idnits 2.17.1 draft-ietf-ipsp-ipsec-conf-mib-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 420: '... supporting IPv4 MUST support the ipv4...' RFC 2119 keyword, line 421: '... supporting IPv6 MUST support the ipv6...' RFC 2119 keyword, line 445: '...st of rules that MUST be applied to th...' RFC 2119 keyword, line 494: '...spGroupContPriority object and MUST be...' RFC 2119 keyword, line 497: '... processor MUST stop processing ...' (14 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 5096 has weird spacing: '... last row f...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 2003) is 7706 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2401 (ref. 'IPSEC') (Obsoleted by RFC 4301) ** Obsolete normative reference: RFC 2409 (ref. 'IKE') (Obsoleted by RFC 4306) Summary: 7 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IPSP Working Group M. Baer 3 Internet Draft Network Associates Inc 4 draft-ietf-ipsp-ipsec-conf-mib-06.txt R. Charlet 5 W. Hardaker 6 Network Associates Inc 7 R. Story 8 Revelstone Software 9 C. Wang 10 Smartpipes Inc 11 March 2003 13 IPsec Policy Configuration MIB module 14 draft-ietf-ipsp-ipsec-conf-mib-06.txt 16 Status of this Memo 18 This document is an Internet-Draft and is in full conformance with 19 all provisions of Section 10 of RFC2026. Internet-Drafts are 20 working documents of the Internet Engineering Task Force (IETF), its 21 areas, and its working groups. Note that other groups may also 22 distribute working documents as Internet-Drafts. 24 Internet-Drafts are draft documents valid for a maximum of six 25 months and may be updated, replaced, or obsoleted by other documents 26 at any time. It is inappropriate to use Internet-Drafts as 27 reference material or to cite them other than as "work in progress." 29 The list of current Internet-Drafts can be accessed at 30 http://www.ietf.org/ietf/1id-abstracts.txt 32 The list of Internet-Draft Shadow Directories can be accessed at 33 http://www.ietf.org/shadow.html. 35 Copyright Notice 37 Copyright (C) The Internet Society (2003). All Rights Reserved. 39 Abstract 41 This document defines a Management Information Base (MIB) module for 42 managing the Internet Security Protocol (IPsec) and Internet Key 43 Exchange (IKE) protocols and associated policies. Some of the 44 policy-based packet filtering and the corresponding execution of 45 actions is of a more general nature than for IPsec configuration 46 only. This MIB module is designed with future extensibility in 47 mind. It is thus possible to externally add other packet filters 48 and actions to the policy-based packet filtering system defined in 49 this document. 51 Table of Contents 53 1. Introduction ............................................ 3 54 2. The Internet-Standard Management Framework .............. 3 55 3. Relationship to the DMTF Policy Model ................... 3 56 4. MIB Module Overview ..................................... 5 57 5. Definitions ............................................. 5 58 ipspEndpointToGroupTable .............................. 9 59 ipspGroupContentsTable ............................... 12 60 ipspRuleDefinitionTable .............................. 15 61 ipspCompoundFilterTable .............................. 18 62 ipspSubfiltersTable .................................. 21 63 ipspIpHeaderFilterTable .............................. 24 64 ipspIpOffsetFilterTable .............................. 31 65 ipspTimeFilterTable .................................. 35 66 ipspIpsoHeaderFilterTable ............................ 39 67 ipspCredentialFilterTable ............................ 41 68 ipspPeerIdentityFilterTable .......................... 44 69 ipspCompoundActionTable .............................. 46 70 ipspSubactionsTable .................................. 48 71 ipspSaPreconfiguredActionTable ....................... 52 72 ipspSaNegotiationParametersTable ..................... 58 73 ipspIkeActionTable ................................... 61 74 ipspIkeActionProposalsTable .......................... 65 75 ipspIkeProposalTable ................................. 67 76 ipspIpsecActionTable ................................. 71 77 ipspIpsecProposalsTable .............................. 75 78 ipspIpsecTransformsTable ............................. 77 79 ipspAhTransformTable ................................. 80 80 ipspEspTransformTable ................................ 82 81 ipspIpcompTransformTable ............................. 86 82 ipspIkeIdentityTable ................................. 89 83 ipspPeerIdentityTable ................................ 90 84 ipspAutostartIkeTable ................................ 94 85 ipspIpsecCredMngServiceTable ......................... 97 86 ipspCredMngCRLTable .................................. 99 87 ipspRevokedCertificateTable ......................... 102 88 ipspCredentialTable ................................. 104 89 ipspCredentialSegmentTable .......................... 107 90 6. References ............................................ 139 91 6.1. Normative References .................................. 139 92 6.2. Informative References ................................ 140 93 7. Intellectual Property ................................. 140 94 8. Security Considerations ............................... 140 95 8.1. Introduction .......................................... 140 96 8.2. Protecting against in-authentic access ................ 141 97 8.3. Protecting against involuntary disclosure ............. 142 98 8.4. Bootstrapping your configuration ...................... 142 99 9. Acknowledgments ....................................... 142 100 10. Authors' Addresses .................................... 143 101 11. Full Copyright Statement .............................. 143 103 1. Introduction 105 This document defines a configuration MIB module for IPsec 106 [IPSEC]/IKE [IKE] policy. It does not define MIB modules for 107 monitoring the state of an IPsec device. It does not define MIB 108 modules for configuring other policy related actions. The purpose 109 of this MIB module is to allow administrators to be able to 110 configure policy with respect to the IPsec/IKE protocols. However, 111 some of the packet filtering and matching of conditions to actions 112 is of a more general nature than IPsec only. It is possible to add 113 other packet transforming actions to this MIB module if those 114 actions needed to be performed conditionally on filtered traffic. 116 2. The Internet-Standard Management Framework 118 For a detailed overview of the documents that describe the current 119 Internet-Standard Management Framework, please refer to section 7 of 120 RFC 3410 [RFC3410] 122 Managed objects are accessed via a virtual information store, termed 123 the Management Information Base or MIB. MIB objects are generally 124 accessed through the Simple Network Management Protocol (SNMP). 125 Objects in the MIB are defined using the mechanisms defined in the 126 Structure of Management Information (SMI). This memo specifies a 127 MIB module that is compliant to the SMIv2, which is described in STD 128 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 129 2580 [RFC2580]. 131 3. Relationship to the DMTF Policy Model 133 The Distributed Management Task Force has created an object oriented 134 model of IPsec policy information known as the IPsec Policy Model 135 White Paper [IPSECPM]. The contents of this document are also 136 reflected in the internet draft (RFCXXXX) "IPsec Configuration 137 Policy Model" (IPCP) [IPCP]. This MIB module is a task specific 138 derivation of the IPCP for use with SNMPv3. 140 The high-level areas where this MIB module diverges from the IPCP 141 model are: 143 o Policies, Groups, Conditions, and some levels of Action are 144 generically named. That is we dropped prefixes like "SA", or 145 "ipsec". This is because we feel that packet classification 146 and matching of conditions to actions is more general than 147 IPsec and could possibly be reused by other packet 148 transforming actions which need to conditionally act on 149 packets matching filters. 151 o Filters are implemented in a more generic and scalable 152 manner, rather than enforcing the condition/filtering 153 pairing and their restrictions upon the user. The MIB 154 module offers a compound filter object to provide for 155 greater flexibility when creating complex filters. 157 4. MIB Module Overview 159 The MIB module is modularized into several different parts: rules, 160 filters, and actions. The rules section connects endpoints and 161 groups of rules together. This is partially made up of the 162 ipspEndpointToGroupTable, ipspGroupContentsTable, and the 163 ipspRuleDefinitionTable. Each row of the ipspRuleDefinitionTable 164 connects a filter(s) with an action(s). It is structured to allow 165 for reuse through the future creation of extension tables that 166 provide additional filters and/or actions. 168 The filter section of the MIB module is composed of all the 169 different types of filters in the Policy Model. It is partially 170 made up of the trueFilter, ipspCompoundFilterTable, 171 ipspIpHeaderFilterTable, ipspIpOffsetFilterTable, 172 ipspTimeFilterTable, ipspIpsoHeaderFilterTable, 173 ipspCredentialFilterTable, and the ipspPeerIdentityFilterTable. 175 The action section of the MIB module contains different action types 176 from the Policy Model. It is also separated into Firewall actions 177 (accept, drop, log, ...), IKE actions, and IPsec actions. It is 178 partially made up of the ipspStaticActions, ipspCompoundActionTable, 179 ipspSaPreconfiguredActionTable, ipspIkeActionTable, 180 ipspIkeActionProposalsTable, ipspIkeIdentityTable, 181 ipspPeerIdentityTable, ipspIpsecActionTable, 182 ipspIpsecProposalsTable, ipspIpsecTransformsTable, 183 ipspAhTransformTable, and the ipspEspTransformTable. 185 5. Definitions 187 IPSEC-POLICY-MIB DEFINITIONS ::= BEGIN 189 IMPORTS 190 MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Integer32, 191 Unsigned32, mib-2, experimental FROM SNMPv2-SMI 193 TEXTUAL-CONVENTION, RowStatus, TruthValue, 194 TimeStamp, StorageType, VariablePointer, DateAndTime 195 FROM SNMPv2-TC 197 MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP 198 FROM SNMPv2-CONF 200 SnmpAdminString FROM SNMP-FRAMEWORK-MIB 201 InetAddressType, InetAddress, InetPortNumber 202 FROM INET-ADDRESS-MIB 204 IkeHashAlgorithm, 205 IpsecDoiEncapsulationMode, 206 IpsecDoiIpcompTransform, 207 IpsecDoiAuthAlgorithm, 208 IpsecDoiEspTransform, 209 IpsecDoiSecProtocolId, 210 IkeGroupDescription, IpsecDoiIdentType, 211 IkeEncryptionAlgorithm, IkeAuthMethod 212 FROM IPSEC-ISAKMP-IKE-DOI-TC; 214 -- 215 -- module identity 216 -- 218 ipspMIB MODULE-IDENTITY 219 LAST-UPDATED "200212100000Z" -- 12 December 2002 220 ORGANIZATION "IETF IP Security Policy Working Group" 221 CONTACT-INFO "Michael Baer 222 Network Associates, Inc. 223 3965 Freedom Circle, Suite 500 224 Santa Clara, CA 95054 225 Phone: +1 530 902 3131 226 Email: mike_baer@nai.com 228 Ricky Charlet 229 Email: rcharlet@alumni.calpoly.edu 231 Wes Hardaker 232 Network Associates, Inc. 233 3965 Freedom Circle, Suite 500 234 Santa Clara, CA 95054 235 Phone: +1 530 400 2774 236 Email: wes_hardaker@nai.com 238 Robert Story 239 Revelstone Software 240 PO Box 1474 241 Duluth, GA 30096 242 Phone: +1 770 617 3722 243 Email: ipsp-mib@revelstone.com 245 Cliff Wang 246 SmartPipes Inc. 247 Suite 300, 565 Metro Place South 248 Dublin, OH 43017 249 Phone: +1 614 923 6241 250 E-Mail: CWang@smartpipes.com" 251 DESCRIPTION 252 "The MIB module for defining IPsec Policy filters and actions. 254 Copyright (C) The Internet Society (2003). This version of this 255 MIB module is part of RFC XXXX, see the RFC itself for full 256 legal notices." 258 -- Revision History 260 REVISION "200301070000Z" -- 7 January 2003 261 DESCRIPTION "Initial version, published as RFC xxxx." 262 -- RFC-editor assigns xxxx 264 -- XXX: To be assigned by IANA 265 ::= { mib-2 XXX } 267 -- 268 -- groups of related objects 269 -- 271 ipspConfigObjects OBJECT IDENTIFIER 272 ::= { ipspMIB 1 } 273 ipspNotificationObjects OBJECT IDENTIFIER 274 ::= { ipspMIB 2 } 275 ipspConformanceObjects OBJECT IDENTIFIER 276 ::= { ipspMIB 3 } 278 -- 279 -- Textual Conventions 280 -- 282 IpspBooleanOperator ::= TEXTUAL-CONVENTION 283 STATUS current 284 DESCRIPTION 285 "The IpspBooleanOperator operator is used to specify whether 286 sub-components in a decision making process are ANDed or ORed 287 together to decide if the resulting expression is true or 288 false." 289 SYNTAX INTEGER { or(1), and(2) } 291 IpspAdminStatus ::= TEXTUAL-CONVENTION 292 STATUS current 293 DESCRIPTION 294 "The IpspAdminStatus is used to specify the administrative 295 status of an object. Objects which are disabled must not 296 be used by the packet processing engine." 298 SYNTAX INTEGER { enabled(1), disabled(2) } 300 IpspSADirection ::= TEXTUAL-CONVENTION 301 STATUS current 302 DESCRIPTION 303 "The IpspSADirection operator is used to specify whether 304 or not a row should apply to outgoing or incoming SAs." 305 SYNTAX INTEGER { outgoing(1), incoming(2) } 307 IpspIPPacketLogging ::= TEXTUAL-CONVENTION 308 STATUS current 309 DESCRIPTION 310 "IpspIPPacketLogging specifies whether or not an audit 311 message should be logged when a packet is passed through an 312 SA. A value of '-1' indicates no logging. A value of '0' or 313 greater indicates that logging should be done and how many 314 bytes of the beginning of the packet to place in the log. 315 Values greater than the size of the packet being processed 316 indicate that the entire packet should be sent. 318 Examples: 319 '-1' no logging 320 '0' log but do not include any of the packet in the log 321 '20' log and include the first 20 bytes of the packet in the 322 log." 323 SYNTAX Integer32 (-1..65536) 325 IpspIdentityFilter ::= TEXTUAL-CONVENTION 326 STATUS current 327 DESCRIPTION 328 "IpspIdentityFilter contains a string encoded Identity Type 329 value to be used in comparisons against an IKE Identity 330 payload. Wherever this TC is used, there should be an 331 accompanying column which uses the IpsecDoiIdentType TC to 332 specify the type of data in this object. 334 See the IpsecDoiIdentType TC for the supported identity types 335 available. Note that the IpsecDoiIdentType TC sepcifies how 336 to encode binary values, while this object will contain human 337 readable string versions." 338 SYNTAX OCTET STRING (SIZE(1..256)) 340 IpspCredentialType ::= TEXTUAL-CONVENTION 341 STATUS current 342 DESCRIPTION 343 "IpspCredentialType identifies the type of credential 344 contained in a corresponding IpspIdentityFilter object." 345 SYNTAX INTEGER { reserved(0), 346 unknown(1), 347 sharedSecret(2), 348 x509(3), 349 kerberos(4) } 351 -- 352 -- Policy group definitions 353 -- 355 ipspLocalConfigObjects OBJECT IDENTIFIER 356 ::= { ipspConfigObjects 1 } 358 ipspSystemPolicyGroupName OBJECT-TYPE 359 SYNTAX SnmpAdminString (SIZE(0..32)) 360 MAX-ACCESS read-write 361 STATUS current 362 DESCRIPTION 363 "This object indicates the policy group containing the global 364 system policy that is to be applied when a given endpoint 365 does not contain a policy definition. Its value can be used 366 as an index into the ipspGroupContentsTable to retrieve a 367 list of policies. A zero length string indicates no system 368 wide policy exists and the default policy of 'accept' should 369 be executed until one is imposed by either this object or by 370 the endpoint processing a given packet." 371 ::= { ipspLocalConfigObjects 1 } 373 ipspEndpointToGroupTable OBJECT-TYPE 374 SYNTAX SEQUENCE OF IpspEndpointToGroupEntry 375 MAX-ACCESS not-accessible 376 STATUS current 377 DESCRIPTION 378 "This table is used to map policy (groupings) onto an endpoint 379 where traffic is to pass by. Any policy group assigned to an 380 endpoint is then used to control access to the traffic 381 passing by it. 383 If an endpoint has been configured with a policy group and no 384 contained rule matches the incoming packet, the default 385 action in this case shall be to drop the packet. 387 If no policy group has been assigned to an endpoint, then the 388 policy group specified by ipspSystemPolicyGroupName should be 389 used for the endpoint." 390 ::= { ipspConfigObjects 2 } 392 ipspEndpointToGroupEntry OBJECT-TYPE 393 SYNTAX IpspEndpointToGroupEntry 394 MAX-ACCESS not-accessible 395 STATUS current 396 DESCRIPTION 397 "A mapping assigning a policy group to an endpoint." 398 INDEX { ipspEndGroupIdentType, ipspEndGroupAddress } 399 ::= { ipspEndpointToGroupTable 1 } 401 IpspEndpointToGroupEntry ::= SEQUENCE { 402 ipspEndGroupIdentType InetAddressType, 403 ipspEndGroupAddress InetAddress, 404 ipspEndGroupName SnmpAdminString, 405 ipspEndGroupLastChanged TimeStamp, 406 ipspEndGroupStorageType StorageType, 407 ipspEndGroupRowStatus RowStatus 408 } 410 ipspEndGroupIdentType OBJECT-TYPE 411 SYNTAX InetAddressType 412 MAX-ACCESS not-accessible 413 STATUS current 414 DESCRIPTION 415 "The Internet Protocol version of the address associated with 416 a given endpoint. All addresses are represented as an array 417 of octets in network byte order. When combined with the 418 ipspEndGroupAddress these objects can be used to uniquely 419 identify an endpoint that a set of policy groups should be 420 applied to. Devices supporting IPv4 MUST support the ipv4 421 value, and devices supporting IPv6 MUST support the ipv6 422 value. 424 Values of unknown, ipv4z, ipv6z and dns are not legal values 425 for this object." 426 ::= { ipspEndpointToGroupEntry 1 } 428 ipspEndGroupAddress OBJECT-TYPE 429 SYNTAX InetAddress (SIZE (4|16)) 430 MAX-ACCESS not-accessible 431 STATUS current 432 DESCRIPTION 433 "The address of a given endpoint, the format of which is 434 specified by the ipspEndGroupIdentType object." 435 ::= { ipspEndpointToGroupEntry 2 } 437 ipspEndGroupName OBJECT-TYPE 438 SYNTAX SnmpAdminString (SIZE(1..32)) 439 MAX-ACCESS read-create 440 STATUS current 441 DESCRIPTION 442 "The policy group name to apply to this endpoint. The 443 value of the ipspEndGroupName object should then be used as 444 an index into the ipspGroupContentsTable to come up with a 445 list of rules that MUST be applied to this endpoint." 446 ::= { ipspEndpointToGroupEntry 3 } 448 ipspEndGroupLastChanged OBJECT-TYPE 449 SYNTAX TimeStamp 450 MAX-ACCESS read-only 451 STATUS current 452 DESCRIPTION 453 "The value of sysUpTime when this row was last modified or 454 created either through SNMP SETs or by some other external 455 means." 456 ::= { ipspEndpointToGroupEntry 4 } 458 ipspEndGroupStorageType OBJECT-TYPE 459 SYNTAX StorageType 460 MAX-ACCESS read-create 461 STATUS current 462 DESCRIPTION 463 "The storage type for this row. Rows in this table which were 464 created through an external process may have a storage type 465 of readOnly or permanent." 466 DEFVAL { nonVolatile } 467 ::= { ipspEndpointToGroupEntry 5 } 469 ipspEndGroupRowStatus OBJECT-TYPE 470 SYNTAX RowStatus 471 MAX-ACCESS read-create 472 STATUS current 473 DESCRIPTION 474 "This object indicates the conceptual status of this row. 476 The value of this object has no effect on whether other 477 objects in this conceptual row can be modified. 479 This object may not be set to active until one or more active 480 rows exist within the ipspGroupContentsTable for the group 481 referenced by the ipspEndGroupName object." 482 ::= { ipspEndpointToGroupEntry 6 } 484 -- 485 -- policy group definition table 486 -- 487 ipspGroupContentsTable OBJECT-TYPE 488 SYNTAX SEQUENCE OF IpspGroupContentsEntry 489 MAX-ACCESS not-accessible 490 STATUS current 491 DESCRIPTION 492 "This table contains a list of rules and/or subgroups 493 contained within a given policy group. The entries are 494 sorted by the ipspGroupContPriority object and MUST be 495 executed in order according to this value, starting with the 496 lowest value. Once a group item has been processed, the 497 processor MUST stop processing this packet if an action was 498 executed as a result of the processing of a given group. 499 Iterating into the next policy group item by finding the next 500 largest ipspGroupContPriority object shall only be done if no 501 actions were run when processing the last item for a given 502 packet." 503 ::= { ipspConfigObjects 3 } 505 ipspGroupContentsEntry OBJECT-TYPE 506 SYNTAX IpspGroupContentsEntry 507 MAX-ACCESS not-accessible 508 STATUS current 509 DESCRIPTION 510 "Defines a given sub-item within a policy group." 511 INDEX { ipspGroupContName, ipspGroupContPriority } 512 ::= { ipspGroupContentsTable 1 } 514 IpspGroupContentsEntry ::= SEQUENCE { 515 ipspGroupContName SnmpAdminString, 516 ipspGroupContPriority Integer32, 517 ipspGroupContFilter VariablePointer, 518 ipspGroupContComponentType INTEGER, 519 ipspGroupContComponentName SnmpAdminString, 520 ipspGroupContLastChanged TimeStamp, 521 ipspGroupContStorageType StorageType, 522 ipspGroupContRowStatus RowStatus 523 } 525 ipspGroupContName OBJECT-TYPE 526 SYNTAX SnmpAdminString (SIZE(1..32)) 527 MAX-ACCESS not-accessible 528 STATUS current 529 DESCRIPTION 530 "The administrative name of this group." 531 ::= { ipspGroupContentsEntry 1 } 533 ipspGroupContPriority OBJECT-TYPE 534 SYNTAX Integer32 (0..65536) 535 MAX-ACCESS not-accessible 536 STATUS current 537 DESCRIPTION 538 "The priority (sequence number) of the sub-component in this 539 group." 540 ::= { ipspGroupContentsEntry 2 } 542 ipspGroupContFilter OBJECT-TYPE 543 SYNTAX VariablePointer 544 MAX-ACCESS read-create 545 STATUS current 546 DESCRIPTION 547 "ipspGroupContFilter points to a filter which is evaluated 548 to determine whether the sub-component within this group 549 should be exercised. Managers can use this object to 550 classify groups of rules or subgroups together in order to 551 achieve a greater degree of control and optimization over the 552 execution order of the items within the group. If the filter 553 evaluates to false, the rule or subgroup will be skipped and 554 the next rule or subgroup will be evaluated instead. 556 An example usage of this object would be to limit a group of 557 rules to executing only when the IP packet being process is 558 designated to be processed by IKE. This effecitevly creates 559 a group of IKE specific rules. 561 This MIB defines the following tables and scalars which may 562 be pointed to by this column. Implementations may choose to 563 provide support for other filter tables or scalars as well: 565 ipspIpHeaderFilterTable 566 ipspIpOffsetFilterTable 567 ipspTimeFilterTable 568 ipspCompoundFilterTable 569 ipspTrueFilter 571 If this column is set to a VariablePointer value which 572 references a non-existent row in an otherwise supported 573 table, the inconsistentName exception should be returned. If 574 the table or scalar pointed to by the VariablePointer is not 575 supported at all, then an inconsistentValue exception should 576 be returned." 577 DEFVAL { ipspTrueFilterInstance } 578 ::= { ipspGroupContentsEntry 3 } 580 ipspGroupContComponentType OBJECT-TYPE 581 SYNTAX INTEGER { reserved(0), group(1), rule(2) } 582 MAX-ACCESS read-create 583 STATUS current 584 DESCRIPTION 585 "Indicates whether the ipspGroupContComponentName object is 586 the name of another group defined within the 587 ipspGroupContentsTable or is the name of a rule defined 588 within the ipspRuleDefinitionTable." 589 DEFVAL { rule } 590 ::= { ipspGroupContentsEntry 4 } 592 ipspGroupContComponentName OBJECT-TYPE 593 SYNTAX SnmpAdminString (SIZE(1..32)) 594 MAX-ACCESS read-create 595 STATUS current 596 DESCRIPTION 597 "The name of the policy rule or subgroup contained within this 598 group, as indicated by the ipspGroupContComponentType 599 object." 600 ::= { ipspGroupContentsEntry 5 } 602 ipspGroupContLastChanged OBJECT-TYPE 603 SYNTAX TimeStamp 604 MAX-ACCESS read-only 605 STATUS current 606 DESCRIPTION 607 "The value of sysUpTime when this row was last modified or 608 created either through SNMP SETs or by some other external 609 means." 610 ::= { ipspGroupContentsEntry 6 } 612 ipspGroupContStorageType OBJECT-TYPE 613 SYNTAX StorageType 614 MAX-ACCESS read-create 615 STATUS current 616 DESCRIPTION 617 "The storage type for this row. Rows in this table which were 618 created through an external process may have a storage type 619 of readOnly or permanent." 620 DEFVAL { nonVolatile } 621 ::= { ipspGroupContentsEntry 7 } 623 ipspGroupContRowStatus OBJECT-TYPE 624 SYNTAX RowStatus 625 MAX-ACCESS read-create 626 STATUS current 627 DESCRIPTION 628 "This object indicates the conceptual status of this row. 630 The value of this object has no effect on whether other 631 objects in this conceptual row can be modified. 633 This object may not be set to active until the row to which 634 the ipspGroupContComponentName points to exists." 635 ::= { ipspGroupContentsEntry 8 } 637 -- 638 -- policy definition table 639 -- 641 ipspRuleDefinitionTable OBJECT-TYPE 642 SYNTAX SEQUENCE OF IpspRuleDefinitionEntry 643 MAX-ACCESS not-accessible 644 STATUS current 645 DESCRIPTION 646 "This table defines a policy rule by associating a filter or a 647 set of filters to an action to be executed." 648 ::= { ipspConfigObjects 4 } 650 ipspRuleDefinitionEntry OBJECT-TYPE 651 SYNTAX IpspRuleDefinitionEntry 652 MAX-ACCESS not-accessible 653 STATUS current 654 DESCRIPTION 655 "A row defining a particular policy definition. A rule 656 definition binds a filter pointer to an action pointer." 657 INDEX { ipspRuleDefName } 658 ::= { ipspRuleDefinitionTable 1 } 660 IpspRuleDefinitionEntry ::= SEQUENCE { 661 ipspRuleDefName SnmpAdminString, 662 ipspRuleDefDescription SnmpAdminString, 663 ipspRuleDefFilter VariablePointer, 664 ipspRuleDefFilterNegated TruthValue, 665 ipspRuleDefAction VariablePointer, 666 ipspRuleDefAdminStatus IpspAdminStatus, 667 ipspRuleDefLastChanged TimeStamp, 668 ipspRuleDefStorageType StorageType, 669 ipspRuleDefRowStatus RowStatus 670 } 672 ipspRuleDefName OBJECT-TYPE 673 SYNTAX SnmpAdminString (SIZE(1..32)) 674 MAX-ACCESS not-accessible 675 STATUS current 676 DESCRIPTION 677 "ipspRuleDefName is the administratively assigned name of the 678 rule referred to by the ipspGroupContComponentName object." 679 ::= { ipspRuleDefinitionEntry 1 } 681 ipspRuleDefDescription OBJECT-TYPE 682 SYNTAX SnmpAdminString 683 MAX-ACCESS read-create 684 STATUS current 685 DESCRIPTION 686 "A user definable string. This field may be used for your 687 administrative tracking purposes." 688 DEFVAL { "" } 689 ::= { ipspRuleDefinitionEntry 2 } 691 ipspRuleDefFilter OBJECT-TYPE 692 SYNTAX VariablePointer 693 MAX-ACCESS read-create 694 STATUS current 695 DESCRIPTION 696 "ipspRuleDefFilter points to a filter which is used to 697 evaluate whether the action associated with this row should 698 be fired or not. The action will only fire if the filter 699 referenced by this object evaluates to TRUE after first 700 applying any negation required by the 701 ipspRuleDefFilterNegated object. 703 This MIB defines the following tables and scalars which may 704 be pointed to by this column. Implementations may choose to 705 provide support for other filter tables or scalars as well: 707 ipspIpHeaderFilterTable 708 ipspIpOffsetFilterTable 709 ipspTimeFilterTable 710 ipspCompoundFilterTable 711 ipspTrueFilter 713 If this column is set to a VariablePointer value which 714 references a non-existent row in an otherwise supported 715 table, the inconsistentName exception should be returned. If 716 the table or scalar pointed to by the VariablePointer is not 717 supported at all, then an inconsistentValue exception should 718 be returned." 719 ::= { ipspRuleDefinitionEntry 3 } 721 ipspRuleDefFilterNegated OBJECT-TYPE 722 SYNTAX TruthValue 723 MAX-ACCESS read-create 724 STATUS current 725 DESCRIPTION 726 "ipspRuleDefFilterNegated specifies whether the filter 727 referenced by the ipspRuleDefFilter object should be negated 728 or not." 729 DEFVAL { false } 730 ::= { ipspRuleDefinitionEntry 4 } 732 ipspRuleDefAction OBJECT-TYPE 733 SYNTAX VariablePointer 734 MAX-ACCESS read-create 735 STATUS current 736 DESCRIPTION 737 "This column points to the action to be taken. It may, but is 738 not limited to, point to a row in one of the following 739 tables: 741 ipspCompoundActionTable 742 ipspSaPreconfiguredActionTable 743 ipspIkeActionTable 744 ipspIpsecActionTable 746 It may also point to one of the scalar objects beneath 747 ipspStaticActions. 749 If this object is set to a pointer to a row in an unsupported 750 (or unknown) table, an inconsistentValue error should be 751 returned. 753 If this object is set to point to a non-existent row in an 754 otherwise supported table, an inconsistentName error should 755 be returned." 756 ::= { ipspRuleDefinitionEntry 5 } 758 ipspRuleDefAdminStatus OBJECT-TYPE 759 SYNTAX IpspAdminStatus 760 MAX-ACCESS read-create 761 STATUS current 762 DESCRIPTION 763 "Indicates whether the current rule definition should be 764 considered active. If enabled, it should be evaluated when 765 processing packets. If disabled, packets should continue to 766 be processed by the rest of the rules defined in the 767 ipspGroupContentsTable as if this rule's filters had 768 effectively failed." 769 DEFVAL { enabled } 770 ::= { ipspRuleDefinitionEntry 6 } 772 ipspRuleDefLastChanged OBJECT-TYPE 773 SYNTAX TimeStamp 774 MAX-ACCESS read-only 775 STATUS current 776 DESCRIPTION 777 "The value of sysUpTime when this row was last modified or 778 created either through SNMP SETs or by some other external 779 means." 780 ::= { ipspRuleDefinitionEntry 7 } 782 ipspRuleDefStorageType OBJECT-TYPE 783 SYNTAX StorageType 784 MAX-ACCESS read-create 785 STATUS current 786 DESCRIPTION 787 "The storage type for this row. Rows in this table which were 788 created through an external process may have a storage type 789 of readOnly or permanent." 790 DEFVAL { nonVolatile } 791 ::= { ipspRuleDefinitionEntry 8 } 793 ipspRuleDefRowStatus OBJECT-TYPE 794 SYNTAX RowStatus 795 MAX-ACCESS read-create 796 STATUS current 797 DESCRIPTION 798 "This object indicates the conceptual status of this row. 800 The value of this object has no effect on whether other 801 objects in this conceptual row can be modified. 803 This object may not be set to active until the containing 804 contitions, filters and actions have been defined. Once 805 active, it must remain active until no policyGroupContents 806 entries are referencing it." 807 ::= { ipspRuleDefinitionEntry 9 } 809 -- 810 -- Policy compound filter definition table 811 -- 813 ipspCompoundFilterTable OBJECT-TYPE 814 SYNTAX SEQUENCE OF IpspCompoundFilterEntry 815 MAX-ACCESS not-accessible 816 STATUS current 817 DESCRIPTION 818 "A table defining a compound set of filters and their 819 associated parameters. A row in this table can either be 820 pointed to by a ipspRuleDefFilter object or by a ficSubFilter 821 object." 823 ::= { ipspConfigObjects 5 } 825 ipspCompoundFilterEntry OBJECT-TYPE 826 SYNTAX IpspCompoundFilterEntry 827 MAX-ACCESS not-accessible 828 STATUS current 829 DESCRIPTION 830 "An entry in the ipspCompoundFilterTable. A filter defined by 831 this table is considered to have a TRUE return value if and 832 only if: 834 ipspCompFiltLogicType is AND and all of the sub-filters 835 associated with it, as defined in the ipspSubfiltersTable, 836 are all true themselves (after applying any requried 837 negation as defined by the ficFilterIsNegated object). 839 ipspCompFiltLogicType is OR and at least one of the 840 sub-filters associated with it, as defined in the 841 ipspSubfiltersTable, is true itself (after applying any 842 requried negation as defined by the ficFilterIsNegated 843 object)." 844 INDEX { ipspCompFiltName } 845 ::= { ipspCompoundFilterTable 1 } 847 IpspCompoundFilterEntry ::= SEQUENCE { 848 ipspCompFiltName SnmpAdminString, 849 ipspCompFiltDescription SnmpAdminString, 850 ipspCompFiltLogicType IpspBooleanOperator, 851 ipspCompFiltLastChanged TimeStamp, 852 ipspCompFiltStorageType StorageType, 853 ipspCompFiltRowStatus RowStatus 854 } 856 ipspCompFiltName OBJECT-TYPE 857 SYNTAX SnmpAdminString (SIZE(1..32)) 858 MAX-ACCESS not-accessible 859 STATUS current 860 DESCRIPTION 861 "A user definable string. You may use this field for your 862 administrative tracking purposes." 863 ::= { ipspCompoundFilterEntry 1 } 865 ipspCompFiltDescription OBJECT-TYPE 866 SYNTAX SnmpAdminString 867 MAX-ACCESS read-create 868 STATUS current 869 DESCRIPTION 870 "A user definable string. You may use this field for your 871 administrative tracking purposes." 872 DEFVAL { ''H } 873 ::= { ipspCompoundFilterEntry 2 } 875 ipspCompFiltLogicType OBJECT-TYPE 876 SYNTAX IpspBooleanOperator 877 MAX-ACCESS read-create 878 STATUS current 879 DESCRIPTION 880 "Indicates whether the filters contained within this filter 881 are functionally ANDed or ORed together." 882 DEFVAL { and } 883 ::= { ipspCompoundFilterEntry 3 } 885 ipspCompFiltLastChanged OBJECT-TYPE 886 SYNTAX TimeStamp 887 MAX-ACCESS read-only 888 STATUS current 889 DESCRIPTION 890 "The value of sysUpTime when this row was last modified or 891 created either through SNMP SETs or by some other external 892 means." 893 ::= { ipspCompoundFilterEntry 4 } 895 ipspCompFiltStorageType OBJECT-TYPE 896 SYNTAX StorageType 897 MAX-ACCESS read-create 898 STATUS current 899 DESCRIPTION 900 "The storage type for this row. Rows in this table which were 901 created through an external process may have a storage type 902 of readOnly or permanent." 903 DEFVAL { nonVolatile } 904 ::= { ipspCompoundFilterEntry 5 } 906 ipspCompFiltRowStatus OBJECT-TYPE 907 SYNTAX RowStatus 908 MAX-ACCESS read-create 909 STATUS current 910 DESCRIPTION 911 "This object indicates the conceptual status of this row. 913 The value of this object has no effect on whether other 914 objects in this conceptual row can be modified. 916 Once active, it may not have its value changed if any active 917 rows in the ipspRuleDefinitionTable are currently pointing 918 at this row." 919 ::= { ipspCompoundFilterEntry 6 } 921 -- 922 -- Policy filters in a cf table 923 -- 925 ipspSubfiltersTable OBJECT-TYPE 926 SYNTAX SEQUENCE OF IpspSubfiltersEntry 927 MAX-ACCESS not-accessible 928 STATUS current 929 DESCRIPTION 930 "This table defines a list of filters contained within a given 931 compound filter set defined in the ipspCompoundFilterTable." 932 ::= { ipspConfigObjects 6 } 934 ipspSubfiltersEntry OBJECT-TYPE 935 SYNTAX IpspSubfiltersEntry 936 MAX-ACCESS not-accessible 937 STATUS current 938 DESCRIPTION 939 "An entry into the list of filters for a given compound 940 filter." 941 INDEX { ipspCompFiltName, ipspSubFiltPriority } 942 ::= { ipspSubfiltersTable 1 } 944 IpspSubfiltersEntry ::= SEQUENCE { 945 ipspSubFiltPriority Integer32, 946 ipspSubFiltSubfilter VariablePointer, 947 ipspSubFiltSubfilterIsNegated TruthValue, 948 ipspSubFiltLastChanged TimeStamp, 949 ipspSubFiltStorageType StorageType, 950 ipspSubFiltRowStatus RowStatus 951 } 953 ipspSubFiltPriority OBJECT-TYPE 954 SYNTAX Integer32 (0..65536) 955 MAX-ACCESS not-accessible 956 STATUS current 957 DESCRIPTION 958 "The priority of a given filter within a condition. 959 Implementations MAY choose to follow the ordering indicated 960 by the manager that created the rows in order to allow the 961 manager to intelligently construct filter lists such that 962 faster filters are evaluated first." 963 ::= { ipspSubfiltersEntry 1 } 965 ipspSubFiltSubfilter OBJECT-TYPE 966 SYNTAX VariablePointer 967 MAX-ACCESS read-create 968 STATUS current 969 DESCRIPTION 970 "The location of the contained filter. The value of this 971 column should be a VariablePointer which references the 972 properties for the filter to be included in this compound 973 filter. 975 This MIB defines the following tables and scalars which may 976 be pointed to by this column. Implementations may choose to 977 provide support for other filter tables or scalars as well: 979 ipspIpHeaderFilterTable 980 ipspIpOffsetFilterTable 981 ipspTimeFilterTable 982 ipspCompoundFilterTable 983 ipspTrueFilter 985 If this column is set to a VariablePointer value which 986 references a non-existent row in an otherwise supported 987 table, the inconsistentName exception should be returned. If 988 the table or scalar pointed to by the VariablePointer is not 989 supported at all, then an inconsistentValue exception should 990 be returned." 991 ::= { ipspSubfiltersEntry 2 } 993 ipspSubFiltSubfilterIsNegated OBJECT-TYPE 994 SYNTAX TruthValue 995 MAX-ACCESS read-create 996 STATUS current 997 DESCRIPTION 998 "Indicates whether the result of applying this subfilter 999 should be negated or not." 1000 DEFVAL { false } 1001 ::= { ipspSubfiltersEntry 3 } 1003 ipspSubFiltLastChanged OBJECT-TYPE 1004 SYNTAX TimeStamp 1005 MAX-ACCESS read-only 1006 STATUS current 1007 DESCRIPTION 1008 "The value of sysUpTime when this row was last modified or 1009 created either through SNMP SETs or by some other external 1010 means." 1011 ::= { ipspSubfiltersEntry 4 } 1013 ipspSubFiltStorageType OBJECT-TYPE 1014 SYNTAX StorageType 1015 MAX-ACCESS read-create 1016 STATUS current 1017 DESCRIPTION 1018 "The storage type for this row. Rows in this table which were 1019 created through an external process may have a storage type 1020 of readOnly or permanent." 1021 DEFVAL { nonVolatile } 1022 ::= { ipspSubfiltersEntry 5 } 1024 ipspSubFiltRowStatus OBJECT-TYPE 1025 SYNTAX RowStatus 1026 MAX-ACCESS read-create 1027 STATUS current 1028 DESCRIPTION 1029 "This object indicates the conceptual status of this row. 1031 The value of this object has no effect on whether other 1032 objects in this conceptual row can be modified. 1034 This object can not be made active until the filter 1035 referenced by the ficSubFilter object is both defined and is 1036 active. An attempt to do so will result in an 1037 inconsistentValue error." 1038 ::= { ipspSubfiltersEntry 6 } 1040 -- 1041 -- Static Filters 1042 -- 1044 ipspStaticFilters OBJECT IDENTIFIER ::= { ipspConfigObjects 7 } 1046 ipspTrueFilter OBJECT-TYPE 1047 SYNTAX Integer32 1048 MAX-ACCESS read-only 1049 STATUS current 1050 DESCRIPTION 1051 "This scalar indicates a (automatic) true result for a 1052 filter. I.e. this is a filter that is always true, 1053 useful for adding as a default filter for a default 1054 action or a set of actions." 1055 ::= { ipspStaticFilters 1 } 1057 ipspTrueFilterInstance OBJECT IDENTIFIER ::= { ipspTrueFilter 0 } 1059 ipspIkePhase1Filter OBJECT-TYPE 1060 SYNTAX Integer32 1061 MAX-ACCESS read-only 1062 STATUS current 1063 DESCRIPTION 1064 "This static filter can be used to test if a packet is 1065 part of an IKE phase-1 negotiation." 1066 ::= { ipspStaticFilters 2 } 1068 ipspIkePhase2Filter OBJECT-TYPE 1069 SYNTAX Integer32 1070 MAX-ACCESS read-only 1071 STATUS current 1072 DESCRIPTION 1073 "This static filter can be used to test if a packet is 1074 part of an IKE phase-2 negotiation." 1075 ::= { ipspStaticFilters 3 } 1077 -- 1078 -- Policy IPHeader filter definition table 1079 -- 1081 ipspIpHeaderFilterTable OBJECT-TYPE 1082 SYNTAX SEQUENCE OF IpspIpHeaderFilterEntry 1083 MAX-ACCESS not-accessible 1084 STATUS current 1085 DESCRIPTION 1086 "This table contains a list of filter definitions to be used 1087 within the ipspRuleDefinitionTable or the 1088 ipspSubfilterTable table." 1089 ::= { ipspConfigObjects 8 } 1091 ipspIpHeaderFilterEntry OBJECT-TYPE 1092 SYNTAX IpspIpHeaderFilterEntry 1093 MAX-ACCESS not-accessible 1094 STATUS current 1095 DESCRIPTION 1096 "A definition of a particular filter." 1097 INDEX { ipspIpHeadFiltName } 1098 ::= { ipspIpHeaderFilterTable 1 } 1100 IpspIpHeaderFilterEntry ::= SEQUENCE { 1101 ipspIpHeadFiltName SnmpAdminString, 1102 ipspIpHeadFiltType BITS, 1103 ipspIpHeadFiltIPVersion InetAddressType, 1104 ipspIpHeadFiltSrcAddressBegin InetAddress, 1105 ipspIpHeadFiltSrcAddressEnd InetAddress, 1106 ipspIpHeadFiltDstAddressBegin InetAddress, 1107 ipspIpHeadFiltDstAddressEnd InetAddress, 1108 ipspIpHeadFiltSrcLowPort InetPortNumber, 1109 ipspIpHeadFiltSrcHighPort InetPortNumber, 1110 ipspIpHeadFiltDstLowPort InetPortNumber, 1111 ipspIpHeadFiltDstHighPort InetPortNumber, 1112 ipspIpHeadFiltProtocol Integer32, 1113 ipspIpHeadFiltIPv6FlowLabel Integer32, 1114 ipspIpHeadFiltLastChanged TimeStamp, 1115 ipspIpHeadFiltStorageType StorageType, 1116 ipspIpHeadFiltRowStatus RowStatus 1117 } 1119 ipspIpHeadFiltName OBJECT-TYPE 1120 SYNTAX SnmpAdminString (SIZE(1..32)) 1121 MAX-ACCESS not-accessible 1122 STATUS current 1123 DESCRIPTION 1124 "The administrative name for this filter." 1125 ::= { ipspIpHeaderFilterEntry 1 } 1127 ipspIpHeadFiltType OBJECT-TYPE 1128 SYNTAX BITS { sourceAddress(0), destinationAddress(1), 1129 sourcePort(2), destinationPort(3), 1130 protocol(4), ipv6FlowLabel(5) } 1131 MAX-ACCESS read-create 1132 STATUS current 1133 DESCRIPTION 1134 "This defines the various tests that are used when evaluating 1135 a given filter. The results of each test are ANDed together 1136 to produce the result of the entire filter. When processing 1137 this filter, it is recommended for efficiency reasons that 1138 the filter halt processing the instant any of the specified 1139 tests fail. 1141 Once a row is 'active', this object's value may not be 1142 changed unless all the appropriate columns needed by the new 1143 value to be imposed on this object have been appropriately 1144 configured. 1146 The various tests definable in this table are as follows: 1148 sourceAddress: 1149 - Tests if the source address in the packet lies between 1150 the ipspIpHeadFiltSrcAddressBegin and 1151 ipspIpHeadFiltSrcAddressEnd objects. 1153 Note that setting these two objects to the same address 1154 will limit the search to the exact match of a single 1155 address. The format and length of the address objects 1156 are defined by the ipspIpHeadFiltIPVersion column. 1158 A row in this table containing a ipspIpHeadFiltType 1159 object with the sourceAddress object bit but without the 1160 ipspIpHeadFiltIPVersion, ipspIpHeadFiltSrcAddressBegin 1161 and ipspIpHeadFiltSrcAddressEnd objects set will cause 1162 the ipspIpHeadFiltRowStatus object to return the notReady 1163 state. 1165 destinationAddress: 1166 - Tests if the destination address in the packet lies 1167 between the ipspIpHeadFiltDstAddressBegin and 1168 ipspIpHeadFiltDstAddressEnd objects. Note that setting 1169 these two objects to the same address will limit the 1170 search to the exact match of a single address. The 1171 format and length of the address objects are defined by 1172 the ipspIpHeadFiltIPVersion column. 1174 A row in this table containing a ipspIpHeadFiltType 1175 object with the destinationAddress object bit but without 1176 the ipspIpHeadFiltIPVersion, 1177 ipspIpHeadFiltDstAddressBegin and 1179 ipspIpHeadFiltDstAddressEnd objects set will cause the 1180 ipspIpHeadFiltRowStatus object to return the notReady 1181 state. 1183 sourcePort: 1184 - Tests if the source port of IP packets using a protocol 1185 that uses port numbers (at this time, UDP or TCP) lies 1186 between the ipspIpHeadFiltSrcLowPort and 1187 ipspIpHeadFiltSrcHighPort objects. Note that setting 1188 these two objects to the same address will limit the 1189 search to the exact match of a single port. 1191 A row in this table containing a ipspIpHeadFiltType 1192 object with the sourcePort object bit but without the 1193 ipspIpHeadFiltSrcLowPort, and ipspIpHeadFiltSrcHighPort 1194 objects set will cause the ipspIpHeadFiltRowStatus object 1195 to return the notReady state. 1197 destinationPort: 1198 - Tests if the source port of IP packets using a protocol 1199 that uses port numbers (at this time, UDP or TCP) lies 1200 between the ipspIpHeadFiltDstLowPort and 1201 ipspIpHeadFiltDstHighPort objects. Note that setting 1202 these two objects to the same address will limit the 1203 search to the exact match of a single port. 1205 A row in this table containing a ipspIpHeadFiltType 1206 object with the sourcePort object bit but without the 1207 ipspIpHeadFiltDstLowPort, and ipspIpHeadFiltDstHighPort 1208 objects set will cause the ipspIpHeadFiltRowStatus object 1209 to return the notReady state. 1211 protocol: 1212 - Tests to see if the packet being processed is for the 1213 given protocol type. 1215 A row in this table containing a ipspIpHeadFiltType 1216 object with the protocol object bit but without the 1217 ipspIpHeadFiltProtocol object set will cause the 1218 ipspIpHeadFiltRowStatus object to return the notReady 1219 state. 1221 ipv6FlowLabel: 1222 - Tests to see if the packet being processed contains an 1223 ipv6 Flow Label which matches the value in the 1224 ipfIPv6FlowLabel object. Setting this bit mandates that 1225 for the packet to match the filter, it must be an IPv6 1226 packet. 1228 A row in this table containing a ipspIpHeadFiltType 1229 object with the ipv6FlowLabel object bit but without the 1230 ipfIPv6FlowLabel object set will cause the 1231 ipspIpHeadFiltRowStatus object to return the notReady 1232 state." 1233 ::= { ipspIpHeaderFilterEntry 2 } 1235 ipspIpHeadFiltIPVersion OBJECT-TYPE 1236 SYNTAX InetAddressType 1237 MAX-ACCESS read-create 1238 STATUS current 1239 DESCRIPTION 1240 "The Internet Protocol version the addresses are to match 1241 against. The value of this property determines the size and 1242 format of the ipspIpHeadFiltSrcAddressBegin, 1243 ipspIpHeadFiltSrcAddressEnd, ipspIpHeadFiltDstAddressBegin, 1244 and ipspIpHeadFiltDstAddressEnd objects. 1246 Values of unknown, ipv4z, ipv6z and dns are not legal values 1247 for this object." 1248 DEFVAL { ipv6 } 1249 ::= { ipspIpHeaderFilterEntry 3 } 1251 ipspIpHeadFiltSrcAddressBegin OBJECT-TYPE 1252 SYNTAX InetAddress 1253 MAX-ACCESS read-create 1254 STATUS current 1255 DESCRIPTION 1256 "The starting address of a source address range that the 1257 packet must match against for this filter to be considered 1258 TRUE. 1260 This object is only used if sourceAddress is set in 1261 ipspIpHeadFiltType." 1262 ::= { ipspIpHeaderFilterEntry 4 } 1264 ipspIpHeadFiltSrcAddressEnd OBJECT-TYPE 1265 SYNTAX InetAddress 1266 MAX-ACCESS read-create 1267 STATUS current 1268 DESCRIPTION 1269 "The ending address of a source address range to check a 1270 packet against, where the starting is specified by the 1271 ipspIpHeadFiltSrcAddressBegin object. Set this column to the 1272 same value as the ipspIpHeadFiltSrcAddressBegin column to get 1273 an exact single address match. 1275 This object is only used if sourceAddress is set in 1276 ipspIpHeadFiltType." 1277 ::= { ipspIpHeaderFilterEntry 5 } 1279 ipspIpHeadFiltDstAddressBegin OBJECT-TYPE 1280 SYNTAX InetAddress 1281 MAX-ACCESS read-create 1282 STATUS current 1283 DESCRIPTION 1284 "The starting address of a destination address range that the 1285 packet must match against for this filter to be considered 1286 TRUE. 1288 This object is only used if destinationAddress is set in 1289 ipspIpHeadFiltType." 1290 ::= { ipspIpHeaderFilterEntry 6 } 1292 ipspIpHeadFiltDstAddressEnd OBJECT-TYPE 1293 SYNTAX InetAddress 1294 MAX-ACCESS read-create 1295 STATUS current 1296 DESCRIPTION 1297 "The ending address of a destination address range to check a 1298 packet against, where the first is specified by the 1299 ipspIpHeadFiltDstAddressBegin object. Set this column to the 1300 same value as the ipspIpHeadFiltDstAddressBegin column to get 1301 an exact single address match. 1303 This object is only used if destinationAddress is set in 1304 ipspIpHeadFiltType." 1305 ::= { ipspIpHeaderFilterEntry 7 } 1307 ipspIpHeadFiltSrcLowPort OBJECT-TYPE 1308 SYNTAX InetPortNumber 1309 MAX-ACCESS read-create 1310 STATUS current 1311 DESCRIPTION 1312 "The low port of the port range a packet's source must match 1313 against. To match, the port number must be greater than or 1314 equal to this value. 1316 This object is only used if sourcePort is set in 1317 ipspIpHeadFiltType. 1319 The value of 0 for this object is illegal." 1320 ::= { ipspIpHeaderFilterEntry 8 } 1322 ipspIpHeadFiltSrcHighPort OBJECT-TYPE 1323 SYNTAX InetPortNumber 1324 MAX-ACCESS read-create 1325 STATUS current 1326 DESCRIPTION 1327 "The high port of the port range a packet's source must match 1328 against. To match, the port number must be less than or 1329 equal to this value. 1331 This object is only used if sourcePort is set in 1332 ipspIpHeadFiltType. 1334 The value of 0 for this object is illegal." 1335 ::= { ipspIpHeaderFilterEntry 9 } 1337 ipspIpHeadFiltDstLowPort OBJECT-TYPE 1338 SYNTAX InetPortNumber 1339 MAX-ACCESS read-create 1340 STATUS current 1341 DESCRIPTION 1342 "The low port of the port range a packet's destination must 1343 match against. To match, the port number must be greater 1344 than or equal to this value. 1346 This object is only used if destinationPort is set in 1347 ipspIpHeadFiltType. 1349 The value of 0 for this object is illegal." 1350 ::= { ipspIpHeaderFilterEntry 10 } 1352 ipspIpHeadFiltDstHighPort OBJECT-TYPE 1353 SYNTAX InetPortNumber 1354 MAX-ACCESS read-create 1355 STATUS current 1356 DESCRIPTION 1357 "The high port of the port range a packet's destination must 1358 match against. To match, the port number must be less than 1359 or equal to this value. 1361 This object is only used if destinationPort is set in 1362 ipspIpHeadFiltType. 1364 The value of 0 for this object is illegal." 1365 ::= { ipspIpHeaderFilterEntry 11 } 1367 ipspIpHeadFiltProtocol OBJECT-TYPE 1368 SYNTAX Integer32 (0..255) 1369 MAX-ACCESS read-create 1370 STATUS current 1371 DESCRIPTION 1372 "The protocol number the incoming packet must match against 1373 for this filter to be evaluated as true. 1375 This object is only used if protocol is set in 1376 ipspIpHeadFiltType." 1377 ::= { ipspIpHeaderFilterEntry 12 } 1379 ipspIpHeadFiltIPv6FlowLabel OBJECT-TYPE 1380 SYNTAX Integer32 (0..1048575) 1381 MAX-ACCESS read-create 1382 STATUS current 1383 DESCRIPTION 1384 "The IPv6 Flow Label that the packet must match against. 1386 This object is only used if ipv6FlowLabel is set in 1387 ipspIpHeadFiltType." 1388 ::= { ipspIpHeaderFilterEntry 13 } 1390 ipspIpHeadFiltLastChanged OBJECT-TYPE 1391 SYNTAX TimeStamp 1392 MAX-ACCESS read-only 1393 STATUS current 1394 DESCRIPTION 1395 "The value of sysUpTime when this row was last modified or 1396 created either through SNMP SETs or by some other external 1397 means." 1398 ::= { ipspIpHeaderFilterEntry 14 } 1400 ipspIpHeadFiltStorageType OBJECT-TYPE 1401 SYNTAX StorageType 1402 MAX-ACCESS read-create 1403 STATUS current 1404 DESCRIPTION 1405 "The storage type for this row. Rows in this table which were 1406 created through an external process may have a storage type 1407 of readOnly or permanent." 1408 DEFVAL { nonVolatile } 1409 ::= { ipspIpHeaderFilterEntry 15 } 1411 ipspIpHeadFiltRowStatus OBJECT-TYPE 1412 SYNTAX RowStatus 1413 MAX-ACCESS read-create 1414 STATUS current 1415 DESCRIPTION 1416 "This object indicates the conceptual status of this row. 1418 This object may not be set to active if the requirements of 1419 the ipspIpHeadFiltType object are not met. In other words, 1420 if the associated value columns needed by a particular test 1421 have not been set, then attempting to change this row to an 1422 active state will result in an inconsistentValue error. See 1423 the ipspIpHeadFiltType object description for further 1424 details." 1425 ::= { ipspIpHeaderFilterEntry 16 } 1427 -- 1428 -- Policy IP Offset filter definition table 1429 -- 1431 ipspIpOffsetFilterTable OBJECT-TYPE 1432 SYNTAX SEQUENCE OF IpspIpOffsetFilterEntry 1433 MAX-ACCESS not-accessible 1434 STATUS current 1435 DESCRIPTION 1436 "This table contains a list of filter definitions to be used 1437 within the ipspRuleDefinitionTable or the 1438 ipspSubfilterTable." 1439 ::= { ipspConfigObjects 9 } 1441 ipspIpOffsetFilterEntry OBJECT-TYPE 1442 SYNTAX IpspIpOffsetFilterEntry 1443 MAX-ACCESS not-accessible 1444 STATUS current 1445 DESCRIPTION 1446 "A definition of a particular filter." 1448 INDEX { ipspIpOffFiltName } 1449 ::= { ipspIpOffsetFilterTable 1 } 1451 IpspIpOffsetFilterEntry ::= SEQUENCE { 1452 ipspIpOffFiltName SnmpAdminString, 1453 ipspIpOffFiltOffset Integer32, 1454 ipspIpOffFiltType INTEGER, 1455 ipspIpOffFiltNumber Integer32, 1456 ipspIpOffFiltValue OCTET STRING, 1457 ipspIpOffFiltLastChanged TimeStamp, 1458 ipspIpOffFiltStorageType StorageType, 1459 ipspIpOffFiltRowStatus RowStatus 1460 } 1462 ipspIpOffFiltName OBJECT-TYPE 1463 SYNTAX SnmpAdminString (SIZE(1..32)) 1464 MAX-ACCESS not-accessible 1465 STATUS current 1466 DESCRIPTION 1467 "The administrative name for this filter." 1468 ::= { ipspIpOffsetFilterEntry 1 } 1470 ipspIpOffFiltOffset OBJECT-TYPE 1471 SYNTAX Integer32 (0..65536) 1472 MAX-ACCESS read-create 1473 STATUS current 1474 DESCRIPTION 1475 "This is the byte offset from the front of the IP packet where 1476 the value or arithmetic comparison is done. A value of '0' 1477 indicates the first byte in the packet." 1478 ::= { ipspIpOffsetFilterEntry 2 } 1480 ipspIpOffFiltType OBJECT-TYPE 1481 SYNTAX INTEGER { valueMatch(1), 1482 valueNotMatch(2), 1483 arithmeticEqual(3), 1484 arithmeticNotEqual(4), 1485 arithmeticLess(5), 1486 arithmeticGreaterOrEqual(6), 1487 arithmeticGreater(7), 1488 arithmeticLessOrEqual(8) } 1489 MAX-ACCESS read-create 1490 STATUS current 1491 DESCRIPTION 1492 "This defines the various tests that are used when evaluating 1493 a given filter. 1495 Once a row is 'active', this object's value may not be 1496 changed unless the appropriate columns, ipspIpOffFiltNumber 1497 or ipspIpOffFiltValue, needed by the new value to be imposed 1498 on this object have been appropriately configured. 1500 The various tests definable in this table are as follows: 1502 valueMatch: 1503 - Tests if the OCTET STRING, 'ipspIpOffFiltValue', matches 1504 a value in the packet starting at the given offset in the 1505 packet and comparing the entire OCTET STRING of 1506 'ipspIpOffFiltValue'. 1508 valueNotMatch: 1509 - Tests if the OCTET STRING, 'ipspIpOffFiltValue', does not 1510 match a value in the packet starting at the given offset 1511 in the packet and comparing to the entire OCTET STRING of 1512 'ipspIpOffFiltValue'. 1514 arithmeticEqual: 1515 - Tests if the Integer32, 'ipspIpOffFiltNumber', is 1516 arithmetically equal ('=') to the 4 byte value starting 1517 at the given offset within the packet. The value in the 1518 packet is assumed to be in network byte order. 1520 arithmeticNotEqual: 1521 - Tests if the Integer32, 'ipspIpOffFiltNumber', is 1522 arithmetically not equal ('!=') to the 4 byte value 1523 starting at the given offset within the packet. The 1524 value in the packet is assumed to be in network byte 1525 order. 1527 arithmeticLess: 1528 - Tests if the Integer32, 'ipspIpOffFiltNumber', is 1529 arithmetically less than ('<') the 4 byte value starting 1530 at the given offset within the packet. The value in the 1531 packet is assumed to be in network byte order. 1533 arithmeticGreaterOrEqual: 1534 - Tests if the Integer32, 'ipspIpOffFiltNumber', is 1535 arithmetically greater than or equal to ('>=') the 4 byte 1536 value starting at the given offset within the packet. 1537 The value in the packet is assumed to be in network byte 1538 order. 1540 arithmeticGreater: 1541 - Tests if the Integer32, 'ipspIpOffFiltNumber', is 1542 arithmetically greater than ('>') the 4 byte value 1543 starting at the given offset within the packet. The 1544 value in the packet is assumed to be in network byte 1545 order. 1547 arithmeticLessOrEqual: 1548 - Tests if the Integer32, 'ipspIpOffFiltNumber', is 1549 arithmetically less than or equal to ('<=') the 4 byte 1550 value starting at the given offset within the packet. 1551 The value in the packet is assumed to be in network byte 1552 order." 1554 ::= { ipspIpOffsetFilterEntry 3 } 1556 ipspIpOffFiltNumber OBJECT-TYPE 1557 SYNTAX Integer32 (0..65536) 1558 MAX-ACCESS read-create 1559 STATUS current 1560 DESCRIPTION 1562 "ipspIpOffFiltNumber is used for arithmetic matching of a 1563 packets at ipspIpOffFiltOffset. This object is only used if 1564 one of 1565 the arithmetic types is chosen in ipspIpOffFiltType." 1566 ::= { ipspIpOffsetFilterEntry 4 } 1568 ipspIpOffFiltValue OBJECT-TYPE 1569 SYNTAX OCTET STRING (SIZE(0..1024)) 1570 MAX-ACCESS read-create 1571 STATUS current 1572 DESCRIPTION 1573 "ipspIpOffFiltValue is used for match comparisons of a packet at 1574 ipspIpOffFiltOffset. This object is only used if one of the 1575 match types is chosen in ipspIpOffFiltType." 1576 ::= { ipspIpOffsetFilterEntry 5 } 1578 ipspIpOffFiltLastChanged OBJECT-TYPE 1579 SYNTAX TimeStamp 1580 MAX-ACCESS read-only 1581 STATUS current 1582 DESCRIPTION 1583 "The value of sysUpTime when this row was last modified or 1584 created either through SNMP SETs or by some other external 1585 means." 1586 ::= { ipspIpOffsetFilterEntry 6 } 1588 ipspIpOffFiltStorageType OBJECT-TYPE 1589 SYNTAX StorageType 1590 MAX-ACCESS read-create 1591 STATUS current 1592 DESCRIPTION 1593 "The storage type for this row. Rows in this table which were 1594 created through an external process may have a storage type 1595 of readOnly or permanent." 1596 DEFVAL { nonVolatile } 1597 ::= { ipspIpOffsetFilterEntry 7 } 1599 ipspIpOffFiltRowStatus OBJECT-TYPE 1600 SYNTAX RowStatus 1601 MAX-ACCESS read-create 1602 STATUS current 1603 DESCRIPTION 1604 "This object indicates the conceptual status of this row. 1606 This object may not be set to active if the requirements of 1607 the ipspIpOffFiltType object are not met. In other words, if 1608 the associated value columns needed by a particular test have 1609 not been set, then attempting to change this row to an active 1610 state will result in an inconsistentValue error. See the 1611 ipspIpOffFiltType object description for further details." 1612 ::= { ipspIpOffsetFilterEntry 8 } 1614 -- 1615 -- Time/scheduling filter table 1616 -- 1618 ipspTimeFilterTable OBJECT-TYPE 1619 SYNTAX SEQUENCE OF IpspTimeFilterEntry 1620 MAX-ACCESS not-accessible 1621 STATUS current 1622 DESCRIPTION 1623 "Defines a table of filters which can be used to effectively 1624 enable or disable policies based on a valid time range." 1625 ::= { ipspConfigObjects 10 } 1627 ipspTimeFilterEntry OBJECT-TYPE 1628 SYNTAX IpspTimeFilterEntry 1629 MAX-ACCESS not-accessible 1630 STATUS current 1631 DESCRIPTION 1632 "A row describing a given time frame for which a policy may be 1633 filtered on to place the rule active or inactive." 1634 INDEX { ipspTimeFiltName } 1635 ::= { ipspTimeFilterTable 1 } 1637 IpspTimeFilterEntry ::= SEQUENCE { 1638 ipspTimeFiltName SnmpAdminString, 1639 ipspTimeFiltPeriodStart DateAndTime, 1640 ipspTimeFiltPeriodEnd DateAndTime, 1641 ipspTimeFiltMonthOfYearMask BITS, 1642 ipspTimeFiltDayOfMonthMask OCTET STRING, 1643 ipspTimeFiltDayOfWeekMask BITS, 1644 ipspTimeFiltTimeOfDayMaskStart DateAndTime, 1645 ipspTimeFiltTimeOfDayMaskEnd DateAndTime, 1646 ipspTimeFiltLastChanged TimeStamp, 1647 ipspTimeFiltStorageType StorageType, 1648 ipspTimeFiltRowStatus RowStatus 1649 } 1651 ipspTimeFiltName OBJECT-TYPE 1652 SYNTAX SnmpAdminString (SIZE(1..32)) 1653 MAX-ACCESS not-accessible 1654 STATUS current 1655 DESCRIPTION 1656 "An administratively assigned name for this filter." 1657 ::= { ipspTimeFilterEntry 1 } 1659 ipspTimeFiltPeriodStart OBJECT-TYPE 1660 SYNTAX DateAndTime 1661 MAX-ACCESS read-create 1662 STATUS current 1663 DESCRIPTION 1664 "The starting time period for this filter. In addition to a 1665 normal DateAndTime string, this object may be set to the 1666 OCTET STRING value THISANDPRIOR which indicates that the 1667 filter is valid from any time before now up until (at least) 1668 now." 1669 DEFVAL { '00000101000000002b0000'H } 1670 ::= { ipspTimeFilterEntry 2 } 1672 ipspTimeFiltPeriodEnd OBJECT-TYPE 1673 SYNTAX DateAndTime 1674 MAX-ACCESS read-create 1675 STATUS current 1676 DESCRIPTION 1677 "The ending time period for this filter. In addition to a 1678 normal DateAndTime string, this object may be set to the 1679 OCTET STRING value THISANDFUTURE which indicates that the 1680 filter is valid without an ending date and/or time." 1681 DEFVAL { '99991231235959092b0000'H } 1682 ::= { ipspTimeFilterEntry 3 } 1684 ipspTimeFiltMonthOfYearMask OBJECT-TYPE 1685 SYNTAX BITS { january(0), february(1), march(2), april(3), 1686 may(4), june(5), july(6), august(7), 1687 september(8), october(9),november(10), 1688 december(11) } 1689 MAX-ACCESS read-create 1690 STATUS current 1691 DESCRIPTION 1692 "A bit mask which overlays the ipspTimeFiltPeriodStart to 1693 ipspTimeFiltPeriodEnd date range to further restrict the time 1694 period to a restricted set of months of the year." 1695 DEFVAL { { january, february, march, april, may, june, july, 1696 august, september, october, november, december } } 1697 ::= { ipspTimeFilterEntry 4 } 1699 ipspTimeFiltDayOfMonthMask OBJECT-TYPE 1700 SYNTAX OCTET STRING (SIZE(4)) 1701 MAX-ACCESS read-create 1702 STATUS current 1703 DESCRIPTION 1704 "Defines which days of the month this time period is valid 1705 for. It is a sequence of 32 BITS, where each BIT represents 1706 a corresponding day of the month starting from the left most 1707 bit being equal to the first day of the month. The last bit 1708 in the string MUST be zero." 1709 DEFVAL { 'fffffffe'H } 1710 ::= { ipspTimeFilterEntry 5 } 1712 ipspTimeFiltDayOfWeekMask OBJECT-TYPE 1713 SYNTAX BITS { monday(0), tuesday(1), wednesday(2), 1714 thursday(3), friday(4), saturday(5), 1715 sunday(6) } 1716 MAX-ACCESS read-create 1717 STATUS current 1718 DESCRIPTION 1719 "A bit mask which overlays the ipspTimeFiltPeriodStart to 1720 ipspTimeFiltPeriodEnd date range to further restrict the time 1721 period to a restricted set of days within a given week." 1722 DEFVAL { { monday, tuesday, wednesday, thursday, friday, 1723 saturday, sunday } } 1724 ::= { ipspTimeFilterEntry 6 } 1726 ipspTimeFiltTimeOfDayMaskStart OBJECT-TYPE 1727 SYNTAX DateAndTime 1728 MAX-ACCESS read-create 1729 STATUS current 1730 DESCRIPTION 1731 "Indicates the starting time of day for which this filter 1732 evaluates to true. The date portions of the DateAndTime TC 1733 are ignored for purposes of evaluating this mask and only the 1734 time specific portions are used." 1735 DEFVAL { '00000000000000002b0000'H } 1736 ::= { ipspTimeFilterEntry 7 } 1738 ipspTimeFiltTimeOfDayMaskEnd OBJECT-TYPE 1739 SYNTAX DateAndTime 1740 MAX-ACCESS read-create 1741 STATUS current 1742 DESCRIPTION 1743 "Indicates the ending time of day for which this filter 1744 evaluates to true. The date portions of the DateAndTime TC 1745 are ignored for purposes of evaluating this mask and only the 1746 time specific portions are used. If this starting and ending 1747 time values indicated by the ipspTimeFiltTimeOfDayMaskStart 1748 and ipspTimeFiltTimeOfDayMaskEnd objects are equal, the 1749 filter is expected to be evaluated over the entire 24 hour 1750 period." 1751 DEFVAL { '00000000000000002b0000'H } 1752 ::= { ipspTimeFilterEntry 8 } 1754 ipspTimeFiltLastChanged OBJECT-TYPE 1755 SYNTAX TimeStamp 1756 MAX-ACCESS read-only 1757 STATUS current 1758 DESCRIPTION 1759 "The value of sysUpTime when this row was last modified or 1760 created either through SNMP SETs or by some other external 1761 means." 1762 ::= { ipspTimeFilterEntry 9 } 1764 ipspTimeFiltStorageType OBJECT-TYPE 1765 SYNTAX StorageType 1766 MAX-ACCESS read-create 1767 STATUS current 1768 DESCRIPTION 1769 "The storage type for this row. Rows in this table which were 1770 created through an external process may have a storage type 1771 of readOnly or permanent." 1772 DEFVAL { nonVolatile } 1773 ::= { ipspTimeFilterEntry 10 } 1775 ipspTimeFiltRowStatus OBJECT-TYPE 1776 SYNTAX RowStatus 1777 MAX-ACCESS read-create 1778 STATUS current 1779 DESCRIPTION 1780 "This object indicates the conceptual status of this row." 1781 ::= { ipspTimeFilterEntry 11 } 1783 -- 1784 -- IPSO protection authority filtering 1785 -- 1787 ipspIpsoHeaderFilterTable OBJECT-TYPE 1788 SYNTAX SEQUENCE OF IpspIpsoHeaderFilterEntry 1789 MAX-ACCESS not-accessible 1790 STATUS current 1791 DESCRIPTION 1792 "This table contains a list of IPSO header filter definitions 1793 to be used within the ipspRuleDefinitionTable or the 1794 ipspSubfilterTable. IPSO headers and their values 1795 are described in RFC1108." 1796 ::= { ipspConfigObjects 11 } 1798 ipspIpsoHeaderFilterEntry OBJECT-TYPE 1799 SYNTAX IpspIpsoHeaderFilterEntry 1800 MAX-ACCESS not-accessible 1801 STATUS current 1802 DESCRIPTION 1803 "A definition of a particular filter." 1804 INDEX { ipspIpsoHeadFiltName } 1805 ::= { ipspIpsoHeaderFilterTable 1 } 1807 IpspIpsoHeaderFilterEntry ::= SEQUENCE { 1808 ipspIpsoHeadFiltName SnmpAdminString, 1809 ipspIpsoHeadFiltType BITS, 1810 ipspIpsoHeadFiltClassification INTEGER, 1811 ipspIpsoHeadFiltProtectionAuth INTEGER, 1812 ipspIpsoHeadFiltLastChanged TimeStamp, 1813 ipspIpsoHeadFiltStorageType StorageType, 1814 ipspIpsoHeadFiltRowStatus RowStatus 1815 } 1817 ipspIpsoHeadFiltName OBJECT-TYPE 1818 SYNTAX SnmpAdminString (SIZE(1..32)) 1819 MAX-ACCESS not-accessible 1820 STATUS current 1821 DESCRIPTION 1822 "The administrative name for this filter." 1823 ::= { ipspIpsoHeaderFilterEntry 1 } 1825 ipspIpsoHeadFiltType OBJECT-TYPE 1826 SYNTAX BITS { classificationLevel(0), 1827 protectionAuthority(1) } 1828 MAX-ACCESS read-create 1829 STATUS current 1830 DESCRIPTION 1831 "The IPSO header fields to match the value against." 1832 ::= { ipspIpsoHeaderFilterEntry 2 } 1834 ipspIpsoHeadFiltClassification OBJECT-TYPE 1835 SYNTAX INTEGER { topSecret(61), secret(90), 1836 confidential(150), unclassified(171) } 1837 MAX-ACCESS read-create 1838 STATUS current 1839 DESCRIPTION 1840 "The IPSO classification header field value must match the 1841 value in this column if the classificationLevel bit is set in 1842 the ipspIpsoHeadFiltType field. 1844 The values of these enumerations are defined by RFC1108." 1845 ::= { ipspIpsoHeaderFilterEntry 3 } 1847 ipspIpsoHeadFiltProtectionAuth OBJECT-TYPE 1848 SYNTAX INTEGER { genser(0), siopesi(1), sci(2), 1849 nsa(3), doe(4) } 1850 MAX-ACCESS read-create 1851 STATUS current 1852 DESCRIPTION 1853 "The IPSO protection authority header field value must match 1854 the value in this column if the protection authority bit is 1855 set in the ipspIpsoHeadFiltType field. 1857 The values of these enumerations are defined by RFC1108. 1858 Hence the reason the SMIv2 convention of not using 0 in enum 1859 lists is violated here." 1860 ::= { ipspIpsoHeaderFilterEntry 4 } 1862 ipspIpsoHeadFiltLastChanged OBJECT-TYPE 1863 SYNTAX TimeStamp 1864 MAX-ACCESS read-only 1865 STATUS current 1866 DESCRIPTION 1867 "The value of sysUpTime when this row was last modified or 1868 created either through SNMP SETs or by some other external 1869 means." 1870 ::= { ipspIpsoHeaderFilterEntry 5 } 1872 ipspIpsoHeadFiltStorageType OBJECT-TYPE 1873 SYNTAX StorageType 1874 MAX-ACCESS read-create 1875 STATUS current 1876 DESCRIPTION 1877 "The storage type for this row. Rows in this table which were 1878 created through an external process may have a storage type 1879 of readOnly or permanent." 1880 DEFVAL { nonVolatile } 1881 ::= { ipspIpsoHeaderFilterEntry 6 } 1883 ipspIpsoHeadFiltRowStatus OBJECT-TYPE 1884 SYNTAX RowStatus 1885 MAX-ACCESS read-create 1886 STATUS current 1887 DESCRIPTION 1888 "This object indicates the conceptual status of this row. 1890 This object may not be set to active if the requirements of 1891 the ipspIpsoHeadFiltType object are not met. In other words, 1892 if the associated value columns needed by a particular test 1893 have not been set, then attempting to change this row to an 1894 active state will result in an inconsistentValue error. See 1895 the ipspIpsoHeadFiltType object description for further 1896 details." 1897 ::= { ipspIpsoHeaderFilterEntry 7 } 1899 -- 1900 -- credential filter table 1901 -- 1903 ipspCredentialFilterTable OBJECT-TYPE 1904 SYNTAX SEQUENCE OF IpspCredentialFilterEntry 1905 MAX-ACCESS not-accessible 1906 STATUS current 1907 DESCRIPTION 1908 "This table defines filters which can be used to match 1909 credentials of IKE peers, where the credentials in question 1910 have been obtained from an IKE phase 1 exchange. They may be 1911 X.509 certificates, Kerberos tickets, etc..." 1912 ::= { ipspConfigObjects 12 } 1914 ipspCredentialFilterEntry OBJECT-TYPE 1915 SYNTAX IpspCredentialFilterEntry 1916 MAX-ACCESS not-accessible 1917 STATUS current 1918 DESCRIPTION 1919 "A row defining a particular credential filter" 1920 INDEX { ipspCredFiltName } 1921 ::= { ipspCredentialFilterTable 1 } 1923 IpspCredentialFilterEntry ::= SEQUENCE { 1924 ipspCredFiltName SnmpAdminString, 1925 ipspCredFiltCredentialType IpspCredentialType, 1926 ipspCredFiltMatchFieldName OCTET STRING, 1927 ipspCredFiltMatchFieldValue OCTET STRING, 1928 ipspCredFiltAcceptCredFrom OCTET STRING, 1929 ipspCredFiltLastChanged TimeStamp, 1930 ipspCredFiltStorageType StorageType, 1931 ipspCredFiltRowStatus RowStatus 1932 } 1934 ipspCredFiltName OBJECT-TYPE 1935 SYNTAX SnmpAdminString (SIZE(1..32)) 1936 MAX-ACCESS not-accessible 1937 STATUS current 1938 DESCRIPTION 1939 "The administrative name of this filter." 1940 ::= { ipspCredentialFilterEntry 1 } 1942 ipspCredFiltCredentialType OBJECT-TYPE 1943 SYNTAX IpspCredentialType 1944 MAX-ACCESS read-create 1945 STATUS current 1946 DESCRIPTION 1947 "The credential type that is expected for this filter to 1948 succeed." 1949 DEFVAL { x509 } 1950 ::= { ipspCredentialFilterEntry 2 } 1952 ipspCredFiltMatchFieldName OBJECT-TYPE 1953 SYNTAX OCTET STRING (SIZE(0..256)) 1954 MAX-ACCESS read-create 1955 STATUS current 1956 DESCRIPTION 1957 "The piece of the credential to match against. Examples: 1958 serialNumber, signatureAlgorithm, issuerName or subjectName. 1960 For credential types without fields (e.g. shared secrec), 1961 this field should be left empty, and the entire credential 1962 will be matched against the ipspCredFiltMatchFieldValue." 1963 ::= { ipspCredentialFilterEntry 3 } 1965 ipspCredFiltMatchFieldValue OBJECT-TYPE 1966 SYNTAX OCTET STRING (SIZE(1..4096)) 1967 MAX-ACCESS read-create 1968 STATUS current 1969 DESCRIPTION 1970 "The value that the field indicated by the 1971 ipspCredFiltMatchFieldName must match against for the filter 1972 to be considered TRUE." 1973 ::= { ipspCredentialFilterEntry 4 } 1975 ipspCredFiltAcceptCredFrom OBJECT-TYPE 1976 SYNTAX OCTET STRING(SIZE(1..117)) 1977 MAX-ACCESS read-create 1978 STATUS current 1979 DESCRIPTION 1980 "This value is used to look up a row in the 1981 ipspIpsecCredMngServiceTable for the Certificate Authority (CA) 1982 Information. This value is empty if there is no CA used for 1983 this filter." 1984 ::= { ipspCredentialFilterEntry 5 } 1986 ipspCredFiltLastChanged OBJECT-TYPE 1987 SYNTAX TimeStamp 1988 MAX-ACCESS read-only 1989 STATUS current 1990 DESCRIPTION 1991 "The value of sysUpTime when this row was last modified or 1992 created either through SNMP SETs or by some other external 1993 means." 1994 ::= { ipspCredentialFilterEntry 6 } 1996 ipspCredFiltStorageType OBJECT-TYPE 1997 SYNTAX StorageType 1998 MAX-ACCESS read-create 1999 STATUS current 2000 DESCRIPTION 2001 "The storage type for this row. Rows in this table which were 2002 created through an external process may have a storage type 2003 of readOnly or permanent." 2004 DEFVAL { nonVolatile } 2005 ::= { ipspCredentialFilterEntry 7 } 2007 ipspCredFiltRowStatus OBJECT-TYPE 2008 SYNTAX RowStatus 2009 MAX-ACCESS read-create 2010 STATUS current 2011 DESCRIPTION 2012 "This object indicates the conceptual status of this row." 2013 ::= { ipspCredentialFilterEntry 8 } 2015 -- 2016 -- Peer Identity Filter Table 2017 -- 2018 ipspPeerIdentityFilterTable OBJECT-TYPE 2019 SYNTAX SEQUENCE OF IpspPeerIdentityFilterEntry 2020 MAX-ACCESS not-accessible 2021 STATUS current 2022 DESCRIPTION 2023 "This table defines filters which can be used to match 2024 credentials of IKE peers, where the credentials in question 2025 have been obtained from an IKE phase 1 exchange. They may be 2026 X.509 certificates, Kerberos tickets, etc..." 2027 ::= { ipspConfigObjects 13 } 2029 ipspPeerIdentityFilterEntry OBJECT-TYPE 2030 SYNTAX IpspPeerIdentityFilterEntry 2031 MAX-ACCESS not-accessible 2032 STATUS current 2033 DESCRIPTION 2034 "A row defining a particular credential filter" 2035 INDEX { ipspPeerIdFiltName } 2036 ::= { ipspPeerIdentityFilterTable 1 } 2038 IpspPeerIdentityFilterEntry ::= SEQUENCE { 2039 ipspPeerIdFiltName SnmpAdminString, 2040 ipspPeerIdFiltIdentityType IpsecDoiIdentType, 2041 ipspPeerIdFiltIdentityValue IpspIdentityFilter, 2042 ipspPeerIdFiltLastChanged TimeStamp, 2043 ipspPeerIdFiltStorageType StorageType, 2044 ipspPeerIdFiltRowStatus RowStatus 2045 } 2047 ipspPeerIdFiltName OBJECT-TYPE 2048 SYNTAX SnmpAdminString (SIZE(1..32)) 2049 MAX-ACCESS not-accessible 2050 STATUS current 2051 DESCRIPTION 2052 "The administrative name of this filter." 2053 ::= { ipspPeerIdentityFilterEntry 1 } 2055 ipspPeerIdFiltIdentityType OBJECT-TYPE 2056 SYNTAX IpsecDoiIdentType 2057 MAX-ACCESS read-create 2058 STATUS current 2059 DESCRIPTION 2060 "The type of identity field in the peer ID payload to match 2061 against." 2062 ::= { ipspPeerIdentityFilterEntry 2 } 2064 ipspPeerIdFiltIdentityValue OBJECT-TYPE 2065 SYNTAX IpspIdentityFilter 2066 MAX-ACCESS read-create 2067 STATUS current 2068 DESCRIPTION 2069 "The string representation of the value that the peer ID 2070 payload value must match against. Wildcard mechanisms MUST be 2071 supported such that: 2073 - a ipspPeerIdFiltIdentityValue of '*@example.com' will match 2074 a userFqdn ID payload of 'JDOE@EXAMPLE.COM' 2076 - a ipspPeerIdFiltIdentityValue of '*.example.com' will match 2077 a fqdn ID payload of 'WWW.EXAMPLE.COM' 2079 - a ipspPeerIdFiltIdentityValue of: 2080 'cn=*,ou=engineering,o=company,c=us' 2081 will match a DER DN ID payload of 2082 'cn=John Doe,ou=engineering,o=company,c=us' 2084 - a ipspPeerIdFiltIdentityValue of '192.0.2.0/24' will match 2085 an IPv4 address ID payload of 192.0.2.10 2087 - a ipspPeerIdFiltIdentityValue of '192.0.2.*' will also 2088 match an IPv4 address ID payload of 192.0.2.10. 2090 The character '*' replaces 0 or multiple instances of any 2091 character." 2092 ::= { ipspPeerIdentityFilterEntry 3 } 2094 ipspPeerIdFiltLastChanged OBJECT-TYPE 2095 SYNTAX TimeStamp 2096 MAX-ACCESS read-only 2097 STATUS current 2098 DESCRIPTION 2099 "The value of sysUpTime when this row was last modified or 2100 created either through SNMP SETs or by some other external 2101 means." 2102 ::= { ipspPeerIdentityFilterEntry 4 } 2104 ipspPeerIdFiltStorageType OBJECT-TYPE 2105 SYNTAX StorageType 2106 MAX-ACCESS read-create 2107 STATUS current 2108 DESCRIPTION 2109 "The storage type for this row. Rows in this table which were 2110 created through an external process may have a storage type 2111 of readOnly or permanent." 2112 DEFVAL { nonVolatile } 2113 ::= { ipspPeerIdentityFilterEntry 5 } 2115 ipspPeerIdFiltRowStatus OBJECT-TYPE 2116 SYNTAX RowStatus 2117 MAX-ACCESS read-create 2118 STATUS current 2119 DESCRIPTION 2120 "This object indicates the conceptual status of this row. 2121 This object can not be considered active unless the 2122 ipspPeerIdFiltIdentityType and ipspPeerIdFiltIdentityValue 2123 column values are defined." 2124 ::= { ipspPeerIdentityFilterEntry 6 } 2126 -- 2127 -- compound actions table 2128 -- 2130 ipspCompoundActionTable OBJECT-TYPE 2131 SYNTAX SEQUENCE OF IpspCompoundActionEntry 2132 MAX-ACCESS not-accessible 2133 STATUS current 2134 DESCRIPTION 2135 "Table used to allow multiple actions to be associated with a 2136 rule. It uses the ipspSubactionsTable to do this." 2137 ::= { ipspConfigObjects 14 } 2139 ipspCompoundActionEntry OBJECT-TYPE 2140 SYNTAX IpspCompoundActionEntry 2141 MAX-ACCESS not-accessible 2142 STATUS current 2143 DESCRIPTION 2144 "A row in the ipspCompoundActionTable." 2145 INDEX { ipspCompActName } 2146 ::= { ipspCompoundActionTable 1 } 2148 IpspCompoundActionEntry ::= SEQUENCE { 2149 ipspCompActName SnmpAdminString, 2150 ipspCompActExecutionStrategy INTEGER, 2151 ipspCompActLastChanged TimeStamp, 2152 ipspCompActStorageType StorageType, 2153 ipspCompActRowStatus RowStatus 2154 } 2156 ipspCompActName OBJECT-TYPE 2157 SYNTAX SnmpAdminString (SIZE(1..32)) 2158 MAX-ACCESS not-accessible 2159 STATUS current 2160 DESCRIPTION 2161 "This is an administratively assigned name of this compound 2162 action." 2164 ::= { ipspCompoundActionEntry 1 } 2166 ipspCompActExecutionStrategy OBJECT-TYPE 2167 SYNTAX INTEGER { reserved(0), 2168 doAll(1), 2169 doUntilSuccess(2), 2170 doUntilFailure(3) } 2171 MAX-ACCESS read-create 2172 STATUS current 2173 DESCRIPTION 2174 "This object indicates how the sub-actions are executed based 2175 on the success of the actions as they finish executing. 2177 doAll - run each sub-action regardless of the 2178 exit status of the previous action. This 2179 parent action is always considered to have 2180 acted successfully. 2182 doUntilSuccess - run each sub-action until one succeeds, at 2183 which point stop processing the sub-actions 2184 within this parent compound action. If one 2185 of the sub-actions did execute 2186 successfully, this parent action is also 2187 considered to have executed sucessfully. 2189 doUntilFailure - run each sub-action until one fails, at 2190 which point stop processing the sub-actions 2191 within this compound action. If any 2192 sub-action fails, the result of this parent 2193 action is considered to have failed." 2194 DEFVAL { doUntilSuccess } 2195 ::= { ipspCompoundActionEntry 2 } 2197 ipspCompActLastChanged OBJECT-TYPE 2198 SYNTAX TimeStamp 2199 MAX-ACCESS read-only 2200 STATUS current 2201 DESCRIPTION 2202 "The value of sysUpTime when this row was last modified or 2203 created either through SNMP SETs or by some other external 2204 means." 2205 ::= { ipspCompoundActionEntry 3 } 2207 ipspCompActStorageType OBJECT-TYPE 2208 SYNTAX StorageType 2209 MAX-ACCESS read-create 2210 STATUS current 2211 DESCRIPTION 2212 "The storage type for this row. Rows in this table which were 2213 created through an external process may have a storage type 2214 of readOnly or permanent." 2215 DEFVAL { nonVolatile } 2216 ::= { ipspCompoundActionEntry 4 } 2218 ipspCompActRowStatus OBJECT-TYPE 2219 SYNTAX RowStatus 2220 MAX-ACCESS read-create 2221 STATUS current 2222 DESCRIPTION 2223 "This object indicates the conceptual status of this row. 2225 The value of this object has no effect on whether other 2226 objects in this conceptual row can be modified. 2228 Once a row in the ipspCompoundActionTable has been made active, 2229 this object may not be set to destroy without first 2230 destroying all the contained rows listed in the 2231 ipspSubactionsTable." 2232 ::= { ipspCompoundActionEntry 5 } 2234 -- 2235 -- actions contained within a compound action 2236 -- 2238 ipspSubactionsTable OBJECT-TYPE 2239 SYNTAX SEQUENCE OF IpspSubactionsEntry 2240 MAX-ACCESS not-accessible 2241 STATUS current 2242 DESCRIPTION 2243 "This table contains a list of the sub-actions within a given 2244 compound action. Compound actions executing these actions 2245 MUST execute them in series based on the ipspSubActPriority 2246 value, with the lowest value executing first." 2247 ::= { ipspConfigObjects 15 } 2249 ipspSubactionsEntry OBJECT-TYPE 2250 SYNTAX IpspSubactionsEntry 2251 MAX-ACCESS not-accessible 2252 STATUS current 2253 DESCRIPTION 2254 "A row containing a reference to a given compound-action 2255 sub-action." 2256 INDEX { ipspCompActName, ipspSubActPriority } 2257 ::= { ipspSubactionsTable 1 } 2259 IpspSubactionsEntry ::= SEQUENCE { 2260 ipspSubActPriority Integer32, 2261 ipspSubActSubActionName VariablePointer, 2262 aiipspCompActLastChanged TimeStamp, 2263 aiipspCompActStorageType StorageType, 2264 aiipspCompActRowStatus RowStatus 2265 } 2267 ipspSubActPriority OBJECT-TYPE 2268 SYNTAX Integer32 (0..65536) 2269 MAX-ACCESS not-accessible 2270 STATUS current 2271 DESCRIPTION 2272 "The priority of a given sub-action within a compound action. 2273 The order in which sub-actions should be executed are based 2274 on the value from this column, with the lowest numeric value 2275 executing first." 2276 ::= { ipspSubactionsEntry 1 } 2278 ipspSubActSubActionName OBJECT-TYPE 2279 SYNTAX VariablePointer 2280 MAX-ACCESS read-create 2281 STATUS current 2282 DESCRIPTION 2283 "This column points to the action to be taken. It may, but is 2284 not limited to, point to a row in one of the following 2285 tables: 2287 ipspCompoundActionTable - Allowing recursion 2288 ipspSaPreconfiguredActionTable 2289 ipspIkeActionTable 2290 ipspIpsecActionTable 2292 It may also point to one of the scalar objects beneath 2293 ipspStaticActions. 2295 If this object is set to a pointer to a row in an unsupported 2296 (or unknown) table, an inconsistentValue error should be 2297 returned. 2299 If this object is set to point to a non-existent row in an 2300 otherwise supported table, an inconsistentName error should 2301 be returned." 2302 ::= { ipspSubactionsEntry 2 } 2304 aiipspCompActLastChanged OBJECT-TYPE 2305 SYNTAX TimeStamp 2306 MAX-ACCESS read-only 2307 STATUS current 2308 DESCRIPTION 2309 "The value of sysUpTime when this row was last modified or 2310 created either through SNMP SETs or by some other external 2311 means." 2312 ::= { ipspSubactionsEntry 3 } 2314 aiipspCompActStorageType OBJECT-TYPE 2315 SYNTAX StorageType 2316 MAX-ACCESS read-create 2317 STATUS current 2318 DESCRIPTION 2319 "The storage type for this row. Rows in this table which were 2320 created through an external process may have a storage type 2321 of readOnly or permanent." 2322 DEFVAL { nonVolatile } 2323 ::= { ipspSubactionsEntry 4 } 2325 aiipspCompActRowStatus OBJECT-TYPE 2326 SYNTAX RowStatus 2327 MAX-ACCESS read-create 2328 STATUS current 2329 DESCRIPTION 2330 "This object indicates the conceptual status of this row. 2332 The value of this object has no effect on whether other 2333 objects in this conceptual row can be modified." 2334 ::= { ipspSubactionsEntry 5 } 2336 -- 2337 -- Static Actions 2338 -- 2340 -- these are static actions which can be pointed to by the 2341 -- ipspRuleDefAction or the ipspSubActSubActionName objects to drop, 2342 -- accept or reject packets. 2344 ipspStaticActions OBJECT IDENTIFIER ::= { ipspConfigObjects 16 } 2346 ipspDropAction OBJECT-TYPE 2347 SYNTAX Integer32 2348 MAX-ACCESS read-only 2349 STATUS current 2350 DESCRIPTION 2351 "This scalar indicates that a packet should be dropped WITHOUT 2352 action/packet logging. This object returns a value 2353 of 1 for IPsec policy implementations that support the drop 2354 static action." 2356 ::= { ipspStaticActions 1 } 2358 ipspDropActionLog OBJECT-TYPE 2359 SYNTAX Integer32 2360 MAX-ACCESS read-only 2361 STATUS current 2362 DESCRIPTION 2363 "This scalar indicates that a packet should be dropped WITH 2364 action/packet logging. This object returns a value 2365 of 1 for IPsec policy implementations that support the drop 2366 static action with logging." 2367 ::= { ipspStaticActions 2 } 2369 ipspAcceptAction OBJECT-TYPE 2370 SYNTAX Integer32 2371 MAX-ACCESS read-only 2372 STATUS current 2373 DESCRIPTION 2374 "This Scalar indicates that a packet should be accepted 2375 (pass-through) WITHOUT action/packet logging. This object 2376 returns a value of 1 for IPsec policy implementations that 2377 support the accept static action." 2378 ::= { ipspStaticActions 3 } 2380 ipspAcceptActionLog OBJECT-TYPE 2381 SYNTAX Integer32 2382 MAX-ACCESS read-only 2383 STATUS current 2384 DESCRIPTION 2385 "This scalar indicates that a packet should be accepted 2386 (pass-through) WITH action/packet logging. This object 2387 returns a value of 1 for IPsec policy implementations that 2388 support the accept static action with logging." 2389 ::= { ipspStaticActions 4 } 2391 ipspRejectIKEAction OBJECT-TYPE 2392 SYNTAX Integer32 2393 MAX-ACCESS read-only 2394 STATUS current 2395 DESCRIPTION 2396 "This scalar indicates that a packet should be rejected 2397 WITHOUT action/packet logging. This object returns a value 2398 of 1 for IPsec policy implementations that support the reject 2399 static action." 2400 ::= { ipspStaticActions 5 } 2402 ipspRejectIKEActionLog OBJECT-TYPE 2403 SYNTAX Integer32 2404 MAX-ACCESS read-only 2405 STATUS current 2406 DESCRIPTION 2407 "This scalar indicates that a packet should be rejected 2408 WITH action/packet logging. This object returns a value of 1 2409 for IPsec policy implementations that support the reject 2410 static action with logging." 2411 ::= { ipspStaticActions 6 } 2413 -- 2414 -- Preconfigured Action Table 2415 -- 2417 ipspSaPreconfiguredActionTable OBJECT-TYPE 2418 SYNTAX SEQUENCE OF IpspSaPreconfiguredActionEntry 2419 MAX-ACCESS not-accessible 2420 STATUS current 2421 DESCRIPTION 2422 "This table is a list of non-negotiated IPsec actions (SAs) 2423 that can be performed and contains or indicates the data 2424 necessary to create such an SA." 2425 ::= { ipspConfigObjects 17 } 2427 ipspSaPreconfiguredActionEntry OBJECT-TYPE 2428 SYNTAX IpspSaPreconfiguredActionEntry 2429 MAX-ACCESS not-accessible 2430 STATUS current 2431 DESCRIPTION 2432 "One entry in the ipspSaPreconfiguredActionTable." 2433 INDEX { ipspSaPreActActionName, ipspSaPreActSADirection } 2434 ::= { ipspSaPreconfiguredActionTable 1 } 2436 IpspSaPreconfiguredActionEntry ::= SEQUENCE { 2437 ipspSaPreActActionName SnmpAdminString, 2438 ipspSaPreActSADirection IpspSADirection, 2439 ipspSaPreActActionDescription SnmpAdminString, 2440 ipspSaPreActActionLifetimeSec Unsigned32, 2441 ipspSaPreActActionLifetimeKB Unsigned32, 2442 ipspSaPreActDoActionLogging TruthValue, 2443 ipspSaPreActDoPacketLogging IpspIPPacketLogging, 2444 ipspSaPreActDFHandling INTEGER, 2445 ipspSaPreActActionType IpsecDoiEncapsulationMode, 2446 ipspSaPreActAHSPI Integer32, 2447 ipspSaPreActAHTransformName SnmpAdminString, 2448 ipspSaPreActAHSharedSecretName SnmpAdminString, 2449 ipspSaPreActESPSPI Integer32, 2450 ipspSaPreActESPTransformName SnmpAdminString, 2451 ipspSaPreActESPEncSecretName SnmpAdminString, 2452 ipspSaPreActESPAuthSecretName SnmpAdminString, 2453 ipspSaPreActIPCompSPI Integer32, 2454 ipspSaPreActIPCompTransformName SnmpAdminString, 2455 ipspSaPreActPeerGatewayIdName SnmpAdminString, 2456 ipspSaPreActLastChanged TimeStamp, 2457 ipspSaPreActStorageType StorageType, 2458 ipspSaPreActRowStatus RowStatus 2459 } 2461 ipspSaPreActActionName OBJECT-TYPE 2462 SYNTAX SnmpAdminString (SIZE(1..32)) 2463 MAX-ACCESS not-accessible 2464 STATUS current 2465 DESCRIPTION 2466 "This object contains the name of this 2467 SaPreconfiguredActionEntry." 2468 ::= { ipspSaPreconfiguredActionEntry 1 } 2470 ipspSaPreActSADirection OBJECT-TYPE 2471 SYNTAX IpspSADirection 2472 MAX-ACCESS not-accessible 2473 STATUS current 2474 DESCRIPTION 2475 "This object indicates whether a row should apply to outgoing 2476 or incoming SAs" 2477 ::= { ipspSaPreconfiguredActionEntry 2 } 2479 ipspSaPreActActionDescription OBJECT-TYPE 2480 SYNTAX SnmpAdminString 2481 MAX-ACCESS read-create 2482 STATUS current 2483 DESCRIPTION 2484 "An administratively assigned string which may be used 2485 to describe what the action does." 2486 DEFVAL { "" } 2487 ::= { ipspSaPreconfiguredActionEntry 3 } 2489 ipspSaPreActActionLifetimeSec OBJECT-TYPE 2490 SYNTAX Unsigned32 2491 MAX-ACCESS read-create 2492 STATUS current 2493 DESCRIPTION 2494 "ipspSaPreActActionLifetimeSec specifies how long in seconds the 2495 security association derived from this action should be used. 2496 The default lifetime is 8 hours. 2498 Note: the actual lifetime of the preconfigured SA will be the 2499 lesser of the value of this object and of the value of the 2500 MaxLifetimeSecs property of the associated transform. 2502 A value of 0 indicates no time limit on the lifetime 2503 of the SA." 2504 DEFVAL { 28800 } 2505 ::= { ipspSaPreconfiguredActionEntry 4 } 2507 ipspSaPreActActionLifetimeKB OBJECT-TYPE 2508 SYNTAX Unsigned32 2509 MAX-ACCESS read-create 2510 STATUS current 2511 DESCRIPTION 2512 "ipspSaPreActActionLifetimeKB specifies how long the 2513 security association derived from this action should be used. 2514 After this value in KiloBytes has passed through the security 2515 association, it should no longer be used. 2517 Note: the actual lifetime of the preconfigured SA will be the 2518 lesser of the value of this object and of the value of the 2519 MaxLifetimeKB property of the associated transform. 2521 The default value, '0', indicates no kilobyte limit." 2522 DEFVAL { 0 } 2523 ::= { ipspSaPreconfiguredActionEntry 5 } 2525 ipspSaPreActDoActionLogging OBJECT-TYPE 2526 SYNTAX TruthValue 2527 MAX-ACCESS read-create 2528 STATUS current 2529 DESCRIPTION 2530 "ipspSaPreActDoActionLogging specifies whether or not an audit 2531 message should be logged when a preconfigured SA is created." 2532 DEFVAL { false } 2533 ::= { ipspSaPreconfiguredActionEntry 6 } 2535 ipspSaPreActDoPacketLogging OBJECT-TYPE 2536 SYNTAX IpspIPPacketLogging 2537 MAX-ACCESS read-create 2538 STATUS current 2539 DESCRIPTION 2540 "ipspSaPreActDoPacketLogging specifies whether or not an audit 2541 message should be logged and if there is logging, how many 2542 bytes of the packet to place in the notification." 2543 DEFVAL { -1 } 2544 ::= { ipspSaPreconfiguredActionEntry 7 } 2546 ipspSaPreActDFHandling OBJECT-TYPE 2547 SYNTAX INTEGER { 2548 reserved(0), -- reserved 2549 copy(1), -- indicates copy the DF bit from the 2550 -- internal to external IP header. 2551 set(2), -- set the DF bit in the external IP 2552 -- header to 1. 2553 clear(3) -- clear the DF bit in the external IP 2554 -- header to 0. 2555 } 2556 MAX-ACCESS read-create 2557 STATUS current 2558 DESCRIPTION 2559 "This object specifies how to process the DF bit in packets 2560 sent through the preconfigured SA. This object is not used 2561 for transport SAs." 2562 DEFVAL { copy } 2563 ::= { ipspSaPreconfiguredActionEntry 8 } 2565 ipspSaPreActActionType OBJECT-TYPE 2566 SYNTAX IpsecDoiEncapsulationMode 2567 MAX-ACCESS read-create 2568 STATUS current 2569 DESCRIPTION 2570 "This object specifies the encapsulation mode to use for the 2571 preconfigured SA: tunnel or transport mode." 2572 DEFVAL { tunnel } 2573 ::= { ipspSaPreconfiguredActionEntry 9 } 2575 ipspSaPreActAHSPI OBJECT-TYPE 2576 SYNTAX Integer32 2577 MAX-ACCESS read-create 2578 STATUS current 2579 DESCRIPTION 2580 "This object represents the SPI value for the AH SA." 2581 ::= { ipspSaPreconfiguredActionEntry 10 } 2583 ipspSaPreActAHTransformName OBJECT-TYPE 2584 SYNTAX SnmpAdminString (SIZE(0..32)) 2585 MAX-ACCESS read-create 2586 STATUS current 2587 DESCRIPTION 2588 "This object is the name of the AH transform to use as an 2589 index into the AHTransformTable. A zero length value 2590 indicates no transform of this type is used." 2591 ::= { ipspSaPreconfiguredActionEntry 11 } 2593 ipspSaPreActAHSharedSecretName OBJECT-TYPE 2594 SYNTAX SnmpAdminString(SIZE(0..32)) 2595 MAX-ACCESS read-create 2596 STATUS current 2597 DESCRIPTION 2598 "This object contains a name value to be used as an index into 2599 the ipspCredentialTable which holds the pertinent keying 2600 information for the AH SA." 2601 ::= { ipspSaPreconfiguredActionEntry 12 } 2603 ipspSaPreActESPSPI OBJECT-TYPE 2604 SYNTAX Integer32 2605 MAX-ACCESS read-create 2606 STATUS current 2607 DESCRIPTION 2608 "This object represents the SPI value for the ESP SA." 2609 ::= { ipspSaPreconfiguredActionEntry 13 } 2611 ipspSaPreActESPTransformName OBJECT-TYPE 2612 SYNTAX SnmpAdminString (SIZE(0..32)) 2613 MAX-ACCESS read-create 2614 STATUS current 2615 DESCRIPTION 2616 "This object is the name of the ESP transform to use as an 2617 index into the ESPTransformTable. A zero length value 2618 indicates no transform of this type is used." 2619 ::= { ipspSaPreconfiguredActionEntry 14 } 2621 ipspSaPreActESPEncSecretName OBJECT-TYPE 2622 SYNTAX SnmpAdminString(SIZE(0..32)) 2623 MAX-ACCESS read-create 2624 STATUS current 2625 DESCRIPTION 2626 "This object contains a name value to be used as an index into 2627 the ipspCredentialTable which holds the pertinent keying 2628 information for the encryption algorithm of the ESP SA." 2629 ::= { ipspSaPreconfiguredActionEntry 15 } 2631 ipspSaPreActESPAuthSecretName OBJECT-TYPE 2632 SYNTAX SnmpAdminString(SIZE(0..32)) 2633 MAX-ACCESS read-create 2634 STATUS current 2635 DESCRIPTION 2636 "This object contains a name value to be used as an index into 2637 the ipspCredentialTable which holds the pertinent keying 2638 information for the authentication algorithm of the ESP SA." 2639 ::= { ipspSaPreconfiguredActionEntry 16 } 2641 ipspSaPreActIPCompSPI OBJECT-TYPE 2642 SYNTAX Integer32 2643 MAX-ACCESS read-create 2644 STATUS current 2645 DESCRIPTION 2646 "This object represents the SPI value for the IPComp SA." 2647 ::= { ipspSaPreconfiguredActionEntry 17 } 2649 ipspSaPreActIPCompTransformName OBJECT-TYPE 2650 SYNTAX SnmpAdminString (SIZE(0..32)) 2651 MAX-ACCESS read-create 2652 STATUS current 2653 DESCRIPTION 2654 "This object is the name of the IPComp transform to use as an 2655 index into the IPCompTransformTable. A zero length value 2656 indicates no transform of this type is used." 2657 ::= { ipspSaPreconfiguredActionEntry 18 } 2659 ipspSaPreActPeerGatewayIdName OBJECT-TYPE 2660 SYNTAX SnmpAdminString (SIZE(0..32)) 2661 MAX-ACCESS read-create 2662 STATUS current 2663 DESCRIPTION 2664 "This object indicates the peer id name of the peer 2665 gateway. This object can be used to look up the peer gateway 2666 address in the ipspPeerIdentityTable. 2668 This object is only used when initiating a tunnel SA, and 2669 is not used for transport SAs. If ipspSaPreActActionType 2670 specifies tunnel mode and this object is empty, the peer 2671 gateway should be determined from the source or destination 2672 of the packet." 2673 DEFVAL { "" } 2674 ::= { ipspSaPreconfiguredActionEntry 19 } 2676 ipspSaPreActLastChanged OBJECT-TYPE 2677 SYNTAX TimeStamp 2678 MAX-ACCESS read-only 2679 STATUS current 2680 DESCRIPTION 2681 "The value of sysUpTime when this row was last modified or 2682 created either through SNMP SETs or by some other external 2683 means." 2684 ::= { ipspSaPreconfiguredActionEntry 20 } 2686 ipspSaPreActStorageType OBJECT-TYPE 2687 SYNTAX StorageType 2688 MAX-ACCESS read-create 2689 STATUS current 2690 DESCRIPTION 2691 "The storage type for this row. Rows in this table which were 2692 created through an external process may have a storage type 2693 of readOnly or permanent." 2694 DEFVAL { nonVolatile } 2695 ::= { ipspSaPreconfiguredActionEntry 21 } 2697 ipspSaPreActRowStatus OBJECT-TYPE 2698 SYNTAX RowStatus 2699 MAX-ACCESS read-create 2700 STATUS current 2701 DESCRIPTION 2702 "This object indicates the conceptual status of this row. 2704 The value of this object has no effect on whether other 2705 objects in this conceptual row can be modified. 2707 If active, this object must remain active if it is referenced 2708 by a row in another table." 2709 ::= { ipspSaPreconfiguredActionEntry 22 } 2711 -- 2712 -- ipspSaNegotiationParametersTable 2713 -- 2715 -- PROPERTIES MinLifetimeSeconds 2716 -- MinLifetimeKilobytes 2717 -- RefreshThresholdSeconds 2718 -- RefreshThresholdKilobytes 2719 -- IdleDurationSeconds 2721 ipspSaNegotiationParametersTable OBJECT-TYPE 2722 SYNTAX SEQUENCE OF IpspSaNegotiationParametersEntry 2723 MAX-ACCESS not-accessible 2724 STATUS current 2725 DESCRIPTION 2726 "This table contains reusable parameters that can be pointed 2727 to by the ipspIkeActionTable and ipspIpsecActionTable. These 2728 parameters are reusable since it is likely an administrator 2729 will want to make global policy changes to lifetime 2730 parameters that apply to multiple actions. This table allows 2731 multiple rows in the other actions tables to reuse global 2732 lifetime parameters in this table by repeatedly pointing to a 2733 row cointained within this table." 2734 ::= { ipspConfigObjects 18 } 2736 ipspSaNegotiationParametersEntry OBJECT-TYPE 2737 SYNTAX IpspSaNegotiationParametersEntry 2738 MAX-ACCESS not-accessible 2739 STATUS current 2740 DESCRIPTION 2741 "Contains the attributes of one row in the 2742 ipspSaNegotiationParametersTable." 2743 INDEX { ipspSaNegParamName } 2744 ::= { ipspSaNegotiationParametersTable 1 } 2746 IpspSaNegotiationParametersEntry ::= SEQUENCE { 2747 ipspSaNegParamName SnmpAdminString, 2748 ipspSaNegParamMinLifetimeSecs Unsigned32, 2749 ipspSaNegParamMinLifetimeKB Unsigned32, 2750 ipspSaNegParamRefreshThreshSecs Unsigned32, 2751 ipspSaNegParamRefreshThresholdKB Unsigned32, 2752 ipspSaNegParamIdleDurationSecs Unsigned32, 2753 ipspSaNegParamLastChanged TimeStamp, 2754 ipspSaNegParamStorageType StorageType, 2755 ipspSaNegParamRowStatus RowStatus 2756 } 2758 ipspSaNegParamName OBJECT-TYPE 2759 SYNTAX SnmpAdminString (SIZE(1..32)) 2760 MAX-ACCESS not-accessible 2761 STATUS current 2762 DESCRIPTION 2763 "This object contains the administrative name of this 2764 SaNegotiationParametersEntry. This row can be referred 2765 to by this name in other policy action tables." 2766 ::= { ipspSaNegotiationParametersEntry 1 } 2768 ipspSaNegParamMinLifetimeSecs OBJECT-TYPE 2769 SYNTAX Unsigned32 2770 MAX-ACCESS read-create 2771 STATUS current 2772 DESCRIPTION 2773 "ipspSaNegParamMinLifetimeSecs specifies the minimum seconds 2774 lifetime that will be accepted from the peer." 2775 ::= { ipspSaNegotiationParametersEntry 2 } 2777 ipspSaNegParamMinLifetimeKB OBJECT-TYPE 2778 SYNTAX Unsigned32 2779 MAX-ACCESS read-create 2780 STATUS current 2781 DESCRIPTION 2782 "ipspSaNegParamMinLifetimeKB specifies the minimum kilobyte 2783 lifetime that will be accepted from the peer." 2784 ::= { ipspSaNegotiationParametersEntry 3 } 2786 ipspSaNegParamRefreshThreshSecs OBJECT-TYPE 2787 SYNTAX Unsigned32 (1..100) 2788 MAX-ACCESS read-create 2789 STATUS current 2790 DESCRIPTION 2791 "ipspSaNegParamRefreshThreshSecs specifies what percentage of 2792 the seconds lifetime can expire before IKE should attempt to 2793 renegotiate the IPsec security association. 2794 A value between 1 and 100 representing a percentage. A 2795 value of 100 indicates that the IPsec security 2796 association should not be renegotiated until the 2797 seconds lifetime has been completely reached." 2798 ::= { ipspSaNegotiationParametersEntry 4 } 2800 ipspSaNegParamRefreshThresholdKB OBJECT-TYPE 2801 SYNTAX Unsigned32 (1..100) 2802 MAX-ACCESS read-create 2803 STATUS current 2804 DESCRIPTION 2805 "ipspSaNegParamRefreshThresholdKB specifies what percentage of 2806 the kilobyte lifetime can expire before IKE should attempt 2807 to renegotiate the IPsec security association. A value 2808 between 1 and 100 representing a percentage. A value of 100 2809 indicates that the IPsec security association should not be 2810 renegotiated until the kilobyte lifetime has been reached." 2811 ::= { ipspSaNegotiationParametersEntry 5 } 2813 ipspSaNegParamIdleDurationSecs OBJECT-TYPE 2814 SYNTAX Unsigned32 2815 MAX-ACCESS read-create 2816 STATUS current 2817 DESCRIPTION 2818 "ipspSaNegParamIdleDurationSecs specifies how many seconds a 2819 security association may remain idle (i.e., no traffic 2820 protected using the security association) before it is 2821 deleted. A value of zero indicates that idle detection 2822 should not be used for the security association. Any 2823 non-zero value indicates the number of seconds the security 2824 association may remain unused." 2825 ::= { ipspSaNegotiationParametersEntry 6 } 2827 ipspSaNegParamLastChanged OBJECT-TYPE 2828 SYNTAX TimeStamp 2829 MAX-ACCESS read-only 2830 STATUS current 2831 DESCRIPTION 2832 "The value of sysUpTime when this row was last modified or 2833 created either through SNMP SETs or by some other external 2834 means." 2835 ::= { ipspSaNegotiationParametersEntry 7 } 2837 ipspSaNegParamStorageType OBJECT-TYPE 2838 SYNTAX StorageType 2839 MAX-ACCESS read-create 2840 STATUS current 2841 DESCRIPTION 2842 "The storage type for this row. Rows in this table which were 2843 created through an external process may have a storage type 2844 of readOnly or permanent." 2845 DEFVAL { nonVolatile } 2846 ::= { ipspSaNegotiationParametersEntry 8 } 2848 ipspSaNegParamRowStatus OBJECT-TYPE 2849 SYNTAX RowStatus 2850 MAX-ACCESS read-create 2851 STATUS current 2852 DESCRIPTION 2853 "This object indicates the conceptual status of this row. 2855 The value of this object has no effect on whether other 2856 objects in this conceptual row can be modified. 2858 This object may not be set to destroy if refered to by other 2859 rows in other action tables." 2860 ::= { ipspSaNegotiationParametersEntry 9 } 2862 -- 2863 -- ipspIkeActionTable 2864 -- 2866 ipspIkeActionTable OBJECT-TYPE 2867 SYNTAX SEQUENCE OF IpspIkeActionEntry 2868 MAX-ACCESS not-accessible 2869 STATUS current 2870 DESCRIPTION 2871 "The ipspIkeActionTable contains a list of the parameters used 2872 for an IKE phase 1 SA DOI negotiation. See the corresponding 2873 table ipspIkeActionProposalsTable for a list of proposals 2874 contained within a given IKE Action." 2875 ::= { ipspConfigObjects 19 } 2877 ipspIkeActionEntry OBJECT-TYPE 2878 SYNTAX IpspIkeActionEntry 2879 MAX-ACCESS not-accessible 2880 STATUS current 2881 DESCRIPTION 2882 "The ipspIkeActionEntry lists the IKE negotiation attributes." 2883 INDEX { ipspIkeActName } 2884 ::= { ipspIkeActionTable 1 } 2886 IpspIkeActionEntry ::= SEQUENCE { 2887 ipspIkeActName SnmpAdminString, 2888 ipspIkeActParametersName SnmpAdminString, 2889 ipspIkeActThresholdDerivedKeys Integer32, 2890 ipspIkeActExchangeMode INTEGER, 2891 ipspIkeActAgressiveModeGroupId IkeGroupDescription, 2892 ipspIkeActIdentityType IpsecDoiIdentType, 2893 ipspIkeActIdentityContext SnmpAdminString, 2894 ipspIkeActPeerName SnmpAdminString, 2895 ipspIkeActDoActionLogging TruthValue, 2896 ipspIkeActDoPacketLogging IpspIPPacketLogging, 2897 ipspIkeActVendorId OCTET STRING, 2898 ipspIkeActLastChanged TimeStamp, 2899 ipspIkeActStorageType StorageType, 2900 ipspIkeActRowStatus RowStatus 2901 } 2903 ipspIkeActName OBJECT-TYPE 2904 SYNTAX SnmpAdminString (SIZE(1..32)) 2905 MAX-ACCESS not-accessible 2906 STATUS current 2907 DESCRIPTION 2908 "This object contains the name of this ikeAction entry." 2909 ::= { ipspIkeActionEntry 1 } 2911 ipspIkeActParametersName OBJECT-TYPE 2912 SYNTAX SnmpAdminString (SIZE(1..32)) 2913 MAX-ACCESS read-create 2914 STATUS current 2915 DESCRIPTION 2916 "This object is administratively assigned to reference a row 2917 in the ipspSaNegotiationParametersTable where additional 2918 parameters affecting this action may be found." 2919 ::= { ipspIkeActionEntry 2 } 2921 ipspIkeActThresholdDerivedKeys OBJECT-TYPE 2922 SYNTAX Integer32 (0..100) 2923 MAX-ACCESS read-create 2924 STATUS current 2925 DESCRIPTION 2926 "ipspIkeActThresholdDerivedKeys specifies what percentage 2927 of the derived key limit (see the LifetimeDerivedKeys 2928 property of IKEProposal) can expire before IKE should attempt 2929 to renegotiate the IKE phase 1 security association." 2931 DEFVAL { 100 } 2932 ::= { ipspIkeActionEntry 3 } 2934 ipspIkeActExchangeMode OBJECT-TYPE 2935 SYNTAX INTEGER { main(1), agressive(2) } 2936 MAX-ACCESS read-create 2937 STATUS current 2938 DESCRIPTION 2939 "ipspIkeActExchangeMode specifies the IKE Phase 1 negotiation 2940 mode." 2941 DEFVAL { main } 2942 ::= { ipspIkeActionEntry 4 } 2944 ipspIkeActAgressiveModeGroupId OBJECT-TYPE 2945 SYNTAX IkeGroupDescription 2946 MAX-ACCESS read-create 2947 STATUS current 2948 DESCRIPTION 2949 "The values to be used for Diffie-Hellman exchange." 2950 ::= { ipspIkeActionEntry 5 } 2952 ipspIkeActIdentityType OBJECT-TYPE 2953 SYNTAX IpsecDoiIdentType 2954 MAX-ACCESS read-create 2955 STATUS current 2956 DESCRIPTION 2957 "This column along with ipspIkeActIdentityContext and endpoint 2958 information is used to refer an ipspIkeIdentityEntry in the 2959 ipspIkeIdentityTable." 2960 ::= { ipspIkeActionEntry 6 } 2962 ipspIkeActIdentityContext OBJECT-TYPE 2963 SYNTAX SnmpAdminString (SIZE(1..32)) 2964 MAX-ACCESS read-create 2965 STATUS current 2966 DESCRIPTION 2967 "This column, along with ipspIkeActIdentityType and endpoint 2968 information, is used to refer to an ipspIkeIdentityEntry in the 2969 ipspIkeIdentityTable." 2970 ::= { ipspIkeActionEntry 7 } 2972 ipspIkeActPeerName OBJECT-TYPE 2973 SYNTAX SnmpAdminString(SIZE(0..32)) 2974 MAX-ACCESS read-create 2975 STATUS current 2976 DESCRIPTION 2977 "This object indicates the peer id name of the IKE peer. This 2978 object can be used to look up the peer id value, address, 2979 credentials and other values in the ipspPeerIdentityTable." 2980 ::= { ipspIkeActionEntry 8 } 2982 ipspIkeActDoActionLogging OBJECT-TYPE 2983 SYNTAX TruthValue 2984 MAX-ACCESS read-create 2985 STATUS current 2986 DESCRIPTION 2987 "ikeDoActionLogging specifies whether or not an audit 2988 message should be logged when this ike SA is created." 2989 DEFVAL { false } 2990 ::= { ipspIkeActionEntry 9 } 2992 ipspIkeActDoPacketLogging OBJECT-TYPE 2993 SYNTAX IpspIPPacketLogging 2994 MAX-ACCESS read-create 2995 STATUS current 2996 DESCRIPTION 2997 "ikeDoPacketLogging specifies whether or not an audit message 2998 should be logged and if there is logging, how many bytes of 2999 the packet to place in the notification." 3000 DEFVAL { -1 } 3001 ::= { ipspIkeActionEntry 10 } 3003 ipspIkeActVendorId OBJECT-TYPE 3004 SYNTAX OCTET STRING (SIZE(0..65535)) 3005 MAX-ACCESS read-create 3006 STATUS current 3007 DESCRIPTION 3008 "Vendor ID Payload. A value of NULL means that Vendor ID 3009 payload will be neither generated nor accepted. A non-NULL 3010 value means that a Vendor ID payload will be generated (when 3011 acting as an initiator) or is expected (when acting as a 3012 responder)." 3013 DEFVAL { "" } 3014 ::= { ipspIkeActionEntry 11 } 3016 ipspIkeActLastChanged OBJECT-TYPE 3017 SYNTAX TimeStamp 3018 MAX-ACCESS read-only 3019 STATUS current 3020 DESCRIPTION 3021 "The value of sysUpTime when this row was last modified or 3022 created either through SNMP SETs or by some other external 3023 means." 3024 ::= { ipspIkeActionEntry 12 } 3026 ipspIkeActStorageType OBJECT-TYPE 3027 SYNTAX StorageType 3028 MAX-ACCESS read-create 3029 STATUS current 3030 DESCRIPTION 3031 "The storage type for this row. Rows in this table which were 3032 created through an external process may have a storage type 3033 of readOnly or permanent." 3034 DEFVAL { nonVolatile } 3035 ::= { ipspIkeActionEntry 13 } 3037 ipspIkeActRowStatus OBJECT-TYPE 3038 SYNTAX RowStatus 3039 MAX-ACCESS read-create 3040 STATUS current 3041 DESCRIPTION 3042 "This object indicates the conceptual status of this row. 3044 The value of this object has no effect on whether other 3045 objects in this conceptual row can be modified. 3047 This object may not be set to destroy if refered to by other 3048 rows in other action tables." 3049 ::= { ipspIkeActionEntry 14 } 3051 -- 3052 -- ipspIkeActionProposalsTable proposals contained within a ikeAction 3053 -- 3055 ipspIkeActionProposalsTable OBJECT-TYPE 3056 SYNTAX SEQUENCE OF IpspIkeActionProposalsEntry 3057 MAX-ACCESS not-accessible 3058 STATUS current 3059 DESCRIPTION 3060 "This table contains a list of all ike proposal names found 3061 within a given IKE Action." 3062 ::= { ipspConfigObjects 20 } 3064 ipspIkeActionProposalsEntry OBJECT-TYPE 3065 SYNTAX IpspIkeActionProposalsEntry 3066 MAX-ACCESS not-accessible 3067 STATUS current 3068 DESCRIPTION 3069 "a row containing one ike proposal reference" 3070 INDEX { ipspIkeActName, ipspIkeActPropPriority } 3071 ::= { ipspIkeActionProposalsTable 1 } 3073 IpspIkeActionProposalsEntry ::= SEQUENCE { 3074 ipspIkeActPropPriority Integer32, 3075 ipspIkeActPropName SnmpAdminString, 3076 ipspIkeActPropLastChanged TimeStamp, 3077 ipspIkeActPropStorageType StorageType, 3078 ipspIkeActPropRowStatus RowStatus 3079 } 3081 ipspIkeActPropPriority OBJECT-TYPE 3082 SYNTAX Integer32 (0..65535) 3083 MAX-ACCESS not-accessible 3084 STATUS current 3085 DESCRIPTION 3086 "The numeric priority of a given contained proposal inside an 3087 ike Action. This index should be used to order the proposals 3088 in an IKE Phase I negotiation, lowest value first." 3089 ::= { ipspIkeActionProposalsEntry 1 } 3091 ipspIkeActPropName OBJECT-TYPE 3092 SYNTAX SnmpAdminString (SIZE(1..32)) 3093 MAX-ACCESS read-create 3094 STATUS current 3095 DESCRIPTION 3096 "The administratively assigned name that can be used to 3097 reference a set of values contained within the 3098 ipspIkeProposalTable." 3099 ::= { ipspIkeActionProposalsEntry 2 } 3101 ipspIkeActPropLastChanged OBJECT-TYPE 3102 SYNTAX TimeStamp 3103 MAX-ACCESS read-only 3104 STATUS current 3105 DESCRIPTION 3106 "The value of sysUpTime when this row was last modified or 3107 created either through SNMP SETs or by some other external 3108 means." 3109 ::= { ipspIkeActionProposalsEntry 3 } 3111 ipspIkeActPropStorageType OBJECT-TYPE 3112 SYNTAX StorageType 3113 MAX-ACCESS read-create 3114 STATUS current 3115 DESCRIPTION 3116 "The storage type for this row. Rows in this table which were 3117 created through an external process may have a storage type 3118 of readOnly or permanent." 3119 DEFVAL { nonVolatile } 3120 ::= { ipspIkeActionProposalsEntry 4 } 3122 ipspIkeActPropRowStatus OBJECT-TYPE 3123 SYNTAX RowStatus 3124 MAX-ACCESS read-create 3125 STATUS current 3126 DESCRIPTION 3127 "This object indicates the conceptual status of this row. 3129 The value of this object has no effect on whether other 3130 objects in this conceptual row can be modified." 3131 ::= { ipspIkeActionProposalsEntry 5 } 3133 -- 3134 -- IKE proposal definition table 3135 -- 3137 ipspIkeProposalTable OBJECT-TYPE 3138 SYNTAX SEQUENCE OF IpspIkeProposalEntry 3139 MAX-ACCESS not-accessible 3140 STATUS current 3141 DESCRIPTION 3142 "This table contains a list of IKE proposals which are used in 3143 an IKE negotiation." 3144 ::= { ipspConfigObjects 21 } 3146 ipspIkeProposalEntry OBJECT-TYPE 3147 SYNTAX IpspIkeProposalEntry 3148 MAX-ACCESS not-accessible 3149 STATUS current 3150 DESCRIPTION 3151 "One IKE proposal entry." 3152 INDEX { ipspIkeActPropName } 3153 ::= { ipspIkeProposalTable 1 } 3155 IpspIkeProposalEntry ::= SEQUENCE { 3156 ipspIkePropLifetimeDerivedKeys Unsigned32, 3157 ipspIkePropCipherAlgorithm IkeEncryptionAlgorithm, 3158 ipspIkePropCipherKeyLength Unsigned32, 3159 ipspIkePropCipherKeyRounds Unsigned32, 3160 ipspIkePropHashAlgorithm IkeHashAlgorithm, 3161 ipspIkePropPrfAlgorithm INTEGER, 3162 ipspIkePropVendorId OCTET STRING, 3163 ipspIkePropDhGroup IkeGroupDescription, 3164 ipspIkePropAuthenticationMethod IkeAuthMethod, 3165 ipspIkePropMaxLifetimeSecs Unsigned32, 3166 ipspIkePropMaxLifetimeKB Unsigned32, 3167 ipspIkePropProposalLastChanged TimeStamp, 3168 ipspIkePropProposalStorageType StorageType, 3169 ipspIkePropProposalRowStatus RowStatus 3170 } 3172 ipspIkePropLifetimeDerivedKeys OBJECT-TYPE 3173 SYNTAX Unsigned32 3174 MAX-ACCESS read-create 3175 STATUS current 3176 DESCRIPTION 3177 "ipspIkePropLifetimeDerivedKeys specifies the number of times 3178 that a phase 1 key will be used to derive a phase 2 key 3179 before the phase 1 security association needs renegotiated." 3180 ::= { ipspIkeProposalEntry 1 } 3182 ipspIkePropCipherAlgorithm OBJECT-TYPE 3183 SYNTAX IkeEncryptionAlgorithm 3184 MAX-ACCESS read-create 3185 STATUS current 3186 DESCRIPTION 3187 "ipspIkePropCipherAlgorithm specifies the proposed phase 1 3188 security association encryption algorithm." 3189 ::= { ipspIkeProposalEntry 2 } 3191 ipspIkePropCipherKeyLength OBJECT-TYPE 3192 SYNTAX Unsigned32 3193 MAX-ACCESS read-create 3194 STATUS current 3195 DESCRIPTION 3196 "This object specifies, in bits, the key length for 3197 the cipher algorithm used in IKE Phase 1 negotiation." 3198 ::= { ipspIkeProposalEntry 3 } 3200 ipspIkePropCipherKeyRounds OBJECT-TYPE 3201 SYNTAX Unsigned32 3202 MAX-ACCESS read-create 3203 STATUS current 3204 DESCRIPTION 3205 "This object specifies the number of key rounds for 3206 the cipher algorithm used in IKE Phase 1 negotiation." 3207 ::= { ipspIkeProposalEntry 4 } 3209 ipspIkePropHashAlgorithm OBJECT-TYPE 3210 SYNTAX IkeHashAlgorithm 3211 MAX-ACCESS read-create 3212 STATUS current 3213 DESCRIPTION 3214 "ipspIkePropHashAlgorithm specifies the proposed phase 1 3215 security assocation hash algorithm." 3216 ::= { ipspIkeProposalEntry 5 } 3218 ipspIkePropPrfAlgorithm OBJECT-TYPE 3219 SYNTAX INTEGER { reserved(0) } 3220 MAX-ACCESS read-create 3221 STATUS current 3222 DESCRIPTION 3223 "ipPRFAlgorithm specifies the proposed phase 1 security 3224 association psuedo-random function. 3226 Note: currently no prf algorithms are defined." 3227 ::= { ipspIkeProposalEntry 6 } 3229 ipspIkePropVendorId OBJECT-TYPE 3230 SYNTAX OCTET STRING (SIZE(0..255)) 3231 MAX-ACCESS read-create 3232 STATUS current 3233 DESCRIPTION 3234 "The VendorID property is used to identify vendor-defined key 3235 exchange GroupIDs." 3236 ::= { ipspIkeProposalEntry 7 } 3238 ipspIkePropDhGroup OBJECT-TYPE 3239 SYNTAX IkeGroupDescription 3240 MAX-ACCESS read-create 3241 STATUS current 3242 DESCRIPTION 3243 "This object specifies the proposed phase 1 security 3244 association Diffie-Hellman group" 3245 ::= { ipspIkeProposalEntry 8 } 3247 ipspIkePropAuthenticationMethod OBJECT-TYPE 3248 SYNTAX IkeAuthMethod 3249 MAX-ACCESS read-create 3250 STATUS current 3251 DESCRIPTION 3252 "This object specifies the proposed authentication 3253 method for the phase 1 security association." 3254 ::= { ipspIkeProposalEntry 9 } 3256 ipspIkePropMaxLifetimeSecs OBJECT-TYPE 3257 SYNTAX Unsigned32 3258 MAX-ACCESS read-create 3259 STATUS current 3260 DESCRIPTION 3261 "ipspIkePropMaxLifetimeSecs specifies the maximum amount of 3262 time to propose a security association remain valid. 3264 A value of 0 indicates that the default lifetime of 3265 8 hours should be used." 3267 ::= { ipspIkeProposalEntry 10 } 3269 ipspIkePropMaxLifetimeKB OBJECT-TYPE 3270 SYNTAX Unsigned32 3271 MAX-ACCESS read-create 3272 STATUS current 3273 DESCRIPTION 3274 "ipspIkePropMaxLifetimeKB specifies the maximum kilobyte 3275 lifetime to propose a security association remain valid." 3276 ::= { ipspIkeProposalEntry 11 } 3278 ipspIkePropProposalLastChanged OBJECT-TYPE 3279 SYNTAX TimeStamp 3280 MAX-ACCESS read-only 3281 STATUS current 3282 DESCRIPTION 3283 "The value of sysUpTime when this row was last modified or 3284 created either through SNMP SETs or by some other external 3285 means." 3286 ::= { ipspIkeProposalEntry 12 } 3288 ipspIkePropProposalStorageType OBJECT-TYPE 3289 SYNTAX StorageType 3290 MAX-ACCESS read-create 3291 STATUS current 3292 DESCRIPTION 3293 "The storage type for this row. Rows in this table which were 3294 created through an external process may have a storage type 3295 of readOnly or permanent." 3296 DEFVAL { nonVolatile } 3297 ::= { ipspIkeProposalEntry 13 } 3299 ipspIkePropProposalRowStatus OBJECT-TYPE 3300 SYNTAX RowStatus 3301 MAX-ACCESS read-create 3302 STATUS current 3303 DESCRIPTION 3304 "This object indicates the conceptual status of this row. 3306 The value of this object has no effect on whether other 3307 objects in this conceptual row can be modified." 3308 ::= { ipspIkeProposalEntry 14 } 3310 -- 3311 -- IPsec action definition table 3312 -- 3313 ipspIpsecActionTable OBJECT-TYPE 3314 SYNTAX SEQUENCE OF IpspIpsecActionEntry 3315 MAX-ACCESS not-accessible 3316 STATUS current 3317 DESCRIPTION 3318 "The ipspIpsecActionTable contains a list of the parameters 3319 used for an IKE phase 2 IPsec DOI negotiation." 3320 ::= { ipspConfigObjects 22 } 3322 ipspIpsecActionEntry OBJECT-TYPE 3323 SYNTAX IpspIpsecActionEntry 3324 MAX-ACCESS not-accessible 3325 STATUS current 3326 DESCRIPTION 3327 "The ipspIpsecActionEntry lists the IPsec negotiation 3328 attributes." 3329 INDEX { ipspIpsecActName } 3330 ::= { ipspIpsecActionTable 1 } 3332 IpspIpsecActionEntry ::= SEQUENCE { 3333 ipspIpsecActName SnmpAdminString, 3334 ipspIpsecActParametersName SnmpAdminString, 3335 ipspIpsecActProposalsName SnmpAdminString, 3336 ipspIpsecActUsePfs TruthValue, 3337 ipspIpsecActVendorId OCTET STRING, 3338 ipspIpsecActGroupId IkeGroupDescription, 3339 ipspIpsecActPeerGatewayIdName OCTET STRING, 3340 ipspIpsecActUseIkeGroup TruthValue, 3341 ipspIpsecActGranularity INTEGER, 3342 ipspIpsecActMode INTEGER, 3343 ipspIpsecActDFHandling INTEGER, 3344 ipspIpsecActDoActionLogging TruthValue, 3345 ipspIpsecActDoPacketLogging IpspIPPacketLogging, 3346 ipspIpsecActLastChanged TimeStamp, 3347 ipspIpsecActStorageType StorageType, 3348 ipspIpsecActRowStatus RowStatus 3349 } 3351 ipspIpsecActName OBJECT-TYPE 3352 SYNTAX SnmpAdminString (SIZE(1..32)) 3353 MAX-ACCESS not-accessible 3354 STATUS current 3355 DESCRIPTION 3356 "ipspIpsecActName is the name of the ipsecAction entry." 3357 ::= { ipspIpsecActionEntry 1 } 3359 ipspIpsecActParametersName OBJECT-TYPE 3360 SYNTAX SnmpAdminString (SIZE(1..32)) 3361 MAX-ACCESS read-create 3362 STATUS current 3363 DESCRIPTION 3364 "This object is used to reference a row in the 3365 ipspSaNegotiationParametersTable where additional parameters 3366 affecting this action may be found." 3367 ::= { ipspIpsecActionEntry 2 } 3369 ipspIpsecActProposalsName OBJECT-TYPE 3370 SYNTAX SnmpAdminString (SIZE(1..32)) 3371 MAX-ACCESS read-create 3372 STATUS current 3373 DESCRIPTION 3374 "This object is used to reference one or more rows in the 3375 ipspIpsecProposalsTable where an ordered list of proposals 3376 affecting this action may be found." 3377 ::= { ipspIpsecActionEntry 3 } 3379 ipspIpsecActUsePfs OBJECT-TYPE 3380 SYNTAX TruthValue 3381 MAX-ACCESS read-create 3382 STATUS current 3383 DESCRIPTION 3384 "This MIB object specifies whether or not perfect forward 3385 secrecy should be used when refreshing keys. 3386 A value of true indicates that PFS should be used." 3387 ::= { ipspIpsecActionEntry 4 } 3389 ipspIpsecActVendorId OBJECT-TYPE 3390 SYNTAX OCTET STRING (SIZE(0..255)) 3391 MAX-ACCESS read-create 3392 STATUS current 3393 DESCRIPTION 3394 "The VendorID property is used to identify vendor-defined key 3395 exchange GroupIDs." 3396 ::= { ipspIpsecActionEntry 5 } 3398 ipspIpsecActGroupId OBJECT-TYPE 3399 SYNTAX IkeGroupDescription 3400 MAX-ACCESS read-create 3401 STATUS current 3402 DESCRIPTION 3403 "This object specifies the Diffie-Hellman group to use for 3404 phase 2 when the object ipspIpsecActUsePfs is true and the 3405 object ipspIpsecActUseIkeGroup is false. If the GroupID 3406 number is from the vendor-specific range (32768-65535), the 3407 VendorID qualifies the group number." 3409 ::= { ipspIpsecActionEntry 6 } 3411 ipspIpsecActPeerGatewayIdName OBJECT-TYPE 3412 SYNTAX OCTET STRING (SIZE(0..116)) 3413 MAX-ACCESS read-create 3414 STATUS current 3415 DESCRIPTION 3416 "This object indicates the peer id name of the peer 3417 gateway. This object can be used to look up the peer id 3418 value, address and other values in the ipspPeerIdentityTable. 3419 This object is used when initiating a tunnel SA. This object 3420 is not used for transport SAs. If no value is set and 3421 ipspIpsecActMode is tunnel, the peer gateway should be 3422 determined from the source or destination address of the 3423 packet." 3424 ::= { ipspIpsecActionEntry 7 } 3426 ipspIpsecActUseIkeGroup OBJECT-TYPE 3427 SYNTAX TruthValue 3428 MAX-ACCESS read-create 3429 STATUS current 3430 DESCRIPTION 3431 "This object specifies whether or not to use the same GroupId 3432 for phase 2 as was used in phase 1. If UsePFS is false, this 3433 entry should be ignored." 3434 ::= { ipspIpsecActionEntry 8 } 3436 ipspIpsecActGranularity OBJECT-TYPE 3437 SYNTAX INTEGER { subnet(1), address(2), protocol(3), 3438 port(4) } 3439 MAX-ACCESS read-create 3440 STATUS current 3441 DESCRIPTION 3442 "This object specifies how the proposed selector for the 3443 security association will be created. The selector is 3444 created by using the FilterList information. The selector 3445 can be subnet, address, porotocol, or port." 3446 ::= { ipspIpsecActionEntry 9 } 3448 ipspIpsecActMode OBJECT-TYPE 3449 SYNTAX INTEGER { tunnel(1), transport(2) } 3450 MAX-ACCESS read-create 3451 STATUS current 3452 DESCRIPTION 3453 "This object specifies the encapsulation of the IPsec SA 3454 to be negotiated." 3455 DEFVAL { tunnel } 3456 ::= { ipspIpsecActionEntry 10 } 3458 ipspIpsecActDFHandling OBJECT-TYPE 3459 SYNTAX INTEGER { copy(1), set(2), clear(3) } 3460 MAX-ACCESS read-create 3461 STATUS current 3462 DESCRIPTION 3463 "This object specifies the processing of DF bit by the 3464 negotiated IPsec tunnel. 3465 1 - DF bit is copied. 3466 2 - DF bit is set. 3467 3 - DF bit is cleared." 3468 DEFVAL { copy } 3469 ::= { ipspIpsecActionEntry 11 } 3471 ipspIpsecActDoActionLogging OBJECT-TYPE 3472 SYNTAX TruthValue 3473 MAX-ACCESS read-create 3474 STATUS current 3475 DESCRIPTION 3476 "ipspIpsecActDoActionLogging specifies whether or not an audit 3477 message should be logged when this ipsec SA is created." 3478 DEFVAL { false } 3479 ::= { ipspIpsecActionEntry 12 } 3481 ipspIpsecActDoPacketLogging OBJECT-TYPE 3482 SYNTAX IpspIPPacketLogging 3483 MAX-ACCESS read-create 3484 STATUS current 3485 DESCRIPTION 3486 "ipspIpsecActDoPacketLogging specifies whether or not an audit 3487 message should be logged and if there is logging, how many 3488 bytes of the packet to place in the notification." 3489 DEFVAL { -1 } 3490 ::= { ipspIpsecActionEntry 13 } 3492 ipspIpsecActLastChanged OBJECT-TYPE 3493 SYNTAX TimeStamp 3494 MAX-ACCESS read-only 3495 STATUS current 3496 DESCRIPTION 3497 "The value of sysUpTime when this row was last modified or 3498 created either through SNMP SETs or by some other external 3499 means." 3500 ::= { ipspIpsecActionEntry 14 } 3502 ipspIpsecActStorageType OBJECT-TYPE 3503 SYNTAX StorageType 3504 MAX-ACCESS read-create 3505 STATUS current 3506 DESCRIPTION 3507 "The storage type for this row. Rows in this table which were 3508 created through an external process may have a storage type 3509 of readOnly or permanent." 3510 DEFVAL { nonVolatile } 3511 ::= { ipspIpsecActionEntry 15 } 3513 ipspIpsecActRowStatus OBJECT-TYPE 3514 SYNTAX RowStatus 3515 MAX-ACCESS read-create 3516 STATUS current 3517 DESCRIPTION 3518 "This object indicates the conceptual status of this row. 3520 The value of this object has no effect on whether other 3521 objects in this conceptual row can be modified. 3523 If active, this object must remain active if it is referenced 3524 by a row in another table." 3525 ::= { ipspIpsecActionEntry 16 } 3527 -- 3528 -- ipspIpsecProposalsTable 3529 -- 3531 ipspIpsecProposalsTable OBJECT-TYPE 3532 SYNTAX SEQUENCE OF IpspIpsecProposalsEntry 3533 MAX-ACCESS not-accessible 3534 STATUS current 3535 DESCRIPTION 3536 "This table lists one or more IPsec proposals for 3537 IPsec actions." 3538 ::= { ipspConfigObjects 23 } 3540 ipspIpsecProposalsEntry OBJECT-TYPE 3541 SYNTAX IpspIpsecProposalsEntry 3542 MAX-ACCESS not-accessible 3543 STATUS current 3544 DESCRIPTION 3545 "An entry containing (possibly a portion of) a proposal." 3546 INDEX { ipspIpsecPropName, ipspIpsecPropPriority, 3547 ipspIpsecPropProtocolId } 3548 ::= { ipspIpsecProposalsTable 1 } 3550 IpspIpsecProposalsEntry ::= SEQUENCE { 3551 ipspIpsecPropName SnmpAdminString, 3552 ipspIpsecPropPriority Integer32, 3553 ipspIpsecPropProtocolId IpsecDoiSecProtocolId, 3554 ipspIpsecPropTransformsName SnmpAdminString, 3555 ipspIpsecPropLastChanged TimeStamp, 3556 ipspIpsecPropStorageType StorageType, 3557 ipspIpsecPropRowStatus RowStatus 3558 } 3560 ipspIpsecPropName OBJECT-TYPE 3561 SYNTAX SnmpAdminString (SIZE(1..32)) 3562 MAX-ACCESS not-accessible 3563 STATUS current 3564 DESCRIPTION 3565 "The name of this proposal." 3566 ::= { ipspIpsecProposalsEntry 1 } 3568 ipspIpsecPropPriority OBJECT-TYPE 3569 SYNTAX Integer32 (0..65535) 3570 MAX-ACCESS not-accessible 3571 STATUS current 3572 DESCRIPTION 3573 "The priority level (AKA sequence level) of this proposal. 3574 A lower number indicates a higher precedence." 3575 ::= { ipspIpsecProposalsEntry 2 } 3577 ipspIpsecPropProtocolId OBJECT-TYPE 3578 SYNTAX IpsecDoiSecProtocolId 3579 MAX-ACCESS not-accessible 3580 STATUS current 3581 DESCRIPTION 3582 "The protocol Id for the transforms for this proposal. The 3583 protoIsakmp(1) value is not valid for this object. 3584 This object, along with the ipspIpsecPropTransformsName, 3585 is the index into the ipspIpsecTransformsTable." 3586 ::= { ipspIpsecProposalsEntry 3 } 3588 ipspIpsecPropTransformsName OBJECT-TYPE 3589 SYNTAX SnmpAdminString (SIZE(1..32)) 3590 MAX-ACCESS read-create 3591 STATUS current 3592 DESCRIPTION 3593 "The name of the transform or group of transforms for this 3594 protocol. This object, along with the 3595 ipspIpsecPropProtocolId, is the index into the 3596 ipspIpsecTransformsTable." 3597 ::= { ipspIpsecProposalsEntry 4 } 3599 ipspIpsecPropLastChanged OBJECT-TYPE 3600 SYNTAX TimeStamp 3601 MAX-ACCESS read-only 3602 STATUS current 3603 DESCRIPTION 3604 "The value of sysUpTime when this row was last modified or 3605 created either through SNMP SETs or by some other external 3606 means." 3607 ::= { ipspIpsecProposalsEntry 5 } 3609 ipspIpsecPropStorageType OBJECT-TYPE 3610 SYNTAX StorageType 3611 MAX-ACCESS read-create 3612 STATUS current 3613 DESCRIPTION 3614 "The storage type for this row. Rows in this table which were 3615 created through an external process may have a storage type 3616 of readOnly or permanent." 3617 DEFVAL { nonVolatile } 3618 ::= { ipspIpsecProposalsEntry 6 } 3620 ipspIpsecPropRowStatus OBJECT-TYPE 3621 SYNTAX RowStatus 3622 MAX-ACCESS read-create 3623 STATUS current 3624 DESCRIPTION 3625 "This object indicates the conceptual status of this row. 3627 The value of this object has no effect on whether other 3628 objects in this conceptual row can be modified. 3630 This row may not be set to active until the corresponding row 3631 in the ipspIpsecTransformsTable exists and is active." 3632 ::= { ipspIpsecProposalsEntry 7 } 3634 -- 3635 -- ipspIpsecTransformsTable 3636 -- 3638 ipspIpsecTransformsTable OBJECT-TYPE 3639 SYNTAX SEQUENCE OF IpspIpsecTransformsEntry 3640 MAX-ACCESS not-accessible 3641 STATUS current 3642 DESCRIPTION 3643 "This table lists the IPsec proposals contained within a given 3644 IPsec action and the transforms within each of those 3645 proposals. These proposals and transforms can then be used 3646 to create phase 2 negotiation proposals." 3647 ::= { ipspConfigObjects 24 } 3649 ipspIpsecTransformsEntry OBJECT-TYPE 3650 SYNTAX IpspIpsecTransformsEntry 3651 MAX-ACCESS not-accessible 3652 STATUS current 3653 DESCRIPTION 3654 "An entry containing the information on an IPsec transform." 3655 INDEX { ipspIpsecTranType, ipspIpsecTranName, 3656 ipspIpsecTranPriority } 3657 ::= { ipspIpsecTransformsTable 1 } 3659 IpspIpsecTransformsEntry ::= SEQUENCE { 3660 ipspIpsecTranType IpsecDoiSecProtocolId, 3661 ipspIpsecTranName SnmpAdminString, 3662 ipspIpsecTranPriority Integer32, 3663 ipspIpsecTranTransformName SnmpAdminString, 3664 ipspIpsecTranLastChanged TimeStamp, 3665 ipspIpsecTranStorageType StorageType, 3666 ipspIpsecTranRowStatus RowStatus 3667 } 3669 ipspIpsecTranType OBJECT-TYPE 3670 SYNTAX IpsecDoiSecProtocolId 3671 MAX-ACCESS not-accessible 3672 STATUS current 3673 DESCRIPTION 3674 "The protocol type for this transform. The protoIsakmp(1) 3675 value is not valid for this object." 3676 ::= { ipspIpsecTransformsEntry 1 } 3678 ipspIpsecTranName OBJECT-TYPE 3679 SYNTAX SnmpAdminString (SIZE(1..32)) 3680 MAX-ACCESS not-accessible 3681 STATUS current 3682 DESCRIPTION 3683 "The name for this transform or group of transforms." 3684 ::= { ipspIpsecTransformsEntry 2 } 3686 ipspIpsecTranPriority OBJECT-TYPE 3687 SYNTAX Integer32 (0..65535) 3688 MAX-ACCESS not-accessible 3689 STATUS current 3690 DESCRIPTION 3691 "The priority level (AKA sequence level) of the this transform 3692 within the group of transforms. This indicates the 3693 preference for which algorithms are requested when the list 3694 of transforms are sent to the remote host. A lower number 3695 indicates a higher precedence." 3696 ::= { ipspIpsecTransformsEntry 3 } 3698 ipspIpsecTranTransformName OBJECT-TYPE 3699 SYNTAX SnmpAdminString (SIZE(1..32)) 3700 MAX-ACCESS read-create 3701 STATUS current 3702 DESCRIPTION 3703 "The name for the given transform. Depending on the value of 3704 ipspIpsecTranType, this value should be used to lookup the 3705 transform's specific parameters in the ipspAhTransformTable, 3706 the ipspEspTransformTable or the ipspIpcompTransformTable." 3707 ::= { ipspIpsecTransformsEntry 4 } 3709 ipspIpsecTranLastChanged OBJECT-TYPE 3710 SYNTAX TimeStamp 3711 MAX-ACCESS read-only 3712 STATUS current 3713 DESCRIPTION 3714 "The value of sysUpTime when this row was last modified or 3715 created either through SNMP SETs or by some other external 3716 means." 3717 ::= { ipspIpsecTransformsEntry 5 } 3719 ipspIpsecTranStorageType OBJECT-TYPE 3720 SYNTAX StorageType 3721 MAX-ACCESS read-create 3722 STATUS current 3723 DESCRIPTION 3724 "The storage type for this row. Rows in this table which were 3725 created through an external process may have a storage type 3726 of readOnly or permanent." 3727 DEFVAL { nonVolatile } 3728 ::= { ipspIpsecTransformsEntry 6 } 3730 ipspIpsecTranRowStatus OBJECT-TYPE 3731 SYNTAX RowStatus 3732 MAX-ACCESS read-create 3733 STATUS current 3734 DESCRIPTION 3735 "This object indicates the conceptual status of this row. 3737 The value of this object has no effect on whether other 3738 objects in this conceptual row can be modified. 3740 This row may not be set to active until the corresponding row 3741 in the ipspAhTransformTable, ipspEspTransformTable or the 3742 ipspIpcompTransformTable exists." 3743 ::= { ipspIpsecTransformsEntry 7 } 3745 -- 3746 -- AH transform definition table 3747 -- 3749 ipspAhTransformTable OBJECT-TYPE 3750 SYNTAX SEQUENCE OF IpspAhTransformEntry 3751 MAX-ACCESS not-accessible 3752 STATUS current 3753 DESCRIPTION 3754 "This table lists all the AH transforms which can be used to 3755 build IPsec proposals." 3756 ::= { ipspConfigObjects 25 } 3758 ipspAhTransformEntry OBJECT-TYPE 3759 SYNTAX IpspAhTransformEntry 3760 MAX-ACCESS not-accessible 3761 STATUS current 3762 DESCRIPTION 3763 "This entry contains the attributes of one AH transform." 3764 INDEX { ipspAhTranName } 3765 ::= { ipspAhTransformTable 1 } 3767 IpspAhTransformEntry ::= SEQUENCE { 3768 ipspAhTranName SnmpAdminString, 3769 ipspAhTranMaxLifetimeSec Unsigned32, 3770 ipspAhTranMaxLifetimeKB Unsigned32, 3771 ipspAhTranAlgorithm IpsecDoiAuthAlgorithm, 3772 ipspAhTranReplayProtection TruthValue, 3773 ipspAhTranReplayWindowSize Unsigned32, 3774 ipspAhTranLastChanged TimeStamp, 3775 ipspAhTranStorageType StorageType, 3776 ipspAhTranRowStatus RowStatus 3777 } 3779 ipspAhTranName OBJECT-TYPE 3780 SYNTAX SnmpAdminString (SIZE(1..32)) 3781 MAX-ACCESS not-accessible 3782 STATUS current 3783 DESCRIPTION 3784 "This object contains the name of this AH transform. This row 3785 will be referred to by an ipspIpsecTransformsEntry." 3786 ::= { ipspAhTransformEntry 1 } 3788 ipspAhTranMaxLifetimeSec OBJECT-TYPE 3789 SYNTAX Unsigned32 3790 MAX-ACCESS read-create 3791 STATUS current 3792 DESCRIPTION 3793 "ipspAhTranMaxLifetimeSec specifies how long in seconds the 3794 security association derived from this transform should be 3795 used. 3797 A value of 0 indicates that the default lifetime of 3798 8 hours should be used." 3799 ::= { ipspAhTransformEntry 2 } 3801 ipspAhTranMaxLifetimeKB OBJECT-TYPE 3802 SYNTAX Unsigned32 3803 MAX-ACCESS read-create 3804 STATUS current 3805 DESCRIPTION 3806 "ipspAhTranMaxLifetimeKB specifies how long in kilobytes the 3807 security association derived from this transform should be 3808 used." 3809 ::= { ipspAhTransformEntry 3 } 3811 ipspAhTranAlgorithm OBJECT-TYPE 3812 SYNTAX IpsecDoiAuthAlgorithm 3813 MAX-ACCESS read-create 3814 STATUS current 3815 DESCRIPTION 3816 "This object specifies the AH algorithm for this transform." 3817 ::= { ipspAhTransformEntry 4 } 3819 ipspAhTranReplayProtection OBJECT-TYPE 3820 SYNTAX TruthValue 3821 MAX-ACCESS read-create 3822 STATUS current 3823 DESCRIPTION 3824 "ipspAhTranReplayProtection indicates whether or not anti replay 3825 service is to be provided by this SA." 3826 ::= { ipspAhTransformEntry 5 } 3828 ipspAhTranReplayWindowSize OBJECT-TYPE 3829 SYNTAX Unsigned32 3830 MAX-ACCESS read-create 3831 STATUS current 3832 DESCRIPTION 3833 "ipspAhTranReplayWindowSize indicates the size, in bits, of 3834 the replay window to use if replay protection is true for 3835 this transform. The window size is assumed to be a power of 3836 two. If Replay Protection is false, this value can be 3837 ignored." 3838 ::= { ipspAhTransformEntry 6 } 3840 ipspAhTranLastChanged OBJECT-TYPE 3841 SYNTAX TimeStamp 3842 MAX-ACCESS read-only 3843 STATUS current 3844 DESCRIPTION 3845 "The value of sysUpTime when this row was last modified or 3846 created either through SNMP SETs or by some other external 3847 means." 3848 ::= { ipspAhTransformEntry 7 } 3850 ipspAhTranStorageType OBJECT-TYPE 3851 SYNTAX StorageType 3852 MAX-ACCESS read-create 3853 STATUS current 3854 DESCRIPTION 3855 "The storage type for this row. Rows in this table which were 3856 created through an external process may have a storage type 3857 of readOnly or permanent." 3858 DEFVAL { nonVolatile } 3859 ::= { ipspAhTransformEntry 8 } 3861 ipspAhTranRowStatus OBJECT-TYPE 3862 SYNTAX RowStatus 3863 MAX-ACCESS read-create 3864 STATUS current 3865 DESCRIPTION 3866 "This object indicates the conceptual status of this row. 3868 The value of this object has no effect on whether other 3869 objects in this conceptual row can be modified. 3871 If active, this object must remain active if it is referenced 3872 by a row in another table." 3873 ::= { ipspAhTransformEntry 9 } 3875 -- 3876 -- ESP transform definition table 3877 -- 3879 ipspEspTransformTable OBJECT-TYPE 3880 SYNTAX SEQUENCE OF IpspEspTransformEntry 3881 MAX-ACCESS not-accessible 3882 STATUS current 3883 DESCRIPTION 3884 "This table lists all the ESP transforms which can be used to 3885 build IPsec proposals" 3887 ::= { ipspConfigObjects 26 } 3889 ipspEspTransformEntry OBJECT-TYPE 3890 SYNTAX IpspEspTransformEntry 3891 MAX-ACCESS not-accessible 3892 STATUS current 3893 DESCRIPTION 3894 "This entry contains the attributes of one ESP transform." 3895 INDEX { ipspEspTranName } 3896 ::= { ipspEspTransformTable 1 } 3898 IpspEspTransformEntry ::= SEQUENCE { 3899 ipspEspTranName SnmpAdminString, 3900 ipspEspTranMaxLifetimeSec Unsigned32, 3901 ipspEspTranMaxLifetimeKB Unsigned32, 3902 ipspEspTranCipherTransformId IpsecDoiEspTransform, 3903 ipspEspTranCipherKeyLength Unsigned32, 3904 ipspEspTranCipherKeyRounds Unsigned32, 3905 ipspEspTranIntegrityAlgorithmId IpsecDoiAuthAlgorithm, 3906 ipspEspTranReplayPrevention TruthValue, 3907 ipspEspTranReplayWindowSize Unsigned32, 3908 ipspEspTranLastChanged TimeStamp, 3909 ipspEspTranStorageType StorageType, 3910 ipspEspTranRowStatus RowStatus 3911 } 3913 ipspEspTranName OBJECT-TYPE 3914 SYNTAX SnmpAdminString (SIZE(1..32)) 3915 MAX-ACCESS not-accessible 3916 STATUS current 3917 DESCRIPTION 3918 "The name of this particular espTransform be referred to by an 3919 ipspIpsecTransformsEntry." 3920 ::= { ipspEspTransformEntry 1 } 3922 ipspEspTranMaxLifetimeSec OBJECT-TYPE 3923 SYNTAX Unsigned32 3924 MAX-ACCESS read-create 3925 STATUS current 3926 DESCRIPTION 3927 "ipspEspTranMaxLifetimeSec specifies how long in seconds the 3928 security association derived from this transform should be 3929 used. 3931 A value of 0 indicates that the default lifetime of 3932 8 hours should be used." 3933 ::= { ipspEspTransformEntry 2 } 3935 ipspEspTranMaxLifetimeKB OBJECT-TYPE 3936 SYNTAX Unsigned32 3937 MAX-ACCESS read-create 3938 STATUS current 3939 DESCRIPTION 3940 "ipspEspTranMaxLifetimeKB specifies how long in kilobytes the 3941 security association derived from this transform should be 3942 used." 3943 ::= { ipspEspTransformEntry 3 } 3945 ipspEspTranCipherTransformId OBJECT-TYPE 3946 SYNTAX IpsecDoiEspTransform 3947 MAX-ACCESS read-create 3948 STATUS current 3949 DESCRIPTION 3950 "This object specifies the transform ID of the ESP cipher 3951 algorithm." 3952 ::= { ipspEspTransformEntry 4 } 3954 ipspEspTranCipherKeyLength OBJECT-TYPE 3955 SYNTAX Unsigned32 3956 MAX-ACCESS read-create 3957 STATUS current 3958 DESCRIPTION 3959 "This object specifies, in bits, the key length for 3960 the ESP cipher algorithm." 3961 ::= { ipspEspTransformEntry 5 } 3963 ipspEspTranCipherKeyRounds OBJECT-TYPE 3964 SYNTAX Unsigned32 3965 MAX-ACCESS read-create 3966 STATUS current 3967 DESCRIPTION 3968 "This object specifies the number of key rounds for 3969 the ESP cipher algorithm." 3970 ::= { ipspEspTransformEntry 6 } 3972 ipspEspTranIntegrityAlgorithmId OBJECT-TYPE 3973 SYNTAX IpsecDoiAuthAlgorithm 3974 MAX-ACCESS read-create 3975 STATUS current 3976 DESCRIPTION 3977 "This object specifies the ESP integrity algorithm ID." 3978 ::= { ipspEspTransformEntry 7 } 3980 ipspEspTranReplayPrevention OBJECT-TYPE 3981 SYNTAX TruthValue 3982 MAX-ACCESS read-create 3983 STATUS current 3984 DESCRIPTION 3985 "ipspEspTranReplayPrevention indicates whether or not 3986 anti-replay service is to be provided by this SA." 3987 ::= { ipspEspTransformEntry 8 } 3989 ipspEspTranReplayWindowSize OBJECT-TYPE 3990 SYNTAX Unsigned32 3991 MAX-ACCESS read-create 3992 STATUS current 3993 DESCRIPTION 3994 "ipspEspTranReplayWindowSize indicates the size, in bits, of 3995 the replay window to use if replay protection is true for 3996 this transform. The window size is assumed to be a power of 3997 two. If Replay Protection is false, this value can be 3998 ignored." 3999 ::= { ipspEspTransformEntry 9 } 4001 ipspEspTranLastChanged OBJECT-TYPE 4002 SYNTAX TimeStamp 4003 MAX-ACCESS read-only 4004 STATUS current 4005 DESCRIPTION 4006 "The value of sysUpTime when this row was last modified or 4007 created either through SNMP SETs or by some other external 4008 means." 4009 ::= { ipspEspTransformEntry 10 } 4011 ipspEspTranStorageType OBJECT-TYPE 4012 SYNTAX StorageType 4013 MAX-ACCESS read-create 4014 STATUS current 4015 DESCRIPTION 4016 "The storage type for this row. Rows in this table which were 4017 created through an external process may have a storage type 4018 of readOnly or permanent." 4019 DEFVAL { nonVolatile } 4020 ::= { ipspEspTransformEntry 11 } 4022 ipspEspTranRowStatus OBJECT-TYPE 4023 SYNTAX RowStatus 4024 MAX-ACCESS read-create 4025 STATUS current 4026 DESCRIPTION 4027 "This object indicates the conceptual status of this row. 4029 The value of this object has no effect on whether other 4030 objects in this conceptual row can be modified. 4032 If active, this object must remain active if it is referenced 4033 by a row in another table." 4034 ::= { ipspEspTransformEntry 12 } 4036 -- 4037 -- IP compression transform definition table 4038 -- 4040 ipspIpcompTransformTable OBJECT-TYPE 4041 SYNTAX SEQUENCE OF IpspIpcompTransformEntry 4042 MAX-ACCESS not-accessible 4043 STATUS current 4044 DESCRIPTION 4045 "This table lists all the IP compression transforms which 4046 can be used to build IPsec proposals during negotiation of 4047 a phase 2 SA." 4048 ::= { ipspConfigObjects 27 } 4050 ipspIpcompTransformEntry OBJECT-TYPE 4051 SYNTAX IpspIpcompTransformEntry 4052 MAX-ACCESS not-accessible 4053 STATUS current 4054 DESCRIPTION 4055 "This entry contains the attributes of one IP compression 4056 transform." 4057 INDEX { ipspIpcompTranName } 4058 ::= { ipspIpcompTransformTable 1 } 4060 IpspIpcompTransformEntry ::= SEQUENCE { 4061 ipspIpcompTranName SnmpAdminString, 4062 ipspIpcompTranMaxLifetimeSec Unsigned32, 4063 ipspIpcompTranMaxLifetimeKB Unsigned32, 4064 ipspIpcompTranAlgorithm IpsecDoiIpcompTransform, 4065 ipspIpcompTranDictionarySize Unsigned32, 4066 ipspIpcompTranPrivateAlgorithm Unsigned32, 4067 ipspIpcompTranLastChanged TimeStamp, 4068 ipspIpcompTranStorageType StorageType, 4069 ipspIpcompTranRowStatus RowStatus 4070 } 4072 ipspIpcompTranName OBJECT-TYPE 4073 SYNTAX SnmpAdminString (SIZE(1..32)) 4074 MAX-ACCESS not-accessible 4075 STATUS current 4076 DESCRIPTION 4077 "The name of this ipspIpcompTransformEntry." 4078 ::= { ipspIpcompTransformEntry 1 } 4080 ipspIpcompTranMaxLifetimeSec OBJECT-TYPE 4081 SYNTAX Unsigned32 4082 MAX-ACCESS read-create 4083 STATUS current 4084 DESCRIPTION 4085 "ipspIpcompTranMaxLifetimeSec specifies how long in seconds 4086 the security association derived from this transform should 4087 be used. 4089 A value of 0 indicates that the default lifetime of 4090 8 hours should be used." 4091 ::= { ipspIpcompTransformEntry 2 } 4093 ipspIpcompTranMaxLifetimeKB OBJECT-TYPE 4094 SYNTAX Unsigned32 4095 MAX-ACCESS read-create 4096 STATUS current 4097 DESCRIPTION 4098 "ipspIpcompTranMaxLifetimeKB specifies how long in kilobytes 4099 the security association derived from this transform should 4100 be used." 4101 ::= { ipspIpcompTransformEntry 3 } 4103 ipspIpcompTranAlgorithm OBJECT-TYPE 4104 SYNTAX IpsecDoiIpcompTransform 4105 MAX-ACCESS read-create 4106 STATUS current 4107 DESCRIPTION 4108 "ipspIpcompTranAlgorithm specifies the transform ID of the IP 4109 compression algorithm." 4110 ::= { ipspIpcompTransformEntry 4 } 4112 ipspIpcompTranDictionarySize OBJECT-TYPE 4113 SYNTAX Unsigned32 4114 MAX-ACCESS read-create 4115 STATUS current 4116 DESCRIPTION 4117 "If the algorithm in ipspIpcompTranAlgorithm requires a 4118 dictionary size configuration parameter, then this is the 4119 place to put it. This object specifies the log2 maximum size 4120 of the dictionary for the compression algorithm." 4121 ::= { ipspIpcompTransformEntry 5 } 4123 ipspIpcompTranPrivateAlgorithm OBJECT-TYPE 4124 SYNTAX Unsigned32 4125 MAX-ACCESS read-create 4126 STATUS current 4127 DESCRIPTION 4128 "If ipspIpcompTranPrivateAlgorithm has a value other zero, 4129 then it is up to the vendors implementation to determine the 4130 meaning of this field and substitute a data compression 4131 algorithm in place of ipspIpcompTranAlgorithm." 4132 ::= { ipspIpcompTransformEntry 6 } 4134 ipspIpcompTranLastChanged OBJECT-TYPE 4135 SYNTAX TimeStamp 4136 MAX-ACCESS read-only 4137 STATUS current 4138 DESCRIPTION 4139 "The value of sysUpTime when this row was last modified or 4140 created either through SNMP SETs or by some other external 4141 means." 4142 ::= { ipspIpcompTransformEntry 7 } 4144 ipspIpcompTranStorageType OBJECT-TYPE 4145 SYNTAX StorageType 4146 MAX-ACCESS read-create 4147 STATUS current 4148 DESCRIPTION 4149 "The storage type for this row. Rows in this table which were 4150 created through an external process may have a storage type 4151 of readOnly or permanent." 4152 DEFVAL { nonVolatile } 4153 ::= { ipspIpcompTransformEntry 8 } 4155 ipspIpcompTranRowStatus OBJECT-TYPE 4156 SYNTAX RowStatus 4157 MAX-ACCESS read-create 4158 STATUS current 4159 DESCRIPTION 4160 "This object indicates the conceptual status of this row. 4162 The value of this object has no effect on whether other 4163 objects in this conceptual row can be modified. 4165 If active, this object must remain active if it is referenced 4166 by a row in another table." 4167 ::= { ipspIpcompTransformEntry 9 } 4169 -- 4170 -- IKE identity definition table 4171 -- 4173 ipspIkeIdentityTable OBJECT-TYPE 4174 SYNTAX SEQUENCE OF IpspIkeIdentityEntry 4175 MAX-ACCESS not-accessible 4176 STATUS current 4177 DESCRIPTION 4178 "IKEIdentity is used to represent the identities that may be 4179 used for an IPProtocolEndpoint (or collection of 4180 IPProtocolEndpoints) to identify itself in IKE phase 1 4181 negotiations. The column ikeIdentityName in an 4182 ipspIkeActionEntry together with the ipspEndGroupIdentType 4183 and the ipspEndGroupAddress in the PolicyEndpointToGroupTable 4184 specifies the unique identity to use in a negotiation 4185 exchange." 4186 ::= { ipspConfigObjects 28 } 4188 ipspIkeIdentityEntry OBJECT-TYPE 4189 SYNTAX IpspIkeIdentityEntry 4190 MAX-ACCESS not-accessible 4191 STATUS current 4192 DESCRIPTION 4193 "ikeIdentity lists the attributes of an IKE identity." 4194 INDEX { ipspEndGroupIdentType, ipspEndGroupAddress, 4195 ipspIkeActIdentityType, ipspIkeActIdentityContext } 4196 ::= { ipspIkeIdentityTable 1 } 4198 IpspIkeIdentityEntry ::= SEQUENCE { 4199 ipspIkeIdCredentialName SnmpAdminString, 4200 ipspIkeIdLastChanged TimeStamp, 4201 ipspIkeIdStorageType StorageType, 4202 ipspIkeIdRowStatus RowStatus 4203 } 4205 ipspIkeIdCredentialName OBJECT-TYPE 4206 SYNTAX SnmpAdminString (SIZE(0..32)) 4207 MAX-ACCESS read-create 4208 STATUS current 4209 DESCRIPTION 4210 "This value is used as an index into the ipspCredentialTable to 4211 look up the actual credential value and other credential 4212 information. 4214 For ID's without associated credential information, this 4215 value is left blank. 4217 For ID's that are address types, this value may be left blank 4218 and the associated IPProtocolEndpoint or appropriate member 4219 of the Collection of endpoints is used." 4220 ::= { ipspIkeIdentityEntry 1 } 4222 ipspIkeIdLastChanged OBJECT-TYPE 4223 SYNTAX TimeStamp 4224 MAX-ACCESS read-only 4225 STATUS current 4226 DESCRIPTION 4227 "The value of sysUpTime when this row was last modified or 4228 created either through SNMP SETs or by some other external 4229 means." 4230 ::= { ipspIkeIdentityEntry 2 } 4232 ipspIkeIdStorageType OBJECT-TYPE 4233 SYNTAX StorageType 4234 MAX-ACCESS read-create 4235 STATUS current 4236 DESCRIPTION 4237 "The storage type for this row. Rows in this table which were 4238 created through an external process may have a storage type 4239 of readOnly or permanent." 4240 DEFVAL { nonVolatile } 4241 ::= { ipspIkeIdentityEntry 3 } 4243 ipspIkeIdRowStatus OBJECT-TYPE 4244 SYNTAX RowStatus 4245 MAX-ACCESS read-create 4246 STATUS current 4247 DESCRIPTION 4248 "This object indicates the conceptual status of this row. 4250 The value of this object has no effect on whether other 4251 objects in this conceptual row can be modified. 4253 If active, this object must remain active if it is referenced 4254 by a row in another table." 4255 ::= { ipspIkeIdentityEntry 4 } 4257 -- 4258 -- Peer Identity Table 4259 -- 4261 ipspPeerIdentityTable OBJECT-TYPE 4262 SYNTAX SEQUENCE OF IpspPeerIdentityEntry 4263 MAX-ACCESS not-accessible 4264 STATUS current 4265 DESCRIPTION 4266 "PeerIdentity is used to represent the identities that may be 4267 used for peers to identify themselves in IKE phase I/II 4268 negotiations. PeerIdentityTable aggregates the table entries 4269 that provide mappings between identities and their 4270 addresses." 4271 ::= { ipspConfigObjects 29 } 4273 ipspPeerIdentityEntry OBJECT-TYPE 4274 SYNTAX IpspPeerIdentityEntry 4275 MAX-ACCESS not-accessible 4276 STATUS current 4277 DESCRIPTION 4278 "peerIdentity matches a peer's identity to its address." 4279 INDEX { ipspPeerIdName, ipspPeerIdPriority } 4280 ::= { ipspPeerIdentityTable 1 } 4282 IpspPeerIdentityEntry ::= SEQUENCE { 4283 ipspPeerIdName SnmpAdminString, 4284 ipspPeerIdPriority Integer32, 4285 ipspPeerIdType IpsecDoiIdentType, 4286 ipspPeerIdValue IpspIdentityFilter, 4287 ipspPeerIdAddressType InetAddressType, 4288 ipspPeerIdAddress InetAddress, 4289 ipspPeerIdCredentialName SnmpAdminString, 4290 ipspPeerIdLastChanged TimeStamp, 4291 ipspPeerIdStorageType StorageType, 4292 ipspPeerIdRowStatus RowStatus 4293 } 4295 ipspPeerIdName OBJECT-TYPE 4296 SYNTAX SnmpAdminString (SIZE(1..32)) 4297 MAX-ACCESS not-accessible 4298 STATUS current 4299 DESCRIPTION 4300 "This is an administratively assigned value that, together 4301 with ipspPeerIdPriority, uniquely identifies an entry in this 4302 table." 4303 ::= { ipspPeerIdentityEntry 1 } 4305 ipspPeerIdPriority OBJECT-TYPE 4306 SYNTAX Integer32 (0..2147483647) 4307 MAX-ACCESS not-accessible 4308 STATUS current 4309 DESCRIPTION 4310 "This object, along with ipspPeerIdName, uniquely identifies an 4311 entry in this table. The priority also indicates the order 4312 of peer gateways to initiate or accept SAs from (i.e. try 4313 until success)." 4314 ::= { ipspPeerIdentityEntry 2 } 4316 ipspPeerIdType OBJECT-TYPE 4317 SYNTAX IpsecDoiIdentType 4318 MAX-ACCESS read-create 4319 STATUS current 4320 DESCRIPTION 4321 "ipspPeerIdType is an enumeration identifying the type of the 4322 Identity value." 4323 ::= { ipspPeerIdentityEntry 3 } 4325 ipspPeerIdValue OBJECT-TYPE 4326 SYNTAX IpspIdentityFilter 4327 MAX-ACCESS read-create 4328 STATUS current 4329 DESCRIPTION 4330 "ipspPeerIdValue contains an Identity filter to be used to match 4331 against the identity payload in an IKE request. If this value 4332 matches the value in the identity payload, the credential for 4333 the peer can be found using the ipspPeerIdCredentialName as 4334 an index into the credential table." 4335 ::= { ipspPeerIdentityEntry 4 } 4337 ipspPeerIdAddressType OBJECT-TYPE 4338 SYNTAX InetAddressType 4339 MAX-ACCESS read-create 4340 STATUS current 4341 DESCRIPTION 4342 "The property ipspPeerIdAddressType specifies the format of the 4343 ipspPeerIdAddress property value." 4344 ::= { ipspPeerIdentityEntry 5 } 4346 ipspPeerIdAddress OBJECT-TYPE 4347 SYNTAX InetAddress 4348 MAX-ACCESS read-create 4349 STATUS current 4350 DESCRIPTION 4351 "The property PeerAddress specifies the IP address of the 4352 peer. The format is specified by the ipspPeerIdAddressType. 4354 Values of unknown, ipv4z, ipv6z and dns are not legal values 4355 for this object." 4356 ::= { ipspPeerIdentityEntry 6 } 4358 ipspPeerIdCredentialName OBJECT-TYPE 4359 SYNTAX SnmpAdminString (SIZE(0..32)) 4360 MAX-ACCESS read-create 4361 STATUS current 4362 DESCRIPTION 4363 "This value is used as an index into the ipspCredentialTable to 4364 look up the actual credential value and other credential 4365 information. For peer IDs that have no associated credential 4366 information, this value is left blank." 4367 ::= { ipspPeerIdentityEntry 7 } 4369 ipspPeerIdLastChanged OBJECT-TYPE 4370 SYNTAX TimeStamp 4371 MAX-ACCESS read-only 4372 STATUS current 4373 DESCRIPTION 4374 "The value of sysUpTime when this row was last modified or 4375 created either through SNMP SETs or by some other external 4376 means." 4377 ::= { ipspPeerIdentityEntry 8 } 4379 ipspPeerIdStorageType OBJECT-TYPE 4380 SYNTAX StorageType 4381 MAX-ACCESS read-create 4382 STATUS current 4383 DESCRIPTION 4384 "The storage type for this row. Rows in this table which were 4385 created through an external process may have a storage type 4386 of readOnly or permanent." 4387 DEFVAL { nonVolatile } 4388 ::= { ipspPeerIdentityEntry 9 } 4390 ipspPeerIdRowStatus OBJECT-TYPE 4391 SYNTAX RowStatus 4392 MAX-ACCESS read-create 4393 STATUS current 4394 DESCRIPTION 4395 "This object indicates the conceptual status of this row. 4397 The value of this object has no effect on whether other 4398 objects in this conceptual row can be modified. 4400 If active, this object must remain active if it is referenced 4401 by a row in another table." 4402 ::= { ipspPeerIdentityEntry 10 } 4404 -- 4405 -- autostart IKE Table 4406 -- 4407 ipspAutostartIkeTable OBJECT-TYPE 4408 SYNTAX SEQUENCE OF IpspAutostartIkeEntry 4409 MAX-ACCESS not-accessible 4410 STATUS current 4411 DESCRIPTION 4412 "The parameters in the autostart IKE Table are used to 4413 automatically initiate IKE phaes I and II (i.e. IPsec) 4414 negotiations on startup. It also will initiate IKE phase I 4415 and II negotiations for a row at the time of that row's 4416 creation" 4417 ::= { ipspConfigObjects 30 } 4419 ipspAutostartIkeEntry OBJECT-TYPE 4420 SYNTAX IpspAutostartIkeEntry 4421 MAX-ACCESS not-accessible 4422 STATUS current 4423 DESCRIPTION 4424 "autostart ike provides the set of parameters to automatically 4425 start IKE and IPsec SA's." 4426 INDEX { ipspAutoIkePriority } 4427 ::= { ipspAutostartIkeTable 1 } 4429 IpspAutostartIkeEntry ::= SEQUENCE { 4430 ipspAutoIkePriority Integer32, 4431 ipspAutoIkeAction VariablePointer, 4432 ipspAutoIkeAddressType InetAddressType, 4433 ipspAutoIkeSourceAddress InetAddress, 4434 ipspAutoIkeSourcePort InetPortNumber, 4435 ipspAutoIkeDestAddress InetAddress, 4436 ipspAutoIkeDestPort InetPortNumber, 4437 ipspAutoIkeProtocol Unsigned32, 4438 ipspAutoIkeLastChanged TimeStamp, 4439 ipspAutoIkeStorageType StorageType, 4440 ipspAutoIkeRowStatus RowStatus 4441 } 4443 ipspAutoIkePriority OBJECT-TYPE 4444 SYNTAX Integer32 (0..65535) 4445 MAX-ACCESS not-accessible 4446 STATUS current 4447 DESCRIPTION 4448 "ipspAutoIkePriority is an index into the autostartIkeAction 4449 table and can be used to order the autostart IKE actions." 4450 ::= { ipspAutostartIkeEntry 1 } 4452 ipspAutoIkeAction OBJECT-TYPE 4453 SYNTAX VariablePointer 4454 MAX-ACCESS read-create 4455 STATUS current 4456 DESCRIPTION 4457 "This pointer is used to point to the action or compound 4458 action that should be initiated by this row." 4459 ::= { ipspAutostartIkeEntry 2 } 4461 ipspAutoIkeAddressType OBJECT-TYPE 4462 SYNTAX InetAddressType 4463 MAX-ACCESS read-create 4464 STATUS current 4465 DESCRIPTION 4466 "The property ipspAutoIkeAddressType specifies the format of the 4467 autoIke source and destination Address values. 4469 Values of unknown, ipv4z, ipv6z and dns are not legal values 4470 for this object." 4471 ::= { ipspAutostartIkeEntry 3 } 4473 ipspAutoIkeSourceAddress OBJECT-TYPE 4474 SYNTAX InetAddress 4475 MAX-ACCESS read-create 4476 STATUS current 4477 DESCRIPTION 4478 "The property autoIkeSourecAddress specifies Source IP address 4479 for autostarting IKE SA's, formatted according to the 4480 appropriate convention as defined in the 4481 ipspAutoIkeAddressType property." 4482 ::= { ipspAutostartIkeEntry 4 } 4484 ipspAutoIkeSourcePort OBJECT-TYPE 4485 SYNTAX InetPortNumber 4486 MAX-ACCESS read-create 4487 STATUS current 4488 DESCRIPTION 4489 "The property ipspAutoIkeSourcePort specifies the port number 4490 for the source port for auotstarting IKE SA's. 4492 The value of 0 for this object is illegal." 4493 ::= { ipspAutostartIkeEntry 5 } 4495 ipspAutoIkeDestAddress OBJECT-TYPE 4496 SYNTAX InetAddress 4497 MAX-ACCESS read-create 4498 STATUS current 4499 DESCRIPTION 4500 "The property ipspAutoIkeDestAddress specifies the Destination 4501 IP address for autostarting IKE SA's, formatted according to 4502 the appropriate convention as defined in the 4503 ipspAutoIkeAddressType property." 4504 ::= { ipspAutostartIkeEntry 6 } 4506 ipspAutoIkeDestPort OBJECT-TYPE 4507 SYNTAX InetPortNumber 4508 MAX-ACCESS read-create 4509 STATUS current 4510 DESCRIPTION 4511 "The property ipspAutoIkeDestPort specifies the port number for 4512 the destination port for auotstarting IKE SA's. 4514 The value of 0 for this object is illegal." 4515 ::= { ipspAutostartIkeEntry 7 } 4517 ipspAutoIkeProtocol OBJECT-TYPE 4518 SYNTAX Unsigned32 (0..255) 4519 MAX-ACCESS read-create 4520 STATUS current 4521 DESCRIPTION 4522 "The property Protocol specifies the protocol number used in 4523 comparing with policy filter entries and used in any phase 2 4524 negotiations." 4525 ::= { ipspAutostartIkeEntry 8 } 4527 ipspAutoIkeLastChanged OBJECT-TYPE 4528 SYNTAX TimeStamp 4529 MAX-ACCESS read-only 4530 STATUS current 4531 DESCRIPTION 4532 "The value of sysUpTime when this row was last modified or 4533 created either through SNMP SETs or by some other external 4534 means." 4535 ::= { ipspAutostartIkeEntry 9 } 4537 ipspAutoIkeStorageType OBJECT-TYPE 4538 SYNTAX StorageType 4539 MAX-ACCESS read-create 4540 STATUS current 4541 DESCRIPTION 4542 "The storage type for this row. Rows in this table which were 4543 created through an external process may have a storage type 4544 of readOnly or permanent." 4545 DEFVAL { nonVolatile } 4546 ::= { ipspAutostartIkeEntry 10 } 4548 ipspAutoIkeRowStatus OBJECT-TYPE 4549 SYNTAX RowStatus 4550 MAX-ACCESS read-create 4551 STATUS current 4552 DESCRIPTION 4553 "This object indicates the conceptual status of this row. 4555 The value of this object has no effect on whether other 4556 objects in this conceptual row can be modified." 4558 ::= { ipspAutostartIkeEntry 11 } 4560 -- 4561 -- CA Table 4562 -- 4564 ipspIpsecCredMngServiceTable OBJECT-TYPE 4565 SYNTAX SEQUENCE OF IpspIpsecCredMngServiceEntry 4566 MAX-ACCESS not-accessible 4567 STATUS current 4568 DESCRIPTION 4569 "A table of Credential Management Service values. This table 4570 is usually used for credential/certificate values that are 4571 used with a management service (e.g. Certificate 4572 Authorities)." 4573 ::= { ipspConfigObjects 31 } 4575 ipspIpsecCredMngServiceEntry OBJECT-TYPE 4576 SYNTAX IpspIpsecCredMngServiceEntry 4577 MAX-ACCESS not-accessible 4578 STATUS current 4579 DESCRIPTION 4580 "A row in the ipspIpsecCredMngServiceTable." 4581 INDEX { ipspIcmsName } 4582 ::= { ipspIpsecCredMngServiceTable 1 } 4584 IpspIpsecCredMngServiceEntry ::= SEQUENCE { 4585 ipspIcmsName SnmpAdminString, 4586 ipspIcmsDistinguishedName OCTET STRING, 4587 ipspIcmsPolicyStatement OCTET STRING, 4588 ipspIcmsMaxChainLength Integer32, 4589 ipspIcmsCredentialName SnmpAdminString, 4590 ipspIcmsLastChanged TimeStamp, 4591 ipspIcmsStorageType StorageType, 4592 ipspIcmsRowStatus RowStatus 4593 } 4595 ipspIcmsName OBJECT-TYPE 4596 SYNTAX SnmpAdminString(SIZE(1..32)) 4597 MAX-ACCESS not-accessible 4598 STATUS current 4599 DESCRIPTION 4600 "This is an administratively assigned string used to index 4601 this table." 4602 ::= { ipspIpsecCredMngServiceEntry 1 } 4604 ipspIcmsDistinguishedName OBJECT-TYPE 4605 SYNTAX OCTET STRING (SIZE(1..256)) 4606 MAX-ACCESS read-create 4607 STATUS current 4608 DESCRIPTION 4609 "This value represents the Distinguished Name of the 4610 Credential Management Service." 4611 ::= { ipspIpsecCredMngServiceEntry 2 } 4613 ipspIcmsPolicyStatement OBJECT-TYPE 4614 SYNTAX OCTET STRING (SIZE(0..1024)) 4615 MAX-ACCESS read-create 4616 STATUS current 4617 DESCRIPTION 4618 "This Value represents the Credential Management Service 4619 Policy Statement, or a reference describing how to obtain it 4620 (e.g., a URL). If one doesn't exist, this value can be left 4621 blank" 4622 ::= { ipspIpsecCredMngServiceEntry 3 } 4624 ipspIcmsMaxChainLength OBJECT-TYPE 4625 SYNTAX Integer32 (0..255) 4626 MAX-ACCESS read-create 4627 STATUS current 4628 DESCRIPTION 4629 "This value is the maximum length of the chain allowble from 4630 the Credential Management Service to the credential in 4631 question." 4632 DEFVAL { 0 } 4633 ::= { ipspIpsecCredMngServiceEntry 4} 4635 ipspIcmsCredentialName OBJECT-TYPE 4636 SYNTAX SnmpAdminString (SIZE(0..32)) 4637 MAX-ACCESS read-create 4638 STATUS current 4639 DESCRIPTION 4640 "This value is used as an index into the ipspCredentialTable 4641 to look up the actual credential value." 4642 ::= { ipspIpsecCredMngServiceEntry 5 } 4644 ipspIcmsLastChanged OBJECT-TYPE 4645 SYNTAX TimeStamp 4646 MAX-ACCESS read-only 4647 STATUS current 4648 DESCRIPTION 4649 "The value of sysUpTime when this row was last modified or 4650 created either through SNMP SETs or by some other external 4651 means." 4652 ::= { ipspIpsecCredMngServiceEntry 6 } 4654 ipspIcmsStorageType OBJECT-TYPE 4655 SYNTAX StorageType 4656 MAX-ACCESS read-create 4657 STATUS current 4658 DESCRIPTION 4659 "The storage type for this row. Rows in this table which were 4660 created through an external process may have a storage type 4661 of readOnly or permanent." 4662 DEFVAL { nonVolatile } 4663 ::= { ipspIpsecCredMngServiceEntry 7 } 4665 ipspIcmsRowStatus OBJECT-TYPE 4666 SYNTAX RowStatus 4667 MAX-ACCESS read-create 4668 STATUS current 4669 DESCRIPTION 4670 "This object indicates the conceptual status of this row. 4672 The value of this object has no effect on whether other 4673 objects in this conceptual row can be modified. 4675 If active, this object must remain active if it is referenced 4676 by a row in another table." 4677 ::= { ipspIpsecCredMngServiceEntry 8 } 4679 -- 4680 -- CRL Table 4681 -- 4683 ipspCredMngCRLTable OBJECT-TYPE 4684 SYNTAX SEQUENCE OF IpspCredMngCRLEntry 4685 MAX-ACCESS not-accessible 4686 STATUS current 4687 DESCRIPTION 4688 "A table of the Credential Revocation Lists (CRL) for 4689 credential managment services." 4690 ::= { ipspConfigObjects 32 } 4692 ipspCredMngCRLEntry OBJECT-TYPE 4693 SYNTAX IpspCredMngCRLEntry 4694 MAX-ACCESS not-accessible 4695 STATUS current 4696 DESCRIPTION 4697 "A row in the ipspCredMngCRLTable." 4698 INDEX { ipspIcmsName , ipspCmcCRLName } 4699 ::= { ipspCredMngCRLTable 1 } 4701 IpspCredMngCRLEntry ::= SEQUENCE { 4702 ipspCmcCRLName SnmpAdminString, 4703 ipspCmcDistributionPoint OCTET STRING, 4704 ipspCmcThisUpdate OCTET STRING, 4705 ipspCmcNextUpdate OCTET STRING, 4706 ipspCmcLastChanged TimeStamp, 4707 ipspCmcStorageType StorageType, 4708 ipspCmcRowStatus RowStatus 4709 } 4711 ipspCmcCRLName OBJECT-TYPE 4712 SYNTAX SnmpAdminString(SIZE(1..32)) 4713 MAX-ACCESS not-accessible 4714 STATUS current 4715 DESCRIPTION 4716 "This is an administratively assigned string used to index 4717 this table. It represents a CRL for a given CA from a given 4718 distribution point." 4719 ::= { ipspCredMngCRLEntry 1 } 4721 ipspCmcDistributionPoint OBJECT-TYPE 4722 SYNTAX OCTET STRING (SIZE(0..256)) 4723 MAX-ACCESS read-create 4724 STATUS current 4725 DESCRIPTION 4726 "This Value represents a Distribution Point for a Credential 4727 Revocation List. It can be relative to the Credential 4728 Management Service or a full name (URL, e-mail, etc...)." 4729 ::= { ipspCredMngCRLEntry 2 } 4731 ipspCmcThisUpdate OBJECT-TYPE 4732 SYNTAX OCTET STRING (SIZE(0..32)) 4733 MAX-ACCESS read-create 4734 STATUS current 4735 DESCRIPTION 4736 "This value is the issue date of this CRL. This 4737 should be in utctime or generalizedtime." 4738 ::= { ipspCredMngCRLEntry 3 } 4740 ipspCmcNextUpdate OBJECT-TYPE 4741 SYNTAX OCTET STRING (SIZE(0..32)) 4742 MAX-ACCESS read-create 4743 STATUS current 4744 DESCRIPTION 4745 "This value indicates the date the next version of this CRL 4746 will be issued. This should be in utctime or 4747 generalizedtime." 4748 ::= { ipspCredMngCRLEntry 4 } 4750 ipspCmcLastChanged OBJECT-TYPE 4751 SYNTAX TimeStamp 4752 MAX-ACCESS read-only 4753 STATUS current 4754 DESCRIPTION 4755 "The value of sysUpTime when this row was last modified or 4756 created either through SNMP SETs or by some other external 4757 means." 4758 ::= { ipspCredMngCRLEntry 5 } 4760 ipspCmcStorageType OBJECT-TYPE 4761 SYNTAX StorageType 4762 MAX-ACCESS read-create 4763 STATUS current 4764 DESCRIPTION 4765 "The storage type for this row. Rows in this table which were 4766 created through an external process may have a storage type 4767 of readOnly or permanent." 4768 DEFVAL { nonVolatile } 4769 ::= { ipspCredMngCRLEntry 6 } 4771 ipspCmcRowStatus OBJECT-TYPE 4772 SYNTAX RowStatus 4773 MAX-ACCESS read-create 4774 STATUS current 4775 DESCRIPTION 4776 "This object indicates the conceptual status of this row. 4778 The value of this object has no effect on whether other 4779 objects in this conceptual row can be modified. 4781 If active, this object must remain active if it is referenced 4782 by a row in another table." 4783 ::= { ipspCredMngCRLEntry 7 } 4785 -- 4786 -- Revoked Certificate Table 4787 -- 4788 ipspRevokedCertificateTable OBJECT-TYPE 4789 SYNTAX SEQUENCE OF IpspRevokedCertificateEntry 4790 MAX-ACCESS not-accessible 4791 STATUS current 4792 DESCRIPTION 4793 "A table of Credentials revoked by credential managment 4794 services. That is, this table is a table of Certificates 4795 that are on CRL's, Credential Revocation Lists." 4796 ::= { ipspConfigObjects 33 } 4798 ipspRevokedCertificateEntry OBJECT-TYPE 4799 SYNTAX IpspRevokedCertificateEntry 4800 MAX-ACCESS not-accessible 4801 STATUS current 4802 DESCRIPTION 4803 "A row in the ipspRevokedCertificateTable." 4804 INDEX { ipspCmcCRLName, ipspRctCertSerialNumber} 4805 ::= { ipspRevokedCertificateTable 1 } 4807 IpspRevokedCertificateEntry ::= SEQUENCE { 4808 ipspRctCertSerialNumber Unsigned32, 4809 ipspRctRevokedDate OCTET STRING, 4810 ipspRctRevokedReason INTEGER, 4811 ipspRctLastChanged TimeStamp, 4812 ipspRctStorageType StorageType, 4813 ipspRctRowStatus RowStatus 4814 } 4816 ipspRctCertSerialNumber OBJECT-TYPE 4817 SYNTAX Unsigned32 (0..4294967295) 4818 MAX-ACCESS not-accessible 4819 STATUS current 4820 DESCRIPTION 4821 "This value is the serial number of the revoked certificate." 4822 ::= { ipspRevokedCertificateEntry 1 } 4824 ipspRctRevokedDate OBJECT-TYPE 4825 SYNTAX OCTET STRING (SIZE(0..32)) 4826 MAX-ACCESS read-create 4827 STATUS current 4828 DESCRIPTION 4829 "This value is the revocation date of the certificate. This 4830 should be in utctime or generaltime." 4831 ::= { ipspRevokedCertificateEntry 2 } 4833 ipspRctRevokedReason OBJECT-TYPE 4834 SYNTAX INTEGER { reserved(0), unspecified(1), keyCompromise(2), 4835 cACompromise(3), affiliationChanged(4), 4836 superseded(5), cessationOfOperation(6), 4837 certificateHold(7), removeFromCRL(8) } 4838 MAX-ACCESS read-create 4839 STATUS current 4840 DESCRIPTION 4841 "This value is the reason this certificate was revoked." 4842 DEFVAL { unspecified } 4843 ::= { ipspRevokedCertificateEntry 3 } 4845 ipspRctLastChanged OBJECT-TYPE 4846 SYNTAX TimeStamp 4847 MAX-ACCESS read-only 4848 STATUS current 4849 DESCRIPTION 4850 "The value of sysUpTime when this row was last modified or 4851 created either through SNMP SETs or by some other external 4852 means." 4853 ::= { ipspRevokedCertificateEntry 4 } 4855 ipspRctStorageType OBJECT-TYPE 4856 SYNTAX StorageType 4857 MAX-ACCESS read-create 4858 STATUS current 4859 DESCRIPTION 4860 "The storage type for this row. Rows in this table which were 4861 created through an external process may have a storage type 4862 of readOnly or permanent." 4863 DEFVAL { nonVolatile } 4864 ::= { ipspRevokedCertificateEntry 5 } 4866 ipspRctRowStatus OBJECT-TYPE 4867 SYNTAX RowStatus 4868 MAX-ACCESS read-create 4869 STATUS current 4870 DESCRIPTION 4871 "This object indicates the conceptual status of this row. 4873 The value of this object has no effect on whether other 4874 objects in this conceptual row can be modified. 4876 If active, this object must remain active if it is referenced 4877 by a row in another table." 4878 ::= { ipspRevokedCertificateEntry 6 } 4880 -- 4881 -- Credential Table 4882 -- 4883 ipspCredentialTable OBJECT-TYPE 4884 SYNTAX SEQUENCE OF IpspCredentialEntry 4885 MAX-ACCESS not-accessible 4886 STATUS current 4887 DESCRIPTION 4888 "A table of credential values. Example of Credentials are 4889 shared secrets, certificates or kerberos tickets." 4890 ::= { ipspConfigObjects 34 } 4892 ipspCredentialEntry OBJECT-TYPE 4893 SYNTAX IpspCredentialEntry 4894 MAX-ACCESS not-accessible 4895 STATUS current 4896 DESCRIPTION 4897 "A row in the ipspCredentialTable." 4898 INDEX { ipspCredName } 4899 ::= { ipspCredentialTable 1 } 4901 IpspCredentialEntry ::= SEQUENCE { 4902 ipspCredName SnmpAdminString, 4903 ipspCredType IpspCredentialType, 4904 ipspCredCredential OCTET STRING, 4905 ipspCredSize Integer32, 4906 ipspCredMngName SnmpAdminString, 4907 ipspCredRemoteID OCTET STRING, 4908 ipspCredAdminStatus IpspAdminStatus, 4909 ipspCredLastChanged TimeStamp, 4910 ipspCredStorageType StorageType, 4911 ipspCredRowStatus RowStatus 4912 } 4914 ipspCredName OBJECT-TYPE 4915 SYNTAX SnmpAdminString(SIZE(1..32)) 4916 MAX-ACCESS not-accessible 4917 STATUS current 4918 DESCRIPTION 4919 "This object represents the name for an entry in this table." 4920 ::= { ipspCredentialEntry 1 } 4922 ipspCredType OBJECT-TYPE 4923 SYNTAX IpspCredentialType 4924 MAX-ACCESS read-create 4925 STATUS current 4926 DESCRIPTION 4927 "This object represents the type of the credential for this 4928 row." 4929 ::= { ipspCredentialEntry 2 } 4931 ipspCredCredential OBJECT-TYPE 4932 SYNTAX OCTET STRING (SIZE(0..1024)) 4933 MAX-ACCESS read-create 4934 STATUS current 4935 DESCRIPTION 4936 "This object represents the credential value. 4938 If the size of the credential is greater than 1024, the 4939 credential must be configured via the ipspCredSegmentTable. 4941 For credential type where the disclosure of the credential 4942 would compromise the credential (e.g. shared secrets), when 4943 this object is accessed for reading, it MUST return a null 4944 length (0 length) string and MUST NOT return the configured 4945 credential." 4946 ::= { ipspCredentialEntry 3 } 4948 ipspCredSize OBJECT-TYPE 4949 SYNTAX Integer32 4950 MAX-ACCESS read-only 4951 STATUS current 4952 DESCRIPTION 4953 "This value represents the size of the credential. 4955 If this value is greater than 1024, the ipspCreCredential 4956 column will return an empty (0 length) string. In this case, 4957 the value of the credential must be retrived from the 4958 ipspCredSegmentTable. 4960 For credential type where the disclosure of the credential 4961 would compromise the credential (e.g. shared secrets), when 4962 this object is accessed for reading, it MUST return a value 4963 of 0 and MUST NOT return the size credential." 4964 ::= { ipspCredentialEntry 4 } 4966 ipspCredMngName OBJECT-TYPE 4967 SYNTAX SnmpAdminString (SIZE(0..32)) 4968 MAX-ACCESS read-create 4969 STATUS current 4970 DESCRIPTION 4971 "This value is used as an index into the 4972 ipspIpsecCredMngServiceTable. For IDs that have no credential 4973 management service, this value is left blank." 4974 ::= { ipspCredentialEntry 5 } 4976 ipspCredRemoteID OBJECT-TYPE 4977 SYNTAX OCTET STRING(SIZE(0..256)) 4978 MAX-ACCESS read-create 4979 STATUS current 4980 DESCRIPTION 4981 "This object represents the Identification (e.g. user name) of 4982 the user of the key information on the remote site. If there 4983 is no ID associated with this credential, the value of this 4984 object should be the null string." 4985 ::= { ipspCredentialEntry 6 } 4987 ipspCredAdminStatus OBJECT-TYPE 4988 SYNTAX IpspAdminStatus 4989 MAX-ACCESS read-create 4990 STATUS current 4991 DESCRIPTION 4992 "Indicates whether this credential should be considered active. 4993 Rows with a disabled status must not be used for any purpose, 4994 including IKE or IPSEC processing. 4996 For credentials whose size does not execeed the maximum size 4997 for the ipspCredCredential, it may be set to enabled during 4998 row creation. For larger credentials, it should be left as 4999 disabled until all rows have been uploaded to the 5000 ipspCredSegmentTable." 5001 DEFVAL { disabled } 5002 ::= { ipspCredentialEntry 7 } 5004 ipspCredLastChanged OBJECT-TYPE 5005 SYNTAX TimeStamp 5006 MAX-ACCESS read-only 5007 STATUS current 5008 DESCRIPTION 5009 "The value of sysUpTime when this row was last modified or 5010 created either through SNMP SETs or by some other external 5011 means." 5012 ::= { ipspCredentialEntry 8 } 5014 ipspCredStorageType OBJECT-TYPE 5015 SYNTAX StorageType 5016 MAX-ACCESS read-create 5017 STATUS current 5018 DESCRIPTION 5019 "The storage type for this row. Rows in this table which were 5020 created through an external process may have a storage type 5021 of readOnly or permanent." 5022 DEFVAL { nonVolatile } 5023 ::= { ipspCredentialEntry 9 } 5025 ipspCredRowStatus OBJECT-TYPE 5026 SYNTAX RowStatus 5027 MAX-ACCESS read-create 5028 STATUS current 5029 DESCRIPTION 5030 "This object indicates the conceptual status of this row. 5032 The value of this object has no effect on whether other 5033 objects in this conceptual row can be modified. 5035 If active, this object must remain active if it is referenced 5036 by a row in another table." 5037 ::= { ipspCredentialEntry 10 } 5039 -- 5040 -- Credential Segement Value Table 5041 -- 5043 ipspCredentialSegmentTable OBJECT-TYPE 5044 SYNTAX SEQUENCE OF IpspCredentialSegmentEntry 5045 MAX-ACCESS not-accessible 5046 STATUS current 5047 DESCRIPTION 5048 "A table of credential segments. This table is used for 5049 credentials which are larger than the maximum size allowed 5050 for ipspCredCredential." 5051 ::= { ipspConfigObjects 35 } 5053 ipspCredentialSegmentEntry OBJECT-TYPE 5054 SYNTAX IpspCredentialSegmentEntry 5055 MAX-ACCESS not-accessible 5056 STATUS current 5057 DESCRIPTION 5058 "A row in the ipspCredentialSegmentTable." 5059 INDEX { ipspCredName, ipspCredSegIndex } 5060 ::= { ipspCredentialSegmentTable 1 } 5062 IpspCredentialSegmentEntry ::= SEQUENCE { 5063 ipspCredSegIndex Integer32, 5064 ipspCredSegValue OCTET STRING, 5065 ipspCredSegLastChanged TimeStamp, 5066 ipspCredSegStorageType StorageType, 5067 ipspCredSegRowStatus RowStatus 5068 } 5070 ipspCredSegIndex OBJECT-TYPE 5071 SYNTAX Integer32 (1..65535) 5072 MAX-ACCESS not-accessible 5073 STATUS current 5074 DESCRIPTION 5075 "This object represents the segment number for this segment. 5077 By default, each segment will be 1024 octets. However, when 5078 this table is accessed using a context of 'ipsp4096', 5079 'ipsp8192' or 'ipsp16384' a segment size of 4096, 8192 or 5080 16384 (respectively) will be used instead. 5082 The number of rows which need to be retrieved or set can be 5083 calculated by obtaining the value of the ipspCredSize column 5084 from the corresponding ipspCredentialTable row and dividing it 5085 by the segment size." 5086 ::= { ipspCredentialSegmentEntry 1 } 5088 ipspCredSegValue OBJECT-TYPE 5089 SYNTAX OCTET STRING 5090 MAX-ACCESS read-create 5091 STATUS current 5092 DESCRIPTION 5093 "This object represents one segment of the credential. 5095 By default, each complete segment will be 1024 octets. (The 5096 last row for a given credential might be smaller, if the 5097 credential size is not a multiple of the segment size). 5099 An implementation may optionally support segment sizes of 5100 256, 4096, 8192 or the full object size when this table is 5101 is accessed using a context of 'ipspCred256', 'ipspCred4096', 5102 'ipspCred8192' or 'ipspCredFull' (respectively). 5104 The number of rows which need to be retrieved or set can be 5105 calculated by obtaining the value of the ipspCredSize column 5106 from the corresponding ipspCredentialTable row and dividing it 5107 by the segment size." 5108 ::= { ipspCredentialSegmentEntry 2 } 5110 ipspCredSegLastChanged OBJECT-TYPE 5111 SYNTAX TimeStamp 5112 MAX-ACCESS read-only 5113 STATUS current 5114 DESCRIPTION 5115 "The value of sysUpTime when this credential was last modified 5116 or created either through SNMP SETs or by some other external 5117 means. Note that the last changed type will be the same for 5118 all segemnts of the credential." 5119 ::= { ipspCredentialSegmentEntry 3 } 5121 ipspCredSegStorageType OBJECT-TYPE 5122 SYNTAX StorageType 5123 MAX-ACCESS read-only 5124 STATUS current 5125 DESCRIPTION 5126 "The storage type for this row. This object is read-only. Rows 5127 in this table have the same value as the ipspCredStorageType 5128 for the corresponding row in the ipspCredentialTable." 5129 DEFVAL { nonVolatile } 5130 ::= { ipspCredentialSegmentEntry 4 } 5132 ipspCredSegRowStatus OBJECT-TYPE 5133 SYNTAX RowStatus 5134 MAX-ACCESS read-create 5135 STATUS current 5136 DESCRIPTION 5137 "This object indicates the conceptual status of this row. 5139 The segment of this object has no effect on whether other 5140 objects in this conceptual row can be modified. 5142 If active, this object must remain active if it is referenced 5143 by a row in another table." 5144 ::= { ipspCredentialSegmentEntry 5 } 5146 -- 5147 -- 5148 -- Notification objects information 5149 -- 5150 -- 5152 ipspNotificationVariables OBJECT IDENTIFIER ::= 5153 { ipspNotificationObjects 1 } 5155 ipspNotifications OBJECT IDENTIFIER ::= 5156 { ipspNotificationObjects 0 } 5158 ipspActionExecuted OBJECT-TYPE 5159 SYNTAX VariablePointer 5160 MAX-ACCESS accessible-for-notify 5161 STATUS current 5162 DESCRIPTION 5163 "Points to the action instance that was executed that 5164 resulted in the notification being sent." 5165 ::= { ipspNotificationVariables 1 } 5167 ipspIPInterfaceType OBJECT-TYPE 5168 SYNTAX InetAddressType 5169 MAX-ACCESS accessible-for-notify 5170 STATUS current 5171 DESCRIPTION 5172 "Contains the interface type for the interface that the 5173 packet which triggered the notification in question is 5174 passing through." 5175 ::= { ipspNotificationVariables 2 } 5177 ipspIPInterfaceAddress OBJECT-TYPE 5178 SYNTAX InetAddress 5179 MAX-ACCESS accessible-for-notify 5180 STATUS current 5181 DESCRIPTION 5182 "Contains the interface address for the interface that the 5183 packet which triggered the notification in question is 5184 passing through." 5185 ::= { ipspNotificationVariables 3 } 5187 ipspIPSourceType OBJECT-TYPE 5188 SYNTAX InetAddressType 5189 MAX-ACCESS accessible-for-notify 5190 STATUS current 5191 DESCRIPTION 5192 "Contains the source address type of the packet which 5193 triggered the notification in question." 5194 ::= { ipspNotificationVariables 4 } 5196 ipspIPSourceAddress OBJECT-TYPE 5197 SYNTAX InetAddress 5198 MAX-ACCESS accessible-for-notify 5199 STATUS current 5200 DESCRIPTION 5201 "Contains the source address of the packet which triggered the 5202 notification in question." 5203 ::= { ipspNotificationVariables 5 } 5205 ipspIPDestinationType OBJECT-TYPE 5206 SYNTAX InetAddressType 5207 MAX-ACCESS accessible-for-notify 5208 STATUS current 5209 DESCRIPTION 5210 "Contains the destination address type of the packet which 5211 triggered the notification in question." 5212 ::= { ipspNotificationVariables 6 } 5214 ipspIPDestinationAddress OBJECT-TYPE 5215 SYNTAX InetAddress 5216 MAX-ACCESS accessible-for-notify 5217 STATUS current 5218 DESCRIPTION 5219 "Contains the destination address of the packet which 5220 triggered the notification in question." 5221 ::= { ipspNotificationVariables 7 } 5223 ipspPacketDirection OBJECT-TYPE 5224 SYNTAX INTEGER { inbound(1), outbound(2) } 5225 MAX-ACCESS accessible-for-notify 5226 STATUS current 5227 DESCRIPTION 5228 "Indicates if the packet whic triggered the action in 5229 questions was inbound our outbound." 5230 ::= { ipspNotificationVariables 8 } 5232 ipspPacketPart OBJECT-TYPE 5233 SYNTAX OCTET STRING 5234 MAX-ACCESS accessible-for-notify 5235 STATUS current 5236 DESCRIPTION 5237 "Is the front part of the packet that triggered this 5238 notification. The size is determined by the value of 5239 'IpspIPPacketLogging' or the size of the packet, whichever 5240 is smaller." 5241 ::= { ipspNotificationVariables 9 } 5243 ipspActionNotification NOTIFICATION-TYPE 5244 OBJECTS { ipspActionExecuted, ipspIPInterfaceType, 5245 ipspIPInterfaceAddress, 5246 ipspIPSourceType, ipspIPSourceAddress, 5247 ipspIPDestinationType, 5248 ipspIPDestinationAddress, 5249 ipspPacketDirection } 5250 STATUS current 5251 DESCRIPTION 5252 "Notification that an action was executed by a rule. Only 5253 actions with logging enabled will result in this notification 5254 getting sent. The objects sent must include the 5255 ipspActionExecuted object which will indicate which 5256 action was executed within the scope of the rule. 5257 Additionally the ipspIPSourceType, 5258 ipspIPSourceAddress, ipspIPDestinationType, and 5259 ipspIPDestinationAddress objects must be included to 5260 indicate the packet source and destination of the packet that 5261 triggered the action. Finally the 5262 ipspIPInterfaceType, ipspIPInterfaceAddress, 5263 and ipspPacketDirection objects are included to 5264 indicate which interface the action was executed in 5265 association with and if the packet was inbound or outbond 5266 through the endpoint. 5268 Note that compound actions with multiple 5269 executed subactions may result in multiple notifications 5270 being sent from a single rule execution." 5271 ::= { ipspNotifications 1 } 5273 ipspPacketNotification NOTIFICATION-TYPE 5274 OBJECTS { ipspActionExecuted, ipspIPInterfaceType, 5275 ipspIPInterfaceAddress, 5276 ipspIPSourceType, ipspIPSourceAddress, 5277 ipspIPDestinationType, 5278 ipspIPDestinationAddress, 5279 ipspPacketDirection, 5280 ipspPacketPart } 5281 STATUS current 5282 DESCRIPTION 5283 "Notification that a packet passed through an SA. Only 5284 SA's created by actions with packet logging enabled will 5285 result in this notification getting sent. The objects sent 5286 must include the ipspActionExecuted which will 5287 indicate which action was executed within the scope of the 5288 rule. Additionally, the ipspIPSourceType, 5289 ipspIPSourceAddress, ipspIPDestinationType, and 5290 ipspIPDestinationAddress, objects must be included to 5291 indicate the packet source and destination of the packet that 5292 triggered the action. The ipspIPInterfaceType, 5293 ipspIPInterfaceAddress, and ipspPacketDirection 5294 objects are included to indicate which endpoint the packet 5295 was associated with. Finally, ipspPacketPart is 5296 including for sending a variable sized part of the front of 5297 the packet depending on the value of IpspIPPacketLogging." 5299 ::= { ipspNotifications 2 } 5301 -- 5302 -- 5303 -- Conformance information 5304 -- 5305 -- 5307 ipspCompliances OBJECT IDENTIFIER 5308 ::= { ipspConformanceObjects 1 } 5309 ipspGroups OBJECT IDENTIFIER 5310 ::= { ipspConformanceObjects 2 } 5312 -- 5313 -- Compliance statements 5314 -- 5315 -- 5316 ipspRuleFilterCompliance MODULE-COMPLIANCE 5317 STATUS current 5318 DESCRIPTION 5319 "The compliance statement for SNMP entities that include an 5320 IPsec MIB implementation with Endpoint, Rules, and filters 5321 support." 5322 MODULE -- This Module 5323 MANDATORY-GROUPS { ipspEndpointGroup, 5324 ipspGroupContentsGroup, 5325 ipspRuleDefinitionGroup, 5326 ipspIPHeaderFilterGroup, 5327 ipspStaticFilterGroup } 5329 GROUP ipspIpsecSystemPolicyNameGroup 5330 DESCRIPTION 5331 "This group is mandatory for IPsec Policy 5332 implementations which support a system policy group 5333 name." 5335 GROUP ipspCompoundFilterGroup 5336 DESCRIPTION 5337 "This group is mandatory for IPsec Policy 5338 implementations which support compound filters." 5340 GROUP ipspIPOffsetFilterGroup 5341 DESCRIPTION 5342 "This group is mandatory for IPsec Policy 5343 implementations which support IP Offset filters. In 5344 general, this SHOULD be supported by a compliant IPsec 5345 Policy implementation." 5347 GROUP ipspTimeFilterGroup 5348 DESCRIPTION 5349 "This group is mandatory for IPsec Policy 5350 implementations which support time filters." 5352 GROUP ipspIpsoHeaderFilterGroup 5353 DESCRIPTION 5354 "This group is mandatory for IPsec Policy 5355 implementations which support IPSO Header filters." 5357 GROUP ipspCredentialFilterGroup 5358 DESCRIPTION 5359 "This group is mandatory for IPsec Policy 5360 implementations which support Credential filters." 5362 GROUP ipspPeerIdFilterGroup 5363 DESCRIPTION 5364 "This group is mandatory for IPsec Policy 5365 implementations which support Peer Identity filters." 5367 OBJECT ipspEndGroupRowStatus 5368 SYNTAX RowStatus { 5369 active(1), createAndGo(4), destroy(6) 5370 } 5371 DESCRIPTION 5372 "Support of the values notInService(2), notReady(3), 5373 and createAndWait(5) is not required." 5375 OBJECT ipspEndGroupLastChanged 5376 MIN-ACCESS not-accessible 5377 DESCRIPTION 5378 "This object not required for compliance." 5380 OBJECT ipspGroupContComponentType 5381 SYNTAX INTEGER { 5382 rule(2) 5383 } 5384 DESCRIPTION 5385 "Support of the value group(1) is only required for 5386 implementations which support Policy Groups within Policy 5387 Groups." 5389 OBJECT ipspGroupContRowStatus 5390 SYNTAX RowStatus { 5391 active(1), createAndGo(4), destroy(6) 5392 } 5393 DESCRIPTION 5394 "Support of the values notInService(2), notReady(3), 5395 and createAndWait(5) is not required." 5397 OBJECT ipspGroupContLastChanged 5398 MIN-ACCESS not-accessible 5399 DESCRIPTION 5400 "This object not required for compliance." 5402 OBJECT ipspRuleDefRowStatus 5403 SYNTAX RowStatus { 5404 active(1), createAndGo(4), destroy(6) 5405 } 5406 DESCRIPTION 5407 "Support of the values notInService(2), notReady(3), 5408 and createAndWait(5) is not required." 5410 OBJECT ipspRuleDefLastChanged 5411 MIN-ACCESS not-accessible 5412 DESCRIPTION 5413 "This object not required for compliance." 5415 OBJECT ipspCompFiltRowStatus 5416 SYNTAX RowStatus { 5417 active(1), createAndGo(4), destroy(6) 5418 } 5419 DESCRIPTION 5420 "Support of the values notInService(2), notReady(3), 5421 and createAndWait(5) is not required." 5423 OBJECT ipspCompFiltLastChanged 5424 MIN-ACCESS not-accessible 5425 DESCRIPTION 5426 "This object not required for compliance." 5428 OBJECT ipspSubFiltRowStatus 5429 SYNTAX RowStatus { 5430 active(1), createAndGo(4), destroy(6) 5431 } 5432 DESCRIPTION 5433 "Support of the values notInService(2), notReady(3), 5434 and createAndWait(5) is not required." 5436 OBJECT ipspSubFiltLastChanged 5437 MIN-ACCESS not-accessible 5438 DESCRIPTION 5439 "This object not required for compliance." 5441 OBJECT ipspIpHeadFiltIPVersion 5442 SYNTAX InetAddressType { 5443 ipv4(1), ipv6(2) 5444 } 5445 DESCRIPTION 5446 "Only the ipv4 and ipv6 values make sense for this 5447 object." 5449 OBJECT ipspIpHeadFiltRowStatus 5450 SYNTAX RowStatus { 5451 active(1), createAndGo(4), destroy(6) 5452 } 5453 DESCRIPTION 5454 "Support of the values notInService(2), notReady(3), 5455 and createAndWait(5) is not required." 5457 OBJECT ipspIpHeadFiltLastChanged 5458 MIN-ACCESS not-accessible 5459 DESCRIPTION 5460 "This object not required for compliance." 5462 OBJECT ipspIpOffFiltRowStatus 5463 SYNTAX RowStatus { 5464 active(1), createAndGo(4), destroy(6) 5465 } 5466 DESCRIPTION 5467 "Support of the values notInService(2), notReady(3), 5468 and createAndWait(5) is not required." 5470 OBJECT ipspIpOffFiltLastChanged 5471 MIN-ACCESS not-accessible 5472 DESCRIPTION 5473 "This object not required for compliance." 5475 OBJECT ipspTimeFiltRowStatus 5476 SYNTAX RowStatus { 5477 active(1), createAndGo(4), destroy(6) 5478 } 5479 DESCRIPTION 5480 "Support of the values notInService(2), notReady(3), 5481 and createAndWait(5) is not required." 5483 OBJECT ipspTimeFiltLastChanged 5484 MIN-ACCESS not-accessible 5485 DESCRIPTION 5486 "This object not required for compliance." 5488 OBJECT ipspIpsoHeadFiltRowStatus 5489 SYNTAX RowStatus { 5490 active(1), createAndGo(4), destroy(6) 5491 } 5492 DESCRIPTION 5493 "Support of the values notInService(2), notReady(3), 5494 and createAndWait(5) is not required." 5496 OBJECT ipspIpsoHeadFiltLastChanged 5497 MIN-ACCESS not-accessible 5498 DESCRIPTION 5499 "This object not required for compliance." 5501 OBJECT ipspCmcDistributionPoint 5502 MIN-ACCESS read-only 5503 DESCRIPTION 5504 "Only read-only access is required for compliance." 5506 OBJECT ipspCmcThisUpdate 5507 MIN-ACCESS read-only 5508 DESCRIPTION 5509 "Only read-only access is required for compliance." 5511 OBJECT ipspCmcNextUpdate 5512 MIN-ACCESS read-only 5513 DESCRIPTION 5514 "Only read-only access is required for compliance." 5516 OBJECT ipspCmcLastChanged 5517 MIN-ACCESS not-accessible 5518 DESCRIPTION 5519 "This object not required for compliance." 5521 OBJECT ipspCmcStorageType 5522 MIN-ACCESS read-only 5523 DESCRIPTION 5524 "Only read-only access is required for compliance." 5526 OBJECT ipspCmcRowStatus 5527 SYNTAX RowStatus { 5528 active(1), createAndGo(4), destroy(6) 5529 } 5530 MIN-ACCESS read-only 5531 DESCRIPTION 5532 "Support of the values notInService(2), notReady(3), 5533 and createAndWait(5) is not required. Only read-only 5534 access is required for compliance." 5536 OBJECT ipspRctRevokedDate 5537 MIN-ACCESS read-only 5538 DESCRIPTION 5539 "Only read-only access is required for compliance." 5541 OBJECT ipspRctRevokedReason 5542 MIN-ACCESS read-only 5543 DESCRIPTION 5544 "Only read-only access is required for compliance." 5546 OBJECT ipspRctLastChanged 5547 MIN-ACCESS not-accessible 5548 DESCRIPTION 5549 "This object not required for compliance." 5551 OBJECT ipspRctStorageType 5552 MIN-ACCESS read-only 5553 DESCRIPTION 5554 "Only read-only access is required for compliance." 5556 OBJECT ipspRctRowStatus 5557 SYNTAX RowStatus { 5558 active(1), createAndGo(4), destroy(6) 5559 } 5560 MIN-ACCESS read-only 5561 DESCRIPTION 5562 "Support of the values notInService(2), notReady(3), 5563 and createAndWait(5) is not required. Only read-only 5564 access is required for compliance." 5566 OBJECT ipspIcmsDistinguishedName 5567 MIN-ACCESS read-only 5568 DESCRIPTION 5569 "Only read-only access is required for compliance." 5571 OBJECT ipspIcmsPolicyStatement 5572 MIN-ACCESS read-only 5573 DESCRIPTION 5574 "Only read-only access is required for compliance." 5576 OBJECT ipspIcmsMaxChainLength 5577 MIN-ACCESS read-only 5578 DESCRIPTION 5579 "Only read-only access is required for compliance." 5581 OBJECT ipspIcmsCredentialName 5582 MIN-ACCESS read-only 5583 DESCRIPTION 5584 "Only read-only access is required for compliance." 5586 OBJECT ipspIcmsLastChanged 5587 MIN-ACCESS not-accessible 5588 DESCRIPTION 5589 "This object not required for compliance." 5591 OBJECT ipspIcmsStorageType 5592 MIN-ACCESS read-only 5593 DESCRIPTION 5594 "Only read-only access is required for compliance." 5596 OBJECT ipspIcmsRowStatus 5597 SYNTAX RowStatus { 5598 active(1), createAndGo(4), destroy(6) 5599 } 5600 MIN-ACCESS read-only 5601 DESCRIPTION 5602 "Support of the values notInService(2), notReady(3), 5603 and createAndWait(5) is not required. Only read-only 5604 access is required for compliance." 5606 OBJECT ipspCredType 5607 MIN-ACCESS read-only 5608 DESCRIPTION 5609 "Only read-only access is required for compliance." 5611 OBJECT ipspCredCredential 5612 MIN-ACCESS read-only 5613 DESCRIPTION 5614 "Only read-only access is required for compliance." 5616 OBJECT ipspCredMngName 5617 MIN-ACCESS read-only 5618 DESCRIPTION 5619 "Only read-only access is required for compliance." 5621 OBJECT ipspCredRemoteID 5622 MIN-ACCESS read-only 5623 DESCRIPTION 5624 "Only read-only access is required for compliance." 5626 OBJECT ipspCredStorageType 5627 MIN-ACCESS read-only 5628 DESCRIPTION 5629 "Only read-only access is required for compliance." 5631 OBJECT ipspCredRowStatus 5632 SYNTAX RowStatus { 5633 active(1), createAndGo(4), destroy(6) 5634 } 5635 DESCRIPTION 5636 "Support of the values notInService(2), notReady(3), 5637 and createAndWait(5) is not required." 5639 OBJECT ipspCredLastChanged 5640 MIN-ACCESS not-accessible 5641 DESCRIPTION 5642 "This object is optional so as not to impose an undue 5643 burden on resource-constrained devices." 5645 OBJECT ipspCredFiltRowStatus 5646 SYNTAX RowStatus { 5647 active(1), createAndGo(4), destroy(6) 5648 } 5649 DESCRIPTION 5650 "Support of the values notInService(2), notReady(3), 5651 and createAndWait(5) is not required." 5653 OBJECT ipspCredFiltLastChanged 5654 MIN-ACCESS not-accessible 5655 DESCRIPTION 5656 "This object not required for compliance." 5658 OBJECT ipspPeerIdFiltRowStatus 5659 SYNTAX RowStatus { 5660 active(1), createAndGo(4), destroy(6) 5661 } 5662 DESCRIPTION 5663 "Support of the values notInService(2), notReady(3), 5664 and createAndWait(5) is not required." 5666 OBJECT ipspPeerIdFiltLastChanged 5667 MIN-ACCESS not-accessible 5668 DESCRIPTION 5669 "This object not required for compliance." 5671 ::= { ipspCompliances 1 } 5673 ipspIPsecCompliance MODULE-COMPLIANCE 5674 STATUS current 5675 DESCRIPTION 5676 "The compliance statement for SNMP entities that include an 5677 IPsec MIB implementation and supports IPsec actions." 5678 MODULE -- This Module 5679 MANDATORY-GROUPS { ipspIpsecGroup, 5680 ipspStaticActionGroup, 5681 ipspPreconfiguredGroup } 5683 GROUP ipspCompoundActionGroup 5684 DESCRIPTION 5685 "This group is mandatory for IPsec Policy 5686 implementations which support compound actions." 5688 OBJECT ipspCompActRowStatus 5689 SYNTAX RowStatus { 5690 active(1), createAndGo(4), destroy(6) 5691 } 5692 DESCRIPTION 5693 "Support of the values notInService(2), notReady(3), 5694 and createAndWait(5) is not required." 5696 OBJECT ipspCompActLastChanged 5697 MIN-ACCESS not-accessible 5698 DESCRIPTION 5699 "This object is optional so as not to impose an undue 5700 burden on resource-constrained devices." 5702 OBJECT aiipspCompActRowStatus 5703 SYNTAX RowStatus { 5704 active(1), createAndGo(4), destroy(6) 5705 } 5706 DESCRIPTION 5707 "Support of the values notInService(2), notReady(3), 5708 and createAndWait(5) is not required." 5710 OBJECT aiipspCompActLastChanged 5711 MIN-ACCESS not-accessible 5712 DESCRIPTION 5713 "This object is optional so as not to impose an undue 5714 burden on resource-constrained devices." 5716 OBJECT ipspIpsecActRowStatus 5717 SYNTAX RowStatus { 5718 active(1), createAndGo(4), destroy(6) 5719 } 5720 DESCRIPTION 5721 "Support of the values notInService(2), notReady(3), 5722 and createAndWait(5) is not required." 5724 OBJECT ipspIpsecActLastChanged 5725 MIN-ACCESS not-accessible 5726 DESCRIPTION 5727 "This object is optional so as not to impose an undue 5728 burden on resource-constrained devices." 5730 OBJECT ipspIpsecPropRowStatus 5731 SYNTAX RowStatus { 5732 active(1), createAndGo(4), destroy(6) 5733 } 5734 DESCRIPTION 5735 "Support of the values notInService(2), notReady(3), 5736 and createAndWait(5) is not required." 5738 OBJECT ipspIpsecPropLastChanged 5739 MIN-ACCESS not-accessible 5740 DESCRIPTION 5741 "This object is optional so as not to impose an undue 5742 burden on resource-constrained devices." 5744 OBJECT ipspIpsecTranRowStatus 5745 SYNTAX RowStatus { 5746 active(1), createAndGo(4), destroy(6) 5747 } 5748 DESCRIPTION 5749 "Support of the values notInService(2), notReady(3), 5750 and createAndWait(5) is not required." 5752 OBJECT ipspIpsecTranLastChanged 5753 MIN-ACCESS not-accessible 5754 DESCRIPTION 5755 "This object is optional so as not to impose an undue 5756 burden on resource-constrained devices." 5758 OBJECT ipspSaNegParamRowStatus 5759 SYNTAX RowStatus { 5760 active(1), createAndGo(4), destroy(6) 5761 } 5762 DESCRIPTION 5763 "Support of the values notInService(2), notReady(3), 5764 and createAndWait(5) is not required." 5766 OBJECT ipspSaNegParamLastChanged 5767 MIN-ACCESS not-accessible 5768 DESCRIPTION 5769 "This object is optional so as not to impose an undue 5770 burden on resource-constrained devices." 5772 OBJECT ipspAhTranRowStatus 5773 SYNTAX RowStatus { 5774 active(1), createAndGo(4), destroy(6) 5775 } 5776 DESCRIPTION 5777 "Support of the values notInService(2), notReady(3), 5778 and createAndWait(5) is not required." 5780 OBJECT ipspAhTranLastChanged 5781 MIN-ACCESS not-accessible 5782 DESCRIPTION 5783 "This object is optional so as not to impose an undue 5784 burden on resource-constrained devices." 5786 OBJECT ipspEspTranRowStatus 5787 SYNTAX RowStatus { 5788 active(1), createAndGo(4), destroy(6) 5789 } 5790 DESCRIPTION 5791 "Support of the values notInService(2), notReady(3), 5792 and createAndWait(5) is not required." 5794 OBJECT ipspEspTranLastChanged 5795 MIN-ACCESS not-accessible 5796 DESCRIPTION 5797 "This object is optional so as not to impose an undue 5798 burden on resource-constrained devices." 5800 OBJECT ipspIpcompTranRowStatus 5801 SYNTAX RowStatus { 5802 active(1), createAndGo(4), destroy(6) 5803 } 5804 DESCRIPTION 5805 "Support of the values notInService(2), notReady(3), 5806 and createAndWait(5) is not required." 5808 OBJECT ipspIpcompTranLastChanged 5809 MIN-ACCESS not-accessible 5810 DESCRIPTION 5811 "This object is optional so as not to impose an undue 5812 burden on resource-constrained devices." 5814 OBJECT ipspPeerIdAddressType 5815 SYNTAX InetAddressType { 5816 ipv4(1), ipv6(2) 5817 } 5818 DESCRIPTION 5819 "Only the ipv4 and ipv6 values make sense for this 5820 object." 5822 OBJECT ipspPeerIdRowStatus 5823 SYNTAX RowStatus { 5824 active(1), createAndGo(4), destroy(6) 5825 } 5826 DESCRIPTION 5827 "Support of the values notInService(2), notReady(3), 5828 and createAndWait(5) is not required." 5830 OBJECT ipspPeerIdLastChanged 5831 MIN-ACCESS not-accessible 5832 DESCRIPTION 5833 "This object is optional so as not to impose an undue 5834 burden on resource-constrained devices." 5836 OBJECT ipspCredRowStatus 5837 SYNTAX RowStatus { 5838 active(1), createAndGo(4), destroy(6) 5839 } 5840 DESCRIPTION 5841 "Support of the values notInService(2), notReady(3), 5842 and createAndWait(5) is not required." 5844 OBJECT ipspCredLastChanged 5845 MIN-ACCESS not-accessible 5846 DESCRIPTION 5847 "This object is optional so as not to impose an undue 5848 burden on resource-constrained devices." 5850 OBJECT ipspCredSegRowStatus 5851 SYNTAX RowStatus { 5852 active(1), createAndGo(4), destroy(6) 5853 } 5854 DESCRIPTION 5855 "Support of the values notInService(2), notReady(3), 5856 and createAndWait(5) is not required." 5858 OBJECT ipspCredSegLastChanged 5859 MIN-ACCESS not-accessible 5860 DESCRIPTION 5861 "This object is optional so as not to impose an undue 5862 burden on resource-constrained devices." 5864 OBJECT ipspSaPreActRowStatus 5865 SYNTAX RowStatus { 5866 active(1), createAndGo(4), destroy(6) 5867 } 5868 DESCRIPTION 5869 "Support of the values notInService(2), notReady(3), 5870 and createAndWait(5) is not required." 5872 OBJECT ipspSaPreActLastChanged 5873 MIN-ACCESS not-accessible 5874 DESCRIPTION 5875 "This object is optional so as not to impose an undue 5876 burden on resource-constrained devices." 5878 ::= { ipspCompliances 2 } 5880 ipspIKECompliance MODULE-COMPLIANCE 5881 STATUS current 5882 DESCRIPTION 5883 "The compliance statement for SNMP entities that include an 5884 IPsec MIB implementation and supports IKE actions." 5885 MODULE -- This Module 5886 MANDATORY-GROUPS { ipspIkeGroup } 5888 GROUP ipspCompoundActionGroup 5889 DESCRIPTION 5890 "This group is mandatory for IPsec Policy 5891 implementations which support compound actions." 5893 OBJECT ipspCompActRowStatus 5894 SYNTAX RowStatus { 5895 active(1), createAndGo(4), destroy(6) 5896 } 5897 DESCRIPTION 5898 "Support of the values notInService(2), notReady(3), 5899 and createAndWait(5) is not required." 5901 OBJECT ipspCompActLastChanged 5902 MIN-ACCESS not-accessible 5903 DESCRIPTION 5904 "This object is optional so as not to impose an undue 5905 burden on resource-constrained devices." 5907 OBJECT aiipspCompActRowStatus 5908 SYNTAX RowStatus { 5909 active(1), createAndGo(4), destroy(6) 5910 } 5911 DESCRIPTION 5912 "Support of the values notInService(2), notReady(3), 5913 and createAndWait(5) is not required." 5915 OBJECT aiipspCompActLastChanged 5916 MIN-ACCESS not-accessible 5917 DESCRIPTION 5918 "This object is optional so as not to impose an undue 5919 burden on resource-constrained devices." 5921 OBJECT ipspIkeActRowStatus 5922 SYNTAX RowStatus { 5923 active(1), createAndGo(4), destroy(6) 5924 } 5925 DESCRIPTION 5926 "Support of the values notInService(2), notReady(3), 5927 and createAndWait(5) is not required." 5929 OBJECT ipspIkeActLastChanged 5930 MIN-ACCESS not-accessible 5931 DESCRIPTION 5932 "This object is optional so as not to impose an undue 5933 burden on resource-constrained devices." 5935 OBJECT ipspIkeActPropRowStatus 5936 SYNTAX RowStatus { 5937 active(1), createAndGo(4), destroy(6) 5939 } 5940 DESCRIPTION 5941 "Support of the values notInService(2), notReady(3), 5942 and createAndWait(5) is not required." 5944 OBJECT ipspIkeActPropLastChanged 5945 MIN-ACCESS not-accessible 5946 DESCRIPTION 5947 "This object is optional so as not to impose an undue 5948 burden on resource-constrained devices." 5950 OBJECT ipspIkePropProposalRowStatus 5951 SYNTAX RowStatus { 5952 active(1), createAndGo(4), destroy(6) 5953 } 5954 DESCRIPTION 5955 "Support of the values notInService(2), notReady(3), 5956 and createAndWait(5) is not required." 5958 OBJECT ipspIkePropProposalLastChanged 5959 MIN-ACCESS not-accessible 5960 DESCRIPTION 5961 "This object is optional so as not to impose an undue 5962 burden on resource-constrained devices." 5964 OBJECT ipspSaNegParamRowStatus 5965 SYNTAX RowStatus { 5966 active(1), createAndGo(4), destroy(6) 5967 } 5968 DESCRIPTION 5969 "Support of the values notInService(2), notReady(3), 5970 and createAndWait(5) is not required." 5972 OBJECT ipspSaNegParamLastChanged 5973 MIN-ACCESS not-accessible 5974 DESCRIPTION 5975 "This object is optional so as not to impose an undue 5976 burden on resource-constrained devices." 5978 OBJECT ipspIkeIdRowStatus 5979 SYNTAX RowStatus { 5980 active(1), createAndGo(4), destroy(6) 5981 } 5982 DESCRIPTION 5983 "Support of the values notInService(2), notReady(3), 5984 and createAndWait(5) is not required." 5986 OBJECT ipspIkeIdLastChanged 5987 MIN-ACCESS not-accessible 5988 DESCRIPTION 5989 "This object is optional so as not to impose an undue 5990 burden on resource-constrained devices." 5992 OBJECT ipspPeerIdRowStatus 5993 SYNTAX RowStatus { 5994 active(1), createAndGo(4), destroy(6) 5995 } 5996 DESCRIPTION 5997 "Support of the values notInService(2), notReady(3), 5998 and createAndWait(5) is not required." 6000 OBJECT ipspPeerIdLastChanged 6001 MIN-ACCESS not-accessible 6002 DESCRIPTION 6003 "This object is optional so as not to impose an undue 6004 burden on resource-constrained devices." 6006 OBJECT ipspAutoIkeAddressType 6007 SYNTAX InetAddressType { 6008 ipv4(1), ipv6(2) 6009 } 6010 DESCRIPTION 6011 "Only the ipv4 and ipv6 values make sense for this 6012 object." 6014 OBJECT ipspAutoIkeRowStatus 6015 SYNTAX RowStatus { 6016 active(1), createAndGo(4), destroy(6) 6017 } 6018 DESCRIPTION 6019 "Support of the values notInService(2), notReady(3), 6020 and createAndWait(5) is not required." 6022 OBJECT ipspAutoIkeLastChanged 6023 MIN-ACCESS not-accessible 6024 DESCRIPTION 6025 "This object is optional so as not to impose an undue 6026 burden on resource-constrained devices." 6028 OBJECT ipspCmcDistributionPoint 6029 MIN-ACCESS read-only 6030 DESCRIPTION 6031 "Only read-only access is required for compliance." 6033 OBJECT ipspCmcThisUpdate 6034 MIN-ACCESS read-only 6035 DESCRIPTION 6036 "Only read-only access is required for compliance." 6038 OBJECT ipspCmcNextUpdate 6039 MIN-ACCESS read-only 6040 DESCRIPTION 6041 "Only read-only access is required for compliance." 6043 OBJECT ipspCmcLastChanged 6044 MIN-ACCESS not-accessible 6045 DESCRIPTION 6046 "This object not required for compliance." 6048 OBJECT ipspCmcStorageType 6049 MIN-ACCESS read-only 6050 DESCRIPTION 6051 "Only read-only access is required for compliance." 6053 OBJECT ipspCmcRowStatus 6054 SYNTAX RowStatus { 6055 active(1), createAndGo(4), destroy(6) 6056 } 6057 MIN-ACCESS read-only 6058 DESCRIPTION 6059 "Support of the values notInService(2), notReady(3), 6060 and createAndWait(5) is not required. Only read-only 6061 access is required for compliance." 6063 OBJECT ipspRctRevokedDate 6064 MIN-ACCESS read-only 6065 DESCRIPTION 6066 "Only read-only access is required for compliance." 6068 OBJECT ipspRctRevokedReason 6069 MIN-ACCESS read-only 6070 DESCRIPTION 6071 "Only read-only access is required for compliance." 6073 OBJECT ipspRctLastChanged 6074 MIN-ACCESS not-accessible 6075 DESCRIPTION 6076 "This object not required for compliance." 6078 OBJECT ipspRctStorageType 6079 MIN-ACCESS read-only 6080 DESCRIPTION 6081 "Only read-only access is required for compliance." 6083 OBJECT ipspRctRowStatus 6084 SYNTAX RowStatus { 6085 active(1), createAndGo(4), destroy(6) 6086 } 6087 MIN-ACCESS read-only 6088 DESCRIPTION 6089 "Support of the values notInService(2), notReady(3), 6090 and createAndWait(5) is not required. Only read-only 6091 access is required for compliance." 6093 OBJECT ipspIcmsDistinguishedName 6094 MIN-ACCESS read-only 6095 DESCRIPTION 6096 "Only read-only access is required for compliance." 6098 OBJECT ipspIcmsPolicyStatement 6099 MIN-ACCESS read-only 6100 DESCRIPTION 6101 "Only read-only access is required for compliance." 6103 OBJECT ipspIcmsMaxChainLength 6104 MIN-ACCESS read-only 6105 DESCRIPTION 6106 "Only read-only access is required for compliance." 6108 OBJECT ipspIcmsCredentialName 6109 MIN-ACCESS read-only 6110 DESCRIPTION 6111 "Only read-only access is required for compliance." 6113 OBJECT ipspIcmsLastChanged 6114 MIN-ACCESS not-accessible 6115 DESCRIPTION 6116 "This object not required for compliance." 6118 OBJECT ipspIcmsStorageType 6119 MIN-ACCESS read-only 6120 DESCRIPTION 6121 "Only read-only access is required for compliance." 6123 OBJECT ipspIcmsRowStatus 6124 SYNTAX RowStatus { 6125 active(1), createAndGo(4), destroy(6) 6126 } 6127 MIN-ACCESS read-only 6128 DESCRIPTION 6129 "Support of the values notInService(2), notReady(3), 6130 and createAndWait(5) is not required. Only read-only 6131 access is required for compliance." 6133 OBJECT ipspCredRowStatus 6134 SYNTAX RowStatus { 6135 active(1), createAndGo(4), destroy(6) 6136 } 6137 DESCRIPTION 6138 "Support of the values notInService(2), notReady(3), 6139 and createAndWait(5) is not required." 6141 OBJECT ipspCredLastChanged 6142 MIN-ACCESS not-accessible 6143 DESCRIPTION 6144 "This object is optional so as not to impose an undue 6145 burden on resource-constrained devices." 6147 OBJECT ipspCredSegRowStatus 6148 SYNTAX RowStatus { 6149 active(1), createAndGo(4), destroy(6) 6150 } 6151 DESCRIPTION 6152 "Support of the values notInService(2), notReady(3), 6153 and createAndWait(5) is not required." 6155 OBJECT ipspCredSegLastChanged 6156 MIN-ACCESS not-accessible 6157 DESCRIPTION 6158 "This object is optional so as not to impose an undue 6159 burden on resource-constrained devices." 6161 ::= { ipspCompliances 3 } 6163 ipspLoggingCompliance MODULE-COMPLIANCE 6164 STATUS current 6165 DESCRIPTION 6166 "The compliance statement for SNMP entities that support 6167 sending notifications when actions are invoked." 6168 MODULE -- This Module 6169 MANDATORY-GROUPS { ipspActionLoggingObjectGroup, 6170 ipspActionNotificationGroup } 6172 ::= { ipspCompliances 4 } 6174 -- 6175 -- 6176 -- Compliance Groups Definitions 6177 -- 6178 -- 6179 -- Endpoint, Rule, Filter Compliance Groups 6180 -- 6182 ipspEndpointGroup OBJECT-GROUP 6183 OBJECTS { 6184 ipspEndGroupName, ipspEndGroupLastChanged, 6185 ipspEndGroupStorageType, ipspEndGroupRowStatus 6186 } 6187 STATUS current 6188 DESCRIPTION 6189 "The IPsec Policy Endpoint Table Group." 6190 ::= { ipspGroups 1 } 6192 ipspGroupContentsGroup OBJECT-GROUP 6193 OBJECTS { 6194 ipspGroupContComponentType, ipspGroupContFilter, 6195 ipspGroupContComponentName, ipspGroupContLastChanged, 6196 ipspGroupContStorageType, ipspGroupContRowStatus 6197 } 6198 STATUS current 6199 DESCRIPTION 6200 "The IPsec Policy Group Contents Table Group." 6201 ::= { ipspGroups 2 } 6203 ipspIpsecSystemPolicyNameGroup OBJECT-GROUP 6204 OBJECTS { 6205 ipspSystemPolicyGroupName 6206 } 6207 STATUS current 6208 DESCRIPTION 6209 "The System Policy Group Name Group." 6210 ::= { ipspGroups 3} 6212 ipspRuleDefinitionGroup OBJECT-GROUP 6213 OBJECTS { 6214 ipspRuleDefDescription, ipspRuleDefFilter, 6215 ipspRuleDefFilterNegated, ipspRuleDefAction, 6216 ipspRuleDefAdminStatus, ipspRuleDefLastChanged, 6217 ipspRuleDefStorageType, ipspRuleDefRowStatus 6218 } 6219 STATUS current 6220 DESCRIPTION 6221 "The IPsec Policy Rule Definition Table Group." 6222 ::= { ipspGroups 4 } 6224 ipspCompoundFilterGroup OBJECT-GROUP 6225 OBJECTS { 6226 ipspCompFiltDescription, ipspCompFiltLogicType, 6227 ipspCompFiltLastChanged, ipspCompFiltStorageType, 6228 ipspCompFiltRowStatus, ipspSubFiltSubfilter, 6229 ipspSubFiltSubfilterIsNegated, ipspSubFiltLastChanged, 6230 ipspSubFiltStorageType, ipspSubFiltRowStatus 6231 } 6232 STATUS current 6233 DESCRIPTION 6234 "The IPsec Policy Compound Filter Table and Filters in 6235 Compound Filters Table Group." 6236 ::= { ipspGroups 5 } 6238 ipspStaticFilterGroup OBJECT-GROUP 6239 OBJECTS { ipspTrueFilter, ipspIkePhase1Filter, 6240 ipspIkePhase2Filter } 6241 STATUS current 6242 DESCRIPTION 6243 "The static filter group. Currently this is just a true 6244 filter." 6245 ::= { ipspGroups 6 } 6247 ipspIPHeaderFilterGroup OBJECT-GROUP 6248 OBJECTS { 6249 ipspIpHeadFiltType, ipspIpHeadFiltIPVersion, 6250 ipspIpHeadFiltSrcAddressBegin, ipspIpHeadFiltSrcAddressEnd, 6251 ipspIpHeadFiltDstAddressBegin, ipspIpHeadFiltDstAddressEnd, 6252 ipspIpHeadFiltSrcLowPort, ipspIpHeadFiltSrcHighPort, 6253 ipspIpHeadFiltDstLowPort, ipspIpHeadFiltDstHighPort, 6254 ipspIpHeadFiltProtocol, ipspIpHeadFiltIPv6FlowLabel, 6255 ipspIpHeadFiltLastChanged, ipspIpHeadFiltStorageType, 6256 ipspIpHeadFiltRowStatus 6257 } 6258 STATUS current 6259 DESCRIPTION 6260 "The IPsec Policy IP Header Filter Table Group." 6261 ::= { ipspGroups 7 } 6263 ipspIPOffsetFilterGroup OBJECT-GROUP 6264 OBJECTS { 6265 ipspIpOffFiltOffset, ipspIpOffFiltType, ipspIpOffFiltNumber, 6266 ipspIpOffFiltValue, ipspIpOffFiltLastChanged, 6267 ipspIpOffFiltStorageType, ipspIpOffFiltRowStatus 6268 } 6270 STATUS current 6271 DESCRIPTION 6272 "The IPsec Policy IP Offset Filter Table Group." 6273 ::= { ipspGroups 8 } 6275 ipspTimeFilterGroup OBJECT-GROUP 6276 OBJECTS { 6277 ipspTimeFiltPeriodStart, ipspTimeFiltPeriodEnd, 6278 ipspTimeFiltMonthOfYearMask, ipspTimeFiltDayOfMonthMask, 6279 ipspTimeFiltDayOfWeekMask, ipspTimeFiltTimeOfDayMaskStart, 6280 ipspTimeFiltTimeOfDayMaskEnd, ipspTimeFiltLastChanged, 6281 ipspTimeFiltStorageType, ipspTimeFiltRowStatus 6282 } 6283 STATUS current 6284 DESCRIPTION 6285 "The IPsec Policy Time Filter Table Group." 6286 ::= { ipspGroups 9 } 6288 ipspIpsoHeaderFilterGroup OBJECT-GROUP 6289 OBJECTS { 6290 ipspIpsoHeadFiltType, ipspIpsoHeadFiltClassification, 6291 ipspIpsoHeadFiltProtectionAuth, ipspIpsoHeadFiltLastChanged, 6292 ipspIpsoHeadFiltStorageType, ipspIpsoHeadFiltRowStatus 6293 } 6294 STATUS current 6295 DESCRIPTION 6296 "The IPsec Policy IPSO Header Filter Table Group." 6297 ::= { ipspGroups 10 } 6299 ipspCredentialFilterGroup OBJECT-GROUP 6300 OBJECTS { 6301 ipspCredFiltCredentialType, ipspCredFiltMatchFieldName, 6302 ipspCredFiltMatchFieldValue, ipspCredFiltAcceptCredFrom, 6303 ipspCredFiltLastChanged, ipspCredFiltStorageType, 6304 ipspCredFiltRowStatus, 6306 ipspCmcDistributionPoint, ipspCmcThisUpdate, ipspCmcNextUpdate, 6307 ipspCmcLastChanged, ipspCmcStorageType, ipspCmcRowStatus, 6309 ipspRctRevokedDate, ipspRctRevokedReason, 6310 ipspRctLastChanged, ipspRctStorageType, ipspRctRowStatus, 6312 ipspIcmsDistinguishedName, ipspIcmsPolicyStatement, 6313 ipspIcmsMaxChainLength, ipspIcmsCredentialName, 6314 ipspIcmsLastChanged, ipspIcmsStorageType, ipspIcmsRowStatus, 6316 ipspCredType, ipspCredCredential, ipspCredMngName, ipspCredSize, 6317 ipspCredRemoteID, ipspCredAdminStatus, ipspCredLastChanged, 6318 ipspCredStorageType, ipspCredRowStatus, 6320 ipspCredSegValue, ipspCredSegLastChanged, 6321 ipspCredSegStorageType, ipspCredSegRowStatus 6322 } 6323 STATUS current 6324 DESCRIPTION 6325 "The IPsec Policy Credential Filter Table Group." 6326 ::= { ipspGroups 11 } 6328 ipspPeerIdFilterGroup OBJECT-GROUP 6329 OBJECTS { 6330 ipspPeerIdFiltIdentityType, ipspPeerIdFiltIdentityValue, 6331 ipspPeerIdFiltLastChanged, ipspPeerIdFiltStorageType, 6332 ipspPeerIdFiltRowStatus 6333 } 6334 STATUS current 6335 DESCRIPTION 6336 "The IPsec Policy Peer Identity Filter Table Group." 6337 ::= { ipspGroups 12 } 6339 -- 6340 -- action compliance groups 6341 -- 6343 ipspCompoundActionGroup OBJECT-GROUP 6344 OBJECTS { 6345 ipspCompActExecutionStrategy, ipspCompActLastChanged, 6346 ipspCompActStorageType, 6348 ipspCompActRowStatus, ipspSubActSubActionName, 6349 aiipspCompActLastChanged, aiipspCompActStorageType, 6350 aiipspCompActRowStatus 6351 } 6352 STATUS current 6353 DESCRIPTION 6354 "The IPsec Policy Compound Action Table and Actions In 6355 Compound Action Table Group." 6356 ::= { ipspGroups 13 } 6358 ipspPreconfiguredGroup OBJECT-GROUP 6359 OBJECTS { 6360 ipspSaPreActActionDescription, ipspSaPreActActionLifetimeSec, 6361 ipspSaPreActActionLifetimeKB, ipspSaPreActDoActionLogging, 6362 ipspSaPreActDoPacketLogging, ipspSaPreActDFHandling, 6363 ipspSaPreActActionType, ipspSaPreActAHSPI, 6364 ipspSaPreActAHTransformName, ipspSaPreActAHSharedSecretName, 6365 ipspSaPreActESPSPI, ipspSaPreActESPTransformName, 6366 ipspSaPreActESPEncSecretName, ipspSaPreActESPAuthSecretName, 6367 ipspSaPreActIPCompSPI, ipspSaPreActIPCompTransformName, 6368 ipspSaPreActPeerGatewayIdName, ipspSaPreActLastChanged, 6369 ipspSaPreActStorageType, ipspSaPreActRowStatus, 6370 ipspAhTranMaxLifetimeSec, ipspAhTranMaxLifetimeKB, 6371 ipspAhTranAlgorithm, ipspAhTranReplayProtection, 6372 ipspAhTranReplayWindowSize, ipspAhTranLastChanged, 6373 ipspAhTranStorageType, 6375 ipspEspTranMaxLifetimeSec, ipspEspTranMaxLifetimeKB, 6376 ipspEspTranCipherTransformId, ipspEspTranCipherKeyLength, 6377 ipspEspTranCipherKeyRounds, ipspEspTranIntegrityAlgorithmId, 6378 ipspEspTranReplayPrevention, ipspEspTranReplayWindowSize, 6379 ipspEspTranLastChanged, ipspEspTranStorageType, 6380 ipspEspTranRowStatus, 6382 ipspIpcompTranDictionarySize, ipspIpcompTranMaxLifetimeSec, 6383 ipspIpcompTranMaxLifetimeKB, ipspIpcompTranPrivateAlgorithm, 6384 ipspIpcompTranLastChanged, ipspIpcompTranStorageType, 6385 ipspIpcompTranRowStatus, 6387 ipspPeerIdValue, ipspPeerIdType, ipspPeerIdAddress, 6388 ipspPeerIdAddressType, ipspPeerIdCredentialName, 6389 ipspPeerIdLastChanged, ipspPeerIdStorageType, 6390 ipspPeerIdRowStatus, 6392 ipspCredType, ipspCredCredential, ipspCredMngName, ipspCredSize, 6393 ipspCredRemoteID, ipspCredAdminStatus, ipspCredLastChanged, 6394 ipspCredStorageType, ipspCredRowStatus, 6396 ipspCredSegValue, ipspCredSegLastChanged, 6397 ipspCredSegStorageType, ipspCredSegRowStatus 6398 } 6399 STATUS current 6400 DESCRIPTION 6401 "This group is the set of objects that support preconfigured 6402 IPsec actions. These objects are from The Preconfigured 6403 Action Table. This group also includes objects from the 6404 shared tables: Peer Identity Table, Credential Table, 6405 Credential Management Service Table and the AH, ESP, and 6406 IPComp Transform Tables." 6407 ::= { ipspGroups 14 } 6409 ipspStaticActionGroup OBJECT-GROUP 6410 OBJECTS { 6411 ipspDropAction, ipspAcceptAction, ipspRejectIKEAction, 6412 ipspDropActionLog, ipspAcceptActionLog, ipspRejectIKEActionLog 6413 } 6414 STATUS current 6415 DESCRIPTION 6416 "The IPsec Policy Static Actions Group." 6417 ::= { ipspGroups 15 } 6419 ipspIpsecGroup OBJECT-GROUP 6420 OBJECTS { 6421 ipspIpsecActParametersName, ipspIpsecActProposalsName, 6422 ipspIpsecActUsePfs, ipspIpsecActVendorId, ipspIpsecActGroupId, 6423 ipspIpsecActPeerGatewayIdName, ipspIpsecActUseIkeGroup, 6424 ipspIpsecActGranularity, ipspIpsecActMode, 6425 ipspIpsecActDFHandling, ipspIpsecActDoActionLogging, 6426 ipspIpsecActDoPacketLogging, ipspIpsecActLastChanged, 6427 ipspIpsecActStorageType, ipspIpsecActRowStatus, 6429 ipspIpsecPropTransformsName, ipspIpsecPropLastChanged, 6430 ipspIpsecPropStorageType, ipspIpsecPropRowStatus, 6432 ipspIpsecTranTransformName, ipspIpsecTranLastChanged, 6433 ipspIpsecTranStorageType, ipspIpsecTranRowStatus, 6435 ipspSaNegParamMinLifetimeSecs, ipspSaNegParamMinLifetimeKB, 6436 ipspSaNegParamRefreshThreshSecs, 6437 ipspSaNegParamRefreshThresholdKB, 6438 ipspSaNegParamIdleDurationSecs, ipspSaNegParamLastChanged, 6439 ipspSaNegParamStorageType, ipspSaNegParamRowStatus, 6441 ipspAhTranMaxLifetimeSec, ipspAhTranMaxLifetimeKB, 6442 ipspAhTranAlgorithm, ipspAhTranReplayProtection, 6443 ipspAhTranReplayWindowSize, ipspAhTranLastChanged, 6444 ipspAhTranStorageType, ipspAhTranRowStatus, 6446 ipspEspTranMaxLifetimeSec, ipspEspTranMaxLifetimeKB, 6447 ipspEspTranCipherTransformId, ipspEspTranCipherKeyLength, 6448 ipspEspTranCipherKeyRounds, ipspEspTranIntegrityAlgorithmId, 6449 ipspEspTranReplayPrevention, ipspEspTranReplayWindowSize, 6450 ipspEspTranLastChanged, ipspEspTranStorageType, 6451 ipspEspTranRowStatus, 6453 ipspIpcompTranDictionarySize, ipspIpcompTranAlgorithm, 6454 ipspIpcompTranMaxLifetimeSec, ipspIpcompTranMaxLifetimeKB, 6455 ipspIpcompTranPrivateAlgorithm, ipspIpcompTranLastChanged, 6456 ipspIpcompTranStorageType, ipspIpcompTranRowStatus, 6458 ipspPeerIdValue, ipspPeerIdType, ipspPeerIdAddress, 6459 ipspPeerIdAddressType, ipspPeerIdCredentialName, 6460 ipspPeerIdLastChanged, ipspPeerIdStorageType, 6461 ipspPeerIdRowStatus, 6463 ipspCredType, ipspCredCredential, ipspCredMngName, ipspCredSize, 6464 ipspCredRemoteID, ipspCredAdminStatus, ipspCredLastChanged, 6465 ipspCredStorageType, ipspCredRowStatus, 6466 ipspCredSegValue, ipspCredSegLastChanged, 6467 ipspCredSegStorageType, ipspCredSegRowStatus 6468 } 6469 STATUS current 6470 DESCRIPTION 6471 "This group is the set of objects that support IPsec 6472 actions. These objects are from The IPsec Policy IPsec 6473 Actions Table, The IPsec Proposal Table, and The IPsec 6474 Transform Table. This group also includes objects from the 6475 shared tables: Peer Identity Table, Credential Table, 6476 Negotiation Parameters Table, Credential Management Service 6477 Table and the AH, ESP, and IPComp Transform Table." 6478 ::= { ipspGroups 16 } 6480 ipspIkeGroup OBJECT-GROUP 6481 OBJECTS { 6482 ipspIkeActParametersName, ipspIkeActThresholdDerivedKeys, 6483 ipspIkeActExchangeMode, ipspIkeActAgressiveModeGroupId, 6484 ipspIkeActIdentityType, ipspIkeActIdentityContext, 6485 ipspIkeActPeerName, ipspIkeActVendorId, ipspIkeActPropName, 6486 ipspIkeActDoActionLogging, ipspIkeActDoPacketLogging, 6487 ipspIkeActLastChanged, ipspIkeActStorageType, 6488 ipspIkeActRowStatus, 6490 ipspIkeActPropLastChanged, ipspIkeActPropStorageType, 6491 ipspIkeActPropRowStatus, 6493 ipspIkePropLifetimeDerivedKeys, ipspIkePropCipherAlgorithm, 6494 ipspIkePropCipherKeyLength, ipspIkePropCipherKeyRounds, 6495 ipspIkePropHashAlgorithm, ipspIkePropPrfAlgorithm, 6496 ipspIkePropVendorId, ipspIkePropDhGroup, 6497 ipspIkePropAuthenticationMethod, ipspIkePropMaxLifetimeSecs, 6498 ipspIkePropMaxLifetimeKB, ipspIkePropProposalLastChanged, 6499 ipspIkePropProposalStorageType, ipspIkePropProposalRowStatus, 6501 ipspSaNegParamMinLifetimeSecs, ipspSaNegParamMinLifetimeKB, 6502 ipspSaNegParamRefreshThreshSecs, 6503 ipspSaNegParamRefreshThresholdKB, 6504 ipspSaNegParamIdleDurationSecs, ipspSaNegParamLastChanged, 6505 ipspSaNegParamStorageType, ipspSaNegParamRowStatus, 6507 ipspIkeIdCredentialName, 6508 ipspIkeIdLastChanged, ipspIkeIdStorageType, ipspIkeIdRowStatus, 6510 ipspAutoIkeAction, ipspAutoIkeAddressType, 6511 ipspAutoIkeSourceAddress, ipspAutoIkeSourcePort, 6512 ipspAutoIkeDestAddress, ipspAutoIkeDestPort, 6513 ipspAutoIkeProtocol, ipspAutoIkeLastChanged, 6514 ipspAutoIkeStorageType, ipspAutoIkeRowStatus, 6516 ipspPeerIdValue, ipspPeerIdType, ipspPeerIdAddress, 6517 ipspPeerIdAddressType, ipspPeerIdCredentialName, 6518 ipspPeerIdLastChanged, ipspPeerIdStorageType, 6519 ipspPeerIdRowStatus, 6521 ipspCmcDistributionPoint, ipspCmcThisUpdate, ipspCmcNextUpdate, 6522 ipspCmcLastChanged, ipspCmcStorageType, ipspCmcRowStatus, 6524 ipspRctRevokedDate, ipspRctRevokedReason, 6525 ipspRctLastChanged, ipspRctStorageType, ipspRctRowStatus, 6527 ipspIcmsDistinguishedName, ipspIcmsPolicyStatement, 6528 ipspIcmsMaxChainLength, ipspIcmsCredentialName, 6529 ipspIcmsLastChanged, ipspIcmsStorageType, ipspIcmsRowStatus, 6531 ipspCredType, ipspCredCredential, ipspCredMngName, ipspCredSize, 6532 ipspCredRemoteID, ipspCredAdminStatus, ipspCredLastChanged, 6533 ipspCredStorageType, ipspCredRowStatus, 6535 ipspCredSegValue, ipspCredSegLastChanged, 6536 ipspCredSegStorageType, ipspCredSegRowStatus 6537 } 6538 STATUS current 6539 DESCRIPTION 6540 "This group is the set of objects that support IKE 6541 actions. These objects are from The IPsec Policy IKE Action 6542 Table, The IKE Action Proposals Table, The IKE Proposal 6543 Table, The autostart IKE Table and The IKE Identity Table. 6544 This group also includes objects from the shared tables: Peer 6545 Identity Table, Credential Management Service Table and 6546 Negotiation Parameters Table." 6547 ::= { ipspGroups 17 } 6549 ipspActionLoggingObjectGroup OBJECT-GROUP 6550 OBJECTS { 6551 ipspActionExecuted, 6552 ipspIPInterfaceType, ipspIPInterfaceAddress, 6553 ipspIPSourceType, ipspIPSourceAddress, 6554 ipspIPDestinationType, ipspIPDestinationAddress, 6555 ipspPacketDirection, ipspPacketPart 6556 } 6557 STATUS current 6558 DESCRIPTION 6559 "Notification objects." 6560 ::= { ipspGroups 18 } 6562 ipspActionNotificationGroup NOTIFICATION-GROUP 6563 NOTIFICATIONS { 6564 ipspActionNotification, 6565 ipspPacketNotification 6566 } 6567 STATUS current 6568 DESCRIPTION 6569 "Notifications." 6570 ::= { ipspGroups 19 } 6572 END 6574 6. References 6576 6.1. Normative References 6578 [IPSEC] 6579 Kent, S., and Atkinson, R., "Security Architecture for the 6580 Internet Protocol", RFC 2401, November 1998. 6582 [IKE] 6583 Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)", 6584 RFC 2409, November 1998. 6586 [RFC2578] 6587 McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., 6588 Rose, M. and S. Waldbusser, "Structure of Management 6589 Information Version 2 (SMIv2)", STD 58, RFC 2578, April 6590 1999. 6592 [RFC2579] 6593 McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., 6594 Rose, M. and S. Waldbusser, "Textual Conventions for 6595 SMIv2", STD 58, RFC 2579, April 1999. 6597 [RFC2580] 6598 McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., 6599 Rose, M. and S. Waldbusser, "Conformance Statements for 6600 SMIv2", STD 58, RFC 2580, April 1999. 6602 [IPCP] 6603 Jason, J., Rafalow, L., and Vyncke, E., "IPsec Configuration 6604 Policy Model", RFCXXX: 6605 draft-ietf-ipsp-config-policy-model-06.txt, August 2002. 6607 6.2. Informative References 6609 [RFC3410] 6610 Case, J., Mundy, R., Partain, D. and B. Stewart, 6611 "Introduction and Applicability Statements for Internet- 6612 Standard Management Framework", RFC 3410, December 2002. 6614 [IPSECPM] 6615 Lortz, V., and Rafalow, L., "IPsec Policy Model White Paper", 6616 November 2000. 6618 7. Intellectual Property 6620 The IETF takes no position regarding the validity or scope of any 6621 intellectual property or other rights that might be claimed to 6622 pertain to the implementation or use of the technology described in 6623 this document or the extent to which any license under such rights 6624 might or might not be available; neither does it represent that it 6625 has made any effort to identify any such rights. Information on the 6626 IETF's procedures with respect to rights in standards-track and 6627 standards-related documentation can be found in BCP-11. Copies of 6628 claims of rights made available for publication and any assurances 6629 of licenses to be made available, or the result of an attempt made 6630 to obtain a general license or permission for the use of such 6631 proprietary rights by implementors or users of this specification 6632 can be obtained from the IETF Secretariat. 6634 The IETF invites any interested party to bring to its attention any 6635 copyrights, patents or patent applications, or other proprietary 6636 rights which may cover technology that may be required to practice 6637 this standard. Please address the information to the IETF Executive 6638 Director. 6640 8. Security Considerations 6642 8.1. Introduction 6644 This document defines a MIB module used to configure IPsec policy 6645 services. Since IPsec provides security services it is important 6646 that the IPsec configuration data be at least as protected as the 6647 IPsec provided security service. There are two threats you need to 6648 thwart when configuring IPsec devices. 6650 1) To make sure that only the official administrators are allowed 6651 to configure a device, only authenticated administrators 6652 should be allowed to do device configuration. The support for 6653 SET operations in a non-secure environment without proper 6654 protection can have a negative effect on network operations. 6656 2) Unfriendly parties should not be able to read configuration 6657 data while the data is in network transit. Any knowledge 6658 about a device's IPsec policy configuration could help an 6659 unfriendly party compromise that device and/or a network it 6660 protects. It is thus important to control even GET access to 6661 these objects and possibly to even encrypt the values of these 6662 objects when sending them over the network via SNMP. 6664 SNMP versions prior to SNMPv3 did not include adequate security. 6665 Even if the network itself is secure (for example by using IPsec), 6666 even then, there is no control as to who on the secure network is 6667 allowed to access and GET/SET (read/change/create/delete) the 6668 objects in this MIB module. 6670 It is RECOMMENDED that implementers consider the security features 6671 as provided by the SNMPv3 framework (see [RFC3410], section 8), 6672 including full support for the SNMPv3 cryptographic mechanisms (for 6673 authentication and privacy). 6675 Further, deployment of SNMP versions prior to SNMPv3 is NOT 6676 RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to 6677 enable cryptographic security. It is then a customer/operator 6678 responsibility to ensure that the SNMP entity giving access to an 6679 instance of this MIB module, is properly configured to give access 6680 to the objects only to those principals (users) that have legitimate 6681 rights to indeed GET or SET (change/create/delete) them. 6683 Therefore, when configuring data in the IPSEC-POLICY-MIB, you SHOULD 6684 use SNMP version 3. The rest of this discussion assumes the use of 6685 SNMPv3. This is a real strength, because it allows administrators 6686 the ability to load new IPsec configuration on a device and keep the 6687 conversation private and authenticated under the protection of 6688 SNMPv3 before any IPsec protections are available. Once initial 6689 establishment of IPsec configuration on a device has been achieved, 6690 it would be possible to set up IPsec SAs to then also provide 6691 security and integrity services to the configuration conversation. 6692 This may seem redundant at first, but will be shown to have a use 6693 for added privacy protection below. 6695 8.2. Protecting against in-authentic access 6697 The current SNMPv3 User Security Model provides for key based user 6698 authentication. Typically, keys are derived from passwords (but are 6699 not required to be), and the keys are then used in HMAC algorithms 6700 (currently MD5 and SHA-1 HMACs are defined) to authenticate all SNMP 6701 data. Each SNMP device keeps a (configured) list of users and keys. 6702 Under SNMPv3 user keys may be updated as often as an administrator 6703 cares to have users enter new passwords. But Perfect Forward 6704 Secrecy for user keys is not yet provided by standards track 6705 documents, although RFC2786 defines an experimental method of doing 6706 so. 6708 SNMPv3 also provides a View Based Access Model for authorization 6709 control. Different users may be given different levels of access 6710 (read-write, read-only...) to lists of SNMP objects or subtrees. 6711 This view based access control provides fine levels of access 6712 control granularity, making it possible to allow some administrators 6713 to have control over certain sections of this MIB module will 6714 prohibiting them from accessing and/or modifying other sections of 6715 the MIB module. This may be useful if local policy administrators 6716 should be given rights to add or amend certain policies, but should 6717 not be given rights to change, for example, corporate level 6718 policies. 6720 8.3. Protecting against involuntary disclosure 6722 While sending IPsec configuration data to a PEP, there are a few 6723 critical parameters which MUST NOT be observed by third parties. 6724 These include IKE Pre-Shared Keys and possibly the private key of a 6725 public/private key pair for use in a PKI. Were either of those 6726 parameters to be known to a third party, they could then impersonate 6727 your device to other IKE peers. Aside from those critical 6728 parameters, policy administrators have an interest in not divulging 6729 any of their policy configuration. Any knowledge about a device's 6730 configuration could help an unfriendly party compromise that device. 6731 SNMPv3 offers privacy security services, but at the time this 6732 document was written, the only standardized encryption algorithm 6733 supported by SNMPv3 is the DES encryption algorithm. Support for 6734 other (stronger) cryptographic algorithms was in the works and may 6735 be done as you read this. Policy administrators SHOULD use a 6736 privacy security service to configure their IPsec policy which is at 6737 least as strong as the desired IPsec policy. E.G., it is unwise to 6738 configure IPsec parameters implementing 3DES algorithms while only 6739 protecting that conversation with single DES. 6741 8.4. Bootstrapping your configuration 6743 Hopefully vendors will not ship new products with a default SNMPv3 6744 user/password pair, but it is possible. Most SNMPv3 distributions 6745 should hopefully require an out-of-band initialization over a 6746 trusted medium, such as a local console connection. 6748 9. Acknowledgments 6750 Many other people contributed thoughts and ideas that influenced 6751 this MIB module. Some special thanks are in order the following 6752 people: 6754 Lindy Foster (Network Associates Laboratories) 6755 John Gillis (ADC) 6756 Jamie Jason (Intel Corporation) 6757 David Partain (Ericsson) 6758 Lee Rafalow (IBM) 6759 Jon Saperia (JDS Consulting) 6760 Eric Vyncke (Cisco Systems) 6762 10. Authors' Addresses 6764 Michael Baer 6765 Network Associates, Inc. 6766 3965 Freedom Circle, Suite 500 6767 Santa Clara, CA 95054 6768 Phone: +1 530 304 1628 6769 Email: mike_baer@nai.com 6771 Ricky Charlet 6772 Email: rcharlet@alumni.calpoly.edu 6774 Wes Hardaker 6775 Network Associates, Inc. 6776 3965 Freedom Circle, Suite 500 6777 Santa Clara, CA 95054 6778 Phone: +1 530 400 2774 6779 Email: wes_hardaker@nai.com 6781 Robert Story 6782 Revelstone Software 6783 Phone: +1 770 617 3722 6784 Email: rs-snmp@revelstone.com 6786 Cliff Wang 6787 SmartPipes Inc. 6788 Suite 300, 565 Metro Place South 6789 Dublin, OH 43017 6790 Phone: +1 614 205 0161 6791 E-Mail: cliffwang2000@yahoo.com 6793 11. Full Copyright Statement 6795 Copyright (C) The Internet Society (2003). All Rights Reserved. 6797 This document and translations of it may be copied and furnished to 6798 others, and derivative works that comment on or otherwise explain it 6799 or assist in its implementation may be prepared, copied, published 6800 and distributed, in whole or in part, without restriction of any 6801 kind, provided that the above copyright notice and this paragraph 6802 are included on all such copies and derivative works. However, this 6803 document itself may not be modified in any way, such as by removing 6804 the copyright notice or references to the Internet Society or other 6805 Internet organizations, except as needed for the purpose of 6806 developing Internet standards in which case the procedures for 6807 copyrights defined in the Internet Standards process must be 6808 followed, or as required to translate it into languages other than 6809 English. 6811 The limited permissions granted above are perpetual and will not be 6812 revoked by the Internet Society or its successors or assigns. 6814 This document and the information contained herein is provided on an 6815 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 6816 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 6817 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 6818 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 6819 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.