcceptCredFrom   OCTET STRING,
    crfLastChanged      TimeStamp,
    crfStorageType      StorageType,
    crfRowStatus        RowStatus
}

crfName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The administrative name of this filter."
    ::= { credentialFilterEntry 1 }

crfCredentialType OBJECT-TYPE
    SYNTAX      INTEGER { x509(1), kerberos(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The credential type that is expected for this filter to succeed."
    DEFVAL { x509 }
    ::= { credentialFilterEntry 2 }

crfMatchFieldName OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..4096))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The piece of the credential to match against. Examples:
        serialNumber, signatureAlgorithm, issuerName, subjectName, ..."
    ::= { credentialFilterEntry 3 }

crfMatchFieldValue OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..4096))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The value that the field indicated by the crfMatchFieldName
        must match against for the filter to be considered TRUE."
    ::= { credentialFilterEntry 4 }

crfAcceptCredFrom OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..117))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This value is used to look up a row in the
        ipsecCredMngServiceTable for the Certificate Authority
        information. This value is empty (zero length) if there is no
        CA used for this filter."
    ::= { credentialFilterEntry 5 }

crfLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
        either through SNMP SETs or by some other external means."
    ::= { credentialFilterEntry 6 }

crfStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
        created through an external process may have a storage type of
        readOnly or permanent. Entries which are permanent are
        expected to have at least one configurable column in the row, but
        which columns are in fact modifiable is implementation specific."
    DEFVAL { nonVolatile }
    ::= { credentialFilterEntry 7 }

crfRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row."
    ::= { credentialFilterEntry 8 }

--
-- Peer Identity Filter Table
--

peerIdentityFilterTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PeerIdentityFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table defines filters which can be used to match the
        identities of IKE peers, where the identity in question is the
        one carried in the ID payload of an IKE phase 1 exchange. It
        may be an IPv4 address, an FQDN, a user FQDN, a DER-encoded
        distinguished name, etc."
    ::= { ipsecPolicyConfigObjects 12 }

peerIdentityFilterEntry OBJECT-TYPE
    SYNTAX      PeerIdentityFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row defining a particular peer identity filter."
    INDEX { pifName }
    ::= { peerIdentityFilterTable 1 }

PeerIdentityFilterEntry ::= SEQUENCE {
    pifName             SnmpAdminString,
    pifIdentityType     IpsecDoiIdentType,
    pifIdentityValue    OCTET STRING,
    pifLastChanged      TimeStamp,
    pifStorageType      StorageType,
    pifRowStatus        RowStatus
}

pifName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The administrative name of this filter."
    ::= { peerIdentityFilterEntry 1 }

pifIdentityType OBJECT-TYPE
    SYNTAX      IpsecDoiIdentType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The type of identity field in the peer ID payload to match
        against."
    ::= { peerIdentityFilterEntry 2 }

pifIdentityValue OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(1..4096))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The value that the peer ID payload value must match against.
        Wildcard mechanisms MUST be supported such that:

        - a pifIdentityValue of '*@company.com' will match a
          userFqdn ID payload of 'JDOE@COMPANY.COM'

        - a pifIdentityValue of '*.company.com' will match a fqdn
          ID payload of 'WWW.COMPANY.COM'

        - a pifIdentityValue of
          'cn=*,ou=engineering,o=company,c=us' will match a DER DN ID
          payload of 'cn=John Doe,ou=engineering,o=company,c=us'

        - a pifIdentityValue of '192.0.2.0/24' will match an
          IPv4 address ID payload of 192.0.2.10

        - a pifIdentityValue of '192.0.2.*' will also match an
          IPv4 address ID payload of 192.0.2.10.

        The character '*' replaces 0 or multiple instances of any
        character."
    ::= { peerIdentityFilterEntry 3 }

pifLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
        either through SNMP SETs or by some other external means."
    ::= { peerIdentityFilterEntry 4 }

pifStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
        created through an external process may have a storage type of
        readOnly or permanent. Entries which are permanent are
        expected to have at least one configurable column in the row, but
        which columns are in fact modifiable is implementation specific."
    DEFVAL { nonVolatile }
    ::= { peerIdentityFilterEntry 5 }

pifRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.
        This object can not be considered active unless the
        pifIdentityType and pifIdentityValue column values are
        defined."
    ::= { peerIdentityFilterEntry 6 }

--
-- Compound actions table
--

compoundActionsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CompoundActionsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Table used to allow multiple actions to be associated with a
        rule. It uses the actionsInCompoundActionsTable to do this."
    ::= { ipsecPolicyConfigObjects 13 }

compoundActionsEntry OBJECT-TYPE
    SYNTAX      CompoundActionsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row in the compoundActionsTable."
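The pifIdentityValue wildcard rules above, worked as an added example that is not part of the draft: a matcher that refuses a payload whose ID type differs from pifIdentityType, applies the '*' rule (zero or more of any character, case-insensitively, as the draft's upper-case payloads against lower-case patterns require), accepts prefix notation for address identities, and compares DN strings after normalising whitespace around the separators. The ID type constants are the ISAKMP IPsec DOI identification type values from RFC 2407 that the IpsecDoiIdentType TC carries; the row class, the DN normalisation rule and the sample rows are assumptions made for illustration, and a real implementation would compare the decoded ASN.1 DN rather than its string rendering.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# ISAKMP IPsec DOI identification types (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN = 1, 2, 3
ID_IPV6_ADDR, ID_DER_ASN1_DN = 5, 9


@dataclass(frozen=True)
class PeerIdentityFilter:          # one peerIdentityFilterEntry row (hypothetical in-memory form)
    name: str                      # pifName
    id_type: int                   # pifIdentityType
    value: str                     # pifIdentityValue, possibly containing '*' or a /prefix


def _glob(pattern: str) -> "re.Pattern[str]":
    """'*' stands for zero or more of any character; everything else is literal, case-insensitive."""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.IGNORECASE)


def _dn_canon(dn: str) -> str:
    """Assumption: DNs are rendered as 'type=value,type=value'; strip whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(","))


def peer_identity_match(f: PeerIdentityFilter, id_type: int, id_value: str) -> bool:
    """TRUE when the IKE ID payload (type, value) satisfies the filter row."""
    if id_type != f.id_type:
        return False               # a different ID type never matches, whatever the strings say
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR) and "/" in f.value:
        net = ipaddress.ip_network(f.value, strict=False)   # '192.0.2.0/24' style
        return ipaddress.ip_address(id_value) in net        # False for a mismatched address family
    if id_type == ID_DER_ASN1_DN:
        return _glob(_dn_canon(f.value)).match(_dn_canon(id_value)) is not None
    return _glob(f.value).match(id_value) is not None


def first_matching_filter(filters: Iterable[PeerIdentityFilter],
                          id_type: int, id_value: str) -> Optional[str]:
    """Return the pifName of the first row that matches the presented identity, or None."""
    for f in filters:
        if peer_identity_match(f, id_type, id_value):
            return f.name
    return None


FILTERS = [  # constructed rows mirroring the draft's examples, with documentation addresses
    PeerIdentityFilter("corp-users", ID_USER_FQDN, "*@company.com"),
    PeerIdentityFilter("corp-hosts", ID_FQDN, "*.company.com"),
    PeerIdentityFilter("eng-dn", ID_DER_ASN1_DN, "cn=*,ou=engineering,o=company,c=us"),
    PeerIdentityFilter("branch-net", ID_IPV4_ADDR, "192.0.2.0/24"),
    PeerIdentityFilter("branch-glob", ID_IPV4_ADDR, "192.0.2.*"),
]
```

The type check comes first on purpose: an FQDN payload of 'jdoe@company.com' must not satisfy a userFqdn row just because the strings happen to line up, since the two identity types are authenticated against different credential fields. Note also that '*' is anchored at both ends, so '*.company.com' does not match 'www.company.com.example'.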
    INDEX { caName }
    ::= { compoundActionsTable 1 }

CompoundActionsEntry ::= SEQUENCE {
    caName               SnmpAdminString,
    caExecutionStrategy  INTEGER,
    caLastChanged        TimeStamp,
    caStorageType        StorageType,
    caRowStatus          RowStatus
}

caName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This is an administratively assigned name of this compound action."
    ::= { compoundActionsEntry 1 }

caExecutionStrategy OBJECT-TYPE
    SYNTAX      INTEGER { reserved(0),
                          doAll(1),
                          doUntilSuccess(2),
                          doUntilFailure(3) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates how the sub-actions are executed based
        on the success of the actions as they finish executing.

        doAll          - run each sub-action regardless of the exit
                         status of the previous action. This parent
                         action is always considered to have acted
                         successfully.

        doUntilSuccess - run each sub-action until one succeeds, at
                         which point stop processing the sub-actions
                         within this parent compound action. If one
                         of the sub-actions did execute
                         successfully, this parent action is also
                         considered to have executed successfully.

        doUntilFailure - run each sub-action until one fails, at
                         which point stop processing the sub-actions
                         within this compound action. If any
                         sub-action fails, the result of this parent
                         action is considered to have failed."
    DEFVAL { doUntilSuccess }
    ::= { compoundActionsEntry 2 }

caLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
        either through SNMP SETs or by some other external means."
    ::= { compoundActionsEntry 3 }

caStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
        created through an external process may have a storage type of
        readOnly or permanent. Entries which are permanent are
        expected to have at least one configurable column in the row, but
        which columns are in fact modifiable is implementation specific."
    DEFVAL { nonVolatile }
    ::= { compoundActionsEntry 4 }

caRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        Once a row in the compoundActionsTable has been made active,
        this object may not be set to destroy without first
        destroying all the contained rows listed in the
        actionsInCompoundActionsTable."
    ::= { compoundActionsEntry 5 }

--
-- actions contained within a compound action
--
actionsInCompoundActionsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF ActionsInCompoundActionsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains a list of the sub-actions within a given
        compound action. Compound actions executing these actions
        MUST execute them in series based on the aicaPriority value,
        with the lowest value executing first."
    ::= { ipsecPolicyConfigObjects 14 }

actionsInCompoundActionsEntry OBJECT-TYPE
    SYNTAX      ActionsInCompoundActionsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row containing a reference to a given compound-action
        sub-action."
    INDEX { caName, aicaPriority }
    ::= { actionsInCompoundActionsTable 1 }

ActionsInCompoundActionsEntry ::= SEQUENCE {
    aicaPriority       Integer32,
    aicaSubActionName  VariablePointer,
    aicaLastChanged    TimeStamp,
    aicaStorageType    StorageType,
    aicaRowStatus      RowStatus
}

aicaPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65536)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The priority of a given sub-action within a compound action.
        The order in which sub-actions should be executed is based on
        the value from this column, with the lowest numeric value
        executing first."
    ::= { actionsInCompoundActionsEntry 1 }

aicaSubActionName OBJECT-TYPE
    SYNTAX      VariablePointer
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This column points to the action to be taken. It may, but is
        not limited to, point to a row in one of the following
        tables:

            compoundActionsTable - Allowing recursion
            saPreconfiguredActionTable
            ikeActionTable
            ipsecActionTable

        It may also point to one of the scalar objects beneath
        saStaticActions.

        If this object is set to a pointer to a row in an unsupported
        (or unknown) table, an inconsistentValue error should be
        returned.

        If this object is set to point to a non-existent row in an
        otherwise supported table, an inconsistentName error should
        be returned."
    ::= { actionsInCompoundActionsEntry 2 }

aicaLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
        either through SNMP SETs or by some other external means."
    ::= { actionsInCompoundActionsEntry 3 }

aicaStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row.
        Rows in this table which were
        created through an external process may have a storage type of
        readOnly or permanent. Entries which are permanent are
        expected to have at least one configurable column in the row, but
        which columns are in fact modifiable is implementation specific."
    DEFVAL { nonVolatile }
    ::= { actionsInCompoundActionsEntry 4 }

aicaRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified."
    ::= { actionsInCompoundActionsEntry 5 }

--
-- Static Actions
--

-- these are static actions which can be pointed to by the pRuleAction
-- or the aicaSubActionName objects to drop, accept or reject packets.

saStaticActions OBJECT IDENTIFIER ::= { ipsecPolicyConfigObjects 15 }

saDropAction OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet should be dropped WITHOUT
        action/packet logging. This object returns a value
        of 1 for IPsec policy implementations that support the drop
        static action."
    ::= { saStaticActions 1 }

saDropActionLog OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet should be dropped WITH
        action/packet logging. This object returns a value
        of 1 for IPsec policy implementations that support the drop
        static action with logging."
    ::= { saStaticActions 2 }

saAcceptAction OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet should be accepted
        (pass-through) WITHOUT action/packet logging.
        This object
        returns a value of 1 for IPsec policy implementations that
        support the accept static action."
    ::= { saStaticActions 3 }

saAcceptActionLog OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet should be accepted
        (pass-through) WITH action/packet logging. This object
        returns a value of 1 for IPsec policy implementations that
        support the accept static action with logging."
    ::= { saStaticActions 4 }

saRejectIKEAction OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet should be rejected
        WITHOUT action/packet logging. This object returns a value of
        1 for IPsec policy implementations that support the reject
        static action."
    ::= { saStaticActions 5 }

saRejectIKEActionLog OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This scalar indicates that a packet should be rejected
        WITH action/packet logging. This object returns a value of 1
        for IPsec policy implementations that support the reject
        static action with logging."
    ::= { saStaticActions 6 }

--
-- Preconfigured Action Table
--

saPreconfiguredActionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SaPreconfiguredActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table is a list of non-negotiated IPsec actions (SAs) that
        can be performed and contains or indicates the data necessary
        to create such an SA."
    ::= { ipsecPolicyConfigObjects 16 }

saPreconfiguredActionEntry OBJECT-TYPE
    SYNTAX      SaPreconfiguredActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "One entry in the saPreconfiguredActionTable."
    INDEX { sapActionName, sapSADirection }
    ::= { saPreconfiguredActionTable 1 }

SaPreconfiguredActionEntry ::= SEQUENCE {
    sapActionName               SnmpAdminString,
    sapSADirection              IpsecSADirection,
    sapActionDescription        OCTET STRING,
    sapActionLifetimeSec        Unsigned32,
    sapActionLifetimeKB         Unsigned32,
    sapDoActionLogging          TruthValue,
    sapDoPacketLogging          TruthValue,
    sapDFHandling               INTEGER,
    sapActionType               IpsecDoiEncapsulationMode,
    sapAHSPI                    Integer32,
    sapAHTransformName          SnmpAdminString,
    sapAHSharedSecretName       SnmpAdminString,
    sapESPSPI                   Integer32,
    sapESPTransformName         SnmpAdminString,
    sapESPEncSharedSecretName   SnmpAdminString,
    sapESPAuthSharedSecretName  SnmpAdminString,
    sapIPCompSPI                Integer32,
    sapIPCompTransformName      SnmpAdminString,
    sapPeerGatewayIdName        OCTET STRING,
    sapLastChanged              TimeStamp,
    sapStorageType              StorageType,
    sapRowStatus                RowStatus
}

sapActionName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object contains the name of this
        SaPreconfiguredActionEntry. This row can be referred to by an
        actionsInRuleEntry."
    ::= { saPreconfiguredActionEntry 1 }

sapSADirection OBJECT-TYPE
    SYNTAX      IpsecSADirection
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object indicates whether a row should apply to outgoing
        or incoming SAs"
    ::= { saPreconfiguredActionEntry 2 }

sapActionDescription OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "An administratively assigned string which may be used
        to describe in human terms what the action does"
    DEFVAL { "" }
    ::= { saPreconfiguredActionEntry 3 }

sapActionLifetimeSec OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "sapActionLifetimeSec specifies how long in seconds the security
        association derived from this action should be used. The
        default lifetime is 8 hours."
    DEFVAL { 28800 }
    ::= { saPreconfiguredActionEntry 4 }

sapActionLifetimeKB OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "sapActionLifetimeKB specifies how long in kilobytes the
        security association derived from this action should be
        used. The default value, '0', indicates no kilobyte limit."
    DEFVAL { 0 }
    ::= { saPreconfiguredActionEntry 5 }

sapDoActionLogging OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "sapDoActionLogging specifies whether or not an audit message
        should be logged when a preconfigured SA is created."
    DEFVAL { false }
    ::= { saPreconfiguredActionEntry 6 }

sapDoPacketLogging OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "sapDoPacketLogging specifies whether or not an audit message
        should be logged when a packet is passed through the SA."
    DEFVAL { false }
    ::= { saPreconfiguredActionEntry 7 }

sapDFHandling OBJECT-TYPE
    SYNTAX      INTEGER {
                    reserved(0),  -- reserved
                    copy(1),      -- indicates copy the DF bit from the
                                  -- internal to external IP header.
                    set(2),       -- set the DF bit in the external IP
                                  -- header to 1.
                    clear(3)      -- clear the DF bit in the external IP
                                  -- header to 0.
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies how to process the DF bit in packets
        sent through the preconfigured SA. This object is not used
        for transport SAs."
    DEFVAL { copy }
    ::= { saPreconfiguredActionEntry 8 }

sapActionType OBJECT-TYPE
    SYNTAX      IpsecDoiEncapsulationMode
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object specifies the encapsulation mode to use for the
        preconfigured SA: tunnel or transport mode."
    DEFVAL { tunnel }
    ::= { saPreconfiguredActionEntry 9 }

sapAHSPI OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object represents the SPI value for the AH SA."
    ::= { saPreconfiguredActionEntry 10 }

sapAHTransformName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is the name of the AH transform to use as an
        index into the AHTransformTable. A zero length value
        indicates no transform of this type is used."
    ::= { saPreconfiguredActionEntry 11 }

sapAHSharedSecretName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object contains a name value to be used as an index into
        the keyTable which holds the pertinent keying
        information for the AH SA."
    ::= { saPreconfiguredActionEntry 12 }

sapESPSPI OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object represents the SPI value for the ESP SA."
    ::= { saPreconfiguredActionEntry 13 }

sapESPTransformName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is the name of the ESP transform to use as an
        index into the ESPTransformTable. A zero length value
        indicates no transform of this type is used."
    ::= { saPreconfiguredActionEntry 14 }

sapESPEncSharedSecretName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object contains a name value to be used as an index into
        the keyTable which holds the pertinent keying
        information for the encryption algorithm of the ESP SA."
    ::= { saPreconfiguredActionEntry 15 }

sapESPAuthSharedSecretName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object contains a name value to be used as an index into
        the keyTable which holds the pertinent keying
        information for the authentication algorithm of the ESP SA."
    ::= { saPreconfiguredActionEntry 16 }

sapIPCompSPI OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object represents the SPI value for the IPComp SA."
    ::= { saPreconfiguredActionEntry 17 }

sapIPCompTransformName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is the name of the IPComp transform to use as an
        index into the IPCompTransformTable. A zero length value
        indicates no transform of this type is used."
    ::= { saPreconfiguredActionEntry 18 }

sapPeerGatewayIdName OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..116))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the peer id name of the peer gateway. This
        object can be used to look up the peer id value, address and
        other values in the peerIdentityTable. This object is used
        when initiating a tunnel SA. This object is not used for
        transport SAs."
    ::= { saPreconfiguredActionEntry 19 }

sapLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
        either through SNMP SETs or by some other external means."
    ::= { saPreconfiguredActionEntry 20 }

sapStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
        created through an external process may have a storage type of
        readOnly or permanent. Entries which are permanent are
        expected to have at least one configurable column in the row, but
        which columns are in fact modifiable is implementation specific."
    DEFVAL { nonVolatile }
    ::= { saPreconfiguredActionEntry 21 }

sapRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        If active, this object must remain active if it is referenced
        by a row in another table."
    ::= { saPreconfiguredActionEntry 22 }

--
-- saNegotiationParametersTable
--

-- PROPERTIES MinLifetimeSeconds
--            MinLifetimeKilobytes
--            RefreshThresholdSeconds
--            RefreshThresholdKilobytes
--            IdleDurationSeconds

saNegotiationParametersTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SaNegotiationParametersEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains reusable parameters that can be pointed
        to by the ikeActionTable and ipsecActionTable. These
        parameters are reusable since it is likely an administrator
        will want to make global policy changes to lifetime
        parameters that apply to multiple actions. This table allows
        multiple rows in the other actions tables to reuse global
        lifetime parameters in this table by repeatedly pointing to a
        row contained within this table."
    ::= { ipsecPolicyConfigObjects 17 }

saNegotiationParametersEntry OBJECT-TYPE
    SYNTAX      SaNegotiationParametersEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Contains the attributes of one row in the
        saNegotiationParametersTable."
    INDEX { sanActionParametersName }
    ::= { saNegotiationParametersTable 1 }

SaNegotiationParametersEntry ::= SEQUENCE {
    sanActionParametersName     SnmpAdminString,
    sanMinimumLifetimeSeconds   Integer32,
    sanMinimumLifetimeKB        Integer32,
    sanRefreshThresholdSeconds  Integer32,
    sanRefreshThresholdKB       Integer32,
    sanIdleDurrationSeconds     Integer32,
    sanLastChanged              TimeStamp,
    sanStorageType              StorageType,
    sanRowStatus                RowStatus
}

sanActionParametersName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object contains the administrative name of this
        SaNegotiationParametersEntry. This row can be referred
        to by this name in other policy action tables."
    ::= { saNegotiationParametersEntry 1 }

sanMinimumLifetimeSeconds OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "sanMinimumLifetimeSeconds specifies the minimum seconds
        lifetime that will be accepted from the peer."
    ::= { saNegotiationParametersEntry 2 }

sanMinimumLifetimeKB OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "sanMinimumLifetimeKB specifies the minimum kilobyte
        lifetime that will be accepted from the peer."
    ::= { saNegotiationParametersEntry 3 }

sanRefreshThresholdSeconds OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "sanRefreshThresholdSeconds specifies what percentage of
        the seconds lifetime can expire before IKE should attempt to
        renegotiate the IPsec security association.
        A value between 1 and 100 representing a percentage. A
        value of 100 indicates that the IPsec security
        association should not be renegotiated until the
        seconds lifetime has been reached."
    ::= { saNegotiationParametersEntry 4 }

sanRefreshThresholdKB OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "sanRefreshThresholdKB specifies what percentage of
        the kilobyte lifetime can expire before IKE should attempt to
        renegotiate the IPsec security association.
        A value between 1 and 100 representing a percentage. A
        value of 100 indicates that the IPsec security
        association should not be renegotiated until the
        kilobyte lifetime has been reached."
    ::= { saNegotiationParametersEntry 5 }

sanIdleDurrationSeconds OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "sanIdleDurrationSeconds specifies how many seconds a
        security association may remain idle (i.e., no traffic protected
        using the security association) before it is deleted.
        A value of zero indicates that idle detection should
        not be used for the security association. Any non-zero
        value indicates the number of seconds the security
        association may remain unused."
    ::= { saNegotiationParametersEntry 6 }

sanLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
        either through SNMP SETs or by some other external means."
    ::= { saNegotiationParametersEntry 7 }

sanStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
        created through an external process may have a storage type of
        readOnly or permanent. Entries which are permanent are
        expected to have at least one configurable column in the row, but
        which columns are in fact modifiable is implementation specific."
    DEFVAL { nonVolatile }
    ::= { saNegotiationParametersEntry 8 }

sanRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified.

        This object may not be set to destroy if referred to by other
        rows in other action tables."
    ::= { saNegotiationParametersEntry 9 }

--
-- ikeActionTable
--

ikeActionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IkeActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The ikeActionTable contains a list of the parameters used for
        an IKE phase 1 SA DOI negotiation. See the corresponding
        table ikeActionProposalGroupTable for a list of proposals
        contained within a given IKE Action."
    ::= { ipsecPolicyConfigObjects 18 }

ikeActionEntry OBJECT-TYPE
    SYNTAX      IkeActionEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The ikeActionEntry lists the IKE negotiation attributes."
    INDEX { ikeActionName }
    ::= { ikeActionTable 1 }

IkeActionEntry ::= SEQUENCE {
    ikeActionName              SnmpAdminString,
    ikeActionParametersName    SnmpAdminString,
    ikeThresholdDerivedKeys    Integer32,
    ikeExchangeMode            INTEGER,
    ikeAgressiveModeGroupId    IkeGroupDescription,
    ikeIdentityType            IpsecDoiIdentType,
    ikeIdentityContext         SnmpAdminString,
    ikePeerName                SnmpAdminString,
    ikeActionDoActionLogging   TruthValue,
    ikeActionDoPacketLogging   TruthValue,
    ikeActionVendorId          OCTET STRING,
    ikeActionLastChanged       TimeStamp,
    ikeActionStorageType       StorageType,
    ikeActionRowStatus         RowStatus
}

ikeActionName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object contains the name of this ikeAction entry."
    ::= { ikeActionEntry 1 }

ikeActionParametersName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is administratively assigned to reference a row
        in the saNegotiationParametersTable where additional
        parameters affecting this action may be found."
    ::= { ikeActionEntry 2 }

ikeThresholdDerivedKeys OBJECT-TYPE
    SYNTAX      Integer32 (0..100)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ikeThresholdDerivedKeys specifies what percentage
        of the derived key limit (see the LifetimeDerivedKeys
        property of IKEProposal) can expire before IKE should attempt
        to renegotiate the IKE phase 1 security association."
    DEFVAL { 100 }
    ::= { ikeActionEntry 3 }

ikeExchangeMode OBJECT-TYPE
    SYNTAX      INTEGER { main(1), agressive(2) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ikeExchangeMode specifies the IKE Phase 1 negotiation mode."
    ::= { ikeActionEntry 4 }

ikeAgressiveModeGroupId OBJECT-TYPE
    SYNTAX      IkeGroupDescription
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The values to be used for Diffie-Hellman exchange."
    ::= { ikeActionEntry 5 }

ikeIdentityType OBJECT-TYPE
    SYNTAX      IpsecDoiIdentType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This column along with ikeIdentityContext and endpoint info
        is used to look up an identity in the ikeIdentityTable."
    ::= { ikeActionEntry 6 }

ikeIdentityContext OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This column, along with ikeIdentityType and endpoint
        information, is used to refer to an ikeIdentityEntry in the
        ikeIdentityTable."
    ::= { ikeActionEntry 7 }

ikePeerName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..116))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the peer id name of the IKE peer. This
        object can be used to look up the peer id value, address,
        keys and other values in the peerIdentityTable."
    ::= { ikeActionEntry 8 }

ikeActionDoActionLogging OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ikeActionDoActionLogging specifies whether or not an audit
        message should be logged when this IKE SA is created."
    ::= { ikeActionEntry 9 }

ikeActionDoPacketLogging OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "ikeActionDoPacketLogging specifies whether or not an audit message
        should be logged when a packet is passed through the SA."
    ::= { ikeActionEntry 10 }

ikeActionVendorId OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..65535))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Vendor ID Payload. A value of NULL means that Vendor ID
        payload will be neither generated nor accepted. A non-NULL
        value means that a Vendor ID payload will be generated (when
        acting as an initiator) or is expected (when acting as a
        responder)."
    DEFVAL { "" }
    ::= { ikeActionEntry 11 }

ikeActionLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
        either through SNMP SETs or by some other external means."
    ::= { ikeActionEntry 12 }

ikeActionStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
        created through an external process may have a storage type of
        readOnly or permanent. Entries which are permanent are
        expected to have at least one configurable column in the row, but
        which columns are in fact modifiable is implementation specific."
    DEFVAL { nonVolatile }
    ::= { ikeActionEntry 13 }

ikeActionRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified."
    ::= { ikeActionEntry 14 }

--
-- ikeActionProposalsTable proposals contained within a ikeAction
--

ikeActionProposalsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IkeActionProposalsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains a list of all IKE proposal names found
        within a given IKE Action."
    ::= { ipsecPolicyConfigObjects 19 }

ikeActionProposalsEntry OBJECT-TYPE
    SYNTAX      IkeActionProposalsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row containing one IKE proposal reference."
    INDEX { ikeActionName, ikeActionProposalPriority }
    ::= { ikeActionProposalsTable 1 }

IkeActionProposalsEntry ::= SEQUENCE {
    ikeActionProposalPriority     Integer32,
    ikeActionProposalName         SnmpAdminString,
    ikeActionProposalLastChanged  TimeStamp,
    ikeActionProposalStorageType  StorageType,
    ikeActionProposalRowStatus    RowStatus
}

ikeActionProposalPriority OBJECT-TYPE
    SYNTAX      Integer32 (0..65535)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The numeric priority of a given contained proposal inside an
        IKE Action. This index should be used to order the proposals
        in an IKE Phase I negotiation, lowest value first."
    ::= { ikeActionProposalsEntry 1 }

ikeActionProposalName OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(1..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The administratively assigned name that can be used to
        reference a set of values contained within the
        ikeProposalTable."
    ::= { ikeActionProposalsEntry 2 }

ikeActionProposalLastChanged OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
        either through SNMP SETs or by some other external means."
    ::= { ikeActionProposalsEntry 3 }

ikeActionProposalStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
        created through an external process may have a storage type of
        readOnly or permanent. Entries which are permanent are
        expected to have at least one configurable column in the row, but
        which columns are in fact modifiable is implementation specific."
    DEFVAL { nonVolatile }
    ::= { ikeActionProposalsEntry 4 }

ikeActionProposalRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

        The value of this object has no effect on whether other
        objects in this conceptual row can be modified."
    ::= { ikeActionProposalsEntry 5 }

--
-- IKE proposal definition table
--

ikeProposalTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF IkeProposalEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table contains a list of IKE proposals which are used in an
        IKE negotiation."
2740 ::= { ipsecPolicyConfigObjects 20 } 2742 ikeProposalEntry OBJECT-TYPE 2743 SYNTAX IkeProposalEntry 2744 MAX-ACCESS not-accessible 2745 STATUS current 2746 DESCRIPTION 2747 "One IKE proposal entry." 2748 INDEX { ikeActionProposalName } 2749 ::= { ikeProposalTable 1 } 2751 IkeProposalEntry ::= SEQUENCE { 2752 ipLifetimeDerivedKeys Unsigned32, 2753 ipCipherAlgorithm IkeEncryptionAlgorithm, 2754 ipCipherKeyLength Unsigned32, 2755 ipCipherKeyRounds Unsigned32, 2756 ipHashAlgorithm IkeHashAlgorithm, 2757 ipPrfAlgorithm INTEGER, 2758 ipVendorId OCTET STRING, 2759 ipDhGroup IkeGroupDescription, 2760 ipAuthenticationMethod IkeAuthMethod, 2761 ipMaxLifetimeSeconds Unsigned32, 2762 ipMaxLifetimeKB Unsigned32, 2763 ipProposalLastChanged TimeStamp, 2764 ipProposalStorageType StorageType, 2765 ipProposalRowStatus RowStatus 2766 } 2768 ipLifetimeDerivedKeys OBJECT-TYPE 2769 SYNTAX Unsigned32 2770 MAX-ACCESS read-create 2771 STATUS current 2772 DESCRIPTION 2773 "ipLifetimeDerivedKeys specifies the number of times that 2774 a phase 1 key will be used to derive a phase 2 key before the 2775 phase 1 security association needs to be renegotiated." 2776 ::= { ikeProposalEntry 1 } 2778 ipCipherAlgorithm OBJECT-TYPE 2779 SYNTAX IkeEncryptionAlgorithm 2780 MAX-ACCESS read-create 2781 STATUS current 2782 DESCRIPTION 2783 "ipCipherAlgorithm specifies the proposed phase 1 security 2784 association encryption algorithm." 2785 ::= { ikeProposalEntry 2 } 2787 ipCipherKeyLength OBJECT-TYPE 2788 SYNTAX Unsigned32 2789 MAX-ACCESS read-create 2790 STATUS current 2791 DESCRIPTION 2792 "This MIB object specifies, in bits, the key length for 2793 the cipher algorithm used in IKE Phase 1 negotiation." 2794 ::= { ikeProposalEntry 3 } 2796 ipCipherKeyRounds OBJECT-TYPE 2797 SYNTAX Unsigned32 2798 MAX-ACCESS read-create 2799 STATUS current 2800 DESCRIPTION 2801 "This MIB object specifies the number of key rounds for 2802 the cipher algorithm used in IKE Phase 1 negotiation." 
2803 ::= { ikeProposalEntry 4 } 2805 ipHashAlgorithm OBJECT-TYPE 2806 SYNTAX IkeHashAlgorithm 2807 MAX-ACCESS read-create 2808 STATUS current 2809 DESCRIPTION 2810 "ipHashAlgorithm specifies the proposed phase 1 security 2811 association hash algorithm." 2812 ::= { ikeProposalEntry 5 } 2814 ipPrfAlgorithm OBJECT-TYPE 2815 SYNTAX INTEGER { reserved(0) } 2816 MAX-ACCESS read-create 2817 STATUS current 2818 DESCRIPTION 2819 "ipPrfAlgorithm specifies the proposed phase 1 security 2820 association pseudo-random function. 2822 Note: currently no PRF algorithms are defined." 2823 ::= { ikeProposalEntry 6 } 2825 ipVendorId OBJECT-TYPE 2826 SYNTAX OCTET STRING (SIZE(0..255)) 2827 MAX-ACCESS read-create 2828 STATUS current 2829 DESCRIPTION 2830 "The VendorID property is used to identify vendor-defined key 2831 exchange GroupIDs." 2832 ::= { ikeProposalEntry 7 } 2834 ipDhGroup OBJECT-TYPE 2835 SYNTAX IkeGroupDescription 2836 MAX-ACCESS read-create 2837 STATUS current 2838 DESCRIPTION 2839 "This MIB object specifies the proposed phase 1 security 2840 association Diffie-Hellman group." 2841 ::= { ikeProposalEntry 8 } 2843 ipAuthenticationMethod OBJECT-TYPE 2844 SYNTAX IkeAuthMethod 2845 MAX-ACCESS read-create 2846 STATUS current 2847 DESCRIPTION 2848 "This MIB object specifies the proposed authentication 2849 method for the phase 1 security association." 2850 ::= { ikeProposalEntry 9 } 2852 ipMaxLifetimeSeconds OBJECT-TYPE 2853 SYNTAX Unsigned32 2854 MAX-ACCESS read-create 2855 STATUS current 2856 DESCRIPTION 2857 "ipMaxLifetimeSeconds specifies the maximum amount of 2858 time to propose that a security association remain valid." 2859 ::= { ikeProposalEntry 10 } 2861 ipMaxLifetimeKB OBJECT-TYPE 2862 SYNTAX Unsigned32 2863 MAX-ACCESS read-create 2864 STATUS current 2865 DESCRIPTION 2866 "ipMaxLifetimeKB specifies the maximum kilobyte 2867 lifetime to propose that a security association remain valid." 
2868 ::= { ikeProposalEntry 11 } 2870 ipProposalLastChanged OBJECT-TYPE 2871 SYNTAX TimeStamp 2872 MAX-ACCESS read-only 2873 STATUS current 2874 DESCRIPTION 2875 "The value of sysUpTime when this row was last modified 2876 either through SNMP SETs or by some other external means." 2877 ::= { ikeProposalEntry 12 } 2879 ipProposalStorageType OBJECT-TYPE 2880 SYNTAX StorageType 2881 MAX-ACCESS read-create 2882 STATUS current 2883 DESCRIPTION 2884 "The storage type for this row. Rows in this table which were 2885 created through an external process may have a storage type of 2886 readOnly or permanent. Entries which are permanent are 2887 expected to have at least one configurable column in the row, but 2888 which columns are in fact modifiable is implementation specific." 2889 ::= { ikeProposalEntry 13 } 2891 ipProposalRowStatus OBJECT-TYPE 2892 SYNTAX RowStatus 2893 MAX-ACCESS read-create 2894 STATUS current 2895 DESCRIPTION 2896 "This object indicates the conceptual status of this row. 2898 The value of this object has no effect on whether other 2899 objects in this conceptual row can be modified." 2900 ::= { ikeProposalEntry 14 } 2902 -- 2903 -- IPsec action definition table 2904 -- 2906 ipsecActionTable OBJECT-TYPE 2907 SYNTAX SEQUENCE OF IpsecActionEntry 2908 MAX-ACCESS not-accessible 2909 STATUS current 2910 DESCRIPTION 2911 "The ipsecActionTable contains a list of the parameters used for an 2912 IKE phase 2 IPsec DOI negotiation." 2913 ::= { ipsecPolicyConfigObjects 21 } 2915 ipsecActionEntry OBJECT-TYPE 2916 SYNTAX IpsecActionEntry 2917 MAX-ACCESS not-accessible 2918 STATUS current 2919 DESCRIPTION 2920 "The ipsecActionEntry lists the IPsec negotiation attributes." 
2921 INDEX { ipsecActionName } 2922 ::= { ipsecActionTable 1 } 2924 IpsecActionEntry ::= SEQUENCE { 2925 ipsecActionName SnmpAdminString, 2926 ipsecActionParametersName SnmpAdminString, 2927 ipsecActionProposalsName SnmpAdminString, 2928 ipsecUsePfs TruthValue, 2929 ipsecVendorId OCTET STRING, 2930 ipsecGroupId IkeGroupDescription, 2931 ipsecPeerGatewayIdName OCTET STRING, 2932 ipsecUseIkeGroup TruthValue, 2933 ipsecGranularity INTEGER, 2934 ipsecMode INTEGER, 2935 ipsecDFHandling INTEGER, 2936 ipsecDoActionLogging TruthValue, 2937 ipsecDoPacketLogging TruthValue, 2938 ipsecActionLastChanged TimeStamp, 2939 ipsecActionStorageType StorageType, 2940 ipsecActionRowStatus RowStatus 2941 } 2943 ipsecActionName OBJECT-TYPE 2944 SYNTAX SnmpAdminString (SIZE(1..32)) 2945 MAX-ACCESS not-accessible 2946 STATUS current 2947 DESCRIPTION 2948 "ipsecActionName is the name of the ipsecAction entry." 2949 ::= { ipsecActionEntry 1 } 2951 ipsecActionParametersName OBJECT-TYPE 2952 SYNTAX SnmpAdminString (SIZE(1..32)) 2953 MAX-ACCESS read-create 2954 STATUS current 2955 DESCRIPTION 2956 "This object is used to reference a row in the 2957 saNegotationActionParametersTable where additional parameters 2958 affecting this action may be found." 2959 ::= { ipsecActionEntry 2 } 2961 ipsecActionProposalsName OBJECT-TYPE 2962 SYNTAX SnmpAdminString (SIZE(1..32)) 2963 MAX-ACCESS read-create 2964 STATUS current 2965 DESCRIPTION 2966 "This object is used to reference one or more rows in the 2967 ipsecProposalsTable where an ordered list of proposals 2968 affecting this action may be found." 2969 ::= { ipsecActionEntry 3 } 2971 ipsecUsePfs OBJECT-TYPE 2972 SYNTAX TruthValue 2973 MAX-ACCESS read-create 2974 STATUS current 2975 DESCRIPTION 2976 "This MIB object specifies whether or not perfect forward 2977 secrecy should be used when refreshing keys. 2978 A value of true indicates that PFS should be used." 
2979 ::= { ipsecActionEntry 4 } 2981 ipsecVendorId OBJECT-TYPE 2982 SYNTAX OCTET STRING (SIZE(0..255)) 2983 MAX-ACCESS read-create 2984 STATUS current 2985 DESCRIPTION 2986 "The VendorID property is used to identify vendor-defined key 2987 exchange GroupIDs." 2988 ::= { ipsecActionEntry 5 } 2990 ipsecGroupId OBJECT-TYPE 2991 SYNTAX IkeGroupDescription 2992 MAX-ACCESS read-create 2993 STATUS current 2994 DESCRIPTION 2995 "This object specifies the Diffie-Hellman group to use for phase 2 2996 when the object ipsecUsePfs is true and the object 2997 ipsecUseIkeGroup is false. If the GroupID number is from the 2998 vendor-specific range (32768-65535), the VendorID qualifies 2999 the group number." 3000 ::= { ipsecActionEntry 6 } 3002 ipsecPeerGatewayIdName OBJECT-TYPE 3003 SYNTAX OCTET STRING (SIZE(0..116)) 3004 MAX-ACCESS read-create 3005 STATUS current 3006 DESCRIPTION 3007 "This object indicates the peer id name of the peer gateway. This 3008 object can be used to look up the peer id value, address and 3009 other values in the peerIdentityTable. This object is used 3010 when initiating a tunnel SA. This object is not used for 3011 transport SAs." 3012 ::= { ipsecActionEntry 7 } 3014 ipsecUseIkeGroup OBJECT-TYPE 3015 SYNTAX TruthValue 3016 MAX-ACCESS read-create 3017 STATUS current 3018 DESCRIPTION 3019 "This object specifies whether or not to use the same GroupId for 3020 phase 2 as was used in phase 1. If ipsecUsePfs is false, this entry 3021 should be ignored." 3022 ::= { ipsecActionEntry 8 } 3024 ipsecGranularity OBJECT-TYPE 3025 SYNTAX INTEGER { subnet(1), address(2), protocol(3), port(4) } 3026 MAX-ACCESS read-create 3027 STATUS current 3028 DESCRIPTION 3029 "This object specifies how the proposed selector for the 3030 security association will be created. The selector is created 3031 by using the FilterList information. The selector can be 3032 subnet, address, protocol, or port." 
3033 ::= { ipsecActionEntry 9 } 3035 ipsecMode OBJECT-TYPE 3036 SYNTAX INTEGER { tunnel(1), transport(2) } 3037 MAX-ACCESS read-create 3038 STATUS current 3039 DESCRIPTION 3040 "This object specifies the encapsulation of the IPsec SA 3041 to be negotiated." 3042 ::= { ipsecActionEntry 10 } 3044 ipsecDFHandling OBJECT-TYPE 3045 SYNTAX INTEGER { copy(1), set(2), clear(3) } 3046 MAX-ACCESS read-create 3047 STATUS current 3048 DESCRIPTION 3049 "This object specifies the processing of the DF bit by the 3050 negotiated IPsec tunnel. 3052 1 - DF bit is copied. 3053 2 - DF bit is set. 3054 3 - DF bit is cleared." 3055 ::= { ipsecActionEntry 11 } 3057 ipsecDoActionLogging OBJECT-TYPE 3058 SYNTAX TruthValue 3059 MAX-ACCESS read-create 3060 STATUS current 3061 DESCRIPTION 3062 "ipsecDoActionLogging specifies whether or not an audit 3063 message should be logged when this IPsec SA is created." 3064 ::= { ipsecActionEntry 12 } 3066 ipsecDoPacketLogging OBJECT-TYPE 3067 SYNTAX TruthValue 3068 MAX-ACCESS read-create 3069 STATUS current 3070 DESCRIPTION 3071 "ipsecDoPacketLogging specifies whether or not an audit message 3072 should be logged when a packet is passed through the SA." 3073 ::= { ipsecActionEntry 13 } 3075 ipsecActionLastChanged OBJECT-TYPE 3076 SYNTAX TimeStamp 3077 MAX-ACCESS read-only 3078 STATUS current 3079 DESCRIPTION 3080 "The value of sysUpTime when this row was last modified or created 3081 either through SNMP SETs or by some other external means." 3082 ::= { ipsecActionEntry 14 } 3084 ipsecActionStorageType OBJECT-TYPE 3085 SYNTAX StorageType 3086 MAX-ACCESS read-create 3087 STATUS current 3088 DESCRIPTION 3089 "The storage type for this row. Rows in this table which were 3090 created through an external process may have a storage type of 3091 readOnly or permanent. Entries which are permanent are 3092 expected to have at least one configurable column in the row, but 3093 which columns are in fact modifiable is implementation specific." 
3094 ::= { ipsecActionEntry 15 } 3096 ipsecActionRowStatus OBJECT-TYPE 3097 SYNTAX RowStatus 3098 MAX-ACCESS read-create 3099 STATUS current 3100 DESCRIPTION 3101 "This object indicates the conceptual status of this row. 3103 The value of this object has no effect on whether other 3104 objects in this conceptual row can be modified. 3106 If active, this object must remain active if it is referenced 3107 by a row in another table." 3108 ::= { ipsecActionEntry 16 } 3110 -- 3111 -- ipsecProposalsTable 3112 -- 3114 ipsecProposalsTable OBJECT-TYPE 3115 SYNTAX SEQUENCE OF IpsecProposalsEntry 3116 MAX-ACCESS not-accessible 3117 STATUS current 3118 DESCRIPTION 3119 "This table lists one or more IPsec proposals for 3120 IPsec actions." 3121 ::= { ipsecPolicyConfigObjects 22 } 3123 ipsecProposalsEntry OBJECT-TYPE 3124 SYNTAX IpsecProposalsEntry 3125 MAX-ACCESS not-accessible 3126 STATUS current 3127 DESCRIPTION 3128 "An entry containing (possibly a portion of) a proposal." 3129 INDEX { ipsecProposalsName, ipsecProposalsPriority, 3130 ipsecProposalsProtocolId } 3131 ::= { ipsecProposalsTable 1 } 3133 IpsecProposalsEntry ::= SEQUENCE { 3134 ipsecProposalsName SnmpAdminString, 3135 ipsecProposalsPriority Integer32, 3136 ipsecProposalsProtocolId IpsecDoiSecProtocolId, 3137 ipsecProposalsTransformsName SnmpAdminString, 3138 ipsecProposalsLastChanged TimeStamp, 3139 ipsecProposalsStorageType StorageType, 3140 ipsecProposalsRowStatus RowStatus 3141 } 3143 ipsecProposalsName OBJECT-TYPE 3144 SYNTAX SnmpAdminString (SIZE(1..32)) 3145 MAX-ACCESS not-accessible 3146 STATUS current 3147 DESCRIPTION 3148 "The name of this proposal." 3149 ::= { ipsecProposalsEntry 1 } 3151 ipsecProposalsPriority OBJECT-TYPE 3152 SYNTAX Integer32 (0..65535) 3153 MAX-ACCESS not-accessible 3154 STATUS current 3155 DESCRIPTION 3156 "The priority level (AKA sequence level) of this proposal. 3157 A lower number indicates a higher precedence." 
3158 ::= { ipsecProposalsEntry 2 } 3160 ipsecProposalsProtocolId OBJECT-TYPE 3161 SYNTAX IpsecDoiSecProtocolId 3162 MAX-ACCESS not-accessible 3163 STATUS current 3164 DESCRIPTION 3165 "The protocol Id for the transforms for this proposal. The 3166 protoIsakmp(1) value is not valid for this object. 3167 This object, along with the ipsecProposalsTransformsName, 3168 is the index into the ipsecTransformsTable." 3169 ::= { ipsecProposalsEntry 3 } 3171 ipsecProposalsTransformsName OBJECT-TYPE 3172 SYNTAX SnmpAdminString 3173 MAX-ACCESS read-create 3174 STATUS current 3175 DESCRIPTION 3176 "The name of the transform or group of transforms for this 3177 protocol. This object, along with the ipsecProposalsProtocolId, 3178 is the index into the ipsecTransformsTable." 3179 ::= { ipsecProposalsEntry 4 } 3181 ipsecProposalsLastChanged OBJECT-TYPE 3182 SYNTAX TimeStamp 3183 MAX-ACCESS read-only 3184 STATUS current 3185 DESCRIPTION 3186 "The value of sysUpTime when this row was last modified or created 3187 either through SNMP SETs or by some other external means." 3188 ::= { ipsecProposalsEntry 5 } 3190 ipsecProposalsStorageType OBJECT-TYPE 3191 SYNTAX StorageType 3192 MAX-ACCESS read-create 3193 STATUS current 3194 DESCRIPTION 3195 "The storage type for this row. Rows in this table which were 3196 created through an external process may have a storage type of 3197 readOnly or permanent. Entries which are permanent are 3198 expected to have at least one configurable column in the row, but 3199 which columns are in fact modifiable is implementation specific." 3200 ::= { ipsecProposalsEntry 6 } 3202 ipsecProposalsRowStatus OBJECT-TYPE 3203 SYNTAX RowStatus 3204 MAX-ACCESS read-create 3205 STATUS current 3206 DESCRIPTION 3207 "This object indicates the conceptual status of this row. 3209 The value of this object has no effect on whether other 3210 objects in this conceptual row can be modified. 
3212 This row may not be set to active until the corresponding row 3213 in the ipsecTransformsTable exists and is active." 3214 ::= { ipsecProposalsEntry 7 } 3216 -- 3217 -- ipsecTransformsTable 3218 -- 3220 ipsecTransformsTable OBJECT-TYPE 3221 SYNTAX SEQUENCE OF IpsecTransformsEntry 3222 MAX-ACCESS not-accessible 3223 STATUS current 3224 DESCRIPTION 3225 "This table lists the IPsec proposals contained within a given 3226 IPsec action and the transforms within each of those 3227 proposals. These proposals and transforms can then be used 3228 to create phase 2 negotiation proposals." 3229 ::= { ipsecPolicyConfigObjects 23 } 3231 ipsecTransformsEntry OBJECT-TYPE 3232 SYNTAX IpsecTransformsEntry 3233 MAX-ACCESS not-accessible 3234 STATUS current 3235 DESCRIPTION 3236 "An entry containing the information on an IPsec transform." 3237 INDEX { ipsecTransformsType, ipsecTransformsName, 3238 ipsecTransformsPriority } 3239 ::= { ipsecTransformsTable 1 } 3241 IpsecTransformsEntry ::= SEQUENCE { 3242 ipsecTransformsType IpsecDoiSecProtocolId, 3243 ipsecTransformsName SnmpAdminString, 3244 ipsecTransformsPriority Integer32, 3245 ipsecTransformsTransformName SnmpAdminString, 3246 ipsecTransformsLastChanged TimeStamp, 3247 ipsecTransformsStorageType StorageType, 3248 ipsecTransformsRowStatus RowStatus 3249 } 3251 ipsecTransformsType OBJECT-TYPE 3252 SYNTAX IpsecDoiSecProtocolId 3253 MAX-ACCESS not-accessible 3254 STATUS current 3255 DESCRIPTION 3256 "The protocol type for this transform. The protoIsakmp(1) value 3257 is not valid for this object." 3258 ::= { ipsecTransformsEntry 1 } 3260 ipsecTransformsName OBJECT-TYPE 3261 SYNTAX SnmpAdminString (SIZE(1..32)) 3262 MAX-ACCESS not-accessible 3263 STATUS current 3264 DESCRIPTION 3265 "The name for this transform or group of transforms." 
3266 ::= { ipsecTransformsEntry 2 } 3268 ipsecTransformsPriority OBJECT-TYPE 3269 SYNTAX Integer32 (0..65535) 3270 MAX-ACCESS not-accessible 3271 STATUS current 3272 DESCRIPTION 3273 "The priority level (AKA sequence level) of this transform 3274 within the group of transforms. This indicates the preference 3275 for which algorithms are requested when the list of transforms 3276 is sent to the remote host. A lower number indicates a higher 3277 precedence." 3278 ::= { ipsecTransformsEntry 3 } 3280 ipsecTransformsTransformName OBJECT-TYPE 3281 SYNTAX SnmpAdminString 3282 MAX-ACCESS read-create 3283 STATUS current 3284 DESCRIPTION 3285 "The name for the given transform which can be used to look up 3286 the transform's specific parameters in the ahTransformTable, 3287 the espTransformTable or the ipcompTransformTable." 3288 ::= { ipsecTransformsEntry 4 } 3290 ipsecTransformsLastChanged OBJECT-TYPE 3291 SYNTAX TimeStamp 3292 MAX-ACCESS read-only 3293 STATUS current 3294 DESCRIPTION 3295 "The value of sysUpTime when this row was last modified or created 3296 either through SNMP SETs or by some other external means." 3297 ::= { ipsecTransformsEntry 5 } 3299 ipsecTransformsStorageType OBJECT-TYPE 3300 SYNTAX StorageType 3301 MAX-ACCESS read-create 3302 STATUS current 3303 DESCRIPTION 3304 "The storage type for this row. Rows in this table which were 3305 created through an external process may have a storage type of 3306 readOnly or permanent. Entries which are permanent are 3307 expected to have at least one configurable column in the row, but 3308 which columns are in fact modifiable is implementation specific." 3309 ::= { ipsecTransformsEntry 6 } 3311 ipsecTransformsRowStatus OBJECT-TYPE 3312 SYNTAX RowStatus 3313 MAX-ACCESS read-create 3314 STATUS current 3315 DESCRIPTION 3316 "This object indicates the conceptual status of this row. 3318 The value of this object has no effect on whether other 3319 objects in this conceptual row can be modified. 
3321 This row may not be set to active until the corresponding row 3322 in the ahTransformTable, espTransformTable or the 3323 ipcompTransformTable exists." 3324 ::= { ipsecTransformsEntry 7 } 3326 -- 3327 -- AH transform definition table 3328 -- 3330 ahTransformTable OBJECT-TYPE 3331 SYNTAX SEQUENCE OF AhTransformEntry 3332 MAX-ACCESS not-accessible 3333 STATUS current 3334 DESCRIPTION 3335 "This table lists all the AH transforms which can be used to build 3336 IPsec proposals." 3337 ::= { ipsecPolicyConfigObjects 24 } 3339 ahTransformEntry OBJECT-TYPE 3340 SYNTAX AhTransformEntry 3341 MAX-ACCESS not-accessible 3342 STATUS current 3343 DESCRIPTION 3344 "This entry contains the attributes of one AH transform." 3345 INDEX { ahtName } 3346 ::= { ahTransformTable 1 } 3348 AhTransformEntry ::= SEQUENCE { 3349 ahtName SnmpAdminString, 3350 ahtMaxLifetimeSec Unsigned32, 3351 ahtMaxLifetimeKB Unsigned32, 3352 ahtAlgorithm IpsecDoiAuthAlgorithm, 3353 ahtReplayProtection TruthValue, 3354 ahtReplayWindowSize Unsigned32, 3355 ahtLastChanged TimeStamp, 3356 ahtStorageType StorageType, 3357 ahtRowStatus RowStatus 3358 } 3360 ahtName OBJECT-TYPE 3361 SYNTAX SnmpAdminString (SIZE(1..32)) 3362 MAX-ACCESS not-accessible 3363 STATUS current 3364 DESCRIPTION 3365 "This object contains the name of this AH transform. This row 3366 will be referred to by an ipsecTransformsEntry." 3367 ::= { ahTransformEntry 1 } 3369 ahtMaxLifetimeSec OBJECT-TYPE 3370 SYNTAX Unsigned32 3371 MAX-ACCESS read-create 3372 STATUS current 3373 DESCRIPTION 3374 "ahtMaxLifetimeSec specifies how long in seconds the security 3375 association derived from this transform should be used." 3376 ::= { ahTransformEntry 2 } 3378 ahtMaxLifetimeKB OBJECT-TYPE 3379 SYNTAX Unsigned32 3380 MAX-ACCESS read-create 3381 STATUS current 3382 DESCRIPTION 3383 "ahtMaxLifetimeKB specifies how long in kilobytes the security 3384 association derived from this transform should be used." 
3385 ::= { ahTransformEntry 3 } 3387 ahtAlgorithm OBJECT-TYPE 3388 SYNTAX IpsecDoiAuthAlgorithm 3389 MAX-ACCESS read-create 3390 STATUS current 3391 DESCRIPTION 3392 "This object specifies the AH algorithm for this transform." 3393 ::= { ahTransformEntry 4 } 3395 ahtReplayProtection OBJECT-TYPE 3396 SYNTAX TruthValue 3397 MAX-ACCESS read-create 3398 STATUS current 3399 DESCRIPTION 3400 "ahtReplayProtection indicates whether or not anti-replay 3401 service is to be provided by this SA." 3402 ::= { ahTransformEntry 5 } 3404 ahtReplayWindowSize OBJECT-TYPE 3405 SYNTAX Unsigned32 3406 MAX-ACCESS read-create 3407 STATUS current 3408 DESCRIPTION 3409 "ahtReplayWindowSize indicates the size, in bits, of the 3410 replay window to use if replay protection is true for this 3411 transform. The window size is assumed to be a power of two. If 3412 ahtReplayProtection is false, this value can be ignored." 3413 ::= { ahTransformEntry 6 } 3415 ahtLastChanged OBJECT-TYPE 3416 SYNTAX TimeStamp 3417 MAX-ACCESS read-only 3418 STATUS current 3419 DESCRIPTION 3420 "The value of sysUpTime when this row was last modified or created 3421 either through SNMP SETs or by some other external means." 3422 ::= { ahTransformEntry 7 } 3424 ahtStorageType OBJECT-TYPE 3425 SYNTAX StorageType 3426 MAX-ACCESS read-create 3427 STATUS current 3428 DESCRIPTION 3429 "The storage type for this row. Rows in this table which were 3430 created through an external process may have a storage type of 3431 readOnly or permanent. Entries which are permanent are 3432 expected to have at least one configurable column in the row, but 3433 which columns are in fact modifiable is implementation specific." 3434 ::= { ahTransformEntry 8 } 3436 ahtRowStatus OBJECT-TYPE 3437 SYNTAX RowStatus 3438 MAX-ACCESS read-create 3439 STATUS current 3440 DESCRIPTION 3441 "This object indicates the conceptual status of this row. 
3443 The value of this object has no effect on whether other 3444 objects in this conceptual row can be modified. 3446 If active, this object must remain active if it is referenced 3447 by a row in another table." 3448 ::= { ahTransformEntry 9 } 3450 -- 3451 -- ESP transform definition table 3452 -- 3454 espTransformTable OBJECT-TYPE 3455 SYNTAX SEQUENCE OF EspTransformEntry 3456 MAX-ACCESS not-accessible 3457 STATUS current 3458 DESCRIPTION 3459 "This table lists all the ESP transforms which can be used to build 3460 IPsec proposals." 3461 ::= { ipsecPolicyConfigObjects 25 } 3463 espTransformEntry OBJECT-TYPE 3464 SYNTAX EspTransformEntry 3465 MAX-ACCESS not-accessible 3466 STATUS current 3467 DESCRIPTION 3468 "This entry contains the attributes of one ESP transform." 3469 INDEX { esptName } 3470 ::= { espTransformTable 1 } 3472 EspTransformEntry ::= SEQUENCE { 3473 esptName SnmpAdminString, 3474 esptMaxLifetimeSec Unsigned32, 3475 esptMaxLifetimeKB Unsigned32, 3476 esptCipherTransformId IpsecDoiEspTransform, 3477 esptCipherKeyLength Unsigned32, 3478 esptCipherKeyRounds Unsigned32, 3479 esptIntegrityAlgorithmId IpsecDoiAuthAlgorithm, 3480 esptReplayPrevention TruthValue, 3481 esptReplayWindowSize Unsigned32, 3482 esptLastChanged TimeStamp, 3483 esptStorageType StorageType, 3484 esptRowStatus RowStatus 3485 } 3487 esptName OBJECT-TYPE 3488 SYNTAX SnmpAdminString (SIZE(1..32)) 3489 MAX-ACCESS not-accessible 3490 STATUS current 3491 DESCRIPTION 3492 "The name of this particular ESP transform. This row will be 3493 referred to by an ipsecTransformsEntry." 3494 ::= { espTransformEntry 1 } 3496 esptMaxLifetimeSec OBJECT-TYPE 3497 SYNTAX Unsigned32 3498 MAX-ACCESS read-create 3499 STATUS current 3500 DESCRIPTION 3501 "esptMaxLifetimeSec specifies how long in seconds the security 3502 association derived from this transform should be used." 
3503 ::= { espTransformEntry 2 } 3505 esptMaxLifetimeKB OBJECT-TYPE 3506 SYNTAX Unsigned32 3507 MAX-ACCESS read-create 3508 STATUS current 3509 DESCRIPTION 3510 "esptMaxLifetimeKB specifies how long in kilobytes the security 3511 association derived from this transform should be used." 3512 ::= { espTransformEntry 3 } 3514 esptCipherTransformId OBJECT-TYPE 3515 SYNTAX IpsecDoiEspTransform 3516 MAX-ACCESS read-create 3517 STATUS current 3518 DESCRIPTION 3519 "This MIB object specifies the transform ID of the ESP cipher 3520 algorithm." 3521 ::= { espTransformEntry 4 } 3523 esptCipherKeyLength OBJECT-TYPE 3524 SYNTAX Unsigned32 3525 MAX-ACCESS read-create 3526 STATUS current 3527 DESCRIPTION 3528 "This MIB object specifies, in bits, the key length for 3529 the ESP cipher algorithm." 3530 ::= { espTransformEntry 5 } 3532 esptCipherKeyRounds OBJECT-TYPE 3533 SYNTAX Unsigned32 3534 MAX-ACCESS read-create 3535 STATUS current 3536 DESCRIPTION 3537 "This MIB object specifies the number of key rounds for 3538 the ESP cipher algorithm." 3539 ::= { espTransformEntry 6 } 3541 esptIntegrityAlgorithmId OBJECT-TYPE 3542 SYNTAX IpsecDoiAuthAlgorithm 3543 MAX-ACCESS read-create 3544 STATUS current 3545 DESCRIPTION 3546 "This MIB object specifies the ESP integrity algorithm ID." 3547 ::= { espTransformEntry 7 } 3549 esptReplayPrevention OBJECT-TYPE 3550 SYNTAX TruthValue 3551 MAX-ACCESS read-create 3552 STATUS current 3553 DESCRIPTION 3554 "esptReplayPrevention indicates whether or not anti-replay 3555 service is to be provided by this SA." 3556 ::= { espTransformEntry 8 } 3558 esptReplayWindowSize OBJECT-TYPE 3559 SYNTAX Unsigned32 3560 MAX-ACCESS read-create 3561 STATUS current 3562 DESCRIPTION 3563 "esptReplayWindowSize indicates the size, in bits, of the 3564 replay window to use if replay prevention is true for this 3565 transform. The window size is assumed to be a power of two. If 3566 esptReplayPrevention is false, this value can be ignored." 
3567 ::= { espTransformEntry 9 } 3569 esptLastChanged OBJECT-TYPE 3570 SYNTAX TimeStamp 3571 MAX-ACCESS read-only 3572 STATUS current 3573 DESCRIPTION 3574 "The value of sysUpTime when this row was last modified or created 3575 either through SNMP SETs or by some other external means." 3576 ::= { espTransformEntry 10 } 3578 esptStorageType OBJECT-TYPE 3579 SYNTAX StorageType 3580 MAX-ACCESS read-create 3581 STATUS current 3582 DESCRIPTION 3583 "The storage type for this row. Rows in this table which were 3584 created through an external process may have a storage type of 3585 readOnly or permanent. Entries which are permanent are 3586 expected to have at least one configurable column in the row, but 3587 which columns are in fact modifiable is implementation specific." 3588 ::= { espTransformEntry 11 } 3590 esptRowStatus OBJECT-TYPE 3591 SYNTAX RowStatus 3592 MAX-ACCESS read-create 3593 STATUS current 3594 DESCRIPTION 3595 "This object indicates the conceptual status of this row. 3597 The value of this object has no effect on whether other 3598 objects in this conceptual row can be modified. 3600 If active, this object must remain active if it is referenced 3601 by a row in another table." 3602 ::= { espTransformEntry 12 } 3604 -- 3605 -- IP compression transform definition table 3606 -- 3608 ipcompTransformTable OBJECT-TYPE 3609 SYNTAX SEQUENCE OF IpcompTransformEntry 3610 MAX-ACCESS not-accessible 3611 STATUS current 3612 DESCRIPTION 3613 "This table lists all the IP compression transforms which 3614 can be used to build IPsec proposals during negotiation of 3615 a phase 2 SA." 3616 ::= { ipsecPolicyConfigObjects 26 } 3618 ipcompTransformEntry OBJECT-TYPE 3619 SYNTAX IpcompTransformEntry 3620 MAX-ACCESS not-accessible 3621 STATUS current 3622 DESCRIPTION 3623 "This entry contains the attributes of one IP compression 3624 transform." 
3625 INDEX { ipcompTransformName } 3626 ::= { ipcompTransformTable 1 } 3628 IpcompTransformEntry ::= SEQUENCE { 3629 ipcompTransformName SnmpAdminString, 3630 ipcompTransformMaxLifetimeSec Unsigned32, 3631 ipcompTransformMaxLifetimeKB Unsigned32, 3632 ipcompAlgorithm IpsecDoiIpcompTransform, 3633 ipcompDictionarySize Unsigned32, 3634 ipcompPrivateAlgorithm Unsigned32, 3635 ipcompTransformLastChanged TimeStamp, 3636 ipcompTransformStorageType StorageType, 3637 ipcompTransformRowStatus RowStatus 3638 } 3640 ipcompTransformName OBJECT-TYPE 3641 SYNTAX SnmpAdminString (SIZE(1..32)) 3642 MAX-ACCESS not-accessible 3643 STATUS current 3644 DESCRIPTION 3645 "The name of this particular ipcompTransformEntry. This row 3646 will be referred to by an ipsecTransformsEntry." 3647 ::= { ipcompTransformEntry 1 } 3649 ipcompTransformMaxLifetimeSec OBJECT-TYPE 3650 SYNTAX Unsigned32 3651 MAX-ACCESS read-create 3652 STATUS current 3653 DESCRIPTION 3654 "ipcompTransformMaxLifetimeSec specifies how long in seconds 3655 the security association derived from this transform should be 3656 used." 3657 ::= { ipcompTransformEntry 2 } 3659 ipcompTransformMaxLifetimeKB OBJECT-TYPE 3660 SYNTAX Unsigned32 3661 MAX-ACCESS read-create 3662 STATUS current 3663 DESCRIPTION 3664 "ipcompTransformMaxLifetimeKB specifies how long in kilobytes 3665 the security association derived from this transform should be 3666 used." 3668 ::= { ipcompTransformEntry 3 } 3670 ipcompAlgorithm OBJECT-TYPE 3671 SYNTAX IpsecDoiIpcompTransform 3672 MAX-ACCESS read-create 3673 STATUS current 3674 DESCRIPTION 3675 "ipcompAlgorithm specifies the transform ID of the IP compression 3676 algorithm." 3677 ::= { ipcompTransformEntry 4 } 3679 ipcompDictionarySize OBJECT-TYPE 3680 SYNTAX Unsigned32 3681 MAX-ACCESS read-create 3682 STATUS current 3683 DESCRIPTION 3684 "If the algorithm in ipcompAlgorithm requires a dictionary 3685 size configuration parameter, then this is the place to put 3686 it. 
This object specifies the log2 maximum size of the 3687 dictionary for the compression algorithm." 3688 ::= { ipcompTransformEntry 5 } 3690 ipcompPrivateAlgorithm OBJECT-TYPE 3691 SYNTAX Unsigned32 3692 MAX-ACCESS read-create 3693 STATUS current 3694 DESCRIPTION 3695 "If ipcompPrivateAlgorithm has a value other than zero, then it is 3696 up to the vendor's implementation to determine the meaning of 3697 this field and substitute a data compression algorithm in 3698 place of ipcompAlgorithm." 3699 ::= { ipcompTransformEntry 6 } 3701 ipcompTransformLastChanged OBJECT-TYPE 3702 SYNTAX TimeStamp 3703 MAX-ACCESS read-only 3704 STATUS current 3705 DESCRIPTION 3706 "The value of sysUpTime when this row was last modified or created 3707 either through SNMP SETs or by some other external means." 3708 ::= { ipcompTransformEntry 7 } 3710 ipcompTransformStorageType OBJECT-TYPE 3711 SYNTAX StorageType 3712 MAX-ACCESS read-create 3713 STATUS current 3714 DESCRIPTION 3715 "The storage type for this row. Rows in this table which were 3716 created through an external process may have a storage type of 3717 readOnly or permanent. Entries which are permanent are 3718 expected to have at least one configurable column in the row, but 3719 which columns are in fact modifiable is implementation specific." 3720 ::= { ipcompTransformEntry 8 } 3722 ipcompTransformRowStatus OBJECT-TYPE 3723 SYNTAX RowStatus 3724 MAX-ACCESS read-create 3725 STATUS current 3726 DESCRIPTION 3727 "This object indicates the conceptual status of this row. 3729 The value of this object has no effect on whether other 3730 objects in this conceptual row can be modified. 3732 If active, this object must remain active if it is referenced 3733 by a row in another table." 
    ::= { ipcompTransformEntry 9 }

--
-- IKE identity definition table
--

ikeIdentityTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IkeIdentityEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "IKEIdentity is used to represent the identities that may be
         used for an IPProtocolEndpoint (or collection of
         IPProtocolEndpoints) to identify itself in IKE phase 1
         negotiations. The column ikeIdentityName in an
         ikeActionEntry together with the peEndpointIdentType and the
         peEndpointAddress in the PolicyEndpointToGroupTable specifies
         the unique identity to use in a negotiation exchange."
    ::= { ipsecPolicyConfigObjects 27 }

ikeIdentityEntry OBJECT-TYPE
    SYNTAX IkeIdentityEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "ikeIdentity lists the attributes of an IKE identity."
    INDEX { peEndpointIdentType, peEndpointAddress,
            ikeIdentityType, ikeIdentityContext }
    ::= { ikeIdentityTable 1 }

IkeIdentityEntry ::= SEQUENCE {
    ikeIdValue        OCTET STRING,
    ikeIdKeyName      SnmpAdminString,
    ikeIdCredMngName  SnmpAdminString,
    ikeIdLastChanged  TimeStamp,
    ikeIdStorageType  StorageType,
    ikeIdRowStatus    RowStatus
}

ikeIdValue OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..255))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "ikeIdValue contains a string encoding of the Identity payload.
         For IKEIdentity instances that are address types, the Identity
         string value may be omitted and the associated
         IPProtocolEndpoint or appropriate member of the Collection of
         endpoints is used."
    ::= { ikeIdentityEntry 1 }

ikeIdKeyName OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This value is used as an index into the keyTable to look up
         the actual key value and other key information.
         For IDs without associated keying information, this value is
         left blank."
    ::= { ikeIdentityEntry 2 }

ikeIdCredMngName OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This value is used as an index into the
         ipsecCredMngServiceTable. For IDs that have no credential
         management service, this value is left blank."
    ::= { ikeIdentityEntry 3 }

ikeIdLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
         either through SNMP SETs or by some other external means."
    ::= { ikeIdentityEntry 4 }

ikeIdStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent. Entries which are permanent are
         expected to have at least one configurable column in the row, but
         which columns are in fact modifiable is implementation specific."
    DEFVAL { nonVolatile }
    ::= { ikeIdentityEntry 5 }

ikeIdRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other
         objects in this conceptual row can be modified.

         If active, this object must remain active if it is referenced
         by a row in another table."
    ::= { ikeIdentityEntry 6 }

--
-- Peer Identity Table
--

peerIdentityTable OBJECT-TYPE
    SYNTAX SEQUENCE OF PeerIdentityEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "PeerIdentity is used to represent the identities that may be
         used for peers to identify themselves in IKE phase I/II
         negotiations. PeerIdentityTable aggregates the table entries
         that provide mappings between identities and their
         addresses."
    ::= { ipsecPolicyConfigObjects 28 }

peerIdentityEntry OBJECT-TYPE
    SYNTAX PeerIdentityEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "peerIdentity matches a peer's identity to its address."
    INDEX { peerIdName, peerIdPriority }
    ::= { peerIdentityTable 1 }

PeerIdentityEntry ::= SEQUENCE {
    peerIdName         SnmpAdminString,
    peerIdPriority     Integer32,
    peerIdValue        OCTET STRING,
    peerIdType         IpsecDoiIdentType,
    peerIdAddress      OCTET STRING,
    peerIdAddressType  IpsecIPVersion,
    peerIdKeyName      SnmpAdminString,
    peerIdCredMngName  SnmpAdminString,
    peerIdLastChanged  TimeStamp,
    peerIdStorageType  StorageType,
    peerIdRowStatus    RowStatus
}

peerIdName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..116))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This is an administratively assigned value that, together
         with priority, uniquely identifies an entry in this table."
    ::= { peerIdentityEntry 1 }

peerIdPriority OBJECT-TYPE
    SYNTAX Integer32 (0..2147483647)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This, along with name, uniquely identifies an entry in this
         table. The priority also indicates the order in which peer
         gateways are tried when initiating or accepting SAs (i.e.
         try each in turn until one succeeds)."
    ::= { peerIdentityEntry 2 }

peerIdValue OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..8192))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "peerIdValue contains a string encoding of the Identity
         payload for a peer."
    ::= { peerIdentityEntry 3 }

peerIdType OBJECT-TYPE
    SYNTAX IpsecDoiIdentType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "peerIdType is an enumeration identifying the type of the
         Identity value."
    ::= { peerIdentityEntry 4 }

peerIdAddress OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..128))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The property peerIdAddress specifies the string representation
         of the IP address of the peer formatted according to the
         appropriate convention as defined in the peerIdAddressType
         property (e.g., dotted decimal notation)."
    ::= { peerIdentityEntry 5 }

peerIdAddressType OBJECT-TYPE
    SYNTAX IpsecIPVersion
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The property peerIdAddressType specifies the format of the
         peerIdAddress property value."
    ::= { peerIdentityEntry 6 }

peerIdKeyName OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This value is used as an index into the keyTable to look up
         the actual key value and other key information. For peer IDs
         that have no associated key information, this value is left
         blank."
    ::= { peerIdentityEntry 7 }

peerIdCredMngName OBJECT-TYPE
    SYNTAX SnmpAdminString
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This value is used as an index into the
         ipsecCredMngServiceTable. For peer IDs that have no
         credential management service, this value is left blank."
    ::= { peerIdentityEntry 8 }

peerIdLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
         either through SNMP SETs or by some other external means."
    ::= { peerIdentityEntry 9 }

peerIdStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent. Entries which are permanent are
         expected to have at least one configurable column in the row, but
         which columns are in fact modifiable is implementation specific."
    DEFVAL { nonVolatile }
    ::= { peerIdentityEntry 10 }

peerIdRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other
         objects in this conceptual row can be modified.

         If active, this object must remain active if it is referenced
         by a row in another table."
    ::= { peerIdentityEntry 11 }

--
-- autostart IKE Table
--
autostartIkeTable OBJECT-TYPE
    SYNTAX SEQUENCE OF AutostartIkeEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "The parameters in the autostart IKE Table are used to
         automatically initiate IKE phase I and II (i.e. IPsec)
         negotiations at startup."
    ::= { ipsecPolicyConfigObjects 29 }

autostartIkeEntry OBJECT-TYPE
    SYNTAX AutostartIkeEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "autostart ike provides the set of parameters to automatically
         start IKE and IPsec SAs."
    INDEX { autoIkePriority }
    ::= { autostartIkeTable 1 }

AutostartIkeEntry ::= SEQUENCE {
    autoIkePriority       Integer32,
    autoIkeAction         VariablePointer,
    autoIkeAddressType    IpsecIPVersion,
    autoIkeSourceAddress  OCTET STRING,
    autoIkeSourcePort     Integer32,
    autoIkeDestAddress    OCTET STRING,
    autoIkeDestPort       Integer32,
    autoIkeProtocol       Unsigned32,
    autoIkeLastChanged    TimeStamp,
    autoIkeStorageType    StorageType,
    autoIkeRowStatus      RowStatus
}

autoIkePriority OBJECT-TYPE
    SYNTAX Integer32 (0..65535)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "autoIkePriority is an index into the autostartIkeTable
         and can be used to order the autostart IKE actions."
    ::= { autostartIkeEntry 1 }

autoIkeAction OBJECT-TYPE
    SYNTAX VariablePointer
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This pointer is used to point to the IKE action that should be
         initiated by this row."
    ::= { autostartIkeEntry 2 }

autoIkeAddressType OBJECT-TYPE
    SYNTAX IpsecIPVersion
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The property autoIkeAddressType specifies the format of the
         autoIke source and destination Address values."
    ::= { autostartIkeEntry 3 }

autoIkeSourceAddress OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..8192))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The property autoIkeSourceAddress specifies the string
         representation of the Source IP address for autostarting IKE
         SAs according to the appropriate convention as defined in
         the autoIkeAddressType property."
    ::= { autostartIkeEntry 4 }

autoIkeSourcePort OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The property autoIkeSourcePort specifies the port number for
         the source port for autostarting IKE SAs."
    ::= { autostartIkeEntry 5 }

autoIkeDestAddress OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..8192))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The property autoIkeDestAddress specifies the string
         representation of the Destination IP address for autostarting
         IKE SAs according to the appropriate convention as defined
         in the autoIkeAddressType property."
    ::= { autostartIkeEntry 6 }

autoIkeDestPort OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The property autoIkeDestPort specifies the port number for
         the destination port for autostarting IKE SAs."
    ::= { autostartIkeEntry 7 }

autoIkeProtocol OBJECT-TYPE
    SYNTAX Unsigned32 (0..255)
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The property autoIkeProtocol specifies the protocol number used
         in comparing with policy filter entries and used in any phase 2
         negotiations."
    ::= { autostartIkeEntry 8 }

autoIkeLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
         either through SNMP SETs or by some other external means."
    ::= { autostartIkeEntry 9 }

autoIkeStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent. Entries which are permanent are
         expected to have at least one configurable column in the row, but
         which columns are in fact modifiable is implementation specific."
    DEFVAL { nonVolatile }
    ::= { autostartIkeEntry 10 }

autoIkeRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other
         objects in this conceptual row can be modified."
    ::= { autostartIkeEntry 11 }

--
-- CA Table
--

ipsecCredMngServiceTable OBJECT-TYPE
    SYNTAX SEQUENCE OF IpsecCredMngServiceEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A table of Credential Management Service values. This table is
         usually used for credential/certificate values that are used
         with a management service (e.g. Certificate Authorities)."
    ::= { ipsecPolicyConfigObjects 30 }

ipsecCredMngServiceEntry OBJECT-TYPE
    SYNTAX IpsecCredMngServiceEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A row in the ipsecCredMngServiceTable."
    INDEX { icmsName }
    ::= { ipsecCredMngServiceTable 1 }

IpsecCredMngServiceEntry ::= SEQUENCE {
    icmsName               SnmpAdminString,
    icmsPolicyStatement    OCTET STRING,
    icmsCRL                OCTET STRING,
    icmsCRLDistPoint       OCTET STRING,
    icmsDistinguishedName  OCTET STRING,
    icmsMaxChainLength     Integer32,
    icmsCRLRefreshFreq     Integer32,
    icmsValue              OCTET STRING,
    icmsLastChanged        TimeStamp,
    icmsStorageType        StorageType,
    icmsRowStatus          RowStatus
}

icmsName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..117))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This is an administratively assigned string used to index
         this table."
    ::= { ipsecCredMngServiceEntry 1 }

icmsPolicyStatement OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..8192))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This value represents the Credential Management Service
         Policy Statement, or a reference describing how to obtain it
         (e.g., a URL). If one doesn't exist, this value can be left
         blank."
    ::= { ipsecCredMngServiceEntry 2 }

icmsCRL OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..8192))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This value is the CRL for this Credential Management
         Service."
    ::= { ipsecCredMngServiceEntry 3 }

icmsCRLDistPoint OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..8192))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This value represents the CRL Distribution Point for the
         Credential Management Service."
    ::= { ipsecCredMngServiceEntry 4 }

icmsDistinguishedName OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..8192))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This value represents the Distinguished Name of the
         Credential Management Service."
    ::= { ipsecCredMngServiceEntry 5 }

icmsMaxChainLength OBJECT-TYPE
    SYNTAX Integer32 (0..255)
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This value is the maximum length of the chain allowable from
         the Credential Management Service to the credential in
         question."
    DEFVAL { 0 }
    ::= { ipsecCredMngServiceEntry 6 }

icmsCRLRefreshFreq OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This value is the CRL refresh frequency in seconds."
    ::= { ipsecCredMngServiceEntry 7 }

icmsValue OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..8192))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This is the actual certificate value (i.e.
         key) for this Credential Management Service."
    ::= { ipsecCredMngServiceEntry 8 }

icmsLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
         either through SNMP SETs or by some other external means."
    ::= { ipsecCredMngServiceEntry 9 }

icmsStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent. Entries which are permanent are
         expected to have at least one configurable column in the row, but
         which columns are in fact modifiable is implementation specific."
    ::= { ipsecCredMngServiceEntry 10 }

icmsRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other
         objects in this conceptual row can be modified.

         If active, this object must remain active if it is referenced
         by a row in another table."
    ::= { ipsecCredMngServiceEntry 11 }

--
-- Key Table
--

keyTable OBJECT-TYPE
    SYNTAX SEQUENCE OF KeyEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A table of key values. Among other uses, this table
         can be used for keying information for preconfigured IPsec
         actions."
    ::= { ipsecPolicyConfigObjects 31 }

keyEntry OBJECT-TYPE
    SYNTAX KeyEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "A row in the keyTable."
    INDEX { ktName }
    ::= { keyTable 1 }

KeyEntry ::= SEQUENCE {
    ktName               SnmpAdminString,
    ktRemoteID           OCTET STRING,
    ktKey                OCTET STRING,
    ktPasswordAlgorithm  OCTET STRING,
    ktLastChanged        TimeStamp,
    ktStorageType        StorageType,
    ktRowStatus          RowStatus
}

ktName OBJECT-TYPE
    SYNTAX SnmpAdminString (SIZE(1..32))
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "This object represents the name for an entry in this table."
    ::= { keyEntry 1 }

ktRemoteID OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..256))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object represents the Identification (e.g. user name) of
         the user of the key information on the remote site. If there
         is no ID associated with this key, the value of this
         object should be the null string."
    ::= { keyEntry 2 }

ktKey OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..4096))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object represents the key value. When accessed for
         reading, it MUST return a null length (0 length) string and
         MUST NOT return the configured key."
    ::= { keyEntry 3 }

ktPasswordAlgorithm OBJECT-TYPE
    SYNTAX OCTET STRING (SIZE(0..4096))
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object represents the transformation algorithm used to
         protect passwords before use in the protocol. For shared
         keys without a password, this value can be ignored. For
         shared keys that have passwords but no transform algorithm,
         this object should be the null string."
    ::= { keyEntry 4 }

ktLastChanged OBJECT-TYPE
    SYNTAX TimeStamp
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The value of sysUpTime when this row was last modified or created
         either through SNMP SETs or by some other external means."
    ::= { keyEntry 5 }

ktStorageType OBJECT-TYPE
    SYNTAX StorageType
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "The storage type for this row. Rows in this table which were
         created through an external process may have a storage type of
         readOnly or permanent. Entries which are permanent are
         expected to have at least one configurable column in the row, but
         which columns are in fact modifiable is implementation specific."
    ::= { keyEntry 6 }

ktRowStatus OBJECT-TYPE
    SYNTAX RowStatus
    MAX-ACCESS read-create
    STATUS current
    DESCRIPTION
        "This object indicates the conceptual status of this row.

         The value of this object has no effect on whether other
         objects in this conceptual row can be modified.

         If active, this object must remain active if it is referenced
         by a row in another table."
    ::= { keyEntry 7 }

--
--
-- Notification objects information
--
--

ipsecPolicyNotificationVariables OBJECT IDENTIFIER ::=
    { ipsecPolicyNotificationObjects 1 }

ipsecPolicyNotifications OBJECT IDENTIFIER ::=
    { ipsecPolicyNotificationObjects 0 }

ipsecPolicyActionExecuted OBJECT-TYPE
    SYNTAX VariablePointer
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Points to the action instance that was executed that
         resulted in the notification being sent."
    ::= { ipsecPolicyNotificationVariables 1 }

ipsecPolicyActionSource OBJECT-TYPE
    SYNTAX VariablePointer
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Contains the source address of the packet which triggered the
         action in question."
    ::= { ipsecPolicyNotificationVariables 2 }

ipsecPolicyActionDestination OBJECT-TYPE
    SYNTAX VariablePointer
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Contains the destination address of the packet which triggered the
         action in question."
    ::= { ipsecPolicyNotificationVariables 3 }

ipsecPolicyPacketDirection OBJECT-TYPE
    SYNTAX INTEGER { inbound(1), outbound(2) }
    MAX-ACCESS accessible-for-notify
    STATUS current
    DESCRIPTION
        "Indicates whether the packet which triggered the action in
         question was inbound or outbound through the endpoint."
    ::= { ipsecPolicyNotificationVariables 4 }

ipsecPolicyActionNotification NOTIFICATION-TYPE
    OBJECTS { ipsecPolicyActionExecuted,
              ipsecPolicyActionSource, ipsecPolicyActionDestination,
              peGroupName, ipsecPolicyPacketDirection }
    STATUS current
    DESCRIPTION
        "Notification that an action was executed by a rule. Only
         actions with logging enabled will result in this notification
         getting sent. The objects sent must include the pRuleType
         object, which will indicate which rule activated the action
         and what type of rule it was, as well as the
         ipsecPolicyActionExecuted object which will indicate which
         action was executed within the scope of the rule.
         Additionally the ipsecPolicyActionSource and
         ipsecPolicyActionDestination objects must be included to
         indicate the source and destination of the packet that
         triggered the action. Finally, the peGroupName and
         ipsecPolicyPacketDirection objects are included to indicate
         which endpoint the action was executed in association with
         and whether the packet was inbound or outbound through that
         endpoint.

         Note that compound actions with multiple
         executed subactions may result in multiple notifications
         being sent from a single rule execution."
    ::= { ipsecPolicyNotifications 1 }

--
--
-- Conformance information
--
--

ipsecPolicyCompliances OBJECT IDENTIFIER ::=
    { ipsecPolicyConformanceObjects 1 }
ipsecPolicyGroups OBJECT IDENTIFIER ::=
    { ipsecPolicyConformanceObjects 2 }

--
-- Compliance statements
--
--
ipsecPolicyRuleFilterCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "The compliance statement for SNMP entities that include an
         IPsec MIB implementation with Endpoint, Rules, and filters
         support."
    MODULE -- This Module
        MANDATORY-GROUPS { ipsecPolicyEndpointGroup,
                           ipsecPolicyGroupContentsGroup,
                           ipsecPolicyRuleDefinitionGroup,
                           ipsecPolicyIPHeaderFilterGroup,
                           ipsecPolicyStaticFilterGroup }

        GROUP ipsecSystemPolicyNameGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations which support a system policy group
             name."

        GROUP ipsecPolicyCompoundFilterGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations which support compound filters."

        GROUP ipsecPolicyTimeFilterGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations which support time filters."

        GROUP ipsecPolicyIpsoHeaderFilterGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations which support IPSO Header filters."

        GROUP ipsecPolicyCredentialFilterGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations which support Credential filters."

        GROUP ipsecPolicyPeerIdFilterGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations which support Peer Identity filters."

        OBJECT peRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."
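The following is an added example, not text from this draft and not code from any implementation of it. It is a small Python model of the keyTable and of a row in another table (an ikeIdentityEntry pointing at a key through ikeIdKeyName) that makes three rules stated in the MIB text concrete: the compliance statements only require the RowStatus values active(1), createAndGo(4) and destroy(6); ktKey MUST read back as a zero-length string and never the configured key; and a row that is active must stay active while a row in another table references it. The class, method and attribute names, the error class standing in for the SNMP error-status, and the sample key and remote ID are this example's own inventions; only the MIB object names quoted in comments come from the draft.

```python
# Added example (not from draft-ietf-ipsp-ipsec-conf-mib). Models keyTable
# row handling on the agent side: the RowStatus subset the compliance
# statements require, the write-only ktKey column, and the rule that an
# active row may not be destroyed while another table's row refers to it.
from dataclasses import dataclass
from typing import Dict, Set

# RowStatus values from RFC 2579; only the subset the compliance text requires.
ACTIVE, CREATE_AND_GO, DESTROY = 1, 4, 6


class RowStatusError(Exception):
    """Stands in for the SNMP error-status an agent would return on a SET."""


@dataclass
class KeyRow:                               # one keyEntry, minus the index ktName
    kt_remote_id: bytes = b""               # ktRemoteID; null string when no ID
    kt_key: bytes = b""                     # ktKey; stored but never returned
    kt_password_algorithm: bytes = b""      # ktPasswordAlgorithm
    kt_row_status: int = ACTIVE             # ktRowStatus


class KeyTable:
    """keyTable indexed by ktName (SnmpAdminString, SIZE(1..32))."""

    def __init__(self) -> None:
        self.rows: Dict[str, KeyRow] = {}
        # ktName -> identifiers of rows elsewhere whose ikeIdKeyName or
        # peerIdKeyName column names this key row.
        self.referenced_by: Dict[str, Set[str]] = {}

    def set_row_status(self, name: str, status: int, **columns: bytes) -> None:
        """SET on ktRowStatus, optionally with other columns in the same PDU."""
        if not 1 <= len(name.encode("utf-8")) <= 32:
            raise ValueError("ktName violates SIZE(1..32)")
        if status == CREATE_AND_GO:
            if name in self.rows:
                raise RowStatusError("inconsistentValue: row already exists")
            if len(columns.get("kt_key", b"")) > 4096:
                raise ValueError("ktKey violates SIZE(0..4096)")
            self.rows[name] = KeyRow(kt_row_status=ACTIVE, **columns)
        elif status == DESTROY:
            referrers = self.referenced_by.get(name)
            if referrers:   # "must remain active if referenced by a row in another table"
                raise RowStatusError(
                    f"inconsistentValue: row referenced by {sorted(referrers)}")
            self.rows.pop(name, None)   # RFC 2579: destroy of an absent row is a no-op
        elif status == ACTIVE:
            if name not in self.rows:
                raise RowStatusError("inconsistentValue: no such row")
        else:   # notInService(2), notReady(3), createAndWait(5): not required
            raise RowStatusError(f"wrongValue: RowStatus {status} not supported")

    def get(self, name: str, column: str) -> object:
        """GET on one column of one row; ktKey is masked as the MIB requires."""
        row = self.rows[name]               # KeyError stands in for noSuchInstance
        if column == "kt_key":
            return b""                      # MUST NOT return the configured key
        return getattr(row, column)

    def add_reference(self, name: str, referrer: str) -> None:
        if name not in self.rows:
            raise RowStatusError(f"inconsistentValue: keyTable has no row {name!r}")
        self.referenced_by.setdefault(name, set()).add(referrer)

    def drop_reference(self, name: str, referrer: str) -> None:
        self.referenced_by.get(name, set()).discard(referrer)


def set_ike_id_key_name(table: KeyTable, ike_row: str, old: str, new: str) -> None:
    """SET on ikeIdKeyName of one ikeIdentityEntry: blank means no keying
    information; a non-blank value must name an existing keyTable row and
    pins that row active for as long as the reference stands."""
    if old:
        table.drop_reference(old, ike_row)
    if new:
        table.add_reference(new, ike_row)


def demo() -> dict:
    """Exercise the three rules on constructed data and report what a manager sees."""
    kt = KeyTable()
    kt.set_row_status("gw-a-psk", CREATE_AND_GO,
                      kt_remote_id=b"gw-a.example.net",     # constructed sample
                      kt_key=b"constructed-sample-psk")     # constructed sample
    result = {"key_read_back": kt.get("gw-a-psk", "kt_key"),
              "remote_id": kt.get("gw-a-psk", "kt_remote_id")}
    ike_row = "ikeIdentityEntry#1"          # constructed row identifier
    set_ike_id_key_name(kt, ike_row, "", "gw-a-psk")
    try:
        kt.set_row_status("gw-a-psk", DESTROY)
        result["destroy_blocked_while_referenced"] = False
    except RowStatusError:
        result["destroy_blocked_while_referenced"] = True
    set_ike_id_key_name(kt, ike_row, "gw-a-psk", "")    # clear ikeIdKeyName
    kt.set_row_status("gw-a-psk", DESTROY)
    result["row_present_after_destroy"] = "gw-a-psk" in kt.rows
    try:
        kt.set_row_status("other", 5)       # createAndWait(5) is not required
        result["unsupported_status_rejected"] = False
    except RowStatusError:
        result["unsupported_status_rejected"] = True
    return result
```

The point of masking in get() rather than at the wire layer is that the masking cannot be bypassed by any read path the agent exposes, including bulk walks; an agent that stored ktKey in an ordinary read-create column and relied on view-based access control alone would leak the pre-shared key to anyone with read access to the keyTable subtree.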
        OBJECT peLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT pgcGroupComponentType
        SYNTAX INTEGER {
            rule(2)
        }
        DESCRIPTION
            "Support of the value group(1) is only required for
             implementations which support Policy Groups within Policy
             Groups."

        OBJECT pgcRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT pgcLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT pRuleRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT pRuleLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT cfRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT cfLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT ficRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT ficLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT ihfRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."
        OBJECT ihfLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT tfRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT tfLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT ipsohfRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT ipsohfLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT crfRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT crfLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT pifRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT pifLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT icmsRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT icmsLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."
    ::= { ipsecPolicyCompliances 1 }

ipsecPolicyIPsecCompliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "The compliance statement for SNMP entities that include an
         IPsec MIB implementation and support IPsec actions."
    MODULE -- This Module
        MANDATORY-GROUPS { ipsecPolicyIpsecGroup,
                           ipsecPolicyStaticActionGroup,
                           ipsecPolicyPreconfiguredGroup }

        GROUP ipsecPolicyCompoundActionGroup
        DESCRIPTION
            "This group is mandatory for IPsec Policy
             implementations which support compound actions."

        OBJECT caRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT caLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT aicaRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT aicaLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT ipsecActionRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT ipsecActionLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT ipsecProposalsRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT ipsecProposalsLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."
        OBJECT ipsecTransformsRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT ipsecTransformsLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT sanRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT sanLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT ahtRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT ahtLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT esptRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT esptLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT ipcompTransformRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."

        OBJECT ipcompTransformLastChanged
        MIN-ACCESS not-accessible
        DESCRIPTION
            "This object is not required for compliance."

        OBJECT peerIdRowStatus
        SYNTAX INTEGER {
            active(1), createAndGo(4), destroy(6)
        }
        DESCRIPTION
            "Support of the values notInService(2), notReady(3),
             and createAndWait(5) is not required."
4829 OBJECT peerIdLastChanged 4830 MIN-ACCESS not-accessible 4831 DESCRIPTION 4832 "This object is not required for compliance." 4834 OBJECT icmsRowStatus 4835 SYNTAX INTEGER { 4836 active(1), createAndGo(4), destroy(6) 4837 } 4838 DESCRIPTION 4839 "Support of the values notInService(2), notReady(3), 4840 and createAndWait(5) is not required." 4842 OBJECT icmsLastChanged 4843 MIN-ACCESS not-accessible 4844 DESCRIPTION 4845 "This object not required for compliance." 4847 OBJECT ktRowStatus 4848 SYNTAX INTEGER { 4849 active(1), createAndGo(4), destroy(6) 4850 } 4851 DESCRIPTION 4852 "Support of the values notInService(2), notReady(3), 4853 and createAndWait(5) is not required." 4855 OBJECT ktLastChanged 4856 MIN-ACCESS not-accessible 4857 DESCRIPTION 4858 "This object is not required for compliance." 4860 OBJECT sapRowStatus 4861 SYNTAX INTEGER { 4862 active(1), createAndGo(4), destroy(6) 4863 } 4864 DESCRIPTION 4865 "Support of the values notInService(2), notReady(3), 4866 and createAndWait(5) is not required." 4868 OBJECT sapLastChanged 4869 MIN-ACCESS not-accessible 4870 DESCRIPTION 4871 "This object is not required for compliance." 4873 ::= { ipsecPolicyCompliances 2 } 4875 ipsecPolicyIKECompliance MODULE-COMPLIANCE 4876 STATUS current 4877 DESCRIPTION 4878 "The compliance statement for SNMP entities that include an 4879 IPsec MIB implementation and supports IKE actions." 4880 MODULE -- This Module 4881 MANDATORY-GROUPS { ipsecPolicyIkeGroup } 4883 GROUP ipsecPolicyCompoundActionGroup 4884 DESCRIPTION 4885 "This group is mandatory for IPsec Policy 4886 implementations which support compound actions." 4888 OBJECT caRowStatus 4889 SYNTAX INTEGER { 4890 active(1), createAndGo(4), destroy(6) 4891 } 4892 DESCRIPTION 4893 "Support of the values notInService(2), notReady(3), 4894 and createAndWait(5) is not required." 4896 OBJECT caLastChanged 4897 MIN-ACCESS not-accessible 4898 DESCRIPTION 4899 "This object is not required for compliance." 
4901 OBJECT aicaRowStatus 4902 SYNTAX INTEGER { 4903 active(1), createAndGo(4), destroy(6) 4904 } 4905 DESCRIPTION 4906 "Support of the values notInService(2), notReady(3), 4907 and createAndWait(5) is not required." 4909 OBJECT aicaLastChanged 4910 MIN-ACCESS not-accessible 4911 DESCRIPTION 4912 "This object is not required for compliance." 4914 OBJECT ikeActionRowStatus 4915 SYNTAX INTEGER { 4916 active(1), createAndGo(4), destroy(6) 4917 } 4918 DESCRIPTION 4919 "Support of the values notInService(2), notReady(3), 4920 and createAndWait(5) is not required." 4922 OBJECT ikeActionLastChanged 4923 MIN-ACCESS not-accessible 4924 DESCRIPTION 4925 "This object is not required for compliance." 4927 OBJECT ikeActionProposalRowStatus 4928 SYNTAX INTEGER { 4929 active(1), createAndGo(4), destroy(6) 4930 } 4931 DESCRIPTION 4932 "Support of the values notInService(2), notReady(3), 4933 and createAndWait(5) is not required." 4935 OBJECT ikeActionProposalLastChanged 4936 MIN-ACCESS not-accessible 4937 DESCRIPTION 4938 "This object is not required for compliance." 4940 OBJECT ipProposalRowStatus 4941 SYNTAX INTEGER { 4942 active(1), createAndGo(4), destroy(6) 4943 } 4944 DESCRIPTION 4945 "Support of the values notInService(2), notReady(3), 4946 and createAndWait(5) is not required." 4948 OBJECT ipProposalLastChanged 4949 MIN-ACCESS not-accessible 4950 DESCRIPTION 4951 "This object is not required for compliance." 4953 OBJECT sanRowStatus 4954 SYNTAX INTEGER { 4955 active(1), createAndGo(4), destroy(6) 4956 } 4957 DESCRIPTION 4958 "Support of the values notInService(2), notReady(3), 4959 and createAndWait(5) is not required." 4961 OBJECT sanLastChanged 4962 MIN-ACCESS not-accessible 4963 DESCRIPTION 4964 "This object is not required for compliance." 4966 OBJECT ikeIdRowStatus 4967 SYNTAX INTEGER { 4968 active(1), createAndGo(4), destroy(6) 4969 } 4970 DESCRIPTION 4971 "Support of the values notInService(2), notReady(3), 4972 and createAndWait(5) is not required." 
4974 OBJECT ikeIdLastChanged 4975 MIN-ACCESS not-accessible 4976 DESCRIPTION 4977 "This object is not required for compliance." 4979 OBJECT peerIdRowStatus 4980 SYNTAX INTEGER { 4981 active(1), createAndGo(4), destroy(6) 4982 } 4983 DESCRIPTION 4984 "Support of the values notInService(2), notReady(3), 4985 and createAndWait(5) is not required." 4987 OBJECT peerIdLastChanged 4988 MIN-ACCESS not-accessible 4989 DESCRIPTION 4990 "This object is not required for compliance." 4992 OBJECT icmsRowStatus 4993 SYNTAX INTEGER { 4994 active(1), createAndGo(4), destroy(6) 4995 } 4996 DESCRIPTION 4997 "Support of the values notInService(2), notReady(3), 4998 and createAndWait(5) is not required." 5000 OBJECT icmsLastChanged 5001 MIN-ACCESS not-accessible 5002 DESCRIPTION 5003 "This object not required for compliance." 5005 OBJECT autoIkeRowStatus 5006 SYNTAX INTEGER { 5007 active(1), createAndGo(4), destroy(6) 5008 } 5009 DESCRIPTION 5010 "Support of the values notInService(2), notReady(3), 5011 and createAndWait(5) is not required." 5013 OBJECT autoIkeLastChanged 5014 MIN-ACCESS not-accessible 5015 DESCRIPTION 5016 "This object is not required for compliance." 5018 OBJECT ktRowStatus 5019 SYNTAX INTEGER { 5020 active(1), createAndGo(4), destroy(6) 5021 } 5022 DESCRIPTION 5023 "Support of the values notInService(2), notReady(3), 5024 and createAndWait(5) is not required." 5026 OBJECT ktLastChanged 5027 MIN-ACCESS not-accessible 5028 DESCRIPTION 5029 "This object is not required for compliance." 5031 ::= { ipsecPolicyCompliances 3 } 5033 policyLoggingCompliance MODULE-COMPLIANCE 5034 STATUS current 5035 DESCRIPTION 5036 "The compliance statement for SNMP entities that support 5037 sending notifications when actions are invoked." 
5038       MODULE -- This Module
5039           MANDATORY-GROUPS { policyActionLoggingObjectGroup,
5040                              policyActionNotificationGroup }

5042       ::= { ipsecPolicyCompliances 4 }

5044   --
5045   --
5046   -- Compliance Groups Definitions
5047   --

5049   --
5050   -- Endpoint, Rule, Filter Compliance Groups
5051   --
5052   ipsecPolicyEndpointGroup OBJECT-GROUP
5053       OBJECTS {
5054           peGroupName, peLastChanged, peStorageType, peRowStatus
5055       }
5056       STATUS current
5057       DESCRIPTION
5058           "The IPsec Policy Endpoint Table Group."
5059       ::= { ipsecPolicyGroups 1 }

5061   ipsecPolicyGroupContentsGroup OBJECT-GROUP
5062       OBJECTS {
5063           pgcGroupComponentType, pgcFilter, pgcGroupComponentName,
5064           pgcLastChanged, pgcStorageType, pgcRowStatus
5065       }
5066       STATUS current
5067       DESCRIPTION
5068           "The IPsec Policy Group Contents Table Group."
5069       ::= { ipsecPolicyGroups 2 }

5071   ipsecSystemPolicyNameGroup OBJECT-GROUP
5072       OBJECTS {
5073           systemPolicyGroupName
5074       }
5075       STATUS current
5076       DESCRIPTION
5077           "The System Policy Group Name Group."
5078       ::= { ipsecPolicyGroups 3 }

5080   ipsecPolicyRuleDefinitionGroup OBJECT-GROUP
5081       OBJECTS {
5082           pRuleDescription, pRuleFilter,
5083           pRuleFilterNegated, pRuleAction, pRuleAdminStatus,
5084           pRuleLastChanged, pRuleStorageType,
5085           pRuleRowStatus
5086       }
5087       STATUS current
5088       DESCRIPTION
5089           "The IPsec Policy Rule Definition Table Group."
5090       ::= { ipsecPolicyGroups 4 }

5092   ipsecPolicyCompoundFilterGroup OBJECT-GROUP
5093       OBJECTS {
5094           cfDescription, cfLogicType, cfLastChanged, cfStorageType,
5095           cfRowStatus, ficSubfilter, ficSubfilterIsNegated,
5096           ficLastChanged, ficStorageType, ficRowStatus
5097       }
5098       STATUS current
5099       DESCRIPTION
5100           "The IPsec Policy Compound Filter Table and Filters in
5101           Compound Filters Table Group."
5102       ::= { ipsecPolicyGroups 5 }

5104   ipsecPolicyStaticFilterGroup OBJECT-GROUP
5105       OBJECTS { trueFilter }
5106       STATUS current
5107       DESCRIPTION
5108           "The static filter group. Currently this is just a true
5109           filter."
5110       ::= { ipsecPolicyGroups 6 }

5112   ipsecPolicyIPHeaderFilterGroup OBJECT-GROUP
5113       OBJECTS {
5114           ihfType, ihfIPVersion, ihfSrcAddressBegin, ihfSrcAddressEnd,
5115           ihfDstAddressBegin, ihfDstAddressEnd, ihfSrcLowPort,
5116           ihfSrcHighPort, ihfDstLowPort, ihfDstHighPort, ihfProtocol,
5117           ihfIPv6FlowLabel, ihfLastChanged, ihfStorageType, ihfRowStatus
5118       }
5119       STATUS current
5120       DESCRIPTION
5121           "The IPsec Policy IP Header Filter Table Group."
5122       ::= { ipsecPolicyGroups 7 }

5124   ipsecPolicyTimeFilterGroup OBJECT-GROUP
5125       OBJECTS {
5126           tfPeriodStart, tfPeriodEnd, tfMonthOfYearMask,
5127           tfDayOfMonthMask, tfDayOfWeekMask, tfTimeOfDayMaskStart,
5128           tfTimeOfDayMaskEnd, tfLastChanged, tfStorageType, tfRowStatus
5129       }
5130       STATUS current
5131       DESCRIPTION
5132           "The IPsec Policy Time Filter Table Group."
5133       ::= { ipsecPolicyGroups 8 }

5135   ipsecPolicyIpsoHeaderFilterGroup OBJECT-GROUP
5136       OBJECTS {
5137           ipsohfType, ipsohfClassification, ipsohfProtectionAuth,
5138           ipsohfLastChanged, ipsohfStorageType, ipsohfRowStatus
5139       }
5140       STATUS current
5141       DESCRIPTION
5142           "The IPsec Policy IPSO Header Filter Table Group."
5143       ::= { ipsecPolicyGroups 9 }

5145   ipsecPolicyCredentialFilterGroup OBJECT-GROUP
5146       OBJECTS {
5147           crfCredentialType, crfMatchFieldName, crfMatchFieldValue,
5148           crfAcceptCredFrom, crfLastChanged, crfStorageType,
5149           crfRowStatus,

5151           icmsPolicyStatement, icmsCRL, icmsCRLDistPoint,
5152           icmsDistinguishedName, icmsMaxChainLength,
5153           icmsCRLRefreshFreq, icmsValue, icmsLastChanged,
5154           icmsStorageType, icmsRowStatus
5155       }
5156       STATUS current
5157       DESCRIPTION
5158           "The IPsec Policy Credential Filter Table Group."
5159       ::= { ipsecPolicyGroups 10 }

5161   ipsecPolicyPeerIdFilterGroup OBJECT-GROUP
5162       OBJECTS {
5163           pifIdentityType, pifIdentityValue,
5164           pifLastChanged, pifStorageType, pifRowStatus
5165       }
5166       STATUS current
5167       DESCRIPTION
5168           "The IPsec Policy Peer Identity Filter Table Group."
5169       ::= { ipsecPolicyGroups 11 }

5171   --
5172   -- action compliance groups
5173   --

5175   ipsecPolicyCompoundActionGroup OBJECT-GROUP
5176       OBJECTS {
5177           caExecutionStrategy, caLastChanged, caStorageType,
5178           caRowStatus, aicaSubActionName, aicaLastChanged,
5179           aicaStorageType, aicaRowStatus
5180       }
5181       STATUS current
5182       DESCRIPTION
5183           "The IPsec Policy Compound Action Table and Actions In
5184           Compound Action Table Group."
5185       ::= { ipsecPolicyGroups 12 }

5187   ipsecPolicyPreconfiguredGroup OBJECT-GROUP
5188       OBJECTS {
5189           sapActionDescription,
5190           sapActionLifetimeSec, sapActionLifetimeKB, sapDoActionLogging,
5191           sapDoPacketLogging, sapDFHandling, sapActionType, sapAHSPI,
5192           sapAHTransformName, sapAHSharedSecretName, sapESPSPI,
5193           sapESPTransformName, sapESPEncSharedSecretName,
5194           sapESPAuthSharedSecretName, sapIPCompSPI,
5195           sapIPCompTransformName, sapPeerGatewayIdName,
5196           sapLastChanged, sapStorageType, sapRowStatus,

5198           ahtMaxLifetimeSec, ahtMaxLifetimeKB, ahtAlgorithm,
5199           ahtReplayProtection, ahtReplayWindowSize, ahtLastChanged,
5200           ahtStorageType,

5202           esptMaxLifetimeSec, esptMaxLifetimeKB,
5203           esptCipherTransformId, esptCipherKeyLength,
5204           esptCipherKeyRounds, esptIntegrityAlgorithmId,
5205           esptReplayPrevention, esptReplayWindowSize,
5206           esptLastChanged, esptStorageType, esptRowStatus,

5208           ipcompDictionarySize, ipcompTransformMaxLifetimeSec,
5209           ipcompTransformMaxLifetimeKB, ipcompPrivateAlgorithm,
5210           ipcompTransformLastChanged, ipcompTransformStorageType,
5211           ipcompTransformRowStatus,

5213           peerIdValue, peerIdType, peerIdAddress, peerIdAddressType,
5214           peerIdKeyName, peerIdCredMngName, peerIdLastChanged,
5215           peerIdStorageType, peerIdRowStatus,

5217           icmsPolicyStatement, icmsCRL, icmsCRLDistPoint,
5218           icmsDistinguishedName, icmsMaxChainLength,
5219           icmsCRLRefreshFreq, icmsValue, icmsLastChanged,
5220           icmsStorageType, icmsRowStatus,

5222           ktRemoteID, ktKey, ktPasswordAlgorithm,
5223           ktLastChanged, ktStorageType, ktRowStatus
5224       }
5225       STATUS current
5226       DESCRIPTION
5227           "This group is the set of objects that support preconfigured
5228           IPsec actions. These objects are from The Preconfigured
5229           Action Table. This group also includes objects from the
5230           shared tables: Peer Identity Table, Key Table, Credential
5231           Management Service Table and the AH, ESP, and IPComp
5232           Transform Tables."
5233       ::= { ipsecPolicyGroups 13 }

5235   ipsecPolicyStaticActionGroup OBJECT-GROUP
5236       OBJECTS {
5237           saDropAction, saAcceptAction, saRejectIKEAction,
5238           saDropActionLog, saAcceptActionLog, saRejectIKEActionLog
5239       }
5240       STATUS current
5241       DESCRIPTION
5242           "The IPsec Policy Static Actions Group."
5243       ::= { ipsecPolicyGroups 14 }

5245   ipsecPolicyIpsecGroup OBJECT-GROUP
5246       OBJECTS {
5247           ipsecActionParametersName, ipsecActionProposalsName,
5248           ipsecUsePfs, ipsecVendorId, ipsecGroupId,
5249           ipsecPeerGatewayIdName, ipsecUseIkeGroup, ipsecGranularity,
5250           ipsecMode, ipsecDFHandling, ipsecDoActionLogging,
5251           ipsecDoPacketLogging, ipsecActionLastChanged,
5252           ipsecActionStorageType, ipsecActionRowStatus,

5254           ipsecProposalsTransformsName, ipsecProposalsLastChanged,
5255           ipsecProposalsStorageType, ipsecProposalsRowStatus,

5257           ipsecTransformsTransformName, ipsecTransformsLastChanged,
5258           ipsecTransformsStorageType, ipsecTransformsRowStatus,

5260           sanMinimumLifetimeSeconds, sanMinimumLifetimeKB,
5261           sanRefreshThresholdSeconds, sanRefreshThresholdKB,
5262           sanIdleDurrationSeconds, sanLastChanged, sanStorageType,
5263           sanRowStatus,

5265           ahtMaxLifetimeSec, ahtMaxLifetimeKB, ahtAlgorithm,
5266           ahtReplayProtection, ahtReplayWindowSize, ahtLastChanged,
5267           ahtStorageType, ahtRowStatus,

5269           esptMaxLifetimeSec, esptMaxLifetimeKB,
5270           esptCipherTransformId, esptCipherKeyLength,
5271           esptCipherKeyRounds, esptIntegrityAlgorithmId,
5272           esptReplayPrevention, esptReplayWindowSize,
5273           esptLastChanged, esptStorageType, esptRowStatus,

5275           ipcompDictionarySize, ipcompAlgorithm,
5276           ipcompTransformMaxLifetimeSec, ipcompTransformMaxLifetimeKB,
5277           ipcompPrivateAlgorithm, ipcompTransformLastChanged,
5278           ipcompTransformStorageType, ipcompTransformRowStatus,

5280           peerIdValue, peerIdType, peerIdAddress, peerIdAddressType,
5281           peerIdKeyName, peerIdCredMngName, peerIdLastChanged,
5282           peerIdStorageType, peerIdRowStatus,

5284           icmsPolicyStatement, icmsCRL, icmsCRLDistPoint,
5285           icmsDistinguishedName, icmsMaxChainLength,
5286           icmsCRLRefreshFreq, icmsValue, icmsLastChanged,
5287           icmsStorageType, icmsRowStatus,

5289           ktRemoteID, ktKey, ktPasswordAlgorithm,
5290           ktLastChanged, ktStorageType, ktRowStatus
5291       }
5292       STATUS current
5293       DESCRIPTION
5294           "This group is the set of objects that support IPsec
5295           actions. These objects are from The IPsec Policy IPsec
5296           Actions Table, The IPsec Proposal Table, and The IPsec
5297           Transform Table. This group also includes objects from the
5298           shared tables: Peer Identity Table, Key Table, Negotiation
5299           Parameters Table, Credential Management Service Table and the
5300           AH, ESP, and IPComp Transform Table."
5301       ::= { ipsecPolicyGroups 15 }

5303   ipsecPolicyIkeGroup OBJECT-GROUP
5304       OBJECTS {
5305           ikeActionParametersName, ikeThresholdDerivedKeys,
5306           ikeExchangeMode, ikeAgressiveModeGroupId, ikeIdentityType,
5307           ikeIdentityContext, ikePeerName, ikeActionVendorId,
5308           ikeActionProposalName, ikeActionDoActionLogging,
5309           ikeActionDoPacketLogging, ikeActionLastChanged,
5310           ikeActionStorageType, ikeActionRowStatus,

5312           ikeActionProposalLastChanged, ikeActionProposalStorageType,
5313           ikeActionProposalRowStatus,

5315           ipLifetimeDerivedKeys, ipCipherAlgorithm, ipCipherKeyLength,
5316           ipCipherKeyRounds, ipHashAlgorithm, ipPrfAlgorithm,
5317           ipVendorId, ipDhGroup, ipAuthenticationMethod,
5318           ipMaxLifetimeSeconds, ipMaxLifetimeKB,
5319           ipProposalLastChanged, ipProposalStorageType,
5320           ipProposalRowStatus,

5322           sanMinimumLifetimeSeconds, sanMinimumLifetimeKB,
5323           sanRefreshThresholdSeconds, sanRefreshThresholdKB,
5324           sanIdleDurrationSeconds, sanLastChanged, sanStorageType,
5325           sanRowStatus,

5327           ikeIdValue, ikeIdKeyName, ikeIdCredMngName, ikeIdLastChanged,
5328           ikeIdStorageType, ikeIdRowStatus,

5330           autoIkeAction, autoIkeAddressType, autoIkeSourceAddress,
5331           autoIkeSourcePort, autoIkeDestAddress, autoIkeDestPort,
5332           autoIkeProtocol, autoIkeLastChanged, autoIkeStorageType,
5333           autoIkeRowStatus,

5335           peerIdValue, peerIdType, peerIdAddress, peerIdAddressType,
5336           peerIdKeyName, peerIdCredMngName, peerIdLastChanged,
5337           peerIdStorageType, peerIdRowStatus,

5339           icmsPolicyStatement, icmsCRL, icmsCRLDistPoint,
5340           icmsDistinguishedName, icmsMaxChainLength,
5341           icmsCRLRefreshFreq, icmsValue, icmsLastChanged,
5342           icmsStorageType, icmsRowStatus,

5344           ktRemoteID, ktKey, ktPasswordAlgorithm,
5345           ktLastChanged, ktStorageType, ktRowStatus
5346       }
5347       STATUS current
5348       DESCRIPTION
5349           "This group is the set of objects that support IKE
5350           actions. These objects are from The IPsec Policy IKE Action
5351           Table, The IKE Action Proposals Table, The IKE Proposal
5352           Table, The autostart IKE Table and The IKE Identity Table.
5353           This group also includes objects from the shared tables:
5354           Peer Identity Table, Credential Management Service Table and
5355           Negotiation Parameters Table."
5356       ::= { ipsecPolicyGroups 16 }

5358   policyActionLoggingObjectGroup OBJECT-GROUP
5359       OBJECTS {
5360           ipsecPolicyActionExecuted, ipsecPolicyActionSource,
5361           ipsecPolicyActionDestination, ipsecPolicyPacketDirection
5362       }
5363       STATUS current
5364       DESCRIPTION
5365           "Notification objects."
5366       ::= { ipsecPolicyGroups 17 }

5368   policyActionNotificationGroup NOTIFICATION-GROUP
5369       NOTIFICATIONS {
5370           ipsecPolicyActionNotification
5371       }
5372       STATUS current
5373       DESCRIPTION
5374           "Notifications."
5375       ::= { ipsecPolicyGroups 18 }

5377   END

5379   5. Security Considerations

5381   5.1. Introduction

5383   This document defines an SNMP MIB used to configure IPsec services.
5384   Since IPsec provides security services, it is important that the
5385   IPsec configuration data be at least as well protected as the
5386   security service IPsec provides. There are two threats you need to
5387   thwart when configuring IPsec devices:

5389   1) only authentic administrators should be allowed to configure
5390      devices;
5391   2) unfriendly parties should not be able to read configuration
       data while the data is in network transit.

5393   SNMP version 3 provides security services. Therefore, when
5394   configuring data in the IPSEC-POLICY-MIB, you SHOULD use SNMP
5395   version 3. The rest of this discussion assumes the use of SNMPv3.

5397   SNMPv3 has security services built into the protocol. This is a real
5398   strength, because it allows administrators to load new IPsec
5399   configuration on a device and keep the conversation private
5400   and authenticated under the protection of SNMPv3 before any IPsec
5401   protections are available.
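The checks this section asks for, as an added example that is not part of the draft or of any SNMP implementation: a pre-flight check run before an SNMPv3 SET that pushes IPSEC-POLICY-MIB rows. It refuses unauthenticated sessions, requires privacy whenever ktKey is in the request, compares the session's privacy protocol against the ciphers being configured (the "at least as strong as the desired IPsec policy" rule of Section 5.3 below), and flags RowStatus values outside the subset the compliance statements above require. The strength tables, the session class and the sample varbind list are constructed for the example; the MIB itself encodes ciphers as integers, not the symbolic names used here.

```python
"""Pre-flight checks for an SNMPv3 SET carrying IPSEC-POLICY-MIB rows (constructed example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Nominal key strength in bits of SNMPv3 USM privacy protocols. Only DES was
# standardised when the draft was written; the others are listed for comparison.
SNMP_PRIV_STRENGTH = {"none": 0, "DES": 56, "3DES": 112, "AES128": 128, "AES256": 256}

# Nominal key strength in bits of ciphers written into an ESP transform
# (esptCipherTransformId) or an IKE proposal (ipCipherAlgorithm).
IPSEC_CIPHER_STRENGTH = {"NULL": 0, "DES": 56, "3DES": 112, "AES128": 128, "AES256": 256}
CIPHER_OBJECTS = {"esptCipherTransformId", "ipCipherAlgorithm"}

# Objects whose values MUST NOT be observed by third parties (Section 5.3):
# ktKey holds the IKE pre-shared key in the Key Table.
SECRET_OBJECTS = {"ktKey"}

# RowStatus values every compliant agent accepts, and those it may reject
# (MODULE-COMPLIANCE statements above).
REQUIRED_ROWSTATUS = {1: "active", 4: "createAndGo", 6: "destroy"}
OPTIONAL_ROWSTATUS = {2: "notInService", 3: "notReady", 5: "createAndWait"}

VarBinds = List[Tuple[str, object]]  # (object descriptor, value) pairs of one SET


@dataclass
class Snmpv3Session:
    user: str
    security_level: str            # "noAuthNoPriv", "authNoPriv" or "authPriv"
    priv_protocol: str = "none"    # key of SNMP_PRIV_STRENGTH


def channel_strength(session: Snmpv3Session) -> int:
    """Bits of confidentiality the management conversation actually gets."""
    if session.security_level != "authPriv":
        return 0
    return SNMP_PRIV_STRENGTH[session.priv_protocol]


def policy_strength(varbinds: VarBinds) -> int:
    """Strongest cipher the SET request is trying to configure."""
    ciphers = [value for name, value in varbinds if name in CIPHER_OBJECTS]
    return max((IPSEC_CIPHER_STRENGTH[c] for c in ciphers), default=0)


def check_set_request(session: Snmpv3Session, varbinds: VarBinds) -> List[str]:
    """Return human-readable findings; an empty list means the SET may proceed."""
    findings = []
    if session.security_level == "noAuthNoPriv":
        findings.append("request is unauthenticated; only authentic administrators "
                        "may configure devices (Section 5.2)")
    have = channel_strength(session)
    secrets = sorted(name for name, _ in varbinds if name in SECRET_OBJECTS)
    if secrets and have == 0:
        findings.append(f"{secrets} carried without SNMPv3 privacy (Section 5.3)")
    want = policy_strength(varbinds)
    if want > have:
        findings.append(f"management channel is {have}-bit but the IPsec policy being "
                        f"configured is {want}-bit; the channel is weaker (Section 5.3)")
    for name, value in varbinds:
        if name.endswith("RowStatus") and value in OPTIONAL_ROWSTATUS:
            findings.append(f"{name}={OPTIONAL_ROWSTATUS[value]}({value}) is not required "
                            f"by the compliance statements; a minimal agent may reject it "
                            f"(it must accept {sorted(REQUIRED_ROWSTATUS)})")
    return findings


# Constructed sample SET: one ESP transform row plus the pre-shared key it will use.
SAMPLE_VARBINDS: VarBinds = [
    ("esptCipherTransformId", "3DES"),
    ("esptRowStatus", 4),
    ("ktKey", "constructed-psk-value"),
    ("ktRowStatus", 5),
]

if __name__ == "__main__":
    for session in (Snmpv3Session("admin", "authPriv", "DES"),
                    Snmpv3Session("admin", "authPriv", "AES128")):
        print(session, *check_set_request(session, SAMPLE_VARBINDS), sep="\n  ")
```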
       Once you do establish some IPsec
5402   configuration on your device, it would be possible to set up IPsec
5403   SAs to then also provide security and integrity services to the
5404   configuration conversation. This may seem redundant at first, but
5405   it has a use for added privacy protection, as discussed below.

5407   5.2. Protecting against inauthentic access

5409   The current SNMPv3 User Security Model provides for key-based user
5410   authentication. Typically, keys are derived from passwords (but are
5411   not required to be), and the keys are then used in HMAC algorithms
5412   (currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP
5413   data. Each SNMP device keeps a (configured) list of users and keys.
5414   Under SNMPv3 user keys may be updated as often as an administrator
5415   cares to have users enter new passwords. But Perfect Forward Secrecy
5416   for user keys is not yet provided by standards track documents,
5417   although RFC 2786 defines an experimental method of doing so.

5419   SNMPv3 also provides a View Based Access Model. Different users may
5420   be given different levels of access (read-write, read-only...) to
5421   lists of SNMP objects or subtrees. This view based access control
5422   provides fine levels of access control granularity, making it
5423   possible to allow some administrators to have control over certain
5424   sections of this MIB while prohibiting them from accessing and/or
5425   modifying other sections of the MIB. This may be useful if local
5426   policy administrators should be given rights to add or amend certain
5427   policies, but should not be given rights to change, for example,
5428   corporate level policies.

5430   5.3. Protecting against involuntary disclosure

5432   While sending IPsec configuration data to a PEP, there are a few
5433   critical parameters which MUST NOT be observed by third parties.
5434   These include IKE Pre-Shared Keys and possibly the private key of a
5435   public/private key pair for use in a PKI. Were either of those
5436   parameters to be known to a third party, they could then impersonate
5437   your device to other IKE peers. And aside from those critical
5438   parameters, policy administrators may have an interest in not
5439   divulging any of their policy configuration. SNMPv3 offers
5440   privacy security services, but at the time this document was
5441   written, it only supported the DES algorithm for privacy services.
5442   Support for other (stronger) crypto algorithms was in the works and
5443   may be done as you read this. Policy administrators SHOULD use a
5444   privacy security service to configure their IPsec policy which is at
5445   least as strong as the desired IPsec policy. It is unwise to
5446   configure IPsec parameters implementing 3DES algorithms while
5447   protecting that conversation with single DES.

5449   5.4. Bootstrapping your configuration

5451   Vendors should not ship new products with a default SNMPv3
5452   user/password pair, but some may. Most SNMPv3 distributions
5453   should require an out-of-band initialization over a
5454   trusted medium, such as a local console connection.

5456   6. Authors' Addresses

5458   Michael Baer
5459   Network Associates, Inc.
5460   3965 Freedom Circle, Suite 500
5461   Santa Clara, CA 95054
5462   Phone: +1 530 304 1628
5463   Email: mike_baer@nai.com

5465   Ricky Charlet
5466   Email: rcharlet@alumni.calpoly.edu

5468   Wes Hardaker
5469   Network Associates, Inc.
5470   3965 Freedom Circle, Suite 500
5471   Santa Clara, CA 95054
5472   Phone: +1 530 400 2774
5473   Email: wes_hardaker@nai.com

5475   Robert Story
5476   Revelstone Software
5477   Phone: +1 770 617 3722
5478   Email: rs-snmp@revelstone.com

5480   Cliff Wang
5481   SmartPipes Inc.
5482   Suite 300, 565 Metro Place South
5483   Dublin, OH 43017
5484   Phone: +1 614 923 6241
5485   Email: CWang@smartpipes.com

5487   7. References

5489   [IPSEC]
5490       Kent, S. and R. Atkinson, "Security Architecture for the
5491       Internet Protocol", RFC 2401, November 1998.
5493   [IKE]
5494       Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)",
5495       RFC 2409, November 1998.

5497   [SNMPARCH]
5498       Harrington, D., Presuhn, R., and B. Wijnen, "An
5499       Architecture for Describing SNMP Management Frameworks",
5500       RFC 2571, April 1999.

5502   [SMIv1]
5503       Rose, M. and K. McCloghrie, "Structure and
5504       Identification of Management Information for TCP/IP-based
5505       Internets", STD 16, RFC 1155, May 1990.

5507   [MIB]
5508       Rose, M. and K. McCloghrie, "Concise MIB Definitions",
5509       STD 16, RFC 1212, March 1991.

5511   [TRAPS]
5512       Rose, M., "A Convention for Defining Traps for use with
5513       the SNMP", RFC 1215, March 1991.

5515   [SMIv2]
5516       McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
5517       Rose, M., and S. Waldbusser, "Structure of Management
5518       Information Version 2 (SMIv2)", STD 58, RFC 2578, April
5519       1999.

5521   [SMITC]
5522       McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
5523       Rose, M., and S. Waldbusser, "Textual Conventions for
5524       SMIv2", STD 58, RFC 2579, April 1999.

5526   [SNMPCONF]
5527       McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
5528       Rose, M., and S. Waldbusser, "Conformance Statements for
5529       SMIv2", STD 58, RFC 2580, April 1999.

5531   [SNMPv1]
5532       Case, J., Fedor, M., Schoffstall, M., and J. Davin,
5533       "Simple Network Management Protocol", STD 15, RFC 1157,
5534       May 1990.

5536   [SNMPv2c]
5537       Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
5538       "Introduction to Community-based SNMPv2", RFC 1901,
5539       January 1996.

5541   [SNMPv2TM]
5542       Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
5543       "Transport Mappings for Version 2 of the Simple Network
5544       Management Protocol (SNMPv2)", RFC 1906, January 1996.

5546   [SNMPv3]
5547       Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
5548       "Message Processing and Dispatching for the Simple
5549       Network Management Protocol (SNMP)", RFC 2572, April
5550       1999.

5552   [SNMPUSM]
5553       Blumenthal, U. and B. Wijnen, "User-based Security Model
5554       (USM) for version 3 of the Simple Network Management
5555       Protocol (SNMPv3)", RFC 2574, April 1999.

5557   [SNMPv2]
5558       Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
5559       "Protocol Operations for Version 2 of the Simple Network
5560       Management Protocol (SNMPv2)", RFC 1905, January 1996.

5562   [SNMPAPP]
5563       Levi, D., Meyer, P., and B. Stewart, "SNMPv3
5564       Applications", RFC 2573, April 1999.

5566   [SNMPVACM]
5567       Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
5568       Access Control Model (VACM) for the Simple Network
5569       Management Protocol (SNMP)", RFC 2575, April 1999.

5571   [SNMPINT]
5572       Case, J., Mundy, R., Partain, D., and B. Stewart,
5573       "Introduction to Version 3 of the Internet-standard
5574       Network Management Framework", RFC 2570, April 1999.

5576   [IPSECPM]
5577       Lortz, V. and L. Rafalow, "IPsec Policy Model White Paper",
5578       November 2000.

5580   [IPCP]
5581       Jason, J., Rafalow, L., and E. Vyncke, "IPsec Configuration
5582       Policy Model", draft-ietf-ipsp-config-policy-model-05.txt,
5583       March 2001.

5585   8. Intellectual Property

5587   The IETF takes no position regarding the validity or scope of any
5588   intellectual property or other rights that might be claimed to
5589   pertain to the implementation or use of the technology described in
5590   this document or the extent to which any license under such rights
5591   might or might not be available; neither does it represent that it
5592   has made any effort to identify any such rights. Information on the
5593   IETF's procedures with respect to rights in standards-track and
5594   standards-related documentation can be found in BCP-11. Copies of
5595   claims of rights made available for publication and any assurances
5596   of licenses to be made available, or the result of an attempt made
5597   to obtain a general license or permission for the use of such
5598   proprietary rights by implementors or users of this specification
5599   can be obtained from the IETF Secretariat.

5601   The IETF invites any interested party to bring to its attention any
5602   copyrights, patents or patent applications, or other proprietary
5603   rights which may cover technology that may be required to practice
5604   this standard. Please address the information to the IETF Executive
5605   Director.

5607   9. Acknowledgments

5609   Many other people contributed thoughts and ideas that influenced
5610   this MIB. Special thanks are in order to the following people:

5612       John Gillis (ADC)
5613       Jamie Jason (Intel Corporation)
5614       David Partain (Ericsson)
5615       Lee Rafalow (IBM)
           Jon Saperia (JDS Consulting)
5616       Eric Vyncke (Cisco Systems)

5618   10. Full Copyright Statement

5620   Copyright (C) The Internet Society (2002). All Rights Reserved.

5622   This document and translations of it may be copied and furnished to
5623   others, and derivative works that comment on or otherwise explain it
5624   or assist in its implementation may be prepared, copied, published
5625   and distributed, in whole or in part, without restriction of any
5626   kind, provided that the above copyright notice and this paragraph
5627   are included on all such copies and derivative works. However, this
5628   document itself may not be modified in any way, such as by removing
5629   the copyright notice or references to the Internet Society or other
5630   Internet organizations, except as needed for the purpose of
5631   developing Internet standards in which case the procedures for
5632   copyrights defined in the Internet Standards process must be
5633   followed, or as required to translate it into languages other than
5634   English.
5636   The limited permissions granted above are perpetual and will not be
5637   revoked by the Internet Society or its successors or assigns.

5639   This document and the information contained herein is provided on an
5640   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
5641   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
5642   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
5643   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
5644   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

5646   Appendix A. MIB's Model Conformance

5648   The following table shows the IPsec Policy MIB's support of the
5649   IPsec Policy Model's conformance objects. It lists the conformance
5650   object name and section number, its requirement level
5651   (MAY, MUST, etc.), whether the MIB supports it (yes, no, part=partial),
5652   and a short indication of where/how the MIB supports it.

5654   Many of the "partially" supported objects are actually "partial"
5655   only because the MIB allows greater flexibility and reuse
5656   by not enforcing relational constraints. These are noted in the
5657   table below with a "Sup." field of "part" and a note like "1..1
5658   pol.RuleDef.->pol.Grp.Cont. not forced" (for example), which
5659   indicates that the MIB does not enforce a strict 1 to 1 mapping and
5660   allows a greater number of references within its tables.

5662                Table of the IPsec Policy MIB's support of
5663                     the IPsec Policy Model's objects

5665   +-------+-------------------------------------------------+--------+------+
5666   |Sect.  | Objects                                         | Req.   | Sup. |
5667   +-------+-------------------------------------------------+--------+------+
5668   |       |   'a..b' indicates cardinality range            |        |      |
5669   +-------+-------------------------------------------------+--------+------+
5670   |       |   object names may be abbreviated               |        |      |
5671   +-------+-------------------------------------------------+--------+------+
5675   |       |                                                 |        |      |
5676   +-------+-------------------------------------------------+--------+------+
5677   |e.g.   | IPsec Model Object                              |        |      |
5678   +-------+-------------------------------------------------+--------+------+
5679   |       |   IPsec MIB Supports With...                    |        |      |
5680   +-------+-------------------------------------------------+--------+------+
5681   |       |                                                 |        |      |
5682   +-------+-------------------------------------------------+--------+------+
5683   |4      | "Policy Classes"                                |        |      |
5684   +-------+-------------------------------------------------+--------+------+
5685   |4.1    | "Class IPsecPolicyGroup"                        | MUST   | yes  |
5686   +-------+-------------------------------------------------+--------+------+
5687   |       |   policyGroupContentsTbl                        |        |      |
5688   +-------+-------------------------------------------------+--------+------+
5689   |4.2    | "Class SARule"                                  | MUST   | yes  |
5690   +-------+-------------------------------------------------+--------+------+
5691   |       |   policyRuleDefinitionTbl::pRuleAction          |        |      |
5692   +-------+-------------------------------------------------+--------+------+
5693   |4.2.1  | "Property PolicyRuleName"                       | MAY    | yes  |
5694   +-------+-------------------------------------------------+--------+------+
5695   |       |   policyRuleDefinitionTbl::pRuleName            |        |      |
5696   +-------+-------------------------------------------------+--------+------+
5697   |4.2.1  | "Property Enabled"                              | MUST   | yes  |
5698   +-------+-------------------------------------------------+--------+------+
5699   |       |   policyRuleDefinitionTbl::pRuleEnabled         |        |      |
5700   +-------+-------------------------------------------------+--------+------+
5701   |4.2.1  | "Property ConditionListType"                    | MUST   | yes  |
5702   +-------+-------------------------------------------------+--------+------+
5703   |       |   conditionTbl::conditionFilterListType         |        |      |
5704   +-------+-------------------------------------------------+--------+------+
5705   |4.2.1  | "Property RuleUsage"                            | MAY    | yes  |
5706   +-------+-------------------------------------------------+--------+------+
5707   |       |   policyRuleDefinitionTbl::pRuleDescription     |        |      |
5708   +-------+-------------------------------------------------+--------+------+
5709   |4.2.1  | "Property Mandatory"                            | MAY    | yes  |
5710   +-------+-------------------------------------------------+--------+------+
5711   |       |   always true implicitly                        |        |      |
5712   +-------+-------------------------------------------------+--------+------+
5713   |4.2.1  | "Property SequencedActions"                     | MUST   | yes  |
5714   +-------+-------------------------------------------------+--------+------+
5715   |       |   always mandatory implicitly                   |        |      |
5716   +-------+-------------------------------------------------+--------+------+
5717   |4.2.1  | "Property PolicyRoles"                          | MAY    | NA   |
5718   +-------+-------------------------------------------------+--------+------+
5722   |       |   not used in device level model                |        |      |
5723   +-------+-------------------------------------------------+--------+------+
5724   |4.2.1  | "Property PolicyDecisionStrategy"               | MAY    | yes  |
5725   +-------+-------------------------------------------------+--------+------+
5726   |       |   always First Matching implicitly              |        |      |
5727   +-------+-------------------------------------------------+--------+------+
5728   |4.2.2  | "Property ExecutionStrategy"                    | MUST   | yes  |
5729   +-------+-------------------------------------------------+--------+------+
5730   |       |   compoundActionsTbl::caExecutionStrategy       |        |      |
5731   +-------+-------------------------------------------------+--------+------+
5732   |4.2.3  | "Property LimitNegotiation"                     | MAY    | yes  |
5733   +-------+-------------------------------------------------+--------+------+
5734   |       |   policyRuleDef.Tbl::pRuleLimitNegot.           |        |      |
5735   +-------+-------------------------------------------------+--------+------+
5736   |4.3    | "Class IKERule"                                 | MUST   | yes  |
5737   +-------+-------------------------------------------------+--------+------+
5738   |       |   ikeActionTbl                                  |        |      |
5739   +-------+-------------------------------------------------+--------+------+
5740   |4.3.1  | "Property IdentityContexts"                     | MAY    | yes  |
5741   +-------+-------------------------------------------------+--------+------+
5742   |       |   ikeRuleId.ContextsTbl::iricId.Context         |        |      |
5743   +-------+-------------------------------------------------+--------+------+
5744   |4.4    | "Class IPsecRule"                               | MUST   | yes  |
5745   +-------+-------------------------------------------------+--------+------+
5746   |       |   ipsecActionTbl                                |        |      |
5747   +-------+-------------------------------------------------+--------+------+
5748   |4.5    | "Assoc. Class IPsecPolicyForEndpoint"           | MAY    | yes  |
5749   +-------+-------------------------------------------------+--------+------+
5750   |       |   policyEndpointToGroupTbl::p.GroupName         |        |      |
5751   +-------+-------------------------------------------------+--------+------+
5752   |4.5.1  | "Reference Antecedent"                          | MUST   | yes  |
5753   +-------+-------------------------------------------------+--------+------+
5754   |       |   0..n policyGroup->policyEndpoints             |        |      |
5755   +-------+-------------------------------------------------+--------+------+
5756   |4.5.2  | "Reference Dependent"                           | MUST   | yes  |
5757   +-------+-------------------------------------------------+--------+------+
5758   |       |   0..1 policyEndpoint->policyGroup              |        |      |
5759   +-------+-------------------------------------------------+--------+------+
5760   |4.6    | "Assoc. Class IPsecPolicyForSystem"             | MAY    | yes  |
5761   +-------+-------------------------------------------------+--------+------+
5762   |       |   systemPolicyGroupName                         |        |      |
5763   +-------+-------------------------------------------------+--------+------+
5764   |4.6.1  | "Reference Antecedent"                          | MUST   | yes  |
5765   +-------+-------------------------------------------------+--------+------+
5769   |       |   0..1 policyGroup->systemPolicyGroupName       |        |      |
5770   +-------+-------------------------------------------------+--------+------+
5771   |4.6.2  | "Reference Dependent"                           | MUST   | yes  |
5772   +-------+-------------------------------------------------+--------+------+
5773   |       |   1..1 systemPolicyGroupName->policyGroup       |        |      |
5774   +-------+-------------------------------------------------+--------+------+
5775   |4.7    | "Aggreg.
Class SARuleInPolicyGroup" | MUST | yes | 5776 +-------+-------------------------------------------------+--------+------+ 5777 | | policyGrp.Cont.Tbl::pgcGrp.ComponentName | | | 5778 +-------+-------------------------------------------------+--------+------+ 5779 |4.7.1 | "Property Priority" | SHOULD | yes | 5780 +-------+-------------------------------------------------+--------+------+ 5781 | | policyGroupContentsTbl::pgcPriority | | | 5782 +-------+-------------------------------------------------+--------+------+ 5783 |4.7.2 | "Reference GroupComponent" | MUST | part | 5784 +-------+-------------------------------------------------+--------+------+ 5785 | | 1..1 pol.RuleDef.->pol.Grp.Cont. not forced | | | 5786 +-------+-------------------------------------------------+--------+------+ 5787 |4.7.3 | "Reference PartComponent" | MUST | yes | 5788 +-------+-------------------------------------------------+--------+------+ 5789 | | 0..n pol.Grp.Cont.table->pol.RuleDef.Tbl | | | 5790 +-------+-------------------------------------------------+--------+------+ 5791 |4.8 | "Aggregation Class SAConditionInRule" | MUST | yes | 5792 +-------+-------------------------------------------------+--------+------+ 5793 | | policyRuleDefinitionTbl::pRuleName | | | 5794 +-------+-------------------------------------------------+--------+------+ 5795 |4.8.1 | "Property GroupNumber" | SHOULD | part | 5796 +-------+-------------------------------------------------+--------+------+ 5797 | | associated with Octet String, not integer | | | 5798 +-------+-------------------------------------------------+--------+------+ 5799 |4.8.1 | "Property ConditionNegated" | SHOULD | yes | 5800 +-------+-------------------------------------------------+--------+------+ 5801 | | filtersInConditionTbl::ficFilterIsNegated | | | 5802 +-------+-------------------------------------------------+--------+------+ 5803 |4.8.2 | "Reference GroupComponent" | MUST | yes | 5804 
+-------+-------------------------------------------------+--------+------+ 5805 | | 0..n cond.Tbl->policyRuleDefinitionTbl | | | 5806 +-------+-------------------------------------------------+--------+------+ 5807 |4.8.3 | "Reference PartComponent" | MUST | part | 5808 +-------+-------------------------------------------------+--------+------+ 5809 | | 1..n pol.RuleDef.->cond.InRule not forced | | | 5810 +-------+-------------------------------------------------+--------+------+ 5811 |4.9 | "Aggreg. Class PolicyActionInSARule" | MUST | yes | 5812 +-------+-------------------------------------------------+--------+------+ 5813 +-------+-------------------------------------------------+--------+------+ 5814 |Sect. | Objects | Req. | Sup. | 5815 +-------+-------------------------------------------------+--------+------+ 5816 | | policyRuleDef.Tbl::pRuleAction | | | 5817 +-------+-------------------------------------------------+--------+------+ 5818 |4.9.1 | "Reference GroupComponent" | MUST | yes | 5819 +-------+-------------------------------------------------+--------+------+ 5820 | | 0..n actions->policyRuleDefinitionTbl | | | 5821 +-------+-------------------------------------------------+--------+------+ 5822 |4.9.2 | "Reference PartComponent" | MUST | yes | 5823 +-------+-------------------------------------------------+--------+------+ 5824 | | 1..n policyRuleDef.Tbl->pRuleAction | | | 5825 +-------+-------------------------------------------------+--------+------+ 5826 |4.9.3 | "Property ActionOrder" | SHOULD | yes | 5827 +-------+-------------------------------------------------+--------+------+ 5828 | | actionsInComp.ActionsEntry::aicaPriority | | | 5829 +-------+-------------------------------------------------+--------+------+ 5830 |5 | "Condition and Filter Classes" | | | 5831 +-------+-------------------------------------------------+--------+------+ 5832 |5.1 | "Class SACondition" | MUST | yes | 5833 
+-------+-------------------------------------------------+--------+------+ 5834 | | conditionTbl | | | 5835 +-------+-------------------------------------------------+--------+------+ 5836 |5.2 | "Class IPHeadersFilter" | SHOULD | yes | 5837 +-------+-------------------------------------------------+--------+------+ 5838 | | filterTbl::ipfType = addressOrNetwork | | | 5839 +-------+-------------------------------------------------+--------+------+ 5840 |5.3 | "Class CredentialFilterEntry" | MAY | yes | 5841 +-------+-------------------------------------------------+--------+------+ 5842 | | credentialFilterTbl | | | 5843 +-------+-------------------------------------------------+--------+------+ 5844 |5.3.1 | "Property MatchFieldName" | MUST | yes | 5845 +-------+-------------------------------------------------+--------+------+ 5846 | | credentialFilterTbl::crfMatchFieldName | | | 5847 +-------+-------------------------------------------------+--------+------+ 5848 |5.3.2 | "Property MatchFieldValue" | MUST | yes | 5849 +-------+-------------------------------------------------+--------+------+ 5850 | | credentialFilterTbl::crfMatchFieldValue | | | 5851 +-------+-------------------------------------------------+--------+------+ 5852 |5.3.3 | "Property CredentialType" | MUST | yes | 5853 +-------+-------------------------------------------------+--------+------+ 5854 | | credentialFilterTbl::crfCredentialType | | | 5855 +-------+-------------------------------------------------+--------+------+ 5856 |5.4 | "Class IPSOFilterEntry" | MAY | yes | 5857 +-------+-------------------------------------------------+--------+------+ 5858 | | filterTbl::ipfType = classification/authority | | | 5859 +-------+-------------------------------------------------+--------+------+ 5860 +-------+-------------------------------------------------+--------+------+ 5861 |Sect. | Objects | Req. | Sup. 
| 5862 +-------+-------------------------------------------------+--------+------+ 5863 |5.4.1 | "Property MatchConditionType" | MUST | yes | 5864 +-------+-------------------------------------------------+--------+------+ 5865 | | filterTbl::ipfType | | | 5866 +-------+-------------------------------------------------+--------+------+ 5867 |5.4.2 | "Property MatchConditionValue" | MUST | yes | 5868 +-------+-------------------------------------------------+--------+------+ 5869 | | filterTbl::ipfClass.Level/ipfAuthority | | | 5870 +-------+-------------------------------------------------+--------+------+ 5871 |5.5 | "Class PeerIDPayloadFilterEntry" | MAY | yes | 5872 +-------+-------------------------------------------------+--------+------+ 5873 | | peerIdentityFilterTbl | | | 5874 +-------+-------------------------------------------------+--------+------+ 5875 |5.5.1 | "Property MatchIdentityType" | MUST | yes | 5876 +-------+-------------------------------------------------+--------+------+ 5877 | | peerIdentityFilterTbl::pifIdentityType | | | 5878 +-------+-------------------------------------------------+--------+------+ 5879 |5.5.2 | "Property MatchIdentityValue" | MUST | yes | 5880 +-------+-------------------------------------------------+--------+------+ 5881 | | peerIdentityFilterTbl::pifIdentityValue | | | 5882 +-------+-------------------------------------------------+--------+------+ 5883 |5.6 | "Assoc. 
Class FilterOfSACondition" | SHOULD | yes | 5884 +-------+-------------------------------------------------+--------+------+ 5885 | | filtersInCompoundFilterTbl::ficSubfilter | | | 5886 +-------+-------------------------------------------------+--------+------+ 5887 |5.6.1 | "Reference Antecedent" | MUST | yes | 5888 +-------+-------------------------------------------------+--------+------+ 5889 | | 1..1 compoundFilter->filter list | | | 5890 +-------+-------------------------------------------------+--------+------+ 5891 |5.6.2 | "Reference Dependent" | MUST | yes | 5892 +-------+-------------------------------------------------+--------+------+ 5893 | | 0..n filter Tbls->Compound Filter | | | 5894 +-------+-------------------------------------------------+--------+------+ 5895 |5.7 | "Assoc. Class AcceptCredentialFrom" | MAY | yes | 5896 +-------+-------------------------------------------------+--------+------+ 5897 | | credentialFilterTbl::crfAcceptCredFrom | | | 5898 +-------+-------------------------------------------------+--------+------+ 5899 |5.7.1 | "Reference Antecedent" | MUST | yes | 5900 +-------+-------------------------------------------------+--------+------+ 5901 | | 0..n condition->Cred.Mng.Service | | | 5902 +-------+-------------------------------------------------+--------+------+ 5903 |5.7.2 | "Reference Dependent" | MUST | yes | 5904 +-------+-------------------------------------------------+--------+------+ 5905 | | 0..n Cred.Mng.Service->condition | | | 5906 +-------+-------------------------------------------------+--------+------+ 5907 +-------+-------------------------------------------------+--------+------+ 5908 |Sect. | Objects | Req. | Sup. 
| 5909 +-------+-------------------------------------------------+--------+------+ 5910 |6 | "Action Classes" | | | 5911 +-------+-------------------------------------------------+--------+------+ 5912 |6.1 | "Class SAAction" | MUST | yes | 5913 +-------+-------------------------------------------------+--------+------+ 5914 | | policyRuleDefinitionTbl::pRuleAction | | | 5915 +-------+-------------------------------------------------+--------+------+ 5916 |6.1.1 | "Property DoActionLogging" | MAY | yes | 5917 +-------+-------------------------------------------------+--------+------+ 5918 | | actions all have action logging ability | | | 5919 +-------+-------------------------------------------------+--------+------+ 5920 |6.1.2 | "Property DoPacketLogging" | MAY | yes | 5921 +-------+-------------------------------------------------+--------+------+ 5922 | | actions all have packet logging ability | | | 5923 +-------+-------------------------------------------------+--------+------+ 5924 |6.2 | "Class SAStaticAction" | MUST | yes | 5925 +-------+-------------------------------------------------+--------+------+ 5926 | | saStaticActions | | | 5927 +-------+-------------------------------------------------+--------+------+ 5928 |6.2.1 | "Property LifetimeSeconds" | MUST | part | 5929 +-------+-------------------------------------------------+--------+------+ 5930 | | all support, static only with timeFilterTbl. 
| | | 5931 +-------+-------------------------------------------------+--------+------+ 5932 |6.3 | "Class IPsecBypassAction" | SHOULD | yes | 5933 +-------+-------------------------------------------------+--------+------+ 5934 | | saAcceptAction | | | 5935 +-------+-------------------------------------------------+--------+------+ 5936 |6.4 | "Class IPsecDiscardAction" | SHOULD | yes | 5937 +-------+-------------------------------------------------+--------+------+ 5938 | | saDropAction | | | 5939 +-------+-------------------------------------------------+--------+------+ 5940 |6.5 | "Class IKERejectAction" | MAY | yes | 5941 +-------+-------------------------------------------------+--------+------+ 5942 | | saRejectIKEAction | | | 5943 +-------+-------------------------------------------------+--------+------+ 5944 |6.6 | "Class PreconfiguredSAAction" | MUST | yes | 5945 +-------+-------------------------------------------------+--------+------+ 5946 | | saPreconfiguredActionTbl | | | 5947 +-------+-------------------------------------------------+--------+------+ 5948 |6.6.1 | "Property LifetimeKilobytes" | MUST | yes | 5949 +-------+-------------------------------------------------+--------+------+ 5950 | | saPrecon.ActionTbl::sapActionLifetimeKB | | | 5951 +-------+-------------------------------------------------+--------+------+ 5952 |6.7 | "Class PreconfiguredTransportAction" | MUST | yes | 5953 +-------+-------------------------------------------------+--------+------+ 5954 +-------+-------------------------------------------------+--------+------+ 5955 |Sect. | Objects | Req. | Sup. 
| 5956 +-------+-------------------------------------------------+--------+------+ 5957 | | saPrecon.ActionTbl::sapActionType | | | 5958 +-------+-------------------------------------------------+--------+------+ 5959 |6.8 | "Class PreconfiguredTunnelAction" | MUST | yes | 5960 +-------+-------------------------------------------------+--------+------+ 5961 | | saPrecon.ActionTbl::sapActionType | | | 5962 +-------+-------------------------------------------------+--------+------+ 5963 |6.8.1 | "Property DFHandling" | MUST | yes | 5964 +-------+-------------------------------------------------+--------+------+ 5965 | | saPreconfiguredActionTbl::sapDFHandling | | | 5966 +-------+-------------------------------------------------+--------+------+ 5967 |6.9 | "Class SANegotiationAction" | MUST | yes | 5968 +-------+-------------------------------------------------+--------+------+ 5969 | | ikeActionTbl | | | 5970 +-------+-------------------------------------------------+--------+------+ 5971 |6.10 | "Class IKENegotiationAction" | MUST | yes | 5972 +-------+-------------------------------------------------+--------+------+ 5973 | | ikeActionTbl | | | 5974 +-------+-------------------------------------------------+--------+------+ 5975 |6.10.1 | "Property MinLifetimeSeconds" | MAY | yes | 5976 +-------+-------------------------------------------------+--------+------+ 5977 | | saNegot.Param.Tbl::sanMin.LifetimeSeconds | | | 5978 +-------+-------------------------------------------------+--------+------+ 5979 |6.10.2 | "Property MinLifetimeKilobytes" | MAY | yes | 5980 +-------+-------------------------------------------------+--------+------+ 5981 | | saNegot.Param.Tbl::sanMin.LifetimeKB | | | 5982 +-------+-------------------------------------------------+--------+------+ 5983 |6.10.3 | "Property IdleDurationSeconds" | MAY | yes | 5984 +-------+-------------------------------------------------+--------+------+ 5985 | | saNegot.Tbl::sanIdleDurrationSeconds | | | 5986 
+-------+-------------------------------------------------+--------+------+ 5987 |6.11 | "Class IPsecAction" | MUST | yes | 5988 +-------+-------------------------------------------------+--------+------+ 5989 | | ipsecActionTbl | | | 5990 +-------+-------------------------------------------------+--------+------+ 5991 |6.11.1 | "Property UsePFS" | MUST | yes | 5992 +-------+-------------------------------------------------+--------+------+ 5993 | | ipsecActionTbl::ipesecUsePFS | | | 5994 +-------+-------------------------------------------------+--------+------+ 5995 |6.11.2 | "Property UseIKEGroup" | MAY | yes | 5996 +-------+-------------------------------------------------+--------+------+ 5997 | | ipsecActionTbl::ipesecUseIkeGroup | | | 5998 +-------+-------------------------------------------------+--------+------+ 5999 |6.11.3 | "Property GroupId" | MUST | yes | 6000 +-------+-------------------------------------------------+--------+------+ 6001 +-------+-------------------------------------------------+--------+------+ 6002 |Sect. | Objects | Req. | Sup. 
| 6003 +-------+-------------------------------------------------+--------+------+ 6004 | | ipsecActionTbl::ipsecGroudId | | | 6005 +-------+-------------------------------------------------+--------+------+ 6006 |6.11.4 | "Property Granularity" | SHOULD | yes | 6007 +-------+-------------------------------------------------+--------+------+ 6008 | | ipsecActionTbl::ipsecGranularity | | | 6009 +-------+-------------------------------------------------+--------+------+ 6010 |6.11.5 | "Property VendorID" | MAY | yes | 6011 +-------+-------------------------------------------------+--------+------+ 6012 | | ipsecActionTbl::vendorID | | | 6013 +-------+-------------------------------------------------+--------+------+ 6014 |6.12 | "Class IPsecTransportAction" | MUST | yes | 6015 +-------+-------------------------------------------------+--------+------+ 6016 | | ipsecActionTbl::ipsecMode | | | 6017 +-------+-------------------------------------------------+--------+------+ 6018 |6.13 | "Class IPsecTunnelAction" | MUST | yes | 6019 +-------+-------------------------------------------------+--------+------+ 6020 | | ipsecActionTbl::ipsecMode | | | 6021 +-------+-------------------------------------------------+--------+------+ 6022 |6.13.1 | "Property DFHandling" | MUST | yes | 6023 +-------+-------------------------------------------------+--------+------+ 6024 | | ipsecActionTbl::ipsecDFHandling | | | 6025 +-------+-------------------------------------------------+--------+------+ 6026 |6.14 | "Class IKEAction" | MUST | yes | 6027 +-------+-------------------------------------------------+--------+------+ 6028 | | ikeActionTbl | | | 6029 +-------+-------------------------------------------------+--------+------+ 6030 |6.14.1 | "Property ExchangeMode" | MUST | yes | 6031 +-------+-------------------------------------------------+--------+------+ 6032 | | ikeActionTbl::ikeExchangeMode | | | 6033 +-------+-------------------------------------------------+--------+------+ 
6034 |6.14.2 | "Property UseIKEIdentityType" | MUST | yes | 6035 +-------+-------------------------------------------------+--------+------+ 6036 | | ikeIdentityTbl::ikeIdType | | | 6037 +-------+-------------------------------------------------+--------+------+ 6038 |6.14.3 | "Property VendorID" | MAY | yes | 6039 +-------+-------------------------------------------------+--------+------+ 6040 | | ikeActionTbl::ipVendorID | | | 6041 +-------+-------------------------------------------------+--------+------+ 6042 |6.14.4 | "Property AggressiveModeGroupId" | MAY | yes | 6043 +-------+-------------------------------------------------+--------+------+ 6044 | | ikeProposalTbl::ipDhGroup | | | 6045 +-------+-------------------------------------------------+--------+------+ 6046 |6.15 | "Class PeerGateway" | MUST | yes | 6047 +-------+-------------------------------------------------+--------+------+ 6048 +-------+-------------------------------------------------+--------+------+ 6049 |Sect. | Objects | Req. | Sup. 
| 6050 +-------+-------------------------------------------------+--------+------+ 6051 | | peerIdentityTbl | | | 6052 +-------+-------------------------------------------------+--------+------+ 6053 |6.15.1 | "Property Name" | SHOULD | yes | 6054 +-------+-------------------------------------------------+--------+------+ 6055 | | peerIdentityTbl::peerIdName | | | 6056 +-------+-------------------------------------------------+--------+------+ 6057 |6.15.2 | "Property PeerIdentityType" | MUST | yes | 6058 +-------+-------------------------------------------------+--------+------+ 6059 | | peerIdentityTbl::peerIdType | | | 6060 +-------+-------------------------------------------------+--------+------+ 6061 |6.15.3 | "Property PeerIdentity" | MUST | yes | 6062 +-------+-------------------------------------------------+--------+------+ 6063 | | peerIdentityTbl::peerIdValue | | | 6064 +-------+-------------------------------------------------+--------+------+ 6065 |6.16 | "Assoc. Class PeerGatewayForTunnel" | MUST | yes | 6066 +-------+-------------------------------------------------+--------+------+ 6067 | | peerIdentityTbl | | | 6068 +-------+-------------------------------------------------+--------+------+ 6069 |6.16.1 | "Reference Antecedent" | MUST | yes | 6070 +-------+-------------------------------------------------+--------+------+ 6071 | | 0..n ipsec(tunnel)Actions->peerGateway | | | 6072 +-------+-------------------------------------------------+--------+------+ 6073 |6.16.2 | "Reference Dependent" | MUST | yes | 6074 +-------+-------------------------------------------------+--------+------+ 6075 | | 0..n peerGateway->ipsec(tunnel)Action | | | 6076 +-------+-------------------------------------------------+--------+------+ 6077 |6.16.3 | "Property SequenceNumber" | SHOULD | yes | 6078 +-------+-------------------------------------------------+--------+------+ 6079 | | filtersInCompoundFilterTbl::ficPriority | | | 6080 
+-------+-------------------------------------------------+--------+------+ 6081 |6.17 | "Aggregation Class ContainedProposal" | MUST | yes | 6082 +-------+-------------------------------------------------+--------+------+ 6083 | | ipsecProposalTbl & ikeActionProposalTbl | | | 6084 +-------+-------------------------------------------------+--------+------+ 6085 |6.17.1 | "Reference GroupComponent" | MUST | yes | 6086 +-------+-------------------------------------------------+--------+------+ 6087 | | 0..n proposal->action | | | 6088 +-------+-------------------------------------------------+--------+------+ 6089 |6.17.2 | "Reference PartComponent" | MUST | part | 6090 +-------+-------------------------------------------------+--------+------+ 6091 | | 1..n action->proposal not forced. | | | 6092 +-------+-------------------------------------------------+--------+------+ 6093 |6.17.3 | "Property SequenceNumber" | MUST | yes | 6094 +-------+-------------------------------------------------+--------+------+ 6095 +-------+-------------------------------------------------+--------+------+ 6096 |Sect. | Objects | Req. | Sup. | 6097 +-------+-------------------------------------------------+--------+------+ 6098 | | ispec/ikeAction proposal(s)Priority | | | 6099 +-------+-------------------------------------------------+--------+------+ 6100 |6.18 | "Assoc. Class HostedPeerGatewayInformation" | MAY | part | 6101 +-------+-------------------------------------------------+--------+------+ 6102 | | implicit connection peer gateway->system | | | 6103 +-------+-------------------------------------------------+--------+------+ 6104 |6.18.1 | "Reference Antecedent" | MUST | no | 6105 +-------+-------------------------------------------------+--------+------+ 6106 |6.18.2 | "Reference Dependent" | MUST | no | 6107 +-------+-------------------------------------------------+--------+------+ 6108 |6.19 | "Assoc. 
Class TransformOfPreconfig.Action" | MUST | yes | 6109 +-------+-------------------------------------------------+--------+------+ 6110 | | saPreconfiguredActionTbl | | | 6111 +-------+-------------------------------------------------+--------+------+ 6112 |6.19.1 | "Reference Antecedent" | MUST | yes | 6113 +-------+-------------------------------------------------+--------+------+ 6114 | | 2,4,6 preconfiguredAction-> in/out 1-3 | | | 6115 +-------+-------------------------------------------------+--------+------+ 6116 |6.19.2 | "Reference Dependent" | MUST | yes | 6117 +-------+-------------------------------------------------+--------+------+ 6118 | | 0..n transform->preconfiguredAction | | | 6119 +-------+-------------------------------------------------+--------+------+ 6120 |6.19.3 | "Property SPI" | MUST | yes | 6121 +-------+-------------------------------------------------+--------+------+ 6122 | | saPrecon.ActionTbl::AH/ESP/IPComp-SPI | | | 6123 +-------+-------------------------------------------------+--------+------+ 6124 |6.19.4 | "Property Direction" | MUST | yes | 6125 +-------+-------------------------------------------------+--------+------+ 6126 | | saPreconfiguredActionTbl::sapSADirection | | | 6127 +-------+-------------------------------------------------+--------+------+ 6128 |6.20 | "Assoc. 
Class PeerGtwy.ForPrecon.Tunnel" | MUST | yes | 6129 +-------+-------------------------------------------------+--------+------+ 6130 | | saPrecon.ActionTbl::sapPeerGtwy.IdName | | | 6131 +-------+-------------------------------------------------+--------+------+ 6132 |6.20.1 | "Reference Antecedent" | MUST | yes | 6133 +-------+-------------------------------------------------+--------+------+ 6134 | | 0..n preconfiguredActon->peerGateway | | | 6135 +-------+-------------------------------------------------+--------+------+ 6136 |6.20.2 | "Reference Dependent" | MUST | yes | 6137 +-------+-------------------------------------------------+--------+------+ 6138 | | 0..n peerGateway->precon.Action implicit | | | 6139 +-------+-------------------------------------------------+--------+------+ 6140 |7 | "Proposal and Transform Classes" | | | 6141 +-------+-------------------------------------------------+--------+------+ 6142 +-------+-------------------------------------------------+--------+------+ 6143 |Sect. | Objects | Req. | Sup. | 6144 +-------+-------------------------------------------------+--------+------+ 6145 |7.1 | "Abstract Class SAProposal" | MUST | yes | 6146 +-------+-------------------------------------------------+--------+------+ 6147 | | ipsec/ike/precon./static action objects | | | 6148 +-------+-------------------------------------------------+--------+------+ 6149 |7.1.1 | "Property Name" | SHOULD | yes | 6150 +-------+-------------------------------------------------+--------+------+ 6151 | | ipsec/ike/precon.-ActionProposalName | | | 6152 +-------+-------------------------------------------------+--------+------+ 6153 |7.2 | "Class IKEProposal" | MUST | yes | 6154 +-------+-------------------------------------------------+--------+------+ 6155 | | ikeActionProposalTbl | | | 6156 +-------+-------------------------------------------------+--------+------+ 6157 |7.2.1 | "Property CipherAlgo." 
                                                         | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ikeActionProp.Tbl::ipCipherAlgo.                |        |      |
+-------+-------------------------------------------------+--------+------+
|7.2.2  | "Property HashAlgo."                            | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ikeActionProp.Tbl::ipHashAlgo.                  |        |      |
+-------+-------------------------------------------------+--------+------+
|7.2.3  | "Property PRFAlgo."                             | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ikeActionProp.Tbl::ipPrfAlgo.                   |        |      |
+-------+-------------------------------------------------+--------+------+
|7.2.4  | "Property GroupId"                              | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ikeActionProp.Tbl::ipDhGroup                    |        |      |
+-------+-------------------------------------------------+--------+------+
|7.2.5  | "Property AuthenticationMethod"                 | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ikeActionProp.Tbl::ipAuthenticationMethod       |        |      |
+-------+-------------------------------------------------+--------+------+
|7.2.6  | "Property MaxLifetimeSeconds"                   | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ikeActionProp.Tbl::ipMaxLifetimeseconds         |        |      |
+-------+-------------------------------------------------+--------+------+
|7.2.7  | "Property MaxLifetimeKilobytes"                 | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ikeActionProp.Tbl::ipMaxLifetimeKB              |        |      |
+-------+-------------------------------------------------+--------+------+
|7.2.8  | "Property VendorID"                             | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ikeActionProp.Tbl::ipVendorId                   |        |      |
+-------+-------------------------------------------------+--------+------+
|Sect.  | Objects                                         | Req.   | Sup. |
+-------+-------------------------------------------------+--------+------+
|7.3    | "Class IPsecProposal"                           | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ipsecProposalTbl                                |        |      |
+-------+-------------------------------------------------+--------+------+
|7.4    | "Abstract Class SATransform"                    | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | AH/ESP/IPComp-TransformTbl                      |        |      |
+-------+-------------------------------------------------+--------+------+
|7.4.1  | "Property TransformName"                        | SHOULD | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ipsecProp.Tbl::ipsecProp.TransformName          |        |      |
+-------+-------------------------------------------------+--------+------+
|7.4.2  | "Property VendorID"                             | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ext. tables can add vendor transforms           |        |      |
+-------+-------------------------------------------------+--------+------+
|7.4.3  | "Property MaxLifetimeSeconds"                   | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | saNegot.Param.Tbl::sanMin.LifetimeSeconds       |        |      |
+-------+-------------------------------------------------+--------+------+
|7.4.4  | "Property MaxLifetimeKilobytes"                 | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | saNegot.Param.Tbl::sanMin.LifetimeKB            |        |      |
+-------+-------------------------------------------------+--------+------+
|7.5    | "Class AHTransform"                             | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ahTransformTbl                                  |        |      |
+-------+-------------------------------------------------+--------+------+
|7.5.1  | "Property AHTransformId"                        | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ahTransformTbl::ahtName                         |        |      |
+-------+-------------------------------------------------+--------+------+
|7.5.2  | "Property UseReplayPrevention"                  | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ahTransformTbl::ahtReplayProtection             |        |      |
+-------+-------------------------------------------------+--------+------+
|7.5.3  | "Property ReplayPreventionWindowSize"           | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ahTransformTbl::ahtReplayWindowSize             |        |      |
+-------+-------------------------------------------------+--------+------+
|7.6    | "Class ESPTransform"                            | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | espTransformTbl                                 |        |      |
+-------+-------------------------------------------------+--------+------+
|7.6.1  | "Property IntegrityTransformId"                 | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | espTransformTbl::esptIntegrityTransformId       |        |      |
+-------+-------------------------------------------------+--------+------+
|7.6.2  | "Property CipherTransformId"                    | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | espTransformTbl::esptCipherTransformId          |        |      |
+-------+-------------------------------------------------+--------+------+
|7.6.3  | "Property CipherKeyLength"                      | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | espTransformTbl::esptCipherKeyLength            |        |      |
+-------+-------------------------------------------------+--------+------+
|7.6.4  | "Property CipherKeyRounds"                      | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | espTransformTbl::esptCipherKeyRounds            |        |      |
+-------+-------------------------------------------------+--------+------+
|7.6.5  | "Property UseReplayPrevention"                  | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | espTransformTbl::esptReplayPrevention           |        |      |
+-------+-------------------------------------------------+--------+------+
|7.6.6  | "Property ReplayPreventionWindowSize"           | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | espTransformTbl::esptReplayWindowSize           |        |      |
+-------+-------------------------------------------------+--------+------+
|7.7    | "Class IPCOMPTransform"                         | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ipcompTransformTbl                              |        |      |
+-------+-------------------------------------------------+--------+------+
|7.7.1  | "Property Algo."                                | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ipcompTransformTbl::ipcompAlgo.                 |        |      |
+-------+-------------------------------------------------+--------+------+
|7.7.2  | "Property DictionarySize"                       | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ipcompTransformTbl::ipcompDictionarySize        |        |      |
+-------+-------------------------------------------------+--------+------+
|7.7.3  | "Property PrivateAlgo."                         | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ipcompTrans.Tbl::ipcompPrivateAlgo.             |        |      |
+-------+-------------------------------------------------+--------+------+
|7.8    | "Assoc. Class SAProposalInSystem"               | MAY    | part |
+-------+-------------------------------------------------+--------+------+
|       | implicit, MIB proposals=props. in system.       |        |      |
+-------+-------------------------------------------------+--------+------+
|7.8.1  | "Reference Antecedent"                          | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 1..1 SAProposal->System                         |        |      |
+-------+-------------------------------------------------+--------+------+
|7.8.2  | "Reference Dependent"                           | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n System->SAProposal                         |        |      |
+-------+-------------------------------------------------+--------+------+
|7.9    | "Aggregation Class ContainedTransform"          | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ipsecProp.Tbl::ipsecProp.TransformName          |        |      |
+-------+-------------------------------------------------+--------+------+
|7.9.1  | "Reference GroupComponent"                      | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n SATransforms->IPsecProposal                |        |      |
+-------+-------------------------------------------------+--------+------+
|7.9.2  | "Reference PartComponent"                       | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 1..n IPsecProposal->SATransform                 |        |      |
+-------+-------------------------------------------------+--------+------+
|7.9.3  | "Property SequenceNumber"                       | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ipsecProposalTbl::ipsecProposalsPriority        |        |      |
+-------+-------------------------------------------------+--------+------+
|7.10   | "Assoc. Class SATransformInSystem"              | MAY    | part |
+-------+-------------------------------------------------+--------+------+
|       | MIB transforms=transforms in that system        |        |      |
+-------+-------------------------------------------------+--------+------+
|7.10.1 | "Reference Antecedent"                          | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 1..1 SATransform->SystemInstance                |        |      |
+-------+-------------------------------------------------+--------+------+
|7.10.2 | "Reference Dependent"                           | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n SystemInstance->SATransform                |        |      |
+-------+-------------------------------------------------+--------+------+
|8      | "IKE Service and Identity Classes"              |        |      |
+-------+-------------------------------------------------+--------+------+
|8.1    | "Class IKEService"                              | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | implicit                                        |        |      |
+-------+-------------------------------------------------+--------+------+
|8.2    | "Class PeerIdentityTbl"                         | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | peerIdentityTbl                                 |        |      |
+-------+-------------------------------------------------+--------+------+
|8.2.1  | "Property Name"                                 | SHOULD | no   |
+-------+-------------------------------------------------+--------+------+
|8.3    | "Class PeerIdentityEntry"                       | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | peerIdentityTbl::PeerIdentityEntry              |        |      |
+-------+-------------------------------------------------+--------+------+
|8.3.1  | "Property PeerIdentity"                         | SHOULD | yes  |
+-------+-------------------------------------------------+--------+------+
|       | peerIdentityTbl::peerIdValue                    |        |      |
+-------+-------------------------------------------------+--------+------+
|8.3.2  | "Property PeerIdentityType"                     | SHOULD | yes  |
+-------+-------------------------------------------------+--------+------+
|       | peerIdentityTbl::peerIdType                     |        |      |
+-------+-------------------------------------------------+--------+------+
|8.3.3  | "Property PeerAddress"                          | SHOULD | yes  |
+-------+-------------------------------------------------+--------+------+
|       | peerIdentityTbl::peerIdAddress                  |        |      |
+-------+-------------------------------------------------+--------+------+
|8.3.4  | "Property PeerAddressType"                      | SHOULD | yes  |
+-------+-------------------------------------------------+--------+------+
|       | peerIdentityTbl::peerIdAddressType              |        |      |
+-------+-------------------------------------------------+--------+------+
|8.4    | "Class AutostartIKEConfiguration"               | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | autostartIkeTbl                                 |        |      |
+-------+-------------------------------------------------+--------+------+
|8.5    | "Class AutostartIKESetting"                     | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | AutostartIkeEntry                               |        |      |
+-------+-------------------------------------------------+--------+------+
|8.5.1  | "Property Phase1Only"                           | MAY    | part |
+-------+-------------------------------------------------+--------+------+
|       | autostartIke references both phase I/II         |        |      |
+-------+-------------------------------------------------+--------+------+
|8.5.2  | "Property AddressType"                          | SHOULD | yes  |
+-------+-------------------------------------------------+--------+------+
|       | autostartIkeTbl::autoIkeAddressType             |        |      |
+-------+-------------------------------------------------+--------+------+
|8.5.3  | "Property SourceAddress"                        | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | autostartIkeTbl::autoIkeSourceAddress           |        |      |
+-------+-------------------------------------------------+--------+------+
|8.5.4  | "Property SourcePort"                           | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | autostartIkeTbl::autoIkeSourcePort              |        |      |
+-------+-------------------------------------------------+--------+------+
|8.5.5  | "Property DestinationAddress"                   | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | autostartIkeTbl::autoIkeDestAddress             |        |      |
+-------+-------------------------------------------------+--------+------+
|8.5.6  | "Property DestinationPort"                      | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | autostartIkeTbl::autoIkeDestPort                |        |      |
+-------+-------------------------------------------------+--------+------+
|8.5.7  | "Property Protocol"                             | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | autostartIkeTbl::autoIkeProtocol                |        |      |
+-------+-------------------------------------------------+--------+------+
|8.6    | "Class IKEIdentity"                             | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ikeIdentityTbl                                  |        |      |
+-------+-------------------------------------------------+--------+------+
|8.6.1  | "Property IdentityType"                         | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ikeIdentityTbl::ikeIdentityType                 |        |      |
+-------+-------------------------------------------------+--------+------+
|8.6.2  | "Property IdentityValue"                        | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ikeIdentityTbl::ikeIdentityIdString             |        |      |
+-------+-------------------------------------------------+--------+------+
|8.6.3  | "Property IdentityContexts"                     | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ikeIdentityContext                              |        |      |
+-------+-------------------------------------------------+--------+------+
|8.7    | "Assoc. Class HostedPeerIdentityTbl"            | MAY    | part |
+-------+-------------------------------------------------+--------+------+
|       | MIB peerIdTbl=peerIdTbl on that system          |        |      |
+-------+-------------------------------------------------+--------+------+
|8.7.1  | "Reference Antecedent"                          | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 1..1 peerIdTbl->System                          |        |      |
+-------+-------------------------------------------------+--------+------+
|8.7.2  | "Reference Dependent"                           | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n System->peerIdTbl                          |        |      |
+-------+-------------------------------------------------+--------+------+
|8.8    | "Aggregation Class PeerIdentityMember"          | MAY    | part |
+-------+-------------------------------------------------+--------+------+
|       | PeerIdentityEntries=peerIdentityTbl rows        |        |      |
+-------+-------------------------------------------------+--------+------+
|8.8.1  | "Reference Collection"                          | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 1..1 ->PeerIdentityTbl                          |        |      |
+-------+-------------------------------------------------+--------+------+
|8.8.2  | "Reference Member"                              | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n ->PeerIdentityEntry                        |        |      |
+-------+-------------------------------------------------+--------+------+
|8.9    | "Assoc. Class IKEServicePeerGateway"            | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ikeActionTbl::ikePeerGatewayName                |        |      |
+-------+-------------------------------------------------+--------+------+
|8.9.1  | "Reference Antecedent"                          | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n IKEService->PeerGateway                    |        |      |
+-------+-------------------------------------------------+--------+------+
|8.9.2  | "Reference Dependent"                           | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n PeerGateway->IKEService                    |        |      |
+-------+-------------------------------------------------+--------+------+
|8.10   | "Assoc. Class IKEServicePeerIdentityTbl"        | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | peerIdTbl                                       |        |      |
+-------+-------------------------------------------------+--------+------+
|8.10.1 | "Reference Antecedent"                          | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n IKEService->peerIDTbl                      |        |      |
+-------+-------------------------------------------------+--------+------+
|8.10.2 | "Reference Dependent"                           | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n peerIDTbl->IKEService                      |        |      |
+-------+-------------------------------------------------+--------+------+
|8.11   | "Assoc. Class IKEAutostartSetting"              | MAY    | part |
+-------+-------------------------------------------------+--------+------+
|       | implicit, IKEService uses autostartIkeTbl       |        |      |
+-------+-------------------------------------------------+--------+------+
|8.11.1 | "Reference Element"                             | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n autostartIkeEntry->IKEService              |        |      |
+-------+-------------------------------------------------+--------+------+
|8.11.2 | "Reference Setting"                             | MUST   | no   |
+-------+-------------------------------------------------+--------+------+
|       | 0..n IKEService->autostartIkeEntry              |        |      |
+-------+-------------------------------------------------+--------+------+
|8.12   | "Aggreg. Class AutostartIKESettingContext"      | MAY    | part |
+-------+-------------------------------------------------+--------+------+
|       | 1< entries in autostartIkeTbl,Comp. Actions     |        |      |
+-------+-------------------------------------------------+--------+------+
|8.12.1 | "Reference Context"                             | MUST   | part |
+-------+-------------------------------------------------+--------+------+
|       | see above                                       |        |      |
+-------+-------------------------------------------------+--------+------+
|8.12.2 | "Reference Setting"                             | MUST   | part |
+-------+-------------------------------------------------+--------+------+
|       | see above                                       |        |      |
+-------+-------------------------------------------------+--------+------+
|8.12.3 | "Property SequenceNumber"                       | SHOULD | yes  |
+-------+-------------------------------------------------+--------+------+
|       | autostartIkeTbl::autoIkePriority                |        |      |
+-------+-------------------------------------------------+--------+------+
|8.13   | "Assoc. Class IKEServiceForEndpoint"            | MAY    | no   |
+-------+-------------------------------------------------+--------+------+
|       | associates IKEService to Endpoint               |        |      |
+-------+-------------------------------------------------+--------+------+
|8.13.1 | "Reference Antecedent"                          | MUST   | no   |
+-------+-------------------------------------------------+--------+------+
|8.13.2 | "Reference Dependent"                           | MUST   | no   |
+-------+-------------------------------------------------+--------+------+
|8.14   | "Assoc. Class IKEAutostartConfiguration"        | MAY    | part |
+-------+-------------------------------------------------+--------+------+
|       | IKEService->autostartIkeTbl on that system      |        |      |
+-------+-------------------------------------------------+--------+------+
|8.14.1 | "Reference Antecedent"                          | MUST   | no   |
+-------+-------------------------------------------------+--------+------+
|       | 0..n IKEService->autostartIKEConfig.            |        |      |
+-------+-------------------------------------------------+--------+------+
|8.14.2 | "Reference Dependent"                           | MUST   | NA   |
+-------+-------------------------------------------------+--------+------+
|       | 0..n autostartIKEConfiguration->IKEService      |        |      |
+-------+-------------------------------------------------+--------+------+
|8.14.3 | "Property Active"                               | SHOULD | no   |
+-------+-------------------------------------------------+--------+------+
|8.15   | "Assoc. Class IKEUsesCred.Mng.Service"          | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | CredentialFilterTbl::crfAcceptCredFrom          |        |      |
+-------+-------------------------------------------------+--------+------+
|8.15.1 | "Reference Antecedent"                          | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n IKEService->Cred.Mng.Service               |        |      |
+-------+-------------------------------------------------+--------+------+
|8.15.2 | "Reference Dependent"                           | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n Cred.ManagementService->IKEService         |        |      |
+-------+-------------------------------------------------+--------+------+
|8.16   | "Assoc. Class EndpointHasLocalIKEId."           | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | ikeIdentityTbl                                  |        |      |
+-------+-------------------------------------------------+--------+------+
|8.16.1 | "Reference Antecedent"                          | MUST   | part |
+-------+-------------------------------------------------+--------+------+
|       | 0..1 IkeIdentity->IPProto.Endpoint not forced   |        |      |
+-------+-------------------------------------------------+--------+------+
|8.16.2 | "Reference Dependent"                           | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n IPProtocolEndpoint->IkeIdentity            |        |      |
+-------+-------------------------------------------------+--------+------+
|8.17   | "Assoc. Class Collect.HasLocalIKEId."           | MAY    | part |
+-------+-------------------------------------------------+--------+------+
|       | 1< entries in IKEIdentityTbl, not grouped       |        |      |
+-------+-------------------------------------------------+--------+------+
|8.17.1 | "Reference Antecedent"                          | MUST   | part |
+-------+-------------------------------------------------+--------+------+
|       | 0..1 IkeIdentity->endpointCollection not forced |        |      |
+-------+-------------------------------------------------+--------+------+
|8.17.2 | "Reference Dependent"                           | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n endpoints->IkeIdentity                     |        |      |
+-------+-------------------------------------------------+--------+------+
|8.18   | "Assoc. Class IKEIdentitysCredential"           | MAY    | yes  |
+-------+-------------------------------------------------+--------+------+
|       | associates IKEIdentities to credentials         |        |      |
+-------+-------------------------------------------------+--------+------+
|8.18.1 | "Reference Antecedent"                          | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n IKEIdentity -> Credentials                 |        |      |
+-------+-------------------------------------------------+--------+------+
|8.18.2 | "Reference Dependent"                           | MUST   | yes  |
+-------+-------------------------------------------------+--------+------+
|       | 0..n credentials -> IKEIdentity                 |        |      |
+-------+-------------------------------------------------+--------+------+